Episodes
Sunday May 22, 2022
Hunting down your data with Whitney Merrill
Last year, Whitney Merrill wanted to know just how much information the company Clubhouse had on her, even though she wasn't a user. After many weeks of, at first, non-responses, she learned that her phone number had been shared with Clubhouse more than 80 times—the byproduct of her friends joining the platform.
Today on Lock and Code with host David Ruiz, we speak with Merrill about why hunting down your data can be so difficult today, even though some regions have laws that specifically allow for this. We also talk about the future of data privacy and whether "data localization" will make things easier, or if it will add another layer of geopolitics to growing surveillance operations around the world.
Show notes and credits:
Intro Music: "Spellbound" by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “God God” by Wowa (unminus.com)
Sunday May 08, 2022
Recovering from romance scams with Cindy Liebes
Earlier this year, a flashy documentary premiered on Netflix that shed light on an often-ignored cybercrime—a romance scam. In this documentary, called The Tinder Swindler, the central scam artist relied on modern technologies, like Tinder, and he employed an entire team, which included actors posing as his bodyguard and potentially even his separated wife. After months of getting close to several women, the scam artist pounced, asking for money because he was supposedly in danger.
The public response to the documentary was muddy. Some viewers felt for the victims featured by the filmmakers, but others blamed them. This tendency to blame the victims is nothing new, but according to our guest Cindy Liebes, Chief Cybersecurity Evangelist for Cybercrime Support Network, it's all wrong. That's because, as we discuss in today's episode on Lock and Code with host David Ruiz, these scam artists are professional criminals.
Today, we speak with Liebes to understand how romance scams work, who the victims are, who the criminals are, what the financial and emotional damages are, and how people can find help.
Show notes and credits:
Intro Music: "Spellbound" by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “God God” by Wowa (unminus.com)
Monday Apr 25, 2022
Why software has so many vulnerabilities, with Tanya Janca
Every few months, a basic but damaging flaw is revealed in a common piece of software, or a common tool used in many types of programs, and the public will be left asking: What is going on with how our applications are developed?
Today on the Lock and Code podcast with host David Ruiz, we speak to returning guest Tanya Janca to understand the many stages of software development and how security trainers can better work with developers to build safe, secure products.
Sunday Apr 10, 2022
Why data protection and privacy are not the same, and why that matters
Data protection, believe it or not, is not synonymous with privacy, or even data privacy. But around the world, countless members of the public often innocently confuse these three topics with one another, swapping the terms and the concepts behind them.
Typically, that wouldn't be a problem—not every person needs to know the minute details of every data-related concept, law, and practice. But when the public is unaware of its rights under data protection, it might be unaware of how to assert those rights.
Today, on the Lock and Code podcast with host David Ruiz, we speak with Gabriela Zanfir-Fortuna, the vice president for global privacy at Future of Privacy Forum, to finally clear the air on these related topics, and to understand how US law differs from EU law, even though the US helped lead the way on data protection proposals all the way back in 1973.
Monday Mar 28, 2022
Telling important stories securely, with Runa Sandvik
In 2017, a former NSA contractor was arrested for allegedly leaking an internal report to the online news outlet The Intercept. To verify the report itself, a journalist for The Intercept sent an image of the report to the NSA, but upon further inspection, it was revealed that the image was actually a scan of a physical document.
This difference—between an entirely digital, perhaps only-emailed document, and a physical piece of paper—spurred several suspicions that the news outlet had played an unintended role in identifying the NSA contractor to her employer, because the NSA did not have to find people who merely accessed the report, but only people who had printed it.
This is what journalism can look like in the modern age. There are countless digital traces left behind that can puncture the safety and security of both journalists and their sources.
Today, on the Lock and Code podcast with host David Ruiz, we speak with security researcher Runa Sandvik about how she helps reporters tell important stories securely and privately amongst many digital threats.
Monday Mar 14, 2022
De-Googling Carey Parker’s (and your) life
Three years ago, a journalist for Gizmodo removed five of the biggest tech companies from her life—restricting her from using services and hardware developed or owned by Google, Apple, Amazon, Facebook, and Microsoft. The experiment, according to the reporter, was "hell."
But in 2022, cybersecurity evangelist Carey Parker, who also hosts the podcast Firewalls Don't Stop Dragons, wanted to do something similar, just on a smaller scale, and with a focus on privacy.
Today, on Lock and Code with host David Ruiz, we speak with Parker about lessening his own interactions with one of the biggest tech companies around: Google. Tune in to hear about privacy-preserving alternatives and unforeseen obstacles in Parker's current de-Googlization effort.
Monday Feb 28, 2022
How Crisis Text Line crossed the line in the public’s mind
How would you feel if the words you wrote to someone while in a crisis—maybe you were suicidal, maybe you were newly homeless, maybe you were suffering from emotional abuse at home—were later used to train a customer support tool?
Those emotions you might be having right now were directed last month at Crisis Text Line, after the news outlet Politico reported that the nonprofit organization had been sharing anonymized conversational data with a for-profit venture that Crisis Text Line had itself spun off at an earlier date, in an attempt to one day boost the nonprofit's own funding.
Today, on Lock and Code with host David Ruiz, we’re speaking with Courtney Brown, the former director of a suicide hotline network that was part of the broader National Suicide Prevention Lifeline, to help us understand data privacy principles for crisis support services and whether sharing this type of data is ever okay.
Sunday Feb 13, 2022
The world’s most coveted spyware, Pegasus
Two years ago, the FBI reportedly purchased a copy of the world's most coveted spyware, a tool that can remotely and silently crack into Androids and iPhones without leaving a trace, spilling device contents onto a console possibly thousands of miles away, with little more effort than entering a phone number.
This tool is Pegasus, and, though the FBI claimed it never used the spyware in investigations, the use of Pegasus abroad has led to surveillance abuses the world over.
On Lock and Code today, host David Ruiz provides an in-depth look at Pegasus: Who makes it, how much information can it steal from mobile devices, how does it get onto those devices, and who has been provably harmed by its surveillance capabilities?
Monday Jan 31, 2022
How a few PhD students revealed that phishing trainings might just not work
You've likely fallen for it before—a simulated test sent by your own company to determine whether its employees are vulnerable to one of the most pernicious online threats today: Phishing.
Those simulated phishing tests often come with a voluntary or mandatory training afterwards, with questions and lessons about what mistakes you made, right after you made them.
But this extremely popular phishing defense practice might not work. In fact, it might make you worse at recognizing phishing attempts in the future.
That's what Daniele Lain and his fellow PhD candidates at the ETH Zurich university in Switzerland revealed in a recent 15-month study, which we discuss today on Lock and Code, with host David Ruiz.
Tuesday Jan 18, 2022
Why we don’t patch, with Jess Dodson
In 2017, the largest ransomware attack ever recorded hit the world, infecting more than 230,000 computers across more than 150 countries in just 24 hours. And it could have been solved with a patch that was released nearly two months prior.
This was the WannaCry ransomware attack, and its final, economic impact—in ransoms paid but also in downtime and recovery efforts—has been estimated at about $4 billion. All of it could have been avoided if every organization running a vulnerable version of Windows 7 had patched that vulnerability, as Microsoft recommended. But that obviously didn't happen.
Why is that?
In today's episode of Lock and Code with host David Ruiz, we speak with cybersecurity professional Jess Dodson about why patching is so hard to get right for so many organizations, and what we could all do to better carry out our patching duties.