All posts by roasty

“Grey Hat” IT Security and why the dark side counts

“Hustle beats talent, when talent doesn’t hustle.”

I was just using twitter and found this quote on someone else’s twitter feed status. It got my mindset in the mood for a bit of safe grey hat programming and script coding to show and solve an IT  security issue. Something worth solving & sharing that is useful.

I was thinking about writing a current and relevant IT Security exploit and the accompanying fix for it as a personal programming project in my spare time using a programming script language that is native to the target’s operating system such as Microsoft Windows using VBS or PowerShell scripting, and perhaps be able to run the proof of exploit and cure on other desktop and laptop computing platforms such as Apple Macintosh OSX and Linux operating systems such as Redhat and Tails.

Perhaps write a multi-platform exploit using a script language such as Python, although for each platform to run the code, it would depend on the run-time software being installed on each platform first to make it work at all, and that can be done only if the user is not alerted to the run-time software being installed due to them seeing or hearing  security alerts which points out something is suspicious. The fix to prevent or clean the effect of the exploit ideally should be available on the same platform being attacked to make it simple.  Maybe I will be looking at exploring other platforms like smartphones and tablets, and / or web browsers and their webpage scripting languages and later look into exploiting more secure and challenging file-server operating systems. Wireless and Bluetooth could be a good protocol to attack, or could be used to demonstrate the ability of my code to jump from one device such as a mobile phone to a computer that is not even connected to the internet (also known as an AirGapped machine), and never had any USB sticks, CD’s or other media used which could have been used to infect that target. I could use a phone, tablet or smartwatch to copy a file from one airgapped machine to another airgapped desktop, with no wires connecting the two together, and neither system having bluetooth or wireless capability. It has been done, and the smartphone is the bridge that was used. It’s a widely understated risk, and allows an attacker to steal files from a computer without having or needing logins and passwords for access, and if the phone was giving out a strong wifi or bluetooth signal, it should prevent the attacker needing to be located right next to the target computer including touching the machine at all to copy from it or install bad code to it.

This type of attack leaves any past, present and future CCTV video footage examined to identify who gained unauthorized access to a computer a fruitless task, and will bear no evidence to support a legal case without their smartphone being examined that was used as they walked past the machine while the phone was hidden in their pocket. If the attacker doesn’t even get seen on a security camera’s footage as touching the compromised computer, no evidence using CCTV footage should prove their attack. Might be worth coding 😉

I wanted to build the project’s programming source code files into two separate sub project programs that each in turn succeed in completing the demonstration of two very opposite & related goals:

Program 1) It does something naughty on my own personally owned computer(s) that is an undetected threat either locally or remotely

Program 2) It prevents the naughtiness & vulnerability I have proven by demonstrating the weakness using Program 1. This 2nd section of the project is aimed to not only stop and reverse the security hole and scale of the attack now but also in the future by fixing it. To find and clean any unwanted changes the unwanted exploit caused in files, folders, networks, disk & memory, to stop the bad code from running now & patch the hole, preventing the same attack repeating.

As a side note to that, I wrote my University project the same way and I miss the challenges and fun that it occupied me with. I hope to share my findings with my workplace now I am allowed to since given the title of “IT Security Ambassador”, because if I gave them something like this without permission to think and work on the dark side of IT, it would have been professional suicide for sure, especially if worked on during normal hours as a 1st,2nd,3rd,4th line support techie. IT Consultant is my title, but call me the tea boy for all I care, money and title of jobs mean nothing at the end of the day. What matters to me is the ability to identify and fix problems, both regarding IT Support and IT Security.

Look at my Anti-Virus final year project dissertation from 1999 that not only got me writing a brand new Microsoft office word document macro computer virus by using a virus construction kit that gave me lots of options my virus could have, and it generated the source code of the virus for me. I had to change the order of several chunks of the code known as procedures, just by cutting and pasting the order of the parts my code was split into, so that when it infected the first file, it was unique enough not to be a known pattern that bad code is found and stopped by examining with an Anti-Virus product. It could not be detected or killed with any virus scanner at the time, but then going on to write the virus scanner for part two of the practical coding half and also served as a cleaner that detected and killed it. That was what I wanted to prove, but the way I saw the issue and method to fix it was a real bonus over all other word virus scanners at the time, because it also detected and killed every single Microsoft word macro virus in existence, known or unknown, it was a generic approach, no updates were ever needed.

You can download the whole project, including source code in Visual Basic v5, the full write up & documentation and working program from my own website space here:

I aptly dedicated the titles that presented the virus code and the scanner code after “The Prodigy” – The virus being “The Poison” and the scanner “The Remedy” 🙂 Lol. The given name of my virus was Big Bertha. It was a big and nasty bitch, I wanted the threat to be serious enough to prove my point. It changed the appearance of its code every time it infected a new document making it hard to scan for viruses using a scanner, and the payload caused ball ache for the user infected with it on the 13th day of any given month. You open any document then, it selects the whole doc, deletes it, and saves it. No word recovery, undelete or recycle bin is going to save you at all. A recovery utility might fail too, since the file is still there but now empty. A disk editor might be the only way, and a difficult way at that, of getting your work back.

The scanner was called “GW-Scan” standing for “Generic Word Virus Scanner” but unfortunately since then other people have used the name I did for completely unrelated software programs. No loss or hardship my side, I gave it away with the source code for free from the start, and always wanted to share it at no cost. It solved the biggest type of computer virus infection at the time, when Microsoft hadn’t rewritten or patched the security issues that word documents and other office file types like spreadsheets and presentations allowed anyone to open and didn’t prevent an attacker from being able to run any code they wanted on the poor victim’s computer they used to open an office document with. Sharing the document shared the virus, and email system spread these types of macro virus quickly, in large numbers of files used in business and home computing systems on a global scale affecting many people, companies and systems. It became such a large issue of security that I could have made some money with the idea if the program underwent drastic improvements to graphical appearance, global language support for all of the programs menus, labels and messages meant I would have needed to hire many expert language translators for each country I wanted to display my program in. To sell it as a useful product it also needed a better way of handling the processor, allowing the user to carry on working while it scanned, as it always hogged the CPU full whack when it ran, preventing the user from doing anything else while it searched and cleaned viruses.

It ran quicker as a result of hogging the processor, and I thought at the time I wrote it that I wouldn’t want to do anything else with a PC that I suspected of having a virus on it until I scanned it first. I learnt that it was an improvement it needed, to prevent other tasks from freezing while it carried out the scan. I live and learn from early inexperienced under-sights like that, and would write it very differently today if the final version was to be sold in order to legally own a fully working version of it that behaved itself. It also needed to be TSR (Terminate Stay Resident) which means it runs as a process inside memory in the background of the operating system, maybe also show an icon in the system tray to let you know it’s there next to the date and time in windows, with the option to turn off the system tray icon by closing or hiding the app, change the settings of the program to suit the end user’s requirements or open the manual interface to it which allows custom locations to be scanned and cleaned. It would have prevented the need of the user having to scan drives, folders and files manually having it always check every document for me without the need to instruct it on where to scan. The process would have been automatically scanning every document the user opened up, copied or saved to and from any disk or network space. It would then have needed a website with a PayPal store front to allow the sale of my program as a downloadable software product, and would have needed better documentation including a professional user guide, a contact phone number and email address to write to me for support if needing help or advice using it, and the list goes forever on. It was a full time job.

I didn’t want to make all of that effort with potentially no payout from it because I find during development or shortly after release of my money making product, that Microsoft patched the issue and my scanner / cleaner was now defunct and worthless. It was eventually when Office 2010 came out due to .doc and .dot files being split into .docx and .docm and for templates split into .dotx and .dotm on the end of the document filename to show the additional letter of either “x” for no macros and “m” for macros. This improvement from Microsoft meant that before opening a document, you knew if it had any macros in it that would run, they would only run as a program at all if the document ended with the .docm extension. Even a virus infected document opened as a .docx file will never run the code. At last, they must had read my project and took it seriously. I had emailed them a copy of it. They also made the document warn you if it had unsigned code in it, but that was badly written and people still managed to circumvent legitimate documents containing macro code that users needed to run for their job or home life. It’s pretty much a defunct issue now since they made Office 2013 and 2016 versions, the security is tight enough by default to prevent easy spreading and running of bad code in word documents, or excel, access and PowerPoint too.

As a measure of safety, I made sure before displaying the project openly, which we had to make sure our project was available for anyone else to study, I emailed EICAR (the European Institute for Computer Antivirus Research) who were at the time responsible for sharing known virus strings all virus scanners used to find known threats with. I sent them a copy of my whole project, an example of an infected file that no virus scanner could find, a covering letter explaining my purposes of doing so for research towards my degree, and that I wanted them to add the search string of the new undetected virus to the leading virus scanners, which they kindly did for me, with no difficulty or delay, and funny enough without a reply! It was important to me that my project didn’t cause a virus problem itself, especially since Christopher Pile from Plymouth was famous that year for being the first UK virus writer to get 18 months in prison for writing two viruses, SMEG.Pathogen and SMEG.Queeg which were classed as “Polymorphic” viruses like mine was. It means that it aims to change it’s pattern each time it infects a new file, in order to prevent the virus scanner being able to use search strings to find it easily. It had a vicious payload too, which intended to overwrite documents and cause data loss. It bent a few rules already, and leaving it documented as an unknown virus could have haunted me, so I didn’t fancy taking any chances. Despite being legally protected by the academic facility that sanctioned the project, if it got out globally and caused damage, I doubted any right to freedom.

So that leaves me with a new problem to think about demonstrating, and solving. I don’t think you can be taken seriously and be treated safely and not considered a risk by a person, a company or an IT department that wants to hire IT Security and Support services from you, or give you a full time position in that capacity if all you want to think about, demonstrate or show to them that you only work and share exploits and weaknesses unless you are a fully employed ethical hacker who only gets hired to break into systems and not fix them. You would still have to write a detailed and accurate report of what you found to be a security risk to them if you wanted to make a living out of selling and safely using highly developed hacking skills.

Never hack anyone, any department or any company without fully authorised, written, signed, dated, company headed paper, get them to include the scope of the attack or access you will be looking at, along with location of target(s) and the date and time windows they will allow you to explore their security holes clearly in the letter. Using what would normally be considered breaking the law by using these skills and techniques without permission, you now have the ability to get paid for something that is considered illegal, but now it’s not only allowed because you are authorised by the right owner of that system, it’s only being tested with a view to presenting the facts they need to know, and that what they are paying you for, showing them how to stop someone else using the same method of attack perform it for real, where damages to you can be unlimited. With IT Security, it’s too dangerous for me to approach with anything other than honesty and integrity. If you make a living out of what normally would be breaking the law, it makes using the same skills being used in a dishonest way an unnecessary risk, being legal about it brings no guilt for you, no fear of getting caught, no evidence left behind anywhere to worry about being examined, no lack of freedom when eventually caught and punished, and gives you the ability to share with others openly about your enjoyment in legally exploiting systems in a safe and controlled manner that doesn’t cause anyone harm, loss or hardship. It makes the system more resilient to being hacked if you can throw a lot of known and new attacks to test the stability, security and privacy of the information being protected.

If possible keep emails to and from the company you want to explore and document their own vulnerabilities they need to correct, before a dark hat hacker comes along and takes money, causes damage, disrupts service, erases data, holds data to ransom, you name it. If you let anyone run their own programming code on your machine, you had better hope it’s not the modern day virus, spyware, malware, worm, Trojan, botnet, spammer or key grabber.

Back in the day I grew up, we did that for fun only, and never for profit or personal gain. I still hold those values. It’s just not worth being imprisoned and sharing a jail cell with “Big Bob” the male rapist when you happen to be a straight male who once enjoyed the love of a wife and pets, friends and family, the great outdoors, visiting the seaside, going on holiday, whatever most people enjoyed doing easily when they were once free to roam, but because they chose the wrong path of security, they now become choices today that are unavailable, denied, impossible or no longer fun. Because the existence of a long jail sentence becomes a very stressful and painful punishment for most people, but some people actually enjoy it surprisingly, and can’t cope without being locked up. For most people regretting the decision that changed their life for worse, thinking about the previous life experiences and memories you had traded for nothing but painfully missed abilities and lost happiness.

A screen, keyboard and mouse, or a smartphone, or tablet can lead to the difference between a life with freedom and luxury turn into misery and suffering. most people suffer with the experience of prison. I believe incarceration caused by getting legally caught using a computer or device to access and abuse information illegally is going to be more commonly detected and punished for sure. There are so many new laws created in recent years that can be broken by ignoring simple rules like gaining or denying access to something you were not allowed to interfere with and were caught by doing so.

And since the penalties for abusing IT information systems can now cost you more time being incarcerated for than committing murder, it seems that it’s gone too far when punished compared to what I would consider a much worse law to break compared to hacking. But that’s what happens if the rich have money stolen from them. They punish it more than the loss of someone’s life, which I don’t agree is right within a justice system that seems to have their priorities wrong about so many things, I give up trying to defend it making sense. I couldn’t justify giving a greater prison sentence to a hacker instead of a killer just because they were caught playing on the dark side of computing for fun, to see if they could beat the system, but were unable to provide solid proof of authorisation that allowed them permission to waive the law. If the owner gives verbal permission to hack anything, always get it in writing to prevent their verbal denial of the permission they gave you later on down the line when they tell authorities they never gave such consent. That lack of having a letter to cover you could have cost you everything you worked for and enjoy, for a very long time. Trust nobody with that.

Don’t get me wrong, I love playing all 3 security hats of white, grey and black, and mixing with the shades in between, but I do so only breaking into my own computers that I legally bought and own. I avoid affecting any other internet sites, services, servers or other people, companies, authorities, charities, financial institutions etc. Creating and preventing an attack from myself to myself only, and by using only my own hardware and software, doing so in my own time, at my own home, even down to using my own electricity, developing my own programming assets such as source code, not using source code that is illegal or restricted for use by anyone other than the programmer or company owning rights to prevent me using it legally. I find that most security issues and fixes can be achieved using free methods, be it in freeware or in house written code.

The fact I am very strict with myself when it comes to learning, practising and teaching others about what many perceive as the darker side of behaviours and laws to observe, and any electronic information systems and telecommunications I experiment in such a way completely belong to me in every way. As long as it bears no consequences to others that may be relying on my machines running normally in order to provide them a service I have a contract with them to uphold, I don’t need permission from anyone. It’s not breaking any law that I know about here in the UK. Still, I wouldn’t be surprised if some countries made even copying, keeping, downloading, writing and sharing any type of computing, electronics or telecoms exploit source or object code highly illegal. It seems that companies are too focused on litigation risk to defend themselves as they should, by testing the boundaries and limitations of their security solutions. Simply auditing financial figures quarterly doesn’t stop a break-in. It may leave companies and their directors who hired them to balance the books to tick boxes have much less money to count, and the figures still won’t balance anyway since funds are lost. There is no room for this old hat thinking if you want to secure the money held within a financial system of any businesses today.

My home machines are strictly legal for English law, I don’t need to worry about other places unless I start sending it to people around the world or sharing it via a website I may own. Then it’s best to do your homework before breaking the laws of other countries online. Extradition orders to have you transported to a country because you broke their laws by coding something they want to punish you for are not uncommon when it comes to global law and the internet.

There is a good example in the next link of a London UK hacker named Gary McKinnon who was found guilty of unauthorised access into a number of US military computers including NASA and the Pentagon, over a time frame of two years that he spent looking for secrets about anti-gravity and free energy technology he thought the US were hiding. He believed it could benefit the world by finding and disclosing it. I wouldn’t have made such a decision myself to look for that information or even consider releasing it. Not only for the sake of freedom, breaching the official secrets act is not good for anyone’s health if found. For the sake of a quiet and peaceful life, I would advise against anyone doing what he tried. Worse still in my mind is that if that information was found and shared by anyone regarding those secrets, and could have been used to create mass destruction by causing an explosion of a much greater magnitude that makes a nuclear weapon detonation look very mild compared.

His extradition was rejected by our then UK home secretary, who went on to become our current UK Prime Minister, Theresa May. His extradition order from the UK to face charges for the hack in the USA was denied by her, but strangely for the reason of a medical condition of Gary’s mental health condition of Asperger’s Syndrome and a depressive illness which put him at risk of suicide had the US succeeded in detaining him with their proposal of 60 years hard labour. Because it was deemed unfair to his human rights due to a risk of life, it finally won him the case after 15 long years of a costly and stressful legal battle his mother fought well. It is also known that the US charging him with damage to the systems he broke into was entirely fabricated.  All evidence of damage costs made by his hacking was just to meet the requirements of his extradition being valid to the US courts, and was never proven. He says in interviews about this, and it’s clear he was being made to look as bad as possible by the US legal team who lied. He was lucky to escape a harsh punishment, much worse than our legal system would of given him as a sentence for computer misuse. He faced no charges here in the UK either after the extradition was cancelled. It is known as one of the biggest hacks against the US military ever performed. Most people wouldn’t have got away with the magnitude of his actions.


It’s also just too easy for anyone to have power over you or get you punished for hardware  that was bought cheap because someone selling it to you stole the computer, and handles stolen goods. Best to buy a new one, get a receipt with the purchase and keep it safe. Also applies to software piracy, intellectual property of source code, paid for software needed to develop it, and many other rules you must follow to ensure that anyone inspecting your computer knows you are legally compliant, because you can prove it.

The penalty for legally getting charged for abusing IT, telecoms, privacy, access rights, copyright, ownership and causing disruption or damage doing so is something most punishment sentences for breaking those laws today in most countries charging someone for that is well over the top, and not treated as a less serious crime like it may have been treated as 20 years ago. In order to try and discourage people committing crimes online, and doing so on purpose for personal or financial gain, don’t expect to get away with it, and don’t expect a night in the police station and a verbal telling off for getting caught with that will happen. Authorities can and usually will ruin freedom and peace of a hacker if they can find you, they can prove activity like this against you eventually, so my advice is don’t hack anything illegally, practice the skills safely and carefully in accordance with the laws you need to respect depending on the countries that may be involved in your project. It’s best to protect your freedom now and while you can by doing this to prevent someone easily blackmailing you or getting you imprisoned, for whatever reason, to get you back for an argument or because they find it’s easier to get you locked up than compete with you over power, money, people and status to name but a few. It could be down to jealousy they have against you because you really rock at something they really suck at, and some people are just bad losers.

Information can be potentially the worst weapon that can be used against you, or that you can use against others. Here is an article I found that depicts the possible outcome caused by real black hat illegal hacking used to  attack a country’s IT infrastructure computer systems. Some systems that are hacked are agreed to be more dangerous to them being cyber attacked than the threat of nuclear war. An example would be causing a nuclear power station to explode. The size of the explosion would easily beat any nuclear missle attack, and the radioactive fallout would cause bigger losses.


I think they are right, but it would either take a hacking expert or one that just got lucky to be able to cause national grief that created a serious setback or ended up ruining a country. But then you have underground hacking groups that can hack different systems individually and collectively, they can split the effort and skill needed up between them, when to attack, what to attack, how to break in, how to make changes or prevent service, when to get out,  and staying untraceable to their defenses and security auditing records.

That’s a very tall order for any hacking group, and a huge task for an individual unless it was organised to hit specific targets that caused the required disruption the attack was looking to cause. It could be written in a way to spread itself specifically into their country using a targeted and focused attack, and by doing so it helped to infect itself for the attacker by copying itself around using a virus as a mechanism to spread around their country. It could perform a variety of payloads and stealth tactics depending on what type of machine it infected and what it did when it found the machine it targeted. If it finds what it is looking for, it can be set to cause chaos.

An excellent example of such a targeted attack springs to my mind to demonstrate this possibility. Not only was this malicious code specific to a particular country as the target, but also aimed at the shutdown of a particular type of infrastructure within that country only. The virus was called “Stuxnet” and the target affected the most was mainly that of Iran, and their nuclear facilities were rumoured to have been attacked accurately enough to shutdown their ability to produce weapons grade nuclear materials from one of their Nuclear facilities. Iran were deemed a risk that the material the plant produced could be used in a targeted nuclear war missile against other countries they wanted to fight a dangerous war with.

See the YouTube video below about the accuracy and intelligence displayed by the programmers who wrote it alleged to be the CIA working with Mossad by some experts, although this was never proven without a doubt to be truth about the origin of the code. It is thought that it’s creation had a purpose from the start to solve concerns of Iran being able to create nuclear weapons that could be used to cause mass destruction to the US or other countries they may have been able to reach using an ICBM (Inter-Continental Ballistic Missile) with a warhead payload if detonated correctly and the destination was reached accurately, that it may cause a potential death of millions if they were not prevented from being able to make enriched Uranium from one of their Nuclear power plant facilities that the US and Israel suspected that Iran were making to use in war.


The virus contained 4 separate “Zero Day” attacks (vulnerabilities unknown to the vendor as an exploit, in this case the security holes were not disclosed with Microsoft on purpose). Because the methods it used were unknown to Microsoft, Virus Scanners, firewalls and so on, the virus was not detected, it easily ran the code it wanted to inject and execute onto any machine they wanted to, and without the target user’s knowledge. It was suspected to be USA intelligence that created the virus with the help of Israel who mutually worked on making the goal achievable.  Their security concerns about Iran were shared, and their level of programming excellence was shared making it a very impressive, complicated and accurate at achieving it’s purpose, which was to prevent production of something Iran could abuse in a very devastating way for them.

Each zero day attack could have been sold to Microsoft as exploit source code to prove it was a risk to Windows, and Microsoft would have at that time paid a reward of $100,000 per zero day attack that qualified and you submitted it formally to Microsoft for them to examine and keep for their study. That bounty is now $200,000 for each qualifying zero day attack found and submitted to the vendor. Because Microsoft want to write security updates to patch their operating systems, they reward and prevent attacks they know about. Microsoft need to be seen stopping holes they know exist, in order to prevent hackers exploiting the vulnerabilities used for unauthorised access & online crimes. Doing so gives Windows customers more confidence in using their Windows and software they use with it.

It made a big statement, that someone wanted to stop the intended target so much, they were preventing themselves as the programmers of it being able to cash in a $400,000 reward (now doubled to $800,000 for the 4 attacks used in Stuxnet) by sharing the code of the zero day attacks they created and used for Stuxnet to be operational as a stealth virus. A reward from Microsoft instead of creating a virus with it would make financial sense to many people capable of finding or writing a zero day attack. It was a surprise to many that learnt about the virus that most people would have not thought twice about cashing it in, which is why it points towards code written by a government for political or national security purposes. It’s a drop in the ocean for most governments, and if they managed to stop a nuclear attack that would have killed millions of their citizens, it was money well spent to prevent a mass destruction on their soil. At the same time it shows that the creators of it were serious about the intention of it, and put what many people would consider to be some big money on the table, not only in order to make it secret and sneaky, and bypass security blocks that would have prevented it from spreading and working, but to me I felt that it proved to Iran and the rest of the world who later learnt about the code, that they meant business.

Stuxnet could spread stealthily between computers running Windows—even those not connected to the Internet. If a worker stuck a USB thumb drive into an infected machine, Stuxnet could, well, worm its way onto it, then spread onto the next machine that read that USB drive. Because someone could unsuspectingly infect a machine this way, letting the worm proliferate over local area networks, experts feared that the malware had perhaps gone wild across the world.

A good write up of how advanced it was, how expensive it was to make, the skill and accuracy involved in knowledge required to manipulate and control the systems it was written to target and how good it was at achieving it’s intended purpose made it famous globally and is regarded as one of the best code created cyber attack weapons ever created. I found an article below that explains it well.


The Stuxnet Wiki page provides more detailed information about it.

There were errors in Stuxnet which made it obvious when over 40,000 computers crashed, so it was not the best example of coding I have ever seen. There was a version 2 of Stuxnet which had the errors removed, and allowed the worm to infiltrate, do what it needed to do, and properly cover it’s tracks when done by using expiry time limits that cleaned it’s own infections up before discovery. I believe that if that corrected version was used, it was in and out so quick that it disrupted only the systems it was intended to affect. Little is known about the 2nd version ever being found in the wild because it did it’s job so well, that was the intention. Clever!

In October 2012, U.S. defence secretary Leon Panetta warned that the United States was vulnerable to a “cyber Pearl Harbor” that could derail trains, poison water supplies, and cripple power grids.

Most viruses, worms, Trojans and spy/malware programs and scripts are just too obvious, as they usually give the game away before too long because they slow down a system too much by hiding itself or running in a badly programmed way, and to be effective, it has to run in memory copying itself and waiting for the trigger the virus writer decided would activate the payload when that condition become true. Payloads that show the system is infected with bad code too early on won’t travel far. Infect other files too quickly, cause too much memory, disk light flashing or disk space hogging, high CPU or lots of network activity and traffic slowing shared networks and internet away from others will also be quickly found. Dr Alan Solomon the Anti Virus expert who made a living out of detecting & stopping bad code coined the phrase “If you spot it, you’ll squat it”.

So for bad code to be a success, hard to detect, resists showing itself off in any way at all, is written in a language that runs quick, using efficiently written small code which is accurate, compatible across all known versions of Windows, Apple Macintosh, Linux, and maybe android/windows/blackberry/apple phones and tablets could be in scope for a target platform to demonstrate it with. From a Black Hat perspective, writing a cross platform exploit and fix to it will generate a much wider audience that could spread the malicious code further, quicker and sneakier if the exploit was implemented well. You would possibly look at operating system stealth from the user being able to see it or feel their normal tasks are slower than usual, or manipulates web browsers in a way that most browsers will run the code and not complain with security warnings when visiting a website that runs a proof of the exploit without causing any damage.

This is important to avoid the risk of litigation when playing with malicious code, especially if sharing it with the world via a website or selling media with your programming source or object code written on it and distributed to others that wanted to buy, share or learn from it. It would be risky to your finance and freedom to ignore the possibility that you could end up legally disadvantaged, potentially in a lengthy and costly way if the exploit didn’t manage to contain any damage it caused when trying to highlight the vulnerability you sought to resolve, even if the intention was intended as educational.

Internet Explorer, Microsoft Edge, Google Chrome, Mozilla Firefox, Opera, Apple’s Safari internet browsers are an example of the current popular audiences to test the exploit and the fix with, if the program is or needs to be written in web page scripting language to gain entry into the target system and perform it’s unauthorised and unannounced access for educational purposes only when playing the game legally and safely. The code that performs the naughty action(s) is much more prolific, spreadable quickly, globally and likely to work on many different systems, affect and travel across a much wider range of users and be out in the field for a long period of time before it eventually becomes eradicated by antivirus updates, operating systems like Microsoft windows being automatically set to update itself, which if Microsoft write a fix to cure the security hole, it no longer becomes a problem to a computer, and requires little or no action to defend computers that are set to update themselves.

I personally like IT Security projects that use the two pronged “double whammy” approach to the presentation of a problem and the solution rather than staying stuck in either the “White Hat” good person mode or “the Dark Hat” bad person mode and sticking to only one side of the fence. It’s a subject in my mind that needs to be sometimes a balance and show both sides of the coin at times in order to improve skills. This includes finding exploits, patching them and in stopping yourself and others from being hacked in what seems to be an infinite number of possible and complicated ways . I’m more comfortable with the Ying and the Yang balanced approach to the whole subject of IT or physical security, as I personally found that being good at one will improve the other, when both are learnt.

So my conclusion on how I need to think about IT Security problems and fixes from a technical and practical level becomes:

“Given the choice of being White Hat or Black Hat, I choose neither, Grey Hat seems to be a logical start”

By Roasty – November 2017

My early retirement plan. Security in finance. – Updated 25th April 2017

Spend £1000 and buy 1 bitcoin today, then wait on it for 10 years for a possible $1,000,000 return on investment. As it’s just a simple change of currency, e.g. £ to BTC, you can get your money back into a real bank account whenever you like. No early withdrawal fee, total control of the money including no interference from authorities, banks or legal cases. Little to no risk in trying this from my point of view, and considering the payback potential, it’s probably worth a gamble on. I remember 10 years ago when 1 BTC was only £1 to buy. Check these articles online for information about the future of bitcoin being worth millions in years to come:

Thinking about this with long term security, you won’t ever lock yourself out of your bitcoin wallet when you need it the most. You may want to pay off debts, buy a nice house, or retire early.

Early retirement sounds nice to me, and I believe it can happen 😉

Here is a good site to buy bitcoins with, and it even comes with a free bitcoin wallet for you to store your bitcoins in. – I signed up in 10 minutes, and verified my identity to a live agent via my laptop webcam, holding up my passport to my camera rather than have to scan documents and upload any files. Really easy to do.

My security advice that you can take or leave, your choice, is don’t forget to write down on a piece of paper the details of your chosen wallet website, and on that same piece of paper – your wallet ID, your wallet password, any 2nd password if you set one, any PIN number needed to withdraw coins with (some wallet sites have them) and write down your 12 given english wallet password recovery words, which can be used to get into the wallet easily later if the password is forgotten or lost. Add anything else relevant in writing to your bitcoin information and you will easily keep those bitcoins you own safe for 10 years, when you might decide it’s time to cash them in. Make it fool proof. It needs to be for something this valued. You can also write the amount of BTC in the bitcoin wallet, and you can spread your BTC over several wallets if you want to, either using different wallet sites or a different email address per wallet you have. Write down each separate wallet’s login details on a separate page, or write them into a paper notebook. I recommend storing that paperwork in a locked, fireproof safe or a bank safety deposit box if you can afford to rent one. Use a waterproof bag to store it inside, as floods, burst pipes or weather could make the writing unreadable. 10 years is a long time to protect the information against any possible disasters. I don’t trust a USB device or a CD/DVD media with the wallet details stored electronically to be readable in another 10 years due to temperature, damp, corruption by magnetism or electricity. Paper and pen is still a good old fashioned winner for me, but you may have your own methods.

For the best wallet security, turn on the 2 factor authentication option which sends a code via SMS text message to your mobile that you have to use along with the wallet ID and wallet password, as it makes it very difficult for someone to hack into your wallet unless they also have your mobile phone number. I would only recommend doing this if you will always be keeping the same mobile phone number, or you will have to contact the bitcoin wallet site’s customer support if the mobile number saved in your wallet is ever lost or changed later. Another tip is writing down the 2 factor manual add code for use with the Google Authenticator app (if the 2 factor authentication you chose for added security relies on an app not a text message), so that if you change, damage or replace your mobile phone, you can still authenticate from the new upgraded phone. If this code is not known, it’s a call to their technical support before you are able to login, so it’s worth not getting caught out by this.

Here’s a tip for sticking with the same mobile number – Get an easy to remember mobile number from and search for “Gold Numbers”, some are easier than others, easiest numbers are usually more expensive, but not always so it’s worth a good look at the different sellers, numbers and prices first before buying, as often I found some cheaper numbers can be as memorable as other pricier ones.

I changed my difficult to remember contract mobile number after topping up the pay as you go (£5 or £10 minimum depending on network) gold number SIM card I had posted to me from the eBay seller. I won the bid for my SIM card at the cheapest price using an excellent e-bay sniper free buying tool at You will never lose another eBay bid using this unless someone pays above your maximum price limit, and it wins it in the last 2 seconds of the bid ending, preventing others from increasing the bid amount.

I paid £42 for mine a few years ago with that ebay sniper tool, and even that buy was an investment in itself. The same number I have kept for over 3 years is now worth around £400 – £500 today. It seems that easier numbers are harder to find as more people use them, which pushes the price of better number combinations up.

It doesn’t matter which network operator the SIM card is with from the eBay seller, because it’s straightforward to change over the number from the unwanted network to your preferred one. Topping the Pay as you go SIM card up with minimum call credit first and then register the SIM card with a name and address, which can be anything you like if you are topping it up only once using cash at a convenience store or supermarket, with the top up card it is supplied with, rather than top it up with a bank card, just the once.

This allows you to then ask the pay as you go network customer support advisor person for the PAC code when you call them up and obtain it, usually a voice call with a real person, not automated, at least from the UK. Finally, then giving both the easy to remember mobile number and the PAC code you gained from the previous network operator, and doing this within the time limit of 30 days after first getting the PAC code generated, they will change it for you and it will be usually up and running within hours. If you have an online login for your mobile contract network provider in the form of a mobile number as a login to view the bill, you would have to ask the customer services advisor to change that number too.

As the easy number is now on my contract monthly bill, it will always stay connected as long as I pay the monthly direct debit. No direct debit details need changing to do this. I advise using contract to keep a decent number, not only because of possible lost, stolen or damaged phones and SIM cards that on a contract are always locked into your ownership, and a replacement SIM they send will have your same number, but also as the “pay as you go” SIM card service in the UK will lose the number for good after about 6 months of no calls being made from the mobile.

Contract SIM keeps it safer from number loss, which is not what you want if you paid a lot of money for a good one. If you lose the number, due to disconnection, you can’t usually get it back. I’ve asked them before on pay as you go, it was something they said they could not do for me (I’m always sure that someone with better access rights to the systems there could manage to save it, but sadly not offered as a service to the public), and stated that it goes into a pool to be reallocated later. If you want to go back to pay as you go from contract with the same number, or change mobile networks and still keep your number, make sure you get the PAC code again from the current network customer support advisor by calling them before it expires or disconnects, then re-use it with the new pay as you go SIM card or new network. Network to network usually doesn’t require a PAC code, e.g. Contract EE to Pay as you go EE can just be done with one call to EE the customer services helpline.

It’s not difficult to do this, despite it sounding complicated, you will find it really isn’t, trust me, have a go. You will find that many friends and family members can soon learn to easily remember your number without having to look it up first, and they know it will always be the same number for years to come if you manage it correctly by always getting the PAC code in time, and using it in time when the SIM, phone handset, sim size or your mobile network changes to a different provider. It saves a lot of bother when using sites with 2 factor authentication, where it relies on that website being able to send the SMS code to the same mobile number, year after year, what you want for a long-term bitcoin wallet.

The only thing about keeping the same number is to think about using call blocking apps to help you block sales calls from companies who pick up your number somewhere along the way. I fight them back with the TPS telephone preference service and a range of apps to allow me to block repeated sales calls and unwanted junk text messages coming in from unwanted numbers and coming from similar number ranges when different people from the same company try to keep contacting you to sell you something.

Sometimes I have to fight sales people to keep my number from being cold-called, and some will still get through because of their sneaky methods, different country and area codes and number ranges being used to call you from, but you can train your phone to learn for the next time, who it is that you don’t want to waste your time answering to again. Don’t let unwanted callers force you to change your number, and especially one that is worth keeping.

As for the Bitcoin investment idea;

an early retirement still sounds nice to me!

Read further for 10 good reasons why you should invest in Bitcoin now. I did, and I’m sure that I won’t be regretting it at all.


10 Good Reasons To Buy Bitcoin Now

This part of the article focuses on bitcoin investing. In this write-up I give 10 good reasons to buy bitcoin now.

1. Price of bitcoin has been more stable than ever before

In the last 1,5 years bitcoin has shown unprecedented stability as a financial instrument. It has been more stable than ever before which has increased trust in the currency. Historically large price increases have always been preceded by a stable period and now we’ve experienced the most stable period so far.

The volatility of bitcoin price has been decreasing

During this stable period there have been times when bitcoin has been more stable than the US stock index, japanese yen or even gold. This is totally unprecedented for something like bitcoin and it is a strong indicator. It means that bitcoin is growing up as a currency and is ready for the next stage of growth.

2. Global economy is unstable

The economic situation is unstable all over the world but the value of bitcoin is not strongly correlated neither with the stock market nor national currencies. Bitcoin may in fact benefit from the collapse of the traditional economy which means that it is smart to diversify some funds into bitcoin.

In 2008 the economy collapsed due to unsustainable debt structures but what many people don’t understand is that debt has only increased since. It is possible that in this decade we will see an even larger collapse.

The world is acquiring more and more debt

In that type of situation traditional safe havens such as physical gold will likely rise in value but this time bitcoin will have a significant role. Bitcoin as a currency is similar to gold, it is scarce and can’t be created from nothing . However the features of Bitcoin are more advanced as it can be moved effortlessly to anywhere in the world.

Weak national currencies are already a great source of demand for bitcoin. The growth of bitcoin trading volume is high in countries such as China, Latin America, South Africa and based on recent reports, also in India. Due to the weak valuation of local currencies people want to exchange increasing amounts of traditional currency into bitcoin.

The worse the traditional economy gets, the better it is for bitcoin. This is why it makes sense for anyone to diversify a portion of their investment portfolio or savings budget into bitcoin.

3. The creation rate of new bitcoins is halving

In July the daily amount of new bitcoins created will halve from 3 600 bitcoins to 1 800 bitcoins. This is a fixed rule set in the Bitcoin protocol since the beginning and it activates approximately every 4 years. The next halving is estimated to happen on July 10th and in addition to the actual reduction in new bitcoins created, it is expected to have significant speculative meaning.

As you can see from the picture, most bitcoins have already been created

As a currency bitcoin is very different to national currencies such as the dollar or the euro. Bitcoins can’t be created out of nothing and the amount of bitcoins is predetermined and strictly regulated by the protocol itself. The maximum amount of bitcoins is 21 million and there will simply be no more. To this date 15,5 million bitcoins have been created.

This absolute scarcity of bitcoins is one of the biggest reasons why they are such a good investment. As the user count of Bitcoin increases, we can assume that the price of bitcoin also increases. This causes no problems for the use of Bitcoin since a single bitcoin is divisible to very small pieces. Euros or dollars are divisible to one hundredths (cents) while the smallest bitcoin unit is 0.00000001 bitcoins, which is also called a satoshi.

The halving is one of the most significant Bitcoin events of 2016 and it is accompanied by a lot of price speculation. Now is a good time to stay updated on the events of the Bitcoin world.

4. From a historic perspective the price graph looks very tempting

The current price graph of bitcoin resembles the situation preceding the great price increase of 2013 a great deal. Bitcoin had recovered from the first price bubble of 2011 and stabilised. Then we saw the largest price increase to date when bitcoin increased from 13.5 dollars in the beginning of 2013 to an impressive high of over 1 100 dollars in December 2013.

Price of bitcoin from February 2012 to February 2013
Price of bitcoin for the last 12 months

The price development of bitcoin has repeated a similar pattern many times. That does not prove the same pattern will repeat in the future but it does increase the likelihood of it happening again. The price graph now is very similar to what it has been right before the large price increases in the past. That is quite interesting.

5. Plans to get rid of cash are a gold mine for bitcoin

At least in some parts of Europe there seems to be an increasing movement to get rid of cash. The trend is increasing in many developed countries where digital payment methods have high adoption. However, from a privacy perspective cash is an important payment method and traditional digital payments methods leave a lot to be desired in that sense. Bitcoin is digital cash and any attempts to remove actual cash will increase the demand of bitcoin.

Plans to abolish the 500 € bill is only the beginning

The digital revolution of money brings significant enhancements in ease of use but it causes problems for privacy. We are in danger of moving into a police state where everything people do can be monitored. In the era of digital money and payments Bitcoin is an alternative that retains the features of cash.

It is almost certain that all attempts to remove cash will increase the demand of cryptocurrencies and right now Bitcoin is the king of cryptocurrencies.

6. The usage of Bitcoin is increasing rapidly all over the world

The amount of transactions in the Bitcoin network is increasing rapidly. More goods and services are bought with bitcoin every day. Even here in Finland there have been multiple Tesla’s sold with bitcoin. In Latin America and South Africa the growth numbers of Bitcoin usage are impressive. In China bitcoin is used increasingly to move funds out of the country. And based on recent reports the use of Bitcoin is also increasing rapidly in India.

The growth in the amount of Bitcoin transactions during the last 2 years

In the real world Bitcoin is used much more than any other blockchain project. Other projects such as Ethereum are mainly in development stage and they are not used in the real world for almost anything. The increasing real world use of Bitcoin is a great strength and the meaning of that will only get bigger. Bitcoin is the first universal currency and that reality is getting more real day by day.

7. The solutions to the scaling issues of Bitcoin exist and are progressing

Bitcoin has been so popular that it is reaching the technical limitations of transaction processing. The Bitcoin network can only process a few transactions per second and the limit is almost up. This is a positive problem since it is a sign of the great growth of Bitcoin. The problem has caused a lot of public discussion though and it has questioned Bitcoin’s ability to evolve.

The solutions however do exist and are constantly being developed. In the coming months Bitcoin will be upgraded with an update called Segregated Witness which will increase the capacity of the Bitcoin network by approximately 80 %. This is a significant improvement but it is only a temporary fix. The long term solutions are also in development.

So called lightning network is being built on top of the Bitcoin network and already multiple different implementations exist. The lightning network will eventually increase Bitcoin transaction capacity to thousandfold. Additionally so called sidechains have been thought of as a potential method of scaling Bitcoin and sidechains are also in active development.

From an investment perspective it is smart to buy bitcoin before these upgrades are enabled since the price could rise very quickly once they are enabled.

8. New use cases for Bitcoin are found constantly

People seem to often have the wrong idea about Bitcoin. For example, people ask can I pay in the local store using Bitcoin? That is actually irrelevant. What is relevant then? Bitcoin technology enables whole new ways of trade that were not possible without Bitcoin. In this part I will go through 3 new Bitcoin developments that enable whole new ways of trade.


OpenBazaar is a decentralised store platform that enables opening your own internet shop easily and reliably. It is a competitor to platforms such as eBay and Alibaba and the engine of the platform is Bitcoin. All trade in OpenBazaar is done with bitcoin.

The advantages of OpenBazaar are diverse. The fee structure is radically cheaper than in eBay where the merchant could be forced to pay as much as 10 % every time someone buys their product. OpenBazaar is free. Additionally OpenBazaar is a free (as in freedom) platform with less restrictions than centralized platforms. Through OpenBazaar the merchants can also be found easily which makes it a great advertising platform for small merchants.

OpenBazaar has been in existence for only a short while but it already has tens of thousands of users and the merchants have been reporting that their sales have increased significantly since opening their shop in OpenBazaar.

21 API marketplace

Known for the first Bitcoin computer, 21 Inc has launched a revolutionary API marketplace. The idea is automated payments between computers. Computers can buy and sell different API’s in the API marketplace. This is a new and revolutionary way of trade.

The Bitcoin Computer developed by 21

One example of what can be done with the 21 marketplace is the paywalls of news sites. Currently paywalls are a pain in the ass, passing them requires complicated registrations, card payments and so on. Using the 21 model the user’s browser could automatically send small micro-transactions to the news site which gives access to a specific article. Micro-payments are difficult for traditional payment methods due to the fees but with Bitcoin this is actually possible to implement.

This is just one of the countless possibilities for buying and selling API access. Time will tell what kind of applications will come out of it.


Opendime, which was recently published, is the world’s first physical Bitcoin payment stick. It is a USB stick with bitcoin value in it and it is designed for re-use. The balance of the stick can be checked at any time to verify that it holds a certain amount of bitcoins. It can be given to other parties as payment. The bitcoins can be extracted from the stick at any time but after it is done, it can no longer be given to other people as payment. This is an innovative way of using digital currency like bitcoin and it has great potential.

Three OpenDime sticks that can be loaded with bitcoin value

9. Bitcoin is getting smarter smart contracts than Ethereum

In the near future the Bitcoin blockchain will be linked with so called sidechains which allow Bitcoin to achieve much more than just monetary payments. One of these use cases is smart contracts which are believed to change the world. Ethereum is a blockchain project focused on smart contracts but what many people don’t know is that Bitcoin is getting even smarter smart contracts.

Rootstock is a blockchain project independent of Ethereum and the purpose is to copy the Ethereum model of smart contracts and improve upon it. The plan for Rootstock is to become a sidechain of Bitcoin since Bitcoin is the largest and most secure blockchain. This would be a significant improvement for Bitcoin and from an investment perspective it is smart to buy bitcoin before the official release of Rootstock is out.

10. Bitcoin market sentiment is becoming positive

The trade of bitcoins in official exchanges started in 2010 and ever since the price of bitcoin has been quite a roller-coaster ride. Trading started at approximately 0.1 dollars per bitcoin and ever since there have been multiple price “bubbles”.

The all-time price graph of bitcoin (2009–2016)

The first great bubble started in the spring of 2011 when bitcoin broke the $1 price barrier and reached a high of $32 during the summer. After that the price crashed to a fall low of around 2 dollars. It is important to note that even after the crash the value was significantly higher than in early 2011.

The next bubble, which was the largest to date, happened in 2013. In that year there were actually 2 consecutive bubbles. The value of bitcoin was approximately 13.5 dollars in the beginning of the year and in the spring it rose to over $250. After that it crashed to a low around $60 and stabilised to around 100 dollars.

In the fall of 2013 we experienced the largest bubble in Bitcoin history. The price rose in a few months from 100 dollars to a high of over 1 100 dollars per bitcoin. After the high of December 2013 the price crashed and we had to suffer a whole 1,5 years from the price correction that followed. As before though, the price stabilised to a higher level than before the bubble.

The market sentiment cycle

This type of development is natural and it is part of the so called market sentiment cycle. When the price was at 1 000 dollars, bitcoin was in the so called euphoria phase. Everyone was very emotional and super excited about the continuous price increase and more and more people wanted to put all their money in to get rich with everyone else. This is a highly dangerous time to invest though, as has been seen.

The best time to invest is when a financial instrument is in its cycle either in the bottom or rising from the bottom. Investing at the bottom is very difficult since it is hard to find faith in that particular instrument at that time but it is already much easier to invest in something that is rising from the bottom.

Bitcoin price for the last 6 months

After that 2013 bubble and the ensuing price correction bitcoin stabilised to around 200 dollars per bitcoin. The price was at the 200 dollar range for a long time, around a year. Now in the last 12 months bitcoin has more than doubled to over 500 dollars and Bitcoin is being thought of more positively even in the media. At this time in the cycle we are between relief and optimism. I think this is a good time to invest as it is not as risky as a euphoria phase investment nor is it as difficult as trying to catch the bottom.

My view of the situation is that in the next 6 months or so bitcoin is going to start a new phase of massive price increase which could lead to an increase in the price to around 10x. It is also likely that after this rise the price will go down again but I believe it will stabilise higher than it is now. It is important to understand that even though bitcoin has a lot of volatility, it has been increasing in the long term.

One more reason Bitcoin will likely succeed: There is a certain tipping point in all network dependent systems where they suddenly become infinitely more useful and valuable. It’s an exponential process where the beginning is extremely slow and frustrating but when the growth reaches the elbow of the curve it suddenly takes off.

When there were only a few dozen phones in a town the utility was low, because you could only call certain people you may not even know, thus people were not interested to buy it and learn it. But as more and more phones were added to the network suddenly calling people became a thing and transformed how we do business and organise our life.

Bitcoin is in that very early phase where only a few people have bitcoins to pay you with, and accept BTC as payment. But the % of adopters is growing steadily. There will be a point in the near future (within 2-5 years) when there will be enough people using Bitcoin that it will suddenly make sense for many individuals and businesses to start using it. This usage growth will inevitably increase the price of Bitcoin.

How Not to Lose Your Bitcoin in 2017

Are you surprised by how much your bitcoin is worth? Don’t let that surprise turn to dismay by losing it. Now is the perfect time to take a few basic precautions to keep your cryptocurrency secure.

Here are 8 do-it-yourself tips to help you improve your security:

1. Backup today

You can never say it enough: back up your wallet. If you haven’t yet backed up your wallet, do it now.

Most hardware and software wallets use an industry standard backup protocol called BIP 39 that allows your wallet backup to be 12, 18, or 24 English words.

It’s important to write the words down, on paper, in order, and securely store the backup somewhere safe from people, water and fire. If you don’t back up your wallet, you could well lose your bitcoin. Forever.

2. Check on your backups

If you have backed up your wallet, check on the backup locations.

The new year is a perfect time to check on your important papers, including your wallet backups. Can you still access them? Can you still read the words? Are they secure from fire, water and theft? If you’ve given the backups to someone else (lawyer, accountant), ask them to check their storage.

Do they still have them? Verify the location and security of your backups.

3. Set a calendar reminder

While we all know we should be checking our backups, wallets and estate plans regularly, it’s hard to remember to do it.

Add a reminder to your calendar now, to check all these things again in three, six or at most 12 months.

4. Move money off your smartphone

With the increase in the bitcoin price, you might be shocked at how much money you’ve been carrying around on your smartphone.

Now is a great time to move your coins onto a hardware wallet or into cold storage. Hardware wallets are very easy to use, with user-friendly software components, and are considered one of the safest ways to store bitcoin.

While it’s great to carry petty cash or spending money on your phone, never carry more bitcoin on your smartphone than you would carry as cash in your wallet.

5. Move your money off exchanges

If you have coins sitting on an exchange, move them out today to a wallet you control.

Most of the popular exchanges pool coins and while you have a “balance” showing on your account, you do not actually control the keys. If the exchange gets hacked you could lose your money. Remember that you only control the bitcoin if you control the keys: “not your keys, not your bitcoin”.

6. Upgrade to two-factor authentication to prevent hackers and criminals stealing your bitcoin money, with possible theft examples.

Add two-factor authentication to your bitcoin-related accounts and to all other important online accounts. The best two-factor solution is a hardware token and you can buy one for just $20–$30.

Otherwise use a smartphone authentication app, such as Authy or Google Authenticator for Android or Google Authenticator for iOS.

SMS is not a very good two-factor solution, though it is still better than none at all. I will fully explain why and want you to consider a set of possibilities of theft against you taking place, and you might think at first is a far fetched scenario to consider. That would be a big mistake to believe that people would not go to extreme lengths to steal money & not get caught in the process. They have and they will.

Wifi hacking can gain access to all devices your home router is connected to and doesn’t need a man outside with a laptop and a car anymore. Now that 4G small mobile wifi battery charged spy devices can be bought easily from any member of the public, and planted on or near to a property to get within range of the target’s router.

This enables a good amount of  wifi traffic to be remotely monitored, with something like wireshark. and then it suddenly becomes a lot less obvious to the victim, especially in their home environment with less security than they might enjoy at their place of work.

Remote control drones costing only £200 can now be used to fly into heavily protected houses and offices, and leave or pickup spying devices on the roof of a property, it’s really sneaky when technology can be bought cheaply, easily, and effortlessly used against you. It’s no longer the stories of spies doing this, hackers use these techniques now, and although many do it for fun, many willing to take the risk of getting caught do it for the easy & big financial gains.

CCTV would have to be disabled if the target used it, or social engineering methods could be used to plant such a device in an obvious way and get away with it if the hacker was prepared.

Anyone with a key for outdoor electrical meters or water manhole covers could plant one if they dressed up as a workman in high visibility clothing and pretended to write meter readings on a clipboard. I suggest to anyone to watch the 1992 movie called “Sneakers” with Robert Redford as the lead actor. It shows how easy it can be for an individual or team to break high security method if planned well and executed confidently. Being seen tampering with buildings and nearby fixtures doesn’t always mean being suspected by the target if the target believes you are authorised to have access.

So gaining access to the wallet ID and password is difficult you may think. It’s not hard with access to the target’s wifi router, especially if they are not using a VPN like IPVanish to encrypt their internet traffic, and they may also using a vulnerable operating system. Microsoft Windows is one of the easiest operating systems to bypass security of it once the network reveals passwords via wifi.

The hacker could inject a keystroke recorder for gaining their wallet ID login and their wallet password, without the target’s knowledge, and even while the target was using their computer. There are many paid for key-loggers that are ready written and sold on the web to perform this easily, and anyone can buy a copy, then immediately download it. No waiting for the physical media to install it with via post for most software products I see now.

If you can gain enough wifi traffic to get logins and passwords to different websites the target uses, you may see many of the same password being used for different systems, you may be able to get full access to their windows machine through the internet. Their IP address could be questioned by your nearby box if it has the ability to talk to their router too, with you being able to remotely send it commands. With their public IP address and their windows login and password, it would allow a hacker to install a spy program easily.

If a password vault is used by the target after a hacker manages to install a key-logger, it can give all of your passwords to an attacker in one hit, they get the login and password to your vault site, as the login and password can be sent to the hacker via email. It could be a disposable free email address like gmail, hotmail or yahoo, but more sophisticated hackers would use anonymous encrypted email addresses in high privacy countries like Norway and Sweden to escape detection. The problem with high privacy rights is the abuse of them, and the balance is in the criminal’s favour by abusing it.

Passwords sent to the hacker could include your online banking login details being handed to them over a short time. Screenshots can be taken of the user entering memorable information into the bank website, and after a few logins from the target to their bank, eventually, all of the letters of memorable information could be guessed and compromised based on frequent screenshots being collected and sent to the attacker. It’s easier than it sounds, and off the shelf products that anyone can buy achieve this with no difficulty. Parental control software is a good example of this.

Let me explain this method to gain and use someone’s 2-factor SMS:

If using SMS, prevent access to your phone by using a passcode, fingerprint or security pattern, whichever method you prefer, and also prevent the text messages being send to the screen by turning off text message notifications, you can do this and still have the phone vibrate or play a sound. If not secured, it displays the 2 factor SMS code without anyone needing your password to the phone in order to get the code. A partner or a burglar could get into your phone if you were asleep, if the phone was switched on and a fingerprint entry method like the iPhone. On the iphone, this is solved by turning the phone fully off before sleeping. The password or PIN on an iPhone must be used instead of the fingerprint when the phone is switched on from being switched off. It makes sense!

With access to your wallet ID and password, and now the 2 factor SMS code they needed as well (all 3 needed for login), this allows them to use their phone, tablet or laptop or text an accomplice with the code to perform an attack away from the target’s phone and have the SMS code they need to steal the entire contents of your bitcoin wallet. This method requires someone with close proximity to the target phone to achieve it, or use of spy software on the phone when they login to their wallet. If you logged in quicker than they did, you would get access. That method would require around the clock monitoring of the live text data from the target, and would rely on the target regularly logging into their wallet to make the surveillance viable.

Theft of the target’s phone would give the attacker a small window of opportunity (until the target phoned the mobile network to block the SIM and IMEI of the phone) to see the SMS code on screen if notification was still enabled, which it usually is by default on iPhones for example, even when they are locked with a passcode.

More sophisticated attacks against SMS authentication would be to know the user’s verbal password when calling the mobile network they are using, easy to get if the attacker knew their location. The method to get them to say their password to the network operator is sneaky too. If you used a mobile jamming device to stop or disrupt their mobile service, especially if it cut their calls off, and the attacker used a decent directional microphone to listen in to them calling the network operator to report a fault that you caused them, the network operator would ask them for their password to confirm they own that number, and usually when the target says it verbally to them, it’s obvious that word is not part of their conversation, and can therefore be recorded and gained easily by the money thief.

Once they have the password of the target person’s mobile account, they can get a SIM card sent to the wallet hacker’s choice of address, even by changing their address first if needed, stating to the operator they have moved house recently. With the same mobile number on a new SIM card being sent to the hacker’s chosen address (would not be their own address if they had any sense), and being used without needing access to the target’s location or access being needed to their phone, the hacker could use the SIM with their phone provided they had the wallet ID and wallet password.

Some mobile networks only disconnect the existing SIM card number when the new one is used, so it could be used for a quick strike. I chose a network that knocks my phone out if a new one is requested, and takes a few days to get a new one, giving me time if someone else does it to me, to call the network operator and ask them what could have happened with my account and my SIM. If an old SIM stays working until the new one is plugged in, the time it takes the target victim to phone their mobile operator and find out their SIM was compromised, it’s too late to save their bitcoins.

To get away with the theft of bitcoins, an attacker could use a temporary bitcoin wallet such as using BlockChain using fake details, in order to gain all of their money from the target wallet in one quick swoop. Then they could use a bitcoin tumbler to slowly trickle the bitcoin money using random small amounts at random minutes and seconds in time. After a certain amount of hours, the money would leave no audit trail to follow.

The destination wallet it trickles into could be a very secure and privacy protected Dark Wallet. Once there, the hacker could even go further to transfer the money between two Dark wallets, delete the blockchain account and the first dark wallet account, and keep the 2nd. My guess is that it would most likely make the money and the transactions vanish from anyone that could bring the hacker to justice for their crimes.

The end result of that, would be losing all of your bitcoins, for good and having no trace of where they went, ever. Nobody would be equipped enough to help you find them, not the police, the law, computer experts or a fraud squad team of money theft experts could save you in that situation, it’s gone. Security makes the difference between being rich and poor when it comes to this.

As bitcoins are worth so much now and can be moved in untraceable ways, they are more secure for a hacker to get away with the crime, and the criminal no longer have to steal from very protected banks dealing with paper currency, which is so highly guarded, even to the point of armed police being used to enforce it’s security, it makes it a risky life or death game when theft of physical bank notes are involved. That makes bitcoin a preferred target for criminals to deal with for their currency including the act of stealing it from others. Your security minded lifestyle will prevent you from being a victim. Start thinking like a hacker, and you will find that it’s easier to stop them, and prevent yourself being a victim of your own nievity.

7. Use a password manager

Humans are great at identifying patterns and that makes us terrible at randomness. Password best practices – choose a different random password for each site, never write them down – pose management problems.

For most people, the only way to accomplish this is to use a password manager – one which generates and stores your passwords securely on multiple devices. Popular managers include 1Password, LastPass, and the open source KeePass.

Many offer free basic services, with premium services costing less than $80 per year. They’re easy to use and in just a couple of weeks you’ll never want to be without one again.

8. Plan for your family

If something happened to you tomorrow would your family be able to access your bitcoin? While this tip takes time to implement, it’s worth it.

It shouldn’t take you more than an hour to make a plan and decide who you want to get what, write down instructions and tell your family about your plan.

Be sure to consult an attorney, to make sure your plan is consistent with local law and can’t be challenged in a court. If you have a will, trust, or other estate plan, let your attorney know that you have new assets that need to be included in your plan.

Getting your first bitcoin is becoming easier and easier, but keeping it safe from hackers, insolvent exchanges, and loss isn’t as easy.

These 8 tips will help you bring in the new year with a renewed sense of confidence that you can safeguard the bitcoin that you have, especially now that it’s worth a lot more.

Erasing mobile phone personal data before sale or disposal – October 2016

I read an interesting article in a newspaper many years ago about people selling their mobile phones to buyers on eBay, and the security risk people could potentially let the new owner of that phone gain if they can retrieve your personal data from it. Some of the types of information are photographs, contact address book, text messages, notes, calendar appointments, emails and even passwords that were used with the phone, apps and the web browser site passwords and history. Some buyers on eBay that performed a security test purchased 2nd hand phones from random online sellers, and they were able to recover the previous user’s personal information from their old phone’s memory.

Here is an article about the scale of the problem published in 2015:

To me, this is a relevant modern day security risk that I wanted to research a good answer to, and think of solutions that will protect personal data when devices change ownership. I’ve only ever sold one of my old phones after an upgrade, it was an Android Samsung Galaxy S4, and fortunately for me, it was encrypted before a factory reset was performed (I always used the encryption on it when I owned it) so that it was ready for the new user and no chance of my personal data being discovered by that person or an expert they may know to retrieve the data from it. Don’t think that it’s not going to affect you, it won’t have any impact on you or that it’s okay because I have nothing to hide. Personal data can be used against you by dishonest people in many ways, so don’t ever make it easy for them. Ignorance is not going to save you, if you don’t know how to protect yourself, you should learn. Would you leave the front door open to your house and let people steal paperwork from your filing cabinet?

It’s a current and future problem now that smartphones and tablets are the normal trend for people moving to pocket sized computers that are just as capable in function as their laptop and desktop. This applies to anyone who sells their old phone or tablet after upgrading to a new device, replacing a broken device, with the owner just carelessly throwing their broken or unwanted device into a bin which can be possibly retrieved by others later. The point I am trying to make is that you could be letting someone use information about you to their advantage and more than likely to your disadvantage if they manage it. This article I have written about it aims to have some methods on how to secure against such a data breach happening to you by preparing you for some methods of erasing the phone or tablet correctly before it goes out of your hands with another owner. The same applies to laptops, desktops and servers. You can’t trust that people won’t try and find old information on a system in these days of increasing fraud, cybercrime and financial banking attacks.

I found this article on how to securly wipe a phone before selling it that you should consider to read before making your plan on how you will secure the sale or disposal of your device when it’s no longer needed by you:

This article explains about the same data cleansing on tablets as well as phones, so it’s worth reading for some extra data safety ideas:

You can also read this article for proof on why on android phones, a factory reset is not good enough to secure against the last user’s data being uncovered: I would imagine this extends to other types of phone too such as blackberry and windows phones.

So with Android, it looks like the method is to fully encrypt the device and then factory reset it 😉 I would repeat it a few times myself as it is possible to use equipment that can detect tiny particle traces of data before they were changed to the current content. Although these machines are expensive to buy, it doesn’t stop anyone using a service to get data from someone else’s device when they pretend it to be their own. The more reliant we get with mobile devices organising the way we work and live, we must also be aware of risks involved by not securing the information we store in them.

Magnetic disk certainly allows overwritten disks to be recovered forensically, which is why you see computer wiping tools such as KillDisk Pro from the Active Boot Disk Suite using wipe algorithms like the Gutmann 35 pass wipe to prevent those methods of getting poorly erased data back. It takes about 72 hours to run the wipe from beginning to end. You may think that it’s overkill or paranoia to use such a strong erasing method, but I have used the Guttman method myself at work to erase customer’s credit card data from decommissioned servers at banks in London before they were disposed of or sold to other companies for re-use. Because the software wiped the drives, the servers were sellable as complete working units because the hard drives were not destroyed, just the data on them was erased for good, and made the bank quick money.

Apple wipe options are very good apparently, but I still don’t trust that there are no backdoor abilities for Apple to recover wiped handsets, that is unless I know for sure this isn’t the case. Apple are very sensitive about their security in general, to the point that they will defend it strongly, even if law authorities need to break privacy.

John Mcafee recently hacked an iPhone login PIN number in a famous USA murder case. The phone they hacked into belonged to a dead suspect, so they were not around to ask them for their PIN and they were looking for clues about the murder from his iPhone. John famously got around the login for the FBI since Apple would not help them circumvent the pin login to get access to the phone.

I am suspecting that reversing a phone wipe on an Apple iPhone or iPad device is possible, if only for a few Apple experts within Apple that know how to decrypt the old data before it was factory erased. I honestly don’t know how safe the iPhone wipe is, and only Apple really know this. I do have a suggestion to make it a lot more secure.

First remove the phone from the icloud and turn off “Find my phone” (Settings, iCloud, Find my phone, switch the slider off and enter your Apple ID password to remove it) or it will be unuseable to a future buyer that you might want to sell it to. You can still keep your personal icloud data and get to it from a computer at web address – and even transfer it to an upgraded iphone by using the same apple ID on the new device.

Then to wipe an iphone, goto settings, General, Reset, Erase All Content and Settings. Enter device password or pin if there is one. Confirm erase and watch it wipe itself, it takes about 5 to 10 minutes depending on the model (newer is quicker) and the capacity of storage on that iPhone.

Then here’s the security kicker to prevent even Apple performing forensics, the best way of making sure it’s impossible to get wiped data back, is to fill up the phone’s internal memory (iPhones don’t have external memory cards yet but Blackberry, Windows and Android can depending on the model) with junk data after a factory reset of the phone is done. If external memory cards are being used with an old handset, you should either remove it before it changes hands, or plug the media card into a caddy that connects it to the computer so that you can use a secure erase program to wipe the data. When complete, the media card can go back into the phone.

To achieve this internal phone wipe, create a large file containing completely random data. Based on the phone’s internal memory capacity, you need to make the file exactly big enough to completely fill the entire free space on the phone. Upload that file to the phone’s free space, then wipe it again in settings (factory reset) for good measure. I would repeat this process several times over to make sure the data cannot be recovered using expensive recovery hardware. I am sure that it wouldn’t be too difficult for anyone to code a program to wipe a phone securly, as paid for products that do this can be expensive for businesses, I bet someone somewhere has written such a mobile phone sanitising program as freeware to automate the process. If I can’t find such a program, I can write it.

When it comes to your old phone or tablet, does anyone still need it?If you don’t want to sell it on, give it away to someone and don’t want to use it anymore yourself, you can go for a complete hardware destruction by using three fun methods that spring to my mind:

1) You can buy an electro magnetic degausser machine from here: – Just as an example shop.
The ones they sell there are big and expensive, you might be better off looking for a smaller version that is just for personal low volume use. I used to have one that erased audio tapes before CD’s were used for music. I could wipe a whole tape in 3 seconds with it. As for destroying a mobile phone with a degausser, it will need to be strong enough magnetically that it damages the memory chips in the phone beyond repair or recovery. It shouldn’t take much to wipe the memory chips of a mobile using a powerful industrial sized machine.

The NHS in the UK drill holes through their old hard drives, which they think secures them before disposal, but they should be using degausser devices as the site to buy them correctly states, that you can still get data of a drive with a hole drilled through it.

Degaussers are used to this day by very secure departments of government who handle sensitive information. Examples are the NSA, FBI, CIA, MI5, SIS, etc. It’s a great gadget to have and for peace of mind, it’s worth the investment in one. The phone will never work again if you use this method on it correctly. A high strength electricity amplifying the magnetism and this coupled with long enough exposure to the electromagnet will render the device useless. It will internally fry the internal circuit board’s attached microchips inside the phone, which is including the memory chips that you want to make sure are not recoverable by anyone else. It will also write off any other electronic components in the phone such as camera and flash, memory cards if inserted, screen LCD display and touch sensors, speakers, etc. Enough electrical current strength and longer the time that phone is exposed to it, the more secure the degauss method will be in making the memory useless to any modern forensic data recovery techniques. EMP (Electromagnetic Pulse) weapons can cause a similar internal destruction of the microchips in the phone, but these devices are illegal in most countries due to their ability to destroy any electronic devices they are in range of. They are used by the military to take out an enemy’s communication, so access to these devices are legally restricted, although the devices do exist to buy on the internet.

2) I find there’s nothing more satisfying than a good old fashioned hammer, be it a normal workmans hammer, a club hammer or a sledge hammer! It can crush a phone into dust if hit against a tough surface hard enough and the strikes to the phone are repeated enough until the chips in the phone are crushed to dust.

3) Use an incinerator. It would melt the phone at metal and glass melting temperatures leaving nothing physically left to recover data from. The phone would be turned into ashes at best using that. No forensic or cryptography expert would ever be able to recover data from a pile of ashes 😉

Good luck, and keep your personal information safe folks! Roasty.

Is your phone spying on you? – March 2016


Basic introduction to controlled electronic spying and surveillance:

Most people know by now that our governments, security agencies, police and even hired private investigators sometimes have access to record and listen to our calls, track our movements via GPS, read our emails and so on from the network and server side of our telecoms and internet services. Sometimes they are authorised, sometimes they can bend the rules to get what they feel they need.

In the UK, at least 3 years worth of voice calls can potentially be recorded and played back on demand by authorities which originated from your mobile phone or landline telephone. This duration of recording can be longer if currently under investigation, or that person is marked as a security risk. There is very little chance of you ever finding out what they know or keep, or if they go through your calls with a fine tooth comb without knowing the information from the inside. There is a very slim chance of the target ever knowing in their lifetime due to the careful selection of people that perform investigations and their high security practice & methods.

In the UK, GCHQ work with the NSA in America and have developed very powerful systems to record such information automatically on a worldwide scale. Should they need to investigate any one of us, they have the full backing of the law behind them to do so. How do we know if we can trust them to have that power? We don’t! People are always potentially corrupt, dishonest, criminal and can go against what is right. But it is generally accepted that it is regulated by supposedly trusted individuals and abuse of power if proven to be caused by them carries harsh legal penalties, which of course has proven to have happened, does happen and will always still happen.

When thinking about big brother vs your privacy or secrecy – I came to the conclusion myself that systems of control in this world I have to just accept and take on, knowing it will always be in one form or another, and that nothing I do will ever change it from existing, it has a very good reason to exist to keep us all safer and that openly protesting or being known to work against such powers can cost you everything.

My advice, take it or leave it, for the sake of a better chance of freedom and peace in your life is to go with accepting surveillance. Knowing we are always being monitored, be honest to others and yourself, know the law in the country you are in, don’t break it unless it’s a life or death situation and you are forced to, and refuse to knowingly help others break it.

You can still do everything correct legally your entire life and still be framed for something you didn’t do, so don’t presume the world should treat you well because you did well. Systems of every kind can be abused or incorrect. Minimise risk of being vulnerable in situations that could be misinterpreted as being your fault, but accept that there will always be an element of luck in your life and you will never be able to control it fully.

Now to the point of my article, a threat of security to consider:

But what if a regular person without the authority got access to your phone and they installed a spy application on it? It’s likely you would know that person if they asked to borrow your phone, but it could be that a stranger had a time-frame to use it while you left it on a table at a bar while you got a drink. There are many such spy applications now available to download, many are paid for services that can store all of the information about the target or email it to themselves, some of these applications are even free on a trial basis and would not cost someone anything to use it on any phone for the next 30 days. A common type of response I keep getting from law abiding, stable, rational, and intelligent people have responded to me on this subject, “Why would I care? I am not doing anything wrong or illegal, I have nothing to hide.” They would be very wrong to assume that, and it could be ignorance that puts their own safety or status at risk when they realise how dangerous it could be when used against them. You should accept that people are not always nice and there is good and evil. People that don’t think about the consequences of using powerful technology carelessly can easily become a victim.

The person who installed that software on your phone would have access to everything you said in voice calls, could see every letter you type with a key logger, get all of your passwords, steal your identity, be able to see or copy any photos taken or shared with you, know your exact location at any time (and therefore be able to burgle you without a challenge), read personal thoughts if you kept a secret diary, read notes, reminders, appointments, even look at your internet history of where you went and what you searched for. The list is just frightening of how much information could be collected about you. If you don’t think that is serious enough, let me remind you of your finances being at risk. If you do on-line banking from a smartphone, they could also steal all of your cash and leave you penniless, and even if you don’t have money they could potentially apply for loans and credit cards in your name. Hackers and online criminals these days go for your cash, they are no longer doing it for fun or to prove a point. Don’t presume that you will be safe without thinking about securing yourself, and changing behaviours as this crime against humanity is now popular and on the rise. Cyber crime should never be ignored and should become as important in your mind today as securing your property to prevent strangers from walking in. If you have ever been burgled, hacked or had your identity stolen, you will know that it’s a really terrible experience.

The reality is that it only takes a few minutes of time for someone to install software which can do this without you even knowing it. They could ask to borrow your phone and be sat opposite you, it could be your best friend who lies to you by saying they are sending a text to their partner, or checking their Facebook, or other excuses to get you to lend it to them and keep it long enough to install the hidden software program. If you have a smartphone, you should always protect it with a PIN number, password or security pattern that only you know. You should not let anyone else tamper with that phone, at any time, or lend it to anyone else for any reason at all, because potentially anyone you know or don’t know could use this technology against you at any time or place. Don’t presume in this day and age that such a temptation by others to have control over you, won’t ever happen to you, or you can trust them not to do this to you. When you realise how powerful they can be from it, you would be right to trust nobody with your phone ever again. I don’t.

How to reduce the risk of being a victim to this abuse of privacy:

The first golden rule of security, is physical security. My best security advice is to not trust anyone with any phone or computer you own or use with your personal information, including any member of your family (saying that upsets many people but in reality they are often the most likely culprits to invade other family member’s privacy, and the same goes for partners), and never let the phone out of your hand or sight when unlocked or even when you have it protected. There are many methods to get around different security measures of a phone if you know what you are doing with a laptop.

Keep that password or PIN you use to unlock it secret, so that only you know it, and if anyone does discover it by looking over your shoulder when typing it in, or filming you when unlocking it, get away from that person quickly and change it immediately whilst alone and unwatched, facing away from people and CCTV cameras if any are around you, this applies to changing and using the password. Use your other hand to cover your keyboard movements and screen keyboard entry if you can.

If it has fingerprint unlock, don’t add anyone else’s fingerprint to it so they can just help themselves to do anything they want, and keep it locked away when not being used at home, e.g. when you sleep and can’t defend someone else plugging it into a computer, switching it with another phone using your SIM or otherwise tampering with it, without your knowledge.

Another point worth thinking if your phone is fingerprint protected, is security while you sleep. Anyone you share that room with could use your own finger to access your fingerprint enabled password if they touched your phone to your finger. Most people would not wake up and know, especially if very tired or they had alcoholic drinks before they slept, so keep it in mind that it’s possible!

What this new technology allows anyone to now perform against anyone else is not just an invasion of privacy which is illegal and shocking in itself, it also gives that person a lot more information than they would normally know or that you would want them to know, and could therefore and potentially use the information against you that they gained and have considerable power over your life without your knowledge.

Information is power, and knowing how to protect yourself against this will prevent anyone else having that power over you. Don’t risk your freedom in others hands. The chances are if they do use this against you, it mostly won’t be good for you. Never underestimate how nosey and controlling people can be with electronic technology.

A parent using this application on their child may be a use of it that has good intentions if a parent worries about or can’t trust the actions of their children. The parent using this technology on their children in the eyes of the parent is correct, but in the eyes of the child, if they knew about it being used on them, would not accept it, argue about it, smash the phone up, not use it or find out how to remove it themselves. Don’t underestimate the intelligence that children have with computers and phones, including their ability to discover such techniques. If the child knew what their parent was doing using a spy app on them, they could never trust them again.

Examples of working phone spying applications you can test:

Want to see some examples of this technology? You don’t have to take my word for it, download and test it on your own phone to see how it works, how easy it is to install, the things it allows you to do and how well hidden it remains so the target is blissfully unaware of the security breach. The control that you now have over that phone is quite surprising the first time you see this type of spy application.

Example 1:-

Example 2:-

Example 3:-

What if someone has already done this to me? Advice to prevent it:

If you ever suspect that your phone has already been tampered with, or the possibility of it being tampered with in the past could have been possible, I would recommend performing a full factory reset of the phone which will put the software of the phone back to how it was on the first day you bought it. Of course, back up your music, photos, videos and important texts and documents away from the phone that you want to keep, like to a computer, memory card or USB stick, but if you can’t trust the data either, start from scratch.

Only when you know that you are starting from a clean phone can you correctly presume it’s safe to use. Especially suspect it if it’s a 2nd hand phone or a borrowed phone, and if a person facilitating such a transaction is known to you or not. If you don’t know how to reset the phone, you should learn how to by reading the manual from the internet of that phone’s make and model that shows you step by step how to perform the reset. This is the safest way because it relies on no 3rd party and you know the phone is then clean and trustworthy. If you have a manual that came with the phone, read it.

If you can’t handle technology very well, and are not comfortable doing this yourself, you could take it to a phone shop to do this for you, but you should get them to show you as they do it, and slowly, not let the phone and the screen of what they are doing on your phone out of your sight, and get them to explain and show you every single action they perform, and when it’s reset, get it straight back from them and out of their possession.

Don’t ever pick a friend to advise you or help you do it due to the possibility that the person you ask for advice or help is already spying on you, or will use it as an opportunity to start spying on you themselves because they have now just been given the opportunity to tamper with your phone and you allowed it. They could reset the phone and then install their spy software before giving it back to you. Don’t presume anything or anyone should be trusted with your personal devices where your personal information is concerned.

Hardware Spy-Phones:

Also be aware that purpose built spy phones can have spy technology built into the hardware of the phone, so resetting the phone back to factory would make no difference and the person controlling that phone would have access regardless of software. Generally these phones are very expensive to buy and harder to find, but can just as easily be used against you if swapped with your phone, gifted to you for free or purchased by you 2nd hand.

If you have suspicions about the phone’s hardware, get a known trusted phone of the same make and model, give both that phone and your suspected one to an electronics hardware engineer, and have them compare both phones at circuit board level by taking them apart. Don’t trust firmware that runs the phone either, update your phone software and firmware updates if you suspect the operating system or chip level software is compromised in any way. Using internet search engines are the best way of teaching yourself how to do this.

Other security risks to consider:

What goes beyond the scope of this article, but should also be considered are the apps that you choose to install, that could be used by the companies that wrote them to have access to your personal information or lifestyle habits as a result of you loading those applications. The same applies to any internet site you visit, or a link you could click on in an email or text message which could compromise the security of your phone if malicious.

Even the manufacturer of the phone who wrote the software for that phone could be spying on their users by design from the start. If you receive it brand new from a trusted source, not tampered with, shrink wrapped, security seal intact, the creators of that device could still be using your information to their advantage and without your knowledge. Research what others have found, tips for stopping known data collection techniques and tips for securing the phone against the most common attacks if you can find the time to.

About the author:

This article was written in March 2016 and are entirely the thoughts and opinions of

You can send feedback to me by emailing me from the email address on my main website if you wish. Congratulate me, agree with me, disagree with me, educate me, correct me, argue with me, but remember I am free to say what I want regardless of you agreeing with me or disagreeing. Nobody can ever please everyone, which is massively magnified when the audience is worldwide for anyone to comment on. I accept that fact, but trolls don’t control my thoughts.

My intentions are for you to share or use my articles freely but responsibly. I can’t stop anyone from using information I share with the world in the wrong way, but I believe in Karma and natural order has a way of providing it’s own rewards and consequences for good and bad actions that people decide to use any information with.

If you use my work for an essay, blog, journal, dissertation etc, quote me as a source or don’t, I really don’t care, and won’t be offended if you have to show your sources or want to hide them. Life from my point of view is too short to worry about such bragging right nonsense about who originally said and thought what, and I believe information should be free and unrestricted for the benefit of all. I have used plenty of other peoples knowledge all of my life but not to step on anyone’s toes when I use that information.

An example of where I draw the line, is that I don’t mind others progressing themselves with information I provide, as long as it’s not going to affect me financially or morally. When I would not be good with someone taking the credit for my work would be someone I work with in my career at the same company as me or a team member getting a promotion instead of myself, for something I did and they didn’t. It takes the reward out of that shared budget and I treat that as unforgivable and treacherous from equals or superiors alike. I have been known to communicate this in my past jobs and I still will regardless of how unpopular it has made my position in the past with anyone. I will always stand by that one, and if you don’t like it, don’t bother firing me, I resign! If you can accept that, I’m happy.

My articles on this site are not copyrighted or restricted in any way and never will be. They are also written in my own spare time on my own computers and my own private internet connection so can’t ever be contested by anyone as the intellectual property of any company I happen to work for past, present or future. How I like to feel in myself is to have my right to free speech without censorship and that extends to any person, company or country on the planet saying how I should think, act and communicate. I decide that alone.

And to end the article, here’s a good security quote to think about:

“Just because you’re paranoid doesn’t mean they aren’t after you.”

~ Joseph Heller