Podcasts about GPG

  • 78 PODCASTS
  • 111 EPISODES
  • 52m AVG DURATION
  • 1 EPISODE EVERY OTHER WEEK
  • Aug 13, 2022 LATEST

POPULARITY (chart, 2015-2022)


Best podcasts about GPG

Latest podcast episodes about GPG

Talk Python To Me - Python conversations for passionate developers

PyPI has been in the news for a bunch of reasons lately. Many of them good. But also, some with a bit of drama or mixed reactions. On this episode, we have Dustin Ingram, one of the PyPI maintainers and one of the directors of the PSF, here to discuss the whole 2FA story, securing the supply chain, and plenty more related topics. This is another important episode that people deeply committed to the Python space will want to hear.

Links from the show:
Dustin on Twitter: @di_codes
Hardware key giveaway: pypi.org
OpenSSF funds PyPI: openssf.org
James Bennett's take: b-list.org
Atomicwrites (left-pad on PyPI): reddit.com
2FA PyPI Dashboard: datadoghq.com
github 2FA - all users that contribute code by end of 2023: github.blog
GPG - not the holy grail: caremad.io
Sigstore for Python: pypi.org
pip-audit: pypi.org
PEP 691: peps.python.org
PEP 694: peps.python.org
Watch this episode on YouTube: youtube.com

--- Stay in touch with us ---
Subscribe to us on YouTube: youtube.com
Follow Talk Python on Twitter: @talkpython
Follow Michael on Twitter: @mkennedy

Sponsors: RedHat IRL Podcast, AssemblyAI, Talk Python Training

RUN GPG Podcast
Front 242 - Patrick Codenys - “Front by Front”

Jul 27, 2022, 41:12


Our guest for this episode is Patrick Codenys, the founding member of Front 242, one of the most influential electronic and industrial groups in music history. Originally from Belgium, Patrick and Front 242 came to prominence during the '80s and '90s as pioneers of the style called ‘EBM,' and as mentioned they were and are still a profound influence on the electronic, experimental and industrial music genres since their inception. The group has recently released a live album and is on tour again. We discussed the history of the group, what they're up to now, as well as the history and current state of electronic and industrial music and these topics:

How Front 242 Created A New 'Genre'
Where Did The Name 'Front 242' Come From?
Front 242 & The 'Post Punk' Era
The Key To Compelling Live Shows
Touring With Ministry
Thoughts On Al Jourgensen & Ministry
How Ministry Changed
The Current State Of Industrial & Electronic Music
Why 'The Industrial Crowd' Is Dark
The Success Of 'Headhunter'
The Role Of Postmodernism & Architecture
What's Next For Front 242?

Every week, the RUN GPG Podcast aims to provide inspirational stories from people who made a mark in entrepreneurship, business, entertainment, the arts, personal development, and the real estate industry. It is produced by the GREATER PROPERTY GROUP with the intent to help our audience grow and scale their business and their life. Know more about GREATER PROPERTY GROUP and the RUN GPG Podcast by going to www.rungpg.com or by getting in touch with us here: info@greaterpropertygroup.com.

Contact Patrick Codenys:
Website: https://www.front242.com/
Instagram: https://www.instagram.com/alfamatrix/?hl=en

Subscribe & Review The RUN GPG Podcast
Thanks for tuning in to this week's episode of the RUN GPG Podcast! Please leave us a review on iTunes. This will help us continue delivering beneficial content for you and our listeners each week!

RUN GPG Podcast
Dane Cook - “Self-Actualization & Success”

Jul 14, 2022, 57:16


Dane Cook is a stand-up comedian and film actor. He's released five comedy albums, including one of the highest charting comedy releases of all time. He's been called the “first internet-made stand-up comedy star” who grew a massive fanbase online which slingshot his career to Rockstar status, becoming one of the most prolific and popular comedians of the past few decades, selling out arenas and stadiums, while appearing in a number of movies over that time. He's also known for his use of observational, storytelling humor with a dynamic on-stage personality. We talked to Dane about his life, his incredible career, some highlights, what he's doing now, and the following:

Why I Got Into Comedy
Inspired By "Fearless" Comedians
The Influence Of George Carlin
The "First Internet-Made Stand-Up Comedy Star"
How To Create A "Fan For Life"
The "Slingshot" Moment
"Rockstar" Status
The Power Of "Self-Actualization"
The Changes That Come With Success At A Young Age
The Importance Of Mentorship
The Success Of "Retaliation"
How Stand-Up Compares To Acting
Hosting SNL
Time Is Precious
Advice For Young Comedians
My Best Work Yet
What I Do For Fun
Dinner Guests
What "Legacy" Means To Me

Every week, the RUN GPG Podcast aims to provide inspirational stories from people who made a mark in entrepreneurship, business, entertainment, the arts, personal development, and the real estate industry. It is produced by the GREATER PROPERTY GROUP with the intent to help our audience grow and scale their business and their life. Know more about GREATER PROPERTY GROUP and the RUN GPG Podcast by going to www.rungpg.com or by getting in touch with us here: info@greaterpropertygroup.com.

Contact Dane Cook:
TikTok: https://www.tiktok.com/@danecook?lang=en
Instagram: https://www.instagram.com/danecook/?hl=en
Facebook: https://www.facebook.com/DaneCook
Website: https://www.danecook.com/

Subscribe & Review The RUN GPG Podcast
Thanks for tuning in to this week's episode of the RUN GPG Podcast! Please leave us a review on iTunes. This will help us continue delivering beneficial content for you and our listeners each week!

Open Source Security Podcast
Episode 331 - GPG, but nothing makes sense

Jul 11, 2022, 35:38


Josh and Kurt talk about their very silly GPG key management from the past. This is sadly a very true story that details how both Kurt and Josh protected their GPG keys. Josh's setup is like something out of a very bad spy novel. It was very over the top for a key that really didn't matter.

Show Notes:
XKCD signed email
Shire calendar
Guardian editors destroy Snowden laptop

The Race to Value Podcast
Preparing the Workforce for the Future of Population Health Equity, with Dr. Jim Walton, Christina Severin, Dr. Joy Doll, and Dr. Richard Walker

Jul 6, 2022, 60:28


While there have been meaningful improvements in healthcare delivery over the last decade, they have not catalyzed the transformation necessary to advance health value and equity. The promulgation of health policy and the implementation of new alternative payment models have created a landscape for experimentation in value-based care, yet the seismic shift needed to facilitate long-term and sustainable improvements has yet to occur. The key enabler for the future of our industry is workforce readiness to deliver on the promise of high-value, high-quality care that delivers equitable outcomes for all. This week on the Race to Value podcast, you are going to hear from a distinguished panel of industry experts on the importance of workforce development in value transformation. Workforce development will drive success in value-based care by ensuring industry capability, and it will help underserved communities thrive through population health interventions that improve societal outcomes and reduce inequities. As you listen to this discussion with Dr. Jim Walton, Christina Severin, Dr. Joy Doll, and Dr. Richard Walker, think about how the scale and impact of workforce skill and knowledge is either a force multiplier or an impedance for change. If you want to learn more about affordable educational pathways for reskilling and upskilling in preparing for risk-based payment after hearing this discussion, please reach out to the Institute for Advancing Health Value – your partner in developing a competent workforce to win this Race to Value!

Episode Bookmarks:
01:30 The key enabler for the future of our industry is workforce readiness to deliver on the promise of high-value, high-quality care that delivers equitable outcomes for all.
02:00 Workforce development will drive success in value-based care by ensuring industry capability, and it will help underserved communities thrive through population health interventions.
03:00 The Institute for Advancing Health Value – your partner in developing a competent workforce for the future of value-based care
03:30 Introduction to expert panelists: Dr. Jim Walton, Christina Severin, Dr. Joy Doll, and Dr. Richard Walker
06:00 The imperative to ensure health equity and reduce disparities in our most vulnerable populations
07:00 Dr. Walker shares the vision to serve underserved populations through reengineered primary care
08:45 How TVP-Care access to care with both a “high touch” and “high tech” model that reaches patients in their homes
09:30 Dr. Doll on how CyncHealth addresses health equity through data democratization within a longitudinal health record and community-based SDOH support ecosystem
10:30 Dr. Walton speaks to the importance of building an engaged ecosystem and how GPG realizes that “equity is a valuable business model for the future of private practicing physicians”
11:00 The impact of burnout and moral injury and how that will become a “self-fulfilling prophecy” without a value-based business model and workforce strategy
12:00 “We must have an ROI attached to social interventions; otherwise, we are just tilting at windmills.” (Harnessing AI/ML for predictive risk stratification of the patient population)
13:00 Christina Severin on how C3 approaches team-based care, social interventions, behavioral health in its FQHC network
14:00 Establishing a diversity, equity, and racial justice committee and building a data infrastructure to drive health equity
16:00 How CMS is integrating health equity in every stage of payment model development, including the new ACO REACH program
17:30 Christina Severin discusses how ACO REACH is a great step forward in program redesign to have a more adequate benchmark that represents the complexity of the population
18:30 Taking the time to understand the legacy of white supremacy in this country and how it impacts healthcare delivery
20:00 Dr. Walker on the importance of developing trust wi...

Screaming in the Cloud
Granted, Common Fate, and AWS Functionality with Chris Norman

Jun 30, 2022, 33:34


About Chris
Chris is a robotics engineer turned cloud security practitioner. From building origami robots for NASA, to neuroscience wearables, to enterprise software consulting, he is a passionate builder at heart. Chris is a cofounder of Common Fate, a company with a mission to make cloud access simple and secure.

Links:
Common Fate: https://commonfate.io/
Granted: https://granted.dev
Twitter: https://twitter.com/chr_norm

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: Let's face it, on-call firefighting at 2am is stressful! So there's good news and there's bad news. The bad news is that you probably can't prevent incidents from happening, but the good news is that incident.io makes incidents less stressful and a lot more valuable. incident.io is a Slack-native incident management platform that allows you to automate incident processes, focus on fixing the issues and learn from incident insights to improve site reliability and fix your vulnerabilities. Try incident.io, recover faster and sleep more.

Corey: This episode is sponsored in part by Honeycomb. When production is running slow, it's hard to know where problems originate. Is it your application code, users, or the underlying systems? I've got five bucks on DNS, personally. Why scroll through endless dashboards while dealing with alert floods, going from tool to tool to tool that you employ, guessing at which puzzle pieces matter? Context switching and tool sprawl are slowly killing both your team and your business. You should care more about one of those than the other; which one is up to you. Drop the separate pillars and enter a world of getting one unified understanding of the one thing driving your business: production. With Honeycomb, you guess less and know more. Try it for free at honeycomb.io/screaminginthecloud. Observability: it's more than just hipster monitoring.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. It doesn't matter where you are on your journey in cloud—you could never have heard of Amazon the bookstore—and you encounter AWS and you spin up an account. And within 20 minutes, you will come to the realization that everyone in this space does. “Wow, logging in to AWS absolutely blows goats.”

Today, my guest obviously had that reaction, but unlike most people I talked to, decided to get up and do something about it. Chris Norman is the co-founder of Common Fate and most notably to how I know him is one of the original authors of the tool, Granted. Chris, thank you so much for joining me.

Chris: Hey, Corey, thank you for having me.

Corey: I have done podcasts before; I have done a blog post on it; I evangelize it on Twitter constantly, and even now, it is challenging in a few ways to explain holistically what Granted is. Rather than trying to tell your story for you, when someone says, “Oh, Granted, that seems interesting and impossible to Google for in isolation, so therefore, we know it's going to be good because all the open-source projects with hard to find names are,” what is Granted and what does it do?

Chris: Granted is a command-line tool which makes it really easy for you to get access and assume roles when you're working with AWS. For me, when I'm using Granted day-to-day, I wake up, go to my computer—I'm working from home right now—crack open the MacBook and I log in and do some development work. I'm going to go and start working in the cloud.

Corey: Oh, when I start first thing in the morning doing development work and logging into the cloud, I know.
All right, I'm going to log in to AWS and now I know that my day is going downhill from here.

Chris: [laugh]. Exactly, exactly. I think maybe the best days are when you don't need to log in at all. But when you do, I go and I open my terminal and I run this command. Using Granted, I run this assume command and it authenticates me with single-sign-on into AWS, and then it opens up a console window in a particular account.

Now, you might ask, “Well, that's a fairly standard thing.” And in fact, that's probably the way that the console and all of the tools work by default with AWS. Why do you need a third-party tool for this?

Corey: Right. I've used a bunch of things that do varying forms of this and unlike Granted, you don't see me gushing about them. I want to be very clear, we have no business relationship. You're not sponsoring anything that I do. I'm not entirely clear on what your day job entails, but I have absolutely fallen in love with the Granted tool, which is why I'm dragging you on to this show, kicking and screaming, mostly to give me an excuse to rave about it some more.

Chris: [laugh]. Exactly. And thank you for the kind words. And I'd say really what makes it special or why I've been so excited to be working on it is that it makes this access, particularly when you're working with multiple accounts, really, really easy. So, when I run assume and I open up that console window, you know, that's all fine and that's very similar to how a lot of the other tools and projects that are out there work, but when I want to open that second account and that second console window, maybe because I'm looking at like a development and a staging account at the same time, then Granted allows me to view both of those simultaneously in my browser. And we do that using some platform sort of tricks and building into the way that the browser works.

Corey: Honestly, one of the biggest differences in how you describe what Granted is and how I view it is when you describe it as a CLI application because yes, it is that, but one of the distinguishing characteristics is you also have a Firefox extension that winds up leveraging the multi-container functionality extension that Firefox has. So, whenever I wind up running a single command—assume with a ‘-c' flag, then I give it the name of my AWS profile, it opens the web console so I can ClickOps to my heart's content inside of a tab that is locked to a container, which means I can have one or two or twenty different AWS accounts and/or regions up running simultaneously side-by-side, which is basically impossible any other way that I've ever looked at it.

Chris: Absolutely, yeah. And that's, like, the big differentiating factor right now between Granted and between this sort of default, the native experience, if you're just using the AWS command line by itself. With Granted, you can—with these Firefox containers, all of your cookies, your profile, everything is all localized into that one container. It's actually a privacy feature that's built into Firefox, which keeps everything really separate between your different profiles. And what we're doing with Granted is that we make it really easy to open specific profiles that correspond with different AWS profiles that you're using.

So, you'd have one which could be your development account, one which could be production or staging. And you can jump between these and navigate between them just as separate tabs in your browser, which is a massive improvement over, you know, what I've previously had to use in the past.

Corey: The thing that really just strikes me about this is first, of course, the functionality and the rest, so I saw this—I forget how I even came across it—and immediately I started using it.
On my Mac, it was great. I started using it when I was on the road, and it was less great because you built this thing in Go. It can compile and install on almost anything, but there were some assumptions that you had built into this in its early days that did not necessarily encompass all of the use cases that I use. For example, it hadn't really occurred to you that some lunatic would try and only use an iPad when they're on the road, so they have to be able to run this to get federated login links via SSHing into an EC2 instance running somewhere and not have it open locally.

You seemed almost taken aback when I brought it up. Like, “What lunatic would do that?” Like, “Hi, I'm such a lunatic. Let's talk about this.” And it does that now, and it's awesome. It does seem to me though, and please correct me if I'm wrong on this assumption slash assessment, that this is first and foremost aimed at desktop users, specifically people running Mac on the desktop. Is that the genesis of it?

Chris: It is indeed. And I think part of the cause behind that is that we originally built a tool for ourselves. And as we were building things and as we were working using the cloud, we were running things—you know, we like to think that we're following best practices when we're using AWS, and so we'd set up multiple accounts, we'd have a special account for development, a separate one for staging, a separate one for production, even internal tools that we would build, we would go and spin up an individual account for those. And then you know, we had lots of accounts. And to go and access those really easily was quite difficult.

So, we definitely, we built it for ourselves first and I think that that's part of when we released it, it was actually a little bit of the cause for some of the initial problems. And some of the feedback that we had was that it's great to build tools for yourself, but when you're working in open-source, there's a lot of different diversity with how people are using things.

Corey: We take different approaches. You want to try to align with existing best practices, whereas I am a loudmouth white guy who works in tech. So, what I do definitionally becomes a best practice in the ecosystem. It's easier to just comport with the ones that are already existing that smart people put together rather than just trying to competence your way through it, so you took a better path than I did.

But there's been a lot of evolution to Granted as I've been using it for a while. I did a whole write-up on it and that got a whole bunch of eyes onto the project, which I can now admit was a nefarious plan on my part because popping into your community Slack and yelling at you for features I want was all well and good, but let's try and get some people with eyes on this who are smarter than me—which is not that high of a bar when it comes to SSO, and IAM, and federated login, and the rest—and they can start finding other enhancements that I'll probably benefit from. And sure enough, that's exactly what happened. My sneaky plan has come to fruition. Thanks for being a sucker, I guess. I mean—[laugh] it worked. I'm super thrilled by the product.

Chris: [laugh]. I guess it's a great thing I think that the feedback and particularly something that's always been really exciting is just seeing new issues come through on GitHub because it really shows the kinds of interesting use cases and the kinds of interesting teams and companies that are using Granted to make their lives a little bit easier.

Corey: When I go to the website—which again is impossible to Google—the website for those wondering is granted.dev. It's short, it's concise, I can say it on a podcast and people automatically know how to spell it.
But at the top of the website—which is very well done by the way—it mentions that oh, you can, “Govern access to breakglass roles with Common Fate Cloud,” and it also says in the drop shadow nonsense thing in the upper corner, “Brought to you by Common Fate,” which is apparently the name of your company.

So, the question I'll get to in a second is what does your company do, but first and foremost, is this going to be one of those rug-pull open-source projects where one day it's, “Oh, you want to log into your AWS accounts? Insert quarter to continue.” I'm mostly being a little over the top with that description, but we've all seen things that we love turn into molten garbage. What is the plan around this? Are you about to ruin this for the rest of us once you wind up raising a round or something? What's the deal?

Chris: Yeah, it's a great question, Corey. And I think that to a degree, releasing anything like this that sits in the access workflow and helps you assume roles and helps you day-to-day, you know, we have a responsibility to uphold stability and reliability here and to not change things. And I think part of, like, not changing things includes not [laugh] rug-pulling, as you've alluded to. And I think that for some companies, it ends up that open-source becomes, like, a kind of a lead-generation tool, or you end up with, you know, now finally, let's go on and add another login so that you have to log into Common Fate to use Granted. And I think that, to be honest, a tool like this where it's all about improving the speed of access, the incentives for us, like, it doesn't even make sense to try and add another login to try to get people to, like, to say, log in to Common Fate because that would make your signing process for AWS take even longer than it already does.

Corey: Yeah, you decided that you know, what's the biggest problem? Oh, you can sleep at night, so let's go ahead and make it even worse, by now I want you to be this custodian of all my credentials to log into all of my accounts. And now you're going to be critical path, so if you're down, I'm not able to log into anything. And oh, by the way, I have to trust you with full access to my bank stuff. I just can't imagine that is a direction that you would be super excited about diving head-first into.

Chris: No, no. Yeah, certainly not. And I think that the, you know, building anything in this space, and with what we're doing with Common Fate, you know, we're building a cloud platform to try to make IAM a little bit easier to work with, but it's really sensitive around granting any kind of permission and I think that you really do need that trust. So, trying to build trust, I guess, with our open-source projects is really important for us with Granted and with this project, that it's going to continue to be reliable and continue to work as it currently does.

Corey: The way I see it, one of the dangers of doing anything that is particularly open-source—or that leans in the direction of building in Amazon's ecosystem—it leads to the natural question of, well, isn't this just going to be some people say stolen—and I don't think those people understand how open-source works—by AWS themselves? Or aren't they going to build something themselves at AWS that's going to wind up stomping this thing that you've built? And my honest and remarkably cynical answer is that, “You have built a tool that is a joy to use, that makes logging into AWS accounts streamlined and efficient in a variety of different patterns. Does that really sound like something AWS would do?” And followed by, “I wish they would because everyone would benefit from that rising tide.”

I have to be very direct and very clear. Your product should not exist. This should be something the provider themselves handles. But nope. Instead, it has to exist.
And while I'm glad it does, I also can't shake the feeling that I am incredibly annoyed by the fact that it has to.

Chris: Yeah. Certainly, certainly. And it's something that I think about a little bit. I like to wonder whether there's maybe like a single feature flag or some single sort of configuration setting in AWS where they're not allowing different tabs to access different accounts, they're not allowing this kind of concurrent access. And maybe if we make enough noise about Granted, maybe one of the engineers will go and flick that switch and they'll just enable it by default.

And then Granted itself will be a lot less relevant, but for everybody who's using AWS, that'll be a massive win because the big draw of using Granted is mainly just around being able to access different accounts at the same time. If AWS let you do that out of the box, hey, that would be great and, you know, I'd have a lot less stuff to maintain.

Corey: Originally, I had you here to talk about Granted, but I took a glance at what you're actually building over at Common Fate and I'm about to basically hijack slash derail what probably is going to amount to the rest of this conversation because you have a quick example on your site for by developers, for developers. You show a quick Python script that tries to access an S3 bucket object and it's denied. You copy the error message, you paste it into what you're building over at Common Fate, and in return, it's like, “Oh. Yeah, this is the policy that fixes it. Do you want us to apply it for you?”

And I just about fell out of my chair because I have been asking for this explicit thing for a very long time. And AWS doesn't do it. Their IAM Access Analyzer claims to. Like, “Oh, just go look at CloudTrail and see what permissions it uses and we'll build a policy to scope it down.” “Okay. So, it's S3 access. Fair enough. To what object or what bucket?” “Guess,” is what it tells you there.

And it's, this is crap. Who thinks this is a good user experience? You have built the thing that I wish AWS had built in natively. Because let's be honest here, I do what an awful lot of people do and overscope permissions massively just because messing around with the bare minimum set of permissions in many cases takes more time than building the damn thing in the first place.

Chris: Oh, absolutely. Absolutely. And in fact, this—was a few years ago when I was consulting—I had a really similar sort of story where one of the clients that we were working with, the CTO of this company, he was needing to grant us access to AWS and we were needing to build a particular service. And he said, “Okay, can you just let me know the permissions that you will need and I'll go and deploy the role for this.” And I came back and I said, “Wait. I don't even know the permissions that I'm going to need because the damn thing isn't even built yet.”

So, we went sort of back and forth around this. And the compromise ended up just being, you know, way too much access. And that was sort of part of the inspiration for, you know, really this whole project and what we're building with Common Fate, just trying to make that feedback loop around getting to the right level of permissions a lot faster.

Corey: Yeah, I am just so overwhelmingly impressed by the fact that you have built—and please don't take this as a criticism—but a set of very simple tools. Not simple in the terms of, “Oh, that's, like, three lines of bash, and a fool could write that on a weekend.” No. Simple in the sense of it solves a problem elegantly and well and it's straightforward—well, straightforward as anything in the world of access control goes—to wrap your head around exactly what it does. You don't tend to build these things by sitting around a table brainstorming with someone you met at a co-founder dating pool or something and wind up figuring out, “Oh, we should go and solve that. That sounds like a billion-dollar problem.”

This feels very much like the outcome of when you're sitting around talking to someone and let's start by drinking six beers so we become extraordinarily honest, followed immediately by let's talk about what sucks. What pisses you off the most? It feels like this is sort of the low-hanging fruit of things that upset people when it comes to AWS. I mean, if things had gone slightly differently, instead of focusing on AWS bills, IAM was next on my list of things to tackle just because I was tired of smacking my head into it.

This is very clearly a problem space that you folks have analyzed deeply, worked within, and have put a lot of thought into. I want to be clear, I've thrown a lot of feature suggestions at you for Granted from start to finish. But all of them have been around interface stuff and usability and expanding use cases. None of them have been, “Well, that seems screamingly insecure.” Because it hasn't been.

Chris: [laugh].

Corey: It has been effective, start to finish, I think that from a security posture, you make terrific choices, in many cases better than ones I would have made starting from scratch myself. Everything that I'm looking at in what you have built is from a position of this is absolutely amazing and it is transformative to my own workflows. Now, how can we improve it?

Chris: Mmm. Thank you, Corey. And I'll say as well, maybe around the security angle, that one of the goals with Granted was to try and do things a little bit better than the default way that AWS does them when it comes to security. And it's actually been a bit of a source for challenges with some of the users that we've been working with with Granted because one of the things we wanted to do was encrypt the SSO token. And this is the token that when you sign in to AWS, kind of like, it allows you to then get access to all of the rest of the accounts.

So, it's like a pretty—it's a short-lived token, but it's a really sensitive one.
And you know, by default, it's just stored in plain text on your disk. So, we dump to a file and, you know, anything that can go and read that, they can go and get it. It's also a little bit hard to revoke and to lock people out. There aren't really great workflows around that on AWS's side.

So, we thought, “Okay, great. One of the goals for Granted can be that we will go and store this in your keychain in your system and we'll work natively with that.” And that's actually been a cause for a little bit of a hassle for some users, though, because by doing that and by storing all of this information in the keychain, it's actually broken some of the integrations with the rest of the tooling, which kind of expects tokens and things to be in certain places. So, we've actually had to, as part of dealing with that with Granted, we've had to give users the ability to opt out of that.

Corey: DoorDash had a problem. As their cloud-native environment scaled and developers delivered new features, their monitoring system kept breaking down. In an organization where data is used to make better decisions about technology and about the business, losing observability means the entire company loses their competitive edge. With Chronosphere, DoorDash is no longer losing visibility into their applications suite. The key? Chronosphere is an open-source compatible, scalable, and reliable observability solution that gives the observability lead at DoorDash business, confidence, and peace of mind. Read the full success story at snark.cloud/chronosphere. That's snark.cloud slash C-H-R-O-N-O-S-P-H-E-R-E.

Corey: That's why I find this so, I think, just across the board, fantastic. It's you are very clearly engaged with your community. There's a community Slack that you have set up for this. And I know, I know, too many Slacks; everyone has this problem. This is one of those that is worth hanging in, at least from my perspective, just because one of the problems that you have, I suspect, is on my Mac it's great because I wind up automatically updating it to whatever the most recent one is every time I do a brew upgrade.

But on the Linux side of the world, you've discovered what many of us have discovered, and that is that packaging things for Linux is a freaking disaster. The current installation is, “Great. Here's basically a curl bash.” Or, “Here, grab this tarball and install it.” And that's fine, but there's no real way of keeping that updated and synced.

So, I was checking the other day, oh wow, I'm something like eight versions behind on this box. But it still just works. I upgraded. Oh, wow. There's new functionality here. This is stuff that's actually really handy. I like this quite a bit. Let's see what else we can do.

I'm just so impressed, start to finish, by just how receptive you've been to various community feedback. And as well—I want to be very clear on this point, too—I've had folks who actually know what they're doing in an InfoSec sense look at what you're up to, and none of them had any issues of note. I'm sure that they have a pile of things like, with that curl bash, they should really be doing a GPG check. Yes, yes, fine. Whatever. If that's your target threat model, okay, great. Here in reality-land for what I do, this is awesome.

And they don't seem to have any problems with, “Oh, yeah. By the way, sending analytics back up”—which, okay, fine, whatever. “And it's not disclosing them.” Okay, that's bad. “And it's including the contents of your AWS credentials.”

Ahhhh. I did encounter something that was doing that on the back-end once. [cough]—Serverless Framework—sorry, something caught in my throat for a second.

Chris: [laugh].

Corey: No faster way I can think of to erode trust in that. But everything you're doing just makes sense.

Chris: Oh, I do remember that. And that was a little bit of a fiasco, really, around all of that, right? And it's great to hear actually around that InfoSec folks and security people being, you know, not unhappy, I guess, with a tool like this. It's been interesting for me personally. We've really come from a practitioner's background.

You know, I wouldn't call myself a security engineer at all. I would call myself sometimes a software developer, I guess. I have been hacking my way around Go and definitely learning a lot about how the cloud has worked over the past seven, eight years or so, but I wouldn't call myself a security engineer, so being very cautious around how all of these things work. And we've really tried to defer to things like the system keychain and defer to things that we know are pretty safe and work.

Corey: The thing that I also want to call out as well is that your licensing is under the MIT license. This is not one of those, “Oh, you're required to wind up doing a bunch of branding stuff around it.” And, like some people say, “Oh, you have to own the trademark for all of these things.” I mean, I'm not an expert in international trademark law, let's be very clear, but I also feel that trademarking a term that is already used heavily in the space such as the word ‘Granted,' feels like kind of an uphill battle. And let's further be clear that it doesn't matter what you call this thing.

In fact, I will call attention to an oddity that I've encountered a fair bit. After installing it, the first thing you do is you run the command ‘granted.' That sets it up, it lets you configure your browser, what browser you want to use, and it now supports standard out for that headless, EC2 use case. Great. Awesome. Love it. But then the other binary that ships with it is Assume. And that's what I use day-to-day.
It actually takes me a minute sometimes when it's been long enough to remember that the tool is called Granted and not Assume what's up with that?Chris: So, part of the challenge that we ran into when we were building the Granted project is that we needed to export some environment variables. And these are really important when you're logging into AWS because you have your access key, your secret key, your session token. All of those, when you run the assume command, need to go into the terminal session that you called it. This doesn't matter so much when you're using the console mode, which is what we mentioned earlier where you can open 100 different accounts if you want to view all of those at the same time in your browser. But if you want to use it in your terminal, we wanted to make it look as really smooth and seamless as possible here.And we were really inspired by this approach from—and I have to shout them out and kind of give credit to them—a tool called AWSume—they're spelled A-W-S-U-M-E—Python-based tool that they don't do as much with single-sign-on, but we thought they had a really nice, like, general approach to the way that they did the scripting and aliasing. And we were inspired by that and part of that means that we needed to have a shell script that called this executable, which then will export things back out into the shell script. And we're doing all this wizardry under the hood to make the user experience really smooth and seamless. Part of that meant that we separated the commands into granted and assume and the other part of the naming for everything is that I felt Granted had a far better ring to it than calling the whole project Assume.Corey: True. And when you say assume, is it AWS or not? I've used the AWSume project before; I've used AWS Vault out of 99 Designs for a while. I've used—for three minutes—the native AWS SSO config, and that is just trash. 
Again, they're so good at the plumbing, so bad at the porcelain, I think is the criticism that I would levy toward a lot of this stuff.Chris: Mmm.Corey: And it's odd to think there's an entire company built around just smoothing over these sharp, obnoxious edges, but I'm saying this as someone who runs a consultancy and have five years that just fixes the bill for this one company. So, there's definitely a series of cottage industries that spring up around these things. I would be thrilled, on some level, if you wound up being completely subsumed by their product advancements, but it's been 15 years for a lot of this stuff and we're still waiting. My big failure mode that I'm worried about is that you never are.Chris: Yeah, exactly, exactly. And it's really interesting when you think about all of these user experience gaps in AWS being opportunities for, I guess, for companies like us, I think, trying to simplify a lot of the complexity for things. I'm interested in sort of waiting for a startup to try and, like, rebuild the actual AWS console itself to make it a little bit faster and easier to use.Corey: It's been done and attempted a bunch of different times. The problem is that the console is a lot of different things to a lot of different people, and as you step through that, you can solve for your use case super easily. “Yeah, what do I care? I use RDS, I use some VPC nonsense, and I use EC2. The end.” “Great. What about IAM?”Because I promise you're using that whether you know it or not. And okay, well, I'm talking to someone else who's DynamoDB, and someone else is full-on serverless, and someone else has more money than sense, so they mostly use SageMaker, and so on and so forth. And it turns out that you're effectively trying to rebuild everything. I don't know if that necessarily works.Chris: Yeah, and I think that's a good point around maybe while we haven't seen anything around that sort of space so far. 
You go to the console, and you click down, you see that list of 200 different services and all of those have had teams go and actually, like, build the UI and work with those individual APIs. Yeah.Corey: Any ideas as far as what's next for features on Granted?Chris: I think that, for us, it's continuing to work with everybody who's using it, and with a focus of stability and performance. We actually had somebody in the community raise an issue because they have an AWS config file that's over 7000 lines long. And I kind of pity that person, potentially, for their day-to-day. They must deal with so much complexity. Granted is currently quite slow when the config files get very big. And for us, I think, you know, we built it for ourselves; we don't have that many accounts just yet, so working to try to, like, make it really performant and really reliable is something that's really important.Corey: If you don't mind a feature request while we're at it—and I understand that this is more challenging than it looks like—I'm willing to fund this as a feature bounty that makes sense. And this also feels like it might be a good first project for a very particular type of person, I would love to get tab completion working in Zsh. You have it—Chris: Oh.Corey: For Fish because there's a great library that automatically populates that out, but for the Zsh side of it, it's, “Oh, I should just wind up getting Zsh completion working,” and I fell down a rabbit hole, let me tell you. And I come away from this with the perception of yeah, I'm not going to do it. I have not smart enough to check those boxes. But a lot of people are so that is the next thing I would love to see. Because I will change my browser to log into the AWS console for you, but be damned if I'm changing my shell.Chris: [laugh]. I think autocomplete probably should be higher on our roadmap for the tool, to be honest because it's really, like, a key metric and what we're focusing on is how easy is it to log in. 
And you know, if you're not too sure what commands to use or if we can save you a few keystrokes, I think that would be the, kind of like, reaching our goals.Corey: From where I'm sitting, you definitely have. I really want to thank you for taking the time to not only build this in the first place, but also speak with me about it. If people want to learn more, where's the best place to find you?Chris: So, you can find me on Twitter, I'm @chr_norm, or you can go and visit granted.dev and you'll have a link to join the Slack community. And I'm very active on the Slack.Corey: You certainly are, although I will admit that I fall into the challenge of being in just the perfectly opposed timezone from you and your co-founder, who are in different time zones to my understanding; one of you is on Australia and one of you was in London; you're the London guy as best I'm aware. And as a result, invariably, I wind up putting in feature requests right when no one's around. And, for better or worse, in the middle of the night is not when I'm usually awake trying to log into AWS. That is Azure time.Chris: [laugh]. Yeah, no, we don't have the US time zone properly covered yet for our community support and help. But we do have a fair bit of the world timezone covered. The rest of the team for Common Fate is all based in Australia and I'm out here over in London.Corey: Yeah. I just want to thank you again, for just being so accessible and, like, honestly receptive to feedback. I want to be clear, there's a way to give feedback and I do strive to do it constructively. I didn't come crashing into your Slack one day with a, “You know what your problem is?” I prefer to take the, “This is awesome. Here's what I think would be even better. Does that make sense?” As opposed to the imperious demands and GitHub issues and whatnot? It's, “I'd love it if it did this thing. Doesn't do this thing. Can you please make it do this thing?” Turns out that's the better way to drive change. 
Who knew?Chris: Yeah. [laugh]. Yeah, definitely. And I think that one of the things that's been the best around our journey with Granted so far has been listening to feedback and hearing from people how they would like to use the tool. And a big thank you to you, Corey, for actually suggesting changes that make it not only better for you, but better for everybody else who's using Granted.Corey: Well, at least as long as we're using my particular byzantine workload patterns in some way, or shape, or form, I'll hear that. But no, it's been an absolute pleasure and I really want to thank you for your time as well.Chris: Yeah, thank you for having me.Corey: Chris Norman, co-founder of Common Fate, as well as one of the two primary developers originally behind the Granted project that logs you into AWS without you having to lose your mind. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with an angry, incensed, raging comment that talks about just how terrible all of this is once you spend four hours logging into your AWS account by hand first.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

Open Source Security Podcast
Episode 329 - Signing (What is it good for)
Jun 27, 2022 (30:54)

Josh and Kurt talk about what the actual purpose of signing artifacts is. This is one of those spaces where the chain of custody for signing content is a lot more complicated than it sometimes seems to be. Is delivering software over https just as good as using a detached signature? How did we end up here, and what do we think the future looks like? This episode will have something for everyone to complain about!
Show Notes: Twitter thread, Kurt's security advisory page, Bug 998
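Two of the episodes on this page circle the same practical question: the Screaming in the Cloud conversation above notes that a "curl | bash" installer should really be doing a GPG check, and this episode asks whether delivering software over https is as good as a detached signature. The script below is an added example written for this page; it is not code from either podcast, from the Granted project, or from any vendor. It assumes a hypothetical vendor that publishes a tarball, a detached ASCII-armored signature at the same name with ".asc" appended, and a public key file, and that you have obtained the signing key's full fingerprint out of band (from documentation, a trusted contact, or a previous verified release) so it can be pinned. The decision is made on gpg's machine-readable status output (the VALIDSIG line and its fingerprint), not on the human-readable text, and the tarball is only unpacked after that check passes.

```shell
#!/bin/sh
# Added example, not from any project on this page: fetch a release artifact and
# its detached GPG signature, verify the signature against a pinned key
# fingerprint, and only then install. URLs, names and keys are placeholders
# supplied by the caller; the vendor layout (NAME, NAME.asc, a key file) is an
# assumption of this example.
set -eu

# import_pinned_key KEYFILE KEYRING EXPECTED_FPR
#   Imports the vendor's public key into a dedicated keyring, but only if the
#   key in KEYFILE has exactly the fingerprint we pinned out of band. A key
#   fetched from a keyserver or a web page is otherwise just "some key".
import_pinned_key() {
    keyfile=$1 keyring=$2 expected_fpr=$3
    got=$(gpg --batch --with-colons --import-options show-only --import "$keyfile" 2>/dev/null \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "$got" != "$expected_fpr" ]; then
        echo "refusing key $keyfile: fingerprint $got does not match pinned $expected_fpr" >&2
        return 1
    fi
    gpg --batch --no-default-keyring --keyring "$keyring" --import "$keyfile" 2>/dev/null
}

# gpg_verify_detached FILE SIG KEYRING EXPECTED_FPR
#   Returns 0 only when SIG is a good detached signature over FILE made by the
#   key whose full fingerprint is EXPECTED_FPR. --status-fd gives us gpg's
#   machine-readable verdict; VALIDSIG is emitted only for a cryptographically
#   good signature and its third field is the signing key's fingerprint.
gpg_verify_detached() {
    file=$1 sig=$2 keyring=$3 expected_fpr=$4
    status=$(gpg --batch --no-default-keyring --keyring "$keyring" \
                 --trust-model always --status-fd 1 \
                 --verify "$sig" "$file" 2>/dev/null) || return 1
    printf '%s\n' "$status" | awk -v want="$expected_fpr" \
        '$2 == "VALIDSIG" && $3 == want { found = 1 } END { exit !found }'
}

# install_verified_tarball TARBALL SIG KEYRING EXPECTED_FPR DEST
#   Unpacks TARBALL into DEST only after the signature check passes; on
#   failure nothing is written, so a tampered download cannot half-install.
install_verified_tarball() {
    tarball=$1 sig=$2 keyring=$3 expected_fpr=$4 dest=$5
    if ! gpg_verify_detached "$tarball" "$sig" "$keyring" "$expected_fpr"; then
        echo "refusing to install $tarball: signature check failed" >&2
        return 1
    fi
    mkdir -p "$dest"
    tar -xzf "$tarball" -C "$dest"
}

# fetch_release BASE_URL NAME DIR
#   Downloads NAME and NAME.asc over https. TLS authenticates the server you
#   talked to; the signature authenticates the bytes, whichever mirror or CDN
#   served them and however long they sat on disk afterwards. Both are needed.
fetch_release() {
    base=$1 name=$2 dir=$3
    curl -fsSL -o "$dir/$name" "$base/$name"
    curl -fsSL -o "$dir/$name.asc" "$base/$name.asc"
}

# Usage: sh verified-install.sh BASE_URL NAME KEYFILE EXPECTED_FPR DEST
if [ "$#" -eq 5 ]; then
    work=$(mktemp -d)
    fetch_release "$1" "$2" "$work"
    import_pinned_key "$3" "$work/vendor-keyring.gpg" "$4"
    install_verified_tarball "$work/$2" "$work/$2.asc" "$work/vendor-keyring.gpg" "$4" "$5"
fi
```

The keyring is deliberately separate from the user's default one (--no-default-keyring), so the vendor key cannot vouch for anything else on the machine, and the fingerprint is compared twice: once before the key is imported and again on every verification, so swapping the key file for a different key with the same user ID fails closed. A good signature from the wrong key is treated the same as a bad signature.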

RUN GPG Podcast
Tom Wheelwright - “The Win-Win Wealth Strategy”
Jun 24, 2022 (46:08)

Tom Wheelwright, CPA is the visionary and best-selling author behind multiple companies that specialize in wealth and tax strategy. Tom is also a leading expert and published author on partnership and corporation tax strategies, a well-known platform speaker and a wealth education innovator. Tom is a regular commentator and contributor to publications such as Forbes, The Huffington Post, ABC News, and more. He's also trusted as the personal accountant and business partner of Robert Kiyosaki, who we know as the author of ‘Rich Dad Poor Dad.'
Tom wants to bring a new level of consciousness to the average person and to enlighten everyone on how tax benefits are incentives and how tax law can be used as a roadmap to wealth. The tax incentives that the government incentivizes us to use are not just for the .01%--they are for all of us to use to have a tax strategy for building wealth, and it's Tom Wheelwright's mission to break this down into easily digestible information.
Tom created the WealthAbility System, authored the bestselling book Tax Free Wealth -- which is #1 on Amazon in the Tax Law category a decade after it was first published -- and has another groundbreaking book called The Win-Win Wealth Strategy: 7 Investments the Government Will Pay You to Make that's launching this July, 2022. With this new book, Tom transforms the way you think about building wealth and challenges the paradigm that tax incentives are immoral loopholes. Backed by deep research in 15 countries, he identifies seven investing strategies that are A-OK with governments worldwide and will fatten your wallet while making the world a better place.
You'll learn:
How to tax-effectively invest in business, technology, energy, real estate, insurance, agriculture, and retirement accounts
How to use tax incentives to help pay for your next car, house, or tuition bill
Why “the rich” are not “a drain on society” and, more importantly, how to become one of them
An indispensable and startlingly insightful exploration of straightforward investing strategies, The Win-Win Wealth Strategy improves your confidence in tax-effective investing, so you make better decisions with your money and supercharge your family's generational wealth while creating jobs, developing technology and improving access to food, energy and housing.
Tom will also be the next guest speaker at the Greater Property Group Mastermind on July 12. You can sign up to get the video link for free by going here: https://GPGMastermindTraining.as.me/
You can pre-order/order Tom's new book here: https://winwinwealthstrategy.com/
Topics discussed on this episode:
Making Taxes "Simple & Fun"
How To Legally Pay NO Taxes
What's In Donald Trump's Tax Returns?
Working With Robert Kiyosaki
What Real Estate Agents Should Be Informing Their Clients
Why Realtors Are "Insiders"
Cryptocurrency, Real Estate, & Taxes
DeFi & Blockchain
The Win-Win Wealth Strategy
Famous Tax Quotes
Every week, the RUN GPG Podcast aims to provide inspirational stories from people who made a mark in entrepreneurship, personal development, and the real estate industry. It is produced by the GREATER PROPERTY GROUP to help the audience grow and scale their business and their life. Know more about GREATER PROPERTY GROUP and the RUN GPG Podcast by going to www.rungpg.com or by getting in touch with us here: info@greaterpropertygroup.com.
Contact Tom Wheelwright:
Website: https://tomwheelwright.com/
Instagram: https://www.instagram.com/tom_wheelwright/
Facebook: https://www.facebook.com/Tom.Wheelwright.CPA/
To buy books: https://tomwheelwright.com/resources/books/

Live Like the World is Dying
S1E43 - Elle on Threat Modeling
Jun 17, 2022 (72:40)

Episode Notes Episode summary Margaret talks with Elle an anarchist and security professional about different threat modeling approaches and analyzing different kinds of threats. They explore physical threats, digital security, communications, surveillance,and general OpSec mentalities for how to navigate the panopticon and do stuff in the world without people knowing about it...if you're in Czarist Russia of course. Guest Info Elle can be found on twitter @ellearmageddon. Host and Publisher The host Margaret Killjoy can be found on twitter @magpiekilljoy or instagram at @margaretkilljoy. This show is published by Strangers in A Tangled Wilderness. We can be found at www.tangledwilderness.org, or on Twitter @TangledWild and Instagram @Tangled_Wilderness. You can support the show on Patreon at www.patreon.com/strangersinatangledwilderness. Show Links Transcript Live Like the World is Dying: Elle on Threat Modeling Margaret 00:15 Hello, and welcome to Live Like The World Is Dying, your podcast for what feels like the end times. I'm your host, Margaret killjoy. And with me at the exact moment is my dog, who has just jumped up to try and talk into the microphone and bite my arm. And, I use 'she' and 'they' pronouns. And this week, I'm going to be talking to my friend Elle, who is a, an anarchist security professional. And we're going to be talking about threat modeling. And we're going to be talking about how to figure out what people are trying to do to you and who's trying to do it and how to deal with different people trying to do different things. Like, what is the threat model around the fact that while I'm trying to record a podcast, my dog is biting my arm? And I am currently choosing to respond by trying to play it for humor and leaving it in rather than cutting it out and re recording. This podcast is a proud member of the Channel Zero network of anarchists podcasts. And here's a jingle from another show on the network. 
Jingle Margaret 02:00 Okay, if you could introduce yourself, I guess, with your name and your pronouns, and then maybe what you do as relates to the stuff that we're going to be talking about today. Elle 02:10 Yeah, cool. Hi, I'm Elle. My pronouns are they/them. I am a queer, autistic, anarchist security practitioner. I do security for a living now that I've spent over the last decade, working with activist groups and NGOs, just kind of anybody who's got an interesting threat model to help them figure out what they can do to make themselves a little a little safer and a little more secure. Margaret 02:43 So that word threat model. That's actually kind of what I want to have you on today to talk about is, it's this word that we we hear a lot, and sometimes we throw into sentences when we want to sound really smart, or maybe I do that. But what does it mean, what is threat modeling? And why is it relevant? Elle 03:02 Yeah, I actually, I really love that question. Because I think that we a lot of people do use the term threat modeling without really knowing what they mean by it. And so to me, threat modeling is having an understanding of your own life in your own context, and who poses a realistic risk to you, and what you can do to keep yourself safe from them. So whether that's, you know, protecting communications that you have from, you know, state surveillance, or whether it's keeping yourself safe from an abusive ex, your threat model is going to vary based on your own life experiences and what you need to protect yourself from and who those people actually are and what they're capable of doing. Margaret 03:52 Are you trying to say there's not like one solution to all problems that we would just apply? Elle 03:58 You know, I love... Margaret 03:58 I don't understand. Elle 04:00 I know that everybody really, really loves the phrase "Use signal. Use TOR," and you know, thinks that that is the solution to all of life's problems. 
But it actually turns out that, no, you do have to have both an idea of what it is that you're trying to protect, whether it's yourself or something like your communications and who you're trying to protect it from, and how they can how they can actually start working towards gaining access to whatever it is that you're trying to defend. Margaret 04:31 One of the things that when I think about threat modeling that I think about is this idea of...because the levels of security that you take for something often limit your ability to accomplish different things. Like in Dungeons and Dragons, if you were plate armor, you're less able to be a dexterous rogue and stealth around. And so I think about threat modeling, maybe as like learning to balance....I'm kind of asking this, am I correct in this? Balancing what you're trying to accomplish with who's trying to stop you? Because like, you could just use TOR, for everything. And then also like use links the little like Lynx [misspoke "Tails"] USB keychain and never use a regular computer and never communicate with anyone and then never accomplish anything. But, it seems like that might not work. Elle 05:17 Yeah, I mean, the idea, the idea is to prevent whoever your adversaries are from keeping you from doing whatever you're trying to accomplish. Right? So if the security precautions that you're taking to prevent your adversaries from preventing you from doing a thing are also preventing you from doing the thing, then it doesn't matter, because your adversaries have just won, right? So there, there definitely is a need, you know, to be aware of risks that you're taking and decide which ones make sense, which ones don't make sense. And kind of look at it from from a dynamic of "Okay, is this something that is in my, you know, acceptable risk model? Is this a risk I'm willing to take? Are there things that I can do to, you know, do harm reduction and minimize the risk? Or at least like, make it less? 
Where are those trade offs? What, what is the maximum amount of safety or security that I can do for myself, while still achieving whatever it is that I'm trying to achieve?" Margaret 06:26 Do you actually ever like, chart it out on like, an X,Y axis where you get like, this is the point where you start getting diminishing returns? I'm just imagining it. I've never done that. Elle 06:37 In, in the abstract, yes, because that's part of how autism brain works for me. But in a, like actually taking pen to paper context, not really. But that's, you know, at least partially, because of that's something that autism brain just does for me. So I think it could actually be a super reasonable thing to do, for people whose brains don't auto filter that for them. But but I'm, I guess, lucky enough to be neurodivergent, and have like, you know, like, we always we joke in tech, "It's not a bug, it's a feature." And I feel like, you know, autism is kind of both sometimes. In some cases, it's totally a bug and and others, it's absolutely a feature. And this is one of the areas where it happens to be a feature, at least for me. Margaret 07:35 That makes sense. I, I kind of view my ADHD as a feature, in that, it allows me to hyper focus on topics and then move on and then not come back to them. Or also, which is what I do now for work with podcasting, and a lot of my writing. It makes it hard to write long books, I gotta admit, Elle 07:56 Yeah, I work with a bunch of people with varying neuro types. And it's really interesting, like, at least at least in my own team, I think that you know, the, the folks who are more towards the autism spectrum disorder side of of the house are more focused on things like application security, and kind of things that require sort of sustained hyper focus. And then folks with ADHD make just absolutely amazing, like incident responders and do really, really well in interrupt driven are interrupts heavy contexts, Margaret 08:38 Or sprinters. 
Elle 08:40 It's wild to me, because I'm just like, yes, this makes perfect sense. And obviously, like, these different tasks are better suited to different neuro types. But I've also never worked with a manager who actually thought about things in that way before. Margaret 08:53 Right. Elle 08:54 And so it's actually kind of cool to be to be in a position where I can be like, "Hey, like, Does this sound interesting to you? Would you rather focus on this kind of work?" And kind of get that that with people. Margaret 09:06 That makes sense that's.... i I'm glad that you're able to do that. I'm glad that people that you work with are able to have that you know, experience because it is it's hard to it's hard to work within....obviously the topic of today is...to working in the workplace is a neurodivergent person, but it I mean it affects so many of us you know, like almost whatever you do for work the the different ways your brain work are always struggling against it. So. Elle 09:32 Yeah, I don't know. It just it makes sense to me to like do your best to structure your life in a way that is more conducive to your neurotype. Margaret 09:44 Yeah. Elle 09:45 You know, if you can. Margaret 09:49 I don't even realize exactly how age ADHD I was until I tried to work within a normal workforce. I built my entire life around, not needing to live in one place or do one thing for sustained periods of time. But okay, but back to the threat modeling. Margaret 10:07 The first time I heard of, I don't know if it's the first time I heard a threat modeling or not, I don't actually know when I first started hearing that word. But the first time I heard about you, in the context of it was a couple years back, you had some kind of maybe it was tweets or something about how people were assuming that they should use, for example, the more activist focused email service Rise Up, versus whether they should just use Gmail. 
And I believe that you were making the case that for a lot of things, Gmail would actually be safer, because even though they don't care about you, they have a lot more resources to throw at the problem of keeping governments from reading their emails. That might be a terrible paraphrasing of what you said. But this, this is how I was introduced to this concept of threat modeling. If you wanted to talk about that example, and tell me how I got it all wrong. Elle 10:07 Yeah. Elle 10:58 Yeah. Um, so you didn't actually get it all wrong. And I think that the thing that I would add to that is that if you are engaging in some form of hypersensitive communication, email is not the mechanism that you want to do that. And so when I say things like, "Oh, you know, it probably actually makes sense to use Gmail instead of Rise Up," I mean, you know, contexts where you're maybe communicating with a lawyer and your communications are privileged, right?it's a lot harder to crack Gmail security than it is to crack something like Rise Up security, just by virtue of the volume of resources available to each of those organizations. And so where you specifically have this case where, you know, there's, there's some degree of legal protection for whatever that means, making sure that you're not leveraging something where your communications can be accessed without your knowledge or consent by a third party, and then used in a way that is conducive to parallel construction. Margaret 12:19 So what is parallel construction? Elle 12:20 Parallel construction is a legal term where you obtain information in a way that is not admissible in court, and then use that information to reconstruct a timeline or reconstruct a mechanism of access to get to that information in an admissible way. 
Margaret 12:39 So like every cop show Elle 12:41 Right, so like, with parallel construction around emails, for example, if you're emailing back and forth with your lawyer, and your lawyer is like, "Alright, like, be straight with me. Because I need to know if you've actually done this crime so that I can understand how best to defend you." And you're like, "Yeah, dude, I totally did that crime," which you should never admit to in writing anyway, because, again, email is not the format that you want to have this conversation in. But like, if you're gonna admit to having done crimes in email, for some reason, how easy it is for someone else to access that admission is important. Because if somebody can access this email admission of you having done the crimes where you're, you know, describing in detail, what crimes you did, when with who, then it starts, like, it gets a lot easier to be like, "Oh, well, obviously, we need to subpoena this person's phone records. And we should see, you know, we should use geolocation tracking of their device to figure out who they were in proximity to and who else was involved in this," and it can, it can be really easy to like, establish a timeline and get kind of the roadmap to all of the evidence that they would need to, to put you in jail. So it's, it's probably worth kind of thinking about how easy it is to access that that information. And again, don't don't admit to doing crimes in email, email is not the format that you want to use for admitting to having done crimes. But if you're going to, it's probably worth making sure that, you know, the the email providers that you are choosing are equipped with both robust security controls, and probably also like a really good legal team. Right? So if...like Rise Up isn't going to comply with the subpoena to the like, to the best of their ability, they're not going to do that, but it's a lot easier to sue Rise Up than it is to sue Google. Margaret 14:51 Right. 
Elle 14:51 And it's a lot easier to to break Rise Up's security mechanisms than it is to break Google's, just by virtue of how much time and effort each of those entities is able to commit to securing email. Please don't commit to doing crimes in email, just please just don't. Don't do it in writing. Don't do it. Margaret 15:15 Okay, let me change my evening plans. Hold on let me finish sending this email.. Elle 15:23 No! Margaret 15:25 Well, I mean, I guess like the one of the reasons that I thought so much about that example, and why it kind of stuck with me years later was just thinking about what people decide they're safe, because they did some basic security stuff. And I don't know if that counts under threat modeling. But it's like something I think about a lot is about people being like, "I don't understand, we left our cell phones at home and went on a walk in the woods," which is one of the safest ways anyone could possibly have a conversation. "How could anyone possibly have known this thing?" And I'm like, wait, you, you told someone you know, or like, like, not to make people more paranoid, but like... Elle 16:06 Or maybe, maybe you left your cell phone at home, but kept your smartwatch on you, because you wanted to close, you know, you wanted to get your steps for the day while you were having this conversation, right? Margaret 16:19 Because otherwise, does it even count if I'm not wearing my [smartwatch]. Elle 16:21 Right, exactly. And like, we joke, and we laugh, but like, it is actually something that people don't think about. And like, maybe you left your phones at home, and you went for a walk in the woods, but you took public transit together to get there and were captured on a bunch of surveillance cameras. Like there's, there's a lot of, especially if you've actually been targeted for surveillance, which is very rare, because it's very resource intensive. But you know, there there are alternate ways to track people. 
And it does depend on things like whether or not you've got additional tech on you, whether or not you were captured on cameras. And you know, whether or not your voices were picked up by ShotSpotter, as you were walking to wherever the woods were, like, there's just there's we live in a panopticon. I don't say that so that people are paranoid about it, I say it because it's a lot easier to think about where, when and how you want to phrase things.
Margaret 17:27 Yeah.
Elle 17:28 In a way that, you know, still facilitates communications, still facilitates achieving whatever it is that you're trying to accomplish, but sets you up to be as safe as possible in doing it. And I think that especially in anarchist circles, just... and honestly also in security circles, there's a lot of, like, dogmatic adherence to security ritual, that may or may not actually make sense based on both you, who your actual adversaries are, and what their realistic capabilities are.
Margaret 18:06 And what they're trying to actually accomplish, I feel like, is...Okay, one of the threat models that I like...I encourage people sometimes to carry firearms, right, in very specific contexts. And it feels like a security... Oh, you had a good word for it that you just used...ritual of security theater, I don't remember...a firearm often feels like that,
Elle 18:30 Right.
Margaret 18:31 In a way where you're like, "Oh, I'm safe now, right, because I'm carrying a firearm." And, for example, I didn't carry a firearm for a very long time. Because for a long time, my threat model, the people who messed with me, were cops. And if a cop is going to mess with me, I do not want to have a firearm on me, because it will potentially escalate a situation in a very bad way.
Whereas when I came out and started, you know, when I started getting harassed more for being a scary transwoman, and less for being an anarchist, or a hitchhiker, or whatever, you know, now my threat model is transphobes who want to do me harm. And in a civilian-civilian context, I prefer, I feel safer. And I believe I am safer in most situations armed in that case. But every time I leave the house, I have to think about "What is my threat model?" And then in a similar way, sorry, it's just me thinking about the threat model of firearms, but it's the main example that I think of, is that often people's threat model in terms of firearms and safety is themselves, right? And so you just actually need to do the soul searching where you're like, "What's more likely to happen to me today? Am I likely to get really sad, or am I likely to get attacked by fascists?"
Elle 19:57 Yeah. And I think that there's an additional question, especially when you're talking about arming yourself, whether it's firearms, or carrying a knife, or whatever, because like, I don't own any firearms, but I do carry a knife a lot of the time. And so like some questions, some additional questions that you have to ask yourself are, "How confident am I in my own ability to use this to harm another person?" Because if you're going to hesitate, you're gonna get fucked up.
Margaret 20:28 Yeah.
Elle 20:28 Like, if you are carrying a weapon, and you pull it out and hesitate in using it, it's gonna get taken away from you, and it's going to be used against you. So that's actually one of the biggest questions that I would say people should be asking themselves when developing a threat model around arming themselves is, "Will I actually use this? How confident am I?" If you're not confident, then it's okay to leave it at home. It's okay to practice more. It's okay to, like, develop that familiarity before you start using it as an EDC. Sorry, an Every Day Carry.
And then, you know, the other question is, "How likely am I to get arrested here?" I carry a knife that I absolutely do know how to use most of the time when I leave the house. But when I'm going to go to a demonstration, because the way that I usually engage in protests or in demonstrations is in an emergency medical response capacity, I carry a medic kit instead. And my medic kit is a clean bag that does not have any sharp objects in it. It doesn't have anything that, you know, could be construed as a weapon, it doesn't have...it doesn't...I don't even have weed gummies, which are totally, like, recreationally legal here, right? I won't even put weed in the medic kit. It is very much a...
Margaret 21:52 Well, if you got federally arrested you'd be in trouble with that, maybe.
Elle 21:55 Yeah, sure, I guess. But, like, the medic bag is very...nothing goes in this kit ever that I wouldn't want to get arrested carrying. And so there's, like, EMT shears in there.
Margaret 22:12 Right.
Elle 22:13 But that's it in terms of, like...
Margaret 22:16 Those are scary, you know...the blunted tips.
Elle 22:21 I know, the blunted tips and the, like, safety whatever on them. It's just...it is something to think about, is "Where am I going...What...Who am I likely to encounter? And like, what are the trade offs here?"
Margaret 22:37 I remember once going to a demonstration a very long time ago where our, like, big plan was to get in through all of the crazy militarized downtown in this one city, and the big plan is we're gonna set up a Food Not Bombs inside the security line of the police, you know. And so we picked one person, I think I was the sacrificial person, who had to carry a knife, because we had to get the folding tables that we're gonna put the food on off of the top of the minivan. And we had to do it very quickly, and they were tied on. And so I think I brought the knife and then left it in the car and the car sped off.
And then we fed people, and they had spent ten million dollars protecting the city from 30 people feeding people Food Not Bombs.
Elle 23:20 Amazing.
Margaret 23:22 But, but yeah, I mean, whereas every other day in my life, especially back then when I was a hitchhiker, I absolutely carried a knife.
Elle 23:30 Yeah.
Margaret 23:31 You know, for multiple purposes. Yeah, okay, so then it feels like...I like rooting it in the self defense stuff, because I think about that a lot, and for me it maybe then makes sense to sort of build up and out from there, as to say, like...you know, if someone's threat model is my ex-partner's new partner is trying to hack me, or my abusive ex is trying to hack me or something, that's just such a different threat model than...
Elle 24:04 Yeah, it is.
Margaret 24:05 Than the local police are trying to get me, versus the federal police are trying to get me, versus a foreign country is trying to get me, you know, and it feels like sometimes those things are, like, contradictory to each other about what is and isn't the best, maybe.
Elle 24:19 They are, because each of those entities is going to have different mechanisms for getting to you, and so, you know, an abusive partner or abusive ex is more likely to have physical access to you, and your devices, than, you know, a foreign entity is, right? Because there's proximity to think about, and so, you know, you might want to have....Actually the....Okay, so the abusive ex versus the cops, right. A lot of us now have phones where the mechanism for accessing them is either a password, or some kind of biometric identifier. So like a fingerprint, or, you know, Face ID or whatever. And there's this very dogmatic adherence to "Oh, well, passwords are better." But passwords might actually not be better. Because if somebody has regular proximity to you, they may be able to watch you enter your password and get enough information to guess it.
And if you're not using a biometric identifier in those use cases, then what can happen is they can guess your password, or watch you type it in enough times so that they get a good feeling for what it is. And they can then access your phone without your knowledge while you're sleeping. Right?
Margaret 25:46 Right.
Elle 25:47 And sometimes just knowing whether or not your adversary has access to your phone is actually a really useful thing. Because you know how much information they do or don't have.
Margaret 26:01 Yeah. No, that's...
Elle 26:03 And so it really is just about trade offs and harm reduction.
Margaret 26:08 That never would have occurred to me before. I mean, it would occur to me if someone's trying to break into my devices, but I have also fallen into the "all biometrics are bad," right? Because it's the password you can't change, because the police can compel you to open things with biometrics, but they can't necessarily compel you...it's more complicated to be compelled to enter a password.
Elle 26:31 I mean, like, it's only as complicated as a baton.
Margaret 26:34 Yeah, there's that XKCD comic about this. Have you seen it?
Elle 26:37 Yes. Yes, I have. And it is an accurate....We, like, in security, we call it, you know, the Rubber Hose method, right? It, we....
Margaret 26:46 The implication here, for anyone who hasn't read it, is that they can beat you up and get you to give them your [password].
Elle 26:50 Right, people will usually, if they're hit enough times, give up their password. So, you know, I would say, yeah, you should disable biometric locks if you're going to go out to a demonstration, right? Which is something that I do. I actually do disable Face ID if I'm taking my phone to a demo.
But it...you may want to use it as your everyday mechanism, especially if you're living in a situation where knowing whether or not your abuser has access to your device is likely to make a difference in whether you have enough time to escape.
Margaret 27:30 Right. These axioms or these beliefs we all have about this as the way to do security, the, you know...I mean, it's funny, because you brought up earlier, like, use Signal, use Tor. I am a big advocate of, like, I just use Signal for all my communication, but I also don't talk about crime, pretty much, in general anyway. You know. So it's more like just, like, bonus that it can't be read. I don't know.
Elle 27:57 Yeah. I mean, again, it depends, right? Because Signal...Signal has gotten way more usable. I've been using Signal for a decade, you know, since it was still RedPhone and TextSecure. And in the early days, I used to joke that it was so secure, sometimes your intended recipients don't even get the messages.
Margaret 28:21 That's how I feel about GPG or PGP or whatever the fuck.
Elle 28:24 Oh, those....
Margaret 28:27 Sorry, didn't mean to derail you.
Elle 28:27 Let's not even get started there. But so, like, Signal again, has gotten much better, and is way more reliable in terms of delivery than it used to be. But I used to say, like, "Hey, if it's really, really critical that your message reach your recipient, Signal actually might not be the way to do it." Because if you're trying to send a time sensitive message with, you know, a guarantee that it actually gets received, because Signal used to be, you know, kind of sketchy or unreliable on delivery, it might not have been the best choice at the time. One of the other things that I think that people, you know, don't think about necessarily is that Signal is still widely viewed as a specific security tool. And that's good in a lot of cases.
But if you live somewhere, for example, like Belarus, where it's not generally considered legal to encrypt things, then the presence of Signal on your device is enough in and of itself to get you thrown in prison.
Margaret 29:53 Right.
Elle 29:53 And so sometimes having a mechanism like, you know, Facebook secret messages might seem like a really, really sketchy thing to do. But if your threat model is you can't have security tools on your phone, but you still want to be able to send encrypted messages or ephemeral messages, then that actually might be the best way to kind of fly under the radar. So yeah, it again just really comes down to thinking about what it is that you're trying to protect? From who? And under what circumstances?
Margaret 30:32 Yeah, I know, I like this. I mean, obviously, of course, you've thought about this thing that you think about. I'm, like, kind of blown away thinking about these things. Although, okay, one of these, like, security things that I kind of want to push back on, and actually, this is a little bit sketchy to push back on, the knife thing. To go back to a knife. I have talked to a lot of people who have gotten themselves out of very bad situations by drawing a weapon without then using it, which is illegal. It is totally illegal.
Elle 31:03 Yes.
Margaret 31:03 I would never advocate that anyone threaten anyone with a weapon. But, I know people who have committed this crime in order to...even, I mean, sometimes it's in situations where it'd be legal to stab somebody, like...
Elle 31:16 Sure.
Margaret 31:16 One of the strangest laws in the United States is that, theoretically, if I fear for my life, I can draw a gun.... And not if I fear for my life, if my life is literally being threatened, physically, if I'm being attacked, I can legally draw a firearm and shoot someone, I can legally pull a knife and stab someone to defend myself. I cannot pull a gun and say "Back the fuck off."
And not only is it illegal, but it also is a security axiom, I guess, that you would never want to do that. Because as you pointed out, if you hesitate, now the person has the advantage, they have more information than they used to. But I still know a lot of hitchhikers who have gotten out of really bad situations by saying, "Let me the fuck out of the car."
Elle 32:05 Sure.
Margaret 32:06 Ya know?
Elle 32:06 Absolutely. It's not....Sometimes escalating tactically can be a de-escalation. Right?
Margaret 32:17 Right.
Elle 32:18 Sometimes pulling out a weapon or revealing that you have one is enough to make you no longer worth attacking. But you never know how someone's going to respond when you do that, right?
Margaret 32:33 Totally.
Elle 32:33 So you never know whether it's going to cause them to go "Oh shit, I don't want to get stabbed, or I don't want to get shot," and stop, or whether it's going to trigger, you know, a more aggressive response. So it doesn't mean that, you know, if you pull a weapon you have to use it.
Margaret 32:52 Right.
Elle 32:53 But if you're going to carry one, then you do need to be confident that you will use it.
Margaret 32:58 No, that I do agree with. Absolutely.
Elle 33:00 And I think that is an important distinction, and, you know, I also think that...not 'I think', using a gun and using a knife are two very different things. For a lot of people, pulling the trigger on a gun is going to be easier than stabbing someone.
Margaret 33:20 Yeah, that's true.
Elle 33:21 Because of the proximity to the person, and because of how deeply personal stabbing someone actually is, versus how detached you can be and still pull the trigger.
Margaret 33:35 Yeah.
Elle 33:36 Like I would...it sounds...it feels weird to say, but I would actually advocate most people carry a gun instead of a knife for that reason, and also because if you're worried about being physically attacked, you know, you have more range of distance where you can use something like a gun than you do with a knife. You have to be in close quarters to effectively use a knife, unless you're, like, really good at throwing them for some reason, and even then I wouldn't, cause if you miss...now your adversary has a knife.
Margaret 34:14 I know, yeah. Unless you miss by a lot. I mean, actually, I guess if you hit, they have a knife now too.
Elle 34:22 True.
Margaret 34:23 I have never really considered whether or not throwing knives are effective self-defense weapons, and I don't want to opine too hard on this show.
Elle 34:31 I advise against it.
Margaret 34:32 Yeah. Okay, so to go back to threat modeling about more operational security type stuff. You're clearly not saying these are best practices, but instead it seems like you're advocating "This is the means by which you might determine your best practices."
Elle 34:49 Yes.
Margaret 34:49 Do you have a tool, or do you have, like, "Hey, here's some steps you can take." I mean, we all know you've said, like, "Think about your enemy," and such like that, but is there a more...Can you walk me through that?
Elle 35:04 I mean, like, gosh, it really depends on who your adversary is, right?
Elle 35:10 Like, if you're thinking about an abusive partner, that's obviously going to vary based on things like, you know, is your abusive partner someone who has access to weapons? Are they someone who is really tech savvy? Or are they not? The things that you have to think about are going to just depend on the skills and tools that they have access to. Is your abusive partner or your abusive ex a cop? Because that changes some things.
Margaret 35:10 Yeah, fair enough.
Margaret 35:20 Yeah.
Elle 35:27 So like, most people, if they actually have a real and present kind of persistent threat in their life, also have a pretty good idea of what that threat is capable of, or what that threat actor is capable of. And so I think it winds up being fairly easy to start thinking about things in terms of, like, "Okay, how is this person going to come after me? What tools do they have? What skills do they have? What ability do they have to kind of attack me or harm me?" But I think that, you know, as we start getting away from that really, really personal threat model, of, like, the intimate partner violence threat model, for example, and start thinking about more abstract threat models, like "I'm an anarchist living in a state," because no state is particularly fond of us.
Margaret 36:50 Whaaaat?!
Elle 36:51 I know, it's wild, because, like, you know, we just want to abolish the State, and States, like, want to not be abolished, and I just don't understand how they would dislike us for any reason...
Margaret 37:03 Yeah, it's like when I meet someone new, and I'm like, "Hey, have you ever thought about being abolished?" They're usually like, "Yeah, totally, have a beer."
Elle 37:10 Right. No, it's...
Margaret 37:11 Yes.
Elle 37:11 For sure. Um, but when it comes to thinking about, you know, the anarchist threat model, I think that a lot of us have this idea of, like, "Oh, the FBI is spying on me personally." And the likelihood of the FBI specifically spying on 'you' personally is, like, actually pretty slim. But...
Margaret 37:34 Me?
Elle 37:35 Well...
Margaret 37:37 No, no, I want to go back to thinking about it's slim, it's totally slim.
Elle 37:41 Look...But like, there is a lot, like, we know that, you know, State surveillance dragnets exist, right, we know that, you know, plaintext text messages, for example, are likely to be caught both by, you know, Cell Site Simulators, which are in really, really popular use by law enforcement agencies.
Margaret 38:08 Which is something that sets up and pretends to be a cell tower. So it takes all the data that is transmitted over it. And it's sometimes set up at demonstrations.
Elle 38:16 Yes. So they both kind of convince your phone into thinking that they are the nearest cell tower, and then actually pass your communications on to the next, like, the nearest cell tower. So your communications do go through, they're just being logged by this entity in the middle. That's, you know, not great. But using something...
Margaret 38:38 Unless you're the Feds.
Elle 38:39 I mean, even if you...
Margaret 38:41 You just have to think about it from their point of. Hahah.
Elle 38:42 Even if you are the Feds, that's actually too much data for you to do anything useful with, you know?
Margaret 38:50 Okay, I'll stop interrupting you. Haha.
Elle 38:51 Like, it's just...but if you are a person who is a person of interest, who's in this group where a cell site simulator has been deployed or whatever, then that, you know, is something that you do have to be concerned about, and, you know, even if you're not a person of interest, if you're, like, texting your friend about, like, "All right, we do crime in 15 minutes," like, I don't know, it's maybe not a great idea. Don't write it down if you're doing crime. Don't do crime. But more importantly, don't create evidence that you're planning to do crime, because now you've done two crimes, which is the crime itself and conspiracy to commit a crime.
Margaret 39:31 Be straight. Follow the law. That's the motto here.
Elle 39:35 Yes. Oh, sorry.
I just, like, I don't know, autism brain involuntarily pictured, like, an alternate universe in which I am straight, and law abiding. And I'm just, I'm very...
Margaret 39:52 Sounds terrible. I'm sorry.
Elle 39:53 Right. Sounds like a very boring....
Margaret 39:55 Sorry to put that image in your head.
Elle 39:56 I mean, I would never break laws.
Margaret 39:58 No.
Elle 39:59 Ever. Never ever. I have not broken any laws, I will not break any laws. No, I think that...
Margaret 40:08 The new "In Minecraft" is "In Czarist Russia." Instead of saying "In Minecraft," because it's totally blown. It's only okay to commit crimes "In Czarist Russia."
Elle 40:19 Interesting.
Margaret 40:23 All right. We don't have to go with that. I don't know why I got really goofy.
Elle 40:27 I might be too Eastern European Jewish for that one.
Margaret 40:31 Oh God. Oh, my God, now I just feel terrible.
Elle 40:34 It's fine. It's fine.
Margaret 40:36 Well, that was barely a crime by east...
Elle 40:40 I mean, it wasn't necessarily a crime, but, like, my family actually emigrated to the US during the first set of pogroms.
Margaret 40:51 Yeah.
Elle 40:52 So like, pre Bolshevik Revolution.
Margaret 40:57 Yeah.
Elle 40:59 But yeah, anyway.
Margaret 41:02 Okay, well, I meant taking crimes, like, I basically think that, you know, attacking the authorities in Czarist Russia is a more acceptable action, is what I'm trying to say. I really don't have to try and sell you on this plan.
Elle 41:16 I'm willing to trust your judgment here.
Margaret 41:19 That's a terrible plan, but I appreciate you, okay. Either way, we shouldn't text people about the crimes that we're doing.
Elle 41:26 We should not text people about the crimes that we're planning on doing.
But, if you are going to try to coordinate timelines, you might want to do that using some form of encrypted messenger, so that whatever is logged by a cell site simulator, if it is in existence, is not readable by the people who are then retrieving those logs. And, you know, another reason to use encrypted messengers where you can is that you don't necessarily want your cell provider to have that unencrypted message block. And so if you're sending SMS, then your cell provider, as the processor of that data, has access to an unencrypted or plain text version of whatever text message you're sending, where if you're using something like Signal or WhatsApp, or Wickr, or Wire, or any of the other, like, multitude of encrypted messengers that you could theoretically be using, then it's also not going directly through your provider, which I think is an interesting distinction. Because, you know, we know, from, I mean, we kind of sort of already knew, but we know for a fact, from the Snowden Papers, that cell providers will absolutely turn over your data to the government if they're asked for it. And so minimizing the amount of data that they have about you to turn over to the government is generally a good practice. Especially if you can do it in a way that isn't going to be a bunch of red flags.
Margaret 43:05 Right, like being in Belarus and using Signal.
Elle 43:08 Right. Exactly.
Margaret 43:10 Okay. Also, there's the Russian General who used an unencrypted phone, where he then got geolocated and blowed up.
Elle 43:23 Yeah.
Margaret 43:24 Also bad threat modeling on that guy's part, it seems like.
Elle 43:28 It certainly seems to...that person certainly seems to have made several poor life choices, not the least of which was being a General in the Russian army.
Margaret 43:41 Yeah, yeah. That tracks.
So one of the things that we talked about, while we were talking about having this conversation, our pre-conversation conversation, was about...I think you brought up this idea that something that feels secret doesn't mean it is, and...
Elle 43:59 Yeah!
Margaret 44:00 I'm wondering if you had more thoughts about that concept? It's not a very good prompt.
Elle 44:05 So like, it's a totally reasonable prompt. We say a lot that, you know, security and safety are a feeling. And I think that that actually is true for a lot of us. But there's this idea that, "Oh, if you use coded language, for example, then, like, you can't get caught." I don't actually think that's true, because we tend to use coded language that's, like, pretty easily understandable by other people. Because the purpose of communicating is to communicate.
Margaret 44:42 Yeah.
Elle 44:43 And so usually, if your, like, code language is easy enough to be understood by whoever it is you're trying to communicate with, like, someone else can probably figure it the fuck out too. Especially if you're like, "Hey, man, did you bring the cupcakes," and your friend is like, "Yeah!" And then an explosion goes off shortly thereafter, right? It's like, "Oh, by cupcakes, they meant dynamite." So I, you know, I think that rather than kind of, like, relying on this, you know, idea of how spies work, or how anarchists communicated secretly, you know, pre-WTO, it's worth thinking about how the surveillance landscape has adapted over time, and thinking a little bit more about what it means to engage in the modern panopticon, or the contemporary panopticon, because those capabilities have changed over time. And things like burner phones are a completely different prospect now than they used to be. Actually...
Margaret 45:47 In that they're easier or worse?
Elle 45:49 Oh, they're so much harder to obtain now.
Margaret 45:51 Yeah, okay.
Elle 45:52 It is so much easier to correlate devices that have been used in proximity to each other than it used to be. And it's so much easier to, you know, capture people on surveillance cameras than it used to be. I actually wrote a piece for Crimethinc about this some years ago, that I think kind of still holds up in terms of how difficult it really, really is to procure a burner phone. And in order to do that safely, you would have to pay cash somewhere that couldn't capture you on camera doing it, and then make sure that it was never turned on in proximity with your own phone anywhere. And you would have to make sure that it only communicated with other burner phones, because the second it communicates with a phone that's associated to another person, there's a connection between your, like, theoretical burner phone and that person. And so you can be kind of triangulated back to, especially if you've communicated with multiple people. It just is so hard to actually obtain a device that is not in any way affiliated with your identity or the identity of any of your comrades. But, we have to start thinking about alternative mechanisms for synchronous communication.
Margaret 47:18 Okay.
Elle 47:18 And, realistically speaking, taking a walk in the woods is still going to be the best way to do it. Another reasonable way to go about having a conversation that needs to remain private is actually to go somewhere that is too loud and too crowded for anyone to reasonably overhear or to have your communication recorded. So using the kind of, like, signal to noise ratio in your favor.
Margaret 47:51 Yeah.
Elle 47:52 To help drown out your own signal can be really, really useful. And I think that that's also true of things like using Gmail, right? The signal to noise ratio, if you're not using a tool that's specifically for activists, can be very helpful, because there is just so much more traffic happening that it's easier to blend in.
Margaret 48:18 I mean, that's one reason why, I mean, years ago, people were saying that's why non activists should use GPG, the encrypted email service that is terrible, was so, attempt to try and be like, if you only ever use it for the stuff you don't want to be known, then it, like, flags it as "This stuff you don't want to be known." And so that was, like, kind of an argument for my early adoption of Signal, because I don't break laws, was, you know, just be like, "Oh, here's more people using Signal," it's more regularized, and, you know, my family talks on Signal, and, like, it helps that, like, you know, there's a lot of different very normal legal professions that someone might have that require encrypted communication. Yeah, no book, like accountants, lawyers. But go ahead.
Elle 49:06 No, no, I was gonna say that, like, it's very common in my field of work for people to prefer to use Signal to communicate, especially if there is, you know, a diversity of phone operating systems in the mix.
Margaret 49:21 Oh, yeah, totally. I mean, actually now it's more convenient. You know, when I'm on my, like, family's SMS loop, it's like, I constantly get messages to say, like, "Brother liked such and such comment," and then it's like, three texts of that comment and...anyway, but okay, one of the things that you're talking about, "Security as a feeling," right? That actually gets to something that's like, there is a value in, like, like, part of the reason to carry a knife is to feel better. Like, and so part of, like, like anti-anxiety, like anxiety is my biggest threat most days, personally. Right?
Elle 50:00 Have you ever considered a career in the security field? Because my former manager, like the person who hired me into the role that I'm in right now, was like, "What made you get into security?" when I was interviewing, and I was just like, "Well, I had all this anxiety lying around.
And I figured, you know, since nobody will give me a job that I can afford to sustain myself on without a degree, in any other field, I may as well take all this anxiety and, like, sell it as a service."
Margaret 50:33 Yeah, I started a prepper podcast. It's what you're listening to right now. Everyone who's listening. Yeah, exactly. Well, there's a value in that. But then, you're talking about the Panopticon stuff, and the, like, maybe being in too crowded of an environment. And this gets into something where everyone is really going to have to answer it differently. There's a couple of layers to this, but, like, the reason that, I just, like, my profile picture on Twitter is my face. I use my name, right?
Elle 51:03 Same.
Margaret 51:04 And, yeah, and I just don't sweat it, because I'm like, "Look, I've been at this long enough that they know who I am. And it's just fine. It just is." One day, it won't be fine. And then we have other problems. Right?
Elle 51:18 Right.
Margaret 51:19 And I'm not saying that everyone, as they get better security practice, will suddenly start being public, like it... You know, it really depends on what you're trying to accomplish. Like, a lot of the reasons to not be public on social media is just because it's a fucking pain in the ass. Like, socially, you know?
Elle 51:36 Yeah.
Margaret 51:36 But I don't know, I just wonder if you have any thoughts about just, like, the degree to which sometimes it's like, "Oh, well, I just, I carry a phone to an action because I know I'm not up to anything." But then you get into this, like, then you're non-normalizing... I don't know, it gets complicated. And I'm curious about your thoughts on that kind of stuff.
Elle 51:56 So like, for me personally, I am very public about who I am. What I'm about, like, what my politics are. I'm extremely open about it. Partially because I don't think that, like, I think that there is value in de-stigmatizing anarchism.
Margaret 52:20 Yes.
Elle 52:20 I think there is value in being someone who is just a normal fucking human being. And also anarchist.
Margaret 52:29 Yeah.
Elle 52:30 And I think that, you know, I...not even I think. I know, I know that, through being exactly myself and being open about who I am, and not being super worried about the labels that other people apply to themselves. And instead, kind of talking about, talking about anarchism, both from a place of how it overlaps with Judaism, because it does in a lot of really interesting ways, but also just how it informs my decision making processes. I've been able to expose people who would not necessarily have had any, like, concept of anarchism, or the power dynamics that we're interested in equalizing to people who just wouldn't have wouldn't have even thought about it, or would have thought that anarchists are like this big, scary, whatever. And, like, there, there are obviously a multitude of tendencies within anarchism, and no anarchist speaks for anybody but themselves, because that's how it works. But, it's one of the things that's been really interesting to me is that in the security field, one of the new buzzwords is Zero Trust. And the idea is that you don't want to give any piece of technology kind of the sole ability to be the linchpin in your security, right? So you want to build redundancy, you want to make sure that no single thing is charged with being the gatekeeper for all of your security. And I think that that concept actually also applies to power. And so I...when I'm trying to talk about anarchism in a context where it makes sense to security people, I sometimes talk about it as like a Zero Trust mechanism for organizing a society.
Margaret 54:21 Yeah.
Elle 54:21 Where you just you...No person is trustworthy enough to hold power over another person.
And, so like, I'm really open about it, but the flip side of that is that, you know, I also am a fucking anarchist, and I go to demonstrations, and sometimes I get arrested or whatever. And so I'm not super worried about the government knowing who I am because they know exactly who I am. But I don't share things like my place of work on the internet because I've gotten death threats from white nationalists. And I don't super want white nationalists like sending death threats into my place of work because it's really annoying to deal with.
Margaret 55:02 Yeah.
Elle 55:03 And so you know, there's...it really comes down to how you think about compartmentalizing information. And which pieces of yourself you want public and private and and how, how you kind of maintain consistency in those things.
Margaret 55:21 Yeah.
Elle 55:22 Like people will use the same...people will like be out and anarchists on Twitter, but use the same Twitter handle as their LinkedIn URL where they're talking about their job and have their legal name. And it's just like, "Buddy, what are you doing?"
Margaret 55:37 Yeah.
Elle 55:38 So you do have to think about how pieces of data can be correlated and tied back to you. And what story it is that you're you're presenting, and it is hard and you are going to fuck it up. Like people people are going to fuck it up. Compartmentalization is super hard. Maintaining operational security is extremely hard. But it is so worth thinking about. And even if you do fuck it up, you know, that doesn't mean that it's the end of the world, it might mean that you have to take some extra steps to mitigate that risk elsewhere.
Margaret 56:11 The reason I like this whole framework that you're building is that I tend to operate under this conception that clandestinity is a trap. I don't want to I don't want to speak this....I say it as if it's a true statement across all and it's not it. I'm sure there's absolute reasons in different places at different times.
But in general, when I look at like social movements, they, once they move to "Now we're just clandestine." That's when everyone dies. And, again, not universally,
Elle 56:40 Yeah, but I mean, okay, so this is where I'm gonna get like really off the wall. Right?
Margaret 56:46 All right. We're an hour in. It's the perfect time.
Elle 56:50 I know, right? People may or may not know who Allen Dulles is. But Allen
Margaret 56:54 Not unless they named an airport after him.
Elle 56:56 They did.
Margaret 56:57 Oh, then I do know who he is.
Elle 56:59 Allen Dulles is one of the people who founded the CIA. And he released this pamphlet called "73 Points On Spycraft." And it's a really short read. It's really interesting, I guess. But the primary point is that if you are actually trying to be clandestine, and be successful about it, you want to be as mundane as possible.
Margaret 57:22 Yep.
Elle 57:23 And in our modern world with the Panopticon being what it is, the easiest way to be clandestine, is actually to be super open. So that if you are trying to hide something, if there is something that you do want to keep secret, there's enough information out there about you, that you're not super worth digging into.
Margaret 57:46 Oh, yeah. Cuz they think they already know you.
Elle 57:48 Exactly. So if, if that is what your threat model is, then the best way to go about keeping a secret is to flood as many other things out there as possible. So that it's just it's hard to find anything, but whatever it is that you're flooding.
Margaret 58:04 Oh, it's like I used to, to get people off my back about my dead name, I would like tell one person in a scene, a fake dead name, and be like, "But you can't tell anyone."
Elle 58:15 Right.
Margaret 58:16 And then everyone would stop asking about my dead name, because they all thought they knew it, because that person immediately told everyone,
Elle 58:22 Right.
Margaret 58:23 Yeah.
Elle 58:24 It's, it's going back to that same using the noise to hide your signal concept, that it...the same, the same kind of concepts and themes kind of play out over and over and over again. And all security really is is finding ways to do harm reduction for yourself, finding ways to minimize the risk that you're undertaking just enough that that you can operate in whatever it is that you're trying to do.
Margaret 58:53 No, I sometimes I like, ask questions. And then I am like, Okay, well don't have an immediate follow up, because I just need to like, think about it. Instead of being like, "I know immediately what to say about that." But okay, so, but with clandestinity in general in this this concept...I also think that this is true on a kind of movement level in a way that I I worry about sometimes not necessarily....Hmm, what am I trying to say? Because I also really hate telling people what to do. It's like kind of my thing I don't like telling people what to do. But there's a certain level...
Elle 59:25 Really?
Margaret 59:25 Yeah, you'd be shocked to know,
Elle 59:27 You? Don't like telling people what to do?
Margaret 59:31 Besides telling people not to tell me what to do. That's one of my favorite things to tell people. But, there's a certain amount of.
Margaret 59:38 Oh, that's true, like different conceptions of freedom.
Elle 59:38 But that's not telling people what to do, that's telling people what not to do.
Elle 59:44 It's actually setting a boundary as opposed to dictating a behavior.
Margaret 59:48 But I've been in enough relationships where I've learned that setting boundaries is the same as telling people what to do. This is a funny joke.
Elle 59:55 Ohh co-dependency.
Margaret 59:58 But all right, there's a quote from a guy whose name I totally space who was an old revolutionist, who wasn't very good at his job. And his quote was, "Those who make half a revolution dig their own graves." And I think he like, I think it proved true for him.
If I remember correctly, I think he died in jail after kind of making half a revolution with some friends. I think he got like arrested for pamphleteering or something,
Elle 1:00:20 Jesus.
Margaret 1:00:21 It was a couple hundred years ago. And but there's this but then if you look forward in history that like revolutionists, who survive are the ones who win. Sometimes, sometimes the revolutionists win, and then their comrades turn on them and murder them. But, I think overall, the survival rate of a revolution is better when you win is my theory. And and so there's this this concept where there's a tension, and I don't have an answer to it. And I want people to actually think about it instead of assuming, where the difference between videotaping a cop car on fire and not is more complicated than people want you to know. Because, if you want there to be more cop cars on fire, which I do not unless we're in Czarist Russia, in which case, you're in an autocracy, and it's okay to set the cop cars on fire, but I'm clearly not talking about that, or the modern world. But, you're gonna have to film it on your cell phone in order for people to fucking know that it's happening. Sure. And and that works absolutely against your best interest. Like, on an individual level, and even a your friends' level.
Elle 1:01:25 So like, here's the thing, being in proximity to a burning cop car is not in and of itself a crime.
Margaret 1:01:33 Right.
Elle 1:01:34 So there's, there's nothing wrong with filming a cop car on fire.
Margaret 1:01:41 But there's that video...
Margaret 1:01:41 Right.
Elle 1:01:41 There is something wrong with filming someone setting a cop car on fire. And there's something extremely wrong with taking a selfie while setting a cop car on fire. And don't do that, because you shouldn't do crime. Obviously, right?
Elle 1:01:42 But there's layers there...No, go ahead.
Margaret 1:02:03 Okay, well, there's the video that came out of Russia recently, where someone filmed themselves throwing Molotovs at a recruitment center. And one of the first comments I see is like, "Wow, this person has terrible OpSec." And that's true, right? Like this person is not looking at how to maximize their lack of chance of going to jail, which is probably the way to maximize that in non Czarist Russia... re-Czarist Russia, is to not throw anything burning at buildings. That's the way to not go to jail.
Elle 1:02:35 Right.
Margaret 1:02:35 And then if you want to throw the thing at the... and if all you care about is setting this object on fire, then don't film yourself.
Elle 1:02:41 Right.
Margaret 1:02:41 But if you want more people to know that this is a thing that some people believe is a worthwhile thing to do, you might need to film yourself doing it now that person well didn't speak.
Elle 1:02:53 Well no.
Margaret 1:02:56 Okay.
Elle 1:02:56 You may not need to film yourself doing it. Right? Because what what you can do is if, for example, for some reason, you are going to set something on fire.
Margaret 1:03:09 Right, in Russia.
Elle 1:03:09 Perhaps what you might want to do is first get the thing to be in a state where it is on fire, and then begin filming the thing once it is in a burning state.
Margaret 1:03:25 Conflagration. Yeah.
Elle 1:03:25 Right? And that can that can do a few things, including A) you're not inherently self incriminating. And, you know, if if there are enough people around to provide some form of cover, like for example, if there are 1000s of other people's cell phones also in proximity, it might even create some degree of plausible deniability for you because what fucking dipshit films themself doing crimes. So it's, you know, there's, there's, there's some timing things, right. And the idea is to get it...if you are a person who believes that cop cars look best on fire...
Margaret 1:04:10 Buy a cop car, and then you set it on fire. And then you film it.
Elle 1:04:15 I mean, you know, you know, you just you opportunistically film whenever a cop car happens to be on fire in your proximity.
Margaret 1:04:23 Oh, yeah. Which might have been set on fire by the person who owned it. There's no reason to know one way or not.
Elle 1:04:27 Maybe the police set the cop car on fire you know? You never know. There's no way to there....You don't have to you don't have to speculate about how the cop car came to be on fire. You can just film a burning cop car. And so the you know, I think that the line to walk there is just making sure there's no humans in your footage of things that you consider to be art.
Margaret 1:04:29 Yeah. No, it it makes sense. And I guess it's like because people very, very validly have been very critical about the ways that media or people who are independently media or whatever, like people filming shit like this, right? But But I think then to say that like, therefore no, no cop cars that are on fire should ever be filmed versus the position you're presenting, which is only cop cars that are already on fire might deserve to be filmed, which is the kind of the long standing like film the broken window, not the window breaker and things like that. But...
Elle 1:05:29 I think and I think also there's, you know, there's a distinction to be made between filming yourself setting a cop car on fire, and filming someone else setting a cop car on fire, because there's a consent element, right?
Margaret 1:05:34 Totally. Totally.
Elle 1:05:47 You shouldn't like...Don't do crime. Nobody should do crime. But if you are going to do crime, do it on purpose. Right?
Margaret 1:05:55 Fair enough.
Elle 1:05:55 Like that's, that's what civil disobedience is. Civil disobedience is doing crime for the purpose of getting caught to make a point. That's what it is.
And if you if you really feel that strongly about doing a crime to make a point, and you want everyone to know that you're doing a crime to make a point, then that's, that's a risk calculation that you yourself need to make for yourself. But you can't make that calculation for anybody else.
Margaret 1:06:25 I think that's a great way to sum it up.
Elle 1:06:27 So unless your friend is like, "Yo, I'm gonna set this cop car on fire. Like, get the camera ready, hold my beer." You probably shouldn't be filming them.
Margaret 1:06:38 See you in 30 years.
Elle 1:06:39 Right? You probably shouldn't be filming them setting the cop car on fire either.
Margaret 1:06:43 No. No
Elle 1:06:44 And also, that's a shitty friend because they've just implicated you in conspiracy, right?
Margaret 1:06:49 Yeah.
Elle 1:06:50 Friends don't implicate friends.
Margaret 1:06:53 It's a good, it's a good rule. Yeah, yeah. All right. Well, I that's not entirely where I immediately expected to go with Threat Modeling. But I feel like we've covered an awful lot. Is there something? Is there something...Do you have any, like final thoughts about Threat Modeling, and as relates to the stuff that we've been talking about?
Elle 1:07:18 I think that you know, the thing that I do really want to drive home. And that honestly does come back to your point about clandestinity being a trap is that, again, the purpose of threat modeling is to first understand, you know, what risks you're trying to protect against, and then figure out how to do what you're accomplishing in a way that minimizes risk. But the important piece is still doing whatever it is that you're trying to accomplish, whether that's movement building, or something else. And so there there is, there is a calculation that needs to be made in terms of what level of risk is acceptable to you.
But if if, ultimately, your risk threshold is preventing you from accomplishing whatever you're trying to accomplish, then it's time to take a step back, recalculate and figure out whether or not you actually want to accomplish the thing, and what level of risk is worth taking. Because I think that, you know, again, if if you're, if your security mechanisms are preventing you from doing the thing that you're you set out to try to do, then your adversaries are already winning, and something probably needs to shift.
Margaret 1:08:39 I really like that line. And so I feel like that's a decent spot, place to end on. Do. Do you have anything that you'd like to shout out? People can follow you on the internet? Or they shouldn't follow you on the internet? What? What do you what do you want to advocate for here?
Elle 1:08:53 If you follow me on the internet, I'm so sorry. That's really all I can say. I'm, I am on the internet. I am a tire fire. I'm probably fairly easy to find based on my name, my pronouns and the things that I've said here today, and I can't recommend following my Twitter.
Margaret 1:09:17 I won't put in the show notes then.
Elle 1:09:19 I mean, you're welcome to but I can't advocate in good conscience for anyone to pay attention to anything that I have to say.
Margaret 1:09:27 Okay, so go back and don't listen to the last hour everyone.
Elle 1:09:31 I mean, I'm not going to tell you what to do.
Margaret 1:09:34 I am that's my favorite thing to do.
Elle 1:09:36 I mean, you know, this is just like my opinion, you know? There are no leaders. We're all the leaders. I don't know. Do do do what you think is right.
Margaret 1:09:55 Agreed. All right. Well, thank you so much.
Elle 1:09:59 Thank you. I really appreciate it.
Margaret 1:10:07 Thank you so much for listening.
If you enjoyed this podcast, you should tell people about it by whatever means occurs to you to tell people about it, which might be the internet, it might even be in person, it might be by taking a walk, leaving your cell phones behind, and then getting in deep into the woods and saying, "I like the following podcast." And then the other person will be like, "Really, I thought we were gonna make out or maybe do some crimes." But, instead you have told them about the podcast. And I'm recording this at the same time as I record the intro, and now the

Les Cast Codeurs Podcast
LCC 280 - Geography lesson

Jun 13, 2022 81:24


For once, this episode talks a lot about news in the languages section, and a lot about Java, woohoo! We also talk about sigstore, http/3, Micronaut and VMWare. Recorded June 10, 2022.

Episode download: LesCastCodeurs-Episode–280.mp3

News

Languages

Seven reasons why Java still makes sense after 26 years
- community (in every major city)
- strength of the language and of the platform
- more problems solved than unsolved (libraries)
- stability
- innovation (Java 9 accelerated innovation)
- tooling
- job opportunities

The beginnings of Project Leyden
- Mark Reinhold launches Project Leyden to address Java's slow startup time, slow time to peak performance, and somewhat heavy footprint, using a static image of your application
- a static image runs one and only one application on its JDK and is a "closed world" (it cannot load external classes)
- but the JVM engineers will work on a fairly flexible approach, and see which constraints can be relaxed compared to the completely closed world of a static image
- hoping to get improvements at different levels, for as many applications and use cases as possible
- the closed world is what brings the value of GraalVM native image and the advantages for Micronaut, Quarkus and the others
- so no closed world: it is still a research project for the JVM team

JFR easier to configure in Java 17
- a wizard, as a UI or CLI, to generate the .jfc file

Structured concurrency proposal via Project Loom
- Targeted status for JDK 19. This incubating JEP, under the auspices of Project Loom, proposes to simplify multithreaded programming by introducing a library to treat multiple tasks running in different threads as a single unit of work. This can streamline error handling and cancellation, improve reliability, and enhance observability

RedMonk analyses the arrival of the Dart language, thanks to Flutter, in their top 20 most popular programming languages
- JavaScript, Python, Java still in the lead
- But Rust and Dart entered recently
- Dart's arrival coincides above all with the emergence of Flutter as a GUI framework, for Android/iOS as well as for desktop and web
- On mobile apps there has always been a lot of native development, but React Native arrived, and Flutter as well
- Google apps such as Google Pay and Google Ads are developed in Flutter, as is the recent SNCF Connect, or companies such as BMW or Alibaba (edited) (cf. the experience-report talk by the SNCF Connect developers at Devoxx France)
- Dart's initial investments, compared to Kotlin or Ceylon which started at the same time, were colossal
- Dart natively for building iOS apps... which also run on Android

Kotlin 1.7 is out
- Kotlin K2 compiler for the JVM in Alpha (plugins do not work)
- performance improvements for Kotlin and for the JVM compiler
- incremental Gradle build
- OptIn annotation and Builder inference stabilised
- classes implemented by automatic delegation without memory consumption (via inlining)

Libraries

Micronaut 3.5 is out
- Move to GraalVM 22.1.0
- Incremental compilation during builds, particularly interesting for GraalVM metadata, which avoids running annotation processors needlessly
- Inclusion of Micronaut Data 3.4, with support for Postgres enums in JDBC, and pagination for Reactive Repositories
- Integration with Turbo for the view layer (Turbo Frame and Turbo Views)
- New module for MicroStream (a native Java object-graph engine, integrated in Helidon)
- Updates to many plugins and extensions (including build plugins)

Infrastructure

Kubernetes signals massive adoption of Sigstore for protecting open source ecosystem
- Kubernetes 1.24 (released in May) is the first version officially using Sigstore, allowing transparent verification of signatures to protect against supply-chain attacks
- Sigstore is a new standard for signing, verifying and protecting software. It is meant to be a replacement for GPG, for example.
- Sigstore offers a variety of benefits to the Kubernetes community, such as:
  - Sigstore's keyless signing gives a great developer experience and removes the need for painful key management.
  - Sigstore's public and transparent log (Rekor), with its APIs, lets Kubernetes consumers verify signatures.
  - ...

Web

RFC 9114 - HTTP/3 is approved (+ RFC 9204 - QPACK: Field Compression for HTTP/3 and RFC 9218 - Extensible Prioritization Scheme for HTTP)
- Based on the QUIC transport protocol, which has several interesting features such as stream multiplexing, per-stream flow control and low-latency connection establishment.
- QPACK: a compression format to represent HTTP fields efficiently for use in HTTP/3. It is a variation of HPACK compression that aims to reduce header size.
- Extensible Prioritization Scheme for HTTP: a scheme that lets an HTTP client communicate its preferences as to how the upstream server prioritises the responses to its requests, and also lets a server indicate to a downstream intermediary how its responses should be prioritised when they are forwarded.

Tooling

VSCode Java 1.5 is out
- Java 18 support, inlay hints for method parameters, and improvements to class declaration navigation are just a few of the enhancements to expect.

Architecture

The Netflix architecture
- Nothing spectacular in the details, but it has been a while since we had an architecture item
- analyze the system design in terms of availability, latency, scalability and resilience to network failure
- based on AWS
- the client, via an SDK, is smart and controls the backend used and the bandwidth in real time
- Open Connect CDN: where the videos are stored
- the rest is good old microservices on the backend
- returns the ten best access points, and the client chooses or even switches
- API Gateway via Zuul: dynamic routing, traffic monitoring and security, resilience to failures at the edge of the cloud deployment, etc.

Law, society and organisation

VMWare bought by Broadcom
- 61 billion dollars
- With the goal of going from 3.5 to 8.5 billion of EBITA per year
- Moving into the cloud division with Symantec
- VMWare was happy with the freedom it regained after the spin-off from Dell
- Apparently no technology alignment
- a portfolio expansion into software for Broadcom
- VMWare has changed hands a lot in recent years
- Broadcom's investment strategy: buy franchises with a good market position and a potential for increased profitability without big investments
- The rumour: a VMWare alumnus who thinks this is the death of VMWare

Tools of the episode

GitHub Copilot, when code writes itself... (actually no, developers still have good days ahead of them)
- See also: Github Co-Pilot : Addictif ou Efficace ? (Johan Jublanc and Simon Provost) at Devoxx France 2022

Beginners section

Conferences

Source: Developers Conferences Agenda/List by Aurélie Vache and contributors

June
- 14: France API - Paris (France)
- 15–18: VIVA Technology - Paris (France)
- 17: Cloud Ouest 2022 - Nantes (FR) + Online
- 21–22: Voxxed Days Luxembourg - Luxembourg
- 23: ServerlessDays Paris - Paris (France)
- 24: SoCraTes Rennes - Rennes (France)
- 27–1: Hack in Paris - Paris (France)
- 28: Dev nation Day France - Paris (France)
- 29–1: BreizhCamp - Rennes (France)
- 30–1: Sunny Tech - Montpellier (France)
- 30–1: Agi'Lille 2022 - Lille (France)

September
- 9: JUG SummerCamp - La Rochelle (France)
- 29: Cloud Nord - Lille (France)

October
- 4–6: Devoxx Morocco - Agadir (Morocco)
- 6–7: Paris Web - Paris (France)
- 10–14: Devoxx Belgium - Antwerp (Belgium)
- 13–14: Volcamp 2022 - Clermont Ferrand (France)
- 20–21: DevFest Nantes - Nantes (France)
- 27–28: Agile Tour Bordeaux - Bordeaux (France)

November
- 8–9: Open Source Experience - Paris (France)
- 15–16: ParisTestConf - Online
- 15–16: Agile Tour Toulouse - Toulouse (France)
- 17: Codeurs en Seine - Rouen (France)
- 18: Devfest Strasbourg - Strasbourg (France)
- 19–20: Capitole du Libre - Toulouse (France)

December
- 1: Devops DDay #7 - Marseille (France)
- 2: BDX I/O - Bordeaux (France)
- 14–16: API Days Paris - Paris (France) & Online

Conference name from x to y month in City - CfP until y month
TODO: carry over those from the previous episode

Contact us

Support Les Cast Codeurs on Patreon https://www.patreon.com/LesCastCodeurs
Send a crowdcast or a crowdquestion
Contact us via twitter https://twitter.com/lescastcodeurs, on the Google group https://groups.google.com/group/lescastcodeurs or on the website https://lescastcodeurs.com/

Craig Peterson's Tech Talk
Which Anti-Hacker Techniques Can You Use Against the Russian Hackers?

Mar 26, 2022 84:29


Weekly Show #1158 We know the Russians have been attacking us. I've talked a lot about it on the radio and TV over the last couple of weeks. So I am doing something special; we are going through the things you can do to stay safe from the latest Russian attacks. Last week, we started doing something I promised we would continue -- how can you protect yourself when it comes to the Russians? The Russians are the bad guys when it comes to bad guys. So there are a few things you can do. And there are a few things; frankly, you shouldn't be doing. And that's precisely what we're going to talk about right now.

Today, I explain:
- How to protect your back-end
- Preventative measures
- The new rules of backing up your computer

As usual, we'll cover the What, Why, and How's.

[Automated transcript follows]

[00:00:39] So last week he went over some steps, some things that you can look at that you should look at that are going to help protect you. And we are going to go into this a whole lot more today. And so I want you to stick around and if you miss anything, you can go online. You can go to craigpeterson.com, make sure you sign up there for my email.
[00:01:01] And what I'm going to do for you is. Send you a few different documents now where we can chat back and forth about it, but I can send you this. Now I'm recording this on video as well as on audio. So you can follow along if you're watching either on YouTube or. Over on Rumble and you can find it also on my website.
[00:01:26] I've been trying to post it up there too, but right now let's talk about what we call passive backend protections. So you've got the front end and the front end of course, is. Stuff coming at you, maybe to the firewall I've mentioned last week about customers of mine. I was just looking at a few customers this week, just so I could have an idea of their firewalls.
[00:01:52] And they were getting about 10 attacks per minute. Yeah.
And these were customers who have requirements from the Department of Defense because they are defense sub subcontractors. So again, potential bad guys. So I looked up their IP addresses and where the attacks were coming from. Now, remember that doesn't mean where they originated because the bad guys can hop through multiple machines and then get onto your machine.
[00:02:22] What it means is that all, ultimately they ended up. Coming from one machine, right? So there's an IP address of that machine. That's attacking my clients or are attacking my machines. That just happens all the time. A lot of scans, but some definite attacks where they're trying to log in using SSH.
[00:02:42] And what I found is these were coming from Slovakia, Russia, and Iran. Kind of what you were expecting, right? The Iranians, they just haven't given up yet. They keep trying to attack, particularly our military in our industry. One of the things we found out this week from, again, this was an FBI notice is that the Russians have been going after our industrial base.
[00:03:09] And that includes, in fact, it's more specifically our automobile manufacturers we've already got problems, right? Try buying a new car, try buying parts. I was with my friend, just this. I helped them because he had his car right. Need to get picked up. So I took him over to pick up his car and we chatted a little bit with this small independent automotive repair shop.
[00:03:34] And they were telling us that they're getting sometimes six, eight week delays on getting parts and some parts. They just can't. So they're going to everything from junkyards on out, and the worst parts are the parts, the official parts from the car manufacturers. So what's been happening is Russia apparently has been hacking into these various automobile manufacturers and automobile parts manufacturers.
[00:04:03] And once they're inside, they've been putting in. A remote control botnet.
And those botnets now have the ability to wake up when they want them to wake up. And then once they've woken up, what do they do? Who knows? They've been busy erasing machines causing nothing, but having they've been doing all kinds of stuff in the past today, they're sitting there.
[00:04:24] Which makes you think they're waiting, it's accumulate as much as you possibly can. And then once you've got it all accumulated go ahead and attack. So they could control thousands of machines, but they're not just in the U.S. it's automobile manufacturers in Japan. That we found out about.
[00:04:44] So that's what they're doing right now. So you've got the kind of that front end and back end protections. So we're going to talk a little bit about the back end. What does that mean? When a cybersecurity guy talks about the backend and the protections. I got it up on my green right now, but here's the things you can do.
[00:05:03] Okay. Remember, small businesses are just getting nailed from these guys, because again, they're fairly easy targets. One change your passwords, right? How many times do we have to say that? And yet about 70% of businesses out there are not using a good password methodology. If you want more information on passwords, two factor authentication, you name it.
[00:05:30] Just email me me@craigpeterson.com. I want to get the information out now. You got to make sure that all of the passwords on your systems are encrypted are stored in some sort of a good password vault as you really should be looking at 256 bit encryption or better. I have a vendor of. That I use. So if you get my emails every week, when them, there's the little training.
[00:05:59] And so I'll give you a five minute training. It's written usually it's in bullet point for, I'm just trying to help you understand things. That provider of mine has a big database and there's another provider that I use that is for. So the training guys use the database of my provider.
[00:06:20] In using that database, they're storing the passwords, and the training provider is putting passwords in the clear into the database, which is absolutely crazy. So again, if you're a business, if you're storing any sort of personal information, particularly passwords, make sure that you're using good encryption and you're doing what's called salting the hash, which means [00:06:46] you're not really storing the password, just storing a salted hash. I can send you more on this if you are a business and you're developing software. This is long-tail stuff here. Configure all of the security password settings so that if someone's trying to log in and is failing, you block it. Many of us, let's say you're a small business, [00:07:08] I see this all of the time. Okay. You're not to blame, but you have a firewall that came from the cable company. Maybe you bought it at a big box retailer. Maybe you bought it online over at Amazon, and that's really great for you. Has it got settings on there that let you say, there's 20 attempts to log in, [00:07:31] maybe we should stop them? Now, what we do personally for our customers is typically we'll block them at somewhere around three or four failed attempts, and then their password's blocked. Now you can configure that sort of thing if you're using email. And that's an important thing to do. Let me tell you, because we've had some huge breaches due to email, like Microsoft email and passwords and people logging in and stealing stuff. [00:07:59] It was just a total nightmare for the entire industry last year. But limit the number of login retries as well while you're in there. These excessive login attempts, or whatever you want to define it as, need to lock the account. And what that means is even if they have the right password, they can't get in, and you have to use an administrative password in order to get in. [00:08:25] You also want to, what's called, throttle the rate of repeated logins.
Now you might've gotten caught on this, right? You went to your bank, you went to eBay, you went to any of these places, and all of a sudden it denied you, right? It blocked you. That can happen when your account is on these hackers' lists. [00:08:45] You remember last week we talked about password spraying? Well, that's a very big deal, and hackers are doing the spraying trick all of the time, and that is causing you to get locked out of your own account. So if you do get locked out, remember it might be because someone's trying to break in. Obviously you have to enforce the policies. [00:09:09] The CAPTCHA is a very good thing. Again, this is more for software developers. We always recommend that you use multi-factor or two-factor authentication. Okay. Do not use your SMS, your text messages, for that, where they'll send you a text message to verify who you are. If you can avoid that, you're much better off, [00:09:30] because there's some easy ways to get around that for hackers that are determined. Okay. Multi-factor again. Install an intrusion detection system. We put, right at the network edge and between workstations and servers, even inside the network, we put detection systems that look for intrusion attempts and block intrusion attempts. [00:09:56] Very important: use deny lists to block known attackers. We build them automatically. We use some of the higher-end Cisco gear. Cisco is a big network provider. They have some of the best hardware and software out there, and you have to subscribe. A lot of people complain: I'll just go buy a firewall for 200 bucks on Amazon. [00:10:18] Why would I pay that much a month just to have a Cisco firewall? And it's like paying for the brand. I've got my logo shirt on here. Oh, I wouldn't pay for that. No, it's because they are automatically providing block lists that are updated by the minute sometimes. And then make sure you've got an incident response plan in place.
[00:10:44] What are you going to do when they come for you? What are you going to do? Bad boys, bad boys. Stick around. We've got a lot more to talk about here as we go. I am explaining the hacks that are going on right now and what you can do as a business and an individual to protect yourself. Don't go anywhere. [00:11:07] Now we're going to talk about prevention. What can you do in order to stop some of these attacks that are coming from Russia and from other countries? It is huge, people. Believe me, this is a very big problem, and I'm here to help. [00:11:23] Hi, I'm Craig Peterson, your chief information security officer. We've reviewed a number of things that are important when it comes to your cybersecurity and your protection. [00:11:37] We talked about the front end. We talked about the back end. Now we're going to talk about pure prevention, and if you're watching online, you'll be able to see my slides as they come up as we talk about some of this stuff, and you'll find me on YouTube, and you'll also find me on Rumble, a fairly new platform out there, a platform that doesn't censor you for the things you say. [00:12:01] Okay. So here we go. First of all, enabling your Active Directory password protection is going to force password protection all the way through your business. Now I've had some discussions with people over the months, over the years, about this whole thing and what should be done, what can be done, what cannot be done. [00:12:26] Hey, it's a very big deal when it comes to password protection, and Active Directory, believe it or not, even though it's a Microsoft product, is pretty darn good at a few things. One of them is controlling all the machines and the devices. One of the things we do is we use an MDM, or what used to be called a mobile device manager, called MaaS360. [00:12:51] It's available from IBM. We have a special version of that that allows us, as a managed security services provider, to be able to control everything on people's machines.
Active Directory is something you should seriously consider. If you are a Mac-based shop, like I am, in fact, I'm sitting right now in front of two Macs that I'm using right now, you'll find that Active Directory is a little bit iffy [00:13:21] sometimes for Macs. There are some workarounds, and it's gotten better. MaaS360 is absolutely the way to go, but make sure you've got really good passwords. And the types of passwords that are most prone to spraying attacks are the ones you should be banning specifically. Remember the website Have I Been Pwned? [00:13:45] Yeah. It's something that you should go to pretty frequently. And again, if you miss anything today, just email me, me@craigpeterson.com. Believe me, I am not going to harass you at all. Okay. Now, the next thing that you should be doing is what's called red team, blue team. Now the red team is a group of people, usually outside of your organization. [00:14:11] If you're a big company, they're probably inside, but the red team is the team that attacks you. They're white hat hackers who are attacking you, looking for vulnerabilities, looking for things that you should or shouldn't be doing. And then the blue team is the side that's trying to defend. So think of, like, WarGames. [00:14:29] Remember that movie with Matthew Broderick all of those decades ago, and how he was trying to defend that computer, was trying to defend it, and it moved into an attack mode, right? Red team's attack, blue team is defend. So you want to conduct simulated attacks. Now, conducting these attacks includes saying, oh my, let's now put in place and execute our plan here for what are we going to do once we have a breach. [00:15:01] And you darn well better have a breach plan in place. So that's one of the things that we help with as a fractional chief information security officer for companies, right?
You've got to get that in place, and you have to conduct these simulated attacks, and you have to do penetration testing, including password spraying attacks. [00:15:21] There's so many things you can do. One of the things that we like to do, and that you might want to do, whether you're a home user, retiree, or a business, is go and look online. You can just use Google. I use far more advanced tools, but you can use Google and look for your email address right there. [00:15:40] Look for the names of people inside your organization. And then say, wait a minute, does that data actually need to be there? Or am I really exposing the company, exposing people's information that shouldn't be out there? Because, you remember, the hackers, one of the things they do is they phish you, phish as in pH. [00:16:04] So they'll send you an email that looks like, hey, let me see. I know that Mary is the CFO, and I know that Joe's going to be out of town for two weeks in the Bahamas, not in touch. So while he's gone, I'm going to send an email to Mary to get her to do something, to transfer the company's funds to me. [00:16:23] Okay. So that's what that's all about. You've got to make sure, where is our information? And if you go to my company's page, mainstream.net, you'll see on there that I don't list any of the officers or any of the people that are in the company, because that again is a security problem. [00:16:41] We're letting them know. I go to some of these sites, like professional sites, lawyers, doctors, accountants, and I find right there all of their people, right there, their top people, or sometimes all of them. And then it'll say, yeah, I went to McGill University, went to Harvard, whatever. It's all there. So now they've got great information to phish you, to phish that company, because all they have to do is send an email to say, hey, you remember me? [00:17:13] We were at Harvard in this class together, and didn't you have that professor? See how that works? Okay.
You also want to make sure that you implement what's called a passwordless user agent, and this is just so effective. If they cannot get into your account, what could possibly go wrong? But one of the ways to not allow them into the account is to use [00:17:41] biometrics. We use something called Duo, and we have that tied into the single sign-on, and the Duo single sign-on works great, because what it does now is, I go to a site, I put in my username, and it pulls up a special splash page that is running on one of our servers that again asks me for my Duo username. [00:18:04] So I've got my username for the site, then my Duo username and my Duo password, single sign-on. And then it sends me, to an app on my smart device, a request saying, hey, are you trying to log into Microsoft, or whatever it might be, and you can say yes or no, and it uses biometrics. [00:18:27] So those biometrics now are great, because it says, oh, okay, I need a Face ID or I need a thumbprint, whatever it might be, that allows a generalized passwordless access. Okay. Passwordless, meaning no password. So those are some of the top things you can do when it comes to prevention. And if you use those, they're never going to be able to get at your data, because it's something you have along with something you know. It works great. [00:19:02] And we like to do this. Some customers don't like to go through those hoops of the single sign-on and using Duo and making that all work right. We're fine with it. We've got to keep ourselves at least as secure as the DOD regulations require, unlike almost anybody else in industry. I'm not going to brag about it. [00:19:26] But some of our clients don't like to meet the tightest of controls, and so sometimes they don't. I hate to say that, but they just don't, and it's a fine line between getting your work done and being secure, but I think there's some compromises that can be readily made.
We're going to talk next about saving your data from ransomware and the newest ransomware. [00:19:53] We're going to talk about the third generation that's out there right now. Ransomware, it's getting crazy, let me tell ya, and what it's doing to us and what you can do. What is a good backup? That has changed over the last 12 months. It's changed a lot. I used to preach 3-2-1. There's a new sheriff in town. [00:20:15] Stick around. CraigPeterson.com. [00:20:19] 3-2-1, that used to be the standard, the gold standard for backing up. It is no longer the case with now the third generation of ransomware. You should be doing something even better, and we'll talk about it now. [00:20:36] We're doing this as a simulcast here. It's on YouTube. It is also on Rumble. [00:20:43] It's on my website at craigpeterson.com, because we're going through the things that you can do, particularly if you're a business, to stop the Russian invasion, because as we've been warned again and again, the Russians are after us and our data. So if you missed part of what we're talking about today, or [00:21:07] last week's show, make sure you send me an email, me@craigpeterson.com. This is the information you need if you are responsible in any way for computers. That means in your home, right? Certainly in businesses, because what I'm trying to do is help and save those small businesses that just can't afford to have full-time, [00:21:31] true cybersecurity personnel on site. So that's what the whole fractional chief information security officer thing is about, because you just, you can't possibly afford it. And believe me, that guy that comes in to fix your computers is no cybersecurity expert. These people that are attacking are full-time cybersecurity experts, and they're coming from every country in the world, including coming from the U.S. [00:22:01] We just had more arrests last week. So let's talk about ransomware correctly. Ransomware, very big problem. Been around a long time.
The first version of ransomware was software that got onto your computer through some mechanism, and then you had that red screen. We've all seen that red screen, and it says, hey, pay up, buddy. [00:22:23] It says here you need to send so many Bitcoin, or a fraction of a Bitcoin, or so many dollars' worth of Bitcoin, to this Bitcoin wallet. And if you need any help, you can send email here or do a live chat. They're very sophisticated. We should talk about it some more at some point. That was generation one. [00:22:45] Generation two was, not everybody was paying the ransoms. So what did they do at that point? They said, let me see, we can ransom the data by encrypting it and having them pay us to get it back. 50% of the time you got all your data back. Okay. Not very often. Not often enough, that's for sure. [00:23:05] Or what we could do is, let's steal some of their intellectual property. Let's steal some of their data, their social security numbers, their bank account numbers, et cetera. They're in an Excel spreadsheet at their company. And then, if they don't pay that first ransom, we'll tell them if they don't pay up, we'll release their information. [00:23:26] Sometimes you'll pay that first ransom, and then they will hold you ransom a second time, pretending to be a different group of cyber terrorists. Okay. Number three, round three, is what we're seeing right now, and this is what's coming from Russia, near as everything we can tell. And that is, [00:23:48] they are erasing our machines. Totally erasing them, in pretty sophisticated ways of erasing them as well, so that really it's impossible to recover. It's sophisticated in that it doesn't delete some key registry entries until right at the very end, and then reboots the computer. And of course, there's no computer left to reboot, right? [00:24:11] It's lost everything off of that hard drive or SSD, whatever your boot device is.
So let's talk about the best ways here to do some of this backup and saving your data from ransomware. Now you need to use offsite, disconnected backups, no question about it. So let's talk about what's been happening. [00:24:34] Hospitals, businesses, police departments, schools, they've all been hit, right? And these ransomware attacks are usually started by a person, a link in an email. Now this is a poison link, most of the time. It used to be a little bit more where it was a Word document, an Excel document, that had something nasty inside. Microsoft, as I've said many times, has truly pulled up their socks. [00:25:02] Okay. So it doesn't happen as much as it used to. Plus, with malware defender turned on in your Windows operating system, you're going to be a little bit safer. Next step: a program tries to run. Okay. And it effectively denies access to all of that data, because it's encrypted it. And then usually what it does, so that your computer still works, [00:25:26] is it encrypts all of your, like, your Word docs, your Excel docs, your databases, right? All the stuff that matters. And once they've got all of that encrypted, you can't really access it. Yeah, the file's there, but it looks like trash now. There's new disturbing trends that have really developed over the last few months. [00:25:48] So in addition to encrypting your PC, it can now encrypt an entire network and all mounted drives, even drives that are mirroring cloud services. Remember this, everybody, this is really a big deal, because what will happen here is, if you have, let's say you've got an old drive, a G drive or some drive mounted off of your network, [00:26:14] you have access to it from your computer, right? Yeah. You click on that drive, and now you're in there, and on the Windows side, Unix and Macs are a little different, but the same general idea, you have access to it, you have write access to it.
So what they'll do is, any mounted drive, like those network drives, is going to get encrypted, but the same thing is true [00:26:36] if you are attaching a USB drive to your computer. So that USB drive, now, that has your backup on it, gets encrypted. So if your network is being used to back up, and if you have a thumb drive, a USB drive, it's not really a thumb drive, right? It's an external drive, but connected by USB, hooked up, [00:27:02] and that's where your backup lives? You have lost it. And there have been some pieces of software that have done that for a while. Yeah. When they can encrypt your network drive, it is really going after a whole bunch of people, because everyone that's using that network drive is now affected, and it is absolutely [00:27:27] devastating. So the best way to do this is, obviously you do a bit of a local backup. We will usually put a server at the client's site that is used as a backup destination. Okay. So that server's the destination. All of the stuff gets backed up there. It's encrypted. It's not on the network per se. It's using a special encrypted protocol between each machine and the backup server. And then that backup server's data gets pushed offsite. Some of our clients, we even go so far as to push it to a tape drive, which is really important too, because now you have something physical that is, by the way, encrypted, that cannot be accessed by the attacker. [00:28:20] It's offsite. So we have our own data center. We run it, we manage it, no one else has access to it, it's ours. And we push all of those backups offsite to our data center, which gives us another advantage. If a machine crashes badly, right, the hard disk fails, heaven forbid they get ransomware, we've never had that happen to one of our clients, [00:28:46] just we've had it happen prior to them becoming clients, is that we can now restore
that machine, either virtually in the cloud, or we can restore it right onto a piece of hardware and have them up and running in four hours. It can really be that fast, but it's obviously more expensive than some [00:29:08] are looking to pay. All right, stick around. We've got more to talk about when we come back. And what are the Russians doing? How can you protect your small business? If you're a one-man, one-woman operation, believe it, you've got to do this as well, or you could lose everything. In fact, I think our small guys have even more to lose. CraigPeterson.com. [00:29:32] Backups are important, and we're going to talk about the different types of backups right now, what you should be doing, whether you're a one-person little business or you are a multinational. Obviously scale matters. [00:29:47] Protecting your data is one of the most important things you can possibly do. [00:29:53] I have clients who had their entire operating account emptied out, completely emptied. It's just amazing. I've had people pay a lot of money to hackers to try and get data back. And I go back to this one lady over in Eastern Europe who built a company out of $45 million by herself. And of course, you probably heard about the Shark Tank people, right? [00:30:23] Barbara Corcoran, how she almost lost $400,000 to a hacker. In fact, the money was on its way when she noticed what was going on and was able to stop it. So thank goodness she was able to stop it. But she was aware of these problems, was looking for the potential, and was able to catch it. How many of us are paying that much attention? [00:30:50] And now, one of the things you can do that will usually kind of protect you from some of the worst outcomes when it comes to ransomware is to back up. And I know everybody says, yeah, I'm backing up. It's really rare, when we go in, that we find a company has been backing up properly. It even happens to us sometimes.
[00:31:15] We put the backup regimen in place and things seem to be going well, but then when you need the backup, oh my gosh. We just had this happen a couple of weeks ago, actually this last week. This is what happened. We have something called an FMC, which is a controller from Cisco that actually controls firewalls in our customers' locations. [00:31:42] This is a big machine. It monitors stuff. It's tied into this ISE server, which is looking for nastiness and for bad guys trying to break in, right? It's intrusion detection and prevention, and tying it into this massive network of a billion data points a day that Cisco manages. Okay. It's absolutely huge. [00:32:05] And we're running it in a virtual machine network. So we have two big blade chassis, full of blades, and each blade is a computer. So it has multiple CPUs and has a whole bunch of memory. It also has storage in there, and we're using something that VMware calls vSAN. So it's a little virtual storage area network [00:32:32] that's located inside this chassis, and there are multiple copies of everything. So if a storage unit fails, you're still okay. Everything stays up, it keeps running. And we have it set up so that there's redundancy upon redundancy. One of the redundancies was to back it up to a file server that we have that's running ZFS, which is phenomenal. [00:32:56] Let me tell you, it is the best file system out there. I've never, ever had a problem with it. It's just crazy. I can send you more information if you're ever interested. Just email me, me@craigpeterson.com, anytime. I'd be glad to send you the open source information, whatever you need. But what had happened is, [00:33:13] somehow the boot disk of that FMC, that firewall controller, had been corrupted. So we thought, oh, okay, no problem. Let's look at our backups. Yeah, hadn't backed up since October 2019. Yeah, and we didn't know. It had been silently failing.
Obviously we're putting stuff in place to stop that from ever happening again. [00:33:43] So we are monitoring the backups. That network of disks that was making up that storage area network, that had the redundancy, failed because the machine itself somehow corrupted its file system, an ext4 file system, which isn't supposed to be corruptible, but the journal was messed up, and it was, man, what a headache. [00:34:07] And so they thought, okay, you're going to have to reinstall. And we were sitting there saying, oh, you're kidding me. Reinstalling this FMC controller means we've got to configure our clients' firewalls that are being controlled from this FMC, all of their networks, all of their devices. We had to put it out. [00:34:23] This is going to take a couple of weeks. So, because I've been doing this for so long, I was able to boot up off another disk and mount the file system and go in manually underneath the whole FMC, this whole firewall controller, and make repairs to it. Got it repaired, and then got it back online. So thank goodness for that. [00:34:49] It happens to the best of us, but I have to say, I have never had a new client where they had good backups. Ever. Okay. Now, that should tell you something. So if you are a business, a small business, whatever it might be, check your backups. Double-check them. Now, when we're running backups, we do a couple of things. [00:35:14] We go ahead and make sure the backup is good. So remember I mentioned that we have a backup server that sits onsite, usually. It depends on the size of the client, but it sits onsite at the client's site. So it will perform the backup and then try an actual restore of that backup to make sure it's good. [00:35:35] And we can even, for a client, depending on what they want, so a higher level, if a machine goes down, let's say it catches fire, or a disk explodes in it, or it completely fails, we can actually bring that machine online inside our backup server at the customer's site.
Yeah, how's that for fancy? And bring it back online in just a matter of minutes instead of days or weeks. [00:36:04] So that's true, too, if that machine had been ransomed, had its data erased, whatever might've happened to it. We can restore it now. We've never had to, knock on wood, except when there was a physical problem with the machine, and starting from scratch, getting that machine, the new machine, online in four hours or less. [00:36:28] And it's really cool the way it works. If you like this stuff, man, it is great. Okay. Protecting your data. I'm rambling a little bit here. You need an archival service. There's companies out there like Iron Mountain. You can, at your local bank, depending on the bank, it ain't like it used to be, get a box, right? [00:36:50] A special box in the vault that you put the tapes and other things in. Nowadays there's cloud options, virtual tape backup options, which is a lot of what we use and we do. Okay. We also use straight cloud at the very bottom end. Again, it's not located on the network. It's up in the cloud. It's double encrypted. [00:37:13] It's absolutely the way to do it. Now, if you're going to have a backup, and if you want that backup to be secure, it must not be accessible to the attacker. You've got to put some literal air space between your backups and the cyber criminals. It's called an air gap, so there's no way for them to get to it. [00:37:37] Okay. Now I want you to consider seriously using tape, these LTO, these linear tape drives. They've been around for a long time, but their cartridges you can pull in and out. And they're huge. They're physically small, but they can hold terabytes' worth of data. They're absolutely amazing. There's some great disk-based backup systems, which is what we do. [00:38:02] Some of them have been around a long time, and they can be quite reasonably priced. All right.
So it's something for you to consider, but you've got to have at least that air gap in order to make sure that you're going to be protected. What should you be looking for in a backup system? This is called 3-2-1-1-0, which means maintain at least three copies of your data, store the backups on two different media, [00:38:31] store at least one of the copies at an offsite location, store at least one of the copies offline, and be sure to have verified backups without error. Okay. Does that sound a little complicated? 3-2-1-1-0 is what it's called. It used to be 3-2-1. Now it's 3-2-1-1-0. I can send you, Karen put together a special report on this based on our research, [00:38:57] and I can share that with you. Absolutely free. Hey guys, if you want it, you got it. But you got to ask me. Just email me, me@craigpeterson.com. This is absolutely essential if you're a small business, a tiny business, to do it this way. Let me tell you, okay, this is just huge. Physical backups should be stored offsite. [00:39:19] I mentioned the bank vault. A lot of people just go ahead and take them home with them. That might be a disk. It might be a tape. It can be a little bit complicated to do, and I've picked up customers that thought they were backing up. They were using a USB drive. They were putting it in dutifully every Monday, [00:39:41] and then every Wednesday, what happened? Every Wednesday they bring in Wednesday's disk, and then they bring that disk home, and then Thursday, they bring in the Thursday disk. And none of them had been working. Okay. So be very careful. All of your backups should be encrypted. We encrypt it at the customer site, and then we re-encrypt it when we bring it over to us. [00:40:06] Okay. Keys are essential, particularly if you're using a cloud-based backup. Don't use the same keys across multiple backups. Very important there. You should have some good procedures that are well-documented. Test, test your restores, because very frequently
we find they don't work. In fact, that's the number one problem, right? [00:40:30] If they had just tried to restore, even once, from their backup, they would've known they had problems. And get those backups scheduled on a regular schedule. Okay. So there's a lot more, offline backups and more, that we can talk about another time, but this is important. If you want any help, send me an email. Just put backups in the subject line. [00:40:55] I'll send you some stuff. Email me, me@craigpeterson.com. Now I am more than glad to help pretty much anybody out there. I'm not going to help, what about, blah, blah, Vladimir Putin. But anybody else I'll help, but you got to reach out. Okay. You listen here, and I know some of this stuff is over some of our heads, some of your heads. You're the best and brightest. [00:41:20] That's why you're listening, and I'll help you out. I'll send you some information that's going to get you on the right track. me@craigpeterson.com. That's Craig Peterson, S-O-N. Have a great day. [00:41:35] We just got an email this week from a customer, and they're saying, oh no, my email has been hacked. What does that mean? Was it really hacked? We're going to talk right now about email spoofing, which is a very big deal. [00:41:51] Email spoofing has been a problem for a long time, really since the 1970s. I remember when I got my first spoofed email back in the eighties, and it was really a little bit confusing. [00:42:05] I went into it in more detail, of course, being a very technical kind of guy, and looked behind the curtains, figured out what was going on. Just shook my head. I marveled at some people. Why would you do this sort of thing? The whole idea behind email spoofing is for you to receive an email that looks like it's from someone that it's not. Now, you've all seen examples of this. [00:42:30] Everybody has.
And those emails that are supposedly from the bank, or maybe from Amazon or some other type of business, or a family friend, this is part of what we call social engineering, where the bad guys are using a little bit about what they know about you, or maybe another person, in order to, frankly, fool you. [00:42:54] That's what spoofing really is. There were a lot of email accounts that were hacked over the last, what, 30, 40 years. And you might remember this, people sending out an email saying, oh, my account got hacked, because you just got emails. Back in the day, what people were trying to do is break into people's email accounts, and then the bad guys, after having broken in, now knew everybody that was in the contact list from the account that was just broken into. [00:43:29] Now they know, hey, listen, this person sends an email. Maybe I can just pretend I'm them. These days, the same thing still happens, but now typically what you're seeing is a more directed attack. So a person might even look in that email account that they've broken into and poke around a little bit and find out, oh, okay, [00:43:52] so this person's account I just broke into is a purchasing manager at a big company. So then they take the next step, or maybe the step after that, and try and figure out, okay, so now what do I do? Oh, okay. So really what I can do now is send fake purchase orders or send fake requests for money. I've seen in the past, with clients that we've picked up because the email was acting strangely, where a bad guy went ahead and found [00:44:25] invoices that had been sent out by the purchasing person, and they sent the invoices out and changed the pay-to information on the invoice. So they took the PDFs of the invoices that they found on the file server, went in and changed them, changed the account that they wanted the funds ACH'd into. And once they had that happen, they just sent the invoice out again saying overdue.
[00:44:54] Off it goes in the email, and the company receives it and says, oh okay, I need to pay this invoice now. Sometimes they marked them overdue, sometimes they didn't mark them overdue; I've seen both cases. And now the money gets sent off, and that invoice gets paid, and it gets paid to the wrong person. [00:45:13] Or maybe they go ahead and they don't send the invoice out, but they just send a little notification saying, hey, our account has changed. Make sure you direct all future payments to this account instead. Now you might be thinking, wait a second here. Now they send this email out. It's going to go into a bank account. [00:45:33] I can recover the money. Well, no, you can't, because what they're doing is they are using mules. Now, you've heard of mules before. You might've even seen that recent Clint Eastwood movie, I think it was called... But typically when we think of mules as people, we're thinking about people who are running drugs. Well, in this case, the bad guys use mules in order to move money around. [00:45:59] And now sometimes the people know what they're doing. The FBI has had some really great arrests of some people who were doing this, particularly out in California. Some of them claimed, yeah, I didn't know what was happening. It was just somebody asked me to send money. It's like the Nigerian scam, where in the Nigerian scam they say, hey, I'm a Nigerian prince, you've heard of these things before, and I need to get my money out of the country. I need a place to put it. And so if you have a US account, I'm going to transfer money into it. You can keep a thousand dollars of that 5,000 I'm going to wire in, just as a fee. Thanks for doing this. This is so important and it's such a hurry, and I'm going to send you the money. [00:46:46] What they'll often do is send you a money order. It could be a bank check, could be a lot of things, and then you go ahead and you cash it and, oh, okay, it cashed just fine.
And then you wire the $4,000 off to the bad guy. The bad guy gets the money and is off and running. In the meantime, your bank is trying to clear that bank check or that money order, [00:47:14] and they find out that there is no money there, because, frankly, what might've happened? This is one I've seen; I'm telling you about a story where we helped to solve this problem. They had taken out a real money order from a bank, and then they made copies of it. Basically, they just forged it. And so they forged a hundred copies of it, [00:47:36] so people thought they were getting a legitimate money order. And in some cases, the banks where the money order was deposited did confirm it. They called up the source bank. Oh yeah, yeah, that's a legit money order. And then they all hit within a week or two, and now you are left holding the bag. [00:47:58] So that's one thing that happens. But typically with these mules, the money comes to them in that account. They are supposed to then take that money and put it in their PayPal account and send it off to the next one. And it might jump through two or three different people, and then it ends up overseas, and the bad guys have gotten so good at this, and have the cooperation of some small countries, sometimes bigger countries, that they actually own [00:48:30] the bank overseas that the money ultimately gets transferred into. And of course there's no way to get the money back. It's a real problem. So with spoofing, they're trying to trick you into believing the email's from someone that you know, or someone that you can trust, or, as I said, maybe a business partner of some sort. In most cases, it's some sort of a colleague, a vendor or a trusted brand. [00:48:58] And so they exploit the trust that you have, and they ask you to do something or divulge information. They'll try and get you to do something. So there are more complex attacks.
Like the ones that I just explained here, that are going after financial employees: there might be an accountant, a bookkeeper, or a bill payer, receivables, payables. [00:49:24] I've seen CFO attacks. But really, the spoofed email message looks legitimate on the surface. They'll use the legitimate logo of the company that they're trying to pretend that they're from, for instance PayPal, in a phishing attack. They have a spoofed email sender, and in typical email clients like you might be using, for instance Microsoft Outlook, [00:49:48] the sender address is shown on the message, but most of the time nowadays the mail clients hide the actual email address, or if you just glance at it, it looks legit. You've seen those before, these forged email headers. Yeah, it gets to be a problem. Now, we use some software from Cisco that we buy. [00:50:13] You have to buy, I think it's a thousand licenses at a time, but there are some others out there. Cisco, again, by far the best. And this software receives the email. So before it even ends up in the Exchange server or somewhere else online, that email then goes through that Cisco server. They are comparing it to billions of other emails that they've seen, including, in real time, emails that are [00:50:41] right now. And they'll look at the header of the email message. You can do that as well. With any email client, you can look at the header; Microsoft Outlook calls it View Source. But if you look at the email header, you'll see Received headers that are in there. So it'll say Received: from, and they'll give a name of a domain, and then you'll see another Received header and it'll give another name of a machine, [00:51:08] and it'll include the IP address, might be IPv4 or IPv6, and you can then follow it all the way through. So what'll happen is, partway through, you'll see it took a hop that is not legitimate. That's where it comes in.
Nowadays, if you have an email address for your business, meaning a domain, you need to be publishing what are called SPF records. [00:51:37] And those SPF records are looked at, they're compared, to make sure that the email is properly signed and is from the correct sender. There's SPF records, there's others too that you should have in place, but you'll see that in the headers, if you're looking in the header. So it gets pretty complicated. [00:51:59] SPF, which is the Sender Policy Framework, is a security protocol standard. It's been around now for almost a decade. It's working in conjunction with what are called Domain-based Message Authentication, Reporting, and Conformance headers, DMARC headers, to stop malware and phishing attacks. And they are very good if you use them properly, but unfortunately, when I look, I would say it's still 95% of emails that are being sent by businesses are not using this email spoofing protection. [00:52:35] So have a look at that, and I can send you a couple articles on it if you're interested: craigpeterson.com. [00:52:46] So we've established that email spoofing happens. What are the stats to this? And how can you further protect yourself from email spoofing, particularly if you're not the technical type controlling DNS records? That's what's up, right? [00:53:02] Everybody, Craig Peterson here, your cybersecurity strategist, and you're listening to News Radio WGAN AM 560 and 98.5 FM. Join me on the Morning Drive Wednesday mornings at 7:34, of course in the a.m. There's so much going on in the cybersecurity world. It affects all of us. Now, I think back to the good old days 40 years ago, where we weren't worried about a lot of this stuff, spoofing, et cetera. [00:53:36] But what we're talking about right now is 3.1 billion domain-spoofed emails sent every day. That's a huge thing. More than 90% of cyber attacks start with an email message.
Email spoofing and phishing have had a worldwide impact, costing probably $26 billion over the last five years. A couple of years ago, the FBI, this is 2019, [00:54:07] reported that about half a million cyber attacks were successful; 24% of them were email-based, and the average scam tricked users out of $75,000. Yeah. So it's no wonder so many people are concerned about their email and whether or not those pieces of email are really a problem for them, and then anybody else. [00:54:34] So a common attack that uses spoofing is CEO fraud, also known as business email compromise. So this is where the attacker is spoofing or modifying, pretending to be a certain person that they're not; they're impersonating an executive or owner, maybe, of a business. And it targets people in the financial, accounting or accounts payable departments, or even the engineering department. [00:55:01] And that's what happened with one of our clients this week. They got a very interesting spoofed email. So even when you're smart and you're paying attention, you can be tricked. The Canadian city treasurer tricked into transferring a hundred grand from taxpayer funds; Mattel tricked into sending 3 million to an account in China; a bank in Belgium tricked into sending the attackers 70 million euro. [00:55:31] It happens, and I have seen it personally with many businesses out there. So how do you protect yourself from email spoofing? Now, even with email security in place, there are some malicious email messages that are still going to get through to the inboxes. Now, we're able to stop better than 96% of them, just based on our stats. [00:55:54] In fact, it's very rare that one gets through, but here are some things you can do and watch out for, whether you're an employee responsible for financial decisions, or maybe you're someone who is using personal email at work. Here's some tricks here. So get your pencil ready. Number one: never click links to access a website
[00:56:19] where you're asked to log in. Always type the official URL into your browser and authenticate in the browser. In other words, if you get an email from your bank or someone else, and there's a link in there to click that says, hey, oh man, here's some real problems, you've got to respond right away, [00:56:42] don't do that. Go to paypal.com or your bank or your vendor's site; just type it into your browser. Even though you can hover over the email link and see what it is, sometimes it can be perfectly legitimate and yet it looks weird. For instance, when I send out my emails that people subscribe to, right there on craigpeterson.com, the links are going to come from the people that handle my email lists for me, because I send out thousands of emails at a time to people that have asked to get those emails. [00:57:22] So I use a service, and the service is taking those links, modifying them somewhat, in fact dramatically, and using that to make sure the delivery happened, people are opening it, and that I'm not bothering you, so you can unsubscribe. Next step: you can, if you want to dig in more, look at the email headers. [00:57:45] Now, they're different for every email client. If you're using Outlook, you have to select the email, basically in the left-hand side. Okay? You're going to control-click on that email, and it'll come up and you'll see something that says View Source. So in the Outlook world, they hide it from you. [00:58:06] If you're using a Mac and Mac Mail, all you have to do is go up in the menu bar, Mail, and View, Header, and turn it on. There it is. I have many times in the past just left that turned on, so I'm always seeing the headers; that reminds me to keep a look at those headers. So if you look in the header, and if the email sender is, let me put it this way: [00:58:31] if the person who is supposed to have sent it to you is doing headers properly, you're going to see
a Received-SPF section of the headers, and right in there you can look for a pass or fail in the response, and that'll tell you if it's legit. So in other words, let's use PayPal as an example. PayPal has these records that it publishes that say all of our emails are going to come from this server or that server. [00:59:04] And I do the same thing for my domains, and we do the same thing for our clients' domains. So it's something that you can really count on, if you're doing it right, that this section of the headers. And that's what I was talking about earlier. If you have an email that you're sending out from your domain and you don't have those proper headers in it, there's no way [00:59:31] to truly authenticate it. Now, I go a step further and I use GPG in order to sign most of my emails. Now, I don't do this for the trainings and other things, but direct personal emails from me will usually be cryptographically signed, so you can verify that it was me that sent it. Another thing you can do is copy and paste the text, the body of that email, into a search engine. [01:00:03] Of course, I recommend DuckDuckGo in most cases. And the chances are that, frankly, they've sent it to multiple people. That's why I was saying our Cisco-based email filter, that's what it does: it looks for common portions of the body for emails that are known to be bad. Be suspicious of email from official sources like the IRS; they're not going to be sending you email out of the blue. Most places aren't. Obviously, don't open attachments from people that you don't know, especially suspicious ones; particularly, people will send PDFs that are infected. It's been a real problem. They'll send, of course, Word docs, Excel docs, et cetera, as well. [01:00:54] And the more of a sense of urgency or danger that's a part of the email, it should really get your suspicions up, frankly, because suggesting something bad is going to happen
if you don't act quickly, that kind of gets around part of your brain, and it's the fight or flight, right? Hey, I gotta take care of this. [01:01:17] I gotta take care of this right away. Ah, and maybe you... So those are the main things that you can pay attention to in the emails. If you are a tech person and you're trying to figure this out, how can I make the emails safer for our company, you can always drop me an email as well: me@craigpeterson.com. [01:01:43] I can send you to a couple of good sources. I'll have to put together a training as well on how to do this, but as individuals, at least from my standpoint, a lot of this is common sense, and unfortunately the bad guys have made it so email is something we can no longer completely trust. Spoofing is a problem. [01:02:05] As I said, we just saw it again this week. Thank goodness it was all caught and stopped. The account was not hacked. It was just a spoofed email from an account outside the organization that was act... craigpeterson.com. Stick around. [01:02:24] The value of crypto coins has been going down lately quite a bit, across the board, not just Bitcoin, but the amount of crypto mining and cryptojacking going on, that hasn't gone down much at all. [01:02:48] Hi, I'm Craig Peterson, your cybersecurity strategist, and you're listening to News Radio WGAN AM 560 and 98.5 FM. You can join me on the Morning Drive every Wednesday morning at 7:34; Matt and I go over some of the latest in news. You know about crypto coins, at least a little bit, right? [01:03:15] These are the things like Bitcoin and others that are ostensibly private, but in reality aren't that private. If you receive coins and you spend coins, you are probably trackable. And if you can't spend the cryptocurrencies, why even bother getting them in the first place? One of the big drivers behind the price of these cryptocurrencies has been criminal activity. [01:03:48] We've talked about that before.
Here's the problem we're seeing more and more nowadays: even though the price of Bitcoin might go down 30%, which it has, and it's gone down in bigger chunks before, it does not mean that the bad guys don't want more of it. And what better way to mine cryptocurrency than to not have to pay for it? [01:04:15] So the bad guys have been doing something called cryptojacking. This is where criminals are using really ransomware-like tactics and poisoned websites to get your computer, even your smartphone, to mine cryptocurrencies for them. Now, mining a Bitcoin can cost as much in electric bills, in fact more in electric bills, than you get from the value of the Bitcoin itself. So it's expensive for them to run it. Some countries like China have said, no, you're not doing it anymore, because they're using so much electricity. Here in the US we've even got crypto mining companies that are buying old power plants, coal-fired or otherwise, and are generating their own electricity there locally in order to be able to mine cryptocurrencies efficiently, effectively, so that they can make some profit from it. [01:05:18] It's really quite the world out there. Some people have complained about their smartphone getting really hot. Their battery only lasts maybe an hour, and it's supposed to last all day. Sometimes what's happened is your smartphone has been hijacked. It's been cryptojacked. So your smartphone, they're not designed to sit there and do heavy computing all day long [01:05:45] like a workstation is. Even your regular desktop computer probably isn't, to be able to handle the day-long mining that has to happen. In fact, the most efficient way to do crypto mining, of course, is using specialized hardware, but that costs them money. So why not just cryptojack? All right. There are two primary ways [01:06:09] hackers have been getting victims' computers to secretly mine cryptocurrencies. One is to trick them into loading crypto mining code onto their computers.
So that's done through various types of phishing-like tactics. They get a legitimate-looking email that tricks people into clicking on a link, and the link runs code. [01:06:30] Now, what's interesting is, even for cryptojacking, you don't even have to download a program to have your computer start mining cryptocurrencies for the bad guys. They can use your browser to run a crypto mining script, and it runs in the background as you work, right, using up electricity, using up the CPU on your computer. [01:06:58] They also will put it into ads. They'll put it on a website, and your browser goes ahead and runs the code beautifully. So they're really trying to maximize their returns. That's the basics of cryptojacking. What's been particularly bad lately has been the hackers breaking into cloud accounts and then using those accounts to mine cryptocurrency. One of the trainings that I had on my Wednesday Wisdoms has to do with password stuffing, and my Wednesday Wisdoms you can get by just subscribing to my email over there at craigpeterson.com. [01:07:44] But what happens here is they find your email address. They find your password on one of these hacks that has occurred, on the dark web. You weren't on the dark web, but your username or email address and password are there on the dark web. And then they just try it. So a big site like Amazon, or maybe it was your IBM, which also has cloud services, can be sitting there running along very well, having fun. [01:08:16] Life's good. And then they go ahead and try your email address and password to try and break in. Now, you know how I keep telling everybody, use a good password manager, and this week I actually changed my opinion on password managers. So you know that I really like the password manager that you can get from 1password.com. [01:08:44] It really is fantastic, particularly for businesses, various types of enterprises: 1password.com.
However, where I have changed is that some of these browsers nowadays, particularly thinking about Firefox, Google Chrome, Safari, particularly if you're on a Mac, all have built-in password managers that are actually good. Now, they check Have I Been Pwned, which is a site I've talked to you guys about for years, to make sure that your accounts are reasonably safe and not being found on the dark web. The new password that it came up with, or that you want to use, they check that as well, make sure it's not in use. So here's an example here. [01:09:32] This is a guy by the name of Chris. He lives out in Seattle, Washington, and he makes mobile apps for local publishers. Just this year, New Year's Day, he got an alert from Amazon Web Services. Now, Amazon Web Services, of course, cloud service. They've got some really nice stuff, starting with Lightsail and going up from there. I've used various services from them for, well, since they started offering the services, over very many years, and [01:10:04] they allow you to have a computer, and you can get whatever size computer you want to, or fraction of a computer you want to. He got this alert because it said that he owed more than $53,000 for a month's worth of hosting. Now, his typical Amazon bill is between a hundred and 150 bucks a month. My typical Amazon bill is now 50 to maybe $80 a month. [01:10:34] I cannot imagine getting a $53,000 bill from our friends at Amazon. So the poor guy was just totally freaking out, which is a very big deal. So I'm looking at an article from Insider that you can find at businessinsider.com. They were able to confirm that, yes indeed, he got this $53,000 bill from Amazon, and yes indeed, [01:11:00] it looks like his account had been hacked by cryptocurrency miners. So these guys can run up just incredibly large charges for the raw computing power they need to produce some of these digital cryptocurrencies, like Bitcoin; there's many others out there.
But this isn't new. This is happening all of the time. [01:11:23] Google reported late last year that 86% of account breaches on its Google Cloud Platform were used to perform cryptocurrency mining. So make sure you are using a good password manager that generates good passwords. And I have a special report on passwords. You can download it immediately when you sign up for [01:11:48] my email, my weekly email newsletter, at craigpeterson.com, and it tells you what to do, how to do it, what is a good password, what the thinking is, because it's changed on passwords. But do that, and use two-factor authentication, multi-factor authentication, as well. And I talk about that in that special report too. [01:12:11] And visit me online. Sign up right now: craigpeterson.com. [01:12:17] We're moving closer and closer to completely automated cars, but we want to talk right now about car hacks, because there was an interesting one this week that has to do with Tesla. And we'll talk about some of the other hacks on cars. [01:12:33] Connected cars are coming our way in a very big way. [01:12:38] We just talked about the shutdown of 2G and 3G in our cars. Well, it wasn't really our cars, right? 2G, 3G, that was for our cell phones. That was years ago. Of course, now 4G LTE, 5G, even 10G is being used in the labs right now. It's hard to think about some of those older technologies, but they were being used, and they were being used by cars, primarily for the navigation features. [01:13:13] Some cars use these data links, if you will, that are really on the cell phone network in order to do remote things like remote start. For instance, I have a friend whose Subaru, of course, was using that. And now she's got to do an upgrade on her car because that 3G technology is going away. Depending on the carrier, by the way, some of it's going away sooner, [01:13:40] some of it's going away later, but it'll all be gone at the end of 2020. What are we looking at?
As we look into the future, I'm really concerned. I don't want to buy one of these new cars, at the same time as I do, because they are cool, but I don't want to buy one of those because of the real problem that we could have of, well, of having that car [01:14:07] need an upgrade and not being able to do it. I watched a video of a guy who took a Tesla that had been damaged badly in a flood, and he was able to buy it for cheap. Why? Because Tesla will not sell you new motors and new batteries for a car like that. So he got the car for cheap. He found a Chevy Camaro that had been wrecked, but its engine and transmission were just fine. [01:14:37] He ripped everything out of the Tesla, and went ahead after that, because you've got to clean that out, the water damage. You spray-wash all of the inside. He got right down to the aluminum; everything that wasn't part of the core aluminum chassis was gone. And then he built it back up again. He managed to keep all of those Tesla systems working, that screen that you have up front that does the temperature control, cruise, maps, everything. [01:15:09] He kept that; it was able to work. The automated stuff, cruise control type stuff. And now he had a very hot car that looked like a Tesla. He took it out to SEMA, which is pretty cool. I'd love to see that, but it was a Tesla with a big V8 gasoline engine in it. He's done quite a good job on it. [01:15:33] It was quite amazing to see. It took them months. It was him and some of his buddies. These new cars are even more connected than my friend's Subaru is. They get downloads from the... Some of them are using Wi-Fi and 5G.
Really, one of the big promises of 5G is, hey, our cars can talk to each other, because now you can get a millisecond delay in going from one car to another, versus what you have today, which can be a half a second or more, which can be the difference between having a rear-end collision and being able to stop in time when it comes to these automated systems. [01:16:15] So they are more connected. They connect to the Wi-Fi in your homes. They connect to, obviously, the 5G network, which is where things are going right now. But what's happening with the hackers? Because really, what we're talking about isn't a computer on wheels. Oh no. Dozens of computers inside that car, and your car has a network inside of it, and has had for many years, this CAN bus network, and even fancier ones nowadays, that connect all of your systems together. [01:16:50] So your entertainment system, for instance, is connected to this network. And that was used, you might remember, a couple of years ago on a Chrysler product, where the bad guy installed, or using a thumb drive onto that entertainment system, and had a reporter drive that car down the road. This is all known. [01:17:13] It was all controlled. And the bad guy right there, the demonstration, in this case I guess you'd call them a white hat hacker, was able to drive that car right off the road while the reporter was trying to steer otherwise, because cars nowadays don't have a direct linkage between anything in any... [01:17:36] That's why I love my 1980 Mercedes TESOL. You turn the steering wheel. It isn't act

Craig Peterson's Tech Talk
Do You Know How Hackers are Spoofing You? All About Email spoofing!

Jan 29, 2022 (84:50)


We just got an email this week from a customer and they're saying, "Oh no, my email has been hacked." What does that mean? Was it really hacked? We're going to talk right now about email spoofing, which is a very big deal. [Following is an automated transcript] [00:00:15] Email spoofing has been a problem for a long time, really since the 1970s. I remember when I got my first spoofed email back in the eighties, and there was really a little bit of confusion. [00:00:30] I went into it in more detail, of course, being a very technical kind of guy, and looked behind the curtains, figured out what was going on. Just shook my head. I marveled at some people. Why would you do this sort of thing? The whole idea behind email spoofing is for you to receive an email that looks like it's from someone that it's not. Now, you've all seen examples of this. [00:00:55] Everybody has. And those emails that are supposedly from the bank, or maybe from Amazon or some other type of business or family friend, this is part of what we call social engineering, where the bad guys are using a little bit about what they know about you, or maybe another person, in order to, frankly, fool you. [00:01:19] That's what spoofing really is. There were a lot of email accounts that were hacked over the last, what, 30, 40 years. And you might remember these people sending out an email saying, oh, my account got hacked, because you just got emails. Back in the day, what people were trying to do is break into people's email accounts, and then the bad guys, after having broken in, now knew everybody that was in the contact list from the account that was just broken into. [00:01:54] Now they know, hey, listen, this person sends an email. Maybe I can just pretend I'm them. These days the same thing still happens, but now typically what you're seeing is a more directed attack.
So a person might even look in that email account that they've broken into and poke around a little bit and find out, oh, okay. [00:02:16] So this person's account is a purchasing manager at a big company. So then they take the next step, or maybe the step after that, and try and figure out, okay, so now what do I do? Oh, okay. So really what I can do now is send fake purchase orders or send fake requests for money. I've seen in the past, with clients that we've picked up because the email was acting strangely, where a bad guy went ahead and found [00:02:49] invoices that had been sent out by the purchasing person, and then sent the invoices out and changed the pay-to information on the invoice. So they took the PDFs of the invoices that they found on the file server, went in and changed them, changed the account that they wanted the funds ACHed into. And once they had that happen, they just sent the invoice out again, saying overdue. [00:03:18] Off it goes in the email, and the company receives it and says, oh okay, I need to pay this invoice now. Sometimes they marked them overdue, sometimes they didn't mark them overdue; I've seen both cases. And now the money gets sent off, and that invoice gets paid, and it gets paid to the wrong person. [00:03:38] Or maybe they go ahead and they don't send the invoice out, but they just send a little notification saying, hey, our account has changed. Make sure you direct all future payments to this account instead. Now you might be thinking, wait a second here. Now they send this email out. It's going to go into a bank account. [00:03:57] I can recover the money. Well, no, you can't, because what they're doing is they are using mules. Now, you've heard of mules before. You might've even seen that recent Clint Eastwood movie, I think it was called... But typically when we think of mules as people, we're thinking about people who are running drugs. Well, in this case, the bad guys use mules in order to move money around.
[00:04:24] And now sometimes the people know what they're doing. The FBI has had some really great arrests of some people who were doing this, particularly out in California. Some of them claimed, yeah, I didn't know what was happening. It was just somebody asked me to send money. It's like the Nigerian scam, where in the Nigerian scam they say, hey, I'm a Nigerian prince, you've heard of these things before, and I need to get my money out of the country. I need a place to put it. And so if you have a US account, I'm going to transfer money into it. You can keep a thousand dollars of that 5,000 I'm going to wire in, just as a fee. Thanks for doing this. This is so important and it's such a hurry, and I'm going to send you the money. [00:05:11] What they'll often do is send you a money order. It could be a bank check, could be a lot of things, and then you go ahead and you cash it and, oh, okay, it cashed just fine. And then you wire the $4,000 off to the bad guy. The bad guy gets the money and is off and running. In the meantime, your bank is trying to clear that bank check or that money order, [00:05:38] and they find out that there is no money there, because, frankly, what might've happened? This is one I've seen; I'm telling you about a story where we helped to solve this problem. They had taken out a real money order from a bank, and then they made copies of it. Basically, they just forged it. And so they forged a hundred copies of it, [00:06:01] so people thought they were getting a legitimate money order. And in some cases, the banks where the money order was deposited did confirm it. They called up the source bank. Oh yeah, yeah, that's a legit money order. And then they all hit within a week or two, and now you are left holding the bag. [00:06:22] So that's one thing that happens. But typically with these mules, the money comes to them in that account.
They are supposed to then take that money and put it in their PayPal account and send it off to the next. And it might jump through two or three different people, and then it ends up overseas. And the bad guys have gotten so good at this, and have the cooperation of some small countries, sometimes bigger countries, that they actually own

[00:06:54] the bank overseas that the money ultimately gets transferred into. And of course there's no way to get the money back. It's a real... So with spoofing, they're trying to trick you into believing the email's from someone that you know, or someone that you can trust, or, as I said, maybe a business partner of some sort. In most cases, it's some sort of a colleague, a vendor or a trusted brand.

[00:07:22] And so they exploit the trust that you have, and they ask you to do something or divulge information. They'll try and get you to do something. So there's more complex attacks, like the ones that I just explained here, that are going after financial employees. There might be an accountant, a bookkeeper, or bill payer, and receivables, payables.

[00:07:48] I've seen CFO attacks, but really the spoofed email message looks legitimate on the surface. They'll use the legitimate logo of the company that they're trying to pretend that they're from, for instance, PayPal, phishing attack. They have a spoofed email sender, and typical email clients like you might be using, for instance, Microsoft Outlook...

[00:08:13] The sender address is shown on the message, but most of the time nowadays the mail clients hide the actual email address, or if you just glance at it, it looks legit. You've seen those before, these forged email headers. Yeah, it gets to be a problem. Now we use some software from Cisco that we buy.

[00:08:38] You have to buy, I think it's a thousand licenses at a time, but there are some others out there. Cisco, again, is by far the best. And the software receives the email.
So before it even ends up in the Exchange server or somewhere else online, that email then goes through that Cisco server. They are comparing it to billions of other emails that they've seen, including, in real time, emails that are

[00:09:06] right now... And they'll look at the header of the email message. You can do that as well. With any email client, you can look at the header. Microsoft Outlook calls it view source. But if you look at the email header, you'll see Received headers that are in there. So it'll say "Received: from", and they'll give a name of a domain, and then you'll see another Received header and give another name of a machine.

[00:09:33] And it'll include the IP address, might be IPv4 or IPv6, and you can then follow it all the way through. So what'll happen is partway through, you'll see it took a hop that is not legitimate. That's where it comes in. Nowadays, if you have an email address for your business, man, a domain, you need to be publishing what are called SPF records.

[00:10:01] And those SPF records are looked at. They're compared to make sure that the email is properly signed and is from the correct sender. There's SPF records. There's others too that you should have in place, but you'll see that in the headers, if you're looking in the header. So it gets pretty complicated.

[00:10:24] The SPF, which is the Sender Policy Framework, is a security protocol standard. It's been around now for almost a decade. It's working in conjunction with what are called Domain-based Message Authentication, Reporting and Conformance headers, DMARC headers, to stop malware and phishing attacks. And they are very good if you use them properly. But unfortunately, when I look, I would say it's still 95% of emails that are being sent by businesses are not using this email spoofing protection.

[00:11:00] So have a look at that, and I can send you a couple articles on it if you're interested. craigpeterson.com.
[00:11:07] So we've established that email spoofing happens. What are the stats to this? And how can you further protect yourself from email spoofing, particularly if you're not the technical type controlling DNS records? That's what's up right now.

[00:11:24] There's so much going on in the cybersecurity world. It affects all of us. Now, I think back to the good old days 40 years ago, where we weren't worried about a lot of this stuff, spoofing, et cetera.

[00:11:38] But what we're talking about right now is 3.1 billion domain-spoofed emails sent every day. That's a huge thing. More than 90% of cyber attacks start with an email message. Email spoofing and phishing have had a worldwide impact, costing probably $26 billion over the last five years. A couple of years ago, the FBI, this is 2019,

[00:12:09] reported that about a half a million cyber attacks were successful. 24% of them were email-based, and the average scam tricked users out of $75,000. Yeah. So it's no wonder so many people are concerned about their email, and whether or not those pieces of email are really a problem for them and then anybody else.

[00:12:36] So a common attack that uses spoofing is CEO fraud, also known as business email compromise. So this is where the attacker is spoofing or modifying, pretending to be a certain person that they're not. They're impersonating an executive or owner, maybe, of a business. And it targets people in the financial, accounting or accounts payable departments, or even the engineering department.

[00:13:03] And that's what happened with one of our clients this week. They got a very interesting spoofed email. So even when you're smart and you're paying attention, you can be tricked. The Canadian city treasurer tricked into transferring a hundred grand from taxpayer funds. Mattel tricked into sending 3 million to an account in China. A bank in Belgium tricked into sending the attackers 70 million euro.
[00:13:33] It happens, and I have seen it personally with many businesses out there. So how do you protect yourself from email spoofing? Now, even with email security in place, there's some malicious email messages that are still going to get through to the inboxes. Now we're able to stop better than 96% of them, just based on our stats.

[00:13:56] In fact, it's very rare that one gets through, but here are some things you can do and watch out for, whether you're an employee responsible for financial decisions, or maybe you're someone who is using personal email at work. Here's some tricks here. So get your pencil ready. Number one, never click links to access a website

[00:14:20] where you're asked to log in. Always type the official URL into your browser and authenticate in the browser. In other words, if you get an email from your bank or someone else, and there's a link in there to click that says, hey, oh man, here's some real problems, you've got to respond right away,

[00:14:44] don't do that. Go to paypal.com or your bank or your vendor's site. Just type it into your browser, even though you can hover over the email link and see what it is. Sometimes it can be perfectly legitimate and yet it looks weird. For instance, when I send out my emails that people subscribe to, right there on craigpeterson.com, the links are going to come from the people that handle my email lists for me, because I send out thousands of emails at a time to people that have asked to get those emails.

[00:15:24] So I use a service, and the service is taking those links, modifying them somewhat, in fact dramatically, and using that to make sure the delivery happened, people are opening it, and that I'm not bothering you, so you can unsubscribe. Next step. You can, if you want to dig in more, look at the email headers.

[00:15:47] Now they're different for every email client. If you're using Outlook, you have to select the email, basically, in the left-hand side. Okay.
You're going to control-click on that email, and it'll come up, and you'll see something that says view source. So in the Outlook world, they hide it from you.

[00:16:07] If you're using a Mac and Mac Mail, all you have to do is go up in the menu bar to View, Headers, and there it is. I have many times in the past just left that turned on, so I'm always seeing the headers. That reminds me to keep a look at those headers. So if you look in the header, and if the email sender is, let me put it this way,

[00:16:33] if the person who is supposed to have sent it to you is doing headers properly, you're going to see a Received-SPF section of the headers, and right in there, you can look for a pass or fail in the response, and that'll tell you if it's legit. So in other words, let's use PayPal as an example. PayPal has these records that it publishes that say all of our emails are going to come from this server or that server.

[00:17:06] And I do the same thing for my domains, and we do the same thing for our clients' domains. So it's something that you can really count on, if you're doing it right, that this section of the headers... And that's why I was talking about it earlier. If you have an email that you're sending out from your domain and you don't have those proper headers in it, there's no way

[00:17:33] to truly authenticate it. Now I go a step further, and I use GPG in order to sign most of my emails. Now I don't do this for the trainings and other things, but direct personal emails from me will usually be cryptographically signed, so you can verify that it was me that sent it. Another thing you can do is copy and paste the text, the body of that email, into a search engine.

[00:18:05] Of course I recommend DuckDuckGo in most cases. And the chances are that, frankly, they've sent it to multiple people. That's why I was saying our Cisco-based email filter...
That's what it does. It looks for common portions of the body for emails that are known to be bad. Be suspicious of email from official sources like the IRS. They're not going to be sending you email out of the blue. Most places aren't. Obviously, don't open attachments from people that you don't know, especially suspicious ones. Particularly, people will send PDFs that are infected. It's been a real problem. They'll send, of course, Word docs, Excel docs, et cetera, as well.

[00:18:56] And the more a sense of urgency or danger is a part of the email, that should really get your suspicions up, frankly, because suggesting something bad is going to happen if you don't act quickly, that kind of gets around part of your brain, and it's the fight or flight, right? Hey, I gotta take care of this.

[00:19:19] I gotta take care of this right away. Ah, and maybe you... So those are the main things that you can pay attention to in the emails. If you are a tech person, and you're trying to figure this out, how can I make the emails safer for our company? You can always drop me an email as well: me@craigpeterson.com.

[00:19:45] I can send you to a couple of good sources. I'll have to put together a training as well on how to do this. But as individuals, at least from my standpoint, a lot of this is common sense. And unfortunately, the bad guys have made it so email is something we can no longer completely trust. Spoofing is a problem.

[00:20:07] As I said, we just saw it again this week. Thank goodness it was all caught and stopped. The account was not... It was just a spoofed email from an account outside the organization that was... craigpeterson.com. Stick around.

[00:20:26] The value of crypto coins has been going down lately quite a bit across the board, not just Bitcoin, but the amount of crypto mining and crypto jacking going on, that hasn't gone down much at all.

[00:20:50] Hi, I'm Craig Peterson, your cyber security strategist.
And you're listening to News Radio WGAN, AM 560 and FM 98.5. You can join me on the morning drive every Wednesday morning at 7:34. Matt and I go over some of the latest in news. You know about crypto coins, at least a little bit, right?

[00:21:18] These are the things like Bitcoin and others that are ostensibly private, but in reality, aren't that private. If you receive coins and you spend coins, you are probably trackable. And if you can't spend the cryptocurrencies, why even bother getting it in the first place? One of the big drivers behind the price of these cryptocurrencies has been criminal activity.

[00:21:50] We've talked about that before. Here's the problem we're seeing more and more nowadays. Even though the price of Bitcoin might go down 30%, which it has, and it's gone down in bigger chunks before, it does not mean that the bad guys don't want more of it. And what better way to mine cryptocurrency than to not have to pay for it?

[00:22:18] So the bad guys have been doing something called crypto jacking. This is where criminals are using really ransomware-like tactics and poisoned websites to get your computer, even your smartphone, to mine cryptocurrencies for them. Now, mining a Bitcoin can cost as much in electric bills, in fact more in electric bills,

[00:22:45] than you get from the value of the Bitcoin itself. So it's expensive for them to run it. Some countries like China have said, no, you're not doing it anymore, because they're using so much electricity. Here in the US, we've even got crypto mining companies that are buying old power plants, coal-fired or otherwise, and are generating their own electricity there locally in order to be able to mine cryptocurrencies efficiently, effectively, so that they can make some profit from it.

[00:23:20] It's really quite the world out there. Some people have complained about their smartphone getting really hot.
Their battery only lasts maybe an hour, and it's supposed to last all day. Sometimes what's happened is your smartphone has been hijacked. It's been crypto jacked. So your smartphone, they're not designed to sit there and do heavy computing all day long

[00:23:47] like a workstation is. Even your regular desktop computer probably isn't able to handle the day-long mining that has to happen. In fact, the most efficient way to do crypto mining, of course, is using specialized hardware, but that costs them money. So why not just crypto jack? All right. There are two primary ways

[00:24:11] hackers have been getting victims' computers to secretly mine cryptocurrencies. One is to trick them into loading crypto mining code onto their computers. So that's done through various types of phishing-like tactics. They get a legitimate-looking email that tricks people into clicking on a link, and the link runs code.

[00:24:32] Now what's interesting is, you don't even, for cryptocurrency crypto jacking, you don't even have to download a program to have your computer start mining cryptocurrencies for the bad guys. They can use your browser to run a crypto mining script, and it runs in the background as you work, right, using up electricity, using up the CPU on your computer.

[00:25:00] They also will put it into ads. They'll put it on a website, and your browser goes ahead and runs the code beautifully. So they're really trying to maximize their returns. That's the basics of crypto jacking. What's been particularly bad lately has been the hackers breaking into cloud accounts and then using those accounts to mine cryptocurrency. One of the trainings that I had on my Wednesday Wisdoms has to do with password stuffing, and my Wednesday Wisdoms you can get by just subscribing to my email over there at craigpeterson.com.

[00:25:46] But what happens here is they find your email address. They find your password on one of these hacks that has occurred, on the dark web.
You weren't on the dark web, but your username or email address and password are there on the dark web. And then they just try it. So a big site like Amazon, or maybe it was your IBM, also has cloud services, can be sitting there running along very well, having fun.

[00:26:19] Life's good. And then they go ahead and try your email address and password to try and break in. Now, you know how I keep telling everybody, use a good password manager? And this week I actually changed my opinion on password managers. So you know that I really like the password manager that you can get from 1password.com.

[00:26:46] It really is fantastic, particularly for businesses, various types of enterprises. 1password.com. However, where I have changed is that some of these browsers nowadays, particularly thinking about Firefox, Google Chrome, Safari, if you're, particularly if you're on a Mac, all have built-in password managers that are actually

[00:27:12] good. Now they check Have I Been Pwned, which is a site I've talked to you guys about for years, to make sure that your accounts are reasonably safe and not being found on the dark web. The new password that it came up with, or that you want to use, they check that as well, make sure it's not in use. So here's an example here.

[00:27:34] This is a guy by the name of Chris. He lives out in Seattle, Washington, and he makes mobile apps for local publishers. Just this year, New Year's Day, he got an alert from Amazon Web Services. Now Amazon Web Services, of course, cloud service. They've got some really nice stuff, starting with Lightsail and going up from there. I've used various services from them for, well, since they started offering the services, over very many years. And

[00:28:06] they allow you to have a computer, and you can get whatever size computer you want to, or fraction of a computer you want to. He got this alert because it said that he owed more than $53,000 for a month's worth of hosting.
Now his typical Amazon bill is between a hundred and 150 bucks a month. My typical Amazon bill is now 50 to maybe $80 a month.

[00:28:36] I cannot imagine getting a $53,000 bill from our friends at Amazon. So the poor guy was just totally freaking out, which is a very big deal. So I'm looking at an article from Insider that you can find at businessinsider.com. They were able to confirm that, yes, indeed, he got this $53,000 bill from Amazon, and yes, indeed,

[00:29:02] it looks like his account had been hacked by cryptocurrency miners. So these guys can run up just incredibly large charges for the raw computing power they need to produce some of these digital cryptocurrencies, like Bitcoin. There's many others out there. But this isn't new. This is happening all of the time.

[00:29:26] Google reported late last year that 86% of account breaches on its Google Cloud Platform were used to perform cryptocurrency mining. So make sure you are using a good password manager that generates good passwords. And I have a special report on passwords. You can download it immediately when you sign up for

[00:29:50] my email, my weekly email newsletter at craigpeterson.com, and it tells you what to do, how to do it, what is a good password, what the thinking is, because it's changed on passwords. But do that, and use two-factor authentication, multi-factor authentication as well. And I talk about that in that special report too.

[00:30:13] And visit me online. Sign up right now. craigpeterson.com.

[00:30:18] We're moving closer and closer to completely automated cars, but we want to talk right now about car hacks, because there was an interesting one this week that has to do with Tesla. And we'll talk about some of the other hacks on cars.

[00:30:34] Connected cars are coming our way in a very big way.

[00:30:40] We just talked about the shutdown of 2G and 3G in our cars. We, it wasn't really our cars, right? 2G, 3G, that was for our cell phones. That was
years ago, of course. Now 4G LTE, 5G, even 10G is being used in the labs right now. It's hard to think about some of those older technologies, but they were being used, and they were being used by cars, primarily for the navigation features.

[00:31:15] Some cars use these data links, if you will, that are really on the cell phone network, in order to do remote things like remote start. For instance, I have a friend whose Subaru, of course, was using that. And now she's got to do an upgrade on her car, because that 3G technology is going away. Depending on the carrier, by the way, some of it's going away sooner,

[00:31:43] some of it's going away later, but it'll all be gone at the end of 2020. What are we looking at as we look into the future? I'm really concerned. I don't want to buy one of these new cars. At the same time, I do, because they are cool, but I don't want to buy one of those because of the real problem that we could have of, well, of having that car

[00:32:09] need an upgrade and not being able to do it. I watched a video of a guy who took a Tesla that hadn't been damaged badly in a flood, and he was able to buy it for cheap. Why? Because Tesla will not sell you new motors and new batteries for a car like that. So he got the car for cheap. He found a Chevy Camaro that had been wrecked, but its engine and transmission were just fine.

[00:32:39] He ripped everything out of the Tesla and went ahead after that, because you've got to clean that out, the water damage. You spray-wash all of the inside. He got right down to the aluminum. Everything that wasn't part of the core aluminum chassis was gone. And then he built it back up again. He managed to keep all of those Tesla systems working, that screen that you have up front that does the temperature control, cruise, maps, everything.

[00:33:11] He kept that; it was able to work. The automated stuff, cruise control-type stuff. And now he had a very hot car that looked like a Tesla.
He took it out to SEMA, which is pretty cool. I'd love to see that. But it was a Tesla with a big V8 gasoline engine in it. He's done quite a good job on it.

[00:33:35] It was quite amazing to see. It took them months. It was him and some of his buddies. These new cars are even more connected than my friend's Subaru is. They get downloads from the... Some of them are using Wi-Fi and 5G. Really, one of the big promises of 5G is, hey, our cars can talk to each other, because now you can get a millisecond delay in going from one car to another, versus what you have today, which can be a half a second or more, which can be the difference between having a rear-end collision and being able to stop in time when it comes to these automated systems.

[00:34:17] So they are more connected. They connect to the Wi-Fi in your homes. They connect to, obviously, the 5G network, which is where things are going right now. But what's happening with the hackers? Because really, what we're talking about isn't a computer on wheels. Oh no. Dozens of computers inside that car. And your car has a network inside of it, and has had for many years, this CAN bus network, and even fancier ones nowadays, that connect all of your systems together.

[00:34:52] So your entertainment system, for instance, is connected to this network. And that was used, you might remember, a couple of years ago on a Chrysler product, where the bad guy installed, or using the thumb drive onto that entertainment system, and had a reporter drive that car down the road. This is all known.

[00:35:16] It was all controlled. And the bad guy was able to, right there, the demonstration, in this case I guess you'd call them a white hat hacker, he drove that car right off the road while the reporter was trying to steer otherwise, because cars nowadays don't have a direct linkage between anything in any...

[00:35:38] That's why I love my 1980 Mercedes diesel. You turn the steering wheel.
It isn't actually connected to the wheels, to that front end of the car. All it's doing is telling the computer you want to turn and how much you want to turn. That brake pedal doesn't actually compress hydraulics and cause the brakes to engage. That fuel pedal doesn't actually move the throttle on the car.

[00:36:03] The throttle is really being controlled and moved by the computers. So the car is completely electronic. It feels like a regular car, right? We're not talking about the Teslas of today or tomorrow. We're talking about Volvos that have been sold for more than a decade. We're talking about a lot of different cars.

[00:36:24] So now you have a platform on wheels that can be dangerous, because it can be, in some cases, remotely controlled. It can have software that maybe crashes. We know that part of the "infrastructure" bill, which contains almost no infrastructure, it's amazing how they named these things, isn't it?

[00:36:45] And what is it, like 6% is actual infrastructure in the infrastructure bill? One of the things in there that is not infrastructure is a demand, a law that says the car manufacturers have to include a remote button, if you will, so that a police officer could go ahead and say, okay, I'm pursuing this car and they're not stopping.

[00:37:11] I don't want to risk people's lives as this bad guy tries to elude me here in back streets. Kids can get hit, et cetera. So they push the button and the car stops. That all sounds great. The problem is that you could potentially be opening some security problems by having this remote stop button that can be used by anybody, really, right?

[00:37:40] Since when is it going to be limited to just law enforcement? Isn't that a problem? According to Car and Driver, I'm looking at their magazine right now, they're saying that there were at least 150 automotive cybersecurity incidents in 2019, a hundred and fifty incidents, part of a 94% year-over-year increase since 2016.
[00:38:05] In other words, every year the number of automotive cybersecurity incidents has doubled. And that's according to a report from a company called Upstream Security. So we're looking at what, maybe ransomware for a car, so that your car gets hacked. You can't hack my 1980 Mercedes diesel.

[00:38:28] It is impossible to hack into an unconnected car. But if you are driving a vehicle, it's likely at risk from some sort of digital intrusion. We've even seen, from some of the bugs, we've seen cars from Japan that have decided to drive into the Jersey barrier because it misunderstands exactly what it is. We've seen cars from Tesla

[00:38:57] drive right into the back of a parked fire truck. Imagine doing that at speed, right? And into a fire truck full of water, et cetera. I've actually seen that one happen personally. So the more sophisticated the system is, the more connected your vehicle is, the more exposed you are. And the Detroit Free Press has a great little article on that right now.

[00:39:23] And in there he's saying, we have taken whatever model car you think of, and we hack them through various places. I can control your steering. I can shut down and start your engine, control your brakes, your doors, your wipers, open and close your... There's a lot of people who are trying to break into these cars.

[00:39:46] And there's a lot of people who are trying to protect them. That hacker duo back in 2015, who took control of that Jeep Cherokee, just think about that sort of... There's an Israeli-based automotive cybersecurity company who told the Free Press that he expects the current trend of hackers holding digital data on computers for ransom to also move to cars.

[00:40:12] So when this happens, the driver will not be able to start the vehicle until they pay off the ransom, or suffer the consequences, which could be wiping the car's systems, operating systems, could be causing the car to catch on fire.
Think of what can happen with each generation with those batteries.

[00:40:32] There's no way around it. You're going to have to get it towed and get all of the software reloaded by the company. And now this week, it comes out that a 19-year-old kid said that he was able to hack into over 25 Teslas that he tried, via a bug in a popular... It's an open source tool that people are using to link into their Teslas to do various types of remote control.

[00:41:01] And he posted a tweet on this. The guy's name's David Colombo. You'll find him on Twitter. It went viral, and he reported the vulnerability to the people who are maintaining the software, and they fixed it, in fact, the very same day. And Tesla also pushed updates to their vehicles that invalidated the signatures and the key exchanges that were happening.

[00:41:28] So this is a 19-year-old researcher. He's able to hack into cars in 13 countries. 38, 13 countries, yeah, worth of Teslas, without the owner's knowledge. Now, he says, I can unlock doors, I can turn off the security system, I can open windows, I can keyless start, and things like turn on the stereo, honk the horn, view the car's location, and see if the driver was present. But he doesn't think he could actually move the vehicle remotely. But that's a 19-year-old.

[00:42:02] What's going to happen when we implement the law that was just passed that says our cars have to be remotely controllable by anybody, basically? Yeah, it's scary. Hey, I want to invite you guys to take a minute, go to craigpeterson.com. Make sure you sign up for my newsletter there, and I'll keep you up to date on all of this stuff, and you'll even get my show notes.

[00:42:28] craigpeterson.com.

[00:42:30] The hacker world got turned upside down this past week as Russian president Putin decided to crack down on the hackers. Now, this is a very big change for Russia. We're going to talk about my theories. Why did this happen?

[00:42:56] Hi, I'm Craig Peterson, your cyber security expert.
And you're listening to News Radio WGAN, AM 560 and FM 98.5. Hey, you can join me Wednesday morning at 7:34 on the morning drive, as we keep you up to date. Russian hackers have long been known to go after basically whoever they want. They have really gone after the United States and other Western countries.

[00:43:30] And as part of what they've been doing, they have been making a lot of money and keeping Vladimir Putin pretty darn happy. He's been happy because they're bringing more into Mother Russia. He's happy because they are causing confusion amongst Russia's competitors out there, particularly the United States.

[00:43:55] But there's one thing that Putin has been absolutely steadfast on, and that is not allowing any of the hackers to go and hack any of the countries that are part of their little pact over there. Think of the old Warsaw Pact; they got that band back together. So as long as they didn't harm any Russian or affiliated country, they could do basically whatever they wanted. And they did.

[00:44:29] And they have caused a lot of trouble all over the world. So Friday, Russia's security agency announced that it had arrested members of the cyber gang called REvil. Now we have talked about them for a long time. They have come and gone. The FBI and other countries have shut down their servers.

[00:44:56] So REvil disappears for a while, then pops its head up again. And Russia said that they arrested members of REvil who were responsible for massive ransomware crimes against US companies the last year. So why would they do that? I'm looking right now at the Russian website here that's part of the FSB.

[00:45:26] And it's saying that the Russian Federal Security Service, in cooperation with the Investigation Department of the Ministry of Internal Affairs of Russia, in the cities of Moscow, St. Petersburg, Leningrad, Lipetsk... as, I guess, it is, regions.
They stopped the illegal activities of members of an organized criminal community, and the basis for the search activities was the appeal of competent US authorities, who reported on the leader of the criminal community and his involvement in an encroachment on the information resources of foreign high-tech companies by using malicious software, encrypting information and extorting money for its decryption.

[00:46:11] Now that all sounds like the stuff that Vlad has been just happy about in years past. So why did this happen? What brought this about, nowadays, in this day and age? What is he doing? I've got a little bit of a theory on that one, because there have been some interesting developments. One of them is this hacker

[00:46:38] in Belarus. Now, Belarus is one of those countries that's closely affiliated with Russia, a friend of Russia, right? Part of the old Warsaw Pact. And you might remember that Belarus is right there by Ukraine. And of course, we've got this whole issue with Ukraine and whether or not Russia is going to invade, and President Biden said something incredibly stupid, where he said, yeah, a moral response is going to depend upon what Russia does, if it's just a minor invasion.

[00:47:17] You remember President Biden saying that? Just absolutely ridiculous. And then of course, the White House press secretary and various Democrat operatives tried to walk the whole thing back. But it's a problem, because Russia has, what is it now, like 120,000 troops on the border.

[00:47:37] Now, if you know anything about history, you know that military armies march on their stomachs, right? Isn't that the expression? You've got to feed them. You have to have a lot of logistics in place. In fact, that's what really got a lot of the German military in World War II very nervous, because they saw how good our logistics were, how good our supply chain was.

[00:48:03] We were even sending them...
They cakes to men in the field that they discovered these cakes in great shape. And some of the German armies, particularly later in the war, didn't even have adequate food to eat. What do you think is happening with the Russian troops that are sitting there? [00:48:20] They need food. They need supplies, including things like tanks, heavy artillery, ammunition. All of that sort of stuff. So how do they do that? They're moving it on rail, which they have done in Russia for a very long time. You might remember as well in world war II, the problems with the in compatibility between the German rail gauge and the Russian rail gauge as Germany tried to move their supplies on Russian rails and Soviet rails, ultimately, but on Russian rails and just wasn't able to do. [00:48:57] So hacktivists in Bella ruse right there next to Ukraine said that they had infected the network of Bella Russa's state run railroad system with ransomware and would provide the decryption key. Only if Bella Reuss president stopped. Russian troops ahead of a possible invasion of Ukraine. So this group, they call themselves cyber partisans wrote on telegram. [00:49:30] Now I got to warn everybody. Telegram is one of the worst places to post something. If you want some privacy, excuse me, some privacy, some security it's really bad. Okay. No two questions. So they have, apparently this is according to what they wrote on telegram. They have destroyed the backups as part of the pec low cyber campaign. [00:49:55] They've encrypted the bulk of the servers, databases and work station. Of the Belarus railroad, dozens of databases have been attacked, including, and they name a bunch of the databases. Automation and security systems were deliberately not affected by a cyber attack in order to avoid emergency situations. 
[00:50:20] They also said in a direct message that this campaign is targeting specific entities and government run companies with the goal of pressuring the Belarus government to release political prisoners. And stop Russian troops from entering Bellaruse to use its ground for the attacks on Ukraine. Now, this is frankly fascinating from a number of different angles. [00:50:46] One is, it is very easy nowadays to become a cyber hacker. And in fact, it's so easy. You don't even have to do anything other than send N E. And it's been done, frankly. It's been done people who are upset with a, an ax, for instance upset with a particular company, you can go onto the dark web and you can find companies. [00:51:13] And this revival company was one. That will provide you with the ransomware and they will do everything for you except get that ransomware onto a computer. So you could bring it in to an employer. You can send it by email to the ax. As I mentioned, you can do a lot of stuff. And then the. Ms. Cyber hacker guys, the bad guys will go ahead now and they will collect the ransom. [00:51:43] They'll even do tech support to help the people buy Bitcoin or whatever currency they want to have used. And then they take a percentage. So they might take 30% of it. There's a whole lot. We can talk about here too, including trust among thieves and everything else. It is easy to do this. So to see an organization like these cyber partisans, which I'm assuming is an organization, it could be as little as one person taking ransomware, going into specific computer systems breaking in. [00:52:18] Because again, even here in the U S how many of us have actually got their computer systems all patched up to date? The answer to that is pretty close to zero. And they can now go after a government, they can protect their friends. It's really something. When you start thinking about it, right? 
No longer do you have to be North Korea or China or Russia in order to hack someone to the point where they commit. [00:52:51] And in this case, they're not even after the money, they just want these political prisoners freed and they want Russia to stop shipping in troops supplies, into the area in Belarus next to or close to. Very fascinating. There, there is a whole lot of information about this online. If you're interested, you can read more about it. [00:53:15] It's in my newsletter, my show notes. I have links to some articles in there, but it really is a tool for the under. We've never really seen this before. It's quite an interesting turn in the whole ransomware narrative. It's just in crazy. That's a quote from a guy over at Sentinel one. Alright. [00:53:40] Lots to consider and lots to know and do, and you can find out about all of the. One way, subscribe right now@craigpeterson.com. I promise. I'm not going to her Hess. You stick around. [00:53:55] We've heard a lot about automated cars. And of course we talked about them a lot here too, but that original vision of what we would have, it's gone now. It's fascinating. We're going to talk about that journey of automated cars. [00:54:12] For years, automakers have been telling this story about how these automated cars are going to drive themselves around and do just wonderful things for us. [00:54:24] And as part of that, they've decided that. The way it's going to work. And I remember talking about this, cause I think it's a cool idea is that there will be fleet of these vehicles think about maybe an Uber or Lyft where you get on the phone and you order up a card and it says, Hey that driver will be here. [00:54:45] Here's the license plate, the driver's name and picture. It's really cool, but general motors and Lyft haven't gotten there. They signed in agreement. To have electric autonomous cars as part of Lyft's fleet of drivers. They did a back in 2016, a long time ago. 
Ford promised what it called robo taxis and that they would debut by 2021 Dimeler of course, the company that makes Mercedes-Benz said it would work with Uber to deploy fleets of their car. [00:55:27] And the logic was really financial and it made a lot of sense to me, which is why I was so excited. I have car outside. You know about my Mercedes, you. How often do I drive that 40 year old car? Most of the time it's sitting there parked, most of the time, because I don't go very many places very often. [00:55:50] What would it be like then to just be able to have an Uber or Lyft type app on my phone that says, okay, tomorrow I have a 10 o'clock meeting in Boston and I want a car to take me there. So the. Checks with the servers and figures out. Okay. At 10 o'clock meaning, that means you're going to have to leave at eight 30 in order to get around the traffic that's normally happening. [00:56:18] And so we'll have a car there for you. So all I have to do is walk out the apple, probably remind me, my butt out of bed and get outside. Cause the car is about to arrive. So the car pulls into my driveway or maybe just stops on the road and the app reminds me, Hey, the car's there I go out. I get in. [00:56:37] And on the way down, I can work on getting ready for the meeting, getting some things done, just really kicking back, maybe having a nap as we go. And I'm there on time for my 10 o'clock. Just phenomenal. And from a financial standpoint, nowadays, how much is a car costing you? Have you ever done the math on that? [00:56:59] How much does a typical car loan run you per month? And I also want to put in how about these leases? How many of us are leasing cars? My daughter leaves to Gargan believe she did that. Didn't leave to me. It didn't make financial sense, but maybe that's just because I've been around a while. But looking right now at some statistics from credit karma, they're saying us auto loans, new cars, your average monthly payment is $568. 
[00:57:32] For an average loan term of 71 months. Good grief used cars, about $400. A month payment and average loan term, 65 months. I can't believe that I've never had a car loan for more than three years. Wow. That's incredible. So we're talking about six year notes on a new car. Wow. I guess that's because people buy cars based on the monthly payment, right? [00:58:04] So figure that out. If you're paying $500 a month, how about just paying a subscription service? $500. You can get so many rides a month and you don't have to maintain the car. You don't have to buy insurance. You don't have to make any fixes. You don't have to do anything. And the car will just show up. [00:58:23] That's what I was excited about. And it had some just amazing implications. If you think about it, it city dwell over dwellers and people who were directly in the suburbs, it'd be just phenomenal. And you could also have the robo taxis for longer trips. You can abandon that personal car. Really alternate. [00:58:46] So now it's been about a decade into this self-driving car thing that was started. And, we were promised all of these cars, it reminds me of the fifties, we're all going to be driving, flying cars by. George Jetson one, when was he flying around the cities, but that's not happening. [00:59:07] Okay. The progress on these automated vehicles has really slowed automakers and tech companies have missed all kinds of self-imposed deadlines for the autonomy. Look at what Elon Musk has promised again and again, it's. Basically in 2020, late 2020, it was going to have fully autonomous cars even calls itself dry. [00:59:30] When it isn't really self-driving, it certainly isn't fully autonomous it more or less drives. It stays in the lane as it's driving down the highway. But the tech companies are looking for other ways to make money off of self-driving tech. Some of them have completely abandoned. 
There's self-driving cars, the sensors like the LIDAR, and I've had the LIDAR people on my show before they've all gotten cheaper. [00:59:55] It doesn't cost you $50,000. Now just for one LIDAR sensor, think about what that means to these cars. So some of these manufacturers of these future autonomous cars are shifting to a new business strategy. And that is selling automated features directly to customers. In other words, you're going to buy a car, but that car isn't going to do much. [01:00:24] Think about the golden key that the tech companies have used for years, right? IBM well-known for that, you buy a mainframe or from IBM or a mini computer from digital equipment corporation, and you have the same computer as someone that has this massive computer. But in fact the difference is that they turn off features and we're seeing that right now. [01:00:49] I'm, I've mentioned that Subaru before where they are charging people for upgrades, but some of the companies are charging you monthly to use a remote start feature for instance, and many others. So what's happening is a major change. We have the consumer electronic show, right? January 20, 20 and general motors CEO, Mary Barra said that they would quote, aim to deliver our first personal autonomous vehicles as soon as the middle of this decade. [01:01:22] So again, it slipped, right? I'm looking at it, a picture of what they're considering to be. The new Cadillac car that should be out next year. Maybe thereafter. It is gorgeous. Absolutely gorgeous. But this announcement, right? Yeah. We're going to have autonomous vehicles, middle of the 2020s. She had no specific details at all. [01:01:48] And apparently this personal robo car project is completely separate from this robo taxi fleet that's been developed by GM's cruise subsidiary. And cruise said it has plans to launch a commercial service in San Francisco this year. So they're going after multiple paths. The logic here is financial. 
[01:02:11] The reasoning has changed and they're offering autonomy as a feature for the consumer market. Tesla, Elon Musk, they've been charging $10,000 now for the autopilot driver assistance feature. They're planning on raising it to $12,000 here early 2022 Tesla technology. Can't drive a car by itself. [01:02:37] But he's going to charge you if you want it. And I expect that's going to be true of all of the major manufacturer that's out there. And by the way, they're also looking at customization, like color changing cars and things. They're going to charge them as features. Hey, stick around. Visit me online. [01:02:58] Craig peterson.com. [01:03:01] Ju [01:03:01] st  [01:03:01] how secure are our smartphones. We've got the iPhones, we've got Android out there. We've talked a little bit about this before, but new research is showing something I didn't really expect, frankly. [01:03:23] hi, I'm Craig Peter sawn, your cybersecurity strategist. And you're listening to news radio w G a. A M five 60 and FM 98.5, like to invite you to join me on the morning, drive Wednesday mornings at 7 34, Matt and I always discussing the latest in cybersecurity technology. And, Matt always keeps you up to date. [01:03:50] We've got some new research that wired had a great article about last week that is talking about the openings that iOS and Android security provide for anyone with the right tools. You're probably familiar at least vaguely with some cases where the FBI or other law enforcement agencies have gone to apple and tried to have. [01:04:17] Old break into iPhones. Apples, refuse to do that one in particular, down in Southern California, where they tried to get apple to open up this I phone and tell them who was this person talking to after a shooting of foul of fellow employees at a. It was really something, there was a lot of tense times and we've seen for decades now, the federal government trying to gain access to our devices. [01:04:51] They wanted a back door. 
And whenever you have a back door, there's a potential that someone's going to get in. So let's say you've got a. And your house has a front door. It has a backdoor, probably has some windows, but we'll ignore those for now. Okay. And you have guards posted at that front. All in someone needs to do is figure out to how to get into that back door. [01:05:18] If they want to get into your house, it might be easy. It might be difficult, but they know there's a back door and they're going to figure out a way to get in. And maybe what they're going to do is find a friend that works for that security company, that post of the guards out front. And see if that friend can get a copy of the. [01:05:39] That'll let them in the back door. And that's where we've had some real concerns over the year years here, a decades, frankly, our first, I remember this coming up during the Clinton administration, very big deal with the. That they were pushing. This was a cryptographic chip that they wanted every manufacturer to use if they wanted to have encryption and the white house and every gov federal government agency, and probably ultimately every local agency had the ability to break any encryption that was created by the clipper. [01:06:17] In fact, we were able to track Saddam Hussein and his sons and his inner circle. Because he was using some encrypted phones that were being made by a company in England. And that company in England did have a back door into those encrypted phones. And so we were able to track them and we could listen in, on all of their communications back and forth. [01:06:44] And it's really frankly, oppressed. When that sort of thing happens. So what do you do? What are you supposed to do? How can you make it so that your devices are safe? There are some ways to be relatively safe, but these cryptographers over Johns Hopkins university, Use some publicly available documentation that was available from apple and Google, as well as their own analysis. 
[01:07:14] And they looked into Android and iOS encryption and they founded lacking. So they studied more than a decades worth of reports. How about which mobile security features had been bypassed had been a hack. I had been used by law enforcement and criminals in order to get into these phones. They got some of these hacking tools off of the dark web and other places, and they tried to figure. [01:07:46] So we've got a quote here from Johns Hopkins, cryptographer, Matthew Green, who oversaw the research. It just really shocked me because I came into this project thinking that these phones are really protecting user data. Now I've come out of the project, thinking almost nothing is protected as much as it could be. [01:08:10] So why do we need a backdoor for law enforcement? When the protections that these phones actually offer are so bad. Now there's some real interesting details of if you like this stuff, I followed cryptography for many decades. Now I've always found it. Fascinating. There are some lightweight things I'm going to touch on here. [01:08:33] We won't get too deep in this, but here's another quote. Again, Johns Hopkins university on Android. You can not only attack the operating system level, but other different layers of software that can be vulnerable in different ways. Another quote here on iOS in particular, the infrastructure is in place for hierarchal encrypted. [01:08:57] Now higher are hierarchical. Encryption is various layers of encryption. If you have an iPhone or an iPad, or if you have most Android phones nowadays, if you use a passcode in order to unlock the phone or even a fingerprint or a face. Your method of authentication is used to encrypt everything on the phone, but in reality, everything on the phone is only fully encrypted when the phone is powered off. [01:09:36] Now that's a real, interesting thing to think about because obviously the phone can't work. If everything's encrypted. It needs access to the programs. 
It needs access to your data. So what they found bottom line was the only way to have a truly safe machine or a smartphone in this case is to turn it off because when you turn it on and it boots up on first boot, now it gets. [01:10:08] Either by bio medical information, like your fingerprint or your face sprint or your passcode, it then has a key that it can use to decrypt things. So apple has on the iPhone, something, they call complete protection and that's again, when the iPhone has been turned off on boots up because the user has to unlock the device before anything can happen on the phone. [01:10:33] And the is protections are very. Now you could be forced to unlock the phone by a bad guy, for instance, or in some cases, a warrant or an order from a judge, but forensic tools that, that they are using the police and the criminals really would have almost no luck at pulling information off of your phone. [01:10:59] That would be useful at all because it would all be encrypted, right? If they could. So once you've unlocked your phone after that first reboot molt, after that reboot, right? You unlocked it after power up. A lot of the data moves into a different mode that apple calls protected until first user authentication. [01:11:20] But it's what I call after first unlock. So when you think about it, your phone is almost always in the after first unlocks. Because how often do you reboot your phone? No, it's pretty rare that your phone might do on. And this is particularly true for I-phones might do updates and boot and reboot. And then of course you have to unlock that phone, but it doesn't go much further. [01:11:49] The net and that's, what's interesting. That's how law enforcement and the bad guys, these Israeli companies and others have been able to get into iPhones and get into Android devices because ultimately if that computer is turned on and you've logged in, there's a lot of data. That's no longer encrypted. [01:12:10] Oh. 
And by the way, that's also how some of these attacks occur on our laptops. Particularly if you traveled to. In the memory on that laptop that you close the lid on, you have to re log into is the key to UNHCR, unencrypt, everything, right? Because you logged in once. So all they have to do is freeze the memory, duplicate the memory and put it back in part of the reason, by the way that apple laptops have their memory soldered in you can't do that kind of attack. [01:12:44] Stick around. We'll be right back. [01:12:48] VPNs are good and they are bad. It depends on the type of VPN. Many of these commercial VPNs of people are using are actually very bad for you when it comes to your security. [01:13:04] VPNs are problematic. I did a couple of boot camps on VPNs. Probably I think it was about last year. [01:13:13] Yeah, it was last spring. And I went through and explained and showed exactly why commercial VPNs are one of the worst things you could possibly do if you want. To stay secure. Now I lemme just give you the high level here. I have given people copies of this, if you're interested in a link to that VPN webinar that I did, I'd be glad to send it to you. [01:13:45] Just email me Emmy at Craig Peterson, doc. And ask me for the VPN information and I'll send that all off to you. I also wrote something up that I've been sending out to people that have asked about VPNs. Cause it's one of the most common questions we have Franklin, but here's your problem with commercial VPNs? [01:14:05] Most all of them say, oh, your information safe at zero logging, et cetera. And yet we have found again and again that's not. In fact, it can't possibly be true in almost every case because most of these VPN services are running out of other people's data centers. So they might be in an Amazon data center or IBM or Microsoft. [01:14:32] And inside that data center, your data is coming in and then it's going to. So let's say you're using a VPN and you're connecting to a website. 
I don't care. Go to google.com via a VPN. So you're using one of these services. That's advertised all over creation. And what happens now is. Your web request to get to Google passes over that encrypted VPN and comes to an exit point because at some point it has to get onto the regular internet. [01:15:07] How else are you going to get to that website? On the other side? You can't, unless you get to the regular internet. So at the other side, now the server is that's receiving the end point of view. VPN is going to send the request to Google. Google is going to respond to that VPN server. It's going to be encrypted and sent back to you. [01:15:30] So what's the problem with that? There's multiple problems. One is the data center can see. That there is the request going up to Google. Now he might not be able to tell who it was. But if that VPN server has been hacked. And let me tell you, it is a big target for hackers, government hackers, as well as bad guys. [01:15:54] Then they do know who went out there and depending on how it was hacked and how the VPN was set up, they may even be able to see all of the data that you're sending back and forth. It's called a man in the middle of. And some of these VPN services do it by having you install some software on your computer. [01:16:15] And as part of that installation, they provide you with a master key that they then use to spoon. The keys for the websites. You're going to some, explain that what happens is if you were to go right now on your web browser, go to Craig peterson.com as an example. So Craig peterson.com. I'm typing it in right now in the browser. [01:16:43] That's directly in front of me. Now you'll see a little lock up in the URL. What does that mean? If you click on that lock, it says something about the connection being secure. Are you familiar with that? What's actually happening is it's using SSL TLS keys, but it's using encryption now to send the data from your computer. 
[01:17:11] To my server, that's hosting Craig peterson.com. And then my server is sending all of the webpage back to you. Encrypted. Any fact, a VPN has been established between your web browser and my web server. So why use a third-party VB? Because your data is encrypted already, right? Could it be more simple than that? [01:17:46] Now, remember again, that the server on the VPM service that you're using is a prime attack target for everybody else. As I said from government agencies through hackers. So your data is likely less safe because if they get a hold of it, they can do all kinds of things to your data and to. And then on top of it, all the VPN service may well be selling your data in order to make money, to support the VPN service because free VPNs, inexpensive VPN sees the ones that are charging you five or 10 bucks a month cannot possibly afford to provide you with that service. [01:18:38] And in the bootcamp, I go through all of the numbers here, the costs involved. With a VPN service it's not possible to do. They can't make any money off of it. So it is a very big problem for you to use one of these public VPN services. Now, I want to talk about an arc article that was on Z. [01:19:06] Apparently your old pole, which is of course the police over there in the European nations has seized servers. What servers, VPN servers in Europe. Now they seized the servers because they were used by who was it? Grandma looking at pictures of the grandkids. Was it people watching cat videos who was using the VPN server? [01:19:33] The paid VPN service. Wow. It was criminals. And when they seized these VPN servers that were also being used by criminals, they found more than a hundred businesses that had fallen victims to attacks. So who uses VPN services? People who want to hide something as well as people who just want to have their data secure. [01:20:01] Another reason not to use VPN services. 
So as a part of the joint action by Europol Germany's police Hanover police department, the FBI, UK national crime agency, and others seized 15 servers used by VPN lab dot. Okay. So VPN lab.net net, obviously no longer usable. And they started looking at all of the records that were being kept in these servers and use that to find the criminal. [01:20:36] Does that make sense to you? So VPN lab.net was according to these charges, facilitating illicit activities, such as malware distribution. Other cases showed the services use in setting up infrastructure and communications behind ransomware campaigns, as well as the actual deployment of ransomware. You like that. [01:20:59] Now they were using open VPN technology, which is actually very good. As part of that VPN information, I can send you if you're interested, just email me M e@craigpeterson.com. Let me know what you're interested in, and I'll whoop you off an email. Give me a few days I can get behind sometimes, but you can set up your own private VPN server if that's what you want to do. [01:21:25] And I've gotten instruc

Government Digital Service Podcast
GDS Podcast #38: Understanding the complexity of users' lives

Jan 26, 2022 31:41


Why build a product people won't or can't use? Our user researchers share their approach to understanding needs for government's single sign-on.

---------

The transcript of the episode follows:

Vanessa Schneider: Hello and welcome to the Government Digital Service podcast. My name is Vanessa Schneider and I am Senior Channels and Community Manager at GDS. In August, we recorded an episode on digital identity and single sign-on as part of our plans to develop one inclusive and accessible way for people to log in to all government services online. You heard from Will and Helena from GDS, as well as Tom from Veterans UK, who shared how we worked with other parts of government to shape this work. Since then, we passed the digital identity service assessment, integrated our authentication component with the first service, and completed research with more than 800 end users. And it's that research that we want to talk about today. Joining me in this are Lauren Gorton and Charlotte Crossland, both user researchers at GDS in the Digital Identity Programme. Lauren, could you please kick us off by introducing yourself and what you do?

Lauren Gorton: So I'm Lauren. I'm a user researcher on the digital identity programme in GDS, and specifically I work in the authentication team. We look at the credentials that people use as part of the single sign-on. And the first steps of our journey went live in October. So specifically, I focus on the end user aspect of that and focus on the citizen side.

Vanessa Schneider: Fantastic, thanks. Charlotte, could you please introduce yourself and what you do as well?

Charlotte Crossland: Absolutely. Hi, everyone. I'm Charlotte, I'm a user researcher on the digital identity programme, working in the design for adoption team. We've been doing a lot of research with service teams across government. We're building an authentication onboarding journey, as well as looking at identity materials that teams can use to make decisions.

Vanessa Schneider: Fantastic, thank you so much, both. So, not everyone will have listened to the previous podcast episode or read the blog posts that we've written about this work. Would one of you mind explaining a bit more about One Login for Government?

Lauren Gorton: Yes, so One Login for Government is one of the government's major projects at the moment. On GOV.UK there, there are several different sign-ins at the moment, and many different routes users could take. So what we're trying to do is streamline that down, so that in the future, there'll just be one single sign-on for GOV.UK to help improve the journeys for users and reduce confusion for people. That then opens the door to do lots of other cool things in the account space, so that people aren't having to repeat themselves too often in different services, and it helps government to basically join up a bit better.

Vanessa Schneider: Great stuff. I can see the importance in that [laughs]. Obviously, this is a loaded question to ask, given both your roles as user researchers. But I was wondering why is user research so integral to that?

Lauren Gorton: So there's no point in building something if people won't or can't use it. And the only way we know if we're on the right track is if we actually speak to the people who are the intended users. That's probably important for any organisation or business, but it's especially important in the context of government, given how important government services are: if people can't access them, that can have a huge impact on people's lives. So we can't really afford to build something which people either can't use or won't use. [For] the citizen side of the research, our approach is to gather insights at all stages of the projects and from as representative a sample of people as possible. One thing is that we're not reinventing the wheel. There have been other government projects that have come before us who've done work on sign-on services. So there's a lot of existing research and insights that we can sort of learn from as a first step. So we, we initially did some very extensive desk research, including research artefacts from Verify, Government Gateway, recent COVID[-19, coronavirus] projects, and, you know, getting lessons learnt from peers in the NHS, who are working on the NHS login at the moment as well. So it's kind of given us a running start, really, to see what worked well before us and what didn't work so well. And we then built on top of that with our own research. So for a variety of different techniques, things like doing interviews with people and conducting surveys, testing our journeys as we develop them and iterating them. And since May, despite the impacts of COVID and issues that we had with research - we obviously haven't been able to go out and actually talk to people face-to-face, we've had to adjust how we work and do everything remotely - but despite that, yeah, we've managed to speak to over 800 end users, as you mentioned, since May. On top of that, it is really important to call out that once something's live, it's not live and then done, so now that we're live with the first steps of authentication, we've also got thousands of users who are now going through the live service and we're getting insights from those people as well. So relying a lot on our feedback form and also the analytics that runs for our service to better understand, "OK, so these are real people, using it in a real-life scenario: how is it working for them, and working, we keep improving it." So it's kind of that balance of we're doing a lot of the research with people to help prep them, optimise before we go live. And then as it's live, we're still monitoring it and trying to improve.

Vanessa Schneider: Well, there's a lot of work going into it, I can see, and it's really heartening to hear that you're taking on the lessons from the past. And actually, that probably relates to the work that we're doing with other departments because they have existing identity solutions, don't they, Charlotte?

Charlotte Crossland: Yeah, absolutely. So our approach from gathering insights from service teams in government has been a bit different from doing research with end users - it's a bit of a different dynamic. The real key to this is collaboration. So like other government platform products our users are peers working across government. I've been working with a range of roles, from product people to service owners, researchers, designers, developers, even data [analysts], both across central and local government. And it's been really fundamental to tap into, again, the existing work that's there; digital identity is a well-trodden area across government. It's a fundamental, it's been creating a space of trust and being as open as possible with teams and departments. It's important that we take aspects of that into our approach, not only internally within the programme, but taking that approach externally across government. Yeah, if the whole team is supporting and involved in that session, we have the capabilities and materials to produce really rich UR [user research]; building up that trust and developing relationships is far more important because they're the teams that are building and developing the services themselves in their everyday lives.

Vanessa Schneider: Obviously service teams will have also conducted user research for their services with end users. How did that integrate into sort of your knowledge base?

Lauren Gorton: Yes, so that was a part of the desk research that we did, kind of, in Discovery Alpha. We went through hundreds of different documents to, to try and understand that. But, as well, we've also since had sessions with teams so, the basic digital service, so they have a really good component for certain aspects of the authentication journey. So we're trying to make sure, again, we're not reinventing the wheel. So if things have worked for, for their end users, it's going to work for [our] end users as well. So we've been, we've met with them, tried to understand the component, looked at some of the data behind it and have applied that, aspects of that, to our own journeys as well.

Vanessa Schneider: Neat, and obviously, this could be really interesting for folks, depending on how long we're going to be in these unprecedented times or with the future of work being maybe more remote working: how was it conducting user research while maybe not having direct access to people?

Lauren Gorton: Good question. So, yeah, that's, that's been difficult. I think it was definitely for user researchers, just in general. It's hard if, you know, you're not in the room with them. And something that user research just needs well to do is to have, like, a good rapport with the participants. And it can be hard to try and build that up remotely and so, you know, reassure people and calm them down remotely over a video call. So, yeah, there are different frustrations to it, particularly if someone runs into an issue in the middle of a session. We can see the screen and what they're doing. But if they go onto a different device because they want to search something on the mobile phone, we can't see what they're doing and we can't help them, so that's caused challenges as well. So it's been a big challenge for communication, I think. But there are, there are positives to it as well. It's quite nice to have a video call with someone, they dial in, you run the session, if it goes well, and then you can just dial off, that's the session done. You can go, go grab a coffee, [laughs] to then try and absorb what you've just learnt. So yeah, there are nice things to it as well.
Charlotte Crossland: Yeah, definitely echo Lauren's point around that interaction, and no matter who you're researching with, whether it's citizens or service teams. It's really difficult to get that rapport up online compared to in-person, where you can read people's body language, their tone, it's a very different dynamic. And I think what's I've learnt the most about doing research with service teams is that they are our peers and, as we've mentioned before, digital identity is a well-trodden area, and it's about collaboration as much as it is user research with those power dynamics that are often associated with it. I think as well, on the analysis side, so we're really fortunate to have tools that really help bridge those gaps from doing analysis in-person to remote ways. They've yeah, they've been so valuable. Lauren Gorton: Charlotte's raised a really good point there as well, which I totally missed, but afterwards with our colleagues when we're trying to, like, go through what we've learnt in the session. That's been super hard as well because we're not all just sat around the table together with notes and writing on a whiteboard. So yeah, that's been a real struggle as well. Vanessa Schneider: I think that a lot of listeners can relate to the difficulties that you face, the challenges that have presented themselves. But it is nice to know that there are some things that have helped or some things that are manageable at least, despite the circumstances. So that's really encouraging. So it's great to see that we've got these partnerships going with other departments. How do these partnerships come about and why is that so important to us? Charlotte Crossland: Great question. So we're collaborating at multiple levels in government departments, so recently colleagues have kicked off strategic department-level work with the big departments and these will continue to be expanded on. 
We're also working directly with services at service team-level, as well as clusters of services, to give us a really wide and deep view of requirements. So we've been building on from the robust thinking that– of digital identity that already exists within government. The collaboration has shaped the programme thinking, so the development of the roadmap, the functionality requirements, to prioritise in specific work, such as exploring low levels of confidence, which our team is currently looking at. So, as mentioned before, in the previous Digital Identity podcast, as well as collaborating externally, we need to reflect internally and learn from Verify. So to do this, we're ensuring inclusivity is at the core of what we're doing. We're not using third-party or private sector identity providers to verify users' identity. We're not taking a one-size-fits-all approach. We're designing for the needs of service teams, so doing research with service teams has really sought to address these last two points. I think one of the key collaborations, for example, the one with DfE [Department for Education] has come about through one of our key findings, actually, so this is around cluster services. So end users of cluster services are likely to see the benefits of a reusable set of credentials more readily as they're able to use the same authentication username and password to access them. So we've spotted clusters in well-known departments like HMRC [HM Revenue & Customs] or the Home Office initially, but we've also found clusters in all sorts of places across government. So users of Companies House, [HM] Land Registry, farmers using Defra [Department for Environment, Food and Rural Affairs] services, drivers using DVLA [Driver and Vehicle Licensing Agency] services, as well as teachers or students using DfE services. Lauren Gorton: Yes, so with our end user research, we've always been researching around the single sign-on and how that benefits our users. 
The single sign-on is the solution that we feel best helps to meet other user needs we found in research. But to do so in a way that also meets people's expectations and fits mental models as to how people look at government. So in terms of user needs, like, at its simplest level, our users need to be able to access government services, they come to GOV.UK with a task in mind, and that's kind of what they care about doing [laughs] and all they care about doing. They need to be able to do that without having to understand all the complexities of government and have to try to unpick that. So a user shouldn't have to land on the GOV.UK home page and say, "OK, today I'm trying to do this task. This service owns that task. This service sits in this department and that department uses this sign-in. So I need to go over there and specifically it's these credentials I have to use if I can remember what that-- what those credentials are". So, you know, users shouldn't have to do that. And it's not just the case, you shouldn't have to do it, but it also doesn't fit into how they look at government. So we found in our research, and this is general, because mental models, are general, not everyone thinks this way, but a lot of people, sort of, look at government and they see it as a single entity. We talk about "the" government and, you know, that, that's how people see it. They don't think about all the complexities behind it. And as part of that, we have heard people in research sessions and participants saying, you know, "I expect to just have the one account because I'm dealing with the government. I need a government account to talk to the government". So that's what we've, sort of, had coming out of our research sessions. And whilst we've heard that in research sessions prior to going live, again, since going live, we've also seen some data that also supports this too. So for instance, we have our feedback form, which people using the live service can come to. 
One of our most common themes in our feedback form is one we call "queries outside of our scope". And that's just basically for anything that's actually to do with a different service. So what we are seeing is a lot of people hitting our journey, going into our feedback forms, and they're leaving this feedback about different services or they're saying, "I can't sign in" and, you know, when we go back to them, we unpick it, it's because they're trying to sign in into, like, a Gateway or a Verify [account], because they want to do something with their tax, for instance, they've, they've come to us in error. So we are seeing in live that this confusion is a problem. It's the same with our analytics as well. We're seeing people coming to our journey, trying to sign in and having to go down those unhappy path routes because they're confused about whether or not they do have an account. And it's one of those things from a user perspective, that so long as there are multiple accounts out there, that confusion will exist to an extent. There's only so much we can do with research and design. So the more services we get onboarded and the more we reduce the number of sign ins, it's kind of the only way to really completely get rid of that confusion for people. Charlotte Crossland: Definitely, teams that have Sign-in already have seen account confusion from end users, it's a very well-known problem. I think, similarly to Lauren's point around service teams, so authentication and digital identity isn't a straightforward team need. So teams often integrate with identity as part of bigger changes and plans they're going through within their delivery cycle, but related to that. So checking people's identity documents is a really onerous process for service teams and government. It's really costly. Identity checks might not be up to scratch, so ultimately online identity checks could save teams a lot of time and money. 
It's also important to add to that, the offline routes will always be fundamental, so users and service teams will always need offline routes. Vanessa Schneider: Yeah, definitely important to stress we're not taking anything away from folks. We're just trying to make it easier. We're trying to make it, one, single safe, reliable, fast and effective way for everyone to log in to government services online. That's the mission. So earlier you mentioned trust, and then you also talked about how our new solution isn't going to use third-party providers to verify people's identities. Is that linked? Charlotte Crossland: Yeah, so on the identity side, our research has been really addressing exploring service team mental models around digital identity. So really digging into how teams feel and talk about identity, understanding the types of language that they use. Equally, we've been understanding how services decide on the level of confidence of an identity check. So who's involved in that decision-making process? What are the roles and teams in the department that are integral to this? And I think there's a really interesting design challenge of how we can effectively communicate how teams go about choosing an appropriate level of confidence that maps back to GPG 45, or the Good Practice Guide. There's a lot of evidence that shows GPG 45 doesn't equip teams to understand what identity profile or level of confidence is most appropriate. The guidance doesn't explain how this choice will affect a services' end user journey. That wasn't the aim of the guidance, but equally, the level of confidence the service chooses should be informed by the service's risk appetite. Vanessa Schneider: You did talk about your research reveals there are clusters, for instance, in different departments. Are we working with all of them? If not, why should departments be working with us? 
Charlotte Crossland: So it's really that sharing of knowledge and insights and that collaboration that can make digital identity a possibility in government, so teams, practical things that teams can expect from the partnership is like access to the technical documentation that we've been testing, so they've really got to shape what that looks like, they've been able to play around with it. How does that work in their integration environment? It's been really insightful for both parties involved. Vanessa Schneider: Well, in that case, I really hope more teams will register their interest in the private beta. As after all, as you said, you know, earlier adopters will reap greater rewards in the situation, really shaping what gets done. So Lauren, I know on your side specifically, there was quite an innovative approach with respect to how we use user insight to provide a full picture of the complexities of user lives. Can you explain a little bit more about what that involved? Lauren Gorton: So that was from our Alpha assessment. So, so during Alpha, rather than using personas, which are the traditional way to basically group your users, we used mindsets instead. So the difference really is that, whilst both tools are used to group your users, you can't focus, unfortunately, on everyone individually, we need a way to, to group our users so that we can see the different types of people using the service, and we can include those in the design process and refer back to it. Personas do that by quite heavily focussing on demographics. So you might create personas where you're having different age ranges from your users represented, represented, different ethnicities, gender - even things like do they have an access need? And then what you do on top of that is say, "OK, so what goals will these different types of users have when they're trying to use a product or service?" So that's how personas work with that very heavy demographic influence. 
Mindsets are different in that we don't think about demographics at all. Instead, we're trying to group our users based on shared behaviours and attitudes in a, in a particular situation. So mindsets focus much more on the different ways people might behave and the reasons which are driving those behaviours. So sometimes personas are the right tool to use, but there is a risk of things like stereotyping and subconscious bias. And to be honest, just in our, in our context, because our users are everyone in the UK plus international people it is kind of hard to use personas because we'd have to make tens of personas to try and represent that, which just wouldn't be manageable or usable. So we needed a different tool to approach grouping our users to make sure we were designing for everyone. And mindsets kind of naturally [laughs] for researchers are a way to do it. So specifically, we developed our mindsets during Alpha whilst we're doing initial prototype testing. We kept hitting this, the same problem in our journey, that at the point in our journey where we needed users to either create an account or sign in, we were seeing a lot of people choosing to sign in, which was just a bit odd because this was before we'd gone live. So obviously GOV.UK Account was a new account. In theory everyone should be choosing to create an account at that point. And when we spoke to people in the sessions to understand what was happening, what we realised was they were getting confused. They had existing government accounts like a Gateway account or a Verify account, and they were trying to use the credentials from those accounts to, to sign in at that point. They weren't understanding that this was a different type of account and many of the people and different teams in the project looking at different areas of single sign-on, they were seeing the same results as well. So we kind of knew it was a common issue. 
Naturally we tried to test lots of different variations of the journey to try and resolve that confusion. But the more we were looking at it, the more we could see, there were these, sort of, 5 common groups of participants that we could see coming out of it, and those were the groups that ended up becoming our mindsets. So these mindsets were basically focussing on how much previous experience these participants have of using government services and having government accounts - how confused would they then get at this point in our journey? And really importantly, how were they feeling about that and how were they reacting, what were they saying? So, for instance, participants with very little experience of government services, who didn't have previous accounts, they showed absolutely no confusion at this point in our journey, and their attitude was very much, "OK, fine. If this makes sense, what do I do next?" So those were our clean-slate mindsets, because effectively, that's, that's what that group of users were. But then on the other end of that spectrum, we have participants who, you know, they did have an existing account, like a Gateway account, as an example, and they used it quite frequently. And when they hit this point in our journey, they were getting really confused about what to do. They're trying to sign in, and they weren't understanding our error handling about why they didn't have an account and they were reacting really negatively to it. And there were different reasons why they were reacting negatively. But they kind of all revolve around the issue of single sign-on and the fact that we have multiple sign-ins and accounts that exist today. So for some participants it was the case of, they had a Gateway and it was the only account they'd ever needed because they'd only ever done stuff relevant for Gateway. 
So they thought that was a single sign-on, and they thought it was a single sign-on because they had the expectation they should only need one account when interacting with government. And for other participants, it was more the case of, they were just frustrated because they'd need to create another account. That's another set of credentials to remember. And they also need to remember where to use those credentials. So, yeah, we found these different groups coming out and ended up with five mindsets overall, which we were then using to input into our design process. Vanessa Schneider: So you mentioned the Alpha assessment. Can you share a little bit about the feedback that you received? Lauren Gorton: Yeah, so, so within our Alpha assessment. So we had another user researcher, one from Department for Education, who was our assessor for the user research aspect. So. They were very happy with the mindsets approach. They thought it was a good way to look at user needs and to try and understand our users. So we actually followed that up with a session where we kind of explained mindsets and they did another cross-session where we broke down user needs in a better way. So it was kind of turned into a cross-learning opportunity so that, that was, that was quite nice to do. Vanessa Schneider: Great, thank you for giving us this overview of mindsets. I was wondering how it might be relevant. How does it strengthen the understanding of complex user needs, maybe beyond single sign-on? Lauren Gorton: Yeah, definitely. So mindsets they're, they're not unique to single sign-on, they're a really nice tool to use if you want to group users in a different way to personas. So how mindsets were most helpful for us, is, you know, we had a problem that we were trying to understand better why this problem was happening, why people were behaving that way and the reasons driving it. So with our mindsets, they were really useful in designing error scenarios in particular. 
So we knew, “OK, we've got these groups of users. And at this point in our journey, this group in particular is going to struggle. And the reasons why they're struggling is this. So do we need to put content here to help? Do we need to change the design pattern? If we do that, is that going to impact a different group of mindset?” So it gave us that kind of better picture of how to design with our users in mind and also really help with our user needs as well. So we already had our list of user needs that we had insight on, so we could sort of look at those user needs and say, "OK, do any of these apply more strongly to different mindsets? Therefore, do we need to think about those needs more so when designing for this particular group" and in reverse, we could also say, "OK, now we have these mindsets and we're understanding a bit better why people are behaving the way they are. Can we now see new user needs that we missed before?" So yeah, it's a really nice tool to use that is a general tool. So it goes beyond single sign-on and is really a good way for other government teams to, to better understand the way people will behave and the reasons why. Vanessa Schneider: You've done user research with citizens now, you've done user research with other departments. How does it feed into the development of the programme? Lauren Gorton: Yes, so one of our next deliverables in the authentication team will be around account recovery journeys. To create a GOV.UK account, you need to link it to a mobile phone number so that you can authenticate with SMS codes. So when we went live with our MVP [minimum viable product] in October, we knew that account recovery was missing, as a gap for anyone who then loses access for their mobile phone. So it was kind of on our radar as being something that we, we knew we need to-- needed to address at some point after October. 
Since going live, we have our feedback form, which is one of the best ways for research to really feed into that sort of roadmap and what to work on next. And yeah, in our feedback form we're getting the feedback from people that they are hitting this issue. So that was something that was already planned to do because we'd identified it as a design gap. But the feedback form is helping us to say yes, no, this is definitely a right priority to pursue because people are experiencing that in live. And similarly, also on the themes of mobile codes: again, the feedback form data is also now telling us that the codes are an issue for anyone who lives in a poor signal area and people with international phone numbers, so that's helped us to identify, "OK, actually this is, this is also our next priority the team needs to pick up". So, yeah, we've done some extensive desk research on an alternative to mobile codes, including looking at the whole cyber aspect and security. And we're now doing the design work to introduce an alternative to SMS codes that we can add in as an option for anyone who's either struggling as, as they've told us in our feedback form or who just, they would prefer to use an alternate option. Charlotte Crossland: Yeah, so I guess our work feeds into both the authentication and the identity product, so our work stream is really committed to delivering and inviting service teams into that auth[entication] onboarding journey. So we're now accepting private beta partner requests for service teams and central government. We'll also be doing groundwork around how to add an account to that onboarding journey, and we'll be looking to publish the technical documentation live on the product page. We're also feeding into the identity stream of the programme as the identity onboarding journey will follow in the third quarter of 2022. 
So we're really doing that groundwork of developing materials to help teams make decisions around identity strengths, around levels of confidence. And this will ultimately play a central part to that identity onboarding journey. And I think it's not just a one-way approach, so we've been working with identity experts within the programme as well to create an identity tool which uses questions and answers to help teams understand what identity strength could be appropriate for their service. So that's helping us really to bridge that gap between the guidance that is already out there and helping teams make decisions and initial feedback from research has been really fascinating. So by translating some of the logic that GPG 45 sits on, we've been using that and turning it into a really more interactive and accessible format for teams. And we're seeing teams really play around with the tool, and it's really empowering them to consider what solution might be most appropriate for their service. And we're also seeing how these materials could help teams navigate conversations with security or risk teams within that department. Vanessa Schneider: Brilliant, so you had mentioned the registration for the private beta. How exactly do folks get involved? What are the steps they've got to go through? Charlotte Crossland: So the easiest way to get involved is to go to sign-in.service.gov.uk. You'll see the GOV.UK Sign-in product page and there'll be a section there saying "Register your interest". So whether you're interested in log-in and authentication or identity, you go to that form and fill it out and then we'll be in touch. And then from there, we'll do a half-hour chat to understand your service at a high level and you'll be then in our pipeline, where you'll be triaged to the relevant next steps. Vanessa Schneider: So if you're part of a service team in government and if all of this has piqued your interest, get in touch. 
And if you want to go back to the previous episodes on digital identity and other topics, you can listen to all episodes of the Government Digital Service podcast on Spotify, Apple Podcasts and all other major podcast platforms and the transcripts are available on Podbean. Goodbye. Lauren Gorton: Bye. Charlotte Crossland: Bye.

The Pack Heavy Podcast
60. 30 minutes with Suzie Yorke - Board Member & Founder of Love Good Fats

Jan 26, 2022 35:30

The vast majority of you may already be familiar with Suzie and Love Good Fats - a quick Google or LinkedIn search will render some fantastic in-depth articles and interviews on her hyper-growth business, leadership, marketing and professional career for you to digest. Because of this, I decided to take a different approach for this interview and reached out to LinkedIn with a question: "If you had the chance to sit down with a food-based CPG founder who had grown their business to $100 Million of revenue in 3 years and closed well over 10M in financing - what would you most want to know?" In this episode, Suzie generously provides us with some really insightful and in-depth answers to 8 questions from real food-based CPG founders and people embedded in the industry just like you! Suzie Yorke has arguably built one of the most interesting businesses to dissect and learn from in recent food-based CPG history, and it was an honor to have had the opportunity to sit down with and share a drink with Suzie over the course of this interview.

Web: https://www.lovegoodfats.ca/
LinkedIn: Suzie Yorke

Please support this podcast by checking out our show sponsors
FoodPak: https://www.foodpak.com/
Futurpreneur Canada: http://www.futurpreneur.ca/packheavy

Leave a review, rate the show and if you have any questions or feedback I would love to hear from you: hayden@thepackheavypodcast.com

Craig Peterson's Tech Talk
Do You Trust Homeland Security And The FBI For Your Cyber Security?

Jan 21, 2022 84:09

Do You Trust Homeland Security And The FBI For Your Cyber Security? What a week the FBI got hacked, Homeland Security supposedly is sending out emails about hackers in your network. This is what we're going to talk about to start with today. What are these new emails and how are they trying to con you? And can we trust the Feds for our Cyber Security? [Following is an automated transcript] This is a little bit concerning. We know that the FBI's email system got hacked. And for everyone that's sitting there saying gee, if the FBI gets hacked, there's no way my business can possibly survive an attack. Remember that the FBI is a huge target. They have so many systems, so many people and the bad guys really would love to send email out as though they are the FBI. [00:00:47] And in fact, they did, they used the FBI's email servers to send out some of these fake emails. I thought that was funny, but be that as it may, the FBI closed. But there are things you can do to protect yourself, to protect your email. And my wife and I have been working diligently on a guide. [00:01:10] Now, that I protect businesses. I work closely with the FBI, been doing cyber security for more than 30 years. I hate to admit that. But I've been on the internet for more than 40 years. So I've been at this for a very long time and there are things you can do. [00:01:29] So we're making available a guide. So she's taken a lot of my teachings and is boiled it down. It looks like it's going to be 25 ish pages. And it's just the key things, the primary things that you can do. To stop your email from getting hacked, your bank accounts, et cetera. There are some pretty simple things you can do. [00:01:54] So we're putting that together and we're also putting together a bootcamp and both of these are free. Okay. Absolutely free. And in the bootcamp, again, this book isn't about selling you all of the, my services and stuff. It's giving you. Actionable things you can do. Yes, you can do. 
You don't need to be the FBI or a cybersecurity expert to do them, but five things you can do that will, I don't know, 10 X, your cybersecurity, really? [00:02:30] It's that big a deal. And it's going to take you less than an hour to do all of this stuff. So for those people who like the boot camp, so we're going to have. And one of these zoom things and we're going to do it live and I'm going to explain it to you, spleen it. And you're going to have some homework before the bootcamp, because I want you to have some skin in the game too. [00:02:56] You're not paying me or anything. So I want to make sure that you've done your homework so we can quickly. Go through all of the stuff that we need to cover in the bootcamp and people who are interested in being the example, which means they are going to get more information than anybody else. [00:03:13] You can also say, Hey, listen, yeah, please use mine as an example. So we'll look at all of these different things. We're going to focus in on that first bootcamp primarily on. The stuff with passwords, what should you do? How should you do it? How can you tell if your password has been stolen? If your email accounts been compromised, all of that sort of thing. [00:03:37] And you need to be on my email list in order to find out about this stuff. And in fact, when you sign. I've got three special reports that Karen and I wrote that are really going to be helpful for you. These are three that we've been using with our clients for years, but again, actionable. To do right, is not some marketing sales guy trying to sell you the latest, greatest piece of antivirus software that doesn't work. [00:04:09] So you can get that. If you go to Craig peterson.com right now slash subscribe. If you want the deep link, Craig peterson.com/subscribe. We'll go ahead and sign you up. I have a little automated sequence. It's going to send you the emails with all of the attachments. 
We got one that's an introduction to Karen and I; you get to see both of us.

[00:04:35] And it's a really cool picture of when we're on vacation one time, and you can get all of that again. It's free. This is the free newsletter. This isn't the paid newsletter. CraigPeterson.com/subscribe. All right. So I can help you out with all of that free content. And I have lots of it. I'm on the radio every week talking about free, right?

[00:04:59] And you can avoid these things. So I hate to bring up this FBI hack because, as I discussed again with Karen this week, I don't want people to feel like there's nothing that they can do. I have a friend, her name's Laura, and she's in one of my mastermind groups. And Laura is, was listening to me because another mastermind member got hacked and it had, what was it?

[00:05:24] $45,000 ultimately stolen from him. And we helped him out. And so I was explaining, okay, so here's the things you can do. And basically all she heard was, I'm never going to be able to do this. And she's a technical person. She teaches people how to become business analysts, which is pretty technical; there's a lot of steps involved in doing business analyst work. And so I was really surprised to hear from her that she had... The securing herself was just too hard. The FBI gets hacked, et cetera. And so that's why when I came to this realization, the bottom line is, yeah. Okay. It can be hard. If you're like me and you've been doing this for 30 years, you've got the curse of knowledge, right?

[00:06:16] So all of this stuff, this isn't for you if you know everything. Okay, this is for people who don't quite understand what's going on. Definitely don't understand what they should do. Don't know what they should buy. Don't know how to use the free stuff that Microsoft and Apple give you and how to pull it all together.

[00:06:37] That's what I want you to be able to understand, and we spend time every week going through this, and every newsletter.
I have an opening now that is about a three to five minute read, if that. It can be a very quick read and is helping you to understand some of the things that you can and should do.

[00:07:00] So you'll get that as part of the newsletter. Again, CraigPeterson.com. That's in my free newsletter. You should see the paid newsletter. It's a big deal because it's your life. It's a big deal because it's your business. It's a big deal because it's your job on the line. And most of the time, when I pick up a new client, it's somebody who's the office manager.

[00:07:23] Frankly, more than your office manager, sometimes the business owner, owner-operator, says to the office manager, hey, we got to do something about cybersecurity, and then I get a call saying, hey, can you do a cyber health assessment for us? And that cyber health assessment, which we'll do for almost anybody out there, will tell you the basics.

[00:07:46] Okay. Here's what you got to do. You've got to update this. You should turn off this software, or you should do this and that with your firewall, so that they have a little checklist that they can run through. That's the whole idea behind one of these cyber health assessments. And then what happens is they say, okay, let's talk some more, and we go in and talk with them, talk with the owner.

[00:08:12] Do they want to do... help them put together a more detailed plan, and then they are off and running so they can do it themselves. They can hire someone, they can have us do it for them, whatever seems to make the most sense, but it's very important to do it, to do something, because sitting there trusting that Google's going to take care of you, or Apple or whomever it is, trusting Norton antivirus is going to take care of you...

[00:08:43] I was reading a quote from John McAfee. He's the guy that started the whole antivirus industry. Now, of course, he passed away not too long ago, under suspicious circumstances, but he came out and said, hey, listen, antivirus is.
Because right now, this year, these weren't his stats. These are stats published.

[00:09:04] You can find them online. Just DuckDuckGo them. Yeah. I don't use Google for most things. And you'll find that the antivirus is ineffective 77, 0% of the time. What do you need to do? You need to listen to me here because I am going to help keep you up to date here. Some people are auditory listeners.

[00:09:23] You need to make sure that you get the newsletter so that you get the weekly updates and you find out about these free trainings and special reports that we put together. Makes sense to you, and you can attend the boot camps where we cover, the basically one-hour meetings on Zoom, just like you're used to, and we cover one or more specific topics and we do it live and we use your information.

[00:09:54] The information you want us to have, do you want us to share? So how could that be better? And it's the same sort of stuff, but deeper dives and more interactive, obviously, than radio. And you can listen to me here every week. I think it's important that you do, and you understand this stuff. So anyways, ramble.

[00:10:14] It all starts with email. How do you keep your emails safe? You might remember years ago, you, people were getting broken into and emails were sent out using their accounts. That happened decades ago and it's still happening today. Right now, CraigPeterson.com. I promise you, I am not a heavy marketer.

[00:10:36] Okay. You're going to get good, actionable information that you can put to use in a matter of minutes. CraigPeterson.com/subscribe. Hey, stick around. I promise I'll get you this Department of Homeland Security warning in just a minute. We'll be right back.

[00:10:59] "Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack." Yeah, I am trying to put on this, like, official voice. And it didn't do so well. Anyways, that's what we're going to talk about.
[00:11:14] This is an email that came from the Department of Homeland Security warning about hackers in our network.

[00:11:23] Okay. The subject line here, the one I'm looking at, and this is just this week: "Urgent: threat actor in systems." Read the email. It goes on: "We tried to black hole the transit nodes used by this advanced persistent threat actor. However, there is a huge chance you will modify as attack with fast flux technologies" (I don't know if that ties into a flux capacitor or not) "which he proxies through multiple global accelerators."

[00:11:53] So this is somebody who doesn't really know what they're talking about. They're just throwing up big words. "We identified the threat actor to be somebody whom is believed to be," of course, "whom," wrong usage of the word here, "is believed to be affiliated with the extortion gang The Dark Overlord," comma, uppercase.

[00:12:18] "We highly recommend you to check your systems and IDS monitoring. Beware, this threat actor is currently working under the inspection of the NCCIC, as we are dependent on some of his intelligence research. We cannot interfere physically within four hours, which could be enough time to cause severe damage to your infrastructure.

[00:12:44] Stay safe. U.S. Department of Homeland Security, Cyber Threat Detection and Analysis, Network Analysis, Total Control Panel." So this is classic when it comes to scammers. And the classic part is that you could do... Is the grammar's bad. The wording is confusing, his punctuation is wrong, and he's throwing out a whole bunch of words that are used when it comes to hackers.

[00:13:20] There are things like advanced persistent threats. That's one of the biggest problems, in fact, businesses have today. But in reality, the way he used it is incorrect. Now, that's something I would notice, 'cause I've been doing this stuff for more than 30 years, but the average person is never going to notice something like this.
[00:13:44] So it's been pretty, in fact, pretty successful. Now, a little different than usual here: these fake messages don't have attachments. They don't have phone numbers. They don't have web links. Therefore what? Your email filter is not going to look at them and say, oh, these look risky, these URL links are going to risky sites.

[00:14:11] I'm going to block it. That's what we do. We have the advanced email filtering from Cisco that we use for our clients, and that includes their amazing artificial intelligence for phishing and stuff. So an email like this is not going to trigger those types of alarms. So they're saying don't panic, avoid contacting the FBI for further details, and ignore the accusations that are made in the email.

[00:14:39] This is Sophos, though. Sophos is a cybersecurity company. They have a lot of stuff. They have some pretty good stuff. It's not, there's not. But Spamhaus is tracking it. Now, if you've ever been blacklisted, it's called black holing really, by people who might've used your domain to send spam, or maybe you're a spammer, you've heard of Spamhaus, and I've been blacklisted before, inappropriately.

[00:15:07] The good news is my domain that I use for emailing is about 30 years old as well. So it's got a pretty good reputation over the years, but Spamhaus is saying now that this is a scam; they've been tracking it. It's a well-known scam and it's been widely circulated to those office managers that I said are often the people who call us when there's a cybersecurity problem, or we get calls from office managers when something doesn't look right with the emails.

[00:15:44] And we have a client that had been getting these weird emails, and we were called saying, what's going on, have a look. We looked and we found all kinds of problems. So that again, an office manager approaching us and thinking everything's fine because they had Norton and they had the more advanced Symantec stuff, and it didn't catch
[00:16:09] any of this really nasty stuff, but that's part of what Spamhaus does. And they're looking at it and saying, oh, okay, wait a minute. Now we're seeing these emails come out. They are definitely not coming from fbi.gov, which is what the return address is. And so Spamhaus tags it, SpamAssassin's going to tag it, and it's not even going to make it

[00:16:37] anything about a log on our email filter. So a number of people have received it. If you've received this email, I'd love to know it, because they really are trying to go after the people who are a little bit more into this. Now, how do they find them? Apparently they have stolen the email addresses by scraping them from public sources.

[00:17:03] So databases published by ARIN, for instance, the American Registry for Internet Numbers. And I'm assigned my own number, it's CP205, because I was so early on, by ARIN. They're the guys that have been managing the basic internet domain stuff here in the U.S. for a very long time. And it also doesn't mean, by the way, that ARIN had any sort of a breach.

[00:17:28] And really just showing that the crooks behind this disinformation campaign have really been focusing on people who appear to be in network administration, because those are the email addresses and names that ARIN is going to have. So why are they doing this? Why are they sending it out? Frankly, it's kinda hard to tell. Some of the emails have a QR code in them.

[00:17:58] Now that is intriguing, because here's how, again, a lot of these basic email filters work. They look at it, they say, what links are in there? How many links? How much of the email is a graphic? And they understand, well, it's going to internetbadguys.com. There's the link right there. Forget about it.

[00:18:22] I'm not going to forward this email to the intended recipient. But if there's a QR code in that email, to almost every email filter out there, it only looks like a graphic.
So it might've been a picture of your mother as far as it knows. Most of them are not very smart. So you, getting an email, having a QR code in it and saying, oh, that's interesting.

[00:18:47] Let's check out that QR code. That's where the hazard comes in. All right. So be very careful. Fake news like this, it's not only unfair to the people who are accused in it, which is what happened here. They can be accusing your own IT department. They can be accusing people within your department, which is typically what's happening, and then what they may try and do, now that you don't trust your IT people, your security people, because they're mentioned by name in the email, but remember their names are probably scraped off of a

[00:19:27] that you don't trust them. And now they attack you and you don't trust that you've been attacked. So fake news, a term coined by Hillary Clinton during her campaign, but that's exactly what it is, entirely fake. So this email, if you get one from Homeland Security about threat actors in your systems, is almost certainly

[00:19:51] fake. Stick around. We've got a lot more coming up. Don't forget to subscribe. Get my weekly newsletter. I'm going to be publishing even more, I think, probably starting next month. I'm going to be sending a couple emails out a week because I got to get you guys up to speed so that you're ready for the upcoming bootcamp.

[00:20:13] Stick around.

[00:20:15] Everybody knows about the chip shortage, right? Computer chips. They're just hard to find. I'm hearing all kinds of ads from Dell lately on the radio. And they're saying just buy now. They're not selling new high-end machines anymore.

[00:20:30] This is a story from The Verge about who has allegedly kinda stepped in about Intel's plans to increase chip production.

[00:20:42] And you'd think that the White House would be encouraging chip production, considering the shortages. Just this week, it came out Tesla hasn't been delivering their electric car
without USB ports. Other manufacturers are no longer providing you with an electric window for your car. It's a crank window.

[00:21:05] Car manufacturers did it to themselves, frankly, by stopping orders for chips during the lockdown, thinking that somehow people wouldn't need cars anymore. And yet their sales of cars went up, and when they go up, yeah, guess what happens to the price? The price goes up, right? Inflation. You have more money chasing fewer goods.

[00:21:29] So they really nailed themselves. Don't feel so sorry for some of these car manufacturers. We need more chips. I mentioned one of the manufacturers of PCs that many of us use in our offices and use in our homes. Dell is a good company. They have been for a long time. However, you gotta be careful when you're buying computers, because Dell makes very low-end computers all the way up through good solid servers.

[00:21:58] Same thing's true with HP, Hewlett Packard, excuse me, Hewlett Packard. Remember those guys back in the day? Yeah. They also make everything from cheap computers that you never would buy, should not buy, all the way up through really good ones. It's like going to Walmart. You go to the Walmart and you don't want to buy any of the computers sitting there, with one exception.

[00:22:24] And that is the Chromebook. If you buy a mid-tier Chromebook at Walmart, you're going to get a good little computer. Doesn't run Windows, doesn't run Microsoft Office, Word, et cetera, but it can still edit those documents. And it's a very good machine that is kept up to date. Just watch the price. A $110 Chromebook probably isn't going to last.

[00:22:48] It doesn't have much storage on it, et cetera. A $2,000 Chromebook is probably major overhead. So go somewhere in the $400 to $500 range for a Chromebook, which is, by the way, where they're selling some of the laptops. Wouldn't those laptops, same price point? Now again, that's why I just wouldn't buy any of that.

[00:23:12] So we need more chips.
We need higher-end chips. They are very hard to get our hands on right now. We're talking about electrification of everything. And if you've heard me on the radio during morning drive time, I've been just bemoaning how the government's putting the horse before the cart. They're out there saying electric, and shutting down pipelines and coal mining and coal power plants.

[00:23:39] Although coal is one of the cleanest energy sources nowadays because of all of the scrubbing that's going on with the output of the coal plant. And also, of course, they've been stopping most of the nuclear plants from coming online, even though the new technology in nuclear is impossible to fail.

[00:24:01] They use basic physics to make sure that these things aren't going to do a Jane Fonda "China Syndrome" thing. Okay. So it's just crazy. We don't have the electrical. Even if we put up, it would take literally millions of wind farm turbines, and obviously millions of roofs and fields covered with solar cells.

[00:24:29] We would still need nuclear. We would still need other sources of power, because the sun doesn't shine all the time and the wind doesn't blow all of the time. This is just completely backward. People aren't thinking it through. It's again, it's the knee jerk. And of course they're investing heavily, they being the congresspeople themselves, particularly those congresspeople like the Al Gores of the world and Nancy Pelosi and Chuck Schumer, because they are forcing a move to this technology that isn't ready for prime time.

[00:25:05] And at the same time, we are trying to buy electric cars. How are we going to charge them? How are we going to run our homes? It's like Europe. People froze to death last winter in Europe. It's going to happen again this year. And think about what happened in Texas last year. Yeah. Some of that was because they weren't prepared, but guess what else happens?

[00:25:30] Sometimes the wind isn't blowing in Texas.
So there's just all kinds of problems. So Intel is saying we got to increase our chip production. Intel's main business right now, by the way, seems to be moving towards making chips on behalf of other people, other companies, rather than making their own chips.

[00:25:53] Isn't that kind of interesting? And the industry, the chip fab industry, the ones that fabricate the chips, make the chips, are spending about $2 billion a week, according to the latest numbers I saw, to try and expand the manufacturing. Apparently Intel went to the White House because they want some of our tax dollars.

[00:26:17] The money they'd take at the point of a gun. They want some of that so that they can build their business, build it back better. And apparently some sources close to the situation told Bloomberg that Intel proposed making silicon wafers in a Chinese factory, which could start production towards the end of next year.

[00:26:44] But in a move that I agree with, the Biden White House apparently strongly discouraged Intel due to potential security issues. Yeah, no kidding. Some major security issues here. We don't want to give away our technology to make this leading-edge stuff. Think about the U.S. We were always the country that people came to for technology.

[00:27:15] I mentioned this week on the radio the cotton gin, way back when. Look at how much labor that cut. Look at the internal combustion engine. And again, the Teamsters, the horses, the cleanup crews in New York City. All of that went goodbye, pretty much, because of technology, and people got higher technology

[00:27:40] jobs and everyone became more efficient, and that's what's supposed to happen. Right now, basically, we have stagflation. In other words, prices are going up, but we're not getting any more productivity out of it. That's a real problem. And that's why they keep talking about the problems we were having in the late seventies.
[00:28:01] And I remember those well. I remember gas lines, sitting there in California waiting to buy gas. It was incredible what was happening out there. So Intel thinks it needs to secure funding from the federal government in order to ramp up the production. Bloomberg announced, or well, said that Intel currently has no plans to produce silicon wafers in China after discussing it with government

[00:28:31] officials, and it will instead consider other solutions. Now I hope those other solutions are to make those plants, those chip fab plants, here in the United States. Let's put ourselves back on a leading-edge footing here. Google moved its artificial intelligence lab to China. Talking about an anti-American thing to do: moved it to China, artificial intelligence.

[00:29:01] That's something we need. The U.S. needs to be the world leader in some of these technologies. And frankly, we're not the leader anymore. It's, it frankly... So you can check this out. It's on The Verge. You'll also find it up on my website, CraigPeterson.com. Make sure you sign up for the newsletter so you can get all of these little trainings. Five minutes a weekend can make a big difference.

[00:29:33] CraigPeterson.com.

[00:29:35] Hey, I don't want to depress anyone, but Bitcoin is now a 13-year-old teenager. And back in January 2009, Bitcoin was priced at, well, wow. We'll get into this in just a minute.

[00:29:51] Bitcoin: January 3rd, 2009 is when it was launched. And a Bitcoin was priced at, you ready for this? Point

[00:30:03] zero 8 cents each. Okay. And because of that, a lot of people have been saying we've got to get into this, and that in fact Elon Musk has been pushing up the price of another digital currency. All of the initial price increases in Bitcoin were due to fraud.

[00:30:26] According to a lot of reports, and we can get into those if you'd like. Fraud. Yeah. That's a great way to launch a whole new product. And they also played some other games.
For instance, the biggest driver of Bitcoin price for a long time was crooks. For ransomware. Yeah. People had to buy ransom and pay ransoms.

[00:30:54] How do you pay a ransom? Well, usually it was with Bitcoin, and that meant you had to turn U.S. dollars or other foreign currencies into Bitcoin. And as economists in the White House don't seem to understand, when there is more money chasing a limited commodity, the price of the commodity goes up, whether it's gasoline, food, or Bitcoin, and that's exactly what happened.

[00:31:27] Percentage-wise, how much of an increase has there been in the value of Bitcoin? Let me see here, if I can figure this out. 7 billion, 750000000% increase. Isn't that something? Now, of course, we don't all have these magical glasses that let us look forward to figure it out, but it's based on this peer-to-peer electronic cash system that was written about by someone or a group of people that went by the pseudonym of Satoshi Nakamoto.

[00:32:07] And there've been a few people over the years who have claimed that they are the person that started it, and maybe one of them is, and maybe none of them are. Who knows? But this was first published October 31st, 2008. So about a month later is when it started to trade, and it is just incredible here.

[00:32:29] Bitcoin was really perceived initially as a threat by government and financial institutions. I think it's still perceived as a threat by government. They are able to track Bitcoin and other cryptocurrencies in many cases, and the way they track it is, well, if you have Bitcoin, what good is it unless you can use the Bitcoin to either buy something or to trade it for U.S. dollars or another hard currency? That's how they're tracking.

[00:33:03] Without getting into a lot of detail here, but it's interesting to look at, because the Bitcoin white paper is proposing a solution to prevent what they were calling double spending.
And when you don't trust a third party necessarily, and that's where we got these logs, if you will, the balance sheets that were being used to track everything.

[00:33:29] And then you had the voting. You had to have 50% of these systems that were tracking all of the transactions agree on a transaction, et cetera. And that's actually been a problem for Bitcoin because of the intermediaries you have to go through or get to approve your transaction. It's, frankly, a problem that's really slowed down transactions.

[00:33:57] So you can't just go like with a credit card and pay for something and that's done. It can take you a day or more. Now, it's interesting that we're getting close to the ultimate limit of Bitcoin offerings. The blockchain's mined block number 707,000, which, by the way, offered a mining reward of six and a quarter Bitcoins.

[00:34:25] So think about that. It costs you more to mine Bitcoins than they're worth if you're trying to do it in the Northeast, pretty much anywhere in the United States. So don't just run out and start doing it. My son and I, I don't know, five, eight years ago, something like that, we decided we'd start trying to do some mining, and we didn't find any Bitcoins and it was just cooking some machines.

[00:34:50] And so we said, forget about it. And we gave up on it. It does have a hard cap. Then it's got a ways to go. I said it's approaching. It is, but there's 21 million Bitcoin is the hard cap, and the community that maintains the software and maintains Bitcoin, because it is a community, has been modifying the rules as time went around about how many Bitcoin you get when you're mining something, into solving these problems and how the blockchain works.

[00:35:26] And how many honest and dishonest mentions were in the original Bitcoin white paper, and how can they reject invalid blocks? So there's a lot of technical stuff going on and it's changing all of the time.
And ultimately it's the consensus mechanism that has been slowing it. So when it costs you more to mine a Bitcoin than you get for it...

[00:35:54] So let's do a little bit of math here. If we say that, how much is a Bitcoin worth right now? So we say current value of Bitcoin. I'm typing it in right now. So it's about $57,000 per Bitcoin. If, say, 57,000, here we go, 57,000 times, what did I say? Six and a quarter, right? So $362,000 equivalent is what the person who mined this block was paid.

[00:36:32] That sounds pretty good, doesn't it? Yeah, it really does. It adds up quite quickly. But when you consider that it costs more to mine a Bitcoin than it costs, than you get paid for it, $356,000, that's a lot of electricity on a lot of hardware. And because of that, China has shut down Bitcoin mining operations, because it uses so much electricity, and in the United States and in some other countries, but here in the U.S. and in the UK, some of these Bitcoin mining operations have been buying

[00:37:11] coal-powered power plants, coal-fired power plants, so that they can produce their own electricity so they can make it worthwhile to mine. So things are going to change. They're going to be changing the rules. As I said, we've got a total of 21 million Bitcoin ultimately. And so far we've only just mined number 707,540.

[00:37:38] So they'll change the rules. I'm going to keep an eye on this, 'cause that's an interesting one. Elon Musk, his quote is, "Cryptocurrency is fundamentally aimed at reducing the power of a centralized government." And that, by the way, can be one of the main reasons that Bitcoin hasn't been really adopted in the mainstream yet.

[00:37:58] And Elon has all kinds of tweets about Bitcoin and other cryptocurrencies. He says, "Bitcoin is my safe word." Isn't that something? He's been primarily the guy behind Dogecoin, which is yet another cryptocurrency, D-O-G-E coin, Dogecoin. And you can find that online.
I think it has, is Dogecoin even publicly traded? Well, it's certainly traded as a crypto.

[00:38:28] Okay. So Dogecoin right now is worth 22 cents. It's down from its month, week, and day highs. I'm looking here. Yeah. Yeah. So it's gone up and down. It's been worth more. Yeah. A couple of weeks ago. So that's part of the problem with it. If you don't have money that you can absolutely waste, don't buy this stuff. And I'm not an investment advisor, but I've never bought any Bitcoin or any other cryptocurrency.

[00:39:01] And the problem is, from my perspective, that it is not real at all. Yeah, you can say, look at this, I could have made 7000000% on that. You could do the same thing almost if you had, instead of buying a brand new Tesla Model S eight years ago, seven years ago, and paying $77,000 for that...

[00:39:25] If you had bought $77,000 worth of Tesla stock, you'd be in the millions of dollars in value. And so we've got the Rivian company out there. I don't know if you know these guys or not. I watched a motorcycle show. They're going from the tip of South America all the way on up to San Diego. And they had this Rivian electric truck, which is really quite cool.

[00:39:52] They are public right now. They just went public. And they have a market capitalization, in other words, a value of Rivian, which has only made a couple of dozen vehicles. That's it, total. And they're owned by people who work for the company. Their market capitalization is 50% more than most of the major manufacturers out there. It's just crazy how much it is worth. And why? It's because people are looking at it saying Tesla appreciated 7000000%.

[00:40:30] Rivian's going to do the same. And by the way, they are cool cars. I love the idea behind electric vehicles. It's just that we got the cart before the horse. We don't have the electricity. We're not making the hard decisions. We're just ripping stuff out. It's absolutely crazy.
By the way, they had a 15% drop in the value of their shares on Wednesday.

[00:40:54] It'll go up. It'll go down. But it's, it's something we got to... Tesla, remember? Okay. Cryptocurrency is not it yet. Tesla stock is worth something, will probably always be worth something. Cryptocurrency is worth something, but tomorrow may be worth zero. And don't go crazy. These market caps of startup companies that have never done anything, being worth 50% more than major U.S. auto manufacturers.

[00:41:26] What? That's crazy. Visit me online. CraigPeterson.com.

[00:41:33] Clothing prices have been going up. In fact, apparel prices were up 4.2% in the last 12 months, that as of August. We've got cotton going up. There's a whole bunch of things that are going up, and a company out there called DressX thinks it has a solution for all of these prices.

[00:41:58] Hi everybody. I'm Craig Peterson, your cybersecurity strategist and all-around technology guru. And you're listening to News Radio WGAN, AM 560 and FM 98.5. I'd like to invite you to join me on the morning drive right here on WGAN, Wednesday mornings at 7:30. Clothing has been going up.

[00:42:26] Everything's been going up. I put some gas in my car the other day. I have, you might know, of course, a 1980 Mercedes, and my wife drives a nice little Ford Edge, not a particularly big SUV, I guess a midsize SUV. And I put, I think it was about 15 gallons in, and it cost me more. $55. I can't believe it.

[00:42:57] We used to have a little diesel, little Volkswagen Passat diesel. We would drive around and we were getting pretty close to 60 miles per gallon around town. And diesel was about a buck a gallon, and it cost 20 bucks to fill the silly thing up. And we could drive all the way down to New York City and back on

[00:43:17] $20 worth of diesel, one fill-up. Okay. None of that's true anymore, is it? And we're looking at some increases.
It's not like the kind of increase we've seen in certain foodstuffs or gasoline or heating oil. Apparel prices are up, and there's a company out there that thinks that maybe they have a bit of a solution for you.

[00:43:41] It's called DressX. I found a video online of a young lady who's got a lot of followers, interesting lady. And she was trying them out. She tried a different dress or different clothes every day for a month. No, I did not watch all of the video, but I got the basic idea. And the idea is that people are buying digital clothes.

[00:44:09] Now, think of that for a minute. Would you pay for a designer... and maybe you wouldn't pay for a designer dress already. And AOC's dress that she wore, the lady of the people, only cost, what was it? $30,000 per seat for her to go to that banquet. And I think her dress was like five or $6,000.

[00:44:33] You can get a dress just like AOC's, that's designed by a high-end fashion designer, for somewhere between 40 and $60. Okay, but it's a virtual dress. It's not a real dress, not in the real world. It's interesting what they're doing and trying to do. If you have used some of these online sites like Instagram, they have various types of what they call filters.

[00:45:01] So you can put a filter on you, and there's like a makeup filter, for instance, that makes you look like you're all made up. It gets rid of all of the blemishes, and there's other filters that do backgrounds and do different things and make you look like you're a kitty cat or whatever. They do all kinds of crazy things.

[00:45:22] This company called DressX has now come out with filters that you can use in their app. And they don't work too well right now, but people have been buying these digital clothes. Now, you don't wear them out. Okay. This is really like the King's New Clothes. You might remember that story.

[00:45:46] And if all you have on are your digital clothes, you don't have anything on.
However, what it does is, if you're using their app and you're moving around, the app pastes these clothes on you. It's a little funky right now. It's not the best, but you can bet that's exactly where it's going. [00:46:09] And it reminds me of a Bruce Willis movie; I couldn't remember the name of it. I think it's really bringing up a whole type of dysphoria that I think people are going to have more and more, where you're living in this artificial life, and that artificial life that you're in, now that's called Surrogates, I was just looking it up as we were talking, that artificial life that you're in is so nice [00:46:40] you don't want to live in the real world. And I'm starting to see this now with things like DressX, which you'll find online at dressx.com. You can now wear anything you want. You can use the filters that are available generally to change your appearance, to change your ethnicity, to change anything you want. [00:47:04] And if you ever saw Surrogates, it was a very interesting movie. I liked it. I watched it because I generally like Bruce Willis and Rosamund Pike, who were the two primary actors in this movie. But in the movie, everybody was just sitting there in these 3D chairs, and while you're in that chair, you could be anybody, anywhere, doing anything, and literally anyone. [00:47:32] And so you're sitting in the chair, and if you look around you, it looks real, it feels real, everything about it is real, at least for the most part, but in reality none of it's real. And these people, some of them got out of those chairs, and while they were out, nasty things happened to them. In fact, he was a cop, and they were investigating some murders of these people who were, again, using what they were calling [00:48:05] surrogates. Nowadays, with what our friends over at Facebook are doing, you are going to see it called something else. Facebook, in case you didn't know, Facebook changed its name.
Now, Facebook is still Facebook, but the parent company, like Google, split off and changed the company name. Facebook did the same thing. [00:48:27] They're calling it Meta. And the idea is to have this meta universe where, again, just like in Surrogates, nothing is real. Just like on DressX, you can wear any fashion you want to, and instead of paying thousands of dollars, you pay tens of dollars, basically. Now, I mentioned that their video isn't very good, [00:48:53] at least not yet, over at DressX, but you can go to DressX, you can take photos of yourself and send them to DressX, and they will go ahead and put whatever clothes you want on you. It's basically, yeah, it's Photoshopping, but they do a pretty good job in general. I looked at a whole bunch of them, and it looked pretty real. [00:49:19] You don't have to consider the fit. You don't have to worry about how big you are, because all of these clothes adjust infinitely, and a store doesn't have to stock a bunch of them. So we're moving to this whole metaverse idea and these digital clothes, which are really a thing nowadays, as Vice said, vice.com. [00:49:43] We're moving more and more to this unreal world, and some real unreal fashions too. I'm looking at some of them, and it's hard to even describe them. It looks like there are all of these things growing all over the clothes that are coming out and just doing all kinds of weird things. So there you go. [00:50:06] One more note on fashion: I'm looking right now at a picture that's right in front of the Metropolitan Museum of Art in New York, and a lady is wearing one of these digital dresses. Now, they tell you what you should be doing when you take that picture: wear skin-tight clothes so that they can match the digital clothes to you a little bit better. [00:50:31] But we'll see. She's saying in this tweet, in front of the Met, she's saying, I just can't wait for the Met Gala.
What it will look like in 2121. Because you know what? She's not wrong about this. It's really going to change. There's some real cool stuff. Go to my website if you want to see this. You can find it on Vice, but I have a link to it. [00:50:54] Just look for this show's notes and you'll find it right there. In fact, you can even search for it on my website, because I have everything transcribed. Just look for digital clothes, because they are a thing now. Hey, I also want to talk a little bit here about the next little article, which is what's happening right now with Apple. [00:51:17] You've probably heard about these ID cards. In Austria right now, they are stopping people randomly and asking for their papers. They want your papers if you have not been, they call it, vaccinated. It's not a vaccine, really. It's so funny to see the CDC change the definition of vaccine just so it meets their jab standards. [00:51:45] But if you're not vaccinated, there's an immediate, it's about a $3,500, fine that the police officer will issue to you. And of course, there's police everywhere, just stopping people randomly and asking for their papers. Apple is making the various US states that have decided they want to use a digital ID card pay [00:52:11] for customer support and also for some of the technology. Now, the initial idea behind this, and Apple has been working on it for a while, is that you can have your driver's license in the iPhone Wallet app. More secure? It's certainly more convenient for most people. Sometimes you might forget your wallet, but most people don't forget their iPhones. [00:52:38] Yeah. The feature, when combined with Apple's biometric security measures, really could also cut down on fraud. So we've got about a half a dozen states right now that have signed up with Apple and are paying part of the freight for these things. And when they pull you over and ask for your papers, you'll have them right there in your iPhone.
[00:53:00] Isn't that handy? Stick around. We've got more to talk about. Thanks for joining me today, and visit me online: CraigPeterson.com. Stick around. [00:53:11] I had more than a little guilt installed in me when I was a kid, and I still have it to this day. There's a lot of people who had that, right? There was your mother, maybe your father, but man, these scammers are using it. [00:53:26] This new scam is an interesting one. [00:53:29] It's a consumer complaint email scam, and it really is building on your fear of getting in trouble at work, right? It's your fear of just basically getting in trouble. And man, did my mother ever beat that into me as a child. So the bad guys are using this now. Great article over at Sophos on their Naked Security blog here. [00:53:59] The goal of these criminals is really to make you feel guilty, to convince you that you haven't done something, that you skipped doing something, or maybe you did something wrong, and you've caused a serious inconvenience not only to the company as a whole, but to someone more important than you inside the organization. [00:54:26] I'm looking at an email right now. It's to Paul Ducklin. It says: Doc, I'm on my way to the Sophos post office. Why didn't you inform us about the customer complaint in PDF on you? Please call me back now. The main manager assistant, is how it's signed. And it's got a link right there to what looks like a customer complaint form, [00:54:51] supposedly in PDF. So technically this is called spear phishing. It's a targeted attack, and it greets you by name and pretends to come from a manager in your company. So they've done a little bit of research on you and on the company, and that makes it something that really pops out, because we're all used to ignoring the Nigerian prince scams. And I helped to design a system, [00:55:23] in fact, that got rid of those Nigerian prince scams and found some of the scammers.
But have you ever had an angry customer who was yelling at you and said something like, just you wait, I'm going to report you to your manager? It's scary. I'm going to ask, like, what did I do? I was at a McDonald's this week grabbing a double cheeseburger, and the people who were running the drive-through were amazing. [00:55:54] Simply amazing. And the guy who handed me the bag was, again, really great. You don't see this type of person very often in so many of these lower-end, if you will, jobs. And so I asked to speak to the manager. So the guy called over his manager, says, I don't know what's up. And she came over, and I congratulated her on how wonderful her team was, that the lady that took the order was just as pleasant and helpful as can be, [00:56:27] and the young man who handed me the food, again, greeted me nicely and just took care of everything. It was just absolutely amazing. But I could tell that he was worried about what I was going to say. Is he going to get in trouble because of something he did or didn't do with his manager? Because he doesn't want to get [00:56:49] fired, obviously, but he doesn't want to get onto her bad side either. How about if you got one of these types of messages in your mailbox? Because if you're feeling guilty and you're afraid of what's going to happen, they have now activated a center in your brain, basically the lizard level of the brain, that is going to cause you to make mistakes. [00:57:15] And you are going to hurry and feel guilty and click the link. It's just like that customer of ours, where he clicked the link in an email thinking it was from the Better Business Bureau. It's the same sort of thing: worried about, oh my gosh, what's going to happen here. Oh no. Operations manager of the business, [00:57:34] it can be a lot of trouble. The owners are really going to be upset with me, and he opens it up. And what is it?
It's ransomware. Now, the good news is we were protecting them, and since we were protecting them, the ransomware was stopped in its tracks, and that's what you want to have happen. But they were using the same psychological tactic. [00:57:56] So we've got to be careful, right? This is more believable than a dear colleague or hello. It's got your name in it. And when you look deeply in the headers, you'll see that it's fake. But from the basic text alone, not so much. Interesting. Here's another one: attention, and your name, dear you, [00:58:21] you're in big trouble. I suggest you bring your coat when you come to the meeting. Yours sincerely, and it's got the outsourcing manager's name as a signature. So yeah. Okay. The junior staff in these outsourced jobs, like the frontline support, the pressure's high. You're getting these, you're going to make mistakes. [00:58:43] So I just want to warn everyone. Watch for mistakes. Watch what you're doing. These PDFs that they're sending you are not necessarily legit. You'll click on the link. It's going to have something that usually says something like customer complaint PDF. You're going to download the thing, and then you're going to click on view my file. [00:59:06] And of course, preview PDF is not really going to preview the PDF. In fact, in this particular case, Sophos is saying that it was a Microsoft app bundle. Okay. It's like a PKG format. So be very careful. The other thing that we've seen a lot of, and it's still happening now, is aimed at Adobe. [00:59:29] Now, Adobe has had some horrible software from a cybersecurity standpoint, such as Flash. You should no longer have Flash on your machine at all. Apple has never directly supported Flash. They never shipped it because of the major security problems and because of the issues that Apple and Adobe had back and forth with each other; that's kind of a separate thing. [00:59:55] The PDF
component, Adobe Reader, that so many people have: you don't need it on a Mac. It's really rare that you need it. Preview, the built-in Mac reader, works great, and you can fill out forms using just Preview. A Windows machine doesn't have that feature, so you've got to get the Adobe PDF component. Knock yourself out and get it, but be careful, because [01:00:23] it is one of the top things people are using to lure you into downloading bad stuff. So you can see, in this particular case from Sophos, sometimes a trusted app with the check mark, and it's totally bogus. Okay. If you click on trusted app, you'll see what purports to be a software bundle from Adobe in the US, and the digital signature is from an accounting firm in Southeast England. [01:00:56] So it's all stuff to look at. Here's the bottom line. If you get an email like this and you're not sure, if it claims to be from your bank, the IRS, you name it, reach out to them directly. Call them. Look them up. Do not use a phone number that's in the email. Do not use a phone number that's in a page linked from the email. [01:01:22] Find out what their number is, call their customer support and find out if it's legit, or contact your security people to find out if it's legit. It's really that simple. Okay. Very simple. So check it out online. Again, this was a Sophos article, but you'll see it at my website, CraigPeterson.com. I also want to remind everybody, in case you haven't heard, maybe it wouldn't be a reminder, right? [01:01:48] That we're doing some boot camps starting up here soon. Free cybersecurity boot camps are going to teach you things you can do over the course of an hour that are going to 10X your cybersecurity stance. That's the whole goal of the boot camps and workshops. Stick around. We'll be right back. [01:02:11] CraigPeterson.com. [01:02:13] What are the features these secure email providers are providing? What are the costs? Which ones might you want to consider?
We're going to run through the top three right now. What are their features, and why would you want to use them? [01:02:30] We started talking a little bit about ProtonMail, some of the real basics here, and it is still kind of the 800-pound gorilla when it comes to secure email. Finally, they had to capitulate to the Swiss court, because they are located in Switzerland. [01:02:49] So it just goes to show that even being Swiss doesn't mean that it is completely secure. Then there's a difference, too, I want to point out, between having a government issue a subpoena and a court order to have your information revealed. There's a big difference between that and a hacker who's trying to hack you and get into your life. [01:03:16] So I think most of us understand that we need to be secure in our documents. We need to have that privacy that is guaranteed to us by the Constitution, but we also need to have one more level of security, which is, okay, how about the hackers? So having a hack-free life means there's a lot of things that you have to be concerned about, email being one of them. [01:03:43] So I'm not too worried about ProtonMail and the fact that they had a court order to provide IP addresses for a specific group of people. It was a very small group, and I can see that. I can agree with that. ProtonMail does have a free version. That's the one I have, because I want to try it out. [01:04:06] It has 500 megabytes of free storage. You can get up to 20 gigabytes, and ProtonMail starts at $4 a month. It has end-to-end encryption, which is really important. Again, it means from you all the way to the recipient. All three of these that I'm going to talk about have end-to-end encryption. [01:04:32] They also all have two-factor authentication. Remember, when we're talking about two-factor authentication, a lot of places try to pass off this thing where they send you a text message with a number in it. They try and pass that off as two-factor authentication.
Yeah, it is a type of two-factor authentication, but it's not a good one. [01:04:53] If you're already doing something like, maybe you've got cryptocurrency, you are potentially not only under attack but very hackable if you're using a text message in order to verify who you are. So that's an important thing to remember. ProtonMail has self-destructing messages, which is a very big thing, very positive. [01:05:18] It tends to be expensive. ProtonMail, being the 800-pound gorilla, kind of dictates what kind of price they want to charge, and they are on the more expensive side. The web client is a little bit on the outdated side. It does not support POP3, which I doubt is an issue for any of you guys out there, because nowadays the modern email clients aren't using it [01:05:45] anymore anyway. Now, ProtonMail has PGP support. I use PGP. I have it built into my Mac Mail, and it allows me to send and receive end-to-end encrypted messages. And that's something you might want to look at: a plugin that uses PGP or GPG, which is effectively the same, which allows you to send and receive encrypted email using your regular email client. [01:06:15] However, the person who's receiving it at the far end has to have that PGP client, or GPG client as it is. So it might not be the best idea in the world to use that. I use it, and I use it for people within the organization that I know have PGP, because, again, we're dealing with third parties' information. [01:06:38] We have clients, and the clients trust us, so we have to be pretty darn careful with some of that stuff. So that's our first one, ProtonMail. It's something I've used. I know a lot of you are using it. I had so many responses to that email that I sent out to everybody talking about secure email and specifically ProtonMail. [01:07:00] And you guys were all telling me, hey, listen, I've switched, I'm away from Google forever, because Google is by far the least secure of anybody you could be using out there.
Now, the next one is called Tutanota, T-U-T-A-N-O-T-A. So I don't know if it's Tutanota, tuta-nota, or something like that, but it's T-U-T-A-N-O-T-A. I'm sure you guys are all going to send me pronunciation guides. And it has, again, a free version: one gigabyte, [01:07:34] so twice as much as ProtonMail. It doesn't really offer quite as much storage, but it starts at $1.18 a month, down from ProtonMail's four bucks a month. It also has end-to-end encryption. It also has two-factor authentication. It has an encrypted search function, a calendar function, and aliases. I use aliases not only for my hack-free life, but I use aliases because I like [01:08:04] to use a different email address for pretty much everybody I'm dealing with. So the way to do that is with an alias. One of the problems here with Tutanota, this is a German company, I bet you it's a German word somehow, Tutanota, is that it is in Germany. Germany is one of those 14 Eyes countries. That means it's one of the 14 countries, large countries, that share information about people online and spy on each other's [01:08:42] citizens. See, that's how the governments have gotten around it. The governments have preclusions from monitoring their own citizens. So what do they do? Well, they all get together. It started with the Five Eyes, now it's twenty-something eyes, but they're part of the 14 Eyes agreement. So Germany, for instance, would spy on US citizens while they're in the US, [01:09:07] and the US will spy on German citizens while they're in Germany, and all over the world. Okay. So that's a negative. However, as a general rule, the European Union has pretty good privacy laws, so you're probably safe. And then the third one, which is again the third in my priorities here too, is called CounterMail. [01:09:33] Now, it has interesting features. For instance, they have what are called RAM-only servers. So the server boots up, obviously it has to boot off of some sort of a device, but once it's running, everything's in memory.
So if that server loses power, it loses everything. Now, that's an interesting thing to do, and it can be a problem if you're trying to store emails, right? [01:10:01] It has man-in-the-middle attack protection, which all of these do to one degree or another, but CounterMail makes that kind of a big deal. They have a safebox and anonymous payment systems that you can use. And it starts at $3.29 a month. They have a four-gig storage limit. They do not have a free version. [01:10:23] So I like this one, CounterMail, but I do use ProtonMail, at least for testing. Some other also-rans here that allow you to send and receive encrypted mail, secured mail: Zoho Mail, Z-O-H-O Mail. The XYZ is another one. Posteo. I've used Zoho before, by the way. Posteo, P-O-S-T-E-O. [01:10:51] You might want to look at mailbox.org and StartMail. So there you go. Top three: ProtonMail. That's still my recommendation if you want some secure email, and it'll cost you a bit. If you want cheaper, look at Tutanota, T-U-T-A-N-O-T-A. All right, everybody, make sure you spend right now about a minute. [01:11:16] Go to CraigPeterson.com and sign up for my weekly newsletter and training. [01:11:22] Theranos: is it an example of Silicon Valley and their attitude of fake it until you make it, or is it the reality of Silicon Valley? What's happening out there? WeWork and another. [01:11:43] Hi, I'm Craig Peterson, cybersecurity strategist, and you're listening to me on News Radio WGAN, AM 560 and FM 98.5. You can listen to me anytime, anywhere. Just grab the TuneIn app and type in WGAN, or pull out your smartphone. It's all there. Theranos. How many of you guys know about Theranos? They had a really great idea, and it was started in 2003 by a 19-year-old young lady named Elizabeth Holmes. [01:12:24] That is pretty young, but her idea was, why do we need to have a whole tube or more of blood in order to do blood tests?
With the technology we have nowadays, we should be able to just use a drop of blood and be able to test for hundreds of diseases with just a pinprick of blood. It seemed pretty incredible at the time, but she was able to [01:12:51] spin a yarn that got a lot of people right into investing in her company. We're talking about nearly a billion dollars in capital that was put into Theranos. How could she have fooled all of these people? Or was she fooling them? Was she doing what you expect to have done in Silicon Valley? That is, in fact, the argument that her attorneys are using right now. [01:13:21] She is on trial because this company, Theranos, was never able to produce tests that could just take a drop of blood and run hundreds of tests on it. And there's a lot of evidence that has come out that has shown, in fact, a great little documentary that I watched, not little, on her and the company Theranos, [01:13:47] that showed that they had in fact been taking vials of blood and using other people's equipment, not the Theranos equipment, to do the evaluations of the blood, to look for diseases, to look for things like vitamin D deficiency. That is, in fact, something that could have helped with this whole COVID-19 thing: [01:14:10] a real quick check of vitamin D levels in your blood. But what happened? Elizabeth Holmes was really a great talker. She was able to convince a lot of people and a lot of businesses, including Walgreens, to invest in her. Not only did she have Walgreens invest in her, but some of the biggest names that you can think of in the investing community, including Rupert Murdoch. He invested in Theranos. [01:14:41] Now, her argument, or at least her attorney's argument, is, hey, listen, we're not doing anything differently than any other Silicon Valley company that's out there. It's this whole creed that they have of fake it until you make it. Is that legit? Is it just one more lie from Silicon Valley?
There's a great article that was in Forbes talking about some of these, what are called, unicorns. [01:15:11] These are companies that are startups and are taken under the wing by investors, starting with angels and then moving into venture capitalists. Actually, even before angels: friends and family, and then moving into venture capitalist positions, and then eventually public companies. All of these businesses really required proof before they got any funding. [01:15:37] So here's an example from Forbes: Airbnb. Obviously, they had what we consider today to be a rather unique business model, but it had been tried before. The whole assumption was that people would rent rooms in their homes on this huge scale, but they didn't have any proof. They were the first to make it in this global trend. They built up this whole idea of becoming a hotelier yourself with your home. [01:16:08] But when the founder, Brian Chesky, tried to get angel capital, he did not get a dime. He had to prove that renters were interested and people were interested in renting out their homes, and that he could pull them together. Once he proved that, then he was able to get the money, and proof is what you need to have a viable business [01:16:34] first. It's really rare that you don't have to. Facebook was started by Zuckerberg, and you know all of those stories, but the whole idea was having Harvard students connect with each other. Then he expanded it to students at other universities and then expanded it to the world at large. His natural initial investors, like most, were friends and family, people who give the money to you because they want to see you successful. [01:17:01] Eventually, Zuckerberg was able to prove it and get money from Silicon Valley, and then VCs. I'm not getting into any of the ethics of how he did it, or any of these other people. Then there's Google. Google was started by these two Stanford students, Page and Brin, and they got angel capital from investors.
[01:17:24] But these investors were different than most. The investors in Google were people who were already very successful in the computer industry and could understand the ideas behind the algorithm and believed in Page and Brin, and that they could grow this company. Microsoft, again, another company that started with extremely questionable methods, was started by Gates. [01:17:52] And now, they didn't have any VCs either. They started by running programs for other people. They convinced IBM that they needed to license an operating system from Microsoft that Microsoft didn't even have the rights to, and then they went out and acquired it on a non-exclusive basis. IBM acquired it from Microsoft on a non-exclusive basis. [01:18:15] Then they got VC money after they started to take off. Okay. Amazon was started by Bezos with funding from his family and small investors from Seattle. He got a VC from Silicon Valley after he launched and was already earning thousands in revenues. Bezos had real proof. Walmart was started by Sam Walton with 25 grand from his father-in-law. [01:18:43] He built this business and financing strategy and used his skills to become one of the world's most successful companies as he grew. WeWork, I don't know if you've seen these, there's a great documentary out there on WeWork that I watched too, but again, like Elizabeth Holmes, he was a great guy at standing in front of a group and getting investors to put money in. [01:19:08] And he was even great at getting people to buy from WeWork. He even started this whole, I think it was called WeLive, thing where he had people who would move into the building that they were renting this office space from, and they'd all live there. They all had their own little units, and they'd get together every night and they'd eat together and have community and everything. Again, it collapsed when they couldn't sustain the momentum.
[01:19:38] And it was like a Bernie Madoff thing, where he needed more money coming in order to support it. And he got incredible amounts of money from this big Japanese investor. And then we've got Theranos, Elizabeth Holmes. She failed when this investigative reporter questioned whether the technology really works. The investigative reporter said, hey, can you really do hundreds of tests reliably with just a drop of blood? [01:20:10] Why did this reporter even have to ask the question at all? How about all of these investors, huge companies, including medical-field companies? How did all of them get taken in, basically, into spending about a billion dollars with her as an investor? It is a real problem. And it's a r