Hacklore, the Valentine’s Day Edition
"Celebrating Valentine's Day with security tactics that really work!"
❤️ Happy Valentine’s Day! ❤️

I’ve been experimenting with seasonal moments as opportunities to share better security guidance. Just as we leaned into the holiday travel season at the end of last year, Valentine’s Day offers a timely hook.
While it may seem like a Hallmark holiday, Valentine’s Day is a perennial favorite for hacklore and social engineering. It’s a moment when people are primed for “special offers,” urgent messages, and emotionally loaded prompts, which makes it a perfect time to promote pragmatic security habits instead of fear-based myths.
This issue focuses on examples of advice that keeps getting repeated despite no longer matching how attacks actually work, and what we should be doing instead.
Zombie Advice of the Month

Several organizations continue to publish variations of the same advice around public Wi-Fi, USB charging, and online transactions.
The Better Business Bureau offers classics like:
“If you must use a public USB port, avoid potential ‘juice jacking’ by choosing to charge only (without sharing data) when prompted by your device.”
and
“Never make a purchase or log in to accounts while on public Wi-Fi. Bad actors could be ‘eavesdropping’ on your connection, waiting for you to reveal sensitive, personal information.”
Another BBB office adds:
“Avoid filing taxes on public wifi. If you file taxes electronically, avoid using public Wi-Fi networks that might be vulnerable to hackers. Use a secure, private network or a virtual private network (VPN).”
If you have contacts at these organizations, please reach out and kindly offer to help them update their guidance.
Threat Model Reality Check
Let’s think through the Wi-Fi claims. The above advice assumes that passive network eavesdropping or local network attackers are a dominant cause of account compromise.
In reality, most account takeovers today happen because of phishing, impersonation, reused passwords, and the absence of multi-factor authentication. The IRS uses HTTPS. Modern browsers validate certificates. If a website is vulnerable to interception, the solution is not for millions of Americans to change their habits, but for the site operator to fix their systems.
When advice fails to explain how an action reduces risk, it’s usually because the threat model behind it is outdated.
Instead of warning people away from public Wi-Fi or normal online behavior, better guidance focuses on what actually reduces harm:
- Keep devices and software up to date
- Use multi-factor authentication wherever it’s available
- Use strong passwords stored in a password manager
These measures address the dominant ways real attacks succeed today.
🏆 Hacklore Innovation Award 🏆
The hacklore didn’t subside just because the holiday season ended. The Australian Signals Directorate published a LinkedIn post that said:
“Before you go on your next holiday or business trip, don’t forget to turn off your Wi-Fi router. Switching off your router prevents unauthorised access to your network, giving you peace of mind while you’re away.”
As people pointed out, this advice doesn’t explain how leaving a home access point on leads to account or device compromise, or why it would be safe to leave it on while you’re in town but dangerous while you’re away. Congratulations on this innovation!
Community Update
A few updates from the Hacklore ecosystem:
- We now have over 600 subscribers! If you find these notes useful, please forward this issue to friends and colleagues and invite them to subscribe.
- I created a Bluesky account as a place to post hacklore sightings in the wild. Follow and share your own examples.
- I posted a couple of Valentine’s Day hacklore images on Bluesky. Here’s one, and here is the other. Feel free to boost them to your followers. Feel free to make your own Valentine’s Day hacklore posts and send me the link.
- I spoke on a few podcasts recently. Two are now live:
  - Firewalls Don’t Stop Dragons, episode titled Debunking Hacklore.
  - Application Security Weekly with Mike Shema. Here are the links to the YouTube video and the episode page.
- Hacklore subscribers Alexis Dorais-Joncas and Fanny Tan are giving a talk titled “Stop Hacklore: when bad advice overshadows good advice” at the SéQCure conference. Bravo!
- Based on reader feedback, I added a page summarizing my thoughts on passwords, linked from the top menu here. Feedback welcome!
- If you’re curious why hacklore persists when we should know better, the short answer is that it fits the incentives of almost everyone involved. The long answer is in this blog post.
How You Can Help This Month
If you do one thing this month: fix guidance where you have influence.
If you help write security guidance, training materials, onboarding docs, or customer FAQs, look for advice that exaggerates rare risks and replace it with prevention that actually reduces harm. Quiet fixes compound.
If you’re able to make headway in that domain, please shoot me a note.
Closing thoughts
Thanks for the thoughtful emails and encouragement. It’s genuinely motivating to hear from people who are quietly improving the quality of security advice around them.
And this Valentine’s Day, don’t forget the real gift of love: helping someone you care about update their security posture. ❤️
—Bob
