Let's JAM!

Why most people don't need to worry about #Vault7

As I go through and read about the #Vault7 release as well as some of the reactions (both on social media and mainstream news) I'm amazed at how much sensationalism there is. Maybe I shouldn't be, but I am. Luckily Taylor Swift always keeps me sane:

One of the things that I think is often forgotten in the CyberSec industry (including by myself) is how many of the things we suggest to improve security would do nothing for the average person.

I have an awesome system for passwords. I use a Yubikey which houses my GPG key. I then use the Linux tool "Pass" to manage my passwords. I randomly generate all of my passwords and sync them across devices using Git via SSH. I host the Git repository myself. I store a backup of the GPG key on paper in my safe, and that backup is encrypted with a password.

It gives me everything I want in a password storage system. I have syncing without trusting a third party, everything is entirely open source (minus the Yubikey hardware & firmware), it legitimately requires something I physically have (Yubikey) along with something I know (PIN), and lastly it's pretty cool.

I would never, ever in a million years suggest that anyone else use this. It's overly complicated, solves problems that are extremely low-risk, and is quite honestly a pain in the ass. I'll need to log into a service and my Yubikey is in my coat. It takes me 5 minutes to log in instead of 30 seconds. And let's not even talk about the times where I forget or lose my keys.

With the #Vault7 release a lot of people have been talking about Signal being hacked, Smart TVs being used as microphones, etc. While this is certainly a problem, zero days are not the significant risk we need to be worried about for consumers. Are you a high value target? You should probably be worried. The average person, however, can't differentiate between a phishing email and a legitimate one.

I literally had a friend of a friend call me a few weeks ago. His voice was trembling and he was legitimately afraid because he had received an email from "PayPal" saying that a transfer had been made. He called his bank, he called me, and he was absolutely terrified. And he doesn't even have a PayPal account! (The good news is he didn't click on the link and did all the right things, but he was legitimately terrified).

The average person still has trouble with situations like this. As technologists we shouldn't be encouraging outlandish solutions like my Yubikey setup to people who open any email attachment they receive or have a 2-year-old version of Flash installed. Even very, very basic security hygiene should be the first thing that we suggest. After they have a decent understanding of the basics, then things like Signal and password managers become significantly more valuable. If you don't, you're putting bulletproof glass in the windows while the front door sits wide open.