A Cyber Security Pandemic Has Started

---

Automated Machine-Generated Transcript:

Craig Peterson: [00:00:00] Feds are saying that Facebook broke US immigration laws. Flash, finally dying. Goodbye and good riddance Adobe.  We're going to talk about business email compromise versus something a little bit newer and different, EACs.

Hi everybody Craig Peterson here. No, we're not going to get crazy with talking about some of the problems we're having with email.  I really want to talk a bit about this because fear only goes so far.

A great, great article this week in the Wall Street Journal. We will be getting into it in a little bit.

How we can really help our family and our business associates when it comes to security. We're always hearing about, Oh my gosh, business email compromise. It's just been terrible. It's destroying our businesses, which it is. But the problem that we've been facing because of the way we've responded is that people are much less able really to get the work done because they have fears every time they turn around.

So we'll get into that a little bit more as well. I love this thing about the Nazi Enigma cipher machine that was found in the Baltic sea. At the end of world war two, the boats, the submarines particularly were all ordered to destroy them. So they threw them overboard thinking that would probably be good enough. Of course, we already had broken their cipher, no big deal there.

Kmart here. National business got a lot smaller and it just suffered a ransomware attack from a new form of ransomware. We'll talk a little bit about that.

We've got hackers now breaking into an Alaskan voter database. Grabbing information on a hundred thousand voters. Very big deal. We'll talk about that.

We'll also be talking about police and this program in one community. We talked about something about six months ago, that was spreading a little more nationally. One community and what they're going to be doing with ring cameras and live streaming your doorbell to the police department.

Then we are going to get into the next global crisis, which is a cybersecurity pandemic. It has gotten really bad out there. a shame, frankly.

Hey, you're listening to Craig Peterson. welcome. Did you know if you have one of those smart home devices you can listen right from there? I've got my Amazon echo tied in via Bluetooth speakers that we put into the roof of the kitchen. We had a water leak.  We had to replace the roof in the kitchen. So while I was in there, let's put in some good speakers and I did. I've got a little Bluetooth module that I got in fact from Amazon that hooks right up to an amplifier that drives the speakers. I have an Amazon echo there in the kitchen too. very handy. So I've got it configured to use Bluetooth so that it uses the speakers up in the roof.

it's just, it's phenomenal. I do that all of the time.

let's get into our friends here over at Facebook. I have been talking for years about this whole H1B visa problem. It's been a problem in the tech industry. Primarily now there are other types of temporary worker visas that are used in other industries.  For the most part, I think in most other industries, they're not misused. But in the US, it is very misused. It's crazy, frankly, when you get right down to it.

We have some of the top consulting companies in the country bringing in foreign workers. When we have US citizens that really could do the job, should do the job. By law, it has to be given to our US citizens versus these foreign workers. So really what is going on? Well, the justice department, just this Tuesday, alleged that Icon systems were routinely discriminating against US workers by posting job ads specifying a preference for applicants with temporary work visas. That company failed to consider at least a single US citizen applicant. This one person who applied to this discriminatory advertisement. It's a very big deal. Last week, the feds come out and sued Facebook in a very big way. They were arguing that Facebook hiring practices truly discriminated against US workers.

Now you might be asking yourself, first of all, why would they discriminate against US workers in preference for a foreign worker? the big answer to that, number one is these workers don't fall under all of the same rules and regulations that US workers do. You can mistreat them pretty badly. I've seen it done many times. That poor person who has been brought over from overseas at some potentially third world country, most likely a third world country is afraid to say anything because they don't want to lose their job. We know of cases that have been reported online again and again, where there were half a dozen, even a dozen people staying in a single apartment, working for some of these major giants.  We're talking about big companies that can and do pay good money for US workers and certainly charge a lot.

I have really ranted and raved about some of these consulting firms who have gone in, have overbid on some of the stuff. This one that I'm thinking of, there was a proposal out, an RFP, basically from a company that had been a client of mine for 20 years. They were looking for someone to run their Microsoft infrastructure if you will. Mainly, their email server.  They wanted this email server to be hosted by the company and maintained by the company.

Now, if you know how to do that stuff, it's pretty darn easy. This one consulting firm whose name you would recognize if you're in the computer business came in and bid twice. what we bid, twice as much.  I really had to question it. I poked around and I found that, yeah, indeed, they were out golfing with the head of the division and we're buddy with them. So they got the job.  Then I dug into it more and found out that they had one of the top rates of bringing in foreign workers on H1B visas. Those foreign workers were being paid up a fraction of what the US workers would have been paid then I would have paid.

So there they are charging twice what I was going to charge and paying their people about a fifth of what I had to pay my people.

In my case, my people are somewhere around a third of their time is spent in classes. Is spent on training. Is spent on exercises, red team, blue team stuff.

In these cases, they bring somebody who probably lied on their application. I certainly know a couple of them that absolutely misrepresented their skills. Can you tell, I'm just spitting mad here.

Off they go now saying, yeah, we can do all of this. Then they bring in the people to do the job cause they didn't even have the skills in-house.

come two months later, they, after having had that contract awarded this firm, had still not been able to get Microsoft's email server working. Two months later.

If much about this, it is not that hard.  A few months after that, they finally had it all working and they were bouncing emails and wondering why are we bouncing emails?

They had us have a look at it. It was completely misconfigured. They didn't have some of the stuff done that needed to be done, like double reverse lookups and things because people don't want spam.

So if your email server is not properly configured, your emails are going to bounce. My head is throbbing just thinking about this, something we could have had up and running for them in a matter of a couple of weeks and would not have had any of the problems that they had.

Oh and by the way, their system crashed this exchange server, this email server, and they had no good backup at all.

What we had proposed to them was a complete failover where if one of the exchange servers went down, the other one would take over. They would actually both be running in parallel the rest of the time. So performance would have been better and we were still half the price. It just drives me crazy.

In this lawsuit against Facebook, that justice arguing that even though there are requirements to advertise the job, make sure Americans can apply and do apply for the job.  You need to hire Americans first, apparently, that's not what they did. are required to place ads for permanent jobs in print publications. Candidates are supposed to submit their applications and they go into HR, that whole trick right?

The jobs had an average salary of more than 156,000 dollars a year, which by the way, is the poverty level out in the Bay area. Yet out of 1100 jobs posted between July 2018 and April 2019, 99% received no applicants or just a single applicant, which means, yes indeed, they were hiding these specific jobs.

It's just crazy. They had another one where they had done it correctly and they had more than 2,600 applications for 22 jobs shows you what's going on over there. All right.

We've got a lot to cover today, but we're going to talk about something that changed the internet and is now going away.

Hey consider this, we're now close to the end of Flash. That software that we've used to watch little videos online and even training and two and a half percent of internet users are still using it every day.

Craig Peterson here.  Thanks for being with me. I appreciate the time you're spending today.

A little bit of breaking news as the day turns here is a way to look at it apparently. I don't have a lot of information on this right now. We'll probably have a lot more next week, but the Federal Trade Commission along with 48 other States has filed suits to break up Instagram and WhatsApp from Facebook. Facebook bought both of those companies. We'll see what happens, This is probably not something that would change under a Biden administration, since it is 48 States that are suing. This is not the federal government suing them.

This has really been long-awaited. This whole antitrust lawsuit against Facebook because the allegations I think are pretty clear that Facebook has abused its power in the marketplace. It has neutralized competitors by acquisitions, as we have just seen here. I just mentioned, WhatsApp and Instagram. Buys them and then prevents anybody else from getting really into the market. What are you going to do? have a competitor that's great for Facebook and if you do, I'd love to hear from you.

But wow. How do you do this? Facebook isn't going to sell you information about their customers. How are you going to advertise? Facebook will take some advertisements for some competitive things, but overall there's been a lot of allegations that Facebook in fact will basically block any competitors from advertising.

So here's a quote from it. "By using its vast troves of data and money. Facebook has quashed or hindered what the company perceived as potential threats". That's from New York attorney general Letitia Ann "Tish" James who was the head of this 47 state coalition quote in an effort to maintain its market dominance.

Facebook has employed a strategy to impede competing services. Man, this goes back, right? Does it flashback here a hundred years ago? 150 years ago. What was going on? I would love to see this happen. I think the biggest problem, frankly, and this is my opinion, but the biggest problem is we bail out these big companies when they fail. Right too big to fail, we can't let GM go under, because just think of all of the people there, the union people, the employees. So instead of that, we keep these companies that should be failing alive and on life support. With somebody like Facebook, they have really just grown too far, too fast.

We've talked a lot about what should happen with their immunity from the prosecution about things that people post on their sites. Did you realize that in Europe, there are laws that require them to take down content that's offensive or that might be a little slanderous?

That's true here too. You can sue someone and have it taken down, but over there, it's government regulators. So this is an interesting story. I just wanted to pop that up cause that just broke mid-week this week. I think it was Wednesday. We do want to cover that in a lot more detail. It's going to be interesting.

Next, up here we are going to really delve into this whole Flash story. This was a technology that was badly needed in the day, and I'm afraid that the model that developed Flash. As I recall Adobe ended up buying Flash and then it took it over and ran with it. The business model that developed it, developed from something that is all too common, which is, Oh, wow, there is a market window we need to jump on this and we need to jump on this hard and fast.  So people jump on it and they don't pay attention. In fact, when they first came out with this, they paid zero attention to Flash's security implications.

It's just absolutely. Terrible. It Flash is one of the worst pieces of software ever to plague our security. Our cybersecurity. Flash and Java both have had just horrific histories. Flash has become a software security killer.  This is going to happen again and again, and it's what I've been bemoaning with Microsoft forever.

I remember working when it would have been in the nineties on the replacement, Microsoft operating system called Windows NT, their next technology.  I worked on it in pre 1.0 days in some of the kernel stuff. It was patterned after an operating system called VMS, which was an operating system that DEC, digital equipment, had made.

It was designed to be secure. It had security holes, everything does, Some worse than others. Nowadays security is much better than it ever used to be, but it was designed after a real operating system versus just the quick get to market let's add every feature under the sun because of the way people buy things.

We should talk about that sometime too. It is a little infuriating. People look to eliminate things as opposed to looking for things they want. So if you're trying to buy a piece of software, if you want a word processor, are you going to buy one that has a hundred features, or are you going to buy one that has 20 features?

I don't probably want a hundred features. That's how most people do it. Even though Microsoft for decades, until you got to version four, it was said Microsoft software was pretty much useless because most of the features didn't work, but they were there.

Versus maybe you liked one of the alternatives I used to use WordStar way back in the day that just worked and worked well. It was innovative in so many ways that Microsoft just wasn't. Anyhow. We have been plagued by that Microsoft symptom for years and the same thing's true with Flash. Everybody knew Flash was bad. 10 years ago, Steve Jobs came out when he announced the iPhone had said, we will not run Flash.

There were a couple of reasons for it. It had to do with Postscript or PDF, if you will, files that Adobe had some patents on. Apple butting heads with it. You might remember that pre OS10 days, the Apple equipment all used postscript and in fact, it still does. Postscript still much better language in many ways than some of these others. Like what HP uses for printers. Anyhow. We're going down at another angle on another road here. They had some fights, but Steve Jobs was really adamant that because Flash was a major security problem, he says, I'm going to ban it from iOS devices. The letter was called thoughts on flash. It's still available online. If you'd be interested. And it came out in I think it was June of 2010, but it really pointed out how abysmal security track record Flash had even in 2010, and it's gotten worse.

Nowadays, if you are using Flash in your business, you need to move to HTML five, a much more modern, much more secure way of having little moving things or quizzes and things on your website. Take a look at it. There are ways to move.

I was talking with a friend of mine who was saying that all of their training is done using flash. It's been a real problem for them since they are a training company. We've gotta be careful. Developers need to be more careful. If you have software that you make or you distribute, you really got to look into it and make sure that they are paying attention to security.

We have a client that has third-party-developed software for their hardware and they weren't paying any attention to it and that lent some liability to them.

According to the FBI business, email compromise attacks were responsible for more than $26 billion in damages over the last three years.  What is BEC? What has it evolved into nowadays?

You're listening to Craig Peterson here.

Getting down into business email compromises, two things I want to get to here. I'm going to talk about this BEC as well as email account compromise, which is also called the takeover.  I also want to get into this great article that the Wall Street Journal had out this week on what you should do.

As a company and basically they're saying you should stop scaring employees, but I think you got to know the numbers. So we'll go through a little bit of that.

Email. We've been using it for years. I've had emails since 81, I think it was. So I've had email for a very long time on the internet since the early eighties, myself, and have just been around this stuff forever. I guess I grew up around it.  talk about generation Z and millennials growing up around technology. I've been around it a very long time.

I remember way back in 1970 designing and making my own little computer from scratch that played chess? It was mostly switches, lights, and release. It has come a long way since then, but it's fascinating how it's evolved, and way back when, email was fun.

We used it to announce, Hey, we're doing to get together. We used it for some of the information sharing. So what do I do with this?  I remember in some of the earlier days of the web saying, I'm having this problem with Sendmail, how do I get that working? Just so many things, it's been very useful. We had all kinds of fun threads over usenet and things. Man, the memories.

Nowadays email really can be awful. It is still the number one way we communicate, but there are so many varieties of spam now that are getting through to our email boxes. We have some filters, we have some special filters that have been designed by Cisco.

Even our clients who are using Microsoft exchange online version, where they're now calling it, what Microsoft Three 60 as opposed to Office Three 60, but Microsoft does not do a great job at eliminating spam and some pretty nasty stuff gets through. Even with those guys, we route it through our system Cisco email filter which just does a bang-up job and allows individuals to control it themselves.

Then it sends it off to Microsoft servers for that cloud email service Microsoft office offers as well as we filter it and we send it to other email servers.

We use Zimbra as one of them, and there are many others. We'll send them right to the customer. If the customer has their email on site, and there are legitimate reasons to still have it on-site and very legitimate ones.

This is important, everyone, because frankly if Email is coming through and it has spam in it, what are you going to do?

What are you going to do as a business, right? You want your workers to be vigilant. What do you do? The Wall Street Journal had some great examples.  I've heard of these before, where there are people whose businesses have cyber awareness training.

And the employee knows. Okay. Well, this could be a phishing message, et cetera. Then, they will send out little tasks to see if someone opened this email.  In some cases you open it three times, you open three of these spam emails, you're out of a job, they fire you. In some cases, some of these businesses are fining employees as much as half of their annual salaries. If you can imagine that it is just crazy.

There's a little study here that was done on the use of the fear factor when it comes to cybersecurity. Should you be just scaring your employees? Should you tell your employees, listen, you, we're going to trick you up, and if you fall for it three times, you're fired. What they're saying is no, don't do that. I do so agree with this.

I should come up with a little program on that. Hey here's what's going on. You really scare the heck out of an employee and it's going to leave them in a permanent state of uncertainty. It's almost like PTSD, frankly. Certainly, nothing like our men and women or the military can get from being in combat, but it is a type of post-traumatic stress disorder. The productivity's likely to plummet because the employees go to mistrust every email that arrives in the email box. And they're not sure if they click on a link, is it safe?

Am I being scammed here? really going on? Fear-based approaches do not encourage genuine watchfulness. Even when you look at these stats, $26 billion that was lost stolen in most cases over the last three years, that's still a very small percentage of how much income all of the businesses have when you put them all together.

Getting right down to it in the classic business email compromise, what they're trying to do is convince an email recipient that a message is coming from a legitimate trusted source, when in fact it's coming from a bad guy. They might have a misspelling in the domain name or something out that looks legitimate at first glance.

But most people, if you just spend an extra five seconds having a closer look at it, you'll see, Oh, wait a minute. Now, this is not legitimate. Okay. And I'm going to tell you what should happen as the next step here. But the other one and this is frankly, more of a problem because we're talking with this next one, about it, a legitimate email address where you've got an email account compromised where someone's email account has been taken over.

How do they take over the email account? they go in and look on the dark web and they find email addresses and password names, physical addresses, business names, Put it all together and then they try and log in as you. Using the passwords that they found online. So they might go to Gmail and login as your Gmail account using your passwords that you've used for the Gmail account on other services that have been compromised.

So now they've got access to your Gmail account. Now it could be your company x.com email account as well. They're doing it again and again. So they might be doing a password spray. They might be doing fishing malware to compromise email accounts. Okay. But ultimately they're gaining access to legitimate email boxes.

So once an attacker has access to the accounts, they can do all kinds of stuff. They can grab the emails that are in there with all of their attachments and. Download them. And technically that's called exfiltrating data. Sounds like a spy thing, but it read frankly, yes, they can change forwarding emails.

They might even put a silent forward in there that you never notice. And it's forwarding to them. You can see, they can now see emails between you and the other people in the office, knowing that you're going to be out on vacation and they use that against you. It goes. On and on. So a business, email compromise, and an email account compromise are related, but they're different threats.

And I want to tell you what the Wall Street Journal had to say here and add my two bets as to what you shouldn't be doing when it comes to. Emails and fishing and employee training and hanging them out to dry as some of these businesses that are obviously doing.

should we be scaring our employees to death over emails and phishing and account compromises? Or are there some better ways to do it, or maybe it really is a middle of the road solution that'll work? that's what we'll talk about right now.

Craig Peterson here. Thanks for joining me. If you're just tuning in.

We were just talking about the basics here of business email compromise, each account compromise, and how it has cost industry worldwide here over $26 billion. That's what the damage estimate is over the last three years, it is a very big deal.

You can also. Of course, just follow me on any of the major podcasting apps. Just look for Craig Peterson. You should find me on that good-looking guy. And, and then you can listen for about two hours every week.

If you subscribe to my podcasts. I mentioned our friends over at the Wall Street Journal. They had a very good article written by Karen Reno. And I assume she pronounces it the French way. Maybe it's reneod. I'm not sure how she pronounces it.

So we'll stick with the French way. Karen said that the problem is fear. Does not work. And she quotes a number of discoveries, including from Mark dupli, from the University of Washington. Yeah. Wow. French name again? about how it works. Yeah. In the short-term at the moment, but scare tactics, don't get people invested in security over the term.

And she was involved as well with Mark on this research that came out, I'm looking right now at it. You can actually grab it online. it's fascinating what they had to say here, but, a comprehensive look at what really motivates people, what motivates and behavioral changes, and how cybersecurity researchers are really starting to experiment with these fear appeals and what.

Will work for them, what can work from them? So let's get into that right now. I, of course, I fear makes sense to me as a business owner because frankly, I want to know what the stats are. I want to know what the hard numbers are. Is this something I need to be concerned about? I would say more than fearful of and what they found Karen and Mark is that fear can have the opposite effect on people than what's intended, because fear can leave employees in this continual state of anxiety. And that's in the last segment when I was mentioning post-traumatic stress disorder, that's along the same lines here. So when you are in that anxious state, You cannot think clearly about the threats.

So having the heavy-handed scare messaging can also take those employees to the point where they're very disgruntled and frankly, completely uninterested in security. People think the threats are exaggerated. Look at what's happened with all this over and over again. People seem to be. You just numb now to the security threats that are out there.

So let's dig first here into why they say fear does not work. And number one is it's a short-term emotion. And what we're really looking for is a long term solution, right? You work at home. You were working with, other people in the office, you as a business owner, what do you need to do? And it's long-term vigilance.

It's the real point of cybersecurity so that after this initial surge, the fear's going to wear off and convert to an understating of anxiety. we were constantly talking about using strong passwords. Using password managers like last pass and one password using multifactor authentication, like DUO or some of the others.

Okay. So they go into, I think, a great solution here, but. They say, consider Jane's told Jerry awareness training that any email could be an efficient message. That's true. Of course, it is. So if she clicks on an embedded link or opens an attached Tatcha and she learns that malware could be installed and she will lose all of the files on her machine and be the cause of a major cyber incident at her workplace.

Okay. So now she's in this permanent fear state too. She has uncertainty. She has anxiety. Her productivity is going to drop off the cliff because she mistrusts every email that arrives in your inbox. And she's not sure if she clicks a link in a message that she's not going to cause the whole business to fail.

So just looking at it from that aspect, the authors are saying that this fear-based approach does not encourage genuine watchfulness. And I can see that, frankly, I can see that's a really big point here. There's a book out there by Paul Brown and Joan Kingsley and Sue Patterson. And it's called the fear-free organization.

And they've got some great points in there about how the brains get fully occupied in dealing with this fear emotion, and it's like fight or flight. You lose your fine motor coordination when you're in fight or flight mode because you are now pumping adrenaline and you're ready to fight her or run okay.

Much the same things. True here. And then people also don't believe these fear appeals and Tony 20 in hindsight, there's gotta be a good phrase for that one, but, what a terrible year it's been, we all have fear in the government and the media. I've been continually putting more and more fear into us to the point where we just don't trust other people.

Because of the lockdown because of the fear they've engendered over this latest Coronavirus. one of the issues that emerged during their study was that while many people might believe in fear-based appeals too much, others think that the appeals exaggerate the risk in order to give the message more power.

So I, I mentioned this UK organization up to 50% of employees, salaries find for clicking on it. their organizations, you click on one of these little tests, messages that they send in three times and you're fired. It is terrible. David rock is suggesting in his research into the neuroscience of collaboration that any employee who's singled out already feels bad about being deceived and now gets what's the equivalent of the physical pain of being shamed.

One of these businesses even posted names of people who had fallen for these little tests and clicked on something, they shouldn't have clicked on that the business had sent out. They're even posting their names on the communal refrigerator. Okay. It's pretty sad what they're doing. And these businesses just don't seem to understand the harm they're doing to the employer, employee relationship.

So what works better? And I'm so glad the wall street journal put this in here and you know what I'm agreeing with this. And this article was forwarded to me by a friend who's in one of my masterminds, Walt. He was just phenomenal. And, my mom. Thoughts and prayers go out to Walt is his dad just passed away this week as well.

But, he must've been doing some reading and for this along, but what's the alternative. What is the other side of the coin to fear? And they're saying creativity and trust. So here's the trick giving you and employees more leeway and giving them the support that they need. Works a lot better than building up anxiety and creating frankly aversions to doing their jobs because whose job does not include opening emails.

They all don't they? So here's a more productive three-pronged approach. And this is from professor Sydney, Decker, the Griffith University in Australia. He's a former submarine captain, leadership expert, David Marquette as well here. They've all put it all together. And. They're saying create a buddy system.

Yeah. It's just like when we were kids and we were outside, And we were going on a trip to the museum or walking down the street to the park, that teachers, they assigned us all buddies and we stuck with our buddy. They're saying don't put people in a room and talk at them for hours about security.

Give them a buddy. Who's there to help them in the office every day to help them carry out the actions you want in the system. Instead of trying to train everybody. One employee in each department is appointed to serve as a cybersecurity expert. This employee is close by to support colleagues.

Day-to-day available to answer questions about things like potential phishing messages. And if the message does turn out to be a phishing message, the buddy can warn the rest of the department immediately, or they could help somebody with a question about how to send files outside the company. Securely many of our businesses, we have restrictions too on things like thumb drives and whether you can use them, if you can bring them in, I would, by the way, recommend if you are using thumb drives to get the drives that have encryption built-in that little thumbprint.

So I think this is phenomenal. The authors say that they have talked to some businesses that were doing this and he says, it's really worked well. They spoke to one of these cybersecurity experts. I don't remember. Experts right there, but they are the person that's been designated the expert within bat group within the business.

So he says first, he always thinks of the people that come to him for consulting with him. If the email's not a fish, he lets them know it's safe to click on the link, open the attachment. If it is a fish, he praises them. Their alertness. Now, all of this can also be mostly solved by really good email filters.

I'm talking about the cheap stuff, the stuff from Barracuda or some of these others that are out there. I'm talking about all levels of high-end email filters so that you rarely get. Any of these phishing emails. In fact, nowadays from our clients and we have hundreds of thousands of emails reprocess every week, we get maybe one fishing plain to every few weeks, maybe once a month, it can be done.

Take that pressure off your employees.

Coming up in this hour, we're going to talk about some old-school encryption, the Nazi enigma, cipher machine. Another one was found.

Kmart just suffered another major attack using a new way of doing this stuff.

We'll talk about Alaska's voter database stolen. You listening to Craig Peterson. Thanks for being with me today. 

My thoughts about a massively open election system. I think part of the problem we have with the elections is the fact that it's really quite closed. We had complaints in some States of Republican poll Watchers, not being able to do their duty and see those ballots as they were counted and were put in with one candidate or another, or this scanning that happened when all of the observers had been sent home, along with the media. It is not a good thing at all.

Then there's, of course, were the machines tampered with? I heard all kinds of stuff. I saw stories about every vote for President Trump counted for 0.75 of a vote. Every vote for Biden counted for 1.25 and on. I think there is an extremely transparent way to do this.

That will actually save the states a ton of money. We're talking about tens of millions of dollars per state saved and will dramatically increase the confidence that people have in the vote. What really happened with the vote?  Let me just explain this simply. Simple's best, I grew up in the mainframe world and then the Unix world, and in the Unix world, rather than having one program that does everything, the whole idea is you have small programs that are very good at what they do. They're optimized for performing a certain function like sorting for instance. They might show you the date or who knows what? There are thousands of these little programs that are available in the Unix world, and you can tie them together.

Now. Microsoft tried to adapt and adopt the same type of technology using pipes and it has it, but it's not the same as a Unix world. Classic Unix is how long tail? How narrow can we make the function of this one little program? For instance, let's just use GREP as an example. GREP is a global regular expression program. So the idea is if you want to look for a pattern in a file, you can just say grep space and the pattern you're looking for, like Biden, for instance, and poof out of the standard output right there on your screen will come to every record with the word Biden in it.

It was very good at doing what it was doing. It was programmed in C, some of it in fact, would have been programmed in machine language. Particularly some of the library routines to make them very efficient. People wanted the more fancy stuff, so we ended up with FGREP and EGREP  all these different commands that did a different variation of searching for this pattern. But added things like Unix regular expressions, which have been adopted in many parts of the world.

What has not been adopted in Windows or now in the voting systems is that same concept. You get a machine like one of these ballot marking devices that are being sold and were used in the election this year that are far more complicated than certainly, these Unix commands we're just talking about.

So my proposal is let's go back to the basics and let's open it all up and make it so that the elections can be observed massively. Here's what my thinking is. This would absolutely work. If the State House wants me to go up and testify and put together some stuff, I'd be more than glad to. 

Here are the basics. You've got your sheet to vote on. That sheet is the bubble sheet that many of us are used to. That bubble sheet you just fill it in with your little flair pen or whatever it might be. You fill in that little bubble for the person or people that you're looking to vote for or the cause you're supporting in a referendum or whatever it might be.

Then the State, County, or whoever's doing the counting uses a simple scanning machine. Now it could be a fancy one, right? It could be one of these machines that'll scan a thousand per second. I don't really care. I'll actually probably get that fast, hard to handle the paper that fast, but it could be a very fast scanner.

It could be something that's very simple as well, depending on how many of these votes you need to count. So you've got the card, you're feeding it into the scanner.

We're talking about commercial off-the-shelf, regular scanners that are creating images. So the scanner spits out a PNG image or whatever it might be. I don't really care. It's probably better not to have it compressed. Just have the raw image and use a very standard image format that anybody can read and understand. So that's part one.

We're not talking about these fancy ballot marking devices, where you've got an Android tablet that may not have been updated or Windows Seven or heaven forbid some are still kicking around Windows XP voting machines. And then you. You touch the screen and Oh, magical out comes a paper tape with the people you voted for with a little scanning UPC type code over on the side that you then take, and it's run through the other machine and now your votes been validated.

There are so many things that could go wrong with that. So many things it's, first of all, it's really expensive, cause we were talking about a specially built machine to tabulate votes.

It isn't just a scanner. It has been set up. It is looking for the votes in specific places and then it tabulates them. Do you know how many things can go wrong with that? Even with the ballot marking device that I mentioned you are now relying on that ballot marking device to have been correct. How many times have we heard voters say my vote was changed from Trump to Gore. Wow. You probably ever heard that one. It was interim Trump to Biden or whatever might be. This would eliminate that you've got the card.

So now the secretary state's office or the County, or the city, whoever might be doing this particular plebiscite, this particular election, whatever it might now have all of these images. So let's say it's got a million, just for lack of a better number of these images in there. So these are the votes.

What happens next is. All of those images are posted online and they're posted online so that anybody can grab a copy of those images and look at them.

So now we can look for identical votes. We can look for these votes that have been fed through the machine dozens of times, right? You've heard those allegations.

We can look for the votes that were pre-printed, the votes that were copied on a machine, and then run through. We can look for all of these. very easily. If we have the images of the vote is available of the ballots.

So obviously you keep the ballots. Obviously, you're going to want to do some hand counts just to verify everything.

We have images of all of these votes available to us. The Secretary of State or whomever now can run two or three different pieces of tabulation software that aren't going to cost them a hundred thousand dollars or millions as in the case of some of these, we're talking about 800 bucks to buy the software, buy a license, use the software.

So I'm saying use two or three different pieces of software because it's different. People are going to code it up differently. Make sure it really is different, not like dominion, where all of these different systems are using the exact same software under the hood with maybe a few modifications to make it work with their hardware.

Completely different systems. So there's going to be some value judgments that are made by the software saying, Oh, this looks like a smudge more than a vote. So software A says that and then it flags it as I don't know what the hell this is.  Then software B looks at it, it says, Oh, this is clearly a vote for Craig and chalks up to Craig. Then what can happen is people can be sitting at a terminal and every one of these questionable votes can then be shown to them and they can figure it out. If the initial ballots were all serialized without some sort of a good check digit on them, you can actually dig them up and look at the original if you needed to.

Talking about just disclosing everything.  Now people can download all of the images of all of the votes that were cast. They can easily write software that looks for all kinds of discrepancies and tabulate it themselves. Of course, there's going to be now a bunch of people that are going to say, Oh, no, that was wrong my software did it better, whatever it is, but at least there's something to discuss.

If votes are fed into the system, especially if they're all serialized with a really good checksum on them, we'll know. It'll be obvious to even the most casual of observers.  We're no longer counting on software that may have been written in Venezuela. Maybe tabulated in Germany, whatever. It's run locally, and you and I can check and double-check the results of the election.

That's my proposal. Anyways. I haven't heard it anywhere else, but I think this makes a lot of sense.

We've got a lot more to talk about.

Hey, we really are going to get to it. Now, the old technology that almost helped the Nazis, the national socialists win the war in World War II, the German enigma cipher. Another machine was just found.

Craig Peterson here.

Let's get into this whole rusty story. This is very cool. There's a story that's out there right now about some guys that were out dragging the Baltic sea. Now, if you're not familiar with dragging and what that's all about.

A lot of fishermen drag the bottom with their nets in order to catch fish, right? Certain types of fish. And in this case, there were divers that were going around the bottom of the Baltic sea, looking for discarded fishing nets. Those draggers often they'll get caught on something. Subterranean might be a mountain, might be a ship.

It might be who knows what? It might even be a World war two national socialist encryption machine, which is exactly what happened. This is one of the rarest of finds down there an Enigma encryption machine.

These things were absolutely amazing. I remember reading about them, studying them. Trying to understand how this all worked way back when I was very young and I, in fact, was just so enthralled with it. I wrote some software that basically did the same sort of thing.

This was basically like a typewriter, think of it, like a typewriter. If you haven't seen one it's electromechanical. The idea with encryption is that you have to obscure or the meaning of something, So how do you do that? And there are many different types of encryption and you can bury messages, even in the clear, inside of other things. pictures have been used a lot. Video has been used a lot. There are a lot of ways to hide messages.

Of course, if you're a fan of some of the different spy books out there, you're familiar with the idea of a cold drop.

There are many ways to, get a message across. Let's just leave it at that now.

There have been ciphers like the railroad cipher. You guys might've heard of that. The idea behind the railroad cipher is that, just a simplified version. If the tech says A really means G. we, for years on Unix, if we had something that might be considered offensive, we would post it on there in what's called rot 13.  Rot 13 is just shifting the alphabet, remember 26 letters in our alphabet. So A through N I think it was L M N a would become, M through Z or whatever the right split is. I don't even remember anymore. It's so you would type something up. You'd send it out. It was encrypted by rot 13. Now anybody could break this encryption.

It's very easy to do. In fact, the readers who we were using at the time, just you just hit one button and it would rot 13, eight again, because of course, if you split the alphabet in the middle, And you use the last half of the alphabet, meaning the first half and the first half translating to the last half. You just have to do that again to see what's going on.

So there've been a lot of simple ciphers used over the years. Some of the best ciphers of course are book ciphers or one-time pads, but those are not particularly useful in wartime, back in the day.

Nowadays we're using them a lot more. So what the Germans did is they invented this machine and it had three or more of these rotors in the machine. And as I said, it looked like a typewriter. So you would hit the letter a, if it was a railroad cipher that we talked about, it might come out as a G every time. So if I said, how are you today? If someone typed enough in the message was long enough when we had enough examples in order to break that encryption, all we'd have to do is look at the repeats here. How many times does the letter G show up? it shows up at the same frequency as a letter A, therefore we can assume that letter G and the encryption is really an A and solve it.  The national socialists knew this, right? They didn't want other countries to know what the socialist government was doing and where they were directing the Wolfpack submarines to sink the British and American ships.

So what the socialists did is they had these three rotors and every time you typed a letter, the rotors would turn. So basically what you were doing is like the railroad cipher, where a is G, but the next time you, for instance, you typed two A's in the row. The next time you typed a letter, those rotors would've moved.

So a would no longer necessarily be G a might be Q. Now. And so what would happen is that little typewriter and Enigma device would have a little light that would show up under the letter Q so you'd know. Okay. Q. So they'd write it down and then they'd usually be sending it off by a Morris code. A is much easier to send than Q is, by the way. But they would send that out in Morse code, which is really neat.

The idea was they would start the rotors. Those three rotors would be started in a certain position. And that way, if you typed in that message, now that queue would become an E, et cetera. So there'd be a nice direct translation. They also were supposed to change those initial settings every so often in the codebooks, So the initial settings would be one way for a week. And then the next week they'd be a different way, but they got lazy and they stopped changing the codes. You might know that the whole story of what happened and how we broke the socialist code and how we were able to then defeat the socialists in World war II, which is just a phenomenal thing. Where they were trying to just gain power, gain power, gain power, and eventually try and take over the war world. So very cool.

And if you aren't familiar with this, if this is something that intrigues you, you do look it up. There are videos, it was a machine you can actually buy. I saw one on eBay, a German enigma machine that was not a real one. It was a reproduction, but they worked then and they still work. Now. They're actually pretty good.

We're doing much better now with our encryption, believe me. But it's funny, looking at this lead diverse statement, Florian Huber who told the DPA news agencies as a colleague swam up and said, there's a net with an old typewriter in it. They pulled it up and, had a look and the diver said that I've made many exciting and strange discoveries in the past 20 years, but I never dreamt, we would one day find one of the legendary enigma machines. The divers suspecting, and I think correctly here, that the enigma was lost shortly before the German socialists surrendered in May 1945.

At that time, the Nazi leaders issued an order for the submarines to be scuttled up in this Bay to prevent their capture by allied forces. They also tossed all of these enigma machines overboard.

So credit to Alan Turing, a phenomenal man, brilliant man, very troubled man, as well, but he was able to break the encryption. It's a fascinating story. Watch the movie about it. If you haven't. I absolutely enjoyed that movie.  It was all kinds of breakthroughs that were made by scientists from the Polish Cipher Bureau that made it possible for the allies to decipher the messages about the German military movements. Absolutely fascinating.

Then of course you get into the second part of the problem. How do we use this information? Because we don't want the socialists to know. But we know what they're going to do next. It's fascinating.

We've got more coming right up. We're going to talk about a newer type of ransomware attack and how Kmart fell victim.

Hopefully, you got my email last week, my newsletter, where I went through the steps that the latest types of ransomware are taking in order to get even more money out of you. They got Kmart too. So here we go. I guess I don't have an I told you, so isn't it.

Craig Peterson here.  Thanks for sharing your time with me this afternoon. I appreciate it. And if you have any questions, by all means, drop me a line. One of the questions I do have for you though, is what is it you enjoy most about the show? Let me know. Cause that's going to help me, help you with the show. Just email me [email protected]. What is it that you enjoy the most about the show? I've had lots of feedback from you guys over the years, and I'd love more. Make sure I keep up to date and get you guys the information you're interested in.

By the way, I also have some training courses coming up, so I'll make sure you keep an eye out for that. You'll find them in my newsletter when I have them. So make sure you're on that list. Craig peterson.com. If you want a copy of last week's newsletter about ransomware, just drop me a note. I'd be glad to forward you a copy. Just email me [email protected], and you'll get it. Me. Yeah. Just as the name implies.

Man, the poor guys at Kmart. Who remembers it, K-Mart used to be the place to go. The blue light specials. You'd keep an eye out for that. While you're in the store. It was really fun.

Reminds me of Sears in the day, going there. Do you remember, are you old enough to remember getting dressed up to go to Sears.  Now, Oh my gosh, these poor companies. Sears owned, what was effectively the online shopping business, 120 years ago. The Sears catalog. Every year for Christmas or for birthdays or other special events. We would get a copy of the Sears catalog and we'd go through, we'd dog-ear pages, where there was stuff that we wanted.

Do kids even know what dog-ear pages are anymore? But dog-ear those pages and just enjoy dreaming of it. You could order a house on Sears catalog back in the day. Sears completely missed the online shopping revolution. They could have owned it. They had the distribution in place. They had the catalog technology in place. I knew how to do all of this stuff, but they decided they would stick with the old ways and, that didn't work out so well for them, but they still were doing better than Kmart.  Kmart was going under and Sears bought them. Well, Sears holding company originally owned both Kmart and Sears.

Sears Holding Corp filed for bankruptcy in 2018. It was bought by this transform co in 2019 K-Mart, which was a household name that was multinational. I remember them in Canada. Is now down to 34 stores remaining. Isn't that amazing?  I'm thinking about our local, K-Mart just, Oh my gosh. But it is still open. They still have the stores. They had originally over 2100 stores in all 50 States. It's a very sad time for Kmart. It really is. I'm looking at some pictures of some of the stores that are open right now. It's a problem. It's a real problem.

Now they've had another problem.

Bleeping computers reporting, and they also have some great articles. You can check them [email protected] that Kmart suffered a cyber attack by the Egregor ransomware operation this week. Now they found at bleeping computer because they went to Transform Co human resources site, which is 88sears.com.

Now I went there this morning and it is online. It is their human resources page, but then when they brought it up, they found that indeed they were suffering an outage and they have posted bleeping computer on their website, a screenshot of that outage now, Egregor is known for stealing un-encrypted files before deploying the ransomware.

The bottom line is they're going to nail your twice. A lot of these bad guys. Nowadays, what they'll do is they'll grab your files. They'll download them and then they will encrypt them. And that isn't what Egregor does. And then they will put up then all too familiar, ransomware notice. You've seen it before, That red screen, demanding payment, and almost always in Bitcoin. And you can then hopefully find some Bitcoin, send them some money and you're off and running. And remember, I reported this a couple of weeks ago. If you pay a ransom, you could be in big trouble with the feds. And the reason for that is you are supporting terrorist organizations.

So you could indeed end up not only being sued by the Feds but going to jail over, paying a ransom. So think about that one. But they've escalated it now. So even if you pay the ransom or you don't pay the ransom, some other guy's going to come along. it's really the same people.

Okay. Some other guy's going to come along and say, Oh, guess what? I have your files. And they'll send you a list of the files and they'll probably send you some samples of some of the word docs or spreadsheets. And then they'll say, Pay up now, they're extorting you saying if you don't pay up. We are going to post your data online onto one of these data leaks sites.

And there are many of them. I'm looking at a list of them right now that bleeping computer is published, a through Z, and believe me, there are a lot of them out there. And so many of these look absolutely legitimate. Man alive. Do they ever, but with the Gregor, they will now say, I want to say, thanks for paying us the ransom on the encryption.

but they'll say, okay, now you owe us money or we'll post it on one of these sites and they do, and it's legitimate. Okay. What happened here apparently is that the bad guys targeted Kmart human resources website. And if it, if all of this is correct, Egregor would have stolen all of the data that was on that web server, about all of the employees within this.

Company. Okay. This transform co full name is Transformhold Co, LLC. So they are in some trouble. I'm sure if this really happened. And I've got to also add into all of this, that most of the time, these businesses don't actually know what was stolen because they don't have logs sufficient enough for logs at all.

To tell them exactly what happened. So a very big deal. It's a scary thing. And I went into it as well as what you can do about to help stop it in my newsletter last weekend. So if you miss that, have a look in your email box. If you need me to send another copy to you, just drop me a note me M E at Craig Peterson.

And I'd be glad to do that. But this is the next evolution and it works really well for businesses because think of the other angle, these bad guys have, they can get money from you. To give you the decryption key. They can get money from you in order to not release your data, which they may release anyway.

But they know who you are because they have your files. So they know you are a doctor's office and they'll charge you more. Or they know that you're a manufacturer in the DOD department of the defense supply chain. And so they'll extort even more out of view. Okay. very bad. yeah, it's a shame.

Good old Kmart. Oh, she's still around, I guess it'll be around for a little bit longer, but this sort of stuff is really happening. This can be the death nail and it is the death knell to the majority of companies. It happens too. Hey, stick around when we get back. Oh my goodness. I can't believe this.

We're going to talk about the Alaska voter database hack and more including police live streaming your Amazon Ring camera.

I guess our election system isn't as safe from hackers as we might've thought. We're going to talk about hackers breaking into an Alaska voter database.

We'll be talking about police piloting a program to live stream Amazon ring cameras and more.

Craig Peterson here.  I talked about what I think the answer is to technology and the elections. In fact, what I described at the top of the hour would completely eliminate some of these major technology problems without a doubt.

This is a different type of problem from the gateway pundit.com, which you can find online.

Alaska state officials reported that hackers stole personal information for more than 100,000 individuals from the state voter database, that's a very big deal. Alaska is saying that information included birthdates driver's license numbers of more than a hundred thousand Alaskan voters.

If you think about these voting databases in most States, they are also going to contain your signature. They're going to have your home address. They're going to have a lot of information from you. Okay.

Now they stressed that there was no effect on the results of last month's election. Oh, okay. But your personal data was stolen and that's part of the reason I have such a problem with the driver's license databases as they are in most States. They also include things like your social security number now and think of these real ID licenses that are now being issued. I don't even want one of the silly things, but in most States, you're being forced into having one.

I've already got a passport, which is good enough for me to get in and out of the country. Why do I need one of these tamper-proof supposedly driver's licenses with all of the data that they're collecting? Think of what you have to do to get one of those things. You have to prove your residency. You have to prove all of this other stuff. I don't know. Maybe it's going to be a good thing for voting anyway, because if you have to present this type of ID, at least we know that you're legitimate.

Then there's California and that's a whole other issue.

It says the hackers gain unauthorized access to the data and the state's online voter registration system. It was built and maintained by a contractor and operated by the Alaska division of elections, goes on and on talks about the sad news.

So officials said the flaw that exposes the data has been fixed and Alaskan's information is now secure. Isn't that wonderful?

Now that the horse is out of the barn, they're going to close the doors, but it's still not known exactly which records were stolen. Again, that's a real problem. Most regulations that are out there for the private sector require us to know was stolen.

Oh, gay. let's keep all of that in mind. Just don't trust this stuff. I don't trust it to, the government. I don't trust it to, private companies. Look at what happened with Equifax. Basically, all of our personal information was stolen probably by the way, by the Chinese government. Anyhow, we talked about something similar to this next article fairly recently, and this is from eff.org electronic frontier foundation. They're very much a very pro-free speech place to a degree. As long as your speech agrees with them. But they want open software and, they do want to help keep more basic information safe, the civil libertarian side of things.

Let's see. So the police surveillance center in Jackson, Mississippi is going to be conducting a 45-day pilot program to live stream the security cameras in Jackson, Mississippi, including the Amazon ring cameras from residents who are participating. The idea behind this is it gives the police department real visibility, live visibility into neighborhoods.

So they can record it as well. They can play it back. If there are porch pirates, those people that are stealing our Amazon packages out there, they can hopefully find them. Of course, if there's a porch pirate that just stole your package. you've probably got them on tape, right?

So you can do a little bit of something about that. I have multiple cameras out there doing it, but the police want this live stream. Now there've been stories out there in the past about ring cameras being used by the police.  in some cases, these stories have said that in the, in fact, the police departments, according to these guys have been doing it without a warrant.

in fact, that's going to be the case here again in Jackson, Mississippi, because people are going to be able to opt in to this program. So it sounds like they're trying to do some of the right things. There are concerns here from the EFF about rings 1000 plus partnerships with local police departments.

And that's kinda what I was talking about back in June this year, but there are a lot of people that are concerned about the police department, and you've probably heard of this socialist-communist in fact group called black lives matter. That has been out there protesting the police, defund the police, all of the things that have been promised to us about just drawing a lot of the local police departments. This is a real concern because people are buying ring cameras and these other cameras and putting them on the front door effectively to help keep the packages safe. The police are using them to build these comprehensive closed-circuit TV camera networks that are blanketing whole neighborhoods and it allows the police departments to get that type of video feed without having to buy surveillance equipment.

Think about what some of our local cities have done to put in surveillance cameras. It's really rather expensive. Then the second point here that E FF is making, is that evades the natural reaction of fear and distrust that many people would have if they saw cameras up on the street lights.

By the way, some of these new street lights do include cameras that are fed to the police department. Okay. So they are there, but they're hidden away. It's Oh, it's Joe's doorbell is basically what it is and it's supposedly. Going to be a little bit safer, but the police and these thousand different partnerships with different police departments now are allowing them to set up an array of cameras without anybody really noticing, by the way, Jackson.

Was the first city in the Southern United States to bland banned police use of face recognition technology. So they understand this invasive surveillance technology, but, in this case, maybe they've overstepped their bounds. They've got, also by the way, this national movement called community control over police surveillance.

See cops. These are different ordinances. The residents have put through legislatures in different States that have more say in whether or not please can build a program like this. I also have had concerns over the years about the ability to videotape or record, official police or otherwise in the performance of their duties.

Main is what is known as a single-party state, which means only one person who is part of that recording needs to be aware of the recording. And they, one person has to say, yeah, okay. I'm going to record, but the other person on the other end of the line or the other end of the camera doesn't have to say anything.

New Hampshire and many other states are two-party States. In other words, Both parties or all parties that are part of that recording have to consent to be recorded. So something like this ring system really could be a bit of a problem. And depending on the state you're in Maine, wouldn't be because you knew you had a camera up.

I think in most States, including New Hampshire, you would, which is a two-party state. I think you're are going to be safe enough because. You got a Ring doorbell with a camera. I think most people nowadays know that it could be recording what's going on and I have security cameras up as well. And you might want to do the same thing.

I use security cameras that meet the federal department of defense standards. Okay. they ain't feeding ring or anybody else out there, but it's something to seriously consider. the last article here before we disappear is about the cybersecurity pandemic that's going on right now. This is a scary thing.

It's a big thing. The next war is really worldwide going to be a hybrid war. We're already seeing that where businesses and governments are targeted by cyber attacks. There's espionage going on. I've told you about some of the clients I've picked up because something weird was happening and we looked into it and we found.

Direct evidence of espionage and got the FBI involved. That it's amazing what's going on. But the threat from hostile nations like China, Russia, Iran, and North Korea is really growing. And we've got our critical national infrastructure. Now such as your water, electricity plants that are relying on network connections and also.

for changing valves, opening, closing them as well as for monitoring, we've got these SCADA systems, which are also used for monitoring and control in our manufacturing plant. This is a bit of a problem. And particularly when we think now about all of these people that are at home, working from home, that may be connected to a business.

That is part of our critical national infrastructure and they don't have the right kinds of security. It's it is mind-blowing. Anyway, I'm thinking about doing something about this article we talked about earlier from the wall street journal, the buddy system. Where you can really increase the security of your business by using it.

I'm thinking, how can I help with that? I'm not sure yet we'll figure out how I can help you with that sort of thing. Maybe we should just have a little report line where you can send stuff and let me know, and I can respond.  Let me know at [email protected] and we'll be back next week.

---

More stories and tech updates at:

www.craigpeterson.com

Don't miss an episode from Craig. Subscribe and give us a rating:

www.craigpeterson.com/itunes

Follow me on Twitter for the latest in tech at:

www.twitter.com/craigpeterson

For questions, call or text:

855-385-5553