How much do you know about cybersecurity and how to be safe on the internet? Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation (EFF), debunks and confirms some common cybersecurity myths in her Mythbusting segment at Wired.
Here are some of the more common myths (and truths) you’ll hear:
Myth 1: The government is watching me through my camera
It’s actually possible to remotely trigger somebody’s camera if there’s a remote access tool installed on their device. This is what hackers and criminals do. But for the government to install the software to track you, they need a warrant from a judge.
You’re more likely to be watched by hackers or, if you’re a student, by your school than by the government. Unless someone you know is specifically targeting you, you usually aren’t a target.
To ensure that nobody gets to see anything, put a sticker over your camera or download the latest antivirus software and just run a scan on the highest setting.
Myth 2: The Dark Web is full of illegal activity
The dark web is a network of websites only accessible via a guaranteed-to-be-anonymous browsing application, like a Tor browser. But the websites aren’t just used for selling drugs and trading child porn – they can be any kind. For example, Facebook has a dark website – they have a “.onion” site that you can only access via Tor.
The Tor browser was originally funded by the US Navy. Tor and other similar applications aren’t just used by criminals; other people who frequently need anonymity online include journalists, activists, people who talk to journalists, and of course, people in authoritarian countries.
Myth 3: Privacy is dead
If privacy were dead, governments and law enforcement wouldn’t have to keep trying to kill it by proposing new laws. Privacy is power over your information.
Understanding what kind of trail you leave behind enables you to limit that trail, or to limit who can see it. Some ways to protect your privacy include using strong passwords and enabling software updates.
Myth 4: Google reads all my Gmail
Google actually does read all of your Gmail! It stores all of your email and has automated scripts that read it, along with who you’re mailing back and forth with. Google used to scan email data in order to customise ads for you, but it stopped doing this in 2017.
Google has extremely strict privacy rules internally, and if a government or law enforcement wants to get their hands on your data, they need a subpoena or a warrant for it.
However, there’s a difference between protecting your data from hackers (with a password), protecting it from advertisers, and protecting it from governments and law enforcement.
Myth 5: A strong password protects you from hackers
A strong password is one of the things that can secure your account, and it’s vitally important that your password is different across different platforms. When platforms get compromised, the usernames and passwords sometimes get passed around among hackers, who do what’s called credential stuffing, where they try to get into your account using your passwords from other platforms.
You should also be very careful about your security questions. Someone who knows you relatively well will know the answers, like the name of the street that you grew up on, your favourite teacher, or the name of your dog.
How often should you change your passwords? Some apps or companies require you to change your password every 30 or 90 days. This is actually not helpful at all, because users tend to create shorter and more memorable passwords when they have to change them all the time. They also don’t change them very much, so there isn’t actually a big gain in security.
Remembering all your different, unique passwords for every account is a pain, but you can use a password manager, which you install on each of your devices, to generate new passwords for you. You only need to remember the single password to your password manager.
Your best bet is Diceware, where you use five or six randomly generated or randomly chosen words. That way you get a very long, very difficult-to-crack password that’s also fairly easy to remember.
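The Diceware approach described above, as an added example that is not from the Wired segment or the EFF: five simulated dice rolls select each word from a 7776-entry list, and the entropy of five versus six words is computed. The word list is a constructed stand-in of pseudo-words, and the guess rate used at the bottom is an assumption.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5                 # five six-sided dice pick one word
LIST_SIZE = 6 ** DICE_PER_WORD    # 7776 entries in a Diceware-style list


def constructed_wordlist():
    """Stand-in list built for this example: dice key -> pseudo-word."""
    syllables = [c + v for c in "bdfgklmnprst" for v in "aeiou"]  # 60
    words = ("".join(p) for p in itertools.product(syllables, repeat=3))
    spread = itertools.islice(words, 0, None, 27)  # sample across the space
    keys = ("".join(k) for k in itertools.product("123456", repeat=DICE_PER_WORD))
    return dict(zip(keys, spread))


def roll_key():
    """Simulate five fair dice using the OS CSPRNG, e.g. '43146'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def passphrase(wordlist, n_words=6):
    """Pick n_words independently and uniformly; repeats are allowed."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("wordlist must have exactly 7776 entries")
    return " ".join(wordlist[roll_key()] for _ in range(n_words))


def entropy_bits(n_words, list_size=LIST_SIZE):
    """Entropy when the attacker knows the list and the word count."""
    return n_words * math.log2(list_size)


def years_to_search_half(bits, guesses_per_second):
    """Expected time to hit the passphrase at a given (assumed) guess rate."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    words = constructed_wordlist()
    for n in (5, 6):
        bits = entropy_bits(n)
        # 1e12 guesses/second is an assumed offline cracking rate
        print(n, passphrase(words, n), f"{bits:.1f} bits",
              f"{years_to_search_half(bits, 1e12):.3g} years")
```

The strength comes from the random selection, not from keeping the list secret, which is why the words must be picked by dice or a cryptographic random source rather than by the user.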
Myth 6: Encryption will keep my data safe
Encryption is scrambling the data or the metadata so no one knows what information you’re sending. Encryption is used in two very different ways on the internet.
One is called encryption in transit. It means that the information being sent between you and the website is encrypted so nobody else on the network can see what it is. They can see what page you’re on but not what you’re doing there – they can’t see what pictures you’re downloading, or passwords you’re entering. An example of that is any website with HTTPS in the address – the ‘S’ is for ‘security.’
The other kind of encryption is end-to-end encryption. When you encrypt something in transit, you’re trusting only the person who runs the website. In end-to-end encryption, you don’t even have to trust the person who runs the website – only the person you’re messaging. This is because only you and the person that you’re messaging have an encryption key to decode the message.
There’s a lot of powerful encryption that’s being used to protect you every day, and you don’t even know it.
Myth 7: Public wifi is safe
It used to be extremely unsafe to use public wifi, because it was really common for hackers to hang out on the network. They could see everything you were typing in, and also inject false information into that stream so that you would, say, type your password into a website that the hacker controls.
This is less true now that the web is mostly encrypted using HTTPS. And you can also use VPNs to protect your browsing or your internet activity from whoever’s running the network you’re on.
Myth 8: Cyber attacks are the new warfare
Cyber warfare is extremely rare. Probably the most famous example is Stuxnet, when the US and Israel worked together on a piece of software which broke the centrifuges that the Iranian government was using in order to refine radioactive materials for their nuclear weapons programme. But really, it almost never happens, and governments aren’t the only threat actors out there.
Most of what we think of as cyber warfare is actually cyber espionage. For the most part, an ordinary person is more likely to be targeted by criminals and hackers who want their money.
A lot of what people think of as hacking is actually security research – people who try to break systems for the better, in order to inform both users and the people who make the systems about these vulnerabilities before bad people take advantage of them. People who do this are referred to as ethical hackers, or penetration testers.
The hacker mentality can be applied to anything, and hacking is not about being a bad person. It’s about understanding systems and subverting them.