10 Computer Security Myths to Stop Believing


Links to Yubico physical security keys (affiliate links):

▼ Time Stamps: ▼
0:00 - Intro
0:14 - Myth 1
1:12 - Myth 2
2:33 - Myth 3
3:24 - Very Important Thing
4:20 - Myth 4
6:50 - Myth 5
9:15 - Myths 6 and 7
11:10 - Myth 8
12:22 - Myth 9
14:28 - Myth 10

Note: The links above are Amazon affiliate links, which means I'll probably get a small (usually ~1-2%) commission that helps support the channel if you decide to buy the item. The commission does not come out of your pocket, but rather from Amazon's.

▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
Comments
Author

@ 9:30 Congrats, you all are now a computer GLENUIS

ThioJoe
Author

As a 35-year software developer, let me give you props on a good video. You hit the nails on the head and got good points across without diving into too much techspeak.

DIYDaveOK
Author

As a network security professional, I can tell you that most companies still enforce myth 1 religiously. This has the unintended consequence of people choosing weak passwords, re-using the same password but just incrementing any numbers that are used, or worst of all, writing them down (my favorite is the sticky on the bottom of the keyboard--no one will EVER look there!).

ABQSentinel
Author

Also VPNs aren't really completely private. They're great for getting around geo-restrictions, and for remote work, but as you mentioned in another myth - if you log in or if a website uses cookies, they can still gather information about you. Generally speaking, if you want security or privacy, you can't rely on only a single piece of software - you use multiple strategies that cover different aspects of security and privacy.

logicalfundy
Author

You did a good job trying to inform people on the myths you listed. I have been working in IT since 1978 and have seen so many changes in the industry overall. My focus currently is with network security in business environments. It amazes me how many business owners either believe these myths or know little to nothing about their network environment. Sometimes the hardest part is getting them to invest in their own security. The alternative can be far more devastating. Thanks for putting this video out!

activenets
Author

As I learned in college getting my cybersecurity degree:

The user is the weakest link to security. You can have all the best practices and protocols in place, but even those can't prevent everything.

Darkhalo
Author

Thanks! A great video and very informative 👍🏼

luckybear
Author

I work in IT and you'd be amazed how many clients get angry and demand to know how they got infected when they have an antivirus installed. No antivirus software is going to catch 100% of stuff, especially if you're going around downloading and installing everything you come across online.

GeekIWG
Author

I used to maintain a website. In the website logs are the unencrypted usernames of everyone who logged in. Every once in a while someone accidentally put their password where their username should go and vice versa. Of course, the server denied them access. Then a few seconds later there was another login attempt with the username and password in the correct order. The password isn't logged. By searching the logs for gibberish usernames, followed by proper usernames from the same IP address I was easily able to find several passwords a week. I reported this vulnerability to my management, but I don't know what they did about it (if anything).

neilmara
Author
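A defensive counterpart to the log pattern GeekIWG describes above, written as an added example (not the commenter's code or any real site's): it flags failed logins whose "username" cannot be a valid account name and that are followed within a minute by a successful login from the same IP, and redacts that value so the log can be kept without storing the leaked secret. The log format, the account-name policy and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample auth log (not from the original page): on line 2 a user typed
# their password into the username field, then logged in correctly 4 s later.
SAMPLE_LOG = """\
2024-01-05T10:00:01 ip=203.0.113.7 user=alice result=OK
2024-01-05T10:02:10 ip=198.51.100.9 user=Tr0ub4dor&3 result=FAIL
2024-01-05T10:02:14 ip=198.51.100.9 user=bob result=OK
2024-01-05T10:05:00 ip=192.0.2.44 user=carol result=FAIL
2024-01-05T10:05:30 ip=192.0.2.44 user=carol result=OK
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>\S+)$")
USERNAME_CHARS = re.compile(r"^[a-z0-9._@-]+$")  # assumed account-name policy of the site

def looks_like_secret(name: str) -> bool:
    # Not a valid account name (symbols, upper case): most likely a password typed here.
    return not USERNAME_CHARS.match(name)

def parse(log_text: str) -> list:
    # Each entry remembers its line index so scrub() can rewrite exactly that line.
    entries = []
    for idx, line in enumerate(log_text.splitlines()):
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"], d["line"] = datetime.fromisoformat(d["ts"]), idx
            entries.append(d)
    return entries

def find_swapped_credentials(log_text: str, window_seconds: int = 60) -> list:
    # (line_index, account) pairs: FAIL with a secret-looking 'username', then an OK
    # from the same IP within the window under a normal account. Log assumed time-ordered.
    entries, hits = parse(log_text), []
    for i, e in enumerate(entries):
        if e["res"] != "FAIL" or not looks_like_secret(e["user"]):
            continue
        for f in entries[i + 1:]:
            if (f["ts"] - e["ts"]).total_seconds() > window_seconds:
                break
            if f["ip"] == e["ip"] and f["res"] == "OK" and not looks_like_secret(f["user"]):
                hits.append((e["line"], f["user"]))
                break
    return hits

def scrub(log_text: str) -> str:
    # Rewrite the log with each leaked value redacted so the file can be retained.
    lines = log_text.splitlines()
    for idx, _ in find_swapped_credentials(log_text):
        lines[idx] = re.sub(r"user=\S+", "user=[REDACTED]", lines[idx])
    return "\n".join(lines) + "\n"
```

The account names returned by find_swapped_credentials are the ones whose owners should be told to rotate their password; the leaked value itself is never surfaced.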

As someone currently working in infosec, I'd like to point out an issue with the NIST recommendation for never expiring passwords. NIST is designed for government agencies that are already following all of the other guidelines. This means that bodies who follow this will also have modern 2FA, good minimum complexity requirements with phrases, no one is reusing the same passwords, SSO is configured everywhere possible, and these passwords are not being stored in an insecure manner. Not changing passwords IS the best practice if every other best practice is also being followed.

For example, I can guarantee you that many companies have not adopted 2FA more advanced than an SMS message and most users will still be reusing the same passwords for multiple accounts anyways. Also, many of those users will be using the infamous password spreadsheet instead of a manager.

ng
Author

An important note on the last point: Formatting an SSD will not write zeros across the whole drive. SSDs have their own controllers and maps that strategically write data to their flash chips; the OS doesn't have access to the true locations of the files. I have heard of an alternative protocol that does allow the OS to control the SSD more directly but as far as I know it's not really in use anywhere. The reason SSDs are set up to manage their own data is to ensure proper wear leveling, which preserves the life of the drive for as long as possible. Having said all that, for better or worse, it should also be much harder to recover data that was deleted from the recycling bin.

grn
Author

I like the way you explain stuff, it's very easy to follow along. Would you mind making a tutorial about those yubico authenticators including showing how to add them to various popular services?

wookix
Author

Note that even a "*slow*" format doesn't do a secure delete. Some drives might have a secure delete operation, but most consumer drives do not. With spinning-rust drives, you're generally fine if you ensure the disk actually writes out 0s to the physical sectors. With SSDs, wear leveling can keep you from ever writing the physical sector again. Bottom line, you should keep sensitive data encrypted, and keep the encryption keys somewhere you *can* delete them (like a hardware key), or at the least keep _them_ encrypted with a password.

lperkins
Author

Great content, as usual.
Quick add-on: Incognito mode also deletes all cookies when you close the browser. Great for when you're wanting to log into the same site with different credentials, like when you're alpha testing a website.

EvanCastle
Author

Everything spot on except number 10. With modern flash storage, there is a feature called TRIM on the SSD itself which overwrites files as they are deleted so file recovery now is a bit complicated. An exception is with Full Disk Encryption because TRIM only works on entire files, so when it sees an encrypted file system, it sees a delete operation as an update rather than a delete so TRIM doesn't kick in.

pentestical
Author

The private browsing thing I find funny, because all incognito and private mode landing pages I've seen explicitly tell you what it does and doesn't do. Usually even explaining that your ISP, Employer/School, and the website you are visiting still see the activity.

blobofblutack
Author

Here's one I heard too many times in my IT career: "I don't need antivirus, I have a Mac!"

I deliver auto parts now. Much less stressful than arguing with idiots.

tim
Author

Great video. One more myth I would add is that security questions make your account more secure. This really isn't the case. A security question is most often a simpler, shorter password that you can find the answer to from looking at the person's social media account. I always treat security questions as passwords and generate long answers (stored in my password manager)

joe-skeen
Author

Hey Joe, I just realized that I've been watching your videos for over 10 years now. From the troll videos I used to watch in primary school and actually trying them out and being disappointed/angry to today, where I'm studying computer engineering, I gotta say I always enjoyed your videos even if it's about something I understand to the core of it.
You've always been one of my favorite tech youtubers as your videos are always entertaining to watch. Not much else to say besides cheers to another 10🍻

emirkugic
Author

Good video. I was an IT support person for years; the number of times I saw passwords written on Post-Its attached to monitors... I'm convinced that in most cases, computer security merely prevents honest people from getting their work done. Half of the tech calls to corp IT are from users who locked themselves out during a mandatory password change. Management smiles and keeps the policies in place.

aisle_of_view