Editing 1820: Security Advice

{{comic
| number    = 1820
| date      = April 5, 2017
| title     = Security Advice
| image     = security_advice.png
| titletext = Never give your password or bank account number to anyone who doesn't have a blue check mark next to their name.
}}

==Explanation==
The comic depicts a conversation between [[Cueball]] and [[Ponytail]], discussing the fact that giving people security advice in the past has failed to improve their internet security, and in some cases even made things worse.  One such example is telling people to create complicated passwords containing numbers and symbols, which not only made the passwords harder to remember (leading people to create huge security risks by [https://arstechnica.com/security/2015/04/hacked-french-network-exposed-its-own-passwords-during-tv-interview/ leaving post-it notes with their passwords on their computer monitor]), but did not actually make those passwords harder to crack (see [[936: Password Strength]]).

As a result, Cueball suggests using {{w|reverse psychology}} and give out bad advice instead, in hopes of achieving a positive effect. The last panel contains a list with 13 security tips, which are parodies of actual security tips. The title text is just one more tip. See [[#Security tips|table]] below for explanations for all 14 tips.

This comic is yet another [[:Category:Tips|tips comic]].

===Security tips===
{| class="wikitable"
!Security Tip
!Explanation
|- id="tip0"
|Print out this list and keep it in your bank safe deposit box (header)
|This is a standard recommendation for documents that must be kept secure because they are irreplaceable and/or contain sensitive information. However this list itself is easily replaceable and the contents will be well-known, so storing it in a safe place is totally unnecessary.  Putting it in a {{w|safe deposit box}} would even be counterproductive since the list can only serve its purpose as a ready reminder if it's easily accessible to everyone. So when people fail to follow this tip, they may end of keeping it in a place where they have easy access to the tips so they may also fail to follow all the others.
|- id="tip1"
|Don't click links to websites
|The usual tip is "Don't click on ''suspicious'' website links" or "Don't click any links in suspicious emails". The comic's variation instead tells users not to click on any links to any websites, which essentially stops them from using the World Wide Web altogether. So this tip is not really helping, as the opposite of this would be to click on all links.
|- id="tip2"
|Use prime numbers in your password
|It is usually recommended that one uses numbers in one's password, to increase its entropy, making it harder to find with a {{w|Brute-force attack|brute force}} attack. In contrast the comic suggests using {{w|prime numbers}} in one's password. Large prime numbers are an essential part of modern cryptography and security systems, when used in algorithms that are computed by machines.  They don't have any effect when used by humans in passwords, except for maybe making it harder to remember. In addition, if people were to regularly use prime numbers in their passwords, it would actually make passwords ''easier'' to guess, as it would substantially reduce the number of possible passwords people may choose from.
|- id="tip3"
|Change your password manager monthly
|It is often recommended to change passwords on a regular basis and to use a {{w|password manager}}. Password managers are programs which can help users create, store, and change their passwords easily and securely. Changing password managers monthly would involve copying all stored passwords from one manager to another, which would be quite impractical and has no security benefit.
|- id="tip4"
|Hold your breath while crossing the border
|At some border crossings, government agents may search computers, cell phones, and other electronic devices.  The usual advice for such situations ranges from asserting your rights to resetting all devices and deleting all data prior to crossing a border.  Holding one's breath can potentially prevent inhaling germs or poisons in some situations, though useless in the context of computer security.  These two topics mixed in the same advice won't achieve anything, but if you hold your breath for too long you could pass out when crossing, or look stressed/suspicious and invite even more scrutiny. This could also be a reference to the superstition of holding one's breath when passing a graveyard, or similarly to the movie {{w|Spirited Away}}, where the main character is instructed to hold her breath while crossing the bridge that acts as the border between the human and spirit world. In any case, holding one's breath while browsing the Internet would have no useful effect, supernatural or otherwise.
|- id="tip5"
|Install a secure font
|A real tip might be "Install a secure browser" especially when many people used {{w|Internet Explorer 6}}. Secure fonts do exist and are designed to make checks difficult to alter, but using one on a computer would not help one's internet security. May also refer to Google Chrome [https://www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme "Install missing font"] malware.
|- id="tip6"
|Use a 2-factor smoke detector
|{{w|Multi-factor authentication|Two factor authentication}} describes the practice of using two different identification factors (such as a password and a code from a secure token) to authenticate the user. A two factor smoke detector presumably uses two or more factors to identify ''smoke'' (such as {{w|Smoke_detector#Ionization|ionization}} and {{w|Smoke_detector#Photoelectric|photoelectric}}). Such devices [https://alarmspecs.com actually exist], but, while improving the user's general safety, they do nothing to improve their internet security.

Also, the logic behind using two-factor authentication is that '''both''' types of credentials must match to grant access. Smoke detectors work otherwise - usually firing if '''any''' of the sensors detect a fire. If the smoke detector worked according to the authentication logic it will be less likely to detect smoke, effectively lessening fire safety as compared to a single sensor one.

A month before this comic the newest [[:Category:xkcd Phones|xkcd Phone]], [[1809: xkcd Phone 5]], was released with a 28-factor authentication.
|- id="tip7"
|Change your maiden name regularly
|Your maiden name is the family name with which you were born. Literally changing your maiden name, is impossible by the definition of "maiden name". A common tip is to change your passwords regularly. Some password recovery procedures ask for a security question, like "what is your {{w|Maiden and married names|maiden name}}" Maiden names and other trivia typically asked by security questions are not secret, so they are inherently insecure.

A real tip for dealing with security questions is to enter false data.
|- id="tip8"
|Put strange USB drives in a bag of rice overnight
|The usual security tip is "Don't plug strange {{w|USB flash drive|USB drives}} into your computer," because sometimes attackers leave USB devices with malicious programs lying around, hoping that people will plug them into target computers out of curiosity. This tip states that you should "put USB drives in a bag of rice overnight" which is a common technique for drying out water-damaged devices, due to rice's absorbent qualities. This would not clean the drive of viruses, and unless the drive was wet (perhaps because you found it outside due to it being called "strange") it would not do anything. In [[1598: Salvage]], another attempt is made to salvage something unconventional with rice, and here it is shown that Randall considers the rice drying of a wet mobile is a myth, so this is yet another jab at the idea.
|- id="tip9"
|Use special characters like & and %
|You can use special characters to increase the entropy/strength of your password, though as describe in [[936: Password Strength]], that often leads to passwords that are hard to remember but not particularly strong.  The password context is missing here, and in everyday situations the characters & and % are not special. These two characters are often disallowed in passwords because of their relevance to {{w|SQL}} (a common database query language). If these characters were used in a password, a badly written security system using SQL could have severe bugs (and security vulnerabilities) similar to the security flaw in [[327: Exploits of a Mom]].
|- id="tip10"
|Only read content published through Tor.com
|{{w|tor (anonymity network)|Tor}} is a software solution to provide anonymity on the web for its users. The website [https://tor.com Tor.com] is the website of fantasy and sci-fi book publisher {{w|Tor Books}}, which has no relation to the Tor-network.
|- id="tip11"
|Use a burner's phone
|A play on using a {{w|Prepay mobile phone|burner phone}} (a cheap/disposable cell phone like those purchased at 7-11, often used for drug deals or other activity one might not want traced), and using the cell phone of a burner, i.e. a person who goes to the {{w|Burning Man|Burning Man festival}}.
|- id="tip12"
|Get an SSL certificate and store it in a safe place
|{{w|Transport Layer Security|SSL/TLS}} is a protocol for securing connections on the internet. To check if someone is who they claim to be, you can check the individual's {{w|Public key certificate|certificate}}. Such a certificate has to be public; storing it in a safe place makes the certificate useless. You have to store the private key that matches the certificate in a safe place, else someone could steal the identity.
|- id="tip13"
|If a border guard asks to examine your laptop, you have a legal right to challenge them to a chess game for your soul.
|This tip is a reference to the common trope [http://tvtropes.org/pmwiki/pmwiki.php/Main/ChessWithDeath Chess with Death], in which a mortal challenges a god to a game or challenge, often for their life. This version of the trope traces back to {{w|Ingmar Bergman|Ingmar Bergman's}} film {{w|The Seventh Seal}}, in which the protagonist {{w|The Seventh Seal#Synopsis|challenges Death}} to a game of chess. But instead of avoiding death, this tip suggests you have the right to do the same to get out of handing your devices over to a border guard. (This trope is also featured in [http://www.explainxkcd.com/wiki/index.php/393 393: Ultimate Game]). 

This is the second tip referring to crossing a border.
|- id="tip14"
|'''Title Text''': Never give your password or bank account number to anyone who doesn't have a blue check mark next to their name. 
|The usual security tip here is ''"only trust Twitter accounts claiming to be legitimate if they have a blue check mark next to their name"'', which means that the account is verified as legitimate. This tip suggests only giving your ''password'' to verified accounts, although you shouldn't give your password to ''any'' account. It also refers to problems especially visible in the US banking system, where there is very little security for direct account drafts, and because of that it is advised there to keep the account number as secret as possible. In contrast, in Europe giving your account number to someone is one of the most common ways to get paid.

A related tip might be ""Never give your password or bank details to a website that doesn't have a padlock icon next to the URL"". In some browsers, if you access a secure website, there will be a padlock icon in the browser indicating you've connected to a secure website using the secure https protocol.  So this tip treats the verified account icon the same way you might treat a secure website icon.
|}

==Transcript==
:[Cueball is listening to Ponytail who holds her hands out in front of her.]
:Ponytail: We've been trying for decades to give people good security advice.
:Ponytail: But in retrospect, lots of the tips actually made things worse.

:[Cueball takes his hand to his chin as Ponytail takes her arms down.]
:Cueball: Maybe we should try to give ''bad'' advice?
:Ponytail: I guess it's worth a shot.

:[Below these two panel is one large and long panel with a long list with 13 tips. The underlined heading and the bracket below it are centered above the bullet list below.]
:<big><u>Security tips</u></big>
:(Print out this list and keep it in your bank safe deposit box.)
* Don't click links to websites
* Use prime numbers in your password
* Change your password manager monthly
* Hold your breath while crossing the border
* Install a secure font
* Use a 2-factor smoke detector
* Change your maiden name regularly
* Put strange USB drives in a bag of rice overnight
* Use special characters like & and %
* Only read content published through tor.com
* Use a burner's phone
* Get an SSL certificate and store it in a safe place
* If a border guard asks to examine your laptop, you have a legal right to challenge them to a chess game for your soul.

{{comic discussion}}

[[Category:Comics featuring Cueball]]
[[Category:Comics featuring Ponytail]]
[[Category:Chess]]
[[Category:Computers]]
[[Category:Tips]]