 I was just thinking at 5 p.m. on a given Tuesday, and we're here with Attila's arrest of Salandia, and we're talking about mysterious malware on Apple's brand new, well, almost brand new M1 chip. Welcome to the show, Attila. Thank you, Jay, for having me. I really appreciate you taking the time to make this show. You know, this is an important topic. Well, there are many topics that are important on your desk, so we gotta hit a couple of them anyway, but let's start out with the M1 chip. What's special about it? Well, you know, if you use your cell phone, you'll notice after a period of time, it gets a little warm, but it doesn't get all that hot. But if you compare that to, say, a PC, well, you know, use your PC for a while, and that fan starts to spin, it gets real nice and warm. That has a lot to do with the architecture of the CPU itself, and the M1 is so revolutionary, because if you look at the architecture, and this is on Apple's website, you can see it for yourself, they put everything all into one big, big pie. And that includes the CPU, it could use the RAM and the storage of the system, but it also includes something called the GPU, which is a graphics processing unit. And the GPU makes a big difference, not just in your day to day web browsing, but really when it comes to creative work. So a lot of the creative folk are really excited about the M1 chip, particularly video and photo editing folks. But if you really think about the other type of creative work that this is going to spread into over the next one to two years, it's going to be engineering, because an engineering laptop can run, you know, five to $10,000 easy versus an M1 chip powered MacBook can run between one to $2,000. So there's a big price difference and a big performance advantage. I mean, I like to compare this this MacBook that I'm talking on right now, you know, to the surface that I just got maybe less than two years ago. And it's about 20 times the processing power at roughly half the price. So that's a big leap forward. And so there's going to be a lot of excitement, you're going to hear a lot of that in the Apple community over the next I would assume next 12 months. And if Apple sales are any indicator, quarter over quarter, Apple is reporting record earnings and sales because of this phenomenon. There's they're making better and better products and this M1 chip that came out last November is a whole game changer for this reason. Now, one of the things that, you know, that I think of when you when you talk about this is that, you know, the world is moving and computer users and use all moving, you know, to new new functionalities. So for example, for example, database processing, very important, although that is frequently in the cloud or on some remote server, rather than in the unit on your desk. No word processing has to me word processing. And for that matter, spreadsheet processing is pretty much plateaued because how much functionality can you use? Can an ordinary human being use it? You know, it's like we don't need a whole lot of additional functionality. But where where it's really going places, and you alluded to this is in, you know, heavy calculations, you know, like for science and technology and engineering, and also in graphics, graphics or everything, because whatever functionality you're using graphics is in an ancillary function to that. If I make a financial statement or a spreadsheet, I want to see that in a pie form pie chart, I want to see that. And that's actually more important in terms of presenting the information. So what I'm saying is my perception anyway, is that we are moving in the direction of graphics graphics becomes more more important going forward. And the, you know, the classical office programs, they're stable, and we don't have to worry about them, because the computer is well, any computer is well able to handle it. All right, am I? Well, there's there's a byproduct here we haven't talked about. And this addresses your concern directly. So if I bring out my surface, I'm likely to get at best maybe four to six hours of real computing time using that device before I need to plug it in. And that's that's about enough of an airplane ride from here to the mainland. And that's great. But with this new M1 chip architecture, the MacBook Pros have been rated up to 24 hours of uptime. So that means that you can start typing a lot longer just because of this chip architecture. And remember, this is just M1. What about M2 M3? They're already working on the the next version of these chips. So I predict that we're going to have not just, you know, stronger processing power, but a lot longer battery life similar to what you would expect from, you know, your cell phone, you know, cell phones used to last a couple hours. Now they last a couple of days if they're set up correctly. So there's going to be a big future, I believe, in this new architecture. So it's really exciting, more expensive. Well, that's the thing. It keeps getting cheaper and cheaper. The reason that this architecture is so critical is because it involved a rewrite of the entire Apple operating system. So this new version called Big Sur is designed to take advantage of this new architecture called ARM. And that ARM architecture is the same kind of architecture that you've seen in cell phones. You've gotten kind of used to that. But that highly segmented, highly efficient architecture is not something that Microsoft can quickly emulate. It's not something that Intel and AMD can quickly, you know, switch things over because it involves a complete software rewrite to address unique hardware. That's where Apple, I think they merged the two, right? Because they have the supply chain control over both. And, you know, when Apple and AMD and Microsoft eventually do kind of collaborate, and I'm sure they probably are, to address this new problem. I mean, they could be years behind by that point. And meanwhile, Apple just keeps pulling further and further ahead. Now, to be fair, you know, I use both. I got PCs, I got Macs, you know, everything. But we have to look at what is it that our clients are using and how do we protect them? And of course, that segments into the new vulnerabilities we're seeing with the M1 chips, because of course, whenever people start using something new that works really well, everything starts to become more vulnerable because it becomes a target. You called it mysterious malware. What can you say? Well, you know, I don't speak the foreign languages like you do, Jay, but I can tell you this. It's pretty scary. Silver Sparrow is a piece of malware that was adapted specifically to take advantage of the M1 chip. It also works on the Intel versions of the MacBooks. But the reason it was so scary is because, first of all, it popped up right away. And they said, oh, we've got this on 30,000, you know, machines all across the globe, 150 countries. How did it get there? Nobody knows. What's it doing? Nothing. So it was essentially, it opened up a back door, it stuck it onto the computer, and it just sat there and nobody knew what was going to happen. Now, luckily, Apple has since passed the systems. And if you feel that you're potentially infected with something like this, any up-to-date antivirus program can catch it and remove it. Obviously, on all of our clients, we ran a script that automatically patched and removed and checked for any of these infections. So having a good cybersecurity company in your corner can really help if you're a little nervous about this kind of scenario in your Apple environment. You know, we haven't used the pillory in the stock for a long time. But I think there's a place for it. With due regard for human rights, there's a place for it. And you take those hackers, put them in the pillory in the stock, maybe it'll help. Well, nobody, they're not getting caught, you know. No, that's the thing. I mean, these guys are not stupid. And they're highly organized. They're very smart. They pick the best of the best. There's a lot of money at stake. In fact, the reason that we're having to deal a lot with compliance, specifically with CMMC and State 171, these kind of maturity model frameworks, they're bringing them out at the federal level and it's going to trickle down to the state level, eventually is my prediction. But the reason that they're bringing this out is because billions of dollars of intellectual property, U.S. based property is being stolen every year. And it just keeps getting worse. And a lot of it has to do with not having strict enough standards and having good cyber hygiene, which leads to all these problems occurring. And that's how all the news articles get out. I mean, you mentioned that there was a camera leak. And of course, it was because a vendor did not do a good job in securing their infrastructure and allowed folks to tune in to cameras at Tesla and at hospitals. Yes, that makes 150,000 cameras to be specific. It's old news. I mean, the cameras for a long time at many companies have not been secured correctly. We've had to go on there ourselves and secure camera sisters after they become infected. This stuff is an ongoing problem. Cameras are Internet of Things devices and there's no security standards on them that's uniform. Do I care if somebody hacks my camera? Well, it depends. If you have it in your bathroom, for sure, yeah. Trust me, it's not the bathroom. Well, and that's the thing. One of the concerns that comes up with PCI compliance of having cameras that cashiers is that if you put your credit card onto the counter there, can the camera see it? And if it can, then yeah, that is a PCI compliance violation. So you've got to be careful of that. Interesting. Interesting. So we spoke a little before the show about, you know, the solar winds issue a few weeks ago. And it's very troubling. I mean, it seems to be a horrendous story about this every few weeks. The solar winds was scary in the sense that it was a hack that happened inside this country by actors outside this country. And now, according to this story that just came up today, it was not only the Russians, it was also the Chinese working, not in tandem, but in parallel. They're all on us. They're all working on us. What happened? What can we do? Solar winds, and you'll notice if you go through our blog, there's not really too much. I brought up about solar winds. We've had to deal with solar winds directly as a vendor, even though their Orion product was the one that was technically compromised. I suspect, and you know, I could get in trouble for saying this, but you know, I suspect that their other products are also compromised due to the kind of unusual activity we saw on them. And that just goes to show that they don't really have a good gauge on how bad the infection was. And for those viewers who have not heard of the solar winds attack, it's real simple. At some point in the, about a year ago, the solar winds products were, you know, left open and vulnerable and someone inserted some code that then was able to trickle out to all their systems. And you may have not have heard of solar winds because it's an industry product. And much like the, you know, the back end type of industry products, they have a lot of fingers in a lot of places. And this is specifically a management product. Think of it like, like a big wrench that you can use to control computers, thousands of computers across corporate and government networks. And that's exactly where solar winds specialized in, especially the Orion product. So federal, states, even Microsoft uses solar winds products, and it allows them to, you know, wrench and, you know, manage, update, patch, keep them all secure. It's a great tool for that. But unfortunately, if someone up the upstream is able to infect those computers, then now whoever's monitoring that has full access to whatever the technicians can see who are using the solar winds platform. So in this case, they can put in footholds inside of networks that we still don't know about. And that's not likely to go away anytime soon. So even though they pull the plug on Orion, I believe that that brand is tarnished. And since then, by the way, solar winds has spun off and says, oh, we're going to have another product called Enable. So we're no longer solar winds enable, we're just enable. And, you know, they want to distance themselves from the name. And, you know, it is unfortunate, but it is also one of those things that is not the first time we've seen supply chain attacks. Vendor reputation management is very difficult. It's a growing industry that I don't think even existed more than a few years ago, where they were looking at the vendor supply chain and making sure that they were secure up to the point of doing business with your company. And, of course, when it comes to doing business with the government, they decided to set up their own private way of ensuring the supply chain through the CMMC that's a cybersecurity maturity model certification program. And that's something that they promised to roll out last year. But of course, because of the pandemic and because of the complexity of the program itself, they're not going to be rolling that out until the next, next, I believe, is 2025. But that's going to be slowly rolled out to government contractors and anyone doing, you know, business with the Department of Defense as a requirement of the actual awards being given. And so there is quite a lot behind making that happen. And in fact, we just learned also that the SBA is going to be requiring a CMMC level one certification for anyone who is applying and wants to be approved through the 8A program. And that's the program that benefits those who are either a minority, a woman-owned or veteran-owned companies. Well, has the government been doing a good job on this? Because, you know, at the end of the day, if you ask the guy in the street, who is supposed to be protecting us, he's not going to say it's the manager or the solar man. He's going to say the federal government. We have all these intelligence agencies. We have cyber security left and right and up and down. They're protecting us. Are they? Yeah, that's a great question. It reminds me of an interview and also in our dealings with the FBI and Homeland Security. We've had the same experience. People like to use the word they. And the more you work with them, the less there is no they. It's just everyone working together to do the best job that they can. There's no, there's unlike this, you know, nefarious overlord, despite what you may have heard, dark, deep, you know, government shadow government that's. Sure, the deep state. But you know what, if I if I call the FBI one afternoon, today's a little late in the day, but say tomorrow, my name is Jay. And I want to collaborate with you guys. I think everybody has to work together to stop the cyber crime. Do you think I'd get past the receptionist? FBI is very good at collaborating with private sector. It's just you have to remember that they are working with critical infrastructure companies. So those that are energy, transportation, food and shipping, of course, and what they want and utilities. And they want to make sure that those companies are taken care of first. So if you call them up and said you had some sort of insider information that would show that you knew about access to a utility company, they do have a good process for this kind of thing. And you know, I think that's Jay is going to make you feel good is that it's not that, you know, everyone's just kind of running around with their chickens with their heads cut off. They have a very structured approach to working with other departments within homeland security with the private sector. And that communication line is pretty well established. So yeah, Jay, you know, if after this you want to get in touch with some some contacts, I can put you in touch. It's, you know, they're all very open and very honest and everyone's doing their best to try to mitigate this problem. But they appear with you here today. What's that? Would they appear with you here today? Yeah, we could talk about that. Sure. They do try to have good community outreach because they do want to educate the the anyone that they can about common cyber threats and how to avoid them. Because what it really comes down to is security awareness training, that whole idea that much of this can be stopped through the human firewall. When it came down to this Mac and more distribution, you know, when it came down to Silver Sparrow, that's that's the that's the vulnerability specifically. They said, well, we don't know how it spread, but there's only so many ways. And it's, you know, someone clicked on email, they should know someone clicked on a website, they shouldn't know. And someone maybe went on the internet somewhere that they shouldn't know. And that the and that ends up flowing into the machine. And we see that over and over again, it's employee behavior that has the largest impact on an organization and on our society as a whole. This troubles me that we have Russia and China both working on us, you know, it's bad enough we have other geopolitical contentions around the world and both on Russia and China. But now to find that they're both working, you know, on hacking us to say nothing, not even to go to the question of what they're doing on voting rights. But I just got a call the other day from a lady who didn't know where to turn. She saw one of our videos on YouTube. And, you know, I just I felt really bad for her. And we tried to like help her out the best we could. But she called up because she was a victim of, I'm not sure if it was romance scam, which is one of the top, top types of scams out there. And no one, you know, no one's going to pay attention to her because, you know, she's not a big corporation or, or a big, you know, well-known company of Fortune 500 or whatever. But she had someone who was giving her death threats, if she wouldn't pay them in Apple gift cards or wire them money. I mean, that's the kind of, that's the kind of like horrendous activity that, that I mean, gets overlooked, right? And who's going to care about someone like that? And that's why they do it to somebody like that. Yeah. Yeah, exactly. So yeah, the big boys, the guys with the, you know, $100 million government contracts, they're just being lazy. What about everyone else who's just doing the best they can to survive a pandemic, to use their computer to work? And, you know, they're dealing with infected ad networks, they're dealing with, you know, incredible amount of sophisticated email targeted spearfishing attempts. And, you know, they're getting duped and exposed to these kinds of things. And this is why the training is going to be so important. I mean, everyone talks about, you know, why we make changes in society. Well, it's because people at one point decide that this is not going to be okay any longer. And we're going to do something about it. And you can only do that at the individual level, right? And that, that comes to any topic, whether it's cyber or climate or political, you name it. It's at the individual level that people can make a difference. Well, we have to be, we have to be more Akamaya about it. You know, one thing I wanted to ask you about it is, is my cell phone. Because I can download things on my cell phone and do all the time. I can email messaging this as well through a portal of some kind. And that means there's vulnerabilities on my cell phone. You're the guy, by the way, who showed me the way to Android. I don't know if you remember you counseled with me and showed me and I've been an Android user ever since. But query, you know, and people say, well, if they, if they hacked my cell phone, I just throw it in the trash. You know, I get another one and it's not a problem. You know, the cell phone is not really an exposure to me. But we know that's not true, is it? Well, an interesting study came out, this is about a year ago, where a company said, you know, let's just watch what kind of cell phone traffic is going on on these cell phone networks. And they looked at the big boys, I think it was AT&T, Verizon, T-Mobile, and they found that up to 60% of the traffic that was going on on cell phone networks, the data traffic, didn't look right. Meaning it was going to compromised ad networks. It was cell phones attacking other cell phones. It was cell phones attacking critical infrastructure. And these, this findings alarmed them. And it traces back to infected apps in the app store. And we've done several, you know, entries on this on how there are apps that are discovered to be vicious and you want to remove them from your device right away. But that all falls into that whole supply chain problem also. So remember SolarWinds, how it was a vulnerability that trickled down from the, from an original source and ended up inside the code, which then ended up at the customer. Right. It's the same problem with apps. And that's very difficult to mitigate. Apple does a decent job. You know, Google does a decent job. They all do the best they can. It is all best effort. But it also comes down to employee, I'm sorry, individual education. If you launch an app that is, let's say a game and it wants to know your location, that's, that's kind of odd. But you think, why would an app that's a video game or a little game like Solitaire or some harmless game, why don't we need to know where you're at? Why would it need access to your camera? Why does it need access to your contacts? Right. And most people just say, oh, yeah, sure. I want to play, I want to play the newest version of Bejeweled or Candy Crush or whatever. Right. But those are, those are malicious apps. They don't need access to your phone in that way. So don't let them through. Okay. So you say no when they want to know your location, but how do I know my phone is clean? How do I know my phone doesn't have some sort of trojan horse on it that will, you know, connect up with a nefarious network somewhere and do bad things not only to me but the community. How do I know my computer doesn't have that? Well, luckily there is some safeguards so you can enable trusted apps in the Google Play Store because you're an Android user. So you can go in there, you can change the trust rating. So you want to make sure that that's enabled on your phone. And then just in general, you can look at background processes and just kind of see what's going on. So for example, Internet of Things, they seem to use apps, but Internet IoT devices like the, you know, like smart turn on, turn off my lights kind of apps that are on your phone. Those will sometimes run in the background. You kind of wonder like, why are they running in the background? Why does it need access to my information and such? Those are kind of the kind of apps for you. If you have any suspicion, just remove them from your device altogether, return the device. There have been more IoT hacks probably this year than I've ever seen before. And there have been known vulnerabilities that in such things as smart TVs and FBI disclose some years back. I don't know about new ones, but, you know, the CISA website, that's a great place to go. The FBI website, great place to go. And believe it or not, a lot of times when we talk to the FBI, they say, you know, there's this great article from Bleeping Computer that really explains this problem very well. Bleepingcomputer.com is a great website to find out about how some of the internal workings of some of these vulnerabilities, how these hacks work. And of course, if you're using a product that's listed there, then you want to remove that product right away from your mobile device. Yeah, yeah, something about the price of liberty is eternal vigilance. But let me ask you one other thing, you know, there was a piece on 60 Minutes a month ago about how these ancestry type sites that take your DNA, you know, and they keep it in a big database, and then, you know, your whole family is in there. It's remarkable how much they know about you. I mean, for example, you get married, all right, and the thing knows who your wife's family is right there. What you're going to do is tell it you got married. Now it knows, you know, all the DNA for it. Not only that, but there's a whole genome thing going on. And apparently, some of these ancestry type sites have shared or lost data to organizations in China. Let's say China could be Russia as well, but let's say China. And they collect it. Now they know. They know your, they know your DNA, know your genome, they know your, your health. They know your family. God knows what else they know, because they have other sources, which they can integrate with that kind of medical information. And people say, I don't care. I don't care if they know I have a weak source. It doesn't matter to me. But what should it matter? Well, and add insult to injury. You paid for it too. Right, exactly. So it wasn't, it wasn't even so much that they kept your data, but you paid for it. One of the real concerns is how they, you know, that data is supposed to be kept private and yet it's being used for law enforcement. So that, that I think there were a few arrests last year based on some DNA, they were able to trace some DNA data back and forth. I'm sure if you Google, you'll see. I'm not sure if it was ancestors. It wasn't ancestry. It was one of the other big ones. And well, that, that is going to be a real risk. So it's, it's more than just, you know, maybe China has a copy of your ancestry record. You know, if they're, if you ever commit, commit a crime, or you know, someone who does, they may be able to track it using that information also. I think I lose out here is I, let's assume they had the, they had this ancestry type information for everybody in the country. So what, what are you going to do with it? Well, have you seen Gadica? No. It's a movie about this exact scenario. And in the future, or should I say in the future of the movie, they talk about how I created a class system. So some people had access to some resources who had good genes and those did not, did not have access to some resources. If you want to live in that kind of world where we start breaking up, you know, your ability to, you know, excel in society based on your genetic code that you have no control over. Or even if, you know, if we have genetic manipulation prior to birth, and then you become, let's, you know, let's just say a more perfect version of a human being than, than the last generation that has maybe access to more things. You know, do we have that kind of society? These things don't happen overnight, but they do happen pretty quickly. And with any worry, you know, during the Trump administration, we came close to a dictatorship and that's still possible for sure. And in a dictatorship, if the government can control by the dictator, can get data on you, on your health, on your personal information, on your friends and relatives, on, on your geolocation, you're a great disadvantage. And that can be used by a wayward police organization to make your life miserable, as, has never been the case so much so before. So I, you know, I do worry about that. And I wonder what your thoughts are. This is another show sometime until I wonder what your thoughts are, at least in general, about what I can do, what I should do to limit that, you know, that, that, that, that hole in the boat. You gotta, you gotta be educated, use common sense. You know, that all this, all this stuff we talk about is all human nature amplified by technology. Right. I did a piece some time ago about the romance scammers, the, of the, of the, or the Bedouin romance scammers, and they dress up like Johnny Depp. And you can go into, where is it, where they have the, the city's carved into the rock faces. And, and they're all kind of sitting there. And, you know, they, they romance tourists. And they've been doing it for hundreds of years. Now it's just digital. Right. They found a better way to do things. Folks have been working for years on a computer. Now we're using cameras, but, you know, nothing's really changed that much. So having a good foundation, having healthy skepticism, not be completely trusting of authority. These are all really good human traits to begin with. Have a free thinking mind. Be educated. I mean, one of the criticisms I remember back in economics class, one of the criticisms of capitalism was they had to be an educated consumer. Well, we're all educated consumers about the products that are around us. Why not be educated about the information that comes into a, comes across your screen. Right. Do you really trust it? Is it something you're going to act on? And especially if it's acting, if it's asking you to act on something right away, that's your big red flag right there. That's your big takeaway. If you want to write it down. Anything asking you to take immediate action right away? Yeah. That's, that's a big red flag. Don't, don't. We're going to put that on the final exam. So what about one last question and we'll have to go. You know, what about the government in that? I mean, this is an awful lot of hacking and, and fraud online fraud is especially during the pandemic here. I mean, these guys are stealing, you know, lots and lots and lots of money from ordinary people. I think it all could, using the power of the internet and programming and scripting and all that, to steal your money from you with all kinds of scams. I mean, it's everywhere. I don't think the government is doing jack about it. And I really think the government should do jack, but it takes, it takes money. It takes personnel. It takes somebody to meet them at the pass and, and then prosecute them. Are we doing that? I don't think we are. And if we're not doing it, what can we do? Well, you know, you just got to go back to the source. If you know that if you know that you cannot get that money back after it's been stolen from you, you know that safety net is not there. You're aware of that fact that maybe you'll be more skeptical about these things. There was a recent, one of the associations here was in locally in Hawaii had an AOAO. They had $250,000 stolen from them. And this was about two years ago. And they never got that money back. And I just heard today from one of our clients that, you know, they got about $26,000 attempted to be stolen, but their bank was much more vigilant, was able to stop the transaction. So I believe that over time, the banks are becoming a little bit more of a safety net, which is, which is good. But let's just assume the safety net does not exist. Don't be using fax machines to try and wire money. That's silly. Do things the proper way. Use reputable sources for, you know, for these kind of things. And especially when it comes to money, just call the, call the bank or call the, call the company or call your credit card. These kind of things are going to happen. You have to assume that every citizen's personal information is out there and has been taken. So let's just start there. No, no one is, no one is 100% safe. Even if you're off the grid, then, you know, maybe you have a family relative that's, that's had their information stolen and they're going to try to extort you somehow. So you're not safe. So let's just start there. So using that common sense, having that, having that, you know, vigilance and a lot of the personal training is, is free. There's a lot of kind of like personal training available. If you're an individual for businesses, we do a lot of training, but there are plenty of other vendors out there you can talk to about making sure that your staff is trained. And the reason I like to harp on businesses more than individuals is because there's more money at stake. There's more businesses with millions in the bank than individuals with millions in the bank. And even though an individual could get wiped out, they could probably get back on their feet. But if a business gets wiped out, we're talking about a community destroying event. Everyone who's employed by that company can be out of work and may not get back on their feet. And unfortunately, I've seen that happen. And that's just not what we need in this kind of economic climate. No, especially in this kind of economic climate. Well, let's, let's circle back again a few weeks from now. And perhaps you can tell us that all these matters have been cleared up that we need not worry at all. Who knows? I've got a good job. What am I going to do? I would hate to see that. And tell us the rest. Cylinder, thank you so much for joining us today. Thanks, Jay. Stay safe out there.