Operation Green Heart targets online currency counterfeit buyers
Image courtesy of Europol
A massive Europe-wide operation took place between November 19 and December 6th, resulting in the arrest of 235 suspects in 13 countries. The operation confiscated 1,500 Euro banknotes, drugs, weapons, computers, phones, bitcoin, etc.
This operation was made possible after a 33-year-old counterfeiter was arrested in June 2018 by Austrian police in the city of Leoben. The counterfeiter was producing 10, 20 and 50 Euro banknotes, and it is believed he had successfully offloaded over 10,000 notes (worth ~ $500,000 EUR) before being arrested. The counterfeit notes were sent out using regular mail, so as not to arouse suspicion.
The counterfeiter is believed to have designed the notes on his own computer. He printed them himself and made them look authentic using (suspected) Chinese-made holograms. Depending on the quality of the prints, the price varied from 15-40% of the notes' face value.
Aldia.cat also reports that data from an FBI/Europol raid on another Darknet seller specializing in weapons, drugs and fake money also contributed valuable information to Operation Green Heart.
The operation involved raids on 300 dwellings across Europe: 178 in Germany, 28 in France, 20 in Austria and others in Spain (Madrid, Valencia, Las Palmas de Gran Canaria, Tenerife, Barcelona, Sevilla, Granada, etc.), Croatia, Cyprus, Finland, Ireland and the Netherlands.
One of the suspects arrested in Munich still had 14 counterfeit notes with him.
The moral of the story is that good policing can cut through the anonymity of TOR, so criminals beware.
Sources:
EU-WIDE ACTION AGAINST BUYERS OF COUNTERFEIT MONEY ON THE DARKNET
Desmantellada una xarxa de distribució de bitllets falsos adquirits amb ‘bitcoins’
Vente de faux billets d'euros sur le darknet : arrestations à Montpellier et dans les P-O
Detenidas 18 personas, dos en CLM, por distribuir dinero falso adquirido en la darknet
Detingudes 18 persones per distribuir diners falsos adquirits a la 'darknet'
DarkPage wants to resurrect Backpages
US law enforcement shut down the online classified ads site in April (2018) because they had evidence it was facilitating human trafficking and exploitation. Supporters applauded the authorities for shutting down a marketplace specifically encouraging the sale of sex, while free speech advocates highlight this as a limitation of free speech (and press) by government.
<img src="https://ekiledjian2.micro.blog/uploads/2025/e72ca9acd2.jpg" alt="">
There is now an attempt to resurrect this service online (by new owners) using the secrecy of the TOR darknet anonymous network (http://s7guxry2lvu3bblf.onion/)
On the internet, many espouse the belief that if something can be done, then it should be done without any regard to the socioeconomic impact.
The site is very basic, with a clumsy interface. Clearly this was a hastily designed and deployed site.
This site is in startup mode, and you will notice that most categories are still empty, but it will be interesting to watch and see what happens. Could the push for open sexual advertising drive users to a TOR site (which typically is only used by more tech-savvy professionals)?
What is Bitcoin?
Bitcoin is a decentralized digital currency, without a central bank or single administrator, that can be sent from user to user on the peer-to-peer bitcoin network without the need for intermediaries. Transactions are verified by network nodes through cryptography and recorded in a public distributed ledger called a blockchain. Bitcoin was invented in 2008 by an unknown person or group of people using the name Satoshi Nakamoto, and started in 2009 when its source code was released as open-source software.
Bitcoin is often called the first cryptocurrency, although prior systems existed. Bitcoin is more correctly described as the first decentralized digital currency. It is the largest of its kind in terms of total market value.
Bitcoins are created as a reward for a process known as mining. They can be exchanged for other currencies, products, and services. As of February 2015, over 100,000 merchants and vendors accepted bitcoin as payment. Bitcoin can also be held as an investment. According to research produced by Cambridge University there were between 2.9 million and 5.8 million unique users using a cryptocurrency wallet, as of 2017, most of them using bitcoin.
What is proof of work?
Proof of work is a system that is used to secure the Bitcoin network. Miners are rewarded with bitcoins for their work in verifying and committing transactions to the blockchain. Proof of work is also used to ensure that new blocks are added to the blockchain in chronological order and not randomly.
In order for a new block to be added to the blockchain, miners must solve a complex mathematical problem. The difficulty of this problem varies depending on the total amount of computing power that is being used to mine Bitcoin. When more miners join the network, the problem's difficulty increases, and vice versa.
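To make the "complex mathematical problem" concrete, here is an added example (not code from Bitcoin or from this blog): a miner searches for a nonce whose hash falls below a target, each block commits to the previous block's hash, and a retarget function tightens or loosens the target depending on how fast blocks arrived. The header layout, payload strings and function names are simplifications assumed for illustration.

```python
import hashlib
import struct

MAX_TARGET = 2**256 - 1          # easiest possible target: every hash qualifies
GENESIS_PREV = b"\x00" * 32      # placeholder "previous hash" for the first block


def block_hash(prev_hash: bytes, payload: bytes, nonce: int) -> bytes:
    """Double SHA-256 over a simplified header (prev hash, payload digest, nonce)."""
    header = prev_hash + hashlib.sha256(payload).digest() + struct.pack("<Q", nonce)
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()


def meets_target(digest: bytes, target: int) -> bool:
    """A hash is valid proof of work when, read as an integer, it is <= target."""
    return int.from_bytes(digest, "big") <= target


def mine(prev_hash: bytes, payload: bytes, target: int, max_nonce: int = 2**32):
    """Brute-force the nonce. There is no shortcut: this loop is the 'work'."""
    for nonce in range(max_nonce):
        digest = block_hash(prev_hash, payload, nonce)
        if meets_target(digest, target):
            return nonce, digest
    raise RuntimeError("nonce space exhausted without meeting the target")


def retarget(old_target: int, actual_seconds: int, expected_seconds: int) -> int:
    """Blocks arriving too fast (more miners) shrink the target, i.e. raise difficulty.

    The adjustment is clamped to a factor of 4 in either direction.
    """
    clamped = min(max(actual_seconds, expected_seconds // 4), expected_seconds * 4)
    return min(old_target * clamped // expected_seconds, MAX_TARGET)


def build_chain(payloads, target: int):
    """Mine one block per payload, each committing to the hash of the one before."""
    chain, prev = [], GENESIS_PREV
    for payload in payloads:
        nonce, digest = mine(prev, payload, target)
        chain.append({"prev": prev, "payload": payload, "nonce": nonce, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain, target: int) -> bool:
    """Verification costs one hash per block, however long mining took."""
    prev = GENESIS_PREV
    for block in chain:
        digest = block_hash(block["prev"], block["payload"], block["nonce"])
        if block["prev"] != prev or digest != block["hash"]:
            return False
        if not meets_target(digest, target):
            return False
        prev = digest
    return True


# Constructed sample data: about 12 leading zero bits, roughly 4,096 tries per block.
DEMO_TARGET = 2**244
DEMO_PAYLOADS = [b"alice pays bob 1", b"bob pays carol 2", b"carol pays dave 3"]

if __name__ == "__main__":
    demo = build_chain(DEMO_PAYLOADS, DEMO_TARGET)
    for blk in demo:
        print(blk["nonce"], blk["hash"].hex())
    print("chain valid:", verify_chain(demo, DEMO_TARGET))
```

Because each block's hash covers the previous block's hash, changing an earlier payload invalidates that block and every block after it, which is what fixes the order of blocks.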
Why do environmental groups have a problem with proof of work?
Environmental groups have a problem with proof of work because it requires a lot of energy to power the computers that are used for mining. In fact, according to one estimate, the amount of energy required to mine Bitcoin is more than the annual energy consumption of the country of Ireland.
This has led to concerns that proof of work is not sustainable in the long term and that it could have a negative impact on the environment. However, there are some proposed solutions to this problem, such as using renewable energy to power the computers used for mining or using proof of stake instead of proof of work.
What is proof of stake, and can it solve the environmental problems?
Proof of stake is an alternative to proof of work that is used to secure the Ethereum network. Miners are not rewarded with bitcoins for their work but instead earn a share of the transaction fees that are collected by the network.
This system is seen as more energy efficient than proof of work, as it does not require powerful computers to run the mining process. However, proof of stake is still in the early stages of development, and it is not yet clear if it will be able to scale to the same level as proof of work.
Review of Quip's toothbrush as a service
This blog article is not advertising and is not a sponsored post.
Quip is a new entrant in the competitive and packed electric toothbrush space. Unlike many of the larger bulkier electric toothbrushes, Quip is a sleek, shiny and well designed modern looking toothbrush.
Like all modern electronic works of art, it comes in different colours, finishes and materials.
It also carries the American Dental Association Seal of Acceptance. The ADA website explains it as "To this day, dentists and consumers recognize it as the gold standard for evaluating safety and efficacy of dental products."
So how does the Quip compare? Quip is a simpler toothbrush that delivers the basics: it has a vibrating alert timer (to measure brushing each quadrant) and has gentle cleaning vibrations that won't harm your gums.
What does it come with? The basic kit comes with a pre-installed battery, brush head and a slim toothbrush holder (attaches to your mirror with micro suction cups but also doubles as a travel cover). I have had it attached to my bathroom mirror for 30 days, and it hasn't fallen off once. I have traveled with it once, rinsed it with warm water when I got back, and it stuck right back on the mirror.
How do you charge the battery? I have used OralB and Philips electric toothbrushes, and they each come with their charging bases (which are usually bulky and consume valuable counter space). The Quip uses a single AAA battery that can be changed within seconds. Since Quip is a Toothbrush As A Service, when you subscribe to their toothbrush head replacement plan, they also send you a replacement battery every three months. If you travel and run out of power, replace it with a cheap AAA you can buy anywhere, and you don't have to carry a bulky charger.
How does it compare to a "normal" (non-powered) toothbrush? The Quip is definitely better than a normal plastic toothbrush because it offers gentle vibrations and helps with timing. Additionally, they send replacement heads automatically which means you never have to worry about timing replacements.
How does the Quip compare to other electric toothbrushes? It depends. The truth is that the newer electric toothbrushes that vibrate and rotate seem to deliver an easier and better clean. However, the Quip is less than half the cost, easier to travel with and effective when used as directed (in conjunction with flossing and regular dentist visits).
General recommendations included with the introductory guide are:
- Use a pea-sized amount of toothpaste
- Brush gently (don’t push too hard or you will injure your gums)
- Make sure you brush every tooth from all directions
- Brush for two minutes (30 seconds per quadrant)
- Brush your tongue (the back of the brush head has a scraper)
- Don’t rinse your mouth right after brushing
What are the cons?
The Quip is better than a plain non-powered toothbrush, but its performance is significantly worse than the modern sonic toothbrushes.
The Quip's bristles are better than a non-powered toothbrush, but they aren't as good as the ones on powered brushes that seem to have better reach into hard to reach crevices.
Conclusion: I like the Quip, but it isn't the most effective electric toothbrush. Not a bad offering but you need to determine what your actual needs are. I hope Quip releases another generation of their product with rotating bristles that uses real sonic pulses.
Continuous authentication is the future
User authentication is one of the most important and fundamental building blocks of security. Authentication is built on username, password, token, biometrics or any combination of these. Regardless of the model, authentication is performed when the user starts his/her interaction with the target system.
What do you do if you require a higher level of authentication? What if you need to make sure the user interacting with your system is always who they say they are? This is where the concept of continuous authentication comes in. We started to see this concept implemented for the mass-market with the Apple Watch and Apple Pay. You authenticate Apple Pay once and as long as the watch stays on your wrist (validated with a pulse), you do not need to re-authenticate. Apple Pay can be sure that the person wanting to make a payment is the user that authenticated originally.
Continuous Authentication is a paradigm shift moving authentication from an event to a continuous risk management process.
Dynamic risk-based authentication means the system is continuously monitoring changes to environmental parameters and can decide the trustworthiness of users continually.
The shift to continuous authentication is inevitable. Not only will it make authentication more natural for the user but it will allow security administrators to implement much tighter security models.
As an example, if the user walks away from the computer, the system could notice and freeze the interactive session. Another example: a user working on a PC is tricked into launching malware. The system could be intelligent enough to know that a rogue process is attempting to masquerade as the user and block access.
Continuous authentication will use the full array of modern technologies, and others that have yet to be released: parameters such as keyboard typing speed and style, how the user swipes on a touchscreen device, how the user moves the mouse, the camera input (from modern day cameras), gait analysis using the accelerometer in a smartphone or smartwatch, etc.
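The following added example (not taken from any product, and not the author's code) sketches authentication as a running risk score rather than a one-time event, using two of the signals mentioned above: typing cadence compared against an enrolled profile, and the user walking away. The thresholds, the smoothing factor, the z-score scaling and all sample timings are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from math import sqrt
from statistics import mean, stdev

ALLOW, STEP_UP, LOCK = "allow", "step_up", "lock"


@dataclass
class TypingProfile:
    """Enrolled baseline of the user's inter-keystroke intervals (milliseconds)."""
    mean_ms: float
    stdev_ms: float

    @classmethod
    def enroll(cls, intervals_ms):
        return cls(mean(intervals_ms), stdev(intervals_ms))

    def anomaly(self, window_ms) -> float:
        """Z-score of a window's mean interval against the enrolled baseline."""
        stderr = self.stdev_ms / sqrt(len(window_ms))
        return abs(mean(window_ms) - self.mean_ms) / stderr


@dataclass
class ContinuousSession:
    profile: TypingProfile
    step_up_at: float = 0.5        # risk at which a fresh factor is requested
    lock_at: float = 0.8           # risk at which the session is frozen
    absence_limit_s: float = 30.0  # how long the user may be away from the device
    smoothing: float = 0.5         # weight given to the newest observation
    risk: float = 0.0
    locked: bool = False
    history: list = field(default_factory=list)

    def _decide(self, signal: str) -> str:
        # Once locked, only an explicit re-authentication can reopen the session.
        if self.locked or self.risk >= self.lock_at:
            self.locked = True
            decision = LOCK
        elif self.risk >= self.step_up_at:
            decision = STEP_UP
        else:
            decision = ALLOW
        self.history.append((signal, round(self.risk, 3), decision))
        return decision

    def observe_typing(self, window_ms) -> str:
        """Blend the newest typing anomaly into the running risk score."""
        observed = min(self.profile.anomaly(window_ms) / 6.0, 1.0)  # z >= 6 saturates
        self.risk = (1 - self.smoothing) * self.risk + self.smoothing * observed
        return self._decide("typing")

    def observe_presence(self, seconds_absent: float) -> str:
        """A user who has walked away freezes the session regardless of other signals."""
        if seconds_absent > self.absence_limit_s:
            self.risk = 1.0
        return self._decide("presence")

    def reauthenticate(self, success: bool) -> str:
        """A successful step-up (password, token, biometric) resets the score."""
        if success:
            self.risk, self.locked = 0.0, False
        return self._decide("reauth")


# Constructed sample timings, in milliseconds between keystrokes.
ENROLLMENT_MS = [180, 200, 210, 190, 205, 195, 220, 185, 200, 215]
OWNER_WINDOW_MS = [190, 205, 198, 210, 195]
OTHER_WINDOW_MS = [110, 120, 105, 115, 125]

if __name__ == "__main__":
    session = ContinuousSession(TypingProfile.enroll(ENROLLMENT_MS))
    session.observe_typing(OWNER_WINDOW_MS)
    for _ in range(3):
        session.observe_typing(OTHER_WINDOW_MS)
    for entry in session.history:
        print(entry)
```

A single odd window only triggers a step-up; it takes sustained deviation, or a hard signal such as absence, to lock the session, which keeps false lockouts low for the legitimate user.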
Although continuous authentication will be easy for users, expect it to be very complicated for developers. Expect this to be a burgeoning market in the coming years, something most security professionals have to start thinking about. We expect to start seeing serious mass market products around 2020-2021.
Dramatic drop in the number of US Public Companies
Going public was considered the ultimate sign of success for any company in a capitalist market. It meant the company had succeeded and the founders and original investors could reap some of the benefits. Public stock also allows companies to raise money, use stocks as a means to acquire and much more.
Would it surprise you to learn that the number of publicly listed American (USA) companies has declined dramatically?
We are currently sitting at about half the number of public companies, compared to the 80s and 90s. More are taken off the market through mergers and acquisitions. In 1996, 9080 companies were listed in the USA. In 2017, that number fell to 4336 (an almost 50% drop).
We are seeing more and more companies stay private longer. Why is this? Many, like the US Chamber of Commerce, believe overly burdensome regulations like Sarbanes Oxley are encouraging companies to stay private. Going public means spending millions on compliance and executives running the risk of jail time.
The numbers show that the decline started around 1997-1998, while Sarbanes Oxley was enacted on July 30, 2002. So SOX could be partly to blame for an acceleration in the rate of decline but it cannot be the sole culprit. The other half of the decline could be attributed to the end of an era of irrational exuberance (where hundreds of unprofitable companies couldn’t find continued funding and folded).
While the number of publicly listed companies fell sharply, the value of those that remained listed grew dramatically.
In 1996, the market capitalization of listed US domestic companies totaled 8.48 trillion dollars. In 2017, it hit 32.121 trillion dollars (all the while the number of companies listed dropped ~50%).
Many market purists now complain that this illustrates an unhealthy concentration of market power in the hands of fewer and fewer companies. Perhaps there is some truth to these concerns but on the other hand, many of the winning companies did so through technological innovation and global expansion.
Does this concentration mean newcomers are starving for funding? The answer is a resounding no. Look at the company everyone loves to hate, Uber. According to Crunchbase, Uber has raised 24.2B$ through 21 rounds of funding. The same can be said for dozens of other companies.
“Innovative startups are still able to secure critical funding to build, grow and expand.”
Aren’t public companies more transparent? The belief is that private companies are more opaque because there are fewer disclosure requirements and in most cases the company is managed by a small number of investors. Although government regulations like SOX impose a higher burden on public companies to be transparent, the truth is that a select group of large investors hold the majority of the shares for most companies (think hedge funds, pension funds, etc). So if we agree that public and private companies can be controlled by a select group of large investors, then the only difference is forced transparency through government regulation.
In addition to being VP Information Security for a large tech company, I am also responsible for many of the company’s compliance activities. Would I love the compliance burden to lighten? Of course, but the truth is that these compliance requirements instill a certain level of trust in the market. It is this forced transparency that makes the Western Markets so attractive to investors. Additionally, we saw the US attempt to lighten the regulatory burden on early-stage companies through the 2012 JOBS Act. The JOBS Act was designed to encourage smaller companies to go public. The argument was that these organizations were delaying going public because of overly burdensome government regulations. The JOBS Act dramatically reduced this burden, hoping to spur a mad dash to IPO-heaven for companies under 1B$ in annual revenue. 12 months after go live, the number of companies that IPOed was just 63, which was down 20% from the previous year. It didn’t really help companies improve their performance and it didn’t spur a mad dash to the public markets as anticipated.
“None of the available data shows that a reduction in government regulation or control would lead to a statistically significant increase in the number of IPOs”
Conclusion
The moral of the story is that the USA is still a world leader in free markets and has the most valuable public companies of any country. Part of this success is due to the perceived transparency USA government regulation creates and hurting this in any way could undermine US public market leadership.
US public companies are raising more money than ever before, and US public companies are larger than ever before. Foreign companies looking for cross-border listings are overwhelmingly choosing US markets.
“The US remains the most attractive public equity market in the world.”
Although there are fewer IPO companies today (compared to 20 years ago), modern companies are more stable, are raising more money and are considerably more sustainable.
What is a Progressive Web App
Over the last 18 months, I have seen more and more sites prompting me to "Add to Home Screen" from websites I have been browsing. When you add the site, it installs itself in the background and is then accessible like a native app from your smartphone.
<img src="https://ekiledjian2.micro.blog/uploads/2025/0b9df6b222.jpg" alt="">
What I have just described is the wondrous workings of a fairly new technology called Progressive Web Apps. This technology (called PWA) works even when you are offline and behaves like a "normal" smartphone app.
What are progressive web apps?
PWAs were created by Alex Russell and Frances Berriman. The technology driving Progressive Web Apps isn’t new. What was required was a new recipe to make Progressive Web Apps behave like native apps. This means that a progressive web app will work (as long as the platform supports it) on an iPhone or Android smartphone, a Chromebook or iPad, on Windows or Mac.
True cross-platform applications without needing to join an app store with super restrictive controls (I’m looking at you Apple).
Why Progressive Web apps
Like many of you, I live in a world with abundantly fast internet. This simply isn’t the reality everywhere. Even in my own backyard of Ontario (Canada), there are communities where internet is delivered via very slow ADSL.
PWAs, once installed, cache the content locally which means they will respond quickly even for those on slow internet connections.
Statistics show that users still prefer native apps to web pages. There are a ton of reasons for this, from convenience (single click from your home screen) to the ability to get push notifications, etc. The web simply doesn’t offer the same bells and whistles.
PWAs offer most (if not all) native functions. They start up with a single click from the home screen and can hook into most native features. PWAs can even offer notifications (like a native app) and therefore remind the user to open and engage with the app.
What is required to build a progressive web app?
This is not a technical instructional article but you need 4 elements to build a Progressive Web App:
<img src="https://ekiledjian2.micro.blog/uploads/2025/47a8cf0978.jpg" alt="Google Firebase Web App Manifest Generator">
Google Firebase Web App Manifest Generator
- Web App Manifest - A JSON file with metadata about the web app. It contains information such as the icon, background color, app name, etc.
- Service Workers - Event-driven agents that work in the background. They perform tasks like updating the web app or its content.
- Icon - You need an icon to represent the Progressive Web App on the home screen.
- HTTPS - The app and its content must be securely delivered over a TLS session.
Progressive Web app examples
You will find new PWAs every day but here are a couple of cool ones to get you started:
- WebFlap - A Flappy Bird game clone
- AliExpress - Everyone’s favorite China cheap item import site
- Financial Times - A respected global newspaper
- QR Code Scanner - A PWA that scans barcodes
- SnapDrop - A PWA that enables you to transfer files from one device to another
- Notes - A super simple note taking app
- Currency Calc - An easy to use currency conversion tool
Tochka DarkNet Marketplace
It's been a while since I posted a Darknet website. I would like to introduce you to the Tochka Marketplace ( http://pointgg3pgee4gic.onion/ )
Tochka was launched in 2015 by Russian-speaking devs. It offers the ability to conduct transactions without the buyers and sellers having to talk. Dead-drop transactions are available for more sensitive transactions. They also offer a "Buy It Now" option called "Instant Trade".
This is a smaller marketplace and is less known than its more popular (aka news-worthy) counterparts. It has poorer design and a questionable choice of colors.
Enter the marketplace
<img src="https://ekiledjian2.micro.blog/uploads/2025/bac14c42cf.jpg" alt="">
If you click on the vendor tab, you can choose your seller of choice.
You can buy anything from marijuana to marijuana oil, research chemicals, prescription medications, credit cards and everything in between.
<img src="https://ekiledjian2.micro.blog/uploads/2025/695033c29f.jpg" alt="">
Shipping Expertise
What you will find most interesting is how they have developed expertise to ship items carefully wrapped in an attempt to bypass customs inspection. Hopefully, writing about it here will create interest from some police departments and help shut down some of these more questionable and dangerous sellers.
Ridge minimalist wallet review
<img src="https://ekiledjian2.micro.blog/uploads/2025/6653596a06.jpg" alt="">
This is not an ad or sponsored post. This is an honest review.
I have been a fan of minimalist wallets for many years, and my wallet of choice has been the HuMn Aluminium wallet.
Ridge Wallet Specs
- Holds 1-12 cards without stretching out
- Blocks RFID (wireless theft)
- Replaceable elastic
- Backed by our lifetime warranty
- 6061-T6 aluminum | anodized black
- Weight: 2 oz | 86 x 54 x 6 mm
Ridge Wallet Use
<img src="https://ekiledjian2.micro.blog/uploads/2025/5198f65307.jpg" alt="">
You add a card by sliding it from the top groove
To access a card, you press the ridged opening and pull the required card out from the top
To Insert a Card: Gently slide the card into the top groove.
To access a card in the middle, you push out all the cards from the ridge, separate the metal plates and then find your card.
<img src="https://ekiledjian2.micro.blog/uploads/2025/63bd36b2c6.jpg" alt="">
This strategy is similar to the HuMn wallet and most other plate-based wallets. This may seem a little off for someone coming from a traditional leather style wallet but you will get used to it quickly. You will start moving your most used cards to the top or bottom of the stack.
Design
The stated purpose of the Ridge was to design a sleek minimalist wallet that would be durable and easy to use. I believe they successfully achieved this stated goal. The height and width of the Ridge Wallet are designed to be very slightly larger than (North American) style credit cards.
<img src="https://ekiledjian2.micro.blog/uploads/2025/70e3707be6.jpg" alt="">
First thing first, the wallet is a thing of beauty. Much better looking than the HuMn Wallet.
The aluminium wallet will feel slightly heavier than a “normal” wallet. After 3 weeks of use, the wallet feels normal and not heavy at all. For those that are looking for a lighter option, the polycarbonate or carbon fiber models are lighter. Unless you want carbon fiber for the look and prestige, the aluminium version is likely the best cost/benefit deal.
The wallet comes with either a money clip or elastic band. I chose the clip version which makes it slightly thicker and less useful. I recommend you acquire the elastic band version.
For those that carry their (normal) wallets in their back pocket, you will notice that your cards are slightly bent. The Ridge Wallet’s aluminium “walls” are strong enough to keep the cards straight even if you sit on them.
The company claims that their wallet provides RFID protection. I used an RFID scanner to test this feature and can confirm that it does offer RFID protection (most leather wallets do not offer such protections).
Some companies provide non-standard sized cards (loyalty and membership). Those non-standard cards do not work well with the Ridge. In my case, I do not have any of those.
Behavioral change
For those coming from a normal leather wallet, moving to any minimalist wallet will force you to reconsider what cards you carry with you on a daily basis. In my case, I scanned all my loyalty cards into Google Pay (and Apple Pay) and leave those at home. Additionally I stopped carrying cards I barely use.
Conclusion
Coming from the HuMn Wallet, I wasn’t sure how I would feel about the Ridge Wallet. The truth is that I liked it much more than I expected and it has now become my main daily-use wallet.
They have made a great product that balances form, function and cost.
It is strong, light and dependable. For those looking for a great EDC wallet, this is currently the best choice available (I have tested over a dozen such wallets).
Link: Ridge wallet
Tab complete on Linux
NOTE: Sorry if this is a more technical article and not for general consumption.
Tab complete is the magic wand of any Linux magician and I am surprised every time I see users ignoring it.
Shorthand for system commands
Let’s say I want to type ifconfig. If I enter ifc and then press the TAB key, Linux will autocomplete the rest of the command for me.
<img src="https://ekiledjian2.micro.blog/uploads/2025/845b22731d.jpg" alt="">
This trick can work for any app or command. If I want to start firefox, I just have to enter fire and press TAB; since there is no other Linux command that starts with fire, the system will autocomplete to firefox.
Find command syntax
It can be useful to complete system commands by tapping TAB twice. As an example, if I write sudo apt- and press TAB twice, it will list all the possible commands starting with apt-.
<img src="https://ekiledjian2.micro.blog/uploads/2025/de460b2d94.jpg" alt="">
Autocomplete file name
Let’s say you have a long file name like thisIsALongFileNameThatwouldBeDifficultToType565464654.txt and obviously want to save time. You just have to enter enough text to make the file uniquely identifiable (e.g. thisI), and then pressing TAB will autocomplete the rest for you. In this case, if I want to display the contents of the text file, I could enter
cat this [then press tab]
the system will autocomplete it for me.
Popular TOR site list
The request I receive most often is from readers asking for links to “interesting” TOR (onion) sites. So here are a couple to keep you going.
TOR Search Engines
<img src="https://ekiledjian2.micro.blog/uploads/2025/989863b13b.jpg" alt="">
Candle is a basic search engine. It contains a small but interesting subset of TOR sites.
<img src="https://ekiledjian2.micro.blog/uploads/2025/561e1e16ac.jpg" alt="">
Grams is a dark market search engine for labour, digital & physical goods that can be purchased with various currencies including Bitcoin. It searches the most popular darknet markets including Hansa, AlphaBay, Agora, Nucleus Market, Majestic Garden, Oxygen, Outlaw Market, Oasis, Tochka and Arsenal.
<img src="https://ekiledjian2.micro.blog/uploads/2025/49275d679e.jpg" alt="">
Haystack is another TOR (darknet) search engine and claims to have indexed 1.5 billion pages (which makes it one of the most comprehensive TOR search engines). In my experience, this site is a hit-or-miss type of thing. Every couple of searches fails for me.
Security sites
<img src="https://ekiledjian2.micro.blog/uploads/2025/7df9b2de84.jpg" alt="">
GnuPG (open source version of PGP) allows users to cryptographically sign and encrypt email communications.
<img src="https://ekiledjian2.micro.blog/uploads/2025/5e147fb451.jpg" alt="">
OnionShare is a free and open source tool that allows users to securely and anonymously share large files over the TOR network.
Anonymous Pasting sites
There may be times when you want to post (public or private) a snippet of text with the world. The common feature shared by most of these TOR based services is that pastes delete automatically after a certain amount of time. These are TOR alternatives to pastebin.com
<img src="https://ekiledjian2.micro.blog/uploads/2025/a6a32f406e.jpg" alt="">
DeepPaste is a very simple and basic pasting service.
<img src="https://ekiledjian2.micro.blog/uploads/2025/423185656f.jpg" alt="">
RiseUp pastes are automatically deleted within a week. Additionally, you can share files up to 50MB.
<img src="https://ekiledjian2.micro.blog/uploads/2025/6c876dce25.jpg" alt="">
Pasta is an open source paste service that supports standard pastes, editable pastes, self-burning pastes and a URL shortener.
<img src="https://ekiledjian2.micro.blog/uploads/2025/3c26e77f35.jpg" alt="">
Confidant Mail is a free and open source non-SMTP encrypted email system that leverages GNU Privacy Guard (PGP).
<img src="https://ekiledjian2.micro.blog/uploads/2025/16777721fa.jpg" alt="">
Daniel email service is a free anonymous email and XMPP service (limit of 25MB storage space). Encryption is not built into the service.
<img src="https://ekiledjian2.micro.blog/uploads/2025/f2949a0f7e.jpg" alt="">
Elude is an email service with encrypted storage with a TOR only web client. Their accounts are completely anonymous, they allow you to purge your data completely if required and provide encryption.
<img src="https://ekiledjian2.micro.blog/uploads/2025/7b2bff5838.jpg" alt="">
I wrote a review about ProtonMail here and their well designed email service is also accessible via the TOR network. This is a very good option because unlike the other email services here, ProtonMail is a real company offering a professional service.
Social sites
<img src="https://ekiledjian2.micro.blog/uploads/2025/16389ee74b.jpg" alt="">
Cyph Messenger is an open source video chat and file transfer app that uses a modified Signal messenger protocol enhanced with Quantum Resistant encryption (their claim).
<img src="https://ekiledjian2.micro.blog/uploads/2025/27e17a4ec2.jpg" alt="">
Dread is a TOR Reddit clone that is used primarily as a drug market discussion and reviews forum.
<img src="https://ekiledjian2.micro.blog/uploads/2025/d289ae9c16.jpg" alt="">
Here is the Facebook TOR site.
Common hotel safety and security questions
When an operational security expert thinks about hotel risks, we typically group them in these buckets:
- physical security
- safety
- technological risk
Travel security means you need to think about potential risks you may be exposed to and how you could mitigate them.
What about room security?
The first thing you should do when you walk into any hotel room is walk around and identify all potential ingress points. Make sure that they are locked (windows, sliding doors, doors to adjoining rooms, etc).
The front door is your primary risk and anytime you are in the room, you should always use all of the protection mechanisms made available to you (lock, hasp and deadbolt).
<img src="https://ekiledjian2.micro.blog/uploads/2025/2e4c7006c4.jpg" alt="">
When travelling, I always carry a light and cheap Addalock to provide an additional level of safety.
If I'm going to sleep and believe that the risk level may be higher than normal, I will stack the glass cups (water and coffee) in front of the door so any attempted opening will cause them to fall and wake me up.
Are peepholes in hotel rooms really an issue?
The short answer is yes. There are inexpensive adapters that reverse the magnification of a peephole and allow a threat actor to watch you inside your room. I have even seen some with smartphone adapters so you can even record video.
Tip: If the peephole doesn't have a cover built-in, roll up some toilet paper and shove it in the peephole.
Is a hotel safer than an AirBNB?
This is a question I receive regularly and the answer isn't simple.
Most AirBNBs are located in nondescript residential buildings and therefore could allow you to blend in with the locals. Remember that you have to trust the Airbnb host.
A hotel, on the other hand, is flashy and everyone knows where it is (forget about blending in), but these establishments typically have stronger, better-designed security.
Hotels typically set up shop in safer neighbourhoods whereas an Airbnb can be anywhere.
You need to do some research and determine what your risk profile is and then determine which solution best meets your requirements.
What should I look for before booking a hotel room?
In an emergency situation, you are ultimately responsible for your own safety. An ounce of prevention is worth a pound of cure. Do your research before booking a hotel and the room. I generally want a non-biased third party to provide the below answers. If that is not possible then I try to stick to major Western chains that usually will be fairly honest with their answers.
- Choose a hotel where the room locks are electronic. This makes it harder for previous guests or “bad guys” to have access to your room. Ask for 2 copies of the room key and keep both on you. If you misplace or lose one, immediately notify the hotel and have replacements made.
- Make sure the room is equipped with a deadbolt lock and a peephole
- Most of us do not pay attention to the hotel’s fire suppression system but trust me this one is important. Make sure your room is equipped with a smoke detector and that each room (and the hallways) have visible sprinkler systems. In many countries, the fire response teams are not as fast, well equipped or trained as in North America.
- Make sure that the hotel environment is secure with proper fencing and that the guest areas are well lit (parking, hallways, ice rooms, etc).
- Generally, I prefer hotels where the elevator leaving the parking area only goes to the lobby (and not directly to the rooms).
- I try to make sure that any hotel I choose has adequate security personnel. I like to see uniformed security personnel that seem to be well trained and adequately equipped (in this case adequate depends on the area.) They should be willing to escort you to your room or vehicle if requested.
- I recommend you contact the foreign affairs ministry of your country (DFAIT in Canada, US Embassy for the USA, etc). Ask them about the area the hotel is located in and determine how safe it is.
How do I ensure my stuff hasn't been tampered with?
If you have read my other articles, I talk about hotels being a prime target for intelligence gathering. Where possible, take all of your "stuff" (passports, money, electronics, etc) with you. Sometimes that isn't possible or desirable, so what do you do?
Make sure everything is turned off (not in hibernation or sleep mode).
Use discreet alignment of your "stuff" to detect if anyone has tampered with it. Discreet alignment means that everything has been placed in specific ways so you will detect the slightest movement. As an example, maybe you place a water bottle 1 thumb away from the USB port of your laptop. When you come back, you will immediately know if someone tampered with that port (if the alignment is off).
You can also use cardinal bearings (alone or with discreet alignment). Cardinal bearings are basically compass headings. So you place the protective item (coffee cup in front of the sensitive USB port) and make sure the handle of the coffee cup has a perfect bearing of north. You can also use pens or anything else that is easy to move.
Once you have set up your environment, take pictures of it with your smartphone camera.
If you are being tracked, make sure everything looks natural. You do not want anyone to suspect that you are laying traps.
Using the do not disturb sign
In security, we want as much advance notification as possible that something is wrong. The trick here is to place the do not disturb sign on your door but to do it in a way that is unique but natural. As an example, instead of letting the sign just hang freely from the handle, you place the edge into the door frame so it is on a slight angle. To most people, it will seem like you left in a hurry and the sign just got stuck in the door. If you come back and the sign is no longer on an angle stuck in the door frame (i.e. it is hanging freely), that means someone was in your room and that you should approach with caution.
How to make yourself an easier target for hackers
I've talked about different technologies to provide additional protection when working online (Chromebooks1, Chromebooks2, VPN1, VPN2, VPN3, etc.) The truth is that anything that is posted, shared, stored or connected online risks being hacked and leaked.
Instead of telling you how to protect yourself, I want to share tips on how to make yourself a flashier and easier target for hackers. After all, why make their lives more difficult than it needs to be?
Reuse the same passwords everywhere
Reusing the same passwords everywhere is convenient for you and hackers. If they manage to crack or steal your password from one site, they can then reuse that same one on your other accounts. Don't make their lives difficult and reuse the same password for all your online accounts. While you're at it, use simple short passwords using only letters to make it easier to crack.
Don't use 2-factor authentication
2-factor authentication is usually a secret code generated on your phone using a free tool like the Google Authenticator or Authy. The purpose of 2-factor authentication is to provide additional account protection that would prevent someone from accessing your account if they somehow manage to get your password.
2-factor authentication goes against our goal of making you easier to hack. Doesn't 2-factor authentication sound like a lot of trouble for nothing? Why would you want to make it difficult for hackers to access your account if they have gone through all the effort of finding and cracking your password?
Whatever you do, do not enable 2-factor authentication so your account can be stolen easier.
Trust everyone and click on those links
Security advocates always caution users not to click on "strange" links from known or unknown sources. Sure, these types of links are often used to install malware on your machine or to steal your login credentials (phishing), but you may miss that funny joke a friend sent.
Hackers go to great lengths to make their emails look legitimate so why not reward all their hard work by clicking on them? If you don't click on those links, you will force the hackers to work harder to steal your information, and who wants to work harder?
So I say click on those links quickly. If you see a link click on it regardless of any doubts you may have.
Don't update your software and operating system
All software is written by humans and is therefore imperfect. Reputable software vendors (that hate hackers) release regular updates to their products to patch vulnerabilities that may be exploited.
Our goal is to make you an easy target so why install updates? Updates take time. It is easy to forget checking for them (on smartphones, tablets and PCs). The easiest thing to do (the most hacker-friendly) is just to leave your machine as it is, and not install any updates. After all, what if the update changes a function?
The moral of this story is to just leave well enough alone. Don't make a hacker's life more difficult than it has to be, don't update your software or operating system.
Don't ever turn off Bluetooth
You work hard, and anything that makes your life easier should be encouraged and used. Bluetooth is a modern convenience for anyone that uses wireless headphones. You turn it on and pair it with your favourite headphones when you first set up your device and forget about it.
Convenience is king. When you want to listen to a podcast or some music, you shouldn't be bothered to fiddle with small switches in some control menu to turn on Bluetooth.
There are well-known attacks against Bluetooth that could allow a remote attacker to connect to your device and steal data stored on it. Who cares? Convenience is king and outranks security. We want to make your devices as vulnerable as possible, so whatever you do, leave Bluetooth on. While you are at it, leave other data transfer features on (like Airdrop on Apple and WIFI).
Don't use a VPN
I have written about VPNs for years and how they can be used to protect your data when using unknown or untrusted WIFI networks. This article is about making your life and the hacker's life easier, not making you more secure.
VPNs are a hassle. You have to buy a subscription, install the app on your devices and remember to turn it on every time you connect to an untrusted WIFI network. When using a VPN you are paying to make your WIFI experience more complicated. Does this seem logical to you?
Hackers love using unprotected or poorly protected WIFI networks to perform reconnaissance and even break into your devices. Hackers have a wide variety of easy to use tools that work on devices connected to these open WIFI networks where users aren't using a VPN. So the moral of the story is convenience. After all, if you can't trust your local coffee shop with your data security, who can you trust?
Remember that your goal is to make your and the hacker's life easier so trust easily and trust often. Don't use a VPN to encrypt your traffic and make it impossible for a local hacker to steal your data or compromise your device.
Share a lot and often
The purpose of social media is to share information with friends and other strangers that are connected to you. So the hacker rule is to share as much data as possible and share it often.
Piecing data together is a fantastic way for a hacker to build a profile about you so they can reset passwords, use your credit or craft believable phishing emails. Make sure that all your social media profiles are public. Then once your profile is visible to everyone on the internet, make sure you post a ton of "useful" information such as:
- habits: (when you go to the gym, restaurant, stores, etc) so hackers can figure out where you live
- vacations: everyone wants to know that you have left the country for a week of sun and relaxation. Especially those hackers and thieves. It is so much easier when the target (oops... I mean friend) lets you know it is a good time to steal from them.
- Date of birth: Make sure you use your real date of birth on social media sites so friends (that can't be bothered to remember your birthday) can wish you a happy birthday. Hackers can then use this information to apply for credit in your name. It's a win-win for everyone.
The moral of the story is to post lots of personal data, regularly and as quickly as possible.
Conclusion
I hope you have found these tips useful. I know many hackers will thank you for being such a friendly and trusting person. Remember that good security is inconvenient and convenience is the most important factor to a busy person like you. You are too busy to worry about securing each and every service you use, so don't.
After all, people are generally nice and trustworthy. So open that attachment. Click on that link. Share that vacation departure notice. Life is short, live a little.
Google's new Pixelbook ad is a hard jab at Windows
Windows is the most popular operating system in the world and Google will naturally target it, in an attempt to win new customers for its upmarket Pixelbook offering.

January 2019, according to Statista:
Windows market share 75.47%
MacOS market share 12.33%
Linux market share 1.61%
ChromeOS market share 1.17%
Google released a one-minute promo video entitled “If you want a laptop you can count on. You Chromebook.”
Truth be told the latest version of Windows 10 has been incredibly stable but this ad will be fun to watch for any Windows user annoyed with constant forced patches, badly designed progress bars and the infamous Blue Screen of Death.
This is an exaggeration of issues users experience but does highlight the main reason why many security professionals have moved to Chromebooks. Patching is almost seamless, the device is normally very stable (except v 72.x has introduced some bugs Google does need to fix) and security is on by default.
Current belief is that on a Chromebook, you have no regular maintenance, no need for an antivirus, no big bang updates that take 30-45 minutes to complete, etc.
Let’s just say Google got even with Microsoft for running the Scroogled campaign years ago.
Google One finally available to all US customers
I first wrote about Google One in May 2018, when it was still shrouded in secrecy. The new storage program with improved storage capacities was an invitation-only program until today (for US residents anyway).
Per the original (Google Drive) model, storage is shared across all of the Google properties you use (GMAIL, Photos stored in full resolution, Drive, etc.)
- 100 GB for $1.99
- 200 GB for $2.99 (New)
- 2 TB for $9.99 (2TB for the price of 1TB on the old plan)
- 10 TB for $99.99
- 20 TB for $199.99
- 30 TB for $299.99
<img src="https://ekiledjian2.micro.blog/uploads/2025/ca37b58a4a.jpg" alt="">
If you use the Google Family sharing program (not available to Google Apps accounts, unfortunately), you can share your Google One storage with up to 5 family members. In addition to storage, Google is offering Google Play credit to Google One subscribers and promises to add even more benefits (24x7 support is now also included).
Many still see the Google One page as invitation only but expect this to change shortly. Rolling this new program out to its millions of customers is likely being undertaken in stages.
As a Canadian, I anxiously await any indication about when it will open for us.
US bans use of Huawei technology through Defense Authorization Act
US President Donald Trump has signed the Defense Authorization Act into law. Section 889 (PROHIBITION ON CERTAIN TELECOMMUNICATIONS AND VIDEO SURVEILLANCE SERVICES OR EQUIPMENT) bans use by government agencies and contractors of Huawei or ZTE technologies.
The language of the act is ambiguous and doesn't clearly list what technology is or isn't covered by the prohibition.
“procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system”
ZTE and Huawei should not be used to access government systems that display personal data, therefore it is safe to assume that most agencies and contractors will purge their networks of systems designed or that use these technologies.
I have not yet seen an official response from either of the tech companies.
Stay tuned.
OPSEC : What should I include in my bug-out bag
Search Google for "Bug-out bag," and you will get 137M results. YouTube has 144K videos discussing it. A Bug-out bag (also called Go Bag, BOB, 72-hour kit, grab bag, a battle box, personal emergency relocation kit) is a small personal maintenance kit that would allow you to survive 72 hours when faced with an emergency.
Most emergency agencies recommend you prepare some kind of emergency kit. Emergency Preparedness Canada has a website dedicated to building basic bug-out kits. The US Department of Homeland Security offers similar suggestions on their website.
Without going overboard, the purpose of this article is to provide general guidelines for the average Joe interested in being better prepared (not for a survivalist or extreme prepper).
Where should I keep it?
Location, location, location... Your bug-out bag is useless if you cannot quickly grab it during an emergency and quickly leave the risk region.
Your bug-out bag should be kept close to the main exit for your dwelling so you can grab it and go.
An operational security expert will typically run several scenarios to evaluate possible calamities and what the best exits would be (it isn't always your front door). Spend some time thinking about this and place your bug-out bag close to the exit you are most likely to use (garage, front door, back door, bedroom windows, etc).
Basic bug-out bag items
In security, you can spend a little or a lot; it really depends on your level of paranoia. Most people don't need a 200lb bug-out bag that contains $500 of survival items. So here are the basics everyone should have in their kit:
Documents
- National identification documents (originals or copies). These can include drivers licenses, passports, medical identification cards, etc
- Keep a couple hundred dollars of cash money in different denominations (assume the electronic payment networks may be unavailable)
- A printed list of emergency contacts (local hospitals, police stations, family members, friends, etc)
Personal Items
- A basic $20 first aid kit (from the pharmacy or Costco)
- A couple of litres of drinking water in sealed containers
- High calorie easy to eat snacks (that do not require preparation)
- Head covering (in case you have to walk in the sun, rain or snow), I keep a buff multiuse scarf
- Bug repellent
- Sunblock
- Prescription medication, glasses and contact lenses
Communication Gear
- A mobile phone (if possible an extra pre-paid SIM on a different network)
- Hand crank powered emergency radio
- Small notebook, pen and pencil
- Printed local maps (street and topographic)
- A large (at least 20,000 mAh) external battery to charge your electronic gear. My battery of choice right now is the OmniCharge Pro
General Gear
- A multipurpose knife (my choice is the Victorinox SwissChamp)
- Flashlight (ideally something that can be charged with your external battery via USB).
- "Normal" candle and weather resistant matches
- 550-lb paracord
- Handheld mirror
- Phrasebook if travelling abroad
The Pack
Talking about Bug-out bags is like discussing religion. Everyone has strong opinions about what the "best" bag is. My recommendation is to choose a backpack (since these balance the weight better and are easier to carry over long distances).
My only recommendation is to choose something that is as light as possible while being resistant.
How to fix issues at hotels, airports and other public WIFI hotspots
A captive portal is the intercept page you see when trying to log into most free public WIFI hotspots (e.g. airport, restaurant, hotel, etc.) You are normally shown a page that collects your email and then asks you to agree to the provider's terms and conditions.
As browsers and devices (iPhone, Android, Windows, Mac, iPad, etc.) adopt more secure protocols by default, there are situations when your device may not trigger the portal webpage correctly. The browser may block redirection to the portal page because it is typically transmitted using unsecured HTTP.
In some cases, devices will attempt to detect and open an unencrypted webpage to allow the public WIFI router to inject a redirect URL. WirelessPhreak has a good technical article that discusses why new more secure tech is causing this issue.
Each smartphone manufacturer uses a different non-SSL webpage to detect a captive portal:
- Google Android: http://connectivitycheck.gstatic.com/generate_204
- Apple iPhone & iPad: http://captive.apple.com/hotspot-detect.html
What do you do if that automated portal detection doesn't work? How do you trigger the captive portal?
Enter the webpage Never SSL. If you are connected to a public WIFI (that should work) but are not seeing the captive portal, open your browser of choice and navigate to http://neverssl.com/
<img src="https://ekiledjian2.micro.blog/uploads/2025/0e1bdc2afa.jpg" alt="">
This will fix your issue and you should be bathed in warm loving WIFI Internet.
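The detection logic described above, as an added example that is not from the original article: it classifies the reply to the two plain-HTTP probes listed and extracts the portal URL when the network has rewritten the reply. The expected replies (an empty 204 for Android, a page titled "Success" for Apple), the sample replies and the function names are assumptions made for this example.

```python
import re
import urllib.error
import urllib.request

# name -> (probe URL from the article, expected status, expected body marker)
PROBES = {
    "android": ("http://connectivitycheck.gstatic.com/generate_204", 204, None),
    "apple": ("http://captive.apple.com/hotspot-detect.html", 200,
              "<title>success</title>"),
}

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)


def classify(probe_name, status, headers, body):
    """Return (state, portal_url) for one probe reply.

    state is "online" when the reply is what the vendor endpoint sends,
    otherwise "captive" because something on the path rewrote it.
    """
    _, want_status, marker = PROBES[probe_name]
    headers = {k.lower(): v for k, v in headers.items()}
    # Most portals answer the probe with an HTTP redirect to their login page.
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        return "captive", headers["location"]
    if status == want_status:
        if marker is None and not body.strip():
            return "online", None
        if marker is not None and marker in body.lower():
            return "online", None
    # Some portals return 200 with their own HTML, often a meta refresh.
    match = META_REFRESH.search(body)
    return "captive", (match.group(1) if match else None)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx instead of silently following it


def probe(probe_name, timeout=5):
    """Send one probe on the current network and classify the reply."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(PROBES[probe_name][0], timeout=timeout)
        status = resp.status
    except urllib.error.HTTPError as err:  # unfollowed 3xx, 4xx and 5xx land here
        resp, status = err, err.code
    body = resp.read(65536).decode("utf-8", "replace")
    return classify(probe_name, status, resp.headers, body)


# Constructed replies (not captured traffic) so the example runs offline.
SAMPLES = [
    ("android", 204, {}, ""),
    ("android", 302, {"Location": "http://portal.example/login"}, ""),
    ("apple", 200, {},
     "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),
    ("apple", 200, {},
     '<html><meta http-equiv="refresh" '
     'content="0; url=http://portal.example/tos"></html>'),
    ("android", 200, {}, "<html>Please accept the terms</html>"),
]


def run_samples():
    return [classify(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, run_samples()):
        print(sample[0], sample[1], "->", result)
```

Because the probe and the portal page travel over unencrypted HTTP, treat the portal URL as untrusted content from the local network and give it nothing beyond what the sign-in form needs.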
Fun with Shodan and IOT
Read this related article: Find phishing and malware with a simple search
Search engines have become a favourite starting point for threat actors, so it should also be your starting point. Beyond Google, there are a bunch of specialized search engines that are powerful and scary. This article talks a bit about Shodan. Think of this article as a gentle introduction.
What is Shodan
<img src="https://ekiledjian2.micro.blog/uploads/2025/cd2642f617.jpg" alt="">
Shodan is often called the world's most dangerous search engine. Shodan attempts to catalogue metadata about its targets and its targets are often Internet of Things (IOT) devices. Hackers and security researchers use Shodan daily to find vulnerable webcams, open traffic light systems, SCADA in manufacturing plants and much more.
I'm going to assume you have a free Shodan account.
Browse the categories
<img src="https://ekiledjian2.micro.blog/uploads/2025/a0035500b0.jpg" alt="">
If you visit the Shodan Explore section, you can find all kinds of interesting systems listed.
Unprotected webcam
<img src="https://ekiledjian2.micro.blog/uploads/2025/91478d513e.jpg" alt="">
For this example, I searched for the Axis 212 webcam which is known to have many vulnerabilities and a known default password.
As an example, the webcam I highlighted seems to be in a daycare facility and isn't even password protected.
[caption id="" align="alignnone" width="816"]<img src="https://ekiledjian2.micro.blog/uploads/2025/e3ac19ac18.jpg" alt=" I've blurred out the children and teacher. "> I've blurred out the children and teacher. [/caption]
Some are unprotected. Some have kept their default passwords (there are lots of default password lists like this one). Obviously many of these cameras are made by a handful of manufacturers in China and are never updated. Once you find a vulnerability on one model it is often workable on dozens of others.
Routers
<img src="https://ekiledjian2.micro.blog/uploads/2025/539105024f.jpg" alt="">
You can search Shodan for common router brands like Belkin, D-Link, Netgear, etc and then try to log in using the default admin passwords. Above is an example of a Linksys router exposed to the internet without a password. Others are exposed with the default password.
Intel AMT Exposed to the internet
There is a major Intel AMT vulnerability but Shodan shows that 4,647 devices with AMT (on July 22) were connected to the internet.
<img src="https://ekiledjian2.micro.blog/uploads/2025/ade1b4b8a0.jpg" alt="">
If you search for "http intel active management" in Shodan, you will get a listing of these devices.
<img src="https://ekiledjian2.micro.blog/uploads/2025/ed7f64f795.jpg" alt="">
Other searches you can perform
[caption id="" align="alignnone" width="1321"]<img src="https://ekiledjian2.micro.blog/uploads/2025/9f8d8bb79c.jpg" alt=" Netgear device with port 80 open to the internet "> Netgear device with port 80 open to the internet [/caption]
[caption id="" align="alignnone" width="1215"]<img src="https://ekiledjian2.micro.blog/uploads/2025/b7223884cc.jpg" alt=" Bitcoin servers "> Bitcoin servers [/caption]
You can even use the Shodan ShipTracker dashboard to track ships in real time.
<img src="https://ekiledjian2.micro.blog/uploads/2025/d0ddf68763.jpg" alt="">
ShipTracker is harmless on its own, but combined with data available from other sources and the knowledge that many ship systems use default passwords, it is a disaster waiting to happen.
<img src="https://ekiledjian2.micro.blog/uploads/2025/e90d68327a.jpg" alt="">
There is a known vulnerability that allows a threat actor to steal or modify information from a Memcached server. This vulnerability was used to target GitHub with a massive DDoS attack. Not all Memcached servers are vulnerable (I won't show you how to find the vulnerable ones) but how would you search for Memcached servers on the net? The answer is with a Shodan query.
<img src="https://ekiledjian2.micro.blog/uploads/2025/f171173787.jpg" alt="">
Conclusion
Obviously, this is just the tip of the iceberg. A true threat intel specialist will be able to automate Shodan queries and then combine them with known vulnerabilities, exploits or default credentials. I am hoping this article created a bit of interest in you to learn more.
For this article, I only chose examples that were exposed to the internet and were not password protected. Be careful as laws differ around the world. In some countries even testing default passwords could be considered "hacking".
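One way a defender can turn the same searches on their own address space, as an added example that is not part of the original article: it triages records shaped like Shodan banner JSON (`ip_str`, `port`, `data`) for the exposures shown above and ignores anything outside the ranges you own. The records, the `OWNED` range and the function names are constructed for illustration.

```python
import ipaddress

# Ports behind two of the exposures the article shows.
RISKY_PORTS = {
    11211: "Memcached reachable from the internet",
    16992: "Intel AMT web interface (HTTP) reachable from the internet",
    16993: "Intel AMT web interface (HTTPS) reachable from the internet",
}


def parse_http_banner(data):
    """Split a raw HTTP banner into (status_code, {header: value})."""
    lines = data.replace("\r\n", "\n").split("\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None, {}  # not an HTTP service (SSH, Memcached, ...)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def triage(records, owned_networks):
    """Return sorted (ip, port, severity, reason) findings for owned hosts."""
    nets = [ipaddress.ip_network(n) for n in owned_networks]
    findings = []
    for rec in records:
        ip = ipaddress.ip_address(rec["ip_str"])
        if not any(ip in net for net in nets):
            continue  # scope control: never report on someone else's host
        port = rec["port"]
        if port in RISKY_PORTS:
            findings.append((rec["ip_str"], port, "high", RISKY_PORTS[port]))
            continue
        status, headers = parse_http_banner(rec.get("data", ""))
        # Heuristic: a 200 with no auth challenge may be an open admin page,
        # or a form-based login. Flag it for a human to look at.
        if status == 200 and "www-authenticate" not in headers:
            findings.append((rec["ip_str"], port, "review",
                             "HTTP service answered without an authentication challenge"))
    return sorted(findings)


# Constructed records on documentation address ranges (not real scan data).
OWNED = ["192.0.2.0/24"]
RECORDS = [
    {"ip_str": "192.0.2.10", "port": 11211, "data": "STAT pid 1\r\nSTAT uptime 100"},
    {"ip_str": "192.0.2.20", "port": 16992, "data": "HTTP/1.1 200 OK\r\n\r\n"},
    {"ip_str": "192.0.2.30", "port": 80, "data": "HTTP/1.1 200 OK\r\nServer: httpd\r\n\r\n"},
    {"ip_str": "192.0.2.40", "port": 80,
     "data": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="router"\r\n\r\n'},
    {"ip_str": "192.0.2.50", "port": 22, "data": "SSH-2.0-OpenSSH_8.9"},
    {"ip_str": "203.0.113.5", "port": 11211, "data": "STAT pid 7"},  # not ours
]

if __name__ == "__main__":
    for finding in triage(RECORDS, OWNED):
        print(*finding, sep="  ")
```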
Find phishing and malware with a simple search
A very important function of any information security team is threat intelligence. Threat Intel can be a complicated and costly service in some cases but can be as simple as running a simple search in other cases. Here is a trick to get you started with the simple and cheap function.
Did you know you can find lots of "fun" phishing and malware links using nothing more than a simple VirusTotal search? Search VirusTotal for Google Storage API (precooked link).
Go down midway on the results page and voila.
<img src="https://ekiledjian2.micro.blog/uploads/2025/3b30833ecb.jpg" alt="">
The one I highlighted above takes you to a Dropbox phishing site.
<img src="https://ekiledjian2.micro.blog/uploads/2025/6dcae09710.jpg" alt="">
Some may not be fully formed yet. Some may already be taken down but you can find some interesting opportunities for research.
Simple "script kiddy" level Threat Intel for you.