<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.10.0">Jekyll</generator><link href="https://amans.life/feed.xml" rel="self" type="application/atom+xml" /><link href="https://amans.life/" rel="alternate" type="text/html" /><updated>2026-03-17T23:48:58+00:00</updated><id>https://amans.life/feed.xml</id><title type="html">Blog | Lemar Aman</title><subtitle>Lemar Aman&apos;s Personal Blog</subtitle><author><name>{&quot;avatar&quot;=&gt;&quot;/assets/pics/avatar.jpg&quot;, &quot;bio&quot;=&gt;&quot;&quot;, &quot;location&quot;=&gt;&quot;Los Angeles, CA&quot;, &quot;email&quot;=&gt;&quot;lemaraman@protonmail.com&quot;, &quot;links&quot;=&gt;[{&quot;label&quot;=&gt;&quot;Email&quot;, &quot;icon&quot;=&gt;&quot;fas fa-fw fa-envelope-square&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Website&quot;, &quot;icon&quot;=&gt;&quot;fas fa-fw fa-link&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Twitter&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-twitter-square&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Facebook&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-facebook-square&quot;}, {&quot;label&quot;=&gt;&quot;GitHub&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-github&quot;, &quot;url&quot;=&gt;&quot;https://github.com/lemaraman&quot;}, {&quot;label&quot;=&gt;&quot;Instagram&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-instagram&quot;, &quot;url&quot;=&gt;&quot;https://www.instagram.com/lemaraman/&quot;}]}</name><email>lemaraman@protonmail.com</email></author><entry><title type="html">btc reflection and the market moving forward</title><link href="https://amans.life/btc-reflection/" rel="alternate" type="text/html" title="btc reflection and the market moving forward" /><published>2021-10-30T00:00:00+00:00</published><updated>2021-10-30T00:00:00+00:00</updated><id>https://amans.life/btc-reflection</id><content type="html" 
xml:base="https://amans.life/btc-reflection/"><![CDATA[<p><img src="/assets/pics/eth.jpg" alt="Eth" class="align-center" /></p>

<p>My last post on this blog was around the time Covid really began taking its toll globally, and I encouraged my readers at the time to consider investing a part of their portfolio into bitcoin. On the day I published that post, bitcoin was trading at $8900, and it has not gone below that price since. BTC traded at $12k within 3 months, $18k within 6 months, $40k within 8 months, and peaked at approximately $63k inside a year. This week it hit an ATH of $67k.</p>

<p>Without doubt, BTC has had its share of volatility and anyone who doesn’t have the capacity to handle the disgusting downswings should avoid trading it. I still think BTC has room to grow, but I’m also including a portion of my portfolio towards ETH.</p>

<p>A stock market crash is inevitable at this point (unless we see some significant structural changes) so I’m refraining from becoming too invested in any particular stock. Set and forget in <strong>VOO or VTI</strong>, and long semiconductor ETFs (<strong>TSM/SOXX &amp; INTC at &lt;45</strong>). If you’re a highroller you can take a chance on cannabis which has taken a hit and may have upward movement with Dems trying to move legislation forward. Also consider mining ops like <strong>GDX</strong> and green energy.</p>

<p>Obligatory I’m not a financial advisor and do your own DD.</p>]]></content><author><name>{&quot;avatar&quot;=&gt;&quot;/assets/pics/avatar.jpg&quot;, &quot;bio&quot;=&gt;&quot;&quot;, &quot;location&quot;=&gt;&quot;Los Angeles, CA&quot;, &quot;email&quot;=&gt;&quot;lemaraman@protonmail.com&quot;, &quot;links&quot;=&gt;[{&quot;label&quot;=&gt;&quot;Email&quot;, &quot;icon&quot;=&gt;&quot;fas fa-fw fa-envelope-square&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Website&quot;, &quot;icon&quot;=&gt;&quot;fas fa-fw fa-link&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Twitter&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-twitter-square&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Facebook&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-facebook-square&quot;}, {&quot;label&quot;=&gt;&quot;GitHub&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-github&quot;, &quot;url&quot;=&gt;&quot;https://github.com/lemaraman&quot;}, {&quot;label&quot;=&gt;&quot;Instagram&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-instagram&quot;, &quot;url&quot;=&gt;&quot;https://www.instagram.com/lemaraman/&quot;}]}</name><email>lemaraman@protonmail.com</email></author><summary type="html"><![CDATA[]]></summary></entry><entry><title type="html">the hand we&apos;re dealt</title><link href="https://amans.life/the-hand-we're-dealt/" rel="alternate" type="text/html" title="the hand we&apos;re dealt" /><published>2020-05-03T00:00:00+00:00</published><updated>2020-05-03T00:00:00+00:00</updated><id>https://amans.life/the-hand-we&apos;re-dealt</id><content type="html" xml:base="https://amans.life/the-hand-we&apos;re-dealt/"><![CDATA[<p><img src="/assets/pics/Raoul.jpg" alt="Inflation" class="align-center" /></p>

<p>If I had to relate the last 6 months of trades to anything, it would be the Goliath rollercoaster in my hometown; a slow and steady ascension followed by a terrifying drop off that’s seemingly going in perpetuity.
If you’re a dividend investor, while you took losses on your passive income recently, the game plan doesn’t change much. When you focus on cash flow from dividends you still get paid every month, year, quarter, whatever. Moving forward though, where futures are unpredictable, where can we invest to capitalize on the situation?</p>

<h2 id="the-doom-loop">The Doom Loop</h2>

<p>Baby Boomers.</p>

<ul>
  <li>Average age: 66.</li>
  <li>Amount of money in their pensions: Much.</li>
  <li>About to what? Retire.</li>
</ul>

<p>Pensions exist for spending when you retire, but prior to that, that money is invested into either the stock market or the <strong>credit market</strong>, where companies borrow money by issuing bonds.
The bonds are sought and bought because of the yield and everything is fine and dandy until the economy slows down. The problem is that over the last 5 years, as boomers have slowly sold off their stock to fund their retirements, companies have been the main source of buyers in the stock market, buying back their own shares. Millennials, though mostly flirting with index funds, aren’t really buying stocks and truthfully, most people aren’t. When companies don’t have cash to pay debts during a recession, they ultimately stop buying back their shares and additionally, fewer are paying taxes so fewer are buying bonds.</p>

<h2 id="in-an-ideal-situation">In An Ideal Situation…</h2>

<p>The free market would allow prices to adjust so those with little to no assets can buy equities at cheap valuations, so there can be at least some expected return in the future.
But that’s not the case. Millennials are stuck with all-time high valuations in equity markets, minute interest rates from bonds and high prices on property.</p>

<h2 id="the-hand-were-dealt">The Hand We’re Dealt</h2>
<p>The government will not allow the ~75 million baby boomer voters (who are also, basically, the demographic of the government) to go bust. They will be supported at all costs.
As debt has grown massively over the past 40 years due to decreased interest rates, a problem arises. Companies that can’t service their debts and ultimately go bust invite an insolvency crisis.
Unemployment rises, and pension plans deteriorate. Rather than passing blame, and instead just facing the reality of the situation, it’s clear millennials aren’t inheriting an ideal financial market.</p>

<h2 id="insert-crypto">Insert: Crypto.</h2>

<p>This analysis is largely from concepts propagated by <a href="https://twitter.com/RaoulGMI" target="blank">Raoul Pal</a>. I’m a huge fan of his financial outlook and I encourage those looking for a better understanding of macroeconomics to study his work. He recommends <a href="https://www.amazon.com/Bitcoin-Standard-Decentralized-Alternative-Central/dp/1119473861" target="blank">The Bitcoin Standard</a> and encourages people to understand why bitcoin is a great asset for savings. There is a low probability of btc going to zero and while a possibility to fall drastically obviously exists, there is also a possibility of significant return.</p>

<p>There is an opportunity of asymmetric risk here. It’s as if you use a wooden plank to move a giant stone. Sometimes the wood will snap, but there will be times the stone moves.</p>

<p>In a scenario where a young adult has 5k in savings and is not inclined to invest in stocks because of valuations, they can afford to be wrong on btc. There is time to recover, and considering a long period of time, it’s possible to see btc contribute well to a retirement fund.</p>

<p>If you’re another type of investor, though, say real estate, dividends, index funds, etc…then what?
During a recession, prices fall, and it’s ideal to have cash on hand, especially considering financial institutions are likely to follow Chase’s suit when it comes to <a href="https://www.housingwire.com/articles/chase-now-requires-700-fico-score-20-down-payment-to-buy-a-home/">requiring lenders to have 20% down and a 700+ credit score</a>. Considering <a href="https://www.investors.com/news/warren-buffett-berkshire-hathaway-annual-meeting-2020/" target="blank">Buffett sitting on $137 billion in cash</a>, it might be ideal to open fewer long positions at the moment.</p>]]></content><author><name>{&quot;avatar&quot;=&gt;&quot;/assets/pics/avatar.jpg&quot;, &quot;bio&quot;=&gt;&quot;&quot;, &quot;location&quot;=&gt;&quot;Los Angeles, CA&quot;, &quot;email&quot;=&gt;&quot;lemaraman@protonmail.com&quot;, &quot;links&quot;=&gt;[{&quot;label&quot;=&gt;&quot;Email&quot;, &quot;icon&quot;=&gt;&quot;fas fa-fw fa-envelope-square&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Website&quot;, &quot;icon&quot;=&gt;&quot;fas fa-fw fa-link&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Twitter&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-twitter-square&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Facebook&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-facebook-square&quot;}, {&quot;label&quot;=&gt;&quot;GitHub&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-github&quot;, &quot;url&quot;=&gt;&quot;https://github.com/lemaraman&quot;}, {&quot;label&quot;=&gt;&quot;Instagram&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-instagram&quot;, &quot;url&quot;=&gt;&quot;https://www.instagram.com/lemaraman/&quot;}]}</name><email>lemaraman@protonmail.com</email></author><summary type="html"><![CDATA[]]></summary></entry><entry><title type="html">vulnerable dependencies</title><link href="https://amans.life/Vulnerable-Dependencies/" rel="alternate" type="text/html" title="vulnerable dependencies" 
/><published>2020-01-09T00:00:00+00:00</published><updated>2020-01-09T00:00:00+00:00</updated><id>https://amans.life/Vulnerable-Dependencies</id><content type="html" xml:base="https://amans.life/Vulnerable-Dependencies/"><![CDATA[<p><img src="/assets/pics/gears.jpg" alt="" /></p>

<p>Building modern software incorporates tons of code. We want sophisticated systems with great functionality, and incorporating open source packages helps create them. Unfortunately, if a package we pull in has a vulnerability of its own, <strong>we’re introducing a vulnerability to potentially the entire system through that dependency.</strong> A good example of this is Struts, a framework for Java, which was the library responsible for <a href="https://www.wired.com/story/equifax-breach-no-excuse/" target="blank">the Equifax breach</a>, with over 143 million consumers affected.</p>

<h2 class="text-center" id="the-exploit">The Exploit</h2>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code>
<span class="c1">// ContentTypeHandler Java class in Struts</span>
  <span class="kd">class</span> <span class="nc">ContentTypeHandler</span> <span class="kd">extends</span> <span class="nc">Interface</span> <span class="o">{</span>
  <span class="nc">ContentTypeHandler</span><span class="o">()</span> <span class="o">{</span>
    <span class="k">this</span><span class="o">.</span><span class="na">hasQualifiedName</span><span class="o">(</span><span class="s">"org.apache.struts2.rest.handler"</span><span class="o">,</span> <span class="s">"ContentTypeHandler"</span><span class="o">)</span>
  <span class="o">}</span>
<span class="o">}</span>

<span class="c1">// 'toObject' method declared on any subtype of ContentTypeHandler</span>
  <span class="kd">class</span> <span class="nc">ToObjectDeserializer</span> <span class="kd">extends</span> <span class="nc">Method</span> <span class="o">{</span>
  <span class="nc">ToObjectDeserializer</span><span class="o">()</span> <span class="o">{</span>
    <span class="k">this</span><span class="o">.</span><span class="na">getDeclaringType</span><span class="o">().</span><span class="na">getASupertype</span><span class="o">*()</span> <span class="k">instanceof</span> <span class="nc">ContentTypeHandler</span> <span class="n">and</span>
    <span class="k">this</span><span class="o">.</span><span class="na">getSignature</span><span class="o">()</span> <span class="o">=</span> <span class="s">"toObject(java.io.Reader,java.lang.Object)"</span>
  <span class="o">}</span>
<span class="o">}</span>

</code></pre></div></div>
<p><strong>Sample code used to detect the vulnerability</strong></p>

<h2 class="text-center" id="pentest-credits-to-riyaz-walikar"><strong><a href="https://twitter.com/riyazwalikar" target="blank">Pentest credits to Riyaz Walikar</a></strong></h2>

<p>The vulnerability is triggered by sending a malicious XML POST payload with the “Content-Type” header set to “application/xml”.</p>

<script src="https://gist.github.com/riyazwalikar/473054c92463f24dfa763d263d95fca5.js"></script>

<p>Equipped with an adequate payload, the vulnerability allows code execution on the server. The executed code doesn’t block the parent thread, as it uses the <code class="language-plaintext highlighter-rouge">java.lang.ProcessBuilder</code> class, so executing time delay commands doesn’t help.</p>

<p><code class="language-plaintext highlighter-rouge">(ping -n 20 127.0.0.1, sleep 5 etc.)</code></p>

<p>So, send network packets to a self-controlled server instead. On Linux, use <code class="language-plaintext highlighter-rouge">wget</code> or <code class="language-plaintext highlighter-rouge">curl</code>. On Windows, <code class="language-plaintext highlighter-rouge">ping</code> your server and use <code class="language-plaintext highlighter-rouge">tcpdump</code> to check for incoming ICMP packets.</p>

<p>The <code class="language-plaintext highlighter-rouge">ping</code> command in this payload will send 10 ICMP requests to the server running <code class="language-plaintext highlighter-rouge">tcpdump</code>.</p>

<script src="https://gist.github.com/riyazwalikar/1d8c73bcfe1ddea3d299dd8a8d0c431a.js"></script>

<p>Run the following tcpdump command on your server.</p>

<p><code class="language-plaintext highlighter-rouge">tcpdump -nni yourinterface icmp</code></p>

<p><img src="/assets/pics/Tcpdumpshowing2ICMPecho.jpg" alt="Tcpdumpshowing2ICMPecho" /></p>

<p>So it’s established that the application is vulnerable. Next, open up calc via shell commands sent to the server.</p>

<script src="https://gist.github.com/riyazwalikar/ae4e235d1cbe0b3eb9bf9d7b37c31450.js"></script>

<p><img src="/assets/pics/processexplorer.jpg" alt="Calc" class="align-center" /></p>
<center>Java process popped calc. voilà.</center>

<h2 class="text-center" id="richer-targets">Richer Targets</h2>
<p>Be cognizant of dependencies; don’t assume all supporting software products are flawless. Even if our system isn’t as attractive to attackers, we become a target by using a vulnerable framework since <strong>every organization using that framework is going to be vulnerable</strong>. Of course, the downside to an open source package is that anyone can read/reverse engineer it.</p>

<h2 class="text-center" id="its-not-all-rain-my-friend">It’s not all rain, my friend.</h2>
<p>In any case, tools are available to check for vulnerable dependencies like <a href="https://www.owasp.org/index.php/OWASP_Dependency_Check" target="blank">OWASP dependency check</a>, <a href="https://blog.npmjs.org/post/173719309445/npm-audit-identify-and-fix-insecure" target="blank">npm audit</a>, <a href="https://retirejs.github.io/retire.js/" target="blank">Retire.js</a>, and more. More importantly, <a href="https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax" target="blank">those dependencies should be updated and vetted on a consistent basis</a>.</p>]]></content><author><name>{&quot;avatar&quot;=&gt;&quot;/assets/pics/avatar.jpg&quot;, &quot;bio&quot;=&gt;&quot;&quot;, &quot;location&quot;=&gt;&quot;Los Angeles, CA&quot;, &quot;email&quot;=&gt;&quot;lemaraman@protonmail.com&quot;, &quot;links&quot;=&gt;[{&quot;label&quot;=&gt;&quot;Email&quot;, &quot;icon&quot;=&gt;&quot;fas fa-fw fa-envelope-square&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Website&quot;, &quot;icon&quot;=&gt;&quot;fas fa-fw fa-link&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Twitter&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-twitter-square&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Facebook&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-facebook-square&quot;}, {&quot;label&quot;=&gt;&quot;GitHub&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-github&quot;, &quot;url&quot;=&gt;&quot;https://github.com/lemaraman&quot;}, {&quot;label&quot;=&gt;&quot;Instagram&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-instagram&quot;, &quot;url&quot;=&gt;&quot;https://www.instagram.com/lemaraman/&quot;}]}</name><email>lemaraman@protonmail.com</email></author><summary type="html"><![CDATA[]]></summary></entry><entry><title type="html">basic privacy guide for noobs</title><link href="https://amans.life/basic-security-practices-for-noobs/" rel="alternate" type="text/html" title="basic privacy guide for noobs" 
/><published>2020-01-07T00:00:00+00:00</published><updated>2020-01-07T00:00:00+00:00</updated><id>https://amans.life/basic-security-practices-for-noobs</id><content type="html" xml:base="https://amans.life/basic-security-practices-for-noobs/"><![CDATA[<p><img src="/assets/pics/joegoldberg.jpg" alt="Creep" class="align-center" /></p>

<h2 class="text-center" id="dont-fall-victim-to-a-joe-goldberg">Don’t fall victim to a Joe Goldberg.</h2>

<p>If you haven’t watched <a href="https://www.youtube.com/watch?v=YfUv0VSoTJw" target="blank"><em>You</em></a> on Netflix, it gives a glimpse into the absurd amount of info people put out about themselves nowadays.  <em>Spoiler alert</em>. It’s not the best idea.</p>

<p>All jokes aside, I thought I’d open up the blog with some basic, easy to follow tips on improving personal security while using the web. You don’t have to be a security professional or even tech-savvy to follow along with this. If you do have any questions, feel free to shoot me an <a href="mailto:lemaraman@protonmail.com">email</a>.</p>

<blockquote>
  <p><em>But Lemar, why? I have nothing to hide. What’re they gonna do, look at pictures of my cat?</em>  <br /></p>
</blockquote>

<p>It’s a valid question. A very simple answer would be that your privacy is invaded by many sites you visit. Your internet service provider, search engines, governments, and private interests store <a href="https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html" target="blank">massive datasets</a> on us.</p>

<ul>
  <li>Even if you trust an entity with your information, it’s not promised to always solely belong to them. We’re seeing more frequent instances of <a href="https://www.cbsnews.com/news/the-data-brokers-selling-your-personal-information/" target="blank">personal data being sold to third parties</a>, and we all know companies <em>always</em> have our best interests in mind, right? If you think privacy isn’t important because you have nothing to hide, you might as well say free speech isn’t important to you because you have nothing useful to say. Privacy means <strong>something</strong> to everyone.</li>
</ul>

<p><img src="/assets/pics/gabsmashh-publicinfo.jpg" alt="gabbs" target="https://twitter.com/gabsmashh/status/1213871011826950144?s=20" class="align-center" /></p>

<p>Gotta get this one out of the way. Seriously, guys, <strong>stop sharing info about yourself if you’re not prepared for it to be stored on some server, somewhere, forever.</strong> Ditching socials isn’t an attractive nor dare I say, <em>feasible</em> option for most, but it’s probably the easiest way to limit public info about yourself. Recognize that public comments and broadcasting real information about yourself puts you at risk, more often than not.</p>

<p>Keep in mind moving forward that <em>typically</em> the more you beef up your security, the less convenient your time utilizing the web will be.
 Let’s get into it.</p>

<h2 id="1-use-a-password-manager">1. Use a password manager.</h2>
<p>Convenience and security actually coexist with this one. Password managers allow you to store all of your passwords in one place on the cloud (a global network of servers). There are a few reasons for using one. Many data breaches occur because one website you used in 2006 got attacked, and your password was exposed. <em>You know</em>… that same password you use for basically every other website you visit, like club penguin. A good password manager generates unique passwords for each service you use, so you’re actually incorporating a ton of diversity into the log-in info you use. These managers usually have rigorous encryption, which makes it difficult for attackers to access them. As mentioned, you also get convenience with a password manager because you only have to remember one master password.</p>

<ul>
  <li>My favorite is <a href="https://www.lastpass.com/" target="blank">Last Pass</a>. You don’t need the premium version, free is fine. Make your master password <a href="https://howsecureismypassword.net/" target="blank">very secure</a>, and generate new passwords for the sites you use <strong>inside the password manager!</strong> The password manager can and should be used across different devices, which should be secure themselves with pins, passwords, and two-factor authentication when possible.</li>
</ul>

<p><strong>Edit 10/30</strong> Since this post, there has been some controversy with LastPass. I now recommend <a href="https://bitwarden.com/">Bitwarden</a>; you can <a href="https://bitwarden.com/help/article/import-from-lastpass/">migrate LastPass to Bitwarden here.</a></p>

<h2 id="2-two-factor-authentication">2. Two-factor authentication.</h2>
<p>You’ve probably clicked <em>“Set Up Later”</em> on the prompts urging you to set up two factor authentication across various sites. Basically, two factor authentication makes it so even if someone gained access to your password, they’d need an additional code from your phone to gain access. Now, when I mention your phone, I mean a mobile app like <a href="https://www.google.com/landing/2step/" target="blank">Google Authenticator</a> or something similar, not your phone number. Using your phone number (as in, getting the authentication code over text) has been proven to be a great security risk because of <a href="https://www.maketecheasier.com/sim-card-hijacking/" target="blank">Sim Card Hijacking</a>, but it’s better than nothing. So, the next time the services you use prompt you to set up 2FA, just do it. Actually, go do it right now. Go.</p>

<h2 id="3-web-browsers">3. Web Browsers</h2>
<p>Use whatever web browser your heart desires, I guess. But, <strong>please</strong> be very wary of the add-ons and extensions you add to it, and how you have it configured. I will say you should definitely set up your default search engine to either <a href="https://duckduckgo.com/" target="blank">DuckDuckGo</a> or <a href="https://www.startpage.com/" target="blank">StartPage</a>. <strong>I highly recommend you follow the steps below on setting up Firefox. You only have to do this once, and then you’re good to go.</strong> Otherwise, skip to section 4.</p>
<ul>
  <li>Firefox is a very powerful browser that lets you control your privacy completely. Really, no other user-friendly browser compares. Getting maximum privacy and security settings will require some effort but in my opinion it’s very worth it.</li>
</ul>

<ol>
  <li>Download and install <a href="https://www.mozilla.org/en-US/firefox/new/" target="blank">Firefox</a>.</li>
  <li>Open up the “options” via the three dashed lines in the top right corner, and move to “Privacy and Security” via the tabs on the left. Change <strong>enhanced tracking protection</strong> to “Strict”. Don’t worry, this is unlikely to break any of the mainstream websites you visit and you can alter this setting on a per need basis as you deem fit.</li>
  <li>Under <strong>Cookies and site data</strong>, toggle on the option to delete them when Firefox is closed. If you have already used Firefox in the past, now is a good time to clear your data as well.</li>
  <li>Under <strong>Logins and Passwords</strong>, make sure “Ask to save logins and passwords” is <strong>unchecked</strong>. You can use the <a href="https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/" target="blank">LastPass Firefox Add-On for this</a>.</li>
  <li>Scroll further down to <strong>“History”</strong>, and change “Firefox will” to: “Use Custom Settings for history”. Toggle on “Always use private browsing mode”. This is important because over time, browsers pile up info on you and your revealing habits. Keep in mind, you won’t be able to check the history of sites you visit with this option.</li>
  <li>Under Address Bar, uncheck all suggestions. While suggestions are convenient, they cause further information about you to be collected.</li>
  <li>Under <strong>Permissions</strong>, click the Settings box for “Location”, “Camera”, “Microphone”, and “Notifications”, and select “Block new requests asking to access” for each one.</li>
  <li>Even though we trust Mozilla, disallow their request for <strong>Data Collection</strong>.</li>
  <li>Under <strong>Security</strong> uncheck “Block dangerous and deceptive content.” While it sounds like a great option to have, this service is actually provided by Google, which isn’t mentioned here. I’m not too fond of sharing my info with Google, so we’ll be utilizing a different, more recommended extension for this service later on.</li>
  <li>Under <strong>Search Bar</strong>, change your default search engine to DuckDuckGo. Opt out of search suggestions to prevent tracking.</li>
  <li>Under <strong>Home</strong> in settings, change your homepage and new tabs to open up with a blank page. Opt out of top sites and highlights.</li>
  <li>That does it for visible settings, but feel free to go even further by accessing settings under the hood.
    <ul>
      <li>Type about:config in your Firefox URL box. Click “Accept risks and continue”.</li>
      <li>Open up <a href="https://www.privacytools.io/browsers/" target="blank">PrivacyTools.IO</a>. Scroll down to the “How to disable WebRTC in Firefox” section, and follow the instructions. This will allow us to capitalize on some more settings we’ll set up later.</li>
      <li>Browse the rest of the instructions on privacytools.io and tweak your settings accordingly.</li>
    </ul>
  </li>
  <li>Add-ons and Extensions
    <ul>
      <li>Head over to <a href="https://addons.mozilla.org/en-US/firefox/" target="blank">The Firefox Add-Ons directory</a>.</li>
      <li>Search for <a href="https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/" target="blank">HTTPS everywhere</a>, and add it to your browser.</li>
      <li>Search for <a href="https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/" target="blank">Ublock Origin</a>, and add it to your browser. Alternatively, you could use <a href="https://addons.mozilla.org/en-US/firefox/addon/privacy-possum/?src=search" target="blank">Privacy Possum</a> or <a href="https://addons.mozilla.org/en-US/firefox/addon/ghostery/?src=search" target="blank">Ghostery</a>.</li>
      <li>If at any time an add-on breaks a site you visit or it prompts you to disable your ad blocker, you can go into the settings for the add-on and allow permissions for the site. Do this at your own risk and only if you trust the website. You don’t have to use these add-ons, but they are the ones I like.</li>
    </ul>
  </li>
</ol>

<p>That’s it for add-ons. You can do your own research and decide whether you want to personalize it even further.</p>

<h2 id="4-virtual-private-networks-vpn">4. Virtual Private Networks (VPN)</h2>
<p>VPNs are a way to hide your identity on the websites you visit and from your internet service provider, as well as encrypt your traffic so as to prevent entities trying to track you. <strong>I can’t emphasize this enough, stay away from free VPNs</strong>. <a href="https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/" target="blank">Using a sketchy VPN may compromise your personal security</a>. Pay the $5-$10 or so a month and use a decent service. I recommend <a href="https://www.ipvanish.com/" target="blank">IPVanish</a> but do your research into a provider that fits your budget and needs.</p>

<h2 id="5-back-up-your-data">5. Back Up Your Data.</h2>
<p>You’ve probably heard the term “Ransomware” in the media recently. Some major attacks, causing hundreds of millions of dollars in damages, have affected people and companies because attackers hold data captive for a price. Most of the time, even when the attackers are paid, the data is lost anyways. The best way to defend is to have a proper backup and restoration process. The golden rule is to keep your files backed up to <strong>at least</strong> 3 locations. This way, even if one goes down, you still have copies. Go buy a <a href="https://www.amazon.com/Seagate-Portable-External-Hard-Drive/dp/B07CRG94G3/ref=sr_1_5?keywords=hard+drive&amp;qid=1578473293&amp;sr=8-5" target="blank">hard drive</a> and back up your photos, files, and whatever else you think is important just in case. This isn’t even really a security protocol, more so a general process to make sure your files are safe in case they get damaged or lost.</p>

<h2 id="6-utilize-security-driven-services-and-products">6. Utilize Security-Driven Services and Products.</h2>
<p>For phone calls and messages, this might be <a href="https://www.signal.org/" target="blank">Signal</a>. For email this might be <a href="https://protonmail.com/" target="blank">Proton Mail</a>. Basically, most of the mainstream email service providers and just communication services in general have <a href="https://en.wikipedia.org/wiki/Privacy_concerns_regarding_Google" target="blank">terrible security protocol</a>, with some flat out reading your emails. The main take away from this section is that you should do your research and use products and services that you trust.</p>

<h2 id="7-change-operating-systems">7. Change Operating Systems.</h2>
<p>This one isn’t really for the average person, especially those who’ve grown accustomed to using an operating system. To summarize the benefits on why swapping to an operating system like <a href="https://www.parrotsec.org" target="blank">Linux</a> is ideal:</p>
<ul>
  <li>Windows is a popular choice. Roughly 90% of all computers on the web are using it. This means as an attacker, I’d want to develop my strategy and tactics biased towards Windows systems because there are just more fish in the sea. By swapping to a less used system, you’re improving your security through obscurity.</li>
  <li>Linux is open source (anyone can see the code that makes it). This might seem like a security nightmare, but is actually a critical element of why it’s secure. It allows the good guy professionals to inspect how the system is made and make sure there are no bugs or vulnerabilities.</li>
  <li>Probably the most significant advice I could give any organization or person is to limit admin permissions. Linux does this by having a better user privileges model. While Windows users are generally given administrator access by default, Linux in contrast restricts admin access.</li>
  <li>If you aren’t fond of switching operating systems, attempt to <a href="https://www.youtube.com/watch?v=sB_5fqiysi4" target="blank">learn to use a virtual machine</a> for any risky online behaviour you may wish to engage in.</li>
</ul>

<h2 id="8-scaling-to-other-devices">8. Scaling To Other Devices</h2>
<p>Most of the information I wrote here can be applied to various devices, so apply it accordingly. Disable your Bluetooth and location services on your mobile device when not in use, and enable your VPN on your mobile device as well. Get rid of apps you don’t use. Know that the texts you send have essentially no encryption. At the very least, limit permissions on your apps. Twitter doesn’t need your location. Snapchat doesn’t need access to your texts. Nice video about securing your phone <a href="https://www.youtube.com/watch?v=m_SN1CB3Kts" target="blank">here</a>.</p>

<h2 id="9-retain-and-work-towards-securing-pre-existing-personal-data">9. Retain and Work Towards Securing Pre-Existing Personal Data.</h2>
<p>Research yourself. You may be surprised at what you find. Ask Google to <a href="https://support.google.com/accounts/answer/3024190?hl=en" target="blank">provide you your data file</a>. Enter your email on <a href="https://haveibeenpwned.com/" target="blank">have I been pwned</a>. Search yourself up on <a href="https://www.google.com/" target="blank">Google</a>, and contact <em>‘owners’</em> of your data to see if you can get your information removed.</p>

<p>And that should do it. Again, if you have any questions or anything to add, feel free to shoot me an <a href="mailto:lemaraman@protonmail.com">email</a>.</p>]]></content><author><name>{&quot;avatar&quot;=&gt;&quot;/assets/pics/avatar.jpg&quot;, &quot;bio&quot;=&gt;&quot;&quot;, &quot;location&quot;=&gt;&quot;Los Angeles, CA&quot;, &quot;email&quot;=&gt;&quot;lemaraman@protonmail.com&quot;, &quot;links&quot;=&gt;[{&quot;label&quot;=&gt;&quot;Email&quot;, &quot;icon&quot;=&gt;&quot;fas fa-fw fa-envelope-square&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Website&quot;, &quot;icon&quot;=&gt;&quot;fas fa-fw fa-link&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Twitter&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-twitter-square&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Facebook&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-facebook-square&quot;}, {&quot;label&quot;=&gt;&quot;GitHub&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-github&quot;, &quot;url&quot;=&gt;&quot;https://github.com/lemaraman&quot;}, {&quot;label&quot;=&gt;&quot;Instagram&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-instagram&quot;, &quot;url&quot;=&gt;&quot;https://www.instagram.com/lemaraman/&quot;}]}</name><email>lemaraman@protonmail.com</email></author><summary type="html"><![CDATA[]]></summary></entry><entry><title type="html">early to the universe</title><link href="https://amans.life/Early-To-The-Universe/" rel="alternate" type="text/html" title="early to the universe" /><published>2020-01-02T00:00:00+00:00</published><updated>2020-01-02T00:00:00+00:00</updated><id>https://amans.life/Early-To-The-Universe</id><content type="html" xml:base="https://amans.life/Early-To-The-Universe/"><![CDATA[<p><img src="/assets/pics/earths.jpg" alt="Beyond" title="Parallel Earths" class="align-center" /></p>

<h2 class="text-center" id="maybe-someone-a-trillion-years-from-now-will-read-this">Maybe someone a trillion years from now will read this.</h2>

<p>An article from <a href="https://www.forbes.com/sites/curtissilver/2016/08/15/are-earth-humans-the-aliens-early-to-the-universes-life-party/#2740bb00318d">Forbes</a>, further corroborated by an article from <a href="https://www.nasa.gov/feature/goddard/most-earth-like-worlds-have-yet-to-be-born-according-to-theoretical-study">NASA</a>, advances the idea that planet Earth has emerged early in the life of the Universe. Scientists estimate the Universe is roughly 13.8 billion years old, but according to the articles over 90% of Earth-like planets that will ever exist have yet to be formed. The last star isn’t expected to burn out until 100 trillion years from now.</p>

<p>If the current expansion occurring within our universe continues, descendants clever enough to prolong their existence could do so many trillions of years into the future.</p>

<p>I can’t help but ponder the many intelligent civilizations cognizant of their nature and the universe that will arise after us. There is beauty and disaster in humanity’s early arrival. On one hand, we’re among the primary wave of intellectually sentient beings that will exist and there is something special about our place in the cosmos, whatever that may be.</p>

<p>On a less optimistic note… you and I will be missing a lot. Intelligent civilizations that are inevitably bound to have significant time to develop could help less developed ones. Beings in the future might not have to worry about inventing the wheel or engineering a Dyson sphere, because some good ol’ aliens are there to help them. We can go down the rabbit hole when speculating, but it’s undeniable that there will be exponentially more opportunity with the crucial element of time and a more hospitable universe.</p>

<p>You and I are here in a stimulating time. We have the opportunity within the next few decades to significantly transform our capabilities and maybe even some of the civilizations that arise on another planet. Convincing our civilization to stop squabbling over different pigments of skin and to become efficient towards this goal seems to be the biggest obstacle, though.</p>]]></content><author><name>{&quot;avatar&quot;=&gt;&quot;/assets/pics/avatar.jpg&quot;, &quot;bio&quot;=&gt;&quot;&quot;, &quot;location&quot;=&gt;&quot;Los Angeles, CA&quot;, &quot;email&quot;=&gt;&quot;lemaraman@protonmail.com&quot;, &quot;links&quot;=&gt;[{&quot;label&quot;=&gt;&quot;Email&quot;, &quot;icon&quot;=&gt;&quot;fas fa-fw fa-envelope-square&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Website&quot;, &quot;icon&quot;=&gt;&quot;fas fa-fw fa-link&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Twitter&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-twitter-square&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Facebook&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-facebook-square&quot;}, {&quot;label&quot;=&gt;&quot;GitHub&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-github&quot;, &quot;url&quot;=&gt;&quot;https://github.com/lemaraman&quot;}, {&quot;label&quot;=&gt;&quot;Instagram&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-instagram&quot;, &quot;url&quot;=&gt;&quot;https://www.instagram.com/lemaraman/&quot;}]}</name><email>lemaraman@protonmail.com</email></author><summary type="html"><![CDATA[]]></summary></entry><entry><title type="html">about</title><link href="https://amans.life/about/" rel="alternate" type="text/html" title="about" /><published>2020-01-01T00:00:00+00:00</published><updated>2020-01-01T00:00:00+00:00</updated><id>https://amans.life/about</id><content type="html" xml:base="https://amans.life/about/"><![CDATA[<p><img src="/assets/pics/me.jpg" alt="me" title="Just Me" class="align-center" /></p>

<h2 id="im-lemar-aman">I’m Lemar Aman,</h2>

<p>LA native and software developer.</p>

<p>I’ve worked as a private security consultant for the majority of my professional career, advising companies like <a href="https://www.aigusa.com/" target="blank">AIG</a> on improving security protocol. My focus is on helping people and businesses protect themselves as they navigate through the digital realm.</p>

<p>Want to chat? Feel free to <a href="mailto:lemaraman@protonmail.com">email me</a>, or open a <a href="https://github.com/amanlemar" target="blank">GitHub issue</a> if you have a question other people might be interested in.</p>]]></content><author><name>{&quot;avatar&quot;=&gt;&quot;/assets/pics/avatar.jpg&quot;, &quot;bio&quot;=&gt;&quot;&quot;, &quot;location&quot;=&gt;&quot;Los Angeles, CA&quot;, &quot;email&quot;=&gt;&quot;lemaraman@protonmail.com&quot;, &quot;links&quot;=&gt;[{&quot;label&quot;=&gt;&quot;Email&quot;, &quot;icon&quot;=&gt;&quot;fas fa-fw fa-envelope-square&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Website&quot;, &quot;icon&quot;=&gt;&quot;fas fa-fw fa-link&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Twitter&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-twitter-square&quot;, &quot;url&quot;=&gt;nil}, {&quot;label&quot;=&gt;&quot;Facebook&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-facebook-square&quot;}, {&quot;label&quot;=&gt;&quot;GitHub&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-github&quot;, &quot;url&quot;=&gt;&quot;https://github.com/lemaraman&quot;}, {&quot;label&quot;=&gt;&quot;Instagram&quot;, &quot;icon&quot;=&gt;&quot;fab fa-fw fa-instagram&quot;, &quot;url&quot;=&gt;&quot;https://www.instagram.com/lemaraman/&quot;}]}</name><email>lemaraman@protonmail.com</email></author><summary type="html"><![CDATA[]]></summary></entry></feed>