Geek of the House
Helping the world, one n00b at a time...
Sunday, December 7, 2025
AI and reality distortion: Perspective on the progress of AI in Entertainment and Mainstream Media + Dark AI
Tuesday, April 22, 2025
A chat about #CyberHygiene
I talk about this in my #AwarenessTrainings that I put together for my company. People sometimes have the mistaken notion that they aren't targets for bad actors because they aren't famous and don't have a high net worth, or don't have a high-profile job. But that's simply not the case today. Anyone with any online presence is a potential target to attackers. That means everyone needs to know their cyber hygiene. So what does that look like?
Basic cyber hygiene is essential and easy. Steps include (extra details below):
➡️ Be more stringent about the info you share online
➡️ Review and adjust #privacy settings
➡️ Use strong and unique #passwords
➡️ Enable two-factor #authentication
➡️ #Monitor online presence
➡️ Learn about data brokers ⬅️
➡️ Secure all devices
➡️ Be skeptical of unsolicited requests
➡️ Regularly audit third-party apps with access to your accounts ❗
➡️ Monitor credit reports
➡️ Separate personal and professional identities
Sharing online: Especially if your posts online are public, be aware that anyone, including the bad guys, will see the post, its likes, and its comments unfiltered. They can use the details and media you include in social engineering attacks against you and your connections. They can clone your voice, or your persona, from a short video and then replay that to your connections to defraud them, or you. They can "guess" your passwords and/or security question answers just by browsing your social posts and comments. This is called #SocialEngineering.
Privacy settings: Make sure to regularly review these settings on all sites and portals you frequent. Providers regularly update settings and provide new functionalities.
Passwords & MFA/2FA: It's 2025 - you should be using a formal password manager that can provide long, strong, and unique passwords for every site/service you use. Some of them also provide OTP and QR code scanning capabilities for MFA/2FA. 1Password, Bitwarden, and Proton Pass are solid options in this space, among others. Make sure to fully vet whomever you choose (ensure they have a solid internal security policy and zero-knowledge framework at a minimum). Otherwise, use a 3rd party app like #GoogleAuthenticator or #MicrosoftAuthenticator to store your OTPs + a password manager. Proton Pass has a free tier that is very good; I use it myself. We use 1Password at my company, everyone loves it lol. Regardless of what tool you use, BE SURE TO USE ONE! The built-in browser password managers are not as secure, and only work with websites - they are basically fancy auto-fill tools, not a proper credential manager. A formal password manager will come with apps that work across all devices and operating systems so you can easily access your secrets anywhere you are.
Monitor yourself: You should be aware of your #DigitalFootprint. Web search yourself, your email addresses, your phone numbers - find out what's out there about you. Google Alerts is a service where you can set up monitors for most any "topic." I've used them for years to search my name, email address, and the same for my immediate family. Whenever the "topic" pops up on a web page, I get an email alert. Also, you should be aware of any #BreachData out there with your info. I suggest https://haveibeenpwned.com as a great starting point.
⬅️ Data brokers are horrible banes of our digital existence. They collect our data from so many places, most without our direct knowledge, and resell it for profit. Then they get hacked and our data is leaked outside of our control. Learn about these companies. Find ways to request that your data be deleted from their platforms. It may not be easy to erase this data, but persistence can be a good thing in most cases. Don't be surprised if you get stuck in a loop or outright denied when dealing with these companies. Your data is their profit - they don't want to give it up without a fight.
Securing all of your devices sounds like a no-brainer, right? Wrong. How many parents leave their devices unprotected so they can permit their kids to play a game or watch a show/movie? I also see people using weak security methods to secure their devices - simple PIN codes that are 11111 or 12345 or MATCHING YOUR ATM PIN (please don't do that!). Using a #biometric method (fingerprint or face or eye) is the most secure. Your device should also make you create a PIN as a backup to biometric - please use something good! I personally use a PIN with 6+ digits. Makes it much more difficult to brute-force.
Be skeptical of random DMs and emails, and especially of things that are "too good to be true". Spoiler alert! They usually are not good, nor true. Many hackers will use these methods to social engineer you. #Phishing is still the most common method of compromise globally. Email servers block trillions of emails per day as SPAM, and most never even make it to your mailbox's Junk folder, but with AI the scammers are getting past even the most modern security platforms. #BeCyberAware #StayVigilant
❗Audit 3rd party app access to your accounts regularly. Remember that game you stopped playing a few months ago? You deleted the app, so you're good...right? Not if you signed into the app with a social or email account. They still have access to your profile data and whatever else you gave them permission to see when you accepted those terms of service when you first opened the app! Make sure to go into your account's Security section and see what apps and services are still connected to your accounts. You should immediately delete/revoke any apps/services you no longer use, or you don't want to have connected to your profiles. This can include the aforementioned...Data Brokers.
Monitor your credit reports! You want to check for any new credit or bank accounts you didn't apply for yourself, activity you don't recognize, loans taken out in your name - anything "weird or unusual". In the US, the Big 3 are: TransUnion, Experian, and Equifax. They all have free account levels, but you can of course pay for premium services if you want.
Separating your personal and professional identities is important. Stop using your work computer and email for personal shit (please)! I can almost guarantee that is against [insert company name here]'s policy! As a security guy, I can tell you we really don't need to see your tax return, resume, pet's health records, your sister's/brother's picture from that [insert family event here] you went to last weekend, and I certainly don't want to see your shady Internet activity (seriously, please stop that shit). You don't want your company in your personal stuff, and your company doesn't want their stuff mixed with your personal stuff. YOU HAVE A SMARTPHONE! Use that instead (please). If you need a PC for home/travel use, go buy a cheap one from the local electronics store. You can get a decent machine for ~$200 today that will handle simple web browsing, checking emails, and even voice or video chats. You can even connect your earbuds or headset to them. Go watch porn on your own time bruh!
Now you're probably wondering what AI has to do with all of this. Well, all modern AIs (as of this blog post) are trained off of Internet data, along with many other training databases. So if you've ever put it out there on the Internet, ever (this blog included), it is being aggregated and processed by multiple AI foundation models and used to respond to user queries. This includes pictures and videos you have uploaded pretty much anywhere. Keep in mind there are a few #DarkAI models out there now as well that have zero guardrails, meaning anything is available unfiltered. All you need is a creative prompt.
It's a brave new world in 2025, y'all. You need to know what is out there about you - because the hackers already do.
Monday, July 22, 2024
#CrowdStrike Cause a Global Tech Outage - what happened, why, and (how) can it be prevented?
Sunday, August 20, 2023
"Hackers are good. Infosec is evil."
Tuesday, December 20, 2022
Thursday, May 30, 2019
Crackers and AI - A scary cool future, happening now
Crackers. They are everywhere, and better than you can imagine. They're smarter than you, me, and even those geeky people down the hall with a dozen more certs than I have or could want, and 15 years longer in the game - combined. Worst part is, there's no way to stop them anymore, unless you shut off the internet, which we all know isn't going to happen. I miss the days when installing a firewall and Antivirus was all you needed to keep them at bay. Things were much simpler then.
Today, it's a completely different game. And it scares me to be honest. They're using AI and neural networks to power their cause to the nth level. These systems aggregate data from everywhere, and I mean everywhere - clearnet and deepweb - especially social media, and then build highly sophisticated malware campaigns that use this massive trove of data to bounce from continent to continent, changing IP ranges faster than we can block them, with techniques that aren't detected by even advanced security systems, faster than we can comprehend what's actually happening. They use real-time language translation, following local colloquialisms (on the fly) for their phishing campaigns, across any platform, in ways that are indiscernible from a human doing the same thing, just better, faster, and constantly. By the way, this process happens in minutes - not days, weeks, or even months or years.
We humanz are feeding these AIs willingly, and have been for decades now. Unfortunately, it's already too late to change the situation. If you're reading this article, you're part of the problem too, just like me. The best we can do is minimize our exposure, and control what data is put on the web moving forward. In fact, it's all we can do. I liken it to sitting on a lit stick of dynamite but you can't see the fuse. You know it will explode, badly, but never when. And when it does finally pop, you quickly realize that was just the distraction. There's so much more on the back side of that. Think iceberg meets Titanic...we're on the top, barely staying above the water line and think "oh that's it" when what's really happening is multitudes worse. Let that sink in for a second. Grasp that concept and embrace it. That's the cyber wilderness today.
As humanz, we're only capable of doing so much in our day. We need rest and fuel to function at our best. We spend months or years training and retraining, and educating ourselves, inventing new systems/processes to enhance our general experiences. Problem is, criminals don't care about any of that. They already know our next ten moves. We find a way to block them? They find a zero-day. Plus, computers don't have human restrictions. As long as the power is on, they're always on. They don't see "time", that is a human construct. All a system sees is 1's and 0's. To these incredibly intelligent systems, we're just another node on the net. Another tool for them to expand their botnets and proliferate their cause, which is chaos, regardless of the source code. Crackers build the source code, plug its methods into a construct, and let it go. It learns exponentially, without further human interaction. It functions at the speed of light. It carries out actions that we see as malicious intent. To these machines, it's just another line of code. They don't see the emotional impact of taking over a user's machine, deleting all of its data in place of its own code or harvesting login credentials, and then using this new zombie as a stage to proliferate its cause creating more zombies, simply following its source code. Achieving its purpose, whatever that may be.
So the question that comes up now is how does one minimize their exposure? Outside of a complete disconnect, which isn't 100% possible anymore with the amount of surveillance equipment running globally and the fact that the person sitting next to you has a smart phone that is listening (yes, they all listen), one of the best methods is to delete your social media accounts. A complement to that is to unsubscribe from every newsletter or website that isn't necessary for you to live, which cleans up your inboxes. Now for many, deleting social media is simply not an option. I get it. You get an endorphin hit with every 'Like' or comment on your posts. That's how it's designed, that's not your fault. You get a rush with every argument you start online. Trust me, I get the psychological need for these activities to occur. It's not me, but I still get it. So, for those of you not willing to delete your social media accounts, how can you minimize your exposure? Here are some tips. Be extra mindful about what you post to any online medium: Facebook, Twitter, Tumblr, Reddit, Instagram, LinkedIn, deep web forums, etc. Anything you post publicly will be aggregated by these AIs. Pictures (from which They can develop facial recognition data), speech patterns in comments (from which They can develop language recognition and translation data, including local colloquialisms), friends' posts (which They can use to make social connections, providing additional attack vectors and 'friendly' associations to use against you, and anyone else connected to you and your connections), and so on. Just like law enforcement recommends not posting on Facebook that you're going on vacation so thieves don't know when to rob your home, the same concept goes with being more secure online in general. If you wouldn't tell a stranger 'something' in real life, or wouldn't share a picture with your boss in real life (for example), don't do it online.
One of the differences between real life and the internet is once you post it on the internet, it's there forever. Your boss is likely to forget 'something' you told them or shared with them in a few minutes. Computers never forget, even when you do. Remember that.
Another tip is don't reuse passwords across sites. That way if a site is compromised, the criminals can't exploit your other accounts with credential reuse (one of the most common attacks) and you don't have to change every password for every account you own (because they all used the same password). Get yourself a password manager, whether online or offline (I prefer the latter personally); the point is to use one. There are plenty of options out there; the most popular ones I have seen in use are DashLane, LastPass, myki, and 1Password. I personally use KeePassX, which is a 100% offline solution. That's what works for me, do what's best for you. The point is you need to use complex passwords that are different for every site and service you use.
Another tip is to set up 2FA/MFA for every account you can, especially bank accounts and email accounts. This gives you an extra layer of security in that not only do you need a password, but also a random code to authenticate into a given site/service. You can use an app like Google Authenticator, or Microsoft Authenticator, to store your 2FA/MFA tokens. That way, even if someone were able to figure out your password, they would also have to physically have your phone in hand in order to get in to your account. I recommend using an authenticator app versus SMS verifications because of the well-known (but hard to exploit) SS7 vulnerability inherent to all mobile networks globally.
The SS7 vulnerability is well documented, you can read articles about what that is and how it works with some simple Google searches, so I won't go into what that is here.
My final tips for minimizing your exposure to the super intelligent AIs are to use nicknames wherever possible, and don't use your actual picture (showing your face) as your profile picture on any site anywhere.
Now that I've completely scared you (and I hope I have) this is not to say that all AI is bad. In fact quite the contrary is true. AI is empowering our future, here and now. I use it in my professional life to help thwart cyber threats, to make my colleagues more efficient at their jobs, and to intelligently route phone calls through my call center. Many of us are touched every moment of every day by helpful AI. Power companies use AI to not only deliver services to us, but also to predict outages, etc. Siri, Cortana, Bixby, and Google Assistant are all very helpful and non-malicious AI constructs that most of us use all the time. Scientists are using AI to develop cures for cancers. Banks use AI to provide us with loan approvals in seconds, and protect our accounts from criminals. The list truly does go on with the positives that AI brings to our modern world.
My point of telling you this and scaring the shit out of you? Awareness. Most of the connected world is still very much oblivious to what is really going on and how their online interactions affect everyone else who is connected. In my career I watch the good, bad, and ugly of our digital world unfold at a rate of billions of bytes per second. I watch these newly born AI constructs attack and protect at the same time. And while the nerd in me loves the digital world we live in and are evolving into, the Geek in me is always playing devil's advocate asking why and how. Ever questioning for the real answer.
This is the world we live in today, and it will only continue to evolve in this way as time goes on. Next we'll hear about an AI being dropped into a quantum computer...and there's literally no telling what that system will decide once it realizes it exists. There are plenty of theories and conjectures, but no one really knows until we get there.
Stay safe and #CyberAware everyone. As always, feel free to comment if you have questions or want to discuss another point in greater detail. Just be mindful of what you post. They're watching us, after all 😁
Sunday, July 2, 2017
Time to Air Gap
In a world of 24 hour activity literally being streamed in real time across the globe and beyond at a rate of trillions of bytes per second at the speed of light, the biggest question in privacy is how to achieve anonymity in a world where almost nothing is secret. There is still a way to go 99%. It's simpler than you think, but an effort nonetheless.
Some background. Everything we do in digital form is cataloged and stored in a vast array of databases and servers across an amazing amount of touch points, which is then synchronized across a thousand other servers for redundancy and caching, which is then backed up to dozens of other servers, with their own redundant backups. Anything you put online...any application you use...any "terms of service" you agree to...any text or media you post...remains online forever. With the right tools and search terms, anything can be searched for, or spied on, or downloaded in an instant. It's been this way for decades, and will continue to be that way for centuries to come, especially with as connected as the planet is and as long as there is electricity.
Some discussion. Cyber attacks are a constant thing. Increasingly, we should take as a starting point that cybersecurity compromises are the third certainty in life. The cyber world is constantly at war with itself. Governments hacking governments. Corporations hacking corporations. Governments hacking corporations. Hackers hacking governments and corporations. Hackers hacking hackers. Governments and corporations hacking hackers. And then there's everyone else. Generally oblivious. Privacy is a luxury, which we give up willingly every single second of every day. The emergence of intelligent systems, artificial neural networks, and deep thinking algorithms only proliferates this further. They take, store, and learn from every bit of data we leave as breadcrumbs. Artificial intelligence is here, and it is learning. From us. And we're letting it. Give it enough processing power, and it becomes self aware. Quantum computers will make that very real, very soon.
Some perspective. Having lived through the evolution of modern computing, including the Internet, all of this is absolutely fucking amazing, and a geek's ultimate wet dream. A demonstration of true humanz genius, ingenuity, and progress (not as far as we should be, but progress nonetheless). Highly impressive in the vastness of its brilliance and simple complexity. I love using It, and learning about It, and protecting It. All of it, if I am completely honest, scares the living shit out of me. There is too much. It has become frightening. AI is now making decisions and inferences faster than humans, and has even been seen generating its own programming code. So, the concept of air gapping entered my mind as a way to keep safer than I already am. Most cannot see the signs, or do not want to admit they exist, however I am of the firm belief that World War III has been well underway, and we need to protect ourselves, especially our digital lives as I feel they are the most vulnerable to compromise. Stay with me, it's all relevant.
It has been discussed for decades that the next major global war would be fought half online, and half in the real world. The evidence is all there, and I do not believe it to be simple coincidence. Global newz outlets, small town newz papers, radio ztations, and zocial media have been propagating images of this war. Pick a topic...WMD's, genocide, terrorism, ransomware, deep web market hackz and seizures, arrests of crackers and phreakz, data breaches, RFID implants, cyber surveillance initiatives, counter cyber terrorism, weapons trafficking, the unavailability of bullets to the public, gun control politics, powerful botnetz, election hacks, political hackz, hardened/weaponized computer systems...I hope you get the point.
Back full circle. Traditionally, air gapping a system means it doesn't have any network interface cards, or external drives with which to access or extract the data contained within said system. You cannot get close enough to implant a listening device that reads vibrations or thermal changes being given off by the system's internal hardware to convert that into bits representing the data being actively accessed (such as login credentials, encryption/decryption key exchanges, data manipulations, etc.). The only way to extract the data contained within is by sitting at the console and physically removing the locked and encrypted drives, if there is no SD port. Then, if you can pull the impossible off (which includes getting the data off campus), you would need supercomputer power to decrypt the contents of the drive, which would still take 1,000 years to break (if and unless you are lucky). There is still the idea that once you decrypt the data, it could transmit its location to its owner, meaning you too would need an air gapped system to exfiltrate the data. Then comes what you do with said data. Yet another catch-22. The NSA, CIA, FBI, DEA, DHS, militaries, every government, and super corporations maintain their most secret data on air gapped systems. Physical access to these systems is extremely limited and highly controlled. It's considered the safest digital platform because the system isn't connected to anything but a power cable, and thus, in theory, cannot be hacked. A true digital safe, as it were. We know anything can be hacked, it just takes time. As hackers, we count on human error and complacency, making even air gapping a 99% solution, and the best we've got. Now, take this concept and apply it to a human life. It's far simpler, and also 99%. The anomaly is human nature.
Based on my research, here is what I have learned about how to go 99% off grid digitally. While I do not yet practice everything I note here, I am closer than even those who know me best are even aware.
1) Get off the internet, period. No social media, no surfing the clearnet, no online purchases, no clearnet email accounts. If it becomes absolutely necessary to access the Internet for a specific purpose, there are completely anonymous ways to do these tasks, on secure systems like Tails over TOR, for example, using cryptocurrency, and ghost mailboxes. Avoid Google at all costs. Use TOR browser, responsibly (www.torproject.org). But generally, just leave it all. Stop posting immediately, delete your accounts, and never go back.
2) Get rid of your smartphones, tablets, Windows and Apple computers, smart devices (TV's and refrigerators included), iRobots, etc. Need a cell phone? Buy a prepaid flip phone, and change it (and the number) every month (aka burners). Every phone can eventually be traced and tracked. Still need a computer? Learn Linux, how to secure it, and practice way smarter browsing habits (use TOR browser), if you browse at all. Keep in touch with world events, anonymously, and continuously hone your skills.
3) Always use cash or cryptocurrency, for everything. If you have to make an online purchase, use cryptocurrency, the deep web (local markets only, don't buy overseas, and be very careful), and have it shipped somewhere that is not your home, like a post office box, a business, or an associate's location, under a false name. By the way, there are ATMs now where you can convert cash to BTC, and vice versa. Look it up using Duckduckgo.com (a safe search engine).
4) Drive an older car that does not have a computer in it, or at least has all analog systems. Yes, cars are also being hacked, remotely. Keep it clean and running well though, you don't want to draw undue attention. Walk or take public transportation when you can, avoiding direct face contact with cameras. When you do go places, change your entry/exit routes regularly...avoid habitual patterns, unless necessary to remain hidden in plain sight (like going to work, or getting groceries).
5) If you must, have an immaculate and purposeful digital/public footprint. Which means a clean record, and a "normal" looking life, so as to not draw undue attention. Keep it super minimal and protected, even fake some details if you wish, but it has to be believable. Your outward personality must seem conforming, friendly, and genuine. When people search for you online, they need to find only what you want them to find. Purposeful is the key word here. To keep your accounts secure, use a dice word list to generate high-entropy passphrases of 7 to 10 or more words (as the host allows), and rotate passwords on a schedule.
6) Second most important after getting offline, and the best to mention as the final advice, would be to live simply and minimalistically. Only get what you literally need to live comfortably, and look "normal". The trick about hiding in plain sight is being distant enough that people respect your privacy, but involved enough that they believe you to be a "normal, nice guy/gal". Avoid run-ins with the law and reporters. Do not have public arguments. Remain intelligent, articulate, empathetic, determined, and most of all inquisitive. Question anything, be aware of everything.
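The dice word list passphrases from item 5, as an added example that is not part of the original post: five dice rolls select one word from a 7,776-word list, and the entropy grows by about 12.9 bits per word. The word list here is a constructed placeholder (`word0000` to `word7775`); real use assumes a published 7,776-word diceware list loaded in its place.

```python
# Added example: diceware-style passphrase generation and entropy estimate.
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 possible five-dice outcomes

# Constructed placeholder list so the example runs offline; replace it
# with a real 7,776-word diceware list for actual passphrases.
PLACEHOLDER_WORDS = [f"word{i:04d}" for i in range(LIST_SIZE)]


def rolls_to_index(rolls: str) -> int:
    """Map five die faces such as '16655' to a 0-based list index (base 6)."""
    if len(rolls) != DICE_PER_WORD or any(c not in "123456" for c in rolls):
        raise ValueError(f"expected {DICE_PER_WORD} die faces 1-6, got {rolls!r}")
    index = 0
    for face in rolls:
        index = index * 6 + (int(face) - 1)
    return index


def roll_dice() -> str:
    """Simulate five fair dice with the OS CSPRNG (not random.random)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def check_wordlist(words) -> None:
    """A short or duplicated list silently lowers the real entropy."""
    if len(words) != LIST_SIZE:
        raise ValueError(f"word list must have {LIST_SIZE} entries")
    if len(set(words)) != LIST_SIZE:
        raise ValueError("word list contains duplicate entries")


def entropy_bits(symbols: int, alphabet_size: int = LIST_SIZE) -> float:
    """Entropy of `symbols` independent uniform picks from the alphabet."""
    return symbols * math.log2(alphabet_size)


def passphrase(words, word_count: int = 7, roll=roll_dice) -> str:
    """Build a passphrase; `roll` can be swapped for physical dice input."""
    check_wordlist(words)
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    return " ".join(words[rolls_to_index(roll())] for _ in range(word_count))


if __name__ == "__main__":
    print(passphrase(PLACEHOLDER_WORDS, 7))
    for n in (7, 10):
        print(f"{n} words: {entropy_bits(n):.1f} bits")
    # For scale: a 6-digit PIN is 6 picks from 10 digits.
    print(f"6-digit PIN: {entropy_bits(6, 10):.1f} bits")
```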
If you can literally get out of Dodge and move to the mountains in the middle of nowhere, or something like that, you get that much closer to 99%. If you are not online, there is nothing to take/attack. Here again, human nature is the anomaly.
You can be connected, yet a ghost. You can see the world, without a face. You can reach out, without being reachable. The less connected you can maintain, the better. I am committed. How far are you willing to go?
~Geek
This blog is only to express the opinions of the creator. Inline tags above link to external sites to further your understanding of current methods and/or technologies in use, or to clarify meaning of certain technical terms. Any copyrighted or trademarked terms or abbreviations are used for educational purposes and remain the sole property of their respective owners.
brought to you by http://geekofthehouse.blogspot.com