Apple and Google’s bluetooth contact tracing API: impressive example of privacy-preserving features

  • The Apple & Google privacy-preserving contact tracing has no additional (privacy) cost.
  • It may have limited to no benefit because of low adoption and other issues.
  • It may have big benefit due to keeping the curve flat, while relaxing the physical distancing requirements.
  • It is the only one that has a chance to work, because of its possible adoption and because it addresses the practical Bluetooth LE issues.

No costs but potential (big) benefits = I vote we do this.

In case you are coming to this without previous context, this is an informal write up about the Apple & Google privacy-preserving approach, and why I wholeheartedly support it.

Compared to my normal bio-hacking ancient “woo-woo” practices with technology and dorking around with a high speed camera, this is the closest I’ve come to putting my work background on this blog.

I’ve put it here because I’d like to both show how a professional paranoid like me analyses this (in the hope you can learn that trick too), as well as hopefully counter some of the Fear, Uncertainty and Doubt (FUD) that comes up around tracing technology.
After all, I do think this is an excellent piece of engineering and policy decision from Apple and Google.

TL;DR version

The way I see it:

No costs but potential (big) benefits = I vote we do this.

How professional paranoids think

It is relatively easy to go into a paranoid mindset: just assume everyone is out to get you. I know, I’ve been doing that for decades, mostly professionally.
What distinguishes amateur from professional paranoids like me is that professionals know when to stop worrying and doubting.

One of the things we do for this in my professionally paranoid world, is to think about the goal and capabilities of the attacker.
We think of things the attacker could do in terms of: “An attacker wanting <intent of the attacker> with <capability of the attacker> would <what the attacker achieves>”.
We call this the “threat model” or “security problem definition” in Common Criteria.

When this idea of phone based contact tracing was started (and to be overly clear: the Apple & Google privacy-preserving approach does not have these problems, which is why I am supporting it), these were the kinds of threats I thought of:

  1. An attacker with access to the central server, would see who I have met, when and where. I.e. this can be used to map my social interaction graph by Apple/Google/government.
    (Not the case because the phone only sends the daily tracing keys to a semi-centralised server after I’m declared sick. And even then, these keys and the derived 10-minute pseudonym numbers are not linked to an identity. And even in that case, your phone determines if you were near that pseudonym, not the central server. Your phone doesn’t gain any information about me: it just has a bunch of pseudonyms without attached identities, and determines that it was near one of them at a certain time.)
  2. An attacker able to eavesdrop the entire internet, would see who I have met, when and where. I.e. the above one on NSA scale.
    (Not the case because the phones just don’t transmit that information. An almighty eavesdropper might know a bit more about me, and would be able to couple those facts to me being declared sick and uploading my daily tracing keys to the semi-central server. But that isn’t an added risk due to this system; this is the risk of worldwide surveillance by both government agencies and commercial companies. They would already know you called a doctor…)
  3. An attacker able to eavesdrop an area, would know when I declare I am infected, that I was in that area, including when and ‘how far’ from the eavesdropping station.
    (Not really a case, as this is the same as say a shopkeeper’s phone doing this. Arguably this is a good thing: one could know where in the area extra cleaning might have been applicable.)
  4. An attacker able to eavesdrop all bluetooth transmissions over the whole world, would see all connections. I.e. the above one on illuminati scale.
    (Not the case because what they would see is some blinks of ±10-minute ‘identities’ moving around. Really not useful, and in any case this is no more information than before: any phone already sends a Bluetooth and WLAN MAC address that is unique. In modern phones these MACs are already randomised every ±10 minutes, precisely to prevent this kind of tracking. One of the things I found clever is that the tracing pseudonym and the Bluetooth MAC are changed at the same time, so one cannot be used to link to the other.
    Of course, if you disclose the daily tracing keys, the rolling proximity identifiers of the same day can now be grouped. So this all-powerful eavesdropper would know where a pseudonymous infected person walked. Which is exactly what contact tracers are doing manually without this process. So I consider this a feature.
    In the end this would be an attack for ‘the last mile’ of location tracking: just to function at the cellular network level, every mobile phone is still sending its unique identifier (IMSI and related values) to the mobile network, so at least at the granularity of mobile network cells the mobile networks know where that phone is.)
  5. An attacker with physical possession of my phone would be able to force me to show who I met. I.e. evil secret police forces me to show my co-conspiring cuddling group.
    (Not the case because my phone does not know this. It only knows those random pseudonyms. This really is the case above.)
  6. An attacker would force me and you to show that we were close to each other. I.e. police investigation into me and an already suspected other, like you, for doing an unauthorised cuddling, or worse.
    (Somewhat possible, but with major limitations: they would have to force my phone to declare me sick (which is usually illegal), they would then have to wait at least a day (because both phones only disclose tracing keys at least one day old), they would only be able to go back 15 days (again: phones), and then they would at best get that your phone says you were potentially exposed at a certain time when it saw an ‘infected’ pseudonym. But still no confirmation it was me, just a suspicion it was me that they can’t use in court. And then we’re back to their original suspicion anyway.)
  7. An attacker with significant legal or informal power, forces me to declare I’m sick and then my app transmits “I am a leper” code for everyone to shun me.
    (Not possible, because since version 1.1 of the specification the phone will not disclose the current day’s tracing key, only yesterday’s and older, with a maximum of 15 days. This is one of the improvements I found very clever.)
  8. An attacker forces me to show I am not infected/infectious, i.e. the green/yellow/red QR code apps being deployed.
    (This is independent of this proposal. The Google & Apple API does not help with this; it actually seems to go out of its way to hinder it.)
  9. An attacker generates false ‘infections’ and causes many to be pseudo-infected. I.e. a cyber-bio-terror attack: I put my ‘phone’ with a strong Bluetooth amplifier near any place of gathering, then declare myself sick, and everyone who was in that place of gathering shows up as being ‘near’ to an infected person.
    (This is possible with any approach. I suspect this is one of the reasons why sane contact tracing apps will require some medical confirmation that one actually is infected. And that part then falls under medical safety and privacy as usual.)
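As an added illustration (not from the original post, nor the Apple/Google specification itself), here is a simplified Python model of the scheme the threats above refer to: a secret tracing key per phone, one derived key per day, a pseudonym that rolls every 10 minutes, disclosure of only yesterday's and older keys, and matching done on the receiving phone rather than the server. HMAC-SHA256 stands in for the specification's actual derivation functions, and the day numbers, keys and contact log are constructed.

```python
"""Simplified model of the rolling-pseudonym scheme discussed above (constructed
illustration; the real specification uses HKDF/AES, here HMAC-SHA256 stands in)."""
import hashlib
import hmac

INTERVAL_SECONDS = 600                         # pseudonym rolls every ~10 minutes
INTERVALS_PER_DAY = 86400 // INTERVAL_SECONDS  # 144 pseudonyms per day
MAX_DISCLOSED_DAYS = 15                        # phones keep at most 15 days of keys


def daily_tracing_key(tracing_key: bytes, day: int) -> bytes:
    """One 16-byte key per day, derived from the phone's secret tracing key."""
    msg = b"CT-DTK" + day.to_bytes(4, "little")
    return hmac.new(tracing_key, msg, hashlib.sha256).digest()[:16]


def rolling_proximity_identifier(daily_key: bytes, interval: int) -> bytes:
    """The 16-byte pseudonym broadcast over BLE during one 10-minute interval.
    Without the daily key, two of these cannot be linked to each other."""
    msg = b"CT-RPI" + interval.to_bytes(4, "little")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


def keys_to_upload(tracing_key: bytes, today: int) -> dict:
    """What a diagnosed user's phone hands to the server (threats #1 and #7):
    only yesterday's and older daily keys, never today's, at most 15 of them.
    No identity travels with them."""
    first = max(0, today - MAX_DISCLOSED_DAYS)
    return {day: daily_tracing_key(tracing_key, day) for day in range(first, today)}


def find_exposures(observed: list, disclosed_keys: dict) -> list:
    """Runs on the RECEIVING phone, not on the server: re-derive every pseudonym
    the disclosed keys could have produced and intersect with what this phone
    heard. `observed` holds (day, interval, rpi) tuples logged locally."""
    candidates = {}
    for day, key in disclosed_keys.items():
        for interval in range(INTERVALS_PER_DAY):
            candidates[rolling_proximity_identifier(key, interval)] = (day, interval)
    return sorted(candidates[rpi] for _, _, rpi in observed if rpi in candidates)


def demo() -> list:
    """Bob is diagnosed on day 100; Alice's phone heard him yesterday and today."""
    bob_tk = bytes(range(32))        # constructed secret; never leaves Bob's phone
    stranger_tk = bytes(32)          # another phone Alice passed; never diagnosed
    today = 100

    def heard(tk: bytes, day: int, interval: int) -> tuple:
        rpi = rolling_proximity_identifier(daily_tracing_key(tk, day), interval)
        return (day, interval, rpi)

    alice_log = [
        heard(bob_tk, 99, 50),        # yesterday: matched once Bob's keys are out
        heard(bob_tk, 100, 10),       # today: not matched, today's key is never uploaded
        heard(stranger_tk, 99, 51),   # unrelated pseudonym: stays unlinkable
    ]
    return find_exposures(alice_log, keys_to_upload(bob_tk, today))


if __name__ == "__main__":
    print(demo())   # [(99, 50)]
```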

So… long but hopefully insightful story on how someone like me looks at this mechanism and determines the risk/benefits.

Some of the underlying tricks I use to stop worrying:

  • Already accepted risk: if we end up in a situation we already accepted (here for example: the mobile phone could track me, regardless of this proposal), I remind myself why I accepted the original situation, quickly check if things really changed or not, and if not shrug and accept this too.
  • No additional risk: when we reach a point where, to pull off the attack, the attacker must already have what he is aiming for, I stop. Obviously an attacker who can hack the whole phone OS and hardware can get it to do more than it should.
    But that attacker then doesn’t need this mechanism.
    So… probably that attack isn’t useful to the attacker.
  • No additional information: I’m keeping in mind what all parties could possibly know (this is an application of ‘belief logic’). If the attacker does something, but he does not gain knowledge, it is unlikely to be useful.

I hope you find this helpful.

With kind regards,
Wouter

P.S. (2020-06-14) There are quite a few other analyses out there, which I really like, but dear me a lot of them are unprofessional FUD.
For example Mind the GAP: Security & Privacy Risks of Contact Tracing Apps claims that:

  • “We demonstrate that in real-world scenarios the current GAP design is vulnerable to (i) profiling and possibly de-anonymizing infected persons,”: well no, not more than you already can, see my #3 and #4,
  • “and (ii) relay-based wormhole attacks that principally can generate fake contacts with the potential of significantly affecting the accuracy of an app-based contact tracing system.”: yes, but any false claim of connections would work, this has nothing to do with the technology, see my #9.

P.P.S (2022-08-26) The protocols held for privacy and there were only a few practical issues (ACM had a good overview), but mostly the adoption by the public was too low and the health organisations’ testing and contact tracing was established way too late to be of help before COVID went beyond containment.

RFID blockers have very limited use

I keep seeing these “RFID blockers”.

Anti RFID skimming device (image)

RFID blockers improve your security only a bit, as contactless skimming is a high-risk/low-reward attack for the attacker: the reading distance of contactless credit cards and electronic IDs is at most ±25 cm, about ±10 inches, and that is in lab conditions with 500+ Watt amplifiers (the kind of power that makes sparks fly!).
If you can get reading distance up to half that reliably in real world situations, you can make a lot of money selling your skills in the reader market.

For this attack to work, someone needs to be basically rubbing up to you to talk to your card.
In the case of electronic IDs (eIDs) like passports, driver’s licenses and ID cards that follow the international ICAO norms (i.e. any European one; American ones only since a few years ago), that still doesn’t get the attacker anything: to talk to the chip requires some information from the front side of the card, the 3-4 lines of computer-readable text at the bottom of your passport. (In case you want to know, this is called the Machine Readable Zone (MRZ).)
Basically: you need to optically read the eID before you can electronically read it, i.e. you are already handing it over to them (ID checks at airports, rentals, hotels).
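Added example (not from the original post): the ICAO 9303 Basic Access Control key derivation in Python, showing that the keys the chip expects are computed from exactly the printed MRZ fields, so the document has to be seen before it can be read electronically. The document number, birth date and expiry date in the block are the standard's own sample values, not a real document.

```python
"""ICAO 9303 Basic Access Control key derivation (constructed illustration).
The chip only talks after the reader proves it knows these keys, and every input
to them is printed in the MRZ, so optical access must come before radio access."""
import hashlib

WEIGHTS = (7, 3, 1)
# Sample MRZ fields from the ICAO 9303 worked example (not a real document):
SAMPLE_DOC_NUMBER, SAMPLE_BIRTH, SAMPLE_EXPIRY = "L898902C<", "690806", "940623"


def mrz_char_value(c: str) -> int:
    """Check-digit alphabet: digits are themselves, '<' is 0, A..Z are 10..35."""
    if c == "<":
        return 0
    if c.isdigit():
        return int(c)
    return ord(c) - ord("A") + 10


def check_digit(field: str) -> int:
    """Weighted sum with weights 7, 3, 1 repeating, modulo 10."""
    return sum(mrz_char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """Document number, birth date and expiry date, each followed by its check digit."""
    return "".join(f + str(check_digit(f)) for f in (doc_number, birth_date, expiry_date))


def adjust_parity(key: bytes) -> bytes:
    """Force odd parity on every byte, as DES/3DES keys require."""
    return bytes(b if bin(b).count("1") % 2 else b ^ 1 for b in key)


def bac_keys(doc_number: str, birth_date: str, expiry_date: str) -> tuple:
    """K_seed, K_enc and K_mac (two-key 3DES) for Basic Access Control:
    K_seed is the first 16 bytes of SHA-1 over the MRZ information, and the
    two session keys are derived from it with the counters 1 and 2."""
    info = mrz_information(doc_number, birth_date, expiry_date).encode("ascii")
    k_seed = hashlib.sha1(info).digest()[:16]
    k_enc = adjust_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x01").digest()[:16])
    k_mac = adjust_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x02").digest()[:16])
    return k_seed, k_enc, k_mac


if __name__ == "__main__":
    print(mrz_information(SAMPLE_DOC_NUMBER, SAMPLE_BIRTH, SAMPLE_EXPIRY))  # L898902C<369080619406236
    names = ("K_seed", "K_enc", "K_mac")
    for name, key in zip(names, bac_keys(SAMPLE_DOC_NUMBER, SAMPLE_BIRTH, SAMPLE_EXPIRY)):
        print(name, key.hex())
```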

In the case of contactless credit cards, the story is a bit more complex, as it depends on what your issuing bank has configured the card for (they have a dozen or so parameters they can choose).
In general, transactions up to $25-ish, up to an overall total of $150-ish, don’t require a PIN (for the tap-and-go payment of coffees).
As the electronic transactions with these credit cards are one-time and only-with-that-shop, a pair of attackers would need to pull off the following to pay with your card, in what I call a “contactless extension cord” attack, or what is often called “virtual pickpocketing”:

  1. Attacker A dry-humps you to get his card reader within those ±5 inches of your card, and
  2. Attacker B, at that exact same time, is physically at a shop with a card emulator, and about to pay to max that limit that we are talking about (i.e. max 5x$25-ish product).

This exposes both Attacker A and B to being physically caught, for $25-150 of stuff that still needs to be fenced at a much lower return value.
There are lower-risk and higher-reward kind of attacks you can do as a criminal :-). 

That said, if you want to get protection, consider adding a layer of aluminum foil in your existing wallet (reduces the read distance to 1-2 inches) or combine with the practicality of a compact wallet like Secrid.

With kind regards,
Wouter

Japan: Suica travel card

Something that has me proud as I have some background and connections in the domain, and happy because I just love Japan:
It is now possible to use any iPhone 7 or higher for most of the public transport in Japan (this is called “Suica”, a FeliCa technology solution). If you are travelling in Tokyo, this is great!

Transfer to iPhone

If you already have a Suica card, you can transfer the balance (including deposit!) to your iPhone 7 or higher. Apple has a walkthrough that is easy to follow (only attention point is that you have to change the region to Japan under General -> Language & Region -> Region).
Simply put, set your region to Japan and add a Suica card to your wallet.

Use is easy


Use is easy: just hold your iPhone on the turnstile readers. With the excellent reader technology and powered iPhone, reading distance and speed is really good. Your phone will vibrate and you are done.

My practical (air)travel trips

I travel quite a bit for work and pleasure, and have for a few decades. Here are some practical tips I have for you.

Preparation (weeks-days before travel)

  • Invest in the best active noise cancelling earphones you can afford and that fit you best. I love my Bose 20i. I prefer in-ear earplugs, but the over-ear Bose 35i and Sony WH1000XM3 work really well too (they are a bit hot to wear, and the Sony one’s Bluetooth handling is less elegant as it will not easily switch between two users). The reduction of the onslaught on your ears and the resulting stress on your system is worth more than any class upgrade if you are in a bind. I can’t emphasise this enough: invest in a good noise cancelling headphone.
  • Consider buying passive earplugs for sleeping: if you cover the microphones of the active noise cancellers they will typically give you a high screeching tone. Plus I don’t like having wires around my throat when I’m sleeping: I prefer not to garrotte myself. I like 3M’s 1100 Orange rounded earplugs or more recently my custom made earplugs from Alpine.nl.
  • Go into the travel with enough sleep. Going in with a sleep-debt will make the effects of jetlag much worse, and it will take longer to recover from it. Plus with low sleep you’ll be more tempted to eat crap food.

Preparation (just before the trip)

I have a check-in/carry-on suitcase (currently Samsonite B-Light 3 with 2 wheels) ready for travel nearly all the time. The week before a trip I have it open in my bedroom and fill it with the specific items I need for an upcoming trip as I bump into them (Getting Things Done style inbox filing ;-)).

I also have my daily-carry/designated carry-on backpack (currently North Face Kaban (older model)) which is always ready for day to day meetings and for air travel (fluids only in an external pouch, no sharps, etc).

That carry-on backpack also contains a change of clothes, just in case my check-in goes missing for a few days (rare) or I get caught in rain/manage to dirty my clothes (less rare). I’ve packed, in waterproof ziplock bags, wrinkle-free business casual clothes:

  • 1 Mizzen and Main shirt (doesn’t wrinkle, looks professional, does not sweat, does however love to absorb coloured liquids spectacularly).
  • 1 Nike Golf pants (looks like formal pants, stretches and dries like sport clothes, hard to get dirty and easy to clean)
  • 2 changes of underwear
  • 2 pairs of socks (with my Vibram 5fingers I get wet feet easily)
  • 1 waterproof trenchcoat from Patagonia (if I’m not wearing it)
  • Take a biggish (1 or 3 liter) ziplock bag, and put the items you need available at your seat in there. This allows you to quickly and without fuss settle into your seat. If you practice putting your stuff back in after using, you also won’t lose items as you leave again. As an added bonus, that bag probably is also exactly the electronics that you have to pull out at the security screening anyway, making that process much less stressful (and more efficient for other travellers like me too ;-)).
  • Consider packing:
    • Apple travel Adapter Kit (or equivalent), with the plugs of all your stops on the way. Consider to add the UK one too: I’ve found that the power plugs often don’t hold power supplies with US prongs at all, and poorly with the European ones. This is the one place where I really like the massive UK power prongs: they keep the power supply nice and snug even in turbulence.
    • Short USB charge cables for your phone, tablet and noise cancelling headset.
    • A good eye mask.
    • A small pen, and if you like that, a note pad.
  • Pack any item that is a liquid/gel in a good ziplock bag of max 1l. Not only will that allow you to efficiently pull it out if it is in your carry-on luggage, but it will also save you much grief should it accidentally open/leak in your check-in luggage.

During the trip

  • Drink plenty of water: Simply accept every offer of water.
  • Stay away from alcohol: Alcohol dehydrates you, and degrades the sleep quality significantly. You might feel a bit better dulling yourself from the travel stress with the alcohol, but you are paying a heavy price for this after the flight. I advise meditation and binaural beats as an alternative for handling the stress of the travel.

Professional-paranoid tips

  • Consider putting a 3M privacy shield on your laptop. It severely reduces how much your neighbours can see and how much they are disturbed by your laptop’s light. (Disadvantage: it is glossy, especially the gold side, so it makes the screen a bit less clear. A privacy shield also interferes with a blue-filtering screen. Do install F.lux.)
  • Consider the environment and prefer seats with no people behind you. People do look on your screen. I know I can’t help but notice that presentation or business plan…
  • As usual, always lock your computer when you are away from it. Don’t leave it unattended in waiting rooms and such of course.
  • Put some TSA approved locks on the zippers of your backpack, and connect them together.

Flying business class: decadent waste of money or cost-efficient use of time?

I’m writing this half-way between Europe and the US. Decadently in business class.
I used to consider this an extravagant decadence, a waste of money. Money was scarce, not mine to spend, or both. A typical ticket from Europe to the US costs about €400-600 per leg. The upgrade to business class typically costs €300-600 per leg extra. That is a lot of money to spend on more personal space for ±8-10 hours.

And now that money isn’t scarce, but my time is, I’ve come to the conclusion that business class is actually cheaper for me financially. This surprised me (pleasantly ;-)). Below is my reasoning.

Yes: Getting work done

Flying in business class gives me room to put my laptop in an ergonomically ok distance (display is still too low, but there is not much to do about that), without fights for my elbow space or visibility on my screen.
As a result, I typically get a solid 4-6 hours of work done (no distractions), which pays for the upgrade costs. So this is money-cost neutral from just the work I can do on the plane.

Yes: less travel stress, more availability

Meanwhile, I travel much more comfortably, resulting in much less stress on my body and mind. I also get a good 2-3 hours of nap/meditation. The result is that I arrive in a much better physical state, with much less recovery time and energy costs. This saves me a good 1-2 days of crappy recovery from jetlag at the destination.
The improvement in my quality of life is totally worth it as a person, and me being immediately fully functional for work alone pays for the business class ticket in the 1-1.5 days of productivity that comes from that. Let alone the much deeper impact I can make from being resourced.

Conclusion: Heck yes!

So, now I decadently enjoy both the time saving and money making travel in business class.

Jet-setting and working hard,
Wouter

P.S. Regardless of the travel class, I have some tips that make travel much easier.

99Designs logo design experience

As you early readers of my blog know, I had a design “contest” using 99Designs for a new logo. I’ll have another post on how the economics of 99Designs led to some less desirable results.

This post however, is about how selection of the logo happened.

Setting context: The brief I gave

Title: “Create a clearly personal, yet elegant logo and FB header” by Wouter.org.

The tone I want to convey is me (Wouter, my first name, masculine) talking to you (the reader), one on one, person to person, not with a lot of attention on me but also not shrinking that it is me you are talking to. I’d love the logo to be very similar to my own handwritten Wouter, or quite different but inspired. The total domain name “Wouter.org” has to be quickly understandable, with .org clearly part of it.
I’ve also attached some pictures of me for possible inspiration on the header files. All are mine in terms of copyright and can be used for this.

Lessons learned

Cross cultural experiences

An important practical detail for me was that the total domain name “Wouter.org” would be immediately clear. This brought up interesting multi-cultural perspectives. As the logo was based on my (arguably not so readable) handwriting, I found out that the t is crossed differently in the US for example. I did not know that cursive writing varied that much!

Voting isn’t that distinctive

I set out a poll with friends to ask for feedback.
It turned out that the actual voting itself wasn’t as useful to me as I expected, as the voting results were pretty close to each other:

(Screenshots of the poll results, 2016-09-07.)

Interestingly there was quite a bit of “love or hate”, i.e. designs having lots of votes in both the “1: hate it” and the “5: love it”. My conclusion: this design does stir things with the viewer. 😉

Text remarks are most actionable

Getting specific comments from people turned out to be the most useful. I could spot common themes in what worked and did not work for people, and those who had experience in graphic design gave detailed feedback.

However, quite often that feedback was completely contradicting the previous feedback in impressively new ways. The first feedback would say some aspect of the logo was very unclear, the other immediately saw me and my name in it, the third said it wasn’t me and the ‘t’ should be different.

In the end I, Wouter, make the decision

So, with conflicting signals, ultimately this was my decision to make and hold. Not much different from my technical work and other leadership positions 😉

So I decided for the one that felt the most authentically me.

Wouter.org logo (image)

It looks really good on shirts and a business card!

With gratitude (and a new logo),
Wouter

In business, you outsource your shadow work

In the self-improvement world, there is a strong bias towards healing any wounds/shadow/reactive behavior. You see a weakness, you work on it. You struggle with it, finally heal yourself, and make yourself an even more perfect person. You learn to love being in that painful healing state.

In the business-world, you don’t. You see your weakness, you figure out what needs to be done to have that weakness resolved, and you outsource doing that – to a contractor, a piece of software, a system, a trusted employee. But not you. There is no value in struggling with your demons in business.

In business, you focus on doing what is so obvious to you and brilliant to others, what is so much your superpower that it is simple for you to do yet seems super-human to everyone else: your 10x value add.

Now stop delving deep in your shadows, just hire that accountant to do your taxes, and bring your actual gifts to the world!

With efficient passion,
Wouter

Flip Feng Shui: Perturbation attacks made it to VMs

I’ve been reading up on the Flip Feng Shui: Hammering a Needle in the Software Stack paper, and I’m enjoying that the common smart card attack considerations are coming to more mainstream software considerations.

From the paper:

We describe Flip Feng Shui (FFS), a new exploitation vector that allows an attacker to induce bit flips over arbitrary physical memory in a fully controlled way. FFS relies on two underlying primitives: (i) the ability to induce bit flips in controlled (but not predetermined) physical memory pages; (ii) the ability to control the physical memory layout to reverse-map a target physical page into a virtual memory address under attacker control.

This first item we call “perturbation attacks” in the smartcard domain. We do those attacks all the time, by giving our poor smartcards power spikes they really shouldn’t be exposed to, prodding them with probing needles too small for the human eye, shooting them with freaking lasers, … you know: standard Monday morning stuff in the office*.

Because we’ve been doing this for ±20 years now in this domain, it takes a while for me to understand a statement like the following is not a joke:

existing cryptographic software is wholly unequipped to counter it, given that “bit flipping is not part of their threat model”.

Because in my world, bit flips are a given, considering that there is an attacker playing with the smartcard. Monday morning remember?

So how does this attack work?

The attack (mis)uses memory de-duplication, i.e. a feature in the host hypervisor that notices that a page of memory of one VM is identical to a page of another VM. When this is enabled, the host hypervisor then maps both these pages to the same physical page (to reduce actual used physical memory by 40-70%!). If the attacker was the one who created that page originally, he now owns the actual physical page. As long as the host software thinks this page’s content has not changed, the victim VM will read the attacker’s physical page.

So the attacker then does a Rowhammer attack to cause a bit to flip in ‘his’ page. As Rowhammer is a physical side-effect that ‘should not happen’, the host hypervisor does not see the page as changed, even though it is. So now the attacker has just caused a bit flip in his own and, more importantly, the victim’s memory.

Flipping a bit in, say, an RSA public key allows the attacker to factor that modified key and generate the matching secret key. If the attacker does this with the RSA key used to authenticate root access over SSH, or with the signature key for package updates of a Linux distribution, he now has full control over that machine.

Neat! (In smartcard world we usually attack the secret key, because of how the protocols are used.)
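To make concrete why a single flipped bit in a public key is so damaging, here is an added toy-size Python example (constructed, not from the paper): a 20-bit RSA modulus, every single-bit corruption of it, and a check of which corruptions yield a modulus that factors and accepts a private exponent the attacker can compute. It also shows the defender's counterpart, a fingerprint of the stored key that any flip changes. The primes, message and fingerprint format are my own choices; Python 3.8+ is assumed for the modular inverse.

```python
"""Toy-size illustration of the public-key bit flip described above (constructed,
not from the paper): a 20-bit RSA modulus so the factoring step is trial division.
The principle is identical for real key sizes; what changes is how much easier
the corrupted modulus is to factor than the genuine one."""
import hashlib

E = 65537   # common RSA public exponent


def factor(n: int) -> dict:
    """Full trial-division factorisation (toy sizes only): {prime: exponent}."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def private_exponent(n: int, e: int = E):
    """d with e*d == 1 mod phi(n), or None if this modulus is unusable with e
    (repeated prime factor, or e not invertible). Uses pow(e, -1, m) from Python 3.8+."""
    phi = 1
    for p, k in factor(n).items():
        if k > 1:               # textbook RSA correctness needs a squarefree modulus
            return None
        phi *= p - 1
    try:
        return pow(e, -1, phi)
    except ValueError:
        return None


def sign(msg: int, d: int, n: int) -> int:
    return pow(msg, d, n)


def verify(msg: int, sig: int, n: int, e: int = E) -> bool:
    return pow(sig, e, n) == msg


def flip_bit(n: int, bit: int) -> int:
    return n ^ (1 << bit)


def fingerprint(n: int, e: int = E) -> str:
    """Defender's side: store this for every trusted public key and re-check it
    before use; any single flipped bit changes it."""
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]


def attacker_view(n: int, e: int = E) -> list:
    """For every single-bit corruption of the victim's modulus, report the ones
    for which a matching private exponent can be derived by factoring."""
    usable = []
    for bit in range(n.bit_length()):
        corrupted = flip_bit(n, bit)
        d = private_exponent(corrupted, e)
        if d is not None:
            usable.append((bit, corrupted, d))
    return usable


if __name__ == "__main__":
    n = 1009 * 1013      # constructed victim key; its genuine factors are never used below
    for bit, corrupted, d in attacker_view(n):
        sig = sign(42, d, corrupted)
        print(f"bit {bit:2d}: n'={corrupted} factors={factor(corrupted)} "
              f"forged signature accepted by corrupted key: {verify(42, sig, corrupted)} "
              f"fingerprint changed: {fingerprint(n) != fingerprint(corrupted)}")
```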

Theory or practice?

Now, to successfully pull off this attack, several things have to be possible for the attacker:

  • predicting the memory content (this excludes attacks on confidential information such as secret keys),
  • memory de-duplication must be active (so disabling that, or setting it to “only zero pages”, seems prudent),
  • the attacker must be running his VM on the same physical machine as the victim’s VM (I don’t know if this is a realistic scenario. More on it below)
  • the memory must be sensitive to something like Rowhammer (so ECC memory is yet again a good idea, it will reduce the chances of this significantly)

Realistic to be the neighbour of your victim VM?

This attack depends on being able to run the attack VM on the same hardware as the victim VM. I have no well-founded grounds to guess if this is a realistic assumption.

I can think of the following situations where that is possible:

  • The pool of actual hardware is pretty small compared to the amount of VMs, because the hardware is very beefy or the VMs are small.
  • The amount of instances of the victim VMs is pretty big, because it is a standard VM replicated many, many times. I think about situations like massively parallel computing or streaming (Netflix?).
  • Or the targeted page is very common, and here I’m thinking of the signature files for updates for example, or company wide backup root accounts.

My conclusion: stay calm and …

Considering all the complexity of this attack, I don’t see it worming all over the Internet soon. It is however a cool warning that attacks can and do cross over between these various fields.

I wonder when they’ll realise they can also apply this attack to modify the running code of, say, the password check routine.

Financial growth to freedom

Lately, I’m getting questions on “how to invest” income beyond direct living costs.
Just like with GTD systems, I find it very important to have a financial system that one can relax into fully. Not having concerns about money frees up a lot of mental and emotional energy, and can shift one from a scarcity to abundance mindset.

My advice and practice is to implement this once the daily living costs have been covered, in the order stated below:

  1. Put an amount of at least 6 months of living costs + one big unforeseen cost (e.g. suddenly needing a new car due to an accident) aside in a savings account as buffer for hard times.
    Taking out a loan is very expensive, both in money (interest) and in energy (loss of abundance mindset).
  2. Invest at least 15% in a financial freedom fund, some form of savings that does not easily lose value but is accessible if you need it within half a year, relative to the way you live.
    In my case it is my own house and office, as I don’t likely need to move anytime soon. If you are like a lot of my friends and you want to stay more mobile for a while, consider an investment fund that has the same distribution as the Dow Jones, but mind the costs and risks!! I highly advise reading Tony Robbins’ “Money, master the game” on this topic. Management costs above 0.5% annually of your investment will kill any value accrued.
  3. Invest 10-30% in development of skills and contacts that make you more valuable, more productive and widely skilled, so that you upgrade your market value by at least one order every two years. Examples include workshops that really stretch you beyond what you think you could do or mastermind groups at a level you think is beyond your stature.

After the above, you can put the remainder into further tweaking of your financial growth and stability, with your choice of:

  • Extending your safety buffer to 12-24 months (I aim for 18+ months, allowing for a safety margin to abort ventures)
  • Reducing any costs you have (e.g. paying off outstanding credit card, loan or mortgage costs)
  • Investing in quality products and services that require reduced upkeep costs and make you much more productive
  • More investment in financial freedom capital
  • More investment in totally different skills and contacts

And whatever you have left and are entirely ok with losing completely, gamble that by:

  • Paying it forward to a personally worthwhile social goal. Ideally, this could be bootstrapping someone you personally care about towards their self independence, their growth, while expecting nothing in return (and probably getting a lot from that in feeling good).
  • Trying an investment in a start-up you believe will work financially (with a return of at least 10x) and do your kind of good in the world. Then don’t touch or even look at that investment for at least 5, preferably 10+ years. Don’t expect it to return anything; be positively surprised when it does.
  • If you really must learn that lesson yourself: lose it by gambling on the stock market, stepping into or out of the latest crypto coin hype too late, or other such “I can beat the system” delusions.

I hope this view helps you decide wisely where to put your money.

For the growth!
Wouter