The only limits to my ability to hurt you are how much data I have on you and my creativity.

When I was teaching OPSEC in DC, the class started with an announcement from a coordinator. "If there are any security events, everyone needs to gather at the center building column." After they finished and introduced me, I told the class "knowing what we were just told as an attacker, the center column is where I'd plant the second bomb…

"But hold on", you say. "You'd still need to know ways to access the building, plant explosives unnoticed, and so on", and you'd be right but that's the point.

Some dangerous information can't be acted on without additional details. Some very innocuous-seeming data can become very dangerous with additional details. Basically, the aggregate of data is a force multiplier. Information in aggregate tells me:

• When to hit you.
• How to hit you.
• How to make it hurt to the maximum degree possible.
• How to ensure success in doing all of the above.

The concept of aggregation is well established in National Security. You have terrorist organizations working to get every detail of their target that they can and on the other side, you have OPSEC programs to teach forces the importance of information denial.

I spent years trying to find the right way to get this point across and, in doing so, learned that people find it hard to connect with examples at the Nation-State level. Instead, what about a little real-world thought experiment?

Trigger warning – some seriously dark possibilities

Assume that want to destroy your life and have at my disposal only two pieces of information: your address and…

I love you, Brad! We should be together!

… a post online I saw where you explained how your wife, due to a misunderstanding, thought you might be cheating on her. How hard would it be to drop some scandalous love letter in the mail adorned with a girl's name as the sender and a bright red kiss mark? What happens then?

… information that you participate in alcoholics anonymous or online support groups for alcoholism. What if I sent you a "complimentary bottle of wine" sometime? Or, better yet, I wait until I see your post talking about how the wife and kids were going out of town for the weekend?

… details of your parole after serving 10 years for possession. I hide a package of incriminating evidence in a conspicuous spot of your side yard then call your parole officer claiming to be a neighbor who saw you burying something suspicious.

Should I keep going? Or do you see how little bits of information can create opportunities to absolutely destroy someone? And lest you think this is only a thought experiment, Facebook has been caught using their vast data on people to manipulate their mood as an "experiment". Best Buy was caught data mining to label customers as either "Angels" or "Devils". And the examples go on and on…

It's not a fun exercise, but it's valuable to learn to think like a bad guy if only to better protect yourself and the people you care about. And it also helps you understand why you should learn the LifeSec skill of providing the most vague and least-detailed information possible in all situations.

You would be stunned if I told you how frequent data breaches are. So much so that they don't even make the news anymore. Instead of counting on negligent organizations to keep your data safe, we must practice information denial at all times, in all ways because it's hard for them to lose or abuse information they don't have.

Step 1: No more than necessary.

When you see a web form, do you fill it in? Why? Is every field you see necessary? Usually there's some kind of indication, but not always. To find out for sure, try pressing "sign up" or "go" or whatever and it will highlight all the necessary fields.

Everything is necessary? No worries. There's a strategy for that too.

It goes without saying that you should rarely fill in any details of your "profile page" in games, on websites, or in apps. Why provide even more data for them to lose or abuse?

Step 2: Ask why

If you're being asked for information that you can't see the reason for, ask why (when able). For example, when I go to the dentist, they might ask for my Social Security Number. I ask, "why?"

You get only what's necessary and no more.

They will say that it's necessary for billing, but this isn't my first rodeo. I always check when I change insurance to see if they every require SSN and (so far) the answer is always "no". And so I tell the dentist the same, "No. You can't have my SSN because you don't need it. I called and checked so process me without it or I'll find someone else."

Not once have I ever been turned away for withholding my SSN in medical situations. Why not try it? What's the worst that could happen? You don't end up doing business with someone who's careless with your data?

Step 3: Get creative

Sometimes there's not another dentist. Sometimes the site your need access to is the only one that will serve your purpose. Sometimes there isn't another good option and you're forced to make a decision… or are you?

To the best of my knowledge, it's not illegal to put fake answers for challenge questions (stuff like, "what's the name of your first pet"). Your phone will still get you home if you set your "home" location to somewhere NEAR your address (instead of using the real location). Most websites don't need YOUR birthday, they need A birthday. And those store discount codes work just as well with a generic phone number (Pro tip: use your area code and 867-5309 – it never fails).

"An" address...

"A" birthday...

"A" phone #...

Important! It's up to you to determine what is legal and what isn't when using this advice. For example, if you fake a SSN that belongs to someone else, that could be problematic. But there's nothing that stops you from being creative in low-stakes situations:

When you sell the phone, if it's stolen, if the data protection allows apps to peek at the data, there are so many ways that data can be taken. So why not give them nicknames instead (something you'd never actually call them to their face) so it's easy for you to know who's who, but no attacker would be able to call them and address them by name?

It's simple, safer, and fun! ("Hey Google, Call Aardvark!")

(Image used under: Creative Commons 2.0 [SRC])

In a colossally stupid move, Best Buy triggers the Streisand Effect by issuing a take-down notice to a blogger who wrote about something they didn't like.

It turns out that this group called Improve Anywhere did a funny prank where they got about 80 people to dress in khakis and blue shirts and had them all enter a Best Buy and stand around. I heard about the prank last year sometime (and I saw the video).

Now they are selling joke t-shirts based on their famous stunt and Best Buy (not surprisingly) doesn't like it. Whether they have a real claim or not, I don't know (or care), but they've issued a take-down notice to the guys over at the Laughing Squid. Who's that? Well, the Laughing Squid is a blog, not unlike many other blogs online and the key issue here is that Best Buy is trying to surpress the blogger's right to cover information by saying that he's "promoting" the shirts.

Here's one for you Best Buy, I'm covering all his articles, and the original story, plus I'm promoting blogging! Oh horrors. I wonder what they'll do now.

This is an amazing essay from a former Geek Squad tech as to why Geek Squad was great, but isn't anymore.

The fact is that you are no more likely to see a real technician at a Geek Squad today than you would be to see a real 5'10" mouse, wearing red suspenders at Disneyland. It is all an act... a show to provide what the customer assumes they need to see. The shoes, the ties, the badges, the pants, the socks, and the shirts do not increase the persons ability to fix your computer, they merely fulfill the customer's subconscious expectation of what a competent computer technician looks like.

He talks of the time he opened a "new" computer only to find that it was in reality, used. His manager told him to clean it off and give it to the customers like nothing had happened of which he said "On this day, I would favor the respect of my superior, rather than that of my integrity".

Wow.

Then there's the time that they were backlogged on computers to repair so management decided that things like crashes and viruses could be fixed easily by wiping all data on every computer. They don't have to worry about legal ramifications because customers are forced to sign a disclaimer that says they've backed up all their data.

And don't forget that Geeks are lonely. If you have (or had) any porn on your machine, they'll find it and save a copy:

If there were a competition between a Playboy editor, a photo lab technician, and a voyeur for the person who has seen the most random pictures of naked people... the only way any of them would win is if the Geek Squad agent was late to the contest.

Hey buddy... wanna rebate?

(Image used under: Creative Commons 2.0 [SRC])

In a trend that we hope continues, Best Buy Canada has killed mail in rebates. Companies have been ripping off customers for years with rebates so it's nice to see the trend finally reversing.

Angel Customers & Demon Customers (The book that started it all)
(See online!)

With the proliferation of data about customers on an individual level due to technology such as cookies, web bugs, and RFID (ie Spychips), companies have discovered a more valuable way to manage their assets. Customer profiling.

A new customer management policy has grown popularity in the business world which assigns customers the ominous labels of Angel and Demon.

Angels

This pleasant sounding label belongs to a customer who doesn't comparison shop, buys high-margin items, always picks up "extras" (such as extended warranties and accessories), uses store credit, etc. Basically, anyone who brings the store profit.

Demons

Imagine a point system, where every purchase made was given positive or negative points based on profitability. Now imagine that any interaction you have with a company could be tallied into your profile based on how much time and resources they need to spend on you. Here are some things that might count against you:

• Submitting a rebate
• Using your extended service plan
• Making any purchase without a certain percentage of high margin accessories
• Refusal to buy add-on services (such as a free Internet trial or movies-by-mail)
• Spending an over-average amount of time making the purchase decision
• Refusing to be upsold into a higher-end model
• Complaining about the store to management, to consumer watchdogs, or government agencies

Best Buy, a major electronics retailer, is one of the early adopters of these types of systems

After compiling the results of your score, you may be offered terms of credit, pricing, or specials based on that score. For example, "Special price for our 'Platinum' grade customers only!" (where platinum is another word for "angels"). Another example might be putting better customers in a priority queue for customer service by phone. Though only Best Buy (that I know of) has looked at the angel/demon methodology, there's nothing to stop companies from using the profiles on you they already have to do the same.