A close friend of mine, an elderly gentleman from the old country (in every way), is going through a terrible time right now. Part of his struggles includes someone he knows hacking into his email account. When he asked me ‘…why can’t I just hack into the account to take it back?’ I had to tell him that there are legal as well as ethical implications to my doing that, implications that would absolutely result in my losing licenses, and he backed down. When I told him that he has to call the police and an attorney he got very emotional. The cyber threat actors are people who he loves and once trusted.
As I commiserated over the situation with a colleague, they asked me how I could let it happen. I asked what they meant, and they said ‘You are his friend… you are the person he has usually turned to for advice on his computer. You are a cybersecurity guy. How could you let this happen?’
To a greater or lesser extent, the colleague is right. I have been my friend’s computer guy for a decade. My friend is one of the few people for whom I am happy to work and consult for free… no exceptions. With that said, I take zero responsibility or blame for what happened. Why not? In order for my advice to work, you have to follow it.
- You have to change your passwords regularly.
- You can never share your passwords with anyone. No my friend, not even with me. Yes I am glad that you trust me with your life… please do not entrust me with your passwords.
- You must use different passwords on every account. No, there are no exceptions to that rule either.
- If you have ever entered your password on a device that has been stolen or compromised then you must change that password immediately.
None of these points are particularly insightful. They are all common sense. The following conversation happened a couple of months ago:
Mitch: Friend, you need to install an authenticator app on your phone.
Friend: My phone is too old… it won’t support it. Also, I do not want to have anything on my phone.
Mitch: We can look at other ways of implementing multifactor authentication, such as text codes.
Friend: All of this is too complicated. I simply want to be able to use my email. I don’t want any of these extra steps.
Mitch: Friend, I cannot keep you safe if you won’t take my simple advice. These steps will add an extra second or two to your day, but can keep you safe.
Friend: Why are you worried? There are only a few people I trust with my email.
Mitch: Yes but the list of people who have had access to your email includes someone that you used to trust but don’t trust anymore.
Friend: Don’t worry, I changed the password like you told me to.
Mitch: From what I can tell, you have three or four passwords that you use for everything. Please pick something completely new.
Friend: You are a good friend. Thank you!
My mistake was thinking that he meant, ‘You are a good friend. Thank you, I’ll do that!’ No, that is not what he meant. He meant ‘You are a good friend but you worry too much about these things, and my way is just fine for me.’
I have been told that I am pretty good at cybersecurity. I do not feel that I need to pull out my curriculum vitae for any of my readers to know that. Even were I not certified up the wazoo for large enterprises, and even if I did not consult for and teach government agencies and militaries, I would still be pretty adept at protecting individual users. Use hard-to-guess passwords. Don’t share those passwords. Use Multifactor Authentication (MFA). Apply security patches in a timely manner. Don’t click on links in scam e-mails (and here is what to look for, but if you are ever unsure then forward it to me and I’ll tell you). The list goes on, but it is really just a lot of common sense. All of it should go without saying… but it does not. Staying safe in the digital age takes a bit of extra work… but it is absolutely worth the effort and energy required.
Three weeks ago I was frustrated with something my friend said and I told him in exasperation that he needed to swap out his smart phone for something new enough to support the security that he needs. He yelled at me for disrespecting him and his phone, and then hung up on me. It took three days to get him to speak with me again. I felt horrible for losing my patience with him. I’ll bet you a shekel that he now wishes that he had followed all of my advice that day.
There is a huge difference between hearing what you need to do and doing what you need to do. My friend heard… he did not do. Like so many people out there, he vastly underestimated the consequences of a security breach, and he probably ‘knew’ that it would never happen to him.
Where does that leave us? This morning I had to instruct a very close friend that his only course of action was to call the police on a close family member. It broke my heart. It broke my friend’s heart. While there is nothing more that I can do, and while I will lose even more sleep over the terrible situation that my friend finds himself in, I will not take any blame for myself. I did not tie my friend to a chair and yell at him to follow my advice or else. He is an adult, and while as his friend it is my duty to tell him what he should do, I cannot then tell him that he must do it… and then watch over him as he does it. You can lead a horse to water but you cannot make him drink.
Staying safe online is not rocket science, and it does not require degrees or certifications or higher education. It simply requires a healthy dose of common sense mixed with a basic understanding of what the consequences of a breach can be. A very basic meatspace** analogy would be crossing the street: Children may not know why we have to cross at the crosswalk, wait for the signal, and even then we look both ways before crossing the street; when we explain to them that by not doing so we risk getting hit by a car and getting extremely hurt or even dying, they will then hopefully follow the basic common sense precautions. In cyberspace we think we are safe… despite hearing myriad horror stories of people getting hacked, having their bank accounts emptied, their identities stolen, their reputations ruined… but they still don’t see the danger despite everything we tell them. It is frustrating – it is often infuriating. We have to simply continue to tell them about the importance of staying safe online… and hope that the message starts to sink in. With our kids we can force them to hold our hands when we are crossing the street… until they are too old for that and we have to just let them out into the world and trust that they learned the lesson. With our friends… they are already too old for that, and we have to hope and pray… and then we help them to pick up the pieces after they have been splattered all over the cyber road by the proverbial cyber (lower case, no reference to any actual product intended!) truck.
Conclusion
The first time I ever delivered a lecture on password complexity was nearly twenty-five years ago. It was a lunch-and-learn seminar at the office of the small security company where I was working. Has my advice changed since then? I don’t know if ‘changed’ is the right word; it has certainly evolved slightly with the advent of multifactor authentication. Have the stakes changed? Absolutely. How so? There were people banking online in the year 2000… but not many of them. The concept of social media existed… but there were no huge platforms like Facebook, Instagram, or Twitter/X. Friendster and MySpace came to the Internet in 2002/2003, but the social media platforms from 2000 were all sites you have probably never heard of… SixDegrees.com, Bolt, and Xanga as three examples (yes, I had to look them up). In that year there were only 361 million Internet users worldwide… hardly enough to steal an election or manipulate entire generations. Today, your entire life is online, whether you like it or not.
The long and the short of it is that when people like me tell you that secure passwords are important it is not because we get paid to nag you; it is because secure passwords are important. Your lives, your livelihoods, your everything is at stake. Listen to us, we are not shouting these messages from the rooftops for our health or because we enjoy nagging you. It is because we care about you. We care about the integrity of the online world… and we are sick and tired of sharing the horror stories of friends who refused to listen to us until it was too late.
**The term ‘Meatspace’ dates from the mid-1990s to mean the real (physical) world, as opposed to the on-line Cyberspace.