In August 2012, a writer at Wired named Mat Honan lost his digital life in under an hour. The attack used no malware. The attackers did not guess his password. They did not phish him. They picked up the phone.

They called Amazon. Then they called Apple. By the time Honan’s MacBook finished factory-resetting itself in front of him, eight years of Gmail were gone. The only copies of his daughter’s first photographs went with the wipe.

The attackers wanted his Twitter handle. It was three letters long.

What is worth noticing about this is not the attackers’ cleverness. The attack was not clever. What is worth noticing is that every step in the chain was the documented, official process. Amazon’s identity verification worked exactly as designed. So did Apple’s. So did Google’s password recovery flow, which displayed enough of Honan’s iCloud recovery email to tell the attackers where to call next. Honan had not made a single mistake. He had used every system in the way it was meant to be used.

The systems had been built in such a way that using them correctly produced this outcome.

This is the part most security advice cannot reach.

The standard checklist would not have helped

If you sat Honan down before the attack and asked him what he should do differently, he could have given you a passable security checklist. Use strong passwords. Don’t reuse them. Be skeptical of strange emails. Back up your data. He knew the list. He had probably written parts of it himself.

The list would not have helped. None of those defenses were the thing that broke. The thing that broke was that any sufficiently determined adult on a phone could chain together three companies’ help desks and emerge with the keys to a stranger’s life. No checklist item addresses that. Not directly. Not in time.

I have spent more than twenty years inside crypto and software companies, watching what attackers actually do and what defenses actually work. Honan’s story is not unusual. It is the everyday shape of the problem, scaled down to one person. The same shape repeats at the scale of a Fortune 500 board, a small startup, a self-custodied wallet, a research lab, a family.

Most security advice has the wrong subject

Most security advice assumes the user is the active component. Vigilance, attention, judgment, password complexity, suspicion of links. The user is on guard. The systems are passive. Stay alert and you stay safe.

Real attacks don’t work that way. Real attacks exploit the default behavior of the systems. The default flow of the customer service script. The default option in the dropdown. The default trust placed in a sender address. The default pattern of how identity is verified. The user is rarely the active component. The system is. The user is on autopilot, and so is the attacker, and the only question is whose script the autopilot is running.

Four ideas absorb a great deal of attention and money in this space and produce very little safety.

Compliance, the belief that following the rules makes you safe. Equifax was a compliant, audited company when it lost the personal data of roughly 147 million Americans in 2017.

Products, the belief that buying the right tools makes you safe. Twilio had multi-factor authentication and security training when it was breached in 2022. Cloudflare, hit by the same phishing campaign in the same week, was not breached. The label MFA covered both. The mechanism inside it did not.

Paranoia, the belief that staying vigilant makes you safe. Vigilance has a half-life that the calendar will outlast. Attackers do not need you to be unalert all the time. They need you to be unalert once.

Expertise, the belief that knowing enough makes you safe. Mat Honan was an expert. So are most of the people who get hit.

What’s left

What is left, when those four are subtracted, is one word that covers a lot of ground.

Defaults.

Specifically: defaults engineered so that the safe outcome is the one that happens when no one is paying attention. A hardware security key on a Google account is a default. Once it is in place, a phishing site cannot collect a usable second factor regardless of how convincing the page is, regardless of how tired you are when you click. The safe outcome is not earned through vigilance on each login. It is installed once. After that it is the floor.

The same logic generalizes. A correctly configured hardware wallet means that a remote attacker who fully owns your laptop still cannot move your coins. A separated payments account at a different bank from your main checking means a successful phishing of one set of credentials does not reach the other. None of these are heroic acts. They are setup decisions, made once, with the intention of changing what happens next time you are not paying attention.

Honan’s case fits the pattern in retrospect. The chain that destroyed his digital life had four links. At least three were breakable with defaults available to him at the time. Google had launched 2-Step Verification in 2011, the year before; turning it on would have ended the attack at the first link. Using a different credit card for Amazon than for Apple would have ended it in the middle. A Time Machine backup that iCloud could not reach would have preserved the photos. None of those defaults required him to be smarter or more skeptical than he already was. They were setup decisions. He simply had not made them.

This is the difference the book I am writing is concerned with. Not what to do during an attack. What to set up before one.

The working title is Safe by Default. It expands the argument across personal security, finance, self-custody, and the organizations you build or work inside. It walks through the major attack patterns from the public record and from twenty years of my own experience, and shows which defaults catch which attacks. It is honest about the cost of each, because every default has one.

The thesis, in one sentence: make your defaults safe, in a world where attackers count on them being convenient.

If you want to be told when the book lands, the place to do that is the home page of this site.