01/05/2018

How To Improve Your Cybersecurity

25:27 minutes

They just don’t make cybersecurity the way that they used to. Photo by Josh Graciano/flickr/CC BY-NC-SA 2.0

Living in a digital, connected world comes with risks. There are certain vulnerabilities that are difficult to protect yourself against—like the recent Equifax security breach that exposed millions of social security numbers. But there are ways to build up your personal digital security when it comes to your devices and how you decide to share your information. Engineer Micah Lee and Jason Koebler of Motherboard help us sort through encrypted messaging, password managers, and VPNs to increase your cybersecurity safety and IQ.


Segment Guests

Jason Koebler

Jason Koebler is Editor-in-Chief of Motherboard, based in New York, New York.

Micah Lee

Micah Lee is a security engineer at The Intercept in Berkeley, California.

Segment Transcript

IRA FLATOW: This is Science Friday. I’m Ira Flatow. Now that the gift-giving season is over, how many of you are still trying to figure out how to set up your new smartwatch, or tablet, or your security camera? Or to get Alexa or Google to respond to your requests?

All these wireless, geeky gadgets are fun, aren’t they? But how can you guard against hackers who might be trying to break into your WiFi-enabled refrigerator, or dryer, or whatever, and commandeer your system? We’re going to talk about how you can beef up your digital security, and avoid getting hacked.

My guests are going to be our guides into the world of stronger passwords, encrypted messaging, and all other ways to up your cybersecurity game. And if you have questions, give us a call. 844-724-8255. You can also tweet us @scifri.

Let me introduce my guest. Micah Lee is a software developer. He’s also a security engineer at The Intercept based out of Berkeley. And Jason Koebler is editor-in-chief of Motherboard, based in New York. He’s here in our CUNY studios. Welcome to both of you.

JASON KOEBLER: Hey. Thanks for having me.

MICAH LEE: Thank you.

IRA FLATOW: This has been some season. It’s impossible to protect everything, is it not, Micah? I mean, how do you decide– the official term is threat modeling. Is that right? How do you–

MICAH LEE: Yeah.

IRA FLATOW: How should you prioritize what you want to protect?

MICAH LEE: Yeah, threat modeling is a very important thing to do when you’re trying to figure out what you want to protect because the simple fact is that it’s impossible to protect everything. There are– It’s really just how much effort you want to put into protecting stuff.

So it really makes sense to figure out exactly who you think might be after you, or your information, and what’s important to you to protect. And then focusing your energy on that.

IRA FLATOW: All right. Let’s get into some of those details. But first, Jason, I want to get into this flaw in the chip we’ve been hearing about. Intel announced a flaw in a chip that could make hardware vulnerable to hackers. And it’s almost just about every computer.

JASON KOEBLER: Yeah, so it is every computer that has an Intel chip going back to at least 1995. So we’re talking about billions of devices. This vulnerability has been called Spectre and Meltdown. And basically what it does is it allows hackers to gain access to the kernel of the device which is the system memory that usually a user wouldn’t interact with. And it allows the hacker to basically knock down the wall between the system memory and the user’s memory so they can access pretty much anything on your device.

This is a bigger problem for infrastructure companies and big– like, ATMs and things that aren’t regularly updated. If you have an iPhone or a Mac, Apple has already pushed a software update that helps protect yourself against this.

And I think this will probably come up a lot during this conversation. The best thing you can do to protect yourself is to make sure you’re updating your software and hardware as often as possible. So if there are new firmware updates– something pops up on your computer that says, update this– you should probably do it, even if it seems pretty annoying.

IRA FLATOW: And there get to be many of them coming in. Let’s talk also about the very basics of security being a good password. We have a question from Twitter. Farmer Bonnie asks, is it true that we no longer need to substitute upper and lower case, numbers, and special characters to make our passwords more secure? Jason.

JASON KOEBLER: Yeah, I think that this is– common wisdom was always, you want a super complicated password that has special symbols, upper case, lower case. The problem with that is, it’s really hard to remember a password when it’s gobbledygook. So what we recommend is you get a password manager, such as LastPass or 1Password.

And what this does is, you have one master password. And then this password manager enters the login data for all the services you use. So it’s impossible to remember 300 different passwords, but the password manager remembers it for you.

So what we recommend when creating a master password is not to make something super hard to remember, but to make something that’s secure. And what that means is, make something that you’ll remember. It could be a string of words. It could be a sentence from your favorite novel or poem. Something that you’ll remember is long, not easily hacked, but doesn’t need to be a lot of symbols.

IRA FLATOW: Micah, is it better to get a password manager like the kind you were mentioning, or 1Password, or any of these free ones so that you don’t have to remember all these things?

MICAH LEE: Yeah, absolutely. This is one of the most important things that I think everyone should do, regardless of your threat model. Because the rationale behind it is that the worst thing you can do with passwords is reuse them.

And so if you have one password that you’re using for your Yahoo account, and then you’re using that same password on Amazon, and then there’s a giant breach in Yahoo that affects billions of users. And then hackers can just try that same password on Amazon, or on your bank, or other things to get in.

And so there’s a wide variety of password managers, and there’s different considerations into going into them. Do you want to use one that stores your password database in the cloud? Or do you want to use one that’s only local? Or how do you get your passwords on multiple devices?

But really, the most important thing is to just use a password manager and make it so that all your passwords for all of your different accounts are really strong and random. And so you don’t even know them. All you need to know is the one master password.

IRA FLATOW: And where do you store that password for the master password maker?

JASON KOEBLER: Ideally, you would memorize it, but you can write it down–

IRA FLATOW: Put it on a piece of paper. Stick it in a drawer somewhere.

JASON KOEBLER: Yeah, that comes back to threat model. If you’re trying to hide something from the NSA, they’re not going to break into your house and look in your drawer for your password.

IRA FLATOW: Let’s go to the phones. Go ahead, did you want to say something?

MICAH LEE: Oh, yeah. Just every time I occasionally have to memorize a new, very strong passphrase and every time– and my method for it is, I write it on a piece of paper. And then I put that paper in my wallet. And then every time I try typing it, I just try typing it without looking, and I look if I need to.

And it generally takes me one or two days before I’ve completely memorized it, and don’t need to consult the paper anymore. And then I destroy the paper.

IRA FLATOW: All right, let’s go to the phones. Let’s go to Berkeley, to Peter in Berkeley. Hi. Welcome to Science Friday.

PETER: Hi. Can you hear me OK?

IRA FLATOW: Five by five, as they used to say.

PETER: I’ve had a really strange thing where I have to log in twice in a row to my iMac. And this also happened on my Airbook sporadically, and periodically, and very annoyingly several times months ago. And then it happened sporadically on the iMac. And then it started happening consistently for the last 10 days.

IRA FLATOW: All right. Let me get–

PETER: And I’ve asked a couple of people, and they don’t seem to have ever heard of that.

IRA FLATOW: Well, we’ve got two smart guys here. Maybe they have heard of it. Let me ask Jason first. Any idea–

JASON KOEBLER: Honestly, I’ve never heard of this happening. I would suggest updating your operating system, but maybe Micah has more specific advice.

MICAH LEE: Yeah, I’m not sure. This sounds like something that would require sitting with you, and troubleshooting, and trying some stuff.

IRA FLATOW: You know what I found? This has happened to me, but in a different– when I try to log into my Google account, I find I’m typing too quickly on my keyboard. And I’m hitting two keys instead of one sometimes. And if I do it– oh, I figured it’s something wrong with Google. No, it was my fingers weren’t working.

JASON KOEBLER: That’s very possible, yeah.

IRA FLATOW: That’s possible. Let’s talk to Micah. Let’s talk about two-factor authentication. It’s a good way to protect your account? Should we all be using that?

MICAH LEE: Yeah, two-factor authentication makes your life slightly more annoying, but it makes your accounts way, way, way more secure. And so the reason is– OK, so this is how two-factor authentication works.

Normally when you log into an account– like your Gmail account– you use your username and a password. And two-factor authentication means you need something else besides just your password. And so a lot of times this is your phone.

And most people have probably experienced it– even if you didn’t really intend to enable it– for your bank, or for maybe a couple of other services, where– when you try logging in– it has a security check and sends you a text message with a couple of numbers. And you have to type those in. That’s an example of two-factor authentication.

But it’s the best way to protect yourself against spear phishing or against– if your password is somehow stolen, making it so that attackers still can’t access your account.

IRA FLATOW: But here’s a question I have for you. Let’s say– I don’t want this to happen to anybody. You’re in a car accident. You go to the hospital. You have your cell phone and left it at home, or it’s in the car.

And you need to log into your bank account to pay the medical bill, right? And you can’t, because you don’t have your phone with you anymore. You’re trying to log in, and it’s sending the second thing to your phone that you don’t have.

MICAH LEE: Yeah, this is exactly why it makes your life harder.

JASON KOEBLER: Yeah, I think that that possibility or hypothetical– it is an annoyance at times. You could be overseas is one thing. Like you’re on vacation. You’re at an internet cafe. You don’t have access to your phone.

What I will say is, it is the best thing you can do beyond updating your software and doing a password manager. If your password is stolen– someone tries to log into your Gmail from Romania– you’ll get a text message. Say, why is someone trying to log in from my Gmail in Romania? And you say, don’t allow it. And I think that is–

IRA FLATOW: Yeah, it’s worth the hassle.

JASON KOEBLER: It’s worth the hassle, yeah.

IRA FLATOW: Here’s a tweet from Bobby Arndt who says, are you still safe if you open a phishing email but don’t click the link? How can you recover your security if you accidentally click?

MICAH LEE: So you should be safe under almost every circumstance. But there are maybe a couple of circumstances where a malicious email might just directly hack your email program that you’re using. But for the most part, you should be safe if you get an email and don’t actually click links or open attachments.

And if you do click links, it really depends– I mean, a lot of this depends on what the type of attack is. But in a lot of cases, you can click a link and you’ll be fine as long as you don’t fill in your username and password.

So the way that a lot of phishing attacks work is, you get an email and it looks exactly like it’s from PayPal. And it says, we think your account is compromised. Log in to confirm that you, you know, something. And it looks very scary, but it looks like an official PayPal thing.

So you click a link. You get to a website that looks exactly like PayPal, even though it’s actually a fake website. And it’s asking you to log in with your username and password. And as long as you don’t type in your username and password, you haven’t yet been hacked. But this is also an example why two-factor authentication could totally protect you.

IRA FLATOW: I see. And a lot of times when you mouse over that little link, you can look at what the link says. It has nothing to do with PayPal, or any of that stuff.

JASON KOEBLER: They’re getting a lot more sophisticated, though. Yeah, some of these are pretty– they’re pretty impressive.

IRA FLATOW: Let’s talk about when you’re web browsing. Lots of sites use– you’ll see the URL say HTTPS, and you’ll see a lock icon in the left-hand corner. How does that work? Is it worth the risk if a site you really want to go to doesn’t have the lock on it?

JASON KOEBLER: Everyone should be using HTTPS. But this is one of those things where you need the sites that you’re using to actually use that protocol. So what HTTPS does is it encrypts the address that you’re going to.

So if you are going to Facebook and you’re looking at a certain group there, the actual URL that you’re browsing can’t be seen by your ISP or a potential hacker. They’ll just see that you’ve gone to Facebook. Yeah.

IRA FLATOW: Yeah. And let’s also talk about when you get to a lot of sites, I know a lot of people worried about Flash. Flash is being slowly phased out, but it’s still everywhere. But Flash has some security vulnerabilities, right?

JASON KOEBLER: Yeah, I think Flash is one of the most notoriously insecure pieces of software ever made, which is one of the reasons that Steve Jobs really famously hated it. It gave us a lot of cool games back in the early 2000s, late ’90s. But these days, there’s better protocols out there.

Unfortunately, a lot of websites still do use Flash for things like advertising and videos. And so what I would recommend– what I do on my computer– is I have a browser extension called ClickToFlash which means all Flash is disabled by default. But then if I really need to use something, I can enable it by clicking it and it turns it on.

IRA FLATOW: This is Science Friday from PRI, Public Radio International. Talking about cybersecurity with Jason Koebler and Micah Lee. Our number, 844-724-8255. Let’s go to Carter in Miami Beach. It’s a lot warmer than where we are, I hope, Carter.

CARTER: Hi, gentlemen. Hope everyone’s having a great new year so far.

IRA FLATOW: You, too.

CARTER: Thank you. So my question is in regards to VPN. So in doing a little bit of research, one of the things that I’ve found was that it seems to be slower than what your normal speeds would be. So I wanted to talk about that. How 5G as it begins to roll out towards the end of the next year, and 2020, can affect it.

And as well as, I’ve also seen different advertisements for different companies who offer $49 or a lifetime VPN membership and whatnot. Are these things– as technology proceeds to advance and change and whatnot, does it make sense even to look at something that’s a lifetime VPN membership?

IRA FLATOW: Good question. Yeah. What about VPN? Jason, what do you think?

JASON KOEBLER: Yeah, I recently tested a bunch of different VPNs. And I turned– I had them off, and I tested my internet speed. And then I turned them on, and I tested again. And you’re absolutely right. It often slows down the speed.

Some are better than others. The ones that I would recommend are called FREEDOME or Private Internet Access. Both of them are really easy to use. Both of them seem to slow down a connection, but not by that much.

How they will affect 5G, I can’t really say because we haven’t seen a working 5G network yet. The one thing that I would say is, you don’t want to use a free VPN. And–

IRA FLATOW: You don’t?

JASON KOEBLER: You don’t want to use a free VPN because often those– the reason for using a VPN would be to protect your privacy. And many of the free options sell your data. So they are chained to your connection, but they’re selling your data to a third-party on the other side.

The last thing about VPNs is, you definitely want to use them if you’re using airport WiFi or public WiFi like a coffee shop, McDonald’s, something like that. I use FREEDOME personally. I really like it. But I don’t use it all the time which is a personal preference. I don’t use it at my home, but I use it if I’m doing something sensitive– like for work– or if I’m in a public place.

IRA FLATOW: Micah you want to add anything to that?

MICAH LEE: Yeah, so I think that when you’re thinking about VPNs, an important thing to realize is that it’s basically your first hop onto the internet. So if you’re not using a VPN and you’re at the Starbucks public WiFi, then your first hop onto the internet is that WiFi network. And that’s a very insecure first hop, because anybody else at Starbucks can spy on you.

And maybe if you’re not using a VPN and you’re at your house, then your ISP– like Comcast– can see everything that you’re doing. And so this is one of– this is the reason why people use VPNs for privacy. But if you pick a VPN– just like Jason was saying– that is not good, then maybe you’re just getting spied on by somebody else. And so it’s important to pay for it.

IRA FLATOW: I have a web browser that has a VPN option built into it. Is that no good?

JASON KOEBLER: Is it Opera?

MICAH LEE: I mean–

IRA FLATOW: Yes, it’s Opera.

JASON KOEBLER: Yeah, I use their built-in one. I will defer to Micah here. I’ve talked to the folks at Opera and they seem to take privacy pretty seriously. But I will defer to the expert here.

MICAH LEE: Yeah, I mean I think that it really just depends. And if you’re considering using a VPN, for me the most important things to look at are their privacy policy. I would want to find a VPN that promises not to log what you do on the internet.

IRA FLATOW: Any suggestions for where to find them?

MICAH LEE: I really like one called Mullvad that’s based out of northern Europe. But I know some of the people that run it. And so that’s one of the reasons why I trust it.

IRA FLATOW: And that’s why we have you on the show. It’s not me giving out advice. All right, we’re going to take a break and talk lots more with our experts Jason Koebler and Micah Lee. Our number, 844-724-8255. You can also tweet us @scifri.

Talking about network vulnerability. We’re going to talk about some of the new gadgets that you guys got for the holidays. You know, everybody’s got these security cameras. Are we turning them all into attack platforms for us? We’ll talk about it when we get back. Stay with us.

This is Science Friday. I’m Ira Flatow. This hour, we’re talking about what you can do to avoid being hacked with my guests Micah Lee, software developer. Also security engineer at The Intercept based out of Berkeley. Jason Koebler, editor-in-chief of Motherboard, based here in New York. He’s with us in our studios here.

Our number, 844-724-8255. Lots of people interested in this. Lots of tweets are coming in @scifri. Micah, let’s talk about Amazon Echo. Are the other devices out there– Google– they’re always listening, right? Should we be fearful that they are sending stuff as we speak in the room?

MICAH LEE: I think we should absolutely be fearful of that. I think that there might be some products that are better to use than other products. And an example is Siri on iPhones. You can configure your iPhone to be always listening so that when you say, hey, Siri, it kind of wakes up. And then you could ask it a question.

And in that case– I specifically looked into this one– it’s always listening, but it’s always listening locally on your device. And it doesn’t actually send your recordings to Apple until after you say, hey, Siri. But then in other cases– I believe with Echo, it’s always listening but it’s just sending everything to Amazon.

IRA FLATOW: Would you say that Apple does probably one of the best jobs in keeping you secure more than other services?

MICAH LEE: Yeah, I think that they do a very good job at it. And I think that it appears to be their priority compared to a lot of other services.

IRA FLATOW: You have any–

JASON KOEBLER: Yeah, I would say– oh, go ahead.

IRA FLATOW: Go ahead. Go ahead, Micah. Finish.

MICAH LEE: I was just going to also point out that these always on, listening things, they might be useful for a lot of situations. I don’t know if they’re necessarily that much of a security risk, but they’re definitely a privacy risk. So you should consider, do you want recordings of what you’re saying in your living room to be stored on a computer somewhere else that you don’t own?

JASON KOEBLER: Yeah, I think it’s important to look at the business models of these companies. Google is primarily an advertising company. Amazon is primarily a company that is made to sell you products. And so there’s a reason why the Echo and the Dot are so cheap. It’s because they’re essentially extensions of the Amazon store.

Whereas Apple is in the business of selling hardware. It doesn’t have as many ad products. It’s taken security much more seriously, I would say. It’s made security and privacy core to its business model in a way that Google and Amazon haven’t.

IRA FLATOW: And these people– if you have a Google email account, you’ve already told them that you don’t mind them looking through all your emails, do you?

JASON KOEBLER: Yeah, I mean I would say that I don’t worry about that quite as much because Google has shown itself to be a company that takes security very seriously. I think the difference between security and privacy is, are you going to get hacked versus are you going to get advertised to? Which– I don’t know if that’s fair or not– but that’s the way that I personally look at it.

And I think Google is always trying to sell you something. But it takes itself very seriously when it comes to protecting that data.

IRA FLATOW: I always said to myself, that’s why they want to get the self-driving car. Because when you’re driving, you’re not googling, so.

JASON KOEBLER: Exactly.

IRA FLATOW: When you’re not driving, it’s more time to Google. Jason, last year there was a big denial-of-service attack that brought down a bunch of websites for a while. And it was all through these baby monitors, and other connected devices. Are we going to see more of that? Is there something a person can do to help combat against this? Maybe it’s going to be our cameras and things now all ganging up on us.

JASON KOEBLER: Yeah, so this was called the Mirai botnet and it was one of those days that was like, wow. We are really living in the future. This is definitely a Black Mirror episode. It was millions of hijacked baby monitors and other smart devices that attacked the infrastructure of the internet, and took down something like 1/6 of the internet for a couple hours. I think Netflix and Facebook were down.

And this all happened because, A, a lot of internet of things companies have pretty bad security because a lot of them are fly-by-night. A lot of them go out of business. And B, people don’t change their passwords on things like baby monitors or smart fridges. So a lot of the passwords to these are just username, admin, login. Password is admin as well. And you can easily sweep up and zombify millions of these devices at once.

IRA FLATOW: That’s a good word I hadn’t heard before.

JASON KOEBLER: So my advice here is, change the password on all of your smart devices.

IRA FLATOW: In the few minutes we have left, I want to talk to you about– in terms of being hacked or a cyber attack, what do you worry about the most coming up? You know, we’re always prepared for the last thing. We fight the last war with the information we have. Micah, well, let me ask you first. What are you most worried about in the future?

MICAH LEE: What am I most worried about in the future? I mean, I think that having kind of misinformation campaigns over social media is what I’m currently quite worried about. I mean, it’s kind of a mix of social engineering with some hacking. But I think that’s a big worry.

IRA FLATOW: And you?

JASON KOEBLER: Politicians always talk about a cyber Pearl Harbor, or the power grid going down, or infrastructure hacks. And I think as a consumer, that’s something I can’t worry about. The thing that we write about in our guide is basically you need to protect what you’re able to protect. When a company like Equifax gets hacked and half of all social security numbers are stolen, there’s not a whole lot that an individual can do about that.

And the scary thing is, we do put so much trust into these big companies that haven’t taken security very seriously. So I think that’s something to worry about. I think that’s also something you can go crazy worrying about.

So what we recommend is, protect your own stuff. We call it a guide to not getting hacked because you might get hacked. You might not. But there are some very basic things you can do to protect yourself.

IRA FLATOW: And Micah, just a follow up. I know you’re a security engineer. What are the trends that you all are trying to design for?

MICAH LEE: So I think one of the really huge trends from the last couple of years has been usable, encrypted messaging apps. So apps like Signal. It used to be only a couple of years ago that if you wanted to send an encrypted message to somebody, it was really, really way too complicated. And now you just both download the Signal app on your phone. And then you can start having encrypted conversations with anybody.

I think that people are kind of extending this to cover bigger collaboration tools, things like Slack but where the company can’t spy on all of the messages that you’re having with your team. And so there’s a pretty cool open-source app called Keybase Teams. And there’s another app called Semaphor that are aiming to do this. They’re like kind of encrypted Slack replacements. Yeah.

IRA FLATOW: And that’s it. OK, well, it’s spy versus spy, as they say. The good guys versus the bad guys, all the time. And we’ll be following this. I want to thank you both for taking time to be with us today. Micah Lee is a software developer and a security engineer at The Intercept out in Berkeley. Jason Koebler is editor-in-chief of Motherboard based here in New York. Thank you both for taking time to be with us today. And happy holiday season to you.

JASON KOEBLER: Thanks for having me.

MICAH LEE: Thank you so much.

Copyright © 2017 Science Friday Initiative. All rights reserved. Science Friday transcripts are produced on a tight deadline by 3Play Media. Fidelity to the original aired/published audio or video file might vary, and text might be updated or amended in the future. For the authoritative record of Science Friday’s programming, please visit the original aired/published recording. For terms of use and more information, visit our policies pages at http://www.sciencefriday.com/about/policies/

Meet the Producer

About Alexa Lim

Alexa Lim was a senior producer for Science Friday. Her favorite stories involve space, sound, and strange animal discoveries.
