While on a quick trip to Washington DC recently, I had a chance to sit down with Greg Otto and Jen O’Daniel of the Securiosity Podcast to talk about a wide range of topics. We discussed how I got started in privacy, why you don’t need to worry about nation state super hackers, being anonymous, OSINT, and wine. What a fun conversation!
My interview starts at about the 24 minute mark.
Back in the 1990’s, I was involved in a discussion about how an individual could deal with Van Eck monitoring, where an attacker captures the contents of your screen from outside the building. My take was that if your opponent has a surveillance team in a van full of special equipment parked right outside your house, your only realistic option is to run and never look back, in hopes of starting a new life elsewhere. Perhaps this scenario is a bit dramatic, but it illustrates an important point. We spend a lot of time thinking about and trying to mitigate threats that are so extreme you are basically already doomed if they are ever used against you. You can’t mitigate against Mission Impossible-style attacks, because whatever you try to prevent, they always have another way of getting at you.
Earlier I wrote about why a good security advisory board can be a powerful addition to any business. In this article I dive in to exactly how to make sure you get that value from your advisory board. My taking the right actions, you can ensure a strong ROI for your time and money while significantly boosting the security of your organization.
I had a chance to talk with Hiawatha Bray of the Boston Globe about GrinchBots which are a form of scalping that drives the cost of many limited edition items into the stratosphere.
Read the full article HERE.
In this video from Fifth Domain I talk about the problems of conducting online undercover operations. In this video I talk about issues with profile photos, writing style analysis, and patterns of behavior.
When talking about information security, nation-state backed hackers are set up as the ultimate threat. The countries have brilliant hackers, unlimited resources, endless exploits, and they are all after you! Fortunately for us, there are also many more nation state hackers who are not that skilled, on a tight budget, and forced to use off-the-shelf tools. Just because your organization might be of interest to foreign services does not mean that you should just give up.
In 2016, my CEO asked me to work with an outside advisor, Gary McGraw, to create a Security Advisory Board (SAB) for our company. Right away, I realized that creating a strong advisory board to effectively support the company would take a lot of work. We spent significant time thinking about how this board could add value to the business, and how to ensure that the board’s ideas and solutions were implemented. First, let me note that credit for many of the ideas in these articles should go to Gary. He was instrumental in the creation and continued success of our SAB. In the first article of this two-parter, I will explore the kinds of value a SAB can bring to a company, and why its creation is worth all the effort. In the next article, I will talk about the nuts and bolts of executing a successful SAB.
I founded Anonymizer Inc. in 1995, almost 23 years ago. It was born of my passion and commitment to privacy, security, and anonymity. I deeply appreciate the support, encouragement, and loyalty from the millions of people who have used the service over the years.
I am profoundly proud of what this company has accomplished. We were the first commercial internet privacy service in the world. We created the Kosovo Privacy Project, provided censorship circumvention services to hundreds of thousands of people in China and Iran, and worked with numerous human rights groups to provide protected communications and safe access to information. We also set up a secure anonymous terrorist tip site in the first days following 9/11.Read More
Reading legal documents is not something I usually enjoy. The Muller indictment of the Russian DNC hackers was different - the amount of detail revealed in the document stunned me, and suggests that the US had very deep visibility into the hackers’ operations. In this article I am not going to look at the details of the hacking or phishing attacks used. Rather, I am interested in how the hackers attempted to misattribute their activities and how their actions and errors undercut that effort.
Read the whole article at Security Week to see my analysis of all they ways the hackers failed in trying to remain hidden.
There has been endless discussion among security professionals about the ethics, propriety, legality, and effectiveness of corporations “hacking back” against attackers. On the other hand, there is no hesitation on the part of attackers to hack back against threat intelligence researchers who are investigating them. Identification and retaliation are a constant risk for anyone probing the darkest back alleys of the internet.
Read the whole article at Security Week to see why and how watching the wrong people can lead to counter-attack.
Sites on the Dark Web Have Several Motivations to Unmask Their Visitors
So, there you are, finally on the private sections of a dark market. You have established reputation and credibility with your targets. Suddenly, you get exposed as a “rat” and banned for life. They grab your escrowed cryptocurrency, and you are back at square one with a foe who is even more alert than before... How did this happen?
Read the full article at Security Week for my thoughts on staying anonymous while visiting the dark web.
I was recently asked, as an entrepreneur and angel investor, to provide the five most important skills and concepts for for founders in startups.
Any list like this will necessarily be incomplete but I found it an interesting question to think through.
Going with my first instincts, here is what I came up with.Read More
Staying anonymous while engaging online is hard, particularly if you need to do so over an extended period of time. While there are thousands of things that can trip you up there are six mistakes that cause most of the problems. Read the article to learn what they are.
I am very excited to see that the first in a series of articles I am writing for Security Week has been published. I would love to hear what you think.
The OODA loop is a well established concept often used in security which originated in the military. OODA stands for Observe, Orient, Decide, Act.
OODA is an iterative process because after each action you need to observe your results and any new opposing action. The idea is that if you can consistently get to the action faster than your opponent you can beat them. It is typically described using an airplane dogfight analogy – airplanes try to turn more quickly and sharply than their opponent in order to get off a shot. But, as you turn faster and faster the g-forces build and at this point the ever faster OODA loop is more like a centrifuge crushing us. We need to break out of the loop and find a new way to play the security game.