Okay, here we are, trying to investigate the world around us through the technology of Zoom and remote talk shows on ThinkTech. And we keep on trucking. We do 40 plus shows a week, just like this. We reach out to everywhere in the world. I'm not kidding. I'm not kidding you. And we talk to people who can really elucidate what's happening around us. It's like being aware. Anyway, today we're going to talk about cybersecurity with Randy Minas of the Shidler College of Business, who has developed a master's of science program and who can talk to us about not only cybersecurity but really the psychology of cybersecurity. Hi, Randy. Hello, how are you? Thanks for having me today. Yeah, well, I want to get into this because I have a theory and I want to bounce it off you that COVID is affecting the reliability of our technology systems. We have assumed, for example, that our food chain is okay, but the Sause Bros. line, I guess they have barges from Portland to Hawaii, they gave up the route. And then the Star-Advertiser cut a substantial part of its reporters and staff yesterday, over the weekend. And so things that we assume are operating okay may not be. And today we've had a lot of trouble on the telephone systems. Some carriers have gone down and you can't make calls to their exchanges. So, you know, we're approaching chaos here. And my theory is that there's got to be chaos, you know, in the internet, where you assume, we all are sort of delighted that it still works even in the time of COVID where we're locked in and all that. But in fact, you know, there are things happening around cybersecurity that we should know about and sort of fold into our thinking. Can you talk about it? Yeah, yeah, I can talk about it quite a bit. 
I think that there's the interesting part that you're bringing up with the reliability of the technology that we're actually interacting with and how we've kind of reapportioned most of the bandwidth to, like, residential communities versus commercial. And people's Wi-Fi at home is not set up as securely, in general, as something that is set up at a commercial location. But the other part of it is the psychology part that I'll speak to, the work that I do a lot on, which is understanding how our mind works in processing cybersecurity type messages. So in some situations, or in most situations, we're operating in this automatic processing type mode. Daniel Kahneman, a Nobel winning economist, has a book called Thinking, Fast and Slow where he talks about two different modes of cognition. And so there's the system one mode, which is like the automatic mode where you're kind of on autopilot. I wrote a paper about this in relation to cybersecurity last year, or two years ago now. And so most of us are operating in that space where we're going from thing to thing, not thinking too much about certain aspects of it, most of the time, actually the majority of the time. System two cognition is this deliberative cognitive thought, which is where we're talking like you and I are talking right now. So when you're interacting with, like, a spear phishing message, or you get some weird email from, you know, you don't know where, or it looks like, like we're talking about before, it's an email from a legitimate person that you would be communicating with, but it's got a weird address or whatever, you're going very quickly, or processing in this automatic mode. I would get an email from Jay, I'll look at that email, and if you're not really, really careful about how you're responding to that, you could be, you know, subject to a spear phishing message. 
So the other aspect is there is a difference between a utilitarian mindset and a hedonic mindset. So some of the work we've done with social media, you're in a hedonic mindset most of the time, meaning that you're there for pleasure, you're there to, you know, find out what your friends are doing or see what articles they're reading or something like that. When you're in the hedonic mindset, you're actually much more susceptible to basically just being co-opted by something and not even realizing it. This is true with cognitive biases as well as just, you know, if a cybersecurity event happens on your computer, you might not notice it in the same way that you would notice it if you were using your computer in a utilitarian mindset for a purpose, like a business-related purpose like doing a product review or, you know, whatever your business might be, right? Yeah. So, okay. So yeah, if I'm in business, I'm going to be thinking to protect the business. It's beyond me. It's an organization. And I have a duty, you know, not to let anything sloppy happen on my watch. I'll be criticized if I do. But I understand completely about the hedonic thing. And so, you know, I'm just schmoozing with my friends. We're exchanging little chatty things, maybe passing documents, news article links or something like that. And so, you know, it's not serious. And so I don't think too much about it. I don't worry about it. I told you before the show began that one of our hosts got an email ostensibly from me and it had my name. But when you look behind, and you can always, you know, click on the name, on the right side of the name, and it'll tell you the email of this person who sent the email, it was an address, an unintelligible address with a bunch of, you know, letters, not a name. And then it had the FR extension for France. So I don't know anybody by an unintelligible name in France. And it's certainly not me. 
Yeah, none that you can remember anyway, right? I'm saying to myself, okay, this is odd. And it was an innocuous mail they sent to him. And he was quick enough to spot it, because he didn't think it was my style, I guess, and called it to my attention. And then, you know, you get into the question of, so somebody did this, somebody targeted him in order to fool him in some way. Why? And I get to think of these guys that actually go to college to learn how to do this kind of phishing. And they have a big blackboard in there, a little room down in the basement, which has a scenario about what they say, what you say, what they say, and how they draw you in to some kind of scam. And I'm thinking, well, you know, it's almost like sleuthing. It's like investigating. So you get this ridiculous email and you say, okay, well, I'll answer it. It seems hedonic. And then you're somehow in, you're caught, you're in the net. And you're on the blackboard, you know. Yeah. And with the amount of data that's out there on every one of us, if somebody has some, you know, reasonable knowledge about who you are and what your job is and those types of things, they can lead you into a discussion that seems like it could be authentic, especially via email. And, you know, it is not a separate thing that we're also inundated, you know, in this information overload mindset, especially with email, where we have so many of them come in that we feel like we have to respond to them right away. You feel it needs a response right away. So you're trying to act, and maybe you're having this innocuous, hedonic conversation with friends about, you know, meeting up for a beer afterwards. Your mind's not necessarily going to switch right back to, like, oh, I need to respond to this other email from perhaps my boss or supervisor. And I need to be very, you know, scrupulous about the way I respond to it or who is sending it. 
And the way that the phishing has become targeted at various people, it can come from somebody you know, it can be written in a language almost that you would think that they would use. And then there's just, you know, one or two cues. So in terms of psychology, there's something called the feeling of rightness. And so when this automatic processing is going on, where you're just, like, running from one step to the other, trying to get through what you need to get done through the day and not thinking a whole lot about specifics, there's this kind of, at the threshold of consciousness, this thing called the feeling of rightness. And if everything falls in line, and it seems like what you would expect, you're not going to process it much further. Now, if you have something that falls into the category of it doesn't feel quite right, there's something a little bit off about this, maybe, you know, Jay uses a word that he usually doesn't use or makes a typo in a way that he wouldn't usually make a typo, then the feeling of rightness may go off for somebody that's paying at least a little bit of attention. And that would cause more processing of the information, perhaps catching it. So I imagine that's what your friend did. But there are probably, you know, if they can get one or two percent that are in the mindset where they don't catch that, then hey, they're gonna be able to get some information out of them. Yeah, that's exactly consistent with my experience. You know, I look for the feeling of rightness, I look for this feeling of gratification that I'm doing what I have to do, that I'm responding to people who, you know, need to hear back from me and who will be ticked off at me if I don't get back to them soon. I live in that world all day long. Yeah. So I want to, just like a tennis game, you know, I get the ball, I get the ball back over the net. 
And every time I do, I feel right, I feel good. There's a gratification there. And the guy at the other end is playing with that, isn't he? Yeah, yeah, exactly. Especially if they know enough about you just to be able to do the basics of, this person's most likely to respond to this, this is the organizational structure in this environment, this person's most likely to respond to this spoofed email versus, you know, subordinates or something like that. And information is not hard to find. I mean, it's whether or not, how high a risk are you of being targeted by an intelligent hacker versus some AI generated mass phishing attempt, right? So if somebody's pulling a few pieces of information together and putting it in an email, they can probably pull in quite a few people. Well, you know, I mean, we're talking, I think, correct me if I'm wrong, mostly about phishing. Why phishing? Because you don't have to be a rocket scientist to do phishing. You can just be an ordinary schlub who wants to have fun, maybe harass people or give them a hard time, maybe steal from them. But you don't have to know that much. What you have to do is you have to have the blackboard and some psychology on how to handle this. And maybe, as you say, a little background on your target. Right. And the phishing seems to be the thing to worry about now in the time of COVID because there's more phishers out there than there are rocket scientists who know a lot about, you know, hacking into business enterprises. Although I'm sure that still happens and maybe it's happening even more right now. But let's talk about phishing. You know, what are my risks here? Suppose, oh, you know, now that we've had this conversation, the guy that got this email from me, he actually works for the government. That could be on the blackboard. Yeah, yeah, that could be. There could be something that, for some reason, they are targeting in particular. 
There are, you know, if you are a wise person that's trying to do the spear phishing attempt and can do the things you're not supposed to be into, you're going to be kind of focused on who you're going to pick as a target. And it could be a bunch of people, you can send these out, you know, thousands of these phishing messages out. But you might be targeting a certain group or something like that. And I think that you're absolutely right. I think, when people come into my cybersecurity classes, generally they think a lot of the cybersecurity attacks are like brute force attacks or, you know, penetration type hacking. And that's not really as much of what we're seeing going on right now. We're seeing a lot more of the social engineering type attacks like phishing, where you try to trick somebody into thinking, oh, this is from a legitimate source, and then you gain access to the computer in some way. Or, oh, this document that I've downloaded came from a reliable location. And then, you know, it's now installed something on your computer. So it's really about tricking us, because I think we might be the weakest link in the whole process, into doing something that's going to compromise our system. Yeah. I don't know why, but it reminds me of a show, a radio show that ThinkTech did 10 or 15 years ago about a guy who went to prison. There are not enough of them, for hacking. His MO was really interesting. He would send an email to his target saying, you know, do you want a free program? We'll do this and that. Let us know. And the target would say yes. Okay. And a few days later, the criminal would appear at the target's door one morning in a UPS outfit. And he would hand him a box. And in the box was a disk. Remember, this is 15 years ago, before downloads were coming in. And the target would take the disk, it had instructions, and he would install it on his machine. Now they had him. He was part of their, you know, network. 
And the way this guy got caught was so interesting. He appeared in front of one guy's house one morning with one of these boxes. And the guy opened the door and he said, where's your truck? I don't see a UPS truck out there. There's something wrong with this picture. And that resulted in a fellow going to jail. The feeling of rightness was off there. I mean, you know, this all plays off people being, what's the word, gullible and falling for these deals. And, you know, I think right now we're all in the hedonistic category you talked about. And so we have to follow some rules. So you have some rules for us to follow to sort of screen out where they get us. Because otherwise I think we'll be on the blackboard. Yeah, yeah. I mean, I think that the most important thing, one of the things I've advocated for organizations to do, and some of them have started doing this already, is to send out phishing emails that are like tests to see if their employees will click on them. And if they do, then they go to some training or, you know, they might get locked out of their account for 15 minutes, who knows. But you can put a bunch of different ways into it. But in terms of us as the consumers of the phishing emails and the consumers of the social engineering attacks, it's really about recognizing any type of thing that would throw the situation off. And so you're getting an email. Maybe it seems like it's coming from a legitimate person, but just take that extra few seconds to scrutinize it a little bit better. The idea is to improve the underlying heuristics with how we process this type of information. So some of it has to come top down. I know that some of the universities and some businesses now flag emails from people that are external to the organization. 
So if I get an email from somebody, it might say this email is coming from somebody outside the organization, pay extra attention. Now, whether or not that actually works is still probably yet to be seen, if it really has a measurable impact. But for now, now that it's more of a novel thing, people pay more attention to those. Now they say, oh, okay, I have a warning. Let me make sure this is coming from the right person. And especially, like I was talking about with you, if my department chair sends me an email in a context that was completely expected to happen, and asks if I can meet up with them in a few minutes, and that was all within the realm of something he would normally do, and there was a flag on it that said it was coming from somebody outside my organization, I would have been much more likely to catch that. I caught it luckily anyway, but just barely. But I would have been much more likely to catch it had there been a flag that said, this isn't from your department chair's email account. This is from somebody else's. So that's the top-down side. Now the other side is just, yeah, we got to kind of pay more attention. When you're in these modes of, like, I just got to get out these emails, I'm going to respond to, like, 50 emails, just triage the ones that seem like they're just a little bit out of place so that you can look at them a little bit closer later. I think that's probably the best way forward on phishing for right now. You can train yourself to do that. You can actually, I mean, I've been trying to train myself to do it, to look at it with the drone's eye just for a second and say, does this fall within the, what did you call it, the feeling of rightness? Yeah, yeah. Is it in these boundaries of what I would normally expect? Or is it right on the fringe of it? Or is it far away? 
I mean, like now if we get an email from somebody in a faraway land that is talking about our, you know, aunt that just died, we all kind of have that schematic of, oh, that's most likely not something I should be responding to. But of course, the attackers evolve and they get a little bit, you know, more specific, especially if they have some information on you where they can be like, okay. I've noticed too, and maybe it's just me, but in the past 30, 60 days, I have received more junk mail, including a lot of political mail, than you can shake a stick at, every day. My thumb is sore from deleting all of it, my index finger, whatever. And it keeps coming at me and everybody wants my email address. Whatever you do, they always get your email address and then presumably they sell it or give it away to somebody and it travels around the internet, probably for a price. And then you got all these people who are sending me junk mail. And some of that junk mail is going to be dangerous. Some of it is going to be phishing mail. So the question is, and this is a sort of a broader question, is I'm having trouble managing this. I don't know how. I tried, in the Apple case, I tried to screen it out by saying, you know, mail from this sender, delete it. I don't want to see it. That didn't work because then it would be another sender. It's like they're scanning radio frequencies. You know, as soon as you nail one address, one sender, then they've got another sender. Yeah, yeah. So you can't get away with it. They'll be on you as long as they have your address. I tried to change my address. That didn't work either because they found me in no time. So the question is, you know, how do you protect yourself? Now, a local guy has been successful in something called power spam. And my law firm used to use that. I don't know exactly, you know, what he's doing in the local market right now. 
Maybe, you know, he's everywhere. I don't know. And his claim to fame is that he's going to screen out all the spam. But query, do I look at something like that? What do I do to protect myself from this onslaught every day? And there is this danger in there. I have to look at it all. Well, I think the number one thing, and this is probably the most important thing you can do to protect yourself, is make sure that you have second factor authentication built in. And it's obnoxious. And people don't like it. I mean, people don't like having to do that second step. So the idea of second factor authentication is your password is something you know, and then you have a device that is something with you, it could be a hardware device that you plug into a USB, or it can be your phone that has an app installed on it, so that you have these two steps of verification. That way, if your email is compromised or an account is compromised, because you accidentally fall for a phishing email, you will not have the same amount of damage as if that weren't set up, where they could get in and start sending emails from your address. So having that second factor authentication, yeah, when you log into your email from, especially if you're not at a normal computer, you have to have your phone with you. It's like what the bank does with the code that they text you, though there's a few problems with that. So that's the number one thing you can do to protect yourself. Now, how do you stop the onslaught of information is a completely different thing. And I would say, you know, we have spam filters that the University of Hawaii uses and stuff gets through it all the time. And we'll get an email from our tech guy, and he'll say there's a spam, a phishing attempt, that's been sent out to the professors. Here you go. But sometimes we don't even get that. 
And sometimes it is, you know, literally the department chairs being spoofed and they're trying to get something specific in terms of account access or information. And so, other than being vigilant right now, and using those spam filters, and maybe, you know, with calls, it seems to still work a little bit where you can block the calls, and they're starting to put spam filters on calls as well. Those things work a little bit. But like you said, they're gonna find your new address or they're gonna get through in one way or the other. So it's what you do to protect yourself after, if you were to accidentally fall for something, that's probably more important at this point. You know, I have a password program, which they tell me is very secure. I'm not sure I feel all that comforted by it, because if anybody hacked into it, I'd have a real big headache. And I wonder if that's adequate, or maybe the technology is moving to a point where it becomes adequate, where there's enough security around these password database type programs that are accessible on the net, right? You can find them from any number of machines and places. You think they're a worthy risk? Because if I have to remember them or carry around a little yellow pad with all those things, I, you know, I'm not functional. I have to have something like that. Yeah. Right. And the ridiculous thing that cybersecurity professionals like me advocate, use a different password on every site, that's impractical right now. So the best advice I can give is triage the sites. It's like your bank site should probably have a unique password. Whereas the blog that you randomly post a comment on every once in a while, it doesn't need to be, it can be a common password, and, you know, you don't need to triage that and memorize it. 
Now the password managers, I used to have a different feeling about it until a few years ago. One of them was hacked, it was LastPass, and the way they dealt with it was actually comforting. The way that it was technically set up is that there were two different, basically, databases, and the one that was breached was the account information, but you couldn't get through to the actual passwords. As soon as they detected that breach, they shut all of the accounts down in LastPass and then they made you go through, they sent you an email and they made you go through several different steps to verify that you were you and that you could have access back to your passwords. So for them at least, it was a demonstration of what would happen had it been hacked. And since then I've been a little bit more comfortable because, you know, you see somebody's cybersecurity plan in effect, and that seems to be effective. Also, they didn't have any passwords that got out from it. It makes you feel a little bit more comfort in the whole process. You know, in entrepreneurship, which you guys at Shidler talk a lot about, you know, the first priority is to find out what the problem is. And sometimes what the client wants may not be the real problem. You have to use Stanford's, what you call, design thinking to figure out what the real problem is. Okay. But in other cases, the real problem is obvious. Then you and I today are talking about real problems that need to be solved. So one of those problems is how I can have easy access, individual access, reliable access, safe access to my passwords. And I've always said that that's the kind of problem where the guy who invents an acceptable solution will make Bill Gates look like a piker. So what kinds of technology do you think will ultimately prevail? Because there will be an answer. Somebody will invent something. 
Is it the retina in your eye? Is it your, well, we already have fingerprints. I'm not sure that works really well. What do you think will happen here? Because the notion of having a password manager, which is a hassle anyway, and which may not be all that secure, like LastPass, you know, it may not be a long-term adequate solution. There will be one though. I think, you know, whatever mankind can devise, mankind can get around. Yeah. Well, you know, I would love to be the next Bill Gates, but I don't think that's happening any time soon. But what I would say is that biometrics is not the solution, at least in the way that it's being used right now. So like retina scans and fingerprints. What happens is that your phone or your computer is creating a digitized fingerprint for you, like in hexadecimal, and passing it on. So if that hexadecimal string of characters gets hacked, they may have essentially your fingerprint, right? It's not your real fingerprint. It's a fake one, right? And the same thing can happen with retina, with facial recognition technology. Somebody that comes across your phone might not be able to do it very effectively. But in terms of getting through into an account, having, you know, a fingerprint that gets you through to it, I don't think is going to be the ultimate solution of where we move from. Now, in terms of, like, wearables and things like that, something like that could do authentication. I know, you know, my Apple Watch, for second factor authentication, it's kind of like the Duo app is the one that UH uses. It comes through on my wrist. I can just hit approve on the second factor authentication and get through into my email. And so it's not, where's my phone? I've got to pick up my phone and I've got to bypass the lock on that and then hit the accept button. It's just, I look down and it's on my watch. Okay. 
So I mean, it's just, I think the first step is making that easier and more accessible to more people, something along those lines. And I don't know what the innovative solution is going to be. There will be one, though, I mean, because effectively, you know, passwords are pretty much junk these days. You know, with quantum computing, you know, you get longer and longer passwords that are easily hacked. So we've gone to talking about passphrases, which is you put in, you know, a really long line that you remember or use some sort of thing that you have memorized. And that'll work for a while, but there will be computers that are able to hack through that at some point as well. And so yeah, I think you're absolutely right. There's going to have to be a solution, and the person that comes up with this is probably going to make a lot of money. Yeah. I would say voice, voice print. But I think, you know, the waveform of your voice, that doesn't sound like it would be, I mean, they are copying voice prints all the time. There are technologies out there that can copy that and they can create your voice. So I'm not sure that would be, you know, fail safe. And then of course, there's DNA, you know, the double helix, which is unique to you. But, you know, these days, we can get a kind of sample of your DNA so easily, but then so can a third person get a sample of your DNA so easily. It's being passed through computers, and it's not like you actually need my double helix to actually authenticate me if it's being passed through the digital medium; then that's going to have to be digitized in some way that can be copied. So it's not necessarily the DNA that is going to have to be copied. It's whatever the computer does with the DNA, and then passes along to the server for authentication. 
So there is something that's more interesting that's a little bit more dynamic, and those are certain behavioral biometrics, is what they're called. So, like, there are algorithms that can pick up on, with pretty good accuracy, your keystrokes and how you type. And so the pattern in which you type, the pressure that you're putting down, all these different types of things could be used, and that would be much harder to replicate because it's more continuous and it's more, like I said, more dynamic than just passing, you know, a 256 hash of somebody's DNA to another computer. Sure. It's the rhythm of your keystrokes, how much pressure you put on your keystrokes. Yeah, I've read about that too. That might be a solution if somebody can come up with it. Yeah, I think that's probably more promising. Suffice to say that we are in a time when, I mean, this goes larger than just phishing and, for that matter, hacking, even really felonious hacking. Because we live in a time when law and order is under attack and people are going to feel that if they can find an opportunity, they can use it. And in truth, you know, I mean, we can speak about this maybe the next time, people who do this sort of thing are usually not caught. They're usually not prosecuted if they are caught. And if they are prosecuted, they don't get, you know, a long sentence as would, you know, deter others from doing the same thing. It's still kind of a gag, I think, in a lot of jurisdictions. Yeah, and there's differences. Right, like if somebody's doing something in another jurisdiction, it might be really hard to track them down. You know, there's a Melissa McCarthy movie, Identity Thief, that basically talked about that, how the states have different, you know, rules with that. So yeah. Well, Randy, the world is our oyster on this. And the chaos is definitely there. So let's be on the solution side instead of the chaos side. Let's do some more. 
Randy Minas of the Shidler College of Business, professor of information systems, who has developed the master of science program there. We'll talk again soon, Randy. Thank you so much. Sounds good. Thank you. Aloha.