I've been thinking lately about how we teach folks about digital security and safety and how we don't really have a way to retire old advice

I know folks who heard they should never connect to a public or unfamiliar Wi-Fi network, never scan a QR code, never charge their phone at a public outlet - and they never got the stand down memo that those threats have been largely mitigated and as long as they're keeping their phones and browsers up to date, it's usually fine to do those things.

And to some extent it's easier to say "just don't" than it is to teach nuanced risk analysis, because sure, connecting to other computers is never 100% safe no matter what.

But I worry that when reasonable precautions calcify into superstitions, we're contributing to the narrative that computers are inherently unknowable and dangerous, which leads to people giving up on even trying.

@Annalee

"never write down your password"

turned into

always using the same, single, simple password for everything

@Annalee your first paragraph there just blew my mind as I realized it's basically the sex-ed abstinence-only model with pretty much the same outcome: folks generally uneducated about the topic at all.

@Annalee And I say this as someone who absolutely didn't know that "never charge your phone at a public outlet" was already possibly outdated advice.
@JXilon yeah, with the caveat that if you are the kind of high-risk target that a state actor might burn a 0day on, you should maintain a stronger security stance, it's pretty much fine - modern phones will prompt you if you connect to a USB device that wants data and they default to power only unless you grant access

@Annalee @JXilon Good point and part of the issue with most security discussions (or computer discussions in general). We figure out the single optimal practice for a given goal (don't get infected/suborned), without considering other goals (educate people), and then we beat the point into the ground.

This creates the situation you describe, where people have heard "the best solution is to never..." and therefore don't research reasonable compromises instead.

@Longwing @JXilon true but I'm not even talking about compromise, so much as cases where the threat has been addressed and the advice is obsolete. For the average user, advice not to charge on public chargers or use public WiFi is years out of date.

@Longwing @JXilon that advice didn't become widespread because it held for high risk targets, but because there were widely known and widely used attacks that average people had to worry about. And that's just not true anymore. Those threats have been remediated.

The rules are different for high value targets because what exploits remain are too valuable to be worth using against random people.

@Annalee I'm thinking about how this maps onto people who heard one thing about COVID when the best advice was "stand further apart, wash your hands," and now they're being told they have to wear masks and they feel like they can't trust anything because the advice keeps changing.

@Annalee Same. I've long held the notion that security advice that doesn't embed the context of what it's mitigating is broken out of the gate.

@Annalee Hmm! I'm interested in learning more about why those things are okay now (as long as one uses up-to-date devices and browsers).

@brainwane @Annalee I'm also interested in why so many IT professionals cling to old advice like this and outdated practices such as password rotation. Perhaps it's just the power of mystery and mistrust.
There's no generally-respected, trustworthy, up-to-date, plain-language place we can point to and say "follow these recommendations".
There's no "Dr. Fauci" for digital security and safety.

@gluejar @brainwane @Annalee "I'm also interested in why so many IT professionals cling to old advice like this and outdated practices such as password rotation."

Because changing the advice, even if warranted, confuses people, too. How many times have you heard someone complain along the lines of "I have no idea if eggs are good for you or not, one day they say they're fine, the next they're not... they just don't know what they're talking about."

@brainwane the caveat is that none of this applies if you're the kind of person a state actor might be willing to burn a 0day on.

But when there's a big, clear, easy-to-exploit risk like the above examples, it generally gets mitigated. For example, if you plug a modern phone into a USB device that is capable of data access, your phone will prompt you to ask if you want data or just power.

@brainwane for wifi networks, the risk was a malefactor-in-the-middle attack, but these days the average person doesn't need to worry about that because of the widespread adoption of https. Your browser will warn you if your connection isn't private.

And with QR codes, the risk was that you couldn't tell where they were pointing, and it used to be pretty easy for a site to execute harmful code on load with no user interaction.
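The QR-code point above (the risk was that you couldn't tell where a code points) is something a small inspection tool can make concrete. The Python below is an added example, not code from anyone in this thread. It takes an already-decoded QR payload string (assumed to come from whatever scanner you use) and reports the scheme, the real host, whether the connection would be encrypted, and the things that commonly mislead someone reading the raw text: a username before the '@', a raw IP address, a punycode or non-ASCII look-alike host, plain http, and non-web schemes that trigger an action instead of opening a page. Every sample payload in it is constructed for the demo.

```python
"""Show where a decoded QR payload really points before acting on it.

Added example for the thread above; not anyone's posted code.
Sample payloads at the bottom are constructed for the demo.
"""
import ipaddress
from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https"}
# Schemes that make the phone do something other than open a web page.
ACTION_SCHEMES = {"tel", "sms", "mailto", "geo", "wifi", "intent"}
# Schemes that carry code or content inline rather than a destination.
SCRIPT_SCHEMES = {"javascript", "data"}


def _host_cautions(parts, host):
    """Cautions about the host part of a web URL."""
    cautions = []
    if parts.username is not None:
        # "https://bank.example@evil.example/" goes to evil.example;
        # the text before '@' is only a username.
        cautions.append(
            f"text before '@' is a username; the real host is '{host}'")
    try:
        ipaddress.ip_address(host)
        cautions.append("host is a raw IP address rather than a domain name")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if not host.isascii():
        cautions.append(
            "host contains non-ASCII characters (possible look-alike domain)")
    elif any(label.startswith("xn--") for label in host.split(".")):
        try:
            shown = host.encode("ascii").decode("idna")
        except UnicodeError:
            shown = "<undecodable>"
        cautions.append(
            f"host is punycode; it displays as '{shown}' "
            "(possible look-alike domain)")
    return cautions


def inspect_qr_payload(payload: str) -> dict:
    """Return the destination of a decoded QR payload plus cautions."""
    payload = payload.strip()
    parts = urlsplit(payload)
    scheme = parts.scheme.lower()
    report = {"payload": payload, "scheme": scheme or None,
              "host": None, "encrypted": False, "cautions": []}
    if scheme in WEB_SCHEMES:
        host = (parts.hostname or "").lower()
        report["host"] = host
        report["encrypted"] = scheme == "https"
        if scheme == "http":
            report["cautions"].append(
                "plain http: the page can be read or altered in transit; "
                "the browser will mark it 'not secure'")
        report["cautions"].extend(_host_cautions(parts, host))
    elif scheme in SCRIPT_SCHEMES:
        report["cautions"].append(
            f"'{scheme}:' payload carries code or content instead of a site")
    elif scheme in ACTION_SCHEMES:
        report["cautions"].append(
            f"'{scheme}:' triggers an action rather than opening a web page")
    elif scheme:
        report["cautions"].append(
            f"unrecognised scheme '{scheme}:'; the device may hand it to "
            "another app")
    else:
        report["cautions"].append(
            "not a URL: plain text, or a bare address the device may open "
            "over plain http")
    return report


def describe(payload: str) -> str:
    """One-line human-readable summary of a payload."""
    r = inspect_qr_payload(payload)
    where = r["host"] or r["scheme"] or "(text)"
    lock = "encrypted" if r["encrypted"] else "not encrypted"
    notes = "; ".join(r["cautions"]) or "no cautions"
    return f"{payload!r} -> {where} [{lock}] {notes}"


if __name__ == "__main__":
    # Constructed sample payloads for the demo.
    for sample in [
        "https://example.com/menu",
        "https://bank.example@evil.example/login",
        "http://192.168.1.1/",
        "https://xn--pple-43d.example/",
        "tel:+15555550100",
        "Hello",
    ]:
        print(describe(sample))
```

The checks mirror what a modern camera app does when it shows you the decoded link before opening it; the value of running them yourself is seeing which parts of a URL are decoration (the username, the path) and which part actually decides where you end up (the host).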