
RPF0461-Justin_Carroll_Interview


Whisper Transcript | Transcript Only Page

00:00:00.000 | Welcome to Radical Personal Finance, the show dedicated to providing you with the knowledge,
00:00:05.240 | skills, insight, and encouragement you need to live a rich and meaningful life now while
00:00:10.360 | building a plan for financial freedom in 10 years or less.
00:00:12.760 | My name is Joshua, and today I'm thrilled to have a guest named Justin Carroll.
00:00:18.240 | Justin is the author of various books on privacy and security, the co-author of an excellent
00:00:23.320 | book called The Complete Privacy and Security Desk Reference, and also the co-host of The
00:00:28.440 | Complete Privacy and Security Podcast.
00:00:30.480 | Justin, welcome to Radical Personal Finance.
00:00:32.800 | Joshua, thank you so much for having me on.
00:00:35.120 | It's great to be here.
00:00:36.240 | Really glad to have you here.
00:00:37.400 | I was introduced to your work by a listener of mine, and privacy, especially financial
00:00:42.080 | privacy, has long been an interest of mine.
00:00:44.960 | But I've often found that the information in the space was either very cursory or not
00:00:52.680 | particularly up to date.
00:00:54.160 | And when I found the work that you and your business partner, Mike, are making, I was
00:00:59.120 | deeply impressed, and I've become a big fan of yours in the meantime.
00:01:02.840 | So in today's show, I want to outline and really just give you the floor to talk about
00:01:07.440 | privacy and security.
00:01:09.000 | Before I give you the microphone, I want to just lay the foundation that I see and why
00:01:13.300 | this is so important in the context of personal finance.
00:01:16.420 | In finance, there are a few different aspects wherein the discussion of financial privacy
00:01:22.160 | makes a big, big impact, especially in the areas of asset protection, especially in the
00:01:28.880 | areas of business and the ability to protect yourself from potential harm.
00:01:34.220 | And one of the major concerns that I have is that, in general, people don't think about
00:01:38.420 | these things in advance.
00:01:39.920 | They usually only start thinking about things when they get a call from the lawyer or they
00:01:43.860 | start thinking about them when all of a sudden the police have shown up on the front door
00:01:47.880 | asking questions, et cetera.
00:01:49.960 | And so I believe that it's part of prudent planning to put in place some good safeguards
00:01:54.960 | with regard to your own financial privacy and security.
00:01:58.640 | So kick us off.
00:01:59.640 | Tell us about your background and how you first started to become interested in the
00:02:03.840 | topic of privacy and security.
00:02:05.800 | Well, I initially became interested, I come from a military background, and after I got
00:02:11.600 | out of the military, I spent several years going overseas as a contractor with another
00:02:18.260 | government agency, and I realized pretty quickly that privacy was kind of important.
00:02:24.680 | I had to give out my name and home address and next of kin information on various visa
00:02:30.160 | applications to countries that maybe aren't necessarily friendly to the U.S. and that
00:02:34.880 | kind of got the gears turning.
00:02:36.440 | And then a few years later, I spent about five years teaching a special operations course
00:02:41.460 | at one of the special operations courses for the U.S. military, and SOCOM was kind of grappling,
00:02:50.340 | the special operations command was kind of grappling with this issue, this emerging issue
00:02:54.780 | of identity management.
00:02:57.440 | And I was fortunate enough to be one of the instructors for that and kind of got to develop
00:03:01.500 | my own curriculum.
00:03:02.500 | And that's what really got the ball rolling.
00:03:05.240 | And then I met my partner, Michael Bazzell, who his big specialty is open source intelligence,
00:03:10.680 | which is finding everything there is to find about a person online just through really
00:03:16.280 | good Google searches and the things you put on Facebook and things like that.
00:03:20.560 | And between the two of us, we kind of put our heads together.
00:03:23.160 | He had a big interest in the privacy side as well.
00:03:26.060 | And this thing, some would say maybe has gotten a little bit out of control, where maybe a
00:03:30.600 | little bit too tinfoil hat and paranoid.
00:03:33.720 | But that's kind of what got me started down this road.
00:03:37.980 | And it's turned into a big personal interest, big personal hobby.
00:03:40.480 | And I'm not saying that everyone has to take it to the level that Michael and I have taken
00:03:44.620 | it to, but that's where it came from.
00:03:46.740 | I used to pull back from talking about things that sounded outlandish and tinfoil hat approach
00:03:53.680 | in various subjects.
00:03:55.280 | But I've actually come to terms, I've come to peace with it.
00:03:57.440 | And I've realized this.
00:03:59.800 | Almost everybody seems to love watching Jason Bourne movies.
00:04:04.660 | And the reason they love it is just because he's such a far out character.
00:04:08.160 | And so there's tremendous value in having people who take things to the extreme, because
00:04:13.140 | I feel it has more of an influence on moving people a little bit than oftentimes people
00:04:17.840 | who just do a few things here.
00:04:20.220 | It's often fun to have a Jason Bourne character out on the extreme fringe who can be inspiring
00:04:26.400 | and kind of brings that sexy side of things to a discussion.
00:04:31.600 | So we're going to start with mainstream stuff, but I think it's extremely valuable to talk
00:04:38.200 | about the far out techniques so that people are aware of them.
00:04:41.760 | When you look at financial privacy, how do you factor into your thinking a specific focus
00:04:47.280 | of general privacy versus specifically financial privacy?
00:04:53.520 | There's a lot of overlap between the two.
00:04:55.960 | I'm kind of of the school of thought that there is no privacy without security and there
00:05:00.040 | is no security without privacy.
00:05:01.680 | If you can get into my email account, that's a security issue, right?
00:05:05.040 | If I have a poor password and no two factor authentication in there and you get into my
00:05:09.440 | primary Gmail account that holds everything, that's a security breach that's happened,
00:05:15.280 | but it affects my privacy deeply because now that you're in there, you have access to all
00:05:21.160 | the bank accounts, any financial account or any other kind of account that I've authenticated
00:05:26.840 | using that Gmail account as a point of contact for.
00:05:30.280 | So these things all kind of tie together and this, you know, we talk about the tinfoil
00:05:35.080 | hat stuff, but it wouldn't exist without the, the, without brilliance in the basics, without
00:05:42.320 | being very, very good at these baseline level privacy and security things.
00:05:46.080 | So I think everyone, whether you intend to take this to the furthest possible extreme,
00:05:54.000 | or if you just want to be a little bit more financially secure and financially private,
00:05:58.640 | you should consider those baseline level security measures.
00:06:02.400 | And you know, I know our talk is not primarily around security, but I'm, I'm a firm believer
00:06:07.960 | that you can't have one without the other and you, you have to take those initial steps.
00:06:13.280 | And just generally speaking, the advice I kind of give to everyone, um, and these are
00:06:19.200 | not financial specific, but they do deeply impact financial privacy is use good passwords.
00:06:25.760 | And to do that, you have to use a password manager.
00:06:27.960 | You need to use a different password on every account that you have.
00:06:32.160 | And if possible, a different username, because that influences your attack surface.
00:06:36.040 | If I know your username, I know where to start attacking your account.
00:06:40.680 | If however, you have set up a completely random username.
00:06:43.920 | I don't even have a good starting point for that.
00:06:46.640 | Um, two factor authentication is another thing.
00:06:50.240 | So the way we implement this, I go to my bank account, I enter my username, I enter my password,
00:06:56.040 | I hit log in and it presents me with a second screen that says, go ahead and enter your
00:06:59.720 | two factor authentication token.
00:07:02.040 | And maybe that's an app on my smartphone that displays a code.
00:07:05.160 | Maybe that's a text message sent to me, or maybe that's something else.
00:07:08.740 | But those are kind of those baseline level things that I would absolutely recommend doing
00:07:14.000 | for every single listener of, of your podcast or any other podcast is protect your accounts
00:07:20.560 | because that front end really is your biggest attack surface and possibly your weakest,
00:07:26.760 | your biggest potential point of failure.
00:07:28.280 | One of the things I most appreciate about your work is you've given me a vocabulary
00:07:34.680 | with your personal taxonomy of the realm of privacy and security.
00:07:39.640 | I didn't have the vocabulary to apply.
00:07:43.400 | And I really appreciate when you use things like attack surface, it's really, really helpful
00:07:47.440 | to me to do that and to know that.
00:07:50.560 | And just a couple of practical examples, as I understand what you're saying, when you
00:07:56.160 | have the same email address that you use constantly for every account, every social media account,
00:08:01.520 | every personal interaction, every business interaction, et cetera, that social, that
00:08:05.920 | email account is prominent and common across basically all over the web.
00:08:12.500 | So if there is a data breach from some random company that you do business with, which it's
00:08:17.500 | my opinion that in the fullness of time, every company that you do business with will have
00:08:21.140 | a data breach.
00:08:22.380 | Then now that email address is sold on the black market and that email address can be
00:08:26.160 | used by somebody and various combinations of it tried.
00:08:30.520 | So if my name is Joshua Sheets and my email address is joshuasheets@gmail.com and then
00:08:35.380 | all of a sudden I use Joshua Sheets as my login information, it's not that hard for
00:08:39.640 | somebody to start guessing password variations, put a little bit of computer power behind
00:08:44.280 | it, and now all of a sudden they may have access to my financial accounts.
00:08:48.720 | And I'll beat up on banks a little bit here.
00:08:51.440 | Banks are not great at these authentication measures.
00:08:54.000 | So the bank that I have my corporate account with is, I set it up with them kind of out
00:09:01.120 | of convenience and I'm really regretting that decision now because of some of the privacy
00:09:04.560 | interventions that I have taken.
00:09:07.520 | It's a little bit difficult for me to just jump to another bank, but I'm stuck with a
00:09:11.360 | bank that doesn't allow two factor authentication, that doesn't allow very long passwords.
00:09:16.080 | I think I'm capped at maybe 16 characters and the character set is kind of limited.
00:09:21.240 | And this is kind of endemic with banks.
00:09:22.720 | I think some of the banks are doing a good job.
00:09:25.320 | Banks like Bank of America, Citi and Chase are doing a reasonably good job, these top
00:09:30.520 | tiered banks.
00:09:31.520 | But if any of your listeners are with smaller credit unions or local banks or things of
00:09:36.920 | that nature, I would take a long, hard look at the security that is even possible to implement
00:09:42.360 | on those accounts before I go any further with that.
00:09:45.600 | And maybe consider, if you don't want to give up that oldest bank account that you have,
00:09:50.640 | maybe consider opening an account with a bank that offers some better security and using
00:09:55.720 | that as my primary day to day use account rather than continuing on with that bank that
00:10:00.320 | doesn't.
00:10:01.320 | My experience has been that the banks probably aren't paying attention to it because the
00:10:05.480 | customers aren't demanding it.
00:10:07.200 | Just yesterday I released a show talking about – the title was Don't Trust Your Financial
00:10:11.080 | Advisor.
00:10:12.080 | I released it before recording this.
00:10:13.920 | And the point was – I said you can't – and the point – it was a clickbait title.
00:10:17.160 | But basically my point was you can't trust your financial advisor to maintain your privacy,
00:10:24.440 | your secrecy or your security.
00:10:27.200 | And one of my major – since I come from the world of professional financial advice,
00:10:32.080 | I am disheartened to see how insecure customer data is.
00:10:38.000 | And it's not because the firm doesn't know that they have a need for it.
00:10:41.720 | The firm on the firm level, they try to put in place things that are available.
00:10:45.320 | But I used to try to communicate with clients via an encrypted email system.
00:10:48.640 | We had a very simple encrypted email system set up that I could use to convey private
00:10:54.200 | information to my clients.
00:10:56.040 | And I would use it and we were required to use it whenever we were transmitting personal
00:11:02.080 | information through the encrypted email system.
00:11:05.480 | But most of the clients hated using it because it required one extra step to decrypt the
00:11:10.800 | email.
00:11:11.800 | And so of course to get around it, people are constantly sending unencrypted files or
00:11:16.120 | they just pop it over and send it through their personal Yahoo account right there to
00:11:20.200 | get it to the client and the clients didn't demand it.
00:11:22.840 | So I think one of the first things that I'd love to see my listening audience do is start
00:11:26.280 | demanding better security measures from the people that serve you.
00:11:32.440 | Yeah, the thing I did with my financial advisor is – or that I do with him, he's still
00:11:38.640 | not very good at privacy and security.
00:11:41.200 | He's very good at his job, but privacy and security are definitely lacking.
00:11:45.120 | And I just put everything into a PDF.
00:11:47.400 | If you have Adobe PDF Pro on Windows or Preview on Mac, you can encrypt that PDF.
00:11:53.940 | So I'll send him the PDF and then I'll call him and tell him the password, which kind
00:11:57.720 | of necessitates a simple password, but it's much better than nothing.
00:12:02.060 | And my question for you is, how do we fix this?
00:12:04.920 | Is there a financial advisor convention that I can get on the speaker list for?
00:12:09.840 | How do we start fixing this issue?
00:12:11.520 | That's a great idea.
00:12:12.520 | We could probably team up because I actually have the outline on one of the reasons why
00:12:16.400 | I consumed all your content was because I've been concerned about this for a while and
00:12:20.200 | I had researched the topic.
00:12:21.800 | I have the outline of a book/course in my head – or I have the outline written out.
00:12:27.120 | I'm not committed to actually completing it, but how to actually maintain as much financial
00:12:33.040 | anonymity and privacy as possible.
00:12:35.960 | And it is a big concern.
00:12:37.760 | Yeah, we could talk about that because there probably is some stuff that could be created
00:12:42.960 | that would bring it to people's attention.
00:12:45.440 | I think people just don't recognize how big the vulnerability is.
00:12:49.960 | I know my experience was that I spent most of my life with my head in the clouds and
00:12:55.840 | I would just simply say, "It's not going to happen to me."
00:12:58.080 | And if it does happen to me, it's probably not a big deal.
00:13:00.280 | It can be cleaned up.
00:13:01.640 | But over the last few years, I think we've seen plenty of evidence that, number one,
00:13:04.800 | it's going to happen to you, whether it's something embarrassing and potentially life-changing,
00:13:10.520 | such as being found in the Ashley Madison database, or whether it's something just
00:13:15.360 | simply inconvenient, such as being in the Target or Home Depot breach, or whether it's
00:13:19.760 | something potentially serious, like being involved in a government information breach,
00:13:24.800 | whether it's – what was the breach on the military system?
00:13:28.560 | Yeah, exactly.
00:13:29.560 | Recently.
00:13:30.560 | Or, I mean, this goes back years, back when the U.S. Census Bureau lost 50 laptops, something
00:13:34.920 | like that, that were stolen with all this personal information on them.
00:13:38.320 | So I think the understanding that people have has raised – and so I'm trying to agitate
00:13:45.800 | here on the consumer side to get people to care about it.
00:13:48.600 | And my experience has been that just simply by telling people and encouraging people,
00:13:55.240 | "Hey," just requires certain things.
00:13:58.160 | I get a lot of my friends – I try to get everyone I can to use something as simple
00:14:02.080 | as Signal, which is just a simple encrypted messaging and communication app.
00:14:05.960 | It's so easy to install.
00:14:07.760 | Every time I do it – or I try to get people to use FaceTime, FaceTime audio, instead of
00:14:12.560 | making a phone call.
00:14:13.560 | So all of my friends with iPhones, I just always FaceTime audio them.
00:14:16.520 | What's this FaceTime audio?
00:14:17.520 | Well, at least it gets a base level of encryption.
00:14:20.080 | And so I personally am a bit of an evangelist for it, and I think that that will have an
00:14:24.480 | effect.
00:14:25.480 | And it's only when the customers demand it that the industry will change.
00:14:28.440 | Well, I have to tell you, that's incredibly refreshing to hear, because it's not very
00:14:32.400 | common to hear people outside of the dedicated privacy and security space agitating for these
00:14:38.280 | things or advocating using Signal or encrypted email or things like that.
00:14:44.160 | So that's really kind of uplifting to hear that at least someone is out there doing that.
00:14:50.600 | Well, it used to be hard to do.
00:14:53.040 | And my observation is – you know, setting up manual PGP encryption on your email program
00:14:59.280 | is not for the faint of heart, right?
00:15:01.280 | So it's just easier to say, "Well, I'm not going to worry about it."
00:15:04.000 | But now, when there are encrypted email options that are free and that are easy, I think the
00:15:09.320 | technology barrier has gone down.
00:15:12.000 | And especially my observation, the political scene really raised with the hacks of the
00:15:18.120 | Democratic National Committee and the releases there, whether that was from an outside attacker
00:15:22.120 | or an inside source, I don't know.
00:15:24.320 | But I think that these things have really raised their profile for people.
00:15:29.040 | Absolutely.
00:15:30.040 | Yeah, possibly the best thing to come out of the Snowden leaks was not massive public
00:15:36.680 | awareness and people making behavioral changes, but companies that are interested in privacy
00:15:41.360 | and security are now providing us with options that are much more easily implemented.
00:15:46.640 | Even you mentioned PGP, which I still have a PGP key on my blog.
00:15:51.520 | If people want to email me that way, they're welcome to.
00:15:54.920 | But I maybe exchange a manual PGP encrypted email once a month at most.
00:16:03.760 | And it's even still possible for people like me to screw that up because it is such a technically
00:16:08.320 | demanding system.
00:16:10.440 | And thankfully, for email, we have things like ProtonMail now that are much more manageable.
00:16:16.000 | Absolutely.
00:16:17.000 | So let's go back to the basics.
00:16:18.520 | I guess we went into nerd world there.
00:16:22.000 | Because I do want to emphasize the basics.
00:16:24.200 | And I think these basics matter.
00:16:26.520 | So your best practices that you mentioned were a few things.
00:16:30.680 | Number one, don't use a common username.
00:16:33.040 | If your name is Joshua Sheets, don't use Joshua Sheets as your login.
00:16:36.440 | Either use variations of that with numbers or even better, use an entirely random string
00:16:41.040 | of characters such as HK57329 and use a password management database system to maintain that
00:16:49.600 | information.
00:16:50.600 | Two was use strong passwords.
00:16:53.200 | So at the maximum length possible and of tremendous variation.
00:16:57.740 | The only way that's practically possible is to use a password management program, which
00:17:03.480 | I'm going to ask you about in just a moment, Justin, how you recommend.
00:17:06.080 | Because many people just have the habit of using one or two simple passwords and they're
00:17:10.400 | very proud of themselves when they add a number or two to it.
00:17:13.920 | And they use the same password across all accounts, which is also better than having
00:17:17.960 | a simplest password.
00:17:19.560 | But it's also pretty insecure.
00:17:21.920 | And then number three was third party authentication.
00:17:24.400 | Sorry, two factor authentication, making sure that whenever possible, you add a second login
00:17:29.920 | factor to the login information.
00:17:32.560 | So practically, how do you manage that?
00:17:34.320 | How do you do that?
00:17:35.320 | What are the apps and resources that you use and recommend for that base level of security
00:17:38.280 | for financial accounts?
00:17:39.640 | Absolutely.
00:17:40.680 | So for a password manager, I use a system called KeePass, which is free and open source.
00:17:46.920 | And there's some benefits and disadvantages to KeePass.
00:17:51.400 | So I'm a security, the security is my platform.
00:17:55.140 | So I'm always going to default to the more secure, less convenient option.
00:17:59.280 | KeePass creates a database that exists locally on your computer.
00:18:03.840 | So it's a, I use KeePass for Windows, KeePassX if you have Macs or Linux computers, and
00:18:11.720 | MiniKeePass for iOS and KeePassDroid for Android operating systems.
00:18:18.000 | And that's a little bit complex.
00:18:19.800 | But once you have the applications installed, you create that KeePass database on whatever
00:18:25.960 | your primary system is probably your desktop computer, you can then drag that database
00:18:30.000 | over to your phone, your tablet, your other computer, your wife's computer, your husband's
00:18:37.240 | computer, they can all be accessed through that KeePass front end program, because that
00:18:42.840 | data they all read that same .kdbx file format.
00:18:47.080 | So you can move those databases around, you do run into some version control issues with
00:18:51.280 | that if you add something on your phone, and you don't go in and update that database on
00:18:55.880 | your primary machine, those versions can very quickly start to conflict with each
00:19:01.080 | other.
00:19:02.080 | So if you're looking for a simpler, more convenient option, there's a program called LastPass.
00:19:08.000 | This is cloud based.
00:19:09.000 | So it actually manages your database in the cloud, you can access it from any of your
00:19:13.280 | devices, Windows, Mac, Linux, Android, iOS, you can also log into it from the web, from
00:19:20.720 | any of your internet browsers, or from dedicated browser extensions for most of the
00:19:26.240 | major browsers.
00:19:27.760 | And the great thing about this is you can access it from anywhere.
00:19:30.720 | And anytime you update that database, it's updated across every single device because
00:19:35.240 | it's maintained in that one central hub.
00:19:38.160 | Now I'm a little more leery of this because if that database were ever breached, then
00:19:42.760 | all my passwords for absolutely everything I have would be compromised.
00:19:48.360 | But I have some great security measures in place.
00:19:50.520 | I have a very, very long, strong password on that. You can use two factor authentication.
00:19:57.440 | And let's talk about that a little bit.
00:19:58.840 | So I mentioned that you can get a text message, you can have an app on your phone that maintains
00:20:03.520 | those two factor authentication tokens, or you can have a piece of hardware.
00:20:07.140 | So I don't recommend the SMS generally that has actually been downgraded by a government
00:20:11.960 | agency, the National Institute of Standards and Technology, because of how easily defeated
00:20:17.160 | it is.
00:20:18.520 | It would take a fairly sophisticated, focused adversary that was specifically trying to
00:20:23.760 | defeat you.
00:20:25.480 | Because in order to do that, I would have to hack into your phone account, which is
00:20:29.160 | not difficult to do at all, and forward your text messages to me.
00:20:33.400 | At that point, I would receive all your two factor tokens and could log into your accounts
00:20:37.060 | provided I had cracked the username and password.
00:20:40.600 | So that's not ideal, but it's still far, far better than nothing.
00:20:45.360 | So the next kind of escalating up the next thing would be a software token on an app
00:20:49.960 | like Google Authenticator, which you can install on your iOS or Android devices, or Authy,
00:20:57.120 | and which uses the same protocol you install it on your iOS or Android device, you log
00:21:02.160 | into your account with your username and password.
00:21:05.280 | The next step will ask for your token, you open up your phone, open that Google Authenticator
00:21:10.360 | or Authy app, you can have multiple different accounts in these apps.
00:21:15.040 | So let's say I have a Gmail account or Dropbox account and a Facebook account, I can have
00:21:19.200 | those tokens for all of those in this one single app, I tap the icon for the account
00:21:23.360 | I want, it displays the current six digit code, I type that in, and I'm allowed to log
00:21:29.640 | That code is only good for one login, and it's only valid for a 30 second period.
00:21:34.220 | So you will notice if you watch the app every 30 seconds, the code that's on there will
00:21:39.000 | disappear and a new one will pop up.
00:21:41.440 | This is much, much better security than the SMS version.
00:21:45.360 | And then if you really want to go all out, there's a product called the YubiKey.
00:21:49.720 | And I will make sure you have a link for that in your show notes.
00:21:52.420 | But the YubiKey is a hardware token that you plug into a USB port.
00:21:57.640 | And the problem, kind of the issue with this is not a lot of services support this yet.
00:22:03.720 | But it creates a rotating code, you have to have the hardware in your computer, so you
00:22:09.880 | username password.
00:22:11.440 | And on the next screen, you just tap a little button on the YubiKey, it dumps that massive
00:22:15.960 | 40 character two factor authentication token into the website, and you're allowed to log
00:22:22.080 | So there's kind of an escalating scale depending on how complex you want to get with it.
00:22:25.920 | Personally, I find the middle of the road the Authy or Google Authenticator app to be
00:22:31.080 | the most usable.
00:22:33.400 | Text messages, I have problems with sometimes if I can't get cell service for whatever reason,
00:22:38.280 | I won't get those two factor authentication tokens.
00:22:40.860 | So using the app has been the most convenient and it's the level of security that I'm comfortable
00:22:47.400 | with for most of my accounts.
00:22:49.720 | Authy is really simple to set up.
00:22:52.360 | You just do it and scan a code on the site and it's really easily integrated.
00:22:57.000 | My question is this, if you're using an app as in Authy or Google Authenticator, how do
00:23:01.720 | you back that up in case you have a malfunction of your mobile device that you are using the
00:23:06.760 | codes from?
00:23:07.760 | So Authy makes it really, really easy.
00:23:10.600 | And I'm a little bit less familiar with Google Authenticator.
00:23:14.840 | If anyone has listened to my podcast, they'll know I kind of have a really negative view
00:23:20.280 | of anything with the name Google on it.
00:23:21.960 | You and me both.
00:23:22.960 | I've been trying to extract myself for years and I'm hoping in a few years I can, but I
00:23:25.960 | don't think I'll ever be able to fully extract.
00:23:28.600 | So I'm really hesitant to put a Google branded app on my phone.
00:23:32.840 | So I'm more familiar with Authy, but it allows you to go in and set a username and password
00:23:38.480 | and it will store an encrypted version of your account information of those two factor
00:23:46.140 | tokens on Authy's server.
00:23:47.520 | So if I lose my phone, if I drop my phone in the toilet, if my phone just dies one day,
00:23:52.440 | I go get a new one, back it up, and then I re-login to Authy and it will refresh those
00:23:57.760 | two factor tokens onto that device and I don't skip a beat.
00:24:02.760 | I've been learning how to use YubiKey.
00:24:05.280 | I learned that from you guys.
00:24:06.280 | I had never heard of it and then I listened to your podcast on it and ordered a couple
00:24:10.200 | of them and I've been using them.
00:24:12.040 | I think it's a tremendous, powerful, I mean it's really, really cool and it does what
00:24:17.260 | many of us I think would desire to have done.
00:24:19.920 | It uses and integrates the digital technology with the changing code with the physical security
00:24:26.200 | so I can be confident that my account is not going to be accessed unless my physical token
00:24:32.960 | is present.
00:24:34.600 | My question for you is it doesn't seem to work with Firefox.
00:24:37.100 | How do you do that?
00:24:38.100 | Because I like to use Firefox, but it doesn't work with Firefox, at least it doesn't right
00:24:42.680 | How do you fix that?
00:24:43.680 | Yeah, that's kind of a thing.
00:24:46.680 | That's my personal question because I've been trying to learn how to use it.
00:24:50.160 | It's like I got to do it on Chrome and I try not to use Chrome.
00:24:54.560 | So if I'm not mistaken, you can use the YubiKey with some services on Firefox.
00:25:00.680 | Gmail will not support it on Chrome.
00:25:03.320 | Is that the experience that you're having?
00:25:05.080 | Right.
00:25:06.080 | Gmail won't support it on Firefox.
00:25:07.080 | Facebook won't support it on Firefox, etc.
00:25:11.160 | Okay.
00:25:12.160 | And also I use YubiKey for some local accounts or some local applications like my KeePass
00:25:17.520 | database.
00:25:18.520 | I use a static YubiKey password to log into that KeePass database.
00:25:22.680 | So that's browser agnostic.
00:25:26.760 | It doesn't touch the browser so it doesn't care.
00:25:29.160 | I'm a little bit hesitant to recommend the YubiKey to people that aren't specifically
00:25:33.480 | privacy and security focused because a $40 product is a really tough sell when you can
00:25:39.480 | go out and download Google Authenticator or Authy completely for free and it works with
00:25:44.720 | a lot more things.
00:25:46.200 | However, I do really like the YubiKey.
00:25:49.000 | Once you have it set up and running, if you buy the YubiKey Nano, it just sits in your
00:25:53.600 | USB port.
00:25:54.600 | You barely even know it's there and occasionally you just tap it and it dumps that code.
00:25:59.120 | But it's a little bit more technically challenging to set up and I think to kind of wrap your
00:26:03.880 | head around.
00:26:05.200 | And that $40 cost of entry is a tough pill for a lot of people to swallow.
00:26:09.960 | Yeah, we'll get out of nerd world.
00:26:12.080 | Appreciate the reining in there.
00:26:14.600 | LastPass for password management is fantastic and you make a valid point with regard to
00:26:20.960 | security.
00:26:21.960 | But for most of us, our security is so horrifically bad that just to move to LastPass where it
00:26:27.200 | will automatically set it up so while you're browsing, everything is right there and so
00:26:32.000 | that it'll create long random passwords that are stored is tremendously valuable.
00:26:37.520 | I've had great success with getting people to use LastPass because it's stored in the
00:26:41.600 | cloud which most people like and it helps them to feel good and also because of its
00:26:46.040 | just ubiquity across all platforms.
00:26:48.660 | So that would be a tremendous upgrade and then also I'll affirm as you said, Authy
00:26:52.880 | for two-factor authentication is easy to use, it's simple to set up, and it would be a tremendous
00:27:00.520 | step up for many people.
00:27:02.200 | So these steps would help to secure our accounts.
00:27:05.040 | What else?
00:27:06.040 | What are the low-hanging fruits?
00:27:09.480 | Are there any other low-hanging fruits that you wanted to add to this?
00:27:12.200 | Yeah, so I guess one more.
00:27:15.320 | So those are fairly easy steps to take.
00:27:17.480 | The next one is going to be a little bit painful but it's kind of necessary in my opinion for
00:27:22.760 | both security and privacy and that is get off Gmail.
00:27:27.680 | This is a tough sell because Google has kind of spread their tentacles into every aspect
00:27:32.900 | of life with Google Maps and Waze and Google Calendar and Google Translate and Google Street
00:27:38.540 | View and all these amazing services.
00:27:42.160 | If you have a Google account, you already have access to all these other things like
00:27:47.120 | Google Drive and Google Voice and all these other amazing products that make life so much
00:27:51.600 | easier.
00:27:52.800 | But these are all collecting information from you that will never be forgotten.
00:27:56.520 | It's all going onto a server and a lot of it is very, very personally sensitive.
00:28:00.720 | Even if you don't send emails and most people are migrating to services like iMessage or
00:28:06.320 | Snapchat or other messaging services, email is kind of going the way of the handwritten
00:28:11.560 | letter.
00:28:12.560 | It's becoming less and less common that people exchange these deep intimate personal emails.
00:28:17.780 | But if all you're receiving still is service notifications from your bank, from your physician,
00:28:22.520 | from all these services that create a lot of ancillary metadata about who you are and
00:28:29.360 | what you are, that's still a huge, huge privacy invasion.
00:28:34.240 | And there have been instances of rogue Google employees.
00:28:36.780 | There have been instances of, I mean, things like the NSA backdooring Google trunks to
00:28:43.120 | obtain all that data.
00:28:44.120 | And I don't want to emphasize that too much because we're not really trying to hide from
00:28:50.760 | the NSA, but the NSA has also proven very recently with the WannaCry leaks that they
00:28:56.240 | have a difficult time hanging on to the data that they collect.
00:28:59.420 | So if all this is floating around out there, it's at risk.
00:29:02.000 | So my personal solution is ProtonMail and to get the functionality that most people
00:29:08.120 | need out of email, you're probably going to need a premium account, which is a couple
00:29:12.720 | of bucks a month.
00:29:13.720 | It's not onerous.
00:29:15.240 | You can step up to the ProtonMail Plus plan for under $50 a year if you buy yearly.
00:29:22.060 | And all your emails are end-to-end encrypted between ProtonMail users.
00:29:25.940 | One thing I found really handy with people like my accountant is that I can even encrypt
00:29:30.120 | emails to outside users.
00:29:31.680 | I just say, encrypt this message.
00:29:33.360 | I assign a password to it.
00:29:34.680 | I call him up and say, "Hey, here's the password to open this email."
00:29:38.280 | And all the content of that email and any attachments are going to be encrypted.
00:29:42.360 | Everything's stored in an encrypted state in Switzerland.
00:29:48.800 | The administration of ProtonMail has no access to my emails.
00:29:52.800 | This is not the ultimate solution if you're going to be the next Edward Snowden.
00:29:57.600 | But for most of us, for our day-to-day communications, this takes you out of that automatically opted-in
00:30:05.700 | data collection that we're all subject to.
00:30:08.800 | And even if ProtonMail is hacked or has a rogue employee, I don't worry that they're
00:30:12.760 | going to have access to my financial accounts or my other email accounts or my Facebook
00:30:16.840 | account or my doctor's accounts or whatever emails I'm receiving there because it's encrypted
00:30:22.900 | and they have no access to it.
00:30:24.680 | Do you think the rogue employee risk is the highest risk that practically speaking most
00:30:29.760 | of us who aren't engaged in foreign espionage and high crimes against the state are involved
00:30:36.960 | Is that the biggest risk?
00:30:38.960 | I think even as good as Google security is, defense is much harder than offense.
00:30:45.760 | Defense you have to get it right every single time.
00:30:48.680 | Offense you have to get it right once to get in and get a bunch of stuff.
00:30:52.440 | And Google is probably the world's biggest target because they're the world's biggest
00:30:56.720 | repository of data.
00:30:58.120 | That data is really, really valuable to people.
00:31:01.720 | Google is targeted thousands of times every single day and they have to get everything
00:31:07.280 | right 100% of the time to avoid being exploited.
00:31:11.480 | And eventually they're going to fail.
00:31:14.840 | I really talk up Google security a lot because it's very good, but that's almost an unsustainable
00:31:21.440 | model to have to be perfect every single time.
00:31:27.200 | And the sophistication of the attackers is consistently increasing as well.
00:31:31.800 | There was a day when a hacker may have had some basic skills, but more and more a hacker can
00:31:38.560 | turn an army of computing power of remote bots against something.
00:31:43.520 | The coding sophistication, the knowledge just seems to be consistently increasing, which
00:31:47.880 | is why we have to consistently step up our game across the board.
00:31:52.560 | To misquote Bruce Schneier, today's NSA exploits are tomorrow's PhD theses and the next day's
00:31:57.800 | hacker tools.
00:32:00.880 | I was thinking as you're talking about communication security, because when I try to get people
00:32:05.960 | to just take a simple step, use FaceTime audio instead of using a phone call, number one,
00:32:10.720 | you'll get a better product.
00:32:11.720 | You'll get a digital connection instead of an analog connection, which is downgraded
00:32:14.760 | signal quality.
00:32:16.320 | Or to use Signal for, or Wickr, or something like that for your text messaging instead
00:32:20.720 | of using the SMS system.
00:32:24.000 | Oftentimes the number one question is, "Well, I don't have anything to hide.
00:32:30.080 | Why should I bother to do that?
00:32:33.480 | I don't have anything to hide.
00:32:34.480 | I'm not involved in anything illegal.
00:32:35.800 | I'm not involved in anything immoral.
00:32:37.160 | I don't have anything to hide."
00:32:39.080 | And I often wish to wax eloquent about the philosophical basis of freedom and liberty
00:32:45.400 | and how this is important, et cetera.
00:32:48.600 | But recently I've been trying this line.
00:32:51.080 | In the old days when you made a phone call, it was automatically a party line.
00:32:54.520 | Anybody all up and down the line, your phone would ring anytime anybody on your phone line
00:33:02.160 | was being called and you didn't listen for the fact of your phone ringing.
00:33:05.880 | You listened for the unique ring.
00:33:07.920 | If you had two short, one long, then you picked up only when it was two short and one long.
00:33:12.040 | But that meant that all up and down the line, anybody who wanted to could pick up the phone
00:33:15.300 | line and listen in on your conversation.
00:33:18.300 | And to me, it's as simple as, would you automatically voluntarily choose to use a technology that
00:33:24.160 | makes your phone calls a party line?
00:33:26.600 | Or if possible, would you prefer to have a direct person-to-person line and contact?
00:33:31.400 | And I've been trying that non-philosophical answer to some success.
00:33:34.940 | How do you answer that objection?
00:33:37.120 | I think my first answer for that is when I go to the bathroom or when I'm being intimate
00:33:43.120 | with my significant other, I'm not doing anything wrong.
00:33:47.520 | But if there are other people in the house, I'm going to close the door.
00:33:49.440 | In either of those cases, there's absolutely nothing wrong with what I'm doing.
00:33:52.840 | They're both kind of biological imperatives and things that everyone does to a greater
00:33:58.960 | or lesser extent.
00:34:01.320 | But there's still that desire for privacy, right?
00:34:04.040 | It's not just because I don't want my guests to be offended.
00:34:06.560 | It's also because I want to have that privacy.
00:34:10.160 | I think ultimately we feel the same about our communications if we don't think about
00:34:16.320 | We don't feel the same about carrying a cell phone, which tracks you everywhere you go
00:34:21.640 | because we've opted into that for the benefits that it gives us.
00:34:24.920 | But if there were someone following you around everywhere you went every day and writing
00:34:28.760 | in a notebook every place you stopped, how long you stayed there, who you talked to while
00:34:32.360 | you were there, people would get very frustrated with that really quickly.
00:34:35.960 | And that is happening.
00:34:38.000 | That happens on a daily basis to all of us that use a cell phone, which is probably every
00:34:42.120 | single person at this point, at least that listen to podcasts, that that very same data
00:34:48.720 | collection is occurring.
00:34:50.220 | It's less visibly apparent to us, which I think is why it's less viscerally alarming.
00:34:56.680 | Absolutely.
00:34:58.640 | Any of the low hanging fruit that you want to mention before I adjust this a little bit?
00:35:04.600 | No, we can go ahead and push on unless there's something specific you want me to talk about.
00:35:09.760 | Well, it's interesting because one of the things why I think this is so important for
00:35:14.040 | people to do and to practice, and here's just my commentary and I'm interested in your take.
00:35:20.400 | Number one, it's my observation that these things are skills that need to be developed.
00:35:27.240 | The ability to use a two-factor authentication application or even just the ability to receive
00:35:33.640 | an SMS message and to input that code on the website is a skill that has to be learned.
00:35:38.760 | I recently read an author who was citing a report about how two-factor authentication
00:35:45.240 | is increasing and he said, "This is bogus."
00:35:46.920 | He was an older guy.
00:35:47.920 | He said, "This is bogus.
00:35:48.960 | I don't see this anywhere."
00:35:50.040 | And I thought to myself, "That's bogus?
00:35:52.080 | You just obviously don't have the skill.
00:35:53.600 | You're not using this because this is certainly not bogus."
00:35:56.960 | You need to develop the skills and you got to develop the skills before you need them.
00:36:00.560 | And one of my concerns is to use your nomenclature, in time, most of us hope to do things and
00:36:08.320 | to be effective in things that are going to necessarily raise our attack surface, which
00:36:14.560 | means bring us to a higher degree of prominence, whether that's doing something like creating
00:36:18.800 | a podcast and talking about money on the internet or whether it's doing something like doing
00:36:23.040 | very well in your job or in your business and earning a significant amount of money
00:36:30.040 | or whether it's taking a stand in a political cause that is unpopular or that wherein you
00:36:35.160 | start to attract to yourself enemies.
00:36:37.760 | You got to think years in advance and put the framework in place so that when all of
00:36:43.560 | a sudden you're being targeted with a lawsuit by your tenant who's suing you because they
00:36:49.520 | fell off the front porch and injured themselves and they know you own 10 rental properties
00:36:53.680 | and now all of a sudden they're going to start – they're going to bring a lawsuit against
00:36:58.200 | You've got to have thought about that a decade earlier and built the skill set.
00:37:01.360 | So I believe that it's important to plan and to teach people to plan for the fact that
00:37:06.560 | your profile in the future is going to be raised and you need to build the skills now
00:37:10.880 | to be prepared for that.
00:37:12.320 | What say you?
00:37:13.320 | Absolutely.
00:37:14.320 | I'm going to steal a quote from one of our recent podcast guests and say that you should
00:37:19.040 | dig your well before you're thirsty.
00:37:22.200 | We've seen plenty of examples of law enforcement officers who have come to national attention
00:37:27.120 | because of their actions on the job and I'm not going to weigh in with a judgment either
00:37:33.640 | way on that, but I will say at that point it's too late to do anything.
00:37:37.720 | Everything about them becomes public knowledge.
00:37:39.440 | It goes in the newspaper on a news crawl at the bottom of the screen for however long
00:37:44.320 | that story is at the front of public consciousness and at that point it's too late to do anything
00:37:49.840 | about it.
00:37:51.140 | Once the news media is camped out on your lawn, it's too late to hide your address because
00:37:56.080 | everyone already knows it or once you're doxxed by Anonymous or once your account is breached,
00:38:03.600 | yeah you can change that password then and make sure those future emails are safe, but
00:38:09.760 | that doesn't pull back those old emails and make them safe again.
00:38:13.440 | So don't wait until something happens to try to fix it.
00:38:17.320 | Take a proactive approach because that's really the only approach that's going to have any
00:38:22.960 | effectiveness.
00:38:23.960 | There were two stories that really sobered me and caused me to start working actively
00:38:30.160 | on defense for this, but in the last couple of years, three actually, and they all involved
00:38:36.280 | finances.
00:38:37.280 | Number one was the lady, the publicist who was on her way to South Africa and made a
00:38:43.440 | flippant comment and a tasteless joke on Twitter about contracting AIDS in Africa.
00:38:49.360 | No, I won't contract AIDS because I'm white and just trended bazillions of times on Twitter.
00:38:56.200 | By the time she had landed in South Africa, she'd been fired from her job and she had
00:39:00.560 | basically the whole world finding out every single detail of her during a single airplane
00:39:06.000 | flight and her whole world collapsed and it sent her into severe depression, affected
00:39:11.400 | all of her relationships, her financial world collapsed, etc.
00:39:15.080 | Second one was the dentist who shot the lion and he shot the lion and from my observation,
00:39:22.840 | I didn't follow the story deeply so I could be wrong in this, but I never saw evidence
00:39:27.000 | that he had committed any kind of illegal act or that he had broken the law.
00:39:31.160 | There were a few questions about his interactions with his hunting trip and the purchase of
00:39:35.920 | his licenses, but my guess was that was just probably standard African bribery systems.
00:39:41.000 | But there was no evidence that he had really done anything illegal or even immoral depending
00:39:46.600 | on somebody's definition of morality with regard to shooting lions.
00:39:49.980 | But his business was just destroyed overnight and he was sent into hiding.
00:39:55.040 | His house and with the ability of Google reviews and of Yelp reviews, etc., his business was
00:40:01.140 | just destroyed and his dental practice sent him to the ground.
00:40:04.840 | I don't know what's happened since then.
00:40:06.480 | And then the third one was the pizza restaurant owner in Indiana about two years ago when
00:40:14.120 | Indiana was passing the religious freedom – I think it was the Religious Freedom Restoration
00:40:19.440 | News crews were hunting for somebody who was professing an opinion on that piece about
00:40:26.360 | being a discriminatory person and they found this pizza restaurant and they found the daughter
00:40:30.960 | of the owner, interviewed her on camera, making some fairly innocuous statements about homosexuality
00:40:35.520 | and religious freedom, etc.
00:40:37.840 | And then this became front and center news.
00:40:40.360 | And again, the pizza restaurant was just pounded into the ground, Yelp reviews destroyed, etc.
00:40:46.160 | All of those cases, none of us know what's happened since.
00:40:49.600 | But none of those three people set out in advance to cause a stir and to bring problems
00:40:57.560 | into their life and to the best of my knowledge, none of them committed anything illegal.
00:41:01.280 | They just had breaches of judgment or took a position that was unpopular, did something
00:41:06.680 | that didn't fit the cultural narrative.
00:41:09.160 | And yet their lives and their livelihood suffered immensely for it.
00:41:12.760 | And in today's day of instant access to the news, etc., I believe this is a serious financial
00:41:18.280 | planning concern that needs to be addressed by financial planners everywhere.
00:41:22.080 | Absolutely.
00:41:23.080 | And, you know, I find this a little bit easier to relate to law enforcement officers in my
00:41:28.640 | training.
00:41:29.640 | And the thing I tell them is, if you're involved in an officer-involved shooting, the news
00:41:35.520 | media is going to be at your house before you are, before you get home that day.
00:41:40.760 | And at that point, there's nothing you can do about it.
00:41:43.440 | And, you know, I was going to bring up the dentist as well, had nothing to do with his
00:41:46.960 | practice, had nothing to do with his family life, had nothing to do with, you know, most
00:41:53.000 | aspects of his life.
00:41:54.200 | This one thing occurred, this one unfortunate event that impacted all of these aspects.
00:41:59.960 | And at that point, there was very little he could do to recover from that.
00:42:03.840 | A proactive approach, you know, every dollar spent in prevention is probably worth, you
00:42:11.200 | know, probably substitute every hundred dollars you'll spend in repairing the damage later
00:42:18.520 | One aspect of, back to financial security and then we'll move to privacy.
00:42:21.640 | One other aspect of financial security that you haven't mentioned that I think is important
00:42:25.000 | is compartmentalization of information.
00:42:27.880 | And I share this because of my experience in the trenches where, you know, if you're,
00:42:35.200 | especially if you have a high profile, high attack surface, again, to use your language,
00:42:40.200 | if you are a prominent person, then the people in the office that you're doing business with
00:42:44.880 | are going to be talking about your name and are going to be pulling up your accounts in
00:42:48.360 | their computer.
00:42:49.360 | I saw this myself.
00:42:52.200 | I worked very hard to never participate, but you can't help but overhear, "Oh, so and so
00:42:56.480 | is a client of mine," and of course some people have access at the administrator level, can
00:43:01.560 | pull up and look and say, "Oh, here's this person's accounts.
00:43:04.160 | Here's that person's accounts," et cetera.
00:43:06.000 | And the staff, the administrative staff, is often somewhat broad who has access to that
00:43:10.760 | information.
00:43:11.760 | So the only way that I know to protect against that is to compartmentalize your information
00:43:16.400 | to the best degree possible, be very careful, and to just share what needs to be known with
00:43:21.400 | the people that need to know it rather than everything.
00:43:24.080 | How do you approach that problem?
00:43:25.560 | I approach that problem with a very proactive front-end approach in that I have essentially
00:43:34.880 | deleted my presence from the internet and there's very little that you will know about
00:43:39.640 | me that I don't want you to know about me.
00:43:41.920 | So I run a blog, I have a Twitter page, I have a podcast, and those are things that
00:43:46.360 | I kind of choose to put in the public space, but everything else I've worked very, very
00:43:51.920 | hard to regain control of, and also to a debatable extent, I do have a public presence that supports
00:44:00.080 | my occupation, my business, my livelihood, but I tend to maintain a pretty low profile
00:44:07.600 | in my personal life.
00:44:09.080 | And that's kind of a tough question in that now we're kind of getting into the things
00:44:14.640 | that require a lot of effort for a little bit of payoff.
00:44:18.960 | But I know this is going to be a very unpopular approach, but I would say the first and foremost
00:44:26.140 | thing that average people need to do, the average listener, not my audience, but everyone
00:44:32.240 | else, which is the majority of society, is pull back your presence on Facebook.
00:44:36.400 | Stop posting every single detail of your life to a public forum.
00:44:41.680 | And even if your Facebook account is fairly locked down, fairly private, it is still on
00:44:46.040 | the open internet, and that information is still available to regular people who really
00:44:51.280 | know how to use Facebook.
00:44:53.360 | That would be, I mean, that's the 90% solution right there.
00:44:58.440 | There's other mitigations we can do.
00:45:00.200 | There are, you know, sorry, Joshua, but I did conduct a little bit of background research
00:45:07.280 | on you.
00:45:08.280 | I would hope you would.
00:45:11.560 | I know you and I exchanged a few emails before this podcast.
00:45:14.720 | You'd written in with a couple of questions, and I thought about sending an email back
00:45:19.520 | saying you need to change your address from, you know, whatever it is.
00:45:26.320 | I'm not going to say it on air, but I didn't want to scare you off.
00:45:30.840 | I pulled back from that, but we can get into removing all those public mentions or at least
00:45:36.120 | most of them from the internet.
00:45:37.760 | So your home address is not easily searchable.
00:45:41.280 | And if you get into some of the self-background stuff that Michael and I talk about in the
00:45:45.720 | book and strongly advocate for just to find out what information exists about you online,
00:45:50.120 | you'll probably be surprised to learn that things like your home address is freely available
00:45:56.160 | on the open internet with your name and the names of your family members.
00:46:00.640 | And to some people, that's alarming.
00:46:02.240 | To people like me, that's certainly very alarming, but some people don't care.
00:46:06.000 | That's kind of public information.
00:46:07.960 | But that also says a lot of other information about you.
00:46:11.400 | I can extrapolate a great deal from that.
00:46:14.360 | Things like your income level, your level of education, possibly your ethnic demographic,
00:46:22.600 | your sexual orientation to some degree based on the neighborhood that you live in.
00:46:27.200 | And that seems like a small piece of information, but it tells me an awful lot about you, especially
00:46:32.360 | in certain neighborhoods that are very densely populated by one demographic or another.
00:46:38.760 | That's significantly private and intensely personal information to me, and I want to
00:46:42.840 | protect that.
00:46:44.760 | If this gets into a lot more effort for a lot less individual payoff per step, but we
00:46:51.120 | can control that information.
00:46:52.600 | We can remove a lot of it and manipulate a lot of it in some cases to make ourselves
00:46:58.240 | a little bit less public and a lot less easily researchable, if that makes sense.
00:47:03.200 | I would say that my own personal, and yes, I have conducted my own open source intelligence
00:47:09.760 | on myself, searches.
00:47:11.680 | And yes, almost everything is freely and openly available, so it would not have surprised
00:47:16.000 | me when you reached out to me.
00:47:20.360 | I would say that my own story is probably the best example.
00:47:23.400 | I never intended to become a public figure.
00:47:26.120 | It was completely unintentional.
00:47:29.560 | And I think this is the way that many people approach it, where they look at it and say,
00:47:36.640 | "Well, I don't have anything to hide."
00:47:41.320 | And also in terms of it's hard to put up walls around yourself for your privacy.
00:47:45.860 | Simple example in financial planning in Florida.
00:47:48.600 | In Florida and in most places, if you do something like purchase a home, your name is going to
00:47:53.880 | be entered into the property tax records as the owner of that local home.
00:47:59.560 | In Florida, this is a big deal because we have an unlimited homestead exemption amount
00:48:04.680 | where you can protect the entire value of your home with no dollar limit.
00:48:10.480 | There are a couple of limits as far as the amount of land that you own, et cetera, but
00:48:17.880 | there's no dollar limit.
00:48:19.200 | So you can protect the value of your home 100% from the claims of any creditors that
00:48:24.540 | you might face.
00:48:25.940 | This is very important with regard to asset protection planning.
00:48:30.340 | And as a financial planner, it's very important that I'm knowledgeable and skillful with that
00:48:34.520 | with regard to working with somebody.
00:48:36.340 | If you are looking for a very secure place to stash $10 million, well, going ahead
00:48:41.260 | and purchasing and living in a $10 million waterfront home in Florida is probably a good
00:48:46.320 | plan for that.
00:48:47.800 | But if you do that, you give up your privacy.
00:48:50.040 | And if you purchase that home in the context of a trust, a living trust, or if you purchase
00:48:55.240 | it in the context of an entity of some other kind, you lose that creditor protection.
00:49:00.820 | So it's a balance.
00:49:01.820 | Well, do I take the value of the privacy by owning it within a living trust that's at
00:49:09.640 | least at the very limit, at the very lowest hanging fruit masked in another name, or do
00:49:14.660 | I take the creditor protection?
00:49:15.840 | Because I'll lose that if I put it into a trust that's not held, especially if it's
00:49:19.880 | held jointly with my spouse.
00:49:21.080 | That gives very, very strong protection.
00:49:23.640 | And in my own case, along the way, you just make those normal situations.
00:49:28.800 | When I went and bought a house for the first time, I didn't know everything that I know
00:49:33.840 | And so I just bought a house and signed up for it and you faced a question.
00:49:36.080 | Well, do I try to move so that I can get a different place and protect my privacy?
00:49:44.440 | In the state of Florida, all of the voter records are public data.
00:49:47.280 | So do I register to vote?
00:49:48.480 | Well, it would be a crime for me to register using something that's not my actual information
00:49:56.840 | to some degree.
00:49:57.840 | So do I deregister, not register to vote, et cetera?
00:50:01.400 | And I have found that the whole path is a very challenging terrain to navigate.
00:50:06.600 | And each person has to look and say, well, what is my threat?
00:50:09.600 | Well, as you see, my threat level, my attack surface, as it were, has changed dramatically.
00:50:14.480 | I never expected to be a public figure, never expected to have people know my name all around
00:50:19.000 | the world.
00:50:20.000 | And yet, here we are.
00:50:22.800 | Absolutely agreed.
00:50:23.800 | And it is very much a compromise.
00:50:26.000 | And some things are kind of easy for me to compromise.
00:50:29.660 | You mentioned voting.
00:50:30.660 | And that is, man, voting is one of the most invasive things, privacy-wise, that I can
00:50:36.000 | think of.
00:50:37.280 | I can look up voter records for me if I know where to look and find very detailed records.
00:50:43.320 | And I've kind of made a decision not to vote anymore.
00:50:46.080 | And that's much less a-- it's not laziness.
00:50:52.000 | And as a veteran, I kind of consider that my right to make that decision or not.
00:50:57.160 | It's a very calculated decision.
00:50:58.880 | And part of it is privacy.
00:51:00.360 | And there's also another more ideological aspect to it.
00:51:04.740 | But I've kind of made that decision not to vote.
00:51:08.280 | Also, in regards to owning a home, my first house I bought using a VA loan, which if you
00:51:16.200 | use a VA loan, you can't use any of the privacy mitigations that Michael and I talk about,
00:51:22.440 | some of the more tinfoil hat stuff, because the home has to be in your name.
00:51:26.180 | You are the veteran.
00:51:27.420 | There's no business entity that can take that loan out for you.
00:51:30.360 | So I'm not currently a homeowner.
00:51:32.440 | I'm currently a renter.
00:51:34.000 | And the next house I purchase, I'm going to have to make a decision about that.
00:51:39.160 | And kind of my plan, my long-term plan is to pay cash for it.
00:51:43.200 | But that will be some time down the road for me.
00:51:46.640 | But yeah, all of these things are intensely personal choices.
00:51:52.600 | And I guess I'm not making any specific prescriptions here to do this, don't do that.
00:51:59.640 | I guess what I would advocate much more heavily for is think about it, make a conscious decision.
00:52:05.520 | Don't just go with the default of, yeah, this is how we do it.
00:52:09.440 | Buying cars, for instance, one of the most invasive, buying homes and cars are two of
00:52:13.960 | the most invasive things you can do privacy-wise because there's a credit check.
00:52:18.560 | All this information from Chevrolet or Ford or Nissan is sold to dozens of other parties
00:52:26.280 | who want to sell you extended warranties or refinance your loan or all these other kind
00:52:30.720 | of things.
00:52:32.000 | So think about that before you buy a car again.
00:52:35.120 | And I'm kind of a subscriber to the school of thought that a car is kind of a wheelchair.
00:52:41.920 | It doesn't need to be fancy.
00:52:43.240 | It gets me from A to B. I will never finance another car.
00:52:47.560 | And there's financial reasons for that.
00:52:50.400 | But there's also privacy reasons.
00:52:52.080 | I don't want that paper trail.
00:52:53.360 | I don't want to create this huge bloom of personal data in this kind of field, this
00:53:00.480 | well-manicured field that I take great pains with everywhere else.
00:53:04.040 | So think about it.
00:53:06.040 | Make a conscious decision before you provide this information.
00:53:09.080 | And that kind of goes for everything.
00:53:11.120 | When you go to Lowe's and buy something and they ask for your phone number, we're habituated
00:53:15.680 | and kind of, I guess for lack of a better word, institutionalized to just spit out the
00:53:20.720 | phone number.
00:53:21.720 | So when you're asked for personally identifiable information, think about it.
00:53:26.760 | Ask why am I being asked for this?
00:53:30.800 | Is it really necessary for what I'm doing?
00:53:33.200 | And that guides my decisions on a day-to-day basis, probably much more so than it will
00:53:38.200 | for most.
00:53:39.760 | But I guess that would be my overall advice on that.
00:53:44.040 | How do you buy a car and own a car privately?
00:53:48.320 | So there are a couple of different ways you can do this.
00:53:51.640 | I pay cash.
00:53:53.120 | I paid cash for my last two cars.
00:53:55.640 | And that involves some longer-term financial planning and being kind of fiscally responsible.
00:54:02.480 | And also, I'm not driving a brand new Audi.
00:54:06.200 | So I pay cash.
00:54:08.640 | That's kind of the starting point.
00:54:10.080 | Anytime you're taking a loan, it's going to be very, very invasive.
00:54:13.120 | So there's a couple other ways or a couple other techniques that we can use.
00:54:17.440 | So I am kind of set up on a system where I'm considered a nomad by the state where I claim
00:54:23.200 | legal residence.
00:54:24.200 | I don't spend 51% of my time in any given state because of my travel schedule.
00:54:28.100 | So I'm legally able to do this.
00:54:31.080 | So I just register my car to this mail drop address where I'm legally considered a resident.
00:54:38.360 | I'm legally kind of in the same place as a full-time RVer.
00:54:42.180 | So all my mail goes there, and I don't really care because I'm never at that place.
00:54:47.660 | If I were a homeowner and lived in the same place, what I would do instead is purchase
00:54:53.680 | the car in the name of a New Mexico LLC.
00:54:56.940 | And these limited liability corporations in New Mexico, New Mexico is one of the very
00:55:01.420 | few states that doesn't require that you give the names of the members of the LLC to the
00:55:08.660 | state.
00:55:09.660 | So I'm totally anonymous provided you set up your LLC through a service that kind of
00:55:15.260 | understands that.
00:55:16.800 | And I can give you the name of one such service.
00:55:19.780 | It's JJ Luna's service.
00:55:22.260 | He's very, he's kind of the godfather of this extreme personal privacy.
00:55:27.140 | But that's how I purchase my car.
00:55:28.740 | And when I go to register it, I would just tell the DMV or RMV or whatever your state's
00:55:35.000 | system is that I am doing business on behalf of this corporation in this state, and it's
00:55:40.880 | the corporation's car because it is, and register it to the corporation rather than to my personal
00:55:45.960 | name because the DMV is, most states actually sell the information that you give to the
00:55:51.920 | DMV, including your photograph, to data marketers.
00:55:55.100 | So that's another place that I'm kind of cautious.
00:55:57.760 | And we're kind of veering a little bit more into the more extreme techniques.
00:56:02.560 | - Bring it on, bring it on, don't worry.
00:56:04.560 | I told you we're not scared of extreme techniques around here.
00:56:06.520 | The show's called Radical Personal Finance for a reason.
00:56:09.160 | - Okay, good, good.
00:56:10.800 | But yeah, New Mexico LLC, or if you're in a situation like I am, like Florida, for instance,
00:56:17.440 | allows you to use a commercial mail receiving agency.
00:56:21.760 | There's a few select ones that you can use as your permanent home address.
00:56:26.880 | If you live in Florida, it's really easy to set that up and just have all your mail go
00:56:30.360 | there.
00:56:31.360 | You just go through their website and then they send you your mail to wherever you wanna
00:56:34.480 | get it at.
00:56:35.480 | But that becomes your legally official address.
00:56:38.880 | That's where my taxes go to, that's where my voting stuff goes to, that's where my vehicle
00:56:42.960 | registrations go to.
00:56:44.540 | So nothing comes to my home address.
00:56:48.560 | - It's very, very doable and very, very simple to do.
00:56:54.320 | What about, well, let's go on back to, instead of going deeper on the car, let's go to housing.
00:57:00.280 | What suggestions do you have for living and maintaining a more private residence, especially
00:57:05.320 | for somebody who has concerns about their public status?
00:57:08.720 | - Okay, sure.
00:57:10.100 | So if you're renting like I do, you absolutely have to stay away from the big apartment complexes.
00:57:16.760 | They have a flow chart of things they have to do for new renters and I found it impossible
00:57:22.560 | to basically to get them to bend in their practice of running a credit check, running
00:57:29.160 | a renter background check, and all these other things that place you at that address because
00:57:35.720 | these credit reporting agencies save that data.
00:57:38.200 | Yes, this was queried from this apartment complex, thus this is probably where this
00:57:41.840 | guy lives.
00:57:42.840 | So if you're renting, I would find something on Craigslist.
00:57:46.520 | If you work in a big company, there's probably someone looking to sublet a room or has a
00:57:51.960 | basement apartment or whatever, but you have to find that individual that's renting out
00:57:56.040 | a place and for those, I pay cash.
00:57:58.920 | I'm sure your audience will have no problem with this.
00:58:02.160 | I'm fairly fiscally responsible.
00:58:03.680 | I have some cash in the bank so when I go to that apartment, find that one I want, just
00:58:09.160 | tell the guy, "Hey, I'm just gonna give you three months rent right now.
00:58:12.280 | I will always stay a month ahead on the rent."
00:58:14.680 | And that really talks.
00:58:15.680 | People really tend to respect that and of course, I'm a good tenant and I'm always,
00:58:21.720 | I've lived up to my word, I'm always at least a month ahead on the rent and he has no issues
00:58:26.640 | with that and I don't check up on him to make sure he's paying taxes on that, though I assume
00:58:31.880 | he is.
00:58:32.880 | I have no reason to believe he's not.
00:58:35.120 | But he likes getting cash.
00:58:36.360 | I like giving him cash because my name is not tied to that apartment in any way and
00:58:41.200 | for utilities, I give him a little bit of extra money to keep the utility in his name
00:58:47.800 | and then I make sure those bills are paid on time so he's not getting any blowback from
00:58:51.840 | that.
00:58:52.840 | If I'm buying a house, it becomes a little bit more complicated.
00:58:54.400 | So I've got a couple options here.
00:58:55.800 | If I can pay in cash, which is hard for most people to do, it's impossible for me to do
00:58:59.120 | right now, it would be a few years down the road before I'm able to do this, but if I'm
00:59:03.520 | paying for cash, for a home in cash, again, I can use the New Mexico LLC option.
00:59:10.280 | There's a couple other LLC options, but New Mexico is probably the best one.
00:59:15.520 | Alternatively, if I'm taking out a loan, and again, if you're a VA, someone who would use
00:59:21.760 | a VA loan, this does not apply to you, unfortunately.
00:59:24.800 | But if I'm taking out a loan, I can put that home in the name of a living trust.
00:59:28.840 | A lot of people put their homes in trusts for estate planning, estate management purposes,
00:59:34.800 | and most people put it in the trust, their name, or most people name that trust in their
00:59:45.280 | real name.
00:59:46.280 | So if I were doing this, probably my tendency would be to name it the Justin Carroll Living
00:59:52.120 | Trust, which doesn't afford me any privacy benefit, but it gives me all those estate
00:59:56.320 | planning benefits.
00:59:57.720 | However, if I wanted the privacy, I could name it anything I wanted.
01:00:02.120 | I could name it the South Florida Living Trust, I can name it the anything you could-
01:00:07.440 | 123 Maple Street Living Trust.
01:00:09.120 | Yeah, I can name it anything I wanted, and my name is tied to that, but if you don't
01:00:14.600 | know the name of that living, if you can query that trust directly and look at it, you'll
01:00:18.200 | see my name on it, but you have to know the name of it to find it first.
01:00:21.320 | So this is a huge, huge privacy mitigation.
01:00:25.080 | And again, we run into setting up utilities, and in either case, whether I'm purchasing
01:00:29.720 | the home in an LLC or a living trust, I would open up an LLC, a New Mexico LLC, to put those
01:00:36.800 | utilities into, because if I go to all that trouble to purchase a home privately, I also
01:00:43.000 | want to make sure that I'm not tying my name to it with the utilities, because that's gonna
01:00:48.320 | defeat all the hard work that I've done to that point, and there will undoubtedly be
01:00:52.560 | a few roadblocks here.
01:00:55.960 | If you know any attorneys that specialize in privacy, I would love to talk to them,
01:01:00.320 | but sometimes that can be a challenge.
01:01:03.160 | Well, not sometimes, that is always a challenge, finding an attorney who is really comfortable
01:01:09.680 | doing these unconventional techniques and really gets privacy, and that's unfortunate
01:01:15.720 | that that's the case, but it is, sadly.
01:01:18.560 | So yeah, you've got a couple options there, and none of them are absolutely perfect.
01:01:25.680 | The New Mexico LLC comes closest, but the living trust still provides just immensely
01:01:34.880 | more privacy than you're going to have purchasing a home traditionally, putting in your name,
01:01:40.160 | especially if you're borrowing money to pay for it.
01:01:43.360 | To use another one of the terms that I learned from you, you use the term threat model, right?
01:01:50.240 | Okay, so how do you define threat model when you use it?
01:01:54.320 | Okay, so threat modeling is kind of a tough case-by-case basis thing, and depends greatly
01:02:01.120 | on what we're talking about, and basically the way I'll do this is take a look at who
01:02:06.240 | my adversary is, who I'm trying to hide from, and then what I look like to them.
01:02:10.040 | So let's say we're talking about email.
01:02:12.720 | My threat model for email is really services like Gmail or just the insipid mass surveillance
01:02:22.080 | that's going on.
01:02:23.080 | I want to kind of opt out of that stuff.
01:02:24.480 | If the NSA wants to look at my stuff, I'm sure they can hack into something and take
01:02:28.160 | a look at it specifically, but that's going to require that they dedicate resources to
01:02:32.000 | it and time to it and that sort of thing.
01:02:34.000 | I don't want to be in that just default mass everything being scooped up.
01:02:38.480 | So my threat model is kind of Google.
01:02:40.240 | I want to be out of Google and mass surveillance.
01:02:44.400 | So I'm comfortable with ProtonMail.
01:02:46.160 | It doesn't protect me from extreme high-level actors, but it protects me from 90% of things.
01:02:52.360 | If we're talking about taking internet privacy, home privacy, for instance, my threat model
01:02:59.400 | is that I don't want someone to be able to look up my, type my name into a Google search
01:03:05.000 | beside the words home address and actually find my home address.
01:03:08.200 | I'm not, you know, I'm not hiding from the U.S. Marshals.
01:03:11.200 | If they were my threat model, I'd probably never rent anything, never buy anything.
01:03:14.800 | I would probably, you know, live, live in a tent in the woods somewhere and never interact
01:03:20.400 | with anyone.
01:03:21.400 | They're not my threat model.
01:03:22.400 | So it's kind of defining who you're hiding from or who you're trying to protect your
01:03:26.480 | information from.
01:03:27.960 | And of course, in all of these, there are other factors.
01:03:31.000 | Hackers are also my threat model.
01:03:32.280 | So if I'm using wifi at Starbucks, I don't want some kids sitting there with the wifi
01:03:36.560 | antenna to be able to read my email or to capture my login credentials to my bank or
01:03:41.800 | whatever else I happen to be logging into.
01:03:44.000 | So those kinds of general cyber things are always kind of an implied threat model, I
01:03:50.920 | guess, rather than an explicit threat model.
01:03:53.040 | Yeah.
01:03:54.040 | And I'll, and so let me give a couple of, to add to that, I really like your language.
01:03:57.720 | I've stolen all your language and I've applied it in the financial.
01:04:01.600 | Please do.
01:04:02.600 | Yeah.
01:04:03.600 | I do try to give credit.
01:04:04.600 | Don't worry.
01:04:05.600 | I'm not a hacker.
01:04:06.600 | But I apply it in the financial planning context, especially when you get into something like
01:04:12.120 | the question of asset management, asset protection planning.
01:04:16.360 | And you, and that's where you have different tools for different threat models.
01:04:21.600 | One simple thing is, do I have the threat model of my relatives thinking that I am,
01:04:27.800 | you know, I have a couple of relatives that are just no good, broke all the time, spend
01:04:32.320 | all the money and I'm doing well financially.
01:04:34.240 | I want to make sure that I have an ability to have a little bit of concealment around
01:04:39.160 | how much money that I actually have.
01:04:40.880 | Well, if I go and buy a personal residence in my name and then I go ahead and buy four
01:04:45.440 | or five rental properties and they're all personally owned in my name, then with a simple
01:04:50.260 | record search on my local county property appraiser's website, all that information is
01:04:53.840 | going to come up.
01:04:54.880 | Or do I want my neighbor who finds out that I'm involved in something to be able to know
01:04:59.000 | how many properties that I have?
01:05:00.900 | So something as simple as owning my personal residence in a living trust and something
01:05:04.820 | as simple as using an entity of some sort for the ownership of my rental properties
01:05:09.220 | and having them segmented and segregated, as you said, adds a tiny little bit of cost
01:05:15.260 | but it lowers my threat significantly.
01:05:18.080 | That doesn't mean that a private investigator who's been hired to investigate me from – based
01:05:25.260 | upon a lawsuit from one of my tenants is not going to be able to find those properties
01:05:29.420 | if they're commonly owned and have a common thread of ownership.
01:05:33.500 | It all depends on how much money they have.
01:05:37.060 | I think that you mentioned J.J.
01:05:39.260 | Luna and his book, How to Be Invisible, which is an excellent book.
01:05:42.100 | I recommend to people.
01:05:43.100 | It's kind of a very readable, thoughtful entry-level discussion.
01:05:46.260 | He gives his different levels of private investigators and he says, "Okay, you're talking about
01:05:50.540 | a level one investigator, a level two, a level three or a level four because at the end of
01:05:54.900 | the day, it costs money.
01:05:55.900 | If you're Osama bin Laden and you're up against the US government, which has an unlimited
01:06:00.180 | source of money and an unlimited interest in finding you, it's going to happen at some
01:06:06.540 | point.
01:06:07.540 | You're not going to be able to escape that scrutiny.
01:06:10.940 | It's just simply not possible.
01:06:13.260 | No matter what you do in time, you're going to be caught up with because of the fact that
01:06:17.580 | you have an unlimited budget.
01:06:19.140 | But your neighbor doesn't have an unlimited budget of time.
01:06:21.780 | You can put different levels of protection in place.
01:06:26.340 | Now if all of a sudden you're a public figure, well now things change.
01:06:29.500 | Now you take different steps.
01:06:31.100 | Or if threat models will vary depending on what type of planning.
01:06:35.960 | If you're involved in something illegal, all of a sudden now things are very, very different
01:06:41.460 | where if you're running a chemical lab, we'll call it in quotations, now you've got to take
01:06:47.540 | a completely—stop running a chemical lab would be my plea.
01:06:51.260 | But if you're running a chemical lab, you've got to take a completely different approach
01:06:54.560 | because you're not worried about a jilted lover.
01:06:59.940 | You're worried about the US government.
01:07:02.020 | And now you're going to be using a very different approach than just somebody, a young woman
01:07:07.900 | protecting herself against a jealous ex-lover.
01:07:11.180 | So at every level, you've got to think practically what am I concerned about because none of
01:07:15.840 | us have unlimited funds.
01:07:18.100 | And it's all a matter of how much am I willing to pay to get the privacy and security that
01:07:22.860 | is appropriate for me.
01:07:24.540 | Absolutely.
01:07:25.540 | And I'm glad you brought up that portion of JJ's book because that's my favorite part
01:07:30.340 | of that.
01:07:31.340 | You know, your level one investigator has a thousand dollar budget.
01:07:35.260 | You know, he's really easy to defeat.
01:07:36.820 | But that level three or four with a hundred thousand dollar budget, he's going to be really,
01:07:40.980 | really hard.
01:07:41.980 | And, you know, probably most of us aren't worried about defeating that like level four
01:07:46.700 | investigator and, you know, it's going to cost a disproportionate amount of money to
01:07:53.100 | hide from him than it is from the level one, two and three.
01:07:56.740 | Like we can do those easy things like tightening up our accounts and pulling back on our Facebook
01:08:01.180 | profile and taking some information down off the Internet.
01:08:04.820 | And those will solve 90 percent of your problems.
01:08:08.660 | It's that last five or 10 percent that's going to take the disproportionate amount of effort
01:08:12.860 | for those very small incremental gains that are going to build up to that.
01:08:16.900 | You know, I say we're never at 100 percent, but it's going to build up to that 99 percent
01:08:21.100 | 99th percentile of privacy, I guess, for lack of a better word.
01:08:27.780 | And it's as simple as it's as simple as this.
01:08:29.900 | Two books that I've read I really enjoyed that relating to threat model.
01:08:35.900 | Many people have heard the advice about don't you know, don't write on Facebook when you're
01:08:41.220 | going to when you're going on vacation because people are searching Facebook.
01:08:46.060 | That's not a new thing.
01:08:48.260 | There's a great book written by a guy named Jack MacLean called Secrets of a Superthief.
01:08:52.460 | He wrote it back in the mid 80s when he was in jail and he was a famous South Florida
01:08:56.300 | cat burglar who claims that he stole and the police agreed with him claims that he stole
01:09:01.020 | about one hundred and thirty million dollars of jewels, money, etc. through thousands of
01:09:07.520 | burglaries all throughout South Florida here.
01:09:09.580 | He was eventually caught and in prison.
01:09:12.340 | He wrote this book called Secrets of a Superthief.
01:09:14.860 | But he talked about some of his techniques of how he would do these robberies.
01:09:18.380 | Well, a basic thing was going and looking at some if he could look at somebody's mailbox,
01:09:23.020 | he would case the house and say, OK, this house looks like it might be an attractive
01:09:26.860 | target and look at the mailbox number and see the name written on the mailbox number
01:09:32.220 | that gave him access to go to the white pages and look up the phone number for the person.
01:09:36.660 | And he tells a story about one particular mark where he targeted them, he called them
01:09:41.660 | and on their home answering machine it said, we're gone to the Bahamas or to the Caribbean
01:09:49.380 | for three weeks.
01:09:50.380 | We'll be back in a couple of weeks.
01:09:52.500 | So of course he went right over the next night, robbed the house, enjoyed himself and he left
01:09:56.460 | a little note on their kitchen table saying, I hope you're not too sunburned from your
01:10:00.780 | vacation.
01:10:01.780 | Thank you for helping my financial well-being.
01:10:05.420 | He was a very – he did that kind of thing a lot.
01:10:10.740 | So that's an old technique told from a guy who robbed a person.
01:10:14.420 | And in hindsight, you look at that and say, well, that was dumb.
01:10:17.220 | But yet how many of us check in on Instagram and check in on Facebook and say, here I am
01:10:23.500 | at such and such.
01:10:24.500 | We're having a great time and we've got to do it all right when we're there.
01:10:28.540 | Well, you can look up – any burglar who's casing your house can look you up in the property
01:10:32.500 | tax records.
01:10:33.500 | Oh, such and such a house is owned by Joshua Sheets.
01:10:35.540 | Let's go on Facebook, Joshua Sheets.
01:10:37.060 | Oh, look, Joshua Sheets is in South Carolina.
01:10:39.340 | It's safe to go in.
01:10:40.340 | That's a very reasonable, reliable, normal threat model that bears consideration.
01:10:46.980 | Another book I read recently – Justin, have you read the Tom Clancy book recent after
01:10:51.980 | his death published last year called True Faith and Allegiance?
01:10:54.660 | No, I haven't.
01:10:56.240 | You should read it.
01:10:57.240 | I'm looking up these books as you mentioned them though.
01:11:00.780 | So this book, True Faith and Allegiance.
01:11:03.140 | It was written in the Tom Clancy pen name but of course he's dead now.
01:11:06.620 | It's part of the Jack Ryan series.
01:11:08.660 | But the basic outline of the book is built on open source intelligence.
01:11:15.460 | And the basic plotline – and this is not a spoiler alert.
01:11:20.460 | The basic plotline is that the US government database of all security clearances from many
01:11:31.440 | years previous was released through the efforts of a foreign state who their government hacking
01:11:39.340 | team had been able to get a hold of the file.
01:11:41.820 | And then a rogue Russian agent or Russian or Ukrainian agent had been able to get access
01:11:47.280 | to that file and had used open source intelligence techniques to collate the data with the outdated
01:11:54.300 | secret security clearance data and use the names, fast forward and figure out where these
01:12:00.800 | different people were.
01:12:02.540 | And then through the use of the publicly available Facebook information, other open source intelligence
01:12:07.060 | techniques that you and Michael Bazzell teach, had been able to use that information and
01:12:12.420 | provide that information as targeting information to terrorist organizations who then took out
01:12:17.820 | physical attacks.
01:12:19.500 | And it was absolutely astonishing because with the exception of having the data breach
01:12:26.020 | – and this is why that recent data breach of government records to me was so horrifying
01:12:30.120 | – with the exception of the original data breach, there was nothing in the plot that
01:12:35.140 | was out of my capability.
01:12:37.140 | And I'm not even a technical guy.
01:12:40.260 | And I just – it stunned me.
01:12:41.860 | Go ahead.
01:12:42.860 | And if you want this capability for yourself, I can't recommend Michael's Open Source Intelligence
01:12:47.460 | Techniques book strongly enough.
01:12:50.300 | He truly is a world-renowned expert on this.
01:12:55.100 | Probably one of the best guys in the world at open source intelligence.
01:12:57.980 | And he documents all his techniques in extreme detail in his book.
01:13:03.020 | I don't make anything from the sale of his books.
01:13:05.620 | But if you do want that skill set, or even if you just want to play around with it and
01:13:10.540 | see what's really possible, it is such an eye-opener.
01:13:13.660 | It's horrifying.
01:13:14.660 | So I kind of take – forgive me for stealing the interview, but I see that as a very legitimate
01:13:24.540 | concern that doesn't involve my hiding from the U.S. government.
01:13:28.060 | People often immediately go in their thinking to the U.S. government.
01:13:31.140 | That's a real problem because I don't have anything to hide from the U.S. government.
01:13:33.740 | I'm not capable of hiding things.
01:13:35.620 | If I were the subject of attention of a specific focused probe, I don't know that I'm capable
01:13:42.060 | of hiding anything from the U.S. government.
01:13:44.140 | It's beyond my skill set and it's beyond my real interest.
01:13:47.980 | But that doesn't mean that I shouldn't be very circumspect about posting on Facebook
01:13:53.180 | or on my Twitter account that I'm going on vacation when it's very easy for somebody
01:13:57.460 | to find that information.
01:13:58.900 | Absolutely.
01:13:59.900 | And, yeah, if the government wants my – the contents of my bank account, they're not going
01:14:04.940 | to hack the account.
01:14:05.940 | They're just going to go to the bank and say, "Hey, give us everything you have on this
01:14:09.420 | guy."
01:14:10.420 | Yeah, that's not the threat model that I'm working against.
01:14:13.900 | But some of the mitigations I take might make it a little harder for them, but that's not
01:14:20.100 | the intent.
01:14:21.740 | So since this is a financial show, if we have a couple more minutes, there are a couple
01:14:28.100 | financial things that I'd like to hit, if that's all right.
01:14:31.300 | You're turning the conversation exactly where I was going to turn.
01:14:33.380 | I didn't want to miss some of the financial tools, so you go.
01:14:36.020 | OK, great.
01:14:37.300 | I think probably one of the biggest privacy mitigations that you can do for yourself and
01:14:42.980 | your spouse and your children is a security freeze with the credit reporting agencies.
01:14:48.860 | I'm sure you're familiar with this, Joshua, but you call up TransUnion, Equifax, and Experian.
01:14:55.180 | And if you really want to get detailed with it, you can also contact Innovis and ChexSystems
01:15:00.540 | at C-H-E-X, and I'll make sure you have all these links, and ask for a security freeze.
01:15:05.860 | And this will lock down your credit, and no credit can be taken out in your name without
01:15:11.780 | the eight-digit code and identity verification with that agency.
01:15:16.460 | So this doesn't expire.
01:15:19.180 | It might cost you $10, depending on the state that you live in, and I'm not going to list
01:15:22.860 | those, but some states are free, some they cost $10 per agency, unless you have been
01:15:28.100 | the victim of identity theft.
01:15:29.500 | If you've ever been the victim of even very low, had to change a credit card number, for
01:15:33.420 | instance, because someone had used your credit card number, you're eligible for free credit
01:15:38.580 | freezes or security freezes for life.
01:15:42.600 | So if you do need to take out credit, you go to whoever you're applying for credit with,
01:15:48.140 | your mortgage lender, and say, "Who are you going to run my credit through?"
01:15:51.740 | They say, "TransUnion."
01:15:52.820 | You call TransUnion, say, "Hey, lift my freeze for 24 hours."
01:15:56.580 | They run your credit, and then that freeze is back in place.
01:15:59.960 | This will also stop you completely from getting pre-approved credit card offers because those
01:16:05.800 | credit companies can't do soft pulls on your credit.
01:16:09.240 | It protects your address because no automatically generated mail like that, junk mail, like
01:16:16.960 | those pre-approved offers are automatically being sent to your house because they can't
01:16:20.240 | see your credit report.
01:16:21.280 | They can't get your address from that.
01:16:22.840 | It has a million benefits.
01:16:24.720 | It's really easy to implement.
01:16:26.480 | And this is probably the best security you can do on your line of credit.
01:16:32.680 | This doesn't protect existing accounts.
01:16:34.240 | If you lose your credit card, obviously that card can still be used until you report it
01:16:38.920 | and it's locked down by the bank.
01:16:42.080 | But this is the way it should be, in my opinion.
01:16:45.480 | I don't know why this is not the default, but you have to take action.
01:16:50.960 | If you're the average person and not like me, whose bank thinks that I'm dead and all
01:16:55.520 | this other problems that I have now, this might take you 10 minutes per credit reporting
01:17:01.480 | agency.
01:17:02.480 | Just don't lose that eight digit code and your credit is extremely well protected for
01:17:07.760 | a very long time.
01:17:08.760 | If there's one thing you take out of the show that's beyond the password two factor stuff,
01:17:12.560 | it is this.
01:17:13.960 | The next thing that I'm a strong proponent of is stop giving the bank information about
01:17:19.040 | where you shop, where you eat, where you stop for coffee, how you spend your money, all
01:17:24.600 | the elective places your money goes.
01:17:26.720 | I do that through a multi-pronged approach.
01:17:32.240 | First and foremost, I use cash.
01:17:33.840 | I take $300, $400 out at the beginning of the week and that's how I purchase my fuel.
01:17:38.600 | That's how I pay for coffee.
01:17:40.480 | That's how I pay for lunch.
01:17:41.480 | That's how I buy things when I go to the grocery store or to whatever store I'm buying things
01:17:46.480 | from.
01:17:47.480 | I've told this story before and it's on my blog and it's probably talked about it on
01:17:51.680 | the podcast.
01:17:52.680 | When I applied for my first home loan, I had to give them three months of statements from
01:17:57.360 | every credit and bank account that I had.
01:18:00.400 | I was really shocked to find that if you looked at this, it spelled out, you could pretty
01:18:04.560 | much figure out where I live and where I work based on where I stop for gas and where I
01:18:07.640 | get coffee every morning and the restaurants that I routinely go to lunch at and the restaurants
01:18:12.800 | that I routinely go to dinner at and the special interests I have based on the stores and activities
01:18:20.800 | that I spend money on.
01:18:23.000 | This was really shocking to me and I decided then and there, I'm never going to give the
01:18:26.760 | bank that level of insight into my life again.
01:18:29.840 | That was a strong motivator to start using cash.
01:18:33.320 | The other thing that I recommend is a service called privacy.com.
01:18:38.800 | If you've listened to the show, you're familiar with this.
01:18:41.360 | We interviewed the CEO.
01:18:42.960 | You set up an account, you give it access to your bank account and then if I need to
01:18:46.960 | make an online purchase, obviously I can't use cash.
01:18:49.940 | What I do is I log into privacy.com and I tell privacy, "Hey, I'm getting ready to set
01:18:54.920 | up an amazon.com account or I'm getting ready to make a purchase through, I'm getting ready
01:19:00.600 | to set up my bill pay for my electric company.
01:19:04.240 | Give me a unique credit card number to use to pay my electricity bill.
01:19:09.360 | Give me a unique credit card number for this Amazon account."
01:19:12.000 | It creates a credit card complete with a credit card number, an expiration date and a CCV
01:19:21.980 | code.
01:19:22.980 | I can set up all these other factors.
01:19:26.020 | They're all set up as single merchant cards.
01:19:28.700 | My electric company is the only merchant that can bill to that card.
01:19:34.060 | If they lose that credit card number, it's worthless to everybody else.
01:19:37.500 | I can also set a limit.
01:19:40.660 | Let's say my electric bill is $150 a month.
01:19:44.220 | I set that firm limit at let's say $160 just in case and they can never draw more than
01:19:52.060 | $160 per month from that account.
01:19:57.220 | Let's say they do have a breach and that number is stolen, I can go in and delete that card,
01:20:01.140 | make a new one, give the electric company a new card and now they can run on that.
01:20:06.420 | If this is a one-off website where I'm going to make one purchase one time ever in my life,
01:20:11.740 | I can also make that a, they call it a burner card.
01:20:14.860 | So once that one transaction is made, that card is worthless from then on out.
01:20:19.180 | I don't have to worry about canceling it.
01:20:20.740 | It's already canceled.
01:20:22.500 | This is a really strong service and it does a couple things.
01:20:25.620 | It takes the bank out of the loop because all these charges, they just see it being
01:20:30.140 | billed to privacy.com.
01:20:31.700 | They don't see that going out to Amazon or Best Buy.com or any of these other services.
01:20:36.820 | They just see a charge to privacy.com.
01:20:41.420 | All these merchants that I'm buying from also don't see my name because I can give it any
01:20:45.220 | name, any shipping address and any billing address that I choose.
01:20:49.100 | So if this is, let's say I'm signing up with an online dating site or something that maybe
01:20:53.300 | I'm not super proud of, I can give it any name I want, give it any address I want.
01:20:57.740 | It doesn't tie back to me.
01:20:59.260 | So if that's breached, I'm not really that worried about it because it doesn't come back
01:21:03.180 | to me.
01:21:04.180 | You'd have to know what name and address I'd given it.
01:21:07.780 | So this protects me in a bunch of different ways.
01:21:10.060 | And like I said, if any of these services spill their data, I don't really care because
01:21:14.060 | I just cancel that card, make a new one and I haven't lost anything.
01:21:19.060 | This takes my risk from account takeover or data breaches down to virtually nothing as
01:21:27.940 | far as financial concerns go.
01:21:30.100 | I love privacy.com.
01:21:33.100 | I use it for everything.
01:21:34.700 | Any purchase I make online, I have all my auto bill pay things set up to privacy.com.
01:21:40.540 | All my online purchases, I don't ever give out my real credit card number anymore.
01:21:45.300 | And one of my favorite things, you did a great job describing the features.
01:21:48.940 | One of my favorite just philosophical aspects is it puts the user back in control.
01:21:55.740 | I don't like auto billing.
01:21:58.060 | I've faced major financial problems in the past because my appetite exceeded my income
01:22:03.980 | and I would sign up for auto billing on this and that and the other thing.
01:22:07.740 | Unfortunately, in today's world, I work with many merchants who just will not send me a
01:22:13.980 | paper bill and will not send me a, you know, they just won't do it.
01:22:18.860 | I can't send them a check.
01:22:20.380 | I can't send them something.
01:22:21.460 | They require an auto bill pay.
01:22:24.220 | Now, 99.999% of the time, that's fine.
01:22:28.580 | We have an amicable working relationship.
01:22:30.860 | Everything works fine.
01:22:32.920 | But still, they're in control.
01:22:34.900 | They're in the billing.
01:22:36.200 | And if I need to change something or if I get into a dispute with them, that could mess
01:22:40.360 | up many accounts if I need to change card numbers and things like that.
01:22:44.700 | Privacy.com is wonderful because it puts me back in control.
01:22:47.900 | And I can set up a different card with every biller and in a voluntary win-win, voluntary
01:22:53.900 | transaction where we're working on agreed terms.
01:22:57.300 | I can pay them.
01:22:58.300 | They receive their money.
01:22:59.300 | We're all happy.
01:23:00.380 | In a combative, hostile situation where we've reached a problem, I'm in control just like
01:23:05.640 | I used to be with my choice to send a check or not for payment.
01:23:09.860 | And that to me is how it should be.
01:23:11.380 | The consumer is always in charge and the consumer should have control over the billing, not
01:23:17.620 | the vendor.
01:23:18.620 | Absolutely.
01:23:19.620 | No question about it.
01:23:21.900 | And privacy.com is kind of founded on a little bit of an ideological mindset.
01:23:27.940 | And the one thing I will warn listeners of is if you sign up for this, you have to give
01:23:32.940 | your bank username and password to privacy.com.
01:23:35.780 | And that's scary for a lot of people.
01:23:38.700 | Absolutely understandable.
01:23:40.100 | Even I was nervous about it.
01:23:41.860 | But like I said, I've spent an hour and a half on the phone with the CEO.
01:23:47.900 | Michael and I interviewed him on the podcast.
01:23:50.100 | I have a really good feeling about where they're coming from.
01:23:53.340 | Their privacy policy is clearly spelled out.
01:23:55.920 | And just one thing to note, the way privacy.com is structured, they are essentially a bank.
01:24:01.500 | So you're protected by all the laws that govern banking and how that information is handled.
01:24:09.620 | And I think they're probably actually doing a much better job at security than most banks.
01:24:15.140 | Justin, did you know, I recently was on a phone call with a coaching client of mine
01:24:18.300 | and they told me that Citibank offers this service, that they offer one-time burner numbers
01:24:25.140 | for online transactions.
01:24:27.020 | Were you aware of that?
01:24:28.300 | I wasn't aware of Citibank specifically.
01:24:30.940 | I know that there are a few banks that will do this.
01:24:34.740 | Do you have it?
01:24:35.740 | Have you used this?
01:24:36.740 | Do you have any experience with it?
01:24:37.740 | I have not.
01:24:39.740 | Again, back to my book outline, I need to research other banks that did.
01:24:42.060 | I was not aware that this was being marketed nor used outside of the privacy.com, SudoPay,
01:24:47.260 | etc.
01:24:49.340 | Blur, other services like that.
01:24:50.700 | I knew about those services, but I didn't know that the mainstream credit card companies
01:24:54.380 | were starting to offer this service.
01:24:56.780 | So for the Complete Privacy and Security Desk Reference, Michael and I had this idea that
01:25:01.980 | we were going to set up accounts with all these different banks to see what features
01:25:05.100 | they had.
01:25:06.100 | And we were kind of aware of that one.
01:25:08.420 | But with our credit lockdown the way it is and with my address history as sketchy as
01:25:14.940 | it is, I found very quickly it's really hard for me to open up additional bank accounts.
01:25:20.180 | So we backed off that.
01:25:21.700 | But if anyone has used this in practice, you would be teaching me something.
01:25:26.780 | I'd be really curious to know how that works in practice.
01:25:29.180 | Email Justin through the, your website is yourultimatesecurity.guide, right?
01:25:33.780 | Yes, that's correct.
01:25:34.780 | Okay, so email Justin through his contact form and let him know.
01:25:37.820 | And send it to me as well.
01:25:39.060 | Justin, I'm going to test you.
01:25:40.660 | I'm interested to know.
01:25:42.940 | If you wanted, if you had to set up privacy.com as anonymously as possible, just a mental
01:25:52.660 | exercise, knowing that you were going to give banking information to them, and I consider
01:25:57.100 | this to be back to threat model, an unreasonable threat model.
01:26:01.380 | This is where you're in the criminal world or you're accused of something.
01:26:04.100 | How would you do it?
01:26:07.700 | This is tough because privacy.com is accountable to KYC laws, know your customer laws, which
01:26:14.380 | requires that they verify identity.
01:26:16.900 | But the way I might do this is set up an LLC, open up a bank account for that LLC, which
01:26:25.520 | again, we run into the problem of I would have to give my social security number to
01:26:30.340 | get the bank account, but that would create one additional layer.
01:26:34.260 | And then I would try to only give privacy.com the EIN for that business that I had set up.
01:26:42.620 | And I don't know if that would work or not, but it might be worth a try.
01:26:47.380 | All right.
01:26:48.380 | The only other idea I had was this would be where you would use a nominee.
01:26:52.580 | This would be where you would have to find somebody that you could trust, that you could
01:26:56.740 | work with, and that way you have the account disconnected from you and your actual identity.
01:27:02.700 | And once it's verified, it might be possible to use that.
01:27:07.660 | Sorry, I always enjoy thinking about these scenarios and thinking, okay, in the most
01:27:11.380 | hardcore scenario, how do you figure it out?
01:27:14.060 | What's the solution?
01:27:15.060 | I love the mental game of it.
01:27:17.060 | And that might be a great place to use a nominee, say, "Hey, here's a hundred bucks.
01:27:21.780 | Set up this account and then hand it over to me because you can change the password
01:27:27.300 | and you can put two factor on it," which would essentially block that person out.
01:27:31.340 | And if they're like most people, they will probably forget about it in six months and
01:27:37.740 | never even remember doing that.
01:27:39.380 | But I would always have that concern that that person would get greedy and call privacy.com
01:27:45.780 | and say, "Hey, someone's using my name.
01:27:47.300 | This is actually my account."
01:27:48.620 | And I would run into issues that way.
01:27:52.820 | Far-fetched, maybe.
01:27:54.380 | I don't know.
01:27:55.380 | What was the quote that's attributed to Ben Franklin?
01:27:57.380 | "Three can keep a secret if two are dead."
01:28:01.500 | That's always how it is.
01:28:04.100 | And that's why crime doesn't pay.
01:28:05.820 | That's where all these things, it's always going to be somebody usually who exposes something.
01:28:12.660 | And I do want to make clear that nothing in our book, like both Michael and I are closely
01:28:17.180 | affiliated with the US government.
01:28:18.540 | We don't advocate this for any type of criminal activity.
01:28:21.340 | And I know that you don't either.
01:28:24.020 | But we do enjoy some thought experiments from time to time.
01:28:28.300 | Exactly.
01:28:29.300 | Point well taken.
01:28:30.300 | It's just fun to sit down and think about it sometimes.
01:28:32.420 | It is, yeah.
01:28:33.420 | I'm so glad you went through that.
01:28:34.820 | Last question I would ask you.
01:28:36.100 | I mentioned a couple of the other services, the other two competitors, and maybe there
01:28:40.460 | are more as well.
01:28:41.460 | And I'd love to see more come on the market.
01:28:42.740 | But privacy, I think, is fantastic.
01:28:46.980 | There's also SudoPay, which is an app on the phone, and Blur, which is from the company
01:28:53.940 | Abine.
01:28:54.940 | Is that how you say their name?
01:28:55.940 | Abine, Abine, yeah.
01:28:56.940 | Yeah, something like that.
01:28:58.700 | So how do you mention those services as well in case people would like some options and
01:29:02.660 | compare and contrast them, please?
01:29:04.580 | Okay, sure.
01:29:05.580 | So SudoPay is an iOS app.
01:29:08.820 | And I'll circle back around to this one at the end because their Sudo app is really
01:29:13.340 | fantastic as well.
01:29:16.220 | SudoPay does not require any money to set up an account.
01:29:19.260 | You install the app, set up your account, and it draws funds from your Apple Pay account.
01:29:25.100 | And much like privacy, it will make one-time use credit cards.
01:29:28.460 | And your charges, credit cards and debit cards, are two completely different things
01:29:33.220 | in the banking world, I've learned, and you are charged a small fee for each one of these
01:29:39.020 | you make, and it's based on a percentage of how much money is on the credit card.
01:29:42.460 | But I really do like this because of the convenience of, as an example, I visited New York City
01:29:49.260 | this summer.
01:29:51.060 | And kind of at the spur of the moment, we decided to go to the Top of the Rock, which
01:29:55.220 | you have to buy tickets online.
01:29:57.540 | And obviously, I wasn't at my computer.
01:29:59.940 | We were already downtown.
01:30:01.660 | And I just pulled out my phone, opened up SudoPay, and created a credit card.
01:30:07.020 | And I had a card right there to pay for those tickets online.
01:30:11.700 | Really, really convenient.
01:30:12.700 | It's another option in the toolbox.
01:30:15.260 | Blur is the other one.
01:30:16.260 | It requires that you set up an account.
01:30:18.180 | And currently, right now, they are offering lifetime accounts for $119.
01:30:23.940 | Blur lets you set up one-time credit cards.
01:30:26.340 | Also, there's also a small fee for each one that you set up.
01:30:29.860 | Blur also has a ton of other features.
01:30:32.180 | It gives you a masked phone number, which will forward calls and texts to your real
01:30:35.940 | phone number if you so choose.
01:30:37.820 | It also has masked email addresses, which I use every single day.
01:30:42.500 | And I use these to set up unique usernames on accounts that require an email address.
01:30:47.480 | And they all forward into my regular ProtonMail inbox.
01:30:51.900 | I set up ProtonMail as the account that those go to.
01:30:55.360 | And then I give out these.
01:30:56.540 | I make unique email addresses for absolutely everything through Blur.
01:31:01.580 | Give those out, and they're forwarded right into my regular inbox.
01:31:04.940 | Super easy.
01:31:05.940 | So, that's also another option.
01:31:08.100 | And then I mentioned I would come back to SudoPay.
01:31:12.240 | Their Sudo app...
01:31:13.240 | By the way, Sudo is S-U-D-O, not P-S-E-U-D-O.
01:31:17.060 | S-U-D-O, SudoPay.
01:31:19.740 | Good call.
01:31:20.740 | But the Sudo app...
01:31:23.460 | Man, this thing is a game changer for me.
01:31:26.100 | It gives you nine Sudos, again, S-U-D-O, but nine Sudo identities, each with its
01:31:32.580 | own email address and phone number.
01:31:34.540 | So, you have nine phone numbers that will forward to your phone.
01:31:39.140 | And man, I can't recommend this strongly enough, because here's how I kind of use that.
01:31:43.500 | I have one that is for my financial stuff.
01:31:45.740 | It's for my bank account, my Coinbase account, any kind of accounts that deal with money
01:31:51.220 | that would cost me money financially if those accounts are breached.
01:31:56.460 | And there's a reason I do that.
01:31:57.840 | If you breach my Facebook account, which I don't have Facebook, but I realize most people
01:32:01.500 | do, if you breach my Facebook account, you're going to have my phone number, which means
01:32:05.580 | you're probably going to have the phone number that I verify my bank transactions with.
01:32:09.780 | So I can just take that completely out of the loop, put those bank accounts on their
01:32:13.740 | own phone number.
01:32:14.740 | That's the only people that get that number.
01:32:16.580 | Then I can have another number just for those two-factor authentication codes with my accounts,
01:32:22.900 | my online accounts that send SMS messages.
01:32:24.980 | So yeah, you can hack my cell phone account.
01:32:27.740 | It doesn't really matter, because those go to a Sudo number.
01:32:29.980 | And this just gives you, man, I can't overstate the flexibility of having these different
01:32:36.460 | phone numbers, because your phone number these days is literally more valuable than a social
01:32:42.580 | security number as far as your identity goes, because we use it to set up all our online
01:32:47.580 | accounts and we use it for verification and all these other things.
01:32:50.780 | If I have your phone number, man, I know a lot of information about you.
01:32:55.700 | It's huge, and I can't add any more.
01:33:01.260 | If people – I'm thinking about resources to share with the audience as far as people
01:33:05.700 | who are new to the subject and some of the news reports that have been done, some of
01:33:09.700 | the just different information.
01:33:11.540 | But the phone number is hugely – I have learned and been remiss in the past about
01:33:17.380 | how important that little piece of data is.
01:33:20.260 | And it's important.
01:33:24.980 | And just little things.
01:33:26.500 | So you can use – I recommend it to people to start with some simple things like Craigslist
01:33:32.900 | transactions.
01:33:33.900 | I recently sold my motorhome on Craigslist.
01:33:38.580 | And the transaction – I thought everything went great.
01:33:41.100 | Then all of a sudden, everything went bad.
01:33:43.540 | And it exposed me afresh.
01:33:45.060 | I ended up having to call the police when interacting with the buyer on my transaction.
01:33:51.580 | And so I started asking him about Craigslist fraud.
01:33:53.860 | And he started telling me stories about – the police officer started telling me stories
01:33:57.140 | about different – just different times of Craigslist fraud and crimes that have been
01:34:04.100 | committed and different things.
01:34:06.020 | And just a simple step of using an additional phone number – and there are others.
01:34:11.100 | There are burner apps in the app store, et cetera.
01:34:14.380 | Sudo is really beautiful because it integrates phone calls, texting, and email all in one
01:34:19.140 | place.
01:34:20.700 | But using something like an additional outside number and then taking just a simple set of
01:34:25.100 | – simple step of meeting in a third-party location, et cetera, for safety is more important
01:34:34.020 | than I ever thought it was.
01:34:35.580 | And especially when you start layering on – I mean I have the unique advantage of
01:34:39.180 | being six and a half feet tall and over 300 pounds.
01:34:43.540 | So I'm not the most necessarily attractive rape target.
01:34:47.260 | But for a young lady or for a young woman especially who faces danger there with giving
01:34:52.940 | out a phone number, it provides an additional very important layer of privacy and protection.
01:34:58.540 | So my daughter is too young at this point to thankfully need to be concerned about that.
01:35:03.660 | But I think that's very important for parents to be educated – kids probably already know.
01:35:08.340 | But parents to be educating and encouraging people to protect themselves.
01:35:12.540 | It's very important.
01:35:13.540 | And I'm sure most people won't do it this way, but I don't even know the actual phone
01:35:18.740 | number that's on my phone because all I use are Sudo numbers.
01:35:21.580 | I have one that's for friends and family, one that's for, like I said, finances, one
01:35:24.860 | that's for online purchases.
01:35:27.300 | And I've seen time and time and time again cell phone companies breached.
01:35:34.500 | And these can be small things like a social engineer calling in to get into my account.
01:35:39.900 | Or it can be big things like T-Mobile dumping millions of records.
01:35:45.180 | And I just don't want that information out there.
01:35:47.740 | And I guess what I would challenge most people to do is download the app and start moving
01:35:51.540 | some of your important stuff over to Sudo.
01:35:53.940 | And again, like Authy, there's also the option to set up a backup, a backup username and
01:35:59.820 | password.
01:36:00.820 | So if you do lose your phone, you can install Sudo on your new phone, log in with that
01:36:05.860 | username and password, and you don't lose all those phone numbers.
01:36:09.380 | That was the thing I was worried about when this initially came out.
01:36:11.540 | I didn't want to run the risk of setting up all my numbers on Sudo and then having a
01:36:17.940 | catastrophic failure and being, you know, all of a sudden not having access to any of
01:36:22.140 | my numbers.
01:36:23.140 | But so all of the stuff you should be making good backups of.
01:36:27.140 | And like most things, it's a skill set.
01:36:29.500 | Using these things, learning how they work, it's a skill set.
01:36:32.580 | But you know, as we kind of start to wrap up here, Justin, when it comes to privacy/security,
01:36:39.660 | which obviously they go together, it seems to me that we in some ways have a double-edged
01:36:44.980 | – the sword cuts both ways.
01:36:49.180 | In some ways, it's harder today than it's ever been to maintain privacy and security.
01:36:55.780 | I mean the Know Your Customer laws in the wake of the Patriot Act just destroyed so
01:37:04.980 | much ability to bank and to engage in any kind of private financial transactions.
01:37:11.620 | It turned the financial world upside down.
01:37:14.100 | The ability to travel privately was just turned upside down.
01:37:17.220 | I have real concerns about the things like the Real ID – what's the word for it?
01:37:26.420 | Yeah, initiatives.
01:37:27.420 | The Real ID initiatives all across the country.
01:37:30.900 | So in many ways, the noose has tightened in ways that would be inconceivable.
01:37:38.220 | Just the existence of a passport, the fact that you have to have a passport to go across
01:37:42.880 | and travel across land is in my mind utterly indefensible.
01:37:48.860 | Now that I don't know – I know of almost nobody who would believe that.
01:37:52.900 | In today's world, you have the majority of people who want to put up a massive wall
01:37:55.980 | across every border and say no and control the movement of each and every person.
01:38:00.620 | So philosophically, that's a huge philosophical thing.
01:38:02.940 | But for many years, you didn't need a passport.
01:38:05.460 | You didn't need papers.
01:38:06.460 | And so it's very easy to draw the conclusion that the classic line of "your papers please"
01:38:15.400 | is something that most of us here are so accustomed and trained to hear as normal that we don't
01:38:21.800 | even think about it.
01:38:22.980 | So the sword cuts against it.
01:38:24.680 | It's harder than it's ever been.
01:38:27.560 | On the flip side, we haven't talked about cryptocurrency.
01:38:30.420 | You mentioned Coinbase.
01:38:31.420 | Obviously, that's a cryptocurrency.
01:38:33.560 | We haven't talked about – I mean we're missing a dozen things that we could list.
01:38:39.000 | But when you have all of these apps and you look at it in a different way, Sudo is a
01:38:43.640 | game changer.
01:38:44.680 | All of these things, encrypted messaging apps, all of these things are complete game changers.
01:38:49.000 | And so on the flip side, I look at it and say in many ways, it's easier than it's
01:38:53.960 | ever been to live privately, communicate privately, maintain a greater sense of security.
01:39:03.100 | So it seems like we live in this very challenging and strange world where the sword cuts both
01:39:08.280 | ways.
01:39:09.280 | It is an uphill battle.
01:39:13.720 | And we have all these tools that make it easier.
01:39:18.320 | Like you said, we're totally habituated to just give out the data when we're asked.
01:39:23.320 | And there's – I mean we could go into a huge philosophical thing about this.
01:39:28.880 | But we are very – that is the default mode and the default mentality and the default
01:39:35.680 | way we do business is just to give out what we're asked for.
01:39:40.160 | And living differently, living privately is a deliberate effort.
01:39:45.720 | It's not as simple as download – get a privacy.com account and a Sudo account and
01:39:51.640 | all of a sudden you're private.
01:39:53.320 | It is a very deliberate decision.
01:39:54.720 | It requires behavioral modifications which quite honestly I think are much more important
01:40:00.520 | than the technology.
01:40:01.520 | The technology helps.
01:40:02.520 | It supports that.
01:40:04.160 | But this does – you've several times said it's a skill set that you have to practice.
01:40:08.720 | And that's absolutely right.
01:40:10.200 | It is something that you have to do.
01:40:12.360 | And I'm constantly telling military students, implement this into your daily life.
01:40:17.440 | Don't wait until eight months from now when you're about to deploy to all of a sudden
01:40:23.000 | set all this up on the laptop and the phone that you're deploying with.
01:40:27.320 | Start living this from day to day and it's second nature when you get there.
01:40:31.000 | And kind of the same thing applies in the – just in the citizen, the private citizen
01:40:36.680 | space.
01:40:37.680 | This is a – to greater or lesser extent a bit of a lifestyle.
01:40:42.120 | And you can make it kind of the focal point of your lifestyle like Michael and I have.
01:40:46.680 | Or it can be one of the many things.
01:40:49.640 | Everyone is a multifaceted individual and it can take greater or lesser prominence in
01:40:54.000 | your life.
01:40:55.000 | But it does require that you think about it.
01:40:56.760 | It's not as simple as setting up an account, downloading an app and boom, you're private.
01:41:00.920 | Absolutely.
01:41:01.920 | And we could – Michael and I spend an hour every week talking about this.
01:41:08.880 | So I feel like there's a ton we're leaving out.
01:41:12.920 | Just looking here at my notes.
01:41:13.920 | We're at an hour and 40 minutes and I'm looking at my notes thinking about – we didn't cover
01:41:17.680 | – just even financially.
01:41:19.120 | We didn't cover cryptocurrencies.
01:41:20.120 | We didn't cover prepaid debit cards.
01:41:24.000 | We didn't cover money orders.
01:41:25.120 | We didn't cover almost all of these other tools that could be used.
01:41:29.280 | But I think we're at a point where it's a good wrap-up point.
01:41:38.200 | Just looking at my notes here.
01:41:40.600 | We also didn't cover data security.
01:41:44.400 | And you know what, Mike?
01:41:45.400 | I might actually like to have you back on.
01:41:46.720 | I'm very much looking forward to your volume two of the Complete Privacy and Security Desk
01:41:52.800 | Reference which, as I understand it, is going to be related to physical security because
01:41:58.880 | I've come to learn from reading your blog that you're a bit of a security nerd, especially
01:42:04.640 | with weird things like locks.
01:42:07.360 | So I'm excited because it seems like you're more excited about locks sometimes than you
01:42:11.680 | are about full disk encryption.
01:42:14.480 | Yeah, and a little bit that's a product of when my head is in encrypted apps and encrypting
01:42:22.640 | messengers and encryption protocols and all this all the time.
01:42:25.800 | It's nice to have some grounding in the physical world and do something a little different and
01:42:30.320 | kind of fun.
01:42:31.480 | And part of that comes from a significant portion of my background that I can't go into
01:42:39.080 | in too much detail.
01:42:40.080 | But I have a lot of familiarity with locks and how they're defeated.
01:42:43.840 | So it does get me excited to run across some super rare, obscure, high security lock in
01:42:51.000 | Seattle or New York or wherever.
01:42:55.320 | So maybe in the future, let's line it up with your Put Me on Your Book promotion tour when
01:43:00.100 | you launch volume two.
01:43:02.220 | Let's have you back to talk about physical security because I've learned all kinds of
01:43:05.400 | other interesting things.
01:43:06.720 | You've almost convinced me to start flying with a firearm based upon your blog post about
01:43:14.840 | that.
01:43:15.840 | That's an interesting context.
01:43:16.840 | Obviously, sometimes it adds more hassle, but you go ahead and just describe the outline
01:43:21.360 | of that.
01:43:22.360 | I thought that was such an interesting idea from a physical security perspective that
01:43:25.040 | you seem to many times choose to travel with a firearm so that you can maintain security
01:43:29.720 | over your baggage.
01:43:30.720 | Yeah, traveling with a firearm.
01:43:32.960 | If there's a firearm in your baggage and there's a little bit of nuance, maybe misunderstanding
01:43:40.800 | about this, but you can travel with a firearm in your checked luggage, provided that you
01:43:45.920 | meet a few criteria.
01:43:46.920 | It has to be in a hard case.
01:43:49.040 | It has to be unloaded.
01:43:51.200 | You may have to demonstrate that it's unloaded to the airline agent or the TSA agent or both
01:43:55.960 | sometimes.
01:43:57.760 | But what this does is it lets you lock your luggage up.
01:44:00.240 | So if you have a hard sided suitcase that will take a padlock, you can throw a padlock
01:44:03.800 | on there.
01:44:04.800 | And per the letter of law, it cannot be a TSA approved padlock.
01:44:08.780 | So you can use a very good, very high quality lock.
01:44:12.440 | And I do this because I frequently travel with things like 12 iPhones.
01:44:17.180 | If I'm going to a class where the students have specifically asked and purchased iPhones
01:44:22.680 | and want instruction on those phones, I don't want the opportunity for a TSA agent to open
01:44:27.800 | my bag up, say, "Hey, there's a ton of iPhones in here.
01:44:30.200 | He's probably not going to miss one," and throw one in their lunchbox.
01:44:35.320 | So if you don't own firearms or you're uncomfortable with firearms, but you're still interested
01:44:40.040 | in this, you can travel with a couple of other items that will let you lock your suitcase
01:44:45.040 | because they're legally considered firearms, like flare guns, which you can purchase very
01:44:49.440 | inexpensively or blank firing starter pistols, which will not fire real ammunition, but they're
01:44:55.240 | still treated as firearms by the airlines and by the Transportation Security Administration.
01:45:00.720 | So I'm excited that at least one person has actually read those blog posts.
01:45:07.720 | Yeah, I love those little ideas because, again, back to the way, okay, you can travel with
01:45:13.400 | a flare gun and you check the local restriction.
01:45:17.280 | Perhaps you might not want to carry a .357 in the local area based upon local firearms
01:45:22.400 | laws, but you can do something.
01:45:25.200 | And just the ability to know how to secure your luggage when traveling brings back a
01:45:29.360 | little bit more control to somebody.
01:45:31.720 | Now, most of the time I don't travel with 12 iPhones, and my philosophy is there are
01:45:36.800 | two kinds of luggage.
01:45:38.960 | There's carry-on and lost, but there's a place where you need to check a bag, and so it's
01:45:45.120 | really useful.
01:45:46.120 | So I'd love to have you back on when you publish volume two of the Security and Desk Reference.
01:45:51.320 | I'll give my two just wrap-up points, and Justin, I'll give you the last word.
01:45:55.400 | And also make sure you go down the listings of your sites, your podcasts, and all of your
01:46:00.400 | materials to promote.
01:46:01.920 | And I'll give a wholehearted, unqualified endorsement of the power of your book, The
01:46:06.720 | Complete Privacy and Security Desk Reference.
01:46:08.400 | I think it's about $40, but a $40 book, well spent.
01:46:12.120 | I was so impressed with it.
01:46:14.560 | But philosophically, we've covered a lot of things, and my closing commentary would be
01:46:20.120 | it's important to start building the skill set and thinking about it.
01:46:24.880 | And there are two very important reasons why.
01:46:28.560 | Number one, you don't know in advance what circumstance you might face in the future
01:46:35.120 | due to no fault of your own.
01:46:36.880 | Recently on Radical Personal Finance, I've released various episodes on law enforcement,
01:46:39.840 | how to interact with law enforcement agents, and how to protect yourself.
01:46:44.140 | Every day I see news stories, and every single day the control and the ability of all the
01:46:49.400 | financial information becomes much, much more significant.
01:46:54.360 | And you can't protect it after the fact.
01:46:57.160 | Just last week, there was a horrifying story about a student who was arraigned, indicted
01:47:04.680 | for murder or for manslaughter at the very least in association with just awful fraternity
01:47:11.060 | hazing incident.
01:47:12.400 | And I was interested to read as part of the court proceedings that part of the evidence
01:47:16.180 | that the grand jury considered in bringing the charges against him was the fact that
01:47:21.680 | he had, number one, had there been communication between him and some of the other people,
01:47:28.480 | some of the other fraternity members involved about the situation, and number two, that
01:47:35.040 | he had his Google searches, Google searches on what to do with alcohol poisoning.
01:47:39.440 | Well, those material pieces of evidence were brought against him in terms of the bringing
01:47:43.240 | of the charges.
01:47:44.240 | Now, what they did was horrible, and all of us want to live in a well-ordered society
01:47:48.640 | in which people are held accountable for their crimes.
01:47:51.880 | But which leads me to the second point, you can't always know in advance what's actually
01:47:55.560 | going to be a crime, and laws change.
01:47:58.900 | Number one, there are plenty of laws out there, and there are plenty of agents who are trying
01:48:02.520 | – I use the term agents to mean just people, not government agents, but there are people
01:48:07.080 | who are seeking to target you.
01:48:08.680 | And you can't know in advance what the laws are going to be 20 years from now.
01:48:12.760 | But what you do today is going to have an aspect on it.
01:48:15.760 | So whether it's the most simple, common advice as what you put on Facebook is going to be
01:48:20.200 | seen by a future potential employer, or it's the fact that every single one of your Google
01:48:24.360 | searches is going to be saved and can be brought against you in a grand jury investigation,
01:48:29.160 | you've got to take steps in advance before you ever need it, because if you ever need
01:48:33.080 | it, it's too late.
01:48:34.360 | So Justin, finish us up with closing thoughts and walk through your resources, please.
01:48:39.320 | Absolutely.
01:48:40.360 | There are 27,000 pages of federal laws and an estimated another 100,000 pages of federal
01:48:48.640 | civil statutes.
01:48:50.720 | And a lot of times we're breaking a law and don't even know it.
01:48:53.820 | And a lot of these laws are enforced with a great deal of discretion.
01:48:57.040 | So like you said, a lot of people are like, "Oh, I'm never going to be in that situation."
01:49:01.880 | But the fact is, you don't know.
01:49:04.280 | And when you find yourself in that situation, if you find yourself in that situation, it's
01:49:09.200 | too late to go back and do this legwork.
01:49:11.040 | You have to do it now.
01:49:12.840 | Excuse me, you have to do it now.
01:49:16.040 | So you can find out more about me on yourultimatesecurity.guide.
01:49:20.200 | My blog is contained there.
01:49:22.240 | The book is The Complete Privacy and Security Desk Reference, Volume 1, Digital.
01:49:27.740 | That's by me and Michael Bazzell.
01:49:30.180 | If you want to check out Michael's site, it is privacy-training.com.
01:49:35.760 | And of course, you can download our podcast, The Complete Privacy and Security Podcast,
01:49:40.520 | wherever you get your podcasts.
01:49:42.840 | Josh, Joshua, thank you so much for being so generous with your time.
01:49:47.720 | This was truly a pleasure.
01:49:49.080 | And I will definitely look forward to being back on once Volume 2 is out.
01:49:54.040 | Absolutely.
01:49:55.040 | Thanks for coming on.
01:49:57.040 | Thank you.
01:49:58.080 | This show is part of the Radical Life Media Network of podcasts and resources.
01:50:03.720 | Find out more at radicallifemedia.com.