This is Think Tech Hawaii, Community Matters here. Welcome back to the Cyber Underground. I'm Dave Stevens, your show host. We have some lively content and discussion going to happen today. And joining me today is Andrew, the security guy, and Hal, our network guy. Welcome, guys. It's great to have you aboard again. Good to be here. We're going to just tackle some topics right away that just like, we're just going to get all fired up. I know we are. The one that's firing me up, though, we're just going to jump right into Rod Rosenstein, the deputy attorney general of the United States. So Tuesday he's giving a speech. Last Tuesday he's given a speech in Maryland. And apparently they're going to start the full court press on breaking encryption in the United States for tech companies. So they want tech companies to either give them the keys to the kingdom or build in a backdoor to all their security systems so the government can come and look at all your data. What do you guys think about that? What's the point of having encryption if it has a backdoor? We keep the bad guys out as their point. We keep the bad guys out of the data that we're storing places and data in transit. But then as we've seen with other federal organizations like the Office of Professional Management, who does the DOD security. Personnel. Personnel management, sorry. OPM. OPM. They leaked out my data, by the way. Yeah, if you go for security clearance, they know everything about you, right? Every last little detail, especially top secret clearance. And they got breached. So they released all their data. Equifax released all their data. So we're supposed to trust the government to build in a backdoor to all of our encryption and then trust them not to get breached because if they got breached, that's secrets out. And now all the bad guys can now look at our data. And again, we're back to what's the good of encryption? Why are we encrypting things? Then there is no more encryption. 
So their argument is this is a law enforcement issue. We've got to look at what the bad guys are doing. But then it seems to me, and you tell me if I'm thinking about this, right, it seems to me it comes down to just like snail mail, the post office, right? The government doesn't come on to open all our letters and open all our packages and look through all our mail. But this is equivalent. We're sending email, and they want to read it all. So if we encrypt our email, and they're saying, no, we want to read that email, but why don't they just go to the post office and open all the letters? I'm of the opinion that they already do, just so we're clear. They just x-ray it or something? No, not our snail mail. But they could, obviously. Pre-send, pre-package, pre-post, right? And so a couple of things. If they want the encryption keys, we don't need to have a hard-coded backdoor. They can just decrypt the information and read it, right? If they have a chance. They don't need to weigh in because they're going to, they can get in with standard protocols because they know the encryption, right? So we don't need to give them a back, because the backdoor is bad. We know that. We can't have hard-coded backdoors in anything. But if we give them the keys, isn't it the same thing? Of course it is. And they have not really demonstrated much of a track record for maintaining things like that over time. You're so nice to say they haven't had a good track record. I just don't see it. They've got complete failures across the board. There's a lot of stuff that hasn't been stolen, but there's a lot of things to have. That's true. We know this. We haven't heard about it. And we don't know. Some database is getting out. Yeah. And obviously we know when someone breaches something, especially government agencies who are trying to get intel about each other, they don't just go in, get in today, and take your stuff today. They go in and hide and work their way laterally. 
So there's an advanced persistent threat. Yeah. So they're waiting to sifting through, seeing what's valuable, some of it's good, some of it's from the guy on the grass. He knows who gives a crap, right? He's already gone. Those are the worst. The APTs, advanced persistent threats, because they're there for a long time, and they might not get something today, but there might be something juicy tomorrow. And that's the door to install other tools with, right? So to gain leverage on the networks, because that's how he breaks in, and he just stays there, and he never leaves. I can't confirm that. So that's what I think about that. I think that compelling us to give them something is ridiculous. I think they should hack it, figure it out themselves. Like, just keep working on your quantum computers, and you can break all our encryption. Anyway, they can afford quantum encryption and quantum computing, and we can't. So they should be able to beat us to the punch. I mean, I don't think it might be there. Who's this guy? Was he a senator or something? Rod Rosenstein? Yeah. Rod Rosenstein, deputy attorney general of the United States. What does he know about encryption? Anything? What's your feeling? Absolutely nothing. Probably a bureaucrat or a legislator. The only thing they understand is that it's blocking them from looking at you. Investigations, sure. And I think that people need to be able to protect their information, right? That should be my choice to encrypt it or not, and my choice to let you read it or not. And if I'm a criminal, then I think the cops should be smart enough to break whatever I'm using to hide it, you know? So it goes back to the Apple iPhone right after the San Bernardino attack, right? My personal opinion was the FBI was a whining bunch of crybabies. Go get better at your job. Stop asking us to break open doors. And someone did. They ultimately found someone who broke it open for them. That's what I'm saying. 
I think breaking these technologies is pretty strict. And they made themselves look bad in the whole process, right? Telling everybody we can't break this and having to hire an outsider. That being said, I would like them to shut down all this child slavery, sex slave trade. I'd like them to get in there and break also. I kind of think they are. I mean, a lot of these busts that happen, it seems like they're kind of in tour already and gathering information. So I'm functioning from a position they're already in there. These are the door in the dark web. Yeah, well, I think that all these encryptions broken is what I think. And so I think they want to keep acting like it's not. So they say, we want you to give that. So I think it's a big media stunt. I think they're already in there. They already know. And they can get to it whatever they want to get to. They just don't. No, that's a good question. That's really critical. From a law enforcement perspective, that is a great strategy. Don't let anyone know you're in. And that's the best spot right? He knows you. Yeah, he's begging like, oh, we really got to get this law, but you know, you're already there. That's a show. Yeah. You know, it's funny that this is a kind of a conspiracy theory that we're launching here. And in our last show, I got a comment on YouTube. And I told you guys, I was calling. I was called a fear mongering show. We're not fear mongering. I'm taking some. Cyber security, people shouldn't fear it. We know what to do, how to protect yourself to the level you can. Now, if you're a criminal, I hope you don't know how. That's what I say. Yeah, I hope so. I hope that they are broke. I mean, they can look at whatever I've got. I'm not hiding anything. This is what freaks me out a lot about the privacy war, right, the privacy issue, which people are entitled to their privacy. And you're entitled to all your privacy all day and twice on Sunday until you're doing something wrong. 
And then I don't think you should have your privacy more personally. That's just me. So they come to me. They want some help. How can you ask? Because you're a criminal. I'm helping. I don't want to be big brother, but I want to be his little helper. His little helper? For that kind of stuff. You know what I'm saying? People trying to steal state secrets. People trying to steal our technology. People trying to steal intellectual property from companies. We have a right to try to protect ourselves from that stuff, right? Sure. But in private citizens, up to nothing at all, the cops are going to come looking for you. Man, they're busy. There's a bunch of bad guys out there. It's all a matter of who's most important. Yeah. But that doesn't satisfy the privacy argument that this is based in. And I understand that, right? They want everything wide open to make it just completely for them. And so I encrypted it all then. Let's just make it wide open. I figured it already is. Well, it seems to me that if the law enforcement agency wants to break your stuff, they should get to be as good as the hackers that they're trying to protect you against. And they are. And fight a war on equal terms, not whine about, hey, we need less encryption, because that's just giving the bad guys tools, too. We're pretty good. I mean, you remember that little Stuxnet problem? Yeah, we're pretty good. For our audience who does not know what Stuxnet was, can you go over Stuxnet? That was an air-gapped attack, right? So developed to walk. Because this stuff's not on the internet, right? What they attack. It doesn't exist. OK, this is air-gapped. Air-gapped. So these systems that they attack aren't connected to anything. I've got to somehow get my malware introduced into a system that's not connected to anything. So just think it's in its own little box somewhere. And somehow I've got to get in that box. So what I do is I give a person something. A flash drive. To take in there. 
That's right. Walking a sneaker net. And they walked it right in there, as predictable, because humans are a problem. We know that. And they know they're not supposed to do that, but somebody did it. I want to know what's on that flash drive. They walked that virus. They walked that malware right in there. And infected that place and, in fact, tore it down. No, that was the attack on a nuclear plant. Yeah, Iranian, what do they call it? Centrifuge. Centrifuge facility, exactly, for enriching uranium. So those centrifuges operate on stepper motors, an electrical circuit, that have certain numbers of microscopic turns per cycle. And this virus apparently stepped that up quite a bit. So they spun. I think it burned them all up. It burned them out. Well, showing the operators that it was operating. Yeah, it looked normal. It's like, yeah, no alarms. How's that, right? But I'm going to spin you up at maximum and put you up. How's that? Yeah. So I'm saying. I mean, that stuff. So Stuxnet, I think if we wanted to, we could. And I just think if the attorney general, whoever's clown, is, if he wants to be in there, he's already there. So what he has to have, this is where there's protection, right? Because the FBI, people like that do these investigations, they got to go through some lawful processes to go investigate you, right? And so that's what he's trying to get around all that. Just have it evolved. He's just being lazy. They already can come in and look. So that speaks to the Trump administration, I think. Oh, you see. I do. I think they want it all. They want it right now, and they don't want to work for it. That's but the theme since he's been in there. Well, the rest of us have to work out here. I mean. I hate to admit it, but that's most of America. We want it all. But right now, we don't want to work for it. We just ain't been raised right? Or I mean. No, none of us have. We're selfish. What is it, the instant gratification people now? It's because of the, yeah. 
We do have access to a lot more than we've ever had, right? I mean, isn't it easy? Yeah, it's too easy. We talk about how our vice-hosts internet smart, right? You can go in because you read Wikipedia, now you know something. You really know enough to be dangerous is really the issue. Who does 50 pages of research? They just take the top of the link and go, oh, this must be what it is. They go read that stuff when they read it. Oh my gosh. So the person they call me a fear-mongering shill, I guess my statement to that person is please get your news from something other than Fox News, Facebook, or write nation.com. Go out someplace else and see that there's a bigger world out there. I have no idea how you stumbled across my video for Think Tech Hawaii. It must have been that I put gun laws in the title. Great, come on back sometime and have an intellectual discussion with me. I put a comment in your response saying that I'd like to have some kind of a dialogue with you if you could list your concerns. Other than that, fear-mongering shill. I take you seriously. Yeah, me and me. I'm fear-mongering. Name, call, and help. I mean, we're all about solving the problem here. We're not trying to make people afraid of the problem, especially when it comes to cybersecurity. There's many, many, many things that you can do. And people need to just do them. This is what we find. People are like, oh, it's mysterious. No, it isn't. It's well-written, well-designed, how to go in there and start assessing yourself for vulnerabilities and how to protect yourself. And that's what we're about. We're about to educate. We're about here to help. We're not trying to create fear. We were in fear mode like years ago. Now we're not afraid anymore. Now we know what to do. Now we're in the fight. We've crossed over. Yeah, we're in the game. We're in the fight now. And we're in the game. And it's, I think, who was it that said it? 
It said it to you and I both that we were somewhere and they said, cybersecurity, it's no longer a career. It's a crusade. Yeah. Yeah, you're on the front line, the vanguard of the assault, and you're fighting all the time. Because the moment you stop fighting, someone gets you. Yeah. This is how it is. And that's life. That's how it is now. And I love when people say, what have we come to that? Cyber security is such a big issue. And that's just so complicated. Well, if you go back any decade in the history of the world, there was always some horrible thing going on that you always had to watch out for. We had smallpox. We had polio. We had wars. We had the wars before. We're far worse than we were. War is very, very strange warfare. Yeah, World War I, man. You go back to the Roman eras where 400,000 people die in a single day. How's that? We don't have that anymore. Well, we have nuclear weapons. Maybe that'll happen. Do you think that's going to happen? What happened once? There was a couple of days there where we were testing. The technology worked. It did work. That's right. We have a passion for, as you mentioned, cheaper, easier, faster, more value, blah, blah, blah, technology delivers that to everybody. So they just get hungrier for more and more. But what they did, and a lot of you don't realize, that's what the consumer has asked for. That's what business built you, but they didn't build security into it. We've had cybersecurity forever in the IT space. It was built into the spec, the IEEE specification for all these protocols, all this stuff. Security's in there. But when they built the webcams, they didn't have that. The guys who designed it just didn't bake it in, because it was more expensive. And you, Mr. Consumer, wanted it cheaper. That's right. We wanted cheaper. We wanted great. We wanted right now. We wanted great. We're not so concerned about quality anymore. That's kind of it. Especially security, because you can't see it. They didn't know. 
So you know. But the UL's coming out with a standard now? 2900. I was just talking with them today, as a matter of fact. Underwriters Laboratories. You guys are going to get on that standard. There's a new standards development group. You guys should get on it. OK. I'll send you the link. All right. Yeah. I'm up for it. For sure, because they need that convenience. They need that one. I can do it. I can do it. Yeah, it's all right. We have nothing else on our plate. We're going to take a little break right now. I'm going to pay the bills. I'll be right back until then, everybody. Stay safe. Hi, I'm Ethan Allen, host of A Likable Science on Think Tech Hawaii. Every Friday afternoon at 2 PM, I hope you'll join me for A Likable Science. We'll dig into the science, dig into the meat of science, dig into the joy and delight of science. We'll discover why science is indeed fun, why science is interesting, why people should care about science, and care about the research that's being done out there. It's all great. It's all entertaining. It's all educational. So I hope you'll join me for A Likable Science. Guys, don't forget to check me out right here at the Prince of Investing. I'm your host, Prince Dykes. Each and every Tuesday at 11 AM Hawaii time, I'm going to be right here. Stop by here for some of the best investment minds across the globe. And real estate, finances, stocks, hedge funds, managers, all that great stuff. Thank you. Aloha. Welcome back to Think Tech Hawaii. You're on the Cyber Underground with Professor Dave, Professor Hal, and me, Andrew, the security guy. Anyway, it's National Cyber Security Awareness Month. It's also the Governor-proclaimed Hawaii Cyber Security Awareness Month. We're giving classes all over town in the libraries and the malls. So if you're worried about cybersecurity for your home systems or for your small business or whatever, you really don't know anything about it. And you want to come out. 
We've got some great advice that we're going to share with you, things you can do about how to lock down your log-ons, how to clean your PCs, clean your machines, what kind of backups you ought to be doing, things like that. So come on out and learn. Check out. There's a website up on the State of Hawaii website. So go just Google NCSAM, National Cyber Security Awareness Month. And you'll find us. And sign up and come out and learn how to live, how to stay safe online. I think that's the motto, stay safe online. That's right. So thank you. All right, guys, back to the episode here. OK, so I think the website you're talking about is ohs.hawaii.gov/cyber. See, that's why we have a professor here. Somebody knows something. I just met with Randall yesterday. He's trying to recruit me for stuff. Yeah, we need more teachers. I'm going to hon a car. I hope you guys are ready for me out there, Monday night. We're actually going to do our student club does pen test for local companies out here. We're looking for volunteers from the DHS, the FBI, the NSA to come out and mentor our students during the pen test. Nice. It's going to be big, two of maybe 30 students. Turn your stuff off, people. This is going to be awesome. Five different locations for this one company across the state, different islands. And students are cyber security qualified now, some of the CEH recipients. And they're going to participate. That's certified ethical hacker. Yeah, sorry about that. Yeah, I'm usually pretty good about that. There's also an event coming up on October 25th. Hal, you want to tell us about that? Sure. At Kapiolani Community College, we're going to be having a Wetware Wednesday. You know, what's Wetware Wednesday? Describe this to our audience, they might not know. It's kind of a networking slash social event for people in IT and students and professionals to just kind of get together and meet each other and share some information. 
We have a couple of speakers showcase some student projects. Yeah, some of the student projects that we showcase are the former pen tests that we've been doing for the student clubs. So they can show us the results of their last phishing email scams on certain companies. And they actually make some money for themselves. So how do I be there? Hope you guys can join us. October 25th. 6 PM to 8 PM, free parking, free food. And green spot. And no. We're not allowed to have alcohol on campus. Although I would say. That's the after party. That's the after party. Which is what you really want to get invited to. Well, you drink too much green spot, you have that what's that nerd argument? We always have Star Wars versus Star Trek. Oh, that's the kiss of death. Yeah, you lose all the girls at that time. That's bad. Let's talk about something else that's just a hot topic that's going to kill us. And this one, we're so passionate about this one. What's up with this thing called cyber insurance for companies? So companies want to sell you cyber insurance. And their premise is, if you get breached, if you get hacked, we'll pay for something. But that's kind of ambiguous. And you were telling me the applications you fill out are completely irresponsible, if you ask me. Because if you do get breached, then the real questions come. Can you describe your experience so far? You've actually seen these applications from insurance companies to apply for, quote unquote, cyber insurance. They don't like me very much. Well, you know what you're talking about. No, I know what questions to ask. And what I find is when we talk, we all talk about the NIST, the Cyber Security Framework. We talk about the control set that NIST developed, the 800-53, which is a set of technical controls primarily, you know, 99% technical, about 1,700 of them in the whole 800-53, I think. These are things that you need to go check to make sure you're doing it and therefore you're secure for that rule. 
Yeah, for that particular control. Multi-factor authentication, door locks that work that can be monitored and logged. You have rotating backups. You have a security plan. These are things that are just common sense to a lot of people. Yeah, administrative privileges. All these types of things are controlled, right? And so how they're described, what the control implementation that you have, is it monitored? Is it automated? Do you report on it daily, weekly, monthly, right? So there's a lot of measurement that goes on there. And these applications for cyber insurance don't talk in that language. They keep it very, very generic. And so it's, I think, most people that fill it out, like they, you know, do you have encryption? So they'll go, yes. But that's not the appropriate way to question. The thing to do is to look at the control set and see how you've applied encryption to the types of data that you have. Is it level one, level two, level three? According to the NIST has the RMF, right? The risk management framework. So, you know, there's all these other... Well, let's tell people we can get that information out. It's on the NSA website. On the NSA website. And at the National Institute of Standards and Technology, NIST, right? Yep. .gov. Yep. And you can go there and you can get the cybersecurity framework. All this stuff's there. All of the recommendations for all businesses. Even small businesses, enterprise, all of it. There's 800-171 for small businesses out there. So it's those small business regulations. We're talking about NIST makes special publications. And they code them 800-53, 800-171. And the 171 is for small businesses doing business with the federal government. Isn't 800 the IT series, right? It's been... Because there's 812 and all of those, right? There's a lot of other stuff addressed in there. But it's been around a long, long time. It's on Rev4. We've had this stuff for a... Rev5. Rev5. Rev5 is on Rev5. That's right. 
So, you know, so anyway, so this stuff's tried. It's tested. It's true. The best in the DOD, the best in the Fed, these guys, these are the rules that you... Now, it doesn't mean they always get them right. It doesn't mean, you know, that's our 1,700 controls. You might get one wrong and get hacked anyway. So we know this has happened, right? That's Snowden. That's Equifax. And then inside, our threat was Snowden. Sure, he had administrative privileges to go places. Well, he made an account and then elevated that account's privileges and then logged in as that account. So he didn't need a trace of himself. He went and did another account. What a guy. Yeah. Well, no one was monitoring that. There you go. They're not supposed to have privileged access that easily. That's right. And they didn't follow the rules. So you don't follow the rules. You get breached. And that's not if it's when. And so this stuff's out there. And when it comes to these insurance guys, and I've just been in some rooms with some of them and speaking with them. And it's not that they're trying to scam me by. They just haven't been doing it long enough. It's not a mature industry. It's not a mature offering. You know, for your automobile, how long have we had cars now? 150 years or something? I don't even know. About 100. I mean, that's how old mine is. I don't know about you guys. I think 1890s, yeah. So you know, there's a lot of information about cars and safety. And they've compiled all that. They built great actuarial tables based on age groups and where you drive. And just all kinds of stuff's known about it. But cyber for small business, there's just not enough information yet. All we know is it's all bad. So they give you this policy. It's very generic, right, with a lot of generic questions that you answer. And probably you're going to say yes, because you think that's going to lower your policy. 
Instead of actually going to discover the answer internal to your organization, like how's my firewall really configured? No, let's stop for a second and ask the networking guy. OK, so if you're filling out a questionnaire and you say, do you have a firewall? You say yes. What's wrong with that? That could mean a lot of things. What could that mean? That could mean that you have a Playskool firewall or that you get a Playskool firewall for 25 bucks on a price list or something. Or it could mean that you've got an enterprise-level real Cisco ASA, something like that. In the box on a shelf. Right, just setting it up. You didn't actually set it up. The other thing is, do you have it plugged into your network? And if so, is it actually doing any kind of thing? Or is it just set up to let everything through? Yeah, where is it on your network? Is it preventing everybody from going out, except through the firewall, coming in through the firewall? It's supposed to be right there at that point, right, the transition point. Did you change the administrative password? Are you applying that? Did you lock down remote access, right? You really want to work on it from the inside. You don't want to get to it from the outside. It's a much, much more complex question than do you have a firewall. Yeah. It needs to be a whole set of standards that the firewall needs to be configured according to. So I think we get back to NIST. Yeah. I refer people, the NSA has the commercial solutions for confidential. So they have guidance for things like Palo Alto, Cisco, Fortinet, Brocade, all of your major players. And if you put in this gear, you configure it this way. In theory, you're supposed to have one of their certified companies do that to actually claim your NSA. They only have like two of those companies in the state. You only want, I think, Referentia. Is it Referentia? Yeah. The only one. Which is, they're great. So I mean, use them if you really don't know. 
But you could follow that yourself and get, that's pretty good security. I mean, if you don't know what you're doing, that's some reasonable guidance. And the goal is not to make it impenetrable, because you're never going to make anything impenetrable. The goal is to make yourself such an unattractive target that they move on. That's right. Right? To have somebody layers to get through. To have layers, exactly. Somebody else is more easily hacked than you. So you're no longer the big target. If you want to find out, go to Shodan and just see if you're there. Shodan, the website that tells you all the default passwords for all the devices, like the firewalls and the considerate Wi-Fi. Or you can search it for port attacks, like just port 28, port 40, which ones are open out there. And this isn't even on the top right. 25, I guess, in Shodan.io, is it? Yeah, people have this stuff. Except if they're sitting there exposed, right? Shodan can find it. And it can see it in the northern. And then they publish it. And there's attacks that you can, there's attacks that they run against that, right? So I'll be saying, oh my gosh. So if you show up on Shodan, you better make some changes. Your firewall is not going to work very well. So here's my view of the cyber issues. You're already owned. You're right. Here's my fear with the cyber insurance, right? They ask you, do you have a firewall? And you say yes. And they give you your premium. But then you get breached. Then the questions come out that are probably in the fine print in size two font in gray on the very last page right below the signature line where it says you must have properly configured your firewall. Yeah. And they don't ask you that question. It's usually not even there. Yeah, it's not in the fine print. But then the investigators come out to try to not pay you. Yeah. Well, you didn't have this firewall configured. Yeah, you just asked me if I had one. It's in the box. It's right there on the shelf. There it is. 
I answered the question. You didn't really have to pile it up. Yes, it is. It's a pretty box, too. I've never seen it. But it looks like an expensive box. I mean, you know, so for, but anyway, that's, it's, and I don't get the sense they're trying to not pay. But I do get the sense, and it's, they're big, big companies, right? And they really know how to do insurance well. And I don't get the sense that they're doing, they're investigating cybersecurity. They're getting guidance, following known guidance, like from NIST or whatever. And this, this is what irks me because we can't all, Maybe you've called us. We can stay vague. We can talk and, and we can talk about stuff like it's not solvable, but, but when we know what to do, then we're just being ignorant when we don't address it properly, you know? And cause we need to talk in the language of controls. I think that's, that's a common language. It works across ISACA, NIST, and whatever it needs. All kinds of agencies in Australia, 35, doesn't matter where you go. They, there's cross indexes for all that. So we're just talking about, we're out of time. What? I know we can talk about this forever. I thought about it. While that's fast. Sorry, I didn't mean to rant. It's fast. So I think the point is AIG, Travelers, everybody call us cause we know what we're doing. Apparently you don't. So thank you so much for watching the show. And remember, stay safe.