Hacker News

Stop Hacklore – An Open Letter

102 points by zdw, last Wednesday at 3:55 PM, 83 comments

Comments

HiPhish, yesterday at 11:25 PM

I have two more to add to the list:

> Secret questions

No, my mother's maiden name is not a secret. And some questions like "who was your best friend in elementary school?" might have different answers depending on when you ask me. Plus, unless my best friend's name was Jose Pawel Mustafa Mungabi de la Svenson-Kurosawaskiwitz (we used to call him Joe) it's pretty easy to guess with a dictionary attack. The only way to answer these questions securely is to make up an answer that's impossible to guess, which results in a second password.

> Your password must contain these particular characters

I understand that this rule is to prevent people from using passwords like "kittycat", but "k!ttyc4T" is still less secure than "horse battery staple correct".

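
A worked illustration of the point above, added here as example code (not something from the comment's author or from the open letter): a composition rule happily accepts "k!ttyc4T" and rejects "horse battery staple correct", while an attacker who undoes the leetspeak and runs a wordlist with mangling rules gets the former for roughly 23 bits of work and the passphrase for about 52. The word list, the leet table and the 10,000 words x 1,000 rules sizing are assumptions chosen for the example; a real check would load a cracking wordlist.

```python
import math
import re

# Constructed stand-in for a cracking wordlist (a real check loads rockyou-style lists).
COMMON_WORDS = {"kitty", "cat", "kittycat", "password", "horse", "battery", "staple", "correct"}

# Substitutions that cracking rulesets undo automatically, so they add almost no strength.
LEET = str.maketrans({"!": "i", "1": "i", "4": "a", "@": "a", "3": "e",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

DICEWARE_LIST_SIZE = 7776   # assumed size of the list a diceware-style passphrase is drawn from


def passes_composition_rule(pw: str) -> bool:
    """The 'must contain these particular characters' rule: 8+ chars, upper, lower, digit, symbol."""
    classes = [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"]
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)


def is_dictionary_derived(pw: str) -> bool:
    """True if undoing leetspeak and case yields a listed word, or a join of two listed words."""
    base = pw.translate(LEET).lower()
    if base in COMMON_WORDS:
        return True
    return any(base[:i] in COMMON_WORDS and base[i:] in COMMON_WORDS
               for i in range(1, len(base)))


def brute_force_bits(pw: str) -> float:
    """Naive estimate: the attacker enumerates the whole character set actually used."""
    space = 0
    if re.search(r"[a-z]", pw):
        space += 26
    if re.search(r"[A-Z]", pw):
        space += 26
    if re.search(r"\d", pw):
        space += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        space += 33
    return len(pw) * math.log2(space) if space else 0.0


def attacker_bits(pw: str) -> float:
    """Estimate against an attacker who knows how the password was built."""
    words = pw.split()
    if len(words) > 1 and all(w.isalpha() for w in words):
        # Diceware-style passphrase: the words are the alphabet, not the characters.
        return len(words) * math.log2(DICEWARE_LIST_SIZE)
    if is_dictionary_derived(pw):
        # Wordlist x mangling rules; 10k words x 1k rules is a modest cracking run (assumed sizing).
        return math.log2(10_000 * 1_000)
    return brute_force_bits(pw)


def assess(pw: str) -> dict:
    """Side-by-side view of what the policy sees versus what the attacker sees."""
    return {
        "password": pw,
        "passes_composition_rule": passes_composition_rule(pw),
        "dictionary_derived": is_dictionary_derived(pw),
        "brute_force_bits": round(brute_force_bits(pw), 1),
        "attacker_bits": round(attacker_bits(pw), 1),
    }


if __name__ == "__main__":
    for candidate in ("kittycat", "k!ttyc4T", "horse battery staple correct"):
        print(assess(candidate))
```

The naive brute-force figure for "k!ttyc4T" (about 52.6 bits) is what the composition rule is implicitly counting on; the attacker figure is what a hashcat-style run actually faces once the base word is recovered.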
Animats, yesterday at 10:50 PM

Note that most of the signers are from companies which collect substantial consumer information for revenue purposes. Hence the emphasis on "updating". And the absence of "turn up browser security levels to max" or "get a good ad blocker".

Also, any password manager that's "cloud based" is potentially a security hole. Yeah, they say the server is secure. Right.

emidln, yesterday at 10:59 PM

I'm not a CISO just a random dog on the internet, but this open letter seems to assume that privacy is not a part of your security posture and that spear phishing isn't common these days. (Is 'spear phishing' still the term for targeted electronic scams to steal credentials/access?)

I realize not everyone is using a physically stripped burner, a GrapheneOS install, etc., and not everyone works at a high-value financial, govt, or infra target, but for those of us who need to deal with opsec or are commonly targeted by spear phishing this advice seems abysmal.

In the current political climate of the US, if you are living or traveling here and the current party isn't cheering for you personally, you really should be considering both state-sponsored attacks and no longer have the luxury of assuming good faith by the state. Telling people to enable cheap drive by attacks that are in active use by certain government agencies is irresponsible malpractice at best and actively evil at worst.

Source: I've worked at analytics companies that actively deanonymized users using cookies when available. We used wifi and Bluetooth details when available. We built "multi channel marketing" which was just taking any information we could scrape from the user to fingerprint them and cross reference and deanonymize them so we could sell interactions to businesses like geofenced price discrimination, value of users, and could offer cross website information on shopping habits/financial profile. The shit I did 15 years ago didn't go away and no matter how much I wish I didn't write that, it was the tip of the iceberg and relatively benign.

voodooEntity, yesterday at 10:35 PM

So, since this seems to be relevant: I'm a CISO myself.

And I would definitely not agree with everything in this letter.

Personally, I think the worst part about it is treating a low probability as something that's not gonna happen. That's, especially in IT-Sec, one of the worst practices.

To take one point as an example - the "never scan public QR codes".

Apart from the fact that there have been enough exploits in the past (the USSD "Remote Wipe", iOS 11 Camera Notification Spoofing (iOS, 2018), ZBar Buffer Overflow (CVE-2023-40889), etc.), even without a 0day exploit QR codes can pose a relevant risk.

As a simple example, not too long ago I was in a restaurant which only had their menu in the form of a QR code to scan. Behind the QR code was a link to a PDF showing the menu. This PDF was hosted on a free-to-use web service that allowed uploading files and getting a QR code link to them. There was no account-managed control over the PDF that they linked to; it could be replaced at any time, opening a whole different world of possible exploitations via whatever file is being returned.

Sure you could argue "this is not a QR code vulnerability just bad practice by the restaurant owner" - but that's the point. For the user there is literally no difference if the QR code itself has a malicious payload or if the URL behind it has (etc etc).

While we in the tech world might understand the difference, for John and Jane Doe this is the same thing. And for them it's still a possible danger.

Apart from that, recently a coworker linked me a "hacker" video on youtube showing a guy in an interview talking about the O.MG cable. Sure, you might say this is also an absolutely non standard attack vector, yet it still exists. And people should be aware it does.

My point is - by telling people that all those attack vectors are basically "urban myths" you just desensitize the already not well enough informed public from the dangers the "digital" poses to them. And from my personal view, we should rather educate more than tell them "don't worry it will be fine".

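
The restaurant scenario above is a payload-handling problem: the scanner hands whatever the code decodes to straight to a browser, dialer or Wi-Fi stack. The triage function below is added example code (not from the commenter or from the letter) showing the checks a scanner or an MDM-side link filter would want to run on a decoded payload before acting on it: `tel:` strings carrying `*`/`#` MMI characters, Wi-Fi join strings, plaintext `http`, `user@host` lookalike URLs, links that point straight at a downloadable file, and hosts where the content behind the link can be swapped by whoever controls the upload. The host list and the `.example` names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed list: free upload / QR-generator services where the file behind a link can
# be replaced after the code is printed. A real deployment maintains its own list.
REPLACEABLE_CONTENT_HOSTS = {"free-qr-files.example", "upload.example"}
DOWNLOAD_SUFFIXES = (".pdf", ".apk", ".exe", ".zip", ".msi", ".dmg")


def triage_qr_payload(payload: str) -> dict:
    """Classify a decoded QR string before anything opens it.

    Returns {"kind": ..., "risk": "low" | "medium" | "high", "reasons": [...]}.
    """
    p = payload.strip()
    lower = p.lower()

    # Dialer payloads: '*' or '#' inside a tel: URI is an MMI/USSD code, which the dialer
    # may execute rather than merely dial (the class of issue behind the old remote-wipe bug).
    if lower.startswith("tel:"):
        number = p[4:]
        if any(ch in number for ch in "*#"):
            return {"kind": "tel", "risk": "high",
                    "reasons": ["tel: URI carries USSD/MMI control characters"]}
        return {"kind": "tel", "risk": "medium", "reasons": ["dials a number; confirm before calling"]}

    # Wi-Fi join strings push network credentials into the device.
    if lower.startswith("wifi:"):
        return {"kind": "wifi", "risk": "medium",
                "reasons": ["joins a network; check SSID and encryption type first"]}

    try:
        parts = urlsplit(p)
        host = (parts.hostname or "").lower()
    except ValueError:
        return {"kind": "text", "risk": "medium", "reasons": ["unparseable URL-like payload"]}

    if parts.scheme in ("http", "https"):
        risk, reasons = "low", []
        if parts.scheme == "http":
            risk = "medium"
            reasons.append("plaintext http; content can be altered in transit")
        if parts.username is not None:
            risk = "high"
            reasons.append("userinfo in URL (user@host) is a classic lookalike trick")
        if host in REPLACEABLE_CONTENT_HOSTS:
            risk = "high"
            reasons.append("free file host: the document behind the link can be replaced at any time")
        if parts.path.lower().endswith(DOWNLOAD_SUFFIXES):
            reasons.append("points straight at a downloadable file, not a page")
            if risk == "low":
                risk = "medium"
        return {"kind": "url", "risk": risk, "reasons": reasons}

    if parts.scheme:
        # mailto:, sms:, custom app schemes: handed to whatever app registered the scheme.
        return {"kind": parts.scheme, "risk": "high",
                "reasons": [f"unusual scheme '{parts.scheme}' handed to an app handler"]}

    return {"kind": "text", "risk": "low", "reasons": ["plain text, nothing to open"]}


if __name__ == "__main__":
    for sample in ("https://free-qr-files.example/menu.pdf",
                   "https://restaurant.example/menu",
                   "tel:*123#",
                   "https://paypal.com@evil.example/",
                   "Table 12"):
        print(sample, "->", triage_qr_payload(sample))
```

Note that this does nothing about the "URL behind it" being swapped later, which is exactly the commenter's point; it only makes the replaceable-host case visible so the user is asked before a file is fetched.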
diath, yesterday at 10:38 PM

> Never scan QR codes: There is no evidence of widespread crime originating from QR-code scanning itself.

> The true risk is social engineering scams...

Exactly. My grandma is very susceptible to phishing and social engineering; I don't want her scanning random QR codes that would lead to an almost identical service to the one she thinks she is on and end up with identity theft or the like.

> Regularly change passwords: Frequent password changes were once common advice, but there is no evidence it reduces crime, and it often leads to weaker passwords and reuse across accounts.

Database leaks happen all the time.

MerrimanInd, yesterday at 10:33 PM

I worked for a company that had 8-12 different employee passwords across various systems. There was no SSO, each password had different requirements, and they required changes at different intervals ranging from 30-90 days. Consequently every employee had a post-it note directly on the laptop with most or all of their passwords. The outdated IT security policy was so strict that real-world security was abysmal.

BLKNSLVR, today at 1:12 AM

Slight tangent: My wife's place of work has recently instituted a minimum 16-character password rule with the standard complexity requirements. They also encourage the use of password management software, as well as enforcing password changes every 6 months.

Where I see a flaw in this is the initial login.

If you're not already on your computer to access the password manager, how do you retrieve the essentially non-memorisable password to unlock your computer in order to get to the password manager to retrieve the essentially non-memorisable password?

The password to unlock the computer, therefore, must be able to be remembered. This pretty much excludes 16-character auto-generated passwords for anyone but a savant.

Am I missing something obvious here? (MFA using an authenticator app on the phone? Is that something that Windows / Mac/ Linux supports?)

ropetin, yesterday at 11:10 PM

I find it interesting that the comment about VPNs offering little additional privacy or security benefits is wrapped up under 'Avoid Public WiFi' rather than being called out explicitly. It drives me nuts all the ads I see for NordVPN or whatever claiming that by using their services you are now totally safe from all the hacks. If anything, it makes the median user less safe because they have a false sense of security.

Taek, today at 2:27 AM

I don't really like the name. When you say 'Hacklore' I think of the hackers at MIT and such. That stuff is really cool and shouldn't be stopped or suppressed!

But the message, absolutely on board with it.

dadrian, today at 2:31 AM

This is good advice, and there are good people on the signature list, but why is this an open letter? This feels navel-gazey and straight out of 2017.

peanut-walrustoday at 12:43 AM

For 1, you can still have extremely malicious networks. It's true that your web traffic is likely encrypted but... What services are exposed on your machine? Do you have mapped samba shares?

For 5 - session cookies are one of the main things stealers look for. Deleting cookies is absolutely good advice until browsers build in better mitigations against cookie theft.

For 6 - if there was a standard interface how password managers could rotate my creds, I would sure as hell use it. Force rotating passwords is only "bad" if people need to remember them. Any random credentials stored in a vault absolutely should be rotated periodically, there is no reason not to.

I don't see the point of this letter; none of the "bad" advice they call out is harmful to security in any way. If people feel safer avoiding public wifi, so be it. Is it just a call out to other CISOs to update their security hygiene powerpoints?

pityJuke, yesterday at 11:06 PM

QR Code scams are a very real issue [0].

[0]: https://www.bbc.co.uk/news/articles/cr430eee2w5o.amp

drtgh, yesterday at 11:44 PM

That open letter is filled with malice, so I can only guess that it's either trolling or a bad-taste joke (because people could think these are outdated recommendations and spread that; let's remember the flat-earth thing).

kace91, yesterday at 10:53 PM

I might be alone in this, but I feel the advice regarding 2FA and password managers is putting people into risk.

My mom using those would be one “I don’t know where I put that” away from permanently losing access to her pictures or any other similar access. This is as potentially harmful as any attack.

exabrial, today at 1:04 AM

> Use SMS one-time codes as a last resort

Let me fix this for you:

> Never use SMS one-time codes as a last resort

ralph84, yesterday at 11:59 PM

How about these:

- CISOs aren’t actually officers of the company and are typically 2-3 levels below the actual officers

- CISOs only exist to have someone to deflect blame onto after the inevitable breach

- If a company actually cared about security they wouldn’t put it in a silo

hullfracture, yesterday at 10:34 PM

This has the energy of "Remove all DEI initiatives because we have solved workplace discrimination."

> This kind of advice is well-intentioned but misleading. It consumes the limited time people have to protect themselves and diverts attention from actions that truly reduce the likelihood and impact of real compromises.

I dislike any methodology that claims its intent is to talk down to people for whatever declared reasoning. People are capable, and should be helped to make decisions based on all available information.

> Regularly change passwords: Frequent password changes were once common advice, but there is no evidence it reduces crime, and it often leads to weaker passwords and reuse across accounts.

When I worked as a security professional, the breaches were nearly always from someone's password getting leaked in a separate public breach. If those individuals had changed that password, the in-house breach would have been avoided.

> Use a password manager

Sage advice.

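
The failure mode described above is a credential that has already appeared in a public dump being reused elsewhere. The check a practitioner runs for that is a k-anonymity lookup against a breach corpus: the client hashes the password with SHA-1, sends only the first five hex characters, and the server returns every suffix it knows under that prefix, so the full hash never leaves the client. This is added example code, not the commenter's, and it simulates the server side with a small constructed corpus so it runs offline; the real Have I Been Pwned range API returns the same suffix shape (with counts appended) over HTTPS.

```python
import hashlib

# Constructed stand-in for a breach corpus: SHA-1 digests (uppercase hex) of passwords
# that have appeared in public dumps. A real check queries a service over HTTPS instead.
LEAKED_PASSWORDS = ["password", "kittycat", "Summer2023!", "letmein", "k!ttyc4T"]
_BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in LEAKED_PASSWORDS}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix5: str) -> set:
    """Simulated server side of a range query: given 5 hex chars, return every suffix
    (characters 6..40 of the digest) in the corpus that shares the prefix.
    The server learns only 20 bits of the hash, never the password."""
    prefix5 = prefix5.upper()
    if len(prefix5) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return {h[5:] for h in _BREACH_CORPUS if h.startswith(prefix5)}


def is_leaked(password: str, lookup=range_lookup) -> bool:
    """Client side: split the digest, send the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in lookup(prefix)


def leaked_accounts(accounts: dict, lookup=range_lookup) -> list:
    """Which of these (service -> password) pairs use a password that is already public?
    Those are the ones to rotate now, regardless of any calendar-based schedule."""
    return sorted(service for service, pw in accounts.items() if is_leaked(pw, lookup))


if __name__ == "__main__":
    # Constructed sample vault for the demonstration.
    vault = {"mail": "kittycat", "bank": "Tr0ub4dor&3-xyz-9q", "forum": "letmein"}
    print("rotate:", leaked_accounts(vault))   # the mail and forum passwords are in the corpus
```

Swapping `range_lookup` for a function that performs the HTTPS request turns this into a live check without changing the client logic; the important property to preserve is that only `prefix` ever goes on the wire.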
Kim_Bruning, yesterday at 10:34 PM

I think even the 'new' recommendations here are getting a bit old.

digdigdag, yesterday at 10:51 PM

None of my opinions of this manifesto are positive. This is a defeatist position. It dangerously conditions people to be more casual about their privacy and safety.

There are still legitimate reasons to clear cookies, to turn off Bluetooth/NFC beaconing, and to occasionally rotate passwords (vis a vis password managers) as it costs nothing to accomplish, and very little in the way of tradeoffs. So...why not?

The probability of a random individual being the target of a sophisticated state sponsored attack is low, but the probability of being caught up in a larger dragnet and for data to be classified, aggregated and profiled is very high. So why not make it just a bit harder for them all?

If anything, let's chip away at this problem bit by bit. Make their life a bit harder...their datacenters a bit hotter. Add random fud to the cookie values, constantly switch VPN endpoints, randomize your mac address on every WiFi association, constantly delete old comments, accounts, create throwaway accounts, create proxies and intermediaries, rotate your password and 2FA -- use any legal means to frustrate any adversarial entities -- commercial or otherwise. They want information? They want your data? Fine, overwhelm them with it. THAT should be the proper modern privacy-focused manifesto. This is utterly bewildering...

...but then I get to the signatories and this nonsense suddenly made all the sense in the world:

> Sincerely, Heather Adkins, VP, Cybersecurity Resilience Officer, Google

> Aimee Cardwell, former CISO UnitedHealthGroup

> Curt Dukes, former NSA IA Director, and Cybersecurity Executive

> Tony Sager, former NSA Executive

> Ben Adida, VotingWorks

> Geoff Belknap, Deputy CISO, Microsoft

The corporate CISO club is behind this.

TZubiri, today at 12:35 AM

Knowing what rules not to follow and what isn't a risk is important to know where to invest energy.

Tech and non tech users have a budget to spend on IT Sec, so if you impose a lot of useless or marginally useful rituals along with the useful prophylaxis, the user will be forced to drop some of the measures, so it's better to drop some rules early on by policy rather than letting users decide what good practices to avoid.

thomastjeffery, yesterday at 11:29 PM

Don't worry about cookies or bother using a VPN, because... you are being tracked anyway? What's the point of including such a defeatist stance?

> the real world across industry, academia, and government.

Gotcha, so no one here gives a shit about privacy. They only care about avoiding the inconveniences of fraud and leaked secrets.

Use a password manager and a feature-complete adblocker (ublock origin on Firefox). Send messages over end-to-end encrypted channels. Use a VPN along with your adblocker and some kind of cookie/browser-id isolation if you don't want your traffic stalked.

croes, yesterday at 11:03 PM

Some of the outdated advice is rarely a threat just because people follow the advice.

AlotOfReading, yesterday at 10:42 PM

There's the typical mix of good and bad points in this manifesto, but I wish the people willing to sign their names to it had a better record of success implementing the call to action inside their own organizations first:

    We call on software manufacturers to take responsibility for building software that is secure by design and secure by default—engineered to be safe before it ever reaches users—and to publish clear roadmaps showing how they will achieve that goal.
yearolinuxdsktp, yesterday at 11:12 PM

You can only avoid rotation on passwords that are MFA-protected.

If you implement a password manager, you must mandate auto-fill only and actively discourage (via training) copy/paste of credentials to a web site. Train the users to view “auto-fill not working” as a red flag. (This doesn’t apply to non-website credentials). Mandate all passwords to be auto-generated. Mandate that the only manually-entered password is the one for the password manager. Of course, you must have MFA on the password manager entry.

This will allow your users to comply with frequent password rotations much more easily. Auto-fill requirement/culture is critical to reducing phishing success, especially for tired eyes.
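
The reason "auto-fill not working" is a useful red flag is that a password manager fills only when the page's origin (scheme, host and port) exactly equals the origin stored with the credential, and a phishing page lives on a different origin however much its hostname resembles the real one. The snippet below is added example code (not the commenter's, and not any particular manager's implementation) showing that matching rule and the lookalikes it refuses: a registered host used as a prefix of a longer attacker host, a `user@host` URL, an `http` downgrade and a different port. The vault entries and `.example` hosts are constructed.

```python
from urllib.parse import urlsplit

# Constructed vault. A manager stores the origin the credential was saved on, not just the name.
VAULT = [
    {"origin": "https://login.example.com", "username": "jane", "password": "correct horse battery staple"},
    {"origin": "https://bank.example", "username": "jane", "password": "another generated secret"},
]


def origin_of(url: str):
    """Web origin as (scheme, host, port), or None for anything a manager must never fill into
    (javascript:, data:, file:, malformed URLs, URLs without a host)."""
    try:
        parts = urlsplit(url)
        host = parts.hostname          # already lowercased by urlsplit; excludes user@ and :port
        port = parts.port              # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return (parts.scheme, host, port or (443 if parts.scheme == "https" else 80))


def entries_for_page(page_url: str, vault=VAULT) -> list:
    """Credentials eligible for auto-fill: exact origin equality, nothing fuzzier.
    Substring or suffix matching would accept login.example.com.evil.test, the phish case."""
    page = origin_of(page_url)
    if page is None:
        return []
    return [e for e in vault if origin_of(e["origin"]) == page]


def should_autofill(page_url: str, vault=VAULT) -> bool:
    return bool(entries_for_page(page_url, vault))


if __name__ == "__main__":
    for url in ("https://login.example.com/auth?next=/",
                "https://login.example.com.evil.test/auth",
                "https://login.example.com@evil.test/auth",
                "http://login.example.com/auth",
                "https://login.example.com:8443/auth"):
        print(f"{url:50} autofill={should_autofill(url)}")
```

Only the first URL fills. A user who copies the password out of the vault and pastes it into any of the others has bypassed the one check that distinguished the real login page from the fake, which is why the comment treats "it didn't fill" as a signal rather than an inconvenience.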

villiage, today at 12:46 AM

I don’t understand why people promote password managers for individuals. You don’t need to store your password in a central location that is a prime target to hackers; even if it’s encrypted, that’s more of a risk than keeping one of your own.

And some of the previous advice they’re stepping back from like avoiding QR codes you’re unfamiliar with is still good advice; you should be careful and not expose yourself too much.
