2016-08-17



"You're not hacking Bank of America where someone has spent a lot of money to make sure that no one can get into that."

On a recent episode of Too Embarrassed to Ask, The Verge’s Russell Brandom spoke with Recode’s Kara Swisher and The Verge’s Lauren Goode about what happens if America’s voting machines get hacked.

Below, we’ve posted a lightly edited complete transcript of their conversation.

Transcript by Celia Fogel.

Lauren Goode: We've brought in Russell Brandom from The Verge. He is my esteemed colleague over at The Verge, and he covers all things cyber security. Russell, thank you for joining us.

Kara Swisher: Yes, he's sitting right across from me and he's giving me the creeps with all this hacking situation. I wrote a lot about hacking this weekend, I'm very excited to talk about it. There's a lot going on.

LG: So Russell, tell us what the latest is. We're talking about this because news reports [have] started to leak out that it was believed that Russian intelligence services hacked the DNC. Tell us what's going on.

KS: Yeah, it's Putin essentially. And then they also possibly hacked the Clinton campaign computer systems and possibly others.

Russell Brandom: So this is one of the weird things. My pet thing is the word "hacking." While it's catchy, it's a little weird because it lumps all this stuff together. The thing with the DNC was [that] they’ve got this huge email archive that somehow found its way to WikiLeaks.

KS: Somehow.

And it was really embarrassing. This is not something that's going to be worth a lot of money if you're a criminal hacker, but it certainly was really embarrassing. Debbie Wasserman Schultz ended up resigning as chair of the DNC.

KS: This is the representative who's chairman of Florida.

It was clearly very damaging to her, and damaging. This was not the impression that they wanted to be starting the convention with.

LG: And she resigned because her emails were showing a bias toward the Clinton campaign and against Bernie Sanders.

Yeah and there was a lot of, you know — after you get off the phone with someone you don't like and you’re like, "I cannot believe this horrible person!"

LG: Yeah, like every time Kara wraps a podcast taping with me.

So the Democratic Congressional Campaign Committee hack was a little weird, because it seems like it was intercepting information that people were sending to the DCCC.

KS: Yeah, financial information.

Which is obviously bad news for the donors, but it also doesn't necessarily mean that the actual DCCC website was compromised, or any of the information that they had themselves was compromised. It wasn't that their big list of names and credit card numbers came out, it was that some of [what] they thought they were sending to the good guys, they were really sending it to the bad guys.

And then, the Clinton campaign: There had been rumors that they may have been targeted for a while. There was, I think, a New York Times report a few months ago. And then we got, late Friday, this admittedly good scoop: They weren't just attempts, someone got in. But then it's kind of not clear what they got. If you read the article, all it said was, "It was hacked."

KS: An analysis part of the program. They're being very…

Yeah. Well so this is the thing: So then the Clinton campaign says, "Oh no, it was just our voter targeting information," which is like, well, you know, rust belt voters care about the economy and we should talk about the economy when we... and like, if we know this about a person, what messaging do we want. Which I'm sure they spent a lot of money on but is not super sensitive or it's not politically sensitive, you're not going to gain anything by releasing that.

But also the Clinton campaign, it's in their interest to minimize it, so I don't know that we can entirely take them at their word, but it is one of these things where it's just…

KS: Well, you're not going to say, I mean it's just like Sony. You're going to be very quiet about what was taken, how was it taken, and everything else so you don't set off a chain reaction.

Yeah. So it's one of these things where they're all hacks, but when you lay it out like that it's not clear if all of these people want the same thing.

KS: Let's just say it's not good.

No, it's certainly not good.

KS: Russell, this is not good, and it's Putin.

LG: It's a breach of some sort.

You're going to get me in trouble now! I mean, it is just like Sony in that Putin is sort of, you know, someone…

KS: I'm just using that as a broad Russian thing.

Well yeah. No, but I mean this is very dicey. Anytime one of these things come up, attribution, who did it, is the first question.

KS: I believe most of the reporting says it's the Russian intelligence services, which he ran once. So I mean, this is essentially an attack from Russia apparently. And then there's a question of how our administration, our government, should respond to it.

I think the weird thing about it, though, and I think the reason there's a lot of — amongst security writers everyone [is] very very nervous basically about ever saying anything. I mean, Vice just did a whole documentary about how Sony wasn't North Korea and everything's fine. But I think the really sort of proof, evidence, you never really see. It's never really public. And also the only people who get it are private security companies and the government and we aren't really trustees to those people. So you very easily end up in this place where it's like, "Well, there have been indications but who really knows?" and yadda yadda.

KS: Yeah, but still. Is it part of a larger wave of cyber security hacks? It just seems like every day there's something and for whatever nefarious reason or whatever political reason or financial reason, it's just increased. Or maybe we just know about it.

Well, I think there is this sense of, you know, it's the IT revolution. That's a couple revolutions ago now, but as more of these things come online, it's harder and harder to make sure everything is locked down. And no one really knows what the best practices are. And there's no easy answer to it, like, "Let's just buy everyone an iPhone and everything will be taken care of." There isn't a simple fix for it.

KS: What kind of hack was this exactly? This recent hack.

Which one?

KS: The DNC hack.

The DNC hack seems to have been spear phishing. So they sent someone an email with some attachment and they opened the attachment.

KS: Which is common and easy.

Yeah, no, it's just generally how these things came in. It doesn't seem like they had a new vulnerability to it but it was just that it was sort of downloaded through this email system and then once some user of it clicked "yes" to the attachment then from there it sort of spread until they had everything on the email system.

LG: Russell, when we were chatting earlier about this, we were basically saying how it feels like everything is vulnerable these days, right? And so most of the security solutions that we're seeing are just — there are vulnerabilities and some people are keeping on top of them and patching them as needed. And in other cases, the patching is not being done. And so it's just a race to [see] who can expose or patch these vulnerabilities first and it seems like it's almost inevitable.

Yeah, I was going to say in this case there wasn't a zero day vulnerability, which is one where no one even knew it was out there. We've known about it for zero days. But generally you don't really need one of those. It's something like 99 percent of intrusions that happen, it's sort of a known vulnerability that either no one had written up a patch — which does happen, it's like six months between when these are disclosed and when people get around to fixing them. Or it had been patched but the patch just hadn't made it out. I think the thing with the DNC, and this is a little tricky because I'm going to get in a little bit of trouble in terms of free software, but probably the worst, if you were to pin it down to a single choice they made, they were running their own email server. Not in a Hillary way, although sort of like that…

KS: [laughs] In a Hillary way.

We don't know exactly the software they used but it was —

KS: It probably wasn't the finest grade.

— similar to Exchange. A sort of Microsoft [product].

KS: It was not weapons grade.

Yeah, exactly. But the main thing is, it wasn't just an instance of Gmail where you would have, if someone attacks your instance of Gmail, it's sitting on the same cloud server with all the other instances of Gmail and they have some person who's looking at all of them and if weird stuff starts happening …

KS: They can shut it down. So what is the most common form of hacking these days?

I would say generally if you talked to the penetration testers, which is someone you hire to hack your own company —

KS: It sounds dirty.

[laughs] Right. They say the simplest thing is always spear phishing because it's specific. So you say, "Okay, who are Russell's friends? What's the name of Russell's landlord?" And then I'm going to dummy up an email that's from Russell's landlord, it's going to have this attachment and then I'm going to say, "Oh my gosh, we need you to sign this document or you're going to be evicted tomorrow." And then that's a pretty good way for me to open an attachment. So then I open it and that's it. That's generally how they get in. And it's just a matter of, you know, you've got mice in your house, how do you get the mice out of the house?

KS: I move houses.

[laughs] Oh really? Sometimes you have to.

LG: What are some other examples of that? Was the Target hack from a couple of years ago a result of spear phishing? Was the Sony hack?

That one [Target] was interesting. The whole cycle of payment processes — they weren't really payment processes but point-of-sale hacks. So this was Target, Home Depot, PF Chang's was in there I think. And it was sort of different versions of the same software that would just hit place after place after place. Now we have a whole different, you know, we’ve permanently changed the balance of power between stores and credit card companies. They were trying to get onto this point-of-sale terminal which is the tiny computer you put your credit card into, which is harder to get into because it doesn't go onto the internet. You're not opening your email on it. So they went in, they compromised — I think in Target specifically, they compromised the company that was providing air conditioning services to Target Corporate? And then they compromised them and then somehow from there they were able to jump over to the Target network.

KS: So there's almost no way to keep people out, it feels like that at this point.

Well, yes. The change in perspective in the last few years has been, it's not about building a high wall, it's about finding out as soon as they’re in. So you sort of have awareness of when they get in and then being really good at getting them out as opposed to just saying, "Our plan is no one ever gets in." So instead of just having a big wall and then people just chip at it until eventually they get through the wall, you're kind of keeping an eye on it and then you see everything that comes in. And so you just have a very good awareness of what's happening instead of really hardening it and counting on nothing ever getting in.

LG: So there's spear phishing attacks, there's attacks on financial services or point-of-sale systems we should say in this case, there's obviously like Stuxnet which was a zero day event, right, which is categorized differently from the other things we're talking about. What are [other] kinds of hacks? Does skimming count as a hack?

The wording kind of means everything. The way I think about it is the motivation. And sometimes that can be a little fuzzy too. But fundamentally, most of the time it's just people looking for money. And so they want anything that they can get: They want your credit card number, or they want your social security card number, or they want a large database that they can sell for money, and then this sort of gets passed around. And that's most of it and most of those people aren't very good.

KS: It's like petty thievery.

Yeah, exactly. And that's also the thing that you probably have to worry about the most. If it's just in terms of, "Who took over my mom's Facebook account?" It was just some random criminal so he could ask people to wire him money.

KS: But in a more serious way we talk about that and everyone's sort of like, "The way things are going to be." But I had written a story this week about Bruce Schneier’s blog [in which] he talked about voting machines, which has been a debate for years about the vulnerability of voting machines. It was even a plot point on "Scandal" — the president won his job from a voting machine.

LG: And if it was on ABC Primetime…

KS: But he was talking about the serious vulnerability of voting booths and that Russians could target these voting machines, and suggested a number of things like a paper trail, and no internet voting whatsoever. Like he was sort of underscoring that idea, which is coming, I think: Internet voting.

It's tricky. I think the big thing is you would have to change politically what voting means. Because the main reason we have non-remote voting is just old school Tammany Hall era voter fraud where, you know, Bankoff calls us all into a room and he's like, "Guys, I'm really excited about all of you voting for Jill Stein." [laughing]

LG: Is this going to happen??

And then he watches us fill out the ballots, or the union boss or whatever. And this is kind of the classic model of voter fraud and this is why they say, "Okay, no. You all, we have to make sure it's just you heading into the booth and no one else sees it and you can only fill out one ballot," and do that thing. I think otherwise yeah, it's a real concern. The people I would be worried about hacking voting machines would be the people with direct access to the voting machines. I think it's tricky. I feel like this is a scenario in which we should be able to make sure that doesn't happen. Like I don't know that I have that much faith in our government and I think also one of the lessons of the DNC hack is we do have these organizations that are vital to our democracy whether or not you like them. Like we need to be able to have these political organizations that have the capacity to communicate privately, right? But they're not very well funded and they're all sort of shoestring operations.

KS: As are many voting operations.

Yeah exactly, as are the voting operations. And this is part of the thing: You're not hacking Bank of America where someone has spent a lot of money to make sure that no one can get into that. And then also spent a lot of money —

KS: Are you worried about voting machines?

Absolutely. I'm worried about voting machines just not working. But I also don't know that it's extremely likely but the result of it would be so catastrophic to the body politic. "Okay, you know that election? Do we think it was fake?" We're going to go back and forth on whether it was fake based on this information. I mean, just the conversation over each time we have the DNC or Sony, there's this back and forth over attribution because it's such high stakes even though we never really do anything about it.

KS: Well, that you know of.

LG: Let's just say worst-case scenario there was a hack on our voting system for this presidential campaign. I mean, there would have to be some type of recourse, I would think, if that was exposed after the fact. If we all went out in November and voted and then it was three days later and there's been a major hack on the voting system, I just don't see how we would rest on the results.

But I think that's the trickiest thing. I don't know that you would actually get to a point where —

KS: — you could attribute it to anything.

Or you could say definitely, "You know what? We know that this was electronically tampered with." And that's sort of what's weirder.

KS: And then it would enter the political spectrum.

Yeah. So I mean are we just all going to go back the week after that and say, "Okay, guys, new election, mulligan." Whoever won the election isn't going to be thrilled about that. [LG laughs]

KS: Lauren, you're forgetting the chads. That went on for some while.

No, exactly!

KS: Who knows who won that election.

LG: I just like that you used the term "mulligan" because Kara doesn't really like sportsball.

KS: I know what a mulligan is. Every week we ask our readers and listeners to send in their questions, comments and complaints about tech topics. You can do that by tweeting us at #tooembarrassed or emailing us, tooembarrassed@recode.net. This week we asked our listeners for their questions about hacking. Lauren, do you want to read the first question?

LG: Sure. And we should say, too, that some of these questions were all over the place in a good way. Some of them are broader questions about hacking. Some of them are more about personal protection for your own accounts and information and that sort of thing. So they run the gamut. But the first one is from Sonny Jon. That's @Sonny_Jon on Twitter, and he asks, "Where do most of the hacks in the U.S. originate from and what entities are targeted the most?" This is a tough one. Russell? Do you have any insights into that?

Yeah. So I mean, this is the tricky thing. We were talking about attribution. We kind of don't know. I would say in terms of foreign attacks that don't originate in the U.S., Russia and Eastern Europe tend to be very very active. Credit card companies are extremely aware of sudden surreptitious charges from Russia or Ukraine or that region. Actually, if you're traveling, you can call your credit card company and say, "Oh, I'm going to be in Moscow next week, just so you know, make sure the charges go through." One of my friends was going to Russia and called her company and they said, "Oh don't bother, just bring cash. You can call us and tell us but it doesn't matter, we won't honor it no matter what." Just sort of having built up this thing of having been in the U.S. ... There are a couple of hot spots where they just don't —

KS: There's also flavors of hacking. So the Russians hack credit cards, the Chinese hack this. I was with one CEO and he was going on and saying which countries like to focus on financial services and others. And he didn't mention any U.S. hackers at all. And I said, "What about U.S. hackers?" And he's like, "Ech, they're terrible." He was like, they're just not even in the same class.

LG: Terrible like not good at it or terrible like …?

KS: No, terrible at hacking compared to the worldwide group of hackers.

There's a bit of a gentleman's agreement where like U.S. companies don't [hack each other]. There are companies all over doing reports on all sorts of state-based hacking but, you know, Kaspersky Lab, which is based in Russia, tends to focus on U.S. and European and Chinese state hacking and the U.S. firms focus on Russian and Chinese hacking.

KS: Well, he was saying the U.S. hackers just aren't as good as the ones from somewhere else.

No no, I'm sure, yeah, totally.

KS: Which was really funny. Alright, the next question is from Jonathan Bernstein, @DFcampfin. "Is it worthwhile to have a unique, random password for each of our website logins?"

Yes. Definitely. So the thing that you will see is —

KS: You mean 1234 isn't — [RB laughs]

LG: I_Love_Lauren_Goode is not good Kara, so change it.

KS: Well, that's all of them, everybody. None of them. By which I mean none of them.

So for most passwords it's a web service. So it's not just, you know, if the hacker is alone in a dark room with your computer and it's not checking onto anything, then they can potentially just cycle through a lot of passwords in which case it is good to have the random one. Although in the long term you're kind of screwed anyway because they're just going to eventually guess it. But if it's Gmail you're not just going to run through a thousand passwords. Google will know that you're guessing more than a password a second and say, "Hmm, I think something suspicious is going on here." But the case in which it does matter is a lot of times you'll get a situation — and this is true for data breaches in general — where a company loses control of a password database but it's still encrypted. If they know some passwords that are likely to be in the list, then they get an unencrypted version of the whole thing. And so having a lot of them be random things that are hard to guess makes that process a lot harder. In terms of having different passwords for the same service, once they do get it unencrypted — maybe they have everyone's LinkedIn password, which is not just a hypothetical example, that did happen — then the first thing they do, they're not really going to get anything from a LinkedIn account, so they'll try it on your bank account and your email account.

KS: I have different passwords for every single thing.

LG: That's what you're supposed to do.

And that's the important thing. Because then if one of them gets breached you don't have to say, "Oh, wait, was I using that one for all of these others?" And there are a lot of good services, 1Password is one that stores —

KS: Well that's the next question.

LG: Yeah, the next question is from Bobby Perrotti, he's @Rotzo on Twitter: "Maybe our goal as tech literate people should be just to educate on 1Password first. Get people to stop reusing passwords." So in short, what you're saying, Russell, is if you have a long complicated password, randomly generated with a lot of different characters, then you're less vulnerable to brute force, which is this idea of a hacker cycling through several potential passwords in seconds and trying to figure out what your password is. And then, worst case scenario, they do get past the entry point. They're not able to use that same password and cross-reference it across multiple accounts and get access to, let's say, your financial services.

KS: So what do you think of 1Password?

LG: I love 1Password personally.

KS: I do, too.

LG: I use it and I like that it does device-to-device syncing over Wi-Fi rather than storing things in the cloud. I find it really easy to use. I mean, it's not like a learning curve, it just takes some time to set it up and get all the shortcuts in the browser setup and just get all your accounts in there, but once you use it, I think it's great. But I haven't tried many others. Have you tried others, Russell? What are the others? Dashlane and LastPass, there are a bunch of them.

I use LastPass, which is the cloud version of 1Password. And probably just by virtue of it being the cloud version, you get fewer security points for doing it because it is kind of — if they ever had a problem, I would be really up a creek. There was something, I think it had to do with how they autofill because I noticed that they changed it, but I think that they recently got a bug report and changed what they were doing because there was some concern. Anyway, from a usability perspective, yeah, it's been perfectly easy to use.

LG: And for those of you, by the way, just very quickly, who have never used one of these password managers before, what it's doing is it's taking, let's say, your LinkedIn account (just because we used that example before), and you're saying, "Here's my email that I use to log in," and then it will generate a random password for you and you use that to sign up for your account and then that will store it for you, store that lengthy multi-character-confusing-you're-never-going-to-remember password for you. It just means that every time you go to log into those accounts now, you might have to go back and cross check this password, copy and paste and put it in. So it makes the signing in process a little bit more of a pain. Totally worth it.

KS: You can also have your own passwords. You can also put your own passwords in there, too.

LG: You can, but they'll rank them for you. In 1Password, if it's not a very strong one, if it's weak, it'll be yellow, I think, a yellow color will pop up and then once you have a strong one it'll turn green. So anyway. But they do cost money.

KS: We recommend them. Alright, the next one is from Eric Johnson, who works for us. "Serious question, for once."

LG: Our producer!

KS: Yeah, for once. "What is the lowest hassle way to do two-factor authentication? Think of non-techy friends and family."

So I actually have —

KS: I've got my mom sitting here. Mom, do you know two-factor authentication?

[Kara's mom: Obviously.] Obviously, oh she does, okay, fine. Let's move along. Explain it for the regular people, not Lucky.

Two-factor authentication is probably more important than having a password manager. It means that if they have your password they don't have everything because it also is going to [require] either an authentication code ... Well, usually there's an authentication code which you get either through an app or —

KS: A text.

Yeah, a text. So the text is not great. Like the text is probably the easiest one to get around because they can just clone your phone if they hack into your AT&T account. I wrote a story a while ago that was how they got through this guy's two-factor. I actually have this YubiKey USB thing — it's like $20 for a USB key, which is a little steep but it's not just storage, it's sort of doing some fancy handshake. And so I just put that into my computer's USB drive to log into my Gmail. And I am not the kind of person who loses their keys, but I respect that some people might and so it would be a pain for them. But if you are not the kind of person who loses your keys, I totally recommend it. I believe they have mobile versions although I'm not sure entirely what you do.

KS: So you put it into your computer?

Yeah, I just put it into the computer and then I push the little doohickey.

KS: And you have to have that particular device.

I need this particular device. And also —

LG: What happens if it ends up in someone else's hands? Your USB key.

KS: They would have to have his computer and the device.

How would they know what my Gmail account is? And also what my password is.

KS: But then what if you lose that? What happens?

What if I lose it? Well then I'm really in trouble.

KS: How do you get back in?

I would use one of the codes that Gmail gives you. They give you the ones that you print out and put in your wallet, so I would use one of those.

KS: You don't put them in your wallet, you're supposed to put them in a safe.

LG: Well, I guess this is a First World problem but every time I switch hardware devices, I switch phones a lot because I'm testing them, and I have 2FA set up on one of them, then it's still, it's device specific. So it's still on that piece of hardware, and then I switch phones and I have to go through the whole process and set it up all over again. But I realize that's not a lot of people, a lot of people don't have that problem except for the very rare occasions when they switch phones.

But this is really the weakness in the system. What you do if you're trying to break that then is you say, "Okay, well, I lost my key, I forgot my password, like come on, reset it for me." And the question is, what's the standard then? This is how they got Matt Honan back in the day, they called up Apple customer service and said —

KS: They're a little more savvy on that one these days.

Hopefully, yeah.

KS: I tried the other day and they wouldn't give it to me. Not for anything.

That's good news. It was probably bad news for you at the time.

KS: Not for all the hackers in China.

[laughs] But yeah, I mean that tends to be the weak point in the system and at that point it's really just leaning on companies to make sure that they do the right thing.

KS: You'd recommend two-factor authentication compared to not having it.

Oh, strong recommend. Definitely do that in every available thing.

KS: It's like having a better lock on your door. They're going to get in if they want to but…

And I would say also, especially for your phone service. So I'm on Verizon and I push for that. Because that's often how they get around it.

KS: Alright, Lauren. Last question?

LG: Last question is a long one. Daniel Smith. He's @JavaJoint on Twitter, he said we can use his name, though he did send me this in a private message. He said, "Greetings. I have a security question for your show."

KS: "Greets." He says "Greets."

LG: "Greets!" I know, I'm going to start using that, it's quite nice.

KS: That's a Brooklyn hello.

LG: You would know, you've been spending a lot of time there. You and the hipsters hanging out at the Apple store in Williamsburg going to Whole Foods and Warby Parker after this. Okay. "It's considered good practice to use a VPN over Wi-Fi but what to do about places like cafes, airports, etc., that have captive portals? One can't start their VPN until they are connected so for a short time they are exposed. Any ideas? Like a pocket router gateway?" This guy's like really getting granular, I kind of love it. "Interested in what your guest will say. My own experience is that I prefer to tether my laptop to my phone via Bluetooth and then VPN from my laptop." So taking a step back first of all, what is a VPN? We've all used VPNs but explain briefly what a VPN is and then this idea of captive portals in the brief interim he's talking about.

Ok, so —

KS: Start with captive portals like open Wi-Fi that you have in an airport.

DEF CON and Black Hat, the hacker conferences that are going on right now — this is a common trick they do where if you're connecting to an open Wi-Fi that there's no sort of password handshake between you and the Wi-Fi, you don't know what it is that you're connecting to. So someone else could have a fake Wi-Fi network that has the same name and they're sitting next to you. So you think you're connected to …

KS: The coffee shop.

… the coffee shop, but really you're connected to Joe Cybercriminal that's sitting next to you. And you don't even know when the switch took place because your computer just sees another network with the same name. He thinks it's just the same network with two routers.

KS: Right. Is your computer a he? Mine's a she.

[laughs] Yeah, I suppose I gendered it.

KS: Or they. The new thing's they. My computer's a they.

So that's very tricky. And this is also true — by the way, we're just down the street from one of the new New York City public Wi-Fi terminals.

KS: Right, which is called?

LinkNYC. Owned by — or operated by, I should say — a Google spinoff.

KS: Yeah. Everything's operated by a Google spinoff.

Yeah [laughs]. And so they have tokens that you can do for a more secure connection but most people are going to be connecting in this open way and there is this concern: Is someone else going to make a fake LinkNYC thing and then use it to spread a virus onto your computer? And so when he's talking about the brief interval there, the concern is that the interval when you're signing on — because if you're in a coffee shop a lot of times they'll flash a terms of service up front and ask you to click continue. Is someone else going to masquerade as the Wi-Fi and when you're clicking continue, really you're getting a virus. So one of the things you can do is you can get a VPN which means instead of connecting to the internet at large, you're connecting to this sort of third-party service which you're then browsing the internet through.

KS: Right, which is supposed to protect you.

And it's sort of because you have the password connection, or HTTPS connection with that, you can be sure that everything you're talking to is really the thing that it says it is.

KS: Do you go on open Wi-Fis?

I don't.

LG: Never? Is it a hard, fast rule?

I just stay on my phone.

KS: You do it from your phone?

LG: I do the same.

I just go on cellular data from my phone and resist the temptation to do more than email.

KS: Okay, but what if you have a laptop and you're somewhere ... Say you're a reporter for a fantastic tech publication and —

LG: He's saying he's using his phone as the hotspot. Is that what you're saying? Or you're just literally on your phone.

I won't say that I've had 100 percent —

KS: But why wouldn't you use the phone as the hotspot?

— saint-like. I'm actually on T-Mobile and I'm not even tetherable, it's a bad situation.

KS: Say you're on Verizon and you could be. Is that safer?

That, I think, is a solid, secure way of doing it. And I also think in general it is harder to compromise an iOS device. That's actually a fairly difficult thing just because [its] software controls [are] fairly serious. It's not going to just let you download and install a third-party program that doesn't come through the App Store. So unless it's got an enterprise certificate or something, it's going to be fairly hard to …

KS: What about going through a MiFi that you plug into your computer?

That's absolutely true. I'm thinking in terms of threat levels.

KS: Okay, the safest would be a MiFi or something like that.

Well, the safest is not using your computer.

KS: Not using, I got that part. But that's like, you don't want to get a communicable disease, don't have sex. And that's usually not the choice.

LG: The safest is live in a bunker! Without Wi-Fi!

I can do lots of stuff on my phone!

KS: You can do lots of stuff that's not sex.

I can use a modern media stack and publish to the web on my phone, so it's fine.

KS: I get it, but sometimes you have to be on your laptop. What is the list? Do the list.

I would say the MiFi is good, tethering your phone is good.

LG: VPN, right?

VPN if you're connecting as soon as you do it — there's no portal, you're going directly — the VPN, that's good. And using a passworded Wi-Fi.

KS: Never an open cafe, I'm in a coffee shop.

LG: Kara, remember when you went to China and you were looking for VPNs to download? We used one when we were in Vietnam last year, we had to use one through Hong Kong.

KS: I gave up. I just bought a crappy Android thing and threw it out afterwards.

They say if you're like a Boeing executive and you're traveling to China and you know that you're going to be a target, they say just bring another laptop that's absolutely clean and has nothing.

KS: I did that and then I had already signed in to everything so I didn't have to re-sign in, so I didn't have to put my password in, and then I used that and threw it out.

There you go. That's the move.

KS: I assumed it was dirty, but I don't know. I had no idea if it was, but I don't care.

Sometimes into The Verge we'll get an email where someone sends a PDF and they say, "This is secret," and yadda yadda — and we have to open it. What if it's the new iPhone or something? Or something even more newsworthy. And what we do is we get a Chromebook because, like iOS devices, it limits what's available to run on it. And so the software controls on Chromebooks are generally better and then we open it with a burner Gmail address.

KS: So you sent it to a Gmail.

We send it to a separate test Gmail address that we have set up and then we open it with a Chromebook which has just been factory reset and then we look at it with that.

KS: And then Nilay sets it afire.

[laughs] Well, then we factory reset it and send it back to Google when we're done with it.

KS: Oh you give it back! "Here, Google. Here's a dirty computer. Sorry."

LG: Russell, do you recommend people use PGP for email? Or for anything?

PGP?

LG: Yeah, do you use it?

I have it. People can send email to me.

KS: I do not understand it, I try it but it's so confusing.

It's not great.

KS: I know all these geeks are going to write me, but it is, I'm sorry to tell you.

It's funny, actually, we wrote this piece about Uber a little while ago that they were getting sued for this various thing. It was for contracting this investigation that then turned out to commit fraud in the process of the investigation. Anyway, it doesn't matter. But the point is, they wanted to communicate secretly with the investigators, and they were going back and forth in PGP and eventually the Uber executive said, "Look, I'm sorry, I can't open this email, it's horrible. Just get Wickr and send it to me through Wickr." And then we have the decrypted conversations up to that point. But once it's on Wickr, it self-deletes and we don't have anything. So they were able to be effectively secure.

KS: Wow, that's interesting.

LG: We had Nico from Wickr at Code Conference last year.

KS: Yeah, we did. I can't believe she even showed up. She wore sunglasses onstage.

LG: She actually wore sunglasses for longer than Kara did, which I didn't think was possible, indoors.

KS: I just got from Mr. Robot, the thing to cover up, this is my last question and then we have to go.

Oh yeah.

KS: I got from Mr. Robot a little cover-up of the camera which I use all the time. Before Mark Zuckerberg did, but I cover up all the cameras.

I think that's a good idea. Again, we haven't seen one of these on OS X yet, but like Blackshades, if you Google Blackshades, it was a very popular tool; remote camera access was a very [big] part of it and it costs like $40 to get this program that if you could get someone to click on the email you would be able to take over their camera. And it's an easy fix. It's a piece of tape. What's the problem?

KS: I've seen it on Hollywood shows and they're way behind so I'm assuming it's …

No, it's a real thing. The thing I like about it is it's a very easy fix and you just do it once.

KS: That's how I monitor Lauren all the time.

LG: I was just going to say, during this podcast, Kara, I actually hacked into your email because that's how easy it is. So I have a few that I just want to read here if you don't mind.

KS: [laughs] Noo. Go ahead.

LG: So this one is from Arianna Huffington from over the weekend. She wrote to you, I just want to let you know, she wrote to you on Saturday morning and said, "Dear Kara, while I usually enjoy your podcasts, especially that brilliant co-host of yours, I have to say that your impression of my accent is pitiful. Would you please stop trying to imitate me. I know it’s the sincerest form of flattery but there can only be one me. Best, Arianna. PS: Take Uber." Here's another one that actually came into your inbox last Friday that I saved for you. "Hey Kara, can you call me when you get a sec? We need your advice. Verizon, having second thoughts. Tim."

KS: [laughs] They should have third thoughts. Very funny.

LG: Ummm, and then this last one is from you, I don't think you want people to know that you sent this one, but... "Hey, I heard you had another party on Saturday and once again did not invite me. Listen, I'm really hoping we can put the past behind us now. I wasn't hiding out in the air vents all those years, only sometimes. But really! Marissa, can't we be friends? Please? Let me know the next time you're having a gathering, I make a mean trifle." So this is what's in Kara Swisher's inbox, everybody.

KS: You know what, those are good emails. But, fascinatingly, everybody, all these people that you're discussing, text me. That's really fascinating. Or Facebook me.

LG: Well, then I have to get into your iMessage.

KS: We don't use the emails anymore. We use text and other ways of communicating. Sometimes we Snapchat each other. Arianna loves my way to talk about her. Have you heard my Arianna impression?

Oh no, I'm very curious.

LG: We have to make it a weekly thing.

KS: Alright, let me just do it for you, Russell. [Arianna voice] This has been another great episode of Too Embarrassed to Ask.

[laughs]

KS: [Arianna voice] Thank you to our special guest, Russell Brandom from The Verge. Okay, go ahead.

LG: I just can't even follow that anymore.

KS: [Arianna voice] Go ahead baby, come on baby.

LG: Thank you Arianna. If you enjoyed the episode as much as we did and did not sleep through it even though Arianna encourages everybody to sleep, be sure to subscribe to the show and leave us a review at itunes.com/tooembarrassedtoask.

KS: Let me just tell you, every time I write her at two in the morning, she responds to me and asks me why I'm not sleeping and then I'm like, why the fuck aren't you sleeping? I'm just saying. I'm just going to tear the sheet off that one.

LG: Debunking the whole sleep revolution.
