News / August 2020

Citizen Clinic leaders talk security on “The Edge” podcast

A recent episode of The Edge, a podcast produced by California magazine (and the Cal Alumni Association), showcased the work of the Citizen Clinic, through which UC Berkeley students help organizations with limited resources to defend themselves online.

The podcast’s hosts, Leah Worthington and Laura Smith, interviewed Sean Brooks, Director of Citizen Clinic, and Steve Trush, Deputy Director, about best practices in online security for individuals and organizations alike. (Also making a cameo was Trush’s dog, Ralphie, the “Citizen Clinic mascot.”)

In advance of the interview, the hosts invited Brooks and Trush to dig up their personal information online. “In this episode, we’re going to find out just how cyber-insecure we are and what, if anything, we can do to protect ourselves,” Smith explained.

Brooks and Trush talked about the importance of having a strong password — and why that isn’t enough. “The easiest way to get access to someone’s account is for them to just give [the password] to you,” Brooks said. “So what you would do is send a phishing email. And the best way to send this phishing email is with targeted information about that person, really tailored to their interests.”

They also showed how, simply by using Google searches and data aggregators, they were able to find out the hosts’ past addresses, telephone numbers, financial data, and other information.

The conversation also showcased the Citizen Clinic itself, profiling how this unique program trains UC Berkeley students to help clients fend off real-world digital security threats.

“A lot of things that we work with our student teams on when they’re working with nonprofits,” Brooks explained, “is something called threat modeling, thinking about who the bad guy is and what the bad thing is specifically that we’re worried about, so that we can help the organizations that we work with spend the limited time and resources they have to address those needs.”

They also shared tips for how the average user can better secure their personal data, including using password managers, “YubiKeys” (a USB-based form of multi-factor authentication), and virtual private networks (VPNs).

“There’s a basic level of cybersecurity practice that you should take, regardless of what you think your adversaries and threats may be,” Trush said. “And those are things like having the multi-factor authentication, using a password manager, and using unique passwords on every site. If you have to, write them down in a book if that works for you. There are certain things that we do that we know are safer practices…. There’s like a herd immunity that we need to encourage. Where, not only are you worried about yourself, but if someone was targeting you, they could also be targeting your family members. And that kind of raises the stakes.”

Listen to the full podcast on The Edge website, or on Apple or Spotify.