Never mind the never-ending, superheroic struggle to get consumers to care about best computer security practices. Mark Loveless, a renowned independent security expert also known by the hacker handle Simple Nomad, says it’s hard enough to get security experts to consider their own operational security, or opsec.
How the military term migrated into consumer tech is a tale for another time. But Loveless, based in Arlington, Texas, has devoted a large portion of his career to making opsec—using attacker profiles to protect data and devices—simpler to understand and implement. As our connected devices, and the data troves they access, proliferate, this mission has become more complex. Threats to our data security seemingly could come from any corner.
“People focus their energy based on headlines, and based on what they’re told, particularly by a lot of vendors: ‘You’re going to be attacked by the Russians or the Chinese,’” Loveless says, “but a tech worker in your employ is more likely.”
Currently a senior security engineer at GitLab, Loveless’ career dates back to the early 1990s. He has investigated computer security breaches at railroads, helped develop network security hardware, worked on government-classified security projects, and moonlighted in a death metal band. Before joining GitLab, he was conducting research for Duo Security, which Cisco Systems acquired in August.
Just before his talk at last month’s Enigma Conference near San Francisco, Loveless and I spoke on the phone about incidents in his life over the past couple of decades that forced him to change his personal opsec. What could (and should) hackers and consumers learn from his mistakes and successes? What follows is an edited transcript of our conversation.
Q: What’s one of the most common security mistakes that keeps leading to harm, exploits, and data theft or worse, that you’d like to see changed?
We really do risk assessment wrong. Everybody’s going to die. And at the end of our lives, what will we die of? Everyone’s thoughts naturally go to the worst place: Oh, I could be murdered.
But your chances of dying by murder are 1 in 229. Which seems pretty likely. Except when you compare that to suicide, which is 1 in 92. So, you need to think that, yeah, it’s good if you can protect yourself from being murdered. However, you need to understand that most people would commit suicide before being murdered. And even then, heart disease is the nation’s biggest killer. Eating healthy is one of those basics that everyone talks about to put off your death. But things like murder grab the headlines. And that’s like how it is in the whole security world.
Let’s stick with that metaphor. Eating healthy can mean different things to different groups of people. How do you adjust your security advice similarly?
That’s exactly it. For some groups of people, they’re at higher risk for certain things. I tell them to adjust their diet this way or that way. But the whole time, you’re dealing with an audience that’s saying, “Don’t tell me what to eat.”
Another analogy I use, for people who are attempting to teach their fellow employees how to be secure, is that there are certain physical-security things that everyone does all the time. They’re like muscle memory. You get out of the car or leave the house, you lock the door.
It should be muscle memory that when you get up from your desk, you lock your computer. Regardless of whether your desk is at home or the office, you don’t just close the lid; you should shut down the computer. This ensures that some patches get properly installed on the next reboot. That’s the main difference for me between sleep mode and a complete reboot. Plus, in many cases, it helps to simply restart the computer to help it run smoother. This needs to be automatic.
What are some other basics that everybody needs to be doing but isn’t?
They need to worry about the things that are going to impact them the most. There are basics that everyone should cover, like using good passwords and two-factor authentication. Some people complain that SMS messages for two-factor authentication are not as secure because they can still be phished. Yes, they can, but if that’s the only two-factor option, then that’s what you use. You use what’s available.
And don’t click on unsolicited attachments and links in emails. If you don’t understand why you got sent something, don’t click on it.
Those are really basic things that should become muscle memory. Where things start getting different is when there are other factors: government contractors versus government agencies versus critical-infrastructure companies. I would not put as much emphasis on the Chinese hitting a railroad company, except that they’re a critical-infrastructure company.
How does opsec change across those three groups? And is there an analogous comparison for consumers?
A lot of these things are where you’re getting into weird areas. We’re not even talking about risk to the organization, but just being able to be a viable company or organization after a significant compromise in security.
I used to support a defense contractor, and it was part of the plan that if there was a compromise, the company still had to operate because its customer, the U.S. government, was depending on it. You can’t just say, “OK, we have to shut down everything and start over to fix all this.” They have to operate in an environment where we’re not sure that everything is 100 percent secure. You have to adjust your whole model to do that.
One rough analogy to that is hotel room privacy when traveling. I just go in with the assumption that someone is going to enter my room without my permission.
How long have you operated with that assumption?
Probably 20 years. I had an incident occur in my hotel room at Black Hat. My room was broken into, and my tech was compromised. They pulled the hard drive out of the wall safe, plugged it into my Linux laptop, booted it up off of a different drive, and then accessed files and copied it. Then they put the drive back in the safe.
There were indications in the room that things were disturbed. It was a real mess. I had a run-in with the hotel security there. The FBI was even involved at one point. And I wasn’t the only one.
I remember talking with Jennifer Granick, and she said, “Whatever you do, don’t hand over your laptop to the FBI.”
When was this?
This was in the early 2000s.
And you changed your behavior after this incident?
Yep. From then, I decided that all my tech stays with me. I changed my security model. I just assume that there’s not security in the room. The only tech that I leave in my room are spare cables.
Do you feel that if more hackers at DefCon last summer had adopted your model, there would’ve been fewer problems with hotel security?
It wouldn’t have mattered. I’m one of these people who’ve had weird shit happen to them a lot. I’ve found one and a quarter dead bodies, I’ve seen UFOs, I’ve been mugged four times. So as a result, I don’t know how weird I am about my paranoia. [The Vegas hoteliers] own the building; they don’t care about anybody’s privacy. They’ve got their own operational-security crap they’re dealing with.
I’m not saying they’re going about it the right way, but it seems to just be a really bad deal. I would’ve just grabbed my stuff and left the room. I don’t worry about it anymore because I carry my tech with me.
Do you trust the safes in the hotel room?
No, I don’t. Not at all. I don’t use them.
So you apply the same kind of personal security to hotels around the world? It’s not like you have a different protocol for visiting China versus visiting Canada?
I actually believe that it was the Chinese in my room in the early 2000s. The FBI let it slip accidentally, and later on, when I had a security clearance working for a government contractor, I was more or less able to confirm that that kind of thing did go on.
I was told by the physical-security people at that contractor during my exit interview, “Do not ever go to China.” When I asked if there was a particular reason why, they said, “Just don’t do it.”
But that’s me. I’m a femur in a dog’s mouth. That’s the weird stuff I deal with.
What other opsec changes have you made that might be helpful to consumers?
The muggings and pickpocketing, definitely. I typically embrace the concept of “going gray,” or the “gray-man concept.” It’s not gender-specific. It involves wearing gray, or neutral colors, and no logos, so you don’t stand out in a crowd. You more than blend in, especially around people wearing clothes that are designed to be noticed.
Two years ago, I was at Black Hat, and I was able to walk through the crowd, and nobody recognized me. I ran into [cybersecurity researcher and author] Bruce Potter, and I had to stand in front of him to prevent him from walking forward before he could see me.
Are you currently dressed in a “gray man” manner?
I’ve got my wrist wallet on, my regular main wallet in my front pocket, and I have a bait wallet in my back pocket. The bait wallet is the one that a pickpocket will get [presumably because it’s the most obvious target], and it currently has in it a $5 bill and a note that says, “Dear Thief, please take the included $5, go get a cup of coffee, and maybe rethink things.”
People laugh about it, but I’m on my third bait wallet.
The second one was stolen as I was coming back from Australia, and I had on this really goofy hat that I bought there. It was a kind of big cowboy-looking hat made out of kangaroo skin. I had it on at the airport. It drew attention, and sure enough, I got pickpocketed at the airport.
So in addition to the gray-man approach, what else do you recommend for hackers, activists, journalists, or anyone who might not instinctively have the same mind-set?
It takes a little bit of thinking about the “what if…” question: “Are there any simple steps I can do to take this out of the equation?” It can be something you carry with you, or otherwise help you in a situation, that can bring you peace of mind.
You see someone attending a conference, and they’re speaking about the importance of not spreading their information around. But afterward, they’ve got crap falling out of their backpack as they walk around with it unzipped. There are real simple steps that can get them started down a more secure path.
These tips of yours are not exactly state secrets. They’re often common-sense techniques. But if they’re, in general, so obvious, why has it proven to be hard to get other people to adopt them—even something basic like not clicking on unsolicited links or attachments in emails?
I think that people get into a feeling of being comfortable. You can go days, weeks, months without clicking on a piece of malware, and you get comfortable with a routine. That routine is the problem.
I’ve done it myself—I’ve been caught by very, very clever phishing tests by my employer. There has to be a level of vigilance.
I’ve never met anyone who can definitely trace getting hacked to using their credit card at Starbucks over insecure Wi-Fi. The vast majority of criminals are not sitting in a coffee shop waiting on someone to get on the Internet so they can steal their credit card. The criminal would have to wait for hours to find vulnerable computers, then compromise them and find credit cards—too inefficient.
That particular attack vector, while technically possible, is not practical and does not scale. Just because there is a non-zero chance of an event happening does not mean that it will actually happen. So you have a hard time convincing people to do all of these security basics, when all they read about in clickbait articles or see in unrealistic movies is hackers attacking computers on Wi-Fi. They are led to think that they need to worry about these advanced attacks.
Like a gray-man outfit, the important basics—patch up, use secure passwords, use two-factor—are very unsexy.