The Vergecast - Cybersecurity Hotline Special

Episode Date: October 24, 2022

We asked listeners to send in all their questions related to cybersecurity for this special Vergecast Hotline episode. David Pierce talks to Nilay Patel and Russell Brandom to get you the best advice for staying safe online. Email us at vergecast@theverge.com or call us at 866-VERGE11, we'd love to hear from you. We are conducting a short audience survey to help plan for our future and hear from you. To participate, head to vox.com/podsurvey, and thank you!

Transcript
Starting point is 00:00:00 Support for the show comes from Retool. Too many companies run critical operations on duct taped spreadsheets, Slack workflows, and whatever else they could cobble together. Not because they want to, but because building internal tools means weeks of waiting on someone else's backlog. That's where Retool comes in. Build custom internal tools just by describing what you need. Prompts something like,
Starting point is 00:00:22 Build Me a Revenue Dashboard on our Salesforce data. And Retool actually builds it on your company's data, in your cloud with enterprise security built in. Go to retool.com slash vergecast. We all need to retool how we build software. Welcome to the Vergecast, the flagship podcast of turning off Wi-Fi on all of your devices and putting on tinfoil hats. I'm your friend David Pierce.
Starting point is 00:01:00 Russell Brandom is here. Hi, Russell. Hi. And this is a, this is a very special Vergecast episode. This is, is this the second week of cybersecurity week? Russell, is this like infrastructure week? It's kind of every week. It's hard because for me, every week is cybersecurity week.
Starting point is 00:01:14 That's fair. And it should be for you, too. But here on the Vergecast, today is Cybersecurity Week, I guess. Yeah, yeah, exactly. And we were thinking about a bunch of things to do, and we decided that the best thing we could do is just see what everyone wanted to know about. So we opened up the Vergecast hotline. We got a bunch of really great questions. You and I have been doing a bunch of research and prep and talking to folks, and we are going to just roll through some of the most interesting and popular questions we got.
Starting point is 00:01:40 It's going to be fun. I'm very excited. I have been out some weird rabbit holes in getting ready for this that I did not expect. I don't know how it's been for you, but I'm in a weird corner of the internet. Oh, yeah. I've learned about myself and cybersecurity. It's beautiful. Isn't that, it's really the same thing, if you think about it.
Starting point is 00:01:55 It's really beautiful. No. No, they're different. All right. Let's get to our first question, which I think, let's just start with, I think, the one that is actually in a strange way, the easiest to answer, which is from Alex. Hey there. This is Alex from Max, Wisconsin, and I'm walking my dog in the brisk Wisconsin evening,
Starting point is 00:02:14 and I had a question about a browser malware extension. So I recently cleansed my computer of something called Bundle. And it was really weird. It sort of hid itself by making it so that whenever I tried to access the page to manage my extensions, it just wouldn't go there. It was like it redirected the traffic. The question I have is, whenever I tried to search for something in the Chrome search bar, it would redirect my search to Bing.
Starting point is 00:02:47 Why do you do that? What benefit does some malware program have of redirecting my search through Bing instead of Google? Also, who uses Bing? Thank you. Malware victims. There's so many good questions in here. Yeah, who uses Bing is no one on purpose, but sometimes it happens. We've all been there.
Starting point is 00:03:07 You just end up on Bing. You don't know how you got there. You don't know where you are, but it's dark outside, and you're bleeding from somewhere. And you don't know. Yeah. So there's a lot to dig into here. I will say the thing that I was kind of coming around to listening to this is a lot of people
Starting point is 00:03:27 being savvy about security is sort of knowing implicitly what to trust. So it's like, is it sketchy if, I'm reading my credit card number out over the phone. It's like, well, if you called the restaurant and their thing is down, like, that's not actually that weird. Like, you're probably okay. It's okay to put your credit card number into Amazon.com. Like, it's fine.
Starting point is 00:03:51 And then, like, there's other things where I got a weird email and lots of stuff is misspelled. It's like, that's obviously sketchy. You should be careful. I think browser extensions, and particularly bundled browser extensions, because he mentioned that he got this bundle, people who work in this stuff have known for a while that this is a real sort of place where scams happen, and just, it's a mess in there and you shouldn't trust anything. But I don't know if the average user has really gotten around to, like, the vast majority of browser extensions are actively
Starting point is 00:04:26 exploitive and harmful and bad. Well, I'm not just, vast majority might be slightly overstated, but it is. There's a lot of, there's a lot of crap out there's a lot of crap. There's a lot of I guess for it. Yeah. Well, and it's, and it's tricky because like over the years, Google Chrome in particular has sort of devoted more and more resources to fighting that. But even still, it's basically like an automated system. And the thing that's crazy about Chrome extensions and browser extensions in general is when you install them, most of them require you to give them access to everything you do inside of your browser. Like in order to do the very basic thing that they want to do, you have to, because there's no like middle sense, setting in many cases, you have to turn on. Like, sure, read later app, you can see every single thing I do in my browser. And that's just bonkers. And it's like systemically, this is not right. But like, you can replace what I'm seeing on the screen with other stuff.
Starting point is 00:05:21 Yes. So, you know, they're like the classic joke extension is like, we made it. So it replaces the word millennial with snake people. Like, ha, ha, isn't that funny? Uh-huh. It's like, no, this is, you're looking at the website and what you're seeing is something different from what the website is trying to show you? Like, do you not see how this is potentially a problem?
Starting point is 00:05:40 We had one of those, when I was at Wired, this was during the 2016 election, and somebody had downloaded a bunch of, like, jokey political extensions onto their computer, and one of them replaced every mention of Donald Trump with the phrase tiny hands. And it's like a very funny joke because you're reading the internet,
Starting point is 00:05:58 but then they filed a story about Donald Trump and missed one of the times, where the browser had changed, like, in our CMS to Tiny Hands. So we published a story in which this person had typed Donald Trump, and it spit out Tiny Hands. It was really, it was really something special. Man. Yeah. Okay.
Starting point is 00:06:19 So, so what he said, Bundle. This is, I did want to, I wanted to see on this, too, because a lot of what happens is, you're talking about Chrome. So, like, Chrome is a very popular browser, as you know. It's free, and a common scammy thing is people will bundle free software with this predatory, unwanted software. If we're allowed to call it malware, spyware, adware, it gets into weird legal territory. But basically, there's the software you want, and you should just get that, but instead you're
Starting point is 00:06:51 getting this bundled that has a bunch of other bad things in it. And that happens very often with browsers. I suspect that what is happening here, the reason it's sending him to Bing, is there is some I don't think Microsoft is purposefully paying this adware company. Like, I don't think that that's what's happening. But it is broadly true that, like, Google pays Mozilla to have the default Firefox search go to Google.com. Because Google makes money through advertising when people search things on Google.com. And so, for a while, they were paying Apple. I mean, they're still paying Apple, right?
Starting point is 00:07:32 for the iPhone searches that direct to Google.com. Billions of dollars. So I suspect that one way or another that money is going from Bing to these scammy people with lots of intermediaries that make it hard for Bing to know who exactly they're paying.
Starting point is 00:07:52 Yeah, I think that's right. And to be clear, all of that can be done without Microsoft doing anything nefarious or even anything at all. Like I think it's very unlikely that Microsoft is like loading adware into Chrome extension. That'd be amazing if that were true.
Starting point is 00:08:04 But it'd be amazing. I think it's probably a Microsoft executive who had had too much and sort of went Joker mode. And then they're like, we don't know what happened to it. Just call it bundle. Leave it alone. He just makes an adware now. No, but it is one of the main things that these extensions do is they will insert ads
Starting point is 00:08:25 onto websites in such a way that if you then click those ads, they make money. Right. So like the main two things a browser extension that you don't want will do is collect all of your data and sell it to somebody or put ads into your experience or replace the ads you're seeing with other ads and make money that way. So it's like 98% of the time. It's like if some hack is happening on the internet, it's somebody trying to find like a cheap way to make money. Right. Like that's usually what this is. And in this case, that is kind of the overwhelming thing. And one of the things that I've seen a lot of and there was this big story, I forget when relatively recently, where McAfee found a bunch of really well-known Chrome extensions, including the one Netflix party where you can co-watch Netflix with your friends, what Netflix party was doing was all the things Netflix party was supposed to do, but then also doing things like adding affiliate links when you go to e-commerce websites so that it makes money. And all this is just like sneakily happening in the background.
Starting point is 00:09:23 And you never see it because it's able to get in between you and the browser, because that's what Chrome extensions do. And so it's just that kind of thing that it's, like often you might not even notice, but they are aware of what you're doing and they're either changing it in some way or taking something from you. So my read of it is not that like all Chrome extensions are dangerous. I do think the fact that they automatically update in the background without telling you is dangerous. But also like it is the kind of thing that you should be super, super, super aware of what you're downloading and make sure the advice I always give people is never search
Starting point is 00:09:54 in the store. Always go from like if you're looking for an app's Chrome extension, go to the app and find the link to the Chrome extension from there. Because if you go into the Chrome Web Store and search for an app, you're going to get 100 things that all look the same. 99 of them are scammy and one of them is real. And it's often very hard to know. So if you need to have a Chrome extension and you should use only the bare minimum for all the reasons we've been describing,
Starting point is 00:10:15 like find it from somewhere else. Don't just go hunting through the Chrome store for things that seem cool because like there be dragons. And if you're listening to this and being like, what can I do? Like go to your Chrome, you know, check out what, the extensions are. It's Chrome colon forward slash forward slash extensions, right? But you can see, it'll just show you everything and you can like absolutely delete anything you do not recognize or that you're like, oh, I sort of remember installing that, but I don't really use it. Like,
Starting point is 00:10:47 you should really have as few as possible. Yeah, 100%. If you, if you don't use it like every day, you probably shouldn't have it. It's worth the like extra two clicks in the browser to not have this stuff sitting between you and everything you do on the internet is my general read totally all right should we do another one yeah let's let's move on so let's see we have we have a couple in a row about passwords so let's let's knock those out first first we have one from edwardo to that hello the verge team um second a question about passwords i use different passwords for every single app and website that i log into but i'm deeply into the apple ecosystem So my question is, should I go into the suggested passwords or should I just keep using my own different passwords for everything?
Starting point is 00:11:42 Is there any drawback on going into the Apple passwords or we'll all be able to do everything I've been doing so far? Thanks. Okay, so first of all, Eduardo, kudos for using different passwords for everything that immediately, puts you ahead of almost everybody, so congratulations. This is the question that sent me down the deepest, weirdest rabbit hole of any of the questions we got. But before I get real weird about random number generators, which is going to happen, what are your thoughts, Russell?
Starting point is 00:12:14 Yeah. I mean, I think, so partially this is like a question about password strength, right? Because if he's coming up with these different passwords, they're presumably sort of human-comprehensible passwords, not just random strings. And so it's like, is it better to use the random strings that Apple is using? And I don't think it's a huge deal. I think the main, so the place where your password strength is most likely to be tested is, you can't just guess millions of passwords at once on, like, the Gmail login screen. Like, they will catch on if they're like, this seems like a robot is just doing one, two, three, and then the next one. But occasionally hashes, hashed versions, so a hash is what the website is checking your password against. It sort of has a hashing function that does a special dance to the password that you input, and then it checks it against, well, this is what the correct password
Starting point is 00:13:14 should look like after the special dance, so that it doesn't just immediately know what your password is and have that information for everything. And so you're not supposed to be able to work back from the hash to the actual password. But if you already know what the password is or you have, if you like check a bunch of really common passwords and then that can help you crack the hashing algorithm and undo the other ones, then it's a problem. But like the difference between a fairly uncommon word that's in a dictionary and a couple like random characters and the complete gobbledy gook that Apple spits out is just really not that significant and I wouldn't worry about it. I think the main question is like, are you more likely to lose it because it's not automatically
Starting point is 00:14:00 being logged by Apple's password manager? But that also doesn't seem like a huge difference since it sounds like this system is working for him. Yeah, I think I agree with all of that, actually. And I think the two parts of this just jumped out to me are one, the like convenience thing you just talked about. And I think to me, the biggest downside of using Apple's, the whole, like, keychain system within Apple is it's very convenient, but it's also tied to all of your other Apple stuff, right? And like one very common sense cybersecurity piece of advice is don't have all your eggs in one basket. And so the idea of if somebody gets into my I cloud, they can also get into my passwords should make you nervous. And there's a, there are good ways to get around that by like protecting your
Starting point is 00:14:44 Cloud and multi-factor authentication and all that stuff. But like, I would say the only reason not to do it is that, A, it's not very cross platforms. So if you use other devices, pass keychain doesn't work all that well. And it is attached to all of your other Apple stuff. So do it that way you will. To your point about the randomness, I think you're exactly right. I think my worry would be that for somebody like our friend Eduardo here, that when they
Starting point is 00:15:05 say I have different passwords for everything, what they actually mean is like variations on a theme where it's like, I have one password that is like cool kids. and then I have another one that's cool kids with two Ss and then I have one that's cool kids six and that is not great password hygiene. It's better than having the same password for everything but it's not great password hygiene because... Well, go ahead.
Starting point is 00:15:26 Yeah, and it's worth going into what the attack is there. So there are these, like, LinkedIn was breached in, like, 2009 or something, 2011. It was a while ago. This is all public. This is not, I'm not blowing up any spot. But then this means that, like, anyone on the internet who wants it basically by now has the LinkedIn password I was using in 2011, right? And so if I was using that for anything else, when they were able to get to it,
Starting point is 00:15:55 they probably went through, you know, well, what's Russell's Gmail account? What's Russell's other account? Let's see if the same password works. Right. Right. And a lot of times they have this password and the breach isn't public. No one knows about it. And so they're likely to have sort of find out about it before you do. Now, are they going to try, well, okay, what about Russell's password, but the number is slightly different? Exactly. What about Russell's password and there's some extra S's? On one hand, like, they're doing this with 10 million passwords and just running through the list because it's fairly, it's rare that you get a hit. It's just like, it's worth it if we get a hit. On the other hand, they have a lot of time and not a lot of these breached things, so they're
Starting point is 00:16:41 probably going to try as much as they can get away with. And that's why the password hygiene of, like, here's this slight alteration is not great if a password very, very similar to that gets breached. Yeah, I think that's right. And I think the deep rabbit hole I went down was about pseudo-random number generators. And this idea that even things that purport to give you random sets of characters are not random, right? Like computers on their own can't do random. There is a logic. So what they do is they start basically from what's called a seed and then run an algorithm to do what is this, what looks a lot like randomness. But if you can figure out what that seed is, you then know where the randomness started from and you can start to figure it out. So Bruce Schneier, who is a security researcher who has done a lot of work on this over the years, I think he talks about that I like, and I think is a useful framework to think about all of this is basically like degrees of entropy, right?
Starting point is 00:17:35 Like if all of my passwords are one last character off, that's one degree of entropy, right? If you know all of my password, except that one character, all you have to do is figure out one thing. But if you don't know any of my password because it's all different, you're starting from nothing. And suddenly the work you have to do to get there is much, much stronger. So I think in a case like this, what I went, the rabbit hole I really went down is like, is Apple's pseudo random number generator better than the competition's pseudo random number generators. And the answer is like not really. There are a lot of very good ones out there. And the real question is just about a lot of other things that actually like the random number generators are not.
Starting point is 00:18:11 likely what's going to screw up your passwords over time? Yeah, that's like, that's like you're like, you're like, is this plane I'm getting on safe? Right. And they're like, well, let's look at the fuel. Exactly. Who's using the best fuel? It's like, it's probably, it's not going to come down to that. Is it information?
Starting point is 00:18:28 Yes, but is it going to be the difference? Almost certainly not. But generally, like, what I would say is, is think about entropy, right? And if you want to keep your password as secure as possible, have as much entropy between your different passwords as you possibly can. And if that means letting Apple fill it out for you and save it in ways that everyone agrees are solid and secure, that works. I use one password, which I love very much. I will stand for one password to anyone who listens. It's a really good password manager. There are a lot of good ones out there. And I think having them be randomly
Starting point is 00:18:59 selected for me, I don't know most of my passwords. And I like it that way. And I feel like that's, that's where everyone should be. Let a system know my passwords. And then I don't have to. Absolutely. All right, let's move on. So what's the other, yeah, what's the other password? I mean, our next one is even weirder, and I'm very excited. It's from Leon. Let's hear it.
Starting point is 00:19:18 Hey, Vergecast team. It's Leon from Virginia. What's up with websites having a maximum character limit for their passwords? Like, why do I have to create a password with a maximum of eight or 12 characters? Why is that safe? Thanks. This is the other question that sent me down a crazy rabbit hole. And it was deeply unsatisfying. I mean, it's not safe, right? Like, broadly,
Starting point is 00:19:43 these limits are bad. Security people don't like them. I think that the reason that you see them is kind of, has to do with making life easier for the architects of these systems more than, like, security fundamentals. But it sounds like, David, you have a lot of research to spill out. No, so you're right, but you're missing one piece of the equation, which is users. The simple truth of the matter based on all the research I've done and all the people I've talked to to is that fundamentally, if you allow people to have 500 character passwords, they will forget them, they will type them incorrectly, they will call customer service to reset their passwords more often, and that will suck for everyone involved. And so I went down looking
Starting point is 00:20:25 for like really useful technical answers. And what it seems like is on the one hand, you're right that like, and especially in the early days of the internet, there was a lot of like technological that just couldn't handle that much data coming in at the same time. Like, if you're sending somebody a one megabyte password, that's a lot. And it was especially a lot many years ago. So. Well, and also that, like, remember, there's the hashing algorithms. Like, if you can know the amount of information very precisely, it lets you, it just
Starting point is 00:20:57 sort of smooths things out. Totally. Yeah. And then that just sort of became the norm, so people kept doing it. But then I was looking, and, like, the National Institute of Standards and Technology has a bunch of rules about passwords and what they actually recommend is that you allow at least 64 characters because the kind of new password theory is like what you don't need is just a bunch of like random hexadecimal stuff. What you need is like a long, relatively random string of words that you can
Starting point is 00:21:25 remember, that that's actually the most useful thing. Like if it's five words in a row, you can do it. I will say at risk of compromising my own security. So this is the pass phrase, right? Think of some phrase that you remember. And I'm a word guy, so I remember phrases. Like, there are a lot of phrases where I'm like, oh, yeah, that one line really meant something to me. And so when I was setting up my like work account for Vox Media, I did the phrase. And I was like, I'm not going to, you know, this is going to be in my password manager. I'm not going to type this in that much. And then as it went on, it's sort of propagated until now it's the thing I need to type in every time I wake up my laptop. And it's like, it's like a bunch of words long.
Starting point is 00:22:10 Like it's over 50 characters. It's it. And also, if I can't see it, I'll like have a typo sometimes. So it'll take me like two or three tries. And I'm just trying to like mute whatever song is playing. It's really, uh, so that's a, that's a cautionary tale. It's just like the first chapter of Moby Dick every time you want to wake up your computer. Oh my God.
Starting point is 00:22:31 How did you guess? No, but I mean, it's really like, yeah, I'm trying not to do it. I'm not trying not to put. any information out there that would make it easy for the hackers. But yeah, it's, uh, so think about the fact that you'll have to maybe type this in a lot. But I think, yeah, in general, it is, I think I would agree, bad form if they only allow you to have something like eight characters. What does seem to be true is there are pretty severe diminishing returns after about 20. I don't know if that's a magic number, but that, that one kind of came up a bunch that like the difference between a 20 character
Starting point is 00:23:04 password and a 200 character password is not massive in terms of like can a regular person brute force their way into getting your password. Whereas the difference between 8 and 20 is when it goes from like hard but feasible to hard and sort of infeasible. So I think if you're only allowed to have short passwords, you should you should yell at them to let you have longer ones, is what I would say. Yeah, cool. Do you have short passwords? I feel like I just shamed you by accident. You're changing all your passwords right now. I will say I changed for, From on the, in the iPhone unlock, they give you the option of four numbers, which the security people really don't like. Or six numbers, which is, you know, it's powers of 10.
Starting point is 00:23:47 It's a hundred times more secure. Or this alphanumeric thing, which you're going to type in on a keyboard, which is probably the best thing to do. But, I mean, who has the time? I'm not going to. Honestly, like, it's, I'm a four-digit iPhone passcode person. Wow. And I'm ashamed of it. Like I am.
Starting point is 00:24:05 It's not great. And the best part is it defaults to six and it makes you change to four when you set up your phone. It's like, do you want to make a stupid decision right now? And every time I'm like, yes, I do. Thank you for asking. I'm very happy to do so. Yeah. All right.
Starting point is 00:24:20 We need to take a break. And then we're going to come back and answer a couple more questions, including with our very good friend, Nilay Patel. We'll be right back. Support for the show comes from Framer. Framer is an enterprise-grade, no-code website builder used by teams at companies like Perplexity and Murrow to move faster. With real-time collaboration and a robust CMS, with everything you need for great SEO, not to mention advanced analytics that include integrated A/B testing,
Starting point is 00:24:51 your designers and marketers are empowered to build and maximize your dot com from day one. So whether you want to launch a new site, test a few landing pages, or migrate your full.com, Framer has programs for startups, scaleups, and large enterprises, to make going from idea to live site as easy and fast as possible. Learn how you can get more out of your dot com from a Framer specialist or get started building for free today at framer.com slash verge for 30% off of Framer pro annual plan. That's framer.com slash verge for 30% off.
Starting point is 00:25:31 Framer.com slash verge. Rules and restrictions may apply. Okay, next up, we have a question I think a bunch of us got very excited about. This is from our friend Chuck, who has a question about babies. Hey, guys. This might be very niche, so maybe it doesn't go on the show, but maybe it could go on an article sometime. I have a newborn, and I don't know how to keep her safe from online stuff. Like, do I need to do anything?
Starting point is 00:26:05 Do I do nothing? So yeah, I just, I don't want to leave doors open. But yeah, I don't, there's nothing good out there that says, like, do this and you'll be safe. Thanks. Love the show. Bye. Okay. This question gives me so many feelings.
Starting point is 00:26:23 And you can just, you can just feel the, like, vibes and energy from this person. Nealai, I would tell us here to help us answer this question. Hello. Nelai, you are our resident baby expert. Congratulations. That's bad for America. You are all that stands between the horrors of the internet and the children of America and some of Canada. They are putting the whole show to parent blogging.
Starting point is 00:26:48 That's right. Yeah. I will say, Nilai has been threatening to do this ever since he had children. So it's going to happen eventually. I feel like we could start almost anywhere here. But there's like, is there stock parenting advice for what you should do? Like, because there comes a time when like your kid is going to start wanting to be on. And you have to do things about that.
Starting point is 00:27:08 But we're talking even way before then. This is the like, they don't even know what the internet is yet. Do you have responsibilities to them? Which I think is a super interesting question. Yeah. Well, David, you're about to have a kid. So you're going to become the new. Am I allowed to say that on the show?
Starting point is 00:27:21 Do the people know? The people don't know. They know now. This is as good as time as any. My wife is due in December. And I'm going to be the Virgin's next baby correspondent. Congratulations. That's great.
Starting point is 00:27:32 Thank you. You got to rotate in a new one. because the kids keep getting relentlessly older. It's a real problem. So here's what I would say to everybody. Almost everything about being a first-time parent is just how afraid you choose to be and how much you allow corporate America
Starting point is 00:27:50 to prey on that fear. The best advice I ever got was from my friend Spencer Hall, who some of you may know from other endeavors in the internet. And he just looked at me very seriously. I think he has like four kids. And he was like, babies are more resilient than you think. And if you just hold that in your, head.
Starting point is 00:28:04 You're going to be like, just remember, people did this before any technology existed. That's how you got here. So you're just like, hold on to that. The second thing I'll say much more specifically about computers is once you realize that all that's designed to prey on your fear, you realize that a lot of like computer products exist to just reassure you, but actually provide you like no additional safety. So there's like infinity baby monitors and socks and snooze that you can buy. And you just have to decide how much you want to, like, participate in that universe of things.
Starting point is 00:28:38 Our decision was that we didn't want anything that required a user account. We just didn't want to start sharing data about our kid at any moment. So we did not buy a connected baby camera. We bought the Ufi one that's on Amazon. I'm sure by now there are many iterations of it. But there was one that everyone bought. And then Ufi, which is Division of Anchor, came out with, like, the slightly upgraded riff on that one. And we just have that one.
Starting point is 00:29:05 And it works great. And it is, you know, like a proprietary RF protocol. It's rock solid in our house. No Wi-Fi involved. And it has a little piece of hardware that's great. So we carry around a little screen in our house to watch our kid. That is. So your, your thinking was not only like no user accounts for your kid, but no user accounts
Starting point is 00:29:25 related to your kid. Like, because it wouldn't have been, it wouldn't have been your kid's name on the Eufy or on the baby monitor thing. It would have been yours. But even still, like, that crossed the line. Yeah, I wanted, I'll use a security term here. I wanted to air gap the baby from the internet for as long as possible. Oh, I love that.
Starting point is 00:29:41 Okay. That's good. Yeah. Right. So I didn't want anything connected to the internet near the baby for as long as I could hold off. Air gap your baby is a Verge t-shirt that needs to happen. This is a thing. We're going to make onesies.
Starting point is 00:29:53 It's going to say air-gapped. It's going to be incredible. One thing you're going to want to do is track a bunch of baby stuff related to a newborn. When they eat, when they poop, when they poop, when they sleep. And there's infinity apps that are, you know, you can log into and you can use them. And we don't want to use them. So we use one called Sprout, which syncs the database over iCloud to another phone using a key.
Starting point is 00:30:14 There's no user accounts. And they actually advertise it as having no user accounts. So this is like four years ago. We have not tracked our four-year-old's sleeping and pooping. We're good. She lets us know when it's going to happen. I mean, are you weighing it? What's the fine grain of the data?
Starting point is 00:30:30 How much data on the poop are we collecting here? Well, so when you have a newborn, you don't sleep very often. So your memory of what happened when becomes very limited. And you're like, did I feed the baby? And you just don't remember. And you certainly don't remember how much or what you fed them. It's like two in the morning. So like how many ounces of milk did I feed the baby?
Starting point is 00:30:52 Is like, you were just not going to remember this five hours from now. So you just track that stuff. Just have a log between you and your partner. Because ideally, one of you is asleep while the other thing is happening. Ideally, I said, sometimes it's just a pure panic situation. So we just constantly made choices to keep the kid away from the internet. And at some point, your parenting choice is going to be in order to make this child eat or survive a restaurant or be on an airplane, we're going to give them a tablet. And then all
Starting point is 00:31:20 of it kind of goes out the window. But for us, anyhow, our choice was very much no user accounts, no Wi-Fi connected toys. None of this stuff where I have to become the IT manager of like a very helpless human being's internet presence, because once you open the door, you're just fully down the road. Yeah. The only other big picture question I can think of that it would be useful to ask or to have answers to pretty early on would be like how do we take and share pictures of our child in a way that makes us comfortable.
Starting point is 00:31:54 Yeah. I will say so my, I have two nieces and my brother, I think, I was impressed by this, although I think maybe some people would be worried about it. But basically they didn't want to be on Facebook or for Facebook to have an accessible record of various pictures of the girls. But you want to share it with family. And so they set up this Tumblr that is public to the internet,
Starting point is 00:32:23 but that only the family members really have the address to, and it doesn't have their names on it or any words whatsoever. It's just a public-facing web page on the internet, which I think worked out for them. I mean, the main thing is, like, grandma doesn't have to get a Facebook account or, like, maintain access to a Facebook account, which I think is probably good. And, like, you know, grandma doesn't really want to see, grandma doesn't want to go on Facebook. She just wants to see pictures of her grandchildren, so it's fine. Yeah. Yeah.
Starting point is 00:32:56 So I don't know if that's like, if that solves every problem, but that is a baby picture hack. I have heard. So that one, I buy it, right? Because you're not inside of big tech. Like, Tumblr is not big tech. It's like small, struggling tech. Yeah, small to medium tech, I think. But public to the internet terrifies me, right?
Starting point is 00:33:14 Like, that's just a URL in the internet that could get picked up. The Clearview AI is looking at pictures. Like, who knows? You can't see what's happening. Well, it's not tied to their names. Right. So it's just these pictures of people on the internet. It's true.
Starting point is 00:33:28 It could get scraped, though. I mean, they didn't. So one day this family is going to be in a Walmart looking at like empty photo frames and being like, well, that is us. Yeah. Very unfortunate. So we kind of went the other way, which requires more trust, but feels more closed. So we started with Apple Photos, which seemed very closed, shared photo streams, and then more people want to be involved. And then in particular, this thing that grandma
Starting point is 00:33:54 wanting to just see the photos, we wanted to set up digital photo frames that just had the newest photos on them for various people in our family. So then we switched to Google Photos, which Google will insist is a closed private ecosystem, but we were able to just set up Google Homes and then lots of digital photo frames, like just the ones you can buy, have Google Photos connections. So we just have one album that we add photos to, and it shows up on picture frames in our various family members' houses. They don't have to do anything. And that feels like I am just in control of that database of pictures and I am in control of who has access to it, and that feels important to me. As she's gotten older, as Max has gotten older,
Starting point is 00:34:37 I've stopped posting her on Instagram as much. I feel like babies are fine and now she's like a person with a personality and I feel very like exploitative of her personality. Like that's just a choice that she's going to have to make over time and I'm going to tell her not to do it. But, well, I mean, if you're going for the Gerber sponsorship. If she's going to get brand deals. And she was first born. She's got to be on the ground. We got to get this kid in the catalog.
Starting point is 00:35:00 And then it turns out Benetton doesn't exist anymore. So my one target was gone. I don't know. She's got good hair. You could work with that. Yeah. A lot of places to go. Are there any other?
Starting point is 00:35:11 Like, I'm just even trying to think about like, what are the questions you should be asking early on and like conversations you should be having? Are there other big ones we haven't hit on yet? The main ones are really just how public do you want your child's life to be. Yeah. Right? Like you start to have all these experiences and it turns out being a parent is like among the most universal experience you can have. You can relate to all kinds of people just by talking about your child. That's why people talk about their kids so much. It's very annoying before you have a kid and then you have a kid and you realize why it keeps happening. There's a reason people want to show your photos. It's kids in the weather. Like those are the only two things. Yeah. Lots of lots of people. Which is great. But there's an instinct to do it very publicly on the internet. There's an instinct to profit for him for some people. Like you could be. a parent YouTuber, like all this stuff. And you've got to make that decision early and like hold on to it. Because otherwise you're, I think a lot of people are going to grow up.
Starting point is 00:36:05 Their parents have been talking with them in public for a very long time. And they are not like, they lose it, they might lose a sense of agency over who they get to be because there's this rich backstory about their life. And I think you just have to make that decision that I've thought about that a lot with our kid. I've talked to other parents who think about that a lot. I think there's a rich and varied debate about that in the world. of the internet, like in the world of internet parenting. And so that's the one that I would just encourage people to think about. It's like really hard to see when you have a newborn. It's just a picture of a newborn. Like that is kind of a story about you and how much you're not sleeping.
Starting point is 00:36:39 But soon it becomes a story about them and you got to flip that switch. Yeah, I will say the point that the internet is just there to make you afraid and sell you stuff is a useful one to remember and has been very useful for me to remember even in this like we're in the phase now of like trying to figure out like what happens when you give birth and all the things you have to do. And it's like I've started reading about sleep training. And the only thing I've learned about sleep training is no matter what you do, you're wrong and you're a bad person and you hate your kids. And it costs millions of dollars to buy all the right products to solve all of their problems. And so I just like every time I go on the internet now, I have to just be like the internet is here to lie to me and sell me things.
Starting point is 00:37:12 And that is what this is for. And I am now like I am everyone's target demo. Like new parents are everyone's target demo. Because you're terrified. Yeah. Yeah. And you know, and you, whatever you might say about modern society, you don't have all the people around you to keep you from being terrified, which is like a real thing. All right, Nilay, we need to let you go. We have some more questions to get to, but thank you. And, you know, good luck to all of us.
Starting point is 00:37:37 Good luck, Dave. I'll buy some booze. All right, Russell, we have a couple more. We're just going to blow through these really fast. One that we didn't technically choose to do here, but I just want to talk about quickly because this is a thing that comes up a lot in conversations that we have with like regular people thinking about cybersecurity is VPNs. Liam, do we have Ben's question we can play about VPNs?
Starting point is 00:37:58 Hey, Verge. This is Ben. I've been thinking about subscribing to a VPN service, but it's very unclear which one is the best. Some of the most promoted ones like Express and NordVPN have questionable audits. And, yeah, just very curious about what VPN service people should subscribe to. Thanks. I love this question because I find it completely impossible. And I feel like we've talked a lot about just deciding who to trust and who not to trust
Starting point is 00:38:32 in the course of this episode. And I feel like this is sort of the same thing. Like fundamentally, if you get a VPN, you are, it's like letting someone into your house, right? Like you are giving them a massive amount of theoretical access to your stuff. And a lot of them say they don't want it. A lot of them say they don't store it. But like, you just don't know for absolute certain. And it is fundamentally a question of trust.
Starting point is 00:38:57 But then if you don't do it, you're trusting, I don't know, all of your browser extensions. And you're trusting Google and you're trusting Facebook, which has all this kind of information. Like, you just can't browse the internet without somebody knowing. And at some point, you just have to decide who you trust the most. And I feel like it gets very nihilistic for me from there. But that's kind of where I land. Yeah. It's funny.
Starting point is 00:39:18 I was writing about actually in the Wi-Fi Coconut piece. There's this question of like how much control does like a router, like if the bad guy is controlling the router that you're logging in through, like that's not good. How much of a threat is that? And one of the, I was thinking about it and I realized one of the fundamental things you see in internet technology at all sorts of different levels is you're basically using encryption to secure infrastructure. So it doesn't matter who's controlling the router. It doesn't matter who's at the ISP. The router, you'll have like WPA keys that are keeping it from sort of being a point of attack. The ISP, ideally you have SSL, and that's that level of encryption. The VPN is kind of like adding another one. And so there's a sense in which the attacks that it helps against are if you are working for a company, like it's corporate security, and they're like, these are the plans to our next hot new airplane, and the bad guys want to steal the plans.
Starting point is 00:40:24 And so we know exactly where the perimeter is of who we trust and who we don't. And if the VPN is running through the company, then ideally you're not expanding the trust at all because it's running through that same infrastructure. It's the same group of people who are going to have access to it. But you can have sort of an extra layer of protection to log in through the conference Wi-Fi and not get injected because the only thing you connect to is this, you know, this VPN service, which then hardens the tunnel through the rest of it. Having said that, that is not generally how I see people talking about
Starting point is 00:41:03 why they're using VPNs. Oh, honestly, the most, maybe this is because I'm hanging with a sketchy crowd, but like the most common thing is people like, well, this will keep me from getting sued for pirating movies or something. Oh, absolutely. Or this is how I can watch stuff on Netflix that's only available in another country. Those are the two things I hear the most. Right. Well, I mean, so the Netflix geolocation thing, that might be robust. I don't think that Netflix is really cracking down on it yet because it would just be so, it would be so much of a pain for them without, they don't really care if this is happening anyway. So, but anything illegal you're doing, if you're paying for a commercial VPN service, it's just another subpoena that the police have
Starting point is 00:41:46 to send. So they subpoena the VPN service to then subpoena the ISP to then get to you. And like, maybe it's in Switzerland and so it's harder. But like, if you're the Dread Pirate Roberts or something, this is not going to help you. And I see people talking as if it is. And that, to me, is like my main experience of engaging with VPNs. Very rarely do I see it lining up with the actual threat model it could protect against. Yeah, that totally tracks. And I think in general, we talked a little bit about VPNs with McKenna a while ago on this show. And one of the things I heard over and over, even from VPN people, is that if you're just a regular person doing regular internet things,
Starting point is 00:42:30 you probably don't need one. And even to your point about like, what if the bad guys run the router? Like, thanks to things like HTTPS, like, they can start to know what website I went to, but not what I did there. And that stuff is increasingly encrypted. And the internet is much harder as a result. And so the advice I've gotten from folks is basically like if you know you have a specific thing that either you need to avoid being seen for or you have a specific thing you need access to that you can't get access to, those are good reasons to get a VPN. But if you're just like a person in a coffee shop worried about security, a VPN, to your point, is not actually going to solve that sort of same mainstream problem. Yeah. Also, I trust my coffee shop more than I trust my
Starting point is 00:43:15 VPN. That's, to me, that's the pinnacle of, they're so nice. Shout out to Russell's coffee shop. Somewhere in deep upstate New York, I think. I don't know. Who's to say? Russell doesn't tell us where he is. That's his real cybersecurity trick. Yeah, I keep operational security. No one knows where I am at any time. Yeah, he's in a dark room with a black background and no one's allowed to know what he's doing. All right, let's move on. We have one more question to do before we get out of here.
Starting point is 00:43:41 It is from Emmanuel. Let's hear it. Hey, Verge. This is Emmanuel. I had a question related to your security podcast that's coming up. I've always wondered what could a bad website do to me? So, for example, I clicked on a bad ad on Google search results, and I stayed on the website, didn't do anything, then close my browser, close the window. What is the worst thing that could have happened to my machine?
Starting point is 00:44:08 What could be installed? What do I have to worry about? Thanks. This is such a good question, and it made me realize I also have this question. It made me very worried for Emmanuel's safety. Like, we're going to find out this is the last communication anyone got from Emmanuel. He's just clicking every link everywhere just to see. Like, what could happen?
Starting point is 00:44:26 What's the worst? So what's the answer? What is the worst that could happen? Um, I, to me, it's like, it's like, what if the brakes stopped working on your car? It's like, there are so many bad things that could happen. I almost don't even want to think about it. It's like, no, you should be able to use the brakes. All right.
Starting point is 00:44:42 Well, let's frame this slightly differently then. Yeah. It's, I think one obvious bad thing that can happen to you on a computer is that, like, you go to a website and it installs a key logger and takes your credit card information, right? Like, that we grant. But I think what seems to me to be implicit in this question is if I go to a bad website and I leave that bad website before I do anything, can it do anything to my computer after I leave the website?
Starting point is 00:45:09 And the answer to that, I think, is like unequivocally, yes, absolutely, right? Yeah, because you loaded the website. When we say I'm on the website, what that means is the server has sent this information to your browser, and your browser has used that information and sort of executed the files to build the thing that you're looking at, right? But that could have also included, they're like, run this code, it'll make this fancy cool ad with the little guy who dances around, he's going to love it. And like, it made a fancy cool ad, with a guy who danced around, and you did love it,
Starting point is 00:45:46 but it also installed this malware, which is now, like, encrypting your entire computer and ransomwaring you, or just, like, hanging out there for six months and gradually sort of expanding its access in the network. I mean, I think the tricky thing is, once the perimeter has been breached, it's kind of like, well, what mischief do they wanna do
Starting point is 00:46:08 once they're on the inside? It's like, I don't know. I hope nothing too bad, but like, it's out of my control now. Yeah, I spent a lot of time in prepping for this talking to people and reading about exploit kits. Oh, yeah. Which is just, my God, terrifying. And basically, it's exactly what you're talking about. The idea is, like, you load this website and what it does is it installs software on your computer that essentially just looks for vulnerabilities, right?
Starting point is 00:46:30 And it says, like, you know, do you have this technology to play videos in your browser? No, do you have this one to read PDFs in your browser? Ah, you do. I'm going to use that and just sort of open up a little hole in it and then download whatever I feel like. And it's just once it's in, it does sort of all this different hunting. It finds its place. And then it can just sit there. And it can wait as long as it needs to.
Starting point is 00:46:53 And then it just has access to your computer. And this stuff is like, it's dormant forever. It's tiny. It's hard to find. And it just sits there sort of waiting to be activated. And it's gotten really sophisticated to the point where like, like, Flash, if I'm remembering this right, used to be like the main problem here. Right.
Starting point is 00:47:09 And it was like Flash was a garbage piece of software that was a very big problem. It was full of loopholes and exploits. And every time you would load a Flash thing, it was loading an app from your computer and running it, and by doing so, they could put code in it and then load other stuff, but there are still a bunch of ways like that into your computer now.
Starting point is 00:47:27 Yeah, I would say, I mean, the other thing that classically people were worried about, and this is something that, you know, in the time I've been working at the Verge, HTTPS adoption, including by theverge.com, has just gone from sort of zero to 60. Like it was maybe a third of websites in 20. It was definitely below half and now we're well over 95%. It's sort of rare that you go somewhere
Starting point is 00:47:49 on the internet that doesn't have it. The result of that is these injection attacks where someone is at the ISP or at the router or is sort of tapping into some cable because they're the NSA and they want to, you're sort of opening a legitimate website, but they are injecting malware into it, sort of turning it into a malicious website. You know, those are still possible, but they're much harder to do. And so it seems to be in many ways things have gotten better, but it still is the case that you should not like clicking. The problem is clicking the link to the website.
Starting point is 00:48:27 Not like once I'm on the website, what do I do? Yeah. But we should say, and I think not to like downplay any of this stuff, but I feel like it continues to be a useful thing to remind people that like most people get into trouble because they enter information in places that they shouldn't. And this is like what you were talking about earlier about like, don't give your credit card over the phone and this like basic stuff. But like anytime you're going to type in your username and password, anytime you're going to click on a link in your email, anytime you're going to type in your social security number or your home address or whatever.
Starting point is 00:48:56 Like most people get into trouble because they give up information willingly to people they shouldn't. Like the malware stuff is real. The exploit kit stuff is real. The stuff they can download is real. But like you are much more likely to get in trouble by reading your credit card number to someone you shouldn't than by like having your router tapped by the NSA. Well, and also, I think, I mean, even more immediately, the thing right now that people are most likely to get taken by is someone calling you on the phone and telling you they're from tech support.
Starting point is 00:49:25 And it's like, Microsoft will not call you on the phone because there's a problem with your Office installation. That will not happen. They have email. They're good at it. They know a lot about email. They'll send you an email. And mostly, they're avoiding you.
Starting point is 00:49:42 They don't want to call you. they don't want you to call them. Like if you ever get a customer support person who's like desperate to talk to you, that should set off all your alarm bells because that is not a thing that happens in real life. I'm just saying. Absolutely.
Starting point is 00:49:54 I like it. All right. Any other like common sense security stuff we should tell people? I feel like the advice we always give is like two-factor authentication is good. Do that. Yeah, absolutely.
Starting point is 00:50:03 I would say, yeah, I mean, work on knife skills. Knife skills are always useful. That's more of a physical security thing. But I tell everyone, you know, practice with a knife. Online knife skills. Yep. Yeah. I like it. All right. We should go. Russell, thank you. This has been very fun and enlightening. And if anybody ever wants to talk for many, many hours about pseudo-random number generators, I now have all of this information in my head and nothing to do with it.
Starting point is 00:50:28 I know which ones are good. I know which ones are bad. I have a lot of thoughts. But anyway, follow all of us on Twitter. There's a ton more good cybersecurity stuff we've done at the Verge the last couple of weeks. And always, because it is always cybersecurity week on theverge.com. Russell is Russell Brandom on Twitter. Nilay is reckless on Twitter. I'm Pierce on Twitter. Thank you for listening. This is The Vergecast.
Starting point is 00:50:49 We will be back on Wednesday and Friday with our regularly scheduled programming. We will see you then. Rock and roll.