Crucial Tech, May 09, 2023
Episode 7.29 - Would you bet your job on that post?
Disinformation (intentional misinformation) has become a major support for both sides of all conflicts in the world. It was once called propaganda; now technology, mostly social media, has turned state-controlled information into a virtually immortal beast that can end up turning on its creator.
Episode 7.28 -- Privacy Not Included, in pretty much anything
Two years ago we interviewed Jen Caltrider, head of the Mozilla Foundation's Privacy Not Included group, and got an earful about how bad Meta's privacy was in its products. This year we caught up with Jen and she said they are still bad, but in two years they've been surpassed by Amazon and Google. Before you head out to buy those IoT gifts for Christmas, you might want to listen to this podcast and then check out the site.
Episode 7.27 - Deep fake acceptance increasing but at what cost?
Synthedia, a data research company focused on generative AI and synthetic media markets, recently dropped a study on awareness of deep fake and voice cloning technology that raised some interesting numbers. We are doing a deeper dive on the subject at Cyber Protection Magazine next week, but we sat down with Vijay Balasubramaniyan, the CEO of Pindrop, a study sponsor, to talk more generally about the findings and what the dangers of the technology are.
Episode 7.26 -- Update your software, but pay no attention to the statistics
The bulk of this episode is about the importance of updating your software no matter how painful it is, and we learn some valuable information about the FREE services of Trackd from its CEO Mike Starr that will help you do that with minimum fuss.
But the REAL reason I did this interview is that in their pitch to me and in Mike's interview, they used some statistics about the problem of cybercrime and its effects that are not based on truth. They've just been repeated over and over again.
That is an inherent problem in technology companies in particular: nobody checks their "facts" and, eventually, the customers learn that the vendors don't know what they are talking about, which kills sales. That is at the heart of the SEC lawsuit against SolarWinds. What the company thought their services and tools could do was not accurate. They weren't trying to fool the customers, but they did fool themselves.
For the next few months, I'll be digging into the theme of "Lies, damn lies, and statistics" in this podcast and on Cyber Protection Magazine. This is the first shot. That's why people like me exist...and there aren't many of us left, which explains why mis/disinformation is so widespread.
Episode 7.25 - LinkedIn account hijacked? It's not hopeless
Instances of LinkedIn users having their accounts hijacked are a familiar occurrence on social media. Reddit has multiple discussions about the nightmare of trying to restore access to this crucial business tool. So when a friend called me in a panic about having it happen to him, I knew it would be a great opportunity to test out the advice I give to others who have been hit.
It isn't easy. It requires patience. And you need all the help you can get from friends. But it can be done.
Episode 7.24 -- MGM Grand Breach, Social Engineering, and how to protect yourself
Episode 7.23 - Defense against the AI Arts
The rise of generative AI products for commercial use is probably the fastest and most controversial of any technological advance in history. Governments are scrambling to understand and regulate its use. Billions are being invested in development. At the same time, the general public’s interest in the technology has waned and industry pioneer OpenAI announced a potential bankruptcy in 2024 unless significant new investment is forthcoming.
But there is apparently no putting the genie back in the bottle, and it is left to all of us to figure out what we can do with it without causing outright disaster. So, for this episode, we have brought together this panel of experts to talk about how we can defend against the malicious use of the technology while we mine the benefits: Hyrum Anderson, co-author of Not With a Bug But a Sticker and an accomplished data scientist with a historical understanding of the tech going back decades; Haseeb Khan, Generative AI Ambassador at Google; and, representing the user base, Milan Lazich, a senior marketing executive, who will discuss concerns and best practices of generative AI.
The transcript of this discussion will be available in the AI special issue of Cyber Protection Magazine. It will be distributed to attendees at the it-sa exhibition and conference on October 10, and then made available to magazine subscribers in an electronic version after the conference.
Episode 7.22 -- Canada in the crosshairs for cyber attack
An August report from the Canadian Centre for Cyber Security said over the next two years, Canada is going to face significant threats from state-supported cyberattacks from Russia, China and North Korea.
Canada? What the heck did Canada do to earn the ire of those folks? Canadians are arguably the nicest people in the world. So we called up our favorite Canadian "cybersleuth", Ian Thornton-Trump, Cyjax's CISO, to get the skinny.
Episode 7.21 - Security is dependent on your access to the internet
Most people don't think about accessibility when it comes to the internet. We think of ramps and braille signs and audiobooks. But physical and developmental issues are much more complex than being able to get into a restaurant, especially when it comes to security. I talked with Justin Merhoff, chief of security for Deque (pronounced Dee-cue) Systems in Virginia, about the need to make software and digital systems usable for all people, not just most people. And there is an action item for all of you in the audience. The National Institute of Standards and Technology is working on the first draft of NIST SP 800-50, a standard for cybersecurity and privacy learning, but this draft contains virtually nothing related to people with physical and learning disabilities. If you or people you care about fit that category, now is your chance to give feedback on that standard. Go to the site and download the form for comments. Make your voice heard now.
Episode 7.20 -- There's a hard wind coming for cybersecurity companies
There are several reports indicating that the gravy train is about to come to a screeching halt in the cybersecurity industry. Fortune 1000 companies are freezing or cutting back on purchasing budgets for tools and services, which will hit the majority of private and start-up companies that have focused on that segment for 10 years. It's not all bad news. 80 percent of the potential market is all blue water, but it comprises small to medium businesses (SMB) that are not cyber-savvy, and they are ready to buy... as long as you can explain what you do in their terms, and demonstrate it works. We talked with Richard Stiennon, founder and chief analyst for IT-Harvest, and Grant Wernick, CEO of Fletch, which is enjoying remarkable success and growth by serving the smaller customers.
Episode 7.19 - ETSI is doing the heavy lifting on AI protections
As generative AI (GAI) platforms become more commonplace, concern over their security issues is growing. As with any digital product, security relies on four arenas: user responsibility, corporate accountability, government regulation and industry standards. The first two are unreliable because users feel put out by having to protect themselves and corporations don't like to spend money on security upfront. That leads to the third arena, legislation produced by people who don't know the difference between a thumb drive and a thumbtack.
That puts a lot of the load on industry standards, and one of the most active standards bodies is the European Telecommunications Standards Institute (ETSI). Cyber Protection Magazine's (CPM) editors Lou Covey and Patrick Boch sat down with Scott Cadzow, chair of ETSI's Specification Group for Securing Artificial Intelligence, about the progress and problems of standardizing safe GAI.
Episode 7.18 -- Ethics in an AI platform? Shut the front door!
One of the major points of contention in the SAG-AFTRA/Writers Guild strike is over ownership of the image and voice of performers. Bob Iger said allowing actors to control the use of their image is disruptive to the current paradigm. But my conversation with Anna Bulakh of Respeecher revealed that what the studios want is actually the disruption. Anna is the head of ethics for Respeecher. Yes, you heard that right. The HEAD OF ETHICS. Blows my mind.
Episode 7.17 - Generative AI as a defense against cyber attacks
Most of the discussion about generative AI is focused on how good or bad it is, without ever acknowledging that it is JUST a tool. We talked with Anurag Gurtu, chief product officer of StrikeReady, about how the technology can enhance, not replace, human involvement.
Episode 7.16 -- Perspective: Things are getting better
It's hard to stay positive about the state of the world as long as you listen to everyone complain about it. One truth overrides that for me: Nothing is as bad as it seems nor as good as some people might tell you. The trick is to focus on the goal. When you see progress... anywhere... take heart.
Episode 7.15 - VR Headsets: Boondoggle or Breakthrough?
The team at Cyber Protection Magazine doesn't just look at cybersecurity technology. Sometimes we just argue about tech in general. Chief editor Lou Covey and co-founder Patrick Boch have been talking about the Apple Vision Pro headset since it was first announced and still don't agree on it, but we thought the discussion would help others make up their minds on whether to invest $3500 now or wait until the price comes down. So we recorded our last discussion.
Episode 7.14 -- Taking a step toward stopping AI fraud with Pindrop
Generative AI is BIG business. Maybe too big. In the rush to commercialize and cash in on billions of dollars of investment, Big Tech is letting security slip through the cracks again. Adversaries are weaponizing AI to supercharge phishing attacks, destabilize governments and blackmail innocent people. This episode is the first entry in a months-long series of stories, podcasts, videos and panels on "Defense Against the AI Arts" (with apologies to Harry Potter). Our first subject is Vijay Balasubramaniyan, CEO of Pindrop.
Episode 7.13 -- How companies can assure customers their data is safe
Telesign is part of a growing security niche market dedicated to providing the infrastructure companies need to keep customer data safe. We talked with company CMO Kristi Melani about how the industry needs to educate not just corporations but also users about what is available to them.
Episode 7.12 -- Data for All by John K. Thompson: A book review
This episode is our very first book review. I edited Data for All late last year and had my eyes opened to both the massive amount of customer data collected by almost every corporation in the world, and the amount of digital waste produced by the effort. There is also a mini-review of Not with a Bug, but with a Sticker. These are two books that, if you read them (and they are both easy reading), will make you sound like an expert in AI and data science in any gathering of people. That may not be a good thing, but I enjoy it.
Episode 7.11 -- Rohit Ghai on the promise and problem of generative AI
#GenerativeAI was front and center at the RSA Conference 2023 in San Francisco. Companies were either promoting it as a means of improving security or warning against it as a security weakness. It was even the subject of Tuesday's keynote by RSA CEO Rohit Ghai, who took a neutral position that leaned positive on its potential.
But as he spoke, for the most part glowingly, about the AI age we are entering, some questions arose. So we contacted him through his PR agency and he graciously accepted an interview appointment to answer those questions. Our focus was, primarily, on the ethical use of generative AI and the failure of the tech industry to live up to its own stated ethics. The conversation was frank and illuminating.
Episode 7.10 -- What's up with Generative AI
You cannot spit without hitting a news story about generative AI (AKA ChatGPT, Bard, etc.). Some of the news is good, some of it bad, and all of it fairly confusing. Cyber Protection Magazine has been digging through the detritus to find what really is good or bad about it, and today we continue that with an interview with a very smart man: Dr. James Norrie, a full-time professor in the Management, Marketing, and Entrepreneurship department at York University and founder of the cybersecurity company CyberconIQ. He holds advanced degrees in cybersecurity and intelligence analysis, copyright law, and project management. And he has a very specific take on generative AI.
Episode 7.9 -- Getting to the bottom of the TikTok issue
TikTok has been in the news for quite a while, but at Cyber Protection Magazine, we are pretty sure we aren't getting the whole story, so we are starting a series of articles and podcasts to get to the bottom of the issue, starting with this episode.
We talk to Ian Thornton-Trump -- raconteur, iconoclast, cyberwarrior, and CISO for Cyjax -- and he, as usual, has a lot to say. As you listen you will find that the real problem is not in the app, but in ourselves... and in bad algorithm design.
Also, this is an ad-free episode. If you want to support the work we are doing, go to Cyber Protection Magazine and donate to the cause. The button is on the bottom of the page.
Episode 7.8 - Advertising isn't what you think
You can't talk in polite company about politics or religion, but everyone can talk about how they hate advertising. And for good reason. I take a break from discussing technology to rant about what tech companies do to get you to buy their stuff, and why you don't trust them.
Episode 7.7 -- Sextortion is a thing. How big a thing is questionable. But it is scummy
"Sextortion" is a popular theme in media and the news, but it may or may not be a big deal. No one can really come up with a consensus about what it is and how widespread it is. It's even difficult to pin down whether it is a crime. We talked with Ken Kuglin from Digital Forensics Corporation, a cybersecurity firm in Ohio, about how to deal with the attacks and about their free services to educate people on how to avoid or deal with sextortion.
Episode 7.6 -- Axiado seeks to crowd source a "data lake" for comprehensive cybersecurity
Cybersecurity has a healthier and older relationship with artificial intelligence (AI) than pretty much any other industry niche. That’s because the information available on cyber threats is better vetted than 90 percent of what is fed into ChatGPT and the Google and Microsoft versions of generative AI. But putting that data to use in security is not that easy… yet.
Cyber Protection Magazine has been talking with companies for several weeks as we study the constructive uses of AI in security and try to find a way through the hype. We recently interviewed the CEO of one such company, Gopi Sirineni of Axiado. They are about to launch a security co-processor driven by a unique AI that will be based on what Sirineni calls a "data lake" of attack schemes. This information is a "living" database that will be constantly updated. But to make sure it is as comprehensive as possible, they are enlisting the help of the worldwide cybersecurity community. To participate, you can contact Axiado through their website, on the corporate LinkedIn page, or by reaching Sirineni directly. More will be available at the magazine in the next two weeks.
Episode 7.5 - That IRS agent that called you is a criminal
Vishing, short for "voice phishing," is on the rise again. But then, it's been rising almost exponentially for the past two years. Last summer various organizations were reporting anywhere between 500 and 650 percent increases over the previous six quarters. Now, as US citizens prepare their tax returns, the scam is getting another bump. We had a chat with Brian McDonald, director of product development at Mutare, about their technology and the problem of vishing.
Episode 7.4 -- Avoid being a big, stationary target
Being a security company that gets hit with a data breach or malware attack is embarrassing, besides the fact that it scares the hell out of your customers. But the current tech fad of "decentralization" holds a pretty good lesson for anyone thinking about establishing a security operations center, virtual or otherwise. We talked with the CEO of Dispel about how they've been decentralizing security operations for infrastructure clients for years now.
Episode 7.3 -- All things Data Privacy!
If you're like us, #dataprivacyweek snuck up on you and almost got by before you knew it. But we were still busy. This podcast includes an interview with Brandon Rogers, a senior security engineer at Halo Security, an attack surface management company, who discusses the rash of data breaches at T-Mobile over the past couple of years and what they SHOULD be doing about it (note: T-Mobile has not responded to requests for input). Then we have our first All Hands discussion with the team at Cyber Protection Magazine as we talk about the larger issues of data privacy.
Episode 7.2 -- Diversity and Civil Rights Progress with Rockwell's Nicole Darden Ford
It's Martin Luther King Day today, which is an important holiday for me. This interview was incredibly satisfying because it demonstrates how far we've come since Dr. King spoke in Washington DC in 1963. We have a long way to go, but this is a celebration of what is being accomplished.
Marketing and Media: Most of what you know is wrong
To kick off the new year and our seventh season, Joe Basques and I tackle the conundrum of distrust in media and why marketing doesn't work the way it's supposed to in the technology world.
Episode 6.19 - End of the Year finale with Ian Thornton-Trump
For the second year we are publishing predictions for 2023 in Cyber Protection Magazine by asking people and organizations to submit a brief, one-paragraph statement. Our friend and Cyjax CISO Ian Thornton-Trump sent an entire presentation. And it was fun and scary all at the same time. So we went with it. Check out the other predictions on the magazine and let us know what you think.
Episode 6.18 - Account takeover attacks are inevitable
A personal bank account was hacked this week, but because I was getting regular alerts from my bank, we kept the damage to a minimum. As luck would have it, I had scheduled this interview with Bruno Farinelli of Clearsale, who explained how, even when you do everything you can to keep your finances safe, criminals have a way to get around your protections.
Episode 6.17 - Avoid Black Friday deals. Enjoy your time off
Guess what? Black Friday doesn't give you good deals and the ones you may be looking at may be scams. Take 15 minutes and get smart.
Episode 6.16 - The future of democracy, technology and media
A few weeks ago I was on a panel at San Jose State, #yesyoucan, about the future of democracy and how it intersects with technology and media. It went over an hour, which is twice as long as what I normally do, but it included Harry Hursti speaking on election security and Sari Stenfors regarding a "hopeful future." After what we've been through the past few months, it might help.
Episode 6.15 - As tech investors cower, Cybersecurity looks like a good bet
You've read the headlines about the stock market and the tech sector in particular. Self-proclaimed genius tech bros are hemorrhaging wealth, portfolios are crashing. But while the cybersecurity industry isn't completely unaffected, it is still attracting billions in new investment and private equity acquisitions. We talk to Brad LaPorte of Lionfish Advisors about why investments are falling in tech and why cyber is the new darling.
Episode 6.14 - Are we turning the tide on cybercrime? Depends on who you talk to
I'm working on a story about some interesting numbers regarding the state of cybercrime. The numbers seem to indicate that, overall, we might be making progress on reducing it, though not eliminating it. But to be sure, I've spent the past two weeks talking to experts about the numbers, and they are totally pessimistic and doubtful. One of them is Gerry Kennedy, CEO of Observatory Strategic Management, an organization that advises industry and governments about insurance issues. In our discussion he recommended other sources, which will be included in the article on Cyber Protection Magazine.
Episode 6.13 - Finally, some good news is coming
Want some good news about technology? Stay tuned.
Episode 6.12 -- Quad9: Where you should start your cybersecurity program
I was pleasantly introduced to a non-profit cybersecurity company this week. Quad9 was established 6 years ago with the goal of reducing human error as the source of breaches, which makes up more than 90 percent of all successful cyberattacks. And they do it for free. Their website (www.quad9.com) has a lot of easy-to-understand and easy-to-use tools to block malicious actors from accessing your systems and data. Check it out.
Episode 6.11 -- Office Phishing and the three Ms with Adam Levine
The most innocuous things can be open invitations to criminals to hack your data or infiltrate your company. Adam Levine, cybersecurity podcaster and founder of Credit.com, talked with Crucial Tech about "office phishing" and the "three M's" of personal cyber protection.
Episode 6.10 -- Quantum Computing: Not Just for Stealing Secrets
Quantum computing is often in the news, mostly about how it's going to destroy the world as nation states bust the hardest encryption around so they can steal national and corporate secrets. However, there are no quantum computers available today that can actually accomplish the task and, thankfully, there are whole industries popping up to deal with the worst aspects of the tech while encouraging some good things. We talked with Eric Garcell of Classiq, one of the companies dedicated to protecting quantum computing intellectual property, about why quantum computers are a good thing and, in some cases, are doing good things now.
Episode 6.9 - Hybrid Vishing. It's such a thing.
I get a new report from a different research company almost every week about the state of cybersecurity. Most of them say the same thing, but I do read them all the way through. I recently received a report from a company called HelpSystems, a cybersecurity services company that works with some pretty big-name companies, and it got me yawning almost immediately. But their research subsidiaries, Agari and PhishLabs, buried a couple of items in it that perked up my ears, so I said yes to an interview. What follows is a 30-minute discussion about the report focusing on a couple of areas: hybrid vishing, and the vulnerabilities criminals are using to target Office 365 users. John Wilson, senior fellow for threat research, went on to talk about which email platforms are most popular with criminals and how criminal activity using cryptocurrency is on the rise. You can get a copy of the report here.
Episode 6.8 - Virtru offers privacy in period trackers
Period and ovulation trackers have been around for quite a while, but they are not, for the most part, privacy-forward. In fact, according to the Mozilla Foundation, only a few even have privacy policies. That is problematic for women in states that are criminalizing abortion, where records of women even searching for options are being subpoenaed. Virtru, a security software company, decided to fix that problem, and at Def Con 2022 they demonstrated a concept app that put complete control of access to the data in the hands of the user. In preparation for Women's Equality Day on August 26, we talked with the team leader who developed the app, Cassandra Bailey, and the senior vice president of product strategy, Rob McDonald, about the process. Unfortunately, they have no plans to make the app available to the public, but they have put the building blocks on GitHub for app developers to run with. You can see a demonstration of it here. Maybe somebody out there will make a secure app.
Episode 6.7 - Bruce Schneier on Cryptocurrency and Blockchain. It's not pretty.
Episode 6.6 - A Quantum Cryptography Primer from SandboxAQ
Episode 6.5 - Passwords. I hate them. You hate them. Can’t quit them.
Even the promising announcements from Apple and Google about the end of passwords are going to take a long time to spread through the user base. But the technology exists to make them disappear, if only we weren't so stubborn about using them. We talked to Bojan Simic, CEO of HYPR, a company making true passwordless tech... that is not yet available to anyone but the wealthiest among us.
Ep. 6.4 -- Roblox and other MMO games vulnerable to lateral attacks
The wildly popular massively multiplayer online games don't make the news much for big security breaches, but it appears they are vulnerable to lateral attacks that can steal data and abuse children. The companies that run these platforms tend to blame the users for breaching security. We spent some time with Raj Dodhiawala, CEO of Remediant, a cybersecurity SaaS company that defends networks against lateral attacks. He was pretty hard on companies that expect users to protect the network. Look for a larger article on game platform breaches in Cyber Protection Magazine.
Ep. 6.3 - Those who ignore history are the most likely to be hacked.
One of my favorite security gurus, Ian Thornton-Trump, sent me a text recently about the top five security failures in recent history that we have yet to learn from. So I decided to call him and ask what he meant. It's worth listening to.
Ep. 6.2 - The Metaverse for Education is here... but not yet
The Metaverse can be used for immersive education that engages students and enhances the experiential aspects of education. It certainly makes for more interesting field trips. But the potential for disaster looms. Luckily there are some who, while recognizing the upsides of the technology, take a very realistic view of the potential downsides. One of them is Jaime Donnelly.
Donnelly is an author and speaker on immersive technology for education. She's also the engagement director for Identity Automation, a company dedicated to identity and access management tools for K-12 and universities. She is also a great promoter of the future of immersive technology for education.
We sat down to chat about her extensive collection of VR goggles and her realistic expectations. She makes an old curmudgeon feel a bit better about the future.
Ep. 6.1 - Defending against imposters at RSAC2022
The week after #RSAC2022 seems to be a good time to start a new season of Crucial Tech, so here we go.
I talked to a lot of people at the conference about how to keep foreign agents out of your network, and some of what I learned is in a larger article in Cyber Protection Magazine, but I went to someone who wasn't there -- Grant Wernick, CEO of #Fletch -- to chat about the problem, how to find them and how to stop them from doing real damage. Grant gave me a view into how you can find them and root them out once they infiltrate.
RSAC preview and tips
I'm going to the RSA Conference in San Francisco this week, so I didn't do a full episode yet. This is a preview of what's to come so stay tuned.
Episode 5.14 - A starting place for the most vulnerable to cyber attack
The realities of cyberattacks are not going away. Based on what we know, we have no idea how big the problem is because a lot of individuals and organizations just don't report attacks. Conservatively, Cyber Protection Magazine estimates that half of all attacks are unreported. More knowledgeable people than us say it's more like 90 percent. As we have reported in past podcasts, that is likely due to a combination of complacency and just not knowing what to do.
We talked to Emil Sayegh, CEO of Ntirety, a company that helps small to midsize organizations reach security compliance with best practices and new privacy legislation. Ntirety is one of dozens of similar companies that are doing quite well. Sayegh claims they have 2400 customers, which is impressive in and of itself. But 2400 customers is a long way from any one industry being protected. Even 240,000 would be a drop in the bucket. That doesn't mean you have to be their customer, or a customer of any competitor, to get started. Sayegh outlined a five-point plan in our discussion. Grab a coffee and have a listen.