librarypunk - 068 - Ransomware
Episode Date: October 4, 2022
This week Sadie is teaching Jay and Justin about cybersecurity. Phishing, bitcoin, CISA-lords, and more!
Readings
https://www.bleepingcomputer.com/news/security/leading-library-services-firm-baker-a...nd-taylor-hit-by-ransomware/
https://publiclibrariesonline.org/2021/05/ransomware-attacks-at-libraries-how-they-happen-what-to-do/
https://www.spiceworks.com/it-security/cyber-risk-management/guest-article/why-are-small-businesses-suffering-for-steep-cyber-insurance-premiums/
Media mentioned:
Demon core - Wikipedia
Line Goes Up – The Problem With NFTs
Kevin Mitnick - Wikipedia
Kitboga - YouTube
CISA can't definitively say if ransomware is getting better or worse | Cybersecurity Dive
How the YubiKey Works | Yubico
Just Delete Me | A directory of direct links to delete your account from web services.
https://unroll.me/
Transcript
Okay, let's go.
I'm telling you, Doc, they, them pussy is different.
Ah, puffy is pussy.
Just watch me.
That was the wrong button.
Interesting choice.
I was like, that's not our great new theme.
I like the ending of that.
It reminds me of the old Tsunami theme.
We're just kind of cut out.
I'm Justin.
My pronouns are he and him.
I'm Sadie.
My pronouns are they, them.
And I'm Jay.
My pronouns are he.
We're not librarians tonight, apparently.
Fuck, fuck that.
It was just quiet.
I didn't know.
I was like, oh, are they waiting on me?
Okay, hang on.
It's Sadie's episode tonight.
We're talking around somewhere.
Was there anything else we wanted to talk about, like, Italy?
Liza does something cool.
Yeah.
Yeah, no, girl boss, Mussolini.
The Lizzo thing was pretty cool.
I wanted her to, after she did like the do-to-do-do to, like,
smash it like a guitar.
Yeah, that'd fucking roll.
That would have been like, couldn't do that twice.
Call me a live, but I was, I got, I was touched.
I don't even like, like, like, Lizzo that much.
But I was like, oh, this is cool.
People were, like, cheering in the audience for like, yeah, fucking libraries.
And I was like, yeah.
That was cool.
Thank you, Lizzo, for doing better outreach and advocacy than anyone in our profession
has ever done ever.
I did not hear about this.
She got to play James Madison's, like, Crystal Flute.
that like no one has ever heard been played before.
Like I'm assuming that old bastard probably played it.
But it's part of Library Congress's like big ass flute collection.
And Carla Hayden was like, hey Lizzo, you should play the flute.
And she did.
And they record some like behind the scenes of like touring and she got to practice with it.
But they had like a librarian like bring it on stage at her show on Tuesday, which I'm assuming was in D.C.
or something.
I don't know.
Yeah, I think she was coming to D.C.
And Carla Hayden tweeted at her and was like, you should come try out our flute collection.
Yeah.
And so she, like, did a little run on the, on the crystal flute and did a trill and, like, started twerking with it.
And then was like, yeah, and like, lifted above her head and was like, thank you, Library of Congress for preserving history and letting me do this, like, really cool thing.
And, like, was, like, hyping up, like, libraries and stuff.
And the crowd was like, yeah.
And I was like, yeah.
So it was really cool.
And she's also like, I'm going to steal it.
Before she played it, she was like, I'm going to steal this.
I'm going to steal the Declaration of Independence.
But with a flute, that'd be such a good movie.
That should be like the National Treasure reboot is Lizzo stealing the fucking flutes.
Nicholas Cage, are you listening?
It could be a heist movie about flutes.
Hell yeah.
Get the American Animals guy to direct it.
Yeah.
That was like a good library thing finally that happened.
Yeah.
Like I said, I mean, when she held overhead, I really thought, like, it would be really great.
She just went shattered it into a million pieces.
I saw someone say that she should have pissed in it.
And I was like, yeah.
It's not that kind of party.
It's a concert.
Not with that attitude, Justin.
I guess it's good that it was a crystal flute and not one of those, like, glass harmonicas
that would give you lead poisoning from the same era.
Because, like, glass all had lead in it.
And so people.
thought the glass harmonica drove you mad.
But actually, it was because you would absorb the lead through your fingers while you played it.
It was secretly the lead poisoning all along.
The real treasure.
It's so weird how we've known lead is bad for you for like thousands of years.
We're just like, put that shit in our paint.
But what if we put it in our makeup, would that still be bad?
What if we put it in exhaust fumes for everyone to inhale for a hundred?
hundred years.
And the dishes we eat off of.
I love those radium dishes, though.
People are like, I collect the radium dishes, and it's like it shows how radioactive they are.
I'm like, why would you do that?
It's like, I collect demon cores.
Open up and let the devil in, baby.
Yeah, I'm a demon core juggler.
What's a demon core?
What's up? TikTok.
It's a big uranium piece of ore that killed a guy because he,
was doing tricks with it in the 50s,
and he accidentally had the two halves touch each other,
and it hit him with so much radiation.
He died, like, three days later.
Oh, I thought you were, I thought it was going to be some, like, anime thing.
No, it's a real thing that killed a lot of people.
Yeah.
I think he killed, like, everyone in the room.
Not to laugh at the suffering, but I thought you were going to do some weeb shit.
Demon core would be a good anime where it's just 10 minutes long.
Oops.
Oops.
Oops. All radiation.
Yeah.
Oops, all neutrons.
Okay, we're talking about ransomware, which is a thing that people do.
Yeah, because Baker and Taylor got hit and was down for like two weeks and couldn't take any orders.
And I think they might have been even like taking orders like via phone call and like paper.
I don't know how archaic they had to get, but they were out of commission for like two whole weeks.
The ransomware is something we talk about a lot in the Discord, but we haven't done an episode about it.
Have we talked about it a lot on the Discord?
It's like your biggest fear. You talk about it a lot.
Oh, yeah, that's because it keeps me up at night.
L.A. Unified School District got hit recently, too, just like a couple of weeks ago.
And it's like one of the biggest ransomware attacks on like a public entity that's ever like happened.
They're the second largest school district in the country.
apparently not going to pay the ransom and are partially back up on their feet.
Apparently they figured out what was happening, went to do a massive password reset, got
halfway through the password reset, and then realized that the bad actors were still in the system
and just changed the passwords again.
So they like started to do this whole massive thing and then got halfway through it and realized
it was all for moot because then they were just changing the passwords on them again.
So apparently for their like, what, like 60,000 students and employees and stuff to change their password, they have to go to an LAUSD campus to change their password because it's not possible.
Yeah.
They can't do it off network.
So for whatever portion of their network, they have backup and running.
But yeah, this is the shit that keeps me up at night because it's pretty much an inevitability.
People talk like it's something that only happens sometimes.
but it's actually like super duper common.
It just doesn't get a whole lot of publicity
because nobody wants people to know
that their systems were cracked, basically.
But yeah, like, Justin, you put this thing in here
about the huge rise in attacks since COVID-19
because everybody went to working from home,
and that's like a gigantic gap,
especially with how fast so many people,
or how fast so many organizations had to stand up outside stuff,
like VPNs and all of that.
Just so much shit got missed.
And so many places are still-
And how do you even like force your employees to use VPNs, right?
I mean, they can't access the shit they need to access unless they're on it.
Sometimes.
Sometimes.
It depends on your setup.
Like, that's how we have it set up in my work.
Like we can't get to the ILS.
You can't, like, I can't log into any server.
or run a handful of programs that, like, monitor stuff unless I'm on the VPN.
So at least in my job, it's absolutely, like, critical.
But yeah, so.
I think I have to be on the VPN to be on my P account.
I think.
I'm not sure.
But that's like three levels of security.
I never had to be on one at UNH when I was at home.
Never.
Because none of the stuff that I was, I wasn't working with.
It was only if you were working with specific kinds of information or something.
And I wasn't working with any of those.
I had to get like two different signatures to get a P account itself.
Like my university is pretty paranoid, which is good because I worked for a university that wasn't paranoid.
And I would just like find phishers in our system.
And I would be like, hey, this person's name is Myra Fisher.
I'm pretty sure it's a phishing account.
Like this person does it because I knew everyone who works here.
I'm like, I don't think this is a person here.
And so they were like, oh, yeah, we'll do something about it, I guess.
We'll block them.
I was like, that's unsettling.
Yeah.
Yeah, I'd say unsettling.
LAUSD, I didn't realize how big they were.
Is that why it was, I didn't realize that was why you put it in the notes.
I read the article.
I just didn't notice how big a deal that one was.
Yeah, it's a pretty big deal because they're such like the second largest school district in the country.
And also because as things have progressed,
the bad actors have alluded to not only wanting a ransom for to be able to decrypt the data,
but also the ransom for not leaking all of the student data that they scraped before they encrypted everything.
So it's like a double threat now, like of blackmail.
You know, not only do you not have any of your shit, but you also now are going to, you know,
have a massive breach of privacy and data breach, but they're not going to pay the ransom.
Maybe you should explain technically for people who don't understand how a ransomware attack
actually works because maybe people...
And like what ransomware is, yeah.
Aren't aware, yeah.
Yeah, good point.
So ransomware at its most too long didn't read version is basically when a bad actor or,
you know, malicious hacker or whatever gets on your network gets to your data.
and then encrypts all of it.
So nobody can access it anymore and then says,
you need to pay me this much amount of money in Bitcoin,
and I'll give you the decryption keys so you can have your shit back.
There are a lot of things that you can do to try to prevent,
like protect yourself against it or what to do if it happens.
So like having solid backups and not just one set of backups,
but backups of your backups and backups of your backups offsite.
And I think it's the 3-2-1 rule where you have three copies of your backups.
Now I'm trying to remember.
Like one of them is like two types of...
Yeah, three copies of your backups on two different mediums and one off-site.
Although I don't think the two different mediums thing stands as much anymore because nobody uses like backup tapes.
Or you could have like a drive versus the cloud maybe.
Yeah, yeah.
Or like offline backups are a thing too.
Yeah.
So like, you know, you have your backups stored somewhere,
but that storage stays offline unless it's actively being backed up to.
Yeah.
But yeah, some of that doesn't work as well anymore because a lot of the time,
even cloud backups, if they're in the system long enough,
they'll figure out how to encrypt the backups too.
and one of the major things that IT always struggles with is testing backups.
So you can have backups all day long, but if you don't know if those backups will actually
restore shit to the state that you need, then you might as well not have a backup.
But it's also tedious and time consuming.
And a lot of IT shops let it absolutely fall by the wayside.
One of my previous positions, I was there for nine months.
And then I realized that we had literally no backups, not a single backup,
like our email server, our ILS server.
Well, I think we had some scattered backups of our ILS server,
but I was just like absolutely panicked because like how the fuck do you not have any backups,
not even dated ones?
I feel like John is going to listen to this episode and have a heart attack.
So maybe we should like put a trigger warning for him specifically at the beginning of this episode.
Yeah.
Hi, John.
I should show this one to my dad because he used to work in IT as well.
for like an internet company as well.
So like double trouble.
Yeah, but how that's kind of the end point of ransomware.
And it always, always starts with phishing.
And it usually takes a lot of time.
It's not like all of a sudden we've been hacked and shit's been encrypted.
Usually if it gets to the point where ransomware hits,
they've been in your systems for weeks because it takes time to have.
hack a system. You have to get credentials to get in and then you figure out how to get those
credentials escalated and then, you know, put in your back door. So even if the initial malware
gets caught, you could still find a way in and, you know, you have to data harvest. And this just,
it's a very involved process, but a lot of it can also be automated. There are a ton of hacking
tools out there that you can basically you don't have to have a whole lot of knowledge to do
like to run them.
Bored teenagers can do a lot of this and I did a lot of shit as a bored teenager.
I took down my middle school's website on accident.
Oops.
Luckily we had a backup and we got it back up.
Like you as the teenager had the backup and put it back up?
It was like saved in the browser cache.
But yeah, we were we were just.
goofin. We were just, we were changing like the president, the principal's name to like Fidel Castro.
And, and then we accidentally just did a oops. We don't know how this pirated version of
Adobe works. And we hooked down the index.php file or whatever we did. And then the next day
my friend got questioned by the IT guy. And he was like, were you on the website yesterday around 5pm?
And he was like, nope, don't know anything about it. Okay.
Sure.
We didn't try it again.
Tell Castro.
Well, at my work, we've recently had somebody trying to hack the public computers.
And to me, it's really funny just because you can sit there and see it happening.
And you can, like, we could all tell that it was just somebody figuring out how to use these tools and how to do this shit.
It was not somebody who does it professionally, I guess.
So we're all just like, okay, we got to get this guy to stop doing this eventually because he's just,
fucking up a whole bunch of our computers.
But, like, nobody was actually, like, worried because it's, it's just a public computer
and those things get beat to hell and reimaged and, you know, completely wiped and rebuilt,
like, all of the time.
So.
I probably do worse shit to my workstation, like, regularly just because I find something
IT did to it annoying.
This is why when you get fired, they close your email immediately.
Yeah.
Yep.
if they know what's good for them.
Yeah.
Yeah, I have full admin privileges on my work computer.
Really, the only restrictions I have are the same restrictions that everyone has is that
there are actually internet filters, even though I work at a university, which makes me sad.
Because sometimes I'll be researching something for the Homosaurus.
And it's like, sex, banned.
I'm like, okay.
We had like a Dell one that I hated because it would, it would all, it was extremely aggressive.
I think we have one at my current job, but like I almost never hit it.
Yeah.
It's got to be like an actually dangerous site to like pop up something.
And then there's, um, for our email.
And again, especially with phishing, because it's mainly through email that the phishing happens, is we have this thing called Mimecast.
I don't know if you've heard of it, Sadie. It like, you can set it to certain levels of, like, restriction
and it will, like, quarantine things that, you know, don't fit what's allowed. And then you have
the ability to, like, block it, allow it that one time or, like, permit it and, like, add the domain to the
safe sender list, basically. Which means I get so many emails a day because I'm on, like, the
Music Library Association listserv. And anytime it's a person I haven't added yet.
It's so fucking annoying. But also we have it set that it like really doesn't like external email
addresses. So even if it's a student or a new applicant emailing from a Gmail account,
it will block it. That is one hyperactive email filter. Yeah. And so like I was actually glad that like,
because I probably shouldn't have been applying to jobs with my UNA email address. But I was actually,
after I learned that, I was glad I did because otherwise my emails may have gotten lost and stuff.
Like, yeah, it was external, but it was at least a dot edu.
Whereas once I accepted the job offer and we moved to Gmail, shit kept getting lost,
including my like ability to even get my account because of that filter.
So it's my one frustration in life right now is Mimecast.
Otherwise, things are fine.
But I fucking hate it so much.
But I understand why.
But that doesn't mean I like it.
That's fair.
There are a lot of things.
Sometimes you have to eat your veggies you don't like, you know.
Exactly.
Yeah.
So that's kind of how ransomware works. Almost always starts with phishing.
So like Kevin, have either of you heard the name Kevin Mitnick before?
It sounds familiar.
He was a, he was a hacker in the early nineties,
I feel like, who actually got caught, served time in prison, and then got out and immediately
became a cybersecurity expert and now runs like a cybersecurity like education company and all
of the shit.
But he, the one that he has and runs is called KnowBe4.
And basically it's just like how to spot phishing.
To me at least, it's like so obvious and easy.
but that's because, like, I stay up at night thinking about these things.
So I understand when other people, like, don't catch shit.
But it's always going to be people is the thing.
We can build as much technology and apply it as much as possible, as much U.S. as possible.
U.S. as possible.
But, like, it's always going to come down to the actual people are always almost going to be the first breach that has, that leads to something like ransomware happening.
Because it really depends on what they're after.
They might be after money.
They might, if they're a state actor, if they're like, you know, Russian sanctioned hacking group,
they probably aren't going to care about ransomware.
They're going to go for, you know, proprietary information and stuff.
So it varies a lot.
But ransomware is almost always just like money motivated.
One thing that I saw recently that I was like, oh, yeah, huh?
That makes a lot of sense is that ransomware is actually a Bitcoin problem.
because if Bitcoin had never taken off, cryptocurrency in general had never taken off,
then there would be no way for these transactions to even be untraceable.
So if you crack down on the financial side of things, you can make that shit stop a lot faster.
Like somebody quoted in the notes from one of the links that I put in there, but the Viagra thing,
like 10, 15 years ago, it was like every email had Viagra in it and it was scamming, you know, individual people out of two or $300 at a time or whatever.
And then there was this massive shift where things like ransomware and large ransoms started happening more often.
And it was because they were able to trace down a lot of those Viagra spammers and scammers back to their financial institutions.
and go to the financial institutions and be like,
hey, you've got to shut this shit down
or you're going to get, you know,
I don't know, sued by the government or whatever.
You get, like, sanctioned and, like,
other banks won't lend you money.
So it doesn't even have to be, like, a government thing.
It's just, like, other banks will stop dealing with you.
They won't let you, like, they won't play nice with you anymore.
They won't let you sit at the cool bank table anymore.
And, like, with crypto and ransomware,
that's also, like,
and I believe it's in Dan Olson's video.
What is it?
The line goes up.
That's the title of the problem with NFTs.
It talks about how like they talk about how secure like the blockchain and like the proof of whatever stuff is because they're thinking of man in the middle attacks, which apparently those soft, those securities are kind of effective against maybe.
But what mostly happens is phishing and ransomware, which like where they're.
They're invited in, basically.
It's people pretending to, like, sell or barter or buy and stuff.
And then that ends up happening.
So it's like they're also being, like, they're the problem.
Like, they're the cause, but they're also being targeted by it.
And, like, that's the huge flaw in that whole security system is that it's ignoring
what the actual problem is and is completely ineffective against it because people are
going to be people.
I fell to a scam, like, last year.
because I had put my name on a mutual aid list for my local area.
And apparently someone found it and was like,
oh, hey, I saw that you were on like the mutual aid thing.
Like, you know, could you give me some money for like diapers and stuff for my,
my kid real quick?
And I was like, yeah, sure.
Like, how much do you need?
Like, I just got paid.
Like, how much do you need?
And they're like, oh, my God, thank you.
I was like, yeah, great.
And then like it keep happening every once in a while.
And then like the stakes started getting higher.
And also the number would change each time.
time and I was like, why is your number changing? I was like, oh, it's Google phone. And I didn't
know anything about like how Google phone numbers work. I'm like, okay. But it just like kept
to the point where if I didn't answer right away, they'd start spamming my, like, calling me over and over
and over again, but never leaving a voicemail. And I just thought like, oh, this person is just like,
doesn't have boundaries or anything. But I would feel bad because they like, I was like,
how did you get my number? How do you know who I am? They're like, you're on the Dover Mutual A list.
or not Dover, it was like the Seacoast mutual aid list.
And I was like, oh, okay.
Like, they obviously got to that somehow.
But yeah, and then I was like, wait, am I being scammed?
Because I'd given them, like, one time I gave them like over $100 in money because they were like, I'm in like a serious thing right now.
I was like, oh shit.
Like, yeah, I'll help you.
I have the ability to do that right now.
Like, I just got my tax return or something.
Like, yes, I'd be more than happy to like give you, do a mutual.
aid.
I was like, oh, shit, I think I'm getting scammed.
It's harder when you don't know the person.
Because people with no boundaries like that exist.
Yeah, exactly.
Absolutely.
Especially if you're desperate.
Yeah.
Yeah.
But yeah, like, you know, as like savvy as I am, like my little like, oh, mutual aid bleeding
heart got me, you know?
Yeah.
Well, I mean, there's a reason shit like the Nigerian prince.
and all of that stuff, like, works because, like, it's less about technical savvy and more
about psychology and knowing how to, and, like, just being a good con man, because, like, that's
what it basically comes down to. It's like, the types of phishing that I see all of the time at my
job are previous or current employees' personal emails got hacked, but they had emailed
somebody at their organization, either by, like, forwarding stuff to themselves, or,
or, you know, not having access to their work email. So they email like a colleague from like their
personal email or whatever. And then all of those contacts get grabbed. And so now all of a sudden,
you know, you have Betty from finance asking you if you can get her like emergency get her a Google
play card for her nephew's birthday kind of stuff. And people are like, well, it's coming from,
you know, Betty's actual address. So they fall for it. So there's that. And that. And that
happens on social media, that happens in email, that happens in phone calls and text messages even,
then there are we, you need to pay us right now.
Like your account is past due, here's the invoice, you have to pay us right now where
your service will be shut off.
And it's always like, it's the panic.
If it's inducing you to panic, then you should probably stop and think about it for like
just a split second, please.
Or it's, you have an email waiting for you.
So click this link and I'd like,
we'll release the email to you.
But what it's really doing is just harvesting your credentials
when you plug it into like some rando web page
that is created to look like Microsoft Outlook login page, right?
And those are the ones that like are the most common
because they want your credentials,
they want you to pay the money,
and yeah, those are pretty much the things.
They want your logins and they want your money.
And no matter how they can get those,
they'll figure out how to do it.
Or we recently had a rash of, oh, hey, I need to check.
I need to change my bank for my direct deposit.
It's almost payday.
How soon can I change this if I send you this information?
Can you like do it for me?
And I got to the point where an employee actually lost a paycheck
because it got pushed all the way through, and their paycheck went to a bank that wasn't theirs.
And nobody realized that this had happened until after payday when the, you know, employee went,
why didn't I get paid?
And they went, no, you got paid.
So that shit happens a lot, too.
And again, like, it escalates from like a couple hundred dollars to now, you know,
going into thousands of dollars, whole entire paychecks.
to millions of dollars with ransomware. It's not that the stakes are higher. They're just
aiming differently, I guess is really kind of what it is. But yeah, those are super, super common
avenues of phishing that I see tons of all of the time. And half the time, if your email filter
doesn't catch it, your users need to catch it. And if your users don't know how to contact you
or what to look for, or they don't want to seem stupid because everybody in IT is mean to them,
then they're not going to tell you what happened or they're not going to tell you everything that
happened.
Oh, I clicked this link or I downloaded this thing.
I'm not going to tell you that it brought me to a webpage and I plugged in my credentials
or it brought me to a web page and my computer did a weird thing afterward.
You know, so there's a service sort of position there too.
And this is like, this is me back on my bullshit of IT actually being like a service in a lot of ways a service job.
Because like if people don't trust you, they're not going to tell you the shit you need to know.
And it's always going to be your users.
So what's the best thing you can do?
Make sure your users don't feel stupid for not knowing everything you know.
I will probably just, I will probably stand on that soapbox for my entire fucking career.
I'm not going to lie.
Have you seen the, I think his YouTube name is Kitboga.
He does scam baiting because his grandma, I think, fell prey to like a phishing like ransomware scam and lost a lot of money, like almost like all of her retirement or something, I think, because of it.
And so now he goes and like finds where it'd be obvious, like especially like the IT scams and trolls
them for hours, sometimes days, and fucks with them. And he streams it so that he uses it as an
educational thing to show people how like the types of methods. And like he'll do like he'll mute
himself for them and be like they're doing this or like this is this kind of script they're using.
So they're probably going to ask me for this or like that kind of stuff or like especially when it
gets to the like, oh, let's go into your bank account and how they will go into the like block
your screen from you, but he hasn't set up. He has like a special thing set up and how they go
into the browser like HTML and change it manually to be like, oh no, you transferred the wrong
amount of money. Oh no. You have to send it all back now. It was accidentally $25,000. Oh no.
and stuff like that.
And then it gets to like the,
you know,
the gift card thing.
He just starts fucking with him.
Sometimes he'll like pretend to be like an old grandma
because they target the elderly a lot like in like in general.
But yeah,
it was interesting to sort of learn all of the different like psychological methods.
Um,
even out,
even outside of like the tech methods,
the psychological methods.
Oh yeah.
Used in this kind of stuff.
It's like classic con kind of stuff and the,
term for it is social engineering in like IT because have either of you ever watched Leverage?
I have a friend who really likes it, so I know a little bit about it.
Basically, they're like a group of con men and whatever.
And like almost everything they do is some sort of social engineering, figuring out how to get somebody to trust you for a second.
Shoulder surfing, like so much of it has nothing to do with technology.
And they call it social engineering.
So it sounds fancy, but it is basically just knowing how to con somebody.
This is the show where they had a criminal consultant, and they were planning an episode, and the guy goes, you're basically a criminal gang now.
Like, this is what criminal gangs do.
Yes.
Like, you don't need me anymore because, like, you've just mapped out a plan exactly the way I would do it.
Yes.
So it sounds like a good show.
I watched most of it, and I really liked it.
And there was, like, a reboot personally.
fan fiction for it, apparently.
But yeah, going back to...
I was just... I was so excited I knew something
about TV because I never do.
If it's not...
I've watched the first ten episodes
of Evangelion like ten times and I can never
finish it. So like I don't...
I can never talk about TV shows.
It's like the opposite of the American
American animals like
kids who were like, we're going to
learn how to heist from
watching movies. And meanwhile, this
TV crew is like actually figuring
out how to plan a heist through fiction.
On here on the notes, I'm assuming it was you, Justin, who put common targets and, like,
email servers, and then there's domain controllers, which are basically control all of the
logins and a bunch of the credentials and stuff for pretty much any Windows-based, like,
network system.
You know, data server is so, like, ILS databases or basically anything that has a personally
identifiable information that a lot of like these hackers and stuff go for. But those are like the
endpoint targets. The actual targets are always the people first. I guess is basically it. So it's like
you could know what systems are eventually going to get hit, but that's not prevention.
It has to go through people first to get there.
So that's what that made me think of. And then yeah, there's the sort of double threat of both the data loss and the data leakage. And then not only with ransomware does that affect, like, you know, your budget because you're paying out a whole bunch of money if you choose to pay the ransom, but, like, you know, you lose your reputation. You often have to report, you know, report certain kinds of data breaches to, you know, the government, and, you know, your operations are completely disrupted for weeks at a time.
Like the pipeline ransomware that happened a couple of months back, that was a huge deal. Like those sort of critical infrastructure are giant targets for ransomware because they often have legacy systems that use code that hasn't been changed or updated in 30 years, and it's, like, almost impossible to move off of because, like, moving it on to a different software system would cut people's power and water off kind of thing. And it's much more embedded than, like, your sort of personal computing environment is. So what's the term? Oh, I can't remember it now. But basically
it's...
Technical debt? Huh? No. Technical debt? Actually, I know what that is now. And that's a
completely different thing. But there's a term for sort of the sort of critical infrastructure
systems that work.
They're basically like custom operating systems for very specific purposes.
So like, you know, you go into a factory and it's like, we got some very specific tools
for some very specific things.
It's that, but it's software.
And a lot of times it's using code that nobody knows anymore.
Hasn't been updated in a really long time.
It's written in like Fortran or something.
What is it?
Colbalt, cobalt?
Yeah.
Yeah, basically you're so specialized that the dude who actually knew how to do anything with it retired 20 years ago and nobody's been able, like, it still runs so nobody dares touch it because it'll fall apart, right?
And then not only does, like, whatever your business or, you know, thing is come grinding to a halt, but a lot of times it's financial institutions.
So, like, banks will use a lot of this kind of stuff.
Y2K almost happened.
Yeah, exactly.
that kind of thing.
And like it's just, it's such a giant target now that the U.S. government is actually
starting to take cybersecurity seriously at a decent level.
I was in one of those articles and it was like director of cyber and digital infrastructure.
I was like, why wouldn't you, what does cyber by itself mean?
And like, is it a Greek word?
Like, why would, it's just such a weird thing to be like, cyber, when as a millennial, that just means to jerk off on the internet.
Basically.
It's very funny to watch boomers talk about cyber, just as a noun.
Was it the cyber security infrastructure, cyber infrastructure security administration?
No, I mean, cyber security makes sense.
It was cyber and infrastructure manager.
It wasn't like, it wasn't used as a prefix.
It's whenever government officials use the word cyber.
just like by itself.
And everyone made fun of Trump for doing this.
But this is like how government officials at the federal level talk.
And they're just like, yeah, I'm the director of cyber.
I'm.
Cyber what?
Yes, exactly.
What does that mean?
Does it mean anything?
What are you cyber security?
Cyber infrastructure, cyber sex.
I mean, cybernetics.
Teledildonics.
Is that what that was, Jay?
The dildonics?
Yeah, Dildonics, that's it.
Ted Nelson being a Chad, yeah.
Yeah.
I watched the cyberpunk anime.
Yeah, how was it?
Which one?
The new one, the new cyberpunk anime that Netflix put out.
It's good, but there's a time skip, and then it gets confusing.
So, but there's a lot of nudity, which is good.
I like naked people.
It starts off really strong, but I think it suffers from not having a good critique of
capitalism, which is the whole problem with the
Cyberpunk game that came out.
And cyberpunk is a genre in general.
Yeah. Well, I think it started
out kind of that way. I watched Johnny
Mnemonic the other day, though. And everyone's like,
oh, this is such a great movie. This is why Keanu Reeves
was put in the video game. I watched
Johnny Mnemonic. That movie doesn't make any
fucking sense. I've never seen it.
It's the most confusing thing. It's not
a good movie, but everyone's like,
oh, this is like a cyberpunk classic. I'm like,
it's not... It's not good.
It's... Keanu's great.
It makes no sense.
The bunny is judging, yeah.
Cost of cyber insurance.
Okay, what's cyber insurance?
Okay, so cyber insurance is basically you buy insurance so that when ransomware eventually
happens to you, you have money to either pay the ransom or have money for resources
to recover from whatever sort of cyber attack has occurred.
And yeah, it's basically like life insurance, but for your cybersecurity.
Except cyber security is a constantly changing thing in which it is almost impossible to accurately gauge risks like, you know, insurance is supposed to do.
And also almost impossible to gauge exactly how much of it is going on in real time because there aren't regulations about reporting. There aren't concise ways to know how much of these kinds of things are actually happening.
So CISA, which I think is Cybersecurity, Infrastructure, fucking whatever. It's a government thing. CISA.
They, like, honest to God, came out with a report recently and they were just like, we don't know whether or not ransomware is getting better or worse. We literally just can't tell. And they're, like, the national security, the exact sort of administration that's supposed to know this kind of thing.
And they don't.
So how do you measure insurance for a risk that nobody can predict or foresee?
So basically all of these, you know, different organizations or businesses and stuff are either not able to buy cyber insurance because they're not big enough to have a cybersecurity program to begin with,
or their cybersecurity insurance is so expensive and has so many stringent requirements
that it's cost prohibitive.
And that's something that I've been seeing a lot, at least for the two libraries I have worked for in the past year or two.
So does everyone have this?
A lot of people.
basically any major organization is going to have it.
Who's more likely to be targeted, an organization, like a major organization with the money to be able to get this kind of protection, or maybe smaller organizations that don't necessarily have the budget to get this kind of insurance or something that might protect them when this kind of stuff happens?
That's part of what they can't really tell.
But a lot of, yeah, the smaller organizations, small cities, small libraries, small counties,
basically anywhere that has an infrastructure that people rely on, but not enough of a budget to actually have Arthur,
to actually have a good cybersecurity program already in place.
So probably the smaller organization, kind of more likely.
For the listeners at home, the reason why I say he went, oh, Arthur, is because Arthur,
like puts his tail around my shoulders, like when you're in high school and you go to the movies
on a date and you do a big stretch and then you put your arm around the shoulder. Arthur did that
put with his tail.
Just full body lean into Jay's back.
It was really cute.
He's so cute.
I loved him.
But both of these libraries that I've worked for have had cybersecurity insurance requirements
like go up so fast that it's actually like a struggle.
Basically they're saying you have to use multifactor, oftentimes on all of these different systems, or we're not going to renew your insurance,
which is a really bad position to be in.
But also, like, if you work for any sort of corporate thing, there's, of course, might be a
little easier to figure out how to get your employees to use multifactor authentication
when they're logging into the VPN or they're logging into their email or, you know,
whatever.
But a lot of our employees literally only log into a computer to check their email and don't have a computer otherwise. So they're also not going to have a smartphone, probably. Or if they do, they're not going to understand how to use an authentication app, not to mention a lot of these sort of public entities also have cell phone reimbursement. So if you use your cell phone for multifactor authentication to your workplace, they owe you money, basically, for using your personal cell phone for work purposes. And then, you know,
if you use something like a YubiKey, which is like a USB key, those get lost.
Which everyone should get.
Which everyone should get.
And then, you know, it's also training time because the sort of technical savvy of employees ranges so very widely.
Like it's perfectly reasonable to expect your IT staff to be able to use multifactor authentication
and reimburse them for that use of their personal cell phones because they check email
or use a multifactor authentication app or, you know, all of this stuff that is pretty common.
It's another thing to ask your part-time custodian who checks their email for 20 minutes every day
and doesn't have a smartphone and doesn't have Internet at home and doesn't want it, quite frankly,
to be able to navigate multifactor authentication.
To be clear, if you can do multifactor authentication, especially on your personal accounts,
please do it. It is actually one of the best stopgaps to bullshit happening to your personal,
to stuff. So multifactor authentication is basically you have one of, you have two out of three things,
something you know, something you have, or something you are. We all know passwords. That's always,
almost always the very first thing. And then the second thing is something you have. So like the way that, like, Google Authenticator or Okta or all of these other apps work is you have your phone.
You have the app on your phone.
It's not the app itself.
It's the fact that you have it on a device that you're not currently using to log into.
So like it wouldn't be multifactor authentication if you were using an app on your computer
that you also know the password to because it's just kind of redundant.
It's not a separate thing.
So something you have or something you are, which is biometrics, which I think is completely
absolutely fucking scary for any organization to get into.
But there are things like Windows Hello or fingerprint scans, all kinds of stuff that is
possible as that like third factor for multi-factor authentication.
And that works really well in a lot of ways because that second check does stop a lot of things.
So like your email gets hacked, somebody's trying to log into your bank, your bank forces you to use multifactor authentication.
You get a text saying, hey, is this you?
If so, click on this or put in the code from your app and you go, that's not me.
I'm not doing that shit.
And so they can't get in.
So to be clear, multifactor authentication is a good thing.
It's just hard for organizations like libraries or like small cities or basically anything that has a constrained budget to really get off the ground in any sort of fast fashion.
And most of the time, these cybersecurity is like, we won't renew.
These insurances are like, we won't renew your insurance next year.
So you would have anywhere from a year to less to implement these things for your entire organization,
which is just a massive undertaking.
And you're probably already stretched thin on your budget and your staff time anyways.
Yeah, so cyber insurance keeps skyrocketing.
The needs to or the requirements for cyber insurance keep skyrocketing.
And basically, the thing that you need is money.
You need to pay for new systems and new subscriptions.
You need to pay for staff to learn how to do it or teach how to do it.
You need to pay for the hardware itself, like YubiKeys or whatever else it is.
So it's just, it's escalating rapidly.
and there's no clear way out.
I guess I'm not really sure if I had a point with bringing this up,
but it's just one of those things where I'm just like,
capitalism sucks.
I mean,
and like the fact that it targets libraries,
because so often I feel like when you think of hacking and stuff,
and I know this isn't technically hacking,
I guess hacking's part of it.
I don't know.
But you think of hacking happening to organizations and people
that have something worthy of being,
hacked, like where the data or what you can do with whatever system you get into is, like,
the point that's like, it's of value.
Whereas, like, if you think of library stuff, like, yeah, obviously there are potential,
like, especially like any sort of financial security stuff in a library.
But when I'm getting, you know, library, ALA, code ethics is going to get mad at me for saying
this.
Patron privacy is important.
I would not share stuff.
But also when I think of, like, a patron record.
Like hopefully the most, that's probably like check out history, their address, which like, yeah, doxing's bad, but it's like, it's not like getting into a bank account.
Yeah.
A library, I guess, is like, city.
Yeah.
There's shit there.
And also like the types of systems that you have the access to if you hack like a city, whatever.
But library, it's like it doesn't seem like it would be a target just because of the type of.
information and systems that are there.
But when money is the point, I guess it doesn't matter what the, you know, the bounty within
the systems might be.
And if you know that it would be easy to get into the system because you might not be
able to require the more strict security, because when you think about maybe the level
of, literacy is a bad word, but like, the literacy and skill of these types of things that your average patron might have. I hope we're
not giving people ideas. No, well, no, they already happen. Well, and part of the thing, too,
is like with libraries, that sort of patron data that in a lot of ways is common addresses, full
names, phone numbers, emails, etc. That is valuable in its own way because you can take that large
dataset, sell it.
Oh, yeah.
And that then fuels it even more because now, you know, this collection of personally identifiable information, that's PII, gets sold.
And then because they know that it's accurate information, it then gets used for more
accurate breaches and attacks. So like if you don't know if this email and this person and this
address are all the same thing and you're guessing, then it's easier to spot it as scamming than if
you know all of those things align and you use that information to get somebody to trust you.
You know what I mean? So like you have. Yeah. Yeah. That makes the last thing. Oh yeah. No, I'm
absolutely legitimately your bank because this is the address we have on file for you and this is the
phone number we have on file for you. And you know, you're able to cross-reference those data sets that are for sale and say, oh, well, yeah, you purchased this
off of your credit card. Like, you may not know the actual credit card, like, number, but you can
correlate that data and be like, this is a credit card. This is a charge on your credit card that you
had last year. And somebody will go, okay, well, nobody but my bank would know all of that,
which just straight up isn't true. It's like when you ever have had to do like a background check
software thing or even to like confirm like do like electronic check-ins for my doctor's appointments.
Often one of the things that asks you is like which one of these addresses is like relevant to you or something.
It doesn't necessarily have to be the one you live at now.
But a previous one or the ones that are really annoying where it's like, this is like a financial one,
but it's like when did you take out a car loan?
Was it 2015 or 2016?
I was like, I don't remember.
I know I've had this car for a long time.
Well, and the thing is, with that information, you can get that off of credit checks.
Yeah, exactly.
So.
But they've got five of those in a row, which are really weird.
It's like, did you live at any of these addresses?
It's like those fucking tweets that are like, you know, like the, what would your, like, stripper name or something to be able to be?
But it would be like, yeah.
What's your mother's middle?
It's, you know, it's your mother's middle name.
And it's the street you grew up on it.
It's the name of your first pet.
Yeah.
And it's your password.
Yeah.
And what's your social security number?
What's that post going around on Tumblr?
It's like, I don't want to know about your taste of music.
I want to know what was your mother's maiden name.
I want to know what was the street you grew up on?
I don't do small talk.
What was your pet first pet's name?
What's your password?
But the multi-factor authentication thing is we've, we create, we started with duo authentication.
I want to say in 2019, maybe 2020.
And now we have Microsoft authentication.
And someone, there was an email that had to go out to everyone, which was like someone got into our system because someone approved a two-factor authentication that they weren't actually doing, which sounds crazy.
But I get them all the time on my fucking phone, and I know my password hasn't really been breached.
I change my password all the time.
So someone's like still trying to change my password or something like that.
And it's giving me multi-factor authentication all the time.
But if someone did have my password and asked me for a multi-factor authentication,
and I just was saying yes to all of these things.
I get them, you know, pretty randomly.
Someone I supervised was like, why did I get a multi-factor authentication request I didn't send?
I'm like, I don't know, man, it just happens.
Like, don't say yes if it ain't you.
Well, and last pass, which is like a password manager, they recently had a breach into their development environment, which then had a whole bunch of proprietary information stolen.
That's how that, that's how they got in is because they had somebody changing.
They had the credentials of somebody who had access into the development environment.
They had their credentials.
They sent the multifactor request, I forget exactly how it went.
Like, they were able to intercept it and then change the password again.
So basically, they were able to circumvent the multifactor authentication and then use
that to get deeper into the development system and get the information that they wanted.
And it had nothing to do with how strong their encryption and stuff was.
Exactly.
And cybersecurity is like, it's about layers.
It's about having a moat around a fortress with archers on top kind of shit. Yeah, it's like an onion. It really is like there is absolutely no one thing
you can do that will make you secure for a lifetime or even secure for two days. It's just as fast
as we are finding ways to secure things. People are finding ways to undo it. So the very best thing
that you can do is have a lot of ways to secure your information. But one thing I
wanted to talk about too was, especially for any sort of public entity, security systems are
massively expensive. When you buy like a hardware firewall, like an appliance, which you
have to have to have any sort of like security over your internet traffic coming in and out of your
network, not only do you have to pay for the hardware, you also have to pay for support and
subscription for the hardware. So like you get, you're getting all of the latest updates to
your antivirus signatures and all of that stuff.
So there's a lot of ongoing costs on top of hardware costs,
which hardware costs, a lot of them are covered by things like E-rate,
which make it a lot easier for the compromise,
for the filtering compromise,
which we have discussed many times.
That's how they get you with the cop shit.
That's how they get you with the cop shit.
No, this is also how they get you with the cop shit.
Because when you can get decent security systems or decent security help,
A lot of the times it's coming from places like the Department of Homeland Security, which CISA is, like, under that umbrella.
And they basically run all of a bunch of the infrastructure and election security stuff in the entire country.
But how do they get their information?
They get it from fusion centers, which is cop shit.
What's a fusion center?
A fusion center is a...
It's like some Sailor Moon stuff.
Yeah, it is basically a multi-agency hub for things like the Department of Homeland Security, FBI, state, federal, local authorities, basically to compile all of their cop-shit data and surveillance data and be able to use it for cybersecurity purposes.
But so much of that data is surveillance data.
Like fusion centers are where bad shit happens, right?
But at the same time, like, as a library, we get a ton of information from the state
fusion center on what IPs to block and what we should be watching out for.
So it's like being a public entity and a lot of these services, too, are discounted or free
for some sort of governmental entities.
So like we can get, like libraries can get discounted network security,
basically keeping track of things at the boundary between your like internal networks and the
internet and keeping that traffic and being able to bounce off known like risks.
So if it's coming from an IP or a URL that like is known to be like malware,
they'll just bounce it and not let it through, which is great for your cybersecurity, but that also means that the organization that is doing that for you has access to
a record of all of your internet traffic that's coming into your network. It's like a constant,
like, it's like a double-edged sword because you can get help from the government, but at the
same time, places like the Department of Homeland Security and libraries', you know, missions
to be advocates for privacy are, like, in direct conflict with the exact kind of thing where you
can get help. For the longest time at my previous job, ransomware kept me up at night. I had the
phone number for the CISA Security Operations Center on a Post-it note on my monitor at work.
Because if ransomware hit, there was no guarantee I would actually be able to look up that
phone number. And it's like you got to call your cybersecurity insurance. And then you got to call
somebody to come help you out because you don't know how to do it yourself. Because you're just
an IT administrator, you're not a cybersecurity forensics expert, and that's the kind of shit you need
to know how bad the breach is, how long it's been going on, how to bounce back out of it, and how to
recover. So when I think about... And that's not even necessarily a thing of like, oh, libraries
don't have budgets so they have to outsource everything. Like, that's just like there's not that
many people in the... It's not like every library can have their own like cyber forensics team, right?
Exactly. And a lot of libraries, especially smaller ones, will have like IT companies on call, especially if they don't have their own
internal IT. But there are plenty of, are plenty of like cybersecurity firms out there that can
do this stuff for you. They're just very, very expensive. So the ones that you can rely on
are the ones who are taking cop shit data and giving it to you to protect yourself,
like to protect your own network. Or if you're lucky you have one person who has an
interest in this kind of stuff. And it's like, oh, yeah, the cyber forensics is like my thing.
And they're just like willing to test out your systems for you. But you're not paying them any
extra. Yeah. It's not. That's not enough. I can tell you, hands down, for a library system,
you would have to be a gigantic library system because cybersecurity is like not even close to
being a one-person job, even if your entire job was cybersecurity. So, like, my job encounter,
like, cybersecurity is part of my job, maybe about a fourth of my job. So to actually have a full
cybersecurity team, we would need like eight people. And we're a pretty large library system.
And that's expensive because people with that sort of, there's a shortage of cybersecurity
personnel. It is a traditionally high paying career path. So as a library, you're not going to be
able to pay the same thing as, you know, I'm in Washington as Microsoft or, you know, any of those
other tech firms. So you have to take what you can get out of an already diminished pool.
So if you have somebody on your team who's like, yeah, I'm really into pen testing and I'll run
these scans and stuff for you, it's still just one thing.
That's still just one aspect of the level of cybersecurity you would need to be able to say,
like, yes, we have confidence that if this kind of thing happens, we could bounce back from it.
And it's not even necessarily, we have a confidence we can prevent this because that's just
straight up not possible. Part of the reason it keeps me up at night so much is because
it, like, it's basically an inevitability. It is common. It's very common and it's very likely.
So like when you're doing risk management or like risk weighing, an earthquake is high level of damage, not very likely.
Workplace shooting, high level of damage, not as likely.
Ransomware, high level of damage, high level of likelihood.
Has that ever happened at a place you worked at?
No, not to that point.
I know of a library system in the state of Washington who in the past couple of years got hit with ransomware and kept it completely mum and paid the ransom.
I only heard about that because I work library IT.
One of my previous employers had a ransomware attack, not a ransomware attack, but a breach
start to happen and was able to remediate it.
And very, very recently, a library county system in Washington was hit with ransomware,
and it was something that was like talked about in the news.
But for everyone that you hear about in the news, there's like,
at least five more instances of it happened that didn't hit the news.
So basically you have to approach ransomware as a sort of disaster planning.
Like it has to be part of your disaster recovery plan, like for your backups and all that stuff.
And that's all part of IT to begin with because if you get hit with an earthquake, you have to have a plan on how to get your systems back up online from your outside backup system.
If the comrade sharks like eat the internet in the ocean, like what are you going to do?
Exactly.
And then but.
I need a blaha.
or I pronounce it.
That's like the internet eating comrade sharks.
Yeah.
But like an earthquake doesn't damage your reputation.
You know what I mean?
So if you get hit with ransomware, high damage, high likelihood, also can completely
obliterate the trust in the community that you serve if people don't understand exactly
how common and devastating it can be.
And how it probably has nothing to do with the security systems.
It has very little to do with the security systems.
Yeah.
Because zero-day attacks happen.
Like literally the whole point of zero-day attacks is that you can't see them coming.
Like nobody knows that it's out there until the attack hits, right?
So that's why it keeps me up at night.
That's why I say this all of the time.
And I'm just like, I don't sleep over this is because it is incredibly high pressure in a sense.
But it's also because I don't want this to happen to my community.
Which, you know, kind of sounds cheesy.
Like, of course, I'm thinking, like, about the community and the impact.
But, like, I feel like it's doubly so because I work in library IT.
And we are, like, you know, try to be privacy advocates and try to have open access.
And all of these things can't coincide together peacefully.
And then, you know, you get dinged for having a ransomware attack happen kind of thing.
Yeah.
I do have a question based off of that.
I know any time I've taught, like, you know, digital privacy and security info and stuff, especially when you get to threat modeling, there's always that, like, balance between having people take this seriously and that, like, there are indeed threats while also not freaking them out.
So, yeah.
Like, obviously it's all bad, but like, I think there's maybe sometimes a difference between, like, a personal breach versus an institutional breach like that.
Like, they both have their, like, seriousness.
But, like, the degree to which, like, someone can connect with, like, what the risks are and stuff.
Like, so I guess how would you say, like, how would you say that we should educate,
both our librarian and library worker like colleagues, as well as our patron communities,
about ransomware with the like, this is a threat.
Please take this seriously while also not tinfoil hat freak out people.
We're like, oh, no, I can't stop, but I'm not perfect.
Therefore, I shouldn't try.
I'm already in too deep.
That's the one I hear a lot with like passwords and stuff.
Yeah, yeah.
Yeah.
So yeah, like you said, like it's very different on an institutional level.
And this whole time I've been talking at an institutional level or trying to, partially just so maybe people understand that there is a difference.
Because I feel like a lot of what we hear in the news and stuff about ransomware attacks and all of this stuff happens at this institutional level.
But then people sort of retroactively apply it to their personal, right?
So there's like a factor of freakoutness there that just straight up doesn't apply to like an individual.
Yeah.
And so like I would think of those as different spheres, at least when I have like gone into privacy and security with like staff trainings or with providing resources to staff to provide to patrons towards sort of within IT orientation.
like you have to understand the level that you're trying to speak at.
So like this whole episode, I've been talking at like an IT level.
Most of this stuff that keeps me up at night is not actually anything that most
individual people need to worry about.
I'm worrying about it so people don't have to worry about it, right?
And so, and this also just comes back to IT workers not treating their users like they're all
stupid because you have to know how to teach well and separate out what's relevant to you
from what's relevant to your staff person that you're trying to teach or the staff person
that you're trying to teach who's trying to teach a patron because it does vary so wildly.
So when I talk to staff, I try to approach it as practically as possible, I guess, when it comes to what staff can do to keep the institution safe when it comes to cybersecurity.
So things like changing your password, you know, a lot of the sort of basics that we teach people,
but also things like I was just having a conversation about this with one of my coworkers,
not sort of crossing your work and your personal domains.
So if you use a password at work, the advice you'll hear from an IT person is don't repeat any of your
passwords. Use a password manager. Don't repeat any of your passwords. It's completely unrealistic
for your average person, right? But that's the advice an IT person would give you. So recognizing
that that's not practical for your average user and then figuring out what is practical. So
I would tell people, you know, if you reuse passwords, don't reuse them in work and in your personal
life, have a set of passwords for your work life, a set of passwords for your personal life,
keep those separate and then reuse them within those domains as much as you want. And that not only
helps protect the organization like the institution because a personal breach then gets filtered
over into a workplace breach, but then it also protects the person because if your institution
suffers a breach and those passwords get put out on, you know, the market, it's much less
likely that your personal life will be breached through that avenue.
Oh, that's a really good strategy.
I hadn't heard of that one.
And like there are tons of password strategies out there beyond, like the best thing
you can do is use a password manager and a unique password for everything.
But there are other avenues to have better passwords that don't involve doing things the IT way.
So like recognizing that and just being practical about what people can spot in phishing
attempts. You know, like this is the number one way you can help us out. The rest of the advice,
maybe not so relevant, but this is what you can do. You can learn how to spot phishing. You can
not complain about having to change your password every three months. And a lot of that also bleeds
over into people's personal lives. So if you make it advantageous for both things, I feel like
they're more likely to take up those sort of tactics. So something like threat modeling is really
useful from that sort of angle because it helps them assess their own personal risks.
You're just helping, like, trying to help them do that, but through, like, this is what we need
you to do for threat modeling for the institution as a member of the institution kind of thing.
And then with, like, staff who are then teaching patrons, a lot of that, I haven't done, like,
a training for staff on how to, like, come across, like, how to teach these sorts of
concepts to like patrons because patrons vary so wildly. You'll have the dude who
insists, absolutely insists, he talk to an IT person about this because you're being hacked right
now, which is absolutely not happening. And then there's the person who, you know,
struggles to log into a computer kind of deal. And I would say there, it's just,
it's about resources. It's about knowing how to guide your patrons to the correct resources.
and if that means you take a sort of threat model approach to it to help the patron figure out
what they are concerned about and what they need to guard against the most.
Also, reminding them that because security is so concentric and has so many layers that even small things
can really help.
And I know we've talked about this with privacy stuff with like Callin and Allison and, you know,
that sort of thing too. It's like literally any step you can take is a good step.
Even if you haven't changed your password to your main email in 15 years, changing it today
is better than continuing to not change it. You're never like too far gone. You're never too far gone.
You can recover, you know, like even if everything goes to shit and like you have identity
theft happen or you have ransomware happen or you lose $1,000 to a scammer, you can always reach a decent baseline.
So much of it is like prevention.
So like a lot like, you know, privacy, like the little bit of knowledge and action can go a
really long way.
And asking questions, knowing who you can ask questions to, find your approachable
IT person who can help explain things in a way that doesn't make your head catch on fire.
Don't cross your personal and work domains.
Learn how to spot phishing because that's good
for both your institution and for you all the way through your personal life.
Pay attention to font kerning and email addresses.
That too.
Yeah.
Like, you really don't have to be a tech savvy person to be able to do a lot of the things that will help safeguard you against it.
So, like, also one thing, just fucking update your apps and your computers, please.
When Windows tells you that it needs to restart for an update, please don't push that shit off for six months.
because every time, every month you push that off, there are more things in those updates that are vulnerabilities.
Most updates are security related. Most updates are security related.
Automate that shit as much as possible. Set your browsers to automatically update. Set your OS to automatically update. Please, dear God, keep up on your updates.
And that is, that's one thing I wish a lot of people would understand about IT, is that IT,
is at its base about maintenance.
It's infrastructure and it's about maintenance.
So technical debt, Justin, happens to be the idea that this is the debt that you take on to
keep a system up and running.
So like any sort of repairs that you, like, or fixes you have to apply to something,
that's you making up for technical debt.
And keeping things updated is the same way.
It's a technical debt that you have to keep up on.
So yeah, that's kind of what that means.
But yeah, for the love of God, please keep your shit updated.
Or like, I know one thing that Allison has said is that like keep things updated and also remove what you're not using.
Yes.
Especially on your phone.
Yes.
Try to go through and delete old accounts you don't use anymore.
If you can't delete them, at least change them to a gibberish password you're never going to use again.
Do an audit of your digital life every once in a while.
that'll go a long way.
And whenever a survey asks you, do you know what Doritos are?
Say no.
I've never heard of them.
It's always lie to robots.
Yes.
Always lie to robots.
What was it?
In a world where big data threatens to modify our lives, telling online surveys
"I don't know what Pringles are" constitutes heroism.
Keep up that junk data, people.
I mean, that's a good point about when it asks you for,
password hint questions of like what was your mom's maiden name, lie. And remember what lies you told.
But don't put the actual answers in there because a lot of that is public, like even if you're not posting the answers on Twitter, a lot of this is publicly available information.
Yeah. And if you're a public employee too. Especially if you're a public employee. Especially if you're a public employee. Like, you know, people not only can they FOIA that shit, they can also probably just find it if they spend an extra 10 minutes digging for it, right?
Not hard to find out what your mom's
middle, uh, maiden name was.
I don't even get those kind of questions that, like, I haven't had to answer security
question anymore. It's mostly like trying to remember what my general password is for my
main email address and my LastPass and my Apple account. They're all different passwords.
I use Bitwarden. Please use any unique password for your bank account. I think it's probably just
a gibberish thing.
I know one thing my bank account doesn't, I don't see too many others.
Instead of doing like security questions, it has a security image.
There's a website called Have I Been Pwned.
You can put all your email addresses into it and it'll email you if you're part of a data breach.
And I haven't been in any of data breaches in a while.
Some password managers will do that for you now as well.
And also they can do an audit as to, like, when was the last time you changed this password and how many of your accounts
have the same password, and they'll, like, help you change it. Like, they'll help you go through your
password hygiene and stuff. They're really nice. Firefox will also do the check for you.
Use Firefox. Use Bitwarden. Use Bitwarden. It's free and open source and not based in the
United States. Hold on, there's another one. Host your own server of it if you want. Trying to
find... And it's free unless you want to pay for premium. Like, if you want to use, like, YubiKey,
you have to get the paid version. But there's also, like, a family plan.
So, like, I had to switch to LastPass because my work blocked the password manager I was using
I was using before.
My, uh, Longey and I bitch about it because I don't like it.
But for our, like, two-factor authentication and our single sign-on are the same thing.
We use OneLogin, which you, like, log into it.
So it's more like a master password kind of thing and sends you a
two-factor authentication if you're not in the IP range.
And then you go in and then there's all these, like, tiles,
which you click.
And then those have like a randomly scrambled password in them.
But then like that's how you get in.
So it's like a password manager,
single sign on.
Because you can also like add accounts that aren't the ones created by the school.
But I also don't like this because it makes it hard to like link to resources.
And also it doesn't really.
work a lot with, like, library systems that are expecting, like, EZproxy or, you know, OpenAthens or
something. But the fact that, like, the two-factor authentication and the password manager, which I don't use
for that, I still use Bitwarden, and, are, like, single sign-on, they're all the same, since it's one
less thing for the students to have to download. That's kind of the idea behind single sign-on.
You're more likely to have a secure password if you only have to remember one. Yeah, and it's, like,
it's like their student account password and login and stuff. And that's what their OneLogin is.
I'm going to have to dig around and find it. But I know that there's a website where you can plug in your email and then it checks a whole bunch of really common websites and tells you whether or not you have an account on that website.
Oh. Which is really useful for sort of doing a digital cleanup. Because like if you haven't touched your Coursera account in 10 years like I have, maybe I should go ahead and delete that.
I completely forgot I had it.
And there's one that will also help you delete.
Like, maybe it's the same one, but like, not only will it check, but it'll tell you how to delete the account because sometimes it's not always obvious.
Just delete me.
Just delete me.
Just delete.
Just delete.
Just delete.
Just unalive me.
Just fucking end my shit.
I'm going to make a service called Just End My Shit.
There's a similar thing for,
like, in your email, like, for, like, newsletters and shit that you get, like Unroll.me
or something, where after a time you have to pay for it, but at least you can, like, start
for free.
It will help you like unsubscribe from newsletters as well as like mailers and all sorts of
stuff and that can also, you know, help.
Also just keeps your email from being annoying.
Yeah.
Fellow transes out there who have done a legal name change:
that doesn't, even if you went and did, like, your Social Security and whatnot, that doesn't mean it got
changed everywhere, um, especially in, like, records and stuff. So you might, even if it sucks, you might also
want to check under your dead name for stuff if you ever have to do that. I have to do that
sometimes. Especially, like, I still haven't changed my name on one of my credit cards because they won't
let you do it online, and I have ADHD, so that means it's not getting changed. And, um, my birth certificate
hasn't been changed.
One, because I don't want to, but two, because I was born in Ohio, and apparently it's
real hard to do it there.
And, like, I haven't changed my name on my degrees or anything.
So, like, check both if you have, I mean, anyone who's changed their name, even if it
hurts to do it.
Just, like, rip it off like a Band-Aid.
Yeah, but I have a whole one note full of useful digital security and privacy links.
So hit me up if y'all, if anybody wants.
Which like shout out to like Library Freedom Project and a ton of the guests on here.
And like I didn't come across these on my own, I guess is what I'm trying to say.
I made, like, a GitHub repo with a bunch of that, that I made in 2020 in the summer when, like, protests were happening.
There was like a local activist group that I did a little training for.
and I made like a GitHub repo of like digital security and like protest security resources.
So, like, GitHub repos, because it's just markdown files and, you know, plain text to download and stuff.
So that's also an avenue.
But I know people hear GitHub and get scared.
Okay.
Well, we should go.
It's been two hours.
Good night.
