The Principles of “LifeSec”

#1 Online is everyone, everywhere, forever

Trigger warning: racism, stupidity

If you wanted to end your career in a hurry, it would be hard to beat the example of Justine Sacco. As the communications director for a large company, you'd think she'd know better than to drop this tweet just before hopping on a plane for a business trip:

Justine Sacco tweet: Going to Africa. Hope I don't get AIDS. Just kidding. I'm white!

For the 11-hour duration of her flight, the tweet spiraled further and further into cyberspace while people expressed outrage or gleefully waited to see her panic when she stepped off the plane to thousands upon thousands of posts under the hashtag #HasJustineLandedYet.

If you are an activist or ally, you may be extremely passionate and that might not come across the way you hoped. Sometimes it's a good idea to pause, rethink, or get someone else's opinion before posting. Better a delay than regret.

No matter how tired or addled we are, most of us would never post something like this and, even if we did, the odds of going viral are still pretty low.

It might go unnoticed entirely or, once you came to your senses, you might be able to edit/delete it or even intentionally obscure it to make it harder to find. But those are under very specific conditions that mostly depend on you acting before it's noticed.

That's why your best defense is not repair, it's prevention.

Always assume that the people who hate you most – the ones who'd want to do you harm – get a notification on their phone every time you post anything online. Not just the people today, but possibly years down the line when you're looking for a job, dating, or simply run across a particularly hateful person online who's happy to dig up your past and shove it in the face of your spouse or boss.

Is it possible what you post will never spread further than you intended? Is it possible to remove information before it's noticed or make it harder to find? Sure! But that's never guaranteed and isn't worth the risk. If you're not comfortable with something being visible to everyone, everywhere, forever, reconsider posting.

#2 Never be more specific than necessary
I live here.

Where are you from?

When you're traveling and someone asks, "where are you from?" What do you say? Do you give them an address? Street directions? Turn-by-turn steps to reach your front door? I'd guess not.

Not that you have to be silent or rude, but conversation doesn't demand highly specific details, nor does your conversation partner usually care! For your benefit and theirs, always ask, "what is the least amount of information I can give?"

Don't underestimate the double-win of becoming more safe AND becoming a better conversationalist by learning to omit needless details!

In my case, I live in the Seattle area. That means if I'm overseas, I say "American". If I'm someplace in the US, but exotic like Hawaii or Oregon, I say, "Washington". And if someone in Washington asks, I say "Seattle Area".

There will be times you make a judgement call that people are safe enough to share more details even down to the neighborhood – people at work, the other parents at the sports match, etc., but that's the exception. On average, be only as specific as necessary.

Pro tip! Your phone's map tool doesn't need to know where you live either. When setting your 'home' location, set it to somewhere in your neighborhood instead. Then, if your phone is hacked, lost, or your data is sold, you didn't paint a target directly on your house.

What about your family?

Commander biographies are too often public and include family names

Every time you're tempted to write information about your family, pause. Is it really necessary to list their names ever? Not that I've ever seen.

Instead, why not just say "my wife", "my kids" (assuming there's a reason to bring them up at all). Instead of age, "baby", "young", "teens", and "adult" are specific enough. Why list genders? Why be specific about the number? Instead say, "less than 2", "more than 3", or just "I'm a parent" if the number isn't important.

Are you or someone you love LGBTQ? Faced self-harm? A psychotic break? Rehab? Had a religious conversion? Things that might be sensitive if other people knew? You should share sparingly (if at all) and as generally as possible.

It might be important in some conversations to mention I've got at least one LGBTQ kid, but not the number, not the age, not the gender, not the name, not anything specific. Default to the absolute minimum necessary (and always ask if you need to share that detail at all).

Focus on what is being asked and why and then answer the minimum. Whatever is close enough. For example, when asked for your birthday, it's rare that they actually need your birthday. Usually it's for age verification (in which case, any date that's about your age will work) or for an annual free coffee or cookie at your favorite cafe (again, any date will work).

In the few cases where someone pries uncomfortably, try asking, 'why do you want to know?' Maybe there's a valid reason you don't know about, but otherwise, it's best not to give more information than is necessary.

#3 Beware data aggregation!

Have you heard of doxing? Most people focus on the public release part, but the key is that they had a dossier of information to release in the first place. Where did they get it?

Generally, doxers simply dig and combine from public data online – stuff that was carelessly left in the open or that people didn't think was a risk in isolation – but what happens when it doesn't stay isolated?

In the Department of Defense, we were trained to limit "data aggregation risk" – where the combination of details can paint a larger or more precise picture (sometimes even elevating Unclassified information to Classified by aggregation).

That's why you should think carefully about playing along with one of those "your birth month is your Hogwarts character!" posts. Rarely (if ever) fill in details in online profiles and social sites. Think carefully about whether you're legally required to even use your real name or birthday.

When supermarkets ask you for a phone number, try using (your area code) 867-5309 (the 'Jenny' number) instead (555-1212 is a good second). If someone asks for your SSN and you're positive they don't actually have a right/need for it, zero out the two middle numbers. It's automatically an invalid social so you're not harming a stranger by providing it.

Little bits of information add up fast, so make sure to limit their availability as much as possible. The less detail there is, and the fewer places it appears, the harder it is to find and combine.

#4 Be a hard target!

Whether you are acting in your own capacity or as an ally/activist, arguing with hateful people online is risky. Depending on what you say, who you say it to, in what venue, under what circumstance, you could be volunteering to be a bigot's new pet project.

Or maybe you did nothing wrong at all and the bad guys just found a conversation they weren't part of and took exception to something you said in particular. Either way, you're now in the crosshairs.

Sometimes the only thing you need to be safe is to be a hard target.

The bottom line is to be hard to attack. Post generically. Fudge unimportant details. Use fake information (where legal and appropriate). Guard your photos. Deny websites/stores/etc. information they don't strictly need. And carry these principles of data protection with you in real life too.

A lot of ID theft prevention is making sure people don't have your information who don't need it (see my Data Defense articles for more).

When making conversation, when at the store, filling out a form at the dentist – like a martial art, use the minimum motion and force to get the job done. Use the least information possible at all times and in all ways.

Then, even if someone becomes interested in you for the wrong reasons, if it takes far more attention and effort to harm you than they have, you win.

TL;DR

Loose information makes you a target and it makes you an easy target. It's up to you what to share, but do so aware of the consequences and risks. Most importantly, adopt LifeSec principles all the time and it becomes easy to:

  1. Remember that what goes online, goes everywhere; forever. Don't post anything that you're not willing to have dragged back up and used against you later.
  2. Learn to be evasive and general. Not only does this make you a better conversationalist, it's safer too!
  3. Think about how your data can be combined. Don't fall into the trap of thinking "this will be ok because it's just a little bit of information". People and AI can line all the different data up into one clear picture.
  4. Be a hard target. Don't get discouraged and think there's no point; no matter what the risk might be, if you're more trouble than you're worth to the bad guy, that can be enough!

And that's the basics.

If I wasn't clear, this isn't 'do this sometimes', but a way of life. Adopt LifeSec as a way of life and you'll be safer not just online or offline, but all the time. For you, for your loved ones. You become, by nature, a hard target.

PhotoSec – 4 Things You Should Always Check For Before Uploading Photos

#1 - Fingerprints
A lovely glass heart and also fingerprints!

It's wild how often I find copies of peoples' fingerprints online. Someone selling a coin or button. A farmer showing off a growing berry. Or this artistic photo of a glass heart.

But what's the risk? Would people frame you for crimes with your fingerprint? Probably not. But what about unlocking your phone or laptop? With phone/computer access, it becomes trivial to get into every account you have – email, messages, social page, banks… everything.

Of course, they'd have to be able to translate an online photo into something that can defeat print scanners, but that only requires a 3D printer (or Gummi Bear candies in a pinch).

Are you dating someone really paranoid? Do you have a pissed-off 'ex' who might get access to your phone? Could your family use your phone to get access to your bank accounts and credit? Maybe, maybe not. What is certain is that it's hard to abuse someone's prints when you don't have them.

Whenever you're taking a picture of something in your palm, it's worth taking a second to make sure your fingertips aren't in the shot!

#2 Reflections
You'd be surprised how frequently people post themselves semi-nude because they didn't check reflections.

Long ago, I checked a work trading board for some furniture and found a decent hutch for a good price. Because I'd learned to scan reflections, I noticed that the woman who sold it to me was in her underwear when she took the photo.

Of course I never said anything (I didn't want to embarrass her), but I have told several thousand people since then!

People are constantly putting themselves in compromising positions by not checking reflections. Like the guy I found on LinkedIn who posted a "motivational talk" while apparently in the passenger seat of a car. Except, if you looked at the reflection in his sunglasses, you could clearly see him holding the wheel with one hand, and the phone in the other.

If I was someone who knew him and didn't like him, I could easily post that to the church board, send it to his family, or share it with the police. It wouldn't be the first time something like that happened:

This is a famous example that I've used for years teaching OPSEC.
I have no sympathy for people who film while driving, but what about people whose various states of undress or nearby toys and medicines might not be things they want people to see? Check your reflections, people.

#3 Background details
Hint, check the upper-right

The things people forget to check for in the background can occasionally be hilarious. A selfie where the dog is pooping or drinking out of the toilet or maybe your poor friend who's still in the shower… generally there's no harm done.

But what if you have private medical information visible? Passwords or security information? House keys that can be easily copied (even in a photo at an angle or from up to 200 feet away)? Concerning evidence of hoarding, filth, or other mental care concerns?


Giving away a pre-marriage pregnancy (Photo Credit)
Visible password? That's embarrassing. (Photo Credit)
JK Rowling's profile photo showed an apparent black mold infestation
A key where you can see the ridges can be copied. (Photo Credit)

It gets worse; what if the details people find in your background lead to more serious consequences? This is a scary world where people are judged, ostracized, attacked, or killed for:

Trigger warnings: abuse, violence

Keeping yourself and others safe means checking the background. What do you see? Are you "outing" yourself? Someone else? Are you giving away more than you realized? Will the visible details put you or anyone else at extra risk? Check every time before you upload.


#4 Location

Trigger Warning: Stalking, Assault

Hibiki Sato was one of many fans of pop-idol Ena Matsuoka, but he was obsessed. He studied her online photos to find her. Which way did the sun fall in the window of her apartment? What kind of window-dressings did she use? What features were visible outside?

He finally got his chance when he noticed, in a high-resolution selfie she took on her commute home, a sign for a train station in the reflection of her eye. It was enough for him to stake-out the station, wait until she showed, then follow her home. She survived, but some aren't so lucky.

Idol hunted from an eyeball reflection

Sometimes the only thing that stops evil people from acting is not knowing where to find the target of their obsession (or A target of their obsession – a.k.a., a target of opportunity). But what good is caution about reflections and details if the photo itself blabs about your exact location?

Do you notice the 'Show settings' link over there on the right? Try clicking it. What happens?

In this very nice selfie that I found on Flickr, you might notice location information on the right; something often seen on photos uploaded to Flickr or Google or Facebook or whatever. It's not that people are taking the trouble to tag their location; the phone does it for them.

The phone records all the settings for the photo, but also other details it has access to. Maybe your name and sometimes your exact location.

Maybe if you're hiking and want to remember exactly where you saw that cool blue lizard, geo-tagged photos are helpful. If you go missing, the search party might find your last known location by the last cloud-uploaded photo you took.

Trigger warning: dark possibilities

But if you post while on vacation and thieves can see you're not home (and can check older photos for the location of your home). Or your stalker noticed you posted about being home alone for the evening (along with the exact location where to find you). Or you're a battered spouse on the run whose safety depends on not being found. Or if someone simply finds your lifestyle/religion offensive and now they know where to go to take out their frustrations…

Often people are safe because finding and harming people is hard, but "helpful" technology trivializes it to the point that the risk becomes higher simply because it's "easy". That is especially true now that AI tools that help analyze photos for location indicators are becoming more and more proficient.

For example, here's a test I did with GeoSpy.ai

It got it within about 18 miles

Using only a Google Streetview picture at random from the Seattle area, it was able to narrow it to within about 18 miles of the actual location – and that's just one photo. What if I had 10 or 100? Some people are very prolific posters and every photo gives bad guys more to work with.

Watch your timing! If you're at a restaurant and taking a picture of your food, if you upload it immediately, people will know where you are for the next 20 to 30 minutes. Maybe post later or the next day instead!

I'm scared. Now what?

It's easy to say "be careful" without offering any specific advice for actually doing so. But anything that's complicated or takes a lot of effort isn't something we'd actually do in practice. With that in mind, here are some simple tips for improving your risk posture:

  1. Crop – Easy – just remove the parts of the photo that have any problematic content. Sure, you can meticulously go through the visible papers on your home office desk; you can check with everyone in the photo at the party before posting. OR, you could just crop out that stuff instead.
  2. Shrink – There's rarely a time when it makes sense to upload a giant 20 megapixel photo directly to a social site. Why not shrink it by half or more? Even a photo only 1000 or 1500 pixels wide is plenty large for online sharing while making it next to impossible to see fine details like what's in the reflection of someone's eyes.
  3. Disable Geotagging – I mentioned there are some legitimate reasons to geo-tag, but those don't apply to almost anyone. If you want them there for something specific, so be it, but unless that applies to you, disable the "feature" and eliminate the risk entirely.
  4. Meta stripping tools/apps – These remove META DATA – the geo-tags, your name, and all that other information that I showed you before. All of it is dumped and gone. I don't have any recommendations because I don't upload nearly enough to use one of these, but if you're prolific, you might want to "clean" tons of photos all at once and then not worry about it.
  5. Screencap hack – On a computer, view the photo at about the size you'd want to see it online, then press WIN+SHIFT+S. This is a quick-capture shortcut that lets you snag a portion of your screen which is auto-saved in your screenshots folder. Then you can upload that screen capture, which will be drastically size-reduced (but still large enough) and have ZERO meta data attached.
  6. Caution and diligence – Check backgrounds, zoom in, check reflections, scour each photo carefully for anything that someone might be able to learn. Make sure you don't have any unique and identifiable features nearby like street signs or addresses. If you find something or can't tell for sure, maybe reconsider posting.

Keep in mind this is all about risk. If you're not worried, so be it, but if you're at high risk because of your lifestyle, activism, have some measure of notoriety, or have been directly threatened or bullied, the key is to make sure you don't hand your enemies the weapons they use to bludgeon you with. Be smart, be safe.
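
To make tips 3 and 4 concrete, here is an added example (not from the original post, and not any particular app's code) of what a metadata stripper does to a JPEG: it reports whether the file carries an Exif GPS directory or an Artist name, then drops the metadata segments without touching the image data. The function names are this example's own, and the sample file is a constructed JPEG skeleton with made-up values.

```python
import struct

SOS = 0xDA                             # start of scan: compressed pixels follow
METADATA_MARKERS = {0xE1, 0xED, 0xFE}  # APP1 (Exif/XMP), APP13 (IPTC), COM
GPS_IFD_TAG = 0x8825                   # Exif pointer to the GPS directory
ARTIST_TAG = 0x013B                    # Exif field that often holds a name


def iter_segments(jpeg: bytes):
    """Yield (marker, payload, raw) for each segment up to and including SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == SOS:
            yield marker, b"", jpeg[pos:]   # image data is passed through as-is
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError("truncated or corrupt segment")
        yield marker, jpeg[pos + 4:end], jpeg[pos:end]
        pos = end
    raise ValueError("no SOS marker found")


def exif_tags(payload: bytes) -> set:
    """Return the tag numbers found in IFD0 of an Exif APP1 payload."""
    if not payload.startswith(b"Exif\x00\x00"):
        return set()                        # e.g. XMP, which also uses APP1
    tiff = payload[6:]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        return set()
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return set()
    (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    tags = set()
    for i in range(count):                  # each IFD entry is 12 bytes
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        if len(entry) == 12:
            tags.add(struct.unpack(endian + "H", entry[:2])[0])
    return tags


def audit(jpeg: bytes) -> dict:
    """Summarise what identifying metadata a JPEG carries."""
    report = {"metadata_segments": 0, "has_gps": False, "has_artist": False}
    for marker, payload, _ in iter_segments(jpeg):
        if marker in METADATA_MARKERS:
            report["metadata_segments"] += 1
        if marker == 0xE1:
            tags = exif_tags(payload)
            report["has_gps"] |= GPS_IFD_TAG in tags
            report["has_artist"] |= ARTIST_TAG in tags
    return report


def strip_metadata(jpeg: bytes) -> bytes:
    """Return the JPEG with Exif/XMP, IPTC and comment segments removed."""
    out = bytearray(b"\xff\xd8")
    for marker, _, raw in iter_segments(jpeg):
        if marker not in METADATA_MARKERS:
            out += raw
    return bytes(out)


def segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample() -> bytes:
    """Constructed JPEG skeleton (not a viewable photo) with Artist + GPS tags."""
    ifd0 = struct.pack("<H", 2)                                   # two entries
    ifd0 += struct.pack("<HHI4s", ARTIST_TAG, 2, 4, b"Ann\x00")   # made-up name
    ifd0 += struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 38)           # GPS IFD at 38
    ifd0 += struct.pack("<I", 0)                                  # no next IFD
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + struct.pack("<HI", 0, 0)
    return (b"\xff\xd8"
            + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + segment(0xE1, b"Exif\x00\x00" + tiff)
            + segment(0xFE, b"constructed comment")
            + b"\xff\xda\x00\x02\x12\x34\xff\xd9")


if __name__ == "__main__":
    sample = build_sample()
    print("before:", audit(sample))
    print("after: ", audit(strip_metadata(sample)))
```

Dropping the Exif segment also drops the Orientation tag, so some photos will display rotated until they are re-saved upright. Stripping changes nothing in the pixels, so cropping, shrinking and the background and reflection checks still apply.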


LifeSec

More than ever these days, it's become vitally important for our advocates and most vulnerable populations to learn how to speak without drawing undue attention from aggressors OR to be a 'hard target' when they do. You can read more about LifeSec and its benefits here or jump to The Principles of "LifeSec"

From the first days I taught Operations Security (OPSEC) for the Inter-Agency OPSEC Support Staff, I saw a problem. They actually expected every soldier and DoD civilian to understand the process, the math, and mechanics of OPSEC Risk Management (which no one but program managers care about).

Instead, I pushed to bring OPSEC principles into real life; LifeSec! My theory was that if we showed how information protection could actually help in real life, people would see why this matters.

Why This Matters

Because seemingly unimportant information that is carelessly shared is dangerous.

Purple Dragon - the original OPSEC program for the USA.

For example, during the Vietnam war, the US military inadvertently leaked their plans to the Viet Cong spy network by having their planes visibly on the runway with the supplies staged nearby.

In a more modern example, reporters in the 90's discovered that they could predict major world-events based on the number of late-night pizzas delivered to the Pentagon and other key agencies – a phenomenon now playfully referred to as "the pizza meter".

Basically, by operating in the open with no care for who was watching and what they might learn, US forces suffered data leaks of their own making. But who cares about the government, right? Why should regular people care?

Why Regular People Should Care

The crime of disbelief

Do you believe in Zeus and Poseidon? Do you legitimately believe they're real and must be respected and feared? If not, you are a non-believer… just like the rest of us. There are many major religions and branches and we are all non-believers to one or the other… and that shouldn't be anyone's business or concern.

But there are backwards parts of the world that find your lack of faith disturbing. In those places, mere disbelief can put you at risk of abuse, violence, and death. For example, the USA:

Trigger warning: violence

I was raised Christian, but learned early that there are "right kinds" and "wrong kinds". Catholics, Baptists, and others who claim to have the same beliefs, but will still argue and judge each other. It's one reason separation of church and state is so important – even if people could agree on the religion, there's just too much disagreement about details.

A 2017 Netflix Special about an activist murdered for her cause

Luckily, brave people like Madalyn Murray O'Hair advocated against forced prayer and Bible readings in public schools as early as the 60's. Through a lifetime of court cases and advocacy, she made schools a safe place for those of a different denomination, a different religion, or no religion at all.

A 2017 Netflix special details O’Hair’s life, her struggles, her victories, and (ultimately) her kidnapping and brutal murder in 1995. By making an effort to make the USA more respectful and inclusive for people of different beliefs, she, her son, and granddaughter paid the ultimate price.

The crime of being "girly"

Trigger warning: suicide

In 2014, 11-year-old Michael Morales liked cartoons. But his school bullies decided it was the "wrong kind" of cartoon and made his life hell. For violating gender norms and expectations, he faced abuse so severe that he attempted suicide. Though unsuccessful, he was left in a catatonic state from the attempt and tragically passed away seven years later. All for his "crime" of liking a "girl's cartoon".

The crime of freedom

Trigger warning: child abuse

In 2024, an American teenager from Lacey, Washington refused to follow her family tradition of an arranged marriage to an older man. She ran away from home and sought help from the staff at her high school, but was caught by her father, who choked her unconscious. She only survived the murder attempt thanks to a Good Samaritan who was driving by, saw the attack, and intervened.

In an ideal USA, bigots and abusers would face scorn, shame, and, most of all, repercussions for their hate. But at the whims of society and politics, they not only might escape any consequence; they may be cheered and applauded. It's twisted and it's wrong, but this is the reality we have to live in, and that means being judicious about the amount and kind of attention we draw to ourselves.

Control your exposure

The sad truth is that some people hate and harm without an ounce of shame or consequence. It's wrong, but that truth doesn't keep you safe. Every person needs to guard against being overly visible or interesting – for themselves and the people they love.

Bottom line, whether it's serial killers, child molesters, haters, abusers, creeps, or con artists; strangers or people you know – it's in your best interests to learn about risks and countermeasures so you can make an informed choice about sharing information.

But first a disclaimer!

Disclaimer! LifeSec is NOT victim blaming!

It is risk management. For example, swimming in the deep ocean with bleeding bait strapped to your trunks is likely to attract predators and posting online carelessly is similar.

When participating and especially when being an activist/ally, it's important to have a good sense of the actual risks so you can make sensible choices. This isn't a judgement of anyone's courage or duty – it is about keeping people safe and letting them choose for themselves what that means.


Home network safety tip: keep most devices on the “Guest” network

Malware from the manufacturer means bad times for everyone

It would be great if the stories of products sold by major retailers with baked-in malware were relegated to decades past, but the issue hasn't gone away. The Electronic Frontier Foundation reports that a low-budget kids' tablet by Dragon Touch was sold on Amazon for the better part of a year despite having possible malware preinstalled from the factory.

There really is no clear and obvious way to prevent any instance of factory malware, but one thing that could help quite a bit is to keep your networks separate.

This is an example of a router with guest network functionality built in.

Many home routers these days offer "guest networks" which are intended to let houseguests or visiting friends access your Internet without exposing your home computers and files. It's convenient and easy to set up along with your normal network. But the best part is that you can use the same trick to keep untrusted devices away from your important data!

You'll need to look in the manual, instructions, or a handy YouTube video if you need help for your specific router (or buy a new one if your current one doesn't support it), but, once configured, it's simply a matter of asking: "does this device/thing need to connect to my home computers or backup systems?" If "no", put it on the guest network!

Bottom line, you might have several computers and maybe a printer/scanner on your home network for file sharing or backup purposes, but why let the PlayStation or Echo in the same space? They can still access the Internet on the Guest Network and that's really all they need.

Moving forward, always keep phones, tablets, and any other such device segregated on the guest network where, if they become infected, they can't damage your real computers and important data.
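One way to confirm the guest network really is walled off, as an added example (not from the original post): run this from a device joined to the guest network and point it at machines on the home network. The addresses and ports in the sample list are constructed placeholders, and `probe` and `check_isolation` are names made up for this sketch.

```python
import socket

def probe(host, port, timeout=2.0):
    """Try one TCP connection from this device and classify the outcome.

    "open"    - the connection succeeded: this device can talk to that host.
    "refused" - something answered with a reset: the port is closed, but the
                packet most likely still crossed into the home network.
    "blocked" - no answer or no route: consistent with guest isolation.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeouts and "network unreachable" both land here
        return "blocked"

def check_isolation(targets, timeout=2.0):
    """Probe every (host, port) pair; isolation holds only if all are blocked."""
    results = {(host, port): probe(host, port, timeout) for host, port in targets}
    isolated = all(outcome == "blocked" for outcome in results.values())
    return results, isolated

# Constructed sample targets: swap in the addresses of your own home
# computers and a port each one is known to answer on.
SAMPLE_TARGETS = [("192.168.1.10", 445), ("192.168.1.20", 22)]

if __name__ == "__main__":
    results, isolated = check_isolation(SAMPLE_TARGETS)
    for (host, port), outcome in results.items():
        print(f"{host}:{port} -> {outcome}")
    print("guest network looks isolated" if isolated else "guest device can reach the home network")
```

A "blocked" result only means something if the same port answers when probed from inside the home network, since a host firewall that silently drops traffic looks identical to router isolation.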


Time to re-evaluate my browser strategy. Time to be Brave

Brave. The privacy browser

Keeping up with security and privacy topics when your work is only tangentially related and life sweeps you away (so you don't have time or energy the rest of the time) is not easy. That's why your best chance for getting an upgrade is finding the time to focus and experiment OR finding the right article at the right time… and I hope this will be that for you.

I've tried to focus this article on how most people use the Internet most of the time. For extreme folks, there are other options including Lone Wolf and Tor, but for everyone else, keep reading:

Hate having to read an entire article for the answer? Here's the bottom line: I use Firefox for websites with logins (except social sites), Brave for regular Internet (and social sites that constantly lead out to the Internet), and a little bit of Edge as a backup and for personal brand segregation.

The brief background

Why is this necessary? Because companies are doing everything in their power to get into your business. They track where you go, what you click, what you're interested in, or just what they THINK you're interested in based on your browsing and clicking patterns. Besides being creepy and unwanted, it creates problems.

What happens when someone else uses your computer or you look something up for a friend or family member? Now their interests get mixed with yours, causing you to see ads and recommendations that aren't remotely relevant. And what happens when you accidentally click a bad link in a chat or email (it happens to the best of us)? Many attacks are based on the idea that you're logged into your email or bank in another tab of the same browser (this is called cross-site scripting). And what if someone buys ad space and puts malicious code in it (or it's just rude and obnoxious)?

To reduce risks, annoyances, and invasion of your privacy while keeping things extremely simple, the pro tip is browser segregation.

Generally speaking, you can break down your Internet use into two or three main categories:

  1. Actual browsing. Searching, clicking, exploring, etc.
  2. Account-based web applications. Email, banking, shopping, etc.
  3. Social and personal brand. LinkedIn, Facebook, Twitter, and other things connected to your professional image.

Let me explain each in more detail.

Benefits to browser segregation

Browsing

When you're browsing around the Internet, you want the toughest browser around because you could end up anywhere at any time. Click a bad link, type a url wrong, or just browse around normally where sites attempt to identify you individually, track you, invade your privacy, and put you at risk due to poorly managed scripts and advertisements. As your default browser, this is the one that will load if you accidentally click the wrong thing in a Discord chat or any other app on your computer.

This is also the one you want to use for your private social accounts and any other app that is so closely tied to the general Internet that it's nearly indistinguishable from open Internet anyway. Things like Reddit and Pinterest or alternate accounts for Twitter and Facebook that aren't tied to your identity.

Basically, you need your A-game browser – the best of the best – when out in the wilds of the open Internet.

Account-based Web Applications

This is where you keep your login-based accounts like emails, banking, shopping, and so on. If it's not a semi-Internet site like Reddit or Pinterest and it requires a login, keep it in your secondary browser.

Granted, sites like Amazon are very invasive as well, but much of the way they spy on you requires that you're out browsing the Internet and not staying on a handful of specific websites. Additionally, various types of attacks depend on you browsing around and taking a wrong turn while your tasty bank account or email is open in another tab of the same browser. Using separation this way largely prevents that too.
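Why a separate browser blunts the "logged in on another tab" attacks described above (requests that ride an existing session, generally known as cross-site request forgery), shown as an added toy model that is not code from the original post and not real browser internals. Each browser keeps its own cookie jar, so a hostile page can only ride a session stored in the browser it was opened in. The site names are constructed, and the model goes slightly beyond the text by also showing the site-side SameSite cookie setting.

```python
from dataclasses import dataclass, field

@dataclass
class Browser:
    """One installed browser: its cookie jar is invisible to every other browser."""
    label: str
    jar: dict = field(default_factory=dict)  # site -> {cookie name: SameSite value}

    def log_in(self, site, same_site="None"):
        """Record the session cookie a successful login would set.

        "None" here stands for a cookie with no cross-site restriction.
        """
        self.jar.setdefault(site, {})["session"] = same_site

    def cookies_sent(self, page_site, target_site, method="GET", top_level=False):
        """Names of cookies attached when a page on page_site requests target_site."""
        sent = []
        for name, same_site in self.jar.get(target_site, {}).items():
            if page_site == target_site:
                sent.append(name)          # same-site requests always carry it
            elif same_site == "None":
                sent.append(name)          # unrestricted: rides any request
            elif same_site == "Lax" and top_level and method == "GET":
                sent.append(name)          # Lax: only top-level GET navigation
            # "Strict" cookies are never attached to cross-site requests.
        return sent

def hostile_post(segregated, same_site="None"):
    """Cookies that ride along when a bad link's page fires a background POST at the bank."""
    accounts = Browser("accounts browser")
    # Without segregation, the bad link opens in the browser holding the login.
    browsing = Browser("browsing browser") if segregated else accounts
    accounts.log_in("bank.example", same_site)
    return browsing.cookies_sent("evil.example", "bank.example", method="POST")

if __name__ == "__main__":
    print("one browser, unrestricted cookie:", hostile_post(False))
    print("two browsers, unrestricted cookie:", hostile_post(True))
    print("one browser, SameSite=Lax cookie: ", hostile_post(False, "Lax"))
```

Segregation protects you even when a site has not set SameSite on its session cookie, because the browsing browser's jar simply has nothing to send.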

Don't overcomplicate it! For many people, keeping your logged-in accounts and open browsing separate is good enough, but if you want to see why I use a third, read on.

Identity Accounts and Branding

In my case, I chose to have one more separation where my identity is known and my reputation at stake. To make sure that I don't cross wires and rant about how much I hate the VI editor on my branded-Reddit page, I keep them segregated too.

LinkedIn, Reddit with my professional name, Kickstarter, Twitter (if it survives into 2024 and beyond), my official Facebook (if I ever decide to make one) – basically, I keep these in a third browser because:

  1. I want to keep a third more standard browser around in the rare cases where sites refuse to load in anything else
  2. I can visually tell if I'm in the wrong place because of the different browser. That helps me think twice about what I'm going to post since it's tied to me individually.

Which browser and why?

For identity-based Internet

I'll cover this first and only briefly since only some people will be using the 3rd-level browser. I use Edge because it's one of the three major-supported browsers and will work for any site that doesn't like deviations from the norm. Also, it's not Chrome (the worst for privacy invasion).

For account-based Internet

For this one, I chose Firefox. Firefox is nowhere near the privacy-focused and community-friendly browser it used to be, but most of the ways it sucks now require being on open Internet. It's still going to be supported by major websites and you shouldn't have any trouble using your accounts with it.

For open Internet

I had been sleeping on this one for a while and heard bad things in the past, but read and watched videos and did some research. I determined that, as of this posting, Brave is the best browser for privacy online. It has a built-in adblock function and VPN (the first is free, the VPN you have to pay for, but not a big deal). It's nicely presented, fast, and works everywhere I've tried it so far.

Brave is also building a privacy-based search engine which is something DuckDuckGo has been known for, but even DDG has some issues that Brave does not. If the Brave search isn't working for you, Google and DDG are still there. Brave does use some kind of cryptocurrency gimmick, but that's optional and doesn't get in the way enough that I see it as a dealbreaker.

Summary

For best safety/security/privacy, use at least two browsers and mentally separate your activity online into "log-in account stuff" and "everything else" (and maybe a third for "anything that I use my real name for").

Farmville Addiction Leads to Baby’s Death

Today a severely depressing story of a baby that was shaken to death for interrupting his mother's Farmville time.

A normal parent knows interruptions happen and can deal, but someone suffering from an addiction is different. They're obsessed and nothing else is as important!

The Mashable article says this:

Needless to say, it is Ms. Tobias — and not the game itself — that is responsible for the death of her 3-month-old son.

While this is completely true, I don't think it's right to say that Farmville was not involved and bears none of the responsibility. The game is fun, engaging, and bright, and feeds into people's innate needs to build, organize, nurture, and escape (all signs of addictive games), but worst of all, Farmville punishes you for not playing. When you stop playing, your animals and crops die.

At some point, the people who make Farmville had a meeting to decide how to keep people playing the game and came up with the death idea. To be fair, maybe they didn't realize how this would lead many people into addiction, but it has and that fact is pretty obvious by now.

Even Mashable agrees:

FarmVille, named one of the “worst inventions” in recent decades by Time magazine, has more than 60 million members, most of whom access the game through Facebook (Facebook). Some players have found it so addicting that they’ve lost their jobs and racked up debts north of $1,000.

In the end, what company owns up to this and apologizes or changes their ways even in the face of deaths and misery that they had a hand in causing? Instead, they'll blame the user saying that it's totally their responsibility for becoming addicted. So the only choice you have is to handle it yourself.

You have to manage or completely avoid games that are (allegedly) built addictive. Just do a search for "name of game" addictive and if there are pages and pages of results, you just might want to steer clear.


Answer a Phone Survey – Get Cheated


I've always debated things like helping jaywalkers, buying magazines at the door, and listening to telemarketers, but I think that I've finally come up with a common solution. Don't pick up anyone on the side of the road. Don't buy anything at your doorstep that doesn't involve cash and girl-scout cookies. And definitely, never, ever, talk to someone selling something or doing a "survey" on the phone.

The Consumerist is running a story about a warehouse worker who took a phone survey and was fired for it. It turns out that the shady company on the other end remixed the phone call recording to make it sound as if he answered "YES" to questions like "are you authorized to make phone plan decisions for your company" and "do you want to switch to Thieving Scumbag Phone Service Inc?"

It may not be fair to the people who are honest, but there's just no way for you to know who is and who isn't safe to deal with, so the only logical choice is to stay out of it entirely. Check out this advice from a prior phone survey industry member on how to permanently get out of the call listings.


Story of Gaming Addiction


This is a heartbreaking account of someone's battle with gaming addiction. Posted here so I can look it up later.

This pretty much sums it up.

"I hated level 40," she said with a sigh. It was the first time we'd spoken in eight years, and she had never forgotten the night I spurned her advances in favor of gaining a level in EverQuest.

5 Minutes Posing as a 14-year-old On Social Site


A police official in the UK signed up a new account with a girl's name and used data and a photo that suggested he was a 14-year-old girl.

Within 90 seconds, a middle-aged man wanted to perform a sex act in front of me. I was deluged by strangers asking stomach-churning questions about my sexual experience. I was pressured to meet men with whom I'd never before communicated.

If you plan to let your kids use sites like these, you have to know what they're getting into. Make sure you have the name and password to their account (being friends with them is not enough) so you can see what they see and talk to them about it. Also bone up on safety precautions like learning the proper way to secure your account.


Check out one of my guides/tutorials:

email Tutorial

E-mail Dangers

Until we find out who the people are who actually buy things from spammers and kick them off the Internet, you're going to have to learn how to deal with and prevent spam.
E-mail Viruses - Learn how viruses are spread through e-mail and how to stop them
Phishing - Spot and avoid lures that pull you into the dark side of the web
Don't be one of those people that loses thousands of dollars to the classic Nigerian Scam.

E-mail Etiquette

Use CC only when necessary and BCC the rest of the time.
Use Reply-All when you mean to and never when you don't.
Practice proper E-mail Forwarding to protect privacy and make e-mails more readable.
Always personalize your e-mails to make it obvious to your recipient that it's valid.

E-mail Tips and Tricks

Using E-Mail Aliases Properly - Be careful about using sensitive data (like your real name) in an e-mail account.
Remember to treat your e-mail account with the security it deserves.
Use a decoy e-mail account to keep your main e-mail account free of spam.
Avoid using any Internet provider's default e-mail.


Preventing Spam

Spam is annoying and worthless, but you still see it every single day. Here are some tips for preventing and reducing spam.


E-mail Viruses

Make sure that viruses don't sneak onto your computer through your e-mails. Read some simple tips to prevent that from happening.


Phishing

By far the most dangerous thing you'll find in e-mails is a lie. Sending a bogus e-mail to someone is generally called phishing, but can also be referred to as a Nigerian scam (depending on the goal of the e-mail). Learn to recognize and deal with phishing before it's too late.


Nigerian Scam

Many people have lost thousands and even hundreds of thousands of dollars to the classic Nigerian Scam. Don't fall for it!


How to Use "CC" Properly

Don't violate people's privacy and invite spam into their accounts by CC'ing all your contacts. Learn the proper way to send mass e-mails first.


Reply-All

It's easy to embarrass yourself or harm your career when you don't know how to use Reply-All appropriately.


How to Forward E-mails Properly

Don't forward e-mails carelessly or you risk looking foolish at best and violating the privacy of all your contacts at worst.


Personalize E-mail

Follow this simple rule of e-mail etiquette to help prevent your friends and family from falling for phishing scams.


Using E-Mail Aliases Properly

It can be hard to find a good name to use in an e-mail account that hasn't been used and doesn't give away too much information about you.


Protecting E-mail Passwords

Your e-mail account is the most important online account you have. Remember to treat it as such!


Using a Decoy E-Mail Account

Why it's very important to use a buffer e-mail account to shield your main account from people and companies that you don't trust.


The ISP E-mail Trap

Don't fall for the trap of using the free e-mail account provided to you by your Internet service!
