As careful as some of the things he suggests are...if you're truly wanted by a state-level actor or sufficiently motivated attacker, you won't be able to hide by simply using VPN and Tor. Especially if you're running something with many transactions like AlphaBay. You would need to obfuscate quite a bit more:
- if you're using VPN traffic but most people "around" you aren't, you're a suspicious node; your ISP could easily flag you to your government. If you use wifi at a common point you're likely to be flagged and there isn't an easy way other than keeping on the move. But moving often is another anomalous event, and it's very difficult to do even for Drug Lords ( El Chapo ) or Terrorists that it behooves to do. This puts you in a sort of Zugzwang, to borrow a chess term.
- there's always leakage, for instance, in the way you talk with people in the real world. At some point you send enough communication for sophisticated frequency analysis.
- and there are other patterns of usage that could be used to identify you, like searches or even keyboard frequency on anonymized accounts can be de-anonymized by very specific markers ( ML works! ).
- off ramps for crypto aren't very good. If you're in e.g. Brazil, haha, yeah, good luck spending bitcoin or any other crypto and going unnoticed. Mixers and tumblers will eventually leak and you'll be caught.
- you're very vulnerable to social engineering by people you do business with. one slip where you stop communicating in a transactional mode of communication and that's a weak link in your armor.
In the end, the FBI only has to be right once, and you have to be right every time.
You're absolutely right. It is not enough to use anonymity tools, you also have to make sure everything else around you doesn't compromise your anonymity. Made me think of a Harvard bomb threat incident where the student posting a fake bomb threat (through Tor) to avoid final exams was the only person using Tor on campus at the time, which trivially identified him.
From what I remember about that case, he was one of 8 people who were on the network at the time, but the authorities told him he was the only one, leading to his quick confession. Meaning that if he had stuck to his guns and denied it there wouldn't have been a good way to prove he was the one who did it.
It was indeed his immediate and voluntary confession that did him in. If he had not snitched on himself he would have just been a person of interest. He was one of several people who happened to be using Tor on the campus at the time, but that doesn’t mean anything, the person making the threat could have been someone in LA or Moscow or Beijing just looking to cause mischief and having no connection to the school at all. If he had kept his cool he probably would have gotten away with it.
No, it just means they couldn't have stopped digging at that point. Having dramatically reduced the search scope to a small number of people, they would have just needed to find one other small piece of evidence to narrow down the group suspects further.
I remember being shocked at the time that he had the foresight to use Tor but not to use literally any wifi network other than the campus wifi. That being said, there are a whole list of things he'd have to do to keep anonymous and it only takes one slip to identify someone.
Tor is amateur hour. The Feds can easily deanomymize things where a server is up 24/7 servicing requests.
The author of this article is also very wrong: Anonymity is not on a spectrum. It’s all or nothing. Like a Mario game where any mistaken encounter makes you start over (and that’s if you don’t get in trouble for what you did).
First step is to understand that any system could be bugged. Every IRL confidant could sell you out. Every keyboard could have a keylogger, etc. Every store could have a security camera. Phones are giving out their MAC numbers to every cell tower and wifi radio. They now have chips you can’t turn off, and so forth.
You should also assume there is no such thing as an “anonymous” account and that every service COULD sell out whatever information you gave it. (Yes, even Telegram or ProtonMail, however unlikely that may be.)
The below is a playbook for how to become truly anonymous. Continue to live your everyday life but the below is only for your “anonymous” identities, which you can gradually bootstrap as a hobby:
The first thing you do, therefore, is bootstrap your identity by taking advantage of unlinkability that is available to you. Buy a bunch of Android phones on Craigslist for cash, for example. (Or pay a homeless guy to buy a phone in a store for you.) Do not use SIM cards at all, only WiFi. Never take photos, etc. Keep your phone off or in a faraday cage until you use it. For extra points, always use it through a VPN on WiFi at home, which you purchased using the accounts below:
Then make an anonymous google account on the Android phone. Make some ProtonMail accoung usinf such an anonymous Google account. Now you can bootstrap from email addresses.
Buy some Google Play gift cards and download some apps to get a second number. Now you can bootstrap from a phone number. Sign up to Telegram, Signal and other accounts using this. Now you have end to end encrypted messaging.
Frankly, though, realtime messaging is a bit of a luxury to continue to stay in normie world. To stay truly anonymous, you should continue to:
1. Schedule posts and mail send/receive at random times. Do not ever use realtime audio or video because it might be recorded. You might make an exception for early days of your projects when people would have no reason to go out of their way to record you — just to give them confidence you’re a real person. But afterwarss, stop doing that. Let the people build your movement for you.
2. Never mention your anonymous identity or projects from your real one, and vice versa. This means your anonymous identity MUST NEVER have confidants or colleagues IRL. Build up a network of colleagues who are “fronts” for what you do. Eventually you can step back and let the movement do things for you.
3. Pay and get paid in cryptocurrency. Have smart contracts send you the money (think Richard Heart’s Hex origin address, but actually anonymous).
4. You will only ever be able to spend the crypto on paying people for services and DeFi protocols. You can never cash out to fiat, because the IRL purchases catch up with you when they follow the money. There is a surprising amount of online services you can spend $97 million dollars on, while staying anonymous ;-) If you really do need to spend money IRL (because you went broke somehow in your everyday life) then you can cashout using cross-chain bridges and Monero to pay for goods. But still, never get ostentatious wealth IRL!
5. The weakest link then becomes your writing or coding style. Never publish any code or writing, let others do it for you. Make your communication to others from your anonymous identity sufficiently different than anything saved later would not identify you (this is the weakest link, but you can consider “playing a character” when speaking to others).
6. Any private keys that you used to sign your messages can be periodically published in some conspicuous place, effectively giving you plausible deniability about all your previous and future posts. It’s hard to prove a negative (that no one else has access to your private keys before your public disclosure.)
Is it not, for the non-criminal user? My HN, Reddit and Twitter accounts are "anonymous" (pseudonymous would be more accurate), and it matters to me to the extent I share thoughts I would not on Facebook or if Googling my name lead straight to it - not that I'm ashamed of them, I try to be decent (tho I slip at times and am more brash than I would IRL), it's just that they hold some personal opinions and matters, kind of like that lady in OP's post (except I wouldn't reuse pseudonyms, especially not openly cross-linked to identified accounts). Obviously, a governmental agency that had any reason to look for me would link them in the blink of an eye, but it is "anonymous" enough for my needs: people who matter to me or people like prospective employers do not know of them and hardly could. Even if they leaked to some dark corners of the Internet like my SSN (screw you, Equifax), that hardly doxes me as far as regular humans are concerned. If someone emailed me with my online usernames, it would creep the fuck out of me, but ultimately be inconsequential, at worse it would threaten to shame me for my opinions.
So how's that not on a spectrum of anonymity? OP's post obviously does not say your anonymity when it comes to three letter US agencies is on a spectrum, that is black and white and s-he recognizes it, but rather the link-ability of your online presence(s) to your real life identity. With that Tinder lady at the "IDGAF"-end of it, your paranoid (or criminal) Jane Doe on the other end and me somewhere in between (but much closer to the former).
So, you know who I am or how to reach me? Send me an e-mail (or, better yet, dox Satoshi) and I'll take your point. I don't see how pseudonymity can't be a flavor of anonymity, even cyber-criminals who have every reason to remain truly anonymous online - as in hidden from FBI and gang - can pick some form of pseudonym so people can address them, Dread Pirate Roberts would be an obvious example (tho he failed to be anonymous to govs).
Per Wikipedia:
>Anonymity describes situations where the acting person's identity is unknown. [...] The important idea here is that a person be non-identifiable, unreachable, or untrackable.
Using a phone is probably the first mistake. If you are going to use your home network you are better off using a machine you control and an operating system that is open source.
I suggest these steps:
Step 1: Connect to a popular vpn.
Step 2: Connect to tor
Step 3: Get free vps or pay with cryto you trade for gift cards purchased or some other method
Step 4: Connect to vps with desktop running. Use virtual desktop.
Step 5: Use vpn. This time use vpn with best rep to be accepted as regular traffic.
Step 6: Signup for services
Step 1 solves the k issue. Many people using that vpn will connect to tor
Step 4: Seems slow but at the virtual desktop level out things are fast from that machine to new hosts. Use scripts could help.
Iirc phones will broadcast previously connected access point max addresses. I doubt gp truly understands what it takes to be anonymous (imo it’s probably impossible).
They still had to somehow link your online identity to your phone. And how would they do that? The phone is simply a computer that you use, through VPNs, to send and reveive mail and post messages to groups etc. They’d have to approach ProtonMail, then your VPNs in order, and then get security footage from the place where you were accessing the VPN at that time. And then cross-reference your gait etc. to a database. Maybe in 10 years they would have such coordination, and we will need better tactics.
What’s far more interesting is what to do if VPNs are banned in a country. You can’t be using one there. You’d have to have set up anonymous hosting and port forward stuff yourself.
Again, it’s possible that all anonymous hosting, VPN etc. is shut down and requires KYC by say 2050. That is why you must bootstrap from what are valid but essentially “compromised* accounts now while you still can, and hope they are grandfathered into the new totalitarian surveillance system. Buying phones on craigslist is one example.
Another example is those eyes Anderton installs in Minority Report, but security in that movie is like a bad joke, IRL he’d be outed instantly by his gait, heart patterns via wifi and so on. In fact they didnt even change the access keys after he ran LMAO
It seems that this would work for a while, but if we're trying to bootstrap well into the future, a shiny new phone of the hour Samsung S22 showing up new on the network only 15 years out in 2037 would stick out like a beacon, and that's assuming it would even connect to the then-current comms protocols.
Not nearly on the level as what is being suggested but my company has had several anonymous surveys and I started thinking about writing style when taking them. If you're prone to certain phrases, words, use of contractions or lack thereof, especially when the pool of people is small and you're providing critical (but needed) criticisms, you could potentially be identified by your immediate supervisor. Introducing typos and avoiding phrases you commonly say, adjusting your "tone" is a lot of effort when you can just disengage entirely and/or behave like everything is public (which it may as well be at this point).
Most "anonymous" surveys I've been asked to take through work require listing more than enough information for unique identity. One assured I would be anonymous, then asked me to fill in the name of my manager, my team, and job title.
Fortunately mine have not but at a certain point they're useless because no matter no low the scores go nobody in their right mind wants to provide long-form feedback to identity actionable fixes because product teams are usually small even if there are a lot of developers in the pool your pain points will be unique to what your working on.
Yes, this is usually my experience as well. What makes sense for you to bring up identifies who you are. Hardly anonymous. But sometimes I've also been asked to explicitly identify myself as mentioned yet it's still supposedly anonymous.
We can give anonymous feedback about others where I work. We can submit it at any time about anything, positive or negative. I have never touched it despite knowing that HR doesn't get my name. It's not hard to figure out who's submitted a piece of feedback from their writing style and the specific situation you're writing about. Like if I were to give feedback related to working on a project with one other person, any sort of specifics about the project would make it very obvious that it was me writing the feedback.
One idea I've seen is running through translation services. IE, convert to spanish and then back to english. But unless we have good offline services, it defeats the point.
Maybe not very practical, but to combat targeted writing analysis on the internet you could try running such analysis software on your own writing to find out what makes it stand out. Work to make the writing as "bland" as possible, perhaps with aid of software translators or filters.
The hardest investigation to defend against is the rubber hose investigation. Gotta give them what they want, without them even suspecting you could be that mysterious founder. The only way people suspect you’re someone is if your k is small, eg how many people could be Satoshi?
If you’re efficient, you can retire the mysterious founder identity and simply have multiple “early adopter” addresses that generated rewards early, among actual adopters. Make an exit from your projects as early as you can after they gain momentum with the wider crowd.
There is no way to stop people from starting open source projects, accruing the early rewards and then selling those rewards to others in a decentralized exchange or async OTC deal. If every country worldwide ever closes down all such anonymous mechanisms (maybe by 2050) and makes register in order to sell your rewards, you simply sell your private keys to the wallet in an async OTC deal. The buyer will have to trust that you won’t move the money after they register the address and before they move it.
To not share how you secure anonymity is to rely on security by obscurity. Now I think it’s better to lay out the playbook using Kerchkoff’s principle so k will become far larger than 150. Remember… to improve anonymity, at some point you have to publish your private keys. And where better than Hacker News?
The playbook is yours. Improve it!
Step 1: try to break it. Post how you’d defeat the anonymization scheme. The threat model is that you’re all state level actors combined. I’d love to see what you come up with.
Awesome writeup thanks. That said, anonymity might literally be binary as you point out so eloquently, but the point of the article is that most people only need to think about it as a spectrum and be somewhere on it to be safe. Most people aren't running OmegaBay and need 14 burners handy and always be on the move. Boy would that be tough on one's social life. That said, a little bit of care and attention to the everyday shit we leave out there is a good idea. Bad actors will likely go to the lowest hanging fruit.
> 3. Pay and get paid in cryptocurrency. Have smart contracts send you the money (think Richard Heart’s Hex origin address, but actually anonymous).
My first question about this plan is "what are you getting paid for and how do you advertise your services"? You need to never meet the people paying you in person, and ideally you are selling some purely digital good. So, something like underground illegal programming or hacking or such? Is there anything else that would work?
No, you don’t do work for money. You start an open source project and get many people to run your software. You meanwhile generate as many early rewards as you can (you can even do it under multiple accounts) and when the ecosystem is up and running, you’ll be the mysterious founder, generating millions (or billions) in passive income.
Sounds familiar? It should…
Simply never move money using your first few accounts, and whoever early people you pay, have them stake your currency for a long time, and borrow against it on decentralized lending marketplaces, to avoid spooking people that the mysterious founder has moved their money.
Buy on Craigslist. Go to a store. Or, as mentioned previously, pay a homeless guy to go into the store and buy it.
It’s a modular system. The key is Kerchkoff’s principle — I can describe it to you all day long, but as long as I don’t reveal each identity from the other, you all won’t know what projects I am doing, even if they earned $97 million already.
>> If you're in e.g. Brazil, haha, yeah, good luck spending bitcoin or any other crypto and going unnoticed
South America is the greatest tumbler of all. I spent years in Argentina under the currency restrictions and paid my rent in Bitcoin, bought USD and pesos at black market rates in Bitcoin, all with people I met on localbitcoins and never using an exchange. I don't know about Brazil, but there is a huge market for peer to peer BTC in AR and UY, and you can just trade an envelope of cash over the table at a Starbucks in Buenos Aires for anywhere up to $10K USD.
In the USA I would be scared of being on camera, but I really doubt you would have that problem if you meet someone in a bar or on the beach in Brazil.
[edit] Just to explain this comment for people who think of BTC as something that you have to buy or sell on an exchange where you're allowing the endpoints to be tracked; the original reason for cryptocurrency was that you don't have to show your passport or link it to a bank account. That still obtains in lots of places in the world where people will happily give you their shitty paper money for bitcoin, and you can use the paper to pay your rent. Don't buy BTC on an exchange, and don't sell it on an exchange. Buy it from someone in person in a phone-to-phone transfer, or win it in a poker game. Keep it in a private wallet, not an exchange. Sell it P2P in person when you want to. You don't need to use an exchange at all.
For example, you buy a burner phone, but the place you bought it from, even if a second hand shop, had a security camera. Maybe they also record IMEI's before selling phones.
Or you carry your burner phone together with your real phone. Or alternatively, you leave one at home when using the other. Both of these things can be linked by a sufficiently determined actor (FBI/NSA level).
Or they track you to using a public square WiFi one day. Again, cameras are everywhere.
If they got your real name, no matter how, it's game over. You will be surveilled and they will find proof to link you. This is why all those posts "if only DPR used this kind of encryption or dead-men-switch" are ridiculous. Once they knew his real name it was just a matter of time and building a case.
You should just assume a "real phone" is rooted by the FBI and functions to track your movements 24/7, accurate to the meter, is capable of remotely enabling mic/camera and all sensors, including WiFi, accelerometer, GPS, etc. Because even if it isn't, the software on it already (system software, apps, everything) already does a massive amount of snooping, distilling, and uploading. The feds "enabling" targeted surveillance on your phone will not look materially different from what it already does which has been purposely obfuscated to be undetectable.
The surveillance state is already here. The dragnet is on for everyone, and if they miss anything it's because it's hidden in the noise, not that the signal isn't being sent.
I'd argue that real anonymity requires disconnection from digital networks in this age.
I.e. cash, rural, paper letters for last mile
The internet is by definition centralized and the government has privileged access, from a surveillance perspective. Luckily, the number of people who really need this level of anonymity (i.e. I am wanted by every world government as a top priority) is pretty low.
Going analog is really more of an obscurity play than an anonymity one. In which case, you can go online and simply aim to be obscure, to never raise alarms, position oneself as a predatory target, or announce oneself as a threat. Explicit, true thoughts get pushed out to alt accounts, private diaries and the like. You may even allow some degree of linkage to take place, a "if you worked that hard to get here, you know exactly what you were doing" signal. I've done that for years.
I think this is the only way to feel truly at ease with the state of things, really. Keeping a whole self in public or in private is asking a bit much.
The way I look at it is a matter of attack surface and attack distance. Digital vastly increases both.
You have layers and layers of technology in even the simplest modern computers, and core network infrastructure subject to tapping or worse.
And much of this that can be done from anywhere on the planet.
Analog requires physical proximity, a strength and a serious inconvenience. But it also has the property of being legacy, in that you are now immune to state of the art digital methods, and susceptible to older ones that may be out of institutional memory and practice.
Charles Stross has a book series about a family of people that can step between different timelines of alternate Earth's that explores this a little.
**SPOILERS** Once the US that's basically our world discovers the existence of "world walkers" when they nuke the Whitehouse, it quickly steps into an authoritarian surveillance hellstate capable of realtime surveiling the population around the country to the point where they can track people entering their timeline because they were on camera exiting a building they were never recorded entering, or were flagged buying a plane/bus ticket from a city they shouldn't have been in according to previous records, or in one case for leaving a coffee shop with a noticeably empty backpack when she'd entered the shop with it completely full, having passed the contents to a world walker she was meeting. That irregularity automatically flagged everyone entering/leaving that building for review in their system and they backtracked all of these people through their paths that day until finding the gap where he'd stepped through to their world. That all happened in a matter of minutes and then quickly homed in on him.
Anyhow,it goes into detail about the lengths they go to to avoid detection by these systems and honestly didn't strike me at as all farfetched. The technology and capacity exists and it's a concentrated effort on part of the government is all it would take to implement it.
That's why step 0 if you plan on stepping on the U.S. governments toes is:
Move to a country with no extradition treaty with the U.S. and be prepared to spend the rest of your life only traveling between such countries. Make sure to also account for edge cases like countries without an extradition treaty that still enforce it (i.e. Maldives) and countries WITH an extradition treaty that do not enforce it (like Venezuela).
I would say that if you're caught and ... somehow manage to delete all the evidence linking you ( you have device explosives or, idk, 2048 bit encryption ), you may be able to escape, but come on, who are we kidding: the FBI has like a 99.96% conviction rate and that's without even going to into the "parallel construction" or other conspiratorial lines of attack.
I don't know if it's 99.96%, but the FBI is well-known for making sure everything is absolutely airtight before making an arrest. Once they make an arrest, you can be sure they have more than enough evidence to convict and then some. When people do avoid a conviction, it's usually by testifying against others in exchange for immunity or leniency.
It's very odd to list all these (pretty theoretical!) things when, in practice, everyone gets owned by much more basic operational security concerns (except for the last "social engineering" one, where moving to a different communication network is a super common way for law enforcement to close the loop on an investigation).
Like "being super careful isn't enough" _might be true_, but if you did everything on this list and get caught anyways, you are in a super minority of people getting caught.
The example in the article (a hotmail-based email address being used). Everyone sees this and immediately goes "OK the feds can get this info". If such a basic opsec failure was happening, how is it that this person was still able to get as far as they did building up their website?
Being worried about the feds finding you from speech analysis of your posts online seems a bit silly when it's always _not_ that and much more just "finding the one simple thing you did wrong".
Scamming is BOOMING. We are talking entire developing countries getting onboard. The noise ratio is very high on all these services. There are hundreds of "alphabays" running RIGHT now with millions of people using them, right now. This isnt 2013, those big take-downs of high profile sites did nothing but diversify, fracture the community.
Sure, if u piss off the wrong agent and they spend a few years on the case you may get busted. But the vast majority?
Why is this comment the top comment when it's a bunch of conjectures, scare mongering tactics and half-truths at best? Sure if you're on tor and no one else around you is then you stand out, so what? Now there is a faint signal that there is something suspicious going on. To assume one could with sufficient accuracy narrow down a target based on a weak signal like that to see what they're up to is like assuming we're going to general AI any day now because obviously imageNet is so good. Let's not allow the creation of an echo chamber to add confusion to the great work people at the Tor project are doing and to instill even more fear in those who may want to dissent against authoritarian forces.
I’ll start out by saying I agree with you on Tor being a layer in a “defense in depth” strategy but to imply my response to this is fearmongering is quite premature. Feel free to give a point by point rebuttal for the community. I have given quite a bit of thought to how to stay anonymous even though I use my real name and identity here, and have no real issues with government.
Tor is the definition of deceptively simple, and there are a lot of impressionable people who read articles like this on the web when they’re first starting out who could easily be lulled into a false sense of security and then start transacting on the darknet and think they can’t be touched. OGs on HN know better and remember the threads where tptacek and cperciva would routinely dismantle this notion of tor or VPN anonymity/security.
I'm about to publish an update to it that uses a toolbar popup to fill out forms instead of the current lag approach, which will also protect against keyboard layout leaks[1] (which Tor browser/privacy.resistFingerprinting protects against anyway)
> Don't use mixers and tumblers, use Monero and/or Monero atomic swaps.
Monero doesn’t make your transactions anonymous, it makes them ambiguous. your wallet might default to using an n=6 ring signature, meaning it picks 5 random addresses with balances and creates a transaction that could have plausibly originated from any of those 5 or your own. so you get plausible deniability, but also if your threat actor can unmask the other 5 addresses (which might not be so hard if those accounts are regularly interacting with exchanges) then you’re done.
zcash gets you actual transaction-level anonymity, not just ambiguity. fewer places accept it, but in theory you can still break the link by obtaining zcash and then exchanging it for the currency of your choice on any exchange that doesn’t ask for PII (e.g. a DEX)
> if you're using VPN traffic but most people "around" you aren't, you're a suspicious node
Yes, working from home is very suspicious. :P
(That said, the VPN companies that work in the B2C segment for those who can't set up their own VPN server is small and they're all well-known to the government.)
Are there reported incidents where somebody was caught with such sophisticated techniques? It seems like every time I read about how the FBI caught some big darknet criminal it was pretty much always some trivial mistake on the criminal's side.
But that is just it - you can use all the sophisticated techniques but there are 10000 ways to make a fatal error, and that number increases with every action. So even if you are 99.99% rock solid in your technique, it is a certainty that you will get caught with that one 'dumb' mistake. It only looks dumb in hindsight, but it was inevitable.
Getting to 99.99999% reliability is very difficult for one person, it usually takes a highly diligent team with very well-sorted processes.
VPN providers can also be compelled to share all logs, even if they say they don’t log your info or activity, there are court cases that prove there are weaknesses in VPN providers, whether it was the method of payment you signed up with or if they logged your meta data on sign up, location services and telemetry from a mobile app backend etc.
Privacy is never a guaranteed thing when you introduce ubiquitous computing to the mix, even things outside of computers can profile you like being captured in CCTV around the time when your signals are picked up from a computer/smartphone phoning home or unusual internet activity, like the scene out of Mr. Robot.
Having to be right “every time” is why it’s insane we still rely on things like SSNs and phone numbers that are difficult to replace but highly valuable and damaging if leaked.
We need to be exchanging personal data only in forms that become worthless and unidentifying in a short period of time, requiring secure refreshes to maintain.
It’s a bit like Schneier’s Law. You can put in place protections that you personally cannot workaround, but that doesn’t mean someone with sufficient means and motivation would also be blocked.
- if you're using VPN traffic but most people "around" you aren't, you're a suspicious node; your ISP could easily flag you to your government. If you use wifi at a common point you're likely to be flagged and there isn't an easy way other than keeping on the move. But moving often is another anomalous event, and it's very difficult to do even for Drug Lords ( El Chapo ) or Terrorists that it behooves to do. This puts you in a sort of Zugzwang, to borrow a chess term.
- there's always leakage, for instance, in the way you talk with people in the real world. At some point you send enough communication for sophisticated frequency analysis.
- and there are other patterns of usage that could be used to identify you, like searches or even keyboard frequency on anonymized accounts can be de-anonymized by very specific markers ( ML works! ).
- off ramps for crypto aren't very good. If you're in e.g. Brazil, haha, yeah, good luck spending bitcoin or any other crypto and going unnoticed. Mixers and tumblers will eventually leak and you'll be caught.
- you're very vulnerable to social engineering by people you do business with. one slip where you stop communicating in a transactional mode of communication and that's a weak link in your armor.
In the end, the FBI only has to be right once, and you have to be right every time.