How to protect yourself from being hacked | Chris Tarbell and Lex Fridman

Views: 91,594

Lex Clips

Day ago

Comments: 103
@LexClips, a year ago
Full podcast episode: kzbin.info/www/bejne/anzMgGt9h8yqes0
Lex Fridman podcast channel: kzbin.info
Guest bio: Chris Tarbell is a former FBI special agent and cybercrime investigation specialist who brought down Ross Ulbricht and Silk Road, and Hector Monsegur (aka Sabu) of LulzSec and Anonymous.
@GentlemenMonkey, a year ago
1) Putting your phone in a glass of water is pretty pointless; ruining your hardware is rarely the answer. Just turn it off, then use another device to look up how to factory reset your particular handset. Guy ruined his mom's phone for no rational purpose. Your phone "making noises" isn't an indication someone is stealing your information.
2) "we're figuring out how people generate their password and it's easier to crack their password" Rainbow tables and other predictive databases haven't been a thing worth using for a hot minute. What makes a password worthwhile presently is length.
3) The Yahoo hack I presume he's talking about was done through spear phishing of a Yahoo employee. Having a 16 character password with upper and lower case, numbers, special characters, a hieroglyph and the blood of a virgin wouldn't have saved anyone. Absolutely nothing the consumer side could have realistically done about this, the fault lies squarely on Yahoo. The only thing notable about this is the size of the breach, the volume of user data compromised and the inexcusable lack of security structure at Yahoo.
4) Ring wasn't hacked, not in any conventional sense. What happened was people were compromised on other services and used the same password for Ring (credential stuffing). Blaming Ring for this, in any regard, just isn't right. While Ring is certainly in the security business, they have every incentive to give people what they want and not piss off their customer. Forcing 2FA would have solved the problem but also is the least convenient option for most people, meaning they would turn it off and/or switch to a different service. Login attempt restrictions likely wouldn't have accomplished much (especially at 10 attempts) unless they were actively monitoring for a spike in incorrect user logins, which if they had monitoring like that they should have noticed the issue when it occurred anyway due to the traffic.
Chris's characterization of Ring's logic is spot on, they didn't force the account security on people because it would have hurt them financially. His taking them to task for not forcing account security on people, however, is misplaced. The market drives these things, if Ring didn't accommodate then it would just be another company.
5) Again numbers and special characters are brought up. No. This is myth from a bygone era. While you could argue that technically by doing so it increases the character set, it's also so standard now that nobody running actual brute force attacks is attempting without them and the hash rate is so high that it's not meaningful in strengthening the password. Again, length is the solution. Use whatever wacky character string you want, your 8 character password can be cracked in under an hour.
6) Keyloggers: the "black market" he's referring to isn't very black. There's nothing inherently illegal about keyloggers and many other penetration "testing" devices. There are numerous places you can buy things of this nature very openly, and if you don't want to do that it's not particularly hard to make one.
7) Brief note on the OS and Mac thing. Chris is way off talking like the saving grace was kids not having access to Macs. (On a personal note, the first computer I ever "hacked" was a Macintosh 512k in 1993. I was a kid. Just saying.) The only thing helping Mac in the past still helps it now, it's security through obscurity. Mac is just repackaged Unix, there's nothing particularly wild or clever about it. What makes Mac users more safe than the average PC is that they're a minority of the market. Anyone in any kind of business given the choice of targeting most of the market or a small portion of the market, same work either way, will almost always choose the larger market option. As the market share grows, so too does the incentive to attack it. The smaller it is, the less attractive it is.
Chris is a likable guy and I think it's commendable that he's communicating about infosec in a non-technical way but you have to get it right and he's off the mark a lot, or at least not up to date with what's going on in cybersec. Most of the time the details aren't going to meaningfully matter in a situation like this but then there's things that do, like going on about special characters making passwords stronger. That kind of misinformation creates security theater, people think they're more protected than they are. I'll have to watch the full podcast now, I'm curious if this guy is more competent than he appears in this clip, kind of feel bad nitpicking him this bad but hey, it's my industry. I get he had some big wins in catching cybercriminals but catching criminals is a different animal than defending from them. Guess he at least knew enough to get the job done and good on him for that.
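An added example, not part of the comment above and not code from Ring or any other service, of the monitoring point in item 4: a per-account lockout at 10 attempts never fires when each account receives a single guess, while a per-window check on failures spread across many accounts does. The log tuple format, the alert thresholds and every event are constructed for illustration.

```python
from collections import Counter, defaultdict

LOCKOUT_THRESHOLD = 10    # per-account failed attempts, the figure in the comment
WINDOW_SECONDS = 60       # assumed monitoring window
MIN_FAILED_ACCOUNTS = 20  # assumed alert level: distinct accounts failing per window
MIN_FAILURE_RATIO = 0.8   # assumed alert level: failed / total logins per window


def constructed_events():
    """Constructed sample log: (unix_ts, username, source_ip, success)."""
    events = []
    # Normal minute: 30 users log in, two of them mistype once first.
    for i in range(30):
        events.append((1200 + i, f"user{i}", "198.51.100.7", True))
    events.append((1205, "user3", "198.51.100.7", False))
    events.append((1211, "user9", "198.51.100.7", False))
    # Next minute: 200 different accounts get one guess each from 4 addresses;
    # 3 of the reused passwords work.
    for i in range(200):
        events.append((1260 + i % 60, f"victim{i}", f"203.0.113.{i % 4 + 1}", i % 67 == 0))
    return events


def per_account_lockouts(events):
    """Accounts whose own failure count reaches the lockout threshold."""
    failures = Counter(user for _, user, _, ok in events if not ok)
    return sorted(u for u, n in failures.items() if n >= LOCKOUT_THRESHOLD)


def suspicious_windows(events):
    """Start times of windows where many distinct accounts fail at a high ratio."""
    total, failed, failed_users = Counter(), Counter(), defaultdict(set)
    for ts, user, _, ok in events:
        w = ts // WINDOW_SECONDS
        total[w] += 1
        if not ok:
            failed[w] += 1
            failed_users[w].add(user)
    return [w * WINDOW_SECONDS for w in sorted(total)
            if len(failed_users[w]) >= MIN_FAILED_ACCOUNTS
            and failed[w] / total[w] >= MIN_FAILURE_RATIO]


if __name__ == "__main__":
    log = constructed_events()
    print("accounts locked out:", per_account_lockouts(log))
    print("windows to alert on:", suspicious_windows(log))
```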
@cabanford, a year ago
Phones are generally waterproof. Quick fix for mom until he can get there and sort out properly
@GentlemenMonkey, a year ago
@cabanford Just turning it off is pretty quick too and doesn't require waterproofing.
@cabanford, a year ago
@GentlemenMonkey Sure. Just trying to imagine the tech competence of an older stressed out mum (but I agree, the glass of water trick seemed odd to me as well 🤷🏻)
@GentlemenMonkey, a year ago
@cabanford Well ok, I'll steel man it. Water is actually really effective at blocking communication from the average handset. In fact, that's one of the reasons we work on 2.4 GHz...as do microwaves. So, if you were ever in a situation where for some bizarre reason you couldn't turn off a phone, couldn't remove the battery and had to disrupt communication right this very second...sure, throwing it in a glass of water will probably work. Lol ok, that's my biggest, wildest positive assumption on the matter I can think of to justify it that I would bet my life savings had no part in the decision making process here. I totally get the stressed out mum notion, I would understand him telling her to do that just to settle the matter and get her to calm down. I'm being judgemental about it because Chris framed it as him overreacting, and that's a wild overreaction for someone who is supposed to be a cybersecurity professional. I appreciate Chris catching the bad guys and all, but as a techy I did a lot of head shaking watching this. I'm probably overly critical given that, but communicating tech correctly is important to me.
@cabanford, a year ago
@GentlemenMonkey I totally agree. Can't imagine he's nearly as tech savvy as Lex.
@tylerkarlberg3473, a year ago
Living in a fraternity house taught me to sign out of my computer. Even if you're just going for a glass of water, log out, or someone might mess with your stuff haha. It's been more than a decade and I haven't shaken that habit
@HandMeDeals, a year ago
The MySpace Era helped me learn to log out
@brettlaw4346, 8 months ago
Hopefully, people are learning not to mess with other people's systems. That was basically what the movie War Games was about. You might think you're playing a game but the consequences can be apocalyptic.
@PseudoProphet, a year ago
90% of hacking is just basic phishing. 😅😅
@buddystewart2020, a year ago
I get phishing emails all the damn time.
@RobertSimons-w5y, 7 months ago
Spear phishing is a lot more advanced
@PAXch., 6 months ago
Yeah most hackers wouldn’t put in all the effort to do much else against a random person
@wartem, a year ago
If your phone is already hacked, how is the time difference between putting it in a glass of water VS turning it off and factory reset, going to matter?
@adriangibbs, a year ago
Seriously. Maybe a Faraday bag would help in certain scenarios.
@TitusAzzurro, a year ago
Data doesn't teleport out of the phone. Throwing it into the water is the fastest way to stop the transfer.
@micomator, a year ago
Because putting in a glass is quicker than communicating to your sixty year old mother how to factory reset her phone.
@wartem, a year ago
@micomator Good point
@jojojo9240, a year ago
@micomator Isn't it about how long it takes to turn it off?
@ambermullins6158, a year ago
Lex is always on point with his emotions, his attire, and his outlook on helping others.
@akreation, a year ago
1:48 bad guys are making portfolios out of people
1:58 We are making a dossier on each person
@gdgd5194, a year ago
Exposed ha ha ha
@A9GalaxyOfficial, 6 months ago
Imagine being in the FBI and not knowing what a rubber ducky is 🤣 he’s on the level of just calling it a keylogger. This is why learning from a book and having a degree, doesn’t mean jack. Knowledge is key, stay woke!
@BarisPalabiyik, a year ago
Isn't it the case that when you log in with your Google account, Twitter account, by all the providers I mean, the database doesn't hold your connected provider's password, so a hacked database would only provide them with your social media e-mail, name, profile picture maybe and that's it? I use those platform authorization/authentication patterns in my apps.
@cgme9535, a year ago
You are correct. With secure databases, the most that will ever be stored is a hashed password of your password. And that password will also be “salted” as to thwart password cracking with something like a rainbow table. While there are ways to get around this, like a Birthday Attack, it is an extremely secure way of “storing” passwords.
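An added example, not code from the commenter or from any site discussed, of the salting point above: a table precomputed from common passwords (rainbow tables are a space-saving form of the same idea) matches unsalted hashes directly, but not records derived with a per-user random salt. PBKDF2 stands in here for whatever key-derivation function a site uses; the iteration count, word list and accounts are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example


def unsalted_record(password: str) -> str:
    """Weak storage: plain SHA-256, identical for every user with this password."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str) -> tuple[bytes, bytes]:
    """Per-user random salt plus a slow key-derivation function (PBKDF2)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, record: tuple[bytes, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def table_hits(stored_hex_values, common_passwords) -> int:
    """Count stored values found in a table precomputed without any salt."""
    table = {unsalted_record(p) for p in common_passwords}
    return sum(1 for value in stored_hex_values if value in table)


COMMON = ["123456", "password", "qwerty"]         # constructed word list
USERS = {"alice": "password", "bob": "password"}  # constructed accounts

if __name__ == "__main__":
    weak = [unsalted_record(p) for p in USERS.values()]
    strong = [salted_record(p) for p in USERS.values()]
    print("unsalted hits:", table_hits(weak, COMMON))
    print("salted hits:  ", table_hits([d.hex() for _, d in strong], COMMON))
    print("same password, same stored value?", strong[0][1] == strong[1][1])
```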
@cgme9535, a year ago
Also, if you’re referring to OIDC, which is when you use a Google account, or a similar account, to sign into another website, then you are also correct. Those use tokens between the sites to authenticate. The passwords are not shared.
@BarisPalabiyik, a year ago
@cgme9535 Yeah, the guy wanted to make a big deal out of it. I don't wanna say he is full of it, since I appreciate what he's doing, but that kind of statement shies people away from using these very secure auth options.
@rebornsmith7542, a year ago
I thought they whacked Tony in the last episode while Journey was in the second chorus.
@scottteh3170, a year ago
literally no mention of MFA
@cgme9535, a year ago
He did talk about Ring not having 2FA activated by default.
@harackmw, a year ago
At my workplace people laughed at me when I even had a password for my work computer, one guy even said "What you got on there? Porn? LOL"
@HolyClownFuckarus, a year ago
Yes tons bro 😎
@j.dunlop8295, 7 months ago
Alien porn, NSA stuff, that's AI driven 🎉
@brozbro, a year ago
"Change your password" and then they hack the company and steal ALL the usernames/passwords.
@144Donn, a year ago
1. Don't "smart home" your home
2. Don't have financial services connected\on to your phone.
3. Don't do financial services\transfer etc on your PC\electronically
If you have no PW there is no PW to steal. I am amazed at how banks have not only left doors open but they create new electronic pathways through which thieves can enter.
@koool56, a year ago
That's just not feasible in today's world, it would take me hours to make a transaction in person
@theuzlivid, a year ago
Proceeds to turn off anti virus and firewall for 3 percent performance boost😂
@rightleft4901, a year ago
Phone in a glass of water? Sounds like the worst idea ever.
@cabanford, a year ago
Pet peeve - "I'm sorry, but your password can't be more than 8 characters" Grrrr
@tehf00n, a year ago
Funny how he said if you doxx yourself you aren't a target at that point. Because that's what I did for the same reason.
@PD55_, a year ago
Hey Lex, why is Julian Assange still rotting in jail?
@phaexus, a year ago
I wonder how secure two-step authentication is? I use this on my important stuff and use different passwords on different sites, but I almost never change my passwords.
@RCohle452, a year ago
The methods of hacking are as diverse as the hackers.
@astralfluxaf, a year ago
Never click a link. Learn how typical phishing tactics work. Learn the type of language most hackers use.
@gdgd5194, a year ago
Ok now we know how to not get hacked but what about slashed?
@buddystewart2020, a year ago
Well, at least I do have a different pw for everything I have to log into. Many are generated for me by my pw vault. I do have to keep them in a pw vault because there's no way I can remember them all. So, if I'm away from my desktop, there's no way I'm getting into some of that stuff. I can remember the ones I use the most though.
@alifnaufal, a year ago
Aren't there many pw vault apps that support sync between desktop and mobile phones?
@buddystewart2020, a year ago
@alifnaufal ... there probably are
@koool56, a year ago
@buddystewart2020 I love Bitwarden, they allow you to include 2FA too. Using a password vault is kind of risky, if it gets hacked all your passwords are known now. However I see the vault being compromised as a much less likely scenario than the services I am using being compromised.
@myprobate1661, 7 months ago
Most secure operating system is probably..... Commodore basic.
@boso1998, 8 months ago
It’s funny how out of touch these guys are “put your phone inside of water” 😂😂😂😂😂😂 like what?
@j.dunlop8295, 7 months ago
Old hackers never die, they're just made fun of and ignored, till they arrest you? 😅 LoL! 🎉
@stellofornia, a year ago
Lex has the personality of Siri
@TonicofSonic, a year ago
I once accidentally clicked on a KZbin ad. 😔
@Mel-px2ru, a year ago
This guy is dropping how to hack 101 😂
@roninstormYT, a year ago
Yeah, well, how do we protect our emails then? I was told by a friend you can protect your phone from a government site, it blocks the spam calls. What program can save our emails and protect them? This is getting annoying. I keep getting my Epic Games account hacked. I have 2FA on, and on my email. He bypassed it, don't know how he was able to bypass 2FA on email and Epic Games account, the hell
@JoakimWesterbring, a year ago
Dell (Michael)
@HumanBeingsRThinkingBeings, a year ago
Mind Begs the Question:
Pegasus - Hacks into iOS, Android
Apple, Google - design iOS, Android
Apple, Google - if leave door open, don't fix
Apple, Google - not responsible, culpable?
@vicheakeng6894, a year ago
TOO LATE JANUARY 24,2021
@anFy81, a year ago
Nice! As a PC user with bot-level IT skills I appreciate this!
@boso1998, 8 months ago
“It used to be called google dorking…now it’s called google hacking….” No it’s not 😂😂😂😂 it’s still called google dorking. This is just laughable.
@br2266, a year ago
Secure the shit out of it. - fbi. Good advice.
@DoNotForget45180, 7 months ago
It's never too late 😢😅
@harankarthick5589, a year ago
Yeah great tip from FBI. Sure.
@skeginaldp1533, a year ago
MFA guys.
@vicheakeng6894, a year ago
GOOGLE, SAMSUNG, Microsoft. I want to say but OUTDATED SOFTWARE. 1/24/2021. MI C E TRAP 3.0... ?..BACK UP DESK TOP. SITIN MYLAB TOP. BLACKBERRY, ANDROID. INTERNATIONAL BUSINESS MANAGEMENT SOFTWARE AND....
@darkmoneybrandon24, a year ago
Ok I needed this information the second I knew that Russia is besties with China
@TheNuscas, a year ago
What happens when the passenger manager software itself gets hacked? E.g. LastPass
@markorodic7531, a year ago
🃏
@ianpatrick23, 6 months ago
Oof
@draunsk, a year ago
How boring is Lex….has to be a tool of the matrix