﻿WEBVTT

1
00:00:00.060 --> 00:00:01.333
<v ->It is vitally important</v>

2
00:00:01.333 --> 00:00:03.790
that your password not be the same

3
00:00:03.790 --> 00:00:05.020
across different platforms,

4
00:00:05.020 --> 00:00:07.760
because when platforms get compromised,

5
00:00:07.760 --> 00:00:10.770
the usernames and passwords sometimes get dumped

6
00:00:10.770 --> 00:00:13.380
and passed around among hackers.

7
00:00:13.380 --> 00:00:14.700 line:15%
Hi, my name is Eva Galperin.

8
00:00:14.700 --> 00:00:16.870 line:15%
I work for the Electronic Frontier Foundation

9
00:00:16.870 --> 00:00:19.480 line:15%
where I am the director of cybersecurity,

10
00:00:19.480 --> 00:00:21.965
and I'm here to debunk some myths about cybersecurity.

11
00:00:21.965 --> 00:00:24.548
[bright music]

12
00:00:27.580 --> 00:00:29.823
<v ->The government is watching me through my camera.</v>

13
00:00:30.810 --> 00:00:34.310
It is possible to remotely trigger somebody's camera

14
00:00:34.310 --> 00:00:37.900
if you install a remote access tool on their device.

15
00:00:37.900 --> 00:00:39.750
That is something that hackers do.

16
00:00:39.750 --> 00:00:41.786
That is something that criminals do.

17
00:00:41.786 --> 00:00:43.710
That's something that governments do,

18
00:00:43.710 --> 00:00:47.500
but in order for the government to install the software

19
00:00:47.500 --> 00:00:49.530
that they need to do in order to track you

20
00:00:49.530 --> 00:00:51.940
through your camera, they need a warrant from a judge.

21
00:00:51.940 --> 00:00:54.830
It is more likely that you will be watched by hackers,

22
00:00:54.830 --> 00:00:57.340
or if you're a student, by your school,

23
00:00:57.340 --> 00:00:59.010
than it is that you are going to be watched

24
00:00:59.010 --> 00:00:59.843
by the government.

25
00:00:59.843 --> 00:01:03.080
Since it is possible for someone to turn on your camera

26
00:01:03.080 --> 00:01:04.670
without the little green light going on,

27
00:01:04.670 --> 00:01:06.010
if you would like to make sure

28
00:01:06.010 --> 00:01:08.410
that when that happens that they don't see anything,

29
00:01:08.410 --> 00:01:10.890
then it is recommended to put a sticker over your camera.

30
00:01:10.890 --> 00:01:13.000
Most people aren't targeted with this stuff,

31
00:01:13.000 --> 00:01:15.510
and usually you don't have to worry.

32
00:01:15.510 --> 00:01:17.140
What I recommend that people do is

33
00:01:17.140 --> 00:01:19.570
that they download antivirus software

34
00:01:19.570 --> 00:01:21.810
from pretty much any antivirus company

35
00:01:21.810 --> 00:01:24.570
and just run a scan on the highest setting.

36
00:01:24.570 --> 00:01:27.910
The dark web is a scary place full of illegal activity.

37
00:01:27.910 --> 00:01:32.290
The dark web is a network of websites

38
00:01:32.290 --> 00:01:36.740
that you have to use something like Tor browser

39
00:01:36.740 --> 00:01:38.880
or any of the other sort of

40
00:01:38.880 --> 00:01:43.010
guaranteed-to-be-anonymous browsing applications

41
00:01:43.010 --> 00:01:44.290
in order to get to.

42
00:01:44.290 --> 00:01:46.030
And it can be any kind of website.

43
00:01:46.030 --> 00:01:50.344
This is not necessarily just used for selling drugs

44
00:01:50.344 --> 00:01:52.100
and trading child porn.

45
00:01:52.100 --> 00:01:55.910
For example, Facebook has a dark website.

46
00:01:55.910 --> 00:01:58.950
They have a .onion site that you can only get to

47
00:01:58.950 --> 00:02:00.960
if you are logged in using Tor.

48
00:02:00.960 --> 00:02:03.630
Tor and other applications like it

49
00:02:03.630 --> 00:02:05.900
are not just used by criminals.

50
00:02:05.900 --> 00:02:09.280
The other people who frequently need anonymity online:

51
00:02:09.280 --> 00:02:11.630
journalists, activists,

52
00:02:11.630 --> 00:02:13.180
people who are talking to journalists,

53
00:02:13.180 --> 00:02:16.050
and of course, people in authoritarian countries

54
00:02:16.050 --> 00:02:17.960
who are very worried about their government spying

55
00:02:17.960 --> 00:02:19.610
on their social media use.

56
00:02:19.610 --> 00:02:22.230
Tor browser was originally funded by the US Navy.

57
00:02:22.230 --> 00:02:24.680
The government needed a way

58
00:02:24.680 --> 00:02:26.960
for people to be able to go to websites

59
00:02:26.960 --> 00:02:28.150
and maintain their anonymity

60
00:02:28.150 --> 00:02:31.120
and not have their digital footprint seen

61
00:02:31.120 --> 00:02:33.320
by the people who were running the websites.

62
00:02:33.320 --> 00:02:35.190
Privacy is dead.

63
00:02:35.190 --> 00:02:36.150
If privacy was dead,

64
00:02:36.150 --> 00:02:38.290
governments and law enforcement wouldn't have to keep trying

65
00:02:38.290 --> 00:02:41.040
to kill it by proposing new laws

66
00:02:41.040 --> 00:02:42.400
and talking about all of the stuff

67
00:02:42.400 --> 00:02:43.700
that they can't possibly get into.

68
00:02:43.700 --> 00:02:48.630
But most importantly, privacy is not about living

69
00:02:48.630 --> 00:02:51.580
as a hermit on a mountain by yourself,

70
00:02:51.580 --> 00:02:53.320
never communicating with anybody.

71
00:02:53.320 --> 00:02:56.650
Privacy is power over your information.

72
00:02:56.650 --> 00:03:01.180
Understanding what kind of trail you leave behind

73
00:03:01.180 --> 00:03:04.220
enables you to limit that trail,

74
00:03:04.220 --> 00:03:06.780
or enables you to limit who can see that trail.

75
00:03:06.780 --> 00:03:08.400
The kind of security and privacy advice

76
00:03:08.400 --> 00:03:11.440
that you give to people really varies person by person,

77
00:03:11.440 --> 00:03:13.040
but there are a couple of things

78
00:03:13.880 --> 00:03:15.290
that are good for everybody,

79
00:03:15.290 --> 00:03:17.500
like eating your broccoli and taking your vitamins.

80
00:03:17.500 --> 00:03:22.110
You should have long, strong, and unique passwords

81
00:03:22.110 --> 00:03:23.530
for all of your accounts.

82
00:03:23.530 --> 00:03:24.940
And you turn on the highest level

83
00:03:24.940 --> 00:03:27.350
of two-factor authentication you're comfortable using.

84
00:03:27.350 --> 00:03:28.680
Take your software updates.

85
00:03:28.680 --> 00:03:31.960
This is how you benefit from the work of the security team.

86
00:03:31.960 --> 00:03:33.840
And finally, that you actually sit down

87
00:03:33.840 --> 00:03:35.160
and you think about your threat model.

88
00:03:35.160 --> 00:03:36.520
You think about what you wanna protect

89
00:03:36.520 --> 00:03:38.240
and who you wanna protect it from.

90
00:03:38.240 --> 00:03:39.870
Google reads all my Gmail.

91
00:03:39.870 --> 00:03:41.670
Google actually does read all of your Gmail.

92
00:03:41.670 --> 00:03:44.230
Google is storing all of your email

93
00:03:44.230 --> 00:03:46.760
if you are using a Gmail account.

94
00:03:46.760 --> 00:03:51.230
They automate scripts which read the contents of your mail

95
00:03:51.230 --> 00:03:53.490
and who you're mailing back and forth to.

96
00:03:53.490 --> 00:03:57.870
What they do not do is read your email

97
00:03:57.870 --> 00:04:00.050
and then tell the government what's in it.

98
00:04:00.050 --> 00:04:05.050
Google has extremely strict privacy rules internally,

99
00:04:05.680 --> 00:04:08.580
and if a government or law enforcement wants

100
00:04:08.580 --> 00:04:09.990
to get their hands on this data,

101
00:04:09.990 --> 00:04:12.540
they have to show up with a subpoena

102
00:04:12.540 --> 00:04:15.220
for the metadata or a warrant

103
00:04:15.220 --> 00:04:18.220
for the actual contents of your email.

104
00:04:18.220 --> 00:04:19.053
But there is a difference

105
00:04:19.053 --> 00:04:21.280
between protecting your data from hackers,

106
00:04:21.280 --> 00:04:23.410
protecting your data from advertisers,

107
00:04:23.410 --> 00:04:26.110
from governments and law enforcement.

108
00:04:26.110 --> 00:04:28.310
A strong password protects you from hackers.

109
00:04:29.230 --> 00:04:31.240
This is partially correct

110
00:04:31.240 --> 00:04:34.150
in that a strong password is one of the things

111
00:04:34.150 --> 00:04:36.180
that you need in order to secure your account.

112
00:04:36.180 --> 00:04:40.130
It is vitally important that your password not be the same

113
00:04:40.130 --> 00:04:41.360
across different platforms,

114
00:04:41.360 --> 00:04:44.080
because when platforms get compromised,

115
00:04:44.080 --> 00:04:47.100
the usernames and passwords sometimes get dumped

116
00:04:47.100 --> 00:04:49.370
and passed around among hackers,

117
00:04:49.370 --> 00:04:52.600
and hackers will do what we call credential stuffing,

118
00:04:52.600 --> 00:04:55.280
where they try to get into your account

119
00:04:55.280 --> 00:04:58.930
using these old passwords from other platforms.

120
00:04:58.930 --> 00:05:01.780
You should also be very careful

121
00:05:01.780 --> 00:05:03.310
about your security questions.

122
00:05:03.310 --> 00:05:07.300
Your security questions are usually things about you

123
00:05:07.300 --> 00:05:10.570
that a person who knows you relatively well knows.

124
00:05:10.570 --> 00:05:12.340
A person who knows you well might know the name

125
00:05:12.340 --> 00:05:13.940
of the street that you grew up on,

126
00:05:13.940 --> 00:05:16.100
or the name of your favorite teacher,

127
00:05:16.100 --> 00:05:17.770
or your favorite breed of dog.

128
00:05:17.770 --> 00:05:21.150
And so instead of answering those questions truthfully,

129
00:05:21.150 --> 00:05:22.970
I recommend answering them

130
00:05:22.970 --> 00:05:25.430
as if they are simply more passwords.

131
00:05:25.430 --> 00:05:27.710
So now you have a different, long, strong,

132
00:05:27.710 --> 00:05:29.960
unique password for every account,

133
00:05:29.960 --> 00:05:31.750
and trying to remember them all is a pain,

134
00:05:31.750 --> 00:05:33.920
and this is why I recommend using a password manager,

135
00:05:33.920 --> 00:05:36.430
which you install on each of your devices

136
00:05:36.430 --> 00:05:39.580
and will generate new passwords for you.

137
00:05:39.580 --> 00:05:41.110
That way you can make sure

138
00:05:41.110 --> 00:05:42.470
that you never forget your password

139
00:05:42.470 --> 00:05:44.280
as long as you remember the single password

140
00:05:44.280 --> 00:05:45.450
to your password manager.

141
00:05:45.450 --> 00:05:47.450
So how often should people change their passwords?

142
00:05:47.450 --> 00:05:51.310
Sometimes programs or companies will require you

143
00:05:51.310 --> 00:05:54.510
to change your password every 30 days or every 90 days.

144
00:05:54.510 --> 00:05:56.870
This is actually not helpful at all.

145
00:05:56.870 --> 00:06:00.550
It turns out that users create shorter

146
00:06:00.550 --> 00:06:02.600
and more memorable passwords

147
00:06:02.600 --> 00:06:04.340
when they have to change them all the time,

148
00:06:04.340 --> 00:06:06.110
that they don't change them very much,

149
00:06:06.110 --> 00:06:07.490
and therefore you're not actually getting

150
00:06:07.490 --> 00:06:09.390
a big gain in security.

151
00:06:09.390 --> 00:06:12.290
Your best bet is what we call Diceware,

152
00:06:12.290 --> 00:06:14.250
where you use somewhere between five

153
00:06:14.250 --> 00:06:17.980
and six randomly generated or randomly chosen words.

154
00:06:17.980 --> 00:06:19.650
That way you get a very long,

155
00:06:19.650 --> 00:06:21.990
very difficult-to-crack password

156
00:06:21.990 --> 00:06:24.500
that is also fairly easy to remember.

157
00:06:24.500 --> 00:06:26.283
Encryption will keep my data safe.

158
00:06:27.870 --> 00:06:29.940
Encryption is scrambling the data

159
00:06:29.940 --> 00:06:32.240
or the metadata so that it is not possible

160
00:06:32.240 --> 00:06:35.180
for somebody who sees it to read the information

161
00:06:35.180 --> 00:06:36.100
that you are sending.

162
00:06:36.100 --> 00:06:40.940
Encryption is used in two very different ways

163
00:06:40.940 --> 00:06:42.000
on the internet.

164
00:06:42.000 --> 00:06:44.760
One is called encryption in transit.

165
00:06:44.760 --> 00:06:47.180
Encrypting data in transit is

166
00:06:47.180 --> 00:06:50.200
if you look at your browser and you see the URL

167
00:06:50.200 --> 00:06:51.450
at the top of your browser,

168
00:06:51.450 --> 00:06:55.110
you'll see that it probably starts with the letters HTTPS.

169
00:06:55.110 --> 00:06:58.590
The S at the end there stands for security.

170
00:06:58.590 --> 00:07:00.440
It means that the information

171
00:07:00.440 --> 00:07:02.450
which is being sent between you

172
00:07:02.450 --> 00:07:04.970
and the website that you're going to is encrypted

173
00:07:04.970 --> 00:07:07.310
so that anybody else who is sitting on the network,

174
00:07:07.310 --> 00:07:08.770
somebody else in your coffee shop,

175
00:07:08.770 --> 00:07:12.320
the IT manager at your office,

176
00:07:12.320 --> 00:07:15.310
whoever it is that runs the network at your school,

177
00:07:15.310 --> 00:07:16.830
all of those people can only see

178
00:07:16.830 --> 00:07:18.177
that you are going to the website

179
00:07:18.177 --> 00:07:21.590
and they can't see specifically what page you're going to,

180
00:07:21.590 --> 00:07:24.420
and they can't see what it is that you're doing there.

181
00:07:24.420 --> 00:07:25.690
For example, they can't see

182
00:07:25.690 --> 00:07:27.180
what pictures you're downloading,

183
00:07:27.180 --> 00:07:30.030
or they can't see what password you're entering.

184
00:07:30.030 --> 00:07:33.960
The other kind of encryption is end-to-end encryption.

185
00:07:33.960 --> 00:07:36.640
When you encrypt something in transit,

186
00:07:36.640 --> 00:07:40.710
you are trusting the person who runs the website,

187
00:07:40.710 --> 00:07:42.310
but no one else.

188
00:07:42.310 --> 00:07:45.470
And when you are doing end-to-end encryption,

189
00:07:45.470 --> 00:07:46.730
you don't even have to trust the person

190
00:07:46.730 --> 00:07:47.610
who runs the website.

191
00:07:47.610 --> 00:07:50.050
The only person that you're trusting is the person

192
00:07:50.050 --> 00:07:51.690
that you are messaging,

193
00:07:51.690 --> 00:07:55.160
and that is because you have an encryption key,

194
00:07:55.160 --> 00:07:57.770
and the person that you're sending a message to

195
00:07:57.770 --> 00:07:59.170
has an encryption key,

196
00:07:59.170 --> 00:08:02.050
and that is how these things get locked down.

197
00:08:02.050 --> 00:08:04.940
The good news is that there's a lot of powerful encryption

198
00:08:04.940 --> 00:08:07.470
that's being used to protect you every day,

199
00:08:07.470 --> 00:08:08.838
and you don't even know it.

200
00:08:08.838 --> 00:08:12.160
WhatsApp, for example, has more than a billion users

201
00:08:12.160 --> 00:08:13.090
all over the world,

202
00:08:13.090 --> 00:08:15.400
and their messages are end-to-end encrypted.

203
00:08:15.400 --> 00:08:19.150
But what's most important is to understand

204
00:08:19.150 --> 00:08:22.140
where your data is going, who has access to it,

205
00:08:22.140 --> 00:08:25.640
and what they would have to do in order to access it

206
00:08:25.640 --> 00:08:27.330
if you did not want them to.

207
00:08:27.330 --> 00:08:28.783
Public wifi is safe.

208
00:08:30.650 --> 00:08:32.840
Back before the majority

209
00:08:32.840 --> 00:08:36.480
of the web was encrypted using HTTPS,

210
00:08:36.480 --> 00:08:39.100
it was extremely easy for anybody

211
00:08:39.100 --> 00:08:41.130
who was sitting on the same network as you,

212
00:08:41.130 --> 00:08:44.290
including somebody sitting on the same public wifi as you,

213
00:08:44.290 --> 00:08:45.830
sitting in a cafe with you,

214
00:08:45.830 --> 00:08:50.460
to not only see everything that you were browsing

215
00:08:50.460 --> 00:08:52.460
and everything that you were typing in,

216
00:08:52.460 --> 00:08:55.680
but also to inject false information

217
00:08:55.680 --> 00:08:59.320
into that stream so that you would,

218
00:08:59.320 --> 00:09:03.010
say, type your password into a website

219
00:09:03.010 --> 00:09:04.250
that the hacker controls,

220
00:09:04.250 --> 00:09:05.790
and now the hacker has your password

221
00:09:05.790 --> 00:09:06.920
and they can log into your stuff.

222
00:09:06.920 --> 00:09:09.920
It used to be extremely unsafe,

223
00:09:09.920 --> 00:09:11.480
and it was really common

224
00:09:11.480 --> 00:09:13.480
for hackers to hang out on public wifi.

225
00:09:13.480 --> 00:09:16.830
This is less true now that the web is mostly encrypted.

226
00:09:16.830 --> 00:09:19.830
A lot of people recommend using VPNs.

227
00:09:19.830 --> 00:09:22.660
VPN stands for virtual private network.

228
00:09:22.660 --> 00:09:26.380
It is just a way of creating a tunnel

229
00:09:26.380 --> 00:09:29.680
between you and wherever your VPN is

230
00:09:29.680 --> 00:09:33.780
in order to protect your browsing or your internet activity

231
00:09:33.780 --> 00:09:36.110
from whoever is running the network that you're on.

232
00:09:36.110 --> 00:09:40.220
For example, if you are in a hotel and you use hotel wifi,

233
00:09:40.220 --> 00:09:42.780
and you log into work using your VPN,

234
00:09:42.780 --> 00:09:45.120
the hotel can only see that you logged into the VPN.

235
00:09:45.120 --> 00:09:47.310
They can't see what your traffic looks like.

236
00:09:47.310 --> 00:09:49.810
But work can see all of your traffic,

237
00:09:49.810 --> 00:09:52.030
and so you need to be able to trust them.

238
00:09:52.030 --> 00:09:53.813
Cyber attacks are the new warfare.

239
00:09:55.290 --> 00:09:57.360
Most of what we think of as cyber warfare

240
00:09:57.360 --> 00:09:59.360
is actually cyber espionage,

241
00:09:59.360 --> 00:10:02.470
and in the cases where there is cyber warfare,

242
00:10:02.470 --> 00:10:03.820
that's extremely rare.

243
00:10:03.820 --> 00:10:07.360
Probably the most famous example of that is Stuxnet,

244
00:10:07.360 --> 00:10:10.450
when the US and Israel worked together

245
00:10:10.450 --> 00:10:14.360
on a piece of software which broke the centrifuges

246
00:10:14.360 --> 00:10:16.470
that the Iranian government was using

247
00:10:16.470 --> 00:10:20.450
in order to refine radioactive materials

248
00:10:20.450 --> 00:10:22.270
for their nuclear weapons program.

249
00:10:22.270 --> 00:10:25.180
But really, it almost never happens.

250
00:10:25.180 --> 00:10:27.270
What is important is

251
00:10:27.270 --> 00:10:32.270
that governments are not the only threat actors out there.

252
00:10:32.280 --> 00:10:35.130
For the most part, if you are an ordinary person,

253
00:10:35.130 --> 00:10:38.380
you are more likely to be targeted by criminals,

254
00:10:38.380 --> 00:10:41.030
by hackers who want your money.

255
00:10:41.030 --> 00:10:43.190
A lot of what people think of as hacking

256
00:10:43.190 --> 00:10:45.240
is actually security research,

257
00:10:45.240 --> 00:10:48.580
people who are trying to break systems for the better

258
00:10:48.580 --> 00:10:51.330
in order to inform both users

259
00:10:51.330 --> 00:10:52.850
and the people who make the systems

260
00:10:52.850 --> 00:10:53.980
about these vulnerabilities

261
00:10:53.980 --> 00:10:56.030
before bad people take advantage of them.

262
00:10:56.870 --> 00:10:59.480
The hacker mentality can be applied to anything.

263
00:10:59.480 --> 00:11:03.110
Hacking is not about being a bad person.

264
00:11:03.110 --> 00:11:06.990
It is about understanding systems and subverting them.

265
00:11:06.990 --> 00:11:10.050
Understanding the limits of surveillance

266
00:11:10.050 --> 00:11:11.870
and of hacking is really important

267
00:11:11.870 --> 00:11:15.560
in order to build out a place for yourself

268
00:11:15.560 --> 00:11:16.980
where you can feel safe

269
00:11:16.980 --> 00:11:19.470
and where you can understand where your information is going

270
00:11:19.470 --> 00:11:20.720
and who has access to it.

