Except when they don't.
Ex-CISA officials, CISOs dispel 'hacklore,' spread cybersecurity truths
Afraid of connecting to public Wi-Fi? Terrified to turn your Bluetooth on? You may be falling for "hacklore," tall tales about cybersecurity that distract you from real dangers. Dozens of chief security officers and ex-CISA officials have launched an effort and website to dispel these myths and show you how not to get hacked for …
COMMENTS
-
Tuesday 25th November 2025 06:41 GMT doublelayer
Is this really the priority?
None of the things they're talking about are entirely wrong, and most is entirely correct. However, I have to question whether dispelling some "myths", some of which I would rather characterize as "exaggerations", is really going to help much. For example, I think they're right that there's no history of actual attackers using public USB ports in their attacks; it's too unreliable. Is there really much effort going into telling people that this does happen, and is correcting that misconception something we need to spend time on?
That's more than I can say for a few of their items. Scanning QR codes, for example. I'll admit that I have seen people who warned against these so vehemently that the unacquainted user might think that simply scanning these could entirely disable all their security, and they could ramp down on the hysteria somewhat. The fact remains though that a QR code is just a URL, and it can do anything that a URL can. When we tell people not to click on phishing links, it's for reasons. A QR code that goes to a static page is probably safe unless the attacker has a really nice vulnerability, but if someone had a QR code that led to something where you would enter account or payment information, that is something an attacker could easily modify. And yes, that does happen in the wild, and while that warning was published when they only found one of them, it was done in such a way that thousands could have been deployed very easily. I get it, educating people on what the actual danger is and how to not face it, explanations that include phrases such as "investigate the URL" which the people who most need it don't want to do, is difficult and annoying. Being too blasé about the risk is not better than being too strident. Only one of their examples, that of password rotation, is incorrect to the extent it's actively causing harm. Focusing too much on de-exaggerating the others may not be the best use of effort.
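The "investigate the URL" step from the post above, as an added example that is not from the article, this thread, or hacklore.org: a small Python script that inspects the text a scanner decoded before anything opens it, and reports the scheme, the host actually reached, the apex domain and any red flags. It uses only the standard library; every sample payload is constructed, the `.example` hosts are placeholders, and the apex-domain heuristic (last two labels) is a deliberate simplification that ignores multi-part public suffixes such as co.uk.

```python
"""Inspect the text decoded from a QR code before anything opens it.

Added example for this thread; not from the article or hacklore.org. Uses
only the Python standard library, and all sample payloads are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https"}


def inspect_qr_payload(payload: str) -> dict:
    """Describe what opening a decoded QR payload would do.

    Returns a dict with 'kind' ('text' or 'url'), the parsed scheme and host,
    an 'apex' domain (last two labels: a heuristic that ignores multi-part
    public suffixes such as co.uk) and a list of human-readable warnings.
    """
    text = payload.strip()
    result = {"payload": text, "kind": "text", "scheme": None, "host": None,
              "apex": None, "warnings": []}
    parts = urlsplit(text)
    if not parts.scheme:
        return result  # plain text (menu number, serial, ...): nothing to open

    scheme = parts.scheme.lower()
    host = parts.hostname or ""  # urlsplit lowercases and strips userinfo/port
    result.update(kind="url", scheme=scheme, host=host)
    warn = result["warnings"].append

    if scheme not in WEB_SCHEMES:
        warn(f"non-web scheme '{scheme}': may launch an app or a system action")
        return result
    if scheme == "http":
        warn("plain http: anything you type on the page travels unencrypted")
    if parts.username is not None:
        warn("userinfo before '@': the name you see is not the host you reach")

    try:
        ipaddress.ip_address(host)
        warn("raw IP address as host: no domain name to judge it by")
        return result
    except ValueError:
        pass  # a normal hostname

    labels = host.split(".")
    result["apex"] = ".".join(labels[-2:])
    if any(label.startswith("xn--") for label in labels):
        warn("punycode label: host may be a look-alike of a familiar name")
    if len(labels) > 3:
        warn(f"deep subdomain: you are trusting '{result['apex']}', "
             "not the leading labels")
    return result


def summarise(payload: str) -> str:
    """One line a scanner app could show before offering an 'Open' button."""
    r = inspect_qr_payload(payload)
    if r["kind"] == "text":
        return f"text (nothing to open): {r['payload']!r}"
    flags = "; ".join(r["warnings"]) or "no obvious red flags (still check the apex domain)"
    return f"{r['scheme']}://{r['host']}  apex={r['apex']}  -> {flags}"


# Constructed sample payloads, as a QR scanner would decode them
SAMPLE_PAYLOADS = [
    "https://www.example.org/menu",
    "http://203.0.113.5/pay",
    "https://bank.example@evil.example/login",
    "https://xn--pypal-4ve.example/",
    "https://bank.example.com.login-verify.example/secure",
    "WIFI:T:WPA;S:cafe;P:secret;;",
    "Table 12",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(summarise(p))
```

The point of the split into `inspect_qr_payload` and `summarise` is the one the thread keeps coming back to: the decoded text is shown and judged first, and opening it is a separate, deliberate action.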
-
Tuesday 25th November 2025 08:42 GMT BBRush
Re: Is this really the priority?
Also not forgetting that a lot of the QR code phishing came through otherwise well configured mail servers without a problem because it was "just" an image file. Users then took out their mobiles and scanned the QR code away from all the protections of the managed corporate devices.
So they can be a legit source of effective phishing, more so than a link or a pdf with a link.
Back to the article, I kind of agree with what they are trying to do, but at the same time, personal IT security is a mindset and small things can be important attack vectors if your role changes or you go to a part of the world that has a different set of surveillance goals.
-
Wednesday 26th November 2025 08:36 GMT FeRDNYC
Re: Is this really the priority?
Is this really the priority?
Well, it's the priority of that site, because it was built for the sole purpose of combating vulnerability misinformation. Which is to say, it's not occupying space used for any other purposes, or pushing out any other type of information -- so it doesn't really seem to be a question of prioritization. There's nothing more important for the hacklore site/team to focus on instead of this.
And in terms of overall priority within our collective lives and attention, I guess it comes down to, "people can think about more than one thing". Is it the highest-priority issue facing the world right now? Obviously not. But is there so much else going on that we can spare no time for this? I would argue, also no.
None of the things they're talking about are entirely wrong, and most is entirely correct. However, I have to question whether dispelling some "myths", some of which I would rather characterize as "exaggerations", is really going to help much. For example, I think they're right that there's no history of actual attackers using public USB ports in their attacks; it's too unreliable. Is there really much effort going into telling people that this does happen, and is correcting that misconception something we need to spend time on?
Well, there I think it is about priorities, because people can only do so much to keep themselves safe, and any time they waste on meaningless, folklore protections against imaginary threats is time that could've been better spent preparing for actual threats. Not to mention, when it comes to physical vulnerabilities like USB connections, there are entire cottage industries springing up devoted to selling woo "defenses" against this kind of stuff. Helping people not waste their money on bullshit security products is a noble undertaking, IMHO.
Also, I don't think end users are the sole audience for the site or its messaging, possibly not even the main audience. One of its purposes is surely to educate the journalists who perpetuate exactly the sort of hacklore that prompted the site's creation. If they can stop the endless flood of misinformation, end users won't need to be disabused of those wrong-headed notions as much.
-
-
Thursday 27th November 2025 16:02 GMT doublelayer
Re: Is this really the priority?
To clarify, only the password rotation example from their list is a true myth. Password rotation, when the passwords aren't known or suspected to be compromised, is often recommended and does more harm than good.
The rest of the items on their list may be exaggerated but all are possible and most happen from time to time. Insecure public WiFi isn't a myth. Cookies are used in tracking and clearing them doesn't hurt if you're prepared to log in to things more often. I already mentioned the QR codes and USB charging ports in the last message. If I had to pick another that's close to myth status, it would be the Bluetooth and NFC functions, but I don't know that many people who actually think you have to disable those all the time for a security reason. Most who do cite battery life as the reason, and they're also mostly wrong, but that's not a security issue and it's their problem. Most of their things are exaggerations, but that's not the same as what they're claiming and doesn't make them important.
-
-
-
Tuesday 25th November 2025 12:58 GMT Bebu sa Ware
Sort of agree …
I wouldn't disagree with their take but I would be more enthusiastic if their www.hacklore.org web site didn't require javascript to access anything other than their open letter.
For anyone in IT it is pretty clear that wagon loads of bullshit and gratuitous theatre typically delivered by the ITsec fraternity can largely be ignored with very little risk.
Unfortunately the vast majority of the polloi are unable to distinguish between the bullshit and any genuine actionable security advice.
Computers, phones, the internet and pretty much everything are, for them, as opaque and incomprehensible as "magick" was to our distant forebears. It is a different and arguably retrograde reality compared with that of my grandparents' times.
-
Tuesday 25th November 2025 17:40 GMT Cav
How would we know if repressive regimes have used juice-jacking? I've flown all over the world. The first thing people do on stopovers is connect their phones to USB cables in airports with no knowledge of what's on the other end. You'd have to be insane to connect to any device/cable you don't control.
The problem with dispelling these "myths" is that the average person will take it to mean that private wifi is now considered safe. QR codes are safe etc.
One of my own kids had a bluetooth request to pair from an unknown device. Thankfully, I saw it. So yes, I will disable Bluetooth unless it is necessary for a particular task and will then turn it off after use.
-
Wednesday 26th November 2025 16:41 GMT Anonymous Coward
Yep. I've got a USB-A data blocker and have used it. Given the vulnerabilities in phones, why would I take the chance that the convenient, free USB charging jack is safe to use? My QR code reader displays what is encoded in the QR code, and I have to hit a separate button to actually open it as a link. Gives me a chance to check it first. And as I rarely use bluetooth, I keep it off, both for power and security reasons. Public wifi can be malicious - it could have been configured (possibly by an attacker rather than the owner) to point to a poisoned DNS server, for instance.
But yes, routinely rotating passwords has a tendency to weaken security. Make it long but memorable to you (and nonsense to others), then you don't need to change it.
-
Saturday 29th November 2025 05:50 GMT The Organ Grinder's Monkey
Aren't there simple charging leads available that don't have the data lines? These would presumably be hack proof, but would also prevent all the fast charging modes (which I always turn off on day one of a new device in the interest of long battery service life, so wouldn't bother me, but ymmv as ever.)
-
-
-
Wednesday 26th November 2025 02:05 GMT Claptrap314
I love you.
Remember the I love you urban legend? Remember the legendary post debunking it? Remember the advent of Outlook, and the very real (and arguably most damaging of all time) I LOVE YOU virus?
I would rather have the unwashed masses afraid to scan QR codes than not. I would rather have the unwashed masses afraid to turn on Bluetooth than not. The list goes on and on.
The first rule of communicating to the public:
"No one in this world, so far as I know—and I have searched the records for years, and employed agents to help me—has ever lost money by underestimating the intelligence of the great masses of the plain people. Nor has anyone ever lost public office thereby. The mistake that is made always runs the other way. Because the plain people are able to speak and understand, and even, in many cases, to read and write, it is assumed that they have ideas in their heads, and an appetite for more. This assumption is a folly" -- H. L. Mencken
If you want people to act on what you say, you must be willing to give up all but the most crude of subtleties. The average person completely stops any semblance of comprehension at the first conjunction, and might well lose prepositions as well.
-
Sunday 30th November 2025 12:44 GMT tiggity
Think:
install patches:
Many phones soon become unsupported (android faster than iPhone usually) - not everyone can afford latest & greatest.
A lot of unpatched Win 10 machines as users cannot upgrade to Win 11 (due to artificially high hardware requirements) & a lot of people cannot afford a new machine (or feel confident installing Linux instead)
keep software up to date - see above - not everyone has money to burn, lots of unsupported EOL devices around (not helped by devices happily* being sold to mug punters when EOL is imminent & so some "new shiny" is rapidly out of support)
turn on multi-factor authentication - Worth noting that a mobile phone is easily stolen (or just broken) & can become a single point of failure for the many MFA solutions that are mobile based.
They said avoiding public Wi-Fi is needless - MITM attacks can occur, you do not have to be a juicy target, credential harvesting has been done by setting up a MITM exploiting Wi-Fi point (if I was doing it, would not be after specific targets, just pick somewhere busy & where some users relatively unfamiliar with the Wi-Fi in that area e.g. a train station, shopping centre etc. & may use my "poisoned" Wi-Fi)
They said never scanning QR codes is needless - QR code scams are still ongoing. The big drawback (especially for less clued-up users) is that with a QR code the user cannot see the URI before activating it, made worse by many default web browser displays (especially on mobile, where the user is typically scanning the QR code from) not clearly showing the URI details (again more risk for less clued-up users)
.. as @MaChatma CoatGPT 2.0 said " I look at that list of people/companies and alarm bells start to ring"
and echoing @Bebu sa Ware
" more enthusiastic if www.hacklore.org web site didn't require javascript to access anything other than their open letter."
.. needless JS is bad, any half decent security info site should drill into users the risk of JS & try & avoid it themselves.
.. also stares at UK ineptitude at https://www.ncsc.gov.uk/
* Ignoring the cesspool of mobile phone sales & dubious support (Android especially), Microsoft stopped selling new computers with Windows 10 pre-installed at the end of Jan 2023 - though you can guarantee that they were still being sold by retailers long after that date & you have to wonder how many didn't meet the hardware requirements for the Win 11 upgrade. Support for Win 10 ended October this year