

Lock and Code
Malwarebytes
Lock and Code tells the human stories within cybersecurity, privacy, and technology. Rogue robot vacuums, hacked farm tractors, and catastrophic software vulnerabilities—it’s all here.
Episodes

Jan 16, 2023 • 54min
Fighting tech’s gender gap with TracketPacer
Last month, the TikTok user TracketPacer posted a video online called “Network Engineering Facts to Impress No One at Zero Parties.” TracketPacer regularly posts fun, educational content about how the Internet operates. The account is run by a network engineer named Lexie Cooper, who has worked in a network operations center, or NOC, and who’s earned her Cisco Certified Network Associate certificate, or CCNA.
In the video, Cooper told listeners about the first spam email being sent over Arpanet, about how an IP address doesn't reveal that much about you, and about how Ethernet isn't really a cable—it's a protocol. But amidst Cooper's bite-sized factoids, a pair of comments she made about something else—the gender gap in the technology industry—set off a torrent of anger.
As Cooper said in her video:
“There are very few women in tech because there’s a pervasive cultural idea that men are more logical than women and therefore better at technical, 'computery' things.”
This, the Internet decided, would not stand.
The IT industry is “not dominated by men, well actually, the women it self just few of them WANT to be engineer. So it’s not man fault," said one commenter.
“No one thinks it’s because women can’t be logical. They’re finally figuring out those liberal arts degrees are worthless," said another.
“The women not in computers fact is BS cuz the field was considered nerdy and uncool until shows like Big Bang Theory made it cool!” said yet another.
The unfortunate reality facing many women in tech today is that, when they publicly address the gender gap in their field, they receive dozens of comments online that not only deny the reasons for the gender gap, but also, together, likely contribute to the gender gap. Nobody wants to work in a field where they aren't taken seriously, but that's what is happening.
Today, on the Lock and Code podcast with host David Ruiz, we speak with Cooper about the gender gap in technology, what she did with the negative comments she received, and what, if anything, could help make technology a more welcoming space for women. One easy lesson, she said:
"Guys... just don't hit on people at work. Just don't."
Tune in today.
You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.
Show notes and credits:
Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Jan 1, 2023 • 43min
Why does technology no longer excite?
When did technology last excite you?
If Douglas Adams, author of The Hitchhiker's Guide to the Galaxy, is to be believed, your own excitement ended, simply had to end, after turning 35 years old. Decades ago, at first writing privately and later having those private writings published after his death, Adams had come up with "a set of rules that describe our reactions to technologies." They were simple and short:
Anything that is in the world when you’re born is normal and ordinary and is just a natural part of the way the world works.
Anything that's invented between when you’re fifteen and thirty-five is new and exciting and revolutionary and you can probably get a career in it.
Anything invented after you're thirty-five is against the natural order of things.
Today, on the Lock and Code podcast with host David Ruiz, we explore why technology seemingly no longer excites us. It could be because every annual product release is now just an iterative improvement from the exact same product release the year prior. It could be because just a handful of companies now control innovation. It could even be because technology is now fatally entangled with the business of money-making, and so, with every one money-making idea, dozens of other companies flock to the same idea, giving us the same product, but with a different veneer—Snapchat recreated endlessly across the social media landscape, cable television subscriptions "disrupted" by so many streaming services that we recreate the same problem we had before.
Or, it could be, as was first brought up by Shannon Vallor, director of the Centre for Technomoral Futures in the Edinburgh Futures Institute, that the promise of technology is not what it once was, or at least, not what we once thought it was. As Vallor wrote on Twitter in August of this year:
"There’s no longer anything being promised to us by tech companies that we actually need or asked for. Just more monitoring, more nudging, more draining of our data, our time, our joy."
For our first episode of Lock and Code in 2023—and our first episode of our fourth season (how time flies)—we bring back Malwarebytes Labs editor-in-chief Anna Brading and Malwarebytes Labs writer Mark Stockley to ask: Why does technology no longer excite them?
Tune in today.

Dec 19, 2022 • 48min
Chasing cryptocurrency through cyberspace, with Brian Carter
On June 7, 2021, the US Department of Justice announced a breakthrough: Less than one month after the oil and gas pipeline company Colonial Pipeline had paid its ransomware attackers roughly $4.4 million in bitcoin in exchange for a decryption key that would help the company get its systems back up and running, the government had in turn found where many of those bitcoins had gone, clawing back a remarkable $2.3 million from the cybercriminals.
In cybercrime, this isn't supposed to happen—or at least it wasn't, until recently.
Cryptocurrency is vital to modern cybercrime. Every recent story you hear about a major ransomware attack involves the implicit demand from attackers to their victims for a payment made in cryptocurrency—and, almost always, the preferred cryptocurrency is bitcoin. In 2019, the ransomware negotiation and recovery company Coveware revealed that a full 98 percent of ransomware payments were made using bitcoin.
Why is that? Well, partly because, for years, bitcoin received an inflated reputation for being truly "anonymous," as payments to specific "bitcoin addresses" could not, seemingly, be attached to specific persons behind those addresses. But cryptocurrency has matured. Major cryptocurrency exchanges do not want their platforms to be used to exchange stolen funds into local currencies for criminals, so they, in turn, work with law enforcement agencies that have, independently, gained a great deal of experience in understanding cybercrime. The rate and quality of investigations have also improved with the advancement of technology that actually tracks cryptocurrency payments online.
All of these developments don't necessarily mean that cybercriminals' identities can be easily revealed. But as Brian Carter, senior cybercrimes specialist for Chainalysis, explains on today's episode, it has become easier for investigators to know who is receiving payments, where they're moving them to, and even how their criminal organizations are set up.
"We will plot a graph, like a link graph, that shows [a victim's] payment to the address provided by ransomware criminals, and then that payment will split among the members of the crew, and then those payments will end up going eventually to a place where it'll be cashed out for something that they can use on their local economy."
Tune in to today's Lock and Code podcast, with host David Ruiz, to learn about the world of cryptocurrency forensics, what investigators are looking for in reams of data, how they find it, and why it’s so hard.

Dec 5, 2022 • 42min
Security advisories are falling short. Here’s why, with Dustin Childs
Decades ago, patching was, to lean into a corny joke, a bit patchy.
In the late 90s, the Microsoft operating system (OS) Windows 98 had a supportive piece of software that would find security patches for the OS so that users could then download those patches and deploy them to their computers. That software was simply called Windows Update.
But Windows Update had two big problems. One, it had to be installed by a user—if a user was unaware of Windows Update, then they were also likely unaware of the patches that should be deployed to Windows. Two, Windows Update did not scale well because corporations that were running hundreds of instances of Windows had to install every update and they had to uninstall any patches issued by Microsoft that may have broken existing functionality.
That time-sink proved to be a real obstacle for systems administrators because, back in the late 90s, patches weren't scheduled. They came when they were needed, and that could be whenever Microsoft learned about a vulnerability that needed to be addressed. Without a schedule, companies were left to react to patches, rather than plan for them.
So, from the late 90s to the early 2000s, Microsoft standardized its patching process. Patches would be released on the second Tuesday of each month. In 2003, Microsoft formalized this process with Patch Tuesday.
Around the same time, the United States National Infrastructure Advisory Council began researching a way to communicate the severity of discovered software vulnerabilities. What they came up with in 2005 was the Common Vulnerability Scoring System, or CVSS. CVSS, which is still used today, is a formula that people rely on to assign a score from 1 to 10, 10 being the highest, to determine the severity of a vulnerability.
Patch Tuesday and CVSS are good examples of what happens when people come together to fix a problem with patching.
But as we discuss in today's episode of the Lock and Code podcast with host David Ruiz, patches—both in effectiveness and education—are backsliding. Companies are becoming more tight-lipped about what their patches do, leaving businesses in the dark about what a patch addresses and whether it is actually critical to their own systems.
Our guest Dustin Childs, head of threat awareness for Trend Micro Zero Day Initiative (ZDI), explains the consequences of such an ecosystem.
"If you're not getting the right information about a vulnerability or a group of vulnerabilities, you might spend your resources elsewhere and that vulnerability that you didn't think was important becomes very important to you, or you're spending all of your time and, and energy on."
Tune in today.

Nov 21, 2022 • 60min
Threat hunting: How MDR secures your business
A cyberattack is not the same thing as malware—in fact, malware itself is typically the last stage of an attack, the punctuation mark that closes out months of work from cybercriminals who have infiltrated a company, learned about its systems and controls, and slowly spread across its network through various tools, some of which are installed on a device entirely by default.
The goal of cybersecurity, though, isn't to recover after an attack, it's to stop an attack before it happens.
On today's episode of Lock and Code with host David Ruiz, we speak to two experts at Malwarebytes about how they've personally discovered and stopped attacks in the past and why many small- and medium-sized businesses should rely on a newer service called Managed Detection and Response for protecting their own systems.
Many organizations today will already be familiar with the tool called Endpoint Detection and Response (EDR), the de facto cybersecurity tool that nearly every vendor makes that lets security teams watch over their many endpoints and respond if the software detects a problem. But the mass availability of EDR does not mean that cybersecurity itself is always within arm's reach. Countless organizations today are so overwhelmed with day-to-day IT issues that monitoring cybersecurity can be difficult. The expertise can be lacking at a small company. The knowledge of how to configure an EDR tool to flag the right types of warning signs can be missing. And the time to adequately monitor an EDR tool can be in short supply.
This is where Managed Detection and Response—MDR—comes in. More a service than a specific tool, MDR is a way for companies to rely on a team of experienced analysts to find and protect against cyberattacks before they happen. The power behind an MDR service is its threat hunters, people who have prevented ransomware from being triggered, who have investigated attackers’ moves across a network, who have pulled the brakes on a botnet infection.
These threat hunters can pore over log files and uncover, for instance, a brute force attack against a remote desktop protocol port, or they can recognize a pattern of unfamiliar activity coming from a single account that has perhaps been compromised, or they can spot a ransomware attack in real time, before it has launched, even creating a new rule to block an entirely new ransomware variant before it has been spotted in the wild. Most importantly, these threat hunters can do what software cannot, explained Matt Sherman, senior manager of MDR delivery services. They can stop the people behind an attack, not just the malware those people are deploying.
"Software stops software, people stop people."
Today, we speak with Sherman and MDR lead analyst AnnMarie Nayiga about how they find attacks, what attacks they've stopped in the past, why MDR offers so many benefits to SMBs, and what makes for a good threat hunter.

Nov 7, 2022 • 45min
How student surveillance fails everyone
Last month, when Malwarebytes published joint research with 1Password about the online habits of parents and teenagers today, we spoke with a Bay Area high school graduate on the Lock and Code podcast about how she spends her days online and what she thinks are the hardest parts about growing up with the Internet. And while we learned a lot in that episode—about time management, about comparing one's self to others, and about what gets lost when kids swap in-person time with online time—we didn't touch on an increasingly concerning issue affecting millions of children and teenagers today: Student surveillance.
Nailing down the numbers on the use of surveillance technologies in schools today is nearly impossible, as the types and the capabilities of student surveillance software are many.
There’s the surveillance of students’ messages to one another in things like emails or chats. There’s the surveillance of their public posts, on platforms like Twitter or Instagram. There are even tools that claim they can integrate directly with Google products, like Google Docs, to try to scan for worrying language about self-harm, or harm towards others, or drug use. There's also surveillance that requires hardware. Facial recognition technology, paired with high-resolution cameras, is often sold with the promise that it can screen school staff and visitors when they approach a building. Some products even claim to detect emotion in a person’s face. Other software, when paired with microphones that are placed within classrooms, claims to detect “aggression.” A shout or a yelp or a belting of anger would, in theory, trigger a warning from these types of monitoring applications, maybe alerting a school administrator to a problem as it is happening.
All of these tools count when we talk about student surveillance, and, at least from what has been publicly reported, many forms are growing.
In 2021, the Center for Democracy and Technology surveyed teachers in K through 12 schools and simply asked if their schools used monitoring software: 81 percent said yes.
With numbers like that, it'd be normal to assume that these tools also work. But a wealth of investigative reporting—upon which today's episode is based—reveals that these tools often vastly over-promise their own results. If those promises only concerned, say, drug use, or bullying, or students ditching classes, these failures would already cause concern. But as we explore in today’s episode, too many schools buy and use this software because they think it will help solve a uniquely American problem: School shootings.
Today’s episode does not contain any graphic depictions of school shootings, but it does discuss details and the topic itself.
Sources:
School Surveillance Zone, The Brennan Center for Justice at NYU
Student Activity Monitoring Software Research Insights and Recommendations, Center for Democracy and Technology
With Safety in Mind, Schools Turn to Facial Recognition Technology. But at What Cost?, EdSurge
RealNetworks Provides SAFR Facial Recognition Solution for Free to Every K-12 School in the U.S. and Canada, RealNetworks
Under digital surveillance: how American schools spy on millions of kids, The Guardian
Facial recognition in schools: Even supporters say it won't stop shootings, CNET
Aggression Detectors: The Unproven, Invasive Surveillance Technology Schools Are Using to Monitor Students, ProPublica
Why Expensive Social Media Monitoring Has Failed to Protect Schools, Slate
Tracked: How colleges use AI to monitor student protests, The Dallas Morning News
Demonstrations and Protests: Using Social Media to Gather Intelligence and Respond to Campus Crowds, Social Sentinel
New N.C. A&T committee will address sexual assault, Winston-Salem Journal
BYU students hold ‘I Can’t Breathe’ protest on campus, Daily Herald
Thrown bagels during MSU celebration lead to arrests, Detroit Free Press

Oct 24, 2022 • 25min
A gym heist in London goes cyber
A thief has been stalking London.
This past summer, multiple women reported similar crimes to the police: While working out at their local gyms, someone snuck into the locker rooms, busted open their locks, stole their rucksacks and gym bags, and then, within hours, purchased thousands of pounds of goods. Apple, Selfridges, Balenciaga, Harrods—the thief has expensive taste.
At first blush, the crimes sound easy to explain: A thief stole credit cards and used them in person at various stores before they could be caught.
But for at least one victim, the story is more complex.
In August, Charlotte Morgan had her bag stolen during an evening workout at her local gym in Chiswick. The same pattern of high-price spending followed—the thief spent nearly £3,000 at an Apple store in West London, another £1,000 at a separate Apple store, and then almost £700 at Selfridges. But upon learning just how much the thief had spent, Morgan realized something was wrong: She didn't have that much money in her primary account. To access all of her funds, the thief would have needed to make a transfer out of her savings account, which would have required the use of her PIN.
"[My PIN is] not something they could guess... So I thought 'That's impossible,'" Morgan told the Lock and Code podcast. But, after several calls with her bank and in discussions with some cybersecurity experts, she realized there could be a serious flaw with her online banking app. "But the bank... what they failed to mention is that every customer's PIN can actually be viewed on the banking app once you logged in."
Today on the Lock and Code podcast with host David Ruiz, we speak with Charlotte Morgan about what happened this past summer in London, what she did as she learned about the increasing theft of her funds, and how one person could so easily abuse her information.
Tune in today to also learn about what you can do to help protect yourself from this type of crime.

Oct 10, 2022 • 58min
Teen talk: What it’s like to grow up online, and the role of parents
Growing up is different for teens today.
Issues with identity, self-expression, bullying, fitting in, and trusting your friends and family—while all those certainly existed decades ago, they were never magnified in quite the same way that they are today, and that's largely because of one enormous difference: The Internet.
On the Internet, the lines of friendship are reinforced and blurred by comments or likes on photos and videos. Bullying can reach outside of schools, in harmful texts or messages posted online. Entirely normal feelings of isolation can be negatively preyed upon in online forums where users almost radicalize one another by sharing anti-social theories and beliefs. And the opportunity to compare one’s self against another—another who is taller, or thinner, or a different color, or who lives somewhere else or has more friends—never goes away.
The Internet is forever present for our youngest generation, and, from what we know, it’s hurting a lot of them.
In 2021, the US Centers for Disease Control and Prevention surveyed nearly 8,000 high school students in the country and found that children today were sadder, more hopeless, and more likely to have contemplated suicide than just 12 years prior.
Despite the concerns, we still thrust children into the Internet today, either to complete a homework assignment, or to create an email account to register for other online accounts, or to simply talk with their friends. We also repeatedly post photos of them online, often without discussing whether they want that.
In today's episode of Lock and Code with host David Ruiz, we speak to two guests so that we can better understand what it is like to grow up online today and what the challenges are of raising children in this same environment now.
Our first guest, Nitya Sharma, is a Bay Area teenager who speaks with us about the difficulties of managing her time online and in trying to meet friends and complete homework, the traps of trading online interaction with in-person socializing, and what she would do differently with her children, if she ever started a family, in preparing them for the Internet.
"I think the things that kids find on the Internet, they're going to find anyways. I probably found some stuff too young and it was bad... I think it's more of, I don't want them to become dependent on it."
But our episode doesn't end there, as we also bring in 1Password co-founder Sara Teare to discuss how parents can help their kids navigate the Internet today and in the future. Teare's keenly attuned to this subject, not only because she is a parent, but also because her company has partnered with Malwarebytes to release new research this week—available October 13—on growing up and raising kids online.
Tune in today to hear both Nitya's stories and Sara's advice on growing up and raising children online.

Sep 26, 2022 • 43min
Calling in the ransomware negotiator, with Kurtis Minder
Ransomware can send any company into crisis. Immediately following an attack, the notoriously disruptive malware can spread across networks and machines, locking up important files and rendering vital data almost useless for all employees. As we learned in a previous episode of Lock and Code, a ransomware attack not only threatens an organization's clients and external customers, but all the internal teams who are just trying to do their jobs. When Northshore School District was hit several years ago by ransomware, teacher and staff pay were threatened, and children's school lunches needed to be reworked because the payment system had been wiped out.
These threats are not new. If anything, the potential damage and fallout of a ransomware attack is more publicly known than ever before, which might explain why a new form of ransomware response has emerged in the past year—the ransomware negotiator.
Increasingly, companies are seeking the help of ransomware negotiators to handle their response to a ransomware attack. The negotiator, or negotiators, can work closely with a company's executives, security staff, legal department, and press handlers to accurately and firmly represent the company's needs during a ransomware attack. Does the company refuse to pay the ransom because of policy? The ransomware negotiator can help communicate that. Is the company open to paying, but not the full amount demanded? The negotiator can help there, too. What if the company wants to delay the attackers, hoping to gain some much-needed time to rebuild systems? The negotiator will help there, too.
Today, on the Lock and Code podcast with host David Ruiz, we speak with Kurtis Minder, CEO of the cyber reconnaissance company GroupSense about the intricate work of ransomware negotiation. Minder himself has helped clients with ransomware negotiation and his company has worked to formalize ransomware negotiation training.
In his experience, Minder has also learned that the current debate over whether companies should pay the ransom has too few options. For a lot of small and medium-sized businesses, the question isn't an ideological one, but an existential one: Pay the ransom or go out of business.
"What you don't hear about is the thousands and thousands of small businesses in middle America, main street America—they get hit... they're either going to pay a ransom or they're going to go out of business."
Tune in today to listen to Minder discuss how a company decides to engage a ransomware negotiator, what a ransomware negotiator's experience and background consist of, and what the actual work of ransomware negotiation involves.

Sep 12, 2022 • 45min
The MSP playbook on deciphering tech promises and shaping security culture
The in-person cybersecurity conference has returned.
More than two years after Covid-19 pushed nearly every in-person event online, cybersecurity has returned to the exhibition hall. In San Francisco earlier this year, thousands of cybersecurity professionals walked the halls of Moscone Center at RSA 2022. In Las Vegas just last month, even more hackers, security experts, and tech enthusiasts flooded the Mandalay Bay hotel, attending the conferences Black Hat and DEFCON.
And at nearly all of these conferences—and many more to come—cybersecurity vendors are setting up shop to show off their latest, greatest, you-won't-believe-we've-made-this product.
The dizzying array of product names, features, and promises can overwhelm even the most veteran security professional, but for one specific group of attendees, sorting the value from the verve is all part of the job description.
We're talking today about managed service providers, or MSPs.
MSPs are the tech support and cybersecurity backbone for so many small businesses. Dentists, mom-and-pop restaurants, bakeries, small markets, local newspapers, clothing stores, bed and breakfasts off the side of the road—all of these businesses need tech support because nearly everything they do, from processing credit card fees to storing patient information to managing room reservations, all of that, has a technical component to it today.
These businesses, unlike major corporations, rarely have the budget to hire a full-time staff member to provide tech support, so, instead, they rely on a managed service provider to be that support when needed. And so much of tech support today isn't just setting up new employee devices or solving a website issue. Instead, it's increasingly about providing cybersecurity.
What that means, then, is that wading through an onslaught of marketing speak at the latest cybersecurity conference is actually the responsibility of some MSPs. They have to decipher what tech tools will work not just for their own employees, but for the dozens if not hundreds of clients they support.
Today, on the Lock and Code podcast with host David Ruiz, we speak with two experts at Malwarebytes about how MSPs can go about staying up to date on the latest technology while also vetting the vendors behind it. As our guests Eddie Phillips, strategic account manager, and Nadia Karatsoreos, senior MSP growth strategist, explain, the work of an MSP isn't just to select the right tools, but to review whether the makers behind those tools are the right partners both for the MSP and its clients.