
December 25, 2019 78 mins

Hacker extraordinaire Shannon Morse joins the show to talk about how you can protect your data when browsing the Internet. Is public WiFi off limits? Are VPNs reliable? What about Tor?


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
Welcome to Tech Stuff, a production of iHeartRadio's
How Stuff Works. Hey there, and welcome to Tech Stuff.
I'm your host, Jonathan Strickland. Forgot my own name for
a second. I'm an executive producer at iHeartRadio and
I love all things tech. And you know, uh, there's
a there's a topic that I really wanted to cover

(00:25):
because as I record this, we're in the holiday season.
A lot of people are traveling, They're going through airports,
maybe you're visiting family, and occasionally you need to find
a place to be elsewhere, like maybe a coffee shop
or something. That typically means we're carrying our devices with us,
and then we want to connect to different networks, but

(00:45):
that might not always be a great idea, And so
I decided I was going to do an episode all
about the best ways to browse the Internet with privacy
and safety in mind, going from the least private and
the least secure to perhaps the most private and most
secure here. And then I thought, hey, you dumb, dumb.
You know people who are extremely well versed in this topic,

(01:06):
and that's why I invited my good friend, the phenomenal
Shannon Morse to join this episode, to come back. So
welcome back to Tech Stuff, Shannon. Thank you so much, Jonathan.
I'm so excited to be back on the show. How
are you doing? I'm tired. But it's at the end
of the year, so that always happens, right, like, And

(01:26):
here's the thing, you know, Shannon can tell you. In fact,
we were just talking about it before we went on
to the record, that the tech journalist's life does not
get easier at the end of the year because you
immediately turn around and head off to Vegas for
CES. And that's where you're gonna be in early January,

(01:46):
as I understand it, right, Shannon, Yes, I will. I'll
be there all week covering everything over on my channel,
So make sure to link everybody to my channel later, absolutely,
because I ain't going folks. So Shannon's your your destination
for finding all the really cool stuff. And uh, Shannon,
I can say from experience because I've watched her work

(02:08):
does amazing work, not just at CES but everywhere, but
particularly like under a high stress situation like CES, certain
people can light up under the camera. And uh, I'm
frankly envious of your ability to do so. So um
that's me being nice. Yeah, well, I mean, I could
be more catty about it, but I'm gonna be nice.

(02:31):
The catty would be like, how dare she? How dare
she show me up? But no, we're gonna talk about
browsing safely. So the first thing I wanted to do
before we get into the spectrum of browsing the Internet,
because you could argue that there's like the least safe, secure,
naive way to do it to what is perhaps the

(02:54):
most secure but not perfect. There's no perfect solution spoiler alert.
Before we get into any of that, I wanted to
talk about some stats, and these come from a few
different sources. Uh. One was a survey that was conducted
by One World Identity back in eighteen about public WiFi.
So this was just asking people about their perception and

(03:15):
their use of public WiFi. And Shannon, I kind of
wanted to get your reaction to this because being someone
who has been so entrenched in data security, in the
hacker culture, in you know, everything from how do we
make these systems more secure? To the white hat approach
of how do we find any vulnerability so that they

(03:35):
can be patched, to even the black hat culture where
people are exploiting this for their own gain. I wanted
to see what you thought about these stats. So the
first one was they asked a question to people in
the United States, in Germany, and in France, and the
question they asked was, do you ever use unsecured public

(03:56):
WiFi networks? In the United States? Forty percent, so nearly
half said, you know, if there's no other option, sure,
I'll do it. Thirty two percent actually said I prefer
using public WiFi to using my cellular plan, presumably because
they would not be billed for data usage right because

(04:16):
they're using WiFi instead of their cell data only said
they never did it. One percent said they do it,
but only with a VPN. But we'll cover VPNs a
little bit later. So, Shannon, you've you've talked with hackers.
What do you think their reaction initially would be hearing
that nearly fifty of people in the United States said yeah,

(04:37):
you know, if there's no other connection, I'll I'll connect
to public WiFi, and another thirty two percent said, oh, heck, yeah,
sign me up. Well, I'm definitely in the one percent
of only with a VPN, and and that's assuming that
I have absolutely no other option. So I'm kind of
a mix of the and the one percent, but only

(04:59):
only if I have a VPN. Um, I would
say from my experience, all of my friends would probably
not be surprised by the that prefer public WiFi over
their cellular plans, specifically because of what you said. They'll
be able to save money, especially if they don't have
an unlimited plan through their mobile carrier. So in that way,

(05:19):
it makes sense, uh that say yes, if there's no
other option, there's always another option. Come on, folks, what
are you doing? Where are you at? I mean, we
we have such good cellular coverage now there's always another option,
even if you just have three G like that's manageable
for most tasks. So what what are they doing? I'm

(05:41):
just, my jaw kind of dropped a little
bit when I heard that number. I just thought it
was I thought that I'm doing a much better job
of educating people about the importance of not using public WiFi,
and apparently I'm not doing my job as well as
I should have been, or or the people who are
already kind of hip to it are the ones watching you, going, yeah,

(06:01):
she gets it, she knows, and the people who need
to see it are like, what's on The Masked Singer
today or whatever, you know, like, so, yeah, I I
look at this and I think, man if I were
a black hat, I would just be doing the Mr
Burns excellent gesture over and over again, just drooling at
that opportunity, because you know, public WiFi is definitely the

(06:27):
most dangerous option you can pick when you're talking about
protecting your own privacy and security, especially if you're not
doing something like using a VPN. Uh, spoiler alert, we'll
talk more about that in a second. And so knowing
that your opportunity for targets is so vast has
got to be incredibly encouraging to someone who is ready

(06:50):
to exploit that. And that's really, you know, that's what
we're trying to protect everyone against, is you know, it's
the likelihood of you running into these situations is not
necessarily high on a day to day basis, but the
opportunity is so huge that you need to take it
into account no matter where you happen to be. So
you you want to make yourself the hard target. You

(07:11):
want to be the person that makes people work really
hard to get access to your data. You don't want
to be the easy target, because the easier target you are,
the more often you're going to be targeted. You don't
want that. No, No, And I was actually talking to
a co worker today and I said, honestly, when you
look at data security, even when you're talking like, you

(07:32):
always get naysayers who will say, oh, sure you can
use this, but it doesn't protect you against everything. And
they may technically be right, but my answer is the
harder you make it effectively, what that means is you're
making it more expensive for someone to successfully target you.
So if you price yourself out where it would cost
them more to break your security than they would get

(07:55):
from whatever they took from you, you win, because no
one's going to lose money on that. Uh exactly. It's
when you've made it so convenient that it's like it's
like it's like when someone says about a sale, I
would lose money if I didn't buy that. That's when
you're in trouble. Yes, exactly. It's they're looking for the
bargain deal. And a lot of times when a black

(08:18):
hat is looking at public WiFi as a way to
access information, they're intending to profit off of that information,
whether by stealing an idea, identity or reselling that data
on the black market, like on the dark web. So
making yourself the hard target is absolutely crucial to helping
to protect you. Yeah, and and just so that you

(08:40):
guys out there know, I mean I mentioned the United
States numbers. It's not like Germany and France were shining
examples of data privacy and security among the public. In Germany,
in fact of respondents said they'd used unsecured, unsecured public
WiFi over their cellular data. So it was even a
larger percentage than the United States. In the United States,

(09:02):
it was that thirty two percent that said, oh yeah,
if I've got a choice, I'll use public over my
cellular data. In Germany it was forty six percent um
and percent said they would use it if they could
not get a cellular option. And then in France it
was closer to what the United States said, said they
preferred using public WiFi to using their cellular data and

(09:23):
forty percent said they'd used it if they couldn't get
any other option. So again that mirrored very closely what
the folks in the United States said. So this is
a trend that goes beyond the US. I know that
because I'm centered in the US. I often get very
US centric, and I also tend to harp on how
American citizens in particular seemed to come across to me

(09:46):
as being security illiterate. For in a in large part,
I mean, I just see it all the time, but
I don't know if it's not exactly reassuring to see
that's that way in other parts of the world. That
doesn't fill me with confidence. I think a lot of
times people either don't know where to look for the information,
for accessible information that's that that's explained in a way

(10:11):
that isn't scary, or doesn't you know, create create emotions
of paranoia, or just close people down so that they
just lose interest in security. Uh. And you also have
a lot of folks out there that just don't care.
But I think a lot of people do care, they
just don't know where to look for this kind of information.
So I'm glad that you, Jonathan, as well as myself

(10:33):
on my channel, we're putting that information out there in
a way that's easy to understand, and I'm hoping that
even if it just helps one person understand a little
bit better security and privacy, hopefully we change that percentage
over time. Absolutely, I agree. I think, uh, it can
be one of those situations where you get overwhelmed by

(10:54):
the scope of something. And when you get overwhelmed, it's
almost like there's a defense mechanism in your brain, right,
it's like this is too hard, so I can't worry
about it. And I have seen this in action when
trying to tell people about like password managers, for example,
and they just shut down. They have no interest, They
get glassy eyed, and they just say, well, I don't

(11:15):
see what the point is. And I try to explain
the point, but as after that point, it's just it's
just like talking through talking through the air. They just
don't want anything to do with it. And and as
someone who relies heavily on a password manager like it is,
it's it's fundamentally one of the most important tools in
my toolbox to make certain that I don't do rookie

(11:38):
mistakes like using the same password for multiple accounts. Right.
Because as as we'll discuss as we get into this
discussion about safely browsing the Internet, one of the big
dangers is that if you through accident or or you're
tricked or whatever, if you somehow share your log in
information for one service. Let's say that you have one

(12:00):
service that isn't using uh secure encryption for some reason.
First of all, don't do that. But if you are,
if you're using that same password anywhere else, it's like
you just handed a skeleton key to somebody, because now
they can access everything you've used that password with. I mean,
this is this is blatantly obvious. So that's why it's

(12:21):
so important to have unique, strong passwords for all the
different services you use. That way, if one, if worst
case scenario one gets compromised, it doesn't compromise everything else. Yes, absolutely,
I'm glad you mentioned that because the more different things
that you use that help your security and privacy, every
single step you take absolutely helps. And that's just one

(12:45):
of the many steps that you can take. Every single
consumer in the world does not have to take all
of these steps all at once, because that would be
quite mind boggling. But if you do take steps towards
these over time, you can increase your privacy and security
twofold. Yeah, it's fantastic. Yeah, I mean and and

(13:05):
and to be fair, like like I'm gonna be upfront guys,
like I used to be the dude who had like
three passwords and for everything. Yeah, I was like that
for years until until I finally like woke up to
how dangerous that was. I was fortunate in that I
was never knowingly anyway targeted for a specific like intrusion. Uh,

(13:28):
as far as I know, I never None of my
stuff ever got compromised because of that. Stuff has been
compromised because of data breaches that are beyond our control.
But we're really focusing on the stuff that we as
end users can do to improve our security as best
we can, knowing that we live in a world where
that's just one point of vulnerability. That's one point of attack,
but it's it's one that we have some control over another.

(13:51):
Another scary statistic, or at least I thought it was scary,
is that Kaspersky did a, uh, survey back in seventeen
and, or, they did an analysis of thirty two million
hot spots. Hot spots being points of contact where your
device connects over to the Internet at large, and a
hot spot can be everything from the router in a

(14:14):
like a coffee shop to your own cell phone. You
might be using that as a portable hot spot. Out
of the thirty two million hot spots they examined, twenty
one quarter of them had no encryption in use at all,
meaning everything is being sent in plain text, which means
that if anyone has any method of eavesdropping on those communications,

(14:36):
they see it all, which again blows my mind that
there would be that many networks that have no encryption
in place at all, not even bad encryption. Yeah, that's
a very scary number. That's extremely high and is a
lot higher than what I thought it would be. Uh.

(14:57):
If if they're not using any sort of encryption whatsoever
for a hot spot, that means that anybody within
that vicinity, within range of that device would be able
to see everything you're doing. It's very very mind boggling. Yeah,
and this is one of the reasons why I wanted
to have you on the show, because we say these things, right,

(15:17):
We say that when you use public WiFi, you're using it.
If you're using an unsecured public WiFi hot spot, especially
one that is unencrypted, that you are in danger of
this And a lot of people say, all right, but
exactly what's going on? Right? How are they doing this?
And it's that there are various pieces of software out
there that allow people who are who get onto a

(15:40):
network to monitor traffic that's going across that network. I
mean, there are entire groups out there that make different software
and hardware, uh, solutions to do just this, right? Yeah,
not gonna lie. Um. I used to solder and sell
some of these products at a company that I used

(16:02):
to work with called Hak5, so I'll definitely share
some of that information once we get closer to those
those topics with today's discussion. But yeah, those products exist,
They're very inexpensive, and some of the software is free,
and there's tutorials made by yours truly on YouTube that
show you how to use these things. So it's definitely

(16:23):
a thing that pretty much anybody can introduce themselves to,
and then they will be able to see what's going
on on a network. And there are different reasons to
even do this. There's obviously there's the nefarious ones that
we're concerned about, but there's also like if you're a
network administrator being able to do things like monitor network
traffic and see points of congestion as well. Yeah,

(16:46):
there's like there's there are legit reasons to use that
sort of technology that don't that don't immediately point you
to the to the road of I'm here to steal
all your infos. It's like there's stuff that where this
is used in quote unquote legitimate purposes. I mean like
packet sniffers. That's something that sounds like it's underhanded and shady,

(17:07):
but they were invented not to try and sniff out
what someone else was doing, but literally to help network
administrators see how network how network traffic was moving across,
so they could make sure that everything was working properly.
So but it doesn't mean that you can't a tool.
A tool is either a tool or a weapon, depending
upon how you want to use it, And so the

(17:29):
same stuff that was used to help networks is also
used to exploit them. Um exactly, you could say the
same thing about a kitchen knife. I mean kitchen knives
to to you know, cut up fruits and veggies. Some
nefarious people might use one to murder somebody. Pardon me.
But the thing I used the exact same sort of analogy,
except when I was talking to someone earlier today, but

(17:51):
it was a hammer, But same thing, Like a hammer
is either something that you're using to to build stuff
with or it could be used to bludgeon somebody, And
it all comes down to it's not that the tool
itself is bad, it's the intent and use of the
person wielding that tool. And the same is true of technology.
Uh So, one other stat that I wanted to mention

(18:12):
that's pretty alarming. Norton found out this was in so
it's a few years ago, but Americans had had their
email hacked at some point, and that twelve percent had
their financial data stolen while they were shopping online, and
that in million people globally had been a victim of

(18:35):
some sort of cyber crime. And that kind of shows
us the scale of why this is an important topic.
It's not just because the opportunity is there. It's because
people are actually actively taking advantage of those opportunities, and
you could be the victim of one of those actions
if you're not careful. And we love you absolutely, we too,

(18:58):
love you very much. I'm kind of I'm kind of
thinking that all of those numbers have probably increased given
that it's been about four years since they were they
analyzed the data and had those those statistics available, because
in the past couple of years we've seen hacks go
from a few hundred million people to almost a billion

(19:20):
people get hacked online. So it's entirely possible that those
numbers have increased quite a bit since, especially in the
realm of the mobile app becoming king right, because there's
there's such a proliferation of apps out there that either
through a conscious effort, are creating vulnerabilities or because of

(19:43):
poor design, create vulnerabilities that can later be exploited. You know,
we've seen so many examples of that where an
API didn't take everything into account and then someone
was able to exploit it. Famous one being Facebook and
Cambridge Analytica, where where you had an app that if
you installed the app like you would voluntarily install it

(20:05):
within your Facebook and you're voluntarily sharing your
own information. All of that is fine, right, if you've
agreed to do it. Such a good, not a good idea,
such a good example. Good example. Yeah, good example, not
a good idea to do. But it's fine if you
if you are knowingly doing that, that's fine. But the
problem that the Cambridge Analytica story brought to bear is that

(20:26):
they took advantage of a loophole in Facebook's API and
they were able to to fish out a ton of
information about all the contacts of the people who had
installed the app. These are people who did not, uh,
you know, give permission to share their information, but the
app collected all that information regardless. And that's where we see, like,

(20:48):
you know, there were countless victims of this app because
none of them opted in to share that information. It
was just taken from them. And uh, that's just one
little example of the world we live in where you know,
even when you are being careful, there are there are
these opportunities for your information to get out there, which

(21:10):
is why we're like, this is why you need to
take the steps necessary to protect yourself as best you can,
because we live in a world where there are numerous
attack vectors that point back to us. All right, I
mean just mid December, the New York Times discussed location
tracking on phones and how ping pings to local towers

(21:32):
can basically give you a map of a certain phone
ID and you can track that and figure out
who that phone belongs to based on what residence and
what office they go to every day. It's extremely scary,
and the more information we have about it as consumers,
the better we can protect ourselves. Yeah, and again like, uh,
back to what you were just saying, Shannon. Facebook sent

(21:54):
a letter to Congress just a couple of days before
we record this episode where they said, Um, even if
you opted out of location tracking, we actually know where
you are, partly because of the information people are voluntarily sharing.
Like if I tag if I take a photo while
I'm at a party and I tagged the location and

(22:16):
I tag people are in the photo, well, I'm voluntarily
sharing a lot of information. Maybe those people haven't given
me permission to do that, but I'm sharing that information.
So yeah, of course Facebook knows where I am when
I when I'm there, and who I'm with because I
shared the information. But they also admitted yeah, we also
use a lot of other methods where we can suss
out where you were and who you were with at

(22:38):
what time that aren't as obvious and aren't examples of
the user voluntarily handing over information. So yeah, scary stuff. Um.
One of the things I wanted to mention is sort
of the bird's eye view of the process of what
it's like just connecting to WiFi, so we can kind
of understand, uh, you know, what's going on, because I

(23:01):
think a lot of people if they think that if
they see that, for example, that there's a Wi Fi
hot spot that requires a password, they immediately think that
that is inherently more secure than a public WiFi spot
that has no password, which is not necessarily true. Um,
So connecting to WiFi is really you can think of
it as a series of handshakes between whatever device you're

(23:24):
using and the hot spot, whether it's a router or
something else. And this series of handshakes is not meant
to secure the data. It's not meant to encrypt a
channel necessarily, it's not meant to protect it. What it's meant
to do is to identify the device and the hot
spot so that they know where the data needs to go. Right. Otherwise,

(23:45):
if if we all connected to a public WiFi hot
spot and there wasn't this handshake thing going on, it
would be as if we were all listening to an
open broadcast of everything all at once, and it would
just be meaningless garbage, and we would just get just
get everyone's data simultaneously, and we're like, I don't even
I don't know what we could I don't think it

(24:06):
would go well. But so this was this was literally
the solution to that problem. Like you know, if you're
using wired connections, that's one thing, right, you can wire
things to specific ports. You have physical hardware. When you
go wireless, you have to create a virtual version of that.
That's sort of what the handshake process is for. It's saying, hey,

(24:26):
there's this device that wants to connect to the network.
The network says, okay, I'm giving you permission. The device
says, okay, this is who I am, and the network
device says, all right, I see who you are, and now
we can send information back and forth. You can send
a request out to the internet. I'll go out and
grab whatever it is you wanted, and I'll return it
just to you. That's the idea. That's actually a great
explanation without using any of the terminology. So I thank

(24:50):
you for doing that. Yeah, I tried. I tried.
At one point, I had a spoiler alert or, well,
not even spoiler. Look behind the curtain, folks. I had
originally started this episode as a solo show, and that's
when it struck me that it would be way easier
if I brought Shannon on because she's much smarter than
I am. And so as I was doing it, I
was trying to describe this process, And I think I

(25:12):
went through two or three drafts when I said, you
know what, I can just step back and not get
so technical because the technical parts aren't really what's important.
What's important is just sort of understanding the concept of
the process and why it is not inherently tied to
security and privacy. It's inherently tied to just what does
it take so that you can have these two devices

(25:33):
communicate with one another and not have them confused with
all the other devices that hook into the same network.
And once I figured that, I was like, I'm gonna
go with that because I'm tired of trying to figure
out how to explain this handshake process. Um, it totally works.
I mean, I like the handshake terminology because it is
kind of like that, like in person, whenever you meet somebody,

(25:56):
you acknowledge each other, you shake each other's hands, you
kind of authenticate each other by name and by face.
And that's very similar to what a router does with
a device like your smartphone or a laptop. It's basically
doing the same thing where you're you're looking for somebody
to introduce yourself to. You go in, you acknowledge each other,

(26:17):
you shake hands with each other, you kind of authenticate
each other by name, and then you have that connection. Yeah,
and you have that connection forever until you break it off. Yes,
And if if you're at CES, it probably also requires
you to hand over a business card because that's like, yeah,
most likely that's that's the current I guess that would
be your password, right, yeah, I guess so yeah. All right, Well,

(26:39):
when we come back, we're going to talk about the
how how information is sent through packets, just so that
we can understand what did that packet sniffing thing mean earlier?
But first, let's take a quick break to thank our sponsor. Recently,
more than one million people had their personal information stolen
in a major data breach. Social security numbers, contact details,

(27:02):
credit scores, and more, all taken from Capital One customers.
There's a good chance you were affected. These kinds of
attacks are getting more frequent and more severe. It's not
just Capital One. Equifax, Facebook, eBay, Uber, PlayStation, and Yahoo
have all leaked passwords, credit card info, and bank numbers

(27:23):
belonging to billions of users. And if you think hackers
only target large companies to get your information, you're wrong.
I use Express VPN to safeguard my personal data online.
According to recent reports, hackers can make up to one
thousand dollars from selling someone's personal information on the dark web,
making people like me and you easy lucrative targets. Express

(27:46):
VPN is an app for your computer and phone
that secures and encrypts your data so you can have
peace of mind every time you go online. The app
connects with just one click. It's lightning fast, and the
best part is Express VPN costs less than
seven bucks a month. Listen. If a breach can happen
to Capital one, it can easily happen to an individual

(28:08):
like you. Protect yourself with Express VPN, the number one
VPN rated by TechRadar, CNET, the Verge, and
countless others. Use my special link Express vpn dot com
slash tech stuff right now to arm yourself with an
extra three months of Express VPN for free. Support the
show and keep your information safe. That's Express vpn dot

(28:34):
com slash tech stuff for an extra three months free.
All right, then we're back. So I promised that we
were going to talk about packets. Packets is a pretty simple concept.
So a packet switching network. You've probably heard that term before. Uh,
the Internet. When the pioneers of the Internet were sort
of designing this thing. They thought, well, how do we

(28:56):
make it so that information can be sent from one
computer to another in such a way that if something happens,
the information can continue to make its way to its
destination even if there's some sort of interruption. And if
it were just an uninterrupted string of data and there
was an interruption, then you would have a corrupt file
or you know, things would not work right, you wouldn't

(29:17):
get what you were wanting. So they said, what if
we bundled data into uh, certain sizes, We'll call it packets.
The packets will have information on them that will tell
the data where it needs to go, where it came from,
and how it fits within all the other packets to
make whatever the thing is. And since we're talking about

(29:37):
the Internet, let's be honest, chances are it's a picture
of a cat. So that cat picture is going to
be a lot of different data packets and they have
to put the packets together kind of like a puzzle
in order to recreate that image of a cat. So
that's that's what a packet is. Well, the packet because
it has that information on it about where it's going
and where it's from. That's what we would call metadata, right,

(29:57):
that's the data about the data, or it's data that
somehow describes the data that's inside and um and I
always always try and say that the packets on the
other side get reassembled Willy Wonka style like Mike TV
when he goes across the camera. UM like that. Yeah,
I mean it's a it's a nice way of putting it,
especially since I mean that's one of my favorite films

(30:18):
of all time, the Gene Wilder version of the not
the Johnny, not the Johnny Depp version yet. So that's
where we get the words for packets. So, a packet sniffer,
as we mentioned earlier, can be software, it can be hardware,
it can be a combination of the two. That is
meant to sort of check out the packets that are
being sent across a network, uh and get an idea

(30:42):
of what's going on there. And one of the things
someone can do if they have a packet sniffer and
they know how to do it, is they can look
for packets that represent essentially an unencrypted cookie or a
session key. And this is essentially where a user has
sent a request to log into a service of some
sort uh, and if the hacker is able to sniff

(31:06):
out that cookie, they might be able to step in
and pose as that user and thus get access to
the user's account or services. Um and this is sometimes
referred to as side jacking. I learned a lot of
hacker slang while I was doing the research. This. I'm

(31:27):
so proud of you. I'm not good at using it,
but I learned it. It's okay. You could go to
DEF CON next year and totally fit in. Yeah, except I
will be like, all right, well, I'm gonna leave all
of my devices at home. Another great idea. DEF CON,
for those who do not know, is an information security
and hacking convention where if you aren't careful, they will

(31:49):
let you know about it. Oh yeah they do. Usually
they're nice about it, and you just end up on
this thing called the wall of shame. But luckily generally
people don't nefariously hack each other there. It's just kind
of to pop your name up on a wall of
shame and that's about it. Yeah. Essentially, essentially they're saying, hey,

(32:09):
you need to have a heads up, like whatever you're
doing is not sufficient. Yeah, it's it's really more like
it's really more like saying like, listen, we want you
to be safe, and right now you're not being safe.
So but but yeah, but still there's also the shame factor.
And the more the more known you are in the sphere,
I imagine, the greater the shame would be to appear

(32:31):
on that wall. Oh yeah, definitely. So this was I've
never been on the wall of shame, and I hope
I never. Congratulations. Yeah, I've never been on the wall
of shame either, But that's because I haven't gone. I
am certain I would end up doing something boneheaded
and mess up. So you were talking earlier about how
you have actually actively worked on technologies that do this

(32:51):
this packet sniffing, uh, approach. Yes, yes, I have. I
used to work at a company called Hak5. I
still do a show on that channel, Hak5, And
our our premise for that channel is educating people who
are interested in security and privacy and might want to
go into information technology or penetration testing or infosec info

(33:15):
security as a profession. So we teach young hackers how
to legally use their talents to actually get a job
that will help them spur the economy, help them protect
companies, uh, and help them really get involved with their passion. Um. So,
one of the products that we created is something called

(33:38):
called the WiFi Pineapple. It's a little hardware device. It's
basically a router, but the software that's built into the
WiFi Pineapple allows us to do things like get people
to connect to a WiFi Pineapple as opposed to a
regular router and allow us to sniff packets just like
you were saying, um it. The product has been around

(34:02):
for half a decade at this point. No, actually it's
been almost a decade. Wow, I can't believe it's been
so long. But we've gone through various revisions of it,
and as security has gotten stronger, there's always been new
vulnerabilities available in wireless network technology, so we've always been
able to update the WiFi Pineapple to continue to educate

(34:23):
people why it's still a good idea to not connect
to public WiFi or open hotspots. And uh, it's been
a wonderful education tool since we can use it as
this kind of man in the middle attack for for
you know, helping people understand. Yeah, and I mean, like

(34:43):
the thing that I see people sometimes and I know
you've seen it sometimes protests that like why are you
making this thing? And the argument I would make to them,
and I'm sure it's an argument that you guys have
made numerous times, is you know that people who have
bad intentions are making stuff like this already. They're they're
they're doing it all the time. They're doing and they're

(35:06):
not talking about it. They're not upfront about it because
they want to take advantage of it. The reason why
you guys do it is to raise awareness, to teach
people how it works, and presumably they can then take
that knowledge and better protect whatever their future clients might
be if they end up working as a white hat hacker.
And yeah, straight up, people have made their own WiFi

(35:29):
pineapples using you know, different types of hardware and different
kind of software that they've made their own. But our
our products are, well, Hak5's products are listed in NIST,
which is the National Institute of Standards and Technologies as
a wireless penetration testing device. So a lot of companies
see it as a professional tool and they get their

(35:52):
employees to purchase these items to use and make sure
that their networks are protected. Because as much as you
could use a WiFi Pineapple to hack somebody, you can
also use it to protect yourself because you're still doing
the same kind of tracking on your known network. So
if I had a WiFi Pineapple on a company's network
that I'm legally have access to as since that's my profession,

(36:15):
for example, hypothetically, uh, then I could see what employees
are doing on that network. So if somebody is visiting
Facebook when they shouldn't be, I could see that, and
I could tell them, hey, you need to you know,
cut that off or you're going to get written up.
Or if there was an attacker trying to gain access
to a wireless network, I would be able to see
those packets because they would not be what I normally see,

(36:36):
and I would be able to protect my network because
I could blacklist them then. So there's so many different
ways that you can use these tools, not just nefariously
like you had mentioned, but in like these amazing ways
that help protect so much more than just companies, but
also the employees that are working there as well. Yeah,
and that, and I've always been the type to say,

(36:58):
if if someone's outwardly talking about what their technology can do,
then those are the people you should trust. It's the
ones who aren't talking that you have to worry about.
So yeah, it's the same thing for me when people
are talking about security vulnerabilities that they found in systems,
where they might come forward and say, yeah, I reported
this like three months ago, the company still hasn't done

(37:20):
anything about it. The only reason I'm coming forward is
because that puts the pressure on the company to definitely
make a change, because that vulnerability exists, whether they talk
about it or not. Now they have to do something
because the public knows about it, and and they're you know,
I'm I'm fully on board with that too. I mean,
I think that you always give the entity the chance
to address it, but if they haven't shown any movement

(37:44):
towards that, I think it's the responsibility of someone who's
found a vulnerability to come forward with it because otherwise
it's just it's just a ticking time bomb. Someone's going
to take advantage of it, and then it becomes a
problem far bigger than coming forward and saying, hey, guys,
need to fix your stuff. And it's it's not just
you know, devices like the WiFi Pineapple, but as we

(38:05):
had mentioned, it's also software that's involved too that can
do very similar type of tracking on networks. There's a
technology called Wireshark, which I'll bring up not just
because you know, I have no financial responsibility via Hak5.
So like if if you know, somebody purchases a WiFi
Pineapple when they hear this talk, I don't get anything

(38:28):
from that, no compensation whatsoever. I just do a show
on that channel, So don't worry. I'm not. I don't
get referrals or anything. But there's also software like Wireshark,
which is a free service online that anybody can download
and that allows you to do packet sniffing. I've used
it to test my own home network and make sure
that my smart coot devices are secure and they're encrypted,

(38:51):
and that has luckily, luckily, all of my devices are,
you know, totally secure, which is wonderful. But back in
the day when I first started using Wireshark, I
discovered that when I was using Instagram on my phone,
I could see links to the pictures that I was
liking as I liked them, so as I gave them
the little hearts, it would pull up a little HTTP

(39:14):
link and I could click on that through Wireshark,
and I could see exactly which pictures I was liking,
which was so creepy. I mean, definitely something that you
should be aware of is what kind of data is
being passed through with no encryption whatsoever, and what kind
of data is being encrypted too. Yeah, totally and you

(39:35):
means crazy. You mentioned the man in the middle attack.
That's that's kind of another step up, where you have
a hacker that sets their machine in between a user
and some other computer that might be a router. So
you might actually have a man in the middle
attack where someone's, say, at the coffee shop, and they
set up uh their computer so that it appears to

(39:57):
be the coffee shops network. There's actually ways where you
can force a reboot of a system and then pose
as that system so that when it does reboot, you
are effectively a middleman in that relationship, and meanwhile you
see all the stuff that goes across that because your
computer is acting as the network spot for where where

(40:18):
everybody's connecting through. Uh, so that's that's one way, but
there's also ways of, again, doing a man in the
middle attack between, like, a client and an
actual service, like you know, directing people to fake bank
log in pages and things. Of that nature. Um, So
those are things you also have to be aware of,
although that can happen pretty much in every scenario we're

(40:41):
going to talk about. That requires you to pay close
attention to what you are doing as you're browsing. Um.
And I mentioned earlier about the idea that if you
are using public WiFi that is password protected. Let's say
you're at a coffee shop where, yeah, you can log
into their their WiFi, but you have to first go
up to the cash register and find out what

(41:01):
the password is, and then you find that out and
you log in. Some people feel like that gives them
that extra area of security. Honestly, that doesn't, because there's
nothing stopping a hacker going into that same coffee shop
getting that same password and like that. It doesn't add
any like by itself, it doesn't add any extra security.
It's just one extra little step. Yeah, it's true.

(41:23):
Uh yeah, anybody even in the vicinity, if they've ever
had access to that wireless password and the coffee shop,
for example, has never changed the password, Like they could
easily get access again with a long range antenna on
the other side of a parking lot and be able
to sniff what everybody in that coffee shop is doing.

(41:43):
So yeah, I don't even use coffee shop WiFi or
airport WiFi if we want to use that example. Those
aren't even trustworthy exactly, and I think that those are
perfect examples, especially as people are traveling a lot for
the holidays. Like I that's why I think of seeing
people whipping out their computers the most is airports and
coffee shops. That's it, um. But yeah, if you have

(42:08):
an encrypted network, that's better. It's again like this is
another step where we're getting into uh more secure area,
and we'll talk about different types of encryption in a second,
but before we get to that, there's actually also a
difference in the types of browsers, right. Different browsers offer

(42:30):
different levels of features that either uh enable security and
privacy or they make it really difficult to protect. So
on the bad end of the scale is the Internet
Explorer. For multiple reasons, it was never the best browser
when it comes to security and privacy. But it's really

(42:53):
not great now because Microsoft no longer actively supports it. Um.
They will push out a security update on occasion, but
it's not frequent, which means that there are a lot
more opportunities for people to discover and exploit vulnerabilities and
and be fairly sure that those vulnerabilities will stick around

(43:14):
for a while. So it's not even like a rush
because Microsoft isn't updating it that frequently with security patches,
So that's a bad one. Don't use it. Microsoft. Microsoft
Edge only slightly better than the completely unsupported Internet Explorer. Um,
at least as far as privacy is concerned. Uh, I

(43:37):
use Google Chrome a lot, but admittedly Google Chrome not
great either. It's kind of on the bottom half of
the middle of the pack. So, uh, they're better about security,
but they are the pits when it comes to privacy.
Also not a big surprise, because I mean, what's Google's business, right,
Google owns you? Yeah, your data is Google's That's what

(43:59):
Google buys and sells. It's your information, that's that's Google's currency.
So clearly it does not behoove Google to lock down privacy
super tight. They want to know all the information about
you they make that's how they make their money. Um. So,
of all the common browsers, like the ones that are

(44:19):
frequently used out there, the one that that tends to
rank the highest is Firefox, higher than Opera higher than Chrome,
higher than Safari. Um, so it does really well, especially
for security and privacy. It can support a lot of
features that protect you when you're when you're surfing stuff
that will end up cutting down on things like targeted

(44:41):
advertising because you can really limit the information that's being
shared by the sites that you're visiting. Um, and you
can also enhance it with various add ons that you
can find, although obviously anytime you're going to be adding
anything to, uh, an existing program, it pays

(45:02):
to do your research to make sure that it is
offered by a reputable and dependable app developer. Yeah, Firefox
is an excellent choice, uh, and twofold. If you
download something like Firefox, you also get a very fast
browser because they have worked very hard to make that
browser quick. So even if you don't care about the

(45:24):
security and you just want to access your sites really fast,
you should use Firefox. Yeah. Yeah, I got Firefox. I
got stuck on Chrome because for a while Chrome was
super fast and then it got super bloated. And also
there's the more tabs you have open in Chrome. Anyone who's
done this with Chrome knows that even though they're
all supposed to be distinct instances that don't bleed over

(45:46):
into each other. Uh, there gets to be some memory
issues if you happen to be really a heavy user,
and everyone here at this company is a heavy user.
So Firefox is definitely going to be my browser of
choice moving forward after I did this research. I also,
I should point out, before I did this research, I
did not know this. I was just a happy, blithe,

(46:09):
naive Chrome user handing handing over reams of personal data
to Google, which I mean, granted, I'm sure that company's
bored with me by now, but still there's some value
there um. And then that brings us to encryption. And
this encryption it gets This is sort of like complicated,
like the handshake thing. But encryption, when you boil it down,

(46:31):
is all about scrambling messages so that the only people
who can access it are the ones who have the
key to decode it. Right, So you have the key
to encode and the key to decode. There are various
implementations of that technology, different ways to have the public
key and private key operations. I don't need to get
into all of that because it gets way too technical. Obviously,

(46:54):
encrypted is better than unencrypted, but not all encryption schemes
are created equal and it pays use. So yes, that's
very true. There's there's even like there's symmetrical keys and
asymmetrical keys, and then there's like SHA-1 and
bcrypt and RSA. There's all these different terminologies

(47:16):
for encryption. But for what it's worth, all of them
jumble up your information into some kind of format that
will hopefully hopefully encrypted, so that anybody who does gain
access to the encrypted version of your information will not
be able to reverse engineer it or change it back
to its original plain text formats, so they can't read

(47:39):
it in like English speak, right, it would just be
meaningless garbage to them, hopefully, and its ideal, ideal implementation.
So one of the things that you may have encountered
if you've ever set up any sort of wireless network.
I think most people have, or at least they've they've
had to connect to one where they've seen the different
types of network security protocols. These are certifications that the

(48:04):
WiFi Security Alliance creates, and the earliest one was the
Wired Equivalent Privacy Protocol or WEP. Uh, that
one is decrepit, it's old, it's vulnerable as heck, so
don't use it. Yeah, if you have the if if
your router tells you, like asks you which one you
want to use, don't use WEP. Um, it is

(48:26):
not secure. It is it's I mean, you could argue
it's better than nothing, but not by much because the
vulnerabilities have been known for a long time, in fact,
so long that even before the nineties were up, you
had people developing the next generation, which would have been
the WiFi Protected Access or WPA. So
WPA came out. Then you get WPA2,

(48:48):
which was trying to address some of the shortcomings of
WPA. Uh, both of those also still have vulnerabilities.
WPA2 is generally talked about as being
one of the more secure, uh, certifications these days. There
is a WPA3. Also has vulnerabilities that

(49:08):
have pointed out within the year already. Yeah. So, but
WPA, I, I don't think I've even seen a
lot of stuff that's certified WPA3 yet,
Like we've we've started to see some wireless routers come
out with WPA3, but they there's still
a little expensive and they haven't really gotten widespread adoption

(49:30):
by consumers quite yet, so WPA2 is
fine for most consumers to use. You just have to
make sure that you set it up correctly and you
don't give the entire world access to your password for
your account. Yeah that, because then there's what what were
you even thinking? There's no point then? Yeah? So so

(49:51):
WPA3 and WPA2. All
these are our designations. And what happens is a manufacturer
will make a piece of equipment or uh either it's
a computer or a handset or maybe it's a router,
and then they submit it to this WiFi security alliance
that then makes sure that that technology meets whatever the

(50:12):
requirements are for the particular designation. Then they put the
stamp on it and they say, yes, this is
WPA2 compliant or WPA3 compliant.
So that just tells you that compliance really there. It
gets more granular than that. For example, WPA2
has two different types of encryption standards that can

(50:33):
be used. There's the bad one. It's Temporal Key Integrity
Protocol or TKIP, and I call it
bad because yeah, TKIP. TKIP is no longer safe.
Skip the TKIP. If you skip the TKIP
like that. Yeah, it's nice mnemonic device. And then there's
Advanced Encryption Standard or AES, and that's the
more secure of the two. So don't rely on TKIP,

(50:55):
rely on AES. Uh, so that will end up
protecting you quite a bit as well. The encryption will
end up helping a great deal because you've just made
it more difficult for someone to get anything meaningful from
your browsing activity. It does not mean that you are immune.

(51:17):
But again, the harder you make it for somebody, the
less chance they're gonna put forth the effort to break
through whatever protections you put up. So just general note um.
And then that also brings us to secure browsing. So
back in the day, which was the Thursday, I don't
know if you know that, Uh, there was the the

(51:38):
Secure Sockets Layer SSL. This whenever you went to a
website that had the little padlock and the lock on
it and the HTTPS like, the original version of that
was SSL. In fact, a lot of people still refer
to SSL, even though that technically has been and has
for a while been replaced by the Transport Layer Security
or TLS, but the same sort of purpose. It's to,

(52:01):
It's meant to create the secure channel of communication between
you and a specific, uh, website URL address.
So if you see HTTPS, or you see that little
locked padlock in the address bar of your browser, then
you know you are in a secure channel between you know,

(52:21):
your your device, and that browser, at least as far
as information going between those two points are. I mean, obviously,
if you're on a public WiFi hotspot that's unsecured, you've
got other issues. But it means that when you're browsing,
you want to make sure that that HTTPS is showing up.
You don't you don't want the HTTP

(52:42):
you want you want to make sure that S is there.
So one thing I've noticed very rarely, but it has
happened on occasion is where a website that requires you
to log in somewhere like their main page, their dot
com address, will be encrypted with HTTPS, but as
soon as you go over to the log in page

(53:03):
or go through any tree of different sites that they
have created on their dot com domain, all the rest
of their pages are HTTP. They are unencrypted.
So if you go to the log in page and
my cat agrees, she's mewing behind me and you put
in your user name and password. Those would be copied
through plain text, and if anybody was, you know, tracking

(53:26):
or sniffing your packets, they would be able to see
that plain text user name and passwords. So, for example,
if my password was my cat's name is Starbuck, and
that was a plain text, unencrypted website just using HTTP,
then if somebody was sniffing those packets, they could see
that passwords show up in their software through whatever hardware

(53:48):
device they might be using, and just be able to see, oh,
she entered Starbuck, and then they could go to the
website type that in and gain access to my login
account information. Yeah, and that is what we call no bueno, right,
like yeah, yeah and ho and more and more sites
are getting better about making certain that their entire presence

(54:10):
is being secure, but you can it's actually harder and
harder to find examples websites doing that, so which I'm
happy to see because that makes my job harder and
that means people are listening. Uh, So, I am happy
to see that less sites are doing that, but we
still have issues. There's still some out there. And then
occasionally you have browsers that will alert you if you

(54:31):
try to navigate to a site that is not secure,
it'll give you a little alert, which is good too,
because you know, if the people on the website aren't
being diligent, it at least gives the user on the
other end the heads up of, Hey, you probably thought
this was secure, but turns out it's not. Maybe you
want to rethink that. Are you sure you want to
go ahead? You will probably be eaten by a grue,

(54:53):
and then you decide what you can do it. Um Now,
when we come back, we're going to talk about one
other topic before we get into like the super secret stuff,
and that is what the heck is incognito mode for.
But before we do that, let's take another quick break. So, Shannon,

(55:20):
I have I've I've gone to a private network, right,
I'm it's not maybe mine, but it's a private one,
not open to the public. It's encrypted password access. I've
done all those wonderful things. And then I think, you
know what, I'm gonna look at some so like your
friend's house or something. Yeah, yeah, yeah, And uh, I decided,

(55:44):
you know what I want to do. I wanna I'm
gonna look at some I'm gonna look at some some
stuff that I don't think my friends would really understand.
Maybe maybe I'm gonna look into this that My Little
Pony fan fiction. Uh, and I don't want my friends
to know about it. So I'm like, well, I'm gonna
be super sneaky, I'm gonna go into incognito mode. Now,
no one's ever gonna know. So I click on

(56:04):
that little incognito mode and little bitty shadow Man pops up,
and I'm like, oh, yeah, I'm totally safe and totally secret.
Nobody knows it's me. And I start looking at my
Brony fan fiction. Oh you know the term. Hey, look,
I wouldn't listen. Listen, you just give yourself away. Listen.

(56:24):
Princess Celestia and I have an understanding. Okay, so we
are not going to go down that road. We're not
gonna go there. Like, yeah, Fluttershy and I we're like,
we're tight, so we're not. It's fine, Okay, it's acceptable behavior,
but no, it is acceptable, but I don't want my
friend to know that. Now here's the sad thing folks
on the podcast. One one, whoops, I guess there should

(56:48):
be more secure with my data. And secondly, secondly, incognito mode.
That's not how that works. It doesn't protect you from
anyone who has any access to the network from seeing
what you're doing, right right, that's correct. Um. Yeah, so
incognito mode. Uh, you you've probably seen it on your
own computer. If you go up into the menu for
your regular browser and go into like the dropdown menu,

(57:11):
there's usually an option to choose incognito mode or like
secret mode or something like private browsing or whatever. Yeah,
private browsing, Yeah, that's another one. Uh. So if you
click that, it opens up a completely different window on
your computer or on your phone as well. You can
do it on your phone. Uh, and you start to browse.
But basically the only thing that incognito mode is really

(57:33):
doing is uh not putting anything into your local history
or your your web browsing history, So if somebody else
got it on your computer, they would not know what
you were doing in incognito mode. Uh. And it also
doesn't store the cookies on your computer, so any information
that you were sharing with a website during your incognito

(57:55):
mode would not be stored afterwards, So all those cookies
that might have happened during a session, they'll just be erased,
like you never existed that that can actually be very useful.
For example, if you're looking for a fun hack, if
you want to save some money on airplane flights, you
can track them. You can look up airplane flight prices

(58:17):
in incognito mode and compare them to your regular browser.
And sometimes on occasion you can find cheaper prices in
incognito mode because it doesn't see how much you are searching,
It doesn't see how how many websites you've gone to.
Those cookies just aren't it there, So the website is
going to give you the best price through that that
private browsing mode. Uh, that's pretty much like the most

(58:41):
interesting thing that I use for incognito mode for But
it can be used to secretly access websites without anybody
else knowing that you're accessing those websites at the time.
For example, if you are a Brony. Yeah, so this
works on the device level, but not the network level.
So yeah, so if my friend gets hold of my

(59:03):
phone or my computer, there would be no record of
me having gone on the Brony fan fiction community site,
uh where I post my cutie mark. They would
not be able to see that. But if they were
to look at the network traffic. They'd say, huh, this
IP address is going to this Brony site a lot,

(59:24):
and it's not my computer, so it's obviously your device
and so and so this is why, Like, if you
were to use let's say that you're at work. Let's
say you're what the example I like to give is
your Let's say you are stuck in a crappy job.
You're doing your job, but you're miserable and you would
really love to be able to get something else, but

(59:44):
you don't have any time outside of your job where
you can really dedicate towards things like searching for job openings.
So on your lunch break, you slip into incognito mode
and you go on a job search website. Well, just
because you're in incognito mode doesn't mean that at the
network level, they can't see exactly what's going on, So
it doesn't actually protect what you're doing or how you're

(01:00:06):
doing it. So one thing you might want to use
incognito mode for if you're someone like me who does
a lot of research. Let's say I'm researching into something
that you know, it's it's just not my bag, you know,
it's I need to do an episode about it, but
it's not something I'm particularly interested in on a personal level,
or might even be something that I would find very awkward.

(01:00:29):
Let's say that I was doing an episode about uh,
dating websites, and so I have to do a whole
bunch of research on dating websites. Well, then I might
want to use incognito mode so it doesn't build up
this cookie history that relates back to me personally, so
that maybe I log onto something like Facebook and then
suddenly all the ads are for dating sites. That would
be awkward, right, That would be super awkward, especially if

(01:00:52):
you were married. Yes, I'm not a good thing. Yeah.
I had a similar occasion with I was looking up
pregnancy and birth information for somebody in my family. I'm
nowhere near any time soon giving you know, birth to
any children in my life except for my beautiful fur
babies that I have in my house with me. So
I was looking up this information and I was just like,

(01:01:14):
do I want Twitter or Instagram to start promoting like
baby items to me or do I want them to
keep on promoting like makeup and Sailor Moon items, which
I'm actually into. So I looked up the information about
pregnancy and birth for the other person through incognito mode,
so that that information wouldn't actually be tracked and identified

(01:01:36):
as a part of my online personality. So that way,
I was able to keep the same ads that I actually,
you know, sometimes kind of enjoy looking at because they
do pertain to my lifestyle, but nothing that had to
do with pregnancy, right. And and that's a great example too,
because there was that famous example a few years ago

(01:01:58):
of a retailer. Want to say it was Target, but
I could be wrong, but it was a retailer Target. Yeah,
and they had identified through the browsing history of a
user that she was pregnant because of the things she
was searching for, so they proactively sent her through the
snail mail a package of coupons for pregnancy related items.

(01:02:20):
And her father was the one who intercepted the letter
the coupons, and she had not told him that she
was pregnant, and he had assumed that Target had made
this assumption and got super mad, and then turned out
that he was mad about something that actually had happened.
She just had not she had not had the occasion,

(01:02:41):
she had not found the way to tell him. And
that's awful. Uh, yeah, it's such a breach of privacy,
to be honest, is when they start tracking you like
that and sending you information. It's like unsolicited advertising. I
hate it. We deal with it every single day online. Yeah,
it's it's it's even worse than unsolicited advice, Like that's bad,

(01:03:05):
but unsolicited advertising is even worse because they're like, yeah,
they're so eager to make that sale that they can
overstep very easily. Well, let's wrap up by talking about
some of the more secure ways you can browse if
you have to connect, and we mentioned this at the
very top of the show, where VPNs are virtual private networks,

(01:03:25):
and we mentioned that sort of man in the middle
attack where you are logging into a hacker's machine thinking
that that's a legit hotspot, and then the hacker's kind
of relaying information and sniffing the entire time and learning
all about you. VPNs are kind of like that,
but on the legit side, where you are logging into
a remote server somewhere far away, probably through an encrypted connection,

(01:03:50):
and then when you browse, it's as if you're browsing
from the server's location, not your personal device. So if
I were to log into a VPN and then log
into a web service. The web service would see my
location as the location of the VPN server, not my
gadget that's actually in front of me, right and not

(01:04:13):
necessarily just for if you want to look at your
My Little Pony Brony fan fics. But VPNs can be
extremely useful if you're trying to access a website that's
only available in select countries. So if you choose to
purchase like a consumer facing VPN product, and there's many
out there, I could make recommendations, but they're constantly changing

(01:04:34):
as far as their privacy and security terms and policies go,
so I won't make any major recommendations here. But if
you choose a VPN that has a a uh, for example,
a country facing server that's in Japan, that means that
I could download this VPN, log into it, connect through Japan,

(01:04:55):
and be able to access a website that's only available
to Japanese residents. Uh, so I, I had to do
that a few years ago when I wanted to purchase
tickets for the Studio Ghibli Museum through the Japanese website.
It wouldn't let you access it through an American server
or an American connection, so I logged in through my

(01:05:16):
VPN through the Japanese server, uh, and I was able
to purchase those tickets through the Japanese website. It thought
that I was in Japan, so it let me do it,
and that way I was able to save myself so
much money. It was wonderful. So you can do it
for you know, buying goods, buying tickets for you know,
going to a concert in a different country, or a

(01:05:37):
museum or something like that in a different country. You
can use it to access online streaming portals that are
only available in specific countries. You can use it to
download specific things that are only available in specific countries.
Like the list goes on and on, as far as
different ways that you can use VPNs that aren't necessarily

(01:05:58):
just directed for security and privacy, but are also directed
at manipulating where the website thinks that you are coming from. Yeah,
and this can be a matter of life and death
for some people. Like here in the United States, we
largely use it for the purposes of things like privacy, security,
and convenience. But in other places where you might be

(01:06:18):
uh, in a country with a more authoritarian government, one
that is far more restrictive in access to certain services.
If you're able to connect through a VPN, which you know, granted,
that means that that government agency hasn't been paying very
close attention. But if we're able to do that, then
you can log in to different things as if you

(01:06:39):
were from some other part of the world and maybe
get access to vital information or services that otherwise you
would not have at your disposal. So they play a
very important role. In fact, I gave an example today
with a friend of mine about how I would see
VPNs and incognito mode together being incredibly important. So imagine

(01:06:59):
that this is a terrible scenario and I put that
out there first, but imagine that you are in some
form of abusive situation at home, and whether it's a
spouse or a parent, a parent, some sort of authority figure,
whatever it may be. But you're in that abusive experience,
You're going to feel like you are helpless and you
want to look for resources that can help you get

(01:07:22):
out of that situation. But at the same time, you
have a very legitimate fear of being found out for
seeking out those resources and the fear of reprisal that
you might face as a result of that. Well, using
something like a VPN and incognito mode would mean that
you're not leaving a trace on the network of what
you're doing, because as far as the network is concerned,

(01:07:42):
all you're doing is visiting this VPN server. It's not
seeing what else you're doing. All it knows is you went
to that VPN server. Incognito mode means you're not leaving
the trace on whatever device you're actually using to do
that sort of search. So these are the sort of
tools that can literally mean life or death scenarios
for people. And you know, thatsraically together and it yeah,

(01:08:05):
and once you start combining those different security and privacy
products together that are very consumer friendly, then you can
end up having a much more secure experience online, especially
if you're dealing with some kind of like like an
abusive relationship or something like that that can be uh
something that you seriously have to worry about, So definitely

(01:08:27):
take those into consideration. Using an incognito mode and VPNs
together is so easy too. It's just as simple as
opening up that browser window in private browsing mode and
turning on your VPN, which is usually with a lot
of software nowadays, is the click of a switch in
your computer and there are a lot of VPN apps

(01:08:47):
out there, like there are a lot of the services
where if you subscribe to the service, you can use
uh your computer, or you can use a mobile device,
or you can use some combination of multiples. And there
are even ones where you can have it set as
a default that as soon as you connect to Wi-Fi
networks, you connect through the VPN, so you don't
even have to think about it in that case, which
is definitely good. If you're using like a mobile device

(01:09:10):
and you're connecting to public WiFi frequently, you definitely want
to have that that that turned on, because if you
ever forget about it, that's when you're going to have
the opportunities for people to take advantage of you. The
last examples go ahead, I'm sorry. There's also the option
to build your own VPN, but that gets very much
into the nitty gritty, uh, since there are a lot

(01:09:32):
of consumer facing ones that are generally fine for the
average consumer. That's what I wouldn't normally recommend. But when
I go to DEF CON, for example, I bring like my
own certificate, my own VPN, and my own little .ovpn
basically file, and I stick that on my phone
to actually run my own VPN. When you do that,

(01:09:54):
you're basically creating your own secure profile as opposed to
trusting a VPN company with your information and hoping that
they are doing it for you. Yeah. Then that's a
great point, Shannon, because a lot of these solutions actually
ultimately require you to put trust in another entity. And
you know, there have been cases where even VPNs have

(01:10:15):
suffered data breaches in recent past, where you know, you
have to worry about that kind of stuff too. There
does come a point where you have, ultimately you have
to say to yourself, at what point am I comfortable
handing over control or handing over you know, some of
my data, because either you're doing that or you're doing nothing.

(01:10:36):
But you know, deciding where that point is is a
very personal choice. Uh. The very last one I want
to talk about, and we can do this very briefly,
is Tor, the Tor browser. Tor initially was an acronym;
it stood for The Onion Router. And the reason it's called
Onion is because it does encryption in layers, each outer

(01:10:56):
layer being another layer of encryption. And I gave a
very simple analogy. Imagine that you are trying to ship
a present. Let's say I'm shipping a present to Shannon,
but you're welcome, But I don't want you to know
where I live um for some reason, and I don't
want anyone to know that I'm sending a present specifically
to you for some reason. So what I've done is

(01:11:18):
I've nested your package that has your present in it
inside another package that's gonna go to a totally different address.
And I've nested that. What's that? Is it a brown package?
There's probably some, you know, My Little Pony temporary tattoo
sheets there, So that's in there, and then that's in

(01:11:38):
a second package. The second package is in a third,
the third package is in the fourth. Each package has a
different address on it. So I've got a really big
package that ultimately is just holding a bunch of boxes
and a couple of sheets of temporary tattoos in the
innermost box. I ship that to the first address. The
person at the first address opens up this big box

(01:11:58):
and they see that there's a slightly smaller box inside
with a different address on it. So they plopped that
back into the post office. Post office takes that to
the second destination. They opened up the package. Well, Destination
number two. They know that the package came from destination
number one, but they don't know anything further back from that.
They don't know that I was the person who originally
put the package in the mail, and they don't know

(01:12:20):
where the package is ultimately going to. They just see
Destination three on the shipping label of that inner package,
so they send it to Destination three. Destination three gets it.
They opened it up. They know it came from destination two.
They don't know about Destination one. They definitely don't know
about me, and they see that they need to send
on the next package to Destination four, and so on
and so forth, until finally you get to the innermost package,

(01:12:43):
which has Shannon's address on it. She gets it. She
knows it came from the previous site, but doesn't know
any of the rest of the history, including where it
came from, except I probably put a note in the
inside of the package saying, hey, it's from me, Brownie Joe,
and then then she gets the package. You would probably
want to make sure that your message is encrypted. Yes,

(01:13:03):
there's like a you know, I tell you that you
need to use your super secret Captain Crusader decoder ring
or whatever to decrypt the message and then and then
she would be able to to use a similar process
to send information to me. Uh. Now, this is a
very secure way typically of sending information. There are ways
to try and sniff out things, just as there are

(01:13:24):
with any network communication, but it's hard. It's very hard
to get anything meaningful through this process. It is possible,
it's not foolproof, but it's real hard and uh.
And so this is generally considered the most secure way
to browse the Internet. However, with that security there comes
a tradeoff, and that tradeoff is mainly felt in the

(01:13:46):
form of speed. Yes, because it's having to go through
it's definitely slower. Uh. And there has been talk on
on the Internet many years ago that government agencies
had access to some of the, um, end nodes, the
very last place that your package would hit before it

(01:14:09):
went on to whoever it was supposed to go to. Um.
So you do have to consider where where is this
information being sent and who has access to the very
end of that tunnel that you're sending that information through
Um. And if that's protected, then yeah, it's great option. Um.
But of course with Tor as well as with VPNs

(01:14:30):
and incognito mode. You shouldn't use just one of these options,
you should use all of them if they are at
your disposal. But again, do you want to deal with
the slowness that you're going to experience when you add
these additional tunnels and additional nodes onto whatever you're trying
to gain access to, or are you going to deal
with the security um uh minimal experience and add that

(01:14:57):
additional convenience to your experience by just not using it.
So there are trade offs either way, and you've summarized
it perfectly, Shannon. I mean, this is like we said
at the beginning, this is a spectrum, and the important
thing is to be educated to that spectrum so you
can make your own educated decisions and not just trust
to the fates. I have a tattoo on my back

(01:15:19):
of the fool tarot card, the eternal Optimist. Don't be
the fool. You get the tattoo who wants pretty awesome,
It's dope, But don't don't be the don't be the
fool in life? Right, Don't just trust that you can
take a step off a cliff and you're not going
to fall to your death. The fool is taking a
step off a cliff in the traditional tarot card. So

(01:15:41):
you don't want to be like that. You want to
be informed and make choices, and you know, there might
be instances where you think, Okay, I'm in a public spot,
I am going to use WiFi, but I'm using it
for something that's not related to my personal information. I'm
literally maybe I'm looking up a restaurant to find out
what hours it's open and that it's it. You know,

(01:16:01):
they're different levels. But if you're thinking i want to
do some shopping, or I'm going to check my bank statement,
or I'm going to log into my email or this
one's a big one for us here at iHeart,
if I'm going to access any of my my work stuff,
right like anything that's stored on there, any of the
services that are on here, definitely use a VPN in

(01:16:22):
those cases, because you're talking about things that affect not
just you but other people. Right, You're talking about the
potential of affecting uh, essentially an entire company if if
the wrong information were to get out. You know, especially
if you're talking about things like publicly traded companies, you
want to make sure that you're being a good steward

(01:16:43):
of the information that's been entrusted to you, not just
your own but others. So uh, Shannon, this has been
a joy. You have given generously of your time and
your expertise, and I greatly appreciate it. Please let people
know where they can find your work well. Thank you
so much, Jonathan. I love security and privacy and I

(01:17:05):
think of it as a habit that you build upon
over time, and the more that you learn about it,
the better off you can be in the future. So
build upon your security for your future self and for
your family too, because the more secure here you are,
the more secure they will be as well. Uh. And
if you're interested in learning more about consumer privacy and security,

(01:17:28):
you can check out my YouTube channel. It's YouTube dot
com slash Shannon Morse, uh, and that's M-O-R-S-E,
just like Morse code. And I will be
going to CES just like Jonathan. Jonathan mentioned.
I'm very excited, so I will be posting a lot
of content from the Consumer Electronics Show and I will
have tons in store through the year of awesome. Shannon's

(01:17:51):
always a pleasure. I am so sad that I will
not be seeing you at CES. Will have
to make time for some other tech conference. I'm sure,
or next time I'm out our way, I'll give you
a shout and maybe we can, like yeah, we can
can go grab ramen or something and chat about security.
That would be awesome. All right, guys. Well, if you
want to reach out to me, you can reach out

(01:18:13):
over our social media channels. We're on the Facebooks and
the Twitters with Tech Stuff HSW. And that wraps
this up. I hope you guys learned something and that
you put that information to use. Be safe, we love you,
and I'll talk to you again really soon. Tech Stuff

(01:18:33):
is a production of iHeartRadio's How Stuff Works.
For more podcasts from iHeartRadio, visit the
iHeartRadio app, Apple Podcasts, or wherever you listen to
your favorite shows.


© 2025 iHeartMedia, Inc.