Safe by Default
The hardware wallet on the table was yellow. Not black, like almost every other one sold that year. I had ordered it in yellow on purpose. Anyone who had spent the previous weeks watching me, in person or through a camera, would have been preparing for black.
The meeting was in Milan, on a floor that was not the one printed on the calendar invite. Fourteen minutes before we were due to sit down, the lawyer sent a WhatsApp message changing the room. Same building, different floor. I had asked him to send it that way, at that time, in his own voice, from his own number. The new room was clean. The old room, if anyone had pre-positioned cameras in it, watched an empty table for the rest of the afternoon.
When the device came out of the box, both parties signed a strip of paper tape and pressed it across the seam. After the seed was initialized, anyone who later asked to “just double check one thing” on the device would have to break a signature to do it.
None of this was instinct. All of it was planned. The yellow color, the late floor change, the tape, even the sequence of who touched the device first and when, were chosen weeks earlier. Each one defeated something a competent attacker would otherwise rely on, and each one cost almost nothing to add.
This is what the book is about.
I am writing it now. The working title is Safe by Default, and chapters and excerpts will appear on this site as they are ready. The argument fits in one line.
Make your defaults safe, in a world where attackers count on them being convenient.
This is not a checklist. There are already enough of those, and most of them age badly within a year. It is also not a book about cryptography or zero-days, though both will appear when relevant. It is a book about how to recognize an attack while it is still being prepared, and how to arrange things so the preparation itself becomes expensive.
Three ideas run through the book. The first is the difference between security theater (rituals that feel safe and accomplish nothing) and security mechanism (something that actually changes what an attacker can do). The second is information asymmetry: at the start of any attack, the attacker knows more about you than you know about them, and the defender’s job is to flip that. The third is borrowed from a martial arts framework, which turns out to have surprisingly clean language for ideas that most security writing has to invent from scratch.
The reader I have in mind is curious but not technical by trade. Someone who has noticed that most security advice is either condescending or impenetrable, and would like a third option.
The first full piece is coming shortly. It is the chapter the yellow Ledger belongs to.