1820: Security Advice
==Explanation==
{{incomplete|Incomplete. TBD:Complete tip explanations Do NOT delete this tag too soon.}}
The comic depicts a conversation between [[Cueball]] and [[Ponytail]], discussing the fact that giving people security advice in the past has failed to improve their internet security, and in some cases has even made things worse. One such example is telling people to create complicated passwords containing numbers and symbols, which not only made the passwords harder to remember (leading people to create huge security risks by [https://arstechnica.com/security/2015/04/hacked-french-network-exposed-its-own-passwords-during-tv-interview/ leaving post-it notes with their passwords on their computer monitor]), but did not actually make those passwords harder to crack (see [[936: Password Strength]]).
As a result, Cueball suggests using {{w|reverse psychology}} and giving out bad advice instead, in the hope of achieving a positive effect. The last panel contains a list of these security tips, which are parodies of actual security tips.
===Security Tip Explanations===
{| class="wikitable"
!Security Tip
!Explanation
|-
|Print out this list and keep it in your bank safe deposit box (header)
|This is a standard recommendation for documents that must be kept secure because they are irreplaceable and/or contain sensitive information. However, this list itself is easily replaceable and its contents will be well known, so storing it in a safe place is totally unnecessary. Putting it in a safe deposit box would even be counterproductive, since the list can only serve its purpose as a ready reminder if it is easily accessible.
|-
|Don't click links to websites
|The usual tip is "Don't click on ''suspicious'' website links" or "Don't click any links in suspicious emails". The comic's variation instead tells users not to click on any links to any websites, which essentially stops them from using the World Wide Web altogether.
|-
|Use prime numbers in your password
|It is usually recommended that one uses numbers in one's password to increase its entropy, making it harder to {{w|Brute-force attack|brute force}}. In contrast, the comic suggests using {{w|prime numbers}} in one's password. Large prime numbers are an essential part of modern cryptography when used in algorithms computed by machines. They have no effect when used by humans in passwords, except perhaps making the password harder to remember. In addition, if people regularly used prime numbers in their passwords, it would actually make passwords ''easier'' to guess, as it would substantially reduce the number of possible passwords people choose from; an attacker's wordlist would simply include the small primes.
|-
|Change your password manager monthly
|It is often recommended to change passwords on a regular basis and to use a {{w|password manager}}. Password managers are programs which help users create, store, and change their passwords easily and securely. Changing password managers monthly would involve copying all stored passwords from one manager to another, which would be quite impractical and has no security benefit. The underlying advice has itself been revised: current guidance (NIST SP 800-63B) recommends against forcing periodic password changes unless there is evidence of compromise, because mandatory rotation pushes people toward weak, predictable passwords, which is exactly the kind of backfiring advice the comic is about.
|-
|Hold your breath while crossing the border
|At some border crossings, government agents may search computers, cell phones, and other electronic devices. The usual advice for such situations ranges from asserting your rights to resetting all devices and deleting all data prior to crossing a border. Holding one's breath can potentially prevent inhaling germs or poisons in some situations, though it is useless in the context of computer security. Mixing these two topics in the same advice won't achieve anything, but if you hold your breath for too long you could pass out when crossing, or look stressed/suspicious and invite even more scrutiny. This could also be a reference to the superstition of holding one's breath when passing a graveyard.
|-
|Install a secure font
|A real tip might be "Install a secure browser", especially in the days when many people used {{w|Internet Explorer 6}}. Installing a different font on a computer does nothing for one's internet security. Fonts are, however, a real attack surface: TrueType and OpenType fonts contain hinting instructions that the rasterizer executes as bytecode, and malformed font files have repeatedly been used to exploit font parsers in operating systems and browsers, so what actually matters is a secure font ''renderer'', not a secure font. The tip may also refer to the [https://www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme Google Chrome "Install missing font" malware] scheme, in which a fake "missing font" prompt tricked Chrome users into downloading and running malware.
|-
|Use a 2-factor smoke detector
|{{w|Multi-factor authentication|Two-factor authentication}} describes the practice of using two different identification factors (such as a password and a code from a secure token) to authenticate the user. A two-factor smoke detector presumably uses two or more factors to identify ''smoke'' (such as {{w|Smoke_detector#Ionization|ionization}} and {{w|Smoke_detector#Photoelectric|photoelectric}} sensing). Such devices [http://alarmspecs.com actually exist], but, while improving the user's general safety, they do nothing to improve their internet security.
|-
|Change your maiden name regularly
|The usual tip is to change your passwords regularly. Some password recovery procedures ask a security question, such as "What is your mother's maiden name?" (the family name she was born with; occasionally your own maiden name is asked for instead). Since the answer acts as a second password, the parody suggests it should also be changed regularly. Changing it, however, would be very difficult or even impossible, even more so on a regular basis. Also, maiden names and the other trivia typically asked by security questions are not secret (they are often public record or easily found on social media), so they are inherently insecure.
A real tip for dealing with security questions is to treat them as extra passwords: enter a random, false answer and store it in your password manager.
|-
|Put strange USB drives in a bag of rice overnight
|The usual security tip is "Don't plug strange USB drives into your computer," because attackers sometimes leave drives loaded with malware that infects your system when plugged in (a drive can even present itself as a keyboard and type commands on its own). This tip instead states that you should "put USB drives in a bag of rice overnight," which is a common folk technique for drying out water-damaged devices, due to rice's absorbent qualities. This would not clean the drive of malware, and unless the drive was wet (perhaps because you found it outside, which is why it is "strange") it would not do anything. In [[1598: Salvage]], another attempt is made to salvage something unconventional with rice.
|-
|Use special characters like & and %
|You can use special characters to increase the entropy/strength of your password, though as described in [[936: Password Strength]], that often leads to passwords that are hard to remember but not particularly strong. The password context is missing here, and in everyday situations the characters & and % are not special. They are sometimes disallowed in passwords, not because of anything about the password itself, but because of the code that handles it: & separates parameters in a URL query string and starts an entity in HTML, while % introduces an escape in URL-encoding and is a wildcard in {{w|SQL}} <code>LIKE</code> patterns. A system that rejects them is usually one that builds queries or markup by string concatenation instead of using parameterized queries and proper escaping, and that stores passwords badly or in plain text; such code tends to have the kind of injection flaw shown in [[327: Exploits of a Mom]]. With a parameterized query and a proper password hash, every character is equally safe.
|-
|Only read content published through Tor.com
|[https://en.wikipedia.org/wiki/Tor_(anonymity_network) Tor] is an anonymity network (and the software that uses it) that hides which sites its users visit by routing traffic through several relays. The website [https://tor.com Tor.com] is the website of the fantasy and science fiction book publisher Tor, which has no relation to the Tor network.
|-
|Use a burner's phone
|A play on using a burner phone (a cheap, disposable prepaid cell phone, like those sold at 7-Eleven, often used for drug deals or other activity one might not want traced) versus using the cell phone of a burner, i.e. a person who goes to the Burning Man festival.
|-
|Get an SSL certificate and store it in a safe place
|{{w|Transport Layer Security|SSL/TLS}} is the protocol that secures connections on the internet. A server proves its identity by presenting a certificate, which binds its name to a public key and is signed by a certificate authority. Every client that connects receives a copy, so the certificate is public by design, and locking it away in a safe place makes it useless. What must be kept in a safe place is the matching ''private key'': anyone who obtains it can impersonate the site. The real advice is therefore the reverse of the tip: publish the certificate, protect the key.
|-
|If a border guard asks to examine your laptop, you have a legal right to challenge them to a chess game for your soul.
|This tip is a reference to Ingmar Bergman's film {{w|The Seventh Seal#Synopsis| The Seventh Seal}}, in which the protagonist challenges Death to a game of chess.
|-
|Never give your password or bank account number to anyone who doesn't have a blue check mark next to their name. (Title Text)
|The usual security tip here is ''"only trust Twitter accounts claiming to be legitimate if they have a blue check mark next to their name"'', which at the time meant that Twitter had verified the account's identity (since 2022 the mark can simply be bought with a paid subscription, so it no longer proves anything about who runs the account). This tip suggests only giving your ''password'' to verified accounts, although you shouldn't give your password to ''any'' account. It also refers to problems especially visible in the US banking system, where there is very little security for direct account drafts, and because of that it is advised there to keep the account number as secret as possible. In contrast, in Europe giving your account number to someone is one of the most common ways to get paid.
A related tip might be ''"Never give your password or bank details to a website that doesn't have a padlock icon next to the URL"''. In most browsers, if you access a site over the secure HTTPS protocol, a padlock icon appears in the address bar. So this tip treats the verified-account icon the same way you might treat the secure-website icon. Note that the padlock only means the connection to the domain shown is encrypted and the certificate matches that domain; it says nothing about whether the site itself is honest, and phishing sites routinely have valid certificates.
|}
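The "Use special characters like & and %" row above argues that these characters are only "special" when the application handles passwords badly. The following added example (not code from the comic or this page) puts a deliberately vulnerable login next to a correct one, using Python's standard-library <code>sqlite3</code> with an in-memory database. The account name and passwords are constructed for the demonstration.

```python
"""Added example: why & and % are harmless in a password when the code is
correct, and dangerous when it is not. The user and passwords are made up.
"""
import hashlib
import hmac
import os
import sqlite3

USER = "alice"                 # constructed sample account
PASSWORD = "Tr0ub4dor&3%"      # contains both characters from the tip


def make_db() -> sqlite3.Connection:
    """In-memory database: a salted-hash table for the correct login and a
    plaintext table for the deliberately bad one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    conn.execute("CREATE TABLE legacy (name TEXT PRIMARY KEY, password TEXT)")
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 over the raw bytes: & and % are just bytes here.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(conn: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (name, salt, hash_password(password, salt)))
    # Plaintext storage only exists here to feed the vulnerable function.
    conn.execute("INSERT INTO legacy VALUES (?, ?)", (name, password))


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Correct: bound parameter for the lookup, hash compared in constant time.
    No character in the password ever reaches the SQL parser."""
    row = conn.execute("SELECT salt, hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def login_legacy(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Deliberately vulnerable: string concatenation plus LIKE, the kind of
    code that makes % look 'special'. A lone % matches every password, and a
    single quote breaks the statement entirely."""
    sql = ("SELECT 1 FROM legacy WHERE name = '" + name
           + "' AND password LIKE '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def demo() -> dict:
    """Run both logins against the same account and report what each accepts."""
    conn = make_db()
    register(conn, USER, PASSWORD)
    try:
        login_legacy(conn, USER, "o'hara")
        quote_crashes = False
    except sqlite3.OperationalError:      # malformed SQL from the quote
        quote_crashes = True
    return {
        "param_correct": login_parameterized(conn, USER, PASSWORD),
        "param_wildcard": login_parameterized(conn, USER, "%"),
        "legacy_correct": login_legacy(conn, USER, PASSWORD),
        "legacy_wildcard": login_legacy(conn, USER, "%"),
        "legacy_quote_crashes": quote_crashes,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable function accepts "%" as the password for any account because the attacker's input is interpreted as a LIKE pattern, and it throws an error on a single quote because the input is spliced into the statement text; both are the same bug, and a site that "fixes" it by banning & and % from passwords has left the underlying injection in place. The parameterized version treats the password as data throughout, so the only thing that matters is the hash.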
==Transcript==
:Ponytail: We've been trying for decades to give people good security advice.
:Ponytail: But in retrospect, lots of the tips actually made things worse.
:Cueball: Maybe we should try to give ''bad'' advice?
:Ponytail: I guess it's worth a shot.
:Security tips
:(Print out this list and keep it in your bank safe deposit box.)
* Don't click links to websites
* Put strange USB drives in a bag of rice overnight
* Use special characters like & and %
* Only read content published through Tor.com
* Use a burner's phone
* Get an SSL certificate and store it in a safe place
{{comic discussion}}