03
13 min read · 5 briefings

Device and Network Hygiene

Updates, encryption, and one grumpy hour with your router — the unglamorous trifecta.

01 Updates: The Boring Superpower

If security advice were ranked purely by protection-per-minute, "turn on automatic updates" would win by a landslide, and it would still be the advice people skip. So here's the mechanism, because the mechanism is persuasive.

When a vendor ships a security patch, it publishes — implicitly but readably — a description of the hole it fixes. Attackers diff the patch, reconstruct the vulnerability, and build exploits, often within days. From that moment there's a race between their scanners and your update button, and unpatched machines lose it on autopilot: mass exploitation doesn't target you, it sweeps the internet for whatever hasn't patched yet.

The canonical lesson: Microsoft patched the flaw known as MS17-010 in March 2017. Two months later, in May, the WannaCry ransomware worm tore through hundreds of thousands of still-unpatched machines in over 150 countries — freezing parts of the UK's National Health Service, factories, and railways. Every infected machine had a fix available for eight weeks. The patch wasn't too hard; it was just not applied.

Your move costs nothing: automatic updates on for OS, browser, and phone — and restart when asked, because a downloaded-but-not-installed patch protects no one. When a device stops receiving security updates at all (old Android phones are notorious), treat that as the retirement bell for any sensitive use.

Signal boost: Patching is the rare defense that requires no ongoing skill, judgment, or vigilance. You configure it once and it wins races for you forever. Nothing else in security has that deal.

02 Encrypt the Slab

Picture the mundane catastrophe: your laptop bag, gone from a cafe chair. The thief is after hardware, but ask what else they're holding — tax documents, saved sessions, photos, that passwords.txt you swore was temporary.

Here's what your login password does not do: protect any of that. Login passwords gate the operating system, but a thief can pull the drive and read it from another machine, no password required. The defense is full-disk encryption — scrambling everything on the drive so it's unreadable without your key. With it, the stolen laptop is expensive scrap; the data simply isn't recoverable.

The good news is this battle is mostly won — the tooling is built-in and free. It's just not always switched on:

  • Windows: BitLocker (or device encryption on Home editions) — check Settings, and crucially, save the recovery key somewhere safe like your password manager. Lost key plus forgotten password equals your data joining the thief in oblivion.
  • Mac: FileVault, one checkbox in System Settings.
  • Phones: modern iPhones and Android devices encrypt by default — but the encryption is only as strong as the passcode that unlocks it. A six-digit code beats four; an alphanumeric one beats both.
  • External drives and USB sticks: the forgotten flank. Both platforms can encrypt removable media; the backup drive in your desk holds everything the laptop does.

Fifteen minutes of checkboxes, one saved recovery key, and physical theft drops from data catastrophe to insurance paperwork.

03 Your Phone Is the Crown Jewels

Your phone is your email, banker, photo archive, location history, and MFA device in one pocketable slab — the highest-value target you own. Three fronts to hold:

The lock. Biometrics plus a strong passcode is the right combo for most people: fingerprint or face defeats shoulder-surfing (nobody watches you type a code you never type), while the passcode backstops it. Know your quick disable: both iOS and Android have a button-press combination that forces passcode entry — situationally useful, since legal protections around compelled biometric unlocks versus remembered passcodes differ by jurisdiction and are still being litigated.

The apps. Permissions are a ratchet — granted once in a hurry, never revisited. Both platforms now show which apps touched location, camera, and microphone recently; sweep it quarterly and set location to "while using" almost everywhere. Install from official stores only — sideloaded apps skip the (imperfect but real) review gauntlet.

Stalkerware. Commercial apps sold for covert monitoring — reading texts, tracking location, activating microphones — usually installed by someone with physical access and marketed for exactly that. Warning signs: battery draining unusually fast, a device that runs hot at rest, settings changed without you, unfamiliar apps with administrator or accessibility privileges, or a person who consistently knows things they shouldn't. The Coalition Against Stalkerware maintains guidance for detection and — critically — safe response.

Threat advisory: If you suspect stalkerware in a domestic abuse context, do not immediately delete it — removal can alert the person monitoring and trigger escalation. Use a safe device to contact a domestic violence hotline or tech-safety specialist, and plan the response with them.

04 Public Wi-Fi: The Threat That Shrank

You've heard the warning: never bank on coffee-shop Wi-Fi. Here's the rare good news story — that advice is about a decade stale.

It used to be excellent advice. In 2010, a researcher released Firesheep, a Firefox extension that let anyone on an open network hijack other users' logged-in Facebook and Twitter sessions with two clicks — because most sites back then encrypted only the login page and sent everything after in the clear. Firesheep made the invisible problem embarrassing and public, and it worked: the industry stampeded toward encrypting everything.

Today, HTTPS is the default nearly everywhere — the overwhelming majority of web traffic is encrypted before it leaves your device. The person at the next table sees which sites you visit (domain names still leak), but the contents — passwords, messages, card numbers — are wrapped in encryption the local network never touches. Even a malicious "evil twin" hotspot mostly just gets to watch ciphertext go by; and if something tries to strip that encryption, your browser throws the big scary certificate warning. The remaining rule is simply: never click through that warning, especially on shared networks.

So is a VPN mandatory at the airport? No — it's optional. It still adds value on hostile networks (hides domain names from local snoops, defeats captive-portal weirdness), and module four covers what it does and doesn't buy. But the modern ranking of Wi-Fi worries puts "fake network phishing portal asking for my email password" far above "someone reading my traffic," because the second one mostly stopped being possible.

05 The Router in the Closet and the Toaster on Its Network

Your router is the border checkpoint for everything digital in your home, and statistically it's run like an abandoned lighthouse. One honest hour fixes it:

  1. Change the admin password. Default credentials for every router model are compiled in public lists; malware tries them automatically from inside your network.
  2. Update the firmware — routers have vulnerabilities like anything else, but nobody patches the beige box. Enable auto-update if it exists; if the vendor stopped shipping updates years ago, the checkpoint itself is the vulnerability and it's replacement time.
  3. Use WPA3 or WPA2 encryption with a strong passphrase; retire WEP and WPS (the push-button pairing feature) — both have known breaks.
  4. Disable remote administration from the internet unless you genuinely use it.

Then the menagerie: cameras, TVs, doorbells, plugs, speakers — every one a small networked computer, typically built to a price with security as an afterthought and abandoned by its vendor after two years. The Mirai botnet made the point in 2016 by conscripting hundreds of thousands of cameras and DVRs — using a list of about sixty factory-default passwords, nothing fancier — into a weapon that knocked major websites offline.

House rules for the toaster class: change default passwords where possible, apply updates where they exist, buy from vendors with a patching track record, and ask the pre-purchase question — does this actually need to be smart? The most effective structural move: put IoT gear on your router's guest network, so the compromised camera can phone whoever it likes but can't reach your laptop.

Field Glossary

Patch
A vendor update that closes a known vulnerability. Once published, attackers reverse-engineer it and race unpatched machines — automatic updates win the race for you.
Full-disk encryption
Encrypting a device's entire drive (BitLocker, FileVault) so stolen hardware yields no readable data without the key. Built into every modern OS.
Stalkerware
Commercial software covertly installed to monitor a person's messages, calls, and location — typically by someone with physical access. Detection requires safety-aware handling.
HTTPS
Encrypted web transport, now the default for most traffic. It's why public Wi-Fi eavesdropping went from trivial (Firesheep, 2010) to mostly impractical.
Evil twin
A rogue Wi-Fi access point impersonating a legitimate network. HTTPS blunts its eavesdropping, but its fake login portals still phish credentials from the unwary.
Botnet
A herd of compromised devices under one attacker's control, rentable for attacks and spam. Mirai built one from IoT devices using about sixty default passwords.

Knowledge Check

Field Assessment

0 / 3

01 WannaCry devastated organizations worldwide in May 2017. What made those infections preventable?

02 Your laptop has a strong login password but no full-disk encryption. What can a thief who steals it do?

03 Why is public Wi-Fi far less dangerous today than the classic warnings suggest?

ESC
↑↓ navigate jack in