
Full transcript: Security expert Tony Gambacorta on Too Embarrassed to Ask

“Hackers don’t think like normal people.”


On this episode of Too Embarrassed to Ask, Recode’s Kara Swisher and The Verge’s Lauren Goode dive into Part 2 of the security- and privacy- (and Tony-) themed podcast. Part 1 featured Recode’s Politics and Policy Senior Editor Tony Romm; Part 2 brings in privacy and security expert Tony Gambacorta. The three discuss passwords, Internet of Things devices in the home and basic steps anyone can take to make their information more secure, and then answer questions from readers and listeners.

You can read some of the highlights from their discussion at that link, or listen to it in the audio player above. Below, we’ve posted a lightly edited complete transcript of their conversation.


Kara Swisher: Hi, I’m Kara Swisher, executive editor of Recode.

Lauren Goode: I’m Lauren Goode, senior technology editor at The Verge.

And you’re listening to Too Embarrassed to Ask, where we answer all of your embarrassing questions about tech.

It could be anything, like what’s the future of Uber, given all of the drama that’s going on there. Or, is my smart speaker listening to every word that I say?

Yes.

Why did Sony just put out a $700 e-paper tablet that everyone’s talking about on the internet this morning?

No idea.

Did Kara miss me when I took the day off last Friday?

Not even slightly. I didn’t even know you were gone.

That’s it. The podcast is over. Good-bye.

How can I miss you if you won’t go away?

Good-bye.

Oh, wait, you went away. I did miss you. Anyways, so send us your questions. We really do listen to them all. Find us on Twitter and tweet them to us at @Recode or to myself or to Lauren with a hashtag #tooembarrassed.

Did you have a wild weekend?

I did have a good weekend.

You sound kind of throaty.

No, I got a cold. It’s called a cold. I don’t have a wild life, Lauren. I have a very dull, boring life.

Did you go to SoulCycle with Casey? Is that how you got sick?

I did.

So, you did. You actually did?

I did.

I was joking. That’s how you got this voice.

No, I did a lot of stuff. I did many fun things this weekend.

So it sounds like you had a wild weekend.

Yeah, wild for me.

Wild?

No.

All right.

More of a dull, old-lady life.

Well, yeah. So, tweet us your questions. Could be anything. Could be about Kara’s experience in SoulCycle. We also have an email address, TooEmbarrassed@recode.net, and a reminder, embarrassed has two Rs and two Ss.

And while you’re at it, have a listen to our previous episodes too, which you can find on iTunes at iTunes.com/tooembarrassed.

So last week, we had Recode reporter Tony Romm on for the first time. He was great, actually.

Great.

We got a lot of feedback from listeners who really enjoyed the podcast with him.

Yeah.

But it was the first of a two-part series about privacy and security in light of some of the changes that have been happening with the new government administration.

That would be the Trump administration.

You said it. Not me.

Okay, all right. We covered a lot of topics, Tony was amazing, and mostly about policy changes that could potentially impact how consumers use the internet. We covered net neutrality. We talked about the Trump administration’s attitude toward science and innovation, which is to say they don’t think science is good, apparently, because they haven’t appointed ...

It’s a hoax.

It’s a hoax. Science is fake news. And we talked a lot about these new policies they put into place, which give internet service providers an ability to get a lot of data on you. So, it’s a really interesting time.

Right. Which, as Tony explained, you know, they’d had these rights before, but in some ways some things haven’t changed, but at the same time, everything has changed.

Right. This is a more friendly administration to big business.

Right. And so this week, as part of our two-part Tony podcast, this week we’re focused on security, things like encryption, VPNs, the internet of things and other potential vulnerabilities. We’ve been getting a lot of questions about all of these topics since Donald Trump came into office.

Yeah.

LG: So, we’re thrilled to have security expert Tony Gambacorta on the show. Tony is a private security consultant who’s worked for Citrix, SilverTail Systems, RSA Security and, most recently, he was at Synack, a Silicon Valley firm that crowdsources vulnerability testing. Now he’s running his own company. It’s called 1585 Security and he focuses a lot on the hacking of internet of things devices. Tony, thanks so much for joining us.

Tony Gambacorta: Hey, thanks so much for having me. This is great.

LG: Tony part two.

KS: Big deal.

LG: Little-known trivia: Tony is the person who taught me how to pick a lock and find my way out of handcuffs at one point.

KS: I don’t even want to understand why you were looking to get out of handcuffs.

LG: It’s a good thing to know how to do.

KS: Yeah, I guess.

LG: Thanks, Tony.

KS: If you want to get out of them, you know. I do live in San Francisco. People want to get in them here. Anyway, Tony, let’s talk about these security issues, because I think one of the things that has happened is people are very worried about this administration. They should be worried about all administrations. I mean, I don’t think the Obama administration slathered itself in glory around security.

Sure.

KS: These issues, fighting Apple and others, people are very concerned about this. And as more hacking happens, it’s something that I think about, I think a lot of people think about. What would you say is the biggest security concern consumers should have right now, given the recent policy changes and the overall increasing sophistication of bad actors?

I’d say probably the biggest issue is the fact that there’s such an information asymmetry out there, that the people who are on the carrier side know a lot about how this technology works. The consumers don’t know much about how it works. And perhaps even more terrifying, the legislators have no idea how the technology works.

KS: Right, definitely.

As a consequence, people can kind of pull one over on you from time to time.

KS: What does that mean? What would be the ... Pull what over, exactly?

So when you see laws, like we saw with the FCC, where it was a pretty commonsense approach. It’s an easy play for anybody who understands the space, but they were able to repeal it, because they use some sort of fallacious arguments that, “Hey, we just ...”

KS: Explain that for regular people.

The big argument they gave was they needed to be on equal footing with Google and other people out there that are on more of the application side.

KS: Do they have to be equal footing to invade your privacy?

Exactly.

KS: Right.

Right. The difference here being that I can opt out of using Google. So, if I have something embarrassing that I want to learn about, I don’t have to use Google to do it. I can go off and do something else. It’s not easy, but I can go do it with somebody else. But with my internet service provider, they’re the only game in town. So, they’re going to see all of my traffic all the time, and that’s a really big difference that seems to have been lost, kind of, in the commotion here, in the exchange. But there is a very big gap between policy and technical capability, and I think that’s an area where people can get, sort of, the power back on their side again.

KS: All right. We’re going to talk about those tools in a minute, but what would you think are the biggest security concerns right now? Is it the invasion of all these devices into your homes or that your mobile phone is with you all the time or that cameras are everywhere? There’s so many things to be paranoid about.

I would say that there’s a very fast ramp of adoption for things like IoT devices. There’s a gold rush happening. People are charging into it, and as a consequence, they don’t always understand how things work. And if you’re desperate to get a product to market as quickly as you can and kind of jam commodity sensors into it, you’re more focused on the commercial maybe than you are about the privacy aspects of it, and that’s definitely a concern.

LG: So, IoT devices, you think right now, that’s the gold mine for companies, marketers, advertisers, but it’s also, you think, the biggest potential pitfall?

It creates such a rich dataset. Especially, for a device like a wearable or something like that that’s with you all the time. For that to exist, you have no visibility in how it communicates, right? I mean, if you have a Fitbit or if you have any other sort of item on your person, you don’t get to see that it’s using HTTPS or HTTP, you just know that it’s on and trading information. But how it’s doing that, it’s totally a big deal.

LG: Kara doesn’t use Fitbits ever.

KS: Never.

LG: She calls them her unwearables.

KS: Yeah.

LG: They all end up in a drawer.

KS: See, I have this regular watch.

LG: She’s more secure than the rest of us.

KS: I’m sure some CIA agent has put something in here, but at least they had to make an effort to do so. So, talk about the IoT. First, let’s talk about wearables. So it could communicate anything back, voice or presumably ... Right now, they don’t do that, but they could, correct?

Well, I think what people need to remember is that these are devices. They don’t know what they’re for, right? So, if you have something that’s got a camera and microphone on it and it’s running some embedded software, you could use it as a toy or you could use it as a weapon. It’s just all about the context of what’s happening there.

KS: Right. Then in the home, these new ... The Amazon Echos, the Google Devices, and there’s one coming from Apple soon allegedly. All these things have these capabilities of just being present and you forgetting about them being there.

I think so, yeah. When you think about, like, a device that’s got an always-on microphone ... these are exactly the sorts of things that people freak out about in the other context. My house is bugged, right?

KS: Right.

But when this happens to us because we paid for it, we love it. Now, as far as the FCC stuff goes, that stuff is generally encrypted when it’s going across the wire. The good news is that Comcast, everybody else, they’re not going to be able to intercept those communications. They’re not going to hear what you asked Alexa, for example. You know, the provider still will, but they’ll be blind to it.

KS: Right.

LG: By the provider, you mean, they’re not the internet service provider or the maker of the technology?

Sorry. The maker of the technology is going to be able to receive and interpret, and they’re going to build a nice, big, rich dataset on all the things that you like and what you do and how often you use it.

LG: Right.

But your internet ...

LG: Yeah, because right now, if I do a voice search through any of them, like, through Amazon Alexa, for example, or Google Home, you can then go into the mobile app and see a literal log of the things you’ve just asked.

That’s exactly right.

LG: I mean, it’s not encrypted. It’s just plain text. It’s right there.

Well, you can see that there, but as it’s being transmitted back up to the cloud, so in other words, as it’s crossing through the carrier’s network, in that point it’s encrypted.

KS: But it still gets to the company and who knows what ridiculous systems they have in place. Some guy named Phil is just happening to look at it.

There’s actually, probably, a small army.

KS: Yeah.

There’s a reason why it’s so darn hard to hire data scientists and data engineers right now, right? Because we have such a rich dataset and no one is really quite sure how we’re going to, like, finagle it all into something that they can monetize. But they certainly don’t create something like that so they can just, “Aw, shucks,” make it easier to figure out what the weather is.

KS: So, going back a little bit: Obviously, the first one is the phone that you’re carrying all the time, which you’ve become so comfortable with, it’s like an extension of yourself. Talk a little bit about where that is, and then we want to talk about what you can do, like, some of the things that you can do to protect against these things. But the phone, seems to me, is the first point of contact with everybody and how comfortable people are with it.

Yeah, I think you nailed it. People are just very comfortable. When you have this big emotional response to something, eventually you get fatigued and you get tired of being in this state of awareness all the time and you let your guard down as a consequence. We tend to install apps and we don’t really think about what permissions they’re asking for, depending on the operating system you’re using. Sometimes it just doesn’t give you a choice, right? It just says, “You either are gonna take this or leave it.”

I’m shocked by the permissions that are requested by a lot of different apps. I saw one the other day that was for watering a plant, but it still wanted to have access to my camera, my contact list, all my network information, my GPS, everything. So, I think that’s an area that’s going to get more and more interesting, because you’re not on a high alert there and you’re not thinking like, “Hey, this is an app that’s tracking me.”

KS: Right. I actually go, “No. Fuck you. Fuck you. Fuck you,” every time.

LG: And then you just don’t download the app.

KS: No, I do. I do. I just don’t give it permissions. And then I turn on and off permissions constantly.

LG: Yeah.

KS: But I don’t think people are like me.

I think the average person when they install it by default ...

KS: They just let it go.

They just flip the button and then that’s where it goes.

LG: They just, yeah.

And when you’re dealing with a targeted ... Let’s pretend for a moment these people are attackers as opposed to marketers.

KS: Right.

A targeted attacker is going to be frustrated by you turning things on and off. It’s going to try to figure out other ways to do it. These marketers, they’re opportunistic. They don’t want you or me. We don’t have a picture of ourselves up on bulletin boards somewhere, right? So, you’re not going to have to worry about them, because there’s so many people who are willing to swim into the net that, you know, you’re sort of immune that way.

KS: Right.

LG: I guess I wonder on a bigger scale right now, when we’re talking about what we should be most concerned about when it comes to online privacy and security, it seems like there are so many different ways or areas that we can be concerned about. We have a new administration, we see some policies changing. There’s that. We have these big, giant tech companies, these all-knowing tech companies, and they have access to specific information. Then there are marketers, advertisers, right? So we should be concerned about that to some extent. And then I guess there’s us in our own ignorance, we, the consumers. And then there are bad actors and there are hackers, right? So who’s the biggest concern right now, would you say? If you were telling people, “Yeah, you need to be concerned about privacy.” Why?

I would say it depends very much on what kind of person you are. If you’re the kind of person who inherently does not trust your government, then I would be very, very concerned about what’s happening with the administration. We’re seeing time and time again, when there’s an opportunity to give themselves a little bit more power, they’re taking it. Does this mean that, to your point, that Obama was a saint about this? No. No president has been a saint about this. And that’s why I say it’s not about administration. It’s about your government. How much do you want them to actually have access to?

If you’re worried more about your lifestyle and what’s going to happen there, then I would say be more worried about the marketing, the, you know, what does Apple know? What does everybody else know? Personally, I don’t let my kid interact with these devices, because I don’t feel like anybody really needs to have that. I don’t feel like she’s losing very much in her life by not signing information away to other people. It really comes down to how you think and feel about the problem.

But ultimately, I do think that the greatest threat is our own ignorance, because we don’t understand how these systems work. Granted, you can get really deep in the weeds. You can really geek out on this stuff, but even just a high-level understanding of a lot of it will help people at least become more educated, make some more-informed decisions about it.

LG: Honestly, there are some days where it seems like I’m not quite sure where I should direct my concern about my own online privacy and security.

Yeah, it can be a scary thing. And again, my fear with that is that when you get scared by things, you tend to get fatigued by them and we relax after a while, right? Some things that become the new normal now are actually really weird and not okay.

KS: All right. So, list those things, what people should do. Let’s think about just the very basics of security hygiene.

The most proactive thing you could do is just to understand what’s going on. If you try to think about all the tech and all the moving parts, it gets really tough. Think of a more simple kind of a thought experiment.

We all work in the same office building and there’s an old-school mail room that I work in, all right? So, by the nature of my position, I’m going to get to see a lot and learn a lot about what’s going on in the company, but what people do and how they interact with me influences the granularity of my knowledge, right? So when Lauren wants to send something in or out, all her stuff comes in as a loose pile of papers. I can rifle through it. I can read whatever I want. I have as much information about her comms as she does. When Eric comes in, he puts everything in an envelope and it’s signed. So I could try to sneak into the envelope and people would know, right?

Now, I can’t see the details of what’s going on, I’m not totally blind. I can see how often he’s sending things, who he’s sending it to, right? How thick is the envelope, and everything else, but the actual details are gone. And then let’s say you, Kara, you don’t trust me even a little bit.

KS: Not even slightly.

Smart move. So, you’ve hired a courier. All I know now is like, “Hey, look, Dave the courier comes in here 16 times a day.”

KS: Dave the courier is my cousin, too.

Right.

KS: Anyway, go ahead.

You got to get the blood ties to keep the trust up. So, all I can know is, I can see how heavy his bag is. I can see how often he comes in, but I’m not going to have much more information. It’s exactly the same thing with your web traffic.

If you’re sending stuff over HTTP, like when you’re web browsing, I can see all of it. I can rifle through it. I can monkey with it. If it’s HTTPS, can I intercept it? Sure I can, but it’s going to throw those warnings you see in Chrome that say, you know, hey, someone might be listening, and all that other kind of fun stuff.

But if you use a VPN service like a courier, all I’m going to see is this traffic is going in and out. I could still measure it. I can create a traffic graph, bytes in, bytes out, but I can’t know anything about the content of what’s in there.

KS: Sure. So, how does that manifest in ... You know, we’re talking about a mail room here. How does that manifest? The very first basic thing is not to be promiscuous on a public network. For example, don’t ever go on public networks?

I use public Wi-Fi with a VPN.

KS: Okay.

LG: So, you’re at Starbucks, for example.

If I go to Starbucks ...

LG: And there’s public Wi-Fi ...

KS: Walk through the steps very briefly.

I would say, first of all, 99.9 percent of the time I’m using my phone or I’m tethered to it. If I can’t do that, I have a VPN that I bought. It costs me like $6 a month. And when I have to go into a public network like that, I just click on and then it routes all of my traffic. So basically it becomes opaque to anybody who also is on that network or anybody along the chain, right? Anybody else at Starbucks’ ISP.

KS: This is on your computer.

This is on my computer.

KS: And on your phone?

I don’t have the same protections on my phone.

KS: What do you do then? Because that’s where you do get on public networks often.

I tend to not for that very reason. Because there’s just not enough visibility in what’s going on. When I open up an app, I have no really good way of knowing, is this thing sending it encrypted or not? So I’m pretty judicious about it.

KS: Is there anything you can do on the phone that protects it?

There are minor changes you can make here and there, but if we’re being honest about it for the average consumer, no. There just isn’t that kind of control on visibility.

KS: So don’t get on public networks with your mobile phone.

I would be darn cautious about it.

KS: And what happens? Explain to people what happens. If you’re lucky, you get out, nobody steals your stuff, but if you’re not lucky ...

If I’m sitting in the same Starbucks as you and you’re using an open connection, I’ve got a little thing called an Alfa card. It cost like 20 bucks on Amazon. I can just listen to all the traffic that’s going back and forth. And so I can see all the people that are there and I can monitor what’s happening. If they were sending, you know, privileged information, I’d be able to see it. If they were searching WebMD — which doesn’t even use HTTPS, crazily enough, with medical information, it’s HTTP. If you’re searching WebMD for a super-embarrassing thing, I’m going to be able to see what that is and what’s going on.

KS: And will you be able to see into emails, for example?

If those emails are going back and forth in plain text with no protection on them, I would be able to see it, yeah. Thankfully, most people are doing it right. The problem is for those times when, you know, they’re not doing it right.

KS: Right.

LG: So, you’re that guy in a plane ... When everyone is logged on via Wi-Fi in a plane, you’re that guy that’s like, “I know what everybody on this plane is looking at right now.”

I would like to formally state for the record that under no circumstances do I do anything on aircraft and I love our friends at the FAA.

KS: But you could.

The fact is that anybody could.

LG: Anybody could.

There’s an initial investment — I would say probably about 100 hours or so if you’re already kind of technically inclined — to get up to that level where you can, like, “Oh, this is a protocol. It’s not dark magic. I can see how it all works.” And then it’s usually less than $100 to go out and buy the hardware that you would need to be able to do it.

KS: And not be trackable, either.

No, no, no. You’re completely dark. So when I, for example, when I use that Wi-Fi stuff, again, only for entertainment purposes, I actually change my hardware address. I can do so dynamically. So, you can’t even track that level of it.

KS: Track you doing it.

LG: So, the next level, I guess, is browsing, right?

KS: Browsing.

LG: Beyond that. So, you’re connected to the internet, and maybe you’re just connected securely, let’s hope, and maybe you’re not. But then you’re going to browse. Do you use Tor? Do you recommend using something like Tor?

What I would say is, you got to think about what your trade-off is there. So, you’re saying, “I don’t trust this ISP. I don’t trust this environment, so I’m gonna route my traffic through a bunch of strangers’ networks and then I’m going to trust them more than I trust these other kinds of people.” That’s a personal choice that you have to make. I will say that — and I think we learned about some of this in some of the leaks that have happened — a lot of those Tor exit nodes ... If you’re in the I-fear-my-government side, it kind of made sense, right?

KS: Right.

They all went and took over those nodes and they own them anyway.

KS: Right. So, does it matter in that regard?

It’s kind of a mixed game there.

KS: Right. If they really want to get to you in that way. But a VPN, before you mentioned, is advisable at least at the ... It’s like a basic lock. It’s like a pretty good lock to do that? And you pay for it. You do not take free VPNs. We want to stress that.

If you didn’t pay for it, you are the product being sold. Full stop.

KS: Right, right.

So, yeah. Just like you are on Facebook, there’s a reason why it’s free.

KS: Can you give us names of some?

Yeah. American Private Internet is a great one.

KS: American Private Internet.

Yeah. That’s the one that I use. And there’s quite a few other ones that are out there.

KS: Right, but paying for them is ...

Paying for it.

KS: Paying for it all the time.

Yeah.

KS: All right. So, that’s the first part. Second is, in your home, listening devices ... You’re right. You go paranoid about listening devices and then they’re there. I have an Amazon Echo. I keep it on the red mode almost all the time — and it’s bright, by the way, it’s bright red, so it’s irritating at the same time, but I’m fully aware that it’s not on. I don’t believe it’s not on. I keep thinking they’re probably secretly listening even though the red light is on. Talk about that when you’re using those.

All right, I’m going to wrap the tin foil hat around like three or four times here, right?

KS: Okay.

When we really think about what happened there, that device turned on a little red LED and then we’ve been conditioned that that red light means that everything is okay and there’s nothing wrong. But unless there’s a physical switch that you’re doing that pushes the thing over to the side that actually breaks that circuit, then all bets are off.

KS: That’s what I say. I unplug it now.

Exactly, right? And hence the fact that I’ve got Band-Aids on my cameras and stuff.

KS: Yeah, so do I.

It’s like that all over my house.

LG: Although, I do think there is a physical button on the Echo that you press to go from the red light non-listening mode to listening mode.

KS: Right. You do. I just still don’t trust it. I know it sounds dumb, but I, just, I unplug it too.

This is the glory of owning a soldering iron and having a lot of fun. You can, actually, if you’re the kind of person who wants to go in and look at these devices and say, “Hey, look, that button’s the only game in town,” you can do quite a bit with it.

KS: Right, right, but if you don’t want to turn off all the way, the red button’s the way to go. But then again, I feel like it does make me think that it’s not on.

I think that that’s probably fair. I would say if you’re going to bring a device like that into your home that there is a certain level of risk that you’re willing to trade off for the convenience of what you’re getting on the other side.

KS: So what risk is that?

The fact that it’s fallible, that it’s this thing that’s listening in your house and you are relying on the fact that the engineers that built it are doing the right thing. You’re relying on the fact that there isn’t an insider threat at that firm that’s then taking that information, doing something else with it. You’re relying on so many different things with something that’s extremely personal. What happens in your own home is kind of ... so that’s just the decision that you have to make.

KS: Right.

LG: What about smart TVs?

I think we’ve seen that those things are a bit of a mess.

LG: I think we have.

I think anything you have, you have a lot of problems that come into play there. I think the one that really gets me about smart TVs is that there’s just such a low incidence of people having auto updates on the firmware, where if a vulnerability is discovered, that’s it. Like, it’s going to be out there for a very, very, very long time. And that means that, you know, the longer it’s out there, the more people know about it, the more ways people figure out ways to exploit it.

KS: Again, what could people do with a smart TV, someone who sits outside your house? What could they do?

So, you’re talking about the ability to ... It’s got eyes and ears, right? It’s got audio and video capabilities on it. Depending on what the vulnerability is ... There’s an interesting one that came out a few months back. I could actually change the content of what you see. So, we saw an example where a guy used over the air to ... You know, you thought you were watching CNN when in fact you’re watching hacker CNN, and things like that. So you can do a lot to influence what’s happening. Again, it’s just wires plugged into other wires. Once you realize, hey, this is just a signal and signals are just carrying a bunch of frames in a row. What happens if I replace the frames? What happens if I freeze the frames? Or things like that.

KS: But listening in is what the issue is. They could turn something on, like turn on your computer.

Yeah. They could turn things on. They can listen to things.

KS: So, unplugging remains ...

Unplugging is a great way to do it.

LG: Off the grid, Kara.

KS: Off the grid.

Off the grid.

LG: All signs point to we should just go off the grid.

KS: Okay, go off the grid.

There’s also a great ... There’s a great app. It’s actually free for people who use Mac from Objective See, he spells it S-E-E, that just listens to what’s happening on your laptop and tells you when something turns the mic on or the camera on or whenever any peripheral is accessed, it gets brought on. And when he cranked that on and released it, people started sending back, “Hey, this is weird. I saw this. I saw this. I saw that.” And what they saw was that more than one application provider was cranking the mic on and then leaving it on. And to your point, even when it said, “Hey, it’s off,” there was a pretty well publicized case with Shazam, where if you click the button off, it didn’t actually turn off.

KS: So, they’re like, “Oh, it’s easier for us and it’s easier for you.” That’s their excuse.

Yeah, “Oops, we made a mistake. We wrote a bug.”

KS: What do you think about putting cameras, covering up ... I got something from the Mr. Robot people, I love it. It’s not a Band-Aid. It’s the actual, like, on/off screen so people can’t see into my ...

Yeah. It’s a camera. And if you don’t understand how the inside of it works, then the best thing you can do ... You do understand how covers work, right?

KS: Yeah.

So, we can do that. We can protect ourselves that way.

LG: What about security cameras?

KS: Yeah.

LG: So, your old firm, Synack, had done a fair amount of testing around home security cameras, popular ones.

We did. Yeah, we got in the news a couple of times for some of that stuff. One of the ones was ... Yeah, it was actually anesthetizing cameras and then also inserting fake frames, so making it look like everything was well at the house when something wasn’t.

KS: Oh nice. Well done.

Yeah.

LG: I’m pretty sure my cat does that when we’re gone.

KS: That’s like a “Mission Impossible” plot I recall.

It’s fun.

KS: Yeah.

If I didn’t have this job, I’d be in jail.

KS: Yeah, I know.

So, yeah. There’s a lot of things that we do where we think we’re making ourselves more safe, and we are in fact introducing risk in another way.

KS: Do you have a security camera in your home like a Dropcam or ...

No, I don’t.

KS: I don’t either.

I have probably the most low-tech house you’d ever see.

KS: Yeah, they wanted to ... Comcast recently put in, I can’t believe I’m letting them do this, but they put in my security system. And they were like, “Cameras here.” I’m like, “No.” They’re like, “Everybody wants cameras.” I’m like, “Not this lady.”

I don’t need ...

KS: Like, “Do you want to see your cat all day?” I’m like, “Nope.”

Exactly.

KS: Nope. Nope.

I don’t need the camera, and when the convenience it provides is nearly as ... Like, it doesn’t bounce out for me, and someone else could look at it.

KS: Right.

And I kind of know what I’m knowing. Like, I know how to configure these things. That’s what tools like Shodan are for. That’s why there’s such a playground where people can go out and you can really demonstrate the point that people who put these cameras in their house rarely know how they work, and so it’s incredibly easy to go off and just browse through other people’s networks.

KS: What about your own cameras, like, you know, in the teddy bear, that kind of stuff? Are those also vulnerable factors?

If it’s connected and it’s on the internet, then there’s a potential opportunity for a problem there.

KS: Okay.

Now, the thing here that you want to be careful about is, does it have any forward-emitting signals? So, in other words, if it’s sitting on the internet, is it like a black hole or is it making a bunch of noise? I tell people to think about submarines a lot, right?

If a submarine is just sitting there quietly, it’s a hole in the ocean. There’s nothing to know about it. You wouldn’t know to go off and attack it. But if you can hear the guys in the kitchen and there’s all sorts of noise going on, then, okay, that’s giving them away. So whether it’s a toy or a camera or anything else, if it’s exposing something to the internet, you’re going to have a bad time. That’s why companies like Nest, companies like Eero, rather than having you connect into them, they connect out to the cloud, and then your mobile app also connects to the cloud. You do all your conversations there and they can keep things, you know, nice and tight.

LG: Which means it’s off the device, specifically?

Yes. Rather than having a web server sitting on the device, your device is connecting back out to the cloud and you’re connecting to the cloud via your mobile or however you want to ...

KS: Then we just have to trust Google, which is not my favorite thing to do.

LG: Trust cloud.

Then, yeah, you have to go and trust those guys, yeah.

KS: Yeah, I do.

LG: Right.

Nobody should trust anybody, honestly.

KS: No.

LG: No.

KS: No. What about messaging apps? Because we talk a lot about Signal and others using them here for basic things. Like, I did have the Echo in my bedroom and then I removed it from my room, because I make a lot of calls, work calls and stuff like that, which also can be monitored, presumably. I use messaging apps now a lot and some of them ... I’m worried about some of them.

So, if you’re talking about cryptography and being in the business of keeping secrets, it’s kind of counterintuitive. But the more open the cryptography is, the more secure it is, the better it is at keeping your secrets. Signal, I’m in love with because it’s open-source. You can know how that math works. You can know how they’re keeping the secrets. You can look at all of it. It still won’t help you, because it’s just the way that crypto works.

LG: It still won’t help you as a hacker or as a consumer?

As a hacker. It won’t do anything bad to you. As a consumer, honestly, you’re probably not going to do much with it. You know what makes me feel really good is that I know guys who know crypto really well and they look at it. I know guys like, you know, Schneier and all those other guys out there are looking at and they’ve got eyes on and they’re saying, “Okay. This is fair. This is legit.” And so, there’s not secrets that are going back and forth. Compare that with some of the other technology that’s out there or it’s like, “How is this working?” “It’s working ’cause I said it’s working.”

KS: Right.

That don’t ask so many questions.

LG: You know there are apps that claim to be encrypted?

Oh, I’ve seen way more people roll their own crypto and sort of build their own, “Hey, I’ve got a great way of keeping secrets. This is gonna be awesome.” And it’s usually this really embarrassing, like ... Imagine a toddler hiding behind a broom kind of level of secrecy that they’re bringing in to this stuff. So, I’m a much bigger fan of, “Let’s keep this stuff out in the open.” If I want to keep it a secret ...

KS: Right.

I use that. And so, when I communicate and I don’t want people to know what I’m doing, I use Signal.

KS: Would you do it all the time? No regular text over a phone?

The thing about something like Signal is that people on the other end also have to have it, right?

KS: Right.

We need end-to-end encryption here.

KS: What about basic texting?

Basic texting, if you’re just saying, “Hey, I’m gonna be five minutes late,” yeah, I send that stuff in plain text. You can knock yourself out if you want to know more.

KS: Right.

LG: Via SMS or iMessage?

Again, it depends on who I’m talking to on the other side, so I don’t really rely on it either way. When you’re talking about SS7, I’m talking about that signaling network that’s underneath all that stuff. You know, that thing was built when we were like, “Oh God, please let’s get a connection going all the way through.” It wasn’t built for security, so it’s kind of Swiss cheese. But an opportunistic attacker doesn’t care what time I’m getting home.

KS: Right.

They don’t care about any of that kind of stuff. A targeted attacker does. So, if you’re getting, like, your multi-factor authentication codes through SMS and you’re a high-wealth person that’s likely to be targeted by an attacker, a place that’s doing a lot of wire transfers, that’s going to be bad.

KS: So, what you should do is what then? Because it’s only a code that lasts for a second.

That’s exactly right. That’s why the average consumer doesn’t worry about it. It’s opportunistic. They’re not really looking for that. They’re not going to go through all that effort it takes to get a control of your account and get your password and monitor your comms on the other side. You’re talking about someone being a must-in target, right?

KS: Right.

And most of us, again, we’re not must-in targets.

KS: Right. Because most of them are ephemeral. I use Auth, Google Authenticator or something like that, because I feel like that’s more ...

Yeah, I use the same. So yeah, I use it. It’s great. Again, the average consumer really overestimates how often they’re targeted by an attacker as opposed to just being an opportunity.

KS: But not having two-factor authentication, it’s ridiculous not to have it.

Yeah, yeah.

KS: That’s a must-have, I think.

It’s one of those things that just ... It’s an opportunistic issue.

KS: Right.

So if you have a password, chances are, just by the math, your password’s not great. So as a consequence, if you don’t have two-factor authentication, it’s a lot easier to get you. If I’m in organized crime and my bosses told me, “Go get a thousand accounts,” you’re going to be one of the thousand that I get. I’m not going to go expending extra calories to go catch the person that’s got the hard password or anything else, because I don’t need to. There’s just so much low-hanging fruit out there.

LG: Which brings me to password managers. Do you use one?

Absolutely. Yeah, yeah. I use 1Password. I can’t encourage it enough.

KS: And you like their scrambled passwords versus ...

I like their passwords. I like the fact that they give you the ability to have both super-high entropy ones, but then also they’ll generate just words. So, you know, hey, if it’s a password that I have to type in sometimes, like my iTunes password or something like that, I like the fact that I can have, this word dash that word dash another word and that’s really good on a lot of things. But I can also have these just, you know, high-entropy strings of 26 characters.

KS: What about making up your own passwords?

We’re not that smart. Don’t do it. Everyone thinks they’re creative. But, you know, once you start playing with some of these things, like running a horizontal password-guessing attack, you start to realize that everybody uses a date that’s from their lifetime.

KS: I don’t.

So it’s like from 1900 all the way to, you know, today.

LG: Or an address or some type ...

We don’t have very many different names for our dogs. Like, we all name them the same thing.

LG: Yeah.

So, a lot of things we think are creative and slick are in fact not.

KS: Interesting.

So, it’s just easier to outsource it.

KS: I have a foolproof thing that no one would ever find out.

LG: Really? Foolproof password or a system?

KS: A system.

LG: A system?

KS: Yeah.

LG: Oh, okay.

KS: Yeah. I’m not going to tell you, but ...

Because, again, it relies on the secret. And that’s when that’s the bad ...

KS: I’m not telling you.

LG: Well, yeah, no, you can tell us here.

KS: No, I’m not going to tell you anything.

LG: It’s just us listening to this podcast.

KS: No, I’m not telling you anything. It’s ingenious.

LG: I actually talked to someone this weekend who was asking for advice about an account that had been hacked and she no longer had access to it. And it was the email that was tied to her Facebook. And then she decided to create this, like, this whole mess. And I said, “Well, let me ask this, are you using the same password for all these accounts?” And she said, “Well, yeah.”

KS: That’s bad.

LG: And I said, “Oh God. Let’s just roll back and start at, you know, 101 here.”

If you’re somebody in that world where you’re using your password over and over again, Google “Have I been pwned?” Go to that site and go type your email address in. Or go type your username in. So, for me, I type in TGambacorta@ or just Tony or whatever else I might have that’s out there, they’ve got all the credential dumps. So when LinkedIn got popped a few years ago, Adobe also ...

KS: Right.

All those other guys. They got millions and millions of sets of creds. They have those. And they’ll say, “Yeah, you’re on the list,” or, “No, you’re not.” So, if you’ve got a loved one who does sort of silly stuff like that, throw their name in there and see what happens. It’s a great way to be like, “Hey, you really ... Please.”

KS: Like Ashley Madison.

LG: You’ve been pwned.

So, we’ve just thrown a lot of terms out there, by the way. So to back it up a little bit, quickly explain when you said HTTPS earlier. Explain what that means for web users. And then, we’re going to be talking a lot more about VPNs. So, what does VPN actually stand for?

Gosh, yes. So yeah, HTTP is the way that your browser is trading information back and forth. By default, there’s no security on it. So, you can use HTTPS, which adds a layer of encryption on top of it. And what that does is it basically sits between my machine and the machine I’m talking to. So, you know, my browser and Facebook, we’re gonna be able to have a trusted session there. VPN, on the other hand, is like creating a pipe. It’s a virtual private network between my internet connection and whoever my VPN provider is. So, my ISP, for example, with the Facebook thing would know that I was going to Facebook. They wouldn’t be able to see anything in there, but they’d see the traffic heading over that way. But with a VPN, all they would see is a bunch of traffic heading out to the VPN provider.

LG: Okay.

So that they’re blind to what the actual content is.

LG: So, a little bit more, like, what you were saying earlier with the courier. You know that there’s traffic going back and forth but you don’t know what the package says. You don’t know what’s inside the package.

That’s right. So yeah. So if I see somebody, you know, 90 minutes of data going across all at about the same rate, cool, that’s probably somebody watching a movie. I can make inferences like that, but actually knowing what movie they’re watching or if it was on Netflix or YouTube or something else. That’s all going to be totally ... I’m not going to have any idea.

KS: Thanks, Tony. Stay tuned. We’re going to be answering all of our readers’ questions shortly. First, we’re going to take a quick break as Lauren reads a word from our sponsor. Ka-ching.

LG: I was actually hoping you would read it today, because you have a breathy, wild-weekend voice.

KS: No, that’s all right. No, thank you. It’s your job.

LG: Okay.

KS: One of the few jobs you do here. I carry most of the water, but this is your job too.

LG: It’s true, as everyone knows.

KS: Yes, so, please read.

LG: Today’s show is brought to you by HostGator. If you’re ready to take your website to the next level-

KS: More enthusiasm, Lauren, please.

LG: More ...

KS: Okay, keep going.

LG: One more time with feeling.

KS: All right. Okay.

[ad]

KS: Now, Lauren, can you just say pachow after every sentence?

LG: Pachow.

KS: Okay, good. Go ahead. Keep going.

LG: Where did you come up with that?

KS: I just did.

LG: It’s like, Paczkowski. I’m just going to say Paczkowski.

KS: Pachow! I’ll tell you later where I came up with it.

LG: Okay. See what HostGator can do for your website. Pachow! Right now, Recode listeners, get 60 percent off. I’m not going to keep saying that.

KS: Pachow.

LG: Paczkowski. We miss you, John Paczkowski.

KS: Pa-tew! It’s the noise of fireworks, just so you know.

LG: Why fireworks?

KS: Pachow. People like fireworks. Who doesn’t like fireworks?

LG: I don’t know.

KS: Everybody. Oh, just you probably. All right. Anyway, so, we’re going to get to our readers’ questions right now.

LG: You know it was my birthday this weekend?

KS: No. I guess you told me.

LG: No, you didn’t wish me happy birthday.

KS: I think you told me. Oh, I have to just say happy birthday for that? Happy birthday. I’m sorry. How old are you?

LG: Walt Mossberg wished me a very happy birthday.

KS: All right. How old are you?

LG: I’m not telling you.

KS: All right. I’ll throw you a party this weekend, all right?

LG: Yeah, I’m sure.

KS: Yeah, I will. I’m serious.

LG: Yeah, I’m not going to hold my breath.

KS: I’m serious. I’m serious. I’m already having one and I’ll invite you and make it yours now.

Okay, so, if you’ve been listening to the show, you know how it works. Every week, we take tech questions from our readers and listeners and we try to answer everything we can. This week, we’re answering your questions about internet security and privacy. First question, Lauren, please do the honors.

LG: Okay. We should start off by giving credit to listener Delany Bisbee who emailed us.

KS: That’s not a real name, is it? Delany Bisbee? All right, go ahead.

LG: No. This person is obscuring their name, because they’re smart and do not want to be bothered or hacked. Delany emailed us shortly after the Senate voted to overturn the new FCC privacy rules that would’ve gone into effect later this year. And for more about that vote, you should definitely listen to last week’s episode with the other Tony, Tony Romm.

But Delany wrote in to us to say, “I was curious if you have any suggestions for the tech-illiterate when it comes to privacy to protect themselves. I try to keep in touch with what’s going on in tech, but this one kind of befuddles me. I grew up and just until recently worked on a factory trawler. My sister and brother-in-law are farmers and a good portion of my friends are teachers, loggers, and work in service jobs. Do you have any suggestions for platform users who aren’t tech-literate and don’t work in tech?”

KS: That’s everybody.

LG: So, I guess if we just make it super basic, what would you say are maybe the three or five most important things people should be doing?

So, yeah. A lot of my friends and family all come from the same world.

KS: Yeah.

Right? So I’ll tell you the same thing I tell them: Don’t gamble with what you can’t lose. So, every time that you put something out there, because you want to get a potential benefit, you want to possibly win the game. There’s also a chance you’re going to lose the information. So if you’re nervous about it and you’re worried about it, don’t put the camera on it. If you feel like you really have to have a camera at your house, maybe put the camera on the front porch as opposed to in your kid’s room. Just sort of commonsense things like that.

KS: Right. Okay, and on your phone? Two-factor auth?

If you have the opportunity to turn something on for two-factor auth, do it. If you don’t, use complex passwords.

KS: But you always do. Don’t be a lazy so-and-so.

Well, yeah. The sad thing is you don’t, really. A lot of banking apps, for example ...

KS: No, I know. I yelled at banks and then they finally got it.

It’s a bummer that more haven’t rolled it out.

KS: Yeah, Wells Fargo does.

Yeah, you have to fight tooth and nail to get Wells Fargo to do it.

KS: Yeah.

And my Twitter account was protected.

KS: And I’ve been yelling at Comcast all the time. They’re going to introduce it soon, I think.

I hope they do and I hope they make it the default.

KS: It’s crazy they don’t.

Because the people don’t know how all these things work, then they’re never going to ...

KS: No, I write Brian Roberts, I’m like, “Hey, two-factor auth, how’s that going?”

God damn. That’s the right way to do it.

KS: “And by the way, my cable’s a little slow.”

LG: So, it seems like what you need to do is if you buy an IoT device, something connected, maybe don’t put in the most sensitive part of your house.

KS: Yeah.

LG: The second thing to do is use ... I would say use a password manager. It’s going to be a little bit expensive. Something like 1Password, I think, charges around $65 per year.

KS: They do.

LG: But what they do is they make really secure passwords for you and they differentiate them from account to account. They store them for you securely and then you can just plug those in as you need them. It sounds like the third thing is, maybe, if you’re just really that nervous, like you said, there’s a cost-benefit analysis that goes on here. If you’re like, “I wanna buy this thing online, but the website looks kinda sketchy and I’m not really sure.”

Buy it from people who you know and who you trust, right? Yeah.

LG: Right. Just don’t do it then.

KS: And a VPN.

So if you found some really crazy deal out there, then it’s probably no good. If you’re not going to use a password manager, by the way, one thing that people often mess up is they think, “Oh, I’ve got to put lots of zeroes and exclamation points and everything else.” Go get three or four words that you know really well and put them in a row and add something in between. So, you know, cat-lawyer-boneyard. Great.

KS: Boneyard?

Whatever word pops into your head, the first thing that comes up.

KS: All right.

Those three words with a little bit of symbols between them, very easy for you to remember. And in terms of brute-force guessing a password ...

KS: It’s just weird.

Pretty darn hard to do.

KS: Yeah.

Right? It’s just the way the password works.

KS: That’s one of my systems.

The one thing that doesn’t work is “welcome” or “password” with an @ sign and zero and a bang at the end of it, right?

KS: Right.

LG: Right.

It fits the need that your provider said it’s got to have all these special things, but it’s remarkably easy to guess.

LG: Right.

KS: Yeah.

LG: I feel like Brute Force would be a good nickname for Kara.

KS: That is a good nickname. That’s my password.

LG: Yeah.

KS: BruteForce1.

LG: If you were in a Marvel Comic movie, your name would be Brute Force.

Kara, get the knuckle tattoos.

KS: Just totally got my password. Brute Force, you like that? That’s my porn name. Anyway, so, next question. Utterly Random Techie @UttrlyRndmTchie. “How to explain encryption to people who don’t follow technology a lot?”

When Mr. Duck and Mr. Bunny want to talk to each other and they don’t want Mr. Dog to understand what’s going on, they use a special language and they use secrets between them. So, they don’t say, “We’re going to go to a party later, do you want to come?” They use code words and that’s it. And we’re just getting fancier and fancier versions of that.

KS: Nice. Well done. I like that a lot. Mr. Duck and Mr. Bunny, those assholes. Anyway, another one, Lauren.

LG: This is an email from Farzan KH. “As we all know, Facebook Messenger is not end-to-end encrypted by default. I’m wondering, how does Facebook use our chats in order to make money? My primary messaging app was WhatsApp, by the way also owned by Facebook. And I recently switched to Telegram. What messaging app do you use? What do you recommend?” Well, we talked about Signal earlier, but I guess if you want to address that ...

KS: Telegram. Do you like Telegram?

I mean, like I said, I love Signal for the fact that I know what’s going on in it.

KS: Right.

I can’t answer the question about Facebook Messenger, because we don’t get to see what’s on the inside of it.

KS: Because Mark Zuckerberg knows best.

Exactly, but the other thing is, hey, these guys didn’t create this thing for free, all right? They didn’t do it just to be fun. So, yeah. They’re probably using that information in ways that might make you a bit uncomfortable.

KS: Yeah, yeah, absolutely. Early on in Facebook’s history, they, of course, had people look ... The people worked there looked into people’s accounts all the time. They fixed it.

Of course.

KS: All these companies fix it eventually, but there’s always that period of time where people ...

I used to do the deep packet inspection that everybody’s worried about. I spent 10 years in that space, and I’ll tell you, the way that we would troubleshoot things is we would watch somebody’s internet activities. They went past the wire. “Hey, he’s browsing this, he’s browsing that.”

KS: Right.

“Oh, look, his internet connection stopped.” So, yeah, it’s just the nature of the beast.

LG: Yeah.

KS: Yeah.

LG: That actually happens a lot when I’m testing wearable devices and I find something wrong with it. The data is not processing properly, things seem inaccurate and I’ll write to the company. And I’ll say, “I found this issue as I’ve been testing it.” And the first thing they always want to do is get access to my account to watch the flow of data and I just don’t let it happen. Maybe they go and they do it anyway. I’ve actually had companies write back to me, inadvertently admit it and say, “Well, we looked into your account and we could see this, this and this.” I’m saying, “I didn’t give you permission to do that.”

KS: Yeah.

LG: But I mean, it’s kind of crazy when you think about the level of granularity of data that some of us have access to.

Oh, yeah.

KS: And also, what people give up. I mean, I was on an airline and they were asking people’s birth dates, and everyone in front of me gave them their birthday, and they’re like, “What’s your birthday?” I’m like, “I’m not giving you my birthday.” They’re like, “You have to.” I go, “I don’t. What do you need it for? Like, if you tell me what you need it for, if there’s something special, and you have my license. I’ve already ...” It was really interesting, but very few resisted.

I say, pollute the dataset.

KS: Oh, I do.

You can resist by saying, “No,” or you can be like, “Yeah, yeah, January 1st.”

KS: That’s what I do.

Yeah, yeah.

LG: 1991.

I always throw a monkey wrench.

KS: I think it’s well known, and I have a dozen birthdays on the internet. I get birthday-wished a lot.

LG: It’s true. Actually, it’s really hard to keep track of Kara’s actual birthday, yeah. She’s had parties before ... Like, you had a big milestone birthday party that’s completely not around your birthday.

KS: Yes, my 50th birthday. Not near. Not even close.

Excellent.

KS: My real name is actually Eleanor. Anyway, “Without sounding too tinfoil hat,” — there’s nothing wrong with tinfoil hats, Raymond, by the way — “how much work would it be to have all my tech devices run through a VPN? Smartphones, computers, smart TV. Is that overkill?” And you can’t, right? You can’t.

Actually, you can.

KS: Okay.

So, there’s a thing called, but it takes a lot of work, there’s a thing called a point-to-point VPN.

KS: Oh wow.

So, what you would do is you would set up a VPN on your home router, on your Wi-Fi router.

KS: I see. Okay.

And then that would send all the information out. But your smartphone is portable. It’s going to go in and out of that network, so that VPN’s not going to protect it there.

KS: A smartphone.

But it’s a huge hassle. I’m actually kind of excited about what the response is going to be to this change and consumers being upset about privacy. I think you’re probably going to see a couple of the router companies offer that as an add-on service.

KS: Yeah. Of course, then you have to trust them.

Exactly.

LG: But so, you’re saying it’s a huge pain to do it yourself, kind of the turnkey solution now, but if it’s built into routers then it’s easier?

I’m saying, yeah, if it’s something where I have to go and put a Raspberry Pi line on my network and also that kind of stuff, that’s going to stink. If somebody says, “I’ll charge you an extra $6 a month,” like Eero comes to me and says, “I’ll charge you six or eight or 10 bucks,” or whatever, and then I’ll pipe this off to somewhere like Germany where the privacy laws are really strict. That’s possibly an opportunity there.

KS: What about naming a router? I’m just curious, because some people say, “Don’t name them your names either.” Does it matter?

LG: Kara’s is named “Kara Swisher lives here.”

KS: “Don’t hack me.”

In my neighborhood there are some people that have some very distinct names for their stuff and it just makes it easier to tie information to you. My computer’s name is Computer, you know? My router’s name is ...

KS: Well, now you just told everybody.

Is just something else. I know, I’m doomed. But, you know, just don’t give information away that you don’t need to give away.

KS: Yeah, yeah. I once had a router name called “John Lennon Just Died,” because he did and I just kept it for years and that’s not like that anymore.

LG: Why?

KS: I don’t know. It was just happening at the time, and so I just didn’t want my name on it. I didn’t want my name on it.

See? Now I know, but now I can date ...

KS: It’s not there anymore.

LG: It was happening at the time.

But then you can date the firmware to when the name was on there and so ...

KS: Yeah, but it’s not on there anymore.

LG: Wait, when did John Lennon die? Didn’t he die in the ’80s?

KS: Yeah, but it was an anniversary.

LG: Oh okay, that makes sense. I’m like, “Kara.”

KS: I do stuff like that. Whatever I’m hearing at the time, I name things.

LG: Kara’s like, “I have an Eero in the ’80s.”

That’s why the passwords get us.

KS: What?

LG: You can get so many scoops. You’re like, “I had this scoop on a router that didn’t exist.”

KS: No, no, no, no, no, it was something like that. It’s a news event. Whatever the news event is. Something like that. Go ahead, next one, Lauren.

LG: Next one is from Jonathan Tanzer. “When using a VPN, is the speed of a fast connection, like Google Fiber, reduced by the VPN provider’s connection?”

KS: Oh, that’s the question. Yeah, I’m curious about that.

Yeah, absolutely. So, you’re adding another hop into the network. Every hop introduces latency. And if you have, you know, 100 percent possible throughput that’s going on through this, but your VPN provider, say, can only handle half that rate, well, then all your traffic’s going to go through at half of that rate and it’s going to slow down. That’s why a lot of these VPN providers compete on things like, “Hey, I’ve got lots of endpoints. I’m really close to your house. I can move the traffic pretty quickly.”

KS: And what about when you’re abroad? I used one in China. And they always stopped it. It was interesting.

Yeah, they have a tendency to do that, don’t they?

KS: It was almost useless and then I just ...

LG: Kara’s like, “I was safe. I was using China’s VPN.”

KS: I know, but it was. I used one. It was funny, because ... And then I just gave up and I got a Chromebook and I just threw it out. I just smashed it.

Yeah, that’s what a lot of people do.

KS: It was like $26.

I have some friends that played a fun game where they knew that was going to happen, so they brought an instrument and a laptop in and then looked at what happened on the other side of it.

KS: Yeah.

And they had a good time with it. But, yeah. If you’re in a country where they’re going to block your internet access, they would’ve blocked you anyway, whether there was VPN or not, all right? They’ll block half the traffic, so ...

KS: Right, right. That was interesting. What about, you’re in another country like China, for example, which is the problematic country that everyone talks about. Do you go in with your email and then just never sign on to it and just let them read your email, or do you ... What do you do?

Well, so, as soon as you cross the border in there and you had the email on your phone to begin with or the creds or anything else, and they took it from you at the border crossing and said, “Hey, I want to see this for a minute.” That was so they could image it and then go off and do their own thing. So, you’re already burned.

KS: Right.

So, I would suggest if you’re going to go do something like that and you’re concerned about it that you not try to do it by yourself. If you’re a, you know, a consumer that’s traveling on business and then you go talk to somebody who can help you understand counter-espionage.

KS: Right, so you can access your emails or whatever, because you have to access them.

Yeah.

KS: At the same time, you don’t want to type in a password or change the password.

There’s a lot of things you can do for counter-espionage, but that’s not usually the kind of stuff you find under your kitchen sink kind of security. You need to put some thought into how you’re going to build it.

KS: You put some thought in it.

LG: Does it help at all if you just log out of all of your usual accounts and create a kind of dummy email address just to use for specific apps?

KS: That’s what I did.

LG: Or browsing or things like that?

Yeah, yeah. It would certainly help. But if, again, if they take physical control of your device when you go through the airport, it’s already game over. So, it’s best to just sort of keep it nice and clean. I’ll tell you, like, if you were to tell me right now, “I got to get on a plane to go to China,” I’d just set up my Gmail account and use that for my communications while I was there.

LG: Set up a new Gmail account.

I’d set up a new Gmail account.

LG: Yeah, a new dummy account.

KS: And then have everything forward there that you want to forward there?

Yeah, you can forward the email, too. You can do whatever you need to.

LG: Yeah, right.

KS: That’s what I did. I had a phone that I threw out and broke.

LG: Yeah.

KS: I just have to think ...

LG: I used VPN when I was in Vietnam, but I’m pretty sure I was looking over things like where to find the best pho.

KS: Yeah.

LG: So, I wasn’t super concerned about ... I mean, I did have access to my work email, though, when I was there.

KS: I’m watching on that one, yeah.

And there’s actually a really good point to you bringing that up. Don’t forget, when you’re in one of these other countries and you are trying to actively evade another government, they might not think that’s funny.

KS: Yeah.

In this country, it’s your right to evade those sorts of controls. In other places, that’s not necessarily the case. So, anything that we think might be cute here could wind up with, “Ow, ow, the cuffs are hurting me.”

KS: We’re a cute country, aren’t we?

Yeah.

KS: We’re a cute country, it’s not so cute elsewhere. Okay. FReed @2lowtech, who’s written in before, “How do you know who owns a particular VPN, thus, seeing your way of history?” How do we trust the VPNs? I’m feeling very paranoid.

You don’t. Just don’t trust anybody. I mean, you know who they are ...

KS: What’s the one you named? I’m sorry, say it again?

American Private Internet. And you know who they are based on their ... No, the contract that you sign with them based on the privacy policy that you get from them and everything else. But yeah, if you sign up for a free VPN, again, there’s a reason why they made it free.

KS: Sure.

LG: Next one is from Will Pfeffer.

KS: Pfeffer?

LG: He’s at @pfffr, like, P-F-F-F-F-F-F-F-F-R, on Twitter. “A lot of people cover their laptop/phone camera. Why should I care if the mic and all of my data is not covered? #tooembarassed”

It’s a device. You like to use it to FaceTime and Skype and everything else, but it doesn’t know that. So, if someone finds a way to get in there and access your camera or your microphone, they’re going to do it. The most common way they would do that would be with malware. So the same sort of thing that gets installed on your device when you click that email link or you go to that bad website or wherever else and they steal your bank information. Now you’ve gone from stealing your credentials to being able to see what you’re doing when you’re online.

KS: Right. Yep. I think the camera’s probably the most critical.

I mean, the camera’s pretty darn important.

KS: How do you turn off the mic? You just turn off the mic, right?

You just put a little bit of tape over it.

KS: Tape over it?

Yeah, you can turn it off, but you’re turning it off in software, so somebody can turn it back on, which is just like when you stay, you know, with your phone, when it’s like, “Hey, my phone’s turned off. They can’t listen anymore.” They can totally turn it on, because the screen is turned off but that doesn’t mean the internals are.

KS: Right, so just cover the mic. You can’t really cover the mic on the phone. That would be a pain in the neck.

Again, a little piece of tape if you’re that worried about it, or, like, you just shut your phone off, put it in your bag.

KS: Yeah. And then I think the last question is, what is the weirdest thing that could happen to you? Like, what is the most ... you know, when you’re talking about the things that people are vulnerable to, but what is something they just don’t think about? For example, I’m thinking of putting an electronic lock at my house rather than a key. Is that stupid? Or like, things like that as you start to think about automating your home?

I think that people ... The weird factor that comes from it goes in two directions. One is that hackers don’t think like normal people. Like, I can’t build something to save my life. I know how to come to problems in weird ways. So, when you talk about putting a lock in your house like that and you’ve also got a voice-controlled system on the other side, as soon as I hear you’ve got something like that or you’re using If This Then That, I start wondering what I could do, how I could control it in ways that you’re not anticipating.

KS: Sure. Are those safe? More so than keys or not? Anyone can get into any house, let’s be honest. They can break a window.

Exactly, right? So, like, look at Lauren. I showed Lauren how to pick some locks. If people want to get in and out of a house, they’re going to do it. In terms of level of difficulty, yeah, cracking a window is a heck of a lot easier than popping your August lock or something like that and then writing a zero-day to get me into that special room. There’s just easier ways to skin that cat, so that’s probably not as likely.

KS: Right.

But, you know, if you were looking at that August lock and you’re thinking, “Oh, that looks really cool. I can’t afford it, but look, this one’s like 20 percent of the cost.”

KS: I see.

There’s a reason why it’s 20 percent of the cost. It’s probably using a lot of OEM parts. It’s probably using an old distribution of Linux and might have a bunch of vulnerabilities in it that you don’t know about.

KS: Right. So, was there a good one in that area?

I like August lock. I’ve seen them be pretty proactive about what they’re doing in their security.

KS: Like Schlage, I think those people ... They have a whole ... I just was looking at them recently.

So they’re in the business of manufacturing locks. They don’t know a thing about ... They don’t have any mobile developers. They don’t have any guys with any kind of EE background in it, which means one of two things. Either the guy who’s been there for 15 years building normal locks googled some stuff.

LG: Or girl.

KS: Probably not a girl.

Could be the girl.

KS: Probably not.

Yeah, you wish it was the girl, because then, yeah, she’s probably thinking about it a little more carefully than the guy who’s been there for 15 years. But he’s sort of just trying to shoehorn some stuff in to get it to work. Or they went off to a third party, in which case they got a bunch of bids and they took the lowest possible bidder to go off and build this stuff.

LG: Right.

And the lock industry has shown time and time again that they’ll reuse things, even really dumb things. They’ll do it over and over and over again.

KS: Well then none of that, then.

LG: When we really think about it, being in a fairly civilized society here, we all kind of have this false sense of security around what actually stops people from getting in. And for a long time it was these ... they were physical things, right? A door, the window, the things that we build.

KS: They can still get in those.

LG: People can still get in those, right? So it seems like the translation of the digital world is the same. There are these things in place, they’re sort of providing this sense of security, but really anyone can get in if they want to.

We presume that they’re defenses when they’re really deterrents. Right? So, I mean, the lock on a front door or the camera, it’s not there to keep me out. I know how to knock out your camera. I know how to pick your lock. It’s there to keep the average person out.

KS: Right.

If they’re trying to decide and they’re 50/50, “Am I going to do something bad or not? Not this one. I’m gonna go somewhere else,” right?

KS: Right, right.

That’s really all that is. If we mistake the two things for deterrence and defenses, we get ourselves in a whole bunch of mess.

LG: That’s a good point.

KS: Till we get the energizer, then we’re all screwed.

LG: I would just like to state for the record, by the way, that I’ve never picked a lock even though Tony taught me how to do this.

KS: No, no. Thus, you have.

LG: And I’ve never been in a position where I’ve had to get out of handcuffs, but I know now how to do this. And it’s funny, because in Hollywood movies, they often like ...

KS: That’s so sad that you’ve never been in a position to get out of handcuffs, but I’m not going to go into why that’s sad. Anyway, so sorry for you.

LG: I’ve never been in a ... I’m just not going to get into this.

KS: Let’s just not get into that.

LG: Back of a cop car.

KS: Anyway ... All right. We didn’t get into cars or anything else, but you’ll be fine for a while with cars. This has been another great episode of Too Embarrassed to Ask. Tony, thank you for joining us.

Thank you.

LG: Yes, Tony, thank you so much. We really appreciate it.

KS: Made us paranoid.

LG: Right.

KS: I’m going to change all my passwords right now.

LG: You all should stop listening to this podcast and go change your passwords, please.

KS: Change your passwords right now immediately.

LG: Cover your microphones and your camera.

KS: Send the list to Lauren. Send the list of your passwords. She’ll keep it safe for you.


This article originally appeared on Recode.net.
