
July 16, 2025 48 mins

In this episode of Ransomware Rewind, I interview Alexandre Blanc, a strategic cybersecurity advisor at Alexandre Blanc Consulting, to discuss critical issues in data protection and cybersecurity. He shares practical advice for consumers and businesses to manage their digital footprints, employ multi-factor authentication, and use encrypted passkeys.

We also discuss the implications of digital identities, data leaks, AI in cybersecurity, and the importance of maintaining control over personal data. Moreover, the conversation covers the future of AI, the need for public awareness, and tips to enhance personal and organizational cybersecurity postures.

00:00 Guest Introduction

00:46 Massive Credential Breach Discussion

01:07 Data Protection and Cloud Security

04:09 Risk Management for Individuals

05:11 Password Management and Security Best Practices

07:50 Digital Footprint and Dark Web Investigations

10:57 Identity Theft and Real-World Examples

13:06 Public Cloud Risks and Data Privacy

14:47 AI and Data Collection Threats

22:18 Digital Transformation and Human Impact

25:26 The Disappearance of a LinkedIn Contact

25:57 The Role of Technology in Human Control

26:19 The Debate on Connected Cars

26:54 Data Ownership and Privacy Concerns

27:33 Psychological Profiling and Media Influence

31:19 The Impact of AI on Cybersecurity

32:33 The Future of AI: Star Trek or Skynet?

32:51 Balancing Technology and Human Freedom

33:51 Generational Differences in Tech Perception

38:38 The Responsibility of Content Creators

44:44 Practical Advice for Digital Privacy

Joe Erle, Cyber Group Practice Leader at C3 Insurance

X / https://x.com/joe_erle

Tiktok / https://www.tiktok.com/@itscyberjoe

Insta / https://www.instagram.com/itscyberjoe/

Meta / https://www.facebook.com/joeerle/

LinkedIn / https://www.linkedin.com/in/joeerle/

Questions about cyber insurance? Email joe@c3insurance.com

Get the 14 Steps to protect your data here: https://c3insurance.com/secure-your-companys-data/

Mike Dowdy

LinkedIn / https://www.linkedin.com/in/mikedowdy/

Special Guest: Alexandre Blanc Cyber Advisor - Consultant - President and Owner

LinkedIn / https://www.linkedin.com/in/alexandre-blanc-cyber-security

Don't forget to like and subscribe!

 


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:36):
you're listening to the Ransomware Rewind
where we break down the latest cyber threats
data breaches and security
solutions that matter to you and your business
stay secure
stay informed
enjoy the show
welcome to Ransomware Rewind
Today I'm honored to have our guest

(00:56):
Alexandre Blanc of Alexandre Blanc Consulting
a strategic cyber security advisor
and
I'm a consultant with deep experience in incident
response dark web investigations
and helping organizations
from luxury brands to governments
with their cyber security stance
including privacy
and helping them navigate the toughest
cyber challenges that they face

(01:17):
today in this AI ransomware enabled world
he's recognized voice in the cyber community
and a leader at Infosure
did I say that right yeah
yeah that's right
I mean it was long
but that that's okay
and thank you for having me
I'm always happy to speak and share awareness
and discuss topics so that's the whole point awesome
awesome let's jump right in um

(01:39):
there's been this massive breach of 184 million
credentials uh
through Google Apple
Microsoft Meta
and they're just sitting online unprotected
how was this part of the this public cloud or how
how does the public cloud relate to this
ah well
you know that's touching my favorite topic there

(01:59):
uh data Protection and the cloud environment
well one of the main key we can is
you know when we see a big breach like that
that touch so many organization
this is triggering one keyword right now
it's SSO like single sign on and
you know it's been there for a long time
and basically the issue is like
SSO came as a great way to implement

(02:19):
audit and visibility on the security
authentication of users
and bringing one credential package per user
allowing to connect on many
many services
but the main issue with that is that you got a single
key for so many services
which make the leak of credential
a big burden to handle
because it's granting the attacker

(02:40):
whoever grab them access to so many services
that you don't even remember
you know
what like the key things from a victim standpoint
you got all that credentials out and you know
and let's say you have a Microsoft credential
or Facebook credential out
it's easy to remember that
that was the Facebook credential
but if you use that feature
like login with Facebook

(03:01):
or login with Google on third party services
it's way more difficult
for a user to realize the potential impact
of such leak so aside of the the incident himself and
and if people know me
like it must have been the cloud leaking once again and
you know I mean I
I don't know the
the root cause investigation and the result about it

(03:22):
but let me bet on some um
improper security control in place
or lazy security
control on an object storage or something like that
usual culprits um
and and
and sometimes also we get a lot of
info stealers running around
and we cannot rule out that things
if people don't know
like malware running on the computers

(03:42):
which only goal
it is to steal all the stored credential
usually in the browser
and a lot of people use Chrome and Chrome is a easy
easy target for attackers on that so
but so that's bringing so many things
you know so
so many identities outside
and when I see that
and I see the way the technology is growing

(04:04):
and our digital transformation
is being embraced by organization
and government
and that our life rely on our digital identity
and that we see that all these digital identities
leaked at once I'm like hell
I hope that we get some uh
you know fail safe mechanism to authenticate people
because there are so many credentials floating around

(04:26):
that it will not be long before we cannot
trust the online digital
authenticity or authentication
uh for verifying who is who that that would be my
my take on that like a quick stuff
so what can we do as consumers and as businesses to
detach from the

(04:47):
besides like not storing our
our stuff in Chrome
I mean and using like password managers
I don't know
if you recommend a certain password manager
but what other things can we do from
keeping our data out of there
well the first thing is I think as
as individual as a person
we have to realize that we are now

(05:07):
due to the technological landscape
we are all a risk manager
you want it or not you are a risk manager
you own your risks
that means that any account that you have online
you are the administrator of yourself and and you know
you think like you create an account on Microsoft
on Facebook or anything a shop online
Amazon and you think that the service is handling you

(05:31):
but this not this is not the case
you are the admin of you
because if your account get abused
you are gonna be the victim
you are gonna be the one in trouble
you're you're gonna be the one to be able to fight
to recover it and stuff like that
so key aspect understand that risk
and ideally reduce your digital footprint
like the less account you have
the less application

(05:51):
the less fancy stuff you have connected
the less risk you take
doesn't mean that we live in the woods
you know it just you just have to pick your fight
and for the one that you decide to use
you should make sure that you apply the best practices
so whatever the
the solution and the platform allows you to use
you should
like if you have the multi factor authentication

(06:11):
you should have it even if it's painful
you should have it and also as an individual
you should know that let's say you have a TOTP
you know you scan a QR code
you get a code generation and that's your 2FA
if you decide to go this way
you should have that on two devices
because if you go to the swimming pool
and you forget your your phone in your pocket
or it goes in the water or your phone is stolen

(06:33):
like all these 2FA tokens is gonna be gone as well
and you will be locked out of all your account
so that's like the balance to have
you must have a backup plan
and yeah that that's so that in to key aspect
enable security
and make sure you have a recovery strategy
for anything that matters to you

(06:53):
because most of the time like the I forgot my password
receive an email to reset the password
is not gonna work
if you have the multi factor authentication on
or any kind of advanced security
the more advanced security
stuff that we see online now is called the passkey
it's basically no password less
you don't have a you do not have a password
this is a encrypted with a cipher
you get a private key and public key

(07:13):
this is usually managed either in a password manager
or on a device and then you log in
this is just the device that is the key
you could have a physical one
you know like a FIDO key whatever and um
and that's the most secure one because it's encrypted
and you cannot you know make a fake out of that
but the issue is like

(07:35):
if you do not have access to your key
uh like your key card
you need a backup plan to access the accounts
and this is where people keep
like a recovery email and stuff like that
and usually the attacker love it
because they will use the recovery approach
and therefore the security and safety is like
as low as the lowest I option you have

(07:56):
yep alright
so right yeah
and if you uh have your backup keys
you know
they sometimes have those uh 10 letter 10 word uh
backup keys
you don't want to keep those on your platform
or on your computer
you want those you know printed out in a lock box or
or somewhere safe
yep gosh yeah

(08:17):
it's a lot of things to think about
what are some practical steps that people can take
or businesses can take to
to tighten up those weak spots
well well
that you know I
I think over time we kind of as we grow and you know
as as the teenage
the teens now
and they grow and they have more and more accounts
and they forget about the account they have
and so so we do as well

(08:38):
and the idea is to keep an idea of
where and what account you have
so the password manager is a great
great way to know what kind of account you had
another option is to subscribe to um
credential leaks information
you know like Have I Been Pwned
you can just put your email
and subscribe to notification
about breach
and you could have dark web monitoring option as well
search for any credential

(08:59):
and the fun fact is that when
because I was doing dark web investigation as well
in my job I do that from time to time as well
uh usually
this is when
looking for the digital footprint of an organization
and looking for a way to like
attack them or find weakness in their posture or
or information that would allow me to get in
and that would enable access to system to

(09:22):
or through something they forgot
like in case of people
these are credential that they actually forgot
on service they no longer use
but they are still active
and they could in a way escalate
that's one thing for organization
sometime what we found is like
you know a good old server that no one uh
dare to disconnect in case it breaks something

(09:43):
and that thing is highly vulnerable
and that thing is usually connected
like to the public side to the private side
it's a great way in for for any attacker that want
you know exploit it
and get lateral movement into the organization
and use that as a starting point
so like knowing your digital footprint
your digital trail that's one thing
and this is quite different for an organization and

(10:05):
enterprise or an individual
individual it's about your own account
credential and information you leave around
that would allow to manipulate you
and usually you're a lower target
because you cannot
make much money out of an individual
except if you are
in a critical position for the attacker
let's say you are the CEO of a company
of a company or you are I don't know

(10:27):
working in insurance
and someone has a claim and it's like big
big amount stuff
and you are the one able to make the decision
then you may become the target
because gaining access to your account
or being able to pressure you
is granting some kind of access
and then it's worth looking into you so
and that that's people you know
people growing in companies
taking more and more responsibilities
they have the duty to make sure that their personal

(10:50):
stuff is as safe as their responsibility grow
that's something we don't think about
you know the risk posture of people
if you start as an employee at tech support
and you grow as a administrator
and then you get on the board
you become an advisor then you better
manage and know a lot about your posture
because these are
you are now a big target for whatever happen and

(11:14):
and to understand that
you have to understand the motivation of the attackers
it's either financial or strategic economical
usually we have like you know
the east against the west
or Chinese who like to pull information
or sometimes it's somebody closer and uh
you know like something's called like OSINT

(11:35):
Open Source Intelligence
when you want to do some reconnaissance
reconnaissance phase about people
and you gather all the information about them
it's amazing how much you can collect about people
and build sometime lead to actually identity theft 1
1 story you know that people don't realize um
I'm based in Quebec in Canada and um not long ago
I think a year and a half ago you didn't need uh

(11:58):
you did they didn't save on the driver's license
the picture of you in the database
that means that if you wanted to recover the identity
or get the driver license of someone else
you need to have two invoices of utilities
like phone and electricity okay
and then you will go that's it yeah
and you will go to the police say I lost my wallet

(12:20):
I'm gonna place a claim I'm that person
I have the invoice and that's me
so then you get the claim and with that claim
you then go to the the equivalent to DMV
it's the SAAQ in Quebec and um
S A A Q and you would go there and say hey
I want a new driver's license
because my wallet got stolen and stuff like that
and they would take a new picture of you

(12:41):
and make a new license because you had the
you had the document and they didn't have
any way to check that you are not you wow
because they have a you know
and and so that's that's that easy it was that easy
thankfully now they posted they
they they fix the stuff
the photo remain in the system when it works
and if you
if you want to go and ask for a new license and the

(13:02):
the face doesn't match
it's gonna raise a flag hopefully
we're gonna you know we always
hope that the employee behind the desk is well awake
and it's gonna catch the thing
but yeah and that's as simple as that
because once someone has a driver's license
with your name on it
then they can go in any bank or financial institution
and open an account under your name

(13:24):
and if you had a good credit score
uh then they can apply for anything you know
buy a car that's the most
cheapest and easier way that criminal
make money out of identity theft
they buy cars and they just leave the loan running
they sell the car and disappear
and then people get someone coming at their door saying
hey uh
you did buy a car you didn't pay

(13:45):
but you didn't buy the car
someone did it with your identity and that's
that's very easy to do so so that's
you know I
I did drill down from
the information and digital footprint that you have
and from the cloud so if we go back in
the sky
and go to the cloud and the magnificent public cloud
we all that public information and people will say oh

(14:07):
it's not true it's not public well
you'd better read the terms and conditions
under which you run your stuff
you know what one key thing is
like a lot of people run on AWS for the cloud stuff
alright and in the AWS term and condition
when you run a service
it's mandatory that in your own application

(14:27):
in your own online service
anything you provide to a third party
that you disclose
the exact terms and condition that you are bound to
with Amazon
it's written
you have to transfer that stuff to the end user
because you are tied to it
so it's applicable to them well man
there are not many that do that so and the thing is

(14:49):
you know
because lately we speak a lot about um data location
you know who's hounding the data
where is the data located
and these service providers specified that in a gal
to be able to provide the service and stuff like that
we reserve the right to move the data wherever
we need to be able to serve you and provide the

(15:11):
the service
but when you have regulation and governance
governance restrictions
and your data should not move in another country or
or or any condition like that
then you are not able to use a third party solution
with in the public cloud
because otherwise
you need a disclaimer about where is the data going
to be able to comply with the the

(15:32):
the governance requirements
so again that's such a complex thing right now
and on top of that
the cherry on the sundae is the AI stuff
ha ha I'm not gonna go too far on AI
but it's just that machine it it's you know
it's building data
like by extracting any public information

(15:54):
and there is a it's the
the overall guidance
for data to be acceptable in the dataset
to build an AI model as fair use
in the US at least if it's fair use
then you can actually build your AI
model and stuff like that
the thing is if your data is left unsecured
in a public cloud and exposed
and it's only fair use for an AI

(16:15):
company to mine it and use it
because it was left public
so you left it public it's public
you see you see the point and that's where um
we are seeing growing threats
of massive data collection
that will hello
automated hacking phishing and stuff

(16:38):
we already we already see that in you know
people say hacker and criminal use AI
to build a very nice phishing
or phishing but that's not what I'm speaking about
I'm speaking about the data collection
that is being built
and when we learn how to dig into the data and build um
like very very real case

(17:00):
and not like the fake case that some lawyers use in
in court you know
if you seen like so many people use ChatGPT
to use as a reference
it was all made up and fake
I'm speaking about using big data
to use the collected data
make a lot of correlation
and basically rebuild a case frame

(17:21):
anyone you like you know
you have an enemy or you have a challenger
or you have the CEO of another company you don't like
you already have today
enough information about them to build a case
about anything
and AI will bring automation about that because it's
it's great at linking data
so point is back to the public cloud

(17:43):
uh that's my point
you need to be able to
protect and decide who access your data
and because data right now is the core of identity
is the core of of the root of trust
and you see government Canada
US everywhere they want to switch to digital identity
digital driver license when I see that in the news
I'm freaking out because we are not ready for that

(18:07):
we technically it works I mean
we can have a you know
a private key
that
make sure that the integrity of the license is good
we have a certificate it's
it's a true thing but the point is that we cannot
protect the information that allows to build that
and we will have some very realistic
fake identities floating
around that we have no way to rule out and control

(18:30):
so it will be putting crime on steroids
so sadly
I think we should slow down a little bit and you know
think before we actually do right so that would I got
I was listening to a a YouTube video
I can't remember the the gentleman's name
but he was talking about privacy
in relation to location services

(18:52):
and how these aggregators can
take all this public information
and basically identify you
and tell and law enforcement and other companies
that have subscription to this information
can know like
where you were at a certain time
and I even heard that there was a biker
that was accused of a crime

(19:14):
because he was at a certain place where
the crime took place when he had nothing to do with it
yeah yeah
I saw this one
and I think that one triggered at the lawsuit
against Google
where they were claiming that the Android phone
mobile phone system
was not tracking people while it was actually doing it
and that was a main major lawsuit against that

(19:35):
and when you see this again
it's fueling my my anti public cloud thing you know
Google is providing GCP
public cloud infrastructure that you can rent
so if the same company tells you oh no
we don't collect data and they get caught
and they actually logged every single move of yours man
what is happening with your data
you know you you gonna trust them when they say no

(19:56):
we don't mine your data for our own benefit you know
we wouldn't do that but at the same time look
your Gmail mailbox is is getting the benefit from AI
because all your data look super classification
we can actually even
know the schedule that's coming for you
we know what's you know
we did analyze all your behavior you like that and and
and

(20:16):
and we can serve you amazing ads that you didn't know
you needed that product
but you're gonna need it so they do analyze it right
we're all gonna get ads for
uh phone Faraday cages after this yes
yes yes
well
you you have a service it comes with risks

(20:37):
you have to be aware of the risk
to decide if you are willing to give up on that
on that and use the service instead
I mean I have a mobile phone
I know it's tracking me uh
I I obviously
make sure
that I don't put any sensitive information on it
or anything that I would not want to be made public

(20:57):
but uh that that's that's a risk thing
and as long as it's the government
you know and you are not a target of the government
although these days
we have to be careful about what's going on everywhere
part of the trucking association yeah
or or something like that
where it could be weaponized against you
just from you know
giving money to the trucking association
or something like that exactly yeah yeah

(21:19):
so so yeah
we have to be careful about that
it's it's serving us
it's very convenient but again
what's the price to pay and most people are like
yeah we are fine
you know nothing to hide yeah
nothing to hide
nothing's gonna happen yeah
well you can see the evolution of AI
more and more

(21:40):
decision making process is being given to AI
with automation and I can tell you because I
one of the example is that I've been banned on LinkedIn
by what they claim AI uh
because one of my post was rated
as leading to malware or something like that

(22:00):
and that's funny
because it was a nice example about the total loss of
control on a process where
you know I've been LinkedIn top voice in 2020
so LinkedIn knows me they have my address
I've been also a customer of them
I have all the goodies I have they sent me at my own
they sent me all the the hoodie with LinkedIn stuff
so they know I'm real you know
it's like it's me they invited me in California

(22:22):
I could not go but they invited me and um
so you know the guy
you know and
but yet it didn't stop the AI for banning my account
kicking me out and I was out of the system
and when this is happening on LinkedIn
you do not have access to support anything
nothing no more contacts
you just no no information no way to get out of this

(22:45):
so thankfully on my end
because I had a lot of human connections
which humans know me and they did uh
start a lot of you know
publication reach out to people
reach out to LinkedIn team and stuff like that
so that was one case it was really stressful
I was disconnected for like 12 days and that was yeah

(23:06):
that was painful because I left my business
rely on LinkedIn anyway
so that's the example of technology taking over control
where we have no failsafe possibility
and I think that as a society
as humans aside
of being aware of the risk of privacy and security

(23:26):
we need to make sure and advocate for
fail safe mechanism like your identity
you should keep a passport
you know or an identity
a paper based even if it has a chip inside
we don't care you know
something physical that you have with you
that is actually allowing you to prove who you are
and can help you recover that identity
if you don't have it in the digital world

(23:48):
we should have ways to reach and raise a flag
because I see more and more
I mean everything is being digital transformed
you know and
and when this is happening you
you I
I don't know about you
but if ever you have to call your ISP
because your internet goes down
and you enter with level 1 support
that's the most painful thing
you know like did you unplug your modem

(24:11):
did you have power on it like
so you have to dumb down that's crazy
even if you work in the field and that's so painful
so the issue is that the digital transformation
everything is taking us humans
down to the level 1 support of anything
anything that is digitally transformed
we will have to face the level 1 support

(24:33):
and we do not exist as a human or as anything we are
and that's the risk I see
because when the machine works
it's it's great
you have remote access remote management
but when it start to mess
oh man
it's painful because you can scream all you want
like the system is rejecting you
so you are powerless and you just by chance

(24:55):
if you have the contact of people you used to speak to
that are still in the system
they can raise flag you know
send a ticket to support to question or anything
but yeah that's one of the key the yeah and else uh
12 12 days that you were um banned from the platform
how how did that feel
oh man it's terrible

(25:16):
because we used to know people
by their LinkedIn profile picture
and many of them I did even conference with them except
but I didn't meet them in real life
like I did meet some of them
but out of I don't know a few thousand people
I didn't meet all of them even if I did in conference
you know going to whatever cyber security show
or speaking at events you don't you don't remember

(25:39):
you know you don't bound personally
your brain cannot accommodate so many people
so it's all relying on LinkedIn
and I was not taking backups back then
because I was totally relying on the system saying
it's LinkedIn you know
it's gonna be there right
if I need to reach to someone
I would find him
and it turns out that when you are blocked out
and you didn't take any backup of your account

(26:00):
you don't have any contact at all
and the worst is that when you disappear for a SIS from
from the system
the other ones do not realize it because the algorithm
the feed the information is a continuous thing
you know you have constant news
there is a continuous new catastrophic stuff continuous
the never ending news feed did yeah yeah

(26:21):
yeah and and if something disappear from it
you don't notice you I mean
there's one guy that disappeared on LinkedIn
I was used to discuss
it took me a year to realize like yeah
where is that guy
and today I did some investigation search about him
contact ex coworkers
I could not find him so I think he passed away

(26:43):
but there is no way to know you know
and and that's that's the sad thing
so with all that tech
we should make sure that the tech serve the humans
and the humans have a way
and a fail safe approach to keep control of a thing
same thing with connected cars
you know and because it's all it's all about connecting

(27:05):
it's all about losing control in a way
you got some we don't like those here in California
yeah yeah yeah
oh boy the riders attack the Waymo cars first
yeah which I mean
I don't like destruction of public good or anything
but I I don't like the idea of having robot
if you are
if you have a handicap or you need some service

(27:27):
and you have the ability to use it
that's fine but if you decide that you do not want it
you should have the choice
the key is sorry leaving the options
for human to decide whether or not
they want the connected stuff
if they want to give away control or not
because in the end this is stuff that you own well

(27:47):
you used to own and we used to own the data
but the
the public cloud came and internet and leaks and stuff
and we no longer own our data anymore actually
we if you think about you know
all the data brokers
and all the big tech data accumulation
they have more data about you or me
than we have about ourselves

(28:08):
because we forget stuff you know
we lost a backup
we had an old laptop that we threw away
and we wiped the disk
and forgot to take these pictures and
but them they have it hahaha
and and and in the end
they know more about our everything
and also because the technology is amazing
you know the
the psychological profiling of a user

(28:30):
the like the reaction you know
to if you had to
to really know what's in the mind of someone
and you had access to the
one of the social media
you would pull out all the comments of that person in
in line you know
and that would give you hell of a straight idea
what are the levers

(28:50):
what the person like what make the person react
what are the psychological levers that make him react
more or less and you will have a full power
by giving this user the data you want to
to trigger reaction so that's actually being used
but it's just so and and us as users
we do not have the ability
because the comment that we put disappear over time

(29:12):
we do not see them
and we do not have a way to pull all of them
or all of them for another user
so
that's the kind of power that is granted to the media
and what happened is and I'm
falling back to the decision making process of a human
but it's because this is all tied together
how do we decide or how do we take decision as human

(29:33):
we take decision based on information that we get
we learn that something is right
we learn that something is wrong
we like to do something
or we are taught to like something
and this is
this is actually driving our decision in the future
you know so
when you control the information that a person receive

(29:55):
and you know exactly what make them react
you can actually control the behavior
the decision making process is under control
because to be honest
who is doing due diligence or fact checking
the information that you get
of course if you look at X or Twitter
you know this is all crap
and you know that anything you look at
that is about

(30:16):
burning your brain and triggering addiction
about scandalous thing
and then turning you into a zombie of information
and driving you nuts
and you are so irritated that you are like ah
like the barking dog of internet
anything to get that engagement right yeah exactly
but that's what the algorithms made to do
is get you to engage and if that means pissing you off

(30:36):
or are showing you things that you hate
then they're gonna put that in front of you correct
so we have to be smart and know about it
so if you feel that you are being you know
annoyed or stressed about something
you have to raise a warning and say
oh yeah no no no
they're tricking me this is crap you know
like cut cut the feed
like this is not real information

(30:58):
let me do my my due diligence
let me do my fact checking on my own
let me focus on reliable sources as we can find them
and finding reliable sources without bias is
is a challenge these days
we all we know we are human made of bias but um yeah
it's always we have to cool down

(31:19):
think twice and wonder why we see that information
if it's relevant and sort out the mess
because we are quickly going into that
is it tied to cyber security
it is because that's you know
connect that's what's used in social engineering
if I know about your behavior
if I know your stress if I know about your life event
I'm gonna be able to use that against you

(31:40):
if I know you just been married
or you are going to be married
oh man I can just have some very nice
targeted emails about anything
if I know where this is happening
or who you are dealing with
I can send fake invoice I can hijack the payment
it's it's
it's very easy
because the brain is focused on one task
which is sometimes stressful with and and so it's

(32:01):
it's easy for an attacker or anyone who want
to have anything from you
to use that information
this is why privacy matters using a oh sorry
now they're using AI to do this right
like to uh do the correct
yeah it's it's AI is basically accelerating the attacks
it's like full automation

(32:24):
if it's from a technical standpoint
like finding vulnerabilities
and building exploit and giving access
before AI you know
speaking about cyber security and vulnerabilities
there was a tool that came out it was called
you know that is Metasploit
which comes with all the vulnerability
you can test and load and hack stuff with that
and came later on
before autosploit is something called Autosploit

(32:45):
Autosploit is a tool that was actually using
in a sequential manner
all the exploit against a target
and you basically gave a target and give
and tell to the script give me a shell
and then you wait and the machine does it all
that was already before AI
now with AI it can go very
very further uh in
you know recognition creating pattern driving you

(33:07):
guiding you through through
it could even teach you how to social engineer someone
you could actually feed the interaction
you have with someone
and get AI to optimize the answer
where to get to your goal
or you can let AI do it all for you as well
OK I always ask this question uh
you know in the next 20 years with AI

(33:28):
are we gonna get Star Trek or Skynet
both
both of them actually we already have in a way
each of them in a certain way and the question is
I mean we need awareness
and we need people to find proper balance

(33:48):
and not being enslaved into the tech stuff
because the risk is that our only feed
our only reliance on learning on information
on human relationship
is to be controlled by the machines by
by AI by systems
and not being true or free as in freedom of thinking

(34:09):
and you know
having critical thinking
that's something that we must develop and and and feed
I did read an interesting actually story
it was saying that a Gen Z uh
was better at spotting AI created deepfakes
than we are like older people older
I mean like 40 50 year old um

(34:31):
because we tend
yeah
yeah yeah
it's like yeah
and it happened so fast I don't know what happened yeah
I don't know like time is running crazy
this is why we need to slow down as well
the the study was showing that basically
because we grew with tech
we it was a magical revolution for us
I mean we knew times before it did exist

(34:52):
before mobile phone with things were things
and before information before internet
we knew that so it was a huge
huge crazy innovation for us as human
so and it brought so much good things as well
I mean it did free us from from so many things
so we tend to think
unless you are a bit paranoid like me

(35:13):
we tend to think that
technology will save us from everything
you know
that's that's the spirit when you see OpenAI
like it's gonna solve all the sickness
it's gonna find new energy
it's gonna alright
you are really like us like you grew
you think about the magic of stuff like that
the thing is it's a tool
and it will help some people to achieve things

(35:36):
but by itself it's not magical
it it
it will not and it should not
because we live on a planet as humans
we should not serve a system
and if that system is that smart
and people are searching a lot for that
because I don't know
there was a nice investigation as well
I saw online documentary it was in French um
they were saying that

(35:56):
we will not stop the development of AI
the autonomous AI because if America do not do it
or the west side
then the Chinese and the other the Asian side will do
and whoever has the best
the more autonomous and the strongest AI
will take over the world
and that's interesting because it's like

(36:17):
we're doomed anyway
you know we won't stop out of the
fear that someone else does it
if we do something wrong
we better do it ourselves and I'm like hmm
I hope that in the meantime
we will use what we know and learn about tech
teach our new generation
how to be aware of it and how to handle it

(36:40):
I'm like I'm not yet fully into Terminator 2 movie
you know
when they teach the kiddos how to resist the machines
but it's it's kind of getting there you know
right right
we have to use uh tarps to get away from the uh
thermal imaging from the drones and uh
all sorts of things like that
and you know while you were talking

(37:01):
I was thinking about Star Trek too
and I think in this Star Trek Discovery
we did fight the machines too
so either way we're
we're gonna fight the AI machines and it's
it's almost inevitable that we'll have some kind of
robot war in the future
unfortunately
yeah I mean it's already taking place

(37:22):
you know like the drones took over the human pilot
I mean you don't go yeah
I mean when I speak about drones
this is like the
the autonomous planes now you see in Ukraine
they use like
the small drones with explosive
that dismiss anything that
you know because they can stop you
so they attack they did in Russia
and like a swarm of drones with explosive

(37:43):
like there is no way you stop that stuff well
you some US companies like to provide some
like
crazy electromagnetic pulse stuff that pull them down
so that's interesting uh
I would like to have one actually
if if you listen and you want a tester
I'm gonna take
it at home and we'll keep it in my garage
so if there is a swarm of them
yeah yeah
I will keep it you know
in this kind of puff and everything out

(38:04):
like down there right
well
and this book Red Rising have you heard of this book
no
uh
it's it's a popular book I think
it's probably like science fiction for older teens
but I love that stuff um
and uh the the people the resistance use
you know these mini EMPs

(38:25):
so they use the EMPs and it disables all the new tech
the armor and it takes away the advantage of like the
uh
you know the Empire right
and then they have like their backup like regular guns
um that they can fight with
but then you know they adapt and everything so it's
it's a constant cat and mouse game like anything
yeah and and

(38:46):
and so we are heading there
and the key is
we have to bring enough awareness as a community
as people as humans
so as we can help taking the good decision
we cannot you know
run away from the threat
because another adversary is gonna build that stuff
but by thinking about how do we defend
we can actually have some defense ourselves too

(39:09):
that's that's the idea cause yeah
as a you know content generator
I don't like the word influencer
you know
because all the bad connotations but like as a oh yeah
content creator on LinkedIn and
you know someone that is followed by
you know hundreds of thousands of people
uh what do you feel like our you know
I make some content I'm not of course not like uh

(39:33):
as as big as you but uh
what do you think our responsibility is
as content creators um
in order to educate the public
well we all to raise awareness about the risks
we have sadly to go through the marketing
it's a BS of the promises that are actually um

(39:55):
lying a little bit
or deceiving into building fake trust
because obviously companies
government
like and want trust to get and follow the decisions
but we need as tech aware people as risk managers
we need to bring the majority
whoever want to know that there are risks

(40:15):
and that we should think before we accept everything
and make sure that this is well understood
then as a as
you know as as communities as countries as cities
depending of the scope of wherever you talk
you speak about
if we accept the risk and we decide that well
this is what we want to do fine
you know
the majority that's the kind of democratic approach

(40:37):
the majority say well that's what we wanna try
uh here we go
obviously you have some controls in place
and make sure that if it goes sideways
you you catch it before it depends
and our role as influencer is to
to bring information about that
to be transparent about what we do
not to deceive that's that's my thing I mean
0 BS on posting I I tell people what it is

(40:59):
what is and always invite people to do their search
because you should not follow one
and just trust
or blindly follow whatever the person says
we have a lot of bias you know
I have a bias I don't like public cloud
I just I cannot trust it
I don't want to put my data in it
and if you listen to me
you're not going to use it but for some purpose
if you want to provide an application and you know

(41:22):
whatever you know
they're not used for it
so it could be and it could do good things
just because you saw me speaking
then you gonna think twice about the security control
you gonna put great governance
you gonna protect your data
you gonna make sure you encrypt everything
and this kind of stuff
so that's our role to try to pull up the game

(41:45):
to make sure that we're not doing stupid things
cause sadly
the more we offload the process to the machines
the less we master it
and the less we understand the risk in the
in the outcome in the process
in the implementations so
and you see that I mean
new generation

(42:05):
they don't want to know where's the rack
what's the server how to rack it
where the data is physically stored
I don't care and I mean
you don't want to be the machine to steal your stuff
but I do but you know
I'm an old guy I'm an old guy who rents
but the new one
they just want a Dropbox stuff or Google Drive
or ideally Proton Mail or Proton Drive
because it's encrypted and private

(42:26):
I'm not plugging as a I I use it
because I think that's a proper balance
between convenience and privacy but
I used it too but I forgot my password
yeah
I mean
you have to have a need my my need about that was um
because you know I used to run my own servers
my own email server at home

(42:49):
I was running my DNS and all that stuff
and I had the whole family on it
but as I was getting older
I'm not that old I'm like 46
but I said like
if I have an accident or anything that happened
and I am the only one who knows how that works
they should be able to you know
still exist and use the tools and what happened is as

(43:10):
as I was saying
society is going more and more digital now
if you have any process you need an email that works
you need to be able anything that happens
you know so
I just didn't want my wife or kids
or parents to be stuck in a system that would go down
and they would not be able to do what they had to do
the administrative task
like send me an email and or access their own data

(43:30):
so this is why I made the family stuff on Proton Mail
so as it's not relying on my existence to exist
and it was a like a proper balance between privacy
security and the need to survive myself
right and it's stored in in Sweden or yeah
Switzerland yeah
Switzerland yeah

(43:51):
so there's
yeah the government can't
you know
go and subpoena that information and get it right
correct correct
although I don't it's just a principle because I don't
you know hide anything wrong or whatever right
we don't have anything to hide
we just just like being private yeah
yeah yeah
it's just I don't want hackers

(44:11):
I don't want bad guys to be able to frame me
or frame the family
so that's why I want to keep it private
because in regard to privacy
that's the fun part I mean
I don't know about you
but I did work with some government entities
and I had to sign waivers for some clearance
for some military work I did
I'm not a military
but I did collaborate with some military stuff
and basically I had to go to the state police

(44:34):
like it's GRC in Canada
like gendarmerie but
and give my footprint
and grant them access to an information
they have
they can track me record anything I say anything I do
and that's I
I signed a waiver for that and this is life stuff
I cannot revoke
so technically you're giving
away some privacy in order to get the work

(44:55):
which is exactly it's reasonable yeah
yeah you're making that choice so that yeah
so that's why when I put my data
and I fight for privacy this is privacy for good
this is not privacy for evil
this is privacy against the bad guys
this is privacy and and that's where it's in
that's the middle ground that you have to deal with
but yeah
because you don't want to be tricked by someone

(45:18):
taking the identity of someone
you know
and leading you to do something that you weren't to do
and you didn't want to stuff like that
so
that's the idea of the responsibility that we all have
and yeah
so we have to make choice try to find a balance on that
right well
let's uh let's bring it home uh
maybe one

(45:40):
one thing that we can tell our listeners that they
a practical advice they could do
and then just tell us where people can find you
yeah so people can find me on LinkedIn
you know Alexandre Blanc cyber uh
the guy that complained against the public cloud
all the time you know
I have this cloud equal leak
it's like a warning you know

(46:00):
and as a general rule um
if you put anything in the
in the technology in the digital format like
you know eventually it will leak
it will be online
because everything is connected together
so do it accordingly
assess the risk don't do stupid things and uh
I mean you still can have fun
but know that that fun could leak and get public

(46:24):
and these days with the bullying with schools
I have two teens at home so I know where
near the risk with your private data
getting exploited and stuff like that
so yeah be careful about that be mindful
use critical thinking
just wonder why you are asked the data
do we really need to provide the data
if you don't need to like put fake data

(46:44):
put fake data we don't care you know
like anything that is not government related
put fake stuff ha
because I only need to know your birthday yeah
yeah because uh and and when you put fake stuff uh
you don't care
because it cannot be used to steal your identity
you know so you basically lower the risk
you cannot do that everywhere
but uh it's it's a way to to assess the risk be aware

(47:08):
understand
because we cannot escape it all and enjoy the tech
but if you have an option
let's say to not connect everything in your home
because it's fancy
or it's like the super trend to have like
everything connected but you don't really need it
then don't because why putting the risk
you know someone if you have a connected doorbell

(47:31):
and someone breach that stuff
because it's not updated and get into your network
and you have a NAS or a network connected
and your passport is on it
they can pull it out so why you risking it
you know so it's just as
as bad as think
anything you connect is growing your attack surface
how big is your attack surface
you probably never thought about that

(47:51):
but then you might
you might want to disconnect all that useless old crap
right
alright well
that's that's awesome
thank you so much for
for
uh coming and
and uh educating our audience
and we definitely have to do a round two
that was really a great conversation
so thank you so much for for coming on the podcast
thank you for having me it was a pleasure