Patricia Egger (Proton) – For A Better Web

If you’re here, you’re probably pretty tech literate. So you probably have to do tech support for friends and family. How do you educate them on keeping themselves secure and private online?

Podcast: Security Deep Dive – Exploring Modern Security with Patricia Egger (Proton). Host: Bruce Lawson, TCO, Vivaldi Technologies. Guest: Patricia Egger, Goddess of Security, Proton.

In this podcast series, Bruce interviews people from across different communities and industries who, in their own way, are fighting for a better web.

In this episode, Bruce meets with Patricia Egger, a.k.a. Goddess of Security at Proton, for an insightful conversation about privacy, encryption, and what it truly means to build a safer and better web.

The conversation covers the security mindset, the real risks behind AI and “shadow AI,” how small vulnerabilities can escalate into major breaches, and why email and password management are critical foundations of digital security. Patricia also shares practical advice on helping non-technical users improve their privacy, emphasising that progress matters more than perfection.

If you care about protecting your digital life, or want to help friends and family do the same, this episode is for you. Listen now, rethink your security habits, and take your first step toward a more private web.

Transcript

[Bruce]
I always (beep) up the beginning of this, so I might as well swear now.

[Patricia]
Get it over with.

[Bruce]
It’s never over with. Hello, everybody, and welcome to… (beep). See, total professional!

Hello, everybody, and welcome to another edition of the For a Better Web podcast in which I, Bruce Lawson, that’s me, chief technical officer, of chief technical officer. What am I saying? I’m a technical communications officer at Vivaldi browser. Talk to somebody who in their own way, in their own part of the industry, is fighting to make the web a bit better. And this time it is my delight and pleasure to introduce to you goddess of security at Proton, Patricia Egger. Hello, Patricia.

[Patricia]
Hello, Bruce.

[Bruce]
Is your job title really goddess of security?

[Patricia]
It’s not, but maybe I should be talking to HR to change that.

[Bruce]
I thoroughly recommend it. Now, for listeners who are new or don’t know much about us, Proton is, I’ll let Patricia explain what Proton is, but Vivaldi has partnered with Proton to integrate Proton’s VPN inside the desktop browser. So we do have some sort of commercial relationship, but that’s not going to cloud what we say today. Goddess of Security at Proton, Patricia Egger, what does Proton do, and what do you do at Proton?

[Patricia]
So Proton is a provider of online tools, products. So we do mail and VPN. We have a password manager. We have a cloud storage, all of the stuff that people use in their everyday lives nowadays. The difference with the, you know, big tech that most people are used to is that everything is encrypted end to end. So this means that we, as a provider, don’t have access to the contents of our users. So it’s a very privacy-focused company. Adding to the ecosystem maybe not every day, but every year, adding more stuff to allow people to participate fully in digital life just without giving up their privacy.

[Bruce]
Groovy. When you say end-to-end encrypted, presumably that means if a certain orange man across the Atlantic were to demand the Proton give everything that I’ve, Bruce Lawson, has stored on his Proton drive. You could, but you won’t, or you can’t even do it if you wanted to?

[Patricia]
So both, I would say. So we, there’s two aspects to that. The first is that it’s a Swiss company, based in Switzerland. So the Swiss jurisdiction is the one that we adhere to, which also means that, um, only, only a Swiss judge can compel us to do anything, basically. So anything happening outside of Switzerland needs to be important enough for a Swiss judge to take note. And in that case, then they will reach out to us if need be. But even if they do or even when they do, we still would not be able to give them your files, your pictures, or the contents of your emails and things like that. So there’s, yeah, it’s quite different from what exists out there.

[Bruce]
And of course, although Switzerland isn’t in the EU, presumably it shares a lot of similar data protection and security regulations.

[Patricia]
Yeah, the Swiss data protection laws are quite similar to GDPR, so what people are used to in the EU. It’s not exactly the same, but I think they’re also with the new versions, they’re trying to make it even more similar. But it’s a pretty good, pretty good protection for users.

[Bruce]
Excellent. And what does, what’s a day in the life of your average goddess of security at Proton like?

[Patricia]
So it’s a lot of telling people that they can’t do stuff. I don’t think it is. And there’s a little bit of that, but we try to, I try to not make that how people see me. I try to make people see me as helpful, allowing them to do the stuff that they want to do without creating security risks for the company and therefore for our users. So day in the life, I mean, there’s a lot of writing policies or writing or figuring out how to get people to know what they should and should not do, what you can and cannot do, that kind of stuff. There’s a, yeah, every day is kind of different, but basically it’s figuring out, you know, what does, what do we need to do, what’s happening internally, but also out there in the world, how does that impact us? What does that? Do we need to, you know, change a process, get a new tool, build a new tool, you know, change how we tell people to do stuff? It’s a pretty broad spectrum.

[Bruce]
What’s currently on your radar policy-wise, if you can share? If you can’t, please don’t.

[Patricia]
Yeah, I think, I mean, maybe not too surprisingly, the whole AI security thing is a, it’s a thing. And it’s something that we’re looking into. You know, again, we want to allow people to move fast, to build things quickly, but also safely. And so there’s a lot of questions on how do we do that with AI. And so that’s taking up, say, a decent amount of my time right now.

[Bruce]
Yeah, there was something in the press a couple of days ago, I think, in the EU, they’re turning off all the AI stuff that’s in lots of office productivity software, because if you’re typing stuff into a chat bot, and it’s, you know, something you’re writing, where’s that data going? Where’s it stored? You know, it might be very secure in your mind and then you’re sending it off somewhere. Does that keep you awake at night?

[Patricia]
I wouldn’t say it keeps me up awake at night because I’d never get any sleep, I think. But it’s, these are, these are very real considerations. And there’s, I mean, there’s the AIs that are, kind of officially used within an organization or, you know, government, whatever. And there you would have a contract, and you’d have, have some kind of guarantees. I mean, even if they’re just legal guarantees, it’s something, right, that your data is not being used to train or is not being used to do, you know, whatever, advertise. And that’s something. That doesn’t mean that that provider is not going to suffer a breach, in which case your data is out there anyway. I mean, not intentionally, but the result as, you know, an organization is pretty much the same. And then there’s all the AI stuff that maybe people are using that, you know, in their personal lives or that they, even if it’s in their work lives, depending on what, you know, the policy is within the organization, whether they can or cannot, it’s very hard to track all of this stuff. You know, call it shadow, shadow IT usually, but we could call it shadow AI. And there’s new AIs popping up literally every day. So knowing what’s out there, what people are using, what they’re playing around with, it’s not easy to keep track.

[Bruce]
This is why Vivaldi doesn’t have any AI built into it. It’s just too much to keep track of.

[Patricia]
Yeah, and people are being by people, I mean, attackers, are very creative also. Finding ways to use the features of different AIs and to do malicious stuff. So it’s, yeah, it’s a creative area as well. It’s not all techie tech. There’s also lots of ideas of like, how can we, you know, use stuff to do things that they’re not supposed to do or that people don’t expect could happen.

[Bruce]
It’s a special mindset, the security mindset, and I’m going to ask you about that. But you studied maths, I believe.

[Patricia]
I did.

[Bruce]
Note to the audience. For Americans, it’s the plural of “math”. So if math is adding and subtracting, “maths” adds division and multiplication. Further math does exponents and brackets. You’re like up in the exponents and brackets level of education and maths, I believe.

[Patricia]
I like to say I’m in the Greek letters aspect of the math, actually. So, yeah.

[Bruce]
Well, you’re in the “imaginary numbers are actually useful” school of maths, I can tell.

[Patricia]
A bunch of dimensions, all that stuff.

[Bruce]
You see, maths, I’m an English literature and drama graduate, and maths to me, was something I just couldn’t wrap my head around at school, and I’ve avoided counting anything for the last 40 years, because that’s maths. And I have a similar mental block with security stuff. Luckily, I know that I don’t know. And luckily, we have some really brilliant security people in Vivaldi, to whom all the company defers. You’re working for a very secure company, yet you have to be the police, at least sometimes I imagine internally. What makes a security mindset?

[Patricia]
I don’t know what makes the mindset, but it’s… It is a, I was going to say, weird, special, different mindset.

[Bruce]
I didn’t say that. You said that.

[Patricia]
But it’s very interesting because indeed, at Proton, we have some really smart people, some really technical people, some, you know, very privacy aware. You know, there’s, we’re not the generic, you know, random organization out there. But even here, you see who has a security mindset and who doesn’t. And it’s not common. Most people will see, you know, how does this work? Or how do I make this work? Or what can I do? Like, how can I use this to build something or to create something or whatever? That’s how I think most people see the world and anything in the world, and just tech. And then you have the security folks or the security-minded folks who will see all the ways that stuff can be abused or used to do things that it wasn’t designed to do, but still technically, you know, or still theoretically possible to do. And I’ll always see the, you know, the misuse of stuff and how that can be used to achieve whatever it is the goal is. And that’s really the attacker mindset and it’s hard to, yeah, it’s not something that you find in a lot of people, like generic population.

[Bruce]
So you have an attacker’s mindset?

[Patricia]
Yeah, I think so. I mean, to a certain extent, right? I’m sure some people maybe have it even more so, but yeah, I tend to see like, how is this going to be abused? How are people going to go around this? How are they going to use it to do what they’re not supposed to use it for? And yeah, it’s… Yeah, it’s weird.

[Bruce]
I was reading some terrible espionage book a while ago, and the spy that it was about, it was describing his mindset when he walked into a room, and he can see 27 different common things that he could use to kill somebody, like a pen, or just things that you wouldn’t, you and I wouldn’t think of. I imagine that you’re like that. You walk into a room and work out where all the, where all the vulnerabilities are and how somebody who was minded like you, but like evil Patricia, from another parallel universe, could attack the system.

[Patricia]
Yeah, pretty much. I mean, whether it’s walking into a room or, you know, at work seeing a piece of software or, a tool or a process or whatever. The mind directly goes to like, okay, how is this going to be, how is this going to blow up in our face? How is this going to be misused? How is this going to be, you know, made into something that it wasn’t intended for? You know, what did the person who built this thing, whatever the thing is, what were they, what were they assuming about the people who would use them? About, you know, what it was intended for, all these things? And that also can help you think, okay, well, if this is what they intended, if this is what they were planning, can I use that against them? And I think it’s something that like when you get into security, maybe it’s something that, I mean, maybe some people have it naturally. Otherwise, it can be learned. But then I think now it just becomes like, yeah, automatic that you see the negative in everything.

[Bruce]
I was saying to our security guy, Tarquin, I was saying that a lot of security stuff to me feels counterintuitive, things that I automatically assume are going to be fine turn out not to be. But it’s trying to be that I hadn’t perhaps understood that properly. It’s not that it’s counterintuitive. It’s that security people seem to be able to see that a combination of 960 different small things can be combined to make a vulnerability, whereas I don’t see that, I don’t have the mindset that combines them all and sees the combination thereof. Am I talking bollocks?

[Patricia]
No, it’s actually extremely common that people don’t, you know, they’ll see maybe even a vulnerability or an incident or something that happened in isolation and think, you know, no big deal, or not happy about it, but, you know, it’s fine. Typically, you know, data breaches now, who hasn’t received one of these emails that your data was compromised in a breach or whatever? I mean, I think anyone who’s been on the internet for more than a few years has received one of those. And I think because it’s so common now, people just think, oh, well, you know, it is what it is. It’s part of the game. No big deal.

And actually what we see in the big incidents, like the exciting ones, the interesting ones, it’s all of the, many of these like small things that in isolation seem entirely unimportant. But allow to gather some information or hop from one place to another, or things like that. And it’s kind of this amazing situation of when something happens and you kind of, you re-cre-, you not recreate, but you figure out what happened. And it’s amazing how many different small things that in themselves seem entirely unimportant, how they all come together and make like a massive shit show. And that’s really interesting.

And it’s something that I also find really important to tell people when something happens that’s, you know, maybe seems like nothing. It’s like, okay, maybe this seems like nothing, but like, remember that there’s also a hundred other nothings. And together, maybe they become something. And I think a really good example of this is like, you can imagine a password leak. You know, there’s been so many. Your password has been leaked online, whatever. It’s something you don’t really care about. It’s not your banking. It’s not your health care. It’s just some random service that you use. Meh, you know, who cares? And this happens to one or two others. And you’re, you’re smart about passwords because you’ve heard about, you know, all of these breaches and security and whatever. And so you don’t reuse the same password, which is already pretty great. But you maybe have a methodology to generate passwords that are strong. So you don’t use a password manager, for instance. But yes, there are methodologies. And sometimes we can see that people’s methodologies are actually very easily reverse-engineered from like two or three leaked passwords. And that’s something that I think people don’t realize, that, you know, sometimes two, three passwords leaked can allow you to either see that, okay, this person basically uses the same password all the time. But even if they don’t, it’s like, oh, maybe they’re fans of like Star Wars. And so every password is a Star Wars name with a three-digit number. Like a three-digit number. Well, you’re like, okay, let’s go through the top 10 Star Wars words, names with digits or something, and that makes the guessing of future passwords, like, orders of magnitude easier.

[Bruce]
Yikes, I have a methodology, so I’m really going to evaluate that now. Just it’s not, it’s nothing to do with Star Wars.

[Patricia]
Good.

[Bruce]
But it’s, yeah, because I’m a nerd, but I’m not that nerdy.

[Patricia]
Not that big of a nerd.

[Bruce]
Not, no offense to nerds. I know most of the people listening will self-identify as a nerd, which leads me to the next thing. We’re all geeks, and including you listeners. But we probably end up doing parental tech support quite a lot. I’m lucky my mum used to be an engineer, so he’s a – she’s – not the average “could my mum use it?” sort of mom. But a lot of people, older people who came to the internet later in life, don’t really worry about security at all. How can we nerds, when doing parental support and the debrief afterwards, how can we persuade non-techie people to (a) care, because a lot of them just say, well, I’ve got nothing to hide. And (b), later on, we’ll discuss the top five things they can do or we can encourage them to do. But why should they care? I’ve got nothing to hide.

[Patricia]
Says lots of people.

[Bruce]
Says lots of people. Not my mom, but my dad probably would have.

[Patricia]
Yeah, I mean, if you’re up against the “I have nothing to hide”, I think you have a pretty long road ahead. That’s not to say that it’s impossible to have conversations or to even make progress, but it is, you know, I think you need to start again with like, why do you have a door on your bathroom? Why do you have curtains in your home? Like, why do you put your mail in an envelope, that kind of stuff? Because it’s, people understand privacy in the physical world, it seems. And then for some reason, they give that up when it moves into the digital space, which I always find kind of strange. But I think bringing privacy to the physical world, why do you, why do you do this? Why do you put on a bathing suit when you go to the swimming pool? You have nothing to hide. Like, it’s the same arguments, right? There’s no reason other than maybe just because you want to, and it’s not about hiding, it’s about having control and deciding who you share what with.

I think that’s a good place to start if you’re, if that’s the beginning of your conversation. I think for another thing that I find quite helpful, at least with certain people, parents mainly, is to try to think of not just about themselves, but about the people around them, their families, their friends, or whoever they, they communicate with or interact with online. Because I think people don’t really realize the extent to which their decisions, their actions, their inactions, influence, or impact people around them. And there’s the sharenting, the concept of sharenting, so over-sharing, about your kids or whatever on social media. I think that has been talked about quite a bit, at least in my sphere, which is good.

I mean, it’s good for parents to understand that if they post a bunch of pictures of their kids online there could be consequences to their kids later on or, you know, even immediately. But again, that concept applies to everything that they do online. You know, it applies to their emails, all of this stuff. So I think making people realize that if they’re using email, that’s not, say, end-to-end encrypted, even if someone is using, say, Proton or something, something that is encrypted, if you then email a non-encrypted inbox, then the provider of that will also see the Proton on protected email. So it’s, it’s not just “I’m using Proton, so I’m safe and like nothing else matters”. If everyone that I communicate with is using something else, I’m also, my privacy is not protected. And so it’s the decisions of the people around me that impact my privacy. And I think, yeah, I think we need to talk about that more. I think people need to understand and take responsibility for what they’re doing. And if they’re too lazy to protect themselves, maybe they’re, or not too lazy. I mean, it’s not about judging people, but maybe they’re not interested in protecting their own privacy, but maybe they should think about others.

[Bruce]
Well, it’s effectively the vaccination argument is, you know, I get vaxed against chickenpox, so that somebody who chickenpox could easily kill is kept slightly safer.

[Patricia]
Yeah, I mean, it’s close enough. It’s this, the argument that you’re protecting other people, I think, is indeed, it’s exactly that. And I think that that can help maybe perhaps some people re-evaluate their engagement with encryption and private tools.

[Bruce]
So you’ve persuaded your dad that even if he doesn’t care about his privacy, he shouldn’t put photographs of his grandchildren, your children, on Facebook for the world to see. And you’ve persuaded your dad that it’s a really bad idea to show the world where he lives, post pictures of him by his front door, which can be found on Google Maps, and saying “Hey, I’m off to Torremolinos for two weeks. Hope the house will be okay”. What’s the next thing that you tell him to do? What’s the next sort of big low-hanging fruit that you could ask your non-tech-savvy dad to do to protect him?

[Patricia]
So I think getting people to care is the first part, and that they want to try, right, to use, if they’re using all clear, not end-to-end encrypted stuff, is like, be willing to put in the effort to give it a shot. And I did this. I mean, I, my dad actually, I got him to switch over to Proton. And like a lot of people, he’d been using email for decades. So it’s not, it’s not an easy thing. And I knew that it would be an easy thing. And I knew that that meant that there’s going to be a decent amount of tech support on my side. But okay, we did it.

And I think in his case, and I’ve done this with a few other people before, what we did was we’re not doing this cold turkey. You know, I don’t want to make this more stressful than it needs to be because, I mean, this is a stressful thing for people. They think, you know, my email is my life. It’s where I … everything is connected to this. I might lose access to, you know, whatever. And so I try to make it as non-stressful as possible. And I think one way of doing this is to keep things going in parallel for a little bit of time.

We set him up, for instance, with like a Proton account, got that all sorted, and then had everything forwarded to that account from his old email so that he could start using it and whatever, but he didn’t have the stress of like, oh, but I’m going to lose up. The other one was still there, it was still operating. And then once he felt comfortable, we got rid of the old email, and he was just using Proton from that point on. So I think that’s a good, it’s a good way to get people to, you know, relax a bit, is to say we’re not, you don’t need to change from one day to the next. We’re going to do this in steps whenever you feel comfortable, it takes a week, it takes a month, like whatever, it doesn’t matter. Because ultimately, in that amount of time, you’ll be, you’ll be better off. And so you should not be overly dogmatic about it. I think there’s maybe a tendency for the really super security privacy folks to be, you know, too intense for people. And I think, you know, that pressure to do things perfectly or entirely is not good and is not conducive to actual change. So I think, you know, saying start with email, or let’s start with another tip, I think, or something that I find useful is to start with a tool that they don’t already use because then it’s not changing something. It’s starting something new, starting for. And that can be a little bit less scary potentially. And so typically like a password manager, at least in my, the non-tech folks around me, nobody uses a password manager. And so they have methodologies or they reuse passwords, also linking back to what we said before. But so maybe the way to start is to get them a password manager, have them try that for a bit and then get used to the ecosystem, the concept, you know, how this is super convenient and how it can help you. You know, you can see that you can create aliases and all the great things that password managers allow you to do. And that’s maybe the foot in the door that helps them be like, okay, I can do this and then take the next step.

[Bruce]
Which password manager do you use?

[Patricia]
I use Proton Pass, but it’s not a plug. I actually think it’s a really great product.

[Bruce]
Okay, okay. Yes, I saw a security person and it struck me as being really weird, but I can see the method in the madness.

Somebody said, write down your passwords in a little book and store it somewhere that’s not near your computer. And the rationale was that if you wrote them down, you let yourself sort of off the hook for remembering them. So that you didn’t find yourself doing password one or I love Google for Google, I love Facebook for Facebook or similar. Is that nonsense, or does that pass the goddess of security’s pearly gates?

[Patricia]
It’s not nonsense in some sense because indeed people are afraid, that’s the main reason why people have weak passwords, is because they need to be able to remember them. There’s, I mean, that’s life. That’s how human brains work. It’s not easy. I think there’s studies that like people use 200 or something services. So if you remember 200 passwords, yeah, it’s going to be tough. Writing all of them down in a book doesn’t seem the most convenient though to me because if you’re not going to remember, if you have to go to that place, and then insert it into your computer, that seems like you’re not going to do that, so you can revert back to having really bad passwords. But for instance, having a password manager that manages all this stuff for you, and then having that master password maybe stored in a safe or whatever, like some people are going to say, oh, my God, that’s the worst idea. But again, if it’s a method, a recovery method, right? And if you were very confident that that master password is safe, then that might be, that might not be a terrible idea. I mean, it depends, you know, who are you protecting yourself from? What is your threat model? How important are you, type of thing? I think for a lot of people that’s already pretty good.

[Bruce]
You said it depends. I think everybody who works in computers says it depends. At least four times a day. I know, excuse me, my previous job as an accessibility consultant, you know, people say, is this website accessible? Well, it depends. When I asked you, what’s the first thing you should get your platonic ideal of non-tech-savvy dad to do, you mentioned email, and it strikes me that email is probably actually the first service that people should really think about protecting because at some point, your bank is going to send you an email and ask you to press some code to activate an account. It’s probably the place where if somebody could get into your email, they could do the most damage, I would have thought. Or am I talking nonsense?

[Patricia]
No, I mean, emails are extremely important these days. They’re kind of part of our digital identities because, as you said, like, you use your email as your username to log into everything else. That’s where you get your, you know, the links to access whatever. So it is a very important part of our digital lives and therefore the security of the digital life. And I mean, I encourage everyone to ultimately get there. But I’m just saying that maybe if you want to, if that’s too scary for you for a start, then maybe, you know, start with, start somewhere else. Or I think the method of having the two in parallel is pretty good. Like it’s, you know, it doesn’t take away the risk of the other inbox, obviously, because you have both going in parallel. But if that’s what you need to, you know, to make the move, then I think that’s totally reasonable.

[Bruce]
So, yeah, it’s better to take that potential short-term risk of having two emails in parallel and therefore doubling the attack surface, but it’s building better habits in the medium to long term, I guess.

[Patricia]
Better is better, right? You don’t need to be perfect. Perfect would have been maybe never have one of these non-encrypted emails, but you can’t go back in the past. So what that is, is to start, you know, start today. It’s not too late. You’re not too old. You’re not too young. You’re not too whatever. Just start somewhere, start small. Baby steps. And in a year from now, I think you can see crazy progress because things that would seem maybe completely unachievable, you know, today, maybe once you get started and start working on it, in a year from now, you’re like, I can’t believe it was so easy or I can’t believe I waited so long or, you know. That’s at least the people around me who switched over. They’re like, yeah, this was easy.

[Bruce]
I really like your stance that perfect is the enemy of the good. Better is better. I would just say this with people with accessibility. Don’t try and make everything perfect. Just try and do something a little better, every time you happen to be tweaking some code, because better is better. “It depends” and “perfect is the enemy of the good” are the mantras of both accessibility and security.

[Patricia]
Yeah, I mean, I think, and that’s one of the things that also, I think I mentioned it kind of, when you asked me what a day in the life is, but, you know, figuring out what is important is a big part also of, of what security does. And it’s, you know, the easy answer would be, oh, you know, everything’s important. And like, you know, all the data is equally important. We’re going to protect everything. And I think it’s important to push back there and say, well, no, if everything’s important, then nothing’s important, especially when you’re starting. If you already are super well-established and have a ton of resources and time, and everything is a-okay, then sure, expand your definition of important.

But if not, if you’re starting, then, you know, choose. And (b), accept that for this year, important means my, you know, important stuff is my emails. And everything else is not important. Not that you don’t care about it. Of course you do, but that means that that’s going to be the focus. And I think it’s very uncomfortable for a lot of people to have to make these kinds of decisions, because they feel like, oh, but then this is also important. I’m like, sure, but like maybe it’s less or maybe we’re starting with this. And so focus on one thing at a time, figure out what, what you care about most. Tackle that and then move on.

[Bruce]
And it’s individual, I suppose. You and I can’t say to somebody else, this is not important. So, for example, my daughter, she’s a tattoo artist, and all of her shopfront is Instagram. Email is just spam and bullshit mostly. So for her, the security of her Instagram account is much more important than email. I don’t care. I don’t have an Instagram account, but if I had, I wouldn’t care because I’m… I’m boring, but I have millions of email or so. I’m going to let you go because I’ve noticed I’ve kept you much longer than I undertook to. And there could be a server burning down right now.

[Patricia]
No alert so far. But yeah, you never know.

[Bruce]
Apart from competitors to Vivaldi and competitors to Proton, which we’ll take as a given, what software would you, if your dad told you he installed it, you would be immediately driving at 100 kilometers an hour around to his house to remove it and burn his computer?

[Patricia]
I mean, anything that gets installed from a sketchy call center, that’s one of them. And that still amazingly happens and still works. And I’m always surprised by really smart people who tell me stories that they installed random horrendous things. That would be one. So anything that someone convinced him to install that he didn’t actually want or whatever, that would be a massive red flag. I think some of these now, you know, some of these AI things, I would ask very specifically which ones, you know, what did you accept on the permissions, what can they do type of thing? I think that would be another one that would make me pick up the phone pretty quick. I’m like, hey, what are you doing here? Yeah.

[Bruce]
So if he had a phone call from somebody who pretended to be from Microsoft, telling him that his computer was running slow and he should just download this.

[Patricia]
Yes, just install this little piece of harmless software, which you also have to pay for because, of course, it’s important security software. And then you have an infected device, and a few hundred bucks gone from your account. So it’s great. But yeah, it’s the worst.

[Bruce]
I had a phone call the other week, and it was legitimately, it was from my bank. And they phoned me up out of the blue and said, I’m going to have to ask you some security questions. You phoned me!

[Patricia]
Yeah. But, you know, this is actually, this is an interesting thing, and I don’t think anybody really does this. But a lot of times, if you call your bank, they’re going to say, we need to check that you are who you are, right? They’ll ask you a bunch of questions and you answer them. But it’s interesting that if you flip the tables and you try to figure out if they are who they say they are, they’ll be very confused.

But I think it’s a very legitimate thing. And I think you should feel empowered and have every right to make sure that who you are talking to is the right person. And sometimes with phone spoofing, hang up, and call back. If you get to the same person, then okay, you can have more confidence that you are talking to your bank or something. Not calling back the same phone number, but call your usual bank, whatever, ask to speak to your representative, yada, yada, yada. I think this has to become a lot more common because it’s a common thing to trick people and to call: you’re the police, you’re whoever, you’re the bank, you’re, you know, God knows what. And people should know that they can hang up and call back and make sure that the person on the phone was indeed their bank, their doctor, their whoever.

[Bruce]
A lot of security is not technical at all. It’s basically, I suppose, equipping people to ask sensible questions, check the credentials of a person who’s suggesting you install this or type your CCV number into a website, etc. So a lot of social engineering goes on in bad actors’ repertoire, I guess.

[Patricia]
Yeah, 100%. And it’s probably in the vast majority, if not all, cases where there’s some level of social engineering, sometimes a bit more, sometimes a bit less. But yeah, 100%. And that’s why I think having, you know, having security by default wherever possible. And, you know, so if you’re talking products that are being built, that’s really important because, you know, if people don’t know, don’t take the time, whatever, they might have issues. And yes, making it accessible to everyone without having, you know, having to teach them the security mindset is a good way to go. And I think the other thing I like to think about, I mean, I’m biased because of where I am in my life at the moment. But the way I like to see it as well is if you compare again to your, you know, your physical life, your home, the more stuff you have at home, the more you let things get into a mess, the more difficult it’s going to be to clean it up or to keep it, you know, tidy. The less stuff you have, the easier it is to, you know, keep things tidy. And so I think people can use that analogy to, you know, do you need 5,000 apps on your phone? Probably not. And the fewer apps you have, the more realistic it is to be able to scroll through, you know, the permissions of said apps and check that they’re appropriate. But you can’t realistically do that if you have thousands of things installed. Or it takes a lot more time.

[Bruce]
That’s security advice worth its weight anyway. It’s like don’t install apps. Use the web. Yeah. You heard it from the goddess of security at Proton, everybody, so it’s not just me talking nonsense. An actual real expert said it. Patricia, it’s been lovely to talk to you. Thank you for being here. Thank you for understanding maths, so that idiots like me don’t have to do complicated things with Greek numbers. And thank you for having the security mindset so that ordinary mortals don’t have to wander around in an eternal, eternal state of suspicion and paranoia.

[Patricia]
Yeah. Thank you for having me and for asking some really good questions.

[Bruce]
You’re very welcome. Say hello to Andy Yen for me when you speak to him next. He was a very popular guest last time.

[Patricia]
Yep.

[Bruce]
So everybody, the halibut of time catches up with us all. The sun is sinking down over the yard arm. Patricia is doubtless needed to help keep another customer protected and happy. And I have to go and dust all these things. When you were talking about, you need all this stuff and how difficult it is to keep it tidy, I was trying to dust all these picture frames and regretting it. So I’m going to do that. Until we meet again, gentle listeners and brave viewer who has to look at me. Thank you for coming. Thanks for your attention. Do check out Proton. It’s easily done. It’s in desktop Vivaldi, or type Proton into your search engine of choice. Download it and give it a spin. Bye, Patricia. Bye, viewer. Bye, mum.

[Patricia]
Bye. Bye.
