Editing 1820: Security Advice
Latest revision | Your text | ||
Line 8: | Line 8: | ||
==Explanation== | ==Explanation== | ||
− | |||
− | |||
The comic depicts a conversation between [[Cueball]] and [[Ponytail]], discussing the fact that giving people security advice in the past has failed to improve their internet security, and in some cases even made things worse. One such example is telling people to create complicated passwords containing numbers and symbols, which not only made the passwords harder to remember (leading people to create huge security risks by [https://arstechnica.com/security/2015/04/hacked-french-network-exposed-its-own-passwords-during-tv-interview/ leaving post-it notes with their passwords on their computer monitor]), but did not actually make those passwords harder to crack (see [[936: Password Strength]]). | The comic depicts a conversation between [[Cueball]] and [[Ponytail]], discussing the fact that giving people security advice in the past has failed to improve their internet security, and in some cases even made things worse. One such example is telling people to create complicated passwords containing numbers and symbols, which not only made the passwords harder to remember (leading people to create huge security risks by [https://arstechnica.com/security/2015/04/hacked-french-network-exposed-its-own-passwords-during-tv-interview/ leaving post-it notes with their passwords on their computer monitor]), but did not actually make those passwords harder to crack (see [[936: Password Strength]]). | ||
As a result, Cueball suggests using {{w|reverse psychology}} and give out bad advice instead, in hopes of achieving a positive effect. The last panel contains a list with 13 security tips, which are parodies of actual security tips. The title text is just one more tip. See [[#Security tips|table]] below for explanations for all 14 tips. | As a result, Cueball suggests using {{w|reverse psychology}} and give out bad advice instead, in hopes of achieving a positive effect. The last panel contains a list with 13 security tips, which are parodies of actual security tips. The title text is just one more tip. See [[#Security tips|table]] below for explanations for all 14 tips. | ||
+ | |||
+ | This comic is yet another [[:Category:Tips|tips comic]]. | ||
===Security tips=== | ===Security tips=== | ||
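Review bot: the added "tips comic" sentence is fine, but while touching this region the unchanged context above it has a grammatical slip: "Cueball suggests using {{w|reverse psychology}} and give out bad advice" should read "and giving out bad advice". The category link also supports the point made two sentences earlier, so placing the new sentence directly after "The title text is just one more tip." would read more naturally than as a separate paragraph.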
Line 20: | Line 20: | ||
|- id="tip0" | |- id="tip0" | ||
|Print out this list and keep it in your bank safe deposit box (header) | |Print out this list and keep it in your bank safe deposit box (header) | ||
− | |This is a standard recommendation for documents that must be kept secure because they are irreplaceable and/or contain sensitive information. However this list itself is easily replaceable and the contents will be well-known, so storing it in a safe place is totally unnecessary. Putting it in a {{w|safe deposit box}} would even be counterproductive since the list can only serve its purpose as a ready reminder if it's easily accessible to everyone. So when people fail to follow this tip, they may end | + | |This is a standard recommendation for documents that must be kept secure because they are irreplaceable and/or contain sensitive information. However this list itself is easily replaceable and the contents will be well-known, so storing it in a safe place is totally unnecessary. Putting it in a {{w|safe deposit box}} would even be counterproductive since the list can only serve its purpose as a ready reminder if it's easily accessible to everyone. So when people fail to follow this tip, they may end of keeping it in a place where they have easy access to the tips so they may also fail to follow all the others. |
|- id="tip1" | |- id="tip1" | ||
|Don't click links to websites | |Don't click links to websites | ||
− | |The usual tip is "Don't click on ''suspicious'' website links" or "Don't click any links in suspicious emails". The comic's variation instead tells users not to click on any links to any websites, which essentially stops them from using the World Wide Web altogether. So this tip is not really helping, as the opposite of this would be to click on all links. | + | |The usual tip is "Don't click on ''suspicious'' website links" or "Don't click any links in suspicious emails". The comic's variation instead tells users not to click on any links to any websites, which essentially stops them from using the World Wide Web altogether. So this tip is not really helping, as the opposite of this would be to click on all links. |
|- id="tip2" | |- id="tip2" | ||
|Use prime numbers in your password | |Use prime numbers in your password | ||
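Review bot: the completed sentence in the tip0 row contains a typo, "they may end of keeping it", which should be "they may end up keeping it", and the clause that follows runs on; suggest "they may end up keeping it somewhere accessible, where it can remind them to disregard the rest of the list as well." The tip1 row is marked as changed but both columns read identically, so that change is presumably whitespace only; confirm it is intended and not a stray edit.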
Line 32: | Line 32: | ||
|- id="tip4" | |- id="tip4" | ||
|Hold your breath while crossing the border | |Hold your breath while crossing the border | ||
− | |At some border crossings, government agents may search computers, cell phones, and other electronic devices. The usual advice for such situations ranges from asserting your rights to resetting all devices and deleting all data prior to crossing a border. Holding one's breath can potentially prevent inhaling germs or poisons in some situations, though useless in the context of computer security. These two topics mixed in the same advice won't achieve anything, but if you hold your breath for too long you could pass out when crossing, or look stressed/suspicious and invite even more scrutiny. This could also be a reference to the superstition of holding one's breath when passing a graveyard, or similarly to the movie | + | |At some border crossings, government agents may search computers, cell phones, and other electronic devices. The usual advice for such situations ranges from asserting your rights to resetting all devices and deleting all data prior to crossing a border. Holding one's breath can potentially prevent inhaling germs or poisons in some situations, though useless in the context of computer security. These two topics mixed in the same advice won't achieve anything, but if you hold your breath for too long you could pass out when crossing, or look stressed/suspicious and invite even more scrutiny. This could also be a reference to the superstition of holding one's breath when passing a graveyard, or similarly to the movie {{w|Spirited Away}}, where the main character is instructed to hold her breath while crossing the bridge that acts as the border between the human and spirit world. In any case, holding one's breath while browsing the Internet would have no useful effect, supernatural or otherwise. |
|- id="tip5" | |- id="tip5" | ||
|Install a secure font | |Install a secure font | ||
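Review bot: the closing sentence added to the tip4 row, "holding one's breath while browsing the Internet would have no useful effect", does not match the tip, which is about crossing a border with devices that may be searched rather than about browsing; suggest "holding one's breath at a border crossing has no effect on what a device search turns up, supernatural or otherwise." The rest of the completion (the Spirited Away reference) reads fine.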
Line 40: | Line 40: | ||
|{{w|Multi-factor authentication|Two factor authentication}} describes the practice of using two different identification factors (such as a password and a code from a secure token) to authenticate the user. A two factor smoke detector presumably uses two or more factors to identify ''smoke'' (such as {{w|Smoke_detector#Ionization|ionization}} and {{w|Smoke_detector#Photoelectric|photoelectric}}). Such devices [https://alarmspecs.com actually exist], but, while improving the user's general safety, they do nothing to improve their internet security. | |{{w|Multi-factor authentication|Two factor authentication}} describes the practice of using two different identification factors (such as a password and a code from a secure token) to authenticate the user. A two factor smoke detector presumably uses two or more factors to identify ''smoke'' (such as {{w|Smoke_detector#Ionization|ionization}} and {{w|Smoke_detector#Photoelectric|photoelectric}}). Such devices [https://alarmspecs.com actually exist], but, while improving the user's general safety, they do nothing to improve their internet security. | ||
− | + | Also, the logic behind using two-factor authentication is that '''both''' types of credentials must match to grant access. Smoke detectors work otherwise - usually firing if '''any''' of the sensors detect a fire. If the smoke detector worked according to the authentication logic it will be less likely to detect smoke, effectively lessening fire safety as compared to a single sensor one. | |
− | |||
− | |||
− | |||
− | |||
A month before this comic the newest [[:Category:xkcd Phones|xkcd Phone]], [[1809: xkcd Phone 5]], was released with a 28-factor authentication. | A month before this comic the newest [[:Category:xkcd Phones|xkcd Phone]], [[1809: xkcd Phone 5]], was released with a 28-factor authentication. | ||
|- id="tip7" | |- id="tip7" | ||
|Change your maiden name regularly | |Change your maiden name regularly | ||
− | | | + | |Your maiden name is the family name with which you were born. Literally changing your maiden name, is impossible by the definition of "maiden name". A common tip is to change your passwords regularly. Some password recovery procedures ask for a security question, like "what is your {{w|Maiden and married names|maiden name}}" Maiden names and other trivia typically asked by security questions are not secret, so they are inherently insecure. |
A real tip for dealing with security questions is to enter false data. | A real tip for dealing with security questions is to enter false data. | ||
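Review bot: the new tip6 paragraph states the AND versus OR contrast correctly but not why it exists, which is the security point worth making: authentication requires every factor to pass because a false accept is the costly error, while a detector alarms on any sensor because a missed fire is the costly error; one sentence to that effect would make the contrast read as a deliberate design choice rather than an oddity. Grammar in the same paragraph: "it will be less likely to detect smoke" should be "it would be less likely", and "Smoke detectors work otherwise - usually firing" should use "the other way round, usually firing". In the tip7 row, drop the comma in "changing your maiden name, is impossible", add the missing full stop after the {{w|Maiden and married names|maiden name}} link, and move "A common tip is to change your passwords regularly." to the start of the paragraph, since it is the real tip being parodied and currently sits as a non sequitur between two sentences about maiden names.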
Line 57: | Line 53: | ||
|- id="tip9" | |- id="tip9" | ||
|Use special characters like & and % | |Use special characters like & and % | ||
− | |You can use special characters to increase the entropy/strength of your password, though as | + | |You can use special characters to increase the entropy/strength of your password, though as describe in [[936: Password Strength]], that often leads to passwords that are hard to remember but not particularly strong. The password context is missing here, and in everyday situations the characters & and % are not special. These two characters are often disallowed in passwords because of their relevance to {{w|SQL}} (a common database query language). If these characters were used in a password, a badly written security system using SQL could have severe bugs (and security vulnerabilities) similar to the security flaw in [[327: Exploits of a Mom]]. |
|- id="tip10" | |- id="tip10" | ||
|Only read content published through Tor.com | |Only read content published through Tor.com | ||
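Review bot: the tip9 row attributes the ban on & and % to "their relevance to {{w|SQL}}" without saying what that relevance is, while the next sentence already places the blame correctly on "a badly written security system": the characters themselves are harmless to a system that hashes passwords and uses parameterised queries, so a site rejecting them is a hint that it does neither, which is exactly the flaw [[327: Exploits of a Mom]] mocks. Suggest rewording along those lines so the row does not imply the characters are dangerous per se. Also fix the typo "as describe in [[936: Password Strength]]" to "as described in".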
Line 69: | Line 65: | ||
|- id="tip13" | |- id="tip13" | ||
|If a border guard asks to examine your laptop, you have a legal right to challenge them to a chess game for your soul. | |If a border guard asks to examine your laptop, you have a legal right to challenge them to a chess game for your soul. | ||
− | |This tip is a reference to the common trope | + | |This tip is a reference to the common trope [http://tvtropes.org/pmwiki/pmwiki.php/Main/ChessWithDeath Chess with Death], in which a mortal challenges a god to a game or challenge, often for their life. This version of the trope traces back to {{w|Ingmar Bergman|Ingmar Bergman's}} film {{w|The Seventh Seal}}, in which the protagonist {{w|The Seventh Seal#Synopsis|challenges Death}} to a game of chess. But instead of avoiding death, this tip suggests you have the right to do the same to get out of handing your devices over to a border guard. (This trope is also featured in [http://www.explainxkcd.com/wiki/index.php/393 393: Ultimate Game]). |
− | |||
− | |||
|- id="tip14" | |- id="tip14" | ||
|'''Title Text''': Never give your password or bank account number to anyone who doesn't have a blue check mark next to their name. | |'''Title Text''': Never give your password or bank account number to anyone who doesn't have a blue check mark next to their name. | ||
− | |The usual security tip here is ''"only trust Twitter accounts claiming to be legitimate if they have a blue check mark next to their name"'', which means that the account is verified as legitimate. This tip suggests only giving your ''password'' to verified accounts, although you shouldn't give your password to ''any'' account. Twitter Verification would be revisited in [[1914: Twitter Verification]] | + | |The usual security tip here is ''"only trust Twitter accounts claiming to be legitimate if they have a blue check mark next to their name"'', which means that the account is verified as legitimate. This tip suggests only giving your ''password'' to verified accounts, although you shouldn't give your password to ''any'' account. Twitter Verification would be revisited in [[1914: Twitter Verification]] |
− | |||
− | |||
It also refers to problems especially visible in the US banking system, where there is very little security for direct account drafts, and because of that it is advised there to keep the account number as secret as possible. In contrast, in Europe giving your account number to someone is one of the most common ways to get paid. | It also refers to problems especially visible in the US banking system, where there is very little security for direct account drafts, and because of that it is advised there to keep the account number as secret as possible. In contrast, in Europe giving your account number to someone is one of the most common ways to get paid. | ||
− | A related tip might be "Never give your password or bank details to a website that doesn't have a padlock icon next to the URL". In | + | A related tip might be ""Never give your password or bank details to a website that doesn't have a padlock icon next to the URL"". In some browsers, if you access a secure website, there will be a padlock icon in the browser indicating you've connected to a secure website using the secure https protocol. So this tip treats the verified account icon the same way you might treat a secure website icon. |
|} | |} | ||
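Review bot: the added padlock sentence in the tip14 row says the icon indicates "you've connected to a secure website", but the padlock only attests that the connection to the domain shown in the address bar is encrypted over HTTPS, not that whoever operates the site is legitimate; that gap between a transport indicator and a trust indicator is the same confusion the tip is mocking, so suggest "indicating an encrypted HTTPS connection to the domain in the address bar, not that the site itself is trustworthy". Formatting in the same region: the quotation is wrapped in doubled quote marks (""Never give ... URL""), which should be a single pair, and the sentence ending "[[1914: Twitter Verification]]" is missing its full stop.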