Stop Hacklore – An Open Letter

Summary

Released Nov-24-2025To the public, employers, journalists, and policymakers:We are a group of current and former Chief Information Security Officers (CISOs), security leaders, and practitioners who have seen how compromises unfold in the real world across industry, academia, and government. We write to correct a set of persistent myths about digital risk to everyday people and small businesses (as opposed to high-risk individuals) that continue to circulate widely online and in public advice columns.The outdated adviceSpecifically, we aim to retire the following outdated pieces of advice:Avoid public WiFi: Large-scale compromises via public WiFi are exceedingly rare today. Modern products use encryption technologies to protect your traffic even on open networks, and operating systems and browsers now warn users about untrusted connections. Personal VPN services offer little additional security or privacy benefit for most people and don’t stop the most common attacks. Never scan QR codes: There is no evidence of widespread crime originating from QR-code scanning itself. The true risk is social engineering scams, which is mitigated by existing browser and OS protections, and by being cautious about the information you give any website. Never charge devices from public USB ports: There are no verified cases of “juice jacking” in the wild affecting everyday users. Modern devices prompt before enabling data transfer, default to restricted charging modes, and authenticate connected accessories.Turn off Bluetooth and NFC: Wireless exploits in the wild are extraordinarily rare and typically require specialized hardware, physical proximity, and unpatched devices. Modern phones and laptops isolate these components and require user consent for pairing.Regularly “clear cookies”: Clearing (or deleting) cookies doesn’t meaningfully improve security or stop modern tracking, which now includes identifiers and fingerprinting other than cookies.Regularly change passwords: Frequent pa...