How to protect yourself from being hacked | Chris Tarbell and Lex Fridman


GUEST BIO:
Chris Tarbell is a former FBI special agent and cybercrime investigation specialist who brought down Ross Ulbricht and Silk Road, and Hector Monsegur (aka Sabu) of LulzSec and Anonymous.

Comments

LexClips

1) Putting your phone in a glass of water is pretty pointless; ruining your hardware is rarely the answer. Just turn it off, then use another device to look up how to factory reset your particular handset. The guy ruined his mom's phone for no rational purpose. Your phone "making noises" isn't an indication someone is stealing your information.

2) "we're figuring out how people generate their password and it's easier to crack their password" Rainbow tables and other predictive databases haven't been a thing worth using for a hot minute. What makes a password worthwhile presently is length.

3) The Yahoo hack I presume he's talking about was done through spear phishing of a Yahoo employee. Having a 16-character password with upper and lower case, numbers, special characters, a hieroglyph and the blood of a virgin wouldn't have saved anyone. There is absolutely nothing the consumer side could have realistically done about this; the fault lies squarely on Yahoo. The only thing notable about this is the size of the breach, the volume of user data compromised and the inexcusable lack of security structure at Yahoo.

4) Ring wasn't hacked, not in any conventional sense. What happened was people were compromised on other services and used the same password for Ring (credential stuffing). Blaming Ring for this, in any regard, just isn't right. While Ring is certainly in the security business, they have every incentive to give people what they want and not piss off their customers. Forcing 2FA would have solved the problem but is also the least convenient option for most people, meaning they would turn it off and/or switch to a different service. Login attempt restrictions likely wouldn't have accomplished much (especially at 10 attempts) unless they were actively monitoring for a spike in incorrect user logins, and if they had monitoring like that they should have noticed the issue when it occurred anyway due to the traffic. Chris's characterization of Ring's logic is spot on: they didn't force the account security on people because it would have hurt them financially. His taking them to task for not forcing account security on people, however, is misplaced. The market drives these things; if Ring didn't accommodate, then it would just be another company.

5) Again numbers and special characters are brought up. No. This is a myth from a bygone era. While you could argue that technically doing so increases the character set, it's also so standard now that nobody running actual brute force attacks is attempting without them, and the hash rate is so high that it's not meaningful in strengthening the password. Again, length is the solution. Use whatever wacky character string you want; your 8-character password can be cracked in under an hour.

6) Keyloggers: the "black market" he's referring to isn't very black. There's nothing inherently illegal about keyloggers and many other penetration "testing" devices. There are numerous places you can buy things of this nature very openly, and if you don't want to do that it's not particularly hard to make one.

7) Brief note on the OS and Mac thing. Chris is way off talking like the saving grace was kids not having access to Macs. (On a personal note, the first computer I ever "hacked" was a Macintosh 512k in 1993. I was a kid. Just saying.) The only thing that helped Mac in the past still helps it now: security through obscurity. Mac is just repackaged Unix; there's nothing particularly wild or clever about it. What makes Mac users safer than the average PC user is that they're a minority of the market. Anyone in any kind of business given the choice of targeting most of the market or a small portion of the market, same work either way, will almost always choose the larger market option. As the market share grows, so too does the incentive to attack it. The smaller it is, the less attractive it is.

Chris is a likable guy and I think it's commendable that he's communicating about infosec in a non-technical way, but you have to get it right, and he's off the mark a lot, or at least not up to date with what's going on in cybersec. Most of the time the details aren't going to meaningfully matter in a situation like this, but then there are things that do, like going on about special characters making passwords stronger. That kind of misinformation creates security theater; people think they're more protected than they are.

I'll have to watch the full podcast now. I'm curious if this guy is more competent than he appears in this clip; I kind of feel bad nitpicking him this badly, but hey, it's my industry. I get he had some big wins in catching cybercriminals, but catching criminals is a different animal than defending from them. Guess he at least knew enough to get the job done, and good on him for that.
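An added illustration of the point made in (4), not part of the comment or the podcast: a per-account attempt cap never fires against credential stuffing, because each account sees only one or two attempts, while watching the aggregate pattern per source (many distinct accounts, mostly failing, in a short window) does. The auth events, addresses, account names and thresholds below are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample: one source address tries many distinct accounts once
# each (credential stuffing), plus one ordinary user who mistypes a few times.
def build_sample_events():
    """Return (timestamp_seconds, source_ip, account, outcome) tuples."""
    events = []
    for i in range(30):
        outcome = "success" if i in (7, 19) else "fail"  # a few reused passwords hit
        events.append((100 + i, "203.0.113.7", f"user{i:03d}@example.com", outcome))
    events += [
        (105, "198.51.100.5", "alice@example.com", "fail"),
        (111, "198.51.100.5", "alice@example.com", "fail"),
        (118, "198.51.100.5", "alice@example.com", "success"),
    ]
    return sorted(events)

def per_account_lockouts(events, threshold=10):
    """Per-account attempt restriction: accounts whose failure count reaches the cap."""
    fails = defaultdict(int)
    for _, _, account, outcome in events:
        if outcome == "fail":
            fails[account] += 1
    return {account for account, n in fails.items() if n >= threshold}

def stuffing_sources(events, window_s=60, min_accounts=20, min_fail_ratio=0.8):
    """Aggregate view: sources hitting many distinct accounts, mostly failing, in a window.

    Slides a time window over each source's attempts and reports the widest
    window that meets both the distinct-account and failure-ratio thresholds.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, outcome in events:
        by_ip[ip].append((ts, account, outcome))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window_s:
                start += 1
            window = rows[start:end + 1]
            accounts = {account for _, account, _ in window}
            fails = sum(1 for _, _, outcome in window if outcome == "fail")
            if len(accounts) >= min_accounts and fails / len(window) >= min_fail_ratio:
                best = flagged.get(ip)
                if best is None or len(accounts) > best["accounts"]:
                    flagged[ip] = {"accounts": len(accounts), "attempts": len(window), "failures": fails}
    return flagged
```

On the sample, the 10-attempt cap locks nothing, while the aggregate check flags 203.0.113.7 with 30 distinct accounts and 28 failures; alice's two typos from 198.51.100.5 trip neither rule.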

GentlemenMonkey

Living in a fraternity house taught me to sign out of my computer. Even if you're just going for a glass of water, log out, or someone might mess with your stuff haha. It's been more than a decade and I haven't shaken that habit.

tylerkarlberg

Lex is always on point with his emotions, his attire, and his outlook on helping others.

ambermullins

90% of hacking is just basic phishing. 😅😅

PseudoProphet

If your phone is already hacked, how is the time difference between putting it in a glass of water vs. turning it off and factory resetting it going to matter?

wartem

1:48
bad guys are making portfolios out of people

1:58
We are making a dossier on each person

akreation

I thought they whacked Tony in the last episode while Journey was in the second chorus.

rebornsmith

At my workplace people laughed at me when I even had a password for my work computer; one guy even said "What you got on there? Porn? LOL"

harackmw

Isn't it the case that when you log in with your Google account, Twitter account, or any of those providers, the database doesn't hold your connected provider's password, so a hacked database would only give them your social media e-mail, name, maybe profile picture, and that's it? I use those platform authorization/authentication patterns in my apps.

BarisPalabiyik

Phone in a glass of water? Sounds like the worst idea ever.

rightleft

Imagine being in the FBI and not knowing what a rubber ducky is 🤣 He's on the level of just calling it a keylogger. This is why learning from a book and having a degree doesn't mean jack. Knowledge is key, stay woke!

AGalaxyOfficial

Proceeds to turn off antivirus and firewall for a 3 percent performance boost 😂

theuzlivid

"Change your password" and then they hack the company and steal ALL the usernames/passwords.

brozbro

I wonder how secure two-step authentication is? I have this on my important stuff and use different passwords on different sites, but I almost never change my passwords.

phaexus

1. Don't "smart home" your home.
2. Don't have financial services connected to/on your phone.
3. Don't do financial services/transfers etc. on your PC/electronically.

If you have no PW there is no PW to steal. I'm amazed at how banks have not only left doors open but create new electronic pathways through which thieves can enter.

Donn

Pet peeve: "I'm sorry, but your password can't be more than 8 characters." Grrrr

cabanford

It's funny how out of touch these guys are. "Put your phone inside of water" 😂😂😂😂😂😂 Like what?

boso

Never click a link.

Learn how typical phishing tactics work.

Learn the type of language most hackers use.

astralfluxaf

Most secure operating system is Commodore BASIC.

myprobate