
Tech Talk with Craig Peterson Podcast: Supply chain hacks, Nation-state spying, Tesla, Microsoft Exchange Server Hack and More

Craig Peterson - Secure Your Business, Your Privacy, and Save Your Sanity

Release Date: 03/13/2021


Welcome!  

It is now up to hundreds of thousands of organizations that have been affected by this Microsoft Exchange Server vulnerability, and it was so large that you could drive a freight train through it. Oh yes -- Microsoft did issue a patch, but that did not fix the problem, which was the backdoor that the bad guys installed. Nation-states, especially China and Russia, have been spying on us, and it will take a lot of research to determine what information they were able to get their hands on and what damage they can do with that information. We have deep fakes in the news again, and there is more, so be sure to listen in.

For more tech tips, news, and updates, visit - CraigPeterson.com.

---

Tech Articles Craig Thinks You Should Read:

Tens of thousands of US organizations hit in ongoing Microsoft Exchange hack

Samsung just out-Googled the Pixel at guaranteeing Android updates

Google’s Getting Rid of Third-Party Cookies, But Their Replacement Is a Terrible Idea

Google claims it will stop tracking individual users for ads

Tesla asks fans to lobby the government on its behalf

Make Deepfake Videos of Your Ancestors, But Consider Your Data Privacy When Making MyHeritage 'Deepfakes'

China’s and Russia’s spying sprees will take years to unpack

A new type of supply-chain attack with serious consequences is flourishing

---

Automated Machine-Generated Transcript:

Craig Peterson: [00:00:00] If you've been listening to me for a while, you may not believe this, but I've got a recommendation here on Android phones. Coming up we're going to talk about Google's new replacement for cookies, and a little bit about what Tesla's been up to. I don't like this.

I have never been a fan of Android phones, and you know why I haven't been a fan? The biggest problem with Android phones is the lack of security updates. That really does concern me a lot. Google also has not been the best when it comes to the Play Store and making sure that everything on the store is actually safe.

Here is some very promising news for people who like the Android platform or maybe dislike the Apple platform for one reason or another. Frankly, there's a lot of reasons there too.

Samsung has always been the leader when it comes to keeping their number one phones updated in the past. I've always said, make sure you can get updates. Samsung with its Galaxy phones has been good for about two years. They provide you with the security updates you need with some patches.

Even if Google comes out with a patch, most of the phones out there that are running Android, do not get the updates. Ever.

Some of these phones are older, they don't bother supporting them. Some manufacturers drop support within months after you buy the phone.

Samsung has been good for about two years. So my rule of thumb has always been, if you're going to buy Android, if you gotta do it. Stick with Samsung and stick with their number one model.

It is now promising four years of security updates for more than 130 Galaxy phones. That's pretty big when you consider that frankly, Android phones have been the butt of many a joke over the years.

Samsung is working pretty hard to make sure that they are really able to deliver for the Galaxy owners. Now, this is cool because it was just early this year, I think, that Samsung promised that most new Galaxy phones would be getting about three generations of Android version updates. Now, that amounts to a few years; as a rule, the generations in the Android world are pretty much about a year.

Google has been providing updates for its own phone that it has. They provided to these other companies, like Samsung, to then take it and modify it to fit what they want and then they provide it to you. So, three generations are good. Now, they have said four years of security updates. Now, that's a pretty impressive promise. What they're trying to do is compete with Apple that has historically provided about five years of support. There's a big difference, obviously between two years and five years, but there isn't as much of a difference between four years' worth of security updates, and the five, six, seven years that Apple has been doing depending on what kind of security updates. That's very impressive.

Of course, Samsung just a year ago wasn't guaranteeing anything in terms of updates. Most new phone purchases were good for a year or two of updates, but only the Pixel, which is made by Google, and Android One-based phones were on the record about how long you could be getting updates from the manufacturer.

Now Samsung is doing one better than Google. Remember, Google is the guy that actually provides the Android operating system. Google's only guaranteed three years of version and security updates for Pixel phones and that's not very many phones.

Frankly, Google Pixel has not been selling well. It's the standard that all of the Android manufacturers use in order to have a kind of proof of concept. So this is what it should look like. This just should be how it acts.

I'm looking at this list here. This thing is huge of all of these phones from Samsung that is going to be supported, here.

You've got the Galaxy foldable devices. The whole family of Folds. The Galaxy S series, and starts at the S10 Plus, moving on to the S20, S20 5G, S20 Plus, blah, blah, blah. A bunch of different S20 models and the S21. That's pretty darn good. That's a lot of phones. Also, the Galaxy Note series, starting at the Note 10, all the way up to the current Note 20 Ultra 5G; the Galaxy A series, again, certainly, the 10 going up to eight 45; the Galaxy M series; up through the Galaxy XCover series and again Tab series, which has been pretty popular for a lot of people.

If you're thinking about picking up one of your Android phones here soon, maybe you should give a second thought to the Galaxy. Now, they're guaranteeing that they're going to provide these security updates for you for four years. Yeah. Yeah. Okay, a guarantee we'll see how long that lasts. The other problem is how quickly are they going to get it out?

You'll see Apple devices, who just this week they had a security patch, they pushed it out and they expect to see 70, 80% of all of the phones with that security patch installed within a week. That's your Apple iPhones.

Google comes out with a security patch. They push it out. It has to go to the vendors like Samsung, and then the vendor like Samsung has to take that and add the device drivers that they need for all of these models. Think about that for a minute. That's a lot of device drivers. That's a lot of different models. I think it's going to take them a while to do that and then they'll get it to you.

That security update that comes from Google, we've seen take six months in the past before it gets on to your phone. If you're looking at security, if that's a real concern of yours, and sure should be, particularly after this disaster of a company called Microsoft and their Windows products. Particularly now this Microsoft Exchange Server bug.

I'm so upset with Microsoft, but you know what? We'll get into that a little bit later.

The Samsung, the Galaxies, the Google Androids are not designed for all of the safety and security that you really do need, frankly. When you think about the models we're talking about, 130 models that Samsung is going to be providing new updates for. Okay.

When we look at Apple and the iPhone models let me see how many iPhone models are there out there. I'm going to Google that right now, even as we're talking. So 2007, that is when they first came up with them. Okay. So since the very first iPhone, according to the iPhone Wiki, there have been 29 models of the iPhone. 29. Two nine. How many did I say Samsung is going to be updating? 130. So who has an easier time of providing updates, security, updates, testing the updates, pushing the updates, having people install the updates, the company that in the last, how many years has been making iPhones yet since 2007? Okay. So all the way up to 2021, that's a lot of years. Versus the Android who has been making these Galaxys for many years, but is only going to be providing updates back to the Galaxy S10 from 2019. That covers the 130 models. Are you getting what I'm selling here? Are you buying it? Yeah, it's impossible. Really? For Samsung, even with all that, they're trying to do here. They're trying to help out. It's impossible for them to keep up with security-based unless they have this massive team. I don't expect that they do have a massive team that's going to be working in parallel. 130 teams, one for each phone. That just isn't happening.

So again, if security is a concern, Android is not the way to go.

If, for some reason, you morally, ethically, religiously cannot use an iPhone, then have a solid look at Samsung because of this promise they came up with, here in the last two weeks, of four years of security updates for more than 130 phones.

Finally, there is an Android phone that will have security updates at some point in time, versus what we've had over the years of really, you can only count on it for one or two years. It's just not worth it. Not a good thing.

Hey, I am sending out on my newsletter, not just my show notes, but I have also been sending out one or two other emails a week that have some very narrow training. What I've been doing is making audiograms for you guys. This is a video that is of me speaking, explaining something. On that video, you can see all of the words you can read along, which is great for people who are hearing impaired, or maybe you want to have that computer muted for whatever reason. It makes it easy.

You can find me on YouTube, just go to CraigPeterson.com/youtube, and you can catch those audiograms.

You can also get them. If you are an active subscriber to my newsletter, active means you open it. You read it. I know you do. If I don't consider you active you just don't get this extra information. So, make sure you open those emails.

A lot of us have been complaining about cookies and tracking for a long time. Google has finally heard us? I'm not sure about this. We're going to talk about third-party cookies, right now.

Hi, everybody. Thanks for joining me, Craig Peterson here.

Well, third-party cookies are where you go to a website, and that web browser kind of squeals on you, shall we say.

What happens is Google, for instance, is trying to track you as you go online. As you go between websites. They're calling this kind of an advertising surveillance industry on the web.

Frankly, this third-party cookie has really been an important part of this whole surveillance industry. What it does now is it allows a website to have a look at where you have been online. When I say it allows a website, it's really Google, that's doing the tracking. Obviously, you're going to a website, Google doesn't own every website out there. In fact, it barely owns any, when you look at the number of websites that are out on the internet.

So Google has this whole concept of if you're visiting this site and you have visited this site and this other site, I know something about you. So it sells that information because it's seeing the pattern, right? That's the whole idea behind the advertising.

Phasing out these tracking cookies and these other persistent third-party identifiers have been something people have been trying to get rid of for a very long time. The Electronic Frontier Foundation you'll find them [email protected] has been jumping up and down trying to get everybody to pull up their socks if you will.

One of the first players to really jump into this was Apple. Apple has pretty much told the whole industry, you got to stop doing some of this tracking. Some of the tracking is okay.

Again, how many times have I said, if I'm looking for a Ford F-150 then I don't mind seeing ads for the Ford F-150.  Why would I want to see ads for a motor scooter when I'm looking for a pickup truck. Frankly, if I'm looking for an F-150, I expect to see ads maybe for a Chevy Silverado or a Dodge truck, does that make sense to you?  I'm looking for something and that's when I'm interested in seeing it.

Google is now jumping on this bandwagon because Apple has said we are going to be doing a couple of things. We are going to be forcing you, app developers, to tell everybody exactly what you are doing with their information, what you're tracking, who you're selling it to, what it's being used for. That's a very big deal.

It's got the whole advertising industry very worried. Google is coming along saying, okay, Apple will do you a little bit of one better. Of course, the biggest complaint from Facebook who ironically has been buying newspaper ads, if you can believe that. Google has been destroying the newspaper industry and now it's going to newspapers to try and get people to stop Apple from destroying Facebook's industry by blocking some of the advertising tracking that Facebook has been doing.

Now, what Google is doing is looking to replace these third-party cookies. How were they going to do that?

They are already doing a few rather sneaky things. For instance, they fingerprint your browser. Your browser has a fingerprint because you have certain extensions on your browser that you've added. You have your computer, which has an operating system that has a certain version. It has a certain amount of memory. It has a certain amount of disc storage. A lot of the private information, personal information about your computer can be gleaned by a website.

One of the things they've been doing this, you're blocking cookies. No problem. I can still figure out who you are and they don't necessarily know exactly who you are, but they have a very good idea.

One of the proposals Google has come out with is called the Federated Learning of Cohorts, which is very ambitious and could be the replacement, if you will, for these third-party cookies that could be the most harmful. What it is is a way to make your browser do the profiling itself.

Historically they've been able to track your browser as you go around and then they have to pull all of that information together. They pull it together and they come up with a picture of you and who you are. Yeah. You're interested in buying a pickup truck, particularly an F150. This is an example.

That picture gets detailed about you, but it's something that the advertisers have to put together. What this FLoC, or Federated Learning of Cohorts, is doing is it's boiling down your recent browsing activity into a category. They're calling this a behavioral label, and then they're sharing it with websites and advertisers.

The idea is basically your web browser itself is going to put you in one or more buckets and the websites that you're visiting and the advertisers that are advertising on those websites will be able to get that label that your browser has put on you. Yeah, you like that?

So what EFF is saying is that this could exacerbate many of the worst non-privacy problems with behavioral ads, including discrimination and predatory targeting. You can guess what those things mean, right? They're calling this a privacy sandbox, right? It's always the opposite.

If Congress is passing a bill, that is a COVID relief bill, you can bet that there's very little to do with COVID relief in the bill. Wait a minute, actually, that's true. There's only 9% of the money in this almost $2 trillion spending plan. 9%, that actually goes to COVID relief. Instant COVID relief bill.

Same thing here with Google, right? This is the privacy sandbox and it's going to be better, Google says.

In the world, we have today where data brokers and ad tech giants, track and profile everybody with complete impunity. Just like Equifax has. Just like Equifax lost our personal identifiable information, our social security numbers, or addresses or names or date of birth, et cetera, et cetera. Yeah. Yeah. Okay. We pay a small fine. Yet. We go on.

Are they out of business? Have they lost business? In fact, they gained business because people have been paying Equifax to monitor their credit. Oh my gosh.

That framing that Google is talking about is based on a false premise that you have to choose between tracking and new tracking. Does that sound familiar? Yeah. It's not an either-or. We really should be rejecting this whole new Federated Learning of Cohorts proposal Google has come out with.

You can bet that Apple is going to reject this outright because it's really rather terrible.

If you care about your privacy on the other hand again, I look at it and say I want an F-150. I don't mind ads for pickup trucks, so what's wrong with that? Okay. There's two sides to this.

I just don't like them calling me by name when I walked past a billboard.

Stick around, we'll be right back.

I'm a fan of much of what Elon Musk has done, what he's trying to do when it comes to technology, and being a proponent of technology.

I'm not fond of Elon Musk taking over $3 billion from the taxpayers though.

Hi, everybody. I appreciate you spending a couple of hours with me here on the weekend. There's so much to cover.

Elon Musk, it was $3 billion that he had received in government subsidies. Now we're looking at this, according to goodjobsfirst.org. We're looking at $4.9 billion dollars that Elon Musk has received basically from the taxpayer.

It's really sad when you get right down to it. Now, Tesla got money from taxpayers he's paid some of it back. It's really the government trying to name a winner.

There's a lot of competing technologies. There's even non-electric cars out there. How many of you are even aware of this? That use, for instance, hydrogen instead of electricity. Now there's, of course, with any technology there's complications here and there. Hydrogen is absolutely amazing. It's an electric car. You fill it up with hydrogen and the only byproduct of the burning, if you will, the hydrogen, is water. In fact, it doesn't burn the hydrogen. It combines it with oxygen to make the water and produce electricity all at the same time. Very cool.

There are some prototypes out already on the roads out in California and some other places around the world.

When the government's giving out billions of dollars to electric cars, they're effectively naming a winner. Aren't they? Does that make sense? I don't think so. We've got to have a free market and this is not a way to have a free market.

It's just like with solar, wind, some of these other technologies where the government is taking our tax dollars and is saying this particular technology, and even worse, look at Solyndra, look at some of these others just absolute debacles.

Now, even worse they give money to a specific company within a certain industry. That is not a good thing. Government has a terrible record at picking winners. Even investors, you look at people who are angel investors and who are venture capitalists. They are lucky. If they make money in one of 10 of their investments. It is not a great way for them to make money.

A professional investor does terribly. Imagine how poorly a politician does.  The politician is going to be listening to the people knocking on their door, saying here's some money for next time you run for the house or Senate. Or locally, in local elections, it even happens. That is a very bad thing.

It's been proven again, and again over particularly in the last about 140 years. Governments' terrible about picking winners. Yet they do it every day of the week. Tesla has gotten money, right? Some, of its tax benefits, some of it is actual cash.  The bottom line, they've some great technology.

Now what's happening is Tesla is asking Tesla fans to lobby the government on its behalf. Great article by Rachel Kraus over on Mashable about this week. I love it.

She says: Tesla fan, your mission, should you choose to accept it, is to go to bat politically for the company. Check this out online. You might want to too because Tesla has launched a new online portal called the Tesla engagement platform. CNBC spotted this about a week ago, and this is a hub where Tesla posts actions its users can take like contacting government officials when there is a potential law that would affect the company.

In fact, it says in a blog post on this hub Tesla built: Engage Tesla is a new platform for both Tesla's public policy team and Tesla owners clubs. Its goal is to create a digital home base for all of our work and to make it easier for Tesla community members to learn what's top of mind for us, take meaningful action and stay in the loop. We hope you'll enjoy our, excuse me, we hope you'll join us in getting involved. Oh my gosh.

So, I'm on Engage Tesla, it is at engage.tesla.com. Very pretty pictures. By the way, of some of these new Tesla cars, very cool cars. I would absolutely drive one of these things.

One exception, I don't like the handles. I talked about that a couple of years back. About door handles on the outside. Having been in emergency medicine for a while. EMS, I can tell you, in accidents, you want something you can grab onto and have serious leverage. The doors get bent, things happen.  There's at least one case I'm aware of where someone got trapped inside the car that was involved in an accident and then burned to death because the people who were trying to rescue him could not get him out of the car because there are no door handles to pull on.

Yes. I know the handles come out automatically when everything's working right.  I'm talking about the most extreme of problems here. Anyhow, I'm digressing again.

Uber is doing much the same thing, by the way. It isn't just Tesla. Uber is, in fact, they had their drivers this was October last year, sue Uber over what these drivers called pressure to vote and advocate for the proposition in California. Not a good thing when you get right down to it.

It is it's a real problem when you look at this in detail now. I'm not sure it's a terrible problem, but I do have a serious problem with companies soliciting the government in order to get things like tax subsidies in order to get special favors.

A lot of people do too. Look at all of the people who were upset with Tesla for trying to get a tax holiday for its battery plant and for some of its other facilities and things that they're doing.

By the way, there is currently a post on this Tesla engagement platform asking Nebraska residents to contact lawmakers about a law coming up for a vote that would enable Tesla to open showrooms and service stations in the state where it's currently prohibited.

Now I brought that one up, particularly because I think again, free market. There's no reason in today's world. No legitimate, let me put it that way, reason to have dealerships. I think we should be able to buy a vehicle directly from a manufacturer. If they want to have certified repair shops, knock yourselves out, but we don't need somebody sitting there anymore in a dealership. Same thing with most of these distributorships. I think we have been shown that a car can be ordered online, configured online, shipped to us. We can be pretty darn happy with it. By the way, that they are shipping it to us in our state gives them what's called a legal nexus. So, they do have a presence in the state. They can be sued in the state if there is a problem. This whole thing in Nebraska, I don't think there should be dealerships that are exclusively provided the right to sell vehicles within the state.

My opinion. All right. Hey, stick around. Cause we will be back.

We're going to talk a little bit about deep fakes. This is cool because MyHeritage is doing something that's scaring a few people.

You're listening to Craig Peterson.

Make sure you check out my website, CraigPeterson.com and sign up.

You might've seen some of these deep fakes out there. Videos where it's putting Elon Musk's face on people or others in videos. Did you know that there's audio as well? They're using it to bring back our ancestors.

Hi guys. I really appreciate you listening to me.

There is a website out there called MyHeritage and it's very popular. It's a site that allows you to do a genealogical examination of yourself, a little look at DNA, they'll look at your family tree. They've got some research stuff up there. They have something new called Deep Nostalgia and I think this is very cool.

It really introduces some interesting problems, frankly. This allows you to animate a face in a photo. It's unnerving. When you have a look at this thing. You can check it out, again. MyHeritage.com/deep-nostalgia N O S T A L G I A. In case you're wondering how to spell it.  They require you to create an account on their site and then you upload the photograph.

It takes that photograph and it has them pose. It's really uncanny. I'm looking at a picture, black and white, that was taken, it's right there on their site, of a couple. I would guess this is a 1960-ish-era photograph based on the hairstyles and the glasses. It's just so weird because they have this photo. It's a head-on, face-on photo and they've animated it so that the woman in this photo, she's moving her head around. She's smiling. This is a really great smile. She blinked. She moves her head up and down and looks over to her and looks back again. Wowsers. It is absolutely amazing. You might want to check it out. It's a form of artificial intelligence that's doing this.

Of course, it has to make a bunch of assumptions. So if you look, you don't even have to look that closely, but if you look fairly closely at the picture, you'll see some detailed problems with her hair, the ends of her hair. At the top of her head, because you can't see the whole top of her head in the original picture. You can obviously not see both sides of her face or her head because that particular picture just a straight-on shot.  It's making it up as it goes.

We're seeing deep fakes more and more. We're going to see a real problem, coming up in another couple of years, certainly by the time 2024 arrives with deep fakes.

We've already got Russians influencing our elections. Of course, not as much as the oligarchs out in Silicon Valley have been influencing our elections, but they are already influencing us in a very big way.

China, as well, imagine what'll happen when they start producing deep fakes of our presidential candidates saying things or doing things that they have never said nor done.

What I did is, I figured I want to give you guys an example. Audio seems to be a little bit harder for the deep fakers than some of the videos. At least the technology and audio hasn't quite come as far. I'm going to play for you right now a deep fake of my voice.

This is not my voice, you're about to hear. Then I'm going to play a completely computer-generated deep fake. So let's go here. I'm going to play my voice right now. This is an example of a deep fake using my voice. Did you catch that? That wasn't me. That was a computer again. I'm going to play it for you one more time.

This is an example of a deep fake using my voice. Now you can hear some of the problems with it. If you listen really closely that it's not really me, but it's close enough that if you weren't paying a whole lot of attention, you would not notice that it really wasn't me saying something.

Expect within the next year, that type of technology to get to the point where you won't be able to tell.

So think about it. What would happen? If a tape was released, talking about, Mitt Romney for instance, saying half of the voters that are never going to vote for me anyway, and that was recorded. I guess, by one of the waiters, it was at an event.

If you took this voice of mine and you created a deep fake, cause all you need is about five seconds worth of someone's voice to make a deep fake. You had politician X, let's say that Hillary is running again for president, okay, in 24. You could have her say almost anything. The audio quality might not be up to it, but with most of these recordings that are made on people's cell phones either, is it.

I want to play another deep fake. This is a completely fabricated female voice. This is an example of a deep fake using a completely generated voice. Yes, indeed. I created that. I can make her say anything I want to.

Help me. Craig is holding me hostage inside his computer. Yeah. This is going to be a huge problem in the future.

There are concerns about what they are doing over at MyHeritage. Look at some of these pictures. Here's one it's cool. It's unnerving. Here's again, a guy with a family, this one's in color, he's got a right ear, the really pops out there, but he's looking around.

Have you used an iPhone and taken a picture and they call them live pictures. You can see the person right before the shutter is closed. You can see the person moving around. It's really a little video right in front of the picture. That's what these things look like.

Ah, here's this little kid, he's looking around. Here's one, a very old one. Oh my goodness, it is creepy. You got to check this out online. MyHeritage.com/deep-nostalgia.

Now here's where the concern comes in. In an article on Lifehacker by David Murphy, he is talking about taking these old pictures, could be very old pictures of somebody sitting around somewhere, uploading it to the site. Then you get a little bit of nostalgia. I get creepy nostalgia that only comes from this static image now moving around on your screen.

I don't get it, really, I don't myself. I think that it's just plain creepy, but if you decide to do it, cause it is cool. Okay.

You probably should use a temporary account to make it to make your account over on MyHeritage and maybe also delete the photos that you upload and turn into these deep fakes. So many other websites out there, if you do go ahead and upload it, they go and claim the rights to it because it's a derivative piece. They made this little video from your photos. So, that's not your photo anymore. It's now theirs.  It gives them a royalty-free worldwide perpetual and non-exclusive license to host copy, post, and distribute the content. It could be a problem, but I can tell you one thing that definitely would be a problem, that is if you use a username and the password you've used elsewhere.

Now, I have to bring this up because most of us are using the same password on every website or maybe, yeah we're really smart. We got three passwords and we vary them. I did that for years, but that was many decades ago. We just can't do that anymore.

If you are going to make an account on MyHeritage or anywhere else, make sure you don't use a password that you've used anywhere else because it is a problem.

Ultimately, it's a real problem for you and you can't believe your eyes or your ears anymore.

You share these pictures. I don't know that they allow you to download them because I did not put my own pictures up there. If these pictures are watermarked. Delete your account. Click that blue link under the big grid text to get started.  That's supposed to delete anything anyways. You can figure it out but have a look anyway, it's in my newsletter that comes out on Sunday morning. There'll be a link in there that you can click on and see what they've been able to do.

Remember. When it comes to particularly things coming up in this next election where it really matters who we vote for, it really matters. Other countries have a very big opinion about who we should be electing to office.

Look at what happened with Rep Swalwell out in California. Here's a guy who was running for mayor the Chinese socialist government decided they would put a honeypot into his campaign. So they got this woman who was trained in seducing people. They seduced Swalwell and she raised money for him, for his campaign as mayor and stuck with him over the years, all the way until he was in Congress.

Then in Congress, she helped him get onto the very influential committee in Congress, where he had full access to our government secrets. Certain secrets that are. She apparently was feeding all the information right back to China. That is not a good thing, not a good thing at all. It goes to how much China is willing to do to directly influence and infiltrate our government and our businesses.

If they will assign one of their spies to seduce a mayor of a small city in California, and then help elevate him to Congress and to the chairmanship in Congress. By the way, The speaker of the house, Nancy Pelosi has not removed him from that seat. She's got a Chinese spy problem herself. That's another story.

They're willing to do anything.

It's going to be a rough little time here going forward. Let me tell you these deep fakes are getting more and more real.

I'll be right back with a whole lot more.

You're listening to Craig Peterson.

I've been talking about this on the radio all week, at least since midweek.  I want to talk about it now, and why I am so upset with Microsoft. I can hardly contain myself. This is crazy.

This is Craig Peterson here. You heard it right. The guy that's very upset with Microsoft. What shall I say? We're going to be getting into that in just a couple of minutes.

This is a real problem. What are we supposed to do? We have bad guys now doing what is called supply chain attacks.

The simple way to explain this is you have someone who is supplying software for you.  It could be Microsoft. We heard about something, that happened very recently with SolarWinds and how they had software that they were providing their customers, which included government agencies. All kinds of them. It included many businesses. A lot of managed services providers were hacked by this.

A very, very big problem, because they were trusting the software that came from SolarWinds, and that software had been digitally signed, so they knew it was legitimate. Everything's good. Nothing to worry about here, let's go on with our lives.

However, the reality was that the SolarWinds software had been hacked many months prior to anybody really noticing. It was hacked in such a way that when SolarWinds provided their software to their customers, they were now infected.

Now, you might look at it and say SolarWinds, they should be signing their software. They should be watching the chain of custody for their software. They did, in both cases, they were signing it digitally so that their customers knew, okay, this is legit. This is really from us. You can install it. It's good.

But your checking the signature didn't do any good. You were still going to be hacked because it was in SolarWinds software.

Microsoft has been providing us with software for many years. I helped develop some of the Windows NT code ways back when. Their new technology, that's what the current versions of Windows are based on.  I can remember way back then, just what a mess it was I couldn't believe the way they did so many things. It was just absolutely crazy.

Of course, David Cutler, VMS guy, for those of you who remember all of that, really spearheaded that NT project. There were a lot of VMS systems in it, but then Microsoft ripped them out. They ripped them out because they didn't want to have to support an operating system that enforced security. VMS has been a very secure operating system is written by true programming professionals, not interns, as it was exposed with Microsoft, having interns develop one of their versions of their operating system, like 80% of it. It was crazy. That was only found out because of discovery.

Yet Microsoft is sitting on cash. A whole lot of cash. It's billions of dollars. Let me see. I'm looking up right now.  Microsoft is sitting on $136 billion in cash, right now, according to MacroTrends. Now, were they using that cash, that $136 billion in cash, to make their products more secure? Doesn't look like it does it.

They had such a huge hole. You could drive a freight train through. The Chinese were able to infiltrate,  in fact, many of our machines. This isn't tens of thousands of our machines, this isn't just something like ransomware, where you know about it because Hey, they're asking a ransom, right? They're threatening they're going to release our secrets, our software, our personal information. If we don't pay up it wasn't one of those things.

What they did is they got onto these machines in education. In other words, school districts. Hospitals, doctor's offices, government agencies, including defense department guys, Homeland security guys. Okay.

Our businesses all the way across the world. They put back doors on. What a backdoor is: it is something that allows them to go to your machine anytime they want. In this case, do pretty much anything they want it to.

Microsoft comes out with fixes this last week. This is specifically for the Microsoft Exchange Server. By the way, if you're running Microsoft Exchange Server, either locally in your business or in the cloud, you have this bug. They released a patch that supposedly closes the hole. It was used by the Chinese to install permanent back doors and what did they not do? They didn't remove the back doors that the Chinese had put in.

What's Microsoft saying to us then, are they saying, Hey, listen, you're fools for buying our software. I don't think they're saying that.

I am at the point now where I'm saying that we are fools for trusting Microsoft. We're fools for trusting these companies that have a product to sell. All they're trying to do is sell the product.

Look at what's been happening with some of these antivirus products. Look at what's happening with these VPN products. They have the software to sell and they're going to sell it.

They're not going to tell you the whole truth, nothing but the truth. Forget about it. They're going to do anything they can to sell you the product. So are Microsoft people.

Are people getting fired for buying Microsoft? It's like IBM in the seventies and the eighties, you never got fired for buying IBM.

People should be fired for buying Microsoft.

If you have a Microsoft Exchange server, not only do you need to make sure you install all of the patches. There were four critical Microsoft Exchange Server zero-day vulnerabilities patched.

In other words, things that they hadn't been able to patch it and know about yet. Supposedly, right? There are articles I've read that say they've known about at least one of these vulnerabilities for a year plus. There are other vulnerabilities Microsoft knows about that they haven't bothered closing the door on.

They are in our supply chain. They are getting us the software that we need and they're signing it and it's installed in it.

We're upgrading our machines. Sometimes the upgrades that they provide, the security patches actually work, in this case. It may close the door. What it's not doing is providing us with a way out of this huge mess.

Velma agrees with me here. Okay. No, she absolutely does.

They released fixes on March 2nd. Microsoft has been saying they've been used in limited and targeted attacks against law firms, infectious disease researchers, defense contractors, policy think tanks among other victims. Yeah. Yeah.

How is it a problem? I don't see it.

Oh, my goodness. Companies are seeing abuses of these Microsoft Exchange Server problems starting in January. There are reports that I found out there online. There are three clusters of vulnerabilities. Tens of thousands of US-based organizations are running Microsoft Exchange servers that have been backdoored by these threat actors, who we are thinking are Chinese. They are stealing administrative passwords. They're exploiting these critical vulnerabilities in the email systems and calendaring application.

They've done nothing, Microsoft, to disinfect the systems that have already been compromised. Can you believe this?

I got this from Krebs on Security. They were the first ones to report this mass hack and Krebs has got some great stuff they have had for many years now, frankly.

Brian Krebs put the number of compromised US organizations at least at 30,000. Worldwide, Krebs said that there were at least a hundred thousand hacked organizations. Now, an organization is a government agency. It could be a hospital, could be a doctor's office, could be a business, right? Anything is an organization, tens of thousands in the U.S. This is the real deal. This is a very big deal.

You have to assume if you are running a Microsoft Exchange server, this is the server that is used for email. This is how small businesses often run. Their email is an exchange server. This is how hospitals and government agencies, et cetera, run their exchange server, which is ridiculous.

I have never purposely used an Exchange server, right? If there's any way around it I've always gone to something better, a Unix-based system.

Postfix, almost anything rather than the incredibly buggy software from Microsoft. It is just horrible.

Anyway, you have to assume that you were compromised between near the end last week of February and the first week of March.

Absolutely incredible limited targeted attacks. This isn't something that was just absolutely widespread. They went after companies because they knew they could get something out of the companies, a very skilled hacking group from China.

They're focused primarily on stealing data from US-based infectious disease researchers. As I said, law firms, right? Higher education institutions, defense contractors, policy think tanks, and NGOs. It's absolutely incredible what they've been doing and we cannot put up with it anymore.

I want to put a little word here. If you are a business and you have been using Microsoft Exchange Server, restore from a backup. I would say in the January timeframe, you'd probably be safe. Probably, didn't have any back doors in January. Hopefully, you've got a backup that goes back that far. Okay.

Then find something else. Don't use this. Microsoft does not care. You cannot have $136 billion cash on hand, and not spending serious amounts on security. You can't tell me they care. Because frankly, I don't think they do.

Hey, go online. CraigPeterson.com get some of the free training, other things, and I'm offering right there. CraigPeterson.com.

Hey, welcome back everybody we're talking right now about InfoSec, information security. Have you thought about maybe taking up a bit of a new career? Well, there are some estimated 2 million open jobs in this one?

This is Craig Peterson. Thanks for joining me today.

This article appeared in Dark Reading. Now, Dark Reading is an online magazine, right? It's a website. And they had this article that I absolutely had to read because it reminded me of someone I know. One of our listeners, who decided he needed a new career. He'd lost his job. He'd been out of work for over a year and he had been managing a retail camera shop and they shut it down. He was stuck. What do I do? He'd been listening to the show for a long time. He decided he wanted to go into information security. He took some courses on it and he got himself a job. A full-time job being the chief IT security guy for this company after just a few months.

So that tells you how desperate these companies are. Kind of jerking his chain a little bit, but not right, because he just barely had any background.  If you want me to connect you with him, if you are serious about thinking about one of these careers, I'll be glad to forward your request to him, just to see if he's willing to talk to you. Just email me M [email protected] and make sure you mentioned what this is all about. So I know what's going on.

Ran Harel, who is security principal and product manager over at Semperis, said, when I was growing up, I was quite an introvert, by the way, that sounds like a lot of us in IT. I didn't realize until much later on in my career, just how great the security and tech community is. Looking back, I realize how quickly I could have solved so many issues, by just asking on an IRC channel or forum.

IRC is an internet relay chat, a bit of a technical thing, but it's an online chat.

I would tell my former self, the problem you are facing now is probably been dealt with multiple times in the past year alone. Don't be afraid to ask the InfoSec community and then learn from them.

That's absolutely true. I found an online IRC channel basically, and they were set up just to talk about CMMC is this new standard that department of defense contractors are having to use.

As you probably know, we have clients that are manufacturers and make things for the Department of Defense and they have to maintain security.  It's been interesting going in there answering questions for people and even asking a couple of questions. It is a great resource. This particular kind of IRC is over on discussion.

You can find them all over the place. Reddit has a bunch of subreddits. It's dealing with these things, including, by the way, getting into an InfoSec career. So keep that in mind.

There's lots of people like myself that are more than willing to help because some of the stuff can get pretty confusing.

All right. The next one is from Cody Cornell, chief security officer and co-founder over at Swimlane. He said, apply for jobs you are not qualified for; everyone else is.

Man. I have seen that so many times everybody from PhDs all the way on, down throughout a high school and who have sent me applications that they were not even close to qualified for.

Now, you can probably guess with me, I don't care if you have a degree. All I care about is can you do the work. Can you get along with the team are you really going to pull your weight and contribute?  I have seen many times that the answer to that is no, but I've seen other times where, wow, this person's really impressive.

So again, apply for jobs you're not qualified for because everybody is. Security changes every day. New skills techniques and the needs of organizations are always shifting. And to be able to check every box from an experience and skills perspective is generally impossible. Looking back at 20 years of jobs in the security space, I don't believe that I was ever a hundred percent qualified for any of them, but felt confident that I could successfully do them.

So keep that in mind. Okay.

Again, imposter syndrome, we're all worried about it. This applies to more than just InfoSec. This applies to every job, every part of life, we all feel as though were impostors and that we're not really qualified, but the question is, can you figure it out? Can you really do it?

Next up here is Chris Robert, a hacker in residence, he calls himself over at Semperis and he says, overall, the most important lessons that I'd tell my younger self are not tech-based. Rather they focus on the human aspect of working in the cybersecurity industry. I think cybersecurity professionals in general, tend to focus on technology and ignore the human element, which is a mistake and something we need to collectively learn from and improve.

I agree with him on that as well. However, we know humans are going to make mistakes, so make sure you got the technology in place that will help to mitigate those types of problems.

Next up, who's got, Marlys Rogers. She's CISO over at the CSAA Insurance Group. That's a lot of four-letter acronyms. You are nothing without data. Data is queen. Coming from an insurance person, right? Without hard data, you can only speak to security in more imagined ways or ways the board and C-suite are aware of in the media. Cost-benefit is only achievable with related data points, demonstrating how much we are fighting off and how the tools, processes, and people make that happen.

Next up we have Edward Frye, he's CSO over at Aryaka. When I first started out, I was fairly impatient and wanted to get things done right away. While there are some things that need to be done right now, not everything needs to be done now. Have the ability to prioritize and focus on the items that will have the biggest impact.

I think one of the biggest lessons I've learned along the way is while we may need to move quickly, this race is a marathon, not a sprint.

Patience is essential for security pros. I can certainly see that one.

Chris Morgan, senior cyber threat intelligence analyst over at Digital Shadows: despite the way that many in media like to portray cyber threats, not everything will bring about the end of the world.

For those getting into incident response and threats, try to have a sense of perspective and establish the facts before allowing your colleagues to push too quickly towards remediation, mitigation, et cetera.

Expectation management amongst senior colleagues is also something you'll frequently have to do to avoid them breaking down over a mere phishing site. To quote one of my former colleagues, try to avoid Chicken Little central.

I've seen that before as well.

The next one is things are changing daily and the last one is a perception of security is still a challenge.

So great little article by Joan Goodchild. You'll see it in my newsletter, which we're trying to get out now Sunday mornings.

You can click through the link if you'd like to read more.

As you can see, 2 million open jobs, well, between one and 3 million, depending on whose numbers you're going at in cybersecurity.

You don't have to be an expert. As I said, one of our listeners went from not knowing much about it at all. He can install Windows. That's it. To having a job in cybersecurity in less than six months. Stick around. We'll be right back.

I'm doing a special presentation coming up next month for the New England Society of Physicians and Psychiatrists. We're going to be talking a little bit about what we will talk about right now. What can you do to keep your patient information safe?  What can we do as patients to help make sure our data's safe.

Hi, everybody. You'll also find me on pretty much every podcast platform out there. Just search for my name, Craig Peterson. I have a podcast and it makes it pretty easy. I've found some of them don't understand if you try and search for Craig Peterson, tech talk, some of them do.

I've been a little inconsistent with my naming over the years, but what the heck you can find me. It's easy enough to do.

I've got this new kind of purple-ish logo that you can look for to make sure it's the right one. And then you can listen to subscribe, please subscribe. It helps all of our numbers.

You can also, of course, by listening online with one of these devices, help our numbers too. Cause it's you guys that are important.  The more subscribers we have, the way these algorithms work, the more promotion we'll get.  I think that's frankly, a very good thing as well.

What do you do if you need to see a doctor, that question has a different answer today than it did a year ago. I won't be able to say that in about another month, right? Because mid March is when everything changed last year, 2020, man, what a year?

To see a doctor nowadays, we are typically going online aren't we. You're going to talk to them. So many doctors have been using some of these platforms that are just not secure things like zoom, for instance, which we know isn't secure.

Now, the fed kind of loosens things up a little bit under the Trump administration saying, Hey. People need to see doctors. The HIPAA PCI rules were loosened up a little bit in order to make things a little bit better. Then there's the whole DSS thing with HIPAA. All of these rules are just across the board are loosened up.

That has caused us to have more of our information stolen.  I'm going to be talking a little bit about this FBI, actually multi-agency warning that came out about the whole medical biz and what we need to be doing. Bottom line, Zoom is not something we should be using when we're talking to our doctors.

Now, this really bothers me too. Zoom is bad. We know that it's not secure and it should not be used for medical discussions, but Zoom has been private labeling its services so that you can go out and say, Hey, zoom, I want to use you and I'm going to call it my XYZ medical platform.

People have done that. Businesses have done that. Not really realizing how insecure Zoom is. I'm going to give them the benefit of the doubt here. You go and you use the XYZ medical platform and you have no clue of Zoom. Other than man, this looks a lot like Zoom, that's the dead giveaway.

Keep an eye out for that because a lot of these platforms just aren't secure. I do use Zoom for basic webinars because everybody has it. Everybody knows how to use it. I have WebEx and the WebEx version of it is secure. In fact, all the basic versions, even of WebEx, are secure and I can have a thousand people on a webinar, which is a great way to go. It's all secure end to end.

Unlike again, what Zoom had been doing, which is it might be secure from your desktop, but it gets to a server where it's no longer secure. That kind of problem that Telegram has, frankly.

If you are talking to your doctor, try and use an approved platform. That's how you can keep it safer.

If you're a doctor and you have medical records be really careful. Zoom has done some just terrible things from a security standpoint. For instance, installing a complete web server on a Mac and allowing access to the Mac now via the webserver. Are you nuts? What the heck are you doing? That's just crazy. Just so insecure.

This is all part of a bigger discussion and the discussion has to do with zero trust architectures. We're seeing this more and more. A couple of you, Danny, I know you reached out to me asking specifically about zero trust architectures. Now Danny owns a chain of coffee shops and his family does as well.

He says, Hey, listen, what should I do to become secure? So I helped them out. I got him a little Cisco platform, and second Cisco Go that he can use as much more secure than the stuff you buy at the big box retailers or you're buying at Amazon, et cetera, and got it all configured for him and running.

Then he heard me talk about zero-trust and said, Hey, can I do zero-trust with this Cisco Go, this Meraki Go, is actually what it is, and the answer is, well, so here's the concept that businesses should be using, not just medical businesses, but businesses in general. Zero trust means that you do not trust the devices, even the ones that you own that are on your network. You don't trust them to be secure. You don't trust them to talk to other devices without explicit permission.

Instead of having a switch that allows everything to talk to everything or a wifi network where everything can talk to everything, you have very narrow, very explicit ways that devices can talk to each other. That's what zero-trust is all about.  That's where the businesses are moving.

There's zero trust architecture, and it doesn't refer to just a specific piece of technology. Obviously, we're talking about the idea that devices, and even on top of that, the users who are using the devices only have the bare minimum access they need in order to perform their job.

Some businesses look at this and say that's a problem. I'm going to get complaints that someone needs access to this and such. You need that because here's what can happen. You've got this data that's sitting out there might be your intellectual property. You might be a doctor in a doctor's office and you've got patient records. You might have the records from your PCI your credit card records that you have. I put on. Those are sitting there on your network that is in fact a little dangerous because now you've got something the bad guys want.  It's dangerous if the bad guys find it and they take it, you could lose your business. It's that simple.

They are not allowing you to use the excuse anymore because of COVID. That excuse doesn't work anymore. The same thing's true with the credit card numbers that you have the excuse of I'm just a small business. It's not a big deal. Doesn't work anymore. They are taking away your credit card privileges.

We had an outreach from a client that became a client, that had their ability to take credit cards taken away from them because again, there was a leak.

So we have to be careful when you're talking and you have private information, or if you don't want your machine to be hacked, do not use things like Zoom. I covered this extensively in my Improving Windows Security course. So keep an eye out for that as well. If you're not on my email list, you won't find out about this stuff.

Go right now to CraigPeterson.com. If you scroll down to the bottom of that homepage and sign up for that newsletter so you can get all of what I talk about here and more.

Hey, thanks to some hackers out there, your application for unemployment benefits might've been approved and you didn't apply for it in the first place. Turns out somebody's stealing our information again.

Hi everybody. Craig Peterson here.  This is a big concern of mine and I've often wondered because I have not been receiving these stimulus checks. I did not get the first round. I did not get the second round and I contacted the IRS and the IRS says depends on when you filed for 2019.

Oh my gosh.  Of course, I was a little late filing that year. They still haven't caught up. I guess that's good news, right? That the IRS data processing centers are terrible.

It goes back to aren't you glad we don't get the government we pay for is the bottom line here, but I've been concerned. Did somebody steal my refund?

Did somebody steal my unemployment benefits, did somebody steal my stimulus checks? It is happening more and more. There is a great little article talking about this, where someone had stolen the author's, John's, personal information again. Now we probably all have had our personal information stolen, whether you're aware of it or not.

As usual, I recommend that you go to haveibeenpwned.com, and pwned is spelled P-W-N-E-D, haveibeenpwned.com, and find out whether or not your data has been stolen and is out there on the dark web.

They have a really good database of a lot of these major hacks.  Many of us have been hacked via these credit bureaus and one in particular Equifax who have all kinds of personal information about us, had it all stolen.

It's easy enough for people to steal our identities, file fake tax returns. That's why the IRS is telling you, Hey, file your return as soon as possible. That way when the bad guys file, we'll know it's the bad guys, 'cause you already filed it. As opposed to you file your tax return and the IRS comes back and says, Oh, you already filed. We already sent you a refund or whatever. You already filed it.

That is a terrible thing to have to happen because now you have to fight and you have to prove it wasn't you. How do you prove a negative? It's almost impossible. At least in this case, hopefully, the check was sent to some state 50 States away, another side of the world. So you can say, Hey, listen, I never been there, then they can hopefully track where it was deposited.

Although now the bad guys are using these websites that have banks behind them, or maybe it's a bank with a website that is designed for people to get a debit card and an account just like that. That, in fact, is what was used to hack my buddy. My 75-year-old buddy has been out delivering meals and had his paychecks stolen through one of those.

These fraudulent job claims are happening more and more. It's really a rampant scam. We've had warnings coming out from the FBI and they have really accelerated during the lockdown because now we've had these jobless benefits increased, people, making more money staying in their home than they made on the job. Disincentives for working, frankly.

He's saying here, the author again, John Wasik, that a third of a million people in his state alone were victims of the scam. This is in Illinois. This is where he lives. A third of the people in the state of Illinois, including several people that he knew.

We've got some national tallies underway. I don't know if you've seen these. I've seen them on TV and read about them, California. It is crazy. People were applying for California unemployment that didn't live in the state at all, would come into the state and once you're there in the state pick up the check, right? Cause that's all they were doing. Some people have been caught with more than a million dollars worth of California unemployment money.

Of course, it wasn't a check, it was actually a debit card. The same basic deal and California is estimating that more than $11 billion was stolen. Can you imagine that tens of millions of people could have been scammed because of this?

This is the third time the author had been a victim of identity theft and fraud.  He wanted to know how could they get his information.

Well, I've told you, check it out on Have I Been Pwned. It'll tell you which breaches your information was in. It does it based on your email address.  It'll also tell what type of data was stolen in those breaches. So it's important stuff. I think you should definitely have a look at it.

He is very upset and I can understand it. Data breaches last year, more than 737 million data files are ripped off according to act.com.  Frankly, that was a digital pandemic, with more and more of us working at home.

I just talked about the last segment. Your doctor's office and you are talking to your doctor. How now? Cause you don't go into the office. There are so many ways they can steal it.

The FBI's recording now a 400% increase in cybercrime reports that we had this mega hack of corporate and government systems.

This whole thing we've talked about before called the SolarWinds hack, although it was really more of a Microsoft hack, and it went out via SolarWinds as well as other things. Be careful everybody out there. If you find yourself in these breach reports, Have I Been Pwned, make sure you go to the website. Set yourself up with a new password. At the very least use a password manager.

I just responded to an email before, when it went on the air today, from a listener who was talking about two-factor authentication.  He's worried about what you're to use. I sent him my special report on two-factor authentication, but it is the bottom line, quite a problem.

Again, use 1Password, use two-factor authentication with 1Password. Don't use SMS as that and you'll be relatively safe.

I don't know, I can't say do this and you'll be safe. I don't think there's any way to be sure you're safe.

Having these organizations, businesses, government agencies hacked all the time that don't seem to care about losing our data, right? Oh, it's a cost of doing business, some of these businesses, and I've talked to them, they'll look at it and say, how much will it cost us in fines if our data is stolen? Versus, how much will it cost us to keep our data relatively safe?  For even a larger small company, a hundred employee company, you're talking about something that is going to be costing you about 25 grand a month.  That's if it's outsourced.

If you're trying to do it yourself and a hundred-person company, you can easily be spending a hundred grand a month. It's expensive to do.  They'll look at it and say, okay, this is going to cost us a million dollars a year, odds are, it'll be two years, maybe three before we're hacked. That's this statistic, although you're rolling the dice, it might be tomorrow that you get hacked. $3 million versus our fines are going to be about a million dollars. We'll just take the fine.

That to me is just disgusting. How can these people live with themselves? I don't know. Maybe it's just me. I'm going crazy.

That leads us to this New York Times article I was talking about on the radio this week. The New York Times article talking about how the United States, really, we are losing control of information warfare. Our warriors have been working at the National Security Agency and the FBI. They leave those agencies and go to work for private contractors. The tools that we've been using to hack other people have been stolen.  The tools that we're paying to be developed, we meaning the US taxpayer, the tools that we have paid to develop aren't even being used, and that mega attack I was just talking about. That's an example of one of these attacks that would have been stopped had we been using the tools that the federal government paid for.  It's just crazy. What's going on?

So here's the bottom line, everybody you can't trust most of these vendors that are out there. They have a product to sell. They don't have the best solution for you, right? They really don't. If they cared about you they would not be selling you antivirus software because it does not work.

If Microsoft cared about you, they would have come out with their anti-malware stuff, Windows Defender, years and years ago. They would have redesigned Microsoft Office and Microsoft Windows, as well, because those were huge security holes.

Look at Adobe. They've been the source of the most security problems of anything out on the market, bar none. Flash was terrible. Java, another example of something that's been a terrible security hole for years. These businesses are trying to get a product to market as quickly and as inexpensively as possible. Quick is usually the number one goal.  It has to be inexpensive for them to develop it. That means now they go out and they sell it because they got it. They're going to sell it. It doesn't matter if it's good. It doesn't matter if it even works overall for you.

That's why I'm doing these courses, these classes, these emails, I'm recording special stuff for you each week. I've got special emails that are going out for you each week.

We've got these radio show podcasts. This stuff is all free. All of it.

Now I charge for some courses, but everything else is absolutely free. Now I hope I have some clients that come from some of this stuff and I do get them, but most of the clients I get are by referrals.

I really believe in this. I'm putting my time, my money, my energy where my mouth is. But you have to take a step. You have to go to CraigPeterson.com and you have to sign up right there. CraigPeterson.com. Scroll down to the bottom of this screen. You'll see a little signup thing and I will start sending you my weekly newsletter.

Some of these little micro pieces of training that only take you a few minutes and information on courses and more. CraigPeterson.com.

---

More stories and tech updates at:

www.craigpeterson.com

Don't miss an episode from Craig. Subscribe and give us a rating:

www.craigpeterson.com/itunes

Follow me on Twitter for the latest in tech at:

www.twitter.com/craigpeterson

For questions, call or text:

855-385-5553