 All right, the two o'clock block here on Think Tech. I'm Jay Fiedel, and we're going to be talking about tech today, because tech is our middle name. The name of this show is Think Tech Talks, Think Tech Talks, Think Tech Tech Talks. Steve Larson from Slippery Rock University, near Pittsburgh in Pennsylvania. Wow. Thank you for joining us today, Steve. Thanks for having me. There is so much to talk about. We're talking about cybersecurity today, and as the internet grows, and as all those vipers out there and hackers and what, they grow, we have to be more and more careful, we have to be more knowledgeable. It ain't like the old days, is it? Nope, not at all. You're teaching this course in Slippery Rock University? Yes, I teach a course. We call it practical computer security, and we teach all the students how to secure things like what we're going to talk about today. And then those students take that knowledge, and then they teach other students. And we even bring it to junior high school across the street, and teach the sixth grade teachers how to keep safe on their smart phones and things, because we're noticing that sixth grade is when most kids have a smart phone. You know, people think that the technology, and I do, think that technology is so great. You can do so much for you. They put aside the risk, because I don't care about the risk. I don't care about the risk of privacy, I don't care about the risk of losing my data, I don't care about any of that, because I really, really love to have the technology around me. And they trade in security for convenience, or privacy for convenience. Those two don't really mix very well. Stakes are higher all the time for individuals, small businesses, and large businesses for that. And it is, you know, one of the ones that came up recently is something called FaceApp. This is a Russian thing. You don't want to do it. Yeah, what are the risks about that? 
I mean, it takes your picture, and then now your picture is sort of in the nether, it's everywhere, and it can be used against you. How does it work? Well, like I said, it takes picture, and then they apply a filter, and you can turn yourself older, younger, or whatever. But not only does the app take your picture, but it also takes information about what operating system your device is running, what your IP address is, and they can get your location from the IP address. Other things that are on your smartphone or on your device, and it's just gathering too much information. And a lot of apps will do that. For example, there's a flashlight app that goes on your phone that checks your location, your IP address, it checks your server information on what carrier your phone is running on, all these things just to turn on the light. Just to be used as a flashlight. It's not a good trade-off. No, it's not a good trade-off, but people don't read the user agreement or the privacy statement or anything like that, and so they let these apps do all of these things that they don't even have any business doing. One of the remarks was made today by Robert Mueller, and the hearings in Congress was, it's not only Russia, it's other countries involved, too. And FaceApp happens to be a Russian product, and I'm sure that in Russia the government can get to whatever data is in that product, in that company. But it's elsewhere, too, and so what happens is when you get out in the nether and you're in the global interconnection, your data, your face, all the information they can gather about you goes into some kind of cumulative database somewhere, and the people who hold that database, they paid for it. They spend time and energy for it. They're not going to just let it sit there. Correct. They're going to use it, and that means using it against you. Correct. And if you don't pay for an app, which I don't know the last time or you paid for an app, but I haven't paid for an app. 
If you don't pay for an app, you are the data that they are selling and using. So that the app is just a way to gather your data. Theoretically, though, even if you do pay for it, yeah. Yeah, even if you do pay for it, they're going to see that, yes. You have to read the user agreement very closely. But when you don't pay, it's clear. Correct. When you don't pay, it's clear that the deal involves getting your data. Correct. It's very scary. There's no more privacy. No more Walden Pond with Henry Thoreau and all that. Even as late as 20 years ago, Larry Ellison, the CEO of Oracle, he told us there's no more privacy on the internet. Once you're connected, your privacy is gone. So anyway, you have a course that you teach, and we want to go through some of the points you teach. So we have some slides, and let's just go through these points so that people are aware of what you're telling your students. So the first one has to do with malware, malware in general. What is on that slide, and where do you cover in your course on malware? Well, on malware, there's different types. Most of the time, malware, you see it as a virus on your computer, but it could also be a worm or a Trojan horse application or something like that. Basically, what happens is you click a link in an email, takes you to a website, and from there, the websites give you cookies, of course. And with the cookie, you can get a malware downloaded, or you open up an attachment. And mostly, it's Microsoft Office attachments that have malware embedded in them. PDF is the most popular one to put malware on, because everybody likes Adobe PDF. There's different things that happen when you get the malware. You might notice that your computer starts running slow. It starts sending information in and out when you're not doing anything. And if you have certain applications, you can watch your data going in and out of your computer. 
And if you're not doing anything, it'll still be showing that there's data going in and out. But mostly, people see it when it goes slow. Also, there's pop-ups that will happen, pop-up windows. Advertisements. Yeah, pop-up advertisements, things that nature. So go ahead. But they don't do it to make your computer run slow. It's not that. It's running slow because they are putting some kind of software on your computer. That is doing what they want to get. That's doing what they want to do. So they're reading things. They're gathering information on you. I don't know if you know this, but we'll talk about it when we go to safe surfing and safe browsing. Every website you go to tracks what your operating system is and what browser you're using, just as a matter of course. Scares. Yeah. What do you do? I mean, let's talk about the malware. But in general, what do you do to avoid this? I mean, one guy, he just cleans his computer, he refreshes it. Go back to the operating system, resets it every so often. I rebuild my laptops every six months. Six months? Yeah. And it may be a little work, but actually you feel better like a good shower after you finish. And that's the only way you can completely get rid of everything. You have to wipe your hard drive, which means totally wipe all the information off of it and then reinstall the operating system all from fresh. I think more and more that's going to be the only way you can really deal with this. Because the malware you described, it changes and it gets better and it gets more hard to find and deal with. Correct. And in order to keep that off of your PC as much as possible, you need to have a good antivirus program and set it to update antivirus signatures two or three times a day. Yes, if you leave your computer on all day. That is a little bit often. However, the virus makers will morph that virus every few days so the antivirus software products cannot catch it. So you need to grab it every as often as possible. 
So are there programs, I mean reliably, that can protect you and clean it up? Well, yeah. Most antivirus programs will handle it. Every once in a while, there'll be what we call a zero day vulnerability, which is a virus that has just appeared in the wild and nobody has a signature for it yet. As soon as they find the signature, they can guard against it and wipe out the virus. Well, you want a company that'll do quickly. Oh, yeah. And if you want Windows, Windows has a built in antivirus called Defender. And that's Microsoft. Yeah, Microsoft gives you that. There's no reason to go and buy one. Oh yeah, it's just as good as Kaspersky or Norton's or McAfee. It just happens to be free. I just got a Windows machine, so I'm really happy to hear that. Already built in. And you don't have to pay extra. And you don't have to pay extra. Good for Microsoft. That's right. So you know that the malware is happening because you see these windows popping up. You see it going slower. And so it seems to me that when you see that, you got to take action. You can't let it fester. Because it's going to get worse. Am I right? Correct. And there are some that run in memory only. In other words, only while the computer is running. So what I recommend to my students is every night when you're done using your computer or if you're using it in the morning, you're not going to use it all day, shut it down. That way, the memory in the computer or the RAM is cleared and the virus would go away. What about disconnecting it from the internet? Disconnect from the internet. You want to do that when you are cleaning the antivirus off or cleaning the viruses off your computer. All antivirus software has a scan program. And you want to scan your entire computer at least weekly, if not more often. It will take about an hour. But it will fetch all of the files in memory, all the files in temporary directories, all of your data. 
And it will also actually go into all of your program files to make sure that they are still the correct files. The word comes to mind. It's time. Before, we didn't worry so much about this. Nope. We trusted the system. We remain to find that anybody had bad intentions on the internet. Now we find a lot of people have bad intentions on the internet. The internet wasn't created with security in mind. It's an afterthought. Because people that created it, they trusted each other to send things that were correct. A new adventure, a new frontier. Now we find there's a lot of jerks who would like to waste our time and money and threaten us and all that. Yeah, there's a ton of jerks. Yeah, I don't know. If you had unlimited amounts of money, make you a billionaire. You could avoid some of this by simply throwing the thing out every week and starting fresh. Correct. Just grab a new computer, physically destroy your hard drive of your old computer. Grab a new computer. Now there are some tools that will help us. Like there's ad blockers and pop-up blockers, and that will help a little bit. You can scan with your antivirus program, scan software, scan your PC. If you want to visit a website that you're not sure if it will download a virus on your computer or not, you can scan that too. There's a company. I don't own stock in this company. It's a website called VirusTotal. And you can point it to a website or to files on your computer, and it will scan it for you and tell you whether there's any malware on it or not. So much to discuss here. And really, you could spend your whole life fooling with these things. And still, you want it, you love it. You need to be ahead of the game, either the latest or greatest. But you wind up spending more time. I know I do. OK, passwords is the next one on this. We got the password slide. There it is. Yeah, there we go. What do you think about passwords? Well, I don't like them. 
I wish we could have DNA be our password, because it's hard to copy DNA. What we found recently, NIST, the National Institute of Standards and Technology, they used to say complexity is the best for a password. Now they're saying the length is more important than complexity. The password-breaking software that is out now can break any password really quick. But the longer it is, the more time it takes to break. So we always like to say length is greater than complexity. And when you create a password, make it something unique that you can understand or that you will remember. Don't use anything like your dog's birthday or something of that nature. Don't relate it to the software you're on, like if you have a password logged on to Microsoft, you don't want your password to contain the word Microsoft. There's two-factor authentication, and this is something that's really important. You want to make sure that not only you have a password, but you have a second way to authenticate who you are. A lot of people say, send me a code to my smartphone. Some people say, send me an email. If somebody's saying, answer a security question, then that could work too. But you want to have at least two ways to identify who you are. One of them will be a password. Another one will be something else. So password is something you know. You could have a biometric, which would be something you are. That could be a fingerprint. That could be DNA, a drop of blood, or whatever you want to do. And also, you want to make sure that it's something that you know or something that you and nobody else knows. So we want to try to do at least two-factor authentication, if you can. Authentication is to protect you. It's not to make it easier to get on. It's to protect you from somebody who might be. From somebody hacking into your account, yes. Well, I tell you, this is pretty scary. 
But one thing that occurs to me, and it's just me now, is that if somebody developed an alternative to the password system, I would be liberated. I spend my time with passwords every day, every day. It's such a hassle. Oh, yeah, it is. And sometimes I'm unsuccessful. And the biometrics, that would be pretty interesting. We're reading your eyes. Yeah, the iris scanning and stuff like that. Yeah, or who knows what? Something different voice, maybe. And that would save me jobs of time. And I would pay money for it. And the guy who developed this, he's going to be another Bill Gates. He's going to be in the tens of billions. The guy that invented the password just passed away recently. He invented computer passwords. He just passed away. The problem with passwords is we have so many places that we log into. I've got probably 28 places that I log into on a daily basis. Because I log into it all the time, I remember those passwords. But some people only log into it once a month, maybe. Frequent flyer miles or something of that nature. I'm online banking. You may not do that for three weeks at a time. So some companies have come up with, they develop password managers. And they will save the passwords for you. So if you forget it, you don't have to try to. You don't have to reset the password. Just log into the password manager. They'll tell you what the password is. Or you go through the password manager to log into the website. And there's some that are free and some that are for pay. Of course, if they're free, you have to be suspicious. Are they using my data for something? Well, your password. Yeah, correct. If you pay for it, then you should have some expectation of privacy. Yeah. Well, but if they hack into your password file, you're in terrible shape. You're in terrible shape, yes. Yeah. I'm still waiting for somebody to develop a cut through all this. So far, I continue to spend enormous amounts of time on it. And I feel there's always risk. 
Because you use a password like the other password, you can't sit and think of unique passwords all day. And I think most people just try to get through it. Yeah. And they forget about the security part of it. This is an inconvenient thing I need to do. It's like I have to put the key in the car and start the car, or else the car's not going to go anywhere. And yes, it's necessary. You remember the movie Gattaca, where they were sending people off world? And then the star of the movie had a little hatch with blood in it. Their password to get into the building was a little drop of blood. So he would take the person he was impersonating, and a little drop of his blood, put it on his finger, and put it there. That would be wonderful if we could do that. But then every computer would have to have that. And how would a website authenticate you? You'd have to go through your computer. Well, if your computer gets hacked, then your password is gone already, right? It has got to be a way. After this show, you and I should spend five or 10 minutes and do a brainstorm on this. Maybe we could come up with something. Yeah. DNA password, right? OK, moving along here, browsing. We covered that already. Just a little bit, yeah. Let's talk about browsing and what your suggestions are about browsing. Well, for safe browsing, the best thing to do is only go to websites that start with HTTPS. HTTPS is Hypertext Transfer Protocol. And it is basically how we communicate on the internet. If you add the S on the end, that means it's secure. So basically what it's doing, it's kind of like a virtual private network between your computer and the website. And everything is encrypted in between those two sites. So if you can, do HTTPS only. Google now only does HTTPS. Well, you can't just put an S in there and assume it's going to be more secure. No, it has to be an HTTPS site. It has to be an HTTPS site. And it costs extra money to encrypt that and make it HTTPS. But it's worth it. 
But it's worth it, yes. Well, that takes me to, yeah, it's the next on your list. And the Wi-Fi thing. Right. You know, my wife says, there's a guy outside our house, and he's just parked right outside our house. Are we safe? Is it safe? He could be hacking our machines. Is that really a risk? Yes it is. There was a school teacher in Indiana who got hacked like that. And she lost her job because they thought that she was doing bad things on the internet. And an elementary school teacher shouldn't be doing those things. Turns out somebody was parked outside her house, and he was hacked into her Wi-Fi router. So we're using public Wi-Fi. I wouldn't do anything except browse the internet. I wouldn't do email. I wouldn't do banking. Anything like that, just any time browsing the internet is fine, reading the news or something. If you do need to do things like that, you should use a virtual private network. It's called a VPN. And that way, just like HTTPS, it creates a tunnel between your computer and the website you're going through. But what it does do, it encrypts it twice, once through the VPN and once through HTTPS. If your site you need to log into does not have HTTPS, which it should if you're putting in a username and password, and you want to make sure you use a VPN. Are you saying that the password on my router in my house, my wireless router, is not enough? If you want to secure the Wi-Fi router, yes, that's not enough. What you need to do is have a really non-password for your Wi-Fi router. Turn off the broadcast of the Wi-Fi router. In other words, when you boot up your PC or your smartphone, there'll be a list of Wi-Fi routers that you can connect to. And then you're going to choose yours. Unfortunately, most everybody, when they do this on their smartphone, they choose it and it remembers it. So next time, if you don't have to log into it, it automatically connects. You need to turn that off. 
The best way to do it, though, with your home Wi-Fi router, turn off the broadcast of the Wi-Fi name, called an SSID, a service set identifier. Turn that off so nobody knows it's there. Now, experts can find it, but the average person just driving by will not be able to find that. You know, part of me wants to say, Steve, don't watch. They can have all my data. I have nothing to hide. But think about that. My students say the same thing, but then they say, and the guy will get my student debt. So they can pay my student debt if they want to take my ID, right? It's your life. If you don't care that it gets destroyed, go ahead. When somebody steals your identity, it takes an average of 18 months to clean everything up after that. I have a brother. He had his identity stolen, and he's still working. He still gets mail. People are subscribing him to different publications and things like that. He still gets bills in the mail, things that he didn't do, and he's got to go through the bank and make sure that that gets cleared up. You have to work with the FBI. And it's no surprise the FBI. They get thousands of calls every day from people whose identity. And what that means, again, is time. It's time. That's what you're at risk for more than anything. Well, I mean, it's pretty scary. I don't know how you fix this in terms of protecting yourself. You have to really commit to not letting anything get out. Right. There's a couple of things you can do on public Wi-Fi. Watch out for evil twins. If you bring up the graphic, we call it an evil twin router. If you bring up the graphic, you can see the top one. There's free airport wireless, and there's Nashville airport wireless. The one with Nashville is the legitimate one. The other one, somebody set up their own wireless router, and they're catching your traffic. So if you put in a username and password, they've captured that. Another one that's at my school. Can you pick it up, Justice? And you think it's the airport. 
Oh, yeah. You think it's going. Oh, yeah. It's just going through that person's computer before it goes to the internet. So you don't even know he's there. We call it a man-in-the-middle attack, because the man in the middle between you and the internet is stealing your information. And if you look at the bottom right, or the right-hand side, you see I've got in that circle SRU1X, SRULX, SRUIX. Well, SRU1X is the right one. But we modified it, and we put SRUIX and SRULX, lower case L, to see how many people we could catch that would try to log into those. Even my students that know about this, some of them chose the SRULX. The I is kind of easy to identify, because it's got a little dot. But the L looks like a lower case L, looks like a 1. You have to watch out for these evil twins that are going on there. You have to be so sharp these days. You have to be careful. Like, don't go to McDonald's. Who knows who's sitting in McDonald's? Just the next chair, the next seat. Exactly, catching all your information. Panera Bread, anybody that's giving free Wi-Fi out, only do simple browsing of the internet, reading the news or something like that. Don't do anything that you have to put a username and password in. No, they don't. They don't give it if they're not quite there. Prosecuted, and they keep on doing it. And they sell your information to somebody overseas who then can do whatever they want to do with it. And it's always for money, isn't it? I mean, in the old days, it was meant to be mischievous. Oh, yeah. But that's past now. It's for money. Oh, yeah. It's the money now. I remember a big handle about the Internal Revenue Service that slide themselves in between you and the Internal Revenue Service to get your refund check. Correct. Or that I'll steal your identity and file your taxes for you. And then they get the refund that way. And then when you file the taxes, this isn't an amended return. This is a regular return. What's going on? Yeah. 
And you can't go to the Northwoods anymore. The Northwoods are simply not available. OK, let's talk about social media. That's more and more the rage, you know? Correct. My daughter, I've got a teenage daughter. And she spends all day on her phone if she could. And Instagram and Snapchat is the social media that teenagers like. Most people in their 20s and older are used to Facebook and things of that nature. The tips that I give for there is, if you don't know the person in real life, don't add them as a friend on Facebook. Don't add them as a follower on Instagram or don't follow them. Same with Snapchat. Just have nothing to do with them. If you have never touched and felt them or talked to them personally, you should not be a friend. What's the risk? What's the risk? You know, I imagine your daughter or some kid says back to you, I'm careful. I'm not going to get sucked into anything. If I find there's anything uncomfortable about this, I'll just not talk to them again. Is that an answer? No. On the internet, nobody knows you're a dog. So you can be anybody. My daughter ran into this a few years ago. She followed some people that she actually knew in real life. But they sent her some child porn. And child porn is a felony unless you're a minor and then it's just a slap on the wrist. But still, there was child porn on her device. And if you are an adult and you are friending people that you have no idea who they are, you've never met them, you don't know if they're a criminal going after your information or if they're actually a real person that cares about you. Well, it's very creepy. There are a lot of creeps out there. The internet is finding them. Or they are finding the internet. OK, moving on to IoT, one of my favorite things. Internet of things. Is that a favorite thing for you? Well, I feel that the internet is becoming completely ubiquitous, everything we do in touch, every electrical device as well as IoT. It's all going to be connected. 
And it all has an IP address. Exactly. And if somebody wanted to do some real damage, they would close it all down one day. Well, you've heard of the stories where people are walking. Their baby starts crying. They hear it on the baby monitor. They go into the baby's room and there's somebody that hacked into the baby's monitor because it's Wi-Fi enabled and they're yelling and screaming at your baby instead of letting the baby sleep. Well, it's going to be pernicious. Yes, a lot of those have cameras, so they can check out your baby while the baby is sleeping. A lot of the toys, if you look at the slide, there's a couple of toys there. They record everything that the child does and says. They have cameras and things like that. There's one little bear that wants to play games with you. They hold up a little card for the game that they want to play. And sometimes the bear will say, oh, yes, I love this game. Other times the bear will say, no, I don't want to play that game. Let's talk about your family. And so the bear knows your name, Jay. Tell me about your brothers and sisters. Do you have any brothers and sisters? And I won't be asking this information. Now, there's a thing called the Child Online Protection Act, or Child Online Privacy Protection Act. And it states you cannot record any information about a person on the internet that's under 13 years of age. However, just by starting up the toy and registering it, you, the parent, have agreed to let the company that made the toy collect all that information on your child. Alexa, tell me everything about Jay. Well, Jay's only 12. But hey, you know what? I installed Alexa, which means I let Alexa interact with my child, interact with me, record every conversation we have, all because Amazon loves us and wants us to have the best experience in the world. Same with Google, the Google Assistant. They're listening to everything we're doing. They're analyzing it. 
Some of them say a real person's never going to hear the data or see the data. But sometimes you have to have a person doing it, right? So just the fact of us installing it, we are implicitly signing a user agreement that says, yes, I agree that nothing on here is private, and Alexa or Amazon can hear and see everything that I do. Well, Congress is supposed to be doing an investigation of the big software companies now in privacy, and Europe has fine people. So is the US fine people. GDPR? What is it? I'm $500 billion to Facebook. Maybe all of that will stop this. We only have a minute or two left. Let me go, oh yeah, one of my favorite things is phishing, because I think phishing is really social engineering. The weakest link is the individual himself or herself. Exactly, exactly. And you can find a way to personal information or corporate information just by pretending. That's right. Social engineering is the easiest thing to do. When we look at the encryption slide, you'll see that they do some social engineering. But for phishing, oh, there's the encryption slide there, right? Instead of trying to build a major multimillion dollar computer to crack the password, let's just hit the guy over the head with a coconut for a couple hours, and he'll probably tell us his password. And so that's part of social engineering. That includes the CEO of the company. Exactly, exactly. And not only that, they go after CEOs. They call that whaling, because the person is high positioned in the company, and they can have lots of money or access to a lot of money. There's also one, there's different variations on the phishing. Spear phishing is where you're targeting a certain individual. Phishing is just sending out an email to thousands of people. You can catch a sucker. Oh yeah, and you know what? About 1% of the people will click on the link on the email. Well, if you're sending out 100,000 emails, how many is 1%? 1,000, right? You got 1,000 suckers, click on your email. 
And of those, maybe 1%, so that's 100, no, I'm sorry, that's 10, are going to do whatever you're asking them to do. And all it did was, you just gave 100,000 email addresses, sent out an email address. Almost out of time. I guess I would ask you my final questions. Think about the internet. As it has developed since what, 1995 or so, it became really public. You have a lot of computers out there. Is that you can be anonymous? Yes. Would it help? It's my final question. Would it help? Before we talked about biogenics, biometrics, but would it help to have the, set up the internet so that nothing that is anonymous gets through? In other words, you want to go on there, you want to play, you want to do anything, you have to identify yourself. And that has to be verified, otherwise you don't play. Wouldn't that shut all this down? Until somebody stole your information, you'd have to have a good biometrics like DNA test or something of that nature. But I would not like that because I do, I set my browser to be private. Or incognito, depending on which browser I use. So it does not record anything that I do. It doesn't save my browser history or anything like that. If we could get it so nothing anonymous got through, that'd be wonderful. But, and again, we have to authenticate the user. How are you going to 100% with 100% accuracy authenticate that you are Jay? I'm wearing a Hawaiian shirt. You're wearing a Hawaiian shirt. Aren't we good? I'm Jay. I'm wearing glasses, you're wearing glasses. Some kind of AI, let's come up with something like that and we'll be the next billionaires. You know, I was telling you that time comes to mind, but you know what else comes to mind at the end of our discussion here? What's that? It's paranoia. You have to be paranoid if you don't live in this world. And a lot of the young people aren't. You remember the book 1984, George Orwell? Sure I do. You remember what the main thing was? The main thing, Big Brother's watching, right? 
There's cameras everywhere. Now, the young people are worried that there are no cameras. They're worried nobody's watching me. That's why they're posting everything to Instagram and Snapchat because they want to become the next Instagram star. So they snap them, they take selfies all the time, movies and everything of that nature. And they're just, they're hoping that somebody will be watching them. That's why they want hundreds of thousands of followers. And that's why when, you know, the government puts in hundreds of thousands of cameras in your city, there's no real feedback reaction to that. Because I take your point, because people like to feel they're being watched, they're relevant, they have a meaning, a validation, have an identity in the community. And if you're lacking that, go to London because London is full of security cameras. We live in interesting times and you are, I don't want to say the point of the spear because you already talked about spears. Spear phishing, yeah. You are right at the front end of that. And I think your students have a great benefit to know about all these things. And of course to evolve and change with the times must be a very interesting subject. Yeah, I have to keep up with it. I read every day something about cybersecurity is changing all the time. Well, thank you very much, Steve Larson. Thanks for having me. Of Slippery Rock University near Pittsburgh in Pennsylvania. I'm glad you're here and I hope when you come back, I will catch you again. Okay, I visit often. There's family here, hello, thank you.