Quick hits

Here is a summary of this newsletter:

• We have over 500 newsletter subscribers across media, government, security teams, and regular people. Thank you for joining!
• We found numerous examples of hacklore in the wild. Some of it will give you a chuckle. (We use humor here because the advice is often absurd, but the consequences of bad guidance are not.)
• We got some great feedback on the first newsletter. Keep those cards and letters coming.
• If you want to help push back on this kind of advice, there’s a short list of ways to help at the end.

Welcome

Happy New Year!

Welcome to the second hacklore newsletter. It’s hard to believe how much has happened since we launched the hacklore.org website at the end of November 2025. We now have over 500 subscribers to the mailing list. I hope you enjoy this edition.

The holiday travel season is behind us now, and it will be no surprise that it brought out a good deal of hacklore in the news. We’ve captured some of those reports below.

Hacklore in the wild

Since the last newsletter we found some hacklore in the wild. Some of it was old, and some was new.

TSA spawned hacklore

During the holiday travel season, reporters resurfaced a Transportation Security Administration Facebook post from March 5, 2025, warning travelers about the risk of malicious USB charging stations and Wi-Fi access points. There is an irony in a security agency that tightly controls what enters secure airport areas shifting responsibility to travelers to defend themselves against supposed threats inside those same spaces.

Here are some articles that uncritically recycled that old hacklore post:

1. USA Today: TSA urges travelers to avoid two tempting airport freebies
2. Forbes: TSA Warning—Do Not Use These Networks On Your Smartphone
3. The Austin American Statesman: TSA warns travelers against using these 2 free airport services. Here's why
4. ZDNet: TSA's plea: Don't make these airport Wi-Fi and public charging mistakes this holiday

ANSSI report

Not all hacklore comes from clickbait. Sometimes it comes from misapplied expert guidance. PC World wrote an article based on an ANSSI report and applied guidance meant for high-value targets to everyday people, a common mistake. On page 5, the report explicitly states that its intended audience includes “senior authorities in the civil service, elected representatives, executive committees of strategic companies, lawyers, journalists, militants or activists, dissidents or people close to those type [sic] of individuals”.

This is a recurring failure to distinguish between everyday users and high-value targets. The result is advice that sounds serious but does little to reduce the real risks of account and device compromise for most people.

Thanks for the tip from Eric deRuiter.

Some classic hacklore

1. New York Post: What is 'Quishing'? Scanning a restaurant menu could lead to being hacked — here's how to protect yourself
2. WTVD-TV Raleigh-Durham ABC 11 Here's how to avoid scams during your holiday travel at airports or on the road and the corresponding video.
3. TechRadar: Can public charging cables steal your data? Experts explain how to avoid 'juice jacking' in 2026. This is a muddled article, including sections like this: “This is a 'myth' that isn’t actually a myth. The threat does exist and attacks like this do happen. But the context, probability and modern safeguards tell a much more balanced story.” Huh?
4. Gadget Review: The Great Juice Jacking Scam: Why the FBI Warns About a Hack That Doesn’t Exist. They write that “simple precautions provide protection against both real and imaginary USB threats.” It’s important for everyone to implement protections against imaginary threats! 😂
5. Insight.com posted a video on LinkedIn promoting classic hacklore and added a warning about RFID skimmers.

The Hacklore initiative in the news

• Bob Lord appeared on the What the Hack podcast with Beau Friedlander…
• …and also the TPRM Podcast with Nate Lee.
• The CISO Series podcast featured a segment on hacklore, offering insights on why security guidance should focus on how account and device compromises take place in the wild. The video is here. This video might be useful to share with people who still cling to lessons from days gone by.
• McCrary Institute for Cyber & Critical Infrastructure Security newsletter
• SANS Stormcast Tuesday, November 25th, 2025
• The Cyber Wire: Don’t let public ports bite. The Hacklore section starts 32 minutes in.

Updates

Here are a few posts that I have published since the first newsletter.

I published two blog posts exploring what it would look like if cybersecurity practitioners wrote guidance for elevator safety and for buckling your car’s seatbelt. You can read them here:

• If Seatbelt Guidance Worked Like Cybersecurity Guidance. Ciaran Martin writes that the seatbelt article is “one of the best, most revealing (& funniest) things I’ve ever read on our subject.” What an honor!
• PSA: Elevator (un)safety!

I also published a post based on recent stories of QR codes placed on parking meters to trick people into entering credit card information. The piece argues that we need to clearly separate the method of delivery of a scam from the method of compromise. Methods of Delivery vs. Intrusion (The Hacklore Edition).

Feedback

We received some thoughtful feedback from the first newsletter and through the hacklore.org website. Here were some of the top suggestions.

Widen the scope. A few writers noted that there’s a lot more hacklore than we documented on the website. For example, we’ve all heard statistics like over 60% of companies that suffer a breach go out of business within some time period after a cyber incident. Or that there are X millions of unfilled cybersecurity jobs. Or that losses of cybercrime are in the trillions of dollars per year. We never see credible sources for these statistics, and some people think we should widen the scope of the initiative. Another person suggested adding in newly minted AI hacklore. What do you think?

Improve the password strength section. We had a couple of requests for more information about passwords, why character composition (complexity) isn’t as important as we used to believe, and what password “strength” is. I created a new page to include my current thinking at an (unlinked) page: https://www.hacklore.org/passwords. I’d love some feedback on that page.

Add guidance to install browser ad blockers. One reader asked whether hacklore.org should recommend browser ad blockers. After discussing this with several experts, we decided not to include ad blockers in our core guidance, at least for now. While ad blockers can reduce exposure to malicious ads and scareware, they do not materially reduce the most common risks to accounts and devices, such as account takeover driven by phishing, impersonation, or social engineering.

Hacklore is intentionally scoped to account and device security, where confusion and outdated advice are most prevalent in public guidance and media coverage. Other online harms, including financial scams and privacy concerns, are important topics, but they sit outside the (current) focus of this project. For readers who want to explore those areas further, the Consumer Reports Security Planner is a solid resource.

🏆 Hacklore Innovation Awards 🏆

Myths, urban legends, and hacklore are not static. They evolve over time, sometimes in surprising ways. One bit of hacklore caught my eye recently, and I felt compelled to create the Hacklore Innovation Awards. (The envelope, please…)

Winner for the biggest innovation in hacklore: FCC

In the first newsletter, we noted that the FCC took down their page on juice jacking: https://www.fcc.gov/juice-jacking-tips-to-avoid-it That page now reports that “Public access to this page has been disabled by the content owner”. This is great progress! Unfortunately they still have some work to do on other pages.

In addition to classic hacklore like “Do not use the public Wi-Fi to make online purchases or access bank accounts”, the FCC’s Cybersecurity Tips for International Travelers (Date Last Updated/Reviewed: Tuesday, November 25, 2025!) introduces some new hacklore that I had not seen before.

1. “Do not use the same passwords or PINs abroad that you use in the United States.”
2. “While using a public Wi-Fi network, periodically adjust your phone settings to disconnect from the network, then log back in again.”
3. “Try purposely logging onto the public Wi-Fi using the wrong password. If you can get on anyway, that's a sign that the network is not secure.”
4. “Electronics and devices used or obtained abroad can be compromised. Your mobile phone and other electronic devices may be vulnerable to malware if you connect with local networks abroad. Update your security software and change your passwords on all devices on your return home.”

These recommendations are strikingly untethered from how modern technology actually works and from the ways malicious actors compromise accounts and devices in practice. Any one of them might qualify for an innovation award on its own, but introducing four new variants of hacklore at once is a genuinely impressive feat. Bravo!

How you can help stop hacklore

Hacklore doesn’t get fixed by one person or one organization. It changes when lots of people make small, practical corrections wherever they have influence. Even a little effort from each of us can make a meaningful difference. Here are some actions you can take in the coming weeks.

1. Share one piece of modern guidance

If you see outdated or fear-driven security advice at work, school, a bank, or a government site, share the updated guidance from hacklore.org with the people who own that content. One corrected page beats a thousand retweets. Remember to be kind and helpful! ☺️🤝🙏

2. Send one example from the wild

When you encounter hacklore in the real world, a flyer, email, poster, training slide, or blog post, send it our way. These examples shape future debunks and help show patterns across industries.

3. Fix guidance where you have influence

If you help write security guidance, training materials, onboarding docs, or customer FAQs, remove advice that exaggerates rare risks and replace it with prevention that actually reduces harm. Quiet fixes compound.

4. Tell us what went well

It’s easy to spot what’s going wrong. It’s harder, and just as important, to notice when things go right. If you come across guidance or news coverage where you might expect hacklore but don’t, let us know. Those examples matter, and they’re worth celebrating.

That's a wrap. Thanks for reading this far! Bad security advice spreads easily. Better guidance spreads when people choose to share it. Thanks for being part of the effort to reduce hacklore and focus on what actually keeps people safer.

Bob Lord
hacklore.org