Site icon Easy Prey Podcast

Rethinking Online Anonymity with Lance Cottrell

“Be very specific about what you want to protect.” - Lance Cottrell Share on X

In a world of cybersecurity and online privacy, anonymity seems to be the key. VPNs are often promoted as the cure-all to our internet needs. Let’s talk about some of those misconceptions.

Today’s guest is Lance Cottrell. Lance founded Anonymizer in 1995 and is an internationally recognized expert in cryptography, online privacy, and internet security. He is the principal author on multiple internet privacy and security technology patents. Lance stayed on as Chief Scientist as Anonymizer was acquired by Intrepid, and now advises start-ups through his platform.

“Actually achieving anonymity or pseudonymity and maintaining overtime is incredibly challenging.” - Lance Cottrell Share on X

Show Notes:

“If you need to trust someone, research who that someone is and understand if you can.” - Lance Cottrell Share on X

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Links and Resources:

Transcript:

Lance, thank you so much for coming on the Easy Prey Podcast today.

It's my pleasure. Great to be here.

Can you give the audience and myself a little bit of background about who you are, what you do, and more importantly, what you used to do probably?

I started off as an astrophysicist and dropped out of my PhD program to start the world's first internet privacy company, Anonymizer. I spent the next six years or so building internet anonymity platforms for consumers until, suddenly discovered that the people who really needed what I was doing were actually in the government. We pivoted to building platforms for doing online undercover operations for the intelligence and security communities. That led to a pretty successful exit, so now I work with startups, founders, work with early-stage companies on fundraising and strategy, and all the good stuff.

You must have lots and lots of really good stories that you're not allowed to tell.

Endless number.

I think you probably have some that you can't tell here today. Just because I'm still in the VPN space, do you feel that there was a resurgence in consumer VPN usage not too long after your exit?

Yeah. Certainly, it became very commoditized. There's a lot of different companies that started springing up. You could really tell it just by listening to podcasts. You knew it was a hot area because they were sponsoring everything, whether or not it had any tech aspect to it at all. I just couldn't almost avoid screaming back at the dashboard of my car because they're making these claims about what VPNs do that just were not quite within the bounds of truth.

We'll get around and talk about that in a bit. I did want to ask you, because I do ask everyone who is an expert in the cybersecurity or anti-scam counter fraud group: Have you ever been a victim of scam, fraud, either in person or online?

Yeah, I have. It was an interesting situation. The company Anonymizer had been up and running for maybe five, six years at that point, so we were reasonable sized. A guy approached me to help with some business development and strategic relationships, and it seemed like it was an out-of-the-blue thing. He actually showed up at my parents’ house. I was living down the street from my parents.

That's a little creepy.

They had a cool house. He was there with his parents. They were walking through the neighborhood. He introduced himself to them, got a tour. They helped connect him to me. It was a very sophisticated way of infiltrating into my network that came in and from a direction you just don't have your shields up at all.

He did connect me to a bunch of companies, but he wanted to take on this so he could negotiate for us. He wanted to be a principal in the company, wanted us to give him some equity, and establish him as a significant player. After a while, the hair on our neck went up and we realized this was going to be a problem as the shareholders in the board canceled all the shares, kicked him out, shut everything down. Frankly, if he'd been legit, he would have sued us, but he didn't.

I remember I got a call maybe six months after that from one of the women that he'd introduced me to at another company. She wanted to let me know that he was not a good guy, he destroyed her marriage, and tanked her company. Two or three other companies that I'd also been introduced to, they hadn't seen the signals in the air and emptied their bank accounts, destroyed their reputations, and just salted the earth. It was really bad.

Did this guy have a track record of doing this?

He did. Eventually, because I set up a Google alert on him, I know that he ended up getting arrested for. He was very Jewish and just played off his Jewish background and Israeli background. I saw he went to jail for scamming a rabbi.

It's interesting that some of these in-person scammers can do such a good job with their stories and their backgrounds to get that far.

That's right. They act personable. They do a good job of generally not feeling like they're being pushy while always driving the agenda forward in the direction they want to go but couching it in ways that you want to hear. They quickly in the conversations learn, what are the things you're hungry for? What is important to you? And then make sure that they can drip feed you the things or at least indications of the things that you've said that you wanted.

It sounds like this guy was also not just trying to go after you as an individual target, but leverage you to get to other targets. Because now he has your referral or, “Hey, I know Lance.” Lance says, “Yeah, I know him; we're working with him.”

Exactly right. Each one of these elements gave more credibility. He'd bring me into a meeting with a pretty high-powered group of people. These were all CEOs of their own companies that were fairly successful. That feels good. It feels like it checks all the boxes for being real, but he was in the outer orbit of all of them but was able to insinuate his way in through these mutual relationships in saying, “Oh, because I can broker this connection between you, therefore I should have this position to be someone who could broker it.” Yeah, it was clever.

If you don't mind me asking, what was it that got the hairs going up on the back of your neck and your board?

He was starting to do things, representing himself as representing us without necessarily checking it through us first. As soon as we started to see that, we call him on it and we'd start wanting to unwind things. A lot of smoke and mirrors about why that wasn't easy to do. Pretty quickly, that literally just needed to be killed.

I'm glad that you were able to get out of it with your skin intact.

Yeah. It was a total destruction thing if you didn't for sure.

To me, it's just awful that people like that exist and function in society because there's always predators out there.

That's right. These were his parents, so he was literally pulling them in.

I was figuring that they were just actors, but they actually were his parents. Do you think he fooled his parents? Were they part of the scam, or was he just using them and they thought he was who he was claiming to be?

I don't know. They were not active participants, but they were certainly window dressing. I have no idea what they knew.

Interesting.

It was clever, because it gave that whole perspective of a normal guy is out there taking care of his older parents.

It's just one of those things that turns one dial of hairs from the back of your neck down.

Precisely.

He's got family members with him; he's got to be a good guy.

That's right. Yeah, he's just walking through the neighborhood. It's not like I got a letter out of the blue or some random email asking me something and didn't even come looking for me to start with.

That's even the more insidious way. Well thought out in a very creepy way.

Yeah, exactly. It's like some of the stories I've heard from people in the intelligence communities in terms of how they go about these things. It tends to be pretty roundabout. You never want to come straight at someone, it's always this very circuitous process aiming for what they're trying to do.

I remember one of the executives in the company that bought mine—and they were all former senior CIA people—described her job in the CIA as meeting useful people in foreign countries and convincing them to commit treason.

I had an episode. Let's see if I can remember it. There's two reasons why people commit treason. Revenge—they feel that they got mistreated—and then justice—they feel like their government is doing something wrong.  At least that's what I remember of the two big motivators for spies.

Certainly if they're agreeing. Blackmail's a big one, too.

I didn't want to go that route, but yes. Why people voluntarily participate as a spy as opposed to involuntary.

Just so.

I wanted to have you talk about privacy and anonymity. Why did you ultimately end up starting Anonymizer so many years ago?

I started getting involved in the open source community before that. I was at UCSD doing my PhD in astrophysics. As part of that, I had fantastic access to the internet early on. This was 1992-1993, so the World Wide Web had been invented a year earlier. Good access to the internet was not something everyone had.

I had a Sun Unix workstation on my desk, directly etherneted into the San Diego supercomputer center and the backbone of the internet. I was very aware of what was going on. I set up our astronomy group's website so I could see what kind of data was available. This was when the government was trying to come up with a clipper chip.

For the people with less gray hair, the clipper chip was a concept that the FBI was pushing. They realized that cybersecurity was important, then encryption was going to be important. They wanted to have a standardized chip that could go in every single computer in the world, that would provide strong encryption and to which they would keep a copy of the keys.

Yes, of course.

It was that last thing that struck me as a monumentally bad idea, especially given how bad they are at their own security, how often they get hacked, and what a juicy target that would be. I ended up joining an informal group of people online called the Cypherpunks. This was a crypto-anarchist organization building open source, strong cryptography, started with PGP (Pretty Good Privacy) and Phil Zimmerman, and there were some anonymous remailers.

People knew that there were problems with the anonymous email systems. I sat down in my spare time and banged out one called Mix Master, which was a full Chamean mix and was very anonymous, very hard to backtrack. It was good stuff. I began to realize that I was enjoying it more than I was enjoying astronomy. I was getting frustrated because the Hubble Space Telescope wasn't big enough to actually answer the questions that my advisor and I were trying to ask. I was getting written up on The New York Times, I had tens of thousands of users, and hundreds of people running my server software. I'm like, “This is really cool, and I can't think of a way to make money with the thing I've built.”

It's not useful to the people who need it. It's by geeks for geeks, and the first step, if you wanted to run Mix Master was to execute this make file on the command line of your Unix workstation, which ruled most human rights people and things like that out, but it was an area I wanted to go. I found an Anonymizer with the intent of creating an internet privacy set of tools that were more broadly accessible. We tried a bunch of things before we finally settled on, initially, just an anonymous web browser and eventually morphing into being a VPN provider.

I'm trying to feel like in the scope of numbers of servers, numbers of users, what did it get up to?

The consumer service, probably, I think we had about a million users of the free service, monthly active, and about a hundred thousand paying subscribers. That was paying the bills and it capped out there. After that, it was pushing on a string to get more people online because it was definitely appealing to more of the privacy hardcore. People really understood the issues or were just generally paranoid about what was going on and wanted tools like that. That was a fairly small population, and of course, a lot of paranoid people don't want to trust you either.

Yeah. Why should I trust you instead of something else?

Exactly. Fundamentally, should you trust me? I have your best interest at large. At least we were public. I remember someone said, “How do I know that you won't just sell me out?” I'm like, “Well, if I sell you out and it gets out, it'll destroy the company. I'm not going to sell people out unless it's for an amount of money that allows me to buy my own island.”

One of the things I've always wondered about VPN services is the massive amount of infrastructure that you have to maintain. Was the challenging aspect of maintaining servers all over the place?

That was a lot of work. In the early days, it wasn't cloud-based. We had physical data centers with racks of servers running the VPN software on it directly. Maintaining and managing that was a lot of work as well because we really prioritize the anonymity aspect of it. It's not just for security, it's not just for being able to stream a show in an area where you're not allowed to watch that channel or something.

We designed the system in such a way that even our own sysadmins couldn't see who was going where, even in real time with root access on the servers. That made debugging, troubleshooting, nightmarishly difficult. That was a huge pain and then just the continuous evolution of technologies to try to keep up.

It started to get commoditized. We started to see more VPN players come in. Part of why we pivoted was that we just saw that this was not going to be a high-margin business. We're selling this at the time for $70-$80 a year per person, and then we began to see the opportunity in the government. I think by the time we finished with the government, we averaged $200,000 per seat per year.

That's pretty good.

Yeah. It's a lot fewer seats, obviously. You can afford to spend a lot more time handholding, troubleshooting, and working with people on things like that.

You're working with people who had a better understanding of what you were doing, why you were doing it, how it worked, as opposed to some consumer who, if I have to pick up the phone and talk to you, I've already lost my entire profit from you on that one phone call.

That is so true, yeah. Any interaction just destroys everything and a consumer-facing business. It's got to be completely transparent. With the government, you could do a lot more handholding. We could customize it a lot more.

To some extent, most of our customers actually didn't need what we were doing. No one was trying to really do anything particularly nefarious with them, and then they'd use our tool to go to somewhere like Facebook and log in; at which point, why? You've just undone everything you're working on, whereas with the government, it was literally a life-and-death thing. There were a number of scenarios where they laid out why they needed our tools, and it came down to, “Because last time we didn't use tools, a bunch of people died, and we want that not to happen this time.”

That's a really good motivator for something to work right.

I guarantee you, I went back and talked to the engineers about this. “Hey, guys, this has to work.”

I know there's always the concern, or if you're a VPN user, you're getting mixed up with people doing nefarious things. Did you have a problem with people using Anonymizer to do nefarious things? What were some of your interactions? If you're in the US, your interactions with law enforcement in the US are going to be a little bit different than if you're on some little Caribbean island somewhere behind 16 shell companies.

That's right, although there's better protections as well. Being in the United States, First Amendment things. There's a lot of constitutional law that turned out to be very useful for us and some foreign VPN providers didn't have that access, but absolutely. We were getting subpoenaed from some law enforcement group certainly. By the end, probably more than once a week. Someone was running stolen credit cards. In fact, that was one of our biggest problems. We had a credit card chargeback rate over 10%.

So no credit card processor wanted to do business with you?

It was tough. We got dropped a couple of times. In fact, we were put on a blacklist and managed to talk our way off. I remember some of the guys in the banks are like, “No one has ever talked their way off this list. It doesn't happen.” We talked to them; they said, “Well, you need to take certain precautions against fraud. You should do this, this, and this.” “Yeah, we've been doing all of those for years. Here's 10 things you haven't thought about yet that we're already doing.”

We completely blocked access from 120 countries. Just like, no, the chargeback rate from that whole chunk of the world is unacceptable. We won't allow you to come in. Of course the reason people were doing it was they signed up for Anonymizer with a stolen credit card and then go use stolen credit cards through Anonymizer.

Were there any interactions with law enforcement? I think any particular subpoenas are like, “I'm sorry. There's nothing I can do about that,” or maybe there's certain ones that you can. Were there any particular interactions with law enforcement that got you a bit nervous? “Is this going to shut us down, or is this going to keep me up at night?”

Yeah. There were certainly times when they'd come to us and the person had done something that was really pretty dire. You'd feel bad about that. Unfortunately, there's no way to avoid that situation. If I want to build things that could be used by dissidents in oppressive countries in a way that their intelligence services can't break, then Americans are going to be doing bad things with it too. You're going to end up with that. I think my favorite one was I received a cease-and-desist order and subpoena from the Beijing police department. I had that on the wall for a while. We didn't do anything.

I know you didn't travel to Beijing.

Yeah, that's right. I thought about China, Russia, and some of the other countries that had a strong dislike for us. The best case would be if they refused to give me a visa.

Yeah, the worst case is if they allow you to have a visa.

Precisely. It's a Hotel California; you can come in, but you can't leave kind of scenario. Yeah, not going back. We managed to really piss them off later because once we got involved with the government, we ended up with a large contract with the Voice of America building censorship circumvention tools against China, Iran, and Russia.

Yeah, that's not going to make you a fan.

No, and it had to be very public because we had to advertise it to let people know it existed so they could go use it.

That is a weird position to be in. “I'm advertising this tool, which will keep you safe but also put you at risk.”

It was funny. In Iran, the way we did this was the Voice of America has a satellite network. Of course, satellite dishes are illegal in Iran because they allow you to get all sorts of foreign influence. Literally, everyone has a satellite dish in Iran. One of the most popular shows in Iran was this soap opera thing in Farsi that they would broadcast.

In the middle of the show during a commercial break, they'd go, “Hey, if you are bothered by being censored by the Iranian government, go to this URL in the next 15 minutes, sign up for this service, and we'll provide access to be able to work around this.” We had well over a hundred thousand users in Iran.

Wow. Did you have to cycle through URLs very quickly because of that, because they would just get blocked and servers would get blocked?

Yeah. It was funny. At the beginning, most of these countries were not really on the ball. When we first started, a given IP address would stay up for months. By the time we were done, we basically had to change IP addresses daily. We were spending a lot on acquiring new chunks of IP addresses. We actually designed some really slick technologies for being able to identify who in our audience were spies for these organizations so that we could blackball them, but the government budgets didn't stretch to the level of sophistication and pricing that was going to incur.

Interesting.

It was also very hard to compete because there was a bunch of nonprofits that were doing this as well. They were all volunteer organizations, whereas I had to pay my people, so it was difficult to compete with them on price.

Was Tor up and running at that time?

Yeah. By then, Tor was up and running.

Was that the biggest free competitor? I'm trying to think of who else was back then, but my memory of these things is not as good as yours, I'm sure.

Yeah. There were a couple of groups, and they tended to be all foreign language. They were not well known in public, but they'd be setting up networks of volunteers and the United States would be the individual exit points so that you could word-of-mouth it around to avoid the way we were doing it with the mass advertising and so forth.

The problem with Tor is it's pretty easy to map the Tor network and go in and block all those nodes. It wasn't really an effective circumvention tool. Certainly from a VPN point of view for the paranoid, a lot of people wanted to go in that direction. There was a philosophical debate that I had with the Tor guys because I knew them pretty well. Between their model of don't trust anyone, pick random hosts, multi-hop chains, but anyone can be one of those exit nodes, and the exit node gets a lot of visibility in what's going in, so does the entrance node, and you could run many of them as different entities.

As I often said, I can understand why foreign government intelligence agencies would run Tor nodes, and I really don't understand why anyone else does other than just charitable reasons. My assumption was always a lot of them are. My argument was you need to trust someone, research who that is, understand if you can trust them, and then trust them and really restrict the circle of number of people you can trust.

One of the things that interested me was I started looking at some of the other VPN companies that popped up that were competitors to us and tried to identify who owned them and who operated them. They were opaque. You just had no idea what was going on with these things. My assumption has always been a large fraction of those were fronts.

Or fraud?

Fronts.

Fronts, yes. OK.

But fraud would be a reasonable other thing to be doing.

I don't know that I've actually ever said this on a podcast that's recorded, so maybe this will be the first time. I've definitely had this conversation with people before or after we recorded that it wouldn't surprise me if a number of the major VPN companies are run by intelligence organizations, because what better way to have access to what nefarious things are going on is if you control the network.

Absolutely. I would be shocked if that were not the case. Frankly, I remember I used to say often, “If they're not doing it, what are they wasting my tax dollars on?”

We've danced around it. What are the unrealistic expectations that people have of VPNs? Where are they good, and where are they falling down? The current consumer-faced products.

I think the biggest mistake is thinking that your IP address is the important thing anymore, whereas so often we're on dynamic IPs anyway. If you're at home, probably doesn't change very often. -Lance Cottrell Share on X

Yeah, exactly. I think the biggest mistake is thinking that your IP address is the important thing anymore, whereas so often we're on dynamic IPs anyway. If you're at home, probably doesn't change very often. If you're on cellphones, your addresses are changing continuously, if you're using mobile hotspots. People are paying much less attention to the IP address, and that's really all that effectively hides. All the other information about you and your computer are out there.

People go, “I'm going to use incognito mode on my browser.” OK, that's nice. It turns off cookies, but there's a huge number of browser fingerprints that are out there that will identify your computer fairly well, especially if you're going to a smaller website that maybe only gets thousands or tens of thousands of visitors. It's pretty easy to get unique identification just from physical characteristics of the device.

It's behavior. Behavior is a killer. It's where you go, it's what you type in, it's what names you use, it's password reuse, patterns, and those things. They make it really easy to pin people down, and actually maintaining anonymity, or even more difficult, pseudonymity. Maintaining over time, a good pseudonym, incredibly challenging. Back in the nineties, when I was a cypherpunk on that mailing list, I ran my real name and I ran a pseudonym.

Behavior is a killer. It's where you go, it's what you type in, it's what names you use, it's password reuse, patterns, and those things. They make it really easy to pin people down, and actually maintaining anonymity, or even more… Share on X

A company that acquired me, we were trying to build some tools to recognize authors to offer identification and see our people running false identities. I said, “There's an archive of this entire mailing list; go tell me who my alias was based on writing style alone.” I had been pretty careful and worked hard to keep it separate, and he nailed it first try.

Either really unnerving, really cool, or both at the same time.

Fortunately, it was largely a thought experiment, and I had never done anything with this other identity that was problematic. Yeah, it could have been bad for sure. If it had been bad, I wouldn't have offered it as a target of opportunity.

They would have just brought it to your attention. “Hey, is this you?”

They probably never would have gone back and looked at an archive of 15-year-old emails from some mailing lists. All of those things can really give it away. If you're using a VPN and you're coming out of some foreign country, that doesn't mean that the people watching you will believe that.

I actually ran into this with some government customers who were pretending to be in Turkey, but they were actually somewhere in the United States. After a while, I started getting complaints from them saying, “Oh, Google knows where I am. If I type in pizza, it says, hey pizza in the town they were actually located in. Clearly, I've screwed something up and it's my fault.” We spent a huge amount of time researching this to eventually discover that the problem was these guys were searching for pizzas, haircuts, sports events, and everything else in the town that they were in, through the platform coming out of Turkey.

Google very quickly just said, “I don't care what the traceroute says. I don't care where this IP address is registered; your behavior tells me you're in this town. I'm going to do that.” We ended up having to build all sorts of strange tools to overwhelm their operational failures, their OPSEC failures, to pin them back where they were supposed to be. That then became a standard part of our offerings.

That’s one of the most interesting things is just the human side of this, the behavior side of this, and learning all of the failure modes. Our big differentiator in the market was just having run into all of these bizarre things you never would have thought of and come up with ways of solving them.

That's interesting. That's like, “We need to create enough noise to overwhelm the signal.”

That's right. Or indeed not noise, but the signal we want you to be sending that you should have been sending all along.

When you have government clients, you can afford to do that thing. Your traditional consumer VPN company is not going to be investing money to say, “On our IP addresses in a UK data center, we're going to spew tons of stuff to get every fake behavior in order to get every geolocation service and every platform to think we're actually in the UK.”

That's right. Of course, having a VPN breaks a lot of things too, because a lot of folks don't want you to use it. Remember when I built the house I'm in now—we’re pretty rural—the internet was from some really weird, tiny, hokey provider. I went to try to sign up for Disney+. They're like, “Nope, you're using a VPN. You're probably in a foreign country. We won't let you sign up.” I'm like, “No, I'm not.” Resisting the urge to say, “I know more about hiding my location than almost anyone else on the planet. If I was trying to hide, you would not know it.” I didn't think that would be helpful.

It's not going to get your Disney+ service.

It is not. It just took a whole lot of repeated hassling their tech people before…

What do you think the good uses? Where are the uses where VPNs totally don't live up to their hype? Clearly, anonymity?

Yeah. Anonymity is probably the biggest. I think a lot of people, you need to remember that the VPN only secures you to the exit point. VPN is really designed for remote access to secure environments. You VPN into the office, you can access the office computers as though you were there, end to end. With these public things, everything from wherever that exit point is to the target you're going to is vulnerable, so it really depends on your threat model.

You need to remember that the VPN only secures you to the exit point. VPN is really designed for remote access to secure environments. -Lance Cottrell Share on X

I think people don't think anywhere near enough about the threat model. Who am I worried seeing? Where are they in the chain? What do they have access to? Do I care? Is that something that I need to be worried about? If you're trying to do political stuff, you need to worry about jurisdictions, pick locations where the guys who're trying to watch you don't have home field advantage and won't have good access to that, but most people are not living in those kinds of scenarios.

Most people aren't dissident journalists.

Most people aren't dissident journalists, high-level criminals, terrorists, or spies.

Where do VPNs live up to the hype?

If you're in an at-risk network; for example, you're on public Wi-Fi, or if you're using a third-party network, they can be pretty valuable. Although, I think the value tends to be decaying pretty quickly because end-to-end encryption within all of the individual protocols and applications is becoming almost ubiquitous. If you fire up a browser, you're almost never not secured end to end with the website. I remember back in the day, it was a lot of work to set up an SSL website. It was a lot of compute.

And it was expensive.

It was expensive, exactly. It would only go secure when you absolutely were doing a financial transaction or something like that. It's just not that anymore. Your email goes secure automatically. All these things are now secured by default, so that security aspect is less important than it was.

Security is still important, though. If you're connecting, especially into a corporate environment, that's good. It does tend to create hard and crunchy on the outside, soft and chewy on the inside-type security architectures. I much prefer the security in depth, the zero-trust structures. It's just circumventing geolocation restrictions where people are saying, “Oh, you can't stream this thing because you're not the right place.” It does a reasonable job of doing it until they subscribe to a list that shows where that's a VPN and they block it.

Yeah, and then you switch to a new server, a new location, and you hope that one works.

That's right. They do that. That's a game that I wasn't interested in playing, but they definitely are always churning through IP addresses because that is one of the big sales points. It's a lot of the reason why people are signing up for VPNs these days.

It's those weird copyright jurisdictions of, “We're allowed to air this content in the US, but we're not allowed to buy licensing. We're not allowed to make it available on this platform in this country, but it's on that other platform instead that you don't want to buy because it's really expensive.”

Exactly. It just isn't available at all because they never did a license over there, so you can only stream it here. All sorts of craziness. The really important takeaway with privacy is to be very specific about what you want to protect, because someone that says, “Look, I just want to be private on the internet” is either a non-technical hermit who's turned off absolutely everything, or is just lying to themselves. It's not possible. I think the key is decide what are the aspects of your universe that you want to keep private, pay close attention to them, lock those down, and then I'd largely encourage people to give up on the rest.

I think the key is decide what are the aspects of your universe that you want to keep private, pay close attention to them, lock those down, and then I'd largely encourage people to give up on the rest. -Lance Cottrell Share on X

What are the things that you would lock down, and which are the things that you'd give up on?

I think a lot of people will lock down on their kids, make sure that there's no pictures of their kids, they don't talk about their kids. I think home address is one that's worth trying to restrict. Get a PO box, for example, so that when you're putting your address in everywhere, it isn't that. These things are hard because there's a lot of public databases. Depending on what your threat model is, pretty quickly you need to own your house through an LLC registered with a point of address of that PO box, or maybe a different PO box because that PO box is associated with you.

It gets very hard very quickly, which is why when we went into the government, we could charge such a huge amount because we were worried about people who had those resources. That's why I say it does come down to the threat model. Who were you worried about? What happens if they get it? How do you manage that process? It's as simple as just, “Here's the set of things I don't put on Facebook, and I've talked to my friends. When my friends come over and visit, we have a lot of constraints on what they can photograph and post about when they're here, and I don't want geography.”

Yeah. If you are having people over, not necessarily you, but someone like you, what would be the things that you say that are the no-go photography?

I really don't want pictures of the whole house in particular. I don't want someone that's got a street view perspective on where we are. It tends to be more close-ups are OK. I'd rather not have things that frame. I don't want to advertise, “Oh, here's the thing they have that might be interesting to take’” and obvious things about defensibility of the space and so forth. I prefer that to be largely kept off, but I'm also realistic about how good a job we can do.

Do as much as you can, but don't lose sleep over it.

Yeah, right. Exactly. The obsession won't help you. There's going to be leakage. There's going to be things that go through. It doesn't make sense to run your life around that. Frankly, none of these things are going to stop a dedicated phone. I've got a gate coming into my property, and I set it up so that it just automatically opens when someone drives over it, because really the fence is there to keep deer out. People were talking to me about, “Oh, you need to put a code on that.” That's inconvenient to me.

Anyone who's driven all the way out to where I live, which is in the middle of nowhere, we'll just drive up to the deer fence next to the gate, get out, wire cutters, cut a hole in it, and open the gate. It's trivial to circumvent. You can spend a lot of time stopping this hypothetical set of incompetent and lazy criminals who are yet willing to go do the thing that you're doing. They wanted me to put huge deadbolts and kick guards on my front door and said…

But I have windows.

I have 30 feet of French doors next to that front door.

That was exactly the example I was going to use of not that you shouldn't have a lock on your front door, but over-engineering your front door but not over-engineering your windows is pointless because I don't have to deal with your front door. I could just take a rock and break a window.

Exactly. There's some interesting things about the psychology of crime as well. For example, I'll see people say, “It's really easy to pick door locks.” You can get a lock pick set. It's not difficult. It doesn't take that much work to train yourself to be good at lock picking. I've taught myself how to do it. Why is this not a problem?

You don't see people having their locks picked all the time by criminals. I think that the answer is it is just hard enough that any criminal with the self-possession and discipline to learn that skill at a high enough level to make it useful could make much more money at lower risk doing things that did involve breaking into people's houses. I mainly used it in data centers because I realized that I was parting like monitors and keyboards in and out all the time. There were a bunch of unused cabinets in the data center, so I just picked one of the cabinets and used it for storage.

And they would never find out?

They never did. No. It was only when we had a big operation. It would typically only be for a week or so at a time and then I'd evacuate it.

That's awesome. I super appreciate your time. I don't want to monopolize your day here. Any parting advice before we wrap up?

Two-factor authentication, password, software updates. It's just the basics that are 99% of what's out there. The real fancy stuff is icing on top. But if you're not paying attention to the basics, none of the rest of that really… Share on X

Yeah. I think it is just be aware of the basic hygiene around these things. What are you putting out? What are you letting people know? Two-factor authentication, password, software updates. It's just the basics that are 99% of what's out there. The real fancy stuff is icing on top. But if you're not paying attention to the basics, none of the rest of that really matters.

Awesome. Lance, if people want to find you online, where can they find you?

I spend all of my time working with startups these days. I've got a YouTube channel, TikTok channel, and website all called Feel The Boot because I give bounders and motivating kick in the ass. You can find me at Feel The Boot on LinkedIn or Lance Cottrell, LinkedIn, https://www.linkedin.com/in/lancecottrell. I always enjoy talking to people about these issues.

We'll make sure to link all those in the show notes as well. Lance, thank you again for coming on the podcast.

Absolutely. It's my pleasure. This was fun.

Exit mobile version