Troy Hunt points to a story saying experts agree with this advice to power cycle nightly. I thought I’d write up some notes on cybersecurity.
It’s a ChatGPT style story
This is a typical case of non-techies mangling the advice of techies, taking their quotes out-of-context. It’s like asking ChatGPT the question:
ChatGPT largely assumes your premise is true, then explains why it’s true.
Non-techie journalists do the same. They don’t understand the content. They’ll assume a premise, then write a story confirming the premise. They just call up a bunch of “experts”, who then extemporize why whatever premise the journalist has given them is true. In other words, when reporting a story like this, the journalist calls you (the expert) and asks “Experts are saying X, what do you think?” Your urge is to agree, explaining why X.
But the journalist could’ve done the reverse, prompting experts to refute the claim rather than confirm it: “The PM said X, but experts appear to disagree. What’s your view?” Prompted this way, experts will extemporize, explaining why it’s a bad idea.
As an expert in my field, I wonder why other experts are such idiots. Then I realize it’s not their fault, the journalist could’ve done a better job. For example, in the DNS-Trump-Alfa conspiracy theory, I know the experts in the story. They are foremost experts in the field, and yet they say stupid things. The fault lies with the journalist, giving them only part of the data, asking if it’s plausible, then quoting them as if they’ve fully analyzed the situation.
You journalists should take this as a hint. If you want to keep your jobs in the face of ChatGPT doing a better job, you need to do a better job prompting your sources. Or interview contrarians like me. I’ll happily take the opposite side of all the other experts in the cybersecurity industry.
Cyberhygiene is bollox
I’m not a Brit/Aussie, so I don’t know if ‘bollox’ is too offensive of a word here. On the other hand, I’m not sure it’s dismissive enough.
Every suggestion to “Do X to be safe” is false. Cybersecurity is a tradeoff. Doing X costs Y. Just because it’s safer doesn’t mean it’s worth the cost. “Turn off your computer, chop it up with an ax, and bury the pieces” will make you safe. Everything else is unsafe.
It’s rare that I, as an expert, can judge for you whether the tradeoff is worth it.
Sure, it’ll make you a little safer, but I’m not willing to go through the hassle of power cycling my phone every night for security. Maybe you want to, I can’t make this judgement for you. If you are a government official, and thus under much more threat than I am, then maybe it’s worth it. But for the average person, I think you are just being needlessly paranoid.
That’s why you should never pay attention to some simple cyberhygiene guide to “Do these 10 steps to be safe”. The premise of such lists is false. I’d recommend you don’t pay attention to any of them.
With that said, there are two important “hygiene” items you should pay attention to.
The first is to keep your operating system (Windows, iOS, etc.) and web browser (Chrome, Edge, Brave, etc.) updated regularly. Note that I’m not saying update everything, only those things exposed to the Internet that are under constant attack by hackers.
The second issue is that the most common way hackers break into your accounts is that you use the same password everywhere. Sure, “i8t7gkuylafjse” is a safe password, but if you use it for every website, then when one of them gets hacked (like the Bohemian basket weaving forum you visit) and that site’s passwords are stolen, all your other accounts using that password, like Gmail.com, get hacked too. Go to Troy Hunt’s https://haveibeenpwned.com, enter your email address, and see for yourself.
One solution to this problem is using a notebook to write down passwords, because you can’t possibly remember passwords for every website. Another solution is to use a “password manager”.
Note that I’m not telling you what to do, I’m describing a problem, leaving you to figure out your own solution. Cyberhygiene guides that tell you “use a password manager” are bollox.
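To make the shared-password problem concrete, here is an added example (not from the original post) that takes a list of your own accounts and reports, for each site, which other accounts fall if that one site's passwords are stolen. The CSV layout, the site names and the passwords are constructed sample data.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample: a password-manager style export (site, username, password).
SAMPLE_EXPORT = """site,username,password
basketweaving.example,me@example.com,i8t7gkuylafjse
gmail.com,me@example.com,i8t7gkuylafjse
bank.example,me@example.com,i8t7gkuylafjse
forum.example,me@example.com,Tr0ub4dor&3
shop.example,me@example.com,correct-horse-battery
"""

def load_accounts(csv_text):
    """Return {site: digest}. Only a digest is kept, for equality comparison."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        digest = hashlib.sha256(row["password"].encode("utf-8")).hexdigest()
        accounts[row["site"]] = digest
    return accounts

def blast_radius(accounts):
    """For each site, list the other sites exposed if that site's passwords leak."""
    by_password = defaultdict(set)
    for site, digest in accounts.items():
        by_password[digest].add(site)
    return {site: sorted(by_password[digest] - {site})
            for site, digest in accounts.items()}

def reused_groups(accounts):
    """Groups of sites that share one password, largest group first."""
    radius = blast_radius(accounts)
    groups = {tuple(sorted([site] + others))
              for site, others in radius.items() if others}
    return sorted(groups, key=len, reverse=True)

if __name__ == "__main__":
    accounts = load_accounts(SAMPLE_EXPORT)
    for site, exposed in blast_radius(accounts).items():
        also = ", ".join(exposed) if exposed else "nothing else"
        print(f"breach of {site} also exposes: {also}")
```
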
Location tracking
Your most important security/privacy problem is location tracking. Apps can be tracking your location without your knowledge. Innocent apps (like games) which have no business tracking you will nonetheless try to, to sell that information to advertisers. Intelligence agencies try to stick tracking code in apps as well.
Mobile phones have gotten better at helping you prevent this. Once every six months, you should probably review the apps with tracking enabled on the phone.
Some apps try to Always track your location. You should change this to only While Using. It’s also a big red flag — there are few reasons to do this except for malicious tracking. If you are unsure why an app needs to track you Always, then disable the tracking.
Most apps these days merely track location While Using the app. This includes while the app is open, but in the background.
That’s probably the reason for the above advice: restarting your phone, or disabling background apps, stops the tracking.
But a better strategy would be to go through that list of permissions and simply disable location tracking While Using. Sure, I want the Disney World app to track me while I’m in the park, and I only open the application in the park, so I’ll leave that enabled. But why does Fly Delta need to track me? I should disable that.
In other words, turning off all the background apps occasionally is good “hygiene”. But at the same time, if you didn’t trust the app to track you all the time, then you should question whether you should allow them to track you some of the time.
Note that Google Android and Apple iPhone are tracking your location from the operating system itself, even if you’ve disabled tracking for all the apps. There are separate settings to control this.
Exploits
The other reason to care about this (power cycling) is hackers trying to break into your phone.
In theory, more apps open (in the background) means more attack surface, more ways for them to break in. But as far as I can tell from looking at 0day exploits, this really isn’t a meaningful danger.
The Holy Grail of a phone hack is gaining persistence, meaning it’s still there even after restarting the phone. But most hacks can’t get that far. Killing the app or power cycling the phone gets rid of most malware.
For the most part, the adversary has the ability to attack the phone again when you turn it back on. If they used that 0day from silent text messages, they can just send another.
The upshot of this is that while restarting the phone will get rid of some hacker implants/malware, it’s not that great of a technique. If you are a human rights worker in an oppressive country, then I think it’s worth your trouble to regularly reboot your phone, but it’s not something I’d do.
But if your life depends upon this sort of thing, maybe you should reconsider using a personal phone. If you care about privacy and security, use Tor and the Signal app — unless your life depends upon it. In that case, you shouldn’t listen to the advice of any expert but instead learn enough to protect yourself, where things like Signal are appropriate. If your phone has been hacked, then end-to-end encryption like Signal won’t protect you.
Conclusion
The PM was likely advised to restart their phone daily. It’s the sort of thing a government intelligence service might advise a Prime Minister — because they are under special threat, they should care more about unlikely scenarios. But then, that implies the security services can’t provide a better phone to the PM, one that isolates things in a VM (such phones exist, like the Glacier phone).
You should ignore all such advice. If you are actually under realistic threat, then you need to understand the situation much better than relying on such advice. Most of us aren’t, and don’t need to worry much about our phones other than keeping them updated, disabling unnecessary location tracking, and dealing with the shared-password issue.
Mostly, such advice is just a placebo. It makes the patient happier because they feel like they are in control, like they are doing something, even though it’s not really doing much of anything.