Stop Hacklore – An Open Letter
11 comments
·November 26, 2025Animats
Note that most of the signers are from companies which collect substantial consumer information for revenue purposes. Hence the emphasis on "updating". And the absence of "turn up browser security levels to max" or "get a good ad blocker".
Also, any password manager that's "cloud based" is potentially a security hole. Yeah, they say the server is secure. Right.
magackame
> Also, any password manager that's "cloud based" is potentially a security hole. Yeah, they say the server is secure. Right.
You think of someone stealing your password vault and cracking AES? The vault is E2EE.
voodooEntity
So, since this seems to be relevant: I'm a CISO myself.
And I would definitely not agree with everything in this letter.
Personally, I think the worst part about it is handling a low probability as something that's not gonna happen. That's, especially in IT-Sec, one of the worst practices.
To take one point as an example - the "never scan public QR codes".
Apart from the fact that there have been enough exploits in the past (the USSD "Remote Wipe", iOS 11 Camera Notification Spoofing (iOS, 2018), ZBar Buffer Overflow (CVE-2023-40889), etc.), even without a 0day exploit QR codes can pose a relevant risk.
As a simple example, not too long ago I was in a restaurant which only had their menu in the form of a QR code to scan. Behind the QR code was the link to a PDF showing the menu. This PDF was hosted on a free-to-use web service that allowed uploading files and getting a QR code link to them. There was no account-managed control over the PDF that they linked to; it could be replaced at any time, opening a whole different world of possible exploitation via whatever file is being returned.
Sure, you could argue "this is not a QR code vulnerability, just bad practice by the restaurant owner" - but that's the point. For the user there is literally no difference whether the QR code itself has a malicious payload or the URL behind it has one (etc. etc.).
While we in the tech world might understand the difference, for John and Jane Doe this is the same thing. And for them it's still a possible danger.
Apart from that, recently a coworker linked me a "hacker" video on youtube showing a guy in an interview talking about the O.MG cable. Sure, you might say this is also an absolutely non standard attack vector, yet it still exists. And people should be aware it does.
My point is - by telling people that all those attack vectors are basically "urban myths" you just desensitize the already not well enough informed public from the dangers the "digital" poses to them. And from my personal view, we should rather educate more than tell them "don't worry it will be fine".
digdigdag
None of my opinions of this manifesto are positive. This reads like a defeatist position. It dangerously conditions people to be more casual about their privacy and safety.
There are still legitimate reasons to clear cookies, to turn off Bluetooth/NFC beaconing, and to occasionally rotate passwords (vis a vis password managers) as it costs nothing to accomplish, and very little in the way of tradeoffs. So...why not?
The probability of a random individual being the target of a sophisticated state sponsored attack is low, but the probability of being caught up in a larger dragnet for your data and your privacy to be categorized, classified, and used for aggregate intel is not zero and I would argue is in the double digits. Thus, why not make it just a bit harder for them all? Why would you advocate for any other position?
> Sincerely, Heather Adkins, VP, Cybersecurity Resilience Officer, Google
Ah. I see.
diath
> Never scan QR codes: There is no evidence of widespread crime originating from QR-code scanning itself.
> The true risk is social engineering scams...
Exactly. My grandma is very susceptible to phishing and social engineering, I don't want her scanning random QR codes that would lead to almost identical service to the one she would think she is on and end up with identity theft or the likes.
> Regularly change passwords: Frequent password changes were once common advice, but there is no evidence it reduces crime, and it often leads to weaker passwords and reuse across accounts.
Database leaks happen all the time.
MerrimanInd
I worked for a company that had 8-12 different employee passwords across various systems. There was no SSO, each password had different requirements, and they required changes at different intervals ranging from 30-90 days. Consequently every employee had a post-it note directly on the laptop with most or all of their passwords. The outdated IT security policy was so strict that real-world security was abysmal.
hullfracture
This has the energy of "Remove all DEI initiatives because we have solved workplace discrimination."
> This kind of advice is well-intentioned but misleading. It consumes the limited time people have to protect themselves and diverts attention from actions that truly reduce the likelihood and impact of real compromises.
I dislike any methodology that claims its intent is to talk down to people for whatever declared reasoning. People are capable, and should be helped to make decisions based on all available information.
> Regularly change passwords: Frequent password changes were once common advice, but there is no evidence it reduces crime, and it often leads to weaker passwords and reuse across accounts.
When I worked as a security professional the breaches were nearly always from someone's password getting leaked in a separate public breach. If those individuals had changed that password the in house breach would have been avoided.
> Use a password manager
Sage advice.
kace91
I might be alone in this, but I feel the advice regarding 2FA and password managers is putting people into risk.
My mom using those would be one “I don’t know where I put that” away from permanently losing access to her pictures or any other similar access. This is as potentially harmful as any attack.
Kim_Bruning
I think even the 'new' recommendations here are getting a bit old.
AlotOfReading
There's the typical mix of good and bad points in this manifesto, but I wish the people willing to sign their names to it had a better record of success implementing the call to action inside their own organizations first:
We call on software manufacturers to take responsibility for building software that is secure by design and secure by default—engineered to be safe before it ever reaches users—and to publish clear roadmaps showing how they will achieve that goal.
This open letter seems to assume that privacy is not a part of your security posture and that spear phishing isn't common these days. (Is 'spear phishing' still the term for targeted electronic scams to steal credentials/access?)
I realize not everyone is using a physically stripped burner, a GrapheneOS install, etc., and not everyone works at a high-value financial, govt, or infra target, but for those of us who need to deal with opsec or are commonly targeted by spear phishing this advice seems abysmal.
In the current political climate of the US, if you are living or traveling here and the current party isn't cheering for you personally, you really should be considering both state-sponsored attacks and no longer have the luxury of assuming good faith by the state. Telling people to enable cheap drive by attacks that are in active use by certain government agencies is malpractice at best.