Hacklore: The April Fools Edition!
Intro
Welcome to the Hacklore April 1 Issue! 🃏
There's a tradition on this date: someone hands you something that looks real, you accept it without thinking, and then you feel a little foolish. We laugh it off. In security, nobody's laughing.
The oldest trick in security isn't a zero-day exploit. It's convincing you that you're the problem. Bad passwords. Wrong clicks. Not careful enough. It's a story that shifts the burden of staying safe from the people who build the technology onto the people who simply use it — and it lets vendors off the hook every time by chalking up another breach to "human error."
Meanwhile, the companies that shipped the vulnerable product walk away clean.
This April Fool’s Day, consider spreading the word about hacklore to two friends. Send them to hacklore.org so they can learn how not to be fooled by antique cybersecurity guidance.
Jester Product of the Month

Here is a data-blocking cable that promises “Juice Jacking Prevention” and says that “demand grows for accessories that guard against data theft via public charging ports, reflecting heightened awareness of data privacy.”
Imagine: A device that offers protection against a crime that literally never happens! What a product! 🧟
Community Update
We now have over 700 subscribers. Encourage two friends to subscribe. Let’s get to 1000 subscribers!
I added a hacklore poster on the Resources page. If you post it in your dorm or breakroom, send me a photo. 📷
Podcasts
Hacklore was covered in these recent podcasts. Check them out and let me know what you think.
- Exploring Information Security. Timothy De Block and I talked about hacklore. (YouTube version here)
- Chasing Entropy Podcast. Dave Lewis is another luminary who has taken an interest in hacklore as well as secure by design software, one of my other favorite topics.
- Hackers on the Rocks. I had a ton of fun making an Old Fashioned with Evan Dornbush. Oh, and we also talked about hacklore! 🥃 😂
- CISO Series. David Spark, Steve Zalewski, and Tammy Klotz had some insightful comments. The hacklore section starts around the 11:00 mark.
In the News
Here are some top hits from the past several weeks.
- Jaden Beard interviewed me for an Inside Cybersecurity article.
- James Lyne mentioned hacklore in his brilliant RSA keynote address (around the 3 minute mark). James reflects on the stories we tell ourselves, even the ones that no longer serve us (if they ever did). Thank you James!
- The Cyber Readiness Institute (CRI) published a blog post to stop hacklore: Stop Spreading “Hacklore”: What Small Businesses Should Really Do to Stay Secure.
- Jeff Hanson posted on LinkedIn: “When asked to write this article for Safer Internet Day, my priority was ensuring it aligned with guidance from Cybersecurity and Infrastructure Security Agency and reinforced evidence-based security practices—rather than perpetuating ‘hacklore.’”
- Hacklore is everywhere, like the NYT Connections game, which was caught spreading hacklore about password complexity. Oops!

Reminder! Check out our Bluesky account, and boost it with your followers!
What You Can Do: A Note to Reporters
Journalists are one of the most powerful forces in the fight against hacklore — and, when the incentives are wrong, one of the most effective vectors for spreading it. Here's how to be part of the solution.
Before repeating security advice aimed at everyday people, ask a few more questions:
- How often does this attack actually occur in the wild? Base rates matter. Rare threats dressed up as common ones warp public risk perception.
- What specific product or technology is vulnerable? Vague warnings produce vague fear, not useful action.
- Is there a CVE record posted on cve.org? If someone is claiming a vulnerability exists and can't point to one, push back. That's a foundational accountability check.
Be careful about your sources. Avoid relying on computer science academics who haven't worked directly and recently on real-world breaches — theoretical knowledge and operational experience are not the same thing. And approach security vendors with caution: they are closer to real incidents, but they have a structural conflict of interest. Their business depends on selling fear, which makes them institutionally reluctant to say "actually, things have improved." Weight their input accordingly.
Go to the tech companies directly. Instead of asking a billion users to change their behavior, press the vendors to explain what they are doing to fix the problem at the source. You may find that the company quietly addressed the issue years ago and isn't aware of any current exploitation in the wild. If that's the case, ask them the obvious follow-up: why haven't you said so publicly? In many instances, a single clear statement from the vendor could dismantle years of circulating mythology. Ask why they haven't made it.
The story isn't always "here's what users should do differently." Sometimes the story is "here's why they were told the wrong thing for so long — and who benefited from that."
Closing thoughts
The pranks today are (usually) obvious. The hacklore? Less so — it's dressed up in news articles, white papers, vendor briefings, and well-meaning advice that stopped being true years ago (if it was ever true in the first place). Thanks for helping us call it out. Share this with two people who deserve to stop being fooled!
See you next issue. In the meantime, don't believe everything you read.
— Bob