The Principles of “LifeSec”

#1 Online is everyone, everywhere, forever

Trigger warning: racism, stupidity

If you wanted to end your career in a hurry, it would be hard to beat the example of Justine Sacco. As the communications director for a large company, you'd think she'd know better than to drop this tweet just before hopping on a plane for a business trip:

Justine Sacco tweet: Going to Africa. Hope I don't get AIDS. Just kidding. I'm white!

For the 11-hour duration of her flight, the tweet spiraled further and further into cyberspace while people expressed outrage or gleefully waited to see her panic when she stepped off the plane to thousands upon thousands of posts under the hashtag #HasJustineLandedYet.

If you are an activist or ally, you may be extremely passionate and that might not come across the way you hoped. Sometimes it's a good idea to pause, rethink, or get someone else's opinion before posting. Better a delay than regret.

No matter how tired or addled we are, most of us would never post something like this and, even if we did, the odds of going viral are still pretty low.

It might go unnoticed entirely or, once you came to your senses, you might be able to edit/delete it or even intentionally obscure it to make it harder to find. But those are under very specific conditions that mostly depend on you acting before it's noticed.

That's why your best defense is not repair, it's prevention.

Always assume that the people who hate you most – the ones who'd want to do you harm – get a notification on their phone every time you post anything online. Not just the people today, but possibly years down the line when you're looking for a job, dating, or simply run across a particularly hateful person online who's happy to dig up your past and shove it in the face of your spouse or boss.

Is it possible what you post will never spread further than you intended? Is it possible to remove information before it's noticed or make it harder to find? Sure! But that's never guaranteed and isn't worth the risk. If you're not comfortable with something being visible to everyone, everywhere, forever, reconsider posting.

#2 Never be more specific than necessary

I live here.

Where are you from?

When you're traveling and someone asks, "Where are you from?", what do you say? Do you give them an address? Street directions? Turn-by-turn steps to reach your front door? I'd guess not.

Not that you have to be silent or rude, but conversation doesn't demand highly specific details, nor does your conversation partner usually care! For your benefit and theirs, always ask, "What is the least amount of information I can give?"

Don't underestimate the double-win of becoming more safe AND becoming a better conversationalist by learning to omit needless details!

In my case, I live in the Seattle area. That means if I'm overseas, I say "American". If I'm someplace in the US, but exotic like Hawaii or Oregon, I say, "Washington". And if someone in Washington asks, I say "Seattle Area".

There will be times you make a judgement call that people are safe enough to share more details even down to the neighborhood – people at work, the other parents at the sports match, etc., but that's the exception. On average, be only as specific as necessary.

Pro tip! Your phone's map tool doesn't need to know where you live either. When setting your 'home' location, set it to somewhere in your neighborhood instead. Then, if your phone is hacked, lost, or your data is sold, you didn't paint a target directly on your house.

What about your family?

Commander biographies are too often public and include family names

Every time you're tempted to write information about your family, pause. Is it really necessary to list their names ever? Not that I've ever seen.

Instead, why not just say "my wife" or "my kids" (assuming there's a reason to bring them up at all)? Instead of age, "baby", "young", "teens", and "adult" are specific enough. Why list genders? Why be specific about the number? Instead say, "less than 2", "more than 3", or just "I'm a parent" if the number isn't important.

Are you or someone you love LGBTQ? Faced self-harm? A psychotic break? Rehab? Had a religious conversion? Things that might be sensitive if other people knew? You should share sparingly (if at all) and as generally as possible.

It might be important in some conversations to mention I've got at least one LGBTQ kid, but not the number, not the age, not the gender, not the name, not anything specific. Default to the absolute minimum necessary (and always ask if you need to share that detail at all).

Focus on what is being asked and why and then answer the minimum. Whatever is close enough. For example, when asked for your birthday, it's rare that they actually need your birthday. Usually it's for age verification (in which case, any date that's about your age will work) or for an annual free coffee or cookie at your favorite cafe (again, any date will work).

In the few cases where someone pries uncomfortably, try asking, 'why do you want to know?' Maybe there's a valid reason you don't know about, but otherwise, it's best not to give more information than is necessary.

#3 Beware data aggregation!

Have you heard of doxing? Most people focus on the public release part, but the key is that they had a dossier of information to release in the first place. Where did they get it?

Generally, doxers simply dig up and combine public data online – stuff that was carelessly left in the open or that people didn't think was a risk in isolation – but what happens when it doesn't stay isolated?

In the Department of Defense, we were trained to limit "data aggregation risk" – where the combination of details can paint a larger or more precise picture (sometimes even elevating Unclassified information to Classified by aggregation).

That's why you should think carefully about playing along with one of those "your birth month is your Hogwarts character!" posts. Rarely (if ever) fill in details in online profiles and social sites. Think carefully about whether you're legally required to even use your real name or birthday.

When supermarkets ask you for a phone number, try using (your area code) 867-5309 (the 'Jenny' number) instead (555-1212 is a good second). If someone asks for your SSN and you're positive they don't actually have a right/need for it, zero out the two middle numbers. It's automatically an invalid social so you're not harming a stranger by providing it.

Little bits of information add up fast, so make sure to limit their availability as much as possible. The less detail there is, and the fewer places it appears, the harder it is to find and combine.

#4 Be a hard target!

Whether you are acting in your own capacity or as an ally/activist, arguing with hateful people online is risky. Depending on what you say, who you say it to, in what venue, and under what circumstances, you could be volunteering to be a bigot's new pet project.

Or maybe you did nothing wrong at all and the bad guys just found a conversation they weren't part of and took exception to something you said in particular. Either way, you're now in the crosshairs.

Sometimes the only thing you need to be safe is to be a hard target.

The bottom line is to be hard to attack. Post generically. Fudge unimportant details. Use fake information (where legal and appropriate). Guard your photos. Deny websites/stores/etc. information they don't strictly need. And carry these principles of data protection with you in real life too.

A lot of ID theft prevention is making sure people don't have your information who don't need it (see my Data Defense articles for more).

When making conversation, when at the store, filling out a form at the dentist – like a martial art, use the minimum motion and force to get the job done. Use the least information possible at all times and in all ways.

Then, even if someone becomes interested in you for the wrong reasons, if it takes far more attention and effort to harm you than they have, you win.

Be considerate of others!

Many years ago, my wife called me and said her friend needed help. "Friend" ("Fren" for short) was trying to build her business on Facebook, but someone was leaving harassing and slanderous comments on all her posts. Fren was pretty sure she knew who it was, but Facebook wouldn't help and the police said there was nothing they could do without an IP address of the perp and my wife wanted to know if there was something I could do. There was.

You see, I had learned about "Social Engineering" – the art of guiding people to giving away information without realizing it. So I set a trap: I wrote a post on this website saying something like "I've been looking at partnering with Fren Industries, but don't know much about them. If ANYONE has any information about them, I'd love to know!".

Next, the lure. I gave Fren the link and told her to post on Facebook something like "Hey, I'm trying to partner with The Geek Professor in my business and I could use some positive reviews! Please head over and leave some (link)".

In mere hours, I had a comment using the same kind of language and same kinds of slander as on the Facebook posts, but on my website, I can see the IP addresses of people who comment. So I provided the IP address and screenshot of the post to Fren and she called the police.

Though social engineering was used for good in the above example, that's not always the case. Smooth operators are always trying to push people into giving them your data –OR– the data of others. Consider if a stalker sees you talking to their target because you're friends/co-workers/etc. So they ooze up to you with some story about how they "found something their victim dropped" or that they're good friends from high school and really want to catch up!

They'll try to convince you to share the target's phone number, address, or schedule, but there are essentially zero cases where that's an OK thing to do. Instead, you can tell them, "Wow Stalker, you found their thing! Thanks, I'll get it back to them." or "That's great that you're good friends. I'm sure she'll be happy to hear from you so leave me your contact information and name and I'll give it to her when I see her next!".

Don't buy into someone's story and hand out someone else's information! Always be a buffer between them - no matter the story, no matter how believable it might be. They might be telling the truth, or they might be your friend's abusive spouse who's tracking them down.

Similarly:

  1. Never upload photos of friends, their kids, or anything else without asking first.
  2. Never "tag" someone by name. If they're good at LifeSec, you might be ruining it by naming them, their spouses, and their kids in your posts.
  3. Also be aware of bait.

  4. Never tell someone else's stories or rants without asking first. Just because they freely ranted about their boss to you doesn't mean you can share it online.

TL;DR

Loose information makes you a target and it makes you an easy target. It's up to you what to share, but do so aware of the consequences and risks. Most importantly, adopt LifeSec principles all the time and it becomes easy to:

  1. Remember that what goes online, goes everywhere; forever. Don't post anything that you're not willing to have dragged back up and used against you later.
  2. Learn to be evasive and general. Not only does this make you a better conversationalist, it's safer too!
  3. Think about how your data can be combined. Don't fall into the trap of thinking "this will be ok because it's just a little bit of information". People and AI can line all the different data up into one clear picture.
  4. Be a hard target. Don't get discouraged and think there's no point; no matter what the risk might be, if you're more trouble than you're worth to the bad guy, that can be enough!

And that's the basics.

If I wasn't clear, this isn't 'do this sometimes', but a way of life. Adopt LifeSec as a way of life and you'll be safer not just online or offline, but all the time. For you, for your loved ones. You become, by nature, a hard target.

LifeSec

More than ever these days, it's become vitally important for our advocates and most vulnerable populations to learn how to speak without drawing undue attention from aggressors OR to be a 'hard target' when they do. You can read more about LifeSec and its benefits here or jump to The Principles of "LifeSec"

From the first days I taught Operations Security (OPSEC) for the Inter-Agency OPSEC Support Staff, I saw a problem. They actually expected every soldier and DoD civilian to understand the process, the math, and mechanics of OPSEC Risk Management (which no one but program managers care about).

Instead, I pushed to bring OPSEC principles into real life; LifeSec! My theory was that if we showed how information protection could actually help in real life, people would see why this matters.

Why This Matters

Because seemingly unimportant information that is carelessly shared is dangerous.

Purple Dragon - the original OPSEC program for the USA.

For example, during the Vietnam war, the US military inadvertently leaked their plans to the Viet Cong spy network by having their planes visibly on the runway with the supplies staged nearby.

In a more modern example, reporters in the 90's discovered that they could predict major world events based on the number of late-night pizzas delivered to the Pentagon and other key agencies – a phenomenon now playfully referred to as "the pizza meter".

Basically, by operating in the open with no care for who was watching and what they might learn, US forces suffered data leaks of their own making. But who cares about the government, right? Why should regular people care?

Why Regular People Should Care

The crime of disbelief

Do you believe in Zeus and Poseidon? Do you legitimately believe they're real and must be respected and feared? If not, you are a non-believer… just like the rest of us. There are many major religions and branches and we are all non-believers to one or the other… and that shouldn't be anyone's business or concern.

But there are backwards parts of the world that find your lack of faith disturbing. In those places, mere disbelief can put you at risk of abuse, violence, and death. For example, the USA:

Trigger warning: violence

I was raised Christian, but learned early that there are "right kinds" and "wrong kinds". Catholics, Baptists, and others who claim to have the same beliefs, but will still argue and judge each other. It's one reason separation of church and state is so important – even if people could agree on the religion, there's just too much disagreement about details.

A 2017 Netflix Special about an activist murdered for her cause

Luckily, brave people like Madalyn Murray O'Hair advocated against forced prayer and Bible readings in public schools as early as the 60's. Through a lifetime of court cases and advocacy, she made schools a safe place for those of a different denomination, a different religion, or no religion at all.

A 2017 Netflix special details O’Hair’s life, her struggles, her victories, and (ultimately) her kidnapping and brutal murder in 1995. By making an effort to make the USA more respectful and inclusive for people of different beliefs, she, her son, and granddaughter paid the ultimate price.

The crime of being "girly"

Trigger warning: suicide

In 2014, 11-year-old Michael Morales liked cartoons. But his school bullies decided it was the "wrong kind" of cartoon and made his life hell. For violating gender norms and expectations, he faced abuse so severe that he attempted suicide. Though unsuccessful, he was left in a catatonic state from the attempt and tragically passed away seven years later. All for his "crime" of liking a "girl's cartoon".

The crime of freedom

Trigger warning: child abuse

In 2024, an American teenager from Lacey, Washington refused to follow her family tradition of an arranged marriage to an older man. She ran away from home and sought help from the staff at her high school, but was caught by her father who choked her unconscious. She only survived the murder attempt thanks to a Good Samaritan who was driving by, saw the attack, and intervened.

In an ideal USA, bigots and abusers would face scorn, shame, and, most of all, repercussions for their hate. But at the whims of society and politics, they not only might escape any consequence; they may be cheered and applauded. It's twisted and it's wrong, but this is the reality we have to live in, and that means being judicious about the amount and kind of attention we draw to ourselves.

Control your exposure

The sad truth is that some people hate and harm without an ounce of shame or consequence. It's wrong, but that truth doesn't keep you safe. Every person needs to guard against being overly visible or interesting – for themselves and the people they love.

Bottom line, whether it's serial killers, child molesters, haters, abusers, creeps, or con artists; strangers or people you know – it's in your best interests to learn about risks and countermeasures so you can make an informed choice about sharing information.

But first a disclaimer!

Disclaimer! LifeSec is NOT victim blaming!

It is risk management. For example, swimming in the deep ocean with bleeding bait strapped to your trunks is likely to attract predators and posting online carelessly is similar.

When participating and especially when being an activist/ally, it's important to have a good sense of the actual risks so you can make sensible choices. This isn't a judgement of anyone's courage or duty – it is about keeping people safe and letting them choose for themselves what that means.

To learn more, use the lesson navigation below.
