Don't Get Hacked!

Most books on cybersecurity suffer from one or more of three flaws. The most common books are those aimed at professionals: programmers, system administrators, their managers, and so on, up to the Chief Information Security Officer, a high-level corporate executive who reports to the CEO and the Board of Directors. There’s nothing wrong with such books—I’ve written or co-written three of them myself—but the advice in such books isn’t very helpful to home users. (My last book contained passages like “The solution is a technology known as fuzzy extractors. Without going into the details, a fuzzy extractor generates a uniformly random string from noisy input; this string is suitable for use as a cryptographic key.” This is, shall we say, not very useful (or even comprehensible) advice for ordinary users.)

That paragraph illustrates a second failing of most books: they’re too full of jargon, and filled with phrases like “fuzzy extractor.” No, I won’t bother explaining what that one is; it’s not at all relevant here—and that’s precisely my point. I’ve tried to keep this book jargon-free, and while I have to use a few new terms, I’ve kept them to an absolute minimum. In fact, you almost certainly already know all of the concepts behind those terms. For example, anyone who knows not to flash $100 bills while walking through a dark alley in a dubious neighborhood already knows what I mean by “threat model,” even if they don’t use that phrase. Then why do I use such terms? It saves me the complexity and verbosity of constantly referring back to “the dark alley story.” Technical people (usually) don’t invent terms just to be obscure; rather, they do it for clarity within the profession. You’re probably not in the cybersecurity profession, but a very few terms are useful.

The third problem with many cybersecurity books is that they’re written by non-experts, and tend to contain obsolete or misleading advice. My favorite example is passwords, which, as we’ve all been told, must be 13½ characters long, contain at least one upper-case letter, one lower-case letter, one numeral, one special character, two characters from 19th century romance novels, and one from a dead or science fictional alphabet (personally, I’m partial to Linear A and Klingon). And oh, yes, you should never write down your password, and you must avoid using +, %, &, =, Ψ, 𐠛, or 𐜟. As we’ll see, that’s simply bad advice, though much of the blame rests with the web sites we all use rather than just authors of such books.

I’ve tried to avoid that problem here. While some of what I say may be surprising to you, since it appears to contradict received wisdom, little if anything would be seen as wrong by other experts in the cybersecurity field.

This book is for ordinary computer users using their personal devices, e.g., laptops, phones, and the like. Work computers may have different requirements because of the specialized needs of the organization, and that’s true even for small businesses. It’s also not aimed at people who may have particular security problems—if, say, you’re the deputy director of some three-letter agency, you might be targeted by hackers who have unusual powers and different goals. The precautions I suggest here are almost certainly insufficient for you. You know and I know that you wouldn’t be careless enough to put classified information on a home computer—but do those spies know that?

This book is released under a Creative Commons 4.2 BY-NC-ND license. Feel free to share!


    Preface
  1. Introduction
  2. Software and Updates
  3. Passwords and Authentication
  4. E-Mail
  5. Browsers and the World-Wide Web
  6. Scammers and Phishers
  7. Internet of Things
  8. Odds and Ends
  9. Privacy
  10. Artificial Intelligence
  11. Recovering from a Breach
  12. Physical Security
  13. Security Myths and Misconceptions
  14. Passwords
  15. Web Sites
  16. Software Security
  17. Threat Models
  18. Other
  19. Conclusion
  20. Security Principles
    References
    Index
    Credits

The content of all six versions of this book is the same, but they differ in formatting. All PDF versions are intended for double-sided printing.

This is version 1 (April 30, 2026). I may create other versions; if so, they're most likely to be typo fixes and the like, but if you have substantive suggestions I'm all ears (or eyes…).