
3 Lessons From a Hacker Conference That Can Keep You Safe Online

Getting hacked is not inevitable, but human behavior can be the weak link



If you go to Las Vegas for the Black Hat cybersecurity conference, don't bet on spotting people there using burner phones in place of their usual smartphones.

Nor should you plan on seeing attendees anxiously using a burner laptop, stripped of most of its usual apps and data.

That’s not just because Black Hat, which featured training sessions and briefings in early August, is a professional event that requires work. Security professionals know that despite such high-profile mishaps as July’s CrowdStrike-induced outage, our gadgets have gotten much more secure.

So while longtime attendees can recall when burner devices were common, things have changed.

“It’s not really that way anymore,” Neil Wyler, a network administrator for the conference and the rest of the year a vice president at the security firm Coalfire, said in a panel.

1. Devices have stronger defenses

New computers or the newest smartphones will not only offer more speed and storage than their predecessors but also be far more secure. Apple, Google and Microsoft have upgraded their defenses considerably in recent years, to the point where their built-in malware defenses mean you shouldn’t have to pay for third-party anti-malware software.

However, you should enable automatic updates on your devices so they can fight off any problems from outside with quick fixes.

In another Black Hat talk, Natalie Silvanovich, team lead at Google’s Project Zero, explained how that team and other initiatives to document vulnerabilities helped push software firms to improve their act. In web browsers, for example, Project Zero and other researchers found so many bugs in Adobe’s once-common Flash browser plug-in that Adobe finally scrapped it, deleting an entire “attack surface.”

Microsoft retired its widely attacked Internet Explorer browser and moved its Edge browser to the same framework as Google’s Chrome. And that yielded further upgrades in software we all use online.

Silvanovich also shared a heartening statistic about how much faster developers fix flaws: When Project Zero started in 2010, its researchers saw vendors patching 14 percent of vulnerabilities within 90 days of the team reporting them. Now it's 97.5 percent.

2. Websites and devices have encryption built in

Web browsers almost always encrypt connections to sites, ensuring that any snoop on the same network knows only the domain names of sites you visit — for instance, aarp.org but not this page’s address.

Google’s statistics from Chrome users who opt to share usage data show that 94 percent of all pages loaded in Chrome for Windows are encrypted against eavesdropping, with shares for Android and macOS even higher. Reputable websites have helped by moving to the hypertext transfer protocol secure (HTTPS) standard, ensuring that URLs, cookies and other sensitive data can’t be monitored, modified or impersonated.

So while using a virtual private network (VPN) service can stop a site from tracking you via your device’s Internet Protocol address, you don’t need a VPN for baseline privacy online.

Similar encryption secures almost all consumers’ email in transit. Other Google stats show that 98 percent of messages sent from Gmail travel encrypted and 99 percent arrive encrypted. Ten years ago, about three-quarters were sent encrypted and less than two-thirds arrived encrypted.

But some older mail systems used in businesses lag behind this, leading to the weird phenomenon of some Black Hat attendees sending messages unencrypted at a hacker conference. In that network panel, Wyler mocked those services’ obsolescence: “It is 2024. You have to try to send an email insecure.”

Macs, PCs, iPhones, iPads and Android devices also now encrypt their storage automatically. Unless somebody knows your passcode or password, someone who finds your device shouldn’t be able to read your data, even if the person dismantles it.


3. Human beings remain vulnerable to exploitation

Determined attackers with sufficient resources and time still can do grave damage. One talk explained how to use a laser beam to compromise a computer chip’s security and read data from it, but so many attacks these days target a system easier to circumvent and harder to patch — the human brain.

That’s why pressure to act quickly remains a part of scammers’ repertoire, and verifying information on your own before engaging is still important.

Security experts recognize that their systems can’t demand expert-level caution from users. These days, password managers flag reused passwords and make it easier to change them, and passkeys were developed to thwart phishing sites.

Moxie Marlinspike, the pseudonym of developer Matthew Rosenfeld of the Signal encrypted-messaging app, told attendees in a keynote session that their core task is to manage complexity for their users, not expect them to appreciate that complexity as much as developers might.

In the panel that closed out the conference, Window Snyder, CEO of the security firm Thistle Technologies, offered a concise definition of what the goal should be for consumers: “Clicking on the link should not be a dangerous prospect.”
