05/15/2020

#59 – Security is not a Band-Aid

The Grepcast is joined by a special guest today, Sarah Pruski, Director of Security Operations at Harvard’s Graduate School of Education, for a conversation about all things cyber security. But! Before we get into cyber security, we touch back in with our best friends – Spot the Dog and Silicon Valley. Check out the transcript of this episode below:

GREPCAST #59 – Security Is Not a Band-Aid

Adam Fisk
What’s up, everyone? You’re listening to the Grepcast from TSP LLC, bringing you a bi-weekly look into the world of technology and technology-adjacent ephemera. My name is Adam Fisk and today we are joined by Michael Oh.

Mike Oh
Hello!

Adam Fisk
And Kelly Ford.

Kelly Ford
Hello!

Adam Fisk
And it is a special, special episode because we do have a special guest.

Kelly Ford
So special!

Adam Fisk
We’ve got a special guest here today to join us in all the frivolity of talking about COVID and cybersecurity. Today we have Sarah Pruski, the Director of Security Operations at Harvard’s Graduate School of Education.

Sarah Pruski
Hi, hello! Longtime listener, first-time contributor.

Adam Fisk
Not the first-time caller.

Sarah Pruski
That’s true!

Adam Fisk
You have sent in musings before, which has been great.

Mike Oh
Oh, Adam, I really enjoyed — for those of you that obviously can’t see because it’s an audio podcast — but he kind of like, did this arm gesture, as if Sarah was like, right next to him like, “here’s our guest!”

Adam Fisk
Well, with how my windows are placed, she is to my left. I’m pointing right here.

Mike Oh
Yeah, that’s probably true.

Kelly Ford
It’s correct on mine!

Adam Fisk
[laughs] But yeah, in terms of kind of kicking it off normal workflow today: we’ve got an episode for you, starting off with some quick hits. Our first article is actually coming to us from Wired.com, written by Matt Simon with fan favorite, podcast favorite, Spot the Dog, who has now graduated medical school and we’re really glad to hear it. Spot the Dog has been found at Brigham and Women’s Hospital in Boston. Now traipsing around with a tablet on their face helping out with Coronavirus treatments. And honestly, I’m into it. I’m here for whatever Spot the Dog can bring us that isn’t busting through doors or opening them or anything like that.

Mike Oh
Or throwing grenades at people.

Kelly Ford
That’s true.

Adam Fisk
I would prefer that one not happening.

Kelly Ford
Not yet. I mean, it’s still under the lease program, right? So…

Adam Fisk
Yeah.

Kelly Ford
I think they can prevent any kind of genocide actions from Spot the Robot Dog. Thank you, Boston Dynamics.

Adam Fisk
I’m into it. The best part of this article is the opening where [they’re] acknowledging how surreal the age of Coronavirus has been. And the most surreal portion yet is Spot the Dog roaming around and helping us out, and the fact that nobody is actually weirded out? A quote from Dr. Peter Chai, part of the Department of Emergency Medicine over at Brigham and Women’s, [they] have been saying that essentially at this point, everybody’s pretty into it. It’s already weird enough. The world is strange and a weird walking dog robot that has been all over the news and YouTube with a tablet on their face? Maybe not the weirdest thing that we’re seeing right now.

Sarah Pruski
Which is shocking. I mean, alright. So, huge fan of Spot. Love him. Always have. Equal parts fear and love, just due to my inability to not anthropomorphize anything even remotely close to an animal. I mean, we name our plants. So, there you go. But I think it’s a great use of Spot, particularly when I imagine remotely defusing bombs or doing a cartel raid, much lower these days, less to do, so I mean they’re giving Spot some community service on his CV, help round out the law enforcement and military experience for that application he submitted.

Mike Oh
I think he was forcibly unemployed perhaps, you know?

Adam Fisk
He’s furloughed?

Mike Oh
He’s furloughed, right. And then he’s like, “Oh, I got nothing to do.” And then he found an application. “Let me go to Brigham.” And lo and behold, they had an opening for him. I do find Spot kinda weird because he has three heads now. Like, he has sort of the sensor head on his body. And then another head, which is like kind of this round thing where I guess it probably rotates? And then a human head on an iPad. So it’s sort of…yeah, I can’t really process that image.

Kelly Ford
Well apparently, that’s one of the things they’re talking about in terms of they’re not sure how it will be received by patients. Though I imagine, if you’re sick, you’re going to receive what you can, what care you can at this point in time. But I was also remembering that there’s this science, it’s called “human-robot interaction.” They actually study this. And they were mentioning, you know, the reception of people to this but I recall the episode we have where there was the robot in the French nursing home, right? Yeah, that everyone loved and so I’m like, “I don’t know.” Spot for me is a little bit like the French nursing home robot. And I hope he’s faring well in the pandemic. As well as his friends.

Adam Fisk
Yeah, I feel like Spot the Dog is being received more warmly because of really great PR. Ultimately, we’ve seen Spot the Dog through its original, “Hey, look at this cool four-legged robot!” to jumping on ice, doing all these things. They’re all over YouTube. Versus when COVID was really breaking out and there were articles about how patients were being seen by the more kind of — again, this is a weird localism — Marty the Robot, which is the Stop and Shop robot style. Where doctors were going to visit COVID patients like that, and that was not received warmly at all. There [were] a lot of articles, a lot of angry tweets about this, but I think it’s people saying like, no, this is a dog though. This is a robot dog. So he’s cool. And eh…I get it.

Kelly Ford
Well and…he also requires like, they said, he requires human help if he gets stuck in a hallway. I mean who doesn’t?

Adam Fisk
Right? You get turned around. You just need to ask!

Kelly Ford
Yeah! I empathize.

Mike Oh
Does he get lost in the hospital just like the rest of us? Like, he’s just looking up at all the signs? Like “Where am I supposed to go?”

Sarah Pruski
Absolutely. I mean, it sounds pretty cool because, you know, his operator sounds like they can navigate him through patient lines. And I guess a big selling point for them was that, you know, he wouldn’t break any of the sensitive equipment and things like that, but I don’t know, I have some concerns. Are they sure he’s not going to accidentally break a patient? Right? Like I’m not saying genocide-level. I’m talking anxiety attack, heart attack. He’s cute, right? Like, my first instinct is to pet the military robot. Not a good one. I’m not proud of it. But I would. But other people may not have the same reaction. Just…he’s a little creepy. Some people may have other reactions. I don’t know. It’s a 50/50 for me.

Adam Fisk
Yeah. I think at this point at the Brigham, they are using Spot for deliveries. Being, I think in the article they call them, the ideal medical professional, in that they don’t get sick, they don’t take breaks. And they can do tasks like delivering supplies and with the added bonus of the 5 million cameras on Spot the Dog, not gonna bump into things not gonna destroy anything, as opposed to Marty the Robot, which has almost run me down so many times.

Mike Oh
Not a Boston Dynamics robot! Well, I say if Spot the Dog was delivering stuff to me, basically, and I woke up in the ICU after having COVID I’d probably just think that Spot the Dog was delivering that iPad to me. And I’d just rip its head off. I’d be like, “Oh, the new iPad Pro!” ‘Cause that looks like the 12-inch/13-inch model, which looks really nice.

Kelly Ford
Yeah. I mean we always say you know, “We welcome our robot overlords!” But I say “We welcome our robot co-workers!” They need a little bit of help, right? They’re kind of like the intern, right? Because I love how Boston Dynamics is like, “We’re not really sure what they’re good at? But let’s just send him out, let people try things out with Spot and see how they want to use them!”

Mike Oh
So we were just talking about this. Like, planning for when the lockdown ends. How are we going to come back to work? And I think I’ve come up with a new idea. So the original idea was like, “We’ll split the company in half.” Because you gotta do social distancing. So, you know, in the office you’re just gonna have every other seat, every other desk kind of occupied. Why don’t we put Spot the Dog in between? So everybody else who’s not there can be a Spot the Dog and we’d have like a whole army of these just roaming around the office.

Kelly Ford
Why not?

Sarah Pruski
Yeah, most high-tech hall monitor ever.

Mike Oh
Yeah, what could go wrong?

Adam Fisk
Yeah. But moving along to less fun stuff. We don’t have any heartwarming robot dogs. We have new Silicon Valley trends, which I always love to read about them, certainly doesn’t make me mad. This is coming to us from the BBC written by Chris Stokel-Walker: “Is Dopamine Fasting Silicon Valley’s New Productivity Fad?” Ugh!

Mike Oh
I just want to say, Adam, if it weren’t for Silicon Valley, what would we have to talk about on Grepcast?

Adam Fisk
That’s a great point. The hand that feeds…

Kelly Ford
And by “talk” you mean “dump”, right? Who would we have to dump on?

Mike Oh
Besides Spot the Dog, yeah.

Adam Fisk
Hey, there’s no dumpin’ on Spot.

Kelly Ford
I mean [this] is from November, 2019 too. So we have to remember, these are pre-pandemic points. I don’t know what they’re doing right now. Actually, I have some updates.

Adam Fisk
Okay, good, good, good, good [laughs]. But the thing about this is, when this article was sent over, and I think this was a Mike-send. Was it a Zoku [article]?

Mike Oh
It was a Zoku!

Kelly Ford
Oh my god, of course it was! You’re addicted! You need a dopamine fast from Zoku articles! Sorry, Adam, to interrupt, but I just had to point that out.

Adam Fisk
No worries. I feel it [laughs]. But this is just another one of those instances of reinvention of something that already exists. So we have reinvented the library. We have reinvented the grocery store. And busing. And just public transportation. Now we are reinventing… taking a break…taking breaks. Taking breaks?

Sarah Pruski
Yeah. I have…I have so many feelings here and none of them good. I think this practice mostly strikes me as a very privileged person’s version of, at best, sort of a hot take on self-control, and at worst, some self-inflicted solitary confinement. And I’d also like to point out, in the Year of our Lord 2020, and as a fallen Catholic, I am fundamentally opposed to any commentary — especially from Silicon Valley — telling me what to, or not to do, to find small pockets of joy. Especially now. I mean, with all due respect, COVID-19 IS our dopamine fast, right? Mostly?

Adam Fisk
Or the inverse, from what they’re saying. We cannot escape technology. The digital leash has grown shorter than ever. I was privileged enough to see the Zoom scheduling that you two have right now, and it seems pretty chock-full. But yeah, this is…nothing. It’s nothing. But I will say, to give equal time to both parties: proponents of the dopamine fast, from the article, believe that we have become overstimulated by “quick hits of dopamine from things like social media, technology, and food.” I can understand social media, technology, 100%. I get it. We, as a culture, as a smartphone culture, honestly, can’t get away in the same way that we used to. And that totally makes sense. But what they do say is [that] because of these constant baby hits of dopamine, we no longer appreciate the unfiltered uncut dopamine of the past. “Only 80’s kids will remember,” like level garbage here. But yeah, so this is…it’s an interesting article to read through, especially when you get to the portion where, I believe it’s Dr. Amy Milton, a senior lecturer of psychology, and Ferris Willits, Fellow in Neuroscience at the Downing College in Cambridge says, “I don’t think this is anything.” This is not real. Quote: “Which is not to say it’s a bad idea to occasionally look at the habits you’ve got and do it.”

Kelly Ford
Yeah. It’s just rebranding. I mean, like you said, it’s what they do. Remember, they rebranded, um […] what was it, rent or something? There were spaces in San Francisco…what was it?

Adam Fisk
They uh, it was rebranding hostels. That’s what it was.

Kelly Ford
Yes, right! So there were two updates I saw from this. Because this made the rounds in November, and I was looking for new updates. So in February 2020, this hit the rounds again. I don’t know what was happening in February, we were on the cusp of a pandemic, it was, at least here in the US. It was already happening elsewhere. But Harvard Med School blog — I didn’t get who said it — but the quote is “You can’t fast from a naturally-occurring brain chemical.” [All laugh]

Mike Oh
Touché!

Kelly Ford
And then there was another article and unfortunately, this was Psychology Today, which is sometimes kind of like, if you’ve ever flipped through a Psychology Today, when you get to the ad, you’re kind of like, “Oh, dang, this is kooky science here!” But one of the proponents of dopamine fasting is Dr. Cameron Sepah. He’s a startup investor, as well as being a professor at UCSF Med School. But he admits quote, “The term is technically incorrect,” but quote, “stimulus control one on one for dealing with addictive behavior just doesn’t have the same ring to it.”

Mike Oh
It’s branding!

Kelly Ford
It’s true. So I don’t know. I’m kind of like, “Dude, you could be investing in some life-changing medicine and getting in like, the annals of history,” but it’s like VC culture. “Let’s invest in these ding dongs.” Because part of my joy in this too, and it’s one of my plugs, is just doing a deep dive into this company that they’re featuring in all these articles. And they started out as — I think it’s like three or four guys — started out as a coffee extraction company.

Mike Oh
Alright…

Kelly Ford
And then they moved into cannabinoid extraction

Mike Oh
Cannabinoid, okay.

Adam Fisk
Got it…avoid the noid.

Kelly Ford
And then it went to cannabinoid synthesis sleep aid. And now? They’re sleep-coaching.

Sarah Pruski
100%. That’s a natural arc.

Mike Oh
Absolutely. That’s beautiful. I mean, such meticulous research Kelly, I’m so impressed.

Kelly Ford
Well, you’re gonna love this one too. I swear I’ll stop. But I have to because it’s too funny. This is my plug, I’m just gonna do it now, the New York Times article. Because the quotes from the guys about dopamine fasting, when they’re dopamine fasting, [one of them said] “I avoid eye contact because I know it excites me.” [All laugh].

Sarah Pruski
That’s like a…that’s like, right out of a Barbra Streisand move, right? Like, wasn’t there a thing a few years ago, like people couldn’t look her in the eye? Maybe she was fasting?

Adam Fisk
Yeah, I know that’s an Ellen [DeGeneres] thing, so who knows?

Kelly Ford
That’s true, maybe she dopamine fasts.

Sarah Pruski
Thanks for indulging me.

Adam Fisk
Yeah. Ultimately, this is a thing, like all items that become fads, that because it has the Silicon Valley tag [on] it — and I think even the BBC article touches on this — people think it’s real. And that it’s big because everybody in Silicon Valley is so smart and so cutting edge that they’re just not talking about normal stuff. Take your dopamine where you need it. Eat something interesting. Go, I don’t know, have a video chat with people. I dunno.

Mike Oh
Go walk around your living room!

Adam Fisk
Yeah. Like I was gonna go into more stuff. But like, your living room? Hey, have you looked at the top left corner of your living room? It might bring you that dopamine rush that you’re really looking for. But again, you cannot fast from something that just happens in your brain.

Mike Oh
Thank you, Silicon Valley! We need to come up with a good term though. I mean, there’s “weaponization,” “militarization,” like, this is very…it needs to be the “valley-ization”. That doesn’t quite have the right ring to it. It is a branding exercise. But it seems to be happening time and time again.

Kelly Ford
It has to be something with the uncanny valley. What rhymes with “uncanny”?

Adam Fisk
If you have a rhyme, send us an email over at grepcast@tsp.me! [All laugh].

Kelly Ford
Sarah, I know you love rhymes, so I want you to be thinking on —

Sarah Pruski
— I know. For the rest of the episode, my wheels are gonna be turning and in the middle of something, a totally cogent thought, I’m just gonna interject with what rhymes with “uncanny.” So get ready.

Adam Fisk
So with that great knowledge of your, your rhyme successes, we do want to turn it over to Sarah, who’s our special guest for today. So first off: in true, what is it Kindergarten Cop styling? Who are you? And what do you do?

Sarah Pruski
Yeah, “who are you? Who is your daddy?” So I am the Director of Security Operations at the Harvard Graduate School of Education, as you very kindly mentioned earlier. Essentially, in a very non-schmancy way, my job is to secure The Stuff. So any sensitive or confidential data that people entrust to the organization, it’s my job to make sure that that’s not accessed or disclosed without authorization. And that’s everything from student data, faculty data, research data, you name it. If it’s sensitive or could get people in trouble, I’m the person you point the finger at or call. So that’s what I do.

Mike Oh
So, I mean, I think the Graduate School of Education, right, if you look at the title, it’s not like it’s the Nuclear Science Academy, you know, like, “this is where we store all the secrets about weapons” and all this kind of stuff. But I think it’s really kind of a good point. It’s like every organization, be it a company, private, public, whatever, has really important data that needs to be secured. So how did you sort of come across this position there? What is it that sort of drew you? Other than Harvard’s great benefits of course [laughs]. But what brought you to find this position [at the] School of Education?

Sarah Pruski
Yeah, I mean, I was formerly law enforcement. I was at Homeland Security for a few years right out of college. And then that got a little bit dicey as one can imagine. If you’ve ever, ever read the news, you can read between the lines there. So I decided I needed to sort of get out of there in a hurry. And, you know, basically on a keyword search decided to maybe pivot into cybersecurity, as any rational adult does. Just upend their life on a keyword search. So eventually got into that in higher ed, I specifically chose higher ed, because they are known for, you know, an interesting balance between freedom and security, in addition to just that great quality of life balance that I was, you know, noticeably lacking in the government. They own you. They own you. And that works for some people. I mean, Kelly still thinks I’m a CIA operative, secretly, and that she’s my cover.

Kelly Ford
I’m not the only one!

Mike Oh
I mean, you are in your secret lair, right?

Sarah Pruski
I am. So low-tech. But it’s one of those things [where] all the right factors happened at all the right times. And when the posting came up for Harvard, you know, who doesn’t know Harvard, right? And so the thought of Harvard really appealed to me and the different challenges that you can face there because it turns out, I’ve learned about myself [that] if I don’t have a challenge, and I think that’s relaxing, 100% no! I will go find a problem to then fix or solve [laughs].

Mike Oh
So what’s like the most unexpected thing that you found in that role? Like walking in, you probably had some preconception about what it was like, what it was that you were doing, that you were going to take care of some hoity-toity academic who is about to like, email away his Google credentials. But like, what completely unexpected thing, you know, took you by surprise?

Sarah Pruski
Now it’s kind of embarrassing to think back on because it seems so obvious and so basic to me now, but I think when folks think about cybersecurity, your automatic instinct is to go to “Okay, I’m securing servers, I’m securing sensitive data, things that could get us giant fines from, you know, legal organizations and things.” But when you think about the name, that is Harvard, you don’t necessarily think that a big component of your job is helping to secure sort of the personal identities and personal security of the people who work there, including faculty because, you know, even if it’s the Graduate School of Education, if folks don’t think we have sensitive data, you know, plus-minus, we have well-known people on our staff, on our teaching boards, faculties, committees, things like that, which makes them giant targets. And the first rule of security, if you’re trying to hack something, is go for some low-hanging fruit and then pivot from there. And, you know, the number of folks and the importance of folks that are employed across Harvard? It’s a big ol’ target. And I didn’t see that necessarily walking in and then day one, it was like, “Wow, okay, here we go.” For sure.

Kelly Ford
And one thing I wasn’t aware of until of course, knowing and being married to Sarah — by the way!

Sarah Pruski
Oh, full disclosure…

Adam Fisk
This is the Sarah that you have heard [about] for the last 57 episodes [all laugh].

Unknown Speaker
But so much of the security too is talking with folks like grad students about […] the rules around — I mean FERPA is such a huge thing for you and a lot of the students. And just teaching them things like, yeah, you can’t video some of your students, right? So it’s some of that other — like the secure data room you talked about. That sort of stuff.

Sarah Pruski
Yeah. Well, I mean, you have your basic, most everybody knows types of sensitive data, right, like your HIPAA data and, you know, social security numbers that you give, because you’re employed and things like that. But when it comes to research, and you start peeling back a few layers, you know, every graduate school at Harvard is different. What they focus on, what they specialize [in]. Kennedy School obviously has a lot of ambassadors, things like that, governmental folks. And at GSE, you know, primarily the research that’s done is with small kids, it’s about learning, pedagogical type studies. And so you have to really do a deep dive on what folks will be collecting. And the sensitivity of that. I immediately go to worst-case scenario as former law enforcement, which is why I perhaps excel in this field, and my bosses hate me for it. I go down the rabbit hole really quickly, right? Like, let’s imagine all the things you can accidentally capture in a classroom when you’re videoing it, right? Sure. It’s the teacher doing instruction and you want to coach on that. But then my head immediately goes to, well, what if a kid gets bullied? You know, what if a kid walks in with a black eye, and then all of a sudden you have a domestic violence thing on your hands? You know, what if a kid walks in and is undocumented? What sort of things does that open up? You very quickly can be on a slip and slide of issues and you just have to really consider the research from all of the angles. So it’s challenging, but it’s never boring. I will say that it is never boring.

Kelly Ford
I always find it fascinating because it’s very much the real-world application of cybersecurity. As opposed to what we always see in movies, right? We always joke about, what is it Minority Report? And it’s just like, when you say “cybersecurity,” it’s like you see the screens and the moving [the screens] with your hands [laughs]. So it’s always fascinating to me. And it’s kind of like when I’m always talking about crime stuff. I’m like, “That’s not really the crime stuff!” The crime stuff is far more mundane but interesting. I would posit, so.

Mike Oh
Yeah, absolutely. I mean, I think we find this with cybersecurity in the private sort of sector, dealing with our clients. The boring stuff is the effective stuff, right? It’s education. It’s training. It’s talking to people. It’s understanding, you know, their sort of psychology of how they might get hacked into. It’s not sort of servers and — it’s funny, my kids like literally yesterday, they asked, “How do you hack stuff?” [All laugh].

Adam Fisk
It’s very boring.

Mike Oh
They were like, “Well, how do you hack this video camera?” And I was like, “Well, usually it’s just about like…the password!” Right? Like, it’s literally like a username and password. And I was explaining to them they come with a username and password. And a lot of the time, people forget to change it from the default. And they were like, “No, no, really tell us how to really hack something”

Kelly Ford
It’s not exciting!

Unknown Speaker
“How do you get to somebody’s files?” Well, you start with their username and password…[all laughing].

Kelly Ford
Hacking but make it sexy!

Mike Oh
I know. Like, I don’t really have that. Sorry, kids. Sorry.

Adam Fisk
I was just gonna say — I suppose one thing that is a little bit different, I suppose about how TSP has approached cybersecurity in the past, is that we work with our clients on kind of a very almost one-on-one point of view, in that we are their IT provider and consultant in these matters. And we have the ability to say and work with the points of contact to say, “Hey, these are the rules. You have to follow these rules.” But I know from some experience and some hearsay that education is a little bit different. Especially when you’re working in a kind of larger organism where you do have all these satellite schools that you — you are one part of a larger cybersecurity focus, how has that kind of altered moving with the various kind of threats and systems?

Sarah Pruski
Well, I think it’s actually pretty similar to my experience when I was at DHS, and that you have this push/pull in the government between, you know, federal and state and local and whose job it is to do what and, you know, “get off my turf” otherwise. And when you’re at Harvard — and I like to think of the larger Harvard, the mother Harvard, if you will, and she has sort of satellite schools underneath it. There is a little bit of a push/pull between, you know, Central Harvard, which, you know, many schools rely on for some critical services. And then each school has their own infrastructure in their own environment, which they have to maintain. So you both rely on Central, but you’re also aggressively independent when it suits you. And that’s just the nature of academia as well. You want rules and structure, but when it suits you, you know, step off, please. You cannot tell me to do this. Absolutely not.

Kelly Ford
So like America [laughs].

Sarah Pruski
America. Yeah. Yeah. I mean, even…I’ve literally had conversations, not at Harvard, thankfully, at my other job in cybersecurity and in higher ed, where, you know, a faculty member was just like, “Can I do this?” I said, “No.” And they said, “Why?” And I said, “Because it’s illegal.” And they said, “But…but why?” And I said “Because it’s illegal!” And it continued to go downhill from there. My script did not change. Did they do it? 100%. So I think you sort of have to choose your battles. And there’s always some CYA there. But it’s good to have a “Mother Harvard” to be able to collaborate with and other schools to collaborate with. Because if you run into a problem, you know, you can bet your buns that you’re not the only one. And so that’s when you can reach out and sort of query people to say, “Hey, what’s the deal? Have you guys figured this out?”

Mike Oh
So how has your job evolved with the lockdown and COVID? Like, are you still doing like the exact same job, doing the same stuff? Or are you just like dealing with Zoom-bombing like every single day, like that’s your job?

Sarah Pruski
Yeah, no, it’s kind of the same thing I was doing, just on steroids. Because everyone is now remote and while the University — just by nature of the business that we do — our students, our faculty, our staff, many of them need to be remote anyways, they have other jobs, they have other lives and things like that. So I would argue that our infrastructure was really strong, even 5-10 years ago, let alone now. And so it wasn’t necessarily a huge curveball aside from, you know, on Monday, everyone is tentative. On Tuesday, things are a little bit more dicey. Then on Wednesday, it’s “Get your stuff and don’t come back. You’re now going to be on Zoom.” Which, luckily, you know, the university has been adopters of, you know, for some time now. So we didn’t have to spin anything up, not in a real way, very quickly. We just had to sort of be prepared to spoon-feed a little more, not for anyone’s lack of willingness to learn or things, but just by the nature of it, right? Like, everyone and literally their mother is on Zoom now, so be prepared to speak to the mothers as well about how to do this.

Mike Oh
And what do you think about all of the sort of debate about Zoom and their quote/unquote, “security issues?” I mean, do you feel — as a cybersecurity expert — do you feel like those are real concerns? Or is it sort of overblown PR stuff?

Sarah Pruski
Yeah, I think — well, so no tool or platform is ever perfect, right? Zoom is no exception. I think the issues and the concerns were real. But that being said, Zoom, bless their hearts, their visibility in the public eye went up about 7,000% maybe more in the span of one week. Versus, you know, maybe a more traditional five to 10 year slow-burn of an industry leader, right? They’ve been around for some time. Nobody really does what they do. I mean, you can argue WebEx or what have you, but you know, some people think it’s all garbage. And so they experienced a whiplash that goes with being thrust into the public eye of being barely recognizable to the average Joe, to sort of the “It Girl.” And as I know, it’s a long-standing tradition of this podcast to look at the dark underbelly of things — [All laugh]

Mike Oh
What?!

Adam Fisk
I’m ready for it…

Sarah Pruski
While the tidal wave of new attention is overwhelmingly positive and connective, like for instance Babcia, my Polish grandmother in Buffalo, she had a Zoom call from like the elderly person’s home — she has advanced stage Alzheimer’s — she had a Zoom call with my parents for the first time. And it was really, really wonderful. But then the other side of that is that more eyeballs on a platform mean more malicious actors are going to be drawn to it immediately because they know everyone is on it. You know, picture the Eye of Sauron whipping around when it finds that homing beacon for the ring. So I do think they’ve done a truly first-rate job at responding appropriately. They weren’t altogether defensive or indignant or defiant of the criticisms, they adjusted quickly to the tidal wave of legitimate concerns and criticism. And then actually provided actionable solutions for their users. So, for instance, you all know Zoom is incredibly robust. It has a million features. If you’re using the enterprise version, it has 1,000,001 features. Which is great, because then it allows users to fine-tune a tool to their needs, right? Like, it’s not a one-size-fits-all. The problem with that is that 90% of your users are going to drown in the options, in indecision, right? And just shut down completely. It’s like looking at a Cheesecake Factory menu. I’m overwhelmed by page nine and I’m super gonna miss the avocado burger on page 36 because I just need to make a decision.

Mike Oh
What?! There’s an avocado burger on page 36? Ugh.

Sarah Pruski
To Zoom’s credit, they tweaked their UI a little bit to help. So security features for Zoom are incredibly robust. And Zoom-bombings have been around for as long as the platform. This isn’t new for them. But what they did is, if you’ll notice if you’ve ever used it, now on a host’s screen, when they’re doing a meeting, there’s a new little security button right at the very bottom next to all of your standard user buttons, which helps consolidate some of the more popular security features for people to easily access. They don’t have to go hunt down where this one thing is. They don’t have to figure out if they need to turn this other thing on. It’s all a little bit of a one-stop-shop in that little button for folks. So nothing new. It’s just helpful. It’s spoon-feeding, right? Because you kind of need to. So I have fewer concerns, overall, with Zoom. Well, I guess I have fewer concerns about Zoom as a platform and Zoom as a secure product, than I do, I guess about the systematically problematic attention spans of the general population to actually learn a tool, they need to use it, then take ownership of it. Which is a problem. It’s a real problem, you know?

Mike Oh
Yeah, yeah. No, I mean, I think they’ve had to react in a way and adapt their user interface really, you know, to address this much larger set of users but I think they have done a phenomenal job at doing it. And also at scaling. I mean the numbers — and we’ve covered this on a previous Grepcast — are insane. But I don’t want to like, spend the entire episode talking about Zoom.

Adam Fisk
We’ve already done that a few times.

Mike Oh
Yeah, that’s true. Actually. That’s true.

Kelly Ford
But we didn’t get the Eye of Sauron before, so…

Mike Oh
[laughs] No, we didn’t. And I’m cruising right by contact-tracing. Because that’s so boring.

Sarah Pruski
Oh, we’re all being traced all the time. For everything. Trust no one. It’s fine.

Mike Oh
[laughs] But you know, going back to the discussion about users in this sort of world of supporting users and education… I think, like this is kind of an interesting topic in the world of COVID. Because fear has a role to play, both in COVID and cybersecurity, right? Without fear, people wouldn’t act differently. And in the last couple months, we’ve seen the entire world change massive social behaviors, because there’s the fear of a lot of different things happening. And then now people are saying, “Oh, well, the fear was overblown,” and all this kind of stuff. But focusing on cybersecurity, I think I’ve seen fear as a very useful tool in cybersecurity in the sense that people won’t do anything unless they fear a certain action. So, you know, you’re not going to really worry about phishing attacks until you actually hear of somebody that you know, or a company that you know, losing $10,000. How do you see that kind of relationship of fear and cybersecurity playing out in your job, or what do you do?

Sarah Pruski
Unfortunately, I mean, honestly, I wish there was more fear [laughs]. I’m fear-mongering proponent number one. I mean, most of my job is politely and articulately, scaring people in the most, you know, pleasant of manners. So they can, they can be, you know, armed with the right knowledge and tools to do what they need to do. But I think, unfortunately, the human brain is amazing at filtering. Too good, really. And I think people tune things out a lot of the time. Aside from my previous vote of no confidence for folks just due to human nature. I think, you know, people don’t take a lot seriously much anymore, particularly in the security and privacy realm, because there’s just…there’s just too many instances, too many news articles about people crying wolf. Right? It’s just breach fatigue. It’s incident fatigue. I mean, who among us did not receive an email from LL Bean and Lucky Brand and Converse about all the amazing steps they’re taking to secure you from COVID-19. Right? So it’s like, “Great LOL sure, yeah, go on Lucky Brand, that’s fantastic. But also did you really need to contribute to this conversation?” Right? It’s kind of just more noise. So people end up clicking “Delete” a little bit quicker than they maybe should have on a lot of things that are very relevant to them. But, again, unfortunately, in my cybersecurity and law enforcement experience — and also just in my own personal academic studies with like, comparative religion and anthropology — people don’t do something, fear or otherwise, until they’re directly affected. To your point, Mike. And I think it’s not just affected of somebody I know. It’s, it’s visceral. It’s in a really tangible way. Until you get phished. Until you’re the one being escorted away in handcuffs. Right? Until you’re the one being prevented from entering the polling station. Like, people just don’t get it until it’s right in front of them.
And so, I don’t know, I think fear is good insofar as humans over learn from negativity versus positivity. And I don’t know, I think it’s good. It can be harnessed to an extent. And after that, it’s just white noise. Everything else is just a cluster data point that you disregard.

Mike Oh
Well, yeah, I mean, I think it’s — from my standpoint, and this is here in the UK, there’s this sort of an I don’t know, maybe it’s big in the US, hopefully not. But there’s this big thing over 5G and how it’s causing COVID and people are actually burning down cell towers.

Sarah Pruski
Ugh, garbage.

Kelly Ford
That’s crazy.

Mike Oh
And so yeah, yes. I mean, I agree with you that like generally in sort of a normal conscious human brain, people have to feel, you know, viscerally that they’re under threat. And then they’ll change their behaviors. But then there’s this completely [different] side of it, which is like, “I’m just being told that 5G is causing COVID, so I’m gonna go burn down things!” So, I mean, I don’t really understand how that all relates to each other. And I’m not necessarily asking you to enlighten me, but I just think it’s really interesting to see how all of these things are kicking around right now. And what it means, you know, in our worlds and our business, you know?

Sarah Pruski
Yeah, and I mean certainly the current situation presents a whole bunch of new challenges. With COVID-19, many organizations, just when you’re at a point when you had blessedly gotten to a stage where your organization — your people — are finally taking security seriously, on some level, some baseline level. You’re investing in staff, in firewalls, encryption, password changes, password managers, all this great stuff. All of a sudden you’re forcing people back home on their wi-fi. All of a sudden it’s a whole new can of worms, right? Because you’ve forced them now out of this beautifully-gilded birdcage that is network and enterprise security of your organization — which is a privilege right? It comes with employment sometimes. — but now they’re plugging in a router or a wi-fi station from their nephew Bobby that they got five years ago on Black Friday. You know, password’s never been changed, never been patched. Absolutely, let’s plug it in. Let’s connect. I have a committee meeting. And all of a sudden you have really important, you know, sensitive issues being discussed over completely unsecured networks and things like that. So the general rule of security is that really obnoxious but true saying, you know, you really are only as strong as your weakest link. And you go for the low-hanging fruit, which may be someone’s unprotected home network. And then pivot from there. So, yeah. People generally, in my experience, want to do the right thing. But they just don’t know what they don’t know. And you have to react quickly to that, with situations like this. And unfortunately, some people react to that [by] attacking 5G towers, because garbage.

Mike Oh
Well, so the lesson is: don’t blame 5G for COVID. Blame your, what was it? Your cousin Bobby, that gave you that crappy router [laughs].

Sarah Pruski
NEPHEW Bobby. COUSIN Bobby understands passwords [all laugh]

Mike Oh
Ah okay, alright. That evil nephew, Bobby [all laugh]

Adam Fisk
Well, I suppose, kind of wrapping it all together and bringing it right back to our best friend, Spot the Dog, the unfortunate — and I’ll quote Julie Carpenter here, who is a roboticist and researcher at the Ethics and Emerging Sciences Group at Cal Poly — “the unfortunate truth is crisis situations have always pushed technology forward.” And this is now true [with] COVID, cybersecurity, everything. I think Zoom is probably the one that is going to open a lot of people’s eyes. To your point, it is now happening firsthand. They are seeing their book clubs kind of get Zoombombed or all these things are now having to take into consideration “Oh, I haven’t ever thought about my home network, because I’m at work. Oh now my home network is actually the problem. Okay, how do we move forward? What do we do next?”

Sarah Pruski
That’s right, and people generally wanna do the right things, but again, the human brain being the filter that it is, it will pull stuff out, right? There’s only just so much people can take. Trying to manage their job and lock themselves down at the same time. I don’t think the first thing on people’s minds, even after considering your home network — what about everything that’s connected to it? What about your Internet of Things? Is that baby monitor up-to-date on its patches? Because if it’s not, someone could pop that and then pivot and then move on from there. What about your Furbo, you know? Kelly, by the way, I should patch our Furbo machine [laughs].

Kelly Ford
I know! I was just like “Oh god!” It’s unplugged, it’s cool.

Sarah Pruski
It’s gonna just start rogue throwing treats in the middle of the night, it’s fine.

Adam Fisk
Simon will be excited, don’t worry about it.

Sarah Pruski
It’s fine, yeah. He’s in his golden years, he deserves it. But yeah, it’s all these considerations, so you kind of have to look at every situation, fortunately — and unfortunately — more holistically. You know, where’s the data coming from? What are you doing with it? Where’s it going to? And just try your best to secure it at each of those stages. Because security is not a band-aid for — an easy band-aid, I guess I should say — it’s “defense and depth”, right? Like, that’s the industry term. It’s a bunch of layers. If you get through the first layer, hopefully — you know, if you hop the fence, hopefully on the other side of that fence there’s a locked door. If you get through the locked door, you know, you might find my father-in-law with a shotgun, right? Like, that’s “defense and depth.” It’s doing the best you can with what you have.

Adam Fisk
Totally. Well, that is the time that we have this week on the Grepcast. I wanna thank Sarah for joining us as our special guest. And if you are interested in any of the other stuff we’ve talked about you can always check us out over on our websites, tsp.me and tsp.space. You can also find us over on LinkedIn, Instagram, Facebook, your local social media network of your choice. Provided you are not in the middle of a dopamine fast. In terms of plugs, Sarah, I know you’ve got one.

Sarah Pruski
I do! My plug today is for Radio Galaxy Zoo, run by the good folks of Zooniverse, which apparently — I learned recently — is the world’s largest platform for people-powered research. They have over a million volunteers assist professional researchers in different fields. And this particular project is one that was sent [to me] by my lovely wife, Kelly. Anyone can register to help astronomers locate and identify supermassive black holes and star-forming galaxies. It’s really incredible. It makes my heart happy in so many ways. But mostly it helps me fill a void in me — lifetime regret of not becoming an astronaut because [I] super cannot do simple math. So this is just one fun thing to do in the spare moments around the edges. And, bonus, if you actually help find something that leads to new discoveries and such, you get credit in any scientific articles and publications and things. Kind of fun.

Adam Fisk
Not too bad! And I know Kelly, we have your snark-based plug this week in that New York Times article.

Kelly Ford
Yup. The ding dongs of dopamine.

Adam Fisk
The ding dongs of dopamine, I love to hear it. And actually, pivoting off of a plug Mike gave us a couple episodes ago, specifically around iRacing and NASCAR. There’s an article over on Vice, written by Rob Zacny, which is really, really interesting. Because IndyCar had a virtual race. And the headline here is “IndyCar’s Virtual Race Crashes Sparked Real-World Controversy Among Drivers.” Essentially, if you can’t be trusted to not intentionally crash into each other in a video game, how can people be trusted once people get back on the actual road?

Kelly Ford
I mean, [they] can’t. That’s the answer. [They] cannot be trusted [laughs]. Nope!

Mike Oh
And then there were like, NASCAR drivers that were rage-quitting over, you know, people doing things in virtual races, and it’s basically like “Yep, you’re just a 13-year-old.”

Adam Fisk
I think that guy got banned, at least, so…

Mike Oh
Yeah, exactly. Oh man. The world is just all going virtual and it’s not pretty [laughs]

Sarah Pruski
It’s a hot mess.

Adam Fisk
But until we talk to you again…wash your hands. Stay cool.