 Hello everyone, can you hear me? Okay, good. As you know, we've been having a couple of issues, but I think we bought new cables, and so we should be fine. A couple of very brief announcements. Please turn off your cell phones. I wanna remind you that we have our annual meeting, first one since 2019, on the 28th of April, which is our last lecture, so it will precede that. We'll start at 1.15, and we want the people on Zoom to also join in. We'll start sending out a few documents this coming week and then follow it up with others week or so before the meeting. Feedback forms, thank you. Thank you for filling those out and sending them back. We're still accepting them. If you didn't have a chance, please do send those back to us. We would really appreciate that. And those of you who signed up for Front Porch Forum, thank you so much. Cindy, who's coordinating that, has had a computer issue, has nothing to do with Triple E. So next week, she will be sending out to all of you who have signed up, instructions on what to do. So thank you so much for that. Okay, so now without glasses, this could be a bit of a struggle. I wanna introduce Sergio, whose last name I cannot pronounce, and he gave me permission to just say Sergio. So he holds a PhD in information systems and technologies in the field of cybersecurity and is currently associate professor and department chair of cybersecurity at Champlain College, serving as program director for the undergraduate degrees in cybersecurity and in software development and for the master of science in digital forensics. His experience includes academia, industry and public service, and his research interests include information security, intelligence and information warfare. He was a researcher in several projects, including a project promoted by the Ministry of Defense of Portugal. And he was an academic member of the NATO multinational cyber defense education and training project, very impressive. 
He is a member of the editorial committee of the International Journal of Electronic Security and Digital Forensics, participates in the scientific community of several international conferences and regularly serves as reviewer for multiple scientific journals. His publications have close to 700 citations. I know. Sergio lives with his wife and daughter in South Burlington when he's not working. He enjoys wood carving, following the investment markets, reading and assembling jigsaw puzzles. We have a couple of things in common. Please give a warm welcome to Sergio.

Thank you. Can everybody hear me all right? So first of all, thank you for having me. Thank you for welcoming me in your community, not just the EE community, but also the Vermont community, which became my house in 2018. And the Vermont community is becoming my family and we couldn't love it more. So welcome for, thank you for all of that. It's a pleasure to be here, not only because I really love talking about this topic, but also because it takes me out of the house. I've been working fully remotely since COVID started and I am in the Champlain College online division, which means that our close to 2,000 students are all over across the nation, 50 states and some abroad. And our faculty members, one of them is here today and thank you for your service with us. Our faculty members are also across the nation. And I usually say that while I miss being in a classroom, the online space is really great for our mission, because we can help the students wherever they are. They can work and study, which is an equity issue, and we can select the best instructors in the nation instead of selecting the best instructors in Vermont. So happy to be here and we don't have much time, so I'm going to go through the presentation. And the agenda that I have today for you, here it is, is a brief overview of why cybersecurity matters for all. 
And I'll start by going from outside in from the international perspective that brings us to the national security aspects, to corporations and then to individuals. And then I'll go through a non-technical description, this is not zeros and ones, and I know that's not what you want. A non-technical description of the type of threats and attacks that we face and a few practical tips. All going well, we'll have time for questions and you can use that time to ask more about whatever in this you feel you need. I also know that we have a limited time, but after we finish, I'll be happy to stay and chat with whoever has additional questions. So why cybersecurity matters? So to start, Russia is all over the news right now, don't need to explain why, but Russia has been playing in the cybersecurity space for a long, long time. Back in 2007, Russia attacked through computers, Estonia, bringing the country to a halt. Just imagine what would be life without ATM machines, without digital payments at supermarkets, without being able to file the IRS, anything that we do remotely, the computers at hospitals couldn't work, the country was brought to a halt. And it was a transforming time for the Western world. NATO, as you probably know, has an agreement, if one country is attacked, everybody's under attack, but the spirit of that agreement was not a computer attack. And so, Estonia asks for help from NATO. And honestly, nobody's going to start a nuclear war over a war on computers, so there was a lot of politics going around. And from the technical perspective, it was extremely challenging and nobody was ready for it. And there was no way to stop the attack, except to disconnect the international cables and isolate Estonia from the rest of the world. So they could operate internally, but if an Estonian citizen was abroad, they could not use their credit cards, for instance. And so that changed NATO, and NATO has worked since to develop agreements. 
That also resulted in Estonia having a center of excellence for the research of cyber security, so I know this is on TV, but I'll say it anyway. We threw a couple of million dollars into Estonia to kind of quiet things down. But that prepared us to what was coming next and Georgia was attacked one year later. That attack was combined with boots on the ground attack. Georgia was not so developed, so the impact was not the same, but it did transform the way we see Russia as a player. And I can tell you that we estimate that in 2021, cyber criminal activity coming from Russia cost the US more than $500 million. So it is significant. China, another big player. You probably heard the news last few days about the TikTok and stuff like that. China was the first nation to actually identify computers as a weapon. And in 1995, there was a publication out of the Military Academy of China called the Challenge of Information Warfare that discussed how computers could be used for a smaller country or a country with less military capabilities to kind of gain an edge in a confrontation with the West. In 1999, they went beyond that and wrote a paper, three authors, two of them are now important generals in China, and one is an important academic, called War Beyond Limits, where they discussed how they could use environmental warfare, floods, generating floods and things like that, financial warfare, economic warfare, and cyber warfare in case they had to have a war with the US and its allies before they had the military capability to confront us in traditional terms. So since then, since the late nineties, all of the allies in the Western world have been paying close attention to a country that has a very different culture and a very different way of approaching any situation. When we talk with someone with that type of culture, yes means I understood, doesn't mean I agree. So it's a challenge in many, many things. North Korea, a strange partner of our adversaries. 
I don't need to say much about the weirdness of the situation in North Korea, but between 2011 and 2020, they were able to steal from the US about a billion dollars through cyber criminal activities. And in 2021, we estimated just in that year, more than 400 million dollars of money stolen from the US by North Korea. So this is complicated and there are other places in the world where we have significant tension. We, in the broader sense of the Western allies, slowed down the Iranian nuclear program through a virus. There's conflicts constantly between Israel and Palestine on the cyberspace. India and Pakistan have constant quarrels in the cyberspace. So this is an ongoing aspect of national security. And somewhere in here, I have a phone. This is my piece of the border of the United States. It's through this phone connected to the internet that somebody from outside can attack us. And so I'm responsible for keeping this small piece of the border safe and protected. That's my responsibility to you all. And that's why from an international perspective, and the national security perspective, cybersecurity matters for every single one of us, because we are going to be as weak as our weakest link. I'll talk about these charts in a second just to say that this is also a significant threat to the corporate world. Some of you might know that a corporation in Vermont was recently attacked. We all know about what happened with UVM recently. So the corporate world is also being attacked. 2021, we lost more than a billion dollars in ransomware. To those who don't know what this is, I'll explain in a few minutes. That's the risk of data destruction, industrial espionage, leakage of client data. Denial of services, it's a very easy attack and very hard to defend where they just can't operate. Doesn't take a lot of sophisticated means to stop someone from operating in the internet. Just think of the internet as a service, just like a clerk. 
And if we ask too many things of it, it's going to take time to reply. So if a million people decide to ask my computer something right now, it's going to take a million milliseconds to give the answer. If all of those are fake and one of you actually has a legitimate request, my computer is going to put you on the queue and it's going to take forever. So it's a very complicated thing to defend from. Defacing is transforming the websites of companies just to create bad public relations for the company. The corporate world is at threat here. And the reason why these two charts are here, the chart on top is the price of Bitcoin, the cryptocurrency, in the last five years. And you can see that we are kind of in the low there. The chart on the bottom is the price of Bitcoin since January 1st. And so you can see that it's been growing and it's up 70% this year. Historically, what that means to cybersecurity professionals is that another wave of attacks is coming because they ask for ransom and they usually ask in cryptocurrencies and then they are going to need time to do the laundry of all that dirty money. So they don't want to do that when the price is going down because by the time they have done all of the washing of their clothes and the money is worth far less. But if they do it when it's going up, they're actually gaining value while they go through the laundry process. So looking at this chart at the bottom is scary for people like me because we know that soon we'll have the situations like we have with the fuel pipeline where the UVM attack was a ransomware attack, colleges, hospitals, nobody is safe. And so another challenging time seems to be coming. 
For a citizen, there's the risk of identity theft, social security numbers, date of birth, all of that information that we keep placing everywhere and that we are asked to place in so many places can be used to do unauthorized, open fraudulent accounts for unauthorized purchases, even commit crimes in the victim's names. Privacy invasion, disclosure of health information, disclosure of communications, private communications, which usually what they do with that is that they come back to you and say, we have this on you that we know that you don't want others to know, you can pay us or this will be published. And financial loss. There's a lot of ways by which they try to get our money. It can be by ransom, it can be by tricking us to giving them the money for some reason, like the IRS is calling and you owe $500, you pay now or the police is going to knock on your door. There's usually a sense of urgency attached. Or just by capturing what you do on your phone, on your computer to get your credentials to your credit card account, to your bank account, and then just using that to steal your money. And then there's psychological harm because often there is also cyberbullying and online harassment in these spaces. And the social media for me and the internet is one of the best things we develop in the world. I'm able to talk with my mother every day because I have social media and we talk through an app that I'm not going to name because I don't want to advertise any apps. But it's amazing how we stay in touch with colleagues from college that would be much harder we would meet maybe once a year. Now we can follow each other's lives. But just like the car is great, but it's also a dangerous tool, it's the same with the internet. And so we need to be aware. So this is, in my perspective, an overview of why cybersecurity matters. It's our social responsibility to our neighbors, to our corporations and to ourselves and our family. So some common attacks. 
Just to realize that my computer started counting the time a long time ago, so I will need to look at the watch which is something I don't like doing when I'm doing this. Common attacks and some practical tips. And I won't go into much detail. I want you to have an overview of what it is and offer the practical tips and then we'll use the time for questions and I'll expand on whatever you want. I could talk for, we have bachelor's that take four years, a master's that takes two. I can talk at least for six years about this. So passwords. Passwords, I've always said that there's a thing called, actually missing the word, the paradox, the password paradox. So what makes in theory a good password? It has to be long, complex, have no complete words in it like semantics or no semantics attached. We need to change it every month and have different passwords in every single place that we use them. And then we need to memorize them. Okay, so we need to memorize them. So what does that mean? That means that they have to be simple and that we can reuse them, right? And it has to be easy to memorize. That's a paradox, passwords are never good. That's why I started working in cybersecurity back in 2002, professionally. Professionally, I started a collection of computer viruses when I was a freshman in college in 92. So I was already into cybersecurity, but professionally I started much later. And my area of focus has always been authentication. How do we know who the person is so that nobody can impersonate me in the internet? And it has been puzzling me for the past 20 years that we are still using passwords as the tool to know who we are. And for many years, I went against the tide and I always said this idea that we cannot write the password down is absurd. It contradicts who we are in nature. 
It made total sense when passwords were for computer professionals that had one, maybe two passwords to access in their corporation, the big servers, but now how do they want me to have the 50, 67 passwords that I have changing constantly and being complex? Passwords are never good. However, we need to wait for the technology and the corporations to make the changes. And so we have to deal with them. In my phone, I don't use a password. I use a graphic authentication to access which is better than passwords. I also have biometric authentication there as a second tool. And I don't like it as a second tool because then we have the worst of wherever fails it's what they are going to use to attack but that's a different conversation. We need to wait for that. So what do we do with passwords? Well, my recommendation where we are right now and I know I'm switching the approach to this is that I use sentences. Easier for me to memorize an example there that now I can't use is March has 31 days. It's a sentence that I can memorize and I could just take a note on March on my notebook and then I know what my sentence is because I know that March has 31 days. And if you look at that sentence it actually has a bunch of characters. I don't even need to know how many they are. It's five, six, seven, eight, nine, 10, 11, 12, 16 if I'm not mistaken. It has symbols because the space is a symbol. And we could add an exclamation mark or something like that at the end if we wanted to. And it has numbers, the three and the one, has uppercase letters, the M, and there's a lower case. So it kind of fits the bill of what a good password is now considered to be. My recommendation, and that's what I do is keep a notebook, have more complex passwords that you can still memorize in some way but keep a notebook with them. Just be careful to where you have that notebook. 
Don't carry it around in your purse because then if your phone is stolen, somebody steals your purse, the phone goes and the passwords go too, right? So mine is at home inside the safe. It can be a drawer with a key or just behind some of the other books, a place that you feel it's safe. And this is all a balance of risk. There is no such thing as 100% security. We balance risks. So is it more likely that somebody is going to attack my email if I have a poor password? Or is it more likely that somebody is going to steal my home and take the notebook? Right? And so we balance the risks. Everything from the personal attitude towards cybersecurity to the national security is about balancing risks. We don't own one F-35 for each person. Makes no sense. When we talk about gun legislation, we talk about balancing risks. What is, and if it was an easy decision, we wouldn't be challenged with this as a nation for so long. There are pros and cons everywhere. So we are going to find different balances, but we need to find the right risk balance that works for us. That's how we need to do. And one good thing of America is that this is, for the most part, a free country. And so we have responsibilities and we know or should know what they are. And then we do our best to deal with that. And don't let anybody tell you that the way you're doing it is not right as long as you have an informed decision. Because professionals, if they are good, they also are not going to tell you what's correct. They can tell you what they think is the best approach, but every single person is different. Just think of a situation where you have a challenge in your home. Maybe somebody at your family is dealing with addiction. That's a situation where we don't want to have a notebook with all the passwords for the bank accounts hanging around. So every situation is different. Just think of all the, spend the time to make the decisions. 
And two factor authentication is that terrible thing where to enter anywhere, not only we need the password, then we need to receive a text in our phone, and it's not convenient at all. But for the bank account, the credit card, the more sensitive things, it's worth that extra effort. Again, I'm not the type of cyber security professional that is going to tell you, use two factor authentication for everything. That's not how I see this. For every single situation where you are offered the possibility of having two factor authentication, spend the time to think about the risk. Do I want the convenience? Do I want the security? And knowing that if we lose too much convenience, we are going to do what we used to do before. Write things on a post-it and place it under the keyboard, right? People are going to be people. We are human beings, and we are going to circumvent if we ask too much of ourselves. So we need to select where we spend our energy. So why are passwords a problem? I skipped that. I get excited when I'm talking and then kind of lose track, but that's why I need the slides. Criminals can use brute force attacks to find simple passwords. A brute force attack is a system where they just try every single possible combination. They have a computer to do that. That's why we are often timed out. If we try more than three times, you're going to need to wait 20 minutes. That's a defense mechanism from that website to prevent that type of attack. Sometimes they can circle around some of those protections. So that's why we don't want short passwords because the computational power has been growing. And now it doesn't take that much to guess a six or seven character password. But it's unbelievable. As we add one, the time grows like crazy. And the 15-character passwords, they might still find it, but not in our lifetime. It's going to take a hundred years as we are right now. 
We could talk about the impacts that quantum computing might have in a few years, but I'll leave that in case someone wants to ask about it. Criminals can use dictionary attacks to find passwords that are just one word or common use passwords, or passwords that they found in other places where the information leaked and they have a list of all the passwords that were used in LinkedIn, for instance, in 2015. So they'll use those lists as dictionaries. And instead of trying all the possibilities, they'll start with those. And so if your password is the same password for the last 10 years, and it was in one of those incidents, then it's going to be in that dictionary and it's going to be found really quickly. Phishing scams. So fishing with a "ph". A phishing scam is an attempt by cyber criminals to trick individuals into sharing their sensitive information. And this applies to individuals like us, citizens, and it also applies a lot into corporations. This is a type of email where somebody sends you a coupon. You click on the coupon to activate the coupon and you're directed to a website that looks like the original website. So they ask you, okay, to get the coupon, insert your date of birth, insert this information and that, and you want the coupon. And this happens a lot with kids. My niece should know better, even that I'm... But she was excited with a really cool price for an iPhone. And there she went and she shared information and then we have a problem. So there are tons of ways for them to try to trick us. And the tips here, the most important is stay vigilant. Suspicious emails, text messages, phone calls. I've been receiving a ton of text messages from people that just say, hi, John, how are you doing? And the expectation is that I reply, I'm not John. And start a conversation and then trick you into something. Sometimes people ask me, so how does this work? 
Why, if they get $300, this works for them to spend the day trying to trick people to get $300 here, $400 there. Sometimes it's really a lot of money. I dealt with situations where it's hundreds of thousands, but for most people, we are talking about $300, $400. It's easier to get people there. You need to think that most of these attacks are not coming from inside the country. Most of these attacks are coming from places where $400 is a ton of money. And so if they get one victim per month, they are already doing well. But if they get one victim per day, then they are doing really well. And one thing I've learned through my life is that there is no such thing as a criminal organization that works just in one thing. When we start going to track the money, all of that, we find that the criminal organizations are large corporations operating in the entire spectrum of criminal activity, from weapons. I can tell you that back in, so Estonia was 2008, 2000, yeah, around 2009, we were tracking what happened in Georgia with the Russia cyber attack. And we found that the same group that was behind the Russia cyber attack to Georgia also had websites where they would sell credit cards from American citizens. They would basically steal that information when they were traveling abroad as tourists. The Russia, as you know, came from the Soviet Union. There was a lot of unemployed military personnel, intelligence personnel, and a lot of them dedicated to crime. And so they would target tourists from Western countries, mostly the US, and just find a way to copy it. You went to pay for gas, you give the credit card. They swipe or didn't work. Let me try another machine. Finally, pay you. The first machine just copied your card. And so they would sell 100 credit cards from the US, along with the pin that they captured through the camera when you were actually paying. And the website was amazing for me at least. It was my first experience dealing with this type of situation. 
It had a frequently asked question and the support service. And the frequently asked question said, do all of these cards and pins work? And the answer was no, some of them, the owner changed the pin in the meantime or the credit card expired, just to return those to us and really replace them. So better client support than some of the business I know. So, and they were also selling fake passports. You could buy a US passport, a UK passport, and the Russian passports that they were actually selling, they were actually legitimate passports, which tied us back to the government of Russia and served as the final proof that the government was, not always 100% proof, but beyond reasonable doubt that the Russian government was involved. And so when we go with this, these are organizations that recruit people to do criminal activity, and that are involved in very different activities from illegal guns to human traffic to this type of scam. And because of the changes in currencies, this type of wide net attack works because getting $400 a day is going to pay for more than a salary of the person attacking them. So if you receive a phone call from an unexpected source, this is a tip that I think it's really important to not talk. So our natural reaction is to be polite. That's how we usually do it. And even more in Vermont, where people are really, really nice. And so we say hello or something like that and people will ask you to tell us something. And we are talking until we realize that this is not working well and something is off and maybe we turn off the phone or something. That's not the way to do it for a simple reason. They are recording what you're saying. And a lot of places now use your voice to confirm that it's you. So you call your bank. You say you are. The software is analyzing your voice to give them an indication that it's you. What they do is they record your voice. It used to be just to assemble parts. 
Now with artificial intelligence is just to reconstruct your voice so that they can say whatever they want with your voice. So they'll try to ask you things that don't seem like a red flag just to capture your voice. You'll notice that some of those calls when you answer, if you don't say anything, nobody speaks on the other side. What I usually do is I just snap. That will trigger the system on the other side to actually assign the call to somebody. And when they speak, because if it's a normal person, we'll hear something like hello or something. And my limit of what I say is hello. Anything beyond that, unless somebody on the other side, say it's on, oh, got you. But usually I have their number. But this will trigger the reaction you'll know who's calling, say no more. They're calling saying it's your bank and the phone. Go to another place, the internet or your phone book or whatever. Find the number of the bank and you call them back. Don't make the mistake of calling that number back. You want to make sure. Even if the number seems to be the same, don't just reply. There's a ton of tricks that go into the way the number is presented to us. The number that is calling us might not be the one that is showing on our phone. So even if you pick up the phone shows, UVM is calling me and you answer the phone and they say it's UVM and they ask for your social security number. Sorry. But ideally when they call you, either you already expect that call, you're expecting them to call you because you're expecting an appointment, that's fine. But if they are calling you and you are not expecting that at all, try to limit what you say to ask, where from UVM are you calling me? They will tell you, you hang the phone, call them back and ask, and I talk to cardiology. And so you are initiating that conversation and you know who you're talking with. So try to limit in those situations being polite because they will capture things like, how many kids do you have? 
That doesn't sound like an important information. I'm going to reply one. Can you please confirm the number of your building? Well, I live in a building with 40 other units, one-oh-one shouldn't be too bad to say, but now they have my voice to say one and to say one, oh, right? So if they, how many grandkids do you have? Four, now they have exactly one, zero, and four. So in some places where you call, they are going to ask you, can you please confirm your pin? And now they have numbers, right? They'll challenge you to say things. And so really be aware of your voice. Best practice using the internet or email, I'll talk about that in a few. Phishing. Most of the attacks we see on email right now are about phishing because that's how they get, even the UVM attack and things like that, the things get there through phishing. Malware and botnets, this is not something that we need to worry from a technical perspective, but it's really important for us to understand why we have that corporate responsibility. This is basically huge groups of computers that come together to do an attack. So if we want to stop UVM from operating without infiltrating their network, we can just throw in 500 million requests to their website per second. To do that, we need 500 million computers. So criminals don't want to buy 500 million computers and pay the power of 500 million computers and all of that. So what do they do? They spread computer viruses that we get infected and then we don't know, but our computer starts when we are not all, most of the time, even when I'm using the computer right now, 70% of my computer computational power is not being used. I'm using the network to transmit this, but about 70% of the network is not being used. So what the computer starts doing is running an attack in the background. And so they spread viruses so that all of us become the attackers. And that's why even malware that doesn't hurt us directly is going to affect our community or our nation. 
And malware, botnets are that malware can make us a bot in that net, but malware can, we usually call it virus. Technically, I wouldn't write there virus because technically that's not correct. There's a multitude of categories of virus, but it is what we usually call them, a computer virus. Computer viruses can do that and make our machines weapons to attack others, but computer viruses can also do other things, like capture every single thing I type and send that to an attacker. That includes the website where I just typed the bank and then the login and the password. It includes the emails that I wrote to my family. It includes everything that I type and that is sent, and then it used to be a criminal sitting behind the computer and analyzing, going through that. And now we have an artificial intelligence that can do that for them and find and make it. So artificial intelligence is great in the sense that it's going to transform our lives and make amazing things. But it's almost, at the same time, it's the most dangerous technology that we created. And so it can steal all of that, including banking credentials and send them away, use us to commit attacks or simply destroy our systems. And since the beginning, the Friday 13th virus that was popular in the late 80s, attackers had the capacity to install once we help them install because it doesn't just get here. Once we fail and in some of our protection we let the virus in, it can just sit there waiting for a specific moment in time. It can be a specific time date or it can be an order coming remotely. So if you think of a scenario of an international war with one of our adversaries, if they have the ability to just delete everything in our machines at a push of a button, you can see the impact that that would have in our ability to defend ourselves. So some tips, do not download software from untrusted sources. I know that we all like to save some money and get some free software if we are looking for. 
We don't want to pay the Office license. Yep, but it's a price to pay and update your software regularly. I know that it's tempting to say snooze, update later and we keep going. Right now, some systems force us after some time to do it. But the fact is the moment you get that alert that an update is available, that update exists because somebody found a vulnerability in the system, already used it to attack. Somebody found that, we found the solution and then create, send the update. So if you update immediately, you're already one to four months late. So you don't want to be even later than that. So finish whatever you're doing immediately, that thing that needs to be finished right there, conversation with your grandkids or, and right after that, before starting the next task, just let it update and reboot if needed. Install a trusted antivirus and this is my personal touch to this recommendation from a geopolitically aligned company. Some of the antivirus companies that are really, really good come from East Europe. If things turn south, we don't want the wolf taking care of our sheep. And so an antivirus software has a lot of control over our computer, needs to see everything that is happening, control all the traffic that is coming in, has really a high level of power inside the machine. So again, I'm not going to name brands. Some of them are usually works for them in the past, but you really don't want to have software, antivirus software that is coming from China, Russia or any Eastern country. It's not discrimination, this is security. The same way we wouldn't be flying with jets that were made in Russia, we should not have antivirus that were made by Russia or their allies. And for security practice, for internet navigation and email use, I keep saying this, but it's late. Social engineering is very similar to the phishing scams. It's tactics trying to manipulate you to give information. 
We place it in a different category just because they use a ton of more complex things to like navigating through your social media. Actually, the difference that I see in the phishing scam and the social engineering is that the phishing scam is like large scale, what do you call it? Dragnet phishing, I think that's, you throw the fishing net and whoever falls on it, that's your target. Social engineering is you select the target and you apply the same tricking things, but you spend the time, imagine that I know that one of you is a millionaire. If you are, don't forget that I'm a nice person, maybe. Maybe I know that one of you is a millionaire. I go into social media, track your profile, try to find out the name of your kids, your grandkids where they go to school, stuff like that. I call you saying, hi, I'm Paul, I'm your grandkids goes to Champlain with me, is a little bit of a complex situation. He got himself into a mess. He doesn't want anybody to know, but I'm his good friend and I wanted to reach out to you. He needs $400 to get out of jail right now before this becomes public. And this type of situation that now might seem like, oh, under the pressure of the moment with all the information that they throw in that makes it like, oh, this person knows who Paul is, the major, the age, is the name of his girlfriend. All of that in that pressure of the moment, a lot of people fall for it. And then it's going to be wire this immediately, I need that or just buy one of those pre-paid cards and just give me the number on the phone, something like that, because it's really urgent and we love our family. And so when we are placed between rock and the hard place, sometimes we take the risk or we just lose track of what's going on. But it's amazing how many of these situations have been happening. About to finish. So do not engage with suspicious or unexpected contacts, do not provide personal data over the phone and follow the best practice. 
Safe browsing, there's a lot there. I'm going to skim because I only want you to get away with one thing. You need to look for that padlock in the address. If the padlock is not there, anybody on the internet can see all the information you're sending. If the padlock is there, doesn't mean you're safe. But if it's not there, close it. It's as simple as that. That's the big getaway. And the recommendation is be careful with the places you go to, trusted sources only. If you receive an email with a link, I'm going to show you that link is to the irs.gov. Everybody can see, even in the back, okay? I'm going to place my mouse there. It is. But just because I messed this thing up, it'll be all set. Ah, I changed, okay, now it says Champlain. But it's pointing to a very completely different thing. That's my purpose. Links on the web, email internet, have two layers. One that is what we see, the other is where it is actually going. So don't trust what you read. Place your mouse without clicking and it will show you where it's actually pointing to. And if I have done this correctly, when I started it would show irs and then point to Champlain. But I'm running out of time, so you can see that it's a different thing. Don't click, don't download attachments, unless you really trust the person. And sometimes even those Christmas time is terrible with all the postcards that come with virus. And if you receive a text, an email, something that you were not expecting, call the person. Did you send me this before following it? Keep your mobile phone updated. Do not access banking or email apps from public Wi-Fi. And be really careful with texts that are becoming a problem. So the big thing here is be suspicious. Never trust anything. It's a zero trust by default approach. And that's it. Thank you so much. This is wonderful. Okay, we're gonna start with a question from Zoom. Okay. Do you recommend password manager software? I do not. A lot of people do recommend that. 
For me, the concept of a password manager software is the same concept of placing all the eggs in the same basket. And we have, just last month, another incident where one of those managers got leaked. And if you have all your eggs in the same basket, when that happens, until it happens, it's great. But when it happens, all the eggs go. All right. The other question is, would you please speak about how artificial intelligence can be the most dangerous thing to be abbreviated? Thank you. Thank you. Thank you. Yeah. Are there practical solutions that we can apply before we get caught in the web of artificial intelligence? Yeah, I worked with artificial intelligence for several years in this space. Not only of cyber security, but also, we worked on early detection of cancer through mammogram images using artificial intelligence, early detection of prostate cancer using artificial intelligence. And that's why I say it's one of the most amazing technologies we have. But the fact is that we are able to feed artificial intelligence engines with billions of data points with different attributes to it in a way that our brain just can't process it. We can't get there. So artificial intelligence can find the relations between data that we just can't do. It's like having a super brain that can capture everything that is available online and process it in a way that we just can't. That means that while we can use artificial intelligence to think for things like creating new medication and detecting diseases earlier, an artificial intelligence system can detect an attack much faster than any human, but it can also find a vulnerability much faster than any human. And artificial intelligence can detect a weapon in a large crowd much faster than a human, but it can also find the weak spot in that crowd to place a weapon much faster than a human. And so the problem we have with artificial intelligence is that we are in a weapon race between the US and China, and we are losing. 
And there's a ton of money going into our adversaries. And human beings tend to take technology to the point that kills them. We saw that with nuclear weapons. Nuclear energy is amazing, and we built nuclear bombs. And I'm excited with all the great things that we'll have with artificial intelligence, but I'm really fearful for the future. And I'll try to be briefer in my future. A few years ago, I think. Okay, Microsoft has come a long way. So the question was, do we trust the built-in security of Windows, or do we need to have a VPN? So Microsoft came a long way in their security practices. They were not that famous for that. But that's not their expertise. And again, this comes a little bit with the risk management thing. What do you do online? What type of websites you need to visit and all of that? Because if you're going to have an antivirus, you're going to demand more of your computer. You're going to need a new computer earlier. So there's the trade-off. So depending on what you do with your computer, if it's just to Zoom and talk with your family, maybe browse Facebook. I would say the built-in Windows protection is good enough. Now, if you start accessing accounts, bank accounts, and so forth, then you need more and more layers. The VPN is not that important right now. It's the antivirus software that is critical. The antivirus is going to protect your machine. The VPN is going to protect your connection. If you have that padlock, it's already encrypted. So the VPN is not adding a lot, and you are adding one point in the middle of your communication that has access to everything that you do. How far you trust that entity is up to you. How do you know if your antivirus software is from California or Eastern Europe? I'm using Malwarebytes right now, but I do not know where it comes from. Yeah, a simple Google search will tell you that. Most of the Eastern Europe have an easy-to-read name, but some don't. Send me an email. I'll reply. 
I really don't want to advertise any product public, but send me an email. I'll let you know the answer to that question. You mentioned the UVM hack, and they lost a billion dollars. How did they do that? I was up there, FBI was everywhere, and they still had to pay the ransom. Yeah, it was much more than a million. I don't want to speak to the specifics of that concrete case, but I will say that sometimes we save money in insurance. Not the insurance insurance that most companies now also have, but there's a saying in Portugal that we only lock the door after we have been stolen. Companies need to spend a ton of money to be ready to, not if, but when they are attacked. They can recover fast, and that's a minimum loss. I will not comment on the specifics of UVM, but I will say that it took far too long for what would be expected. I'm stepping out. This is terrific in terms of personal protection for all of us and understanding, but I'm also interested if you're going to be a victim of a crime in Shelburne, I think it's a, you call the police, local police you say, I think I'm going to be a victim or I am a victim of crime, what are you going to do in these circumstances? How do we punish the offenders? How do we, what do we do to protect ourselves? Yeah, that's an amazing question. When we were talking about Stonier, I wasn't there, but I was told that one of our generals said, nuke them, and another general, smart one, replied, nuke who? That's the problem with internet, to have, it's hard to know. We can find out most of it, often by tracking the money. We can find out a lot of things, but it's late. And most of this happens in international jurisdictions where we actually can't do anything. But there is a layer of this that happens inside our country, sometimes not directly, sometimes in terms of collaboration. There is a ton of work that the FBI and other organizations do to collaborate internationally. And what we tried to do is have mechanisms. 
I know of a situation recently where somebody was, ended up doing a wire transfer to the wrong account to close a real estate deal. And because banks have mechanisms in place, and this was detected in less than 24 hours, it was actually stopped and we were able to, they were able to recover that money. And so I would say that we are, Champlain College has a bachelor's and a master's in digital forensic science because of that. The problem is that not all situations will have, will rise to the level where we will do all of that work. $400 here, $500 there, it's a ton of money and for the people that lose it a lot, law enforcement does do their best, but it's one of those spaces where we are just learning. Just think of banks and Western movies and how people would steal banks at the time and how hard it is right now. The internet is only, what, 30 years old in terms of general access? So we are still riding the western of IT. In terms of artificial intelligence controlling electronic devices remotely, there have been some episodes in a report in the paper where it was suspected that even automobile functions were corrupted and there were a lot of accidents taking place. Where is it now in terms of artificial intelligence in your opinion that maybe like the entire grid for all electrical power worldwide is at risk? Is that a potential or does it even exist now? No. The problem now that you are talking about exists but it's not coming from artificial intelligence yet. We do have a serious problem of critical infrastructure security. Our administration just came out with a cybersecurity strategy that they hope will help us with that. But we do have our critical infrastructure at risk from power supply to water to have all of that. But right now for a different reason, it's that software is the only product that you buy knowing that it doesn't work well and then you pay for them to operate every month. That's the only product that works like that. 
And so every single piece of software that we have has vulnerabilities. There's an extreme shortage of cybersecurity professionals that can work on the other side not only looking for the vulnerabilities but also looking at the attacks and preventing them and doing that incident response immediately. But there's a ton. We need to spread our cybersecurity defense across all the vulnerable places but the attackers when they attack they focus on one place all coming together on the same place. And so it's very hard to defend compared with attacking. And so for now it's humans attacking the systems and artificial intelligence for now helping in the defense. And the problem is that artificial intelligence is becoming more and more available and as we move from the half a dozen players to a situation where either the player is a nation state attacker or criminals start having access to that, that's when we will be at risk. Cars and autonomous cars and every single car that we have is a computer right now. It's software, which means give me time I'll find a vulnerability and I'll be able to attack it. The question is, does your car justify that an attacker is going to spend all of those resources to attack you? But if I was the president of the United States I certainly would be driving in a 1965 car, not in America. That's a perfect place to leave this. Thank you so so much.