- Welcome to Radical Personal Finance, the show dedicated to providing you with the knowledge, skills, insight, and encouragement you need to live a rich and meaningful life now while building a plan for financial freedom in 10 years or less. My name is Joshua, and today I'm thrilled to have a guest named Justin Carroll.
Justin is the author of various books on privacy and security, the co-author of an excellent book called "The Complete Privacy and Security Desk Reference," and also the co-host of "The Complete Privacy and Security Podcast." Justin, welcome to Radical Personal Finance. - Joshua, thank you so much for having me on.
It's great to be here. - Really glad to have you here. I was introduced to your work by a listener of mine, and privacy, especially financial privacy, has long been an interest of mine, but I've often found that the information in the space was either very cursory or not particularly up-to-date.
And when I found the work that you and your business partner, Mike Urbano, are making, I was deeply impressed, and I've become a big fan of yours in the meantime. So in today's show, I want to outline and really just give you the floor to talk about privacy and security.
Before I give you the microphone, I want to just lay the foundation that I see and why this is so important in the context of personal finance. In finance, there are a few different aspects wherein the discussion of financial privacy makes a big, big impact, especially in the areas of asset protection, especially in the areas of business and the ability to protect yourself from potential harm.
And one of the major concerns that I have is that in general, people don't think about these things in advance. They usually only start thinking about things when they get a call from the lawyer, or they start thinking about them when all of a sudden the police have shown up on the front door asking questions, et cetera.
And so I believe that it's part of prudent planning to put in place some good safeguards with regard to your own financial privacy and security. So kick us off, tell us about your background and how you first started to become interested in the topic of privacy and security. - Well, I initially became interested, I come from a military background, and after I got out of the military, I spent several years going overseas as a contractor with another government agency.
And I realized pretty quickly that privacy was kind of important. I had to give out my name and home address and next of kin information on various visa applications to countries that maybe aren't necessarily friendly to the US, and that kind of got the gears turning. And then a few years later, I spent about five years teaching a special operations course at one of the special operations courses for the US military.
And SOCOM was kind of grappling, the special operations command was kind of grappling with this issue, this emerging issue of identity management. And I was fortunate enough to be one of the instructors for that and kind of got to develop my own curriculum and that's what really got the ball rolling.
And then I met my partner, Michael Bazzell, who his big specialty is open source intelligence, which is finding everything there is to find about a person online just through really good Google searches and the things you put on Facebook and things like that. And between the two of us, we kind of put our heads together.
He had a big interest in the privacy side as well. And this thing, some would say maybe has gotten a little bit out of control. We're maybe a little bit tinfoil hat and paranoid. But that's kind of what got me started down this road. And it's turned into a big personal interest, big personal hobby, and I'm not saying that everyone has to take it to the level that Michael and I have taken it to, but that's where it came from.
- I used to pull back from talking about things that sounded outlandish and tinfoil hat approach in various subjects, but I've actually come to terms, I've come to peace with it and I've realized this. Almost everybody seems to love watching Jason Bourne movies. And the reason they love it is just because he's such a far out character.
And so there's tremendous value in having people take things to the extreme because I feel it has more of an influence on moving people a little bit than oftentimes people who just do a few things here. It's often fun to have a Jason Bourne character out on the extreme fringe who can be inspiring and kind of brings that sexy side of things to a discussion.
So we're gonna start with mainstream stuff, but I think it's extremely valuable to talk about the far out techniques so that people are aware of them. When you look at financial privacy, how do you factor into your thinking a specific focus of general privacy versus specifically financial privacy? - There's a lot of overlap between the two.
I'm kind of of the school of thought that there is no privacy without security and there is no security without privacy. If you can get into my email account, that's a security issue, right? If I have a poor password and no two-factor authentication in there and you get into my primary Gmail account that holds everything, that's a security breach that's happened, but it affects my privacy deeply because now that you're in there, you have access to all the bank accounts, any financial account or any other kind of account that I've authenticated using that Gmail account as a point of contact for.
So these things all kind of tie together and we talk about the tinfoil hat stuff, but it wouldn't exist without brilliance in the basics, without being very, very good at these baseline level privacy and security things. So I think everyone, whether you intend to take this to the furthest possible extreme or if you just wanna be a little bit more financially secure and financially private, you should consider those baseline level security measures.
And I know our talk is not primarily around security, but I'm a firm believer that you can't have one without the other and you have to take those initial steps. And just generally speaking, the advice I kind of give to everyone, and these are not financial specific, but they do deeply impact financial privacy, is use good passwords.
And to do that, you have to use a password manager. You need to use a different password on every account that you have, and if possible, a different username because that influences your attack surface. If I know your username, I know where to start attacking your account. However, you have set up a completely random username.
I don't even have a good starting point for that. Two-factor authentication is another thing. So the way we implement this, I go to my bank account, I enter my username, I enter my password, I hit Log In, and it presents me with a second screen that says, "Go ahead and enter your two-factor authentication token." And maybe that's an app on my smartphone that displays a code, maybe that's a text message sent to me, or maybe that's something else.
But those are kind of those baseline-level things that I would absolutely recommend doing for every single listener of your podcast or any other podcast, is protect your accounts because that front end really is your biggest attack surface and possibly your weakest-- your biggest potential point of failure. - One of the things I most appreciate about your work is you've given me a vocabulary.
With your personal taxonomy of the realm of privacy and security, I didn't have the vocabulary to apply. And I really appreciate when you use things like attack surface. It's really, really helpful to me to do that and to know that. And just a couple of practical examples, as I understand what you're saying.
When you have the same email address that you use constantly for every account, every social media account, every personal interaction, every business interaction, etc., that email account is prominent and common across basically all over the web. So if there is a data breach from some random company that you do business with, which it's my opinion that in the fullness of time, every company that you do business with will have a data breach, then now that email address is sold on the black market and that email address can be used by somebody and various combinations of it tried.
So if my name is Joshua Sheets and my email address is joshuasheets@gmail.com and then all of a sudden I use Joshua Sheets as my login information, it's not that hard for somebody to start guessing password variations, put a little bit of computer power behind it, and now all of a sudden they may have access to my financial accounts.
- And I'll beat up on banks a little bit here. Banks are not great at these authentication measures. So the bank that I have my corporate account with is I set it up with them kind of out of convenience, and I'm really regretting that decision now because of some of the privacy interventions that I have taken, it's a little bit difficult for me to just jump to another bank, but I'm stuck with a bank that doesn't allow two-factor authentication, that doesn't allow very long passwords.
I think I'm capped at maybe 16 characters, and the character set is kind of limited, and this is kind of endemic with banks. I think some of the banks are doing a good job, banks like Bank of America, Citi, and Chase are doing a reasonably good job, these top-tiered banks, but if any of your listeners are with smaller credit unions or local banks or things of that nature, I would take a long, hard look at the security that is even possible to implement on those accounts before I go any further with that, and would maybe consider, you know, if you don't want to give up that oldest bank account that you have, maybe consider opening an account with a bank that offers some better security, and using that as my primary day-to-day use account rather than continuing on with that bank that doesn't.
- My experience has been that the banks probably aren't paying attention to it because the customers aren't demanding it. Just yesterday I released a show talking about-- the title was "Don't Trust Your Financial Advisor." I released it before recording this, and the point was, I said you can't-- and the point--it was a clickbait title, but basically my point was you can't trust your financial advisor to maintain your privacy, your secrecy, or your security.
And one of my major-- since I come from the world of professional financial advice, I am disheartened to see how insecure customer data is. And it's not because the firm doesn't know that they have a need for it. The firm, on the firm level, doesn't try to put in place things that are available.
But I used to try to communicate with clients via an encrypted email system. And we had a very simple encrypted email system set up that I could use to convey private information to my clients. And I would use it, and we were required to use it, whenever we were transmitting personal information through the encrypted email system.
But most of the clients hated using it because it required one extra step to decrypt the email. And so, of course, to get around it, people are constantly sending unencrypted files, or they just pop it over and send it through their personal Yahoo account right there to get it to the client, and the clients didn't demand it.
So I think one of the first things that I'd love to see my listening audience do is start demanding better security measures from the people that serve you. - Yeah, the thing I did with my financial advisor is-- or that I do with him--he's still not very good at privacy and security.
He's very good at his job, but privacy and security are definitely lacking. And I just put everything into a PDF. If you have Adobe PDF Pro on Windows or Preview on Mac, you can encrypt that PDF. So I'll send him the PDF, and then I'll call him and tell him the password, which kind of necessitates a simple password, but it's much better than nothing.
And my question for you is, how do we fix this? Is there a financial advisor convention that I can get on the speaker list for? How do we start fixing this issue? - That's a great idea. We could probably team up because I actually have the outline. One of the reasons why I consumed all your content was because I've been concerned about this for a while, and I had researched the topic.
I have the outline of a book/course in my head. I have the outline written out. I'm not committed to actually completing it, but how to actually maintain as much financial anonymity and privacy as possible. And it is a big concern. We could talk about that because there probably is some stuff that could be created that would bring it to people's attention.
I think people just don't recognize how big the vulnerability is. I know my experience was that I spent most of my life with my head in the clouds and I was just simply saying, "Eh, it's not going to happen to me, and if it does happen to me, it's probably not a big deal.
It can be cleaned up." But over the last few years, I think we've seen plenty of evidence that, number one, it's going to happen to you, whether it's something embarrassing and potentially life-changing, such as being found in the Ashley Madison database, or whether it's something just simply inconvenient, such as being in the Target or Home Depot breach, or whether it's something potentially serious, like being involved in a government information breach, whether it's -- what was the breach on the military system?
- OPM. - Yeah, exactly, recently. Or, I mean, this goes back years, back when the U.S. Census Bureau lost, what, 50 laptops, something like that, that were stolen with all this personal information on them. So I think the understanding that people have has raised, and so I'm trying to agitate here on the consumer side to get people to care about it, and my experience has been that just simply by telling people and encouraging people, "Hey," just requires certain things.
I get a lot of my friends -- I try to get everyone I can to use something as simple as Signal, which is just a simple encrypted messaging and communication app. It's so easy to install. Every time I do it -- or I try to get people to use FaceTime, FaceTime audio, instead of making a phone call.
So all of my friends with iPhones, I just always FaceTime audio them. "What's this FaceTime audio?" At least it gets a base level of encryption. And so I personally am a bit of an evangelist for it, and I think that that will have an effect, and it's only when the customers demand it that the industry will change.
- Well, I have to tell you, that's incredibly refreshing to hear, because it's not very common to hear people outside of the dedicated privacy and security space agitating for these things or advocating using Signal or encrypted email or things like that. So that's really kind of uplifting to hear that at least someone is out there doing that.
- Well, it used to be hard to do, and my observation is, you know, setting up manual PGP encryption on your email program is not for the faint of heart, right? So it's just easier to say, "Well, I'm not going to worry about it." But now when there are encrypted email options that are free and that are easy, I think the technology barrier has gone down.
And especially my observation, the political scene really raised with the hacks of the Democratic National Committee and the releases there, whether that was from an outside attacker or an inside source, I don't know. But I think that these things have really raised their profile for people. - Absolutely. Yeah. Possibly the best thing to come out of the Snowden leaks was not massive public awareness and people making behavioral changes, but companies that are interested in privacy and security are now providing us with options that are much more easily implemented.
Even, you know, you mentioned PGP, which I still have a PGP key on my blog. If people want to email me that way, they're welcome to. But I maybe exchange a manual PGP encrypted email once a month at most. And it's even still possible for people like me to screw that up because it is such a technically demanding system.
And thankfully, you know, for email, we have things like ProtonMail now that are much more manageable. - Absolutely. So let's go back to the basics. I guess we went into nerd world there. Because I do want to emphasize the basics and I think these basics matter. So your best best practices that you mentioned were a few things.
Number one, don't use a common username. If your name is Joshua Sheets, don't use Joshua Sheets as your login. Either use variations of that with numbers or even better, use an entirely random string of characters such as HK57329 and use a password management database system to maintain that information.
Two was use strong passwords. So at the maximum length possible and of tremendous variation, the only way that's practically possible is to use a password management program, which I'm going to ask you about in just a moment, Justin, how you recommend. Because many people just have the habit of using one or two simple passwords.
And they're very proud of themselves when they add a number or two to it. And they use the same password across all accounts, which is also better than having a simplest password. But it's also pretty insecure. And then number three was third-party authentication. Sorry, two-factor authentication, making sure that whenever possible, you add a second login factor to the login information.
So practically, how do you manage that? How do you do that? And what are the apps and resources that you use and recommend for that base level of security for financial accounts? - Absolutely. So for a password manager, I use a system called KeePass, which is free and open source.
And there are some benefits and disadvantages to KeePass. So I'm a security. The security is my platform. So I'm always going to default to the more secure, less convenient option. KeePass creates a database that exists locally on your computer. So I use KeePass for Windows, KeePassX if you have Macs or Linux computers, and MiniKeePass for iOS, and KeePass for Android operating systems.
And that's a little bit complex. But once you have the applications installed, you create that KeePass database on whatever your primary system is, probably your desktop computer. You can then drag that database over to your phone, your tablet, your other computer, your wife's computer, your husband's computer. They can all be accessed through that KeePass front end program because they all read that same .kdbx file format.
So you can move those databases around. You do run into some version control issues with that. If you add something on your phone and you don't go in and update that database on your primary machine, those versions can very quickly start to conflict with each other. So if you're looking for a simpler, more convenient option, there's a program called LastPass.
This is cloud-based, so it actually manages your database in the cloud. You can access it from any of your devices, Windows, Mac, Linux, Android, iOS. You can also log into it from the web, from any of your internet browsers, or from dedicated browser extensions for most of the major browsers.
And the great thing about this is you can access it from anywhere, and anytime you update that database, it's updated across every single device because it's maintained in that one central hub. Now, I'm a little more leery of this because if that database were ever breached, then all my passwords for absolutely everything I have would be compromised.
But I have some great security measures in place. I have a very, very long, strong password on that. You can use two-factor authentication, and let's talk about that a little bit. So I mentioned that you can get a text message, you can have an app on your phone that maintains those two-factor authentication tokens, or you can have a piece of hardware.
So I don't recommend the SMS generally. That has actually been downgraded by a government agency, the National Institute of Standards and Technology, because of how easily defeated it is. It would take a fairly sophisticated, focused adversary that was specifically trying to defeat you, because in order to do that, I would have to hack into your phone account, which is not difficult to do at all, and forward your text messages to me.
At that point, I would receive all your two-factor tokens and could log into your accounts, provided I had cracked the username and password. So that's not ideal, but it's still far, far better than nothing. So the next, kind of escalating up, the next thing would be a software token on an app like Google Authenticator, which you can install on your iOS or Android devices, or Authy, which uses the same protocol.
You install it on your iOS or Android device, you log into your account with your username and password. The next step will ask for your token. You open up your phone, open that Google Authenticator or Authy app. You can have multiple different accounts in these apps. So let's say I have a Gmail account, a Dropbox account, and a Facebook account.
I can have those tokens for all of those in this one single app. I tap the icon for the account I want, it displays the current six-digit code, I type that in, and I'm allowed to log in. That code is only good for one login, and it's only valid for a 30-second period.
So you will notice if you watch the app every 30 seconds, the code that's on there will disappear, a new one will pop up. This is much, much better security than the SMS version. And then if you really want to go all out, there's a product called the YubiKey, and I will make sure you have a link for that in your show notes.
But the YubiKey is a hardware token that you plug into a USB port. And the problem, kind of the issue with this is not a lot of services support this yet, but it creates a rotating code, you have to have the hardware in your computer, so you username, password, and on the next screen you just tap a little button on the YubiKey, it dumps that massive 40-character two-factor authentication token into the website, and you're allowed to log in.
So there's kind of an escalating scale depending on how complex you want to get with it. Personally, I find the middle of the road, the Authy or Google Authenticator app to be the most usable. Text messages, I have problems with sometimes if I can't get cell service for whatever reason, I won't get those two-factor authentication tokens.
So using the app has been the most convenient, and it's the level of security that I'm comfortable with for most of my accounts. - Authy is really simple to set up, you just do it and scan a code on the site and it's really easily integrated. My question is this, if you're using an app as in Authy or Google Authenticator, how do you back that up in case you have a malfunction of your mobile device that you are using the codes from?
- So Authy makes it really, really easy, and I'm a little bit less familiar with Google Authenticator. If anyone has listened to my podcast, they'll know I kind of have a really negative view of anything with the name Google on it. - You and me both, I've been trying to extract myself for years, and I'm hoping in a few years I can, but I don't think I'll ever be able to fully extract.
- So yeah, I'm really hesitant to put a Google-branded app on my phone. So I'm more familiar with Authy, but it allows you to go in and set a username and password, and it will store an encrypted version of your account information of those two-factor tokens on Authy's server.
So if I lose my phone, if I drop my phone in the toilet, if my phone just dies one day, I go get a new one, back it up, and then I re-login to Authy, and it will refresh those two-factor tokens onto that device, and I don't skip a beat.
- I've been learning how to use YubiKey. I learned that from you guys. I had never heard of it, and then I listened to your podcast on it and ordered a couple of them, and I've been using them. I think it's a tremendous, powerful--I mean, it's really, really cool, and it does what many of us, I think, would desire to have done.
It uses and integrates the digital technology with the changing code with the physical security, so I can be confident that my account is not going to be accessed unless my physical token is present. My question for you is, it doesn't seem to work with Firefox. How do you do that?
Because I like to use Firefox, but it doesn't work with Firefox. At least it doesn't right now. How do you fix that? - Yeah, that's-- - That's my personal question, because I've been trying to learn how to use it, and it's like, I've got to do it on Chrome, and I try not to use Chrome.
- So if I'm not mistaken, you can use the YubiKey with some services on Firefox. Gmail will not support it on Chrome. Is that the experience that you're having? - Right. Gmail won't support it on Firefox. Facebook won't support it on Firefox, etc. - Okay. And also, I use YubiKey for some local accounts, or some local applications, like my KeePass database.
I use a static YubiKey password to log into that KeePass database, so that's browser agnostic. It doesn't touch the browser, so it doesn't care. - I'm a little bit hesitant to recommend the YubiKey to people that aren't specifically privacy and security focused, because a $40 product is a really tough sell when you can go out and download Google Authenticator or Authy completely for free, and it works with a lot more things.
However, I do really like the YubiKey. Once you have it set up and running, if you buy the YubiKey Nano, it just sits in your USB port. You barely even know it's there, and occasionally you just tap it and it dumps that code. But it's a little bit more technically challenging to set up and I think to kind of wrap your head around.
And that $40 cost of entry is a tough pill for a lot of people to swallow. - Yeah, we'll get out of nerd world. Appreciate the reining in there. LastPass for password management is fantastic, and you make a valid point with regard to security, but for most of us, our security is so horrifically bad that just to move to LastPass, where it'll automatically set it up so while you're browsing, everything is right there, and so that it'll create long, random passwords that are stored is tremendously valuable.
I've had great success with getting people to use LastPass because it's stored in the cloud, which most people like, and it helps them to feel good, and also because of its just ubiquity across all platforms. So that would be a tremendous upgrade, and then also I'll affirm, as you said, Authy for two-factor authentication is easy to use, it's simple to set up, and it would be a tremendous step up for many people.
So these steps would help to secure our accounts. What else? What are the low-hanging fruits? Are there any other low-hanging fruits that you wanted to add to this? - Yeah, so I guess one more. So those are fairly easy steps to take. The next one is going to be a little bit painful, but it's kind of necessary, in my opinion, for both security and privacy, and that is get off Gmail.
This is a tough sell because Google has kind of spread their tentacles into every aspect of life with Google Maps and Waze and Google Calendar and Google Translate and Google Street View and all these amazing services. If you have a Google account, you already have access to all these other things like Google Drive and Google Voice and all these other amazing products that make life so much easier.
But these are all collecting information from you that will never be forgotten. It's all going onto a server, and a lot of it is very, very personally sensitive, even if you don't send emails. And most people are migrating to services like iMessage or Snapchat or other messaging services. Email is kind of going the way of the handwritten letter.
It's becoming less and less common that people exchange these deep, intimate, personal emails. But if all you're receiving still is service notifications from your bank, from your physician, from all these services that create a lot of ancillary metadata about who you are and what you are, that's still a huge, huge privacy invasion.
And there have been instances of rogue Google employees. There have been instances of, I mean, things like the NSA backdooring Google trunks to obtain all that data. And, you know, I don't want to emphasize that too much because we're not really trying to hide from the NSA. But the NSA has also proven very recently with the WannaCry leaks that they have a difficult time hanging on to the data that they collect.
So if all this is floating around out there, it's at risk. So my personal solution is ProtonMail. And to get the functionality that most people need out of email, you're probably going to need a premium account, which is a couple of bucks a month. It's not onerous. You can step up to the ProtonMail Plus plan for under $50 a year if you buy yearly.
And all your emails are end-to-end encrypted between ProtonMail users. One thing I found really handy with people like my accountant is that I can even encrypt emails to outside users. I just say encrypt this message. I assign a password to it. I call him up and say, hey, here's the password to open this email.
And all the content of that email and any attachments are going to be encrypted. Everything's stored on an encrypted -- in an encrypted state in Switzerland. The administration of ProtonMail has no access to my emails. This is not the ultimate solution if you're going to be the next Edward Snowden.
But for most of us, for our day-to-day communications, this takes you out of that automatic, no opt-in -- automatically opted-in data collection that we're all subject to. And even if ProtonMail is hacked or has a rogue employee, I don't worry that they're going to have access to my financial accounts or my other email accounts or my Facebook account or my doctor's accounts or whatever emails I'm receiving there.
Because it's encrypted and they have no access to it. - Do you think the rogue employee risk is the highest risk that practically speaking most of us who aren't engaged in foreign espionage and high crimes against the state are involved in? Do you think the rogue employee is the biggest risk?
- No. I think even as good as Google security is, defense is much harder than offense. Defense, you have to get it right every single time. Offense, you have to get it right once to get in and get a bunch of stuff. And Google is probably the world's biggest target because they're the world's biggest repository of data.
That data is really, really valuable to people. Google is targeted thousands of times every single day and they have to get everything right 100% of the time to avoid being exploited. And eventually, they're going to fail. I really talk up Google security a lot because it's very good, but that's almost an unsustainable model to have to be perfect every single time.
And the sophistication of the attackers is consistently increasing as well. There's a day when a hacker may have had some basic skills, but more and more, a hacker can turn an army of computing power of remote bots against something. The coding sophistication, the knowledge just seems to be consistently increasing, which is why we have to consistently step up our game across the board.
Yeah. To misquote Bruce Schneier, today's NSA exploits are tomorrow's PhD theses and the next day's hacker tools. Yeah. I was thinking as you're talking about communication security, when I try to get people to just take a simple step, use FaceTime audio instead of using a phone call. Number one, you'll get a better product.
You'll get a digital connection instead of an analog connection, which is downgraded signal quality. Or to use Signal or Wickr or something like that for your text messaging instead of using the SMS system. Oftentimes, the number one question is, "Well, I don't have anything to hide. Why should I bother to do that?
I don't have anything to hide. I'm not involved in anything illegal. I'm not involved in anything immoral. I don't have anything to hide." And I often wish to wax eloquent about the philosophical basis of freedom and liberty and how this is important, etc. But recently, I've been trying this line.
In the old days, when you made a phone call, it was automatically a party line. Anybody all up and down the line, your phone would ring anytime anybody on your phone line was being called. And you didn't listen for the fact of your phone ringing. You listened for the unique ring.
If you had two short, one long, then you picked up only when it was two short and one long. But that meant that all up and down the line, anybody who wanted to could pick up the phone line and listen in on your conversation. And to me, it's as simple as, would you automatically voluntarily choose to use a technology that makes your phone calls a party line?
Or if possible, would you prefer to have a direct person-to-person line and contact? And I've been trying that nonphilosophical answer to some success. How do you answer that objection? I think my first answer for that is when I go to the bathroom or when I'm being intimate with my significant other, I'm not doing anything wrong.
But if there are other people in the house, I'm going to close the door. In either of those cases, there's absolutely nothing wrong with what I'm doing. They're both kind of biological imperatives and things that everyone does to a greater or lesser extent. But there's still that desire for privacy, right?
It's not just because I don't want my guests to be offended. It's also because I want to have that privacy. And I think ultimately we feel the same about our communications. We don't think about it. We don't think about carrying a cell phone, which tracks you everywhere you go, because we've opted into that for the benefits that it gives us.
But if there were someone following you around everywhere you went every day and writing in a notebook every place you stopped, how long you stayed there, who you talked to while you were there, people would get very frustrated with that really quickly. And that is happening. That happens on a daily basis to all of us that use a cell phone, which is probably every single person at this point, at least that listen to podcasts.
That very same data collection is occurring. It's less visibly apparent to us, which I think is why it's less viscerally alarming. Absolutely. Any other low-hanging fruit that you want to mention before I adjust this a little bit? No, we can go ahead and push on unless there's something specific you want me to talk about.
Well, it's interesting because one of the things why I think this is so important for people to do and to practice, and here's just my commentary and I'm interested in your take. Number one, it's my observation that these things are skills that need to be developed. The ability to use a two-factor authentication application or even just the ability to receive an SMS message and to input that code on the website is a skill that has to be learned.
I recently read an author who was citing a report about how two-factor authentication is increasing, and he said, "This is bogus." He was an older guy. He said, "This is bogus. I don't see this anywhere." And I thought to myself, "That's bogus?" You just obviously don't have the skill.
You're not using this because this is certainly not bogus. You need to develop the skills, and you got to develop the skills before you need them. And one of my concerns is to use your nomenclature, in time most of us hope to do things and to be effective in things that are going to necessarily raise our attack surface, which means bring us to a higher degree of prominence.
Whether that's doing something like creating a podcast and talking about money on the internet or whether it's doing something like doing very well in your job or in your business and earning a significant amount of money or whether it's taking a stand in a political cause that is unpopular or that wherein you start to attract to yourself enemies.
You've got to think years in advance and put the framework in place so that when all of a sudden you're being targeted with a lawsuit by your tenant who's suing you because they fell off the front porch and injured themselves and they know you own ten rental properties. And now all of a sudden they're going to start – they're going to bring a lawsuit against you.
You've got to have thought about that a decade earlier and built the skill set. So I believe that it's important to plan and to teach people to plan for the fact that your profile in the future is going to be raised and you need to build the skills now to be prepared for that.
What say you? Absolutely. I'm going to steal a quote from one of our recent podcast guests and say that you should dig your well before you're thirsty. We've seen plenty of examples of law enforcement officers who have come to national attention because of their actions on the job and I'm not going to weigh in with a judgment either way on that.
But I will say at that point it's too late to do anything. Everything about them becomes public knowledge. It goes in the newspaper on a news crawl at the bottom of the screen for however long that story is at the front of public consciousness. And at that point it's too late to do anything about it.
Once the news media is camped out on your lawn it's too late to hide your address because everyone already knows it. Or once you're doxxed by Anonymous or once your account is breached, yeah, you can change that password then and make sure those future emails are safe, but that doesn't pull back those old emails and make them safe again.
So don't wait until something happens to try to fix it. Take a proactive approach because that's really the only approach that's going to have any effectiveness. There are two stories that really sobered me and caused me to start working actively on defense for this. But in the last couple of years, three actually, and they all involved finances.
Number one was the lady, the publicist who was on her way to South Africa and made a flippant comment and a tasteless joke on Twitter about contracting AIDS in Africa. No, I won't contract AIDS because I'm white and just trended bazillions of times on Twitter. By the time she had landed in South Africa she'd been fired from her job and she had basically the whole world finding out every single detail of her during a single airplane flight.
And her whole world collapsed and it sent her into severe depression, affected all of her relationships, her financial world collapsed, etc. Second one was the dentist who shot the lion. And he shot the lion and from my observation – I didn't follow the story deeply so I could be wrong in this – but I never saw evidence that he had committed any kind of illegal act or that he had broken the law.
There were a few questions about his interactions with his hunting trip and the purchase of his licenses but my guess was that was just probably standard African bribery systems. But there was no evidence that he had really done anything illegal and/or even immoral depending on somebody's definition of morality with regard to shooting lions.
But his business was just destroyed overnight and he was sent into hiding. His house – and with the ability of Google reviews and of Yelp reviews, etc., his business was just destroyed and his dental practice sent him to the ground. I don't know what's happened since then. And then the third one was the pizza restaurant owner in Indiana.
About two years ago when Indiana was passing the religious freedom – I think it was the Religious Freedom Restoration Act. The news crews were hunting for somebody who was professing an opinion on that piece about being a discriminatory person. And they found this pizza restaurant and they found the daughter of the owner, interviewed her on camera, making some fairly innocuous statements about homosexuality and religious freedom, etc.
And then this became front and center news. And again, the pizza restaurant was just pounded into the ground. Yelp reviews destroyed, etc. All of those cases, none of us know what's happened since. But none of those three people set out in advance to cause a stir and to bring problems into their life.
And to the best of my knowledge, none of them committed anything illegal. They just had breaches of judgment or took a position that was unpopular or did something that didn't fit the cultural narrative. And yet their lives and their livelihoods suffered immensely for it. And in today's day of instant access to the news, etc., I believe this is a serious financial planning concern that needs to be addressed by financial planners everywhere.
Absolutely. And I find this a little bit easier to relate to law enforcement officers in my training. And the thing I tell them is, if you're involved in an officer involved shooting, the news media is going to be at your house before you are, before you get home that day.
And at that point, there's nothing you can do about it. And, you know, I was going to bring up the dentist as well, had nothing to do with his practice, had nothing to do with his family life, had nothing to do with, you know, most aspects of his life.
This one thing occurred, this one unfortunate event that impacted all of these aspects. And at that point, there's very little he could do to recover from that. A proactive approach, you know, every dollar spent in prevention is probably worth, you know, probably substitute every hundred dollars you'll spend in repairing the damage later on.
One aspect of – back to financial security and then we'll move to privacy. One other aspect of financial security that you haven't mentioned that I think is important is compartmentalization of information. And I share this because of my experience in the trenches where, you know, if you're – especially if you have a high profile, high attack surface, again, to use your language, if you are a prominent person, then the people in the office that you're doing business with are going to be talking about your name and are going to be pulling up your accounts in their computer.
I saw this myself. I worked very hard and never participate, but you can't help but overhear, "Oh, so and so is a client of mine." And of course, some people have access at the administrator level, can pull up and look and say, "Oh, here's this person's accounts. Here's that person's accounts," etc.
And the staff, the administrative staff, is often somewhat broad who has access to that information. So the only way that I know to protect against that is to compartmentalize your information to the best degree possible, be very careful, and to just share what needs to be known with the people that need to know it rather than everything.
How do you approach that problem? I approach that problem with a very proactive front-end approach in that I have essentially deleted my presence from the internet, and there's very little that you will know about me that I don't want you to know about me. So I run a blog, I have a Twitter page, I have a podcast, and those are things that I choose to put in the public space, but everything else I've worked very, very hard to regain control of.
Also, to a debatable extent, I do have a public presence that supports my occupation, my business, my livelihood, but I tend to maintain a pretty low profile in my personal life. And that's kind of a tough question in that now we're kind of getting into the things that require a lot of effort for a little bit of payoff.
But I know this is going to be a very unpopular approach, but I would say the first and foremost thing that average people need to do, the average listener, not my audience, but everyone else, which is the majority of society, is pull back your presence on Facebook. Stop posting every single detail of your life to a public forum.
And even if your Facebook account is fairly locked down, fairly private, it is still on the open Internet, and that information is still available to regular people who really know how to use Facebook. That's the 90% solution right there. There's other mitigations we can do. Sorry, Joshua, but I did conduct a little bit of background research on you.
I would hope you would. I didn't. I know you and I exchanged a few emails before this podcast you'd written in with a couple of questions. And I thought about sending an email back saying you need to you know, you need to change your address from, you know, whatever it is.
I'm not going to say it on air, but I didn't want to scare you off. So I pulled back from that. But we can get into removing all those public mentions or at least most of them from the Internet. So your home address is not easily searchable. And if you get into some of the self background stuff that Michael and I talk about in the book and strongly advocate for just to find out what information exists about you online, you'll probably be surprised to learn that things like your home address is freely available on the open Internet with your name and the names of your family members.
And to some people, that's alarming. To people like me, that's certainly very alarming. But some people don't care. That's kind of public information. But that also says a lot of other information about you. I can extrapolate a great deal from that. Things like your income level, your level of education, your possibly your ethnic demographic, your sexual orientation to some degree based on the neighborhood that you live in.
And that seems like a small piece of information, but it tells me an awful lot about you, especially in certain neighborhoods that are very densely populated by one demographic or another. That's significantly private and intensely personal information to me. And I want to protect that. If this gets into a lot more effort for a lot less individual payoff per step, but we can control that information, we can remove a lot of it and manipulate a lot of it in some cases to make ourselves a little bit less public and a lot less easily researchable.
If that makes sense. I would say that my own personal and yes, I have conducted my own open source intelligence on myself searches. And yes, most almost everything is freely and openly available. So it would not have surprised me when you reached out to me. I would say that my own story is probably the best example.
I never intended to become a public figure. It was completely unintentional. And I think this is the way that many people approach it where they look at it and say, "Well, I don't have anything to hide." So and so and also in terms of it's hard to put up walls around yourself for your privacy.
Simple example in financial planning in Florida. In Florida and in most places, if you do something like purchase a home, your name is going to be entered into the property tax records as the owner of that local home. In Florida, this is a big deal because we have an unlimited homestead exemption amount where you can protect the entire value of your home with no dollar figure.
There are a couple of – no dollar limit. There are a couple of limits as far as the amount of land that you own, etc. But there's no dollar limit. So you can protect the value of your home 100 percent from the claims of any creditors that you might face.
This is very important with regard to asset protection planning. And as a financial planner, it's very important that I'm knowledgeable and skillful with that with regard to working with somebody. If you are going to – looking for a very secure place to stash $10 million, well, going ahead and purchasing and living in a $10 million waterfront home in Florida is probably – is a good plan for that.
But if you do that, you give up your privacy. And if you purchase that home in the context of a trust, a living trust, or if you purchase it in the context of an entity of some other kind, you lose that creditor protection. So it's a balance. Well, do I take the value of the – do I take the value of the privacy by owning it within a living trust that's at least at the very limit – at the very lowest hanging fruit masked in another name?
Or do I take the creditor protection? Because I'll lose that if I put it into a trust that's not held, especially if it's held jointly with my spouse. That gives very, very strong protection. And in my own case, along the way, you just make those normal situations. When I went and bought a house for the first time, I didn't know everything that I know now.
And so I just bought a house and signed up for it and you faced a question. Well, do I try to move so I can – when I can – when I – do I try to move so that I can get a different place and protect my privacy?
Voting. In the state of Florida, all of the voter records are public data. So do I register to vote? Well, I can't. It would be a crime for me to register using something that's not my actual information to some degree. So do I deregister, not register to vote, et cetera?
And I have found that the whole path is a very challenging terrain to navigate. And each person has to look and say, well, what is my threat? Well, as you – my threat level, my attack surface, as it were, has changed dramatically. I never expected to be a public figure, never expected to have people know my name all around the world.
And yet here we are. Absolutely agreed. And it is very much a compromise. And some things are kind of easy for me to compromise. You mentioned voting, and that is – man, voting is one of the most invasive things privacy-wise that I can think of. I can look up voter records for me if I know where to look and find very detailed records.
And I've kind of made a decision not to vote anymore. And that's much less a – it's not laziness. And as a veteran, I kind of consider that my right to make that decision or not. It's a very calculated decision, and part of it is privacy. And there's also another more ideological aspect to it.
But I've kind of made that decision not to vote. Also, in regards to owning a home, my first house I bought using a VA loan, which if you use a VA loan, you can't use any of the privacy mitigations that Michael and I talk about, some of the more tinfoil hat stuff, because the home has to be in your name.
You are the veteran. There's no business entity that can take that loan out for you. So I'm not currently a homeowner. I'm currently a renter. And the next house I purchase, I'm going to have to make a decision about that. And kind of my plan, my long-term plan is to pay cash for it, but that will be some time down the road for me.
But yeah, all of these things are intensely personal choices, and I guess I'm not making any specific prescriptions here to do this, don't do that. I guess what I would advocate much more heavily for is think about it. Make a conscious decision. Don't just go with the default of, "Yeah, this is how we do it." Buying cars, for instance, one of the most invasive—buying homes and cars are two of the most invasive things you can do, privacy-wise, because there's a credit check.
All this information from Chevrolet or Ford or Nissan is sold to dozens of other parties who want to sell you extended warranties or refinance your loan or all these other kind of things. So think about that before you buy a car again. And I'm kind of a subscriber to the school of thought that a car is kind of a wheelchair.
It doesn't need to be fancy. It gets me from A to B. I will never finance another car. And there's financial reasons for that, but there's also privacy reasons. I don't want that paper trail. I don't want to create this huge bloom of personal data in this kind of field, this well-manicured field that I take great pains with everywhere else.
So think about it. Make a conscious decision before you provide this information. And that kind of goes for everything. When you go to Lowe's and buy something and they ask for your phone number, we're habituated and kind of, I guess for lack of a better word, institutionalized to just spit out the phone number.
But when you're asked for personally identifiable information, think about it. Ask why am I being asked for this? Is it really necessary for what I'm doing? And that guides my decisions on a day to day basis, probably much more so than it will for most. But I guess that would be my overall advice on that.
How do you buy a car and own a car privately? So. A couple of different ways you can do this. I pay cash. I paid cash for my last two cars. And, you know, that involves some longer term financial planning and, you know, being like kind of fiscally responsible.
And also I'm not driving a brand new Audi. So I pay cash. That's kind of the starting point. Anytime you're taking a loan, it's going to be very, very invasive. So there's a couple other ways or a couple other techniques that we can use. So I am kind of set up on a system where I'm considered a nomad by the state where I claim legal residence.
I don't spend 51 percent of my time in any given state because of my travel schedule. So I'm legally able to do this. So I just register my car to this mail drop address where I'm legally considered a resident. I'm legally kind of in the same place as a full-time RVer.
So all my mail goes there and I don't really care because I'm never at that place. If I were a homeowner and lived in the same place, what I would do instead is purchase the car in the name of a New Mexico LLC. And these limited liability corporations in New Mexico, New Mexico is one of the very few states that doesn't require that you give the names of the members of the LLC to the state.
So it's completely anonymous, provided you set up your LLC through a service that kind of understands that. And I can give you the name of one such service. It's J.J. Luna's service. He's very -- he's kind of the godfather of this extreme personal privacy. But that's how I purchase my car.
When I go to register it, I would just tell the DMV that or are in the year, whatever your state's system is, that I am doing business on behalf of this corporation in the state. And it's the corporation's car because it is and register it to the corporation rather than to my personal name, because the DMV in most states actually sell the information that you give to the DMV, including your photograph to data marketers.
So that's another place that I'm kind of cautious and we're kind of veering a little bit more into, you know, the more extreme techniques. But bring it on. Don't worry. I told you. I told you we're not scared of extreme techniques around here. The show's called Radical Personal Finance for a reason.
OK, good. Good. But yeah, New Mexico LLC or if you're in a situation like I am, like Florida, for instance, allows you to use a mail, a commercial mail receiving agency. There's a few select ones that you can use as your permanent home address. If you live in Florida, it's really easy to set that up and just have all your mail go there.
You log in through their website and then they send you your mail to wherever you want to get it at. But that becomes your legally official address. That's where my taxes go to. That's where my voting stuff goes to. That's where my vehicle registrations go to. So nothing comes to my home address.
It's very, very doable and very, very simple to do. What about. Well, let's go on back to instead of going deeper on the car, let's go to housing. What suggestions do you have for living and maintaining a more private residence, especially for somebody who has concerns about their public status?
OK, sure. So if you're renting like I do, you absolutely have to stay away from the big apartment complexes. They have a flowchart of things they have to do for new renters. And it's -- I found it impossible, basically, to get them to bend in their practice of running a credit check, running a renter background check and all these other things that place you at that address.
Because these credit reporting agencies save that data. Yes, this was queried from this apartment complex. Thus, this is probably where this guy lives. So if you're renting, I would find something on Craigslist. If you work in a big company, there's probably someone looking to sublet a room or, you know, has a basement apartment or whatever.
But you have to find that individual that's renting out a place. And for those I pay cash again. I'm sure your audience will have no problem with this. I'm fairly fiscally responsible. I have some cash in the bank. So when I go to that apartment, you know, find that one I want, just tell the guy, hey, I'm just going to give you three months rent right now.
I will always stay a month ahead on the rent. And that really talks. People really tend to respect that. And of course, I'm a good tenant. And I know I'm always you know, I've lived up to my word.
I'm always at least a month ahead on the rent. And he has no issues with that. And I don't check up on him to make sure he's paying taxes on that, though. I assume he is. I have no reason to believe he's not. But he likes getting cash.
I like giving him cash because my name is not tied to that apartment in any way. And for utilities, I give him a little bit of extra money to keep the utility in his name, and then I make sure those bills are paid on time, so he's not getting any blowback from that.
If I'm buying a house, it becomes a little bit more complicated. So I've got a couple options here. If I can pay in cash, which is hard for most people to do, it's impossible for me to do right now. It will be a few years down the road before I'm able to do this.
But if I'm paying for cash for a home in cash, again, I can use the New Mexico LLC option. There's a couple other LLC options, but New Mexico is probably the best one. Alternatively, if I'm taking out a loan and again, if you're a VA, someone who would use a VA loan, this does not apply to you, unfortunately.
But if I'm taking out a loan, I can put that home in the name of a living trust. And a lot of people put their homes in trust for estate planning, estate management purposes. And most people put it name. In the trust, their name or, you know, instead of most people name that trust in their real name.
So if I were doing this, you know, probably my tendency would be to name it the Justin Carroll Living Trust, which doesn't afford me any privacy benefit, but it gives me all those estate planning benefits. However, if I wanted the privacy, I could name it anything I wanted.
I could name it the South Florida Living Trust. I can name it the one to anything you could want to three Maple Street Living Trust. Yeah, I can name it anything I wanted. And my name is tied to that. But if you don't know the name of that living, if you can query that trust directly and look at it, you'll see my name on it.
But you have to know the name of it to find it first. So this is a huge, huge privacy mitigation. And again, we run into setting up utilities. And in either case, whether I'm purchasing the home in an LLC or a living trust, I would open up an LLC, a New Mexico LLC, to put those utilities into.
Because if I go to all that trouble to purchase a home privately, I also want to make sure that I'm not tying my name to it with the utilities, because that's going to defeat all the hard work that I've done to that point. And there will undoubtedly be a few roadblocks here.
You know, if you know any attorneys that specialize in privacy, I would love to talk to them. But sometimes that can be a challenge. Well, not sometimes. That is always a challenge, finding an attorney who is really comfortable doing these kind of unconventional techniques and really kind of gets privacy.
And that's unfortunate that that's the case. But it is, sadly. So, yeah, you've got a couple options there. And, you know, none of them are absolutely perfect. The New Mexico LLC comes closest. But the living trust still provides just immensely more privacy than you're going to have purchasing a home traditionally, putting in your name, especially if you're borrowing money to pay for it.
To use another one of the terms that I learned from you, you use the term threat model, right? Yes. OK, so how do you define threat model when you use it? OK, so threat modeling is kind of a tough case by case basis thing and depends greatly on what we're talking about.
And basically the way I'll do this is take a look at who my adversary is, who I'm trying to hide from and then what I look like to them. So let's say we're talking about email. My threat model for email is really services like Gmail or just the insipid mass surveillance that's going on.
I want to kind of opt out of that stuff. If the NSA wants to look at my stuff, I'm sure they can hack into something and take a look at it specifically. But that's going to require that they dedicate resources to it and time to it and that sort of thing.
I don't want to be in that just default mass, everything being scooped up. So my threat model is kind of Google. I want to be out of Google. So and mass surveillance. So I'm comfortable with ProtonMail. It doesn't protect me from extreme high level actors, but it protects me from 90 percent of things.
If we're talking about, you know, taking Internet privacy, home privacy, for instance, my threat model is that I don't want someone to be able to look at my type, my name into a Google search beside the words home address and actually find my home address. I'm not you know, I'm not hiding from the U.S. Marshals.
If they were my threat model, I'd probably never rent anything, never buy anything. I'd probably live in a tent in the woods somewhere and never interact with anyone. They're not my threat model. So it's kind of defining who you're hiding from or who you're trying to protect your information from.
And of course, in all of these, there are other factors. Hackers are also my threat model. So if I'm using Wi-Fi at Starbucks, I don't want some kid sitting there with a Wi-Fi antenna to be able to read my email or to capture my login credentials to my bank or whatever else I happen to be logging into.
So those kind of general cyber things are always kind of an implied threat model, I guess, rather than an explicit threat model. Yeah. And so let me give a couple of to add to that. I really like your language. I've stolen all your language and have applied it in the financial.
Please do. I do try to give credit. Don't worry. But I try to – but I apply it in the financial planning context, especially when you get into something like the question of asset management, asset protection planning. And that's where you have different tools for different threat models. One simple thing is do I have the threat model of my relatives thinking that I am – I have a couple of relatives that are just no good, broke all the time, spend all the money, and I'm doing well financially.
And I want to make sure that I have an ability to have a little bit of concealment around how much money that I actually have. Well, if I go and buy a personal residence in my name and then I go ahead and buy four or five rental properties and they're all personally owned in my name, then with a simple record search on my local county property appraiser's website, all that information is going to come up.
Or do I want my neighbor who finds out that I'm involved in something to be able to know how many properties that I have? So something as simple as owning my personal residence in a living trust and something as simple as using an entity of some sort for the ownership of my rental properties and having them segmented and segregated, as you said, adds a tiny little bit of cost.
But it lowers my threat significantly. That doesn't mean that a private investigator who's been hired to investigate me from – based upon a lawsuit from one of my tenants is not going to be able to find those properties if they're commonly owned and have a common thread of ownership.
It all depends on how much money they have. I think that you mentioned J.J. Luna and his book How to Be Invisible, which is an excellent book. I recommend to people. It's kind of a very readable, thoughtful, entry-level discussion. He gives his different levels of private investigators and he says, "OK, you're talking about a level one investigator, a level two, a level three or a level four because at the end of the day, it costs money." If you're Osama bin Laden and you're up against the US government, which has an unlimited source of money and an unlimited interest in finding you, it's going to happen at some point.
You're not going to be able to escape that scrutiny. It's just simply not possible. No matter what you do in time, you're going to be caught up with because of the fact that you have an unlimited budget. But your neighbor doesn't have an unlimited budget of time. And so you can put different levels of protection in place.
Now, if all of a sudden you're a public figure, well, now things change. Now you take different steps. Or if threat models will vary depending on what type of planning. If you're involved in something illegal, all of a sudden now things are very, very different where if you're running a chemical lab, we'll call it in quotations, now you've got to take a completely – stop running a chemical lab would be my plea.
But if you're running a chemical lab, you've got to take a completely different approach because you're not worried about a jilted lover. You're worried about the US government. And now you're going to be using a very different approach than just somebody – a young woman protecting herself against a jealous ex-lover.
So at every level, you've got to think practically what am I concerned about because none of us have unlimited funds. And it's all a matter of how much am I willing to pay to get the privacy and security that is appropriate for me. - Absolutely. And I'm glad you brought up that portion of J.J.'s book because that's my favorite part of that.
Your level one investigator has a $1,000 budget. He's really easy to defeat. But that level three or four with a $100,000 budget, he's going to be really, really hard. And probably most of us aren't worried about defeating that level four investigator. And it's going to cost a disproportionate amount of money to hide from him than it is from the level one, two, and three.
And we can do those easy things like tightening up our accounts and pulling back on our Facebook profile and taking some information down off the internet. And those will solve 90% of your problems. It's that last 5% or 10% that's going to take the disproportionate amount of effort for those very small incremental gains that are going to build up to that.
I say we're never at 100%, but it's going to build up to that 99th percentile of privacy, I guess, for lack of a better word. And it's as simple as this. Two books that I've read I really enjoyed relating to threat model. Many people have heard the advice about don't write on Facebook when you're going on vacation because people are searching Facebook.
That's not a new thing. There's a great book written by a guy named Jack McLean called Secrets of a Super Thief. He wrote it back in the mid '80s when he was in jail. And he was a famous South Florida cat burglar who claims that he stole – and the police agreed with him – claims that he stole about $130 million of jewels, money, etc.
through thousands of burglaries all throughout South Florida here. He was eventually caught and in prison he wrote this book called Secrets of a Super Thief. But he talked about some of his techniques of how he would do these robberies. Well, a basic thing was going and looking at – if he could look at somebody's mailbox, he would case the house and say, "OK, this house looks like it might be an attractive target," and look at the mailbox number and see the name written on the mailbox number.
That gave him access to go to the white pages and look up the phone number for the person. And he tells a story about one particular mark where he targeted them. He called them and on their home answering machine, it said, "We're gone to the Bahamas or to the Caribbean for three weeks.
We'll be back in a couple of weeks." So, of course, he went right over the next night, robbed the house, enjoyed himself, and he left a little note on their kitchen table saying, "I hope you're not too sunburned from your vacation. Thank you for helping my financial well-being." He was a very – he did that kind of thing a lot.
So, that's an old technique told from a guy who robbed a person. And in hindsight, you look at that and say, "Well, that was dumb." But yet how many of us check in on Instagram and check in on Facebook and say, "Here I am at such and such. We're having a great time and we've got to do it all right when we're there." Well, you can look up – any burglar who's casing your house can look you up in the property tax records.
"Oh, such and such a house is owned by Joshua Sheets. Let's go on Facebook, Joshua Sheets. Oh, look. Joshua Sheets is in South Carolina. It's safe to go in." That's a very reasonable, reliable, normal threat model that bears consideration. Another book I read recently – Justin, have you read the Tom Clancy book recent after his death published last year called True Faith and Allegiance?
No, I haven't. You should read it. I'm looking up these books as you mentioned them though. Okay. So, this book, True Faith and Allegiance, it was written in the Tom Clancy pen name, but of course he's dead now. It's part of the Jack Ryan series. But the basic outline of the book is built on open source intelligence.
And the basic plotline – and I'm not – this is not a spoiler alert. The basic plotline is that a US government database of all security clearances from many years previous was released through the efforts of a foreign state who their government hacking team had been able to get a hold of the file.
And then a rogue Russian agent or Russian or Ukrainian agent had been able to get access to that file and had used open source intelligence techniques to collate the data with the outdated secret security clearance data and use the names, fast forward, and figure out where these different people were.
And then through the use of the publicly available Facebook information, other open source intelligence techniques that you and Michael Bazzell teach had been able to use that information and provide that information as targeting information to terrorist organizations who then took out physical attacks. And it was absolutely astonishing because with the exception of having the data breach – and this is why that recent data breach of government records to me was so horrifying – with the exception of the original data breach, there was nothing in the plot that was out of my capability.
And I'm not even a technical guy. And I just – it stunned me. Go ahead. If you want this capability for yourself, I can't recommend Michael's open source intelligence techniques book strongly enough. He truly is a world-renowned expert on this, probably one of the best guys in the world at open source intelligence.
And he documents all his techniques in extreme detail in his book. I don't make anything from the sale of his books. But if you do want that skill set or even if you just want to play around with it and see what's really possible, it is such an eye-opener.
It's horrifying. So I kind of take – forgive me for stealing the interview. But I see that as a very legitimate concern that doesn't involve my hiding from the US government. People often immediately go in their thinking to the US government. That's a real problem because I don't have anything to hide from the US government.
I'm not capable of hiding things. If I were the subject of attention of a specific focused probe, I don't know that I'm capable of hiding anything from the US government. That's beyond my skill set and it's beyond my real interest. But that doesn't mean that I shouldn't be very circumspect about posting on Facebook or on my Twitter account that I'm going on vacation when it's very easy for somebody to find that information.
Absolutely. And yeah, if the government wants my – the contents of my bank account, they're not going to hack the account. They're just going to go to the bank and say, "Hey, give us everything you have on this guy." So yeah, that's not the threat model that I'm working against.
But some of the mitigations I take might make it a little harder for them, but that's not the intent. So since this is a financial show, if we have a couple more minutes, there are a couple financial things that I'd like to hit if that's all right. You're turning the conversation exactly where I was going to turn.
I didn't want to miss some of the financial tools, so you go. Okay, great. I think probably one of the biggest privacy mitigations that you can do for yourself and your spouse and your children is a security freeze with the credit reporting agencies. I'm sure you're familiar with this, Joshua, but you call up TransUnion, Equifax, and Experian.
And if you really want to get detailed with it, you can also contact Innovis and ChexSystems, that's C-H-E-X, and I'll make sure you have all these links, and ask for a security freeze. And this will lock down your credit, and no credit can be taken out in your name without the eight-digit code and identity verification with that agency.
This doesn't expire. It might cost you $10 depending on the state that you live in, and I'm not going to list those, but some states are free, some they cost $10 per agency, unless you have been the victim of identity theft. If you've ever been the victim of even very low – had to change a credit card number, for instance, because someone had used your credit card number, you're eligible for free credit freezes or security freezes for life.
So if you do need to take out credit, you go to whoever you're applying for credit with, your mortgage lender, and say, "Who are you going to run my credit through?" They say TransUnion. You call TransUnion and say, "Hey, lift my freeze for 24 hours." They run your credit, and then that freeze is back in place.
This will also stop you completely from getting pre-approved credit card offers because those credit companies can't do soft pulls on your credit. It protects your address because no automatically generated mail like that, junk mail, like those pre-approved offers are automatically being sent to your house because they can't see your credit report.
They can't get your address from that. It has a million benefits. It's really easy to implement. It's probably the best security you can do on your line of credit. This doesn't protect existing accounts. If you lose your credit card, obviously that card can still be used until you report it and it's locked down by the bank.
But this is the way it should be, in my opinion. I don't know why this is not the default, but you have to take action. If you're the average person and not like me whose bank thinks that I'm dead and all these other problems that I have now, this might take you 10 minutes per credit reporting agency.
Just don't lose that eight-digit code, and your credit is extremely well protected for a very long time. If there's one thing you take out of the show that's beyond the password two-factor stuff, it is this. The next thing that I'm a strong proponent of is stop giving the bank information about where you shop, where you eat, where you stop for coffee, how you spend your money, all the elective places your money goes.
I do that through kind of a multi-pronged approach. First and foremost, I use cash. I take $300, $400 out at the beginning of the week, and that's how I purchase my fuel. That's how I pay for coffee. That's how I pay for lunch. That's how I buy things when I go to the grocery store or to whatever store I'm buying things from.
I've told this story before, and it's on my blog, and I've probably talked about it on the podcast. But when I applied for my first home loan, I had to give them three months of statements from every credit and bank account that I had. I was really shocked to find that if you looked at this, it spelled out.
You could pretty much figure out where I live and where I work based on where I stop for gas and where I get coffee every morning and the restaurants that I routinely go to lunch at and the restaurants that I routinely go to dinner at and kind of the special interests I have based on the stores and activities that I spend money on.
This was really shocking to me, and I decided then and there I'm never going to give the bank that level of insight into my life again. So that was a strong motivator to start using cash. So the other thing that I recommend is a service called Privacy.com.
And if you've listened to the show, you're familiar with this. We interviewed the CEO. But you set up an account. You give it access to your bank account. And then if I need to make an online purchase, obviously, I can't use cash. So what I do is I log into Privacy.com and I tell Privacy, hey, I'm getting ready to set up an Amazon.com account or I'm getting ready to make a purchase through.
I'm getting ready to set up my bill pay for my electric company. Give me a unique credit card number to use to pay my electricity bill. Give me a unique credit card number for this Amazon account. So it creates a credit card complete with a credit card number, an expiration date and a CCV code.
And I can set up all these other factors like they're all set up as single merchant cards. So my electric company is the only merchant that can bill to that card. So if they lose that credit card number, it's worthless to everybody else. I can also set a limit.
So let's say my electric bill is one hundred and fifty dollars a month. I set that limit, that firm limit at, let's say, one hundred and sixty just in case. And they can never draw more than one hundred and sixty dollars per month from that account. If it's, let's say they do have a breach and that number is stolen, I can go in and delete that card, make a new one, give the electric company a new card and now they can run on that.
If this is a one-off website for I'm going to make one purchase one time ever in my life, I can also make that a, they call it a burner card. So once that one transaction is made, that card is worthless from then on out. I don't have to worry about canceling it.
It's already canceled. This is a really strong service and it does a couple of things. It takes the bank out of the loop because all these charges, they just see it being billed to privacy.com. They don't see that going out to Amazon or Best Buy.com or any of these other services.
They just see a charge to privacy.com. All these merchants that I'm buying from also don't see my name because I can give it any name, any shipping address and any billing address that I choose. So if this is, let's say I'm signing up with an online dating site or something that maybe I'm not super proud of, give it any name I want, give it any address I want.
It doesn't tie back to me. So if that's breached, I'm not really that worried about it because it doesn't come back to me. You'd have to know what name and address I'd given it. So this protects me in a bunch of different ways. And like I said, if any of these services spill their data, I don't really care because I just cancel that card, make a new one, and I haven't lost anything.
This takes my risk from account takeover or data breaches down to virtually nothing as far as financial concerns go. I love privacy.com. Yeah, I use it for everything. Any purchase I make online, I have all my auto bill pay things set up to privacy.com. All my online purchases, I don't ever give out my real credit card number anymore.
And one of my favorite things – you did a great job describing the features. One of my favorite just philosophical aspects is it puts the user back in control. I don't like auto billing. I've faced major financial problems in the past because my appetite exceeded my income, and I would sign up for auto billing on this and that and the other thing.
Unfortunately, in today's world, I work with many merchants who just will not send me a paper bill and will not send me a – they just won't do it. I can't send them a check. I can't send them something. They require an auto bill pay. Now, 99.999% of the time, that's fine.
We have an amicable working relationship. Everything works fine. But still, they're in control. They're in the billing. And if I need to change something or if I get into a dispute with them, that could mess up many accounts if I need to change card numbers and things like that.
Privacy.com is wonderful because it puts me back in control. And I can set up a different card with every biller and in a voluntary win-win, voluntary transaction where we're working on agreed terms. I can pay them. They receive their money. We're all happy. In a combative hostile situation where we've reached a problem, I'm in control just like I used to be with my choice to send a check or not for payment.
And that to me is how it should be. The consumer is always in charge and the consumer should have control over the billing, not the vendor. Absolutely. No question about it. And privacy.com is kind of founded on a little bit of an ideological mindset. And the one thing I will warn listeners of is if you sign up for this, you have to give your bank username and password to privacy.com.
And that's scary for a lot of people. Absolutely understandable. Even I was nervous about it. But like I said, I've spent an hour and a half on the phone with the CEO. Michael and I interviewed him on the podcast. I have a really good feeling about where they're coming from.
Their privacy policy is clearly spelled out. And just one thing to note, the way privacy.com is structured, they are essentially a bank. So you're protected by all the laws that govern banking and how that information is handled. And I think they're probably actually doing a much better job at security than most banks are.
Justin, did you know I recently was on a phone call with a coaching client of mine and they told me that Citibank offers this service. That they offer one-time burner numbers for online transactions. Were you aware of that? I wasn't aware of Citibank specifically. I know that there are a few banks that will do this.
Do you have it? Have you used this? Do you have any experience with it? I have not. No. Again, back to my book outline. I need to research other banks that did. I was not aware that this was being marketed nor used outside of the Privacy.com, SudoPay, etc. Or other services like that.
I knew about those services, but I didn't know that the mainstream credit card companies were starting to offer this service. So for the complete privacy and security desk reference, Michael and I had this idea that we were going to set up accounts with all these different banks to see what features they had.
And we were kind of aware of that one. But with our credit lockdown the way it is and with my address history as sketchy as it is, I found very quickly it's really hard for me to open up additional bank accounts. So we backed off that. But if anyone has used this in practice, you would be teaching me something.
I'd be really curious to know how that works in practice. Email Justin through the website. Your website is yourultimatesecurity.guide, right? Yes, that's correct. Okay, so email Justin through his contact form and let him know. And send it to me as well. Justin, I'm going to test you. I'm interested to know.
If you wanted, if you had to set up Privacy.com as anonymously as possible, just a mental exercise, knowing that you were going to give banking information to them. And I consider this to be a back to threat model, an unreasonable threat model. This is where you're in the criminal world or you're accused of something.
How would you do it? This is tough because Privacy.com is accountable to KYC laws, Know Your Customer laws, which requires that they verify identity. But the way I might do this is set up an LLC, open up a bank account for that LLC, which, you know, again, we run into the problem of I would have to give my social security number to get the bank account.
But that would create one additional layer. And then I would give, I would try to only give Privacy.com the EIN for that business that I had set up. And I don't know if that would work or not, but it might be worth a try. All right. The only other idea I had was this would be where you would use a nominee.
This would be where you would have to find somebody that you could trust, that you could work with. And that way you have the account disconnected from you and your actual identity. And once it's verified, it might be possible to use that. Sorry, I always enjoy thinking about these scenarios and thinking, OK, in the most hardcore scenario, how do you figure it out?
What's the solution? I just I love the mental game of it. And, you know, that might be a great place to use a nominee. Say, hey, here's 100 bucks. Set up this account and then hand it over to me because you can you can you can change the password and you can put two factor on it, which would essentially lock that person out.
And if they're like most people, they will probably forget about it in six months and never even remember doing that. But I would always have that concern that that person would would get greedy and call Privacy.com and say, hey, someone's using my name. This is actually my account. And I would run into issues that way.
I think the best bet, maybe... I don't know. What was the quote that's attributed to Ben Franklin? Two can keep a secret. Sorry, three. Three can keep a secret if two are dead. Right. That's always how it is. And that's why a crime doesn't pay. That's where all these things it's always going to be somebody usually who exposes something.
Yeah. And I do want to make clear that nothing in our book like both Michael and I are closely affiliated with the US government. We don't advocate this for any type of criminal activity. And I know that you don't either. But we do enjoy some some thought experiments from time to time.
Exactly. Point well taken. It's just fun to sit down and think about it sometimes. It is. Yeah. I'm so glad you went through that. Last question I would ask you. I mentioned a couple of the other services, the other two competitors, and maybe there are more as well. And I'd love to see more come on the market.
But privacy, I think, is privacy is fantastic. There's also SudoPay, which is an app on the phone and Blur, which is from the company Abine. Is that how you say their name? Abine. Yeah. Yeah. Something like that. So how do you mention those services as well in case people would like some options and compare and contrast them, please?
OK, sure. So SudoPay is an iOS app, and I'll circle back around to this one at the end because their Sudo app is really fantastic as well. SudoPay does not require any money to set up an account. You install the app, set up your account, and it draws funds from your Apple Pay account.
And much like privacy, it will make one time use credit cards. And your charges, credit cards and debit cards, are two completely different things in the banking world, I've learned. And you are charged a small fee for each one of these make, and it's based on a percentage of how much money is on the credit card.
But I really do like this because of the convenience of it. As an example, I visited New York City this summer and, you know, kind of at the spur of the moment, we decided to go to the Top of the Rock, which you have to buy tickets online. And I, you know, obviously it wasn't at my computer.
We were already downtown and I just pulled out my phone, opened up SudoPay and created a credit card. And I had a card right there to pay for those tickets online. Really, really convenient. It's another option in the toolbox. Blur is the other one. It requires that you set up an account.
And currently, right now, they are offering lifetime accounts for $119. Blur lets you set up one time credit cards. Also, there's also a small fee for each one that you set up. Blur also has a ton of other features. It gives you a masked phone number, which will forward calls and texts to your real phone number if you so choose.
It also has masked email addresses, which I use every single day. And I use these to set up unique usernames on accounts that require an email address, and they all forward into my regular ProtonMail inbox. So, set up ProtonMail as the account that those go to. And then I give out these.
I make unique email addresses for absolutely everything through Blur. Give those out and they're forwarded right into my regular inbox. Super easy. So, that's also another option. And then I mentioned SudoPay. Their Sudo app... By the way, Sudo is S-U-D-O, not P-S-E-U-D-O. S-U-D-O, SudoPay. Yes, good call. But the Sudo app, man, this thing is a game changer for me.
It gives you nine Sudos, again, S-U-D-O, but nine Sudo identities, each with its own email address and phone number. So, you have nine phone numbers that will forward to your phone. And, man, I can't recommend this strongly enough, because here's how I kind of use that. I have one that is for my financial stuff.
It's for my bank account, my Coinbase account, any kind of accounts that deal with money that would cost me money financially if those accounts are breached. And there's a reason I do that. If you breach my Facebook account, which I don't have Facebook, but I realize most people do, if you breach my Facebook account, you're going to have my phone number, which means you're probably going to have the phone number that I verify my bank transactions with.
So, I can just take that completely out of the loop, put those bank accounts on their own phone number. That's the only people that get that number. And then I can have another number just for those two-factor authentication codes with my accounts, my online accounts that send SMS messages.
So, yeah, you can hack my cell phone account. It doesn't really matter, because those go to a Sudo number. And this just gives you, man, I can't overstate the flexibility of having these different phone numbers, because your phone number these days is literally more valuable than a social security number as far as your identity goes, because we use it to set up all our online accounts, and we use it for verification and all these other things.
If I have your phone number, man, I know a lot of information about you. It's huge. And I can't add any more. I'm thinking about resources to share with the audience as far as people who are new to the subject and some of the news reports that have been done, some of the just different information.
But the phone number is hugely – I have learned and been remiss in the past about how important that little piece of data is. And it's important. And just little things. So, you can use Sudo. I recommend it to people to start with some simple things like Craigslist transactions.
I recently sold my motorhome on Craigslist. And the transaction – I thought everything went great. Then all of a sudden, everything went bad. And it exposed me afresh. I ended up having to call the police when interacting with the buyer on my transaction. And so I started asking him about Craigslist fraud.
And he started telling me stories about – the police officer started telling me stories about different – just different times of Craigslist fraud and crimes that have been committed and different things. And just a simple step of using an additional phone number – and there are others. There are burner apps in the app store, et cetera.
Sudo is really beautiful because it integrates phone calls, texting, and email all in one place. But using something like an additional outside number and then taking just a simple set of – simple step of meeting in a third-party location, et cetera, for safety is more important than I ever thought it was.
And especially when you start layering on – I mean I have the unique advantage of being six and a half feet tall and over 300 pounds. So I'm not the most necessarily attractive rape target. But for a young lady – for a young woman especially who faces danger there with giving out a phone number, it provides an additional very important layer of privacy and protection.
So my daughter is too young at this point to thankfully need to be concerned about that. But I think that's very important for parents to be educated – kids probably already know. But parents to be educating and encouraging people to protect themselves. It's very important. And I'm sure most people won't do it this way, but I don't even know the actual phone number that's on my phone because all I use are Sudo numbers.
I have one that's for friends and family, one that's for – like I said, finances, one that's for online purchases. And I've seen time and time and time again cell phone companies breached. And these can be small things like a social engineer calling in to get into my account.
Or it can be big things like T-Mobile dumping millions of records. And I just don't want that information out there. And I guess what I would challenge most people to do is download the app and start moving some of your important stuff over to Sudo. And again, like Authy, there's also the option to set up a backup username and password.
So if you do lose your phone, you can install Sudo on your new phone, log in with that username and password, and you don't lose all those phone numbers. That was the thing I was worried about when this initially came out. I didn't want to run the risk of setting up all my numbers on Sudo and then having a catastrophic failure and being – all of a sudden not having access to any of my numbers.
So all of the stuff you should be making good backups of. And like most things, it's a skill set. Using these things, learning how they work, it's a skill set. But as we kind of start to wrap up here, Justin, when it comes to privacy/security, which obviously they go together, it seems to me that we in some ways have a double-edged – the sword cuts both ways.
In some ways, it's harder today than it's ever been to maintain privacy and security. I mean the Know Your Customer laws in the wake of the Patriot Act just destroyed so much ability to bank and to engage in any kind of private financial transactions. I mean it turned the financial world upside down.
The ability to travel privately was just turned upside down. I have real concerns about the – things like the Real ID – what's the word for it? Initiatives. Yeah, initiatives. The Real ID initiatives all across the country. So in many ways, the noose has tightened in ways that are – would be inconceivable.
Just the existence of a passport, the fact that you have to have a passport to go across and travel across land is, in my mind, utterly indefensible. Now, that – I don't know – I know of almost nobody who would believe that. In today's world, you have the majority of people who want to put up a massive wall across every border and say no and control the movement of each and every person.
So philosophically, that's a huge philosophical thing. But for many years, you didn't need a passport. You didn't need papers. And so it's very easy to draw the conclusion that the classic line of "your papers please" is something that most of us here are so accustomed and trained to hear as normal that we don't even think about it.
So the sword cuts against it that it's harder than it's ever been. On the flip side, we haven't talked about cryptocurrency. You mentioned Coinbase. Obviously, that's a cryptocurrency. We haven't talked about – I mean we're missing a dozen things that we could list off. But when you have all of these apps and you look at it in a different way, pseudo is a game-changer.
All of these things, encrypted messaging apps, all of these things are complete game-changers. And so on the flip side, I look at it and say in many ways, it's easier than it's ever been to live privately, communicate privately, maintain a greater sense of security. So it seems like we live in this very challenging and strange world where the sword cuts both ways.
It is an uphill battle and we have all these tools that make it easier. Like you said, we're totally habituated to just give out the data when we're asked. I mean we could go into a huge philosophical thing about this, but that is the default mode and the default mentality and the default way we do business is just to give out what we're asked for.
And living differently, living privately is a deliberate effort. It's not as simple as get a privacy.com account and a pseudo account and all of a sudden you're private. It is a very deliberate decision. It requires behavioral modifications, which quite honestly I think are much more important than the technology.
The technology helps, it supports that. But you've several times said it's a skill set that you have to practice. And that's absolutely right. It is something that you have to do. And I'm constantly telling military students, implement this into your daily life. Don't wait until eight months from now when you're about to deploy to all of a sudden set all this up on the laptop and the phone that you're deploying with.
Start living this from day to day and it's second nature when you get there. And kind of the same thing applies in the, you know, just in the citizen, the private citizen space. This is a, you know, to greater or lesser extent, a bit of a lifestyle and you can make it, you know, kind of the focal point of your lifestyle like Michael and I have.
Or it can be, you know, one of the many things. Everyone is a multifaceted individual and it can, you know, it can take greater or lesser prominence in your life, but it does require that you think about it. It's not as simple as setting up an account, downloading an app and boom, you're private.
Absolutely. And, you know, we could, Michael and I talk, you know, spend an hour every week talking about this. So I feel like there's a ton we're leaving out. I'm just looking at my notes, we're at an hour and 40 minutes, and I'm looking at my notes thinking about we didn't cover just even financial.
We didn't cover cryptocurrencies. We didn't cover, you know, prepaid debit cards. We didn't cover money orders. We didn't cover almost all of these other tools that could be used. But I think we're at a point where it's a good wrap up, a good wrap up point. Just looking at my notes here.
We also didn't cover data security. And, you know what, Michael, I might actually like to have you back on. I'm very much looking forward to your volume two of the Complete Privacy and Security Desk Reference, which as I understand it is going to be related to physical security. Because I've come to learn from reading your blog that you're a bit of a security nerd, especially with weird things like locks.
So I'm excited because it seems like you're more excited about locks sometimes than you are about full disk encryption. Yeah. And that, you know, a little bit that's a product of when, you know, my head is in encrypted apps and encrypting messengers and encryption protocols and all this all the time.
It's nice to have like some grounding in the physical world and do something a little different kind of fun. And part of that comes from a significant portion of my background that I can't go into in too much detail. But I have a lot of familiarity with locks and how they're defeated.
So it does get me excited to run across some super rare, obscure, high security lock in Seattle or New York or wherever. Yeah. And so maybe in the future, let's line it up with your Put Me on Your Book promotion tour when you launch volume two. Let's have you back to talk about physical security because I've learned all kinds of other interesting things.
You've almost convinced me to start flying with a firearm based upon your blog post about that. That's an interesting context. Obviously, sometimes it adds more hassle, but you go ahead and just describe the outline of that. I thought that was such an interesting idea from a physical security perspective that you seem to many times choose to travel with a firearm so that you can maintain security over your baggage.
Yeah. Traveling with a firearm. If there's a firearm in your baggage and there's a little bit of nuance, maybe misunderstanding about this, but you can travel with a firearm in your checked luggage, provided that you meet a few criteria. It has to be in a hard case. It has to be unloaded.
You may have to demonstrate that it's unloaded to the airline agent or the TSA agent or both sometimes. But what this does is it lets you lock your luggage up. So if you have a hard sided suitcase that will take a padlock, you can throw a padlock on there.
And per the letter of the law, it cannot be a TSA approved padlock. So you can use a very good, very high quality lock. And I do this because I frequently travel with things like 12 iPhones. If I'm going to a class where the students have specifically asked and purchased iPhones and want instruction on those phones, I don't want the opportunity for a TSA agent to open my bag up, say, hey, there's a ton of iPhones in here.
He's probably not going to miss one and, you know, throw one in their lunchbox. So if you don't own firearms or are uncomfortable with firearms, but you're still interested in this, you can travel with a couple of other items that will let you lock your suitcase because they're legally considered firearms like flare guns, which you can purchase very inexpensively or blank firing starter pistols, which will not fire real ammunition.
But they're still treated as firearms by the airlines and by the Transportation Security Administration. So I'm excited that at least one person has actually read those blog posts. I love those little ideas because, again, back to the way, OK, you can travel with a flare gun and you check the local edges, the local restriction, perhaps the you know, perhaps you might not want to carry a 357 in the local area based upon local firearms laws, but you can do something.
And just the ability to know how to secure your luggage when traveling brings back a little bit more control to somebody. Now, most of the time I don't travel with 12 iPhones. And my philosophy is there are two kinds of luggage. There's carry on. Sorry, there's carry on and lost.
So but there's a place you need to check a bag. And so it's really useful. So I'd love to have you back on when you publish volume two of the security desk reference. I'll give to my to just wrap up points and just give you the last word and also make sure you go down the listings of your sites, your podcasts and all of your materials to promote.
And I'll give a wholehearted, unqualified endorsement of the power of your book, the Complete Privacy and Security Desk Reference. I think it's about 40 bucks, but a 40 dollar book. Well spent. I was so impressed with it. But philosophically, we've covered a lot of things. And my closing commentary would be it's important to start building the skill set and thinking about it.
And there are two very important reasons why. Number one, you don't know in advance what circumstance you might face in the future due to no fault of your own. Recently on Radical Personal Finance, I've released various episodes on law enforcement, how to interact with law enforcement agents and how to protect yourself.
Every day I see news stories and every single day, the control and the ability of all of the financial information becomes much, much more significant. And you can't protect it after the fact. Just last week, there was a horrifying story about a student who was arraigned, indicted for murder or for manslaughter at the very least in association with just awful fraternity hazing incident.
And I was interested to read as part of the court proceedings that part of the evidence that the grand jury considered in bringing the charges against him was the fact that he had, number one, had there been communication between him and some of the other people, some of the other fraternity members involved about the situation.
And number two, that he had his Google searches, Google searches on what to do with alcohol poisoning. Well, those material pieces of evidence were brought against him in terms of the bringing of the charges. Now, what they did was horrible and all of us want to live in a well-ordered society in which people are held accountable for their crimes.
But, which leads me to the second point, you can't always know in advance what's actually going to be a crime. And laws change. Number one, there are plenty of laws out there and there are plenty of agents who are trying – I use the term agents to mean just people, not government agents.
But there are people who are seeking to target you and you can't know in advance what the laws are going to be 20 years from now. But what you do today is going to have an aspect on it. Whether it's the most simple common advice as what you put on Facebook is going to be seen by a future potential employer or it's the fact that every single one of your Google searches is going to be saved and can be brought against you in a grand jury investigation.
You've got to take steps in advance before you ever need it because if you ever need it, it's too late. So, Justin, finish us up with closing thoughts and walk through your resources please. Absolutely. There are 27,000 pages of federal laws and an estimated another 100,000 pages of federal civil statutes.
And a lot of times we're breaking a law and don't even know it. And a lot of these laws are enforced with a great deal of discretion. So, like you said, a lot of people are like, "Oh, I'm never going to be in that situation." But the fact is you don't know.
And when you find yourself in that situation, if you find yourself in that situation, it's too late to go back and do this legwork. You have to do it now. Excuse me. You have to do it now. So you can find out more about me on yourultimatesecurity.guide.
My blog is contained there. The book is the Complete Privacy and Security Desk Reference Volume One Digital. That's by me and Michael Basil. If you want to check out Michael's site, it is privacy-training.com. And, of course, you can download our podcast, the Complete Privacy and Security Podcast, wherever you get your podcasts.
Josh, Joshua, thank you so much for being so generous with your time. This was truly a pleasure. And I will definitely look forward to being back on once Volume Two is out. Absolutely. Thanks for coming on. Yes. Thank you. This show is part of the Radical Life Media network of podcasts and resources.
Find out more at RadicalLifeMedia.com.