Welcome to Cybersecurity Today, the Month in Review show. We have two of our regulars back. Laura Payne. Welcome Laura. Hey Jim. Thanks. Drum roll. And David Shipley. David Shipley back as contestant number one. He's been our reigning champion. No. Oh, that's Jeopardy. Sorry. David Shipley. Welcome. And Anton Levaja and Anton. Did I say your last name right again this time? Yeah. Yeah. That was great.
We went through all this and then I spelt it wrong in the interview and people who watch the show will know Anton. We did an interview with him about two weeks ago and I went, this guy's gotta be on the panel. So there we go. For the panelists and for Anton. 'cause you're new to this. This is how the show works. We have asked everybody to select one or two stories and we try and Give a little depth to them. Do a little bit of a deep dive.
The person introduces the story, tells the story, and sets the stage for everybody, and then we discuss it and sometimes we can't get out of the first story. I never promise how many stories we're gonna get there. All I know is if Shipley gets to anything on legislation reach, Laura, you're close to him, you can see, reach over it and just tap 'em. Yeah, we might need a special episode just for that. Just a well yeah. Listen this, but this is because we have a large American audience.
I never know how much they know or care about Canadian legislation. We do care about American legislation. and normally we have such a lack of legislation. We don't have to worry about talking about it too much, but, we do have one bill that's come up and that is a bit of a pain. So We might drift into there. So welcome back guys.
I'm gonna start with the first story that I want to cover, and that is the Mystery Leaker. And this started, I first wrote about it in The Register and I did a story that covered it. And there's an anonymous individual. He has the alias GangExposed, who said he's on a personal mission to fight against an organized society of criminals, and he's been doxing people. He got Stern, the leader of TrickBot and Conti, and revealed that Stern is actually Vital ko.
and he's also gotten the professor, I think, who, is this 39-year-old Russian named Vladimir Viktor Kko, I think. And that one I had struggled with Kko allegedly living in Dubai. So this guy's been basically revealing all of this information. The curious part is he's, he describes himself as a cosmopolitan who moves from city to city and just wants to stamp out this evil criminal gang. And he's turned down a $10 million reward, by not coming forward. So he's richer than I am. But that's easy.
And that's where I gave it away. I thought it was, first it was Shipley. But then the fact that he turned down the $10 million reward I had to start looking for other people. So you guys heard the fact that he, turned down the 10 million reward means he's smart enough to know that he doesn't want to get found and pushed out into an apartment building, for this and no grapes are quite as sweet as sour grapes. So can you say someone got screwed in an exit scam and payback?
These are my favorite stories, but whatever keeps you warm at night. Yeah. So you think it might be Shipley, but, and you're just turning out the rewards so you don't get pushed out of a window. You're in Fredericton, man. like how far can you fall from a window in an office building in Fredericton?
Russian gangs got long arms, my friend, so I imagine if someone's burning them left, right and center and they're thinking that they are a cosmopolitan, Thinking about showing up at a bank to collect your 10 million and, accidents happen. So I don't know. But I love it. I also love that this is law enforcement creating a persona to do it and then create fear and paranoia that there's an additional untrustworthy element inside of the cyber crime community would be Chef's Kiss.
I will note that law enforcement is doing hilarious things on the Operation Endgame website. And as your resident culture critic, I have to point out that whatever police officer thought of using AI to do a Japanese anime style trailer for making fun of one of the ransomware groups that they hack back on complete with theme music and characters is a bold move that I am here for. It's been a, it's been a wild week. A wild month, okay.
And now, and we have a brand new website where we're gonna actually be able to properly display the podcasts and the links. So you'll send me that link at the end of the show and we'll. Yeah. No. We should watch it 'cause it's just so spectacularly beautiful. But, it's one time Jim AI art. Woo. You gotta, Anton, you don't know, you don't know David getting him to say anything nice about ai. Is it? It's a magnificent accomplishment letting you guys talk a little bit.
How do, did you guys pick up this story this week? Laura, you anything on it? No I'll admit I had, I had not picked up on this one, but, yeah, it's, it is a, there's been a lot going on as I think we discussed at the end of. At the end of April going into May, there was so much. And then looking at this month again, it was like, oh, it wasn't really any quieter or calmer, so nothing surprising anymore. And Anton your job is to serve and protect people.
I don't, I, I think it's too hard to keep actually fully anonymous identity online, so I don't bother with that. Yeah. It, this one, like I said, this was really something. He has money though, and seriously, or at least has access to things because he picked up a, an FSB list. So he said he paid $250,000 for that, and he's talked to The Register. By the way, if you're out there, you can talk to Cybersecurity Today.
You can reach me at [email protected] before they push me off the building. I'd love to do an interview with him. That was an interesting story, and I think David, you pointed out correctly is. Anything you can do to stir up trouble on these gangs is a wonderful thing. It's been a great month for trouble. On top of the multi-season YouTube videos will be in the Operation Endgame website that I will send in the link. You've got Lumma Stealer going down, so this is perfect.
You're tackling the ecosystem right from the algae right up to the top level sharks. And so getting rid of that infostealer, and given that it the number one market penetration, you're causing a massive disruption inside that space. Then you've got Operation Endgame on top, which is taking out infrastructure and players and naming and shaming, which is interesting, right?
Because one of the leaders that's outed here of Conti, is the group that was responsible, allegedly for the Newfoundland, health attack. Dear Newfoundlanders, which was at the time the largest healthcare cyber attack in Canadian history, to be eclipsed later by the impact on five Ontario hospitals, Sylvie. But this is interesting. We actually have a face for the pain, naming and shaming man.
I think it's incredibly powerful and, restricting these folks summer travel plans and worldwide, freedom of motion that's imposing costs. So I am here for it. It's multi-layered. It's pushing back. I'm gonna enjoy the season of joy that this will bring before the inevitable next cycle, because until we stop paying ransoms, they'll be back.
Yeah. It's interesting to think about whether it's maybe just a really skilled white hat that kind of went undercover and infiltrated those circles and it's now exposing them from within. I love the idea, of that. I feel like it's a, Am I allowed to segue Jim? Yeah, absolutely. 'cause I feel like absolutely when my story Builds on this perfectly. I picked up a story on, LockBit leaks revealing how they are, downgrading their, barriers to entry.
And they're offering their light service now, which I think is just an interesting kind of follow on. So they were certainly seriously disrupted, late last year through police activity. And, this is their next step, in their business evolution. They have to get out there and recruit more ransomware to their ecosystem. So they're offering light now for the grand price of seven, seven, $7.
You too can now be a ransomware distributor, but you need no tech experience, you don't need to know what you're doing. And so it just continues to degrade their whole, in the early days of ransomware, we like to think that they had better support than many IT departments 'cause they were almost reliable. And, that is just going to devolve even further with this dog's breakfast of newbie attackers going into the ecosystem. So it'll be interesting to see. It's always interesting.
Every disruption results in a pivot. But I don't know that this will be, this is actually more just, I think they're just gonna make more money off of people signing up than maybe from the ransoms themselves, because the likelihood of paying a ransom on a poorly executed attack is going to go down significantly. That'd be interesting if they're making money on the franchise they've, these guys really are capitalists. Wow. Did they have a referral, program too?
You gotta sell X amount of shampoo bottles and X amount of ransomware. And Russian, Amway has got your path to be millionaire. But wait for the first 10 subscribers, there's more You'll get a shamma. Yeah. And so if you're living in your mom's basement with a computer and try to be a script kiddie, and you actually get invited out to a party somewhere, it's LockBit. I love that we just, Amway LockBit mom, I've got a friend, they've invited me out to a party.
You wanna believe that's getting you the eyebrow. If you tell your mom Amway or Russian. Cybercrime gang. Oh yeah. Yep. Who's up next? I can throw in a story that kind of ties into this, which is, from the crypto industry, which, I will probably tend to bring up more than others 'cause that's a lot of my background, but Coinbase, and because I do dus introductions, tell people a little bit about what you do so they can understand the crypto comment.
I'm a security researcher and I'm a part of a firm that specializes in helping kind of high risk companies keep their assets safe. And a lot of those companies happen to be financial institutions or digital asset companies. We have a lot of background in building vaulting and custodial solutions. So those take a lot of, effort to protect adequately. And that's the gist of what we do.
And we do some consulting and penetration tests, smart contract reviews, but lots of open source, development as well, building the tools that we feel we need to implement security the way we'd like to. Yeah. And Anton's firm, actually, you guys, haven't met 'em yet. Anton's firm actually makes these tools available to help other people, which is, yeah, we found that there was a lot of kind of gaps in, the approach we wanted to take and tooling that makes it easy to do.
So we even built our own Linux distribution, which is solving a bunch of problems that the others just weren't. But anyways, I don't wanna derail the podcast too much, that's how you know you're a Linux guy when you say, I had this problem, so I built a distribution. Yeah. Sorry to your story now. Yeah. so it was actually about Coinbase, which is. I think maybe the biggest, digital assets company in the world. And recently they got ransom.
They had some insiders that, got bribed and they were able to steal a bunch of information. It was like name, addresses, phone numbers, emails, social security numbers. It was for a small subset of their clients. And, the attackers asked for a $20 million ransom. But, Coinbase pulled, a total Uno reverse card and instead of paying them, offered $20 million to whoever gives them info about the attackers. And they, fully covered any loss that resulted from the ransomware attack.
So that cost them about $400 million. So I thought that was one of the better responses that I've seen to a ransomware attack. Of course, not every company has that kind of money to do that. no, you're not getting paid and we're gonna pay whoever gives us intel about you. The same amount you asked for. So I thought that was a cool way to deal with the ransomware group. it's like when those guys take on the mob, they say, I'm gonna blackmail you. Guy goes, you're gonna blackmail me.
I'm gonna blackmail you. I love it. So 20 million. Yeah, we're not gonna pay you the $20 million aggressive, but since we were gonna lose it anyway, $20 million to anybody who finds you. Yeah. And Anthony, one thing I was unclear of, so did they lose 400 million and they're reimbursing their customers, is that 400 million in the wind or that's what it cost them? Yeah, because of the resulting loss from the clients getting hacked because of this information leaking.
So they had a, as a part of that, you had to go through a process of confirming that your loss did actually result from this leak. And then Yeah, if it did, they would cover you. So yeah, it costs them 400. Okay, so these criminals theoretically got away with $400 million, but there's a $20 million bounty on them depending on how many criminals you're talking about. Four way split before taxes. A hundred million each. Okay. Is crime still paying looks at things?
Yeah. Yeah, they definitely got away with a lot and yeah, it makes me wonder, like how they could have done better in preventing that? this is like a thing I see everywhere where it's a lot of regulators require that you collect KYC, but I feel like the regulation around protective methods aren't as stringent.
So one idea that I've had for a while, and I've implemented in some of the companies I've worked with is this idea of you need multiple people to access certain, sensitivity or level of confidentiality on data. So if it's something that's not super sensitive, maybe you can access it individually, but if you need, let's say someone's passport or a more sensitive piece of data, you can build a system where you need to have multiple people, maybe even across different teams, work together.
And not every company could do that, but a company like Coinbase I feel should be able to afford to do that and should be doing that with their size. But just something that seems like a pattern that would work well yet nobody's really using as far as I've seen. Yeah. Or even just simple things like the rate at which you can access data. If you're a support person, you shouldn't be able to access more than one record a minute or something.
I don't know what the rate is, but that, that would prevent like, kind of data exfiltration en masse. The amazing thing about this is how low tech this leak was. They basically bribed a bunch of people. Yeah. Just good old, no, we're not gonna hack insider threat, anything like that. We're just gonna bribe people. One of the people, there's a story out just today, one of the people just took a picture with their cell phone camera.
First of all, what are they doing with a cell phone camera in a highly restricted area? But they actually did catch the person. But it was just dumb stuff like that, that, that gave this away. And of course, they'd offshored it to a company. But, and not that offshoring itself is a bad thing, but it's just, they've taken your records, these sensitive records, and sent them out to a company who they've no idea how, how, what controls they have in place.
And now the company's saying, we're gonna put some controls in place. One of the things to be like a, don't hire North Korean hackers to do this. That'd be good, and but second if you're going to have it, it's like another story that happened. It was not a security story where, there people had 600 people pretending to be an AI in India. In a company. Oh, I saw that. And this, Yeah. And so people would go on code this for me in ai and the AI would come back and say, I guess wait a week.
I have no idea. Its kind of a slow ai, this slow. How about mechanical Turk? Yeah. Oh yeah. this is the mechanical Turk thing. Yeah. Again, for people who don't know that was, somebody had a chess player, I think in the 18 hundreds, I can't remember. basically there was a guy hiding under the table. So they did this whole thing again. But the amazing thing is Microsoft, had them as a service.
all of these supposedly knowledgeable companies dealing with this company, nobody did anything like a real inspection. don't verify just blind trust. Yeah. So if you're offshoring or you're contracting stuff out, you may want to actually find out what types of controls people have about who they hire.
So gather around the campfire kids, because I'm about to tell you, this is not the only AI ghost story you're going to see when you've got a feeding frenzy and overhyped to the extent that's going on. And literally people pouring buckets of money to light on fire for any possibility that we're gonna have artificial generative ai. This is what a hype cycle looks like.
And when you start to see the blatant frauds like this pop, and companies you would think would know better, like Microsoft falling for it, that we're in the insane portion of the hype cycle. And it's hilarious. Like 700. Jim, that I heard about this earlier today and the first person I thought of, so Jim's gonna have fun with this. Yeah. It's, I believe in ai.
I just don't, I think that there's still one born every minute, on the upside, I got so many fewer calls from the CRA this week, so maybe that's where all center folks been directing their attention. No, I think that's, I think that's because the CRA's sitting there, like nursing their wounds after, after getting killed in court this week they went after Shopify. Is that, was that a story you were gonna cover or I no. I wasn't talking about the real CRA calling me.
Oh, the, oh, the Foy. CRA, there's a fake, Jim's not that much trouble. I wouldn't put that out on your, there's story. I didn't even give it outta the program. Yeah. Yes. Yeah. Right up there with the IRS. The calls pretending to be the IRS or the Canadian Puli. I've gotten those calls too, oh, wild. Please send gift cards to your. Your contact I will provide you Yes. To keep them from showing up on your No, thank you.
The moment that they actually have gift cards that we think cops would actually want, like Tim Horton's, they might actually have a higher yield rate, may or may not have just, given ideas, but I'm just saying Yeah. Okay. There goes the guest for my next law enforcement show. Thanks Shipley. I said Tim Horton's. I did not imply what in Tim Horton's, I just implied Canadian brand loyalty. There you go. Yeah. Anybody got another story?
So I wanna stay on the crypto beat because, and I. I'm about to make a very unfortunate segue, the cryptocurrency theme. Because remember we were talking, earlier in May, about this horrific case in New York City, where an Italian man was lured to New York, held, kidnapped, beaten, tortured, threatened with death and escaped. And the story just keeps getting wilder.
Now, there are New York police detectives under investigation for potentially being involved with this, and this is one of a spate of physical, real world crimes targeting cryptocurrency, owners, CEOs, et cetera. this has been a trend that's been emerging the last couple years. Their CEOs have been kidnapped. some individuals have been mutilated. organized crime is, Getting organized and realizing that, if you've got the super secure cold wallet gonna defeat the hackers.
We'll just cut your fingers off. So this is a dangerous asset class to hold the good old wrench attack. They realize that's very effective for this particular kind of, profile. So Anton, you're dealing with companies in that area, do you hear people talking about this? This is actually something we deal with a lot because a lot of our clients are crypto companies. And let's say you have your team going to a conference somewhere. this happened recently.
They were going to an event in France and it just so happens that in France there have been like three cases exactly like this since just the beginning of the year. And the most recent one was where they tried to kidnap in broad daylight in Paris, a van drove up to. The, I believe, son and granddaughter of a CEO of a crypto exchange based in France. And to try to grab them and shove them into a van, they didn't succeed, but they actually caught this on camera. You can watch the video.
It's really, crazy to watch. before that, there was also, I think it was the co-founder of Ledger, which is a hardware wallet manufacturing company based in France. They, kidnapped his partner, I believe, and if I got this right, they cut off someone's finger. So it's serious business. And this is happening, it's been happening for a while. There's a guy, Jameson Lopp, he's actually kept, a GitHub repository that's been keeping track of physical attacks in the crypto space.
And there's like hundreds now. So it's been definitely an emerging trend and more people have caught on. Lately what I'm dealing with is, every so often a client comes to me and is we're going to this event, what should we do? And so there's a number of recommendations we make around this, but some are like, don't wear swag with your company name on it. Wear a hat and a mask. It's normal to wear a mask now. So make yourself more incognito.
Don't post where you are, don't post pictures of where you are. Maybe hire bodyguards where we've actually done a bunch of research on reliable bodyguard services in different regions of the world. But it's very serious. A serious concern. 'cause yeah, when you have the cryptographic material that allows you to move a lot of funds, like you're an immediate target just makes sense for an attacker to come after you.
Again, it would seem that maybe some of the basic things that we use from the physical world could also be applied to this though. And that's, I have a. We have a, like in every small town we have a big drug problem. And all the pharmacies, there's nobody who can unlock this safe after eight o'clock or it takes two combinations to get in here and you'll never get in.
I think, in some of these crypto companies, having one person who's got the keys to get into everything's probably really not a great idea. Yeah, and that's exactly right. Like a lot of companies in this space, and this is something we encourage them to do, is set up multi, party set setups where we need multiple people, ideally across different, separate geographical locations to actually move the funds.
And so if you broadcast that and make it known that this is how your system is set up, the likelihood that you'll be attacked is lower because they'll need to coordinate, working across multiple time zones, jurisdictions. And it's not as simple all of a sudden of, now of course we could go and hold someone. Hostage and still ask for a ransom, but it's not as easy as immediately hitting somebody with a wrench and Ching getting the coin out.
Wow. Yeah. But remember too, like the threat model for this is quite sophisticated. If you're North Korea and you've been relying on billions of dollars of this to fund various programs, including probably a ship relo and repair, if you're not following the awful things that happen in North Korea, they tried to launch one of their new ships, navy ships and it. It did not go well and tipped over on its side and has been structurally damaged.
So they're gonna need a lot more money to build more warships. They're gonna be on the market hard with more wrenches and more hacks because, it accounts for a significant portion of their GDP and it's, their nuclear program, their ship like NA Navy, it's really messed up.
But yeah, it changes the way you need to think, because when a nation state actor is attacking you and they're funding literally everything they're doing, by whacking people with crypto, it's, yeah, all of a sudden all attacks are on the table. for pop culture references that scene in Back to the Future where the Libyans come after Doc Brown for the stolen uranium that he was supposed to get for them, but he was using to help, fuel the, DeLorean classic time machine.
What was once like the butt of jokes of these kind of hostile, very, negative nation state regimes having a very tangible impact on regular people, went from Hollywood to Wednesday. Yeah. And I think it's very much like that cautionary tale is the older institutions, so my background's finance, right? So the older institutions, they dealt with these problems like a hundred years ago, right?
And they learned how to separate people who were very visible and very, would have the appearance of power. And they have quite a bit of organizational oversight from. Anybody who has actual control over the accounts and things like that and implemented, yeah, the classic, two person controls and, all of these and it's really boring and it's not exciting and it's not fun and it's not what FinTech is all about.
It's not what crypto's all about, but it's going to be because these are the consequences of not learning from what other people went through past history. And, there's a reason why you don't hear about, bank CEOs getting kidnapped because. there's a lot of other things that are in place that already protect them. Yeah. And it's Edward, the guy who wears the bad suits who can actually open the vault, Or probably not just Edward, right?
No. I say this, 'cause early in my career, I was the guy who could actually open the vault, right? and it took two of us and you had to get, and there was this other guy, old guy, I have no idea who it was. it took the two of us to get in and I always wondered, why would they let us do this? And you go, oh, maybe now I know. Yeah, it's always uncomfortable when you realize you were somebody else's meat shield But, and I don't mean to go away from the jocularity here, but these guys, are serious.
this is serious muscle. we had Operation Shamrock on the program last week and we were talking about this. These are organized criminals who will do anything. They run human trafficking. They'll kill people. They'll beat people, we are getting into a newer world, where it's really just tough organized crime that is also getting behind all of this. Also, I guess I have breaking news.
I was just quickly looking up to see where the state of that, France kidnapping case, 'cause there's been a string of these. Apparently Moroccan police have detained an individual, Mohammed Amid Baju, a 24-year-old dual French Moroccan citizen who's thought to be the mastermind behind a string of brutal kidnappings of crypto entrepreneurs. And, they had an international manhunt since 2023 with a full Interpol red notice. This is, very much tied to this, surge of kidnappings.
In fact, what they were saying is in May 13, someone tried to kidnap the daughter and grandson of Pierre the CEO of the cryptocurrency network. that's it. Yeah. And then, there was a failed rescued the father of a crypto entrepreneur who had been held captive for days, for 7 million in Bitcoin. Yeah. This is crazy. So they may have actually, breaking news literally live as we tape. May have caught one of the folks behind this, but this cat looks like a serious, well-funded individual as well.
Another story that came up just in the normal world not in the cyber world. Quishing we, we've been talking about, Quishing for about a year and a half, but my, this really got my attention and I ran this story. Some old girlfriend , you've been cheating on me And they, and all your friends should know about this, puts it up on a telephone pole with a QR code. What are you gonna do? You know for sure. And bang, there you go. You, they got you.
This, these people are, we've gone from the criminal side of this to the clever side of this, but this is like, how do you deal with that sort of, problem where people are, they take QR codes and I did some work on a law enforcement show and there are people going and peeling these QR codes off parking meters. This is getting to be a big deal. Yeah. Yeah, I saw that too. Yeah. It's very sneaky. It's actually ingenious. So yeah, you click that QR code and, I don't know the tech behind it.
I was actually trying to dig into that. But you've now either downloaded software or done something without taking any other action Yeah. It's not very sneaky, right? It's just taking advantage of getting you to click a link. Except this time you're clicking your camera on your phone. To access the QR code. But yeah, the attack is the same underneath. It's a poisoned website that it directs you to that's taking advantage of a vulnerability and it's just spray and pray.
They don't care who they get. Yeah. Some of them are literally just, they send you to a payment portal and it's here pay here for your parking. Yep. You replicate what you're supposed to get to. If you're where I live and you go to Minden population 6,000 at the best of times, we don't have parking meters.
Actually, you can't do it on a parking meter, but if you go to New York City and the financial district and you put up some QR codes that people start clicking on, you're going to reach a fair amount of people with some significant access in terms of finance and other things, amazing. Yeah. I think what'll be interesting in that is, the middle layer there for the ones that are replicating, say a payment portal or so, whatever, right? They're having to. Sign up into the payment ecosystem, right?
So there are, the credit card providers, MasterCard and Visa of course, in the middle of this, whose fraud departments are really not thrilled about transferring money on your behalf into the hands of criminals. So there are certainly like middle layers in that, that are going to, do what they can to recover the cost. And as a consumer, you have some level of protection to say, look, I was defrauded, right? It was an illegitimate site. it was sneaky on their part, right?
I did not think I was paying them. They posed as a legitimate site. And so usually as a consumer, if you file a request, you will be able to get your money back from that. watch that, it requires your part. Watch that. Because the Bank of Nova Scotia, I believe, and I'll, edit this if I'm wrong, but I think it was the Bank of Nova Scotia tried to stiff somebody they claimed that he'd been defrauded or over about $20,000 and they just claimed you gave it away. Oh, wow.
It definitely depends on the circumstances. Yes. I don't know whether that was a credit card case or whether was that a credit card or was credit card yeah. Credit card. depending on the circumstances, It may be that, they will try to not do it, but for a small charge, they're more likely to keep your good faith. I don't trust, I just don't trust banks. Sorry, but I don't because for years they've been pushing fraud back to people whenever they get the chance.
I'm not gonna dump on BNS only 'cause you keep hearing story after story, people who've been defrauded and they. They inherit all the responsibility of having to track that back. First of all, as a practitioner in the cybersecurity awareness industry, I want to apologize to everyone on the planet for our industry inflicting yet another portmanteau that never needed to exist. QR code phishing. But Quishing is just, oh, it's just, it's like nails on the chalkboard for me.
It's triggering all kinds of visceral uncomfortableness. So it's interesting, right? You were mentioning, we've seen a lot of this, parking meter fraud, just covering up the QR codes. QR codes of course, are another side effect of the pandemic, There were another thing tech invented. Everyone was like, this is useless. And then all of a sudden, the pandemic, we couldn't touch anything. We wanted to scan things. Their phone, it became marginally useful.
I would also make the same argument for cryptocurrency, but Anton, he's gone all the way up to marginally useful. that, yeah, no, that's decent. I'll take it. I'll take away. it's super useful for criminals to get paid, but anyway, this QR code, it's just a demonstration of cleverness, right? And constantly thinking about things. The same people that are just spamming to say, you didn't pay your toll, are now gonna do the parking thing. And it's because the cost of doing crime is so low.
Chances of actually being prosecuted near zero. You make a few bucks here and there and it's a dishonest day's living, right? I don't have any data, haven't run any experiments how this plays out generationally. My dad does barely uses the smartphone parts of his smartphone. He's 75 years old. Like he may or may not take pictures with his phone at this juncture. But he ain't scanning no QR code. That's not a thing. So is this Jen Alpha's new poison?
Is this, you know who, who is this really gonna point careful David, one of your friends is closer in age to your dad than you might think. I know I look pretty age, but you're standing all actually out there using our phones and maybe all of the facilities of them, ageist. And the question of what is this target? I think it's really, millennials, right? The stress and I just want convenience, right? And I will admit to being at one edge of the millennial bracket.
So this includes people of my contemporaries is that an edge, fun, fun fact for the viewers, for those far aware visiting a site can be enough to get you compromised. This is largely because the V8 JavaScript engine that powers most browsers is so complex and huge that it's impossible to fully patch. And so even though we tend to think of browsers as sandboxes, they're actually not due to this reason.
And so every year there's, even dozens of zero day exploits for popular browsers that some of them allow you to break out of that sandbox and fully compromise your device. So Jim, I will point out a 2013 study, said that, seniors were only 13% likely to use QR codes, and of course QR codes were brand new by then. And, Statista, what are they saying for usage by age? Looks like our data that the youngest of the ones at risk in this thing may be pretty solid.
Yeah, and that's what I was getting at earlier about this thing and that, if you just get to the website. You've got a problem. It used to be that you actually had to engage, do something. We're getting technically more sophisticated about how quickly we can pass on any sort of corruption infection or attack. I'm gonna challenge you on the used to. There's been exploits forever that you just go to the site and you're done. I've been subjected to one, like 15 years ago.
It's been a thing for a while. It was a poison. And so in that case it was a poisoned ad, so it wasn't even, the site itself had been hacked. It was just somebody gotten an ad PO that was circulating and the ad itself was the poisoned attack vector. Yeah. This is the thing that we are getting to a level here where, we've talked about the physical attacks that are out there.
We've talked about the fact that you don't, the things that we've warned people about don't click, all of those sorts of things they're not as relevant anymore. Oh, don't click is still very relevant. No, but no, but we yeah. No, sorry, I didn't mean that. They don't, but that's just the cost of entry now. You, we people have to get even much more sophisticated about how they, how we they manage and how we educate them becomes more and more difficult.
Yeah. And I think this is where, the message about patching your devices is so critical, right? By the time Apple or Android releases a patch, there's like x amount of negative day vulnerabilities that are being, dealt with, so these are things that have been around and used for a while.
Laura and Anton are saying that they finally got around to patching because browser engines are hard. Traditionally zero click vulnerabilities were reserved for the most part, for higher end NSO group kind of shenanigans, where they're using, Pegasus to target people, this stuff gets expensive, right? Cyber crime still works on the. Old cheap still works before you have to spend real money. This is the economics and that type of stuff.
The other thing that's an interesting consequence is when we closed off, I remember the day everyone was waving their, mission accomplished flags on the cyber aircraft carrier for those kids not getting the references. The George Bush War on Terror moment that I'm shaping for the visual here. When everyone was like, oh my God, Microsoft killed macros, malware is dead. I'm like, no, my friends, you have just created the next wave of malware innovation.
And there were lots of attack surfaces that have not had the scant amount of attention because it has been like, malware creation. I'm not a coder, but I genuinely think of it like gold rushes, right? There's gold in California. Used to be Microsoft Word. There's gold in the Yukon, that'll be browsers. And the same thing happened when Mac became super popular. They started porting malware from Windows to Mac.
And so in I think it's 2017 or something, Mac for the first time had more new novel malware than Windows in the air. We saw that too. This stuff is why I always advocate for people. Vigilance is your number one friend. Being skeptical is important. Keeping your stuff patched is vital. But also anyone whispering into your ear buy my beautiful cybersecurity, AI, blockchain technology, and all your security worries go away is selling you snake oil. You forgot to say Quantum. I forgot to say Yeah.
Quantum. Nothing on the bingo card there. You're denied the prize. Anton Circle gets to swear. I missed quantum. I'm just gonna say even though I don't think David is discounting though the value of we, we think of our phone as like somehow not a computer. And it is a computer. So an extra layer of security protection is a good idea, from being trusted and rely is, again, none of them are perfect.
Yeah. But having something else on there besides just hoping and praying the OS is gonna do its job is a good plan. I, my strategy is I don't trust the phone for anything that I care about. I, I just go and deal with that elsewhere. So my phone is just considered to be compromised. I actually consider most things to be compromised. And that's probably a good starting point. I would point people, especially updates.
I would point people at the latest reports coming out about Salt Typhoon and that assuming everything everywhere is compromised is less and less tinfoil hat. Yeah. But you went back to updates and things like that. And again, we get back to the general people who are, in, in the general populace and many times, 'cause we, our equipment's all not sitting in some corporate place. Much of it is at home.
We're working with phones and all that sort of stuff, and we say things like, you should update your browser. I, I got instructions on a Chrome update because I was doing a story and I decided to go through the instructions that they gave and they're all wrong. Was it written by AI? Was it trying to get you to download malware? No. No. It's just nothing worked. I don't know if anybody ever notices this, but if you actually read instructions, I don't.
I use AI to get my instructions to get it right most of the time for Perplexity. But if you actually go and follow the instructions for most things, they don't work. There's, there's always something wrong or missing. Nobody spends a lot of time on this stuff to make sure they actually could do it. Listen, on behalf of IKEA users everywhere there is absolute truth to what you're saying.
There's that moment where you realize that you have completed a step that cannot be undone, but the little cartoon character did not tell you not to do with a frowny Frowny face. Oh, no. Yeah, that's okay. There's an AI now where you can actually take a picture and it will tell you how to put, I'll have, I assembled a CX five by five within 45 minutes yesterday, ooh, wow. Okay. I, yeah. The good, yeah. Yeah, that's great. See from that, I know Anton likes Lego.
Yes. And he works in crypto and understands actually how the blockchain works. 'cause he can put IKEA together. Yeah. But it's, there's an interesting theme, like as we go back to this entire story, right? The speed of which things are happening online in real life. The scope of the things that we're seeing the ransomware gangs are getting hammered. But physical gangs have picked up business. 'cause the story of the last decade of crime has been, it's all moving.
Virtual, don't have to swing the wrenches now, okay? Police are reacting virtually and wrench swinging has turned out to be back in the toolbox again. These are all things that are just happening in this iterative wheel. I think we're at one of those inflection points where, physical crime, I don't think this one guy getting nailed in Morocco is gonna stop this trend. And it's gonna be interesting how this is gonna play out.
If we continue to see, ransomware and extortion, because we saw ransomware attacks were starting to threaten physical violence. If you didn't pay, they were posting images of people's homes from Google Maps using that threat of violence. So it's interesting what I hold hope for is that generally cops respond a lot more actively to the violent crime portion. And so this may trigger a more visceral police response, but I think we're in for challenging times.
Said. It's very, counterintuitive that we're seeing more physical attacks with advancement in technology, but it definitely seems to be going up. I feel like the internet of things is fueling into it too. When we look at, crimes that are more easy to perpetrate, if you can defeat the physical security by taking advantage of a digital security control, looking at car theft for example, right? How easy that became to be executed.
My physiotherapist, that his car stolen like twice within a few months. 'cause they used the whole NFC repeater kind of thing where they got near his house and hijacked his car. We literally have a national security law in Canada that's landed with sweeping new powers in part because massive amounts of cars are being stolen. Ironically, and I will point this out, that they're not fixing the root cause of these car thefts, which is absolute insecurity of the car as IoT device.
To Laura's point, We're gonna do more. We can raid more places in ports and we're gonna spy the crap outta Canadians now. But no, God forbid we make, major auto manufacturers use encryption. I don't know. Crazy thoughts. But again, the things that happened to us, and I just, I wanna pull this back just as we wrap up our hour here, because now I used to say I didn't need an alarm clock 'cause I just woke up in the middle of the night screaming. But that was about backups and ransomware.
Now it's like everything is out there. How do we cope with that? How do we help? Companies and people cope with that. I know on the law enforcement end, they don't have enough budget we're not spending enough money on law enforcement, but they're still making do with their budgets. And I've talked to a couple people this week and there's the idea that the old idea where if you, you thought that you'd been blackmailed or you'd been, or you'd been scammed or whatever, you can go to the police.
And a lot of them are set up, particularly in Ontario right now. They have counselors now they're really starting to step up their game governments don't put enough money into law enforcement for cyber crime. They feet on the street sounds cool and you can get money for that, but fingers on a keyboard, not so much, but they're still doing great work. So one of the things I would say is that people think that there's any problem, violence, ransom, anything like that or fraud.
Go to your police department. There's places like Operation Shamrock that will pick up if the police don't do anything. So we are getting some ways of dealing with this, now. But on the rest of it, how do we educate people? How do we make them be safer? Yeah, I, go ahead. Just wanted to bring something up about, I don't know if you covered this before, but, isn't there like a new cyber security military, unit that was started like last year at some point? In Canada? Not that I know of.
No. Yeah, I was actually, so si cyber command November in, in the CAF. But cyber command in the CAF is actually more about protecting the Canadian forces. And it's okay. So it doesn't have anything to do with chasing down, like No, citizens. We do have, CSE and CSIS both got updates in various pieces of legislation, allowed them to do what they call active cyber. And actually some researchers in Ontario just published a report.
I just saw it the other day and I apologize to them if they're listening. It is a super cool report where they actually list. What we do know about the numbers of times active cyber are used as part of a disruption operation or other things. It's been used a handful of times. I think the importance of active cyber needs to be coupled with loudly talking about it. It's not speak quietly and have a stick to beat these gangs with a stick and have your Prime Minister out going.
And if you come back for more, you're gonna get three times the beatings, which is what Australia has done. And guess what they're seeing less shenanigans than we are. So it's typically Canadian to be like we don't talk about the things we do because we're polite. I'm like, no. Talk about how you burn their stuff, wreck their servers, expose their criminals. Be loud and proud. We are part of Operation Endgame.
I, I would be very happy if we were responsible for the little animated video that we did, but that was probably the Europeans. 'cause they're, very cheeky sense of humor. But we need to be louder about this stuff. And I think the one thing that I think is gonna be interesting is in, we have this almost patriot act like elements to what's happening in Canada with the border security stuff. So you have this big national security emergency.
In our case it's, oh my God, and we can't sell to the United States as our economic crisis. And our response is to pass a whole bunch of stuff the cops have been asking for in Canada since 1999, and our courts have consistently shut down. So it's interesting, right? Like it's a time. Yeah. And we're gonna do a special show on that, just even for the run of the Canadian audience and probably over the next week or so. 'cause there is, and I think there's a relevance to our US listeners as well.
We never assumed that governments would really, or maybe some of us did, but many people don't assume that governments will abuse the authority. At least that's the argument that's made. If we get all your data, we're only gonna go after crooks I don't think that's always true. And in Canada, just over the past week, the judges have started to say to, Revenue Canada was going for just wild amount of information from Shopify.
And the judges shut it down, said, you just can't do fishing expeditions. You actually have to have a reason due process and all of those sorts of things. That's the thing I get worried about is that in the rush to do things where we make the argument if you're if you're for encryption, then you're supporting pedophiles. We make these arguments at that level.
Instead of saying, no, there's due process and it's there for a reason to protect our privacy and to give us the freedom that we're supposed to have. And my concerns are practical, right? The, CIA, the NSA, in the United States both had all their super cool hacking tools either hacked and stolen or leaked, by their staff.
And if they can't keep the keys safe, I don't know if we've looked at the government of Canada's track record, but global affairs, we aren't exactly paragons of security no, you can't have global backdoor keys and they say they're not asking for back doors. This is the ongoing debate. This is Crypto Wars 3.0. Not cryptocurrency time. Back to the original crypto wars, which was, can I have nice things like secure banking online or are we gonna burn it all down?
I wanna end this with a feel good story, so it's just a nice local story. It was just highlighting that, there's a young man in, the Barrie area, his name's, I'm gonna find it. Sorry, who? Barrie's just north of Toronto. As part of his Chief Scout award project, he, was inspired to research on protecting against cyber fraud and cyber crime. His project got into the kind of things we've been talking about, QR phishing and, deepfake scams.
He put this all together and shared it with the Barrie Police who picked it up and said, how can we help amplify this? They actually hosted an evening last night. Just putting that out there, small seeds of interest can have big ripple effects. That is amazing. We're gonna end on that note. Laura, give me the contact. We'll do an interview with this young man. Awesome. That's phenomenal. We need a little more if you're listening, way to go.
And if you're listening, you've got an invitation to be on the show. That's our wrap up. This was an interesting conversation this week, but I think, as we said, Laura, you talked about it when we started, Laura, last month. We said there's a whole lot happening. It's never dull, never. Just wanna thank my guests, David Shipley, Laura Payne, Anton Levaja. Anton, you gotta come back and, and keep us honest at one point. I'd love to. This has been very fun and we'll. Yeah, this has been great.
So thank you to everybody who's listening. That's our show. If you've enjoyed the show, please let a friend know. You can find past episodes of our podcast now on our new improved [email protected]. You, by Popular Demand people have asked me to have, make sure we have more information on these things. You'll be able to find them there and you can refer your friends to that and all that good stuff. And just as a little bit of a personal appeal, we do take sponsors, but we're really picky.
We don't want people who are hawking stuff or anything like that, so we're always in a revenue crunch on this show. So if you'd like to support us, and help provide the content we provide to you, please go to buy me a coffee.com/tech podcast. That's buy me a coffee.com/tech podcast. And you can buy me a coffee. Thanks a lot. Thanks to our crew and we'll see you next week.