Internet Security Interview: Carey Parker of “Firewalls Don’t Stop Dragons”

I had the privilege to do an Internet Security interview with Carey Parker, author of Firewalls Don’t Stop Dragons: A Step-By-Step Guide to Computer Security for Non-Techies, a book I reviewed (and highly recommend!).

Below you’ll find an audio recording of the interview, and Parker’s answers to my questions about Internet security, online privacy, and keeping kids safe online.

Questions and Answers About Internet Security and Online Privacy

Below are my questions, and summaries of Parker’s answers. You’ll get more by listening to the interview, but I thought this summary could be helpful.

1. What piqued your interest in cybersecurity and privacy in the first place?

Parker is a software engineer who’s been coding for 26 years. He’s always been interested in cryptography (crypto) and cybersecurity. The Edward Snowden revelations in 2013 shocked him; he says they were “a wake-up call,” and he felt like he “needed to do something.” 

Parker is the “IT guy” for his family, and they’re constantly asking him questions. He had always wanted to write a book, so he looked at the available books about personal cybersecurity and privacy and found only one, which was outdated. He decided to put his answers to his family’s questions into a book, which led to Firewalls Don’t Stop Dragons. He considers that his contribution to the cause of increasing security and privacy.

2. What are the biggest challenges or threats consumers face related to cybersecurity?

Parker lists several:

1. Phishing
2. Ransomware
3. Identity theft

3. What are the biggest challenges or threats consumers face related to digital privacy?

Parker says he’s come to see cybersecurity and privacy as separate issues, though they’re related. He says the threats to privacy are “myriad and legion.” He says they’re coming from two main sources:

1. Corporations
2. Government

Corporations buy and sell consumer data. “It’s a total wild, wild West,” according to Parker.

Parker points out the dangers of the Internet of Things (IoT). He explains that because the profit margins on these devices are so small, manufacturers don’t want to spend money on security. Yet because the devices are connected to the Internet, they’re “easy prey for hackers.”

Parker has seen 3 studies of smart TVs that revealed that “they’re watching what you’re watching.”

The second source of privacy threats, according to Parker, is the government. He expected more public outcry after the Snowden revelations. He suggests a few reasons that didn’t happen:

• People think they’re not affected.
• People think they have nothing to hide, so it doesn’t matter.
• People think they need to give up privacy to have security (which Parker calls “a false choice”).

Parker describes the current state of surveillance as the Panopticon, a prison designed by Jeremy Bentham in the 18th century, in which prisoners had to assume they were being watched at all times.

Parker explains that the government is using data for purposes other than it was collected, such as DMV photos being used by government agencies outside the DMV.

4. In your book, you list 6 priorities, which are the first items people should focus on. How did you arrive at those 6 items?

Parker says he selected the top tips out of the over 150 tips in the book, so that readers wouldn’t be overwhelmed. He says he picked them because they have “the most bang for the buck. And honestly, it’s like infinite bang for the buck, because most of these are zero cost.”

Parker expanded on the 6 priorities:

1. Back up your files.

If something happens, such as malware, your device dying, etc., you need a backup, says Parker.

2. Keep your computer and phone software updated.

As a software engineer, Parker knows firsthand that software can contain bugs (flaws). The best way to get fixes to these bugs is to have your software automatically update.

3. Use strong, unique passwords for important sites.

Parker warns that biometrics (fingerprints, face recognition, etc.) should only be used as secondary authentication factors (in addition to a password, or to unlock a phone), but that passwords are still the best primary authentication factor. 

Don’t use the same password on multiple sites, says Parker, because if one site gets hacked, bad guys will use the stolen passwords to try to break into other sites. This is called credential stuffing. Parker says the only way for humans to create long, strong passwords is to use a password manager.

4. Turn on two-factor authentication when possible.

Parker explains that two-factor authentication follows the security principle of “defense in depth.” It protects you in case someone gets your password, or gets around the password authentication mechanism. It requires a second factor, such as a code from your phone, to log in. Parker has heard that two-factor authentication could stop 99% of credential-stuffing attacks.

5. Browse the Web safely using a good browser with security plugins.

Parker says you want a “privacy-respecting browser with some privacy-respecting plugins.” He says most major browsers are secure, but they differ in how much they respect privacy. He recommends that you not use Chrome because Google’s business model is selling ads.

6. Don’t open attachments or links you’re not expecting.

This is to protect against phishing, says Parker. His rule of thumb: if you didn’t ask for it, don’t trust it.

5. You’re a parent. What were, or are, the biggest challenges or threats your kids have faced related to cybersecurity or privacy?

The main thing with kids is they just don’t have the life experience, they don’t have the frame of reference for how dangerous these things could be.

He says social media has opened up a lot of social pressure and cyberbullying opportunities that previous generations didn’t need to worry about.

Many kids don’t understand the value of privacy yet, says Parker. They don’t understand that you can’t trust everyone on the Internet; they may not be who they say they are, and there are bad people out there.

6. How can parents protect their kids online, and help their kids protect themselves?

Parker told his kids to “be careful, be smart.”

The Internet is forever … anything that goes on the Internet … assume it will last forever and it can be seen by anybody.

Parker shared his “Grandma Rule”:

Don’t do anything on the Internet you wouldn’t happily show your grandmother.

Stay involved in what your kids do online, is Parker’s advice to parents.

Keep track of what they’re doing without being pushy or overprotective.

One of Parker’s rules for his kids was to keep computers in a common room in the house, rather than in bedrooms. He also had his kids charge their phones in a common room before they went to bed.

Parker didn’t allow his kids to communicate online with anyone that he hadn’t met in person, because many predators misrepresent themselves online.

Parker says it’s good to use parental controls, such as those included in operating systems.

He also mentions using OpenDNS to prevent kids from getting to sites they shouldn’t.

7. How can people best help their elderly relatives and friends? 

Parker points out that the elderly can usually do what they need with a phone or tablet, rather than a full computer, and those mobile devices tend to be more secure. “There are a lot fewer ways for you to shoot yourself in the foot,” he says.

Parker recommends that all adults think about their “digital afterlife” (what will happen to their digital assets when they die). One option he gives is to use a password manager, and put the master password in a safe deposit box or your will with your lawyer, for access by your survivors.

I added that people often overlook their “digital legacy.” When I first wrote my will, my lawyer said almost none of his clients had anything in their wills about digital accounts or assets!

8. There’s still a lot of apathy about personal cybersecurity. Do you think that will ever change? If so, what do you think it will take to make people care?

Parker thinks people want to be secure, but they feel overwhelmed. There’s too much to do, they don’t understand the technology, so they just give up. He describes it as resignation; “I can’t do anything, so why bother?”

There really is a lot you can do; there’s a lot of low-hanging fruit. There’s a lot of what I like to call seatbelts, sunscreen, smoke detector kind of level things, brush your teeth, floss. There’s a lot of things in our physical world that we’ve just learned to do.

You don’t have to outrun the bear; you just have to outrun your friend. … Just being a little more secure than the other guy often is enough. … Don’t give up; there’s a lot of things you can do.

9. Same question, but this time about digital privacy. Will people ever care? What might make them care?

“There definitely is some apathy out there,” Parker replies. He says some people think privacy is no big deal, and others think they have to give up privacy to have security, which he calls a false choice.

Another problem, according to Parker, is that people think they have nothing to hide. In response, Parker quotes Edward Snowden: 

Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.

Edward Snowden

Parker says the issue of privacy is bigger than each of us, so we need to band together to defend it.

10. You’re helping individuals take more responsibility for their security and privacy, but do you think companies should be working harder to defend people? If so, what should they be doing?

“For sure,” answers Parker. He says there aren’t enough consequences when companies violate the security and privacy of their users. He notes that the issue isn’t so much that there are bugs in software, which is inevitable, but how a company responds to bugs.

Parker points out that tech companies are taking steps to protect users, such as filtering spam email and flagging suspicious attachments. But, he says there’s a lot more tech companies could be doing.

Parker thinks some amount of regulation is needed, similar to how the FAA oversees airline safety, and the FDA oversees food safety. He thinks that it would be helpful if regulation required more transparency about how data is being collected, used, sold, etc.

11. You’ve witnessed digital security and privacy trends over the last couple of decades. Are you optimistic or pessimistic about the future of personal cybersecurity and privacy?

Honestly, both. I think there’s—it’s one of those things where it’s this cat and mouse kind of a thing where the bad guys keep getting better but the good guys are getting better too. …It’s going to be this constant struggle … Overall, I think we’re definitely making progress. I think it’s going to get worse before it gets better. But I am optimistic that it will get better.

Parker says that unfortunately, we may need to suffer more big incidents before the changes happen.

I personally as a software engineer think that these problems can be solved.

12. What role do you predict artificial intelligence (AI) will play in the future? Do you think it will be a net positive or net negative for personal cybersecurity and privacy?

I think it’s going to be a little bit of both.

Parker gives the example of AI-generated news stories, complete with fake quotes from real people. He also mentions deepfakes, which are fake audio or video recordings. Yet AI can also be used to detect such fake news.

Parker recommends that you search (using DuckDuckGo) the word deepfakes to learn more about them. He mentions a deepfake of Jennifer Lawrence with Steve Buscemi’s face:

I added that I’ve seen or heard of deepfakes of Mark Zuckerberg, Barack Obama, and Donald Trump.

https://www.instagram.com/p/ByaVigGFP2U/

Parker noted that AI can be used to create fake news and deepfakes, but also to expose them.

He also pointed out that AI can be used to catch viruses, stop ransomware, stop spam, stop scam emails, etc.

These are just tools. They can be used for good or evil, and I think we’ll see both.

13. Your book is a great resource, and you provide a lot of info through your website and podcast. How else do you recommend people stay informed of cybersecurity and privacy issues?

Part of why he wrote his book and started his site and podcast is because there weren’t enough resources for the average person, Parker says.

He recommends these resources:

• Naked Security blog by Sophos: timely articles and advice
• Electronic Frontier Foundation (EFF): articles and self-defense resources
• privacytools.io: privacy-respecting tools
• DuckDuckGo: privacy-oriented search engine
• Spread Privacy blog: DuckDuckGo’s blog about privacy, with guides

14. Off-topic: Your book uses a castle analogy, and you mention that you’re a fan of fantasy literature. What are your favorite works?

“I’ve always really been a sword and sorcery kind of guy,” says Parker. He played Dungeons and Dragons in middle school. He listed:

• Piers Anthony, including the Xanth series
• Terry Brooks, including the Shannara series
• David Eddings
• Terry Goodkind, including The Sword of Truth series
• The Wheel of Time series by Robert Jordan
• A Song of Ice and Fire series by George R. R. Martin
• The Harry Potter series by J.K. Rowling
• Jim Butcher, including The Dresden Files series

Parker asked what fantasy I’ve read, so I listed:

• J.R.R Tolkien‘s works (The Hobbit, The Lord of the Rings, The Silmarillion, etc.)
• The Wheel of Time series by Robert Jordan
• The Mistborn trilogy by Brandon Sanderson
• The Harry Potter series by J.K. Rowling
• The Chronicles of Narnia series by C.S. Lewis
• The High House, part of The Evenmere Chronicles series by James Stoddard

Note: these book links are all Amazon affiliate links.

15. Do you have any other warnings, advice, or encouragement you’d like to share before we conclude?

There’s a lot of really simple things we can all be doing. … The main thing is don’t panic. … don’t give up. There’s a lot you can do that will make you safer.

Parker emphasizes the importance of everyone increasing their security because we all benefit from an overall increase in security.

Become an informed consumer, advises Parker; learn about products before buying. He encourages “voting with your pocketbook”; buying products that are good for security and privacy, and avoiding those that aren’t. He notes that products with good security and privacy often cost more, because it costs money to do security and privacy properly.

Parker also recommends being involved politically, even at the local level, on security and privacy issues.

Additional Resources

I recommend that you read the book, Firewalls Don’t Stop Dragons: A Step-By-Step Guide to Computer Security for Non-Techies by Carey Parker.

The Resources page has additional cybersecurity and privacy books.

You can also read my review of the book.

Where to follow Parker:

• Firewalls Don’t Stop Dragons website
• Firewalls Don’t Stop Dragons newsletter
• Firewalls Don’t Stop Dragons podcast
• Carey Parker on Twitter

What You Should Do

1. Buy your own copy of Firewalls Don’t Stop Dragons: A Step-By-Step Guide to Computer Security for Non-Techies.
2. As you read the book, take the time to follow its advice, to increase your digital security and privacy, and help your kids do the same. You’ll find some of the following points in the book.
3. Regularly back up your files.
4. Keep your computer and phone software updated.
5. Use strong, unique passwords. The best way to do this is with a password manager.
6. Turn on two-factor authentication when possible.
7. Don’t open attachments or links you’re not expecting. If you didn’t ask for it, don’t trust it.
8. Teach your kids (and remember yourself) that anything you put online could last forever and be seen by anyone.
9. Stay involved in what your kids do online.
10. Consider keeping your kids’ devices in common rooms in the house, and disallowing them to be taken into bedrooms.
11. Plan for what will happen to your accounts, files, and other digital assets after you die. A password manager can make it easier to grant access.
12. Consider using parental controls.