Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
Welcome to TechStuff, a production from iHeartRadio.
Hey there, and welcome to TechStuff. I'm your host,
Jonathan Strickland. I am an executive producer with iHeartRadio
and I love all things tech. And originally I
had intended to bring you a third installment on our
(00:24):
home theater basics, but stuff got got piled up. I
had to record episodes of a couple of other podcasts,
one of which is a spooky podcast that will be
coming out later this year. Uh, can't say a whole
lot about it, except it's not twelve days of Halloween
and it's not fourteen days of Halloween somewhere in between. Anyway,
(00:48):
Because of that, I got a little bit behind. So
we're going to have a rerun today of an episode
that published on Christmas Day in two thousand nineteen. Uh,
Spend guest Shannon Morse joined the show to talk about
the dangers of public WiFi. So I hope you enjoy
this episode. Let's sit back and listen. There's a topic
(01:12):
that I really wanted to cover because as I record this,
we're in the holiday season. A lot of people are traveling,
They're going through airports, maybe you're visiting family and occasionally
you need to find a place to be elsewhere, like
maybe a coffee shop or something. That typically means we're
carrying our devices with us, and then we want to
connect to different networks. But that might not always be
(01:35):
a great idea, and so I decided I was going
to do an episode all about the best ways to
browse the Internet with privacy and safety in mind, going
from the least private and the least secure to perhaps
the most private and most secure. And then I thought, hey,
you dumb, dumb You know people who are extremely well
versed in this topic, and that's why I invited my
(01:57):
good friend, the phenomenal Shannon Morse to join this episode
to come back. So welcome back to TechStuff, Shannon.
Thank you so much. Jonathan. I'm so excited to be
back on the show. How are you doing? I'm tired.
But it's at the end of the year, so that
always happens, right like, And here's the thing, you know,
Shannon can tell you. In fact, we were just talking
(02:19):
about it before we went on to the record that
the tech journalist's life does not get easier at the
end of the year because you immediately turn around and
head off to Vegas for CES and that's where
you're gonna be in early January, as I understand it, right, Shannon, Yes,
I will. I'll be there all week covering everything over
(02:41):
on my channel, so make sure to link everybody to
my channel later, absolutely, because I ain't going folks. So
Shannon's your your your destination for finding all the really
cool stuff. And uh, Shannon, I can say from experience
because I've watched her work does amazing work. Not just
at CES, but we were, but particularly like under
(03:01):
a high stress situation like CES, certain people
can light up under the camera. And uh, I'm frankly
envious of your ability to do so. So um, that's
me being nice. Yeah, well, I mean I could be
more catty about it, but I'm gonna be nice. The
catty would be like, how dare she? How dare she
(03:22):
show me up? But no, we're gonna talk about browsing safely.
So the first thing I wanted to do before we
get into the spectrum of browsing the Internet, because you
could argue that there's like the least safe, secure, naive
way to do it to what is perhaps the most
(03:42):
secure but not perfect. There's no perfect solution spoiler alert.
Before we get into any of that, I wanted to
talk about some stats, and these come from a few
different sources. Uh. One was a survey that was conducted
by One World Identity back in about public WiFi.
So this was just asking people about their perception and
(04:03):
their use of public WiFi. And Shannon, I kind of
wanted to get your reaction to this because being someone
who has been so entrenched in data security in the
hacker culture in you know, everything from how do we
make these systems more secure, to the white hat approach
of how do we find any vulnerability so that they
(04:23):
can be patched, to even the black hat culture where
people are exploiting this for their own gain. I wanted
to see what you thought about these stats. So the
first one was they asked a question to people in
the United States, in Germany and in France, and the
question they asked was do you ever use unsecured public
(04:44):
WiFi networks? In the United States, so nearly half said,
you know, if there's no other option, sure, I'll do it.
Thirty two percent actually said I prefer using public WiFi
to using my cellular plan. Uh, presumably because they
would not be billed for data usage right because they're
(05:05):
using WiFi instead of their cell data only said they
never did it. One percent said they do it, but
only with a VPN. But we'll cover VPNs a little
bit later. So, Shannon, you've you've talked with hackers. What
do you think their reaction initially would be hearing that
nearly fifty of people in the United States said yeah,
(05:25):
you know, if there's no other connection, I'll I'll connect
to public WiFi, and another thirty two percent and I said, oh, heck, yeah,
sign me up. Well, I'm definitely in the one percent
of only with a VPN, and and that's assuming that
I have absolutely no other option. So I'm kind of
a mix of the and the one percent, but only
(05:47):
only if I have a VPN. Um, I would
say from my experience, all of my friends would probably
not be surprised by the tent that prefer public WiFi
over their cellular plans, specifically because of what you said,
they'll be able to save money, especially if they don't
have an unlimited plan through their mobile carriers. So in
(06:07):
that way, it makes sense, uh that say yes, if
there's no other option, there's always another option. Come on, folks,
what are you doing? Where are you at? Yeah? I
mean we we have such good cellular coverage now there's
always another option, even if you just have three G
like that's manageable for most tasks. So what what are
(06:28):
they doing? I'm just, my jaw, my jaw kind of
dropped a little bit when I heard that number. I
just thought it was I thought that I'm doing a
much better job of educating people about the importance of
not using public WiFi, and apparently I'm not doing my
job as well as I should have been, or or
the people who are already kind of hip to it
are the ones watching you, going yeah, she gets it,
(06:51):
she knows, and the people who need to see it
are like what's on The Masked Singer today or whatever?
You know, Like so, yeah, I I look at this
and I think, man if I were a black hat,
I would just be doing the Mr. Burns "excellent." Just
you're over and over again just drooling at that opportunity,
because you know, public WiFi is definitely the most dangerous
(07:16):
option you can pick when you're talking about protecting your
own privacy and security, especially if you're not doing something
like using a VPN. Uh, spoiler alert, we'll talk more
about that in a second. And so knowing that you're
your opportunity for targets is so vast has got to
be incredibly encouraging to someone who is ready to exploit that.
(07:40):
And that's really, you know, that's what we're trying to
protect everyone against, is you know, it's the likelihood of
you running into these situations is not necessarily high on
a day to day basis, but the opportunity is so
huge that you need to take it into account no
matter where you happen to be. So you you want
to make yourself the hard target. You want to be
(08:00):
the person that makes people work really hard to get
access to your data. You don't want to be the
easy target, because the easier target you are, the more
often you're going to be targeted. You don't want that. No, no,
And I was actually talking to a co worker today
and I said, honestly, when you look at data security,
even when you're talking like you always get naysayers who
(08:22):
will say, oh, sure you can use this, but it
doesn't protect you against everything, And they may technically be right,
but my answer is the harder you make it. Effectively,
what that means is you're making it more expensive for
someone to successfully target you. So if you price yourself
out where it would cost them more to break your security,
(08:42):
than they would get from whatever they took from you.
You win, because no one's going to lose money on that.
Uh exactly. It's when you've made it so convenient that
it's like it's like it's like when someone says about
a sale, I would lose money if I didn't buy that.
That's when you're in Yeah, yes, exactly, it's they're looking
(09:03):
for the bargain deal. And a lot of times when
a black hat is looking at public WiFi as a
way to access information, they're intending to profit off
of that information, whether by stealing an idea, identity, or
reselling that data on the black market, like on the
dark web. So making yourself the hard target is absolutely
(09:24):
crucial to helping to protect you. Yeah. And and just
so that you guys out there know, I mean I
mentioned the United States numbers. It's not like Germany and
France were shining examples of data privacy and security among
the public. In Germany, in fact, of respondents said they'd
used unsecured, unsecured public WiFi over their cellular data, So
(09:47):
it was even a larger percentage than the United States.
And the United States it was that it said, oh yeah,
I've got a choice, I'll use public over my cellular data.
In Germany it was fort um and and said they
would use it if they could not get a cellular option.
And then in France it was closer to what the
United States said, said they preferred using public WiFi to
(10:10):
using their cellular data, and forty percent said they'd used
it if they couldn't get any other option. So again
that mirrored very closely what the folks in the United
States said. So this is a trend that goes beyond
the US. I know that because I'm centered in the US,
I often get very US centric, And I also tend
to harp on how American citizens in particular seemed to
(10:34):
come across to me as being security illiterate for in
a in large part, I mean, I just see it
all the time, But I don't know if it's not
exactly reassuring to see that that way in other parts
of the world. That doesn't fill me with confidence. I
think a lot of times people either don't know where
to look for the information, for accessible information that's that
(10:57):
that's explained in a way that is it's scary, or
doesn't you know, create create emotions of paranoia or just
close people down so that they just get lose interest in security. Uh.
And you also have a lot of folks out there
that just don't care. But I think a lot of
people do care, they just don't know where to look
for this kind of information. So I'm glad that you, Jonathan,
(11:21):
as well as myself on my channel, we're putting that
information out there in a way that's easy to understand,
and I'm hoping that even if it just helps one
person understand a little bit better security and privacy, hopefully
we change that percentage over time. Absolutely, I agree. I think, uh,
it can be one of those situations where you get
overwhelmed by the scope of something. And when you get overwhelmed,
(11:46):
it's almost like there's a defense mechanism in your brain, right,
It's like this is too hard, so I can't worry
about it. And I have seen this in action when
trying to tell people about like password managers, for example,
and lead shut down. They have no interest. They get
glassy eyed, and they just say, well, I don't see
what the point is on I try to explain the point.
But as after that point, it's just it's just like
(12:09):
talking through talking through the air. They just don't want
anything to do with it. And and as someone who
relies heavily on a password manager like it is, it's
it's fundamentally one of the most important tools in my
toolbox to make certain that I don't do rookie mistakes
like using the same password for multiple accounts. Right because
(12:32):
as as we'll discuss as we get into this discussion
about safely browsing the Internet, one of the big dangers
is that if you, through accident or or you're tricked
or whatever, if you somehow share your login information
for one service. Let's say that you have one service
that isn't using uh secure encryption for some reason. First
(12:54):
of all, don't do that, But if you are, if
you're using that same password anywhere else, it's like you
just handed a skeleton key to somebody, because now they
can access everything you've used that password with. I mean,
this is this is blatantly obvious. So that's why it's
so important to have unique, strong passwords for all the
different services you use. That way, if one if worst
(13:16):
case scenario one gets compromised, it doesn't compromise everything else. Yes, absolutely,
I'm glad you mentioned that because the more different things
that you use that help your security and privacy, every
single step you take absolutely helps. And that's just one
of the many steps that you can take. Every single
(13:36):
consumer in the world does not have to take all
of these steps all at once, because that would be
quite mind boggling. But if you do take steps towards
these over time, you can increase your privacy and security
two fold times fold. Yeah, it's fantastic. Yeah, I mean
and and and to be fair, like like I'm going
to be upfront guys, like I used to be the
(13:57):
dude who had like three passwords and for everything. Yeah,
I was like that for years until until I finally
like woke up to how dangerous that was. I was
fortunate in that I was never knowingly anyway targeted for
a specific like intrusion. Uh, as far as I know,
(14:18):
I never none of my stuff ever got compromised because
of that. Stuff has been compromised because of data breaches
that are beyond our control. But we're really focusing on
the stuff that we as end users can do to
improve our security as best we can knowing that we
live in a world where that's just one point of vulnerability.
That's one point of attack, but it's it's one that
we have some control over another. Another scary statistic, or
(14:42):
at least I thought it was scary, is that Kaspersky
did a UH survey back in ten and are They
did an analysis of thirty two million hot spots, hot
spots being points of contact where your device connects over
to the Internet at large, and a hot spot can
be everything from the router in a like a coffee
(15:03):
shop to your own cell phone you might be using
that as a portable hot spot. Out of the thirty
two million hot spots they examined, one quarter of them
had no encryption in use at all, meaning everything is
being sent in plain text, which means that if anyone
has any method of eavesdropping on those communications, they see
(15:25):
it all, which again blows my mind that there would
be that many networks that have no encryption in place
at all, not even bad encryption. Yeah, that's a very
scary number. That's extremely high and is a lot higher
than what I thought it would be. UH. If if
(15:45):
they're not using any sort of encryption whatsoever, for a
hot spot. That means that anybody within that vicinity, within
range of that device would be able to see everything
you're doing. It's very, very mind boggling, and this is
one of the reasons why I wanted to have you
on the show because we say these things, right, we
(16:06):
say that when you use public WiFi, you're using if
you're using an unsecured public WiFi hot spot, especially one
that is unencrypted, that you are in danger of this.
And a lot of people say, all right, but exactly
what's going on? Right? How are they doing this? And
it's that there are various pieces of software out there
(16:26):
that allow people who are who get onto a network
to monitor traffic that's going across that network. I mean,
there are entire groups out there that make different software and
hardware uh solutions to do just this. Right. Yeah, not
gonna lie. Um. I used to solder and sell some
(16:48):
of these products at a company that I used to
work with called Hak5. So I'll definitely share some
of that information once we get closer to those those
topics with today's discussion. But yeah, those products exist, They're
very inexpensive, and some of the software is free, and
there's tutorials made by yours truly on YouTube that show
you how to use these things. It's definitely a thing
(17:12):
that pretty much anybody can introduce themselves to and then
they will be able to see what's going on on
a network. And there are different reasons to even do this.
There's obviously there's the nefarious ones that we're concerned about,
but there's also like if you're a network administrator, being
able to do things like monitor network traffic and see
points of congestion education as well. Yeah, there's like there's
(17:36):
there are legit reasons to use that sort of technology
that don't that don't immediately point to to the to
the road of I'm here to steal all your infos.
It's like there's stuff that where this is used in
quote unquote legitimate purposes. I mean like packet sniffers. That's
something that sounds like it's underhanded and shady, but they
(17:56):
were invented not to try and sniff out what someone
else was doing, but literally to help network administrators see
how network how network traffic was moving across so that
they could make sure that everything was working properly. So
but it doesn't mean that you can't think a tool.
A tool is either a tool or a weapon, depending
upon how you want to use it. And so the
(18:18):
same stuff that was used to help networks is also
used to exploit them. Um, exactly, you could say the
same thing about a kitchen knife. I mean kitchen knives
to to you know, cut up fruits and veggies. Some
nefarious people might use one to murder somebody. Pardon me.
But I used the exact same sort of analogy except
(18:38):
when I was talking to someone earlier today. But it
was a hammer. But same thing, Like a hammer is
either something that you're using to to build stuff with
or it could be used to bludgeon somebody. And it
all comes down to it's not that the tool itself
is bad, it's the intent and use of the person
wielding that tool. And the same is true of technology.
(18:58):
Uh So, one other stat that I wanted to mention
that's pretty alarming. Norton found out this was in so
it's a few years ago, but Americans had had their
email hacked at some point, and that twelve percent had
their financial data stolen while they were shopping online, and
that in four million people globally had been a victim
(19:23):
of some sort of cyber crime, and that kind of
shows us the scale of why this is an important topic.
It's not just because the opportunity is there, it's because
people are actually actively taking advantage of those opportunities, and
you could be the victim of one of those actions
if you're not careful. And we love you absolutely, we
(19:46):
do love you very much. I'm kind of I'm kind
of thinking that all of those numbers have probably increased
given that it's been about four years since they were
they analyzed the data and had those those statistics available,
because in the past couple of years we've seen hacks
go from a few hundred million people to almost a
(20:08):
billion people get hacked online. So it's entirely possible that
those numbers have increased quite a bit since, especially in
the realm of the mobile app becoming king right, because
there's there's such a proliferation of apps out there that
either through a conscious effort, are creating vulnerabilities or because
(20:31):
of poor design, create vulnerabilities that can later be exploited.
You know, we've seen so many examples of that where
an API didn't take everything into account and
then someone was able to exploit it, famous one being
Facebook and Cambridge Analytica, where you had an app that
if you installed the app, like you would voluntarily install
(20:53):
it within your Facebook and you're voluntarily sharing your
own information. All of that is fine, right if you've
agreed to do it such a good not a good idea,
such a good example, good example, Yeah, good example, not
a good idea to do. But it's fine if you
if you are knowingly doing that, that's fine. But the
problem that the Cambridge Analytica story brought to bear is that
(21:14):
they took advantage of a loophole in Facebook's API and
they were able to to phish out a ton of
information about all the contacts of the people who had
installed the app. These are people who did not, uh,
you know, give permission to share their information, but the
app collected all that information regardless. And that's where we see, like,
(21:36):
you know, there were countless victims of this app because
none of them opted in to share that information. It
was just taken from them. And uh, that's just one
little example of the world we live in where you know,
even when you are being careful, there are there are
these opportunities for your information to get out there, which
(21:58):
is why we're like this is why you need to
take the steps necessary to protect yourself as best you can,
because we live in a world where there are numerous
attack vectors that point back to us. All right, I
mean just mid December, the New York Times discussed location
tracking on phones and how ping pings to local towers
(22:20):
can basically give you a map of a certain phone
ID and you can track that and figure out
who that phone belongs to based on what residence and
what office they go to every day. It's extremely scary,
and the more information we have about it as consumers,
the better we can protect ourselves. Yeah, and again, like, uh,
back to what you were just saying, Shannon, Facebook sent
(22:43):
a letter to Congress just a couple of days before
we record this episode where they said, yeah, even if
you opted out of location tracking, we actually know where
you are, partly because of the information people are voluntarily sharing.
Like if I tag If I take a photo while
I'm at a party and I tagged the location and
(23:04):
I tag people are in the photo, well, I'm voluntarily
sharing a lot of information. Maybe those people haven't given
me permission to do that, but I'm I'm sharing the information.
So yeah, of course, Facebook knows where I am, when
I when I'm there, and who I'm with because I
shared the information. But they also admitted, yeah, we also
use a lot of other methods where we can suss
out where you were and who you were with at
(23:27):
what time that aren't as obvious and aren't examples of
the user voluntarily handing over information. So yeah, scary stuff. Um.
One of the things I wanted to mention is sort
of the bird's eye view of the process of what
it's like just connecting to WiFi, so we can kind
of understand, uh, you know, what's going on, because I
(23:50):
think a lot of people if they think that if
they see that, for example, that there's a WiFi hotspot
that requires a password, they immediately think that that is
inherently more secure than a public WiFi spot that
has no password, which is not necessarily true. Um. So
connecting to WiFi is really you can think of it
as a series of handshakes between whatever device you're using
(24:13):
and the hot spot, whether it's a router or something else.
And this series of handshakes is not meant to secure
the data. It's not meant to encrypt a channel necessarily,
it's not meant to protect it. What it's meant to do
is to identify the device and the hot spot so
that they know where the data needs to go. Right. Otherwise,
(24:34):
if if we all connected to a public WiFi hot
spot and there wasn't this handshake thing going on, it
would be as if we were all listening to an
open broadcast of everything all at once, and it would
just be meaningless garbage and we would just get we
would just get everyone's data simultaneously, and we're like, I
don't even I don't know what this we could I
(24:54):
don't think it would go well. But so this was
this was literally the solution into that problem. Like, you know,
if you're using wired connections, that's one thing, right, you
can wire things to specific ports, you have physical hardware.
When you go wireless, you have to create a virtual
version of that. That's sort of what the handshake process is for.
It's saying, hey, there's this device that wants to connect
(25:16):
to the network. The network says, okay, I'm giving you permission.
The device says, okay, this is who I am, and
the network device says, all right, I I see who you are,
and now we can send information back and forth. You
can send requests out to the internet. I'll go out
and grab whatever it is you wanted, and I'll return
it just to you. That's the idea. That's actually a
great explanation without using any of the terminology. So I
(25:38):
thank you for the doing that. Yeah, I tried. I tried.
At one point I had a spoiler alert or well
not even spoiler, look behind the curtain, folks. I had
originally started this episode as a solo show, and that's
when it struck me that it would be way easier
if I brought Shannon on, because she's much smarter than
I am. And so as I was doing it, I
was trying to describe this process, and I think I
(26:00):
went through two or three drafts when I said, you
know what, I can just step back and not get
so technical, because the technical parts aren't really what's important.
What's important is just sort of understanding the concept of
the process and why it is not inherently tied to
security and privacy. It's inherently tied to just what does
it take so that you can have these two devices
(26:22):
communicate with one another and not have them confused with
all the other devices that hook into the same network.
And once I figured that out, was like, I'm going
to go with that because I'm tired of trying to
figure out how to explain this handshake process. Um, it
totally works. I mean I like the handshake terminology because
it is kind of like that, like in person, whenever
(26:43):
you meet somebody, you acknowledge each other, you shake each
other's hands, you kind of authenticate each other by name
and by face. And that's very similar to what a
router does with a device like your smartphone or a laptop.
It's basically doing the same thing where you're you're looking
for somebody to introduce yourself to. You go in, you
(27:05):
acknowledge each other, you shake hands with each other, you
kind of authenticate each other by name, and then you
have that connection. Yeah, and you have that connection forever
until you break it off. Yes, And if if you're
at CES, it probably also requires you to hand
over a business card because that's like, yeah, most likely
that's that's the current I guess that would be your password, right, yeah,
(27:25):
I guess so yeah. All right, Well when we come back,
we're going to talk about the how how information is
sent through packets, just so that we can understand why
did that packet sniffing thing mean earlier. But first let's
take a quick break to thank our sponsor. Shannon and
I have a lot more to say about the dangers
of public WiFi, but first let's take a quick break.
(27:55):
All right, then we're back. So I promised that we
were going to talk about packets. Packets is a pretty
simple concept. So a packet switching network. You've probably heard
that term before, uh the Internet. When the pioneers of
the Internet were sort of designing this thing, they thought, well,
how do we make it so that information can be
sent from one computer to another in such a way
(28:18):
that if something happens, the information can continue to make
its way to its destination even if there's some sort
of interruption. And if it were just an uninterrupted string
of data and there was an interruption, then you would
have a corrupt file or you know, things would not
work right. You wouldn't get what you were wanting. So
they said, what if we bundled data into uh certain sizes,
(28:41):
We'll call it packets. The packets will have information on
them that will tell the data where it needs to go,
where it came from, and how it fits within all
the other packets. To make whatever the thing is. And
since we're talking about the Internet, let's be honest, chances
are it's a picture of a cat. So that cat
picture is going to be a lot of different data packets,
(29:02):
and they have to put the packets together kind of
like a puzzle in order to recreate that image of
a cat. So that's that's what a packet is. Well,
the packet because it has that information on it about
where it's going and where it's from. That's what we
would call metadata, right, It's the data about the data,
or it's data that somehow describes the data that's inside.
And um and I always always try and say that
(29:24):
the packets on the other side get reassembled Willy Wonka
style like Mike TV when he goes across the camera. Um.
I like that. Yeah, I mean it's a it's a
nice way of putting it, especially since I mean that's
one of my favorite films of all time, the Gene
Wilder version of the, not the, not the Johnny Depp version.
So that's where we get the words for packets. So
(29:45):
a packet sniffer, as we mentioned earlier, can be software,
it can be hardware, it can be a combination of
the two. That is meant to sort of check out
the packets that are being sent across a network, uh,
and get an idea of what's going on there. And
one of the things someone can do if they have
a packet sniffer and they know how to do it,
(30:07):
is they can look for packets that represent essentially an
unencrypted cookie or a session key, And this is essentially
where a user has sent a request to log into
a service of some sort, uh, and if the hacker
is able to sniff out that cookie, they might be
able to step in and pose as that user and
(30:30):
thus get access to the user's account or services. Um,
and this is sometimes referred to as sidejacking. I
learned a lot of hacker slang while I was doing
the research. This. I'm so proud of you. I'm not
good at using it, but I learned it. It's okay.
You could go to DEF CON next year and totally fit in. Yeah,
(30:51):
except I would be like, all right, well, I'm gonna
leave all of my devices at home. Another great idea
DEF CON, for those who do not know, is an
information security and hacking convention where if you aren't careful,
they will let you know about it. Oh yeah, they do.
Usually they're nice about it, and you just end up
(31:12):
on this thing called the wall of shame. But luckily
generally people don't nefariously hack each other there. It's just
kind of to pop your name up on a wall
of shame and that's about it. Yeah, essentially, essentially they're saying, hey,
you need to have a heads up, like whatever you're
doing is not sufficient. Yeah, it's it's really more like
(31:32):
it's really more like saying like, listen, we want you
to be safe, and right now you're not being safe.
So but but yeah, but still there's also the shame factor.
And the more the more known you are in the sphere,
I imagine, the greater the shame would be to appear
on that wall. Oh yeah, definitely. So this was never
(31:53):
been on the wall of shame, and I hope I
never congratulations. Yeah, I've never been on the wall of
shame either, but that's because I haven't gone. I am
certain I would end up doing something bone headed and
mess up. So you were talking earlier about how you
have actually actively worked on technologies that do this this
packet sniffing uh approach. Yes, yes, I have. I used
(32:14):
to work at a company called Hak5. I still
do shows on that channel, Hak5, and our
our premise for that channel is educating people who are
interested in security and privacy and might want to go
into information technology or penetration testing or infosec info security
(32:34):
as a profession. So we teach young hackers how to
legally use their talents to actually get a job that
will help them spur the economy, help them protect companies,
and help them really get involved with their passion. Um. So,
one of the products that we created is something called
(32:55):
the WiFi Pineapple. It's a little hardware device. It's
basically a router, but the software that's built into
the WiFi Pineapple allows us to do things like get
people to connect to a WiFi Pineapple as opposed to
a regular router and allow us to sniff packets just
like you were saying. Um. The the product has been
(33:19):
around for half a decade at this point. No, actually
it's been almost a decade. Wow, I can't believe it's
been so long. But we've gone through various revisions of it,
and as security has gotten stronger, there's always been new
vulnerabilities available in wireless network technology, so we've always been
able to update the WiFi Pineapple to continue to educate
(33:40):
people why it's still a good idea to not connect
to public WiFi or open hotspots. And uh, it's been
a wonderful education tool since we can use it as
this kind of man in the middle attack for for
you know, helping people understand and I mean, like the
(34:02):
thing that I see people sometimes and I know you've
seen it sometimes protests they're like, why are you making
this thing? And the argument I would make to them,
and I'm sure it's an argument that you guys have
made numerous times, is you know that people who have
bad intentions are making stuff like this already. They're they're
they're doing it all the time. They're doing and they're
(34:24):
not talking about it. They're not upfront about it because
they want to take advantage of it. The reason why
you guys do it is to raise awareness, to teach
people how it works, and presumably they can then take
that knowledge and better protect whatever their future clients might
be if they end up working as a white hat hacker.
And yeah, straight up, people have made their own WiFi
(34:46):
pineapples using you know, different types of hardware and different
kind of software that they've made their own, but our
our products are, well, Hak5's products are listed in NIST,
which is the National Institute of Standards and Technologies as
a wireless penetration testing device. So a lot of companies
see it as a professional tool and they get their
(35:09):
employees to purchase these items to use and make sure
that their networks are protected. Because as much as you
could use a WiFi Pineapple to hack somebody, you can
also use it to protect yourself because you're still doing
the same kind of tracking on your known network. So
if I had a WiFi Pineapple on a company's network
that I'm legally have access to as since that's my profession,
(35:33):
for example, hypothetically, uh, then I could see what employees
are doing on that network. So if somebody is visiting
Facebook when they shouldn't be, I could see that and
I could tell them, hey, you need to, you know,
cut that off or you're going to get written up.
Or if there was an attacker trying to gain access
to a wireless network, I would be able to see
those packets because they would not be what I normally see,
(35:54):
and I would be able to protect my network because
I could blacklist them then, So there's so many different
ways that you can use these tools, not just nefariously
like you had mentioned, but in like these amazing ways
that help protect so much more than just companies but
also the employees that are working there as well. Yeah. Yeah,
and that. And I've always been the type to say,
(36:15):
if if someone's outwardly talking about what their technology can do,
then those are the people you should trust. It's the
ones who aren't talking that you have to worry about.
So yeah, it's the same thing for me when people
are talking about security vulnerabilities that they found in systems,
where they might come forward and say, yeah, I reported
this like three months ago, the company still hasn't done
(36:37):
anything about it. The only reason I'm coming forward is
because that puts the pressure on the company to definitely
make a change, because that vulnerability exists, whether they talk
about it or not. Now they have to do something
because the public knows about it, and and they're I'm
I'm fully on board with that too. I mean, I
think that you always give the entity the chance to
address it, but if they haven't shown any movement towards that,
(37:02):
I think it's the responsibility of someone who's found a
vulnerability to come forward with it, because otherwise it's just
it's just a ticking time bomb. Someone's going to take
advantage of it, and then it becomes a problem far
bigger than coming forward and saying, hey, guys, need to
fix your stuff. And it's it's not just you know,
devices like the WiFi Pineapple, but as we had mentioned,
(37:24):
it's also software that's involved too that can do very
similar type of tracking on networks. There's a technology called
Wireshark, which I'll bring up not just because you know,
I have no financial responsibility via Hak5. So like
if if you know, somebody purchases a WiFi Pineapple when
they hear this talk, I don't get anything from that,
(37:46):
no compensation whatsoever. I just do a show on that channel,
So don't worry. I'm not. I don't get referrals or anything.
But there's also software like Wireshark, which is a
free service online that anybody can download and that allows
you to do packet sniffing. I've used it to test
my own home network and make sure that my smart
coot devices are secure and they're encrypted, and that has luckily, luckily,
(38:11):
all of my devices are you know, totally secure, which
is wonderful. But back in the day when I first
started using Wireshark, I discovered that when I was
using Instagram on my phone, I could see links to
the pictures that I was liking as I liked them,
So as I gave them the little hearts, uh, it
would pull up a little HTTP link and I could
(38:33):
click on that through Wireshark, and I could see
exactly which pictures I was liking, which was so creepy.
I mean, definitely something that you should be aware of
is what kind of data is being passed through with
no encryption whatsoever, and what kind of data is being
encrypted too. Yeah, totally, and you means crazy. You mentioned
(38:53):
the man in the middle attack. That's that's kind of
another step up, where you have a hacker that sets
their machine in between a user and some other computer
that might be a router. So you might actually have
a man in the middle attack where someone, say,
at the coffee shop, and they set up uh their
computer so that it appears to be the coffee shop's network.
(39:17):
There's actually ways where you can force a reboot of
a system and then pose as that system so that
when it does reboot, you are effectively a middleman. In
that relationship, and meanwhile you see all the stuff that
goes across that because your computer is acting as the
network spot for where where everybody's connecting through. Uh So
(39:38):
that's that's one way, But there's also ways of doing
a man in the middle attack between a like
a client and an actual service, like you know, directing
people to fake bank log in pages and things of
that nature. UM So those are things you also have
to be aware of. Although that can happen pretty much
in every scenario we're going to talk about. That requires
(40:00):
you to pay close attention to what you are doing
as you're browsing. Um And I mentioned earlier about the
idea that if you are using public WiFi that is
password protected, Let's say you're at a coffee shop where yeah,
you can log into their their WiFi, but you have
to first go up to the cash register and find
out what the password is, and then you find that
out and you log in. Some people feel like that
(40:22):
gives them that extra layer of security. Honestly, that doesn't
because there's nothing stopping a hacker going into that same
coffee shop getting that same password and like that. It
doesn't add any like by itself. It doesn't add any
extra security. It just is one extra little step. Yeah,
it's true. Uh yeah, anybody even in the vicinity, if
(40:44):
they've ever had access to that wireless password and the
coffee shop, for example, has never changed the password, like
they could easily get access again with a long range
antenna on the other side of a parking lot and
be able to sniff what everybody in that coffee shop
is doing. So yeah, I don't even use coffee shop
(41:04):
WiFi or airport WiFi if we want to use that example,
those even trustworthy exactly, and I think that those are
perfect examples, especially as people are traveling a lot for
the holidays. Like that's where I think of seeing people
whipping out their computers the most is airports and coffee shops.
That's it. Um. But yeah, if you have an encrypted network,
(41:29):
that's better. It's again like this is another step where
we're getting into uh more secure area. And we'll talk
about different types of encryption in a second, but before
we get to that, there's actually also a difference in
the types of browsers, right. Different browsers offer different levels
of features that either uh enable security and privacy or
(41:55):
they make it really difficult to protect, so on the
bad end of the scale is Internet Explorer for
multiple reasons. It was never the best browser when it
comes to security and privacy, but it's really not great
now because Microsoft no longer actively supports it. UM. They
will push out a security update on occasion, but it's
(42:19):
not frequent, which means that there are a lot more
opportunities for people to discover and exploit vulnerabilities and and
be fairly sure that those vulnerabilities will stick around for
a while. So it's not even like a rush because
Microsoft isn't updating it that frequently with security patches, So
(42:40):
that's a bad one. Don't use it. Microsoft Microsoft Edge
only slightly better than the completely unsupported Internet Explorer UM,
at least as far as privacy is concerned. Uh. I
use Google Chrome a lot, but admittedly Google Chrome not
great either. It's kind of on the bottom half off
of the middle of the pack. So uh, they're better
(43:03):
about security, but they are the pits when it comes
to privacy. Also not a big surprise, because I mean,
what's Google's business, right? Google owns you? Yeah, your data
is Google's That's what Google buys and sells. Like it's
your information. That's that's Google's currency. So clearly it does
(43:24):
not behoove Google to lock down privacy super tight. They want
to know all the information about you they make that's
how they make their money. UM. So, of all the
common browsers, like the ones that are frequently used out there,
the one that UH that tends to rank the highest
is Firefox, higher than Opera, higher than Chrome, higher than Safari. UM.
(43:47):
So it does really well, especially for security and privacy.
It can support a lot of features that protect you
when you're when you're surfing stuff that will end up
cutting down on things like targeted advertising because you can
really limit the information that's being shared by the sites
that you're visiting. UM And you can also enhance it
(44:09):
with various add ons that you can find, although obviously
anytime you're going to be adding anything to an existing program,
it pays to do your research to make sure that
it is offered by a reputable and dependable app developer. Yeah,
Firefox is an excellent choice UH and two fold. If
(44:33):
you download something like Firefox, you also get a very
fast browser because they have worked very hard to make
that browser quick. So even if you don't care about
the security and you just want to access your sites
really fast, you should use Firefox. Yeah, yeah, I got Firefox.
I got stuck on Chrome because for a while Chrome
was super fast and then it got super bloated. And
(44:55):
also there's the more tabs you have open in Chrome. Anyone
who's done this with Chrome knows. Even though they are
all supposed to be distinct instances that don't bleed over
into each other, Uh, there gets to be some memory
issues if you happen to be really a heavy user,
and everyone here at this company is a heavy user.
So uh, Firefox is definitely going to be my browser
(45:16):
of choice moving forward after I did this research. I also,
I should point out, before I did this research, I
did not know this. I was just a happy, blithe,
naive Chrome user handing handing over reams of personal data
to Google, which I mean, granted, I'm sure that company's
bored with me by now, but still there's some value
(45:37):
there um. And then that brings us to encryption. And
this encryption it gets this is sort of like complicated,
like the handshake thing, but encryption, when you boil it down,
is all about scrambling messages so that the only people
who can access it are the ones who have the
key to decode it, right, So you have the key
to encode and the key to decode. There are various
(46:00):
implementations of that technology, different ways to have the public
key and private key operations. I don't need to get
into all of that because it gets way too technical. Obviously,
encrypted is better than unencrypted, but not all encryption schemes
are created equal, and it pays which ones are in use.
(46:21):
So yes, that's very true. There's there's even like there's
symmetrical keys and asymmetrical keys, and then there's like SHA-1
and bcrypt and RSA. There's all
these different terminologies for encryption. But for what it's worth,
all of them jumble up your information into some kind
(46:41):
of format that will hopefully hopefully encrypted, so that anybody
who does gain access to the encrypted version of your
information will not be able to reverse engineer it or
change it back to its original plain text formats, so
they can't read it in like English speak, right, it
would just be mean less garbage to them, hopefully in
(47:02):
its ideal, ideal implementation. So one of the things that
you may have encountered if you've ever set up any
sort of wireless network. I think most people have, or
at least they've they've had to connect to one where
they've seen the different types of UH network security protocols.
These are certifications that the WiFi Security Alliance creates, and
(47:24):
the earliest one was the Wired Equivalent Privacy Protocol or
WEP. That one is decrepit, it's old,
it's vulnerable as heck, so don't use it. Yeah, if
you have the if if your router tells you, like
asks you which one you want to use, don't use
WEP. UM. It is not secure. It is it's
(47:46):
I mean, you could argue it's better than nothing, but
not by much because the vulnerabilities have been known for
a long time. In fact, so long that even before
the nineties were up, you had people developing the next generation,
which would have been the WiFi Protected Access or
WPA. So WPA came out. Then you
get WPA2, which was trying to address
(48:07):
some of the shortcomings of WPA UH. Both
of those also still have vulnerabilities. WPA2
is generally talked about as being one of the more
secure UH certifications these days. There is a WPA3
also has vulnerabilities that have pointed out within
(48:28):
the year of coming out. Yeah so, but w P I,
I don't think I've even seen a lot of stuff
that's certified WPA3 yet. Like we've we've
started to see some wireless routers come out with
WPA3, but they, they're still a little expensive
and they haven't really gotten widespread adoption by consumers quite yet.
(48:49):
So WPA2 is fine for most consumers
to use. Uh, you just have to make sure that
you set it up correctly and you don't give the
entire world access to your password for your account. Yeah that,
because then there's what what were you even thinking? There's
no point then? Yeah. So, so WPA3
(49:10):
and WPA2. All these are our designations.
And what happens is a manufacturer will make a piece
of equipment or uh either it's a computer or handset
or maybe it's a router, and then they submit it
to this WiFi Security alliance that then makes sure that
that technology meets whatever the requirements are for the particular designation.
(49:32):
Then they put the stamp on it and they say, yes,
this is WPA2 compliant or WPA3
compliant. So that just tells you that compliance
really there. It gets more granular than that. For example,
WPA2 has two different types of encryption
standards that can be used. There's the bad one. It's
(49:53):
Temporal Key Integrity Protocol or TKIP, and
I call it bad because yeah, TKIP. TKIP
is no longer safe, skip the TKIP. If you
skip the TKIP, I like that. Yeah, it's nice
mnemonic device. And then there's Advanced Encryption Standard or
AES, and that's the more secure of the two.
So don't rely on TKIP, rely on AES uh.
(50:15):
So that will end up protecting you quite a bit
as well. The encryption will end up helping a great
deal because you've just made it more difficult for someone
to get anything meaningful from your browsing activity. It does
not mean that you are immune. But again, the harder
(50:36):
you make it for somebody, the less chance they're gonna
put forth the effort to break through whatever protections you
put up. So just general note um, and then that
also brings us to secure browsing. So back in the day,
which was the Thursday, I don't know if you know
that UH, there was the the Secure Sockets Layer SSL,
(50:58):
whenever you went to a website that had the little
padlock and the lock on it and the HTTPS like
the original version of that was SSL. In fact, a
lot of people still refer to SSL, even though that
technically has been and has for a while been replaced
by the Transport Layer Security or TLS. But the same
sort of purpose it's too. It's meant to create the
(51:20):
secure channel of communication between you and a specific UH
website URL address. So if you see HTTPS
or you see that little locked padlock in the address
bar of your browser, then you know you are in
a secure channel between you know, your your device and
(51:40):
that browser, at least as far as information going between
those two points are. I mean, obviously, if you're on
a public WiFi hotspot that's unsecured, you've got other issues.
But it means that when you're browsing, you want to
make sure that that HTTPS is showing up. You don't
you don't want the HTTP, you you
want to make sure that S is there. So one
(52:03):
thing I've noticed very rarely, but it has happened on occasion,
is where a website that requires you to log in
somewhere, like their main page, their dot com address, will
be encrypted with HTTPS, but as soon as you go
over to the log in page or go through any
tree of different sites that they have created on their
(52:25):
dot com domain, all the rest of their pages are
HTTP. They are unencrypted. So if you
go to the log in page and my cat agrees
she's mewing behind me, uh, and you put in your
user name and password, those would be copied through plain text,
and if anybody was, you know, tracking or sniffing your packets,
they would be able to see that plain text user
(52:48):
name and passwords. So, for example, if my password was
my cat's name is Starbuck, and that was a plain text,
unencrypted website just using HTTP, then if somebody was sniffing
those packets, they could see that passwords show up in
their software through whatever hardware device they might be using,
and just be able to see, oh, she entered Starbuck,
(53:10):
and then they could then go to the website, type that
in and gain access to my login account information. Yeah,
and that is what we call no bueno, right like yeah, yeah,
And more and more sites are getting better about making
certain that their entire presence there is being secure,
but you can. It's actually harder and harder to find
(53:31):
examples websites doing that, so which I'm happy to see
because that makes my job harder and that means people
are listening. Uh So, I am happy to see that
less sites are doing that, but we still have issues.
There's still some out there. And then occasionally you have
browsers that will alert you if you try to navigate
to a site that is not secure. It'll give you
(53:52):
a little alert, which is good too, because you know
if the people on the website aren't being diligent and
it gives the user on the other end the heads
up of hey, you probably thought this was secure, but
turns out it's not. Maybe you want to rethink that.
Are you sure you want to go ahead? You will
probably be eaten by a grue, and then you decide
what you can do it. Um Now, when we come back,
(54:15):
we're gonna talk about one other topic before we get
into like the super secret stuff, and that is what
the heck is incognito mode for. But before we do that,
let's take another quick break. We've got some more discussion
about public WiFi and the steps you should take to
protect yourself But before we get to that, let's take
(54:35):
another break. So Shannon, I have I've gone to a
private network, right, I'm it's not maybe mine, but it's
(54:56):
a private one, not open to the public, it's encrypted,
it's password access. I've done all those wonderful things. And
then I think, you know what, I'm gonna look at
some so like your friend's house or something. Yeah, yeah, yeah,
And uh, I decided, you know what I want to do.
I wanna I'm gonna look at some I'm gonna look
at some some stuff that I don't think my friends
(55:16):
would really understand. Maybe maybe I'm gonna look into that
that My Little Pony fan fiction. Uh, and I don't
want my friends to know about it. So I'm like, well,
I'm gonna be super sneaky. I'm gonna go into incognito mode.
Now no one's ever gonna know. So I click
on that little incognito mode and little bitty shadow Man
pops up, and I'm like, oh yeah, I'm totally safe
and totally secret. Nobody knows it's me. And I start
(55:39):
looking at my brony fan fiction. Oh you know the term. Hey, look,
I wouldn't listen listen, you just give yourself away. Listen,
Princess Celestia and I have an understanding. Okay, so we
are not gonna go down that road. We're not gonna
go there. Like yeah, Fluttershy and I we're like, we're tight,
(56:00):
so we're not. It's fine, Okay, it's acceptable behavior. But no,
it is acceptable, but I don't want my friend to
know that. Now here's the sad thing folks told everybody
on the podcast. One one, whoops, I guess I should
be more secure with my data. And secondly, secondly, incognito mode,
that's not how that works. It doesn't protect you from
(56:22):
anyone who has any access to the network from seeing
what you're doing, right right, that's correct. Um. Yeah, so
incognito mode. Uh, you you've probably seen it on your
own computer. If you go up into the menu for
your regular browser and go into like the dropdown menu,
there's usually an option to choose incognito mode or like
secret mode or something like private browsing or whatever. Yeah,
(56:44):
private browsing, Yeah, that's another one. Uh So if you
click that, it opens up a completely different window on
your computer or on your phone as well. You can
do it on your phone. Uh, and you start to browse.
But basically the only thing that incognito mode is really
doing is uh not putting anything into your local history
(57:05):
for your your web browsing history, so if somebody else
got it on your computer, they would not know what
you were doing in incognito mode. Uh. And it also
doesn't store the cookies on your computer, so any information
that you were sharing with a website during your incognito
mode would not be stored afterwards. So all those cookies
(57:25):
that might have happened during a session, they'll just be
erased like you never existed. Uh. That that can actually
be very useful. For example, if you're looking for a
fun hack, if you want to save some money on
airplane flights, you can track them. You can look up
airplane flight prices in incognito mode and compare them to
(57:45):
your regular browser. And sometimes on occasion you can find
cheaper prices in incognito mode. Because it doesn't see how
much you are searching, it doesn't see how how many
websites you've gone to. Those cookies just aren't it there,
so the website is going to give you the best
price through that that private browsing mode. Uh. That's pretty
(58:07):
much like the most interesting thing that I use
incognito mode for, but it can be used to secretly
access websites without anybody else knowing that you're accessing those
websites at the time. For example, if you are a brony. Yeah,
so this works on the device level, but not the
network level. So yeah, so if my friend gets hold
(58:28):
of my phone or my computer, there would be no
record of me having gone on the brony fan fiction
community site. Uh where I post my cutie mark.
They would not be able to see that. But if
they were to look at the network traffic, they'd say, huh,
this IP address is going to this brony site
(58:49):
a lot, and it's not my computer, so it's obviously
your device and so and so this is why, like,
if you were to use let's say that you're at work,
let's hit your what the The example I like to
give is your Let's say you are stuck in a
crappy job. You're doing your job, but you're miserable and
you would really love to be able to get something else,
(59:10):
but you don't have any time outside of your job
where you can really dedicate towards things like searching for
job openings. So on your lunch break, you slip into
incognito mode and you go on a job search website. Well,
just because you're in incognito mode doesn't mean that at
the network level they can't see exactly what's going on,
So it doesn't actually protect what you're doing or how
(59:32):
you're doing it. So one thing you might want to
use incognito mode for if you're someone like me who
does a lot of research. Let's say I'm researching into
something that you know, it's it's just not my bag.
You know, it's I need to do an episode about it,
but it's not something I'm particularly interested in on a
personal level, or might even be something that I would
(59:53):
find very awkward. Let's say that I was doing an
episode about, uh, dating websites, and so I have to
do a whole bunch of research on dating websites. Well,
then I might want to use incognito mode so it
doesn't build up this cookie history that relates back to
me personally, so that maybe I log onto something like
Facebook and then suddenly all the ads are for dating sites.
(01:00:14):
That would be awkward, Right, that would be super awkward,
especially if you were married. Yes, I'm not a good thing. Yeah,
I had a similar occasion with I was looking up
pregnancy and birth information for somebody in my family. I'm
nowhere near any time soon giving you know, birth to
any children in my life except for my beautiful fur
(01:00:35):
babies that I have in my house with me. Uh
So I was looking up this information and I was
just like, do I want Twitter and Instagram to start
promoting like baby items to me or do I want
them to keep on promoting like makeup and Sailor Moon items,
which I'm actually into. So I looked up the information
about pregnancy and birth for the other person through incognito
(01:00:58):
mode so that that information wouldn't actually be tracked
and identified as a part of my online personality. So
that way I was able to keep the same ads
that I actually, you know, sometimes kind of enjoy looking
at because they do pertain to my lifestyle, but nothing
that had to do with pregnancies. Right. And and that's
(01:01:19):
a great example too, because there was that famous example
a few years ago of a retailer I want to
say it was Target, but I could be wrong, but
it was a retailer. Target, yeah. And they had identified
through the browsing history of a user that she was
pregnant because of the things she was searching for, so
they proactively sent her through the snail mail a package
(01:01:43):
of coupons for pregnancy related items, and her father was
the one who intercepted the letter the coupons, and she
had not told him that she was pregnant, and he
had assumed that Target had made this assumption and got
super mad, and then turned out that he was mad
(01:02:03):
about something that actually had happened. She just had not
She had not had the occasion, she had not found
the way to tell him. And that's awful. Uh. Yeah,
it's such a breach of privacy, to be honest, is
when they start tracking you like that and sending you information.
It's like unsolicited advertising, and I hate it. We deal
(01:02:25):
with it every single day online. Yeah, it's it's it's
even worse than unsolicited advice, Like that's bad, but unsolicited
advertising is even worse because they're like, yeah, they're so
eager to make that sale that they can overstep very easily. Well,
let's wrap up by talking about some of the more
secure ways you can browse if you have to connect him.
(01:02:47):
We mentioned this at the very top of the show,
where VPNs are virtual private networks, and we mentioned that
sort of man in the middle attack where you are
logging into a hackers machine thinking that that's a legit spot,
and then the hackers kind of relaying information and sniffing
the entire time and learning all about you. VPNs are
(01:03:07):
kind of like that, but on the legit side, where
you are logging into a remote server somewhere far away,
probably through an encrypted connection, and then when you browse,
it's as if you're browsing from the server's location, not
your personal device. So if I were to log into
a VPN and then log into a web service, the
(01:03:29):
web service would see my location as the location of
the VPN server, not my gadget that's actually in front
of me, right and not necessarily just for if you
want to look at your My Little Pony brony fanfics,
but VPNs can be extremely useful if you're trying to
access a website that's only available in select countries. So
(01:03:52):
if you choose to purchase like a consumer facing VPN product,
and there's many out there, I could make recommendations, but
they're constantly changing as far as their privacy and
security terms and policies go, So I won't make any
major recommendations here. But if you choose a VPN that
has a a UH, for example, a country facing server
(01:04:16):
that's in Japan, that means that I could download this VPN,
log into it, connect through Japan, and be able to
access a website that's only available to Japanese residences. UH.
So I I had to do that a few years
ago when I wanted to purchase tickets for the Studio
Ghibli Museum through the Japanese website. It wouldn't let you
(01:04:36):
access it through an American server or an American connection.
So I logged in through my VPN through the Japanese
server UH, and I was able to purchase those tickets
through the Japanese website. It thought that I was in Japan,
so it let me do it, and that way I
was able to save myself so much money. It was wonderful.
So you can do it for you know, buying goods,
(01:04:58):
buying tickets for where, you know, going to a concert
in a different country, or a museum or something like
that in a different country. You can use it to
access online streaming portals that are only available in specific countries.
You can use it to download specific things that are
only available in specific countries like the list goes on
(01:05:19):
and on as far as different ways that you can
use VPNs that aren't necessarily just directed for security and privacy,
but are also directed at manipulating where the website thinks
that you are coming from. Yeah, and this can be
a matter of life and death for some people. Like
here in the United States, we largely use it for
the purposes of things like privacy, security, and convenience, but
(01:05:42):
in other places where you might be uh in a
country with a more authoritarian government, one that is far
more restrictive in access to certain services. If you're able
to connect through a VPN, which you know, granted, that
means that that government agency has have been paying very
close attention. But if you're able to do that, then
(01:06:02):
you can log in to different things as if you
were from some other part of the world, and maybe
get access to vital information or services that otherwise you
would not have at your disposal. So they play a
very important role. In fact, I gave an example today
with a friend of mine about how I would see
VPNs and incognito mode together being incredibly important. So imagine
(01:06:26):
this is a terrible scenario and I put that out
there first. But imagine that you are in some form
of abusive situation at home, and whether it's a spouse,
a parent, a parent, some sort of authority figure, whatever
it may be. But you're in that abusive experience, You're
going to feel like you are helpless and you want
to look for resources that can help you get out
(01:06:48):
of that situation. But at the same time, you have
a very legitimate fear of being found out for seeking
out those resources and the fear of reprisal that you
might face as a result of that. Well, using something
like a VPN and incognito mode would mean that you're
not leaving a trace on the network of what you're doing,
because as far as the network is concerned, all you're
(01:07:09):
doing is visiting this VPN server. It's not seeing what
else you're doing. All it knows is you went to that
VPN server. Incognito mode means you're not leaving the trace
on whatever device you're actually using to do that sort
of search. So these are the sort of tools that
can literally mean life or death scenarios for people. And
you know that's dramatically that's together and it yeah, and
(01:07:32):
once you start combining those different security and privacy products
together that are very consumer friendly. Then you can end
up having a much more secure experience online, especially if
you're dealing with some kind of like like an abusive
relationship or something like that that can be uh something
that you seriously have to worry about, so definitely take
(01:07:53):
those into consideration. Using an incognito mode and VPNs together
is so easy too. It's just as simple as opening
up that browser window in private browsing mode and turning
on your VPN, which is usually with a lot of
software nowadays, is the click of a switch on your computer.
And there are a lot of VPN apps out there,
(01:08:14):
like there are a lot of the services where if
you subscribe to the service, you can use uh your computer,
or you can use a mobile device, or you can
use some combination of multiples. And there are even ones where
you can have it set as a default that as
soon as you connect to WiFi networks, you connect through
the VPN, so you don't even have to don't even
think about it in that case, which is definitely good.
(01:08:35):
If you're using like a mobile device and you're connecting
to public WiFi frequently, you definitely want to have that
that that turned on, because if you ever forget about it,
that's when you're going to have the opportunities for people
to take advantage of you. Uh, the last examples go ahead,
I'm sorry. There's also the option to build your own VPN,
but that gets very much into the nitty gritty, uh,
(01:08:57):
since there are a lot of consumer facing ones that
are generally fine for the average consumer. That's what I
wouldn't normally recommend. But when I go to DEF CON, for example,
I bring like my own certificate, my own VPN, and
my own little OVPN, basically, file, and I stick
that on my phone to actually run my own VPN.
(01:09:19):
When you do that, you're basically creating your own secure profile,
as opposed to trusting a VPN company with your information
and hoping that they are doing it for you. Yeah.
That's a great point, Shannon, because a lot of these
solutions actually ultimately require you to put trust in another entity,
and you know, there have been cases where even VPNs
(01:09:41):
have suffered data breaches in recent past, where you know,
you have to worry about that kind of stuff too.
There does come a point where you ultimately you have
to say to yourself, at what point am I comfortable
handing over control or handing over you know, some of
my data, because either you're doing that or you're doing nothing.
(01:10:02):
But you know, deciding where that point is is a
very personal choice. Uh. The very last one I want
to talk about, and we can do this very briefly,
is Tor, the Tor browser. Tor initially was an acronym
that stood for The Onion Router. And the reason it's called
Onion is because it does encryption in layers, each outer
(01:10:22):
layer being another layer of encryption. And I gave a
very simple analogy. Imagine that you are trying to ship
a present. Let's say I'm shipping a present to Shannon,
but You're welcome, but I don't want you to know
where I live, um for some reason. And I don't
want anyone to know that I'm sending a present specifically
to you for some reason. So what I've done is
(01:10:44):
I've nested your package that has your present in it
inside another package that's gonna go to a totally different address.
And I've nested that what's is it a brown package?
There's probably some, you know, My Little Pony temporary tattoo
sheets in there. So that's in there, and then that's
(01:11:04):
in a second package, and the second package is in
the third, the third package is in the fourth. Each package
has a different address on it. So I've got a
really big package that ultimately is just holding a bunch
of boxes and a couple of sheets of temporary tattoos
in the innermost box. I ship that to the first address.
The person at the first address opens up this big
(01:11:24):
box and they see that there's a slightly smaller box
inside with a different address on it. So they plopped
that back into the post office. Post office takes that
to the second destination. They open up the package, well,
destination number two. They know that the package came from
destination number one, but they don't know anything further back
from that. They don't know that I was the person
who originally put the package in the mail, and they
(01:11:46):
don't know where the package is ultimately going to. They
just see destination three on the shipping label of that
inner package, so they send it to destination three. Destination
three gets it. They opened it up. They know it
came from destination two. They don't know about destination one.
They definitely don't know about me, and they see that
they need to send on the next package to destination four,
and so on and so forth until finally you get
(01:12:07):
to that innermost package which has Shannon's address on it.
She gets it, she knows it came from the previous site,
but doesn't know any of the rest of the history,
including where it came from, except I probably put a
note in the inside of the package saying hey, it's
from me, Brownie Joe. And then then she gets the package.
You would probably want to make sure that your message
is encrypted. Yes, Uh, there's like a you know, I
(01:12:31):
tell you that you need to use your super secret
Captain Crusader decode ring or whatever to decrypt the message,
and then and then she would be able to to
use a similar process to send information to me. Uh. Now,
this is a very secure way typically of sending information.
There are ways to try and sniff out things, just
as there are with any network communication, but it's hard.
(01:12:53):
It's very hard to get anything meaningful through this process.
It is possible, it's not foolproof, but it's real hard
and uh. And so this is generally considered the most
secure way to browse the Internet. However, with that security
there comes a trade off, and that trade off is
mainly felt in the form of speed. We're in the
(01:13:15):
home stretch. Now we're going to have a little bit
more talk about public WiFi and safety measures you should
be observing. But before we get to that, let's take
one last break. There has been talk on on the
(01:13:36):
internet many years ago that government agencies had access to
some of the, um, end nodes, the very last place
that your package would hit before it went on to
whoever it was supposed to go to. UM. So you
do have to consider where where is this information being
sent and who has access to the very end of
(01:13:59):
that tunnel that you're sending that information through UM and
if that's protected, then yeah, it's great option UM. But
of course with Tor as well as with VPNs and
incognito mode, you shouldn't use just one of these options.
You should use all of them if they are at
your disposal. But again, do you want to deal with
(01:14:20):
the slowness that you're going to experience when you add
these additional tunnels and additional nodes onto whatever you're trying
to gain access to, or are you going to deal
with the security um UH minimal experience and add that
additional convenience to your experience by just not using it,
(01:14:41):
so there are trade offs either way, and you've summarized
it perfectly, Shannon. I mean, this is like we said
at the beginning, this is a spectrum, and the important
thing is to be educated to that spectrum so you
can make your own educated decisions and not just trust
to the fates. I have a tattoo on my back
of the Fool tarot card, the eternal optimist. Don't be
(01:15:03):
the fool. You get the tattoo who wants pretty awesome,
It's dope, But don't don't be the Don't be the
fool in life, right, Don't just trust that you can
take a step off a cliff and you're not going
to fall to your death. The fool is taking a
step off a cliff in the traditional tarot card. So
you don't want to be like that. You want to
be informed and make choices. And you know there might
(01:15:26):
be instances where you think, Okay, I'm in a public spot,
I am going to use WiFi, but I'm using it
for something that's not related to my personal information. I'm
literally maybe I'm looking up a restaurant to find out
what hours it's open, and that's it. You know, they're
different levels. But if you're thinking, I want to do
some shopping, or I'm going to check my bank statement,
(01:15:47):
or I'm going to log into my email or this
one's a big one for us here at I Heart.
If I'm going to access any of my my work stuff, right,
like anything that's stored on there, any of the services
that are on your definitely use a VPN in those cases,
because you're talking about things that affect not just you
but other people. Right, You're talking about the potential of
(01:16:08):
affecting uh, essentially an entire company if if the wrong
information were to get out, you know, especially for talking
about things like publicly traded companies. You want to make
sure that you're being a good steward of the information
that's been entrusted to you, not just your own but others. So, uh, Shannon,
(01:16:30):
this has been a joy. You have given generously of
your time and your expertise, and I greatly appreciate it.
Please let people know where they can find your work. Well.
Thank you so much, Jonathan. I love security and privacy
and I think of it as a habit that you
build upon over time, and the more that you learn
(01:16:50):
about it, the better off you can be in the future.
So build upon your security for your future self and
for your family too, because the more secure cure you are,
the more secure they will be as well. Uh. And
if you're interested in learning more about consumer privacy and security,
you can check out my YouTube channel. It's YouTube dot
(01:17:10):
com slash Shannon Morse uh and that's m O R
s E just like Morse Code and I will be
going to CES just like Jonathan mentioned, I'm very excited,
so I will be posting a lot of content from
the Consumer Electronic Show and I will have tons in
store through the year. Awesome. Shannon's always a pleasure. I
(01:17:32):
am so sad that I will not be seeing you
at CES. We'll have to make time for
some other tech conference, I'm sure. Or next time i'm
out your way, I'll give you a shout and maybe
we can, like please do Yeah, we can can go
grab ramen or something and chat about security. I would
love That would be awesome. And that was an episode
from Christmas Day two thousand nineteen, The Dangers of Public WiFi.
(01:17:53):
I hope you enjoyed this look back on the episode.
That was one of the really epic ones when I
took a look at the full running time. I thought, wow, um,
I owe Shannon a really nice lunch or something for
agreeing to sit on a podcast for so long with me, Because,
as we all know, that's a big request. I hope
(01:18:15):
you are all staying safe and are well. If you
have suggestions for topics I should cover on future episodes
of tech Stuff, please reach out to me. The best
way to do that is on Twitter. The handle for
the show is Tech Stuff HSW and I'll
talk to you again really soon. Yeah. Tech Stuff is
(01:18:38):
an I Heart Radio production. For more podcasts from I
Heart Radio, visit the I Heart Radio app, Apple Podcasts,
or wherever you listen to your favorite shows.