Stop Hacklore - An Open Letter
80 points by rslabbert
- Keep critical devices and applications updated: Focus your attention on the devices and applications you use to access essential services such as email, financial accounts, cloud storage, and identity-related apps. Enable automatic updates wherever possible so these core tools receive the latest security fixes. And when a device or app is no longer supported with security updates, it’s worth considering an upgrade.
There's a massive trust problem here, and it's largely on the vendors to fix it. It's hard to tell people that they should enable updates when that means constantly worrying about features getting dropped because someone wanted to sell more cars, or getting a bunch of "AI" anti-features (including outright spyware!), or just getting infected by traditional malware (see also: the whole supply chain debate lately). And even if you do buy into the mandatory update mentality (which I still largely do! new security issues do get discovered and it is important that we fix them!) vendors then get to use EOLs as a shiny "give us more money" button, despite said updates only really being required because of their fuckups in the first place.
It reminds me of a toot I saw a few months ago..
also updated [app] while i had the pending updates list open, because it is the ~one thing on my phone that i can trust to not get worse if i just yolo update it without checking the changelog
ty [dev] for being non-terrible
And it's hard not to take it as an indictment of the whole industry.
(Of course, [dev] has made plenty of mistakes of their own too, and will continue doing so.. But we won't get anywhere if we don't at least try.)
- Turn off Bluetooth and NFC: Wireless exploits in the wild are extraordinarily rare and typically require specialized hardware, physical proximity, and unpatched devices.
Wasn't the recent Android security bulletin about an RCE in the Bluetooth stack? This wasn't officially confirmed, but this commit sure looks interesting.
Also, why the hell are attackers with "specialized hardware" outside of our threat model? A Flipper Zero isn't exactly expensive.
Their FAQ kinda addresses this:
I just saw a news story about a new security flaw that affects one of the items in the Hacklore list. Doesn’t that invalidate this advice?
No. All software has bugs—some of them security or privacy related—and it’s inevitable that flaws will occasionally be found in systems that handle things like WiFi, QR codes, or USB connections. When that happens, the right question isn’t “Should we tell millions of people to change their behavior?” but rather “Which manufacturer and product were affected, and what are they doing to fix it?”
Security defects are a normal part of the software lifecycle. The responsible reaction is to expect software makers to patch their products quickly and transparently—not to shift the burden onto users. We need to move the responsibility for staying cyber safe upstream, to the companies best positioned to make security improvements at scale. We need to demand software that is secure by design.
This seems ill-advised. Sure, you can demand software to be secure by design all you want, but right now we're stuck with the software we have. Why not reduce the attack surface?
Sure, I think this site's advice is aimed towards your average Joe, but I really doubt they're turning off Bluetooth and NFC for security? On the other hand, I fear that people who are at a higher risk - e.g. activists - will stumble upon this letter, and get convinced that they don't need to take the precautions they used to take.
The resources are also a bit weird. The VPN section starts off with
VPNs are heavily marketed, but most people do not need one for security. These resources explain when a VPN is useful, when it is not, and why built-in protections on modern devices already handle many of the risks.
It then links Apple's page about iCloud Private Relay... but that is marketing material for a product that is very similar to a VPN. This section also links to e.g. a Tom Scott video and NYT. I have nothing against Tom Scott, but do they seriously not have better sources?
I would argue turning off BT and WiFi is about privacy, not security these days. Often people confuse the two.
Generally speaking the BT and Wifi implementations are pretty secure and have a good security posture. Sure stuff happens, but I'm with hacklore on this, from a security perspective anyway. If you care about privacy, you probably don't want either on unless you are actively using it.
I agree the VPN sources here are pretty lame, but I also agree that VPNs are mostly not useful these days, since the entire internet pretty much moved to TLS everywhere and browsers are defaulting to DNS over HTTPS now. This takes away a lot of the MITM attacks that ISPs and others had.
Outside of censorship/filtering bypass, VPNs (any kind of public tunnel/relay) are mostly useful for location privacy. If you're not literally The Most Average Joe and you might have some kind of minimally skilled adversaries, someone might trick you into loading a tracking pixel (and sometimes there are zero-click notification-based ways to get you to load one, and novel CDN tricks, and so on) and query GeoIP to find out roughly where you live (usually down to the district), and you might be trying to keep that private. In the good old days of forums, moderators directly saw IP addresses in the forum software.. who said that your fedi instance admin couldn't look at the logs as well :)
I was speaking from a security perspective. I agree with you that VPNs can hide your location (and it's a good use of VPNs), but I'd argue that's still privacy, not security.
That said, thanks for sharing more details around VPN privacy use-cases!
Security and privacy are intertwined in precisely this way.. Sometimes you need privacy to be secure.
VPNs are a good way to know if the server you're connecting to is the right one if you and the server are both on a VPN. There are plenty of networks that delegate this: dn42, anonet, yggdrasil, tor, i2p, gnunet, tailscale. The "darkweb" is just the internet + extra security and some privacy. It basically removes the whole idea that we need hundreds of CAs or a single root DNSSEC key, because the destination you're encrypting for is the address. The current layout of the internet and its security model are designed to keep the users under control. That's why you still have browser, TLS, DNS, and messaging-layer encryption-centric security models as the basis of a connection. If I want to talk to someone over a secure channel, why do I have to go somewhere else to do it? Why do you have to pay for DNS and hosting? Someone is making money off of it.
By the way, tor/i2p work great with container tabs on Firefox; you don't need to run a special browser that counters a bazillion different fingerprinting techniques.
I would argue turning off BT and WiFi is about privacy, not security these days. Often people confuse the two.
In the last month, Android and Zephyr have both had arbitrary code execution vulnerabilities in their Bluetooth stacks. In both cases, these allow someone within radio range to run code with kernel-level privilege on the device.
It's really hard to understand how you could view this as a privacy issue and not a security one.
All of computing is currently insecure. On the "how long since the last RCE" metric alone, we should just throw in the towel and consider all of computing insecure. OWASP's top 10 doesn't change very much because of it.
So to me we also have to factor in how the humans involved in the networking stack treat security, how often big security bugs are found in the networking stack, etc.
The networking stack teams for Android, iOS, etc take their stuff seriously and work hard to avoid these things. An occasional big bug happens, but they are fixed and patched very quickly and pushed to devices ASAP as well.
What would make this a security issue to me is if these vulns were common, not patched quickly, not taken seriously, etc. If you stay up to date on your OS releases, these things are unlikely to affect you, even with a big bug.
Certainly security is a much larger topic, if your particular security posture has you worrying about nation state sized actors, then everything is a security problem, and computing has to be done very differently than the average person, not just the networking stacks.
For the average person, which is what hacklore and the OP were trying to address, these RCEs are not a behavior-changing problem, to me. Are you suggesting we spend time and energy teaching tech-illiterate people to alter their behavior around the networking stack, from a security perspective?
I think there is an argument to be made to alter their airplane mode behavior around privacy. Personally I'd much rather spend the time and resources trying to teach them about using password managers, keeping their systems up to date, etc. I think those will have a much bigger benefit to end user security than trying to teach them about airplane mode and the networking stack.
The networking stack teams for Android, iOS, etc take their stuff seriously and work hard to avoid these things. An occasional big bug happens, but they are fixed and patched very quickly and pushed to devices ASAP as well
You might want to look at some of the research on how quickly Android updates are pushed out. My former colleagues in Cambridge studied this and the results are the exact opposite of your claim.
But that's just it, because everyone is insecure, you want to minimise the attack surface. The examples here just show that. If you assume that the VPN and network stack are "secure enough", your TV can be picked up by a random "script kiddie" type actor.
Teaching people to use password managers is important, but that doesn't mean that the network is now suddenly "safe".
We don't tell the average Joe that it's now okay to open random attachments because we have antivirus and spam filters.
The same way we don't want to tell them it's now okay to use public WiFi.
In fact, we keep getting new people who don't know any of this, they just grew up, so we need to teach the stuff constantly.
And it's not without effect on above-average Joe either.
The attackers might not get you this time. But by catching your average Joe, they get crypto coins to fund their attacks on you, they create extra work for all of us, and they have a new attack vector, they can now DDoS you.
I don't think this stuff is black and white. There's some good advice there on that site, but it's not that simple.
Google Maps sometimes says that they don't have enough location data to pinpoint you, and their blue bar that replaces the blue dot covers up what you're trying to see. Their solution: turn on wifi. The wifi is just so Google can see what shops you visit, and now the shops are ID'ing you too.
While I agree, that's a privacy thing, not a security thing. We've been down the road of "beacons" from both BT and WiFi before. We know they exist and are out there.
Apple helps alleviate this to some degree by rotating your MAC address all the time, unless you happen to be logged into the same Apple account, and then you get a stable MAC. I don't know what other vendors do; I haven't looked deeply at other vendors.
To be fair, Private Relay is legitimately excellent and any Apple user should check if it meets their needs before trusting some additional third party with all their traffic.
Then this is (indirectly) an argument for using VPNs! If there are security benefits to using Private Relay, then they should also apply to traditional VPNs. The latter have slightly[1] weaker privacy properties, and Apple has a preexisting reputation outside of the VPN market, but that's it.
[1] I'm skeptical about how much the second hop is worth if both hops are controlled by Apple anyways.
Remember, this is advice for “normal people”. Apple Private Relay is technically a VPN, but to the vast majority of Apple users, it’s just part of the OS, and the point of this advice overall is that the OS is already good enough. You don’t need to put shopping for a VPN on your security to-do list.
I have nothing against Tom Scott, but do they seriously not have better sources?
Is there a better source? (No, really.) His video is engaging, nuanced and explains technical concepts very well. I've not seen anyone do better yet, for a normie audience.
Why not reduce the attack surface?
Because people don't care and limiting the number of requests for them is important. Yesterday it was rotate password, today 2fa, but not sms, but do use a password manager, but preferably not with totp, but passkey is fine and ....
If you want people to follow advice, it should be clear, preferably not change and be limited to actions someone will actually take. Update, use password manager, do backups is going to end up near the top of the list. Turn off Bluetooth, just in case, will be way down - because you don't want to replace anything higher.
It's kind of like a doctor will tell you to take a walk and eat healthy as a baseline, rather than dive into a perfect balance of some very specific chemical (unless you're way out of range on it). Because you're only going to care about so many things in the day, it's better to choose those with more impact.
Maybe it's just that I haven't heard the Bluetooth advice being given out to average people, idk.
I mean, the doctors do change advice, or give different ones, but most of the change is slow, generational.
But that's kind of a good analogy. When your doctors tell you to eat veggies, you just do. They don't explain chemistry or biology, you don't think much about it. You just do.
So, having a clear "recipe" is important, but it's less relevant how long the list is. The doctors didn't tell anyone that since it's now not okay to vape, you can go back to smoking.
First, yes! Let's abandon outdated advice. Don't burn energy on useless practices.
Second, re: QR codes.
This week CISA published an alert about threat actors attacking secure messaging apps like Signal by tricking users into scanning malicious QR codes.
Their recently updated mobile communications best practices guide specifically states:
avoid scanning group-invitation links or QR codes from unknown sources.
The thing that gets me is that "don't scan QR codes" is practically pretty close to "don't click links." Like, in theory you know where a URL goes and you don't necessarily know where a QR code goes, but in practice we've had a lot of trouble with URLs containing Unicode characters that look like ASCII characters.
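The lookalike-URL problem raised in the comment above, as an added Python example that is not from the thread: it folds compatibility glyphs, shows the punycode form a resolver actually sees, and flags hostnames that mix scripts within one label. The sample URLs are constructed; a lookalike built entirely from one confusable script (all-Cyrillic, say) is not caught here without a confusables table.

```python
import unicodedata
from urllib.parse import urlsplit


def label_scripts(label):
    """Scripts used by the letters in one hostname label (first word of the Unicode name)."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def inspect_host(url):
    """Classify a URL's hostname as 'ascii', 'idn' (single-script) or 'lookalike'."""
    raw = urlsplit(url).hostname or ""
    # NFKC folds fullwidth/compatibility forms (e.g. U+FF47) that mimic ASCII glyphs.
    host = unicodedata.normalize("NFKC", raw)
    folded_to_ascii = raw != host and host.isascii()
    try:
        ascii_host = host.encode("idna").decode("ascii")  # what the resolver sees
    except UnicodeError:
        ascii_host = None  # invalid label (too long, empty, ...)
    # A single label drawing letters from two scripts is the classic homograph pattern.
    mixed = any(len(label_scripts(lbl)) > 1 for lbl in host.split("."))
    if raw.isascii():
        verdict = "ascii"
    elif mixed or folded_to_ascii:
        verdict = "lookalike"
    else:
        verdict = "idn"
    return {"host": host, "ascii_host": ascii_host, "mixed_script": mixed, "verdict": verdict}


# Constructed sample URLs, not taken from any real campaign.
SAMPLE_URLS = [
    "https://example.com/login",
    "https://аpple.com/login",   # Cyrillic 'а' (U+0430) followed by Latin letters
    "https://bücher.example/",   # legitimate single-script IDN
    "https://ｇoogle.com/",      # fullwidth 'ｇ' (U+FF47) folds to ASCII 'g'
]


def triage(urls=SAMPLE_URLS):
    """Return (url, verdict) pairs; useful as a pre-click or QR-decode check."""
    return [(u, inspect_host(u)["verdict"]) for u in urls]


if __name__ == "__main__":
    for url, verdict in triage():
        print(f"{verdict:10} {url} -> {inspect_host(url)['ascii_host']}")
```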
Let's abandon outdated advice. Don't burn energy on useless practices.
There are companies that still force regular password changes, despite NIST recommending against that in 2017! That's eight years ago!
I guess the process to change the process is so onerous, that it's just easier to keep the process. Or, you know, it'll change when enough CSOs retire.
Just went through that at the office on two different systems. My federal government login (as an outside user) forces me to change passwords even more frequently.
Finally someone spoke about it. The amount of content I see recommending that I not use public WiFi, install a VPN, and not charge my phone through a wire is through the roof.
I do use a VPN though, but not because of a single reason mentioned in this article or by security gurus.
There are a few rules; the most important one: don't click sh*t.
My comment may come off as a bit off-target here, but I read through the site and mostly agree. I got to the part where they mention selling t-shirts at bonfire.com, which is fine. Thought I'd check that out. Limited selection, but then I read the note:
Logo on black shirts and hoodies will not be visible.
What? Then why the eff are you offering them as an option? I've used Print-on-Demand services to create my own products in the past and there's not a compelling reason to just leave it up to the customer that might prefer a black t-shirt to notice a tiny blurb.