> The book's not trying to make you feel bad, like, "Hey, your password's too short." And I'm not trying to say that we're all going to die. The truth is in the middle. For most people, the risks are not big at all. The culture presents to us a picture of hackers which is a sensational caricature: Somebody who is almost completely asocial, maybe has mental illness, maybe is morbidly overweight. There's the 400-pound person sitting in their pajamas in their basement in their parents' house, socially maladapted human beings who are malicious and evil. There have been hackers in the last several decades who've challenged that picture.

That's all true, though this vision of evil amoral hackers feels at least 10 years out of date; it's how Hollywood has historically portrayed it but not what people think about today. The new unhelpful assumption that I often encounter is that cybercrime is so widespread and automated that anyone who isn't a security expert has no hope, they've already been hacked. Maybe there's a generational difference.

> Yes, of course, hacking is a real risk. But the vast majority of hacking, of cybercrime, is financially motivated, to make money. They do not want to break into your computer specifically. They want to break into lots of computers easily to create a botnet or to distribute spam or ransomware. They don't really want to spend that much time on you. So for most of us, basic precautions make it just a little bit more expensive to attack you. They're more likely to move on to somebody else because these are basically automated tools that are very low-level type of things.

I don't really like this framing. The advice to make yourself a little harder to attack is good, but "they don't really want to spend that much time on you" doesn't match the experiences of many actual victims of cybercrime.
Being part of a botnet is technically getting hacked, and it's very common, but I don't think that's the kind of hacking the average person considers a risk they'll expend effort to avoid. People who have their social media accounts broken into for sextortion are basically automatically targeted, yes, but it gets very personal once the hack happens. Victims of tech-support scams and the like are often faced with someone willing to spend hours or days working to get control of their bank accounts and target them again and again. I think any advice aimed at average people needs to acknowledge the actual threats they face online, not dismiss them with the broad brush of "spam and ransomware", and show how basic measures make you a more difficult target for these common types of cybercrime.