Lock and Code

Growing up is different for teens today. 

Issues with identity, self-expression, bullying, fitting in, and trusting your friends and family—while all those certainly existed decades ago, they were never magnified in quite the same way that they are today, and that's largely because of one enormous difference: The Internet. 

On the Internet, the lines of friendship are re-enforced and blurred by comments or likes on photos and videos. Bullying can reach outside of schools, in harmful texts or messages posted online. Entirely normal feelings of isolation can be negatively preyed upon in online forums where users almost radicalize one another by sharing anti-social theories and beliefs. And the opportunity to compare one’s self against another—another who is taller, or thinner, or a different color, or who lives somewhere else or has more friends—never goes away. 

The Internet is forever present for our youngest generation, and, from what we know, it’s hurting a lot of them. 

In 2021, the US Centers for Disease Control and Prevention surveyed nearly 8,000 high school students in the country and found that children today were sadder, more hopeless, and more likely to have contemplated suicide than just 12 years prior.

Despite the concerns, we still thrust children into the Internet today, either to complete a homework assignment, or to create an email account to register for other online accounts, or to simply talk with their friends. We also repeatedly post photos of them online, often without discussing whether they want that. 

In today's episode of Lock and Code with host David Ruiz, we speak to two guests so that we can better understand what it is like to grow up online today and what the challenges are of raising children in this same environment now. 

Our first guest, Nitya Sharma, is a Bay Area teenager who speaks with us about the difficulties of managing her time online and in trying to meet friends and complete homework, the traps of trading online interaction with in-person socializing, and what she would do differently with her children, if she ever started a family, in preparing them for the Internet.

"I think the things that kids find on the Internet, they're going to find anyways. I probably found some stuff too young and it was bad... I think it's more of, I don't want them to become dependent on it."

But our episode doesn't end there, as we also bring in 1Password co-founder Sara Teare to discuss how parents can help their kids navigate the Internet today and in the future. Teare's keenly attuned to this subject, not only because she is a parent, but also because her company has partnered with Malwarebytes to release new reserach this week—available October 13—on growing up and raising kids online. 

Tune in today to hear both Nitya's stories and Sara's advice on growing up and raising children online. 

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Ransomware can send any company into crisis. 

Immediately following an attack, the notoriously disruptive malware can spread across networks and machines, locking up important files and rendering vital data almost useless for all employees. As we learned in a previous episode of Lock and Code, a ransomware attack not only threatens an organization's clients and external customers, but all the internal teams who are just trying to do their jobs. When Northshore School District was hit several years ago by ransomware, teacher and staff pay were threatened, and children's school lunches needed to be reworked because the payment system had been wiped out.

These threats are not new. If anything, the potential damage and fallout of a ransomware attack is more publicly known than ever before, which might explain why a new form of ransomware response has emerged in the past year—the ransomware negotiator.

Increasingly, companies are seeking the help of ransomware negotiators to handle their response to a ransomware attack. The negotiator, or negotiators, can work closely with a company's executives, security staff, legal department, and press handlers to accurately and firmly represent the company's needs during a ransomware attack. Does the company refuse to pay the ransom because of policy? The ransomware negotiator can help communicate that. Is the company open to paying, but not the full amount demanded? The negotiator can help there, too. What if the company wants to delay the attackers, hoping to gain some much-needed time to rebuild systems? The negotiator will help there, too. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with Kurtis Minder, CEO of the cyber reconnaissance company GroupSense about the intricate work of ransomware negotiation. Minder himself has helped clients with ransomware negotiation and his company has worked to formalize ransomware negotiation training. In his experience, Minder has also learned that the current debate over whether companies should pay the ransom has too few options. For a lot of small and medium-sized businesses, the question isn't an ideological one, but an existential one: Pay the ransom or go out of business.

"What you don't hear about is the thousands and thousands of small businesses in middle America, main street America—they get hit... they're either going to pay a ransom or they're going to go out of business."

Tune in today to listen to Minder discuss how a company decides to engage a ransomware negotiator, what a ransomware negotiator's experience and background consist of, and what the actual work of ransomware negotiation involves.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

The in-person cybersecurity conference has returned.

More than two years after Covid-19 pushed nearly every in-person event online, cybersecurity has returned to the exhibition hall. In San Francisco earlier this year, thousands of cybersecurity professionals walked the halls of Moscone Center at RSA 2022. In Las Vegas just last month, even more hackers, security experts, and tech enthusiasts flooded the Mandalay Bay hotel, attending the conferences Black Hat and DEFCON. 

And at nearly all of these conferences—and many more to come—cybersecurity vendors are setting up shop to show off their latest, greatest, you-won't-believe-we've-made-this product. 

The dizzying array of product names, features, and promises can overwhelm even the most veteran security professional, but for one specific group of attendee, sorting the value from the verve is all part of the job description. 

We're talking today about managed service providers, or MSPs. 

MSPs are the tech support and cybersecurity backbone for so many small businesses. Dentists, mom-and-pop restaurants, bakeries, small markets, local newspapers, clothing stores, bed and breakfasts off the side of the road—all of these businesses need tech support because nearly everything they do, from processing credit card fees to storing patient information to managing room reservations, all of that, has a technical component to it today.

These businesses, unlike major corporations, rarely have the budget to hire a full-time staff member to provide tech support, so, instead, they rely on a managed service provider to be that support when needed. And so much of tech support today isn't just setting up new employee devices or solving a website issue. Instead, it's increasingly about providing cybersecurity. 

What that means, then, is that wading through the an onslaught of marketing speak at the latest cybersecurity conference is actually the responsibility of some MSPs. They have to decipher what tech tools will work not just for their own employees, but for the dozens if not hundreds of clients they support. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with two experts at Malwarebytes about how MSPs can go about staying up to date on the latest technology while also vetting the vendors behind it. As our guests Eddie Phillips, strategic account manager, and Nadia Karatsoreos, senior MSP growth strategist, explain, the work of an MSP isn't just to select the right tools, but to review whether the makers behind those tools are the right partners both for the MSP and its clients. 

In 1993, the video game developers at id Software released Doom, a first-person shooter that placed a nameless protagonist into the fiery depths of hell, equipped with an arsenal of weapons to mow down imps, demons, lost souls, and the intimidating "Barons of Hell." 

In 2022, the hacker Sick Codes installed a modified version of Doom on the smart control panel of a John Deere tractor, with the video game's nameless protagonist this time mowing down something entirely more apt for the situation: Corn.

At DEFCON 30, Sick Codes presented his work to an audience of onlookers at the conference's main stage. His efforts to run the modified version of Doom, which are discussed in today's episode of Lock and Code with host David Ruiz, are not just good for a laugh, though. For one specific community, the work represents a possible, important step forward in their own fight—the fight for the "right to repair." 

"Right to Repair" enthusiasts want to be able to easily repair the things they own. It sounds like a simple ask, but when’s the last time you repaired your own iPhone? When’s the last time you were even able to replace the battery yourself on your smartphone?

The right to repair your equipment, without intervention from an authorized dealer, is hugely important to some farmers. If their tractor breaks down because of a software issue, they don’t want to wait around for someone to have to physically visit their site to fix it. They want to be able to fix it then and there and get on with their work.

So, when a hacker shows off that he was able to do something that wasn’t thought possible on a device that can be notoriously difficult to self-repair, it garners attention.  

Today, we speak with Sick Codes about his most recent work on a John Deere tractor, and how his work represents a follow-up to what he a group of researchers showed last year, when he revealed how he was able to glean an enormous amount of information about John Deere smart tractor owners from John Deere's data operations center. This time around, as Sick Codes explained, the work was less about tinkering around on a laptop and more about getting physical with a few control panels that he found online. 

“It’s kind of like surgery but for metallic objects, if that makes sense. Non-organic material.”

Tune in today to listen to Sick Codes discuss his work, why he did what he did, and how John Deere has reacted to his research. 

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

When Mike Miller was hired by a client to run a penetration test on one of their offices, he knew exactly where to start: Krispy Kreme. Equipped with five dozen donuts (the boxes stacked just high enough to partially obscure his face, Miller said), Miller walked briskly into a side-door of his client's offices, tailing another employee and asking them to hold the door open. Once inside, he cheerfully asked where the break room was located, dropped off the donuts, and made small talk.

Then he went to work.

By hard-wiring his laptop into the company's Internet, Miller's machine received an IP address and, immediately after, he got online. Once connected, Miller ran a few scanners that helped him take a rough inventory of the company's online devices. He could see the systems, ports, and services running on the network, and gained visibility into the servers, the work stations, even the printers. Miller also ran a vulnerability scanner to see what vulnerabilities the network contained, and, after a little probing, he learned of an easy way to access the physical printers, even peering into print histories. 

Miller's work as a penetration tester means he is routinely hired by clients to do this exact type of work—to test the security of their own systems, from their physical offices to their online networks. And while his covert work doesn't always go like this, he said that it isn't uncommon for companies to allow basic flaws. Even when he shared his story on LinkedIn, several people doubted his story. 

"It’s crazy because so many people say ‘Well, there’s no way you could’ve just plugged in.’ Well, you’re right, I should not have been able to do that,” Miller said.

Today, on Lock and Code with host David Ruiz, we speak with Miller about common problems he's seen in his work as a pen-tester, how companies can empower their employees to provide better security, and what the relationship is between physical security and cybersecurity. 

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

At the end of 2021, Lock and Code invited the folks behind our news-driven cybersecurity and online privacy blog, Malwarebytes Labs, to discuss what upset them most about cybersecurity in the year prior. Today, we’re bringing those same guests back to discuss the other, biggest topic in this space and on this show: Data privacy.

You see, in 2021, a lot has happened.

Most recently, with the US Supreme Court’s decision to remove the national right to choose to have an abortion, individual states have now gained control to ban abortion, which has caused countless individuals to worry about whether their data could be handed over to law enforcement for investigations into alleged criminal activity. Just months prior, we also learned about a mental health nonprofit that had taken the chat messages of at-times suicidal teenagers and then fed those messages to a separate customer support tool that was being sold to corporate customers to raise money for the nonprofit itself. And we learned about how difficult it can be to separate yourself from Google’s all-encompassing, data-tracking empire.

None of this is to mention more recent, separate developments: Facebook finding a way to re-introduce URL tracking, facial recognition cameras being installed in grocery stores, and Google delaying its scheduled plan to remove cookie tracking from Chrome.

Today, on Lock and Code with host David Ruiz, we speak with Malwarebytes Labs editor-in-chief Anna Brading and Malwarebytes Labs writer Mark Stockley to answer one, big question: Have we lost the fight to meaningfully preserve data privacy?

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

On June 24, that Constitutional right to choose to have an abortion was removed by the Supreme Court, and immediately, this legal story became one of data privacy. Today, countless individuals ask themselves: What surrounding activity is allowed?

Should Google be used to find abortion providers out of state? Can people write on Facebook or Instagram that they will pay for people to travel to their own states, where abortion is protected? Should people continue texting friends about their thoughts on abortion? Should they continue to use a period-tracking app? Should they switch to a different app that is now promising to technologically protect their data from legal requests? Should they clamp down on all their data? What should they do?

On this episode of the Lock and Code podcast with host David Ruiz, we speak with two experts on this intersection of data privacy and legal turmoil—Electronic Frontier Foundation staff attorney Saira Hussain and senior staff technologist Cooper Quintin.

As Quintin explains in the podcast, while much of the focus has recently been on the use of period-tracking apps, there are so many other forms of data out there that people should protect:

"Period-tracking apps aren’t the only apps that are problematic. The fact is that the majority of apps are harvesting data about you. Location data, data that you put into the apps, personal data. And that data is being fed to data brokers, to people who sell location data, to advertisers, to analytics companies, and we’re building these giant warehouses of data that could eventually be trawled through by law enforcement for dragnet searches."

By spotlighting how benign data points—including shopping habits and locations—have already been used to reveal pregnancies and miscarriages and to potentially identify abortion-seekers, our guests explain what data could now be of interest to law enforcement, and how people at home can keep their decisions private and secure.

Show notes and credits:

Intro Music: “SCP-x5x (Outer Thoughts)” by Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License

http://creativecommons.org/licenses/by/4.0/

Outro Music: “Good God” by Wowa (unminus.com)

When Lock and Code host David Ruiz talks to hackers—especially good-faith hackers who want to dutifully report any vulnerabilities they uncover in their day-to-day work—he often hears about one specific law in hushed tones of fear: the Computer Fraud and Abuse Act.

The Computer Fraud and Abuse Act, or CFAA, is a decades-old hacking law in the United States whose reputation in the hacker community is dim. To hear hackers tell it, the CFAA is responsible not only for equipping law enforcement to imprison good-faith hackers, but it also for many of the legal threats that hackers face from big companies that want to squash their research.

The fears are not entirely unfounded.

In 2017, a security researcher named Kevin Finisterre discovered that he could access sensitive information about the Chinese drone manufacturer DJI by utilizing data that the company had inadvertently left public on GitHub. Conducting research within rules set forth by DJI's recently announced bug bounty program, Finisterre took his findings directly to the drone maker. But, after informing DJI about the issues he found, he was faced not with a bug bounty reward, but with a lawsuit threat alleging that he violated the CFAA.

Though DJI dropped its interest, as Harley Geiger, senior director for public policy at Rapid7, explained on today's episode of Lock and Code, even the threat itself can destabilize a security researcher.

"[It] is really indicative of how questions of authorization can be unclear and how CFAA threats can be thrown about when researchers don’t play ball, and the pressure that a large company like that can bring to bear on an independent researcher," Geiger said.

Today, on the Lock and Code podcast, we speak with Geiger about other hacking laws can be violated when conducting security researcher, how hackers can document their good-faith intentions, and the Department of Justice's recent decision to not prosecute hackers who are only hacking for the benefits of security.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

At the start of the global coronavirus pandemic, nearly everyone was forced to learn about the "supply chain." Immediate stockpiling by an alarmed (and from a smaller share, opportunistic) public led to an almost overnight disappearance of hand sanitizer, bottled water, toilet paper, and face masks.

In time, those items returned to stores. But then a big ship got stuck in the Suez, and once again, we learned even more about the vulnerability of supply chains. They can handle little stress. They can be derailed with one major accident. They spread farther than we know.

While the calamity in the canal involved many lessons, there was another story in late 2020 that required careful study in cyberspace—an attack on the digital supply chain.

That year, attackers breached a network management tool called Orion, which is developed by the Texas-based company SolarWinds. Months before the attack was caught, the attackers swapped malicious code into a legitimately produced security update from SolarWinds. This malicious code gave the attackers a backdoor into every Orion customer who both downloaded and deployed the update and who had their servers connected online. Though the initial number of customers who downloaded the update was about 18,000 companies, the number of customers infected with the attackers’ malware was far lower, somewhere around 100 companies and about a dozen government agencies.

This attack, which did involve a breach of a company, had a broader focus—the many, many clients of that one company. This was an attack on the software supply chain, and since that major event, similar attacks have happened again and again.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Kim Lewandowski, founder and head of product at Chainguard, about the software supply chain, its vulnerabilities, and how we can fix it.

Show notes, resources, and credits:

Kubernetes diagram:

https://user-images.githubusercontent.com/622577/170547400-ef9e2ef8-e35b-46df-adee-057cbce847d1.svg

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Tor, which stands for "The Onion Router," has a storied reputation in the world of online privacy, but on today's episode of Lock and Code with host David Ruiz, we speak with security researcher Alec Muffett about the often-undiscussed security benefits of so-called "onion networking." 

The value proposition to organizations interested in using Tor goes beyond just anonymity, Muffett explains, and its a value prop that has at least persuaded the engineers at Facebook, Twitter, The New York Times, Buzzfeed, The Intercept, and The Guardian to build onion versions of their sites. 

Tune in to hear about the security benefits of onion networking, why an organization would want to launch an onion site for its service, and whether every site in the future should utilize Tor.

Show notes and credits:

Why and How you should start using Onion Networking: https://www.youtube.com/watch?v=pebRZyg_bh8

How WhatsApp uses metadata analysis for spam and abuse fighting: https://www.youtube.com/watch?v=LBTOKlrhKXk

Alec Muffett's blog and about page: https://alecmuffett.com/about

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)