I went back, well, I'm Jay Fiedel. This is ThinkTech Tech Talks and from time to time we check in with the TELUS Arrest, our side pack. And we're gonna do that again today. We're gonna catch up on ransomware and AI. Ooh. Okay, Attila, talking to you, I'm already scared. I start getting scared as soon as you come on the screen. So why don't you come on and talk about the developments, that's the wrong word, the negative developments, the scary developments about ransomware so I can get scared? Well, Jay, you know, the best part about fear is it also maybe puts us into action. Right, otherwise we get complacent. And ransomware is one of those things that, you know, people thought they got it all covered. Yeah, you know, they got a good backup. They got things figured out. And unfortunately, a new study came out from the FBI and the FBI every year releases something called the IC3, Internet Crime and Complaint Centers, annual, you know, kind of what their numbers look like. You know, what are people reporting to the FBI? How much is it costing them? It's a data report. And on that report, it says, hey, you know, good news. Ransomware payments are down 38%. So that means that these bad guys are losing money. They're not making the same kind of money they used to. But unfortunately. It seems to mean that. But why do I feel there's a big but? And that's the big but. Unfortunately, these guys are also pretty smart. And they're highly motivated and well funded. So now they're getting a little bit more creative about ransomware and how they're going to deploy it. And so they've deployed double extortion and triple extortion tactics. So I'd like to kind of talk about those so we can. Yeah, please. What do you mean by that? Well, think about what ransomware is. Let's kind of do a review session. So ransomware came out roughly around 2018. And it had peppered billboards across Thailand and UK where it locked up public transit systems.
And in fact, we saw most recently colonial pipeline had a ransomware incident. And what that does is that they take encryption, the same kind of encryption that you have on your credit card on a smart chip or, you know, even on this video stream is probably encrypted. And it takes that encryption and it applies it to all your files on your computer, right? So far so good. Everything is encrypted without the key, you can't get to your files. And so they put up this fancy message that says, hey, it's a time bomb. You've got three days to pay us in Bitcoin. Otherwise, we take all the files and we send a remote wipe and we erase everything. And so businesses work out, why is this? Well, if we get ransomware, we certainly don't want our files to get lost, do we? So they put in good backup plans and offsite backup plans and all kinds of other fancy things. And it became kind of a cat and mouse game where bad guys would get inside of your computer network and then disable the backups and then deploy the ransomware. Seeing it firsthand really sucks. So these bad guys have continued to evolve their tactics. And so now we have double extortion. So they deploy the single extortion tactic, which is ransomware. And so they lock up the files after getting inside by either clicking on an accidental email or going to a website or any number of ways they get in. And after that, they silently, before locking up your files, they take them all away. They all download them over our wonderful high speed, fiber internet connections that we have. You know, everyone wants to watch Netflix and everything instantly. Well, that requires high bandwidth. Well, that high bandwidth can also be used to exfiltrate or suck away and copy the data away. And they'll let the business know after all the data's been stolen. Well, we're going to lock up your computers and you got to pay us for that. And then we're going to take this data and we're going to leak it out there unless you pay us as well. 
So they have your data. Now, in some companies, it's not such a big deal, right? Like, let's say you're a florist shop. You know, who really cares if, you know, who bought who for dinner? And in fact, I'm talking about real breaches here, by the way. So everything from florist shops to vehicle service centers, data breach there as well. Vehicle service centers, you know, who cares when you had an oil change on your car? Big deal, right? But imagine if it's a healthcare provider or if it's a credit card company or a bank. I mean, it's really difficult to change a social security number, your blood type or your medical history. That kind of stuff, once it gets leaked, pretty bad. So that is a double extortion technique. And then we get to triple extortion. So triple extortion, this is the new stuff. How does the double extortion, so now they have your stuff, you didn't pay the ransom. So they're punishing you for failing to pay the ransom and they leak your, you know, your important data. Is that the way it works? Yeah, they leak it or sell it. And up to this point, they were really just thinking about just, they weren't really digging into the data to find out what was in there that they could even add, you know, do anything to put the pressure on. You gotta remember, everything here is designed to put the pressure on the victim to pay. They want money, it's just plain and simple. And anyway, if they can get it by putting on more and more pressure, that's where the problems happen. Now, here's the problem with extortion in general. The FBI does not recommend that you pay the ransom. And it is because what's to stop them from demanding more and demanding more, right? And there's some interesting developments happening now with crypto. Up until this point, there was this kind of false perception that Bitcoin was untraceable, which by the definition of the blockchain, you've done plenty of, you know, crypto episodes on ThinkTech. I'm sure you've gone over a blockchain.
You can probably put a link to that in our show notes. But the idea is that blockchain technology is public. That's the whole point. And there are ways where they can start connecting the dots and figure out in their investigations where this money's ending up. So the idea of paying an untraceable Bitcoin, yeah, it's not so untraceable as it used to be. So we're talking about double extortion here, right? They get in, they smash and grab your systems, smash and grab your files. They want money to get them back. Triple extortion and reputation damage, that's where it gets really interesting. So when it comes to triple extortion, they can do the first two, right? Steal the data, hold the data hostage and threaten to release it, but they can also attack the network. So we've seen this on major retailers. This is where it becomes a problem. They can flood the public sites with so much data that the sites can't respond. We saw something similar to this with Hawaiian Airlines a few months back. We've seen this, I believe, with Burberry and a few other big e-commerce retailers. Is that like denial of service? Exactly, it's a DDoS attack. And here's what's insidious about it, this is fun. So there are, what's the best way to put it? Kind of like an outsourced, like let's say you want to DDoS a company like a bank. Well, it's really hard to kind of take over maybe 3,000 or 4,000 computers to coordinate an attack like this where they can all flood a single place with packets. So the bad guys have found ways to take over a few thousand computer networks and then sell access by the minute. They say, hey, look, you wanna flood this place? No problem, 15 minutes, great. Let's do it. You know, pay us and press a button and off it goes. So it's been completely commoditized. And in those DDoS attacks- You have to pay to use your own system. It's like a special subscription to use your own system. Yeah, think of it like DoorDash for attacking your victims. 
Why bother going down to the local eatery and picking up the food yourself? You can just go on there with an app and someone will take care of it for you. Isn't that good? They get to be your partner. Yeah, exactly. So it becomes denial of service as a service, really. DDoS as a service. Well, you said at the outset that the stats were down, but that didn't resolve the problem. But it sounds like when you have these three levels of attack, the stats of damage and ransom are up, no? How do you reconcile those stats? Sure thing. So this kind of the triple attack that I'm describing here, this is the new playbook for 2023. We haven't really seen this last year. This is all the new stuff they're doing. And then these, for example, with these denial of service attacks, this sounds serious there. They throw packets, think of them like basketballs. They throw packets at an airline's website so people can't book airplane tickets or they throw it at e-commerce sites so it essentially grinds their sales to a halt. But inside each of those packets, each of those basketballs, if they were to open them up, which forensics guys do, they'll see a little note. And then that note, it'll say, hey, we're attacking you. Here's what you pay and where to send the money for us to stop. Well, if blockchain isn't available anymore, where do you send the money? It is available and it's still what they use. So, you know, there's no way you can like write a cashier's check and send it out. So help me rectify the fact that the stats of attacks are down, but there's three levels of ransomware. And so something maybe, what is the connection? Well, you know, that's kind of the history. So every year it's been going up until last year when it went down about 38%. Because everyone got wise, right? Business owners decided to put together a business continuity plan, backup plans, moved a lot of stuff to the cloud. They said, oh, we're not gonna store this stuff on site anymore, it's too vulnerable.
And so because of that, last year payments were down. And, you know, these guys are organized crime. Organized crime means that they have quotas. They have KPIs and metrics. These guys need to make their money from victims. They need to attack networks, find a way to do it. So they've been getting really creative. So I suspect that based on these new strategies, and we haven't even gone through all of them yet, based on these new strategies, numbers are gonna be way up this year because they're getting mean. Like these are really mean strategies. And so they're reacting to the reduction last year by improving, tuning up their systems to be more destructive this year. Correct, exactly. Wow, so D. Wiz, I wanna talk for a minute about the Colonial Pipeline Affair, which you and I talked about. We touched on that a lot of a few months ago. In that case, the FBI was happy to report that they had gotten some of the ransom back, but not all of it. And I really wonder what happened there because I'm not convinced that that demonstrates that the FBI knows in full how to deal with this. What happened? From what I remember, they were able to retrieve some of it by going back through the public ledger, as they described. That's how they were able to point out exactly what happened, like where that money went. And it went to a group, the name escapes me just this minute, but it went to a Russian hacking group. Why am I not surprised? Well, exactly. Now here's the funny part. A few, this was maybe six months ago, something like that. That same group was arrested by Russian authorities. And that same group then was put to work using similar attack patterns out in the wild against other critical infrastructure projects in the Ukraine. So the question remains, like the official release was, hey, look, the US, we did you guys a favor. These are the bad guys that took down colonial pipeline. Russia has nothing to do with this. 
So we're arresting them because it's the right thing to do. But then isn't it interesting that those same attack patterns that were able to infiltrate Colonial Pipeline then are being used against Ukraine. So maybe. There's always the possibility of propaganda. By the way, the group was called DarkSide. DarkSide, that's it. There's so many of them, and they're funny too. Well, let's get to the big question. We have a few minutes left, we're about halfway through our discussion. And the big question is we, United States has a lot of very sophisticated computer programmers and telecommunications guys and switch guys, if you will, who can monitor what's going in and out through the internet. And they're not only in Silicon Valley these days, they're in other places too, like New York. Why can't we also up the ante? Why don't we see prosecutions on this? It's interesting that I guess it was some group that was involved in a mass murder within the last couple of days, was tried and sentenced for some extraordinary number of lifetimes, hundreds of years in jail. I guess it wasn't a death sentence, but it was multiple lifetimes. I said to myself, that's interesting because we have seen so many of them get off the hook. And then I thought of white collar crime. Where a lot of these guys get off the hook. For one reason or another, it's not treated as all that serious. And the judge and the jury was like, ah, it's white collar crime. Let's give them a few months or a couple of years in jail. I want to volunteer for you, Attila, to be on that jury because I treat this stuff as really, really serious and really destructive. And I think the justice system doesn't. And I think what should happen here is when you catch somebody, you lay into them as a major sentence or a lifetime. Unfortunately, that's neither the law nor the fact. But I wonder, you know, you don't hear about any prosecution.
If you called up the attorney general of the state of Hawaii and you asked them, how many prosecutions have you done for ransomware? You get a big fat zero. And so I think the FBI is close to that. But why can't we catch them? Well, you know, Jay, there's different degrees of crime, in my opinion. There are some crimes that, you know, they're financially motivated. And in the end, no one really gets physically hurt. You know, there are a lot of these companies, such as Colonial Pipeline. Yeah, it costs them a few million bucks and a lot of issues with PR and et cetera. And in that case, I mean, it was a big inconvenience, right? You know, they were unable to deliver jet fuel. There was... How about the hospitals? How about the hospitals that have been subjected to ransomware? I mean, people probably got sicker or died because of the ransomware and the time factor. Would you consider that more serious? Yeah, so far there's only been one confirmed death due to this and that was in Europe. This was a couple of years ago, specifically with a hospital ransomware. And during COVID time, like hospitals were kind of off limits for hackers. Now it's back, you know, they're after them just the same. But you know, there's a lot of cyber crime out there that's probably not appropriate for this show to talk about where there are really people being harmed by them. And that's the focus of these investigations. When they involve children, when they involve drugs, when they involve people's lives, being in danger. That's where the real focus goes. All of us here, you know, talking about this, you know, ransomware and computer being locked up, that's the real kind of happy side of cyber crime. And I like to stay there because it's kind of depressing the other side. But just know that, you know, they're doing their best to really get the deep and dark evil bad guys and put them in a prison. And they do, they do catch those guys. That's where the focus goes. 
Why don't we hear about it? Why don't we hear about a prosecution and a sentence? If you like, I can send you some links. They do occur. You know, probably one of the more famous ones was the arrest of an individual who ran Silk Road. That was a drugs assassination human trafficking website on the dark web. Since then it doesn't more popped up. There've been more arrests, more coordinated arrests all around the world for this. Those are the guys they're really after. What we're really focusing on is how do we minimize business interruptions so that you can go on with your happy life? You know, that's the end of it. Well, my life will become less and less happy as these guys get more sophisticated. And I think it's a real challenge. You know, we have seen, for example, in the political arena, we have seen, you know, the media tell us that the Justice Department, the FBI is investigating and it takes a while, it takes a while. And it's lining up a prosecution, it takes a while. So far, you know, in certain cases, it's taken years and years when we all saw what happened on television. Okay, so that's one phenomenon of the times in which we live. The other phenomenon is the phenomenon in Congress where Congress, you know, here's these people that testify about tech issues, social media issues, and they don't understand. There's nobody in the room that understands. They can't even frame up a question to a tech CEO. The tech CEOs have to be, you know, sympathetic to them to try to dumb it down to grade school level so that Congress understands. So I see two factors that stand in the way of immediate, you know, justice delayed is justice denied, right? I see two factors. One is they don't, the investigative and prosecutorial authorities don't understand for that matter, the lawmakers don't understand. 
And the other, of course, is that, you know, so it takes, the other is that it takes a long time under our justice system to make that investigation even longer if you don't understand and to actually hit home on it. And I wonder if, you know, and that's really not sustainable because this is getting worse and it's getting more threatening to business and to individuals. What can we do? And here's the second major question I'm gonna ask you. What about AI? AI is what, six or seven months old at least in the public sphere. AI should be able to, I'm sure that the organized crime guys are using it or wanna use it or have plans to use it. But what about the rest of us? Can't we use AI to defend ourselves? Well, you know, you have a couple of questions there. I can guarantee you right now, each of us right now in our inbox have email messages that have been generated by AI. Positively, it's out there. So, you know, it's been out for some time and kind of like on these newer forms of attacks like for example, like these Clop ransomware groups, what they do is they're taking some of the exfiltrated data and they're reaching out to clients. So like you would be a customer and then they put the pressure on the customers making the company look bad. So they'll reach out to you and say, for example, hey, you know, we've locked up Netflix's infrastructure and they're refusing to pay. Those are bad, that's a bad company. You should put pressure on them as a customer of theirs. But let's go back to like what you can actually do about some of this. Now, the biggest attack vector we see and I hate to say it is poor cyber hygiene. And it's not just like, hey, I got two-factor authentication. 'Cause by the way, if you do, two-factor authentication protects you like a hundred times better than if you didn't have it.
Yes, there are ways around two-factor but for the majority of folks out there who are going to be listening to this or hopefully listening to this, two-factor authentication, getting that multi-factor QR code based, right? With the rotator app, not just the text message, that's the best type of two-factor. But also, so what we see is this. A company has a CFO and they have let's say a bunch of engineers and those architects and engineers are in operation. CFO is doing money stuff, right? CFO gets an email, clicks on the email, installs something on her computer and that computer then looks around and sees what she has access to. And they say, well, let's see, we have some QuickBooks files here and it reaches out to the operations and it sees that there's all these wonderful engineering diagrams of I don't know, let's say the rail or electric grid or sewer system. And it says, wow, this is some really interesting data. How about I, you know, steal all that and then lock it up and go through this whole process? What, do you see the problem with what occurred here? The CFO should not have had access to the operations engineering and architectural files. This is called least privilege. And least privilege is something that's just so overlooked in the everyday working operations. Folks only need access to what they need to do their job. And when there is an interaction. Need to know existence from the early part of the 20th century. So start there, anyone listening should start really there. What are the effective permission structures that you have inside your organizations to the files that you need to do your job? We just, I was just reading about a breach just earlier today and that's exactly what they had done. They had air-gapped different parts of their network. So when a bad guy dug into them, they just got into the sales database. So it was like a few like, you know, emails and stuff. They couldn't actually penetrate into the main architecture of their network.
Cause if they had, then a lot of customers would have been down. So that's what you want to do is really think about how you architect access and who has access to what inside of your company. Cause if everyone has access to everything, it takes one bad move to destroy the entire company. It reminds me of the submarine with watertight compartments. So if one floods, the other doesn't. And I think that's the concept here. The other thing I want to mention to you and see your reaction just today, I got an email about the Ukrainians. You know, they are very smart on computers. And I'm not sure if that's intrinsic or they have help from elsewhere, but what they were apparently able to do, and this is actually amusing. They were able to reach the wife of a Russian pilot by email. And using various, what do you want to call it? Psychological gambits on the email. With her, they organized a party. A party of all the Russian wives of the pilot in Russia who were attacking Ukraine. And they used facial recognition from that party to identify all the pilots. And now they created their own intelligence through this, you know, this breach in the wives of the pilots. It's really smart and amusing, but it's also, it's heavyweight intelligence too. And that facial recognition is probably AI. And some of the stuff they were doing in order to achieve this project was likewise AI. And I'll tell you, one of our software vendors is from Kyiv. And we hold on to that vendor because we want to support Kyiv. But the reality is they're pretty sharp. And so my point to you is that, you know, one good programmer or one cell of programmers appropriately trained and motivated can do enormous good or enormous, enormous destruction. Do you agree with that? Yeah, exactly. You know, the argument I've heard about AI, which is interesting, is that, you know, everyone's seen the Terminator movies where AI comes to a certain point where it decides that humanity is no longer needed, right? 
And I don't know how many movies have been made about this same thing, I, Robot and all these. So the idea is that you have an AI that you think is going to on its own decide that we're no longer necessary. When in truth, AI just does what we tell it to do. And the destruction that we're going to do to ourselves through AI will be far greater than anything that the AI could do to us. Us pointing AI at each other as weapons and using it as you just described as methods to break inside of networks to get inside of things. And in fact, there's new things now that are occurring where the AI is being pushed to the limit work and now hack software. So they were able to successfully generate license keys for like a Windows 95 activation by decoding its algorithm. So these things are starting to occur where password hacking, getting inside of networks, creating software that can break inside of other devices on the network on the fly. All these are things that are already being tested with AI. And we're only on version, what, the ChatGPT-4. I mean, wait till we get to ChatGPT-10. 5.1, 5.1. Oh, 5.1's out now? Wait, no, I'm sorry. That's Midjourney, it's 5.1. Oh, well, what happens two years from now? We're on a much more advanced version. And where do you set up the guardrails? And how do you stop someone from picking up their own AI, self-hosting it and taking the guardrails off and letting it do whatever it wants to do? Well, we do have a couple of minutes and I would like to spend them with you now that we're on AI. There's a fellow named Sam Altman who testified in Congress a few days ago and he is the progenitor of OpenAI. OpenAI, yeah. Yeah. And quite remarkable, what he said to Congress was you need to regulate us because we are dangerous. And I said to myself, well, does Congress understand enough to regulate anybody about this? This is very sophisticated stuff.
The people who invented it, the people who are developing it and taking it to the next level of very sophisticated smart guys, whether they finished Harvard or not. And the problem that I see is that how exactly do you regulate it? What do you do? Give licenses? Boy, that would be a First Amendment issue, wouldn't it? What do you do to control the dark side of AI? Any thoughts? Well, it's interesting about regulation. I was listening to another podcast and we're talking about COVID-19 and smallpox and horsepox. These are all really terrifying diseases where the gene sequencing is available, like on the internet. And what used to take millions of dollars and a highly skilled group of people can now be done with some graduate students for $20,000. So who's to stop any nation-state or private company from weaponizing a version of COVID-19, right? Or bringing back the plague or some awful genetic thing that could hurt us. And here's my point behind bringing this up, is that is not illegal. You could generate your own disease and release it. Well, if it's released, it's bad, but you could make your own, and that is not illegal. And that should be highly regulated. And that's something that has got decades of information and billions of dollars in science behind it, major corporate interests. That's not regulated. How are you going to regulate AI? That's my question. It's Congress's question, too. I hope they take him seriously. This guy, Sam Altman, of OpenAI. But the other thing that came up that is very, very interesting this week in the paper is that some AI developer in one of the big tech companies that I forget which one said that he had come to believe that AI could be made sentient. And we've seen articles along that line over the past few months about AI expressing feelings. I'm angry at you, Attila. You have provoked my anger. And where did that come from? This is like out of Space Odyssey 2001. You know I can't do that for you, Hal.
And so you have actual scientists, people, engineer people in the AI realm saying they believe that AI is sentient now, depending what the form is, or it will become capable of becoming sentient. And that is as scary as it gets, isn't it? Could be. I mean, the Turing test is really, that's what that comes about. I mean, Alan Turing created this test in the 70s or 80s where, or maybe it was 60s. It was somewhere mid-century. And the Turing test looks at a computer program and says, can we fool someone into believing that this is a real person for three minutes or more? Right? And when it comes to AI, I mean, yes, it is very convincing. But we're also a more savvy society now than we've ever been. So it is hard to tell whether it is sentient or not. But I mean, you're going back to a philosophical question that's thousands of years old. We're talking about SART. How do you know that you are a thinking being? How do you know this is not a dream? I don't know. But I can tell you this, that AI is only going to be as smart as we train it to be. So if we put it in front of a lot of people with a lot of negative intent, then it will become a negatively behaving AI. If we put it in front of a positive group of people and ask it to do really creative things, it will continue to do that even better. So it is a learning machine. This is a machine learning device. This is not a, we're building consciousness here. And in the end, it could be the smartest machine in the room and capable of giving the best answers. But it may not have the true emotion that we all have as human beings. We'll see. I mean, we're just moving so fast. We will have further discussion on that issue even in the next few months. And we'll hear various sides of the question. And who knows where it goes. But I suggest to you that the good guys and the bad guys will both be able to get their hands on it. One of the big tech companies that is playing with AI gave away their code recently.
I'm not sure why they did that. That just asks for trouble. And it's also against their own economic self-interest to do that. But I suppose they had a reason for it. Are you familiar with that? Yeah, there's a number of them out there. I know one of them that was accidentally leaked was Facebook's version. And there are self-hosted versions. It's out in the wild. And yeah, they are being trained however their operators deem them to be trained. But they can train them to attack networks or they can train them to defend them. There's the training is where it comes in. Now, ChatGPT has become so popular because lots of people used it and it got really well-trained. And so each successive version has gotten better and better at generating content. A small thing, a small thing. I have to write a lot for ThinkTech. I have to write text. And I thought I could write. I thought I could write. But lately, I take my writing and I make my writing as good as I can possibly make it. I use the right words, grammatically and all that. And then I feed it into ChatGPT. And I say rewrite this for me or summarize this for me. And it does instantly. And you know what, Attila? It's always better. I can never do as well. So here's the problem with that. If you put that on a blog, now the search engines have the ability to detect whether the content was created by ChatGPT or not, or any sort of AI. And so it's a probability scale. But if you're hitting like 95% probability that whatever you just created has been augmented by AI, your SEO goes way down. The folks that are going to be coming to ThinkTech are going to be bots, not real people. So on our blog, for instance, it's all not written by ChatGPT. It's fine. I have a couple typos in there every once in a while. That's a real person. It's me writing them all. These weekly emails that you read from me. So there is some value in that.
I think there's going to become a divide at some point where there may be some pride in having something that's completely human-generated, because having things not be human-generated, computer-generated might just be not the same. Yeah. Well, I mean, this is fascinating. And we know that, Attila, you and me, we're going to have further discussion about this. I'm going to leave you with one thought, though. OK, go. This just came out last week. The industry that's going to be most affected by AI is legal. Oh, yeah. Yeah, I mean, let me offer a thought that I've had since this came up. So you have one AI lawyer writing one side of the case. You have another AI lawyer writing the other side of the case. And you have a third AI judge who writes the decision about the case. I suppose you could put them all together and say, give me justice. That's really scary. But I leave you with a thought, too, from now on, Attila, when I have ChatGPT rewrite my work, I am going to add, would you please include some strategical typos in your product so nobody will know? What do you think? It's possible. OK. You got to go. Thank you very much. As always, really appreciate you coming out, Attila. We'll talk again soon. Thanks, Jay. Stay safe out there. Stay safe. That's my line. Stay safe.