Summary:
In this episode, Timothy De Block sits down with cybersecurity expert Bob Lord to discuss the dangerous impact of "Hacklore"—obsolete, excessive, and fear-based cybersecurity advice. They explore how bombarding everyday users with spy-thriller scenarios (like juice jacking and evil baristas) leads to security fatigue and inaction. Instead, they advocate for shifting the burden of security away from the user and onto tech companies, while narrowing consumer advice down to the absolute basics: Multi-Factor Authentication (MFA), password managers, and credit freezes.
Key Topics Discussed
The Origins of Hacklore: Bob Lord started the Hacklore website after a CISO friend emailed him a "trifecta" of problematic security advice concerning public Wi-Fi, juice jacking, and restaurant QR codes. The initiative serves as an expert-backed resource to debunk common myths and promote better, actionable security guidance.
Rethinking Security Advice: Providing users with excessive or overly complex advice often results in them ignoring it entirely. Security advice needs to be constantly reevaluated to ensure it addresses actual, common crimes rather than unlikely scenarios like an "evil barista" intercepting data.
Shifting the Security Burden: The responsibility for digital safety should move away from the end-user and toward internet service providers and tech companies. Companies must adopt "secure by design" practices, such as requiring password changes upon installation or shipping routers with unique default passwords.
The Power of MFA: Multi-Factor Authentication (MFA) is essential for protecting vulnerable populations, such as seniors who are frequently targeted by organized fraud. Even SMS-based MFA is far better than having no MFA at all, as it degrades most common attacks according to a Microsoft study.
The Hidden Benefit of Password Managers: A major, underappreciated benefit of password managers is their built-in phishing resistance. If a user is tricked into visiting an imposter website, the password manager will not fill in the credentials, effectively stopping the attack in its tracks.
Freezing Credit: Implementing a credit freeze is another highly recommended, fundamental security measure. This action builds directly on the basic security practices promoted by the Hacklore initiative.
Learning from Near Misses: At the upcoming RSA conference, Bob Lord will discuss the concept of cyber security "near misses". He advocates that the cybersecurity field should learn from incidents that almost went wrong, similar to the safety approach used in the aviation sector.
Memorable Insights
Sharing obsolete security advice can be considered an "act of harm" because it distracts people from effective measures and can create a fatalistic mindset that no security action will help.
Since most people will only dedicate a few minutes a year to security, recommendations must be strictly limited to what is truly feasible for them to implement.
Getting a friend or family member to make just one security change, like enabling MFA on their primary email account, is considered a significant victory.
Resources Mentioned
Hacklore Initiative: A non-commercial website aimed at replacing obsolete cybersecurity advice with expert-backed guidance (hacklore.org).
Hacklore on Bluesky: Follow the movement and join the conversation at @hacklore.bsky.social.
"How effective is multifactor authentication at deterring cyberattacks?": The Microsoft research paper (arXiv:2305.00945) referenced by Bob Lord detailing the real-world efficacy of MFA: https://arxiv.org/abs/2305.00945.
Bob Lord's Updated Cyber Guidance for Small Businesses: Originally written during his time at CISA, Bob has updated this practical security guide on his personal blog: Read on Medium.
Methods of Delivery vs. Intrusion (The Hacklore Edition): A blog post explaining why the security industry shouldn't over-index on flashy threats like parking meter QR codes: Read on Medium.
PSA: Elevator (un)safety: In addition to his popular seatbelt analogy, Bob explores the concept of built-in safety in this blog post about elevators: Read on Medium.
Support the Podcast:
Enjoyed this episode? Leave us a review and share it with your network! Subscribe for more insightful discussions on information security and privacy.
Contact Information:
Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.
Check out our services page and reach out if you see any services that fit your needs.