
WIRED

Internet Expert Debunks Cybersecurity Myths

Cybersecurity expert Eva Galperin helps debunk (and confirm!) some common myths about cybersecurity. Is the government watching you through your computer camera? Does Google read all your Gmail? Does a strong password protect you from hackers? Will encryption keep my data safe? Eva answers all these questions and much more. Eva Galperin is the Director of Cybersecurity at the Electronic Frontier Foundation. Updated 8/20/2020: A previous version of this video incorrectly stated that Google scans Gmail data to target ads. Google stopped this practice in 2017.

Released on 07/29/2020

Transcript

It is vitally important

that your password not be the same

across different platforms,

because when platforms get compromised,

the usernames and passwords sometimes get dumped

and passed around among hackers.

Hi, my name is Eva Galperin.

I work for the Electronic Frontier Foundation

where I am the director of cybersecurity,

and I'm here to debunk some myths about cybersecurity.

[bright music]

The government is watching me through my camera.

It is possible to remotely trigger somebody's camera

if you install a remote access tool on their device.

That is something that hackers do.

That is something that criminals do.

That's something that governments do,

but in order for the government to install the software

that they need to do in order to track you

through your camera, they need a warrant from a judge.

It is more likely that you will be watched by hackers,

or if you're a student, by your school,

than it is that you are going to be watched

by the government.

Since it is possible for someone to turn on your camera

without the little green light going on,

if you would like to make sure

that when that happens that they don't see anything,

then it is recommended to put a sticker over your camera.

Most people aren't targeted with this stuff,

and usually you don't have to worry.

What I recommend that people do is

that they download antivirus software

from pretty much any antivirus company

and just run a scan on the highest setting.

The dark web is a scary place full of illegal activity.

The dark web is a network of websites

that you have to use something like Tor browser

or any of the other sort of

guaranteed-to-be-anonymous browsing applications

in order to get to.

And it can be any kind of website.

This is not necessarily just used for selling drugs

and trading child porn.

For example, Facebook has a dark website.

They have a .onion site that you can only get to

if you are logged in using Tor.

Tor and other applications like it

are not just used by criminals.

The other people who frequently need anonymity online:

journalists, activists,

people who are talking to journalists,

and of course, people in authoritarian countries

who are very worried about their government spying

on their social media use.

Tor browser, originally funded by the US Navy.

The government needed a way

for people to be able to go to websites

and maintain their anonymity

and not have their digital footprint seen

by the people who were running the websites.

Privacy is dead.

If privacy was dead,

governments and law enforcement wouldn't have to keep trying

to kill it by proposing new laws

and talking about all of the stuff

that they can't possibly get into.

But most importantly, privacy is not about living

as a hermit on a mountain by yourself,

never communicating with anybody.

Privacy is power over your information.

Understanding what kind of trail you leave behind

enables you to limit that trail,

or enables you to limit who can see that trail.

The kind of security and privacy advice

that you give to people really varies person by person,

but there are a couple of things

that are good for everybody,

like eating your broccoli and taking your vitamins.

You should have long, strong, and unique passwords

for all of your accounts.

And you turn on the highest level

of two-factor authentication you're comfortable using.

Take your software updates.

This is how you benefit from the work of the security team.

And finally, that you actually sit down

and you think about your threat model.

You think about what you wanna protect

and who you wanna protect it from.

Google reads all my Gmail.

Google actually does read all of your Gmail.

Google is storing all of your email

if you are using a Gmail account.

They automate scripts which read the contents of your mail

and who you're mailing back and forth to.

What they do not do is read your email

and then tell the government what's in it.

Google has extremely strict privacy rules internally,

and if a government or law enforcement wants

to get their hands on this data,

they have to show up with a subpoena

for the metadata or a warrant

for the actual contents of your email.

But there is a difference

between protecting your data from hackers,

protecting your data from advertisers,

from governments and law enforcement.

A strong password protects you from hackers.

This is partially correct

in that a strong password is one of the things

that you need in order to secure your account.

It is vitally important that your password not be the same

across different platforms,

because when platforms get compromised,

the usernames and passwords sometimes get dumped

and passed around among hackers,

and hackers will do what we call credential stuffing,

where they try to get into your account

using these old passwords from other platforms.

You should also be very careful

about your security questions.

Your security questions are usually things about you

that a person who knows you relatively well knows.

A person who knows you well might know the name

of the street that you grew up on,

or the name of your favorite teacher,

or your favorite breed of dog.

And so instead of answering those questions truthfully,

I recommend answering them

as if they are simply more passwords.

So now you have a different, long, strong,

unique password for every account,

and trying to remember them all is a pain,

and this is why I recommend using a password manager,

which you install on each of your devices

and will generate new passwords for you.

That way you can make sure

that you never forget your password

as long as you remember the single password

to your password manager.

So how often should people change their passwords?

Sometimes programs or companies will require you

to change your password every 30 days or every 90 days.

This is actually not helpful at all.

It turns out that users create shorter

and more memorable passwords

when they have to change them all the time,

that they don't change them very much,

and therefore you're not actually getting

a big gain in security.

Your best bet is what we call Diceware,

where you use somewhere between five

or six randomly generated or randomly chosen words.

That way you get a very long,

very difficult-to-crack password

that is also fairly easy to remember.

Encryption will keep my data safe.

Encryption is scrambling the data

or the metadata so that it is not possible

for somebody who sees it to read the information

that you are sending.

Encryption is used in two very different ways

on the internet.

One is called encryption in transit.

Encrypting data in transit is

if you look at your browser and you see the URL

at the top of your browser,

you'll see that it probably starts with the letters HTTPS.

The S at the end there stands for security.

It means that the information

which is being sent between you

and the website that you're going to is encrypted

so that anybody else who is sitting on the network,

somebody else in your coffee shop,

the IT manager at your office,

whoever it is that runs the network at your school,

all of those people can only see

that you are going to the website

and they can't see specifically what page you're going to,

and they can't see what it is that you're doing there.

For example, they can't see

what pictures you're downloading,

or they can't see what password you're entering.

The other kind of encryption is end-to-end encryption.

When you encrypt something in transit,

you are trusting the person who runs the website,

but no one else.

And when you are doing end-to-end encryption,

you don't even have to trust the person

who runs the website.

The only person that you're trusting is the person

that you are messaging,

and that is because you have an encryption key,

and the person that you're sending a message to

has an encryption key,

and that is how these things get locked down.

The good news is that there's a lot of powerful encryption

that's being used to protect you every day,

and you don't even know it.

WhatsApp, for example, has more than a billion users

all over the world,

and their messages are end-to-end encrypted.

But what's most important is to understand

where your data is going, who has access to it,

and what they would have to do in order to access it

if you did not want them to.

Public wifi is safe.

Back before the majority

of the web was encrypted using HTTPS,

it was extremely easy for anybody

who was sitting on the same network as you,

including somebody sitting on the same public wifi as you,

sitting in a cafe with you,

to not only see everything that you were browsing

and everything that you were typing in,

but also to inject false information

into that stream so that you would,

say, type your password into a website

that the hacker controls,

and now the hacker has your password

and they can log into your stuff.

It used to be extremely unsafe,

and it was really common

for hackers to hang out on public wifi.

This is less true now that the web is mostly encrypted.

A lot of people recommend using VPNs.

VPN stands for virtual private network.

It is just a way of creating a tunnel

between you and wherever your VPN is

in order to protect your browsing or your internet activity

from whoever is running the network that you're on.

For example, if you are in a hotel and you use hotel wifi,

and you log into work using your VPN,

the hotel can only see that you logged into the VPN.

They can't see what your traffic looks like.

But work can see all of your traffic,

and so you need to be able to trust them.

Cyber attacks are the new warfare.

Most of what we think of as cyber warfare

is actually cyber espionage,

and in the cases where there is cyber warfare,

that's extremely rare.

Probably the most famous example of that is Stuxnet,

when the US and Israel worked together

on a piece of software which broke the centrifuges

that the Iranian government was using

in order to refine radioactive materials

for their nuclear weapons program.

But really, it almost never happens.

What is important is

that governments are not the only threat actors out there.

For the most part, if you are an ordinary person,

you are more likely to be targeted by criminals,

by hackers who want your money.

A lot of what people think of as hacking

is actually security research,

people who are trying to break systems for the better

in order to inform both users

and the people who make the systems

about these vulnerabilities

before bad people take advantage of them.

The hacker mentality can be applied to anything.

Hacking is not about being a bad person.

It is about understanding systems and subverting them.

Understanding the limits of surveillance

and of hacking is really important

in order to build out a place for yourself

where you can feel safe

and where you can understand where your information is going

and who has access to it.

Starring: Eva Galperin
