10 Computer Security Myths to Stop Believing

COMMENTS • 1.8K

  • @ThioJoe
    @ThioJoe 2 years ago +690

    @ 9:30 Congrats, you all are now a computer GLENUIS

    • @minecrafter7850
      @minecrafter7850 2 years ago +8

      lol

    • @minecrafter7850
      @minecrafter7850 2 years ago +38

      *GLENUIS*

    • @PushyPawn
      @PushyPawn 2 years ago +21

      Escellent.

    • @abhishekjoy469
      @abhishekjoy469 2 years ago +7

      Can you make a video on cracked versions of Windows 10 and KMSpico, and whether it is a virus or not?

    • @Fafr
      @Fafr 2 years ago +26

      ayy I'm a glenuis now
      10:40 the proof that I am one is that I'm not clicking any linieeks, ninks and lincks

  • @DIYDaveOK
    @DIYDaveOK 2 years ago +1314

    As a 35-year software developer, let me give you props on a good video. You hit the nails on the head and got good points across without diving into too much techspeak.

    • @taavi948
      @taavi948 2 years ago +49

      As a 68-year-old cleaner, I agree

    • @EinChris75
      @EinChris75 2 years ago +16

      Let me agree to that as well. 30 years in the business.

    • @RockyPeroxide
      @RockyPeroxide 2 years ago +19

      Us IT guys never stop learning ^^
      It's why I chose this path.

    • @soygolpista
      @soygolpista 2 years ago +3

      Nah this guy is a corporate shill

    • @MGBOI2011
      @MGBOI2011 2 years ago +3

      But bro u are 12 years old

  • @ABQSentinel
    @ABQSentinel 2 years ago +118

    As a network security professional, I can tell you that most companies still enforce myth 1 religiously. This has the unintended consequence of people choosing weak passwords, re-using the same password but just incrementing any numbers that are used, or worst of all, writing them down (my favorite is the sticky on the bottom of the keyboard--no one will EVER look there!).

    • @mythiclys
      @mythiclys 2 years ago +11

      My school when I was younger used to enforce this all the time. It was awful, I never actually followed this guideline and stuck to one secure password. A few people did follow it and well... Quite a few trips to the technician.

    • @morganjohannisson2789
      @morganjohannisson2789 2 years ago +4

      Do people still stick passwords under their keyboards?
      I remember it was pretty common during the mid- to late nineties.
      I use pass-phrases a lot. Some of them are padded-cell-crazy on purpose. 🎃

    • @TheHellis
      @TheHellis 2 years ago +6

      We also are forced to change password every 90 days.
      The funny thing is that our company also encourages us to use the same password in other business software for convenience and so that they don't have to reset passwords so often. (How about that huh?)
      When our computer boots up most people open SAP and start typing the password just as Teams opens with the last conversation.
      So every week we have a few who type out their [Company].55 passwords into the last Teams conversations.

    • @johnduncan5117
      @johnduncan5117 2 years ago

      @@morganjohannisson2789 I still see this all the time. It's a thing. Even managers and finance people.

    • @waynereed5473
      @waynereed5473 1 year ago +4

      As recently as two years ago I have seen security audits related to cyber insurance that ask for a password retention policy. This forces companies to keep enforcing password change policies even if the IT department responsible for security wants to follow better guidelines.

  • @logicalfundy
    @logicalfundy 2 years ago +440

    Also VPNs aren't really completely private. They're great for getting around geo-restrictions, and for remote work, but as you mentioned in another myth - if you log in or if a website uses cookies, they can still gather information about you. Generally speaking, if you want security or privacy, you can't rely on only a single piece of software - you use multiple strategies that cover different aspects of security and privacy.

    • @ailivac
      @ailivac 2 years ago +36

      Of course, but they're the ones paying the bills so why would he include that? "Use our sponsor to mask your IP address, except they will still track you with cookies, oh and they can still fingerprint you just as easily with private browser mode."

    • @lordelliott42
      @lordelliott42 2 years ago +14

      @@ailivac And more and more countries are _requiring_ VPNs to keep logs.

    • @Izofeu
      @Izofeu 2 years ago +45

      What a VPN does is it changes who tracks you. Now your ISP won't track you, but the VPN company will. I hate YouTubers advertising VPNs as a way to stop being tracked when it only changes who you get tracked by, not if you get tracked.

    • @Twisted_Code
      @Twisted_Code 2 years ago +20

      sponsorships are ironic sometimes aren't they?

    • @Twisted_Code
      @Twisted_Code 2 years ago +5

      @@Izofeu I mean, allegedly this one doesn't keep logs of anything, but they could always just be saying that right?

  • @activenets
    @activenets 1 year ago +62

    You did a good job trying to inform people on the myths you listed. I have been working in IT since 1978 and have seen so many changes in the industry overall. My focus currently is with network security in business environments. It amazes me how many business owners either believe these myths or know little to nothing about their network environment. Sometimes the hardest part is getting them to invest in their own security. The alternative can be far more devastating. Thanks for putting this video out!

    • @deadlee0b1
      @deadlee0b1 1 year ago +1

      I did a server upgrade for a client, but the quote didn't include a backup solution. We warned them of this, and they said "It's okay, Greg handles our backups". Greg being one of the managers who "knows a little bit of IT". We got them to sign off and all was well. A year later they got hit with ransomware. I went in to help with restoring their data, checked their backup software, and lo and behold, the logs just showed 6 months of failed backup attempts.

    • @FireAngelOfLondon
      @FireAngelOfLondon 1 year ago

      Thanks for that list; a summary helps to remember information like this and the video didn't include one. I am surprised people questioned your reason for posting it, but I guess none of us knows it all - I sure don't.

  • @GeekIWG
    @GeekIWG 2 years ago +375

    I work in IT and you'd be amazed how many clients get angry and demand to know how they got infected when they have an antivirus installed. No antivirus software is going to catch 100% of stuff, especially if you're going around downloading and installing everything you come across online.

    • @ThioJoe
      @ThioJoe 2 years ago +92

      Yup, it’s basically just a last defense

    • @MatrixMode42
      @MatrixMode42 2 years ago +26

      As a kid, I would install everything. It installed some weird Chrome browser and to this day, it's still on my old computer.

    • @GeekIWG
      @GeekIWG 2 years ago +12

      @@MatrixMode42 I see a lot of modified Chromium-based browsers get unknowingly installed by people that are seemingly used to show ads everywhere.

    • @jacksoncremean1664
      @jacksoncremean1664 2 years ago +11

      Many antiviruses are actually pretty poorly implemented and end up making your security worse, as they end up increasing attack surface.

    • @R.K_Chalkboard
      @R.K_Chalkboard 2 years ago +6

      Thing is even if it catches stuff, it's called a virus for a reason. You can't just delete the root of the virus, it'll be in other places or it'll just reproduce itself before the AV can fully delete it. Only way is to reset.

  • @grn1
    @grn1 2 years ago +22

    An important note on the last point: Formatting an SSD will not write zeros across the whole drive. SSDs have their own controllers and maps that strategically write data to their flash chips; the OS doesn't have access to the true locations of the files. I have heard of an alternative protocol that does allow the OS to control the SSD more directly but as far as I know it's not really in use anywhere. The reason SSDs are set up to manage their own data is to ensure proper wear leveling, which preserves the life of the drive for as long as possible. Having said all that, for better or worse, it should also be much harder to recover data that was deleted from the recycling bin.

    • @repeekyraidcero
      @repeekyraidcero 2 years ago +2

      Still very possible to recover many files.
      Better use multipass erasure

    • @wasd____
      @wasd____ 2 years ago +2

      @@repeekyraidcero Multipass erasure doesn't necessarily do anything on SSDs. Wear leveling is automatic and may cause the multiple writes to go out to different blocks than the one with the data you're trying to erase.

    • @futuza
      @futuza 2 years ago +3

      Best actually to physically destroy the SSD to be safe.

    • @ishrod_tweaks
      @ishrod_tweaks 1 year ago +1

      There is an OS instruction to delete sensitive data called SANITIZE. But be aware that using it too much shortens the life-span of the SSD and usually requires formatting the whole SSD.

  • @Darkhalo314
    @Darkhalo314 2 years ago +674

    As I learned in college getting my cybersecurity degree:
    The user is the weakest link in security. You can have all the best practices and protocols in place, but even those can't prevent everything.

    • @writerpatrick
      @writerpatrick 2 years ago +31

      Viruses can only get onto a computer when a user installs them. About every method scammers and hackers use involves getting the user to run or install something that gives them that access.

    • @MenelBOT
      @MenelBOT 2 years ago +48

      @@writerpatrick not exactly, there existed some stuff that didn't even need the user to download anything to get infected

    • @edkhil
      @edkhil 2 years ago +48

      @@writerpatrick That's wrong. There's malware that can infect computers without user interaction. Check out "zero-click" attacks. An example of a zero-click malware is Pegasus.

    • @BoGy1980
      @BoGy1980 2 years ago +17

      That's why updates should always be run ASAR (as soon as released), because they often close the holes that zero-days are using. With Microsoft it's sadly the case that they patch AFTER it's being abused; with Linux most stuff gets fixed before it's abused because someone was looking over the source code and found something that's exploitable. But zero-days have also existed on Linux and its software, though a lot less are abused compared to Windows.
      Apart from these zero-days (zero-day means it's day 0 after finding the exploit in the system/software; it's not yet patched because they don't know about it yet), it's a good idea to not use an account with admin rights if you don't exactly know what you're doing (and this means: if you don't know how to solve problems by yourself and you understand why the problem existed, googlefixing everything doesn't count). It's better to use a normal account and have the admin account only there to install updates on software or to change certain system settings. If multiple people use that computer, everyone should have a normal user account, and one person should have access to admin, so that 'accidents' are avoided, and even 'no-click' viruses get less chance to install themselves and change settings to run them at startup. My father's PC is set up that way, and he had tons of issues when he had access to admin rights, even after that Windows pop-up telling you that you're doing something with admin rights and should look out... Most non-tech people don't even know what that window means; they don't read anything, they just want access to whatever they clicked on and will OK everything without knowing what they're doing. After my dad destroyed his Windows within 3 days (it booted but was laden with viruses and was very slow), I decided he should only have user access and in case something really needs admin rights, I'll just remotely take over his computer (with tools like TeamViewer) and type in the password when asked for it (of course I make sure I started the updater myself, not relying on his "this window asks for a password" question, as he's not a techie and doesn't understand the concept of updates, even after I explained it 50x). Firefox auto-updates on his machine, so does Thunderbird, and I'll check monthly if other software on his machine is outdated. Since I started using these rules, things hardly went south again.
      No more viruses that installed themselves, no more sudden "my computer is acting strange" after he thought Windows settings was just something to play with like changing the volume on the TV. The only problems I now get from him are when he wants to know 'how do I do this or that' or when some hardware fails. I try to avoid explaining stuff to him as much as possible. That's because he just doesn't want to write anything down and forgets it by the next/same day because of lack of interest on his part (his excuse is that he didn't grow up with computers, though I know people 30 years older than him who learned it just fine, and when I explain things to them and ask them to write it down, they do so and they try it a few times when I'm gone, so they actually understand what they're doing and how to do it).

    • @repeekyraidcero
      @repeekyraidcero 2 years ago +8

      In Germany DAU (stupidest possible user) basically means this xD
      "error is sitting in front of the keyboard"

  • @lperkins2
    @lperkins2 2 years ago +41

    Note that even a "*slow*" format doesn't do a secure delete. Some drives might have a secure delete operation, but most consumer drives do not. With spinning-rust drives, you're generally fine if you ensure the disk actually writes out 0s to the physical sectors. With SSDs, wear leveling can keep you from ever writing the physical sector again. Bottom line, you should keep sensitive data encrypted, and keep the encryption keys somewhere you *can* delete them (like a hardware key), or at the least keep _them_ encrypted with a password.

    • @AttilaAsztalos
      @AttilaAsztalos 2 years ago +2

      ...or you can use purpose-built wiper software that merrily proceeds to write garbage data into every byte of "unused space", necessarily overwriting anything that was supposed to be deleted. Yes, some data may still survive by ending up on a spot that was replaced by the drive with spare capacity that drives keep just to be able to hide minor damage from you, but hey nothing is ever 100% secure and as levels of paranoia go this is a pretty efficient solution.

    • @lperkins2
      @lperkins2 2 years ago +1

      @@AttilaAsztalos Doesn't take special wiper software, just boot from a different drive and have `dd` write from /dev/random to the head of the target disk. If you don't want to erase the files currently on the disk, doing it to a new file within the disk's FS works for the logical portions of the disk managed by that FS. That gets you to where recovery of the data will require specialized tools, which is generally good enough unless your threat model includes state actors or others who will use SEMs and physically dissect your drives.
      Just remember it _does_ leave any cells "parked" for wear leveling, and if your random number source isn't good enough, and at only a single pass, an SEM may be able to recover what the state of the individual cells was before you scrambled them.

    • @achtsekundenfurz7876
      @achtsekundenfurz7876 1 year ago

      BTW, two passes are usually good enough. If there was a way to write data to disk, then overwrite that chunk, and read both back, HDD manufacturers would have exploited that trick decades ago to double their capacity without adding to cost. Why _twice_ then? Because it might be impossible to read both versions back _reliably_, but could work once in a blue moon if the newer data follows a simple pattern. It just _might_ happen on a chunk containing sensitive data...
      The old guidelines about 7 passes or more account for OLD hardware (i.e. 1980s or older -- governments tend to keep some of those for a longer time than any individual or company would). Those would sometimes practice "shingled magnetic recording" accidentally due to wandering alignment of the head or (if applicable) tape used.

    • @lperkins2
      @lperkins2 1 year ago

      @@achtsekundenfurz7876 If you are a device manufacturer, you need to, within the rated service life of the device, have a near 100% recovery rate of the data, so double-writing and guessing isn't a good option. If you are trying to erase state secrets, you need to have a near 0% recovery rate of the data, so writing over it once may not be enough. And remember, in the state-actor case, the final "read" procedure may be damaging to the drive (as it is when using an SEM to do the read).
      That said, if one pass (or certainly if two passes) haven't removed the data, it will be because of the device firmware. More passes won't help.

  • @n3g093
    @n3g093 2 years ago +181

    As someone currently working in infosec, I'd like to point out an issue with the NIST recommendation for never expiring passwords. NIST is designed for government agencies that are already following all of the other guidelines. This means that bodies who follow this will also have modern 2FA, good minimum complexity requirements with phrases, no one is reusing the same passwords, SSO is configured everywhere possible, and these passwords are not being stored in an insecure manner. Not changing passwords IS the best practice if every other best practice is also being followed.
    For example, I can guarantee you that many companies have not adopted 2FA more advanced than an SMS message, and most users will still be reusing the same passwords for multiple accounts anyway. Also, many of those users will be using the infamous password spreadsheet instead of a manager.

    • @anon_y_mousse
      @anon_y_mousse 2 years ago +13

      Good point, and I agree, a simple SMS based 2FA is not good enough. Especially if your phone gets stolen it'll be worse.

    • @johnt7665
      @johnt7665 2 years ago +5

      No apostrophe necessary. Many companies.

    • @zoetje9817
      @zoetje9817 2 years ago +3

      @@BoGy1980
      I mean, password managers don’t store passwords in plain text. Spreadsheets do AFAIK.

    • @BoGy1980
      @BoGy1980 2 years ago +1

      @@zoetje9817 that's why you need to password protect them of course.
      Office documents (Microsoft / Libre / OpenOffice) indeed are merely XML files stored in a zip container. Those XML files are protected as well as the password is. At least they won't target that file as fast as the data file from password managers, which is also plain text in its purest form, but is also encrypted with your password.

    • @marcusbk7317
      @marcusbk7317 2 years ago +1

      Thank you! Everyone cherry-picks the NIST guidance about this.

  • @luckybear8283
    @luckybear8283 2 years ago +4

    Thanks! A great video and very informative 👍🏼

    • @ThioJoe
      @ThioJoe 2 years ago +1

      Appreciate it!

  • @9tim80
    @9tim80 2 years ago +171

    Here's one I heard too many times in my IT career: "I don't need antivirus, I have a Mac!"
    I deliver auto parts now. Much less stressful than arguing with idiots.

    • @repeekyraidcero
      @repeekyraidcero 2 years ago +23

      Well.. Mac is its own can of worms...
      And that myth is long dead

    • @kevinwong_2016
      @kevinwong_2016 2 years ago +4

      @@repeekyraidcero yes

    • @TrekkerUK
      @TrekkerUK 2 years ago +9

      Anecdote time! I've had a MacBook for about 10 years (And love it!) but one time years back I was having a problem with it. I can't remember exactly, but something was acting weird. So - I thought I'd post on the official Apple support forums for some help. A self-proclaimed expert user with something like *11,000* posts replied along the lines of "Do you have anti-virus installed? That can cause issues and isn't needed on Macs so just uninstall it." I just replied with a rant about how that was utterly terrible advice and I sincerely hoped other users did not listen to his 'solutions'.

    • @serbiagamingiscool515
      @serbiagamingiscool515 2 years ago +14

      @@TrekkerUK The thing is, he is not all that wrong. Antiviruses can cause A LOT of issues, and it's a headache to deal with them. I myself only have the Windows one and occasionally install Malwarebytes just to check if I fucked up or something, but that's about it. Dedicated antiviruses also end up slowing your PC down.

    • @samurai5910
      @samurai5910 2 years ago +2

      I use Linux, I mean GNU/Linux... and I don't know any anti-virus programs for it.

  • @neilmara3093
    @neilmara3093 2 years ago +89

    I used to maintain a website. In the website logs are the unencrypted usernames of everyone who logged in. Every once in a while someone accidentally put their password where their username should go and vice versa. Of course, the server denied them access. Then a few seconds later there was another login attempt with the username and password in the correct order. The password isn't logged. By searching the logs for gibberish usernames, followed by proper usernames from the same IP address, I was easily able to find several passwords a week. I reported this vulnerability to my management, but I don't know what they did about it (if anything).

    • @rbrucebicknell5038
      @rbrucebicknell5038 2 years ago +15

      Eeek, usernames, passwords, and other things like SSNs and credit card numbers shouldn't be written to the logs at all, encrypted or otherwise. What you'll see in my company's logs is [filtered] where these things would be. We get audited regularly to ensure our logs, and many other things, are clean. That not everywhere is as diligent speaks to the necessity of not reusing passwords across sites.
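      The pattern described in this thread (a password typed into the username box, then a successful login from the same address a few seconds later) can be found and scrubbed from existing logs before they are shared or retained. This is an added example, not code from the video or the commenters; the line format, field names and the 15-second window are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not real logs). Line 2 is the failure mode from the
# thread: the password went into the username box, then the real login follows.
SAMPLE_LOG = """\
2023-05-01T09:00:01Z ip=203.0.113.7 user=alice result=FAIL
2023-05-01T09:00:05Z ip=198.51.100.4 user=Tr0ub4dor&3 result=FAIL
2023-05-01T09:00:09Z ip=198.51.100.4 user=bob result=OK
2023-05-01T09:00:30Z ip=203.0.113.7 user=alice result=OK
2023-05-01T09:01:00Z ip=192.0.2.9 user=carol result=FAIL
2023-05-01T09:05:00Z ip=192.0.2.9 user=dave result=OK
"""

# Assumed line layout; adjust the pattern to the real log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Split one log line into fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "result": m["result"]}


def find_suspected_leaks(lines, window_seconds=15):
    """Indexes of FAIL lines whose 'user' value is probably a password.

    Heuristic from the thread: the same IP logs in successfully with a
    *different* username within window_seconds. Lines must be time-ordered.
    """
    parsed = [parse_line(line) for line in lines]
    flagged = []
    for i, rec in enumerate(parsed):
        if rec is None or rec["result"] != "FAIL":
            continue
        for later in parsed[i + 1:]:
            if later is None or later["ip"] != rec["ip"]:
                continue
            if (later["ts"] - rec["ts"]).total_seconds() > window_seconds:
                break  # same IP, but too late to be the corrected retry
            if later["result"] == "OK" and later["user"] != rec["user"]:
                flagged.append(i)
                break
    return flagged


def redact_suspected(lines, window_seconds=15):
    """Return a copy of the lines with flagged identifiers replaced by [filtered]."""
    flagged = set(find_suspected_leaks(lines, window_seconds))
    cleaned = []
    for i, line in enumerate(lines):
        if i in flagged:
            line = re.sub(r"user=\S+", "user=[filtered]", line, count=1)
        cleaned.append(line)
    return cleaned


if __name__ == "__main__":
    for line in redact_suspected(SAMPLE_LOG.splitlines()):
        print(line)
```

      The durable fix is upstream, as the reply above describes: never write the submitted identifier of a failed login to the log in the first place.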

  • @EvanCastle
    @EvanCastle 2 years ago +43

    Great content, as usual.
    Quick add-on: Incognito mode also deletes all cookies when you close the browser. Great for when you're wanting to log into the same site with different credentials, like when you're alpha testing a website.

  • @pentestical8265
    @pentestical8265 2 years ago +11

    Everything spot on except number 10. With modern flash storage, there is a feature called TRIM on the SSD itself which overwrites files as they are deleted, so file recovery now is a bit complicated. An exception is with Full Disk Encryption because TRIM only works on entire files, so when it sees an encrypted file system, it sees a delete operation as an update rather than a delete, so TRIM doesn't kick in.

  • @davidt01
    @davidt01 2 years ago +120

    Myth 1: You need to change your password frequently. (Creating a single really strong password is better than using weak passwords that you change often).
    Myth 2: The padlock icon means a site is safe or trustworthy. (It only means the connection is secured).
    Myth 3: Incognito mode makes your internet activity untraceable. (Websites can still track your IP address or recognize you when you login).
    Myth 4: Strong passwords are just to stop people from guessing it. (If a website gets hacked, all the encrypted passwords will be shared with hackers who use computers to try to crack them).
    Myth 5: A strong password must be complex. (Making your passwords longer is often better than just adding numbers or symbols, unless you're using words alone).
    Myth 6: If you're good with computers, you don't need anti-virus. (There are zero day exploits and vulnerabilities that can affect even the most careful users).
    Myth 7: Anti-virus will always protect you from everything. (Be careful and use common sense.)
    Myth 8: If you have a virus, you'll know it or it will be obvious. (Except for ransomware, most viruses or malware today are spyware that you won't know is on your device).
    Myth 9: A strong password is all you need to secure your accounts. (Two-factor authentication is very important).
    Myth 10: Deleted files or formatted drives can never be recovered. (Deleted files and quick-formatted drives can usually be recovered with special software).

    • @hAT81
      @hAT81 2 years ago +4

      lol what's the point of making this comment? (no hate)

    • @silopante
      @silopante 2 years ago

      Boo

    • @davidt01
      @davidt01 2 years ago +31

      @@hAT81 I wrote it out for people who don't want to watch the whole video. I actually wrote it out so I could share with my friends and family, but then I thought I might as well post it here. :)

    • @credulous2skeptic522
      @credulous2skeptic522 2 years ago +10

      @@davidt01 Thank you for posting this David. Even though I watched the whole video I can share your notes with my friends who might not want to watch it.

    • @marcusbk7317
      @marcusbk7317 2 years ago +6

      @@hAT81 because the OP did not make a summary

  • @1337GameDev
    @1337GameDev 2 years ago +1

    15:25 - If you truly need data gone you can only do a few things:
    1. Do a 7-12 pass wipe, using a mix of random data, all 0s and all 1s.
    2. FILL up your drive with dummy data, and then do that a few times (all free space after deleting the file).
    3. Replace the drive and destroy the old one.
    4. If the drive is a spinning drive (not SSD), use a DEGAUSS machine (takes around 60 seconds to finish) to modify the magnetic properties of the platters.
    It's possible, using very sensitive forensics, to recover data on platters, AS WELL as NAND flash used in SSDs, but obviously it is expensive / used by higher agencies and targets. Also, it may not be possible to overwrite individual physical locations on an SSD unless the TRIM algorithm and memory controller have cycled through that cell enough times. SSDs usually have around 10%ish EXTRA flash cells for wear leveling, and may not "reuse" a cell for a while if they instead use other cells to extend the life of the drive.
    The best option is to physically destroy the drive. For 99% of users, deleting a file, and then running a 7-12 pass of random data (you can download free programs that do this) is enough to conceal files from "sector based recovery" programs.

  • @emirkugic
    @emirkugic 2 years ago +69

    Hey Joe, I just realized that I've been watching your videos for over 10 years now. From the troll videos I used to watch in primary school and actually trying them out and being disappointed/angry to today, where I'm studying computer engineering, I gotta say I always enjoyed your videos even if it's about something I understand to the core of it.
    You've always been one of my favorite tech youtubers as your videos are always entertaining to watch. Not much else to say besides cheers to another 10🍻

    • @nabh_agrawal
      @nabh_agrawal 2 years ago +4

      can u suggest some other tech tips channels like ThioJoe! This channel does a great job, but if u could, it would be helpful for me!

    • @emirkugic
      @emirkugic 2 years ago +3

      @@nabh_agrawal I don't know exactly about tech tips type of YouTubers; the only one that comes to mind is Computerphile, they teach you about various computer related stuff, but here are some of my fav learning/entertainment YouTubers: Ben Eater is great for understanding how computer hardware even works, Code Bullet and Michael Reeves are hilarious, Stuff Made Here is just mad impressive engineering videos, and freeCodeCamp is a great source of useful tutorials if you're into comp sci. I hope you find this useful

    • @nabh_agrawal
      @nabh_agrawal 2 years ago +1

      @@emirkugic Thank u !

    • @davebing11
      @davebing11 1 year ago

      writing them down is fine, as long as it is in a book that you know had better be secured to be safe

    • @myopinion6092
      @myopinion6092 2 months ago

      yes the troll videos should have been banned. and future

  • @blobofblutack
    @blobofblutack 2 years ago +8

    The private browsing thing I find funny, because all incognito and private mode landing pages I've seen explicitly tell you what it does and doesn't do. Usually even explaining that your ISP, Employer/School, and the website you are visiting still see the activity.

  • @wookix
    @wookix 2 years ago +310

    I like the way you explain stuff, it's very easy to follow along. Would you mind making a tutorial about those yubico authenticators including showing how to add them to various popular services?

    • @ThioJoe
      @ThioJoe 2 years ago +95

      Possibly

    • @bharatmadho3742
      @bharatmadho3742 2 years ago +6

      @@ThioJoe yayy

    • @Rmni2
      @Rmni2 2 years ago +5

      @@ThioJoe Ooooo I wonder if he did make the video, it will make us get a key

    • @futuza
      @futuza 2 years ago +2

      Maybe also discuss weaknesses with using YubiKeys, e.g.: the physical YubiKey is stolen or destroyed and you don't have any backups (because those would create weaker attack vectors that threat actors could use to their advantage)

  • @AaaTeeEyeBee
    @AaaTeeEyeBee 2 years ago +11

    The LastPass password management suggestion really didn't age well in four months given what we've learned about the hack, their security practices, and their subpar browser extension. If the dev groups I frequent are an indication I think there's a mass exodus to Bitwarden, a company which seems to take security much more seriously by comparison.
    Also, Incognito Mode doesn't use the cookies/site data stored in the browser picked up during non-incognito mode. That's why you would need to log in to sites again if in incognito mode.

  • @DragoniteSpam
    @DragoniteSpam 2 years ago +43

    I love how the AI interpreted the "sketchy link" prompt as a literal link that had been sketched.

  • @captain150
    @captain150 2 years ago +6

    The deleted files thing is a bit more complicated with SSDs. On mechanical hard drives, it's true deleting (or quick formatting) does not remove the actual data. On an SSD though, deleting a file will, sooner or later, also wipe the data due to the TRIM command. Windows sends this with every file IO (and for quick formats). Linux uses fstrim, which is usually scheduled to run (i.e. once per day or whatever). And different SSDs handle the TRIM command differently.

  • @merren2306
    @merren2306 1 year ago +2

    4:51 hash functions are one way. "decrypting" in this context just means guessing the password a bunch of times, though obviously if the database is leaked the attacker is unlimited in the number of guesses they can do, unlike if they were to try to log on directly to the website.

  • @jacquesmainguy1
    @jacquesmainguy1 2 years ago +37

    Unless that changed recently, long formatting doesn't even overwrite the old data, it just checks every sector. The low-tech technique I use is to create a "filler" file with data from one of my big files with nothing I worry about in it. Then, once I've deleted everything, I re-fill the drive with that filler, and then re-delete it. The data left on the drive is now that filler repeated over and over, not my original files. Quite time-consuming, but worth doing before donating or discarding a PC.

    • @ailivac
      @ailivac 2 years ago +11

      GNU coreutils comes with the shred program that will do this automatically over either a file or an entire disk. It actually overwrites it multiple times with different patterns of data, some random and some fixed, designed to physically scramble the media as much as possible. Of course that's only applicable to traditional filesystems on magnetic drives; on a CoW-based filesystem or SSD it won't do anything other than waste time. Some SSDs use internal encryption and have a fast secure erase command you can run that simply zeroizes the key without having to physically erase every block.
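      A file-level multi-pass overwrite in the spirit of the shred approach described above, added here as an example (not the coreutils code and not from the commenters). It assumes a filesystem that rewrites blocks in place on a magnetic drive; as the comment above says, on an SSD or a copy-on-write filesystem the old blocks may survive untouched, so it proves nothing there.

```python
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB write buffer


def overwrite_file(path, passes=3):
    """Overwrite every byte of an existing file in place, `passes` times.

    Pass patterns cycle random -> 0x00 -> 0xFF. Each pass is fsync'ed so the
    data reaches the device before the next one starts. Only meaningful on
    media and filesystems that really rewrite the same blocks. Returns the
    file size in bytes.
    """
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)
    try:
        for p in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                if p % 3 == 0:
                    buf = os.urandom(n)
                elif p % 3 == 1:
                    buf = b"\x00" * n
                else:
                    buf = b"\xff" * n
                remaining -= os.write(fd, buf)  # os.write may be short; loop
            os.fsync(fd)
    finally:
        os.close(fd)
    return size


def wipe_file(path, passes=3):
    """Overwrite, truncate (so the old size is not leaked), then unlink."""
    size = overwrite_file(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)
        os.fsync(f.fileno())
    os.remove(path)
    return size


def demo_wipe(marker=b"CONSTRUCTED-SECRET ", repeat=5000):
    """Self-check on a temporary file holding a constructed marker string."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(marker * repeat)
    size_before = os.path.getsize(path)
    overwrite_file(path, passes=3)
    with open(path, "rb") as f:
        after = f.read()
    result = {
        "size": size_before,
        "same_size_after": len(after) == size_before,
        "marker_gone": marker not in after,
        "file_exists": None,
    }
    wipe_file(path)
    result["file_exists"] = os.path.exists(path)
    return result


if __name__ == "__main__":
    print(demo_wipe())
```

      The directory entry (the file name) is not scrubbed by this; shred itself offers a rename step for that, and neither step helps once a drive's firmware has remapped the blocks.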

    • @lordelliott42
      @lordelliott42 2 years ago +3

      I just destroy data drives. Hammer and fire is the way to go if you want to be *sure* your data is gone.

    • @jacquesmainguy1
      @jacquesmainguy1 2 years ago +1

      @@lordelliott42 I have done that too, when discarding a PC or laptop.

    • @ThioJoe
      @ThioJoe  2 years ago +9

      In my other video I tested the difference between Quick format and not, and at least for NTFS it did indeed write zeroes across the drive, I checked it with a hex viewer. I'd assume the same goes for other file systems but I didn't explicitly check those.

    • @ailivac
      @ailivac 2 years ago +1

      I wonder if it just TRIMs every empty block on SSDs (which will make them default to 0) or actually overwrites everything

  • @joe-skeen
    @joe-skeen 2 years ago +4

    Great video. One more myth I would add is that security questions make your account more secure. This really isn't the case. A security question is most often a simpler, shorter password that you can find the answer to from looking at the person's social media account. I always treat security questions as passwords and generate long answers (stored in my password manager)

    • @barryschwarz
      @barryschwarz 2 years ago +1

      The 2 ones I choose are definitely not in any of my social media accounts or anywhere else. Mother's maiden name, and the name of my first pet are impossible to get both unless you go to my parents' house and torture it out of them.

    • @KaptainCanuck
      @KaptainCanuck 1 year ago

      @@barryschwarz, where a parent was born is pretty good, or first school is also good, as long as you do not have your city of birth on social sites.

  • @hegedusuk
    @hegedusuk 2 years ago +15

    I liked this video, it more or less echoes what I explain to people. You explain things in a very clear, concise and easy-to-follow way. Only thing I’d add is that these days with SSDs and TRIM, deleted files, whilst they may still be retrievable, are less likely to be so than with spinning rust disks.
    One more thing - nothing to do with your actual content - I do feel that VPNs don’t quite do what they say. Unless I’m missing something, they are no more private than using your ISP without a VPN. You’re just moving the breakout point to the internet from your ISP to the VPN provider. Who do I trust more? But yes, they’re useful for watching foreign Netflix stuff but I really can’t see what privacy they offer that really matters. Obviously you as a content creator who gets sponsored aren’t going to be able to reply much…

    • @liquidmagma0
      @liquidmagma0 2 years ago +1

      It's a matter of: do you trust your ISP or the VPN service more? Some VPNs are more trustworthy than ISPs, some are not. VPNs are also useful if your government uses heavy censorship or has human-rights-violating laws which make you unable to look up or consume something.

    • @sparkypikachu7776
      @sparkypikachu7776 1 year ago +1

      @@liquidmagma0 I hope one day we can tackle that issue in the world, forcing the govs to make it so there are no banned shows

    • @Guilhem34
      @Guilhem34 1 year ago

      @@liquidmagma0 However, in my country (just blocking some « illegal » content), it is just a DNS block, so just going through Cloudflare or Google DNS is enough. And no one is ever going to go after you for visiting those websites (it is free streaming or other websites, of course not very, very bad websites).

  • @torinnbalasar6774
    @torinnbalasar6774 2 years ago +7

    Glad to know I already knew most of these. Only one I missed was part of number 1, that the best practices have shifted to only changing passwords when there's a suspected breach.
    The mention of password managers is somewhat lacking, because they're not infallible either. I recall LastPass had a pretty serious breach sometime in the last few years.

    • @johnd5398
      @johnd5398 1 year ago +1

      While password managers may not be infallible, they are extremely good at encouraging people to use unique passwords for sites as well as using more secure passwords; they are rarely ever breached and, when they are, most can automate the process of changing those same passwords. In the event of a breach, all sensitive user info is encrypted, as well.
      Aside from hardware-based security, nothing else compares, really.

    • @torinnbalasar6774
      @torinnbalasar6774 1 year ago

      @@johnd5398 I agree that password managers are a good thing, but am a lot more skeptical about their security than you. LastPass waited months before notifying their users of a breach, even longer of the severity, and was opaque through the whole process. The breach exposed an undisclosed number of users' vaults, containing both their encrypted passwords and a host of unencrypted information (URLs, billing addresses, etc.), and waited an extreme amount of time before warning anybody that they needed to change their leaked passwords, because they can still be decrypted through brute force in time.
      The problem with password managers is that they can become a single point of failure that is no more secure than any of what it's protecting, and it takes a lot of research to verify that a specific one is reliable and transparent, rather than taking their word for it.

  • @exxon47_
    @exxon47_ 2 years ago +46

    ThioJoe: your browser history can be tracked even if you're using a VPN
    ThioJoe 13 seconds later: Private Internet Access VPN will prevent your browser history from being logged

    • @anxiousearth680
      @anxiousearth680 2 years ago +4

      He was talking about incognito mode on your browser. Not the same as VPNs.

    • @Leonhart_93
      @Leonhart_93 2 years ago +1

      Yeah, you misunderstood completely what he said, I wonder how many people just completely miss information because they skipped words. He said:
      1. incognito is not a VPN
      2. if you log in to a website, you tell them who you are so not even a VPN will help you in that case
      Which infers a VPN should be good enough for any other case you don't input your data.

    • @eldrago19
      @eldrago19 1 year ago

      @@Leonhart_93 Though you will still need Incognito even if you are using a VPN (and a browser that blocks trackers in Incognito).

  • @JacobP81
    @JacobP81 2 years ago +2

    3:23 Regarding Myth 3. Incognito mode AKA private browsing also has separate cookies from the regular mode and starts off with no cookies but can accumulate them. Private mode cookies are cleared when you close all private tabs/windows.

  • @Klusio19
    @Klusio19 2 years ago +17

    About the last one, I believe that if you use SSD and you have TRIM enabled, it's much harder to read that "deleted" data (but NOT impossible!)

    • @johnd5398
      @johnd5398 1 year ago

      More harder? I see you've been failed by public school, also...

    • @Klusio19
      @Klusio19 1 year ago

      @@johnd5398 ?

  • @justaskin8523
    @justaskin8523 1 year ago +1

    Nice video. Some years ago, the word got out that 95% of people who had Windows intrusions, would have avoided it if only they had been using a NON-ADMIN logon account to their local machine. This is why a lot of companies have moved to a stance of nobody having an admin account for everyday use. It's annoying when you can't even use Task Manager to knock a misbehaving app out of memory, or install an updated mouse driver, but when companies started getting tough on that point with their employees, those companies started seeing a lot fewer actual intrusions, especially the really devastating one, ransomware.

  • @NeoMaruLLB
    @NeoMaruLLB 1 year ago +7

    Overall, pretty good. A few technical issues I have though.
    Myth #2, the "padlock icon" or "secured notice" in your browser just means that the browser is detecting that the SSL cert info matches the web server info and is saying that it's "verified". It does NOT however mean that "no-one is in the middle messing with it". Man-in-the-middle attacks still intercept secure traffic links to harvest PII. The attacker spoofs the secure connection and your browser can't detect that there is a third party in the mix.
    Myth 8, more of a technicality, but keyloggers don't take over your computer, they just collect info on what you type to harvest passwords and other PII. Rootkits allow other software to take advantage of vulnerabilities. They allow other malicious software and users to exploit vulnerabilities and gain access to a machine. Technically, neither is capable on its own of taking over your computer.

    • @myopinion6092
      @myopinion6092 2 months ago

      @@NeoMaruLLB less is better .wordy and saying nothing

  • @sludgiebear
    @sludgiebear 2 years ago

    Very good! As a software developer, yes: use a password manager, allow it to generate passwords as long and as complicated as the site will allow, rotate them regularly, don't click any links in emails from addresses you're not 100% sure of, don't visit websites you're not sure of, consider using a VPN, keep things up-to-date, and rock on.

  • @ThunderKat
    @ThunderKat 2 years ago +4

    10:05 That guy holding the notebook deserves an Oscar

  • @aisle_of_view
    @aisle_of_view 1 year ago

    Good video. I was an IT support person for years, the number of times I saw passwords written on Post-Its attached to monitors... I'm convinced that in most cases, computer security merely prevents honest people from getting their work done. Half of the tech calls to corp IT are from users who locked themselves out during a mandatory password change. Management smiles and keeps the policies in place.

  • @OcteractSG
    @OcteractSG 2 years ago +69

    Myth #6 is applicable to Linux. Sure, Linux has some additional protection because it's only about 1% of the operating system market and it relies on software repositories more heavily, but there has been an increase in supply chain attacks that threaten repositories.

    • @kevinwong_2016
      @kevinwong_2016 2 years ago +2

      And mobile devices

    • @oneauraaaaa
      @oneauraaaaa 2 years ago

      Isn't Linux an OS for hackers?

    • @Nelo390
      @Nelo390 2 years ago +22

      @@oneauraaaaa No. More hackers use it for the control it gives you, but the vast majority is non-hackers, and completely law-abiding, techie citizens.

    • @Nelo390
      @Nelo390 2 years ago +17

      @SHAKTI PRASAD SAHOO Open source code also means that vulnerabilities are caught by good people checking the code too, and so major hidden vulnerabilities being abused for long periods of time are impossible to form.

    • @relims
      @relims 2 years ago +14

      @SHAKTI PRASAD SAHOO Open-source software means that the community can read, identify and patch bugs before they are used maliciously. Sure, in some cases, the bad guys get the exploit first and hide it from everyone else, but that's the trade-off for having patches released early.
      Your arguments about getting hacked and your settings changed don't make any sense because it is usually your fault in the first place that led to you getting hacked.

  • @forbiddenera
    @forbiddenera 2 years ago +1

    @2:51 it does a bit more than that.. on Firefox, it prevents service workers from being run. It also prevents cookies and other local storage methods from retaining data beyond the session. It also restricts certain JS related things and prevents some forms of user tracking and a few others I'm not mentioning..but saying it's the only thing is an incorrect blanket statement.

  • @markc6714
    @markc6714 2 years ago +96

    One of the reasons for changing passwords regularly is that people often see the first characters of a colleague typing their password. Over time they work out the whole password. It's definitely a valid procedure

    • @ThioJoe
      @ThioJoe  2 years ago +89

      Except most people just change like 1 letter at the end so it doesn’t help

    • @chad4628
      @chad4628 2 years ago +3

      It's not really the best idea; if you're changing your password, change the entire thing.

    • @markc6714
      @markc6714 2 years ago +10

      @@ThioJoe well that comes down to staff education

    • @Kkooly
      @Kkooly 2 years ago +6

      @Mark C...multifactor authentication greatly reduces the need nowadays. A better solution is to use a random password generator and a password vault with MFA enabled. And in addition use MFA wherever possible.

    • @connorbeam2711
      @connorbeam2711 2 years ago +6

      This comment has been sponsored by Bitwarden.

  • @matthewshields
    @matthewshields 2 years ago +1

    My favorite myth is that everyone needs a VPN. You only need a VPN if you travel frequently and/or have a high security job. There are reasons to want a VPN like accessing region locked content or get around content filters. Privacy really isn't a reason to use VPN because you'll still be tracked around the web.

  • @m1k3y_m1
    @m1k3y_m1 2 years ago +4

    While private browsing isn't perfect, it does more than you give it credit for.
    Cookies are session only, so your searches aren't linked to your Google account and logins from private will be removed when switching back.
    No data is stored clientside.
    Web trackers get blocked.
    Plugins are restricted.
    The most important thing it doesn't protect is ip of you and the servers you're connecting to.

    • @cake0539
      @cake0539 2 years ago

      I use it on sites, that require me to activate cookies. Easiest way to get rid of the cookies once I leave the page

    • @m1k3y_m1
      @m1k3y_m1 2 years ago

      @@cake0539 If you have Firefox, cookie containers in combination with Cookie Quick Manager works well.
      I clean up the default container regularly and sites where I want cookies get their own containers(sometimes multiple for alt accounts)

  • @kylefillingim6258
    @kylefillingim6258 6 months ago

    Great video. Didn't really learn anything, but I know many people, including in the IT department at work who could use this knowledge. I especially liked when you said the length of a password is more important than complexity. I was very angry at my bank a few years ago when they wouldn't let me use my password because it was too long. It was 10 words long, not 10 characters, 10 words. I was also annoyed that I was not allowed to use the space bar in my password. Password rules are often preventing good passwords.
    One other tip I would definitely add to computer security. Only be admin when you have to be. I have a separate admin account that I have to promote myself with a password whenever I am making any meaningful changes to my home PC. It is amazing how many issues get blocked when I realize that no, I don't want to promote myself to admin for that.

  • @seanplace8192
    @seanplace8192 2 years ago +11

    Another security myth is that having strict password rules makes it more difficult to crack passwords. In reality, it just makes it easier for hackers because they can narrow down what the passwords will contain.
    Also, requiring very long passwords is a terrible idea because most users will just go with the bare minimum length. I.e.: If the minimum length is 16, then most will just go with a 16, 17 or at most 18 character password. Now the hackers know the most likely length, and will know it must contain certain characters.
    This is why tech giants like Google and Apple have fairly lax password requirements, I believe both of them require 8 characters, and may require at least one number. This greatly increases entropy because the hackers have very little information they can use to narrow down the possibilities.

    • @AnonyMous-gt8vq
      @AnonyMous-gt8vq 1 year ago +1

      A password with length 16 is impossible to brute force anyway, even if the hacker knows the length. A password with length 12 takes a few days, while length 8 takes mere minutes. So, forcing a minimum length of 12 should be required.
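
An added example (editor's code, not from the video or from any commenter) that puts numbers on the keyspace questions raised in this thread: how much a must-contain-a-digit rule actually removes from the search space, and how a minimum length compares with a wider character set. The class sizes are plain counts of distinct characters; the guess rate passed to `brute_force_seconds` is an assumption the caller supplies, since it depends entirely on the hash function and the attacker's hardware.

```python
import math

# Added example, not from the video or any commenter: sizes the search space a
# password policy leaves. Character-class sizes are counts of distinct characters.
LOWER, UPPER, DIGITS = 26, 26, 10
SHIFT_NUMBER_SYMBOLS = 10   # the symbols on the shifted number keys, !@#$%^&*()
PRINTABLE_ASCII = 95        # everything a US keyboard can type, space included


def keyspace(length, alphabet_size):
    """Number of passwords of exactly `length` drawn from `alphabet_size` characters."""
    return alphabet_size ** length


def bits(count):
    """Search space expressed in bits, assuming each password is equally likely."""
    return math.log2(count)


def keyspace_with_required(length, alphabet_size, required_sizes):
    """Passwords of `length` over an alphabet of `alphabet_size` characters that
    contain at least one character from each required class. Inclusion-exclusion
    over the subsets of required classes that are omitted; models rules such as
    'must contain a digit and a symbol'."""
    count = 0
    for mask in range(1 << len(required_sizes)):
        omitted = sum(size for i, size in enumerate(required_sizes) if mask >> i & 1)
        sign = -1 if bin(mask).count("1") % 2 else 1
        count += sign * (alphabet_size - omitted) ** length
    return count


def keyspace_cut_by_rule(length, alphabet_size, required_sizes):
    """Fraction of the unconstrained keyspace that a composition rule removes."""
    constrained = keyspace_with_required(length, alphabet_size, required_sizes)
    return 1 - constrained / keyspace(length, alphabet_size)


def strength_ratio(len_a, alpha_a, len_b, alpha_b):
    """How many times larger policy A's keyspace is than policy B's."""
    return keyspace(len_a, alpha_a) / keyspace(len_b, alpha_b)


def brute_force_seconds(count, guesses_per_second):
    """Worst-case time to enumerate `count` candidates at an assumed guess rate."""
    return count / guesses_per_second


if __name__ == "__main__":
    # Myth 5 comparison from the video: 15 lowercase letters vs 11 characters drawn
    # from lower, upper, digits and the shifted-number symbols (26+26+10+10 = 72).
    mixed = LOWER + UPPER + DIGITS + SHIFT_NUMBER_SYMBOLS
    ratio = strength_ratio(15, LOWER, 11, mixed)
    print(f"15 lowercase vs 11 mixed: {ratio:.2f}x "
          f"({bits(keyspace(15, LOWER)):.1f} vs {bits(keyspace(11, mixed)):.1f} bits)")
    # What a 'must contain a digit' rule removes from an 8-character alphanumeric space.
    cut = keyspace_cut_by_rule(8, LOWER + UPPER + DIGITS, [DIGITS])
    print(f"digit rule removes {cut:.1%} of 62^8, i.e. {-math.log2(1 - cut):.2f} bits")
    # A 16-character minimum over printable ASCII at an assumed 1e10 guesses/second.
    years = brute_force_seconds(keyspace(16, PRINTABLE_ASCII), 1e10) / 3.15e7
    print(f"16 printable chars at 1e10 guesses/s: {years:.2e} years worst case")
```

Run as a script it prints the 15-vs-11 ratio of roughly 6.2, and it shows that the "must contain a digit" rule trims about a quarter of the 8-character alphanumeric space, which is under half a bit; length dominates, exactly the point the video's myth 5 makes.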

  • @tm-sasanka
    @tm-sasanka 2 years ago +2

    4.44 You keep repeating myths:
    1. Passwords are not encrypted, but hashed - that's a huge difference
    so: 2. There is no such thing as "decrypting passwords" in this case. Hackers can only find matching hashes with brute force, and this method (usually) requires more powerful hardware the longer the password is
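
An added example (editor's code, not from the video or from any commenter) of what merren2306 and tm-sasanka describe: a password store holds a salt and a one-way hash, so there is nothing to "decrypt", and the only thing a leaked record permits is hashing guesses and comparing. It uses PBKDF2-HMAC-SHA256 from the standard library; the default iteration count is an illustrative assumption, not a recommendation for any particular system.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not code from the video or from any commenter: a password store
# keeps a random salt and a slow one-way hash per user, never anything that can be
# "decrypted". Verification recomputes the hash; the only way from a leaked record
# back to the password is to hash guesses, and the iteration count prices each guess.
ITERATIONS = 200_000  # illustrative default; choose it by measuring your own hardware


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Return a storable record: hex salt, iteration count and PBKDF2-HMAC-SHA256 digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def same_password_different_records(password: str, iterations: int = ITERATIONS) -> bool:
    """Two users with the same password get unrelated digests because their salts
    differ, so a leak does not even reveal which accounts share a password."""
    a = hash_password(password, iterations=iterations)
    b = hash_password(password, iterations=iterations)
    return a["hash"] != b["hash"] and verify_password(password, a) and verify_password(password, b)


def guesses_until_match(record: dict, candidates: list) -> int:
    """How many candidates must be hashed before one verifies, or -1 if none does.
    This loop is the entirety of what 'decrypting' a leaked hash means: every guess
    costs a full PBKDF2 run, which is why the iteration count and password length
    together decide whether a leak is survivable."""
    for n, guess in enumerate(candidates, start=1):
        if verify_password(guess, record):
            return n
    return -1


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login with right password:", verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("Correct horse battery staple", record))
    print("two users, same password, different hashes:",
          same_password_different_records("hunter2"))
```

The design point for a defender is that the hash function is chosen to be slow and salted: a fast unsalted hash such as plain SHA-256 would make a leaked table cheap to attack with precomputation, while a salted, iterated hash forces each guess to be paid for separately per user.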

  • @jiba7931
    @jiba7931 2 years ago +3

    Myth #11: You will be a genius level expert, by the end of this video.
    0:11
    Kidding aside 😆

  • @BobfromSydney
    @BobfromSydney 1 year ago +1

    Given that LastPass has been hacked, twice, and had its entire database dumped, would you still recommend them as a password manager? @8:56
    Personally I don't think I can trust any software they release at this point.

  • @ckingpro
    @ckingpro 2 years ago +17

    Really nice video! For myth 5, 15 character with lowercase symbols is 6.2X stronger than 11 character with lower and uppercase, numbers and symbols on shift number keys (not 10x). Myth 10 is becoming true for SSDs. Once you delete a file and empty the recycling bin, Windows sends a TRIM signal. This causes the SSD to immediately return 0. However, behind the scenes, the data may not be garbage collected by the flash controller immediately. But to access the data, you need to contact data recovery (and they don't support all controllers. Unlike hard drives, you can't wait more than a year as SSDs lose their data when unplugged over time)

    • @BoGy1980
      @BoGy1980 2 years ago

      It's not a good idea to trim every time after something was deleted. It IS a good idea to trim weekly or once per day. This way you still have the time to realize you just deleted some files by accident after clearing the garbage bin (or using shift-delete on the files). If you trim every time after deletion, it removes your timeframe to recover any lost data. If you remove daily (let's say on boot, after login, max 1x per day) then you can still boot your machine up again after you had this "Ohhh no, I deleted that tooo... damn"-moment and restore the files. (Or take the drive/computer to a repair specialist who can recover those files for you) I trim weekly on a system that's running 24/7 and never had issues. If you trim because the disk is almost full, and you want the system to give fast access when writing, you're wearing out the little remaining space on your drive by always using the same few memory-cells... you should at least have 10% or more disk space free on your system drive, the more the better, because there's a lot more writing and deleting going on than you probably realize, this causes memory cells to eventually wear out if they get overwritten many times. The more free diskspace you have, the more the diskwrites are spaced out over the available free cells, thus trying to avoid that cells wear out fast.

    • @ckingpro
      @ckingpro 2 years ago

      @@BoGy1980 I mean by not trimming you are just increasing write amplification. You already have recycling bin as a safety net. That the file is not actually deleted is just an implementation detail on hard drives (SMR are changing it so even hard drives have a version of TRIM). Not to mention VSS can also act as another safety net.
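
Several comments in this section (the TRIM discussion here and the earlier ones on SSDs and deleted files) turn on whether the drive and filesystem actually discard freed blocks. The following is an added example (editor's code, not from the video or from any commenter) that reads the discard columns of `lsblk -D` and checks the systemd `fstrim.timer`; the device table embedded below is constructed sample output, and the live helpers assume a Linux host with util-linux and systemd.

```python
import shutil
import subprocess
from typing import Dict, Optional

# Added example, not from the video or any commenter: checks whether a block device
# advertises discard (TRIM) support and whether the periodic fstrim timer is on.
# `lsblk -D -l -n` prints one row per device with the columns
#   NAME DISC-ALN DISC-GRAN DISC-MAX DISC-ZERO
# and a device that cannot discard reports 0B for DISC-GRAN and DISC-MAX.

# Constructed sample standing in for a real `lsblk -D -l -n` run on this machine.
SAMPLE_LSBLK_D = """\
nvme0n1        0      512B       2T         0
nvme0n1p1      0      512B       2T         0
nvme0n1p2      0      512B       2T         0
sda            0        0B       0B         0
sda1           0        0B       0B         0
"""


def parse_discard_table(text: str) -> Dict[str, bool]:
    """Map each device name to True when it supports discard, False otherwise."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed row
        name, disc_gran, disc_max = fields[0], fields[2], fields[3]
        table[name] = disc_gran != "0B" and disc_max != "0B"
    return table


def discard_supported(name: str, text: Optional[str] = None) -> Optional[bool]:
    """True/False for a listed device, None if it is not listed.
    With no `text`, runs lsblk on the current host (Linux with util-linux)."""
    if text is None:
        text = subprocess.run(
            ["lsblk", "-D", "-l", "-n"], capture_output=True, text=True, check=True
        ).stdout
    return parse_discard_table(text).get(name)


def fstrim_timer_enabled() -> Optional[bool]:
    """True if systemd's fstrim.timer is enabled, False if not, None without systemctl.
    If neither this timer nor the `discard` mount option is in use, the filesystem
    never tells the SSD which blocks are free, so deleted data lingers on the flash."""
    if shutil.which("systemctl") is None:
        return None
    result = subprocess.run(
        ["systemctl", "is-enabled", "fstrim.timer"], capture_output=True, text=True
    )
    return result.stdout.strip() == "enabled"


if __name__ == "__main__":
    for dev, ok in parse_discard_table(SAMPLE_LSBLK_D).items():
        print(f"{dev}: discard {'supported' if ok else 'not supported'}")
    print("fstrim.timer enabled:", fstrim_timer_enabled())
```

On Windows the equivalent check is `fsutil behavior query DisableDeleteNotify`, where a value of 0 means delete notifications (TRIM) are sent. Either way, the practical takeaway is the one the thread converges on: TRIM makes recovery of deleted data much less likely, not impossible, and a drive you are disposing of still wants a secure erase or full-disk encryption from the start.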

  • @conlon4332
    @conlon4332 1 year ago +1

    10:48 But if you've already downloaded it to be able to upload it to something, isn't it too late?

  • @anon_y_mousse
    @anon_y_mousse 2 years ago +7

    I've never looked into what quick format does, but I figured it just overwrote the file table, and now that I went back and watched your older video, you confirmed exactly that. Neat that they just did the obvious.

    • @Cheepchipsable
      @Cheepchipsable 1 year ago +1

      This was an implementation from back in the day when people would leave their computers running overnight to defrag. The CPU couldn't handle too many operations at once.

    • @anon_y_mousse
      @anon_y_mousse 1 year ago

      @@Cheepchipsable I miss those days. I would start it defragging before I'd attempt to go to bed and watch it for a while and fall asleep at the desk.

  • @acylonepleidian9665
    @acylonepleidian9665 1 year ago

    I really appreciate that besides good information, concise, but clear, you have gone to the length of mentioning every single edit, its source, and even provided links to locations you went to for checking something. That's good editing, and crediting the spots elements you added to your video.

  • @nekogod
    @nekogod 2 years ago +2

    The password one is such a good one, the company I work for enforces a 30 day password expiration policy with no reuse for 6 months so all that happens is everyone has myfaveword1, myfaveword2 etc. and then when they get to 6 or 7 they loop back around to the first one.

    • @TheHellis
      @TheHellis 2 years ago

      I use the same strategy.
      As long as they require me to change password then I will never create a secure password.
      Complete waste of energy

  • @paulstelian97
    @paulstelian97 2 years ago +1

    On the quick format: What about encrypted drives? Wouldn't the quick format overwrite the encryption key so that the newly-free space is essentially unreadable (AKA you need to find a backup of the overwritten key in order to recover stuff from there)?
    I mean I believe the SATA secure erase command relies on encryption to do so quickly.

  • @theeternal6890
    @theeternal6890 2 years ago +3

    *U recommended a password manager. How can one guy trust some password manager more than his memory. Cuz what if the password manager is not really secure and all of ur unremembrable passwords are store there may get leaked all at once by it. Can u please make a video on "Password Managers" on how they are more safe than having many unique passwords remembered. Is there any really free way to completely secure urself on the internet without buying a VPN or physical key?*

  • @miriamrobarts
    @miriamrobarts 1 year ago

    3:23 Myth #3 Incognito
    I don't know about other browsers, but Chrome has a notice when you open an Incognito window:
    "Now you can browse privately, and other people who use this device won’t see your activity. However, downloads, bookmarks and reading list items will be saved. Learn more
    Chrome won’t save the following information:
    • Your browsing history
    • Cookies and site data
    • Information entered in forms
    Your activity might still be visible to:
    • Websites you visit
    • Your employer or school
    • Your internet service provider
    Block third-party cookies
    When on, sites can't use cookies that track you across the web. Features on some sites may break."
    It's basically good for when you're shopping for someone else who uses the same computer & you don't want to have the surprise be spoiled when the things you were searching for show up in your recent history or autofill into fields (such as when they start typing in a Google Search & it happens to start with the same letter).

  • @mobiusevalon
    @mobiusevalon 2 years ago +4

    I think a pretty big security myth is that security questions are anything but a super easy express lane to stealing your information. People will use basic biographical security questions such as "the city where you met your spouse" or "name of your first pet" which can be located on their public Facebook page in 5 minutes.

    • @futuza
      @futuza 2 years ago +4

      Sure, but most of these security questions don't have to be answered truthfully or insanely. Yes, I grew up in H5h$oso;5M0aFXwoap'Sn2K so what?
      That said companies/sites that use security questions are evil and trying to get their user's information stolen.

  • @jfbeam
    @jfbeam 2 years ago +1

    Myth #2. That lock doesn't mean "secure" it just means "encrypted with a trusted chain of certificates." If you have security software installed on your computer, it can be intercepting your SSL/TLS traffic for "inspection". The browser shows a lock because the software installed a trusted root CA certificate so the software can provide a valid certificate for any URL. (for the software my former employer used, that inspection is done by a remote server, not my own laptop. and within the corp. network, that man-in-the-middle inspection happens at the perimeter firewall, not my laptop, so it can't be disabled.)
    [That was a major pain in the ass for us, as every Java runtime has its own private keystore. That CA cert has to be manually installed in those keystores or nothing will work - certificate validation errors to all sites.]

  • @datasciyinfo5133
    @datasciyinfo5133 1 year ago +3

    LastPass got hacked, real pain in the rear. But mostly good advice for the general user.

  • @blahorgaslisk7763
    @blahorgaslisk7763 1 year ago

    That thing about deleting files made me think of a way to illustrate it, and then I realized that a lot of people wouldn't understand what I was talking about. It went something like this:
    The HDD in your computer works a bit like this. You have a collection of cassette tapes and on each tape you write down what you have recorded on that tape. So you have this C90 cassette with Lynyrd Skynyrd, and one day you realize that it's been years since you listened to it, and if you would want to do so you have the LP, so you strike out the name on the label and now the cassette is free to record something else on and you place it in the box with "empty" cassettes. That's the same as deleting a file on the HDD. Now if you don't record over or erase the cassette and you try to play it there's Lynyrd Skynyrd in all its glory. Same with the HDD, if you read from the part of the disk where the file used to be stored it will still be there unless it has been overwritten by something else. Now if you record an EP single on that "empty" cassette that was your Lynyrd Skynyrd cassette then you will have the single recorded, but after that there's still the part of the Lynyrd Skynyrd LP that was not recorded over by the single you now recorded. Again that's the same with the HDD. If a small new file is recorded over a part of the sectors that contained the original file that was deleted you will now not be able to recover the entire deleted file, but parts of it can still be read.
    I got that far and then I realized that a lot of people watching YT will never have had a cassette player. It's even possible they might never have seen one in real life!
    And suddenly I felt old...

  • @MarcioHuser
    @MarcioHuser 2 years ago +6

    SMS authentication is the WORST 2-factor. Always avoid it if the site/service allows other methods

    • @CiabattaSensei
      @CiabattaSensei 2 years ago

      and why is that? I'm not trying to be rude, I am genuinely curious because I know basically nothing about this topic

    • @MarcioHuser
      @MarcioHuser 2 years ago

      @@CiabattaSensei because they are fragile. Cellphone numbers can be "stolen" (actually transferred onto a new chip, if you have someone inside the cell company to do that for you, or if you can fake the necessary documents to do that in a store) and thieves/scammers can use it to receive any SMS authentication message

  • @TheOnlyName
    @TheOnlyName 2 years ago

    A few comments I have (corresponding to each myth):
    1. My school does this, it's so annoying! They should watch this video lol
    4. Very well explained, thanks, I'll keep this in mind!
    5. Good point!
    9. I knew about physical security keys before, but I had no idea how good they were! Thanks, I'll keep this in mind as I might purchase one in the future.
    10. Woah I actually had no idea, yet it makes so much sense! Thanks again!!

  • @Arokhantos
    @Arokhantos 2 years ago +4

    Just have unique password per account tbh thats enough using same passwords everywhere is one of the biggest risks

  • @Allen1350
    @Allen1350 2 years ago +1

    My YouTube password hasn't changed in at least 10 years. It's a very long password. I've never been hacked. Now, I know why. Thanks for this informative video!

    • @Leonhart_93
      @Leonhart_93 2 years ago +2

      Not necessarily just because of that, it's just that Google didn't and shouldn't get hacked, potentially ever. If they don't have the best security in the world, then who would?
      Your passwords can always be attempted to be guessed in brute force attacks, but the databases can't be stolen by your average hacker attacks like with most other sites.

  • @h0tyyAlcatel
    @h0tyyAlcatel 2 years ago +3

    Remember that malware can be well-obfuscated and have little to no VirusTotal detections

    • @crowdemon_archives
      @crowdemon_archives 2 years ago

      @notfiveo tbh I imagine it's more like "headache in occupation form"

  • @TruthMadeHuman
    @TruthMadeHuman 2 years ago +2

    You missed out something EXTREMELY important:
    *Myth:* If you forget your password to your computer and you were signed in with a Microsoft account, your data is gone forever.
    *Fact:* If you forgot your password to your computer and you were signed in with a Microsoft account, you can reset your password on the site, connect to your computer and try again. If that fails, you can always recover it by system restore. Also, your data isn't "gone forever", just access to that specific installed OS on the machine. You can use an external drive to collect your data since Windows doesn't lock a Hard Drive, just the OS installed on it. If you installed another OS, you can still access your files on the partition as if nothing had happened.
    This is something frequent that you need to bring up. Too many people are falling for this and end up senselessly wiping important information.

  • @4cps777
    @4cps777 2 years ago +3

    Some minor nitpicks:
    LastPass and 1Password are proprietary and should NOT be trusted with your passwords. Also, both of them do cloud synchronization afaik which is another red flag.
    Also, AntiVirus software is useless and does more harm than good. The same goes for 2FA (most of the time).

    • @Madinko12
      @Madinko12 1 year ago

      Agreed on the crappy proprietary password managers. Could you explain why 2FA would do more harm than good though? It's just an extra layer of authentication isn't it? How could that be harmful?

    • @4cps777
      @4cps777 1 year ago

      @@Madinko12 2FA works great in theory. That's it. Now let's look at one of my favourite crappy implementations of 2FA: Discord.
      - In order to use 2FA, you have to give your phone number to the CCP (or rather a company controlled by the CCP)
      - At this point, you might as well post it on doxbin yourself because that is where it will end up inevitably
      because
      - Token stealing still works perfectly fine and since tokens grant access over the whole account (plus some things that aren't accessible through the app) and are only renewed when the password is changed, you're still fucked
      - Someone getting access to my phone number will now result in me getting locked out of my account because the same phone number can now be used to reset the password
      - I now have to carry a mobile spying device with me at all times
      - I also have to trust my phone provider to not screw up (which is bound to happen because phone providers have a local monopoly and are thus allowed to suck infinitely)
      - I don't have any real gains in security over simply using a secure password
      And the reality is that most implementations of 2FA are trash because someone decided to play the good ol' buzzword game and change the meaning of "2FA" from "two factor authentication" (literally) to "please give us a unique identifier which cannot be changed easily and that has already been used to build social graphs for decades and will continue to be used so indefinitely instead of learning how to use a password manager".

    • @Madinko12
      @Madinko12 1 year ago

      @@4cps777 Thanks for your thoughtful answer. That's insightful :) .
      Yeah, non-standard 2FA are most definitely trash.

  • @eldrago19
    @eldrago19 1 year ago +1

    Great video. Just a word of warning though, Private Internet Access was bought recently by a company that used to make software for computer viruses, so you might want to change that.

  • @dr.stephen.strange
    @dr.stephen.strange 2 years ago +4

    Good to know that channel that was once known for click baits is now making such great informative videos!! I'm loving these 🤩

    • @joshbrookes6439
      @joshbrookes6439 2 years ago

      What complete rubbish! This channel has always been the best source for useful and relevant tech information on YouTube, especially for those who aren't necessarily computer gurus or technology experts. If you really must make such negative statements, the inclusion of proof usually does wonders for your credibility, jus sayin

    • @digdeep28
      @digdeep28 2 years ago +2

      @@joshbrookes6439 It is true what Stephen is saying, ThioJoe had videos like: How to download RAM, How to speed up internet for free and many more lying videos.

    • @hegedusuk
      @hegedusuk 2 years ago

      @digdeep how do you download more RAM?

    • @fredericapanon207
      @fredericapanon207 2 years ago +1

      @@hegedusuk you don't download RAM. RAM is a physical integrated circuit on a physical card that plugs into your computer's motherboard. That is the joke.

  • @MateoConLechuga
    @MateoConLechuga 1 year ago +2

    Saying that an antivirus software is going to protect you against zero-day exploits was rather hilarious

  • @lordpuff
    @lordpuff 2 years ago +4

    I'm so happy whenever this man uploads. Let's go dude, keep it up

  • @n_core
    @n_core 1 year ago

    12:41
    If you use those kinds of apps, make sure you have two devices that have access to the 2FA apps.
    I know at first it sounds counter-intuitive from a security perspective. But having two devices that have access to the 2FA code means that if you lose one device, you can disable the account access on the other device. Authy lets you do this and that's why I use it.
    Also, it saves you the time of resetting 2FA on all of your accounts (if necessary), since you must log in using the 2FA code which you don't have access to since you just lost the device. Rather than having to go the hard way of convincing a website or service to reset your account.
    Losing a 2FA device is a nightmare to deal with. Much worse than someone having access to your account.

    • @n_core
      @n_core 1 year ago

      Being secure means not only making yourself as secure as possible but also being able to easily deal with it if you lose security.
      You may keep adding layers of security, but if you don't have something to counter the breach, then you might as well be screwing yourself if that happens.
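    The two-device setup @n_core describes works because both devices hold the same enrolment secret and compute RFC 6238 TOTP from it. The block below is an added example (not code from the video or from any commenter): HOTP/TOTP from scratch with Node's crypto module, the two-device comparison, and the server-side check with a clock-drift window; the secret is the constructed 20-byte test key from RFC 6238.

    ```javascript
    // Added example, not code from the video or the comment thread above.
    // RFC 6238 TOTP from a shared secret, showing why two enrolled devices
    // (or a restored backup of the secret) produce the same six-digit code,
    // plus the server-side check with a small clock-drift window.
    const crypto = require("crypto");

    // HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    // then "dynamic truncation" down to the requested number of digits.
    function hotp(secret, counter, digits = 6) {
      const msg = Buffer.alloc(8);
      msg.writeBigUInt64BE(BigInt(counter));
      const mac = crypto.createHmac("sha1", secret).update(msg).digest();
      const offset = mac[mac.length - 1] & 0x0f;
      const binary =
        ((mac[offset] & 0x7f) << 24) |
        ((mac[offset + 1] & 0xff) << 16) |
        ((mac[offset + 2] & 0xff) << 8) |
        (mac[offset + 3] & 0xff);
      return String(binary % 10 ** digits).padStart(digits, "0");
    }

    // TOTP (RFC 6238): the counter is the number of 30-second steps since epoch.
    function totp(secret, unixSeconds, step = 30, digits = 6) {
      return hotp(secret, Math.floor(unixSeconds / step), digits);
    }

    // What the commenter describes: the phone and the backup device hold the
    // same secret, so at any moment they show the same code. Nothing is
    // exchanged at login time; only the enrolment secret was copied.
    function codesOnTwoDevices(secret, unixSeconds) {
      const phone = totp(secret, unixSeconds);
      const backup = totp(secret, unixSeconds);
      return { phone, backup, identical: phone === backup };
    }

    // Server side: accept the current step and `window` steps either side to
    // tolerate clock drift. A real verifier must also remember codes it has
    // already accepted so one code cannot be replayed within the window.
    function verifyTotp(secret, candidate, unixSeconds, step = 30, window = 1) {
      const counter = Math.floor(unixSeconds / step);
      for (let c = counter - window; c <= counter + window; c++) {
        if (c < 0) continue; // no negative counters near the epoch
        const expected = hotp(secret, c);
        if (
          expected.length === candidate.length &&
          crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(candidate))
        ) {
          return true;
        }
      }
      return false;
    }

    // Constructed sample secret: the 20-byte ASCII test key from RFC 6238.
    const DEMO_SECRET = Buffer.from("12345678901234567890", "ascii");

    if (require.main === module) {
      console.log(codesOnTwoDevices(DEMO_SECRET, Math.floor(Date.now() / 1000)));
    }
    ```

    Because the secret is all that matters, a backup of the enrolment QR code or seed is equivalent to a second device, and it needs the same protection as the device itself.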

  • @kittentheboss2796
    @kittentheboss2796 2 years ago +12

    #6 & 7 I don't particularly agree with. Antiviruses are a pain for me as the local town tech. Most common day users in my area install antiviruses without knowing what they do every day. What most likely happens is they go off and buy a premium version thinking they need it, but it just ends up constantly scanning the disk daily, taking up disk resources and overall making it slower. The worst is when this goes on for a long period of time. Hard drives only have a 3-6 year life span and antiviruses do not help this. Windows has one already built in; you don't need a third-party antivirus unless you've disabled Windows Defender. As you mentioned before, sites like VirusTotal are out there to help users determine if a file is trustworthy. Personally I have Windows Defender disabled in the registry because I have malware on my system in a contained environment that I like to mess with on VMs. If I do scan for viruses, it's with Malwarebytes. I scan once a year, then make sure it is closed in the task manager after use and disabled on startup.

    • @alphanumeric6582
      @alphanumeric6582 2 years ago

      Right on! Following this guy's tip being Crazy Suspicious of anything also comes to mind as these antiviruses can be a ploy to collect your data and sell it to third parties without your consent or at least because someone didn't read their terms of service. VirusTotal is a blessing

  • @TheAdwatson
    @TheAdwatson 2 years ago

    There is a problem with two-factor authentication. A non-technical friend of mine was stuck in the UK due to Covid19 restrictions. This meant that the SIM card for his prepay phone from New Zealand expired. He asked me to help him bring his old number to his new provider because they said it was possible. Unfortunately, part of the process involved me setting up an account with the new provider, which appeared to be successful, until I tried to login to their number transfer page. The two-factor code was texted to the old number, which was not available as it had expired. Several emails later and the new provider still doesn't get it.

  • @FalloutGod
    @FalloutGod 1 year ago +1

    9:06 lol that lastpass recommendation hasn't aged well

  • @KenJackson_US
    @KenJackson_US 2 years ago +30

    The biggest myth of all is that it's possible to keep your Microsoft Windows PC secure.

    • @IIGrayfoxII
      @IIGrayfoxII 2 years ago +2

      It is possible, one just has to tiptoe and be willing to make changes to make it so.

    • @tysloo81
      @tysloo81 2 years ago +4

      It can be secure, just not your data. What goes online stays online. You can run your browser in a sandbox and use an onscreen keyboard to prevent a keylogger from logging what you type, but what you type into a phishing or scam website still stays on the site.

    • @KenJackson_US
      @KenJackson_US 2 years ago

      The point is, @@tysloo81, Microsoft unavoidably has access. And Bill Gates is one of the least trustworthy people on earth.

    • @vipervidsgamingplus5723
      @vipervidsgamingplus5723 2 years ago +9

      Every computer can be secure, just don't connect it to the internet.

    • @IIGrayfoxII
      @IIGrayfoxII 2 years ago +4

      @@vipervidsgamingplus5723 Still not good enough.
      You can still have issues without internet.
      An infected USB drive plugged into the PC.
      A stupid user causing problems

  • @Mariethechaotic
    @Mariethechaotic 2 years ago +1

    I'm going to binge your videos and claim the hours for work.... I teach a computer school for seniors and people with disabilities at a non-profit, and most of it is pretty basic stuff that I, as a millennial with a bachelor's degree in business/marketing, could do in my sleep. However, every once in a while the more technical problems come up, and you've summed up some of those answers really well just in this one video. Thank you!

  • @amandabueno6356
    @amandabueno6356 2 years ago +6

    pro tip: if you really need/want to change your passwords frequently, change to a really secure password and note them in a physical notebook. No one in the digital world can mess with your analog stuff :)

    • @pokeyjojo5691
      @pokeyjojo5691 2 years ago +2

      Until the notebook gets lost :(

    • @RebrandSoon0000
      @RebrandSoon0000 2 years ago +1

      @@pokeyjojo5691 Or dog eats it, or worse, a demogorgon. :(

  • @luke7387
    @luke7387 3 months ago +1

    3:33 I notice while you were showing your previous payments that it says "Login" at the top... bit sus

  • @theeternal6890
    @theeternal6890 2 years ago +7

    *The fact that many government websites in India don't have "Padlock" encryption certification and I have to click "Continue to unsafe site" and then enter my "Secure" information anyway. So it's useless. Even some websites are unopenable because of such security thingy.*

  • @Astromath
    @Astromath 1 year ago

    7:36 I heard that the "perfect" password is made from (at least) 3 random words put together and then just adding a random symbol (not a hashtag, something more uncommon) somewhere in the middle

  • @mr88cet
    @mr88cet 2 years ago +6

    I wouldn’t recommend being *crazy* suspicious, but yes, if you see something that looks weird, then stop and think where your vulnerabilities lie.
    I know people who are convinced that everything they experience that seems weird must mean that somebody has hacked into their computers.
    Most importantly, be aware by watching lots of ThioJoe videos!

  • @Florianski
    @Florianski 2 years ago

    12:48 but you can back up Google Authenticator? I have it on separate devices so that if I lose my phone I can still access my 2FA

  • @pyp2205
    @pyp2205 2 years ago +5

    Well looks like I didn't really believe in much of those myths. Some I did in the past, but I learned on my own that it's false. Like whenever I would update my passwords at least twice a year, I mostly try to make it longer. And I would possibly change them whenever there might have been a data breach.
    As for Antiviruses, it seems quite obvious that you would always need one even if you're good with tech. Plus whenever there's new malware, then of course your antivirus isn't going to know about it.
    I remember some frustrating things that happen whenever I make normal non-harmful applications. My antivirus can be like "Hold on! This file looks suspicious!", and I'm like "Come on! This isn't even a virus!". One time, when I made an audio converter program that deleted the old audio file, my antivirus saw it as ransomware. And I did of course get to restore it, since it wasn't ransomware. Sometimes an antivirus can get in the way of even the most normal stuff. But it's better to have one than to get an actual virus or malware on your system.

    • @damnstupidoldidiot8776
      @damnstupidoldidiot8776 2 years ago

      I can only think of rare cases when an antivirus would catch a malicious program that gets past me, and even in that case I'd probably think it's a false positive like it usually is and override it anyways. Don't think antivirus is necessary, gets in the way too much, and I don't think it can protect you from attacks that don't require user interaction.

  • @sshhacker
    @sshhacker 1 year ago +1

    People commonly have misconceptions about IP addresses. Whenever someone says "I hAvE yOuR IP AdDrEsS!", I know that they have absolutely no idea of what an IP address *is*. Whenever someone asks me that, I'll just explain to them that "every website has your IP address. Your IP address is the *first* thing your computer gives to every website that you visit." The fact that those people think that simply saying some IP address is going to scare others just infuriates me.

  • @Yenkna_PCs
    @Yenkna_PCs 2 years ago +5

    LastPass is part of a data breach.

  • @astrosteve
    @astrosteve 1 year ago +1

    I used to be one of those people who thought "I know what I'm doing, I don't need an antivirus." And I was okay for a few years until one day my computer started acting really strangely and I couldn't figure out what was going on. After a few days of googling and trying everything I could to fix it with no results, I downloaded a virus scanner and ran it. Sure enough, I had two viruses on my system that were causing all the problems. I recently had to disable my virus scanner when attempting to determine the source of a problem, and I learned Windows incessantly bothers you, telling you you don't have a virus scanner running, if everything is turned off.

  • @lunarincorporated
    @lunarincorporated 2 years ago +12

    “never underestimate windows security”

  • @Shajirr_
    @Shajirr_ 1 year ago

    8:16 I did a version of this with ICQ when it was still in use.
    Create a mask for ICQ numbers you want, generate a list of numbers to check for using this mask, pick a password to check for (or a list like in the video example), get a list of IP addresses to pass your traffic through to not get IP banned for password bruteforcing, and off you go!

  • @andrew7720
    @andrew7720 2 years ago +1

    #1 really hit home.
    At my work, due to company policy and because it's a requirement from most of our clients, our passwords expire every 90 days. And they have to be a minimum of 12 characters with at least one capital, one symbol and one number in them. It makes it such a pain in the ass every 90 days to come up with something new, and then remember it.

  • @NFITC1
    @NFITC1 1 year ago

    As an IT professional, I knew all of these from my decades of experience on the Internet. One other option for your Myth 10 is a digital shredder like SafeIT. Those programs can either write 0s or 1s to the newly "freed" disc space. This makes files 100% irretrievable on SSDs and other flash-based memory storage devices. It can make HDDs irretrievable with multiple passes.
    I knew a guy that went through cyber security training and was told that some REALLY sophisticated labs exist that could read shredded files off a HDD by looking at the physical surface of a disc platter. Something about the alignment of the magnetic rings can tell whether it had been changed from a 1 to a 0 "recently". I don't believe this was practical and only used in extreme cases when the FBI might have believed there was seriously dangerous information on a fully formatted HDD.

  • @Jmcgee1125
    @Jmcgee1125 2 years ago

    14:29 Is there a tool to irrecoverably wipe an SSD? I know DBAN (and derivatives) for hard drives, but that's not going to work on an SSD because of wear leveling stuff.

    • @VadimCool
      @VadimCool 2 years ago

      If you ask the wrong question, you'll receive a wrong answer. 😆 SSDs do not delete data the same way as HDDs. An HDD would need to use multiple passes, at least 7 passes, to wipe most of your HDD data. But SSDs have blocks. So once you delete it with even 1 pass, then that block is gone! And I guess he just showed you the tool, the default Windows tool to erase the data with. So what is your question???

    • @Jmcgee1125
      @Jmcgee1125 2 years ago

      @@VadimCool An SSD can only wipe a full block. Once a drive gets sufficiently filled, it's no longer a good idea (performance or longevity-wise) to delete and rewrite the entire block just to remove some data in it. So, that portion is marked as free but is not overwritten. If my understanding is correct, then you would need to overcome that to do a full wipe.

    • @VadimCool
      @VadimCool 2 years ago

      @@Jmcgee1125 well 😄 I can't speak for the performance issues, as HDDs are often like 10x slower to begin with. But doing 1 pass on an SSD would still wipe the data, and that is our goal. But if you do the same on an HDD, you would need multiple passes. But 1 pass on an SSD is sufficient. No need to additionally do anything there. It's overkill.

    • @VadimCool
      @VadimCool 2 years ago +1

      But if you want a program to erase data, then I use File Shredder.

  • @AidenRKrone
    @AidenRKrone 1 year ago

    My employer is one of those companies that makes employees change their company passwords every 90 days, and they make supervisors and managers change the company VPN login credentials every 30 days. It's frustrating and time-consuming, especially since almost everyone who works there, including the managers, are older people who are effectively computer illiterate. Most of them are so bad at remembering passwords that the supervisor keeps a paper document with their passwords in the drawer in the office.

  • @rogercroft3218
    @rogercroft3218 1 year ago

    With regard to Virus Total - what happens to documents (e.g. docs, pdfs, etc.) you upload there? Are they retained on the site and would they then be available to others?
    If so, one should be careful not to check any with sensitive information in them.

  • @sadtechgeek
    @sadtechgeek 2 years ago

    The padlock icon also means your data (e.g. login information) is encrypted both ways. It's good to know because some VPN providers also claim that your connection is encrypted by their service to/from any website you use (padlock icon or not) but that's not possible.
    When you use a VPN, a tunnel is created between you and the VPN that encrypts your data. So it prevents anyone from "seeing" your data between you and the VPN server.
    But it can't do anything about the part between the VPN and the website. If you access a server that doesn't have the padlock icon, your VPN can't protect your data from prying eyes. If it does have a padlock icon, you don't need to worry about encrypting your data, the browser and server do it for you. So if that's the only reason you're getting a VPN, not much point except that it does encrypt part of the path between you and the server so it's doubly encrypted for that section.
    But a VPN is great for the other stuff, hiding your IP, bypassing geo-locking, and hiding your information from your ISP for those non-padlocked sites. It'd also prevent your DNS information from being exposed for padlocked or non-padlocked sites. So your ISP and anyone between you and the VPN won't know what websites you browsed even if they don't know what is in the data. That's good in those more freedom-challenged countries especially.

  • @KiR_3d
    @KiR_3d 2 years ago

    7:20 - I use some sort of a system for passwords: I have a text file (with no txt extension, of course) which serves as a password reminder. There I write every new password with dots or asterisks instead of some letters and symbols that I have in my head and on a paper (in a safe place). So for example I write "my old online-chess password plus my year of birth plus my band's name without spaces" etc.
    Some passwords have no "base word" (that is, nothing is stored on the PC); they're just descriptive in a manner like "our dead black dog's name, semi-poodle-semi-rottweiler dog's name" plus some year numbers with dots and another explanation of how to get it from my head. Nobody knows any of my dogs' names; these are not in social networks. Nowhere, literally.
    But actually the length isn't very satisfying. It's usually about 14-18 symbols. I guess it's not very safe yet :)
    P.S. I have a "trash pass" of course. For "special" sites ;)

  • @duet_1959
    @duet_1959 2 years ago

    10:13 I love how the guy slamming the MacBook had flipped the lid upside down and was using the keyboard as his screen lol 😂

  • @Doge36064
    @Doge36064 2 years ago

    coming back 2 years later watching a video, this guy is still making legendary videos.

  • @Liggliluff
    @Liggliluff 2 years ago +2

    (3:15) So using a VPN isn't going to hide my activity?
    (3:55) So using a VPN is going to hide my activity?

  • @donald-parker
    @donald-parker 2 years ago +2

    I would be interested in your opinions about Windows Sandbox and/or using virtual machines. For example, for testing attachments or links in emails you think might be ok but you are not 100% sure. Also, I would be interested in security approaches when using touch screens. I am used to using "mouse hover" to see the real link before clicking on it. I have no idea how to "hover" on a touch screen.

    • @rednexie
      @rednexie 1 year ago

      The link that you saw when you hovered on it might not be secure, since there is a trick to hide it. On websites, you can put a link to a page, and inside that link element you can use an "onclick" function. That function returns false and prevents the default action (blocks you from going to the true link), and after that it changes the page location to a different malicious page or clicks a different hidden link element.
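      The handler trick @rednexie describes is one of several reasons a hover preview can mislead. As an added example (not code from the video or from any commenter), the block below audits link records of the kind a browser exposes through document.links and reports each reason the preview cannot be trusted; the SAMPLE_LINKS records and their hostnames are constructed placeholders.

      ```javascript
      // Added example, not code from the video or the comment above. It audits
      // link records (text, href, on* handler attributes) and flags the cases
      // where the URL shown on hover cannot be trusted. SAMPLE_LINKS is
      // constructed sample data standing in for parsed <a> elements.

      // Hostname of a URL-like string, or null if the string is not a URL.
      // Text without a scheme only counts if it looks like a domain name, so
      // ordinary link text such as "Login" is not mistaken for a destination.
      function hostOf(s) {
        const text = s.trim();
        const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(text);
        const looksLikeDomain = /^[a-z0-9-]+(\.[a-z0-9-]+)+(\/|$)/i.test(text);
        if (!hasScheme && !looksLikeDomain) return null;
        try {
          return new URL(hasScheme ? text : "https://" + text)
            .hostname.toLowerCase().replace(/^www\./, "");
        } catch {
          return null;
        }
      }

      const CLICK_HANDLERS = ["onclick", "onmousedown", "onmouseup", "onauxclick"];

      // Returns the list of reasons this link's hover preview is unreliable.
      function auditLink(link) {
        const findings = [];
        const href = (link.href || "").trim();
        if (/^javascript:/i.test(href)) {
          findings.push("javascript: href has no real destination");
        }
        // A click-time handler can cancel the default navigation and send the
        // browser somewhere else, which is exactly the trick described above.
        for (const h of CLICK_HANDLERS) {
          if (link[h]) findings.push(`${h} handler can override navigation`);
        }
        // Text that itself looks like a URL but points at a different host.
        const shown = hostOf(link.text || "");
        const real = hostOf(href);
        if (shown && real && shown !== real) {
          findings.push(`text shows ${shown} but href goes to ${real}`);
        }
        return findings;
      }

      // Audit every link and keep only those with findings.
      function auditLinks(links) {
        return links
          .map((l) => ({ href: l.href, findings: auditLink(l) }))
          .filter((r) => r.findings.length > 0);
      }

      // Constructed sample data; all hostnames are placeholders.
      const SAMPLE_LINKS = [
        { text: "https://bank.example/login", href: "https://bank.example/login" },
        { text: "https://bank.example/login", href: "https://bank.example/login",
          onclick: "location.href='https://login-bank.example/'; return false;" },
        { text: "Open document", href: "javascript:void(0)" },
        { text: "www.bank.example", href: "https://bank.example.phish.example/" },
      ];
      ```

      Handlers attached with addEventListener do not show up as on* attributes, so an empty report is not proof that a link is safe; it only catches the visible cases.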

  • @iamaylacat3935
    @iamaylacat3935 1 year ago

    15:57
    I generally think of myself as decent with computers. While trying to download a specific driver installer (came preinstalled on my device, had removed it because it was messing with some programs, but needed it as it was the only place to get a few drivers from) I got caught out by Bing of all things - hadn't realised that it reset my default browser. The website I needed was stuck on page 3 of bing, the website I got was adware. I got lucky in recognising the installer, as it had been stylised directly to imitate the program I was after as well.

  • @mastermewtwo5503
    @mastermewtwo5503 1 year ago

    It's funny how in video games and shows, a character might be the head of an important secret organization, but their computer password is like, a pet or a birthday [sometimes the password is a straight name, not even with numbers mixed in]. They don't even have two-factor authentication or anything for the extra security. Those characters really need to watch videos like this or something.