
Why Most Cybersecurity Advice Is Wrong


How do you stay safe online? (Wrong answers only.) Avoid public Wi-Fi, QR codes, charging stations. Cyber OG Bob Lord (Yahoo, DNC, CISA) wrote an open letter tackling the real harm caused by bad advice, and offering a better path with proven practices to stay safe online.

Check out https://www.hacklore.org/letter

Episode 229



Transcript [uncorrected]

Beau: You might recognize him for his pivotal role hardening the DNC’s cybersecurity defenses.

Clip: This is an electronic Watergate. This is an electronic Watergate. This is a break in. This is a break in, and it, I think that we have to recognize, uh, what is happening here.

Bob Lord has worked at the highest echelons of cybersecurity, including at the Department of Homeland Security, where he spearheaded the Secure by Design program at the Cybersecurity and Infrastructure Security Agency, or CISA for short.

He just wrote an open letter that was greeted by the cybersecurity community with a collective sigh of relief. It's about Hacklore (think folklore, but online): things we think will keep us safe, but that actually distract people from what might really help.

Clip: It's not harmless to tell people to do things, or to not do things, if there's no basis in how that works. People have a very limited amount of attention that they can spend.

We’re going to explore all that and more in this week’s episode. I’m Beau Friedlander and this is “What the Hack?”, the podcast that asks, “In a world where your data is everywhere, how do you stay safe online?”

Start

Beau: Bob Lord. Bob is the Senior Vice President Digital Security Strategy at the Institute for Security and Technology. Previous roles have included CSO of the Democratic National Committee and Chief Information Security Officer at Yahoo once upon a time.

So, no stranger to the various and sundry issues that people face online. Also a lot of the nonsense that they have to wade through in order to figure out how to stay safe. Is that fair, Bob?

Bob: Yeah, that's exactly right. This is something I've been struggling with for many years, I think most notably going back to my time at the DNC, when I was trying to get people to adopt practices that really would help them stay more secure.

Beau: Well, okay. Way to dangle the bait. So, the DNC has had some newsworthy lapses of security over the years. Were you working for them at the time?

Clip: We are learning more about the hack into the Democratic National Committee, including indications for the first time that the breach went beyond the official accounts of DNC staffers and included personal email accounts as well.

Clip: I mean, it's pretty clear that there's, uh, security problems with the DNC. Do we know that? Again, on the RNC side, have they upped their security in years or not? Well, look,

Clip: I think everybody has made efforts to 

Clip: that the hackers breached private email accounts and not just a couple of more than a hundred party officials and different groups.

Clip: This is an electronic Watergate. This is an electronic Watergate. This is a break in. 

Bob: Yeah. So, I came in after the 2016 hacks to try to refactor the IT infrastructure and the security of the system there. So I was the first chief security officer there. And as you would imagine, we took a look around at the landscape and tried to figure out how people were being compromised. And it shouldn't be a surprise to anybody in your audience what the most common forms of compromise are, including just asking people for their passwords and tricking them into coughing them up. And so those were the kinds of things that we had to really focus on to help people stay more secure. Over time we developed the checklist, because it's obviously not possible for any one person or team to scale. So we had a checklist, which is still available on the website. It's a nonpolitical checklist. But the DNC checklist helps people walk through the things that will reduce the chances of them being caught up in the most common scams.

Beau: Well, without getting into the Hacklore letter, which I want to do later, and which is why we're here today, I wouldn't mind hearing what the short list on that punch list was to keep people safe.

Bob: Yeah. So, spoiler alert, the basics are still the basics. So yeah, it turns out that keeping your machines up to date is a very important part of staying safe. So is having good identity management. So is making sure that you have good passwords and a password manager and, you know, MFA. Those are the things that are really going to keep people safe.

And so those were some of the elements that went into the DNC checklist. It was much more of a checklist. One of the things that we learned when we started to sit down with people one-on-one is that some of the terms that we use in the world of cybersecurity aren't necessarily widely known.

And so I treated the checklist like software. I would sit down with people, go through it, and they would look at me and say, what is that? What are those words you're using, Bob? And I'd say, okay, let me try to use some words that'll be a little bit less esoteric. And then we'd refine the text over and over again.

And over time it got to the point where people could actually sit down and complete it in ways that did not require as much handholding.

Beau: What's the most mind-blowing thing that you would think folks knew but didn't, so they'd say, can you please explain that to me, Bob?

Bob: So I would assume that everybody knew what MFA is, because everybody I talk to in the world of cybersecurity knows what MFA is. And it turns out that the everyday person may or may not know, despite all of the marketing around that particular control. But I also learned how confusing it is, because we use a lot of different words for basically the same thing.

So I would talk about MFA and I would explain that that was multifactor authentication. People would turn around and say, well, what about 2FA? And I'd say, okay, good point. Good point. There's an additional thing there too; that's really the same thing. And they'd say, well, I'm on a particular website and it talks about two-step verification. What's that? I'd say, oh, okay. Yeah. Okay. So apologies on behalf of the cybersecurity world: we have a lot of different terms for basically the same thing. And this was something that I think to this day confuses a lot of people.

Beau: Okay, so anything else that was unexpected from the DNC days?

Bob: I think that was the main thing. You know, easing into the Hacklore conversation, people had a lot of misunderstandings about what really made your account secure.

Beau: So. Stop Hacklore. I saw it online and I immediately was like, huh, hack-lore. I guess it's like folklore, but hacking. And sure enough, that's what it was. I opened up the letter and I see that I'm not a signee, which really made me sad. A lot of guests that have been on the show are, though, 'cause we have done our job over the years. But here's the thing that blew my mind. It's calling BS on a lot of things that people think actually keep them safe and don't.

What made you put this together, and did you do it alone or did you do it with a team of people?

Bob: Yeah, so, you know, I just saw so much cybersecurity advice that was aimed at everyday people that was just wrong and needed to get retired. And this happens year after year. I would see this and I'd say, really? And, you know, I have some friends who know that this is something that bothers me, and they occasionally like to send me news articles or reports to not use public Wi-Fi because the evil barista is going to steal all of your banking information, and things like this. So, just literally about a month ago, somebody sent me another one of these and I just said, I need to stop rolling my eyes. I need to start doing something. I need to turn my frustration into action. And so I asked a few people, would you sign a letter if I started to type this up? And everybody, surprisingly, said yes. I really did not expect so many people to immediately say yes. And so now the burden was on me, so I had to start typing. But it wasn't that hard, because again, this is something I've been thinking about for the better part of a decade.

So, we put it together and asked a few more friends, and about a hundred people overall signed online. So we knew that we were tapping into a collective frustration. It wasn't just me.

Beau: No, I mean, the collective sigh was audible here where I live, through the internet. When I saw that list, I was like, oh, that needed to get said. I think maybe we need to dive in a little bit on this open letter, because it starts with a quick address to who your audience is, and it's, you know, the public essentially. And then you dive right into outdated advice. And I just wanna run through them for people, because, you know, we can't give 'em a hyperlink on a podcast. So, avoid public Wi-Fi is the first one. And you already brought it up. And I'll tell you, I've been working in cyber for 15 years and I've done a lot of reporting on people who've been scammed, and I don't think I've ever, ever come across somebody who had a so-called "man in the middle" attack happen to them. Talk about it.

Bob: Yeah, I mean, that's exactly right. And so, back when I was at Twitter in 2010, this was a real problem. So if you wanted to use a public Wi-Fi access point, it was absolutely true that somebody sitting on that network might be able to eavesdrop on your conversations, because the only thing that was encrypted back then was your name and password when you logged in, and after that, the server would give you a cookie to remember who you are.

And that was all sent in the clear. So yes, somebody could sit on the network and listen to my conversation. In fact, somebody came up with a very clever Firefox plugin called Firesheep. And what that did is not only eavesdrop on it so that you could watch everybody's Facebook and Twitter sessions.

But if you pushed a button, it would then allow you to steal their session cookies and become that person on Facebook or Twitter and whatever sites it supported. So this was a very interesting turning point. And after that, most companies started a program to move all of their traffic to HTTPS.

Which means that the information is encrypted, such that anybody eavesdropping is only going to see a bunch of gobbledygook, and they're not going to be able to see what you're doing, and they're not going to be able to become you. So that was true in 2010. Since then, we've made so much progress in encrypting that that's just not a viable attack for most people, most of the time.

Beau: And it correlates exactly with how long I've been doing this. So it explains why there haven't been a whole bunch of man-in-the-middle attacks in the reporting that I've done, because it stopped right about when I started doing this.

Bob: It changed it, right? It changed the economics for an attack, and that's really what we're trying to do in security: raise the cost to the attacker. So they have to spend more and more effort, time, money, whatever their resources are, in order to accomplish their goal. And this migration to HTTPS took that attack vector off the table for almost all attackers.

Beau: But it also took a while, as I remember, Bob. Like, adoption was not immediate.

Bob: Absolutely. So it took a long time, and even, you know, five years ago there were still some websites that were not using the HTTPS protocol effectively, and the browser companies have been stepping up. The operating system companies have been stepping up. One of the complaints was, it's expensive too, to buy a certificate, which you have to use in order to publish using this encryption protocol.

Beau: Is it expensive?

Bob: Well, it was. Some people argued that it was expensive, although you could get them for like 50 or a hundred dollars. But since then, there was an initiative called Let's Encrypt, and that is one in which the cost is zero; it's free.

Bob: And so that eliminated that particular problem.

QR Codes

Beau: The next thing on the list doesn't really speak to that, but I still just want to go in order of what's here. The next one is never scan QR codes. So obviously people think, I'm gonna go to a restaurant, I'm gonna scan this code, and it's gonna have access to... it's gonna log every single keystroke and it's gonna know everything about me and I'm dead. I'm gonna die.

Bob: Yeah, that's probably not the way this is going to pan out. So the advice basically is a callback to those times when the way that you would scan QR codes was by downloading an app. And there were many on all the stores. Some of them a little sketchy, not really clear what they were doing.

Bob: But now the function to scan a QR code and turn that into a website is built into modern cameras, and the companies that make those operating systems have been working to make sure that the software is going to be resilient should there be some sort of hanky-panky with the actual QR code.

Bob: And so in the last maybe five years, I'm just not aware of anybody being directly poisoned by a QR code. That's just not how it works. Now, having said that, you are going to the restaurant's website. You are going to some website that has the menu, and of course it's a website, so if there are cookies involved, they could start to learn who you are based on that.

Bob: And so some people have raised some privacy concerns around QR codes from that angle. But when we think about the ways that most people lose control of their accounts or their devices, that's not the way it happens.

Beau: Okay, now what the heck? We're guilty of spreading some of this nonsense too, in the past. And I think some of it is sort of just lack of update, right? It was true 10 years ago. It's not true now. It was true five years ago. It's not true now. And I know I think I've said, you know, don't charge your device at a public USB port, which is the next thing on the list. And to be honest, I don't know that... I know for a fact that juice jacking is a real thing. As I know I've said it a thousand times, and yet I also know that it was something researchers figured out, but it never did escape into the wild.

Bob: There was a really good talk at Defcon, I think it was in 2011. So this is a hacker conference, and somebody demonstrated something that allowed them to take advantage of the fact that USB ports can not only do charging, but they can send data, which of course we know. And what they were able to do is demonstrate an attack that took advantage of this feature of modern phones, modern at the time.

Bob: Not long after that, the phone companies seemed to understand what was happening and made a number of corrections, and I am not aware of any juice jacking taking place in the wild. There was one report I chased down, which took me a little while, but it got all the way back to a particular sheriff's department.

Bob: And I believe it was Zack Whittaker who wrote a report based on that. He called and asked them for information about what sort of cases they were prosecuting, or at least investigating. And they replied that there really weren't any; they were just trying to warn people. So what happens is we mistake possibility for probability, and we start to warn people.

Bob: And the one thing I should mention here, this is sort of a meta comment: it's not harmless to tell people to do things or to not do things if there's no basis in how that works. People have a very limited amount of attention that they can spend thinking about cybersecurity, and no matter what they tell you, people are not willing to spend hours per month protecting their digital lives.

Bob: They have things to do. They don't even wanna spend hours per year. My personal experience is that when I talk to people and really get in the weeds, people will spend precious few minutes per year doing the things necessary to protect their lives. So when we pollute the airwaves with things that won't make them safer, we're actually stealing time from them doing the basics.

Bob: So this Hacklore is not... you know, people say, well, what's the harm? It turns out that there's a lot of harm, because you're robbing them of the opportunity to get safe.

Beau: Yeah. They have only so much memory allocated for this kind of activity, and if they're thinking about things that don't work, that is really a harm you're causing to people. I was at a dinner, an FBI dinner, not long ago, and I came back to the table after leaving my phone in front of my setting, and it was sitting on top of the phone of a man who's a friend of mine.

Beau: Who used to be very, very high up in the Secret Service and is now the head of a global security firm. Meaning to say that he might have Pegasus on his phone, and certainly would be one of the people who would have access to it. So near-field communication is on your list as a thing that's like...

Beau: Because you brought up Defcon too, and I thought when I went to Defcon, like, is somebody just gonna brush up against my computer bag and have all my data? No, they're not. I know that, and I know that Bluetooth is probably not a channel, but I would love to hear your thoughts on the anecdote I just told you, because I did return to the table, see my phone on his phone, and go, egad. And he's a friend, so I don't know what he was looking for.

Bob: ...gonna get you, or somebody got him, and then they're gonna turn around and get you.

Beau: Who knows. So, but the Bluetooth thing. So yeah, those are on the list. Talk about Bluetooth and NFC.

Bob: Yeah, so these are, again, more common pieces of advice that don't really seem to pop up in the wild. And we gotta really focus our advice on the crimes that we see today. Not the spy stories, not the ninja tactics, not the Mission Impossible kinds of things.

Bob: And I should say that there are high-risk individuals. There are people who are high-value targets, and they could be people who are in the Secret Service, senior people who have access to a lot of information. It could be reporters who are covering national security topics.

Bob: It could be human rights activists. It could be people who are subject to intimate partner abuse. There are many people who are high-value targets, and they will need guidance that is tailored to their unique environment, their unique circumstances, their threat models. That is not what this is. We do have links to some of those resources on the FAQ and on the resources page.

Bob: But this is designed to counter the persistent commentary that we see that is aimed at everyday people for crimes that literally don't exist.

Beau: Am I right in my sense that regularly changing passwords actually creates a vulnerability more than it fixes one?

Bob: Yeah, the advice to change passwords, really, that's sort of a complicated thing. Probably not worth going into. But, yeah. So that was the piece of advice that we got. The advice that we have further down is the modern advice.

FUD

Beau: So like FUD, fear, uncertainty, doubt, that kind of marketing around cybersecurity products and services, is where I think some of this echo chamber took root. Because, you know, you had a marketing motion where people had a job to do; they needed to get people to sign on, use a SaaS, use this, use that. Do you have an opinion about that? Because is that part of what happened here, that marketing grabbed these things and started repeating them endlessly?

Bob: Well, so the reputation... you're onto something there. So first of all, new technologies, and we see this throughout, you know, literature and monster movies and all sorts of things, new technologies often have some form of a backlash, where people say, oh, it's not safe, or whatever.

Bob: And so things that are scary and repeated become part of the overall conversation, and if enough people say it, then it becomes very, very hard to dislodge that. And so the reason I wanted to build this hacklore.org page was to have a place that people could point to. Otherwise, to the best of my knowledge, there really wasn't any place that was specifically focused on debunking myths.

Bob: There was a lot of conversation all over the place. You have a Facebook comment here, you know, a LinkedIn comment there, but there wasn't a central place where people could create a link to debunk this, to explain that the repetition isn't really warranted. And even, and you're probably gonna ask me about this, but there are government sites, there are very well-meaning not-for-profits, that have repeated some of this stuff.

Bob: And once it gets into the system, without some place to push back, it just keeps spreading. And so that was another motivation: to say, point people here.

Beau: And it explains why you needed a hundred co-signees on the letter, because now you have a hundred people in this business saying this is right. It's simple. It's correct. Let's get into what is correct, 'cause talking about FUD actually gives me indigestion. And it's not just because I'm old. So the first recommendation for the public that the Stop Hacklore letter presents is keep critical devices and applications updated. And the whole world just said, duh, but they didn't. Can you talk about that?

Bob: Well, it's very funny, because this is one of those things that most security practitioners know, but a lot of everyday people don't fully understand. And, you know, if somebody had a bad experience with a software update at some point back in, you know, 2005, they're once burned and then they're forever hesitant to move forward.

Bob: So I think we really wanted to emphasize the fact that, for example, a lot of the links that people send me, they say, well, what about this, Bob? And I say, right, this affects everything up to Android version 13. We're on version 16 now. And by the way, if you're running these really old versions of Android, you know, more than three, four, or five years old, or iOS, or any operating system...

Bob: You know, any one of these scams is probably the least of your problems. You probably have a lot of other issues as well. And I recognize the reality is not everybody can update to the latest phone all the time, so there's some real tension there, for sure. But the operating systems, the application makers, you name it, continuously improve the security of their products.

Bob: We need to make sure that we're doing our part to adopt those new versions when they come out. Now, I'm also a guy who started the Secure by Design program at CISA within the government. So my whole thing is I wanna move the burden of staying cyber safe back to the manufacturers. Nevertheless, we are where we are today, and part of that responsibility is to make sure that you apply those security updates.

Beau: Bob, so what do you say to somebody who says, no, no, no, I'm using Windows 95, and I have a flip phone or whatever, I have the first iPhone, whatever. Therefore, because I'm using these systems that nobody's targeting anymore, I'm actually safer.

Bob: If they're going that far back, I don't know that I'm gonna be able to reason my way through. I don't know if I'm gonna be able to convince them, because it sounds like they've already convinced themselves what they're going to do. The reality is that the tools for automating attacks against systems are quite good. And I wouldn't count on thinking that something is too old to be hacked.

Beau: So there's no planned obsolescence on the attack front.

Bob: The attackers will do what works. Now, having said that, they're mostly going after the large-scale compromises. They're not necessarily going after you. So somebody could possibly argue that they are going to be a little bit more immune to the most common attacks. But again, I think that's probably not a good strategy long term.

Beau: Now it's an age-old chestnut among security people that, you know, good security is something you know, something you have and something you are. Multifactor authentication's on the list. And it doesn't have to include, you know, jumping on a scale and doing a butt scan and a retina scan; there's some cartoon I watched with my children once upon a time that included all that silly stuff. Or Tom Cruise, like, you know, blocks on Mission Impossible. It's much simpler than that. Talk about multifactor authentication and why it works.

Bob: So I think I first deployed MFA in 1997, something like that. So it's been around for a very long time in various incarnations. And so the basic idea is there are ways that attackers can sometimes learn your user account name and your password. And if they do that, then they would be able to log into an account.

Bob: And we don't want that. So the question is, what additional friction can we throw at the attacker that will limit their ability to get access to your account? And the answer is sending another piece of information. And that information could be a text message that you get on your phone. It could be an authenticator app that you use on your device.

Bob: It could be passkeys, which is the more recently announced and propagated technology, which is really the gold standard for MFA. So we wanna be able to have that additional assurance. And the reason that we mention passkeys is because the other forms of MFA, while incredibly effective against the most common attacks, are still phishable.

Bob: In other words, I can ask you for your name and password, and if I've convinced you that I am your bank, or if I've convinced you that I am a website that you wanna log into, I then will just ask you for the six-digit code. So it's not that much more effort to phish one of these codes.

Bob: It does, according to multiple investigations, stop a lot of the attacks, but it doesn't stop all of them. So that's why phishing-resistant passkeys were invented.

Beau: Brian Krebs yesterday actually wrote up a situation in China involving e-commerce storefronts and iMessage phishing campaigns that are geared towards stealing credit card data and provisioning it for digital wallets. And if you don't know what that means, it's a little complicated. But basically hackers are combining social engineering with a believable e-commerce site in order to get the code that your bank sends you, so they can steal your credit card information. Did I say that right, Bob?

Bob: I think that's right. There are many different kinds of scams, but, yes, I think that's...

Beau: And so the issue here really isn't MFA, it is social engineering.

Bob: That's right. I mean, to a certain degree. If you have fallen for the ruse, you are going to do things to comply. Now, if it's simply logging onto a website, technologies like a passkey will still not give the attacker what they need. In other words, when you do what the attacker asks, they still cannot log into your account.

Bob: Now you're talking about a scam which involves a few different parties, and those kinds of things. It's difficult, although we hope not impossible, for technology to overcome at some point, but it sort of falls outside the scope of what we're advising here on this hacklore.org page.

Beau: No, and that is kind of the point. I think the big takeaway point is that there are exceptions to everything out there. If you're a high-value target, if there's a reason... and by high value, I'm not telling you this, Bob, I'm telling our listeners, by high value, that doesn't mean that you have a ton of money. It doesn't mean that you have a Bitcoin wallet dating back to the beginning of time. It just means that somebody, as Bob pointed out, is highly motivated to get where they're going. So it could be a domestic abuse situation; it could be a lot of things. You know, if you're a high-value target, and if you know that, then this isn't for you. We're talking about a baseline security protocol right now. Is that fair?

Bob: Yeah, that's fair. The one nuance I would offer is, some high-value targets don't believe that they're high-value targets. So this is the strange thing. There are everyday people who mistakenly, through all of this Hacklore, believe that they're going to be victimized by Mission Impossible-style hacks. That's not true. On the other end of the spectrum, there are high-value targets who've not emotionally fully gotten over the fact that they're high-value targets and that criminal groups or nation-state attackers are gonna come after them. So I think some people have actually suggested, can you work on those people for your next project? And that was like, one theme at a time.

Beau: Well, you were at CISA, so... I mean, I have to say I have been in the room with a senator, I've interviewed a bunch of senators, so this is fair. A senator who was having trouble with something, and I said, well, what's the password? I'll fix it. And they told me. And the password was dumb. The password was, you could crack it in 10 seconds. And if you don't know what cracking a password means, listen to what Bob is going to tell you next, because the next two things on the list I think we can do in one shot, which is passphrases and password managers. People think, like, I'll get a password manager and it's gonna solve everything. But in fact, with AI where it is right now, and basic programming that exists as malware, as crime-as-a-service malware, there are a lot of tools out there to crack passwords, and passphrasing is maybe the best way to keep that at bay, isn't it?

Bob: Yeah. So a passphrase is generally a set of words that you can remember or write down, and the passphrase is interesting because it's long. And it turns out for certain kinds of attacks, you want to have a very long password. Now, those kinds of attacks are generally focused on times when somebody has broken into, let's say, a website and they've stolen the user database.

Bob: Generally speaking, that database will have each password, uh, it’ll be hashed in such a way that it looks like gobbledygook. However, there are very efficient tools which will then try to reverse that particular password to figure out what it is. And if you have a shorter password, even if you’ve used upper and lowercase, even if you’ve used special characters, it turns out that those will not be sufficient to thwart the person who’s trying to crack your password.

Bob: So a longer password is really what does it, and it turns out you can actually use English words. You’ve probably seen much advice to never use any English words. That’s not really the current thinking. So using a long passphrase is one of the characteristics that defines a strong password. So length is one, uniqueness is another.

Bob: And so when I was building this out, um, I had somebody from a, uh, a large company say, you know, you, you covered the length. That’s great. But what we see on an hourly and on a per-minute basis is the slew of account takeovers that are related to password reuse. The attackers knew what this person’s password was and they just logged in, and so having a unique password is another really, really important thing, and that, of course, it should be randomly generated.

Bob: And the three of those things are just impossible for most people to do. You can’t have 16-character passwords for hundreds of sites that are uniquely generated, by a password. You need a password manager to handle all that for you. The hidden value of the password manager that most people don’t know is in the database that the password manager maintains.

Bob: It contains the location of the website that you are visiting, and then your name and password. If you are scammed into going to an imposter site, a lookalike site, the password manager has no record for that particular website. It’s not the real thing. It looks like it to you, but the actual location in the location bar is different, and it will have no idea how to help you fill out the name and password.

Bob: So at that moment, it stopped the attack. Now some people then go in and copy the name and password, and you shouldn’t do that, but it gives you at least a few seconds to step back and say, why did the password manager fail me? Am I on the right website?

Beau: I’ve had that experience, Bob, where I’ve tried to log into a site and it doesn’t work and I do use a password manager and I had no idea that was the guts of the system working.

Bob: It was working as intended. Maybe it was a side effect, but I, I think it’s, it’s, uh, regardless, it’s the sort of thing that can really, it can really help you. It can give you a few seconds to stop and say, what is happening here? And sometimes just a few seconds is all you need to have other parts of your brain that are not freaked out by some alleged transfer of money or, you know, whatever the scam is.

Bob: It gives your brain just a few more seconds to ask, what, what is going on here?

Beau: Focusing on things that don’t work opens you up to things that do. And for the average user, there’s only a few things that really work against them. That create insecurity, that create vulnerability, that expand the attackable surface.

Bob: Well, these are the basics, so I don’t want to pretend like this is going to solve all of your security problems, but they tend to need to start here. Even most high-value targets should start here. Not all, but most should start here. Some, there’s completely different advice, but this is the starting point and there’s a lot more to it.

Bob: I would also mention that people are often very concerned about privacy on the internet. This does not address that. There are additional mitigations that we link to in the resources page that will help you a little bit with that, but we’re really just focusing on the security of your accounts and your devices and making sure that bad guys don’t take those over.

Outro/Ending

Beau: Now, if you want to get in sync with Bob Lord’s world, he has an active Medium account and there are a few posts you should read right away, including “Attack of the Evil Barista”; “The Quiet HTTPS Revolution: Reflections on how the internet slowly became encrypted”; and “Juice-jacking Hacklore: Chasing down leads on alleged juice-jacking attacks.”

Beau: Is there anywhere else you wanna send people?

Bob: The main thing you can do is, if you’re interested in keeping current with Hacklore, you can go to hacklore.org and, uh, there is a signup page for the mailing list.

Beau: What are we gonna get when we sign up for that mailing list?

Bob: Well, I just sent the first one last night and included some, uh, advice on, uh, how people can extend the work that we’re doing here. I think the most important thing is to get many voices saying the same thing. Many people speaking to reporters, going on podcasts, uh, debunking information wherever they see it.

Bob: Uh, but also within their organizations, it may well be that their security or IT teams have put out information that contains a little bit of hacklore. And I think that there are ways to gently suggest to those folks that they go back and rethink some of these things. So, uh, I’m really trying to extend the work so it’s not just me and, and a hundred of my best friends, but it really is thousands more people.

Bob: So you’ll get a little bit more information there, but I’m also looking for feedback from people to tell us how they think about the program and how we should expand it, if we should expand it, or how we can, uh, finally put the site to bed. That would, that for me would be a great thing, is for us to be able to, a year from now, be able to say, we’re pretty much done.

Bob: We’re, we’re gonna close down the site.

Beau: And what are you going to do with our mailing addresses, our email addresses?

Bob: It, it’s, it’s literally just me at this point. I’m not selling it. I’m not, uh, monetizing it. I’m not spamming you with anything else. And if you don’t like the newsletter, you can just click unsubscribe and I’ll never hear, you’ll never hear from me again.

Beau: Did you hear that? You have agency, people, agency. And if you feel like you don’t have agency, start with the Hacklore list. It’s really simple and it’s, uh, an effective way to start the first and most important layers of your personal cybersecurity, uh, routine. Bob Lord, thank you so much for joining us to talk about Hacklore.

Bob: My pleasure. Thank you.
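Bob’s point about the password manager refusing to fill on a lookalike site comes down to one check: the manager keys each saved login on the site’s address, not on how the page looks. The following is an added example, not code from the podcast or from any real password manager; the vault entries, the site names and the simplified exact-origin matching rule are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample vault: one saved login, keyed on the origin (scheme + host)
# the credential was saved for. Real managers often match on the registrable
# domain instead, which is looser but still rejects every lookalike below.
VAULT = {
    "https://accounts.example-bank.com": {
        "user": "alice",
        "password": "correct horse battery staple",  # constructed placeholder
    },
}


def origin(url: str) -> str:
    """Reduce a URL to scheme://host[:port], dropping path, query and default ports.

    This is what the manager compares, so a page's title, logo or form layout
    play no part in the decision.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"https": 443, "http": 80}.get(scheme)
    if parts.port and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}"


def autofill(url: str, vault: dict = VAULT):
    """Return the credential the manager would fill for this page, or None.

    None is the "password manager failed me" moment from the transcript: the
    address bar shows an origin the vault has never seen, so nothing is offered.
    """
    return vault.get(origin(url))


if __name__ == "__main__":
    # Genuine site (any path) fills; each lookalike pattern does not.
    print(autofill("https://accounts.example-bank.com/login?next=/home"))
    print(autofill("https://accounts.example-bank.co/login"))            # typo TLD
    print(autofill("https://accounts.example-bank.com.secure-login.net/"))  # real name as a subdomain
    print(autofill("http://accounts.example-bank.com/"))                 # plain HTTP, not HTTPS
    print(autofill("https://accounts.exampl\u0435-bank.com/"))           # Cyrillic "е" homograph
```

The last four calls return None even though each address contains the bank’s name somewhere, which is exactly the pause Bob describes: the manager’s silence is the signal to re-read the address bar rather than paste the credential in by hand.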

And now it’s time for the Tinfoil Swan, our paranoid takeaway to keep you safe on and offline.

Bob Lord wants us to be safe, and that means ditching outdated security advice (hacklore) and focusing on what matters: MFA, strong passwords, updates. Basically, better cyber hygiene.

But that advice is about security, and we need to make a critical distinction: security is not privacy, except when privacy, or the lack of it, causes a security issue.

Security stops someone from becoming you. Privacy stops your data from being weaponized against you, which can lead to very real-world security issues including harassment, stalking, or worse.

So, you’ve addressed the basics of your security stance, but your personal information is all over the place online. That creates a significant layer of INsecurity that can be used in online scams and fraud as well as real-world crime.

Focus on Bob’s shortlist: MFA, good password hygiene, updates. Then strive for invisibility. Use email and phone masking, something you can get with DeleteMe, and use a service like DeleteMe to remove your personally identifiable information from people-search sites. Staying safe is all about decreasing your attackable surface, and that’s a multi-layered thing. Think MFA on steroids.

Do the basics to stay secure, but don’t be fooled into thinking that’s that and you’re safe. Protect yourself from the hacker, protect yourself from the tracker. Be hard to hit.

Why Most Cybersecurity Advice Is Wrong

Episode 229
December 11, 2025
43:21 min