The only limits to my ability to hurt you are how much data I have on you and my creativity.

When I was teaching OPSEC in DC, the class started with an announcement from a coordinator. "If there are any security events, everyone needs to gather at the center building column." After they finished and introduced me, I told the class "knowing what we were just told as an attacker, the center column is where I'd plant the second bomb…

"But hold on", you say. "You'd still need to know ways to access the building, plant explosives unnoticed, and so on", and you'd be right but that's the point.

Some dangerous information can't be acted on without additional details. Some very innocuous-seeming data can become very dangerous with additional details. Basically, the aggregate of data is a force multiplier. Information in aggregate tells me:

• When to hit you.
• How to hit you.
• How to make it hurt to the maximum degree possible.
• How to ensure success in doing all of the above.

The concept of aggregation is well established in National Security. You have terrorist organizations working to get every detail of their target that they can and on the other side, you have OPSEC programs to teach forces the importance of information denial.

I spent years trying to find the right way to get this point across and, in doing so, learned that people find it hard to connect with examples at the Nation-State level. Instead, what about a little real-world thought experiment?

Trigger warning – some seriously dark possibilities

Assume that want to destroy your life and have at my disposal only two pieces of information: your address and…

I love you, Brad! We should be together!

… a post online I saw where you explained how your wife, due to a misunderstanding, thought you might be cheating on her. How hard would it be to drop some scandalous love letter in the mail adorned with a girl's name as the sender and a bright red kiss mark? What happens then?

… information that you participate in alcoholics anonymous or online support groups for alcoholism. What if I sent you a "complimentary bottle of wine" sometime? Or, better yet, I wait until I see your post talking about how the wife and kids were going out of town for the weekend?

… details of your parole after serving 10 years for possession. I hide a package of incriminating evidence in a conspicuous spot of your side yard then call your parole officer claiming to be a neighbor who saw you burying something suspicious.

Should I keep going? Or do you see how little bits of information can create opportunities to absolutely destroy someone? And lest you think this is only a thought experiment, Facebook has been caught using their vast data on people to manipulate their mood as an "experiment". Best Buy was caught data mining to label customers as either "Angels" or "Devils". And the examples go on and on…

It's not a fun exercise, but it's valuable to learn to think like a bad guy if only to better protect yourself and the people you care about. And it also helps you understand why you should learn the LifeSec skill of providing the most vague and least-detailed information possible in all situations.

You would be stunned if I told you how frequent data breaches are. So much so that they don't even make the news anymore. Instead of counting on negligent organizations to keep your data safe, we must practice information denial at all times, in all ways because it's hard for them to lose or abuse information they don't have.

Step 1: No more than necessary.

When you see a web form, do you fill it in? Why? Is every field you see necessary? Usually there's some kind of indication, but not always. To find out for sure, try pressing "sign up" or "go" or whatever and it will highlight all the necessary fields.

Everything is necessary? No worries. There's a strategy for that too.

It goes without saying that you should rarely fill in any details of your "profile page" in games, on websites, or in apps. Why provide even more data for them to lose or abuse?

Step 2: Ask why

If you're being asked for information that you can't see the reason for, ask why (when able). For example, when I go to the dentist, they might ask for my Social Security Number. I ask, "why?"

You get only what's necessary and no more.

They will say that it's necessary for billing, but this isn't my first rodeo. I always check when I change insurance to see if they every require SSN and (so far) the answer is always "no". And so I tell the dentist the same, "No. You can't have my SSN because you don't need it. I called and checked so process me without it or I'll find someone else."

Not once have I ever been turned away for withholding my SSN in medical situations. Why not try it? What's the worst that could happen? You don't end up doing business with someone who's careless with your data?

Step 3: Get creative

Sometimes there's not another dentist. Sometimes the site your need access to is the only one that will serve your purpose. Sometimes there isn't another good option and you're forced to make a decision… or are you?

To the best of my knowledge, it's not illegal to put fake answers for challenge questions (stuff like, "what's the name of your first pet"). Your phone will still get you home if you set your "home" location to somewhere NEAR your address (instead of using the real location). Most websites don't need YOUR birthday, they need A birthday. And those store discount codes work just as well with a generic phone number (Pro tip: use your area code and 867-5309 – it never fails).

"An" address...

"A" birthday...

"A" phone #...

Important! It's up to you to determine what is legal and what isn't when using this advice. For example, if you fake a SSN that belongs to someone else, that could be problematic. But there's nothing that stops you from being creative in low-stakes situations:

When you sell the phone, if it's stolen, if the data protection allows apps to peek at the data, there are so many ways that data can be taken. So why not give them nicknames instead (something you'd never actually call them to their face) so it's easy for you to know who's who, but no attacker would be able to call them and address them by name?

It's simple, safer, and fun! ("Hey Google, Call Aardvark!")

MeWe: A Facebook alternative based on protecting your right to privacy.

It's been great watching DuckDuckGo rise as a major Google competitor. I've been thrilled to see Firefox taking a more aggressive approach to protecting people as a way to combat the invasiveness of Chrome. Now we might finally have a solution to the Facebook problem. "Which problem", you might ask?

If you didn't already know, Facebook has a long and sordid history of taking and misusing your data, profiling you, selling those profiles, losing and mishandling the data as well. They're essentially a data-broker masquerading as social service. This means harvesting every piece of information they can find about you so they can package and sell it to others. It's nasty business, but everyone's doing it… everyone except a few who are building a new paradigm that proves you can make a business work without abusing customers.

Data-brokering is nasty business. They learn about your habits, your private business, your medical information - all of it packaged and sold with nary a thought to whether that will be used for ID Theft, skeezy marketing, law enforcement and so on.

That's what I hope to see in MeWe. I did some research since I'd never heard of the before today and they've actually been around a while. They used some business-focused "gofundme" services (Angel.co and wefunder) to get capital and have built up MeWe.com from that. There are various reviews of the site around including Forbes.com who claims they already have 8 million members (though that's rapidly growing).

If that's the case, they hardly need my review on top, but I still reached out to the CEO (his email is listed online… something he'll want to change if the site is growing this rapidly) to point out some room for improvement. For example:

It's not actually clear in the policy what happens if they change their mind later. I read on another post (their about page or one of the reviews perhaps) that they would notify you of changes and you could opt out… not very reassuring. Better would be to make it clear that minor changes to the policy that are still in-line with the philosophy would result in notices, but major changes would not affect you until you logged into your account again and manually accepted the change. This is a bold site with a bold plan; let's see bold assurances as well!

They're actually doing pretty well already in having a conversational tone, keeping it short, and avoiding legalese, but I think it can be even better. For example, the font is pretty small and they're not making great use of whitespace. Some pics might be good to break up the wall of text. Some of the detail is a little over-kill (maybe summarize and then link/expand for people who care).

Did you know? Internet law requires at least one cat pic per post.

There are precious few companies trying to take on the giants and it would make sense for them to join forces; even if only in cross endorsement. Obviously they should first review their business model, security plan, and a deeper look at their tech strategy, but then, if they're convinced, the endorsement of someone I already researched and trust would go a lot further than online posts.

So far going through the privacy policy and terms of service, I'm generally impressed. There are some neat features like "secret messaging" that even MeWe can't see (end-to-end encrypted between you and the recipient), full right to download all your MeWe content to your local computer, and messages that will auto-delete once they're received. Of course there's the question of "how they get paid" which they answer on their FAQ page.

It's a bit lengthy so let me summarize: they make money by charging businesses for a PRO version, by selling extra emotes (if you care), and other add-ons that are optional.

Last Thoughts

Signing up was easy and, though I will never let a website scan my contacts from other services, at least there's SOME assurance this site wouldn't abuse that function. The home page is clean, easy to understand and features some posts from the CEO about important privacy issues (like the growing concerns over how Amazon uses Alexa). Nice…

Not bad. If you combine the promised privacy with a good tool, this might be the tool that saves us from Facebook.

The jury's still out for me, but at least I can feel comfortable using MeWe in my regular browser instead of having to isolate Facebook in a private window to keep it from stalking me on the web. That alone puts MeWe on top for me.

(Image used under: Creative Commons 2.0 [SRC])

So yesterday, we learned that OnStar tracks you even if you're not a customer and today, we learn that Facebook will track and monitor your web usage without your knowledge or permission… even if you're not logged in.

The social network is quietly retracting a cookie that continued to report your Facebook user ID even after you "logged out" of the site. But it's not sorry about five other cookies that persist after you sign off. What, you didn't think Facebook would ever let you actually for real seriously 100 percent sign out, did you?

Remember, you're not Facebook's customer, you're cattle. These kinds of issues will never stop so if you aren't using special software to counter Facebook's nastier sides, you're at a disadvantage.

(Image used under: Creative Commons 2.0 [SRC])

I am constantly telling people to lock down their privacy settings because if you keep this stuff visible, this kind of story becomes possible. Apparently there was a debt collector that spammed friends and family of a debtor in order to pressure her to pay.

Melanie Beacham says she fell behind on her car payment after getting sick and taking a medical leave from work. She contacted MarkOne Financial to explain the situation but says the harassing phone calls, as many as 20 per day, kept coming. Then one day she got a call from her sister saying the company contacted her in Georgia. "I was telling her, 'No way, because you're not even a reference,'" said Beacham, who later found out MarkOne contacted her sister and other relatives via Facebook.

Today a severely depressing story of a baby that was shaken to death for interrupting his mother's Farmville time.

A normal parent knows interruptions happen and can deal, but someone suffering from an addiction is different. They're obsessed and nothing else is as important!

The Mashable article says this:

Needless to say, it is Ms. Tobias — and not the game itself — that is responsible for the death of her 3-month-old son.

While this is completely true, I don't think it's right to say that Farmville was not involved and bears none of the responsibility. The game, is fun, engaging, bright and feeds into people's innate needs to build, organize, nurture, and escape (all signs of addictive games), but worst of all, Farmville punishes you for not playing. When you stop playing, your animals and crops die.

At some point, the people who make Farmville had a meeting to decide how to keep people playing the game and came up with the death idea. To be fair, maybe they didn't realize how this would lead many people into addiction, but it has and that fact is pretty obvious by now.

Even Mashable agrees:

FarmVille, named one of the “worst inventions” in recent decades by Time magazine, has more than 60 million members, most of whom access the game through Facebook (Facebook). Some players have found it so addicting that they’ve lost their jobs and racked up debts north of $1,000.

In the end, what company owns up to this and apologizes or changes their ways even in the face of deaths and misery that they had a hand in causing? Instead, they'll blame the user saying that it's totally their responsibility for becoming addicted. So the only choice you have is to handle it yourself.

You have to manage or completely avoid games that are (allegedly) built addictive. Just do a search for "name of game" addictive and if there are pages and pages of results, you just might want to steer clear.

(Image used under: Creative Commons 2.0 [SRC])

Ok so maybe not ONE click. But someone has put together a simple tool that you can use to take over the active sessions of anyone within wireless range of you. Hang out at the Starbucks free wi-fi and you'll be able to control the Facebook or other accounts of people nearby. It's an attack that was always simple to do for those who know how, but now any idiot can do it with a simple new interface.

By the way, they mention a few protections from this at the bottom of the article, but here's one more.

(Image used under: Creative Commons 2.0 [SRC])

This is not surprising.

"Apps" are pieces of software that let Facebook's 500 million users play games or share common interests with one another. The Journal found that all of the 10 most popular apps on Facebook were transmitting users' IDs to outside companies.

The apps, ranked by research company Inside Network Inc. (based on monthly users), include Zynga Game Network Inc.'s FarmVille, with 59 million users, and Texas HoldEm Poker and FrontierVille. Three of the top 10 apps, including FarmVille, also have been transmitting personal information about a user's friends to outside companies.

Once you install a 3rd party application, you no longer have control. Think twice before touching any "app" about how much you care if your information remains private or is sold on the information black market.

(Image used under: Creative Commons 2.0 [SRC])

Rule number 1: don't trust Facebook or any other marketer with your information. Anything you provide should be carefully researched to see how safe it is then provided only after deciding what risk you face.

Rule number 2: don't use automated processes to share information without even MORE careful research.

Breaking both rules is a new app from Facebook which will allow you (or one of your friends) to violate the privacy of many people at once by uploading your phonebook.

The greatest part is that you don't have to give up your phone number since one of your friends can instead! This is just like how Facebook let friends tell stalkers where to find you or add you to groups so someone who's mad at you can make you look like a pedophile.

Don't you love Facebook?

Let Facebook know location? Not a good idea

(Image used under: Creative Commons 2.0 [SRC])

I can't imagine broadcasting my current location to the world. There are so many risks that I don't even know where to begin. If you like this feature, good luck and godspeed. Hopefully you don't get robbed, stalked, or worse. The point is that your risk is higher when strangers know your location, and Facebook helpfully turns on this feature by default. If you want to take my advice and turn it off, here's how:

1. Find the control for Places in your settings

2. Disable the ability of friends to check you in

(Image used under: Creative Commons 2.0 [SRC])

I don't want this page to descend into an "everything about Facebook" page, but the news has been coming fast and hard the last few weeks. The article I found today isn't news, but instead a plea to the public to not buy in to Facebook's apology for their recent nastiness.

Parents of young children can spot an insincere apology from miles away.

"Sorry," your tot mumbles, after you find the dog half-shaved and your Xbox full of jam.

"Sorry for what?" you'll say. "Sorry for shaving the dog and putting jam in your Xbox," he'll say, looking at the floor. But he's lying. He's only sorry that he didn't get away with it.

Facebook's much-reported apology in the Washington Post is a bit like that. "Sorry," says Mark Zuckerberg. "Sorry for what?" the internet asks.

"Sorry for invading your privacy and making things confusing and stuff," Zuckerberg says. "Can I have an ice cream now?"

Funny and blisteringly accurate; that's a good combination. Check out the rest of the article here