What Would You Die For?
At the end of our 2-plus-hour conversation, I asked Sebastian if he had any parting thoughts.
“Who would you die for? What ideas would you die for? The answer to those questions, for most of human history, would have come very readily to any person’s mouth. Any Comanche would tell you instantly who they would die for and what they would die for. In modern society, it gets more and more complicated, and when you lose the ready answer to those ancient human questions, you lose a part of yourself. You lose a part of your identity. I would ask people, ‘Who would you die for? What would you die for? And what do you owe your community?’ In our case, our community is our country. What do you owe your country, other than your taxes? Is there anything else you owe all of us? There’s no right answer or wrong answer, but it’s something that I think everyone should ask themselves.”
✸ Most-gifted or recommended book?
At Play in the Fields of the Lord by Peter Matthiessen
Behind the Scenes
I first met Sebastian at Josh Waitzkin’s (page 577) wedding, who described him via text as: “One of the leanest writers I know. So little bullshit between the muscle.”
Sebastian is a big guy and doesn’t look like a runner, but he can move. He has clocked 4:12 for the mile, 9:04 for 2 miles, 24:05 for 5 miles, and 2:21 for a marathon.
After our interview in my home, I had tea, and Sebastian took a few minutes to fire off emails from his laptop. I noticed him typing with one hand and asked him if he’d injured himself. He laughed sheepishly and explained there was no injury. As it turns out, Sebastian never learned to touch type. He has written all of his books and articles by hunting and pecking with one hand. Incredible.
Spirit animal: Golden retriever
* * *
Marc Goodman
Marc Goodman (TW: @FutureCrimes, marcgoodman.net) has spent a career in law enforcement and technology. He was appointed futurist-in-residence with the FBI, worked as a senior advisor to Interpol, and served as a street police officer. Marc heads the Future Crimes Institute, a think tank and clearinghouse that researches and advises on the security and risk implications of emerging technologies. Marc is the author of Future Crimes: Inside the Digital Underground and the Battle for Our Connected World.
Preface
Being wise includes knowing how to defend yourself or disappear when needed. Step one is becoming aware of the threats.
Google Can Determine Who Lives or Dies
“The fact of the matter is, back in 2008 [in Mumbai], terrorists were using search engines like Google to determine who shall live and who shall die. . . . When you’re sharing on Facebook, it’s not just the media and marketing companies that you need to be concerned about.”
How Business Travelers Often Get Kidnapped
Organized crime outfits are good at bribing airline employees for flight manifests (lists of passengers). They then Google each name, create a list of apparent high-value targets, and arrive early to look for the right names on limo driver signs. They pay or threaten the actual limo drivers, who leave and are replaced:
“The executive flying in from New York, San Francisco, or London would then get off the plane, see the piece of cardboard with their name on it, walk up to the person who was dressed like a limousine driver, get into a car, and get kidnapped as a result. There are actually a few people who were killed.”
TF: This is why I use Uber or pseudonyms for any car service pickups around the world. By using a made-up name for your car reservation, if you see a placard with your real name on it, you know it’s a set-up. If you become successful—or simply appear successful on the Internet—and travel a lot overseas, this is not paranoia.
Personalized Bioweapons
Marc and I discussed how criminals (or intelligent lunatics) could use your genetic information, if it’s made public or hacked:
“I’ll give you a perfect example. There’s a medicine called Warfarin, which is a blood thinner. There’s a certain small percentage of people that have a genetic marker that makes them allergic to that, and it’s deadly if taken. So that would be a perfect example. It’s a common pharmaceutical that exists today, and you can’t know whether or not someone is allergic to Warfarin by looking at somebody. But if [you have their genetic data], now you have that additional piece of information. You know about it, and it could be fatal.”
TF: I spoke about personalized bioweapons nearly 10 years ago with a qualified former NASA scientist. These are real. To stretch your brain on this subject, read a great article of Marc’s in the Atlantic titled “Hacking the President’s DNA.” If you’re a potential high-profile target, you need to think defensively. CRISPR and related technologies could potentially make the near future a boom era for biological weapons. Keep your genetic data very close to your chest. Even if you use pseudonyms, I’ve seen companies that can produce facial features from DNA info. It’s going to be practically impossible to anonymize.
✸ Do you have any quotes that you live your life by or think of often?
[Among others]
“The future is already here—it’s just unevenly distributed.”—William Gibson
“If we continue to develop our technology without wisdom or prudence, our servant may prove to be our executioner.”—Omar N. Bradley
✸ What is the worst advice you see or hear given in your trade or area of expertise?
“If you have nothing to hide, then you don’t have to worry about privacy, and that we must sacrifice our privacy in order to have security.”
✸ Three people or sources you’ve learned from—or followed closely—in the last year?
David Brooks, “The Moral Bucket List.” Nir Eyal, Hooked. Anything by Kevin Kelly, most recently The Inevitable.
Spirit animal: Honey badger
* * *
Samy Kamkar
Samy Kamkar (TW: @samykamkar, samy.pl) is one of the most innovative computer hackers in the United States. He is best known for creating the fastest-spreading virus of all time, a MySpace worm named “Samy,” for which he was raided by the United States Secret Service. More recently, he created SkyJack, a custom drone that hacks into any nearby drones, allowing any operator to control a swarm of devices. He also discovered illicit mobile phone tracking by Apple iPhone, Google Android, and Microsoft Windows Phone mobile devices. His findings led to a series of class-action lawsuits against these companies and a privacy hearing on Capitol Hill.
Why is Samy in Wise? Once again, because feeling safe and enjoying your resources isn’t solely about offense. It’s important to have basic defenses in place. Life is a full-contact sport, and the black swans will come visiting sooner or later.
Back Story
Samy was—perhaps surprisingly—one of my Obi-Wans for the “Dating Game” episode of The Tim Ferriss Experiment TV show. In 15 to 20 minutes, he demonstrated how he optimized and automated nearly all of his online dating in L.A. and other cities. Based on all of his data crunching, he told me shirtless pics and animals were “like crack.” I didn’t believe him, so we tested roughly a dozen of my preexisting profile pics alongside a new, shirtless pic of me with a kitten held over my shoulder. It was an embarrassing, ludicrous pic. Even Neil Strauss (page 347) didn’t want it to win. Alas, it did.
Music for the Zone
To get in the zone, Samy likes to code to AudioMolly.com, The Glitch Mob, and Infected Mushroom. Based on his recommendation, I found some of my current favorites—Pegboard Nerds (“Blackout”) and David Starfire (Karuna)—on AudioMolly.
✸ What advice would you give to your 20-year-old self?
“Stop committing felonies.”
Tools of a Hacker
I’ve often asked Samy, “How can I protect myself against people like you?” The tools below address more than 90% of the most common security threats. I currently use about half of them. This chapter can be dense, so feel free to skim and return to it as a reference, if needed.
If you do nothing else, here’s a 60-second precaution: Put tape or a cover over your laptop camera (and perhaps your phone) when you’re not using it. Samy explained to me how simple it is to hijack cameras. It’s terrifying. This could be used to surveil your house and determine when you’re not home. It could also be used to catch you playing patty cake with Captain Winky. Covering it is 60 seconds well spent.
Enter Samy
How to protect your data on your computer and mobile devices, in case your systems are ever stolen or in case you’re traveling abroad or across borders
* * *
Use BitLocker on Windows or FileVault on OS X. Your data will be encrypted when the machine is off or suspended. Encrypt your hard drive using “full disk encryption” in order to keep your confidential data protected in case your machine is ever lost or stolen, preventing others from extracting data from your device without the password.
You’ll Never Take Me Alive! is a free tool for Windows and OS X machines so that if the machine is ever disconnected from AC power or wired Ethernet while the screen is locked [TF: e.g., someone grabs your laptop out of a coffee shop and sprints off], the system will go into hibernate, preventing a laptop thief from accessing your encrypted data. This requires you to be using FileVault or BitLocker disk encryption.
Use a PIN on your iOS or Android device to encrypt the data locally on the device. While a PIN may seem insecure, your data is typically well protected due to the mechanisms in place to prevent brute forcing of PIN codes onto your device, and the relatively secure (though not perfect) hardware implementations of security within iOS and Android. [TF: If on iPhone, I’d also recommend increasing your PIN from 4 to 8 characters. If someone is trying to brute-force crack your password, this takes the time required from roughly 4 to 5 days to 100+ days (iPhone: Settings → Touch ID & Passcode → Change Passcode)]
Don’t ever use the same password twice! Differentiate your passwords enough that someone can’t guess a password for one site by knowing the password of another. I try to use long but “simple” passwords that are easy to remember like lyrics from a song relevant to the site. A long password, even if mostly English words, is typically stronger than a short password with random characters. For casual, non-technical people, I would suggest using a program like 1Password or LastPass (or KeePass, if you want open-source) to remember all of these. Personally, I use VeraCrypt (below), but it’s more involved. The difference between this and a tool like 1Password is that 1Password is built into the browser and if a vulnerability is found, the software itself has access to my passwords the next time I use it. It’s unlikely to happen, but there is a small risk.
Consider using the free, cross-platform tool VeraCrypt. If you feel you might ever be compelled to reveal a password for your computer such as at a border crossing or by “rubber hose” cryptanalysis (being beaten by a rubber hose until you squeal), you can use “hidden volumes” to hide data with two passwords, providing you plausible deniability. Such hidden volumes are encrypted disks or directories that have one password that decrypts to show various files that you placed and are comfortable with revealing, while a secondary password can decrypt the same folder containing the actual, confidential data you’re protecting, with no way to prove whether there’s a single password or two passwords for the volume. I personally don’t use a second password for any of my encrypted drives. . . . or do I?
Detecting Malware or Software Behaving Badly on Your Computer
* * *
A great amount of software will make outbound connections to the Internet, typically for legitimate purposes, though not necessarily. If you wish to prevent or at least learn when an application is doing this, you can use NetLimiter on Windows or Little Snitch on OS X to detect and decide to allow or block when a specific application is connecting out, and learn where it’s connecting to. You can use Wireshark for further analysis, mentioned below.
You can use BlockBlock on OS X, which notifies you if a program is trying to install itself to run upon startup, even when it’s hiding itself in a nook or cranny of your system, and you have the clear option to block it if you wish. Some viruses or malware or simply annoying software will try to do this and you can decide if it should run at startup or not.
Don’t plug in any USB device that you don’t trust! There are even e-cigarettes that charge over USB that carry malware. If you wish to charge something, it’s safer to use a USB charger/adapter [for a wall outlet] rather than your computer.
Anonymizing Yourself on the Internet
* * *
Tor is a free, cross-platform software that allows you to browse the Internet anonymously and helps you defend against network surveillance. It will help change your IP address each time you use it as well as encrypt your network communication, however the last “hop” in the chain of Tor will always be able to see your unencrypted traffic, though [it will] not be able to detect your IP address. I would trust Tor over any VPN service as no Tor node knows both your IP and what you’re accessing, unlike a VPN, which could be compelled to share that data.
When you take a picture with your smartphone, it’s typically recording your GPS coordinates and other data about the picture, such as device used, into the image. This is called EXIF data and is metadata that’s hidden in the image, and anyone can recover it if you send the image directly to them. You can disable storing location in phones on various platforms [See Settings, Systems Preferences, etc. For instance, on iPhone 6: Settings → Privacy → Location Services] or use free software after the fact to do this. Search for ‘EXIF removal tool’ and find a tool for your operating system or mobile platform to do this when you wish to hide your location from images.
If you want to be particularly crafty, you can use a free app called LinkLiar on OS X to spoof or randomize your MAC address. A MAC address is a fixed, unique hardware identifier of the network device within your computer and never changes otherwise. I’ve also discovered that some large companies track MAC addresses to know the last place you’ve been, so it doesn’t hurt to adjust it every once in a while.
Accessing Interesting Data and Controlling the Websites You Visit
* * *
If a website is delivering images, video, or audio to your computer, that means in most cases you can download it directly, even if the site attempts to stop you. In Chrome (similar tools exist in Firefox and Safari), you can go to View → Developer → Developer Tools, click on the Network tab, refresh the page, and see all content going across. You can then right-click any file, such as an image that the site wouldn’t otherwise let you download, and click Copy Link Address to get the direct URL. The Elements tab is also particularly useful. [TF: You can also use this to easily copy and paste good quotes that some sites like to prevent you from copy and pasting.]
Using the same Developer Tools, if a site is ever trying to force you to sign up, fill out a form you don’t want to fill out, or otherwise cover the page with obtrusive windows or darkening the page, you can use the Elements tab in the Developer Tools (mentioned above), right-click on any element in the tab, and click Remove. Don’t worry, if you remove the wrong thing, you can simply refresh the page and try again! You are only affecting the page on your own computer, but this can be a useful tool to adjust a page to your liking.
Google Reverse Image Search is a surprisingly useful tool if you’re ever trying to perform reconnaissance, or just learn where an image came from or where else it might be used on the Internet. Simply browse to Google Images and drag and drop the image onto the page.
Tools that Hackers Use
* * *
Though I’m not a lawyer, using these tools on a network and devices you have reign over, such as your home LAN, will likely not carry any consequence. The only way to understand the security and insecurity of your own network is to test the same tools attackers would use. I highly suggest those interested in learning use these—both the good guys and the bad guys are using these same exact tools!
To learn about some of the starting tools a hacker, attacker, or someone just curious about security would use, I’d suggest looking at beginning tools such as Wireshark, Charles (web debugging proxy), NightHawk (ARP/ND spoofing and password sniffing), arpy (ARP spoofing), dsniff (password sniffing), and Kali Linux (penetration testing) and looking up tutorials on network intrusion, sniffing, and man-in-the-middling. Within a few minutes and with a tool like Wireshark, you can start seeing all the traffic going in and out of your computer, while tools like Nighthawk and arpy in conjunction with Wireshark can help you inspect and intercept all traffic on a network!
To further dive into security, I’d suggest learning to program. It’s easier than you think! Learning to program allows you to learn how someone might engineer something and helps you think about how you can then reverse that and exploit it, as if you had created it yourself.
Tools of Titans Page 44