Jan 29, 2021
With the rapid pace of change unleashed this past week through Executive Orders, we are now a lot less secure than we were just a month ago and it is going to get a lot worse. But there are somethings you can do technologically to protect your privacy and stay a little more secure. Cloudjacking is possible mainly due to the failure to use secure passwords and a different password for every site and every application you use. Just doing that makes it almost impossible for hackers to carry out their trade. Chrome and by default Microsoft's Edge Browser have put something in their browser to help -- not alleviate but help with this problem. You can do better by using a true Password Manager and we will get into that as well. Speaking of privacy, the US government is going around its own requirements and buying your location data and other personal information they are not allowed to collect from Data aggregators. We will get into that as well. Then did you know that the new administration has put subliminal messaging into the White House website -- Yes they have. Well, just a taste of today's topics and there is even more so be sure to Listen in.
For more tech tips, news, and updates, visit - CraigPeterson.com.
Tech Articles Craig Thinks You Should Read:
Automated Machine-Generated Transcript:
Craig Peterson: [00:00:00] Hey, there is a new company out there on the forefront of passwords. We're going to talk about that and a few weather things. Of course today.
Hi everybody. Craig Peterson here.
The biggest problem, pretty much all of us have, has to do with our passwords, what we're doing with them, how often we're changing them, how we are storing them. It is being used for quite a few things out there right now. We're seeing a real emphasis on a term you might not have heard before it's cloud jacking.
This is where someone gained access to your cloud services and then does nefarious things with them. What do you expect them to do now? What does this all mean? It means if you are using something thing, like maybe you're using salesforce.com, maybe you have online banking with your bank.
Most people do. There are so many cloud services that we use nowadays. And cloud jacking is where someone gained access to that online account. You might ask, how do they do that? How do they gain access to it? The simplest and most common way of doing it is something called password stuffing. Now, I know I'm throwing a lot of terms out there for everybody, but basically, cloud jacking means that cloud service is being used without your permission, your cloud service.
So again, think about clouds as just a word for somebody else's computer that you have no control over. Cloud services. Generally speaking, are dangerous. Now I know a whole lot of people who think I don't know much about computers. I'm probably a lot better off having some third party manage my computers for me.
And so I'll just go to Amazon or I'll go to Microsoft or IBM or whomever and have them run my server for me. And in fact, that's what most companies are doing nowadays. Initially, it looked like it was going to save them money. It was going to be a big saving because you didn't have to maintain that data center anymore.
You didn't have to have the personnel who know the systems who did the updates and stuff. In reality, that's turned out not to be true. Most of the slightly bigger businesses, those smaller to mid midsize are moving their stuff. Out of the cloud because of cloud jacking, because of all of the supposedly expenses that we're going to be saved, not only not being saved but because they don't have control over their computer anymore and they don't have control over the network because remember the cloud is somebody else's their computer it's their network. it's something you have very little control over, so they're moving it back into their business. I think that makes a whole lot of sense. In the meantime, we have many more businesses that are saying you cannot buy our software anymore. You have to use it in the cloud.
You have to use our cloud license, which to me is just frankly, mind-boggling. Now I can see how it makes it simpler for them because they only have to have one version of the software, maybe two or three as working on the development and they can roll it out a little bit more slowly. They don't have to worry about it.
People having problems with windows, which is always a nightmare. And we'll try and do support because when it comes to windows, Microsoft, themselves tell you don't run more than one app, one service on that machine. We can't guarantee it. It's not going to work. And then you have to pay them 300 bucks when there's a problem.
And that 300 bucks don't go very far because they don't guarantee they'll solve that problem. So all of these things have led us to move to the cloud and now some moving back away from the cloud and our cloud servers and our cloud services that we're using on our businesses. Are being hijacked.
Now I mentioned that one of the things that these hijackers are doing to take over is something called credential stuffing. Another one is fishing. We're not going to talk a lot about fishing right now, but you probably know this already. It's where you get in the email that looks legitimate. It's from somebody that looks legitimate.
But in fact, it's trying to get you to do something that is going to now give them access to your systems. And in fact, that's what happened to a buddy of mine. I've talked about him before, just a couple of weeks ago. Yeah, he lost his whole paycheck. It's gone and he's not getting it back. And the company is not going to reimburse him for it, which is really a shame, frankly.
So once credential stuffing, it's something that's been used for cradle quite a while. In fact, way back when. They used to use credential stuffing to try like a thousand, 10,000 most recent passwords, or, most popular passwords. Now that's a problem. Isn't it? What is it? Why are they doing it?
Back when life was simpler and people use password as their password, or, ABC one, two, three, or the whole top of the keyboard. There were only a few thousand, maybe 10, 20,000 passwords that were in common use, and we've gotten way smarter since then. Haven't we. No, we haven't.
And I would ask right now that you just take a minute and you go online to have I been poned.com and you can type into, have I been poned your email address? And it'll tell you if it found it anywhere. On the internet. So not just on the internet, but more or less on the dark web on the dark internet, but there's another feature on, have I been poned is spelled P w N E D.
Have I been poned and that's in the passwords tab. So if you click the password. Tab here. It's saying that right now they have a database of 613 million real-world passwords that have been previously exposed in data breaches. And obviously, this exposure makes them unsuitable for ongoing use. Why does it make it unsuitable?
Let's type in right now. We're going to type in P an actually we're going to get fancy P at Sein S w zero R D. So it's a great password, right? Because it's a password with an additional sign instead of an eight and a zero instead of an O. So we're going to type this in and they hit return and let's see what it says.
Oh my gosh. This password has been seen almost 55,000 times before. Okay. So it's not such a great password out there. It has been breached in data breaches and should never be used if you've ever used it anywhere before change it. And it's going through giving you this list. There are a lot of places.
Yeah. 55,000 times it's been used. So check it out, go there, check it out. Make sure your password that you're using. Hasn't been used before. And the question is why? That's where we get into. Okay. Problem with credential stuffing. What they'll do is they will use your email address and your passwords that they found online.
And then they'll try and log in to critical websites like your bank, for instance, we mentioned the bank, so they will try and break into your bank account because they've got your email address and they've got, or password that's what credential stuffing is all about. So they'll just try it on across all kinds of different websites until they can get in.
So this ties back into our cloud jacking problem. And with cloud jacking, they just go to these online services. Again, it's like your bank or might be Salesforce to get access to your client information or QuickBooks. Maybe there's a whole lot of them are out there and they'll try and log in as you know, most of these websites have.
Controls on this. So they limit the number of times you can try and log in. So the bad guys know this and they know the ways around it. And some of the ways are just to do it really fast. One of the ways are to do it from different IP addresses. And they do that using, of course, hijacked computers. We called botnets people's home computers, business computers.
They use them to do their dirty work for them. And now they have control over your systems. Multifactor authentication. That's something I go into in some detail. In my improving windows security course, that's coming up. So if you need more information, that's the place to get it. If you want to find out how to sign up, make sure you just go to Craig peterson.com and sign up for the newsletter.
I'll let you know when that course is ready. Karen and I are finishing it up now. There's just been too much stuff going on. So I apologize. It's been taken a little longer than I had hoped it would take. But it'll be out pretty soon, but multifactor authentication or two-factor authentication is really becoming a standard and you're foolish if you don't need it.
Microsoft, Google, and others have been trying to do away with passwords entirely with some whole new technology, which is. Going back and forth. It may come into play. It might not. We'll see how it all goes. There's been some adoption, but it certainly has not been universal, but multifactor authentication absolutely.
Is universally adopted. So when we get back, we'll talk a little bit more about this. What does it mean? This two-factor authentication multi-factor authentication. How can it stop our cloud accounts from getting hijacked, which is really big? Then we're going to get into Chrome and edge a brand new feature designed to help you with this very problem.
You're listening to Craig Peterson and of course, that's all you will find me online. Craig peterson.com.
We know about credential stuffing and cloud jacking, and we mentioned multi-factor authentication. So we're going to talk a little more about it, but now
hi everybody. Craig Peterson here.
There are a lot of things that we have to understand and take care of when it comes to our computers. But frankly, one of the things that we have to be the most concerned about, and yet, so many of us just haven't been paying that much attention. Is our password. We are hearing stories every week of people who have had their accounts hijacked, who have had people take their bank account money right out.
We've seen that for a couple of years, but it's getting worse and worse. I'm not exactly sure why you guys are not using unique passwords. For every one of your accounts, I really don't get it. It's easy enough to do use 1password. I don't have any money invested in these companies unless you buy 1password through me which I don't sell.
I'm not going to make a dime off of it. Use 1password or LastPass, same thing there. I know the CEO of LastPass had him on the show before I don't make a dime off of it. So use them. It's just so easy to do, but yeah. Two-factor authentication. That's a little bit of a different thing. And we want to get into here in just a minute and how you can use that, how to tie it in.
As I mentioned, I do go into it quite a bit of detail in my course. So if you are interested in that, the improving windows security course, we talk a lot about it. Our friends over at Google have decided they're going to help us out. And here's what they're doing. Number one, they are tying into, have I been poned.com, which you can go to yourself.
You can get an alert from them. If your account shows up in any of these password dumps that are out there on the internet, very handy. So Google is going to have I been poned on your behalf. And if they notice that your account has shown up on the dark web, they're going to tell you, and they're going to recommend that you change your password.
So the easy thing to do right now is. Go to Google. If you're using Chrome that is and check your security preferences. And once you're new security preferences, it'll tell you about the accounts that it knows about that you have that have been hacked. Now, when I say it's been hacked, it doesn't mean your account has been hacked, but your information has been stolen usually via some form of a hack.
If you're using 1password, it has something called Watchtower, which does the same thing. I've got about 2,500 user accounts in my 1password vault. There's actually multiple vaults it's across all of those vaults. So we have some for the business person we have some other stuff that we use for our business clients because we have to maintain the highest levels of security for ourselves, because we have clients that have to have that level of security as well.
So we in fact have better security than most of our clients do, frankly. And that's a little bit sad, many how. 1password will remind me as well. When one of my accounts, email addresses of passwords show up on the dark web. And it'll also tell me, for instance, if I've got my Craig peterson.com to log in and it shows up somewhere on the dark web, it will tell me that.
They found Craig peterson.com out of the dark web, whether or not my password was stolen. So it's really nice. 1password can help you with that and it can generate new passwords and you can use it as well for keeping private notes. And when you are generating. Passcodes for two-factor authentication.
Many times it'll give you a one-time pad. So it'll be a number of single-use passwords that you can use in the event that you don't have your two-factor device with you, as I said, but go into that in a lot of detail in my improving windows security course. But Chrome has done something else and I have to apply them for doing this.
I am not a big fan, already of Google and Chrome, they make their money, their whole living off of you and your information. And I think that a little bit on the dishonest side, frankly. But that's what they do. Okay. They have added now something that's really quite nice and because Google has added it to Chrome, that means that these Chrome-based browsers will also be picking it up.
What are the chromium based browsers? Of course, Google Chrome itself is a chromium-based browser, which means it's a certain codebase Microsoft's Edge browser. The latest version of Edge is not a Microsoft product anymore. They're using Google Chrome as its base. They're using chromium. So in both cases, you now have a strong password generator that you can use when you're signing up for a new account or account, or when you're changing an existing password, again, If you've heard me talk about this before that I'm not fond of having a web browser, remember your passwords because who knows, it's not designed for security. Google Chrome usually does a pretty good job. That's why it's such a popular web browser, but I much prefer an application that's specifically designed for security and they know what they're doing. And that's why I recommend the whole 1password thing. So here's what happens when you are on a web page and you are entering in a username and a password, or you're putting in a new password for your account, how it pops up and says, do you want me to save this password?
Now it is giving you another option here. So rather than having to think up a password, that's really unique. That's a difficult one to guess that is not used anywhere else on the internet. You can now have the generator. Do it for you and generate a very good password. So you're going to look for the browser, suggested password dropdown in the password field, and you can select that and it's going to automatically save your new password to the browser, sync it across all of your other devices.
If you are signed in to your Google account from all of those other devices so that you can use it in the future. There's another feature called password monitor and it's being added to adjuncts already there in Chrome. And it is a password monitor. Again, most of these guys are using, have I been poned would nothing wrong with that?
Although have I been poned isn't being paid by these guys for doing it, but checking your passwords can be difficult. But have I been poned has free signup that you can use that will let you know if your username has shown up on any of these hacks out there. And frankly, that's all of these other people are using.
They've got some very good encryption by the way, for keeping track of your passwords in Epic, they're using homomorphic encryption is what it's called. It's. Pretty new, but it allows computing on encrypted data without decrypting the data first. So that's really cool. It has this hash function that only the server knows they're doing a lot of neat stuff here and Google Chrome team.
Unveiled their own version of this as well. And they've got a fuller featured password manager now built into the browser. So keep an eye out for those on your chromium based browsers. And have a look at, have I been poned P w N d.com online, if you want some more help on passwords, just drop me an email. email@example.com or sign up for my improving windows security course.
You can keep up to date with all of the latest news courses, little training, webinars, by going to Craig peterson.com and signing up right there.
Hey, I got a quick update here on secure communications. You might've heard about what happened. What's going on there and let's talk about alternatives.
Hi everybody. Craig Peterson here.
You might've heard about WhatsApp, WhatsApp used to be really popular. I've had a listener before, ask me about using WhatsApp overseas. It was a family member who was serving in the military and they wanted something that was secure. They asked about WhatsApp and I said, I don't know. A little bit of moaning and groaning there that I, I don't like WhatsApp because of Facebook.
In other words, we won't be able to decrypt your conversations. However, we are going to start sharing your information with advertisers, et cetera. Sharing your information about using WhatsApp, which is an encrypted, supposedly secure chat app might cause some problems, right? You can imagine someone knocking on your door and saying, why are you using encrypted communications?
And in fact, you have every right to, it is the best thing to do. You don't want bad guys getting their hands on it. And in some parts of the world, the governments just can not be trusted and they are trying to monitor everything that's going on. So that's why I've never been a fan of WhatsApp. And why so many people have migrated off of WhatsApp.
Facebook finally realized what a mistake it was to send out that press release w wasn't as the press release, actually, it was something that came up when you used WhatsApp became right up on your screen. You hadn't to accept it. So it is concerning. Where do we go? Now I think that I suggest you use signal and we cover this quite a bit in a bit of detail in the improving windows security course.
So in the course, we talk about all these different types of messengers, which ones are the best ones to use and when and why, but I want to point out something about Telegram. Telegram has picked up. I'm looking at some numbers right now, but tens they're saying tens of millions. Wow. Of people have moved over to telegram.
They said that earlier in January, telegram announced it had hit a milestone of 500 million active. Monthly users and pointed to a single 72 hour period, one 25 million people had joined the service. Now, obviously, this is people who are fleeing some of these censored services that are out there. People who are fleeing from WhatsApp, because who knows where it's going.
Ultimately. But I want to point out something about Telegram. So first of all, don't use it. All right. Not if you want to be secure, but here are the problems with Telegram. First of all. End-to-end encryption is what you want. So if you are talking to someone over one of these encrypted apps, you want that message, that voice conversation, that video to be encrypted from the time it leaves your device.
Until it arrives on the person you're talking to his device. It's almost certainly going to go through a server or two or three or four. It's going to go through routers. There are ways to intercept it, but if it's encrypted end to end, it won't do much good to intercept in the middle. Our encryption today is really quite good.
Now, if the government wants to get its hands on it, they're on your communications. There are ways around it. However, when it comes to just cast casting, a big fishing net, nothing's going to happen. And they're just going to cast a net. They're going to catch all of this stuff and there's nothing in it.
We know that various intelligence agencies around the world try and keep copies of everything in case, later on, they want to go back and examine it and see what was said after the fact. Whatever, more power to them, Telegram by default does not have an end to end encryption. So by default, yes, it has encryption, but the encryption goes from your phone to their server.
And once it's on the server, it is no longer encrypted. And then on the remote side for the person you're talking to, it's encrypted from the server to that person that you're talking to on the far end. See where the problem can come in here. Particularly if you are in a country that does not treat its citizens, residents, whatever you might want to call these people from serfs on up, that doesn't treat them well. They can potentially force telegram to give them a complete copy of everything that was said or done. That is a problem. That is a very big problem. You are not going to get by default end encryption. However, you can turn it on. On telegram now on Signal. It is by default.
It is end to end. It's always end-to-end. Okay. So telegram only encrypt by default messages between your device and the telegram server and the telegram server and the other person on the other end. However, the group messaging feature that telegram has offers no end to end encryption at all. None. So we have a group of people.
Who've got family members that you're talking, or maybe it's some investors, and you're talking about buying some more real estate for your investment trust, or you are talking with your accountant about, bank numbers and things, and yeah. You've got the attorney on, or maybe you're just talking to some friends and you don't have anything you want to share with those prying intelligence agencies in some of these countries out there, you are not secure because right in the middle, you have your messages in cleartext.
So where is Telegram located? It is based in the United Arab Emirates. That is scary. When they have servers over in the United Arab Emirates, you already know that you don't have much of a sense of security over there. And you certainly don't have privacy. So don't use Telegram. If you want to be secure, we've got tens of millions of WhatsApp users who flee the service.
Many of them went to Telegram. No doubt. They were attracted by Telegrams claims of heavily encrypted messaging. But in fact, it's not true. Okay. People do not want to exchange privacy for free services. Now the nice thing about Signal is it is open source and they are not trying to make money off of signal it's available freely.
Anyone can grab the source code and the signal encryption methodology. Is used by WhatsApp as well, but we already expressed some of my concerns about WhatsApp.
Hey, if you want to learn more about this, more about improving windows security, more about communicating securely, I've got it all covered in my improving windows security course that's coming up in a couple of weeks.
Make sure you sign up. Just go to craigpeterson.com. You can sign up anywhere on that website or go to Craig peterson.com/subscribe. And you'll get my weekly newsletter as well.
Shortly after Joe Biden took office, we started seeing some subliminal messages right there on the White House home page.
Hi everybody. Craig Peterson here. Thanks for joining me.
Let me tell you I'm not trying to start some sort of a rumor here. This is absolutely true. You might've heard about Easter eggs before? No, I'm not talking about the type that you know, that little bunny comes with the colored dyed hard-boiled eggs, or maybe they're little plastic aides with candy inside. Some of that Candy's kind of yummy. Of it's just horrific it's at least it's not as bad as mean with those little corn things that are nasty.
Anyhow Easter eggs are in movies. Have you seen them in the Marvel movies? For instance, they use them quite a bit. These are little things that are hidden away so that people who are watching super fans can find them. It might be just something on a shelf. Behind in one of the movies. So it's on a set and it's something from another movie.
It might be a movie that the director loves, or maybe it's another movie. That's part of the series. Those are Easter eggs are hidden away. They're there, but they're hidden. I think those are cool to try and spot sometimes. The White House added an Easter egg, this subliminal ad to the White House website shortly after president Biden took office.
It's really just absolutely amazing, but one of the most famous Easter eggs in software history and this was pretty complex as well as in Microsoft Excel 97, Microsoft Excel, that's their spreadsheet software. And this is from 20 plus years ago, 23, 24, whatever it is back in 97. You could open a new workbook, hit F five type in L 97, colon X 97, enter and then tab and then control shift, click on the chart, wizard icon.
And all of a sudden you are in to. Flight simulator. You didn't have to buy a flight simulator pretty cool. And you flew using the mouse and then when you were done, you hit escape. And that was cool. I thought it was phenomenal, frankly, but this wasn't. Just a hidden, a game is hidden inside of some commercial software.
There was a version of Tetris that was hidden in a spreadsheet as an Easter egg. They had something called boss mode control B. So it was quick to type and it. Popped it up, it a dubious sort of Easter egg intended as decoys, coy. And it had a spreadsheet app as well. She could pop back and forth as the boss is looking over your shoulder.
No, just pop, hit a button and it's a spreadsheet. In this particular case, what happened. Someone at the White House, decided that they would add in some job information isn't this is cool. So if you were looking at the source code for the website, you would see hidden away in there, a job application, Google's done something similar before they have had some.
Coded messages up on billboards, out in the San Jose area, out in California, and people that we're able to decipher it. They, it told you how to apply for a job. Obviously, they want to have a little bit of fun Microsoft edge, by the way, if you go to edge colon slash. Surf as you are AF and it's only available over on the Microsoft edge thing.
You have a surfing theme game when you're offline. All you have to do is type in edge colon slash surf. And it's like the windows game ski free. And it challenges you to ride through the water while avoiding islands. Those can be tricky. Very easy to do. Marvel has an interesting one too.
If you're really totally geeky, you can grab the headers from Marvel.com's website. And the hatters will have a server nickname, field, and call like she helped. Cause I don't know if or not, but Marvel is coming out with a female Hulk. And so this is a. A promotion Ford very geeky stuff.
Here's another one you can go to naked security.sofos.com. And again, if you look at the headers, which you're not going to see just by going there regularly, there is a header in there. It says, if you're reading this, you should visit blah and apply to join the fund. Mention this header. This 2021 White House website added a job ad as well.
Presumably they're trying to get some publicity and to attract job applicants to the US digital service. Done it. And it describes itself this USDS as part of the public service, that quote aims to use design and technology to deliver better services to the American people and its goal is to attract some of these technophiles.
Yeah. That might otherwise be alerted to join the commercial big stuff out there, but you can go there online, directly at usds.gov. And there's a picture there. Fascinating picture. If you ask me because out of one, two, three, four, five, six, seven, eight, nine, 10, 11, 12, people that are in this picture, there is one white male.
Half of them are females and of the males. And about half are males and of the males. Five of them are not white, which is, it's just interesting. It's such a change from what you normally see advertised online. So it's fun. Cobalt call in an older language, something, I wrote a lot of code in back in the day and you've got new.
Languages out there like rust. I don't want to get into all of this right now, but it's geeky kind of fun. I also, by the way, wanted to point out going back to Telegram, which we talked about a little bit earlier in the show today. If you want to use end-to-end encryption with Telegram, you have to turn it on for each and every individual you are going to talk to. Okay. That's a real big deal here. It's what they call their secret chats feature. Every individual has to turn it on. So be very careful in order to do what you have to. Tap the contacts name then hit more and then hit start secret chat, and then confirm one prompt asks whether you're sure. So the conversation history from the default chat does not carry over to the secret one. You have to initiate that encryption option. Every time you pick a conversation with a contact. So it isn't like you can set it once and forget it. This isn't a romp appeal thing. It's if you're using telegram every time you have to you want to start a conversation with someone, you have to go into that more menu than the secret menu, and then are you sure?
Okay. Not good at all. I love this. This comparison saying that this is a guy named. Would you rather go for the car where airbags work every time you get into a crash or going to go for a car where every time you have to turn it on by typing in a pin to enable airbags, why not have them on by default?
I think the idea is. Pretty obvious why they're doing that right. UAE. They're not trying to really keep secure. And speaking of security here, before the hour's up, I wanted to mention this military intelligence is buying location data instead of getting warrants. Now, this is from a memo that came out. We know Homeland security has been doing that.as well, the DIA, the defense intelligence agency, it's like the CIA, but they provide military intelligence to the department of defense confirmed in this memo that it purchases commercially available smartphone location, data to gather the information that would otherwise require the use of a research warrant.
How's that for? Interesting. So they have the ability to get information on you just because you are giving it for free. He just gave it right to these app developers, to Google, et cetera. And Google has decided because of what Apple has done. Apple now has said, if you are an app and you are going to be tracking people.
Apple is going to pop up a permission screen where it informs you that this Google app or whichever app it is asking for permission to track you even across other apps. And you have the ability to say no. Apparently, that really scared Google off. So Google has decided. That they're not going to play that game at all.
And they changed their code Google maps and some of these others, they change their code so that it does not gather that data, but only on iOS, only on Apple devices, because they were concerned, afraid, whatever word you might want to use, that Apple's disclosure of the fact that they are tracking you.
Would turn people off from Google. I think that people should have been turned off from Google a very long time ago. I go into search engines as well in my improving windows security course and how to set the right search engines for your browsers and stuff. But bottom line, I like duckduckGo. They have gotten to be very good.
I've had their founder on the show before it has been, I think, a bit of a godsend because you don't have to use Bing, which of course tracks you. That's Microsoft's search engine. You don't have to use the Google search engine. Just use duck go. It's just harder to say.
Yeah, I'm going to duck duck go that.
Okay. Media also, by the way, found out that customs and border patrol buys, license plate, scanner data to track individual movements. They buy cell phone location, data, they all get it. So remember if you have a smartphone or even a cell phone, that data can be sold and used by whoever cares to use it, it's really that simple.
You might be in for a bit of a shock if you have been working remotely due to this whole lockdown thing. In fact, millions of us are going to have a bit of a shock coming up soon.
We have been busy here for the first hour. Talking a little bit about the Amazon bait and switch reviews. What I do when I'm online shopping and how you can help keep yourself not just safer, but make sure you don't get ripped off.
We went through an article from ARS Technica about how he did get ripped off for gifts this season. We also talked a little bit about mobile endpoint security, some of the problems that frankly we've had with our mobile devices. How Jeff Bezos in fact got a massive problem. I got involved with his divorce and everything else because of his mobile device and denial of service attacks. What that is all about?
We're going to talk this hour a bit about our remote. Workforce the tax implications. We've got another arrest and jail time. So we're going to talk about bad facial recognition and what's going on there. Cyber resilience. And what can we do this year? I really want to get into these hacked home cameras used to live stream police, weight raids in what is called swatting attacks.
Then Solar winds there are so many ways this massive hack could have been avoided. Our federal agencies have been compromised. Microsoft now says that due to these SolarWinds, hack somebody God into Microsoft source code. Those are the key to the kingdom.
And one of the ways Microsoft realizes to stay secure is by keeping its source code secret. And of course we, no, that's work. Microsoft has never had any vulnerabilities. So we'll get into that a lot to talk about this hour. First off, let's talk about this problem with taxes. Many of us have problems, if you work in Maine and you work in Massachusetts, you could have a little bit of a tax problem, but there is a reciprocal agreement that's in place.
So if you had been working in mass and you live in Maine, Okay. I can see that you're driving down to mass every day and you're living in Maine. So the reciprocity agreement covers that. But how about if you have never stepped foot in Massachusetts? How about if you started working for a company out of New York or a company out of California?
Did you realize that many of these, all of them, by the way, Democrat administrations are now going to require you to pay state taxes, Connecticut, you name it. All of these, it is very concerning to me. And when we get right down to workforces and the fact that this whole lockdown has really accelerated this trend of working from home.
And because of that, we've got employers who are letting their workers perform their jobs remotely from home most, if not all of the time. So where does illegal nexus tie in? So they're saying, Hey, listen, your employer. And you both knew exactly where you live and work, but the state departments of taxation can have some very different ideas about where here is.
So as a result, Texas, Utah, Arkansas workers who are working for New York or Massachusetts based companies will have income taxes with health in the paychecks, even if they've never set foot in the home office. Or never set foot in this state. How about that one? The thing for New Hampshire if you live in Maine, of course.
Yeah. A lot of these states that have state income taxes, will go ahead and say, okay you don't have to worry about paying our state income tax as well. Or in some cases, they look at it and say, Oh, you pay less state income tax. Then we charge our residents. I don't want to call them citizens because we are not being treated like true citizens anymore, but you pay less in your home state than our were residents pay.
So you don't have to make up the difference as well. So we've gotten dozens of major companies out there all the way through little guys who have been increasing their support from working from home permanently. And I think that's great. We have businesses closing offices. Thank goodness. I don't own business space.
We've lent our leases laps counting on physical distance, flexible workforce was going to reduce real estate needs. I know one of my daughters is in that boat right now. And in many ways it can be a win-win employers can save overhead costs on those expensive square footage and high-demand cities look at what's happened right now in San Francisco.
For instance, they are a great example of San Francisco. The city has lost 43% of its tax revenue. So you look at it until K while they've lost a lot of tax revenue because of the lockdown and people aren't going out shopping. They're not buying stuff. No. According to the San Francisco economist and yes, indeed the city of San Francisco has its own economists.
Know that a 43% drop in revenue is due to people moving out of the city. New York, San Francisco, Los Angeles, all expensive,, and people are moving to Maine, to Montana, dial in from the woods, or get a nice little place down in Florida for instance. But as far as the state's concerned, your beachside can banner might.
Just as well be right in the middle of downtown Manhattan and you're going to be taxed as such. So we've had these problems for a long time, but living in one state, working in another, but typically it's been adjacent States, just like again, Maine and Massachusetts, right? DC, Maryland, Virginia, maybe Pennsylvania, West Virginia, Delaware.
Kansas City itself goes across two States. You've got Kansas City, Kansas, and Kansas City, Missouri. So traveling across city limits can mean crossing state lines as well. So any major city near a border has lots of workers that go over the lines back and forth every day. And that's always been tricky from a tax perspective.
Because both the state where you work and the state where you live is going to want to try and tax your income, but still typically only one state at a time has been able to tax you for your income. And most jurisdictions with a lot of overlaps have agreements, as I said, main and mass and New Hampshire doesn't really have that agreement because they don't have any state income tax or of course sales tax on almost anything.
But. This is really going to be a problem, frankly. So keep in mind that if you are working for a company that is headquartered or even just has a presence in Arkansas, Connecticut, Delaware, Massachusetts, Nebraska, New York, and Pennsylvania. All of those States have convenient rules on the books that require any work performed for an employer based in their state.
That it be taxed as if the worker performing the job is actually. In the state, no matter where the employee is actually located now, New Hampshire is one of the nine states that does not have an income tax. And it's right now in the process of suing Massachusetts over its convenience rules and for other States, by the way, New Jersey, Connecticut, Hawaii, and Iowa are supporting the suit.
So we'll see what happens there in federal courts. As you probably already know going to court doesn't mean the right thing is going to happen. It's gotten really bad, but at any rate, something to be careful about, if you are working remotely for a company, many of these States are going to become an after you for tax dollars.
We got a couple of things to get in. I want to talk right now about facial recognition. We what a year, maybe more ago talked about this company called clear view AI Clearview. And what they've been doing has been questionable. They've gone online and done searches. They've combed through social media.
And they've found and downloaded every picture. They can get the grubby little paws on, and then what they've done is they've put together some facial recognition software. So they've violated laws. They've violated platform rules. It's almost like Facebook when it got started, where apparently Zuckerberg went ahead and stole.
All of the records of all of the kids that were there, going to school at Harvard and including their photographs and put together this little Facebook thing, the Facebook, and had people rating other people by their looks, et cetera, and just basically stole. To get his business started Facebook. That's the allegation that's been out there.
There'd been a whole movie by this, about what he did. So that's what Clearview did too. They went ahead and decided we'll just steal all of the photos we can of people. They tied facial recognition software into it, and they perform scans of these images that were scraped from the internet and created a biometric database of the images.
We're going to talk about that and how we now have people being only wrongly accused, but arrested, spent jail time. It's a crazy world out there.
The allegations are that Clearview stole your picture without your consent and without the consent of the websites you put them on. Now they are being used in this biometric database by the police and others with wrongful arrests.
Hey, if you want to hear the whole show or an older show, you can find them, just go online to Craig peterson.com. You'll see the podcasts there. I podcast the whole radio show, as well as my appearances on radio and television right there. So you can listen to them as podcasts there or on your favorite podcast app. There you go.
So we were talking about Clearview using these images that were scraped from the internet illegally. In some cases against obvious usage agreement, as well.
Now is that they've got this biometric database of the images and they can use that database to match an image of one person to one of these preexisting images that have been analyzed and scanned and maybe stolen, right? Depending on how you want to look at it, the allegations are all the way across the board.
Now neither you nor anybody else whose image was scraped from the internet, even know that it happened. Let alone give Clearview permission to use your image, right? They didn't get permission to take it, and they're not going to get permission to use it.
So the details of these practices are not well-received by anybody out there. Even the New York Times came out about it last January, which is when I really started talking about it as well. Within three days of the New York times talking about what this Clearview company did, there was a federal class-action suit that was filed.
And the complaint opened with a quote from justice Brandice that the greatest, dangerous to Liberty lurk in insidious encroachment by men of zeal well-meaning, but without understanding. So it's very interesting. There's a whole bunch of cases. I'm looking at the list of them right now. These will take a while before everything is finalized on them, but here's something we absolutely.
Do know for a fact. And that is that there have been arrests that have been made due to this database. Anyone who identifies as a policeman can go ahead and download the app onto their iPhone or other devices. And can then just take a picture of someone casually on the street. There are people who are making police cameras that are constantly streaming video.
And on the backend are trying to do facial recognition. I've had a couple of them on my radio show a few years back, and it's cool because it gives the policemen an idea of, is this a bad guy or not? There is this somebody who we should trust somebody we could trust. I'm not really that worried about it.
Just. Think about the most dangerous thing most pleased officers do, which is a traffic stop. They have no idea who's in the car. If that person's going to try and attack them, et cetera. So having a live stream, thinking about Robocop, which didn't end that well, and what was happening there with the ed two Oh nines as well as Robocop himself, being able to see a person and be able to tell right away what this person's background is if there's any wants or warrants, et cetera, out there.
That's all well and good to a certain degree, but we just had another man. This is a New Jersey man who was accused of shoplifting and trying to hit a police officer with a car. He was wrongfully arrested based on facial recognition. Now, in this case, it's a black man and these facial recognition software programs that are available.
Tend to do poorly with any minority, frankly. And or do terribly with some and do poorly with any of them and also do rather poorly with the good old, regular Caucasian in phases like mine. Okay. So this is a third person who's arrested for a crime. He did not commit. He spent 10 days in jail and paid around $5,000 to defend himself.
So this is a guy that had nothing to do with it. The police got lazy, they said, Oh, we got a facial recognition match. It's this guy because they ran it through some software that had scraped some photos from the internet. Do you see where I'm going with this? And those photos from the internet say it's probably this guy, Nigeria parks.
And we know his social media is saying it's Nigeria parks. This is where he lives. This is where he posts most of his pictures because you remember our pictures. When we take them, Arthur smartphones have embedded GPS information. Oh, my gosh. And in this particular case, he was apparently 30 miles away from the scene of the crime.
Okay. Pretty sad. Pretty sad. They dismissed the case because of a lack of evidence. Isn't that wonderful? But the department is now getting sued along with the prosecutor in the city of Woodbridge for false arrest, false imprisonment, and violation of his civil rights. I think he should absolutely win on that.
2019. And this is an article that came from the New York Times. They're saying a national study of over a hundred facial recognition algorithms found that they didn't work as well on black and Asian. Faces, as I said a little bit earlier see an ACL or attorney named Wessler believes that police should stop using facial recognition technology.
I am okay with it to a degree. I don't think you should be issuing any sort of an arrest warrant based on facial recognition. I think you might get a clue from that and. From that clue, you can look at the phases and decide for yourself and interview the suspect, do some good old fashioned police work, but this facial recognition arresting people, putting them in jail and then costing them thousands of dollars plus their time and their reputation and what it does to your nerves and everything else is just absolutely insane.
And bad arrests. So this article in the New York times goes through what happened. Apparently, the officers had been presented with a fraudulent driver's license, one of the officer's reports or did that. They saw a big bag of suspected marijuana in the man's prof pocket. They tried to handcuff him and that's when he ran, he had a rental car just goes on and on, but.
It was a problem. And even though Mr. Parks had been arrested twice and incarcerated for selling drugs release back in 2016, doesn't mean that he's the guy that did all of this. So let's be careful. I'm not fond of what Clearview has done, obviously, just based on how I described it and who I quoted. And I don't like the idea of using this facial recognition technology to arrest people.
Bottom line. So speaking about arresting people, when we get back, we're going to talk about what is called swatting attacks. I don't know if you've heard of these before. They're pretty common, unfortunately, and some of the technology that we've been bringing into our homes to keep us safer is now being used to put our lives in danger if you can believe that.
Yeah, absolutely true. We'll be talking about that.
You can also follow me online. Just go to Craig peterson.com. You can subscribe to my newsletter. I'm not an active poster in Facebook or anywhere else, so the newsletter is the best place to get my weekly show summaries.
We're going to talk about how some of our technology we're bringing into our homes to keep us safe is actually ending up in killing people. Yeah. Yeah. Death by police officer. Here we go.
If you want to see my show notes, all you have to do is subscribe. Craig peterson.com. And once you're there, you'll see all of the information. That I have available my podcasts and a few articles that we've written, and you'll also have the opportunity to subscribe to my newsletter. So I'll keep you up to date with the latest, most important articles of the week. I don't send all of my show notes anymore.
I found that a lot of people. Just don't open them cause it's overwhelming. So I've been lately trying to focus on one tip in particular. So we'll see how this all goes in the future and you can always let me know what you think. Just email me ME@craigpetersohn.com. I'd love to know, do prefer to get all of my show notes every week, or do you prefer what I've been doing lately, which is a deeper dive into one topic. That seems to be pretty popular, but I'm getting about a 40% interaction rate, which is really good on such a large list.
I just want to get the message out is my bottom line.
We have these home cameras that we have welcomed into our homes. And one of the ones that has been getting a lot of heat lately is the ring camera. I don't know if you've seen these things. They've been advertised on television and it's basically like a little doorbell. You put it out there by your front door, side door, whatever, and it has a doorbell button.
And it also has a camera and a speaker that's built into it. Then the microphone, obviously. So someone comes to the door or rings to the doorbell. There's an app that you can have on your phone. So you could be at the beach. You could be at the DMV. Someone comes to your home and hits that button. You can now converse with them and tell them to leave the package or go away or whatever it is you want to do.
There have been some problems. One of them that has been rather controversial is that there are a number of police departments that are part of a program with Ring that gives them a live, real-time access to all of the Ring doorbells in neighborhoods. And the idea there is the police can patrol the neighborhoods without having to spend money on cameras that might be up on telephone poles, et cetera.
And they get their feeds alive from people's doorbell cams, these ring doorbell cams. So that could be considered good. It could be considered bad, just like about almost anything. Now we're seeing that they have been hacked. Yes, indeed. There is a hack that's out there that has been used and hijackers have been live streaming people's Ring, doorbell cameras.
Now where this gets really dangerous and where it hasn't been really dangerous is something called swatting. You probably know about SWAT teams, the police have, and unfortunately, most federal agencies have their own SWAT teams, which just constantly blows my mind because of why. Does this little department or that little department need of full SWAT team, it should really be a police department of some sort, but at any rate, the whole idea behind a SWAT team is they have special weapons and tactics that they can use in a situation where there might be a hostage or maybe there's a report of a bomb or something else that they have to take care of.
And thank God these teams exist in, they do drills. They'll do drills in schools. I know my police department does that fairly frequently and I was involved with some of those when I was a volunteer on the ambulance squad here in town. All make sense, but what has happened on a number of occasions and far more than we like to talk about is that there are.
The bad guys or people who don't like their neighbors and call in hoaxes. Okay. Yeah. Yeah, exactly. So there here's an example in Wichita, Kansas, this happened a couple of years back where a man had been arrested after allegedly swatting a prank led police to shoot dead 28-year-old man. So this guy, 28 years old, Wichita, Kansas, please surrounded his home.
After they received a hoax emergency call from a man claiming to have shot dead his father and taken his family hostage. And this call apparently stemmed from a kind of a battle between two online gamers playing call of duty online. The way these games work is you can talk back and forth.
You can have teams and you or your team members can be from almost anywhere around the world. And you sitting there with headphones on and talking back and forth. You've got these teams and in some cases, this is just one person against another. Apparently, they believe the report was an act of swatting where somebody makes a false report to a police department that causes the police to respond with a SWAT team.
Now the audio of this emergency call had been made public, a man can be heard telling the authorities. This is according to the BBC that he had shot his father in the head and claimed to have taken his mother and siblings hostage.
The color also said he had a handgun and had poured fuel over the house and wanted to set the property on fire. Sounds like the perfect thing for. A SWAT team to come to. Please say they surrounded the address. They called her given and we're preparing to make contact with the suspect reportedly inside.
When Mr. Finch came to the door, they said one round was released by the officers after the 28-year-old failed to comply with verbal orders to keep his hands up. Why would he, what did he do wrong? Obviously. The police ordered you to put your hands up. You probably should put your hands up.
They said he appeared to move his hands towards his waist multiple times when she probably did. Please say Mr. Finch was late found to be unarmed and was pronounced dead at a local hospital. A search found four of his family members inside. None of them were dead, injured or taken hostage. His family told local media, he was not involved online gaming.
Gaming is a little different than the call of duty and stuff. Gaming typically is gambling. Now we're finding that the hackers are out there who do this swatting maneuver on somebody. Then they have the hacked Ring camera at that house and they watch the SWAT team respond. Can you believe that?
The FBI is saying that this is the latest twist on the swatting prank, some prank, right? Because victims had reused passwords from other services when setting up their smart devices.
How many times do I have to warn about this? My buddy, I was just telling you guys about a couple of weeks ago, he's done that His revenue, his pay from the work he was doing, delivering food to people's homes was stolen by a hacker because he was using the same email address.
Yes, to log in and the same password as had been stolen before. Absolutely incredible. There's also been reports of security flaws in some products, including the smart doorbells that have allowed hackers to steal pet network passwords, et cetera.
In one case in Virginia. Police reported hearing the hacker shout helped me after arriving at the home of a person they had fought might be about to kill himself. That's swatting that using technology you've brought into your home, it causes death, many examples of that, and we're still reusing passwords. Give me a break.
We were busy trying to defend the election this year and had the, what did they call it? The most secure election in history, which baffles me.
But anyway our businesses and government got broken that's what we're going to talk about right now.
Let's get into our big problem here this week. And this has been continuing for what now about two or three weeks we've known about it? This is a hack of a company called SolarWinds. This hack apparently allowed intruders into our networks for maybe a year and a half. But certainly, since March of 2019, this is. A huge deal. We're going to explain a little bit about that here.
Who got hacked? What does it mean to you there? And I'm going to get into it just a little bit of something simple. It could be, haven't been done, right? That I have been advising you guys to do for a long time. Does this, like earlier I mentioned, Hey, change your passwords, use different passwords.
And in fact, That's a big problem still, but we'll talk about this right now. SolarWinds is a company that makes tools to manage networks of computers and the network devices themselves. And my company mainstream was a client of SolarWinds. Sorry. I want to put that on the table. However, about a year and a half to two years ago, it's probably been about two years.
We dropped SolarWinds as a vendor, and the reason we dropped them and we made it very clear to them as we had found security. Vulnerabilities in their architecture, the way they were doing things. We reported these security vulnerabilities to SolarWinds a couple of years ago, and they wouldn't do anything about it.
So we said goodbye, and we dropped them as a vendor. Yeah, we were customer SolarWinds. We were using their stuff, but then we abandoned them when they wouldn't follow what we considered to be basic security guidelines. It turns out they weren't and we got it as a country. This has been called the Pearl Harbor of American information technology.
Because the data within these hack networks, which included things like user IDs, passwords, financial records, source code can presume now to be the hand of a Russian intelligence agent. This is from. The United States of America's main security guide general Paul NACA sewn. It's just incredible what he's admitting here.
He said SolarWinds, that company that the hackers used as a conduit for their attacks had a history of lackluster security for its products. What did I tell you, making it an easy target with current and former employees suggest it was slow to make security a priority even as its software was adopted by federal agencies expert note that our experts noted that it took days after the Russian attack was discovered before SolarWinds websites stopped offering the client the compromised programs.
Microsoft by the way said that it had not been breached and initially here, but now this week it discovered it had been breached and resellers of Microsoft software had been breached too, and we've got intelligence officials now very upset about Microsoft not detecting it. It's just absolutely incredible here.
This wasn't something like we had with Pearl Harbor, but this attack may prove to be even more damaging to our national security and our business prosperity. This is really fast. I love the fact. I'm not going to say I told you because I, I didn't tell you guys this, but I do love the fact that I was right again.
How unfortunately I'm right too often when it comes to security and it is very frustrating to me to work with some clients that just don't seem to care about security. And I want to jump to an opinion piece here from our friends over at CNN. This is an opinion piece by Bruce.
Schneider. You've probably seen him before. He is also, I think he writes for the Washington post. But remember when this came out the word about the SolarWindss hack, president Joe Biden said we're going to retaliate which I don't know that makes a whole lot of sense in this particular case for a number of reasons.
Not the least of which we're not a hundred percent sure it's the Russians, but how are we going to retaliate? Cyber espionage is frankly business as usual for every country, not just the North Korea, Iran, Russia, China, and Vietnam. It's business as usual by us as well. And that it States is very aggressive offensively.
In other words, going out after other countries in the cyber security realm. And we benefit from the lack of norms that are in cybersecurity, but here's what I really liked. The Bruce said. And I agree with entirely. I'm glad he must listen to the show. The fundamental problem is one of the economic incentives.
The market rewards, quick development of products. It rewards new features. It rewards spying on customers, end-users collecting and selling individual data. Think of Facebook when we're saying this, our Instagram, or any of these services that we're using all the time. So back to the quote here, the market does not reward security, safety, or transparency.
It doesn't reward reliability past a bare minimum, and it does not reward resilience at all. And this is what happened with SolarWinds. SolarWinds ended up contracting software development to Eastern Europe where Russia has a lot more influence and Russia could easily subvert programmers over there.
It's cheaper for Russia, not just for SolarWinds short-term profit. That's what they were after here was totally prioritized over product security, and yet their product is used to help secure it.
It just drives me crazy out there. Just absolutely crazy what some people are doing. I read a little quote down.
I'm looking here to see if I've got it handy on my desk and I just don't see it. But they are prioritizing everything except. Security. And that is, I think, frankly, completely in excusable, right. Inexcusable. So this is happening with SolarWindss right now, but it's going to be happening with other places out there.
We have probably 250 federal government agencies that were nailed by this. Can you imagine that? The man who owned SolarWinds is a Puerto Rican born billionaire named Orlando Bravo. His business model is to buy niche software companies, combine them with competitors, offshore work, cut any cost he can and raise prices.
The same swapping corrupt practices that allowed this massive cybersecurity hack made Bravo a billionaire. Another quote here. This is from Tech Beacon. Hey, this is just crazy. Okay. So we know. Okay. I've established it. Craig, stop the stop. The monotonous. Okay. But I got to mention, we've got the US treasury department was hacked the US Department of Commerce's national telecommunication infrastructure administration, department of health, national institutes of health, cybersecurity, and infrastructure.
Agency. SISA the department of Homeland security, the U S department of state, the department of justice, the national nuclear security administration, the US Department of energy, three US state governments, the city of Austin, many hundreds more including Microsoft, Cisco, Intel, VMware, and others. I use two of those.
We use Cisco and VMware. We use Intel, but only peripherally and we actually prefer other processors. So this is a real problem. How are we going to change it? I don't know that we can, you and I, but I can tell you what you can do. Just like I keep reminding everybody - use a password manager and I will have a course on that this year.
Absolutely guaranteed using a password manager, use a password manager and generate different passwords for every website using the password manager, use the manager to log in. Okay. So that's step number one. That's the best thing you can do right now for your cybersecurity next to keeping all of your soccer up to date.
The second thing that we can do. Is block this malware from getting out of your network. If you are a business, and if you consider yourself an IT security person, you need to block all outbound connections. All of them. Only allow connections where they are absolutely mandatory. For instance, your accounting department may need access to some form of cloud services out there.
Heaven forbid. Okay. Maybe you're using an Oracle product, et cetera. Only those people that need access to that cloud service should have access to the cloud service. Does that make sense? Email? You should bring it in through a single server. So you only have 1.4 email coming in and going out SMTP Imam.
They should be controlled and controlled pretty tightly. According to the department of justice, apparently their email accounts were compromised about 4,000 dish. People's accounts were compromised through this hack. So from a professional standpoint, there's a lot of things you could do, but it costs money.
It takes time. How about the rest of us? What can we do to protect ourselves? Use open DNS or Cisco's umbrella service. Umbrella, we sell the professional version that's used by businesses. That's what you need because it allows you to tune it to the people and what they need access to? Umbrella and open DNS will stop most malware from getting out. Most of it, not everything. That is huge defense.
Hey, if you want more information, if you want to go to my initial here, Microsoft security course, that's coming up in a couple of weeks. Just email firstname.lastname@example.org and let me know, be glad to send you stuff.
Take care guys.
More stories and tech updates at:
Don't miss an episode from Craig. Subscribe and give us a rating:
Follow me on Twitter for the latest in tech at:
For questions, call or text: