This week on the Lock and Code podcast…

You’ve likely felt it: The dull pull downwards of a smartphone scroll. The “five more minutes” just before bed. The sleep still there after waking. The edges of your calm slowly fraying.

After more than a decade of our most recent technological experiment, in turns out that having the entirety of the internet in the palm of your hands could be … not so great. Obviously, the effects of this are compounded by the fact that the internet that was built after the invention of the smartphone is a very different internet than the one before—supercharged with algorithms that get you to click more, watch more, buy more, and rest so much less.

But for one group, in particular, across the world, the impact of smartphones and constant social media may be causing an unprecedented mental health crisis: Young people.

According to the American College Health Association, the percentage of undergraduates in the US—so, mainly young adults in college—who were diagnosed with anxiety increased 134% since 2010. In the same time period for the same group, there was in increase in diagnoses of depression by 106%, ADHD by 72%, bipolar by 57%, and anorexia by 100%.

That’s not all. According to a US National Survey on Drug Use and Health, the prevalence of anxiety in America increased for every age group except those over 50, again, since 2010. Those aged 35 – 49 experienced a 52% increase, those aged 26 – 34 experienced a 103% increase, and those aged 18 – 25 experienced a 139% increase.

This data, and much more, was cited by the social psychologist and author Jonathan Haidt, in debuting his latest book, “The Anxious Generation: How the Great Rewiring of Childhood Is Causing an Epidemic of Mental Illness.” In the book, Haidt examines what he believes is a mental health crisis unique amongst today’s youth, and he proposes that much of the crisis has been brought about by a change in childhood—away from a “play-based” childhood and into a “phone-based” one.

This shift, Haidt argues, is largely to blame for the increased rates of anxiety, depression, suicidality, and more.

And rather than just naming the problem, Haidt also proposes five solutions to turn things around:

• Give children far more time playing with other children. 
• Look for more ways to embed children in stable real-world communities.  
• Don’t give a smartphone as the first phone.
• Don’t give a smartphone until high school.  
• Delay the opening of accounts on nearly all social media platforms until the beginning of high school (at least).

But while Haidt’s proposals may feel right—his book has spent five weeks on the New York Times Best Seller list—some psychologists disagree.

Writing for the outlet Platformer, reporter Zoe Schiffer spoke with multiple behavioral psychologists who alleged that Haidt’s book cherry-picks survey data, ignores mental health crises amongst adults, and over-simplifies a complex problem with a blunt solution.  

Today, on the Lock and Code podcast with host David Ruiz, we speak with Dr. Jean Twenge to get more clarity on the situation: Is there a mental health crisis amongst today’s teens? Is it unique to their generation? And can it really be traced to the use of smartphones and social media?

According to Dr. Twenge, the answer to all those questions is, pretty much, “Yes.” But, she said, there’s still some hope to be found.

“This is where the argument around smartphones and social media being behind the adolescent mental health crisis actually has, kind of paradoxically, some optimism to it. Because if that’s the cause, that means we can do something about it.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

---

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

This week on the Lock and Code podcast…

Our Lock and Code host, David Ruiz, has a bit of an apology to make:

“Sorry for all the depressing episodes.”

When the Lock and Code podcast explored online harassment and abuse this year, our guest provided several guidelines and tips for individuals to lock down their accounts and remove their sensitive information from the internet, but larger problems remained. Content moderation is failing nearly everywhere, and data protection laws are unequal across the world.

When we told the true tale of a virtual kidnapping scam in Utah, though the teenaged victim at the center of the scam was eventually found, his family still lost nearly $80,000.

And when we asked Mozilla’s Privacy Not Included team about what types of information modern cars can collect about their owners, we were entirely blindsided by the policies from Nissan and Kia, which claimed the companies can collect data about their customers’ “sexual activity” and “sex life.”

(Let’s also not forget about that Roomba that took a photo of someone on a toilet and how that photo ended up on Facebook.)

In looking at these stories collectively, it can feel like the everyday consumer is hopelessly outmatched against modern companies. What good does it do to utilize personal cybersecurity best practices, when the companies we rely on can still leak our most sensitive information and suffer few consequences? What’s the point of using a privacy-forward browser to better obscure my online behavior from advertisers when the machinery that powers the internet finds new ways to surveil our every move?

These are entirely relatable, if fatalistic, feelings. But we are here to tell you that nihilism is not the answer.

Today, on the Lock and Code podcast, we speak with Justin Brookman, director of technology policy at Consumer Reports, about some of the most recent, major consumer wins in the tech world, what it took to achieve those wins, and what levers consumers can pull on today to have their voices heard.

Brookman also speaks candidly about the shifting priorities in today’s legislative landscape.

“One thing we did make the decision about is to focus less on Congress because, man, I’ll meet with those folks so we can work on bills, [and] there’ll be a big hearing, but they’ve just failed to do so much.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

---

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

It takes a little to receive a lot of online hate today, from simply working as a school administrator to playing a role in a popular movie or video game.

But these moments of personal crisis have few, immediate solutions, as the current proposals to curb and stem online harassment zero in on the systemic—such as changes in data privacy laws to limit the personal information that can be weaponized online or calls for major social media platforms to better moderate hateful content and its spread.

Such structural shifts can take years (if they take place at all), which can leave today’s victims feeling helpless.

There are, however, a few steps that everyday people can take, starting now, to better protect themselves against online hate and harassment campaigns. And thankfully, none of them involve “just getting off the internet,” a suggestion that, according to Leigh Honeywell, is both ineffective and unwanted.

“The [idea that the] answer to being bullied is that you shouldn’t be able to participate in public life—I don’t think that’s okay,” said Honeywell, CEO and co-founder of the digital safety consultancy Tall Poppy.

Speaking to me on the Lock and Code podcast last month, Honeywell explained that Tall Poppy’s defense strategies to online harassment incorporate best practices from Honeywell’s prior industry—cybersecurity.

Here are a few steps that people can proactively take to limit online harassment before it happens.

Get good at Googling yourself

One of the first steps in protecting yourself from online harassment is finding out what information about you is already available online. This is because, as Honeywell said, much of that information can be weaponized for abuse.

Picture an angry diner posting a chef’s address on Yelp alongside a poor review, or a complete stranger sending in a fake bomb threat to a school address, or a real-life bully scraping the internet for embarrassing photos of someone they want to harass.  

All this information could be available online, and the best way to know if it exists is to do the searching yourself.

As for where to start?

“First name, last name, city name, or other characteristics about yourself,” Honeywell said, listing what, specifically, to search online.

It’s important to understand that the online search itself may not bring immediate results, but it will likely reveal active online profiles on platforms like LinkedIn, X (formerly Twitter), Facebook, and Instagram. If those profiles are public, an angry individual could scrape relevant information and use it to their advantage. Even a LinkedIn profile could be weaponized by someone who calls in fake complaints to a person’s employer, trying to have them fired from their position.

In combing through the data that you can find about yourself online, Honeywell said people should focus on what someone else could do with that data.

“If an adversary was trying to find out information about me, what would they find?” Honeywell said. “If they had that information, what would they do with it?”

Take down what you can

You’ve found what an adversary might use against you online. Now it’s time to take it down.

Admittedly, this can be difficult in the United States, as Americans are not protected by a national data privacy law that gives them the right to request their data be deleted from certain websites, platforms, and data brokers.

Where Americans could find some help, however, is from online resources and services that streamline the data removal process that is enshrined in some state laws. These tools, like the iOS app Permission Slip, released by Consumer Reports in 2022, show users what types of information companies are collecting about them, and give user the opportunity to request that such data be deleted.

Separately, Google released on online tool in 2023 where users can request that certain search results that contain their personal information be removed. You can learn more about the tool, called “Results about you,” here.

When all else fails, Honeywell said that people shouldn’t be afraid to escalate the situation to their state’s regulators. That could include filing an official complaint with a State Attorney General, or with the Consumer Financial Protection Bureau, or the Federal Trade Commission.

“It sounds like the big guns,” Honeywell said, “but I think it’s important that, as individuals, we do what we can to hold the companies that are creating this mess accountable.”

Lock down your accounts

If an adversary can’t find your information through an online search, they may try to steal that information by hacking into your accounts, Honeywell said.

“If I’m mad at David, I’m going to hack into David’s email and share personal information,” Honeywell said. “That’s a fairly standard way that we see some of the worst online harassment attacks escalate.”

While hackers may have plenty of novel tools at their disposal, the best defenses you can implement today are the use of unique passwords and multifactor authentication.

Let’s first talk about unique passwords.

Each and every single one of your online accounts—from your email, to your social media profiles, to your online banking—should have a strong, unique password. And because you likely have dozens upon dozens of online accounts to manage, you should keep track of all those passwords with a devoted password manager.

Using unique passwords is one of the best defenses to company data breaches that expose user login credentials. Once those credentials are available on the dark web, hackers will buy those credentials so they can attempt to use them to gain access to other online accounts. You can prevent those efforts going forward by refusing to repeat passwords across any of your online accounts.

Now, start using multifactor authentication, if you’re not already.

Multifactor authentication is offered by most major companies and services today, from your bank, to your email, to your medical provider. By using multifactor authentication, also called MFA or 2FA, you will be required to “authenticate” yourself with more than just your password. This means that when you enter your username and password onto a site or app, you will also be prompted with entering a separate code that is, in many cases, sent to your phone via text or an app.

MFA is one of the strongest protections to password abuse, ensuring that, even if a hacker has your username and password, they still can’t access your account because they will not have the additional authentication that is required to complete a login.

In the world of cybersecurity, these two defense practices are among the gold standard in stopping cyberattacks. In the world of online harassment, they’re much the same—they work to prevent the abuse of your online accounts.

Here to help

Online harassment is an isolating experience, but protecting yourself against it can be quite the opposite. Honeywell suggested that, for those who feel overwhelmed or who do not know where to start, they can find a friend to help.

“Buddy up,” Honeywell said. “If you’ve got a friend who’s good at Googling, work on each other’s profile, identify what information is out there about you.”

Honeywell also recommended going through data takedown requests together, as the processes can be “extremely tedious” and some of the services that promise to remove your information from the internet are really only trying to sell you a service.

If you’re still wondering what information about you is online and you aren’t comfortable with your way around Google, Malwarebytes has a new, free tool that reveals what information of yours is available on the dark web and across the internet at large. The Digital Footprint Portal, released in April, provides free, unlimited scans for everyone, and it can serve as a strong first step in understanding what information of yours needs to be locked down.

To learn what information about you has been exposed online, use our free scanner below.

This week on the Lock and Code podcast…

Few words apply as broadly to the public—yet mean as little—as “home network security.”

For many, a “home network” is an amorphous thing. It exists somewhere between a router, a modem, an outlet, and whatever cable it is that plugs into the wall. But the idea of a “home network” doesn’t need to intimidate, and securing that home network could be simpler than many folks realize.

For starters, a home network can be simply understood as a router—which is the device that provides access to the internet in a home—and the other devices that connect to that router. That includes obvious devices like phones, laptops, and tablets, and it includes “Internet of Things” devices, like a Ring doorbell, a Nest thermostat, and any Amazon Echo device that come pre-packaged with the company’s voice assistant, Alexa. There are also myriad “smart” devices to consider: smartwatches, smart speakers, smart light bulbs, don’t forget the smart fridges.

If it sounds like we’re describing a home network as nothing more than a “list,” that’s because a home network is pretty much just a list. But where securing that list becomes complicated is in all the updates, hardware issues, settings changes, and even scandals that relate to every single device on that list.

Routers, for instance, provide their own security, but over many years, they can lose the support of their manufacturers. IoT devices, depending on the brand, can be made from cheap parts with little concern for user security or privacy. And some devices have scandals plaguing their past—smart doorbells have been hacked and fitness trackers have revealed running routes to the public online.

This shouldn’t be cause for fear. Instead, it should help prove why home network security is so important.

Today, on the Lock and Code podcast with host David Ruiz, we’re speaking with cybersecurity and privacy advocate Carey Parker about securing your home network.

Author of the book Firewalls Don’t Stop Dragons and host to the podcast of the same name, Parker chronicled the typical home network security journey last year and distilled the long process into four simple categories: Scan, simplify, assess, remediate.

In joining the Lock and Code podcast yet again, Parker explains how everyone can begin their home network security path—where to start, what to prioritize, and the risks of putting this work off, while also emphasizing the importance of every home’s router:

Your router is kind of the threshold that protects all the devices inside your house. But, like a vampire, once you invite the vampire across the threshold, all the things inside the house are now up for grabs.

Carey Parker

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

---

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

This week on the Lock and Code podcast…

For decades, fake IDs had roughly three purposes: Buying booze before legally allowed, getting into age-restricted clubs, and, we can only assume, completing nation-state spycraft for embedded informants and double agents.

In 2024, that’s changed, as the uses for fake IDs have become enmeshed with the internet.

Want to sign up for a cryptocurrency exchange where you’ll use traditional funds to purchase and exchange digital currency? You’ll likely need to submit a photo of your real ID so that the cryptocurrency platform can ensure you’re a real user. What about if you want to watch porn online in the US state of Louisiana? It’s a niche example, but because of a law passed in 2022, you will likely need to submit, again, a photo of your state driver’s license to a separate ID verification mobile app that then connects with porn sites to authorize your request.

The discrepancies in these end-uses are stark; cryptocurrency and porn don’t have too much in common with Red Bull vodkas and, to pick just one example, a Guatemalan coup. But there’s something else happening here that reveals the subtle differences between yesteryear’s fake IDs and today’s, which is that modern ID verification doesn’t need a physical ID card or passport to work—it can sometimes function only with an image.

Last month, the technology reporting outfit 404 Media investigated an online service called OnlyFake that claimed to use artificial intelligence to pump out images of fake IDs. By filling out some bogus personal information, like a made-up birthdate, height, and weight, OnlyFake would provide convincing images of real forms of ID, be they driver’s licenses in California or passports from the US, the UK, Mexico, Canada, Japan, and more. Those images, in turn, could then be used to fraudulently pass identification checks on certain websites.

When 404 Media co-founder and reporter Joseph Cox learned about OnlyFake, he tested whether an image of a fake passport he generated could be used to authenticate his identity with an online cryptocurrency exchange.

In short, it did.

By creating a fraudulent British passport through OnlyFake, Joseph Cox—or as his fake ID said, “David Creeks”—managed to verify his false identity when creating an account with the cryptocurrency market OKX.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Cox about the believability of his fake IDs, the AI claims and limitations of OnlyFake, what’s in store for the future of the site— which went dark after Cox’s report—and what other types of fraud are now dangerously within reach for countless threat actors.

Making fake IDs, even photos of fake IDs, is a very particular skill set—it’s like a trade in the criminal underground. You don’t need that anymore.

Joseph Cox, 404 Media co-founder

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

---

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Today on the Lock and Code podcast…

If your IT and security teams think malware is bad, wait until they learn about everything else.

In 2024, the modern cyberattack is a segmented, prolonged, and professional effort, in which specialists create strictly financial alliances to plant malware on unsuspecting employees, steal corporate credentials, slip into business networks, and, for a period of days if not weeks, simply sit and watch and test and prod, escalating their privileges while refraining from installing any noisy hacking tools that could be flagged by detection-based antivirus scans.

In fact, some attacks have gone so “quiet” that they involve no malware at all. Last year, some ransomware gangs refrained from deploying ransomware in their own attacks, opting to steal sensitive data and then threaten to publish it online if their victims refused to pay up—a method of extracting a ransom that is entirely without ransomware.

Understandably, security teams are outflanked. Defending against sophisticated, multifaceted attacks takes resources, technologies, and human expertise. But not every organization has that at hand.

What, then, are IT-constrained businesses to do?

Today, on the Lock and Code podcast with host David Ruiz, we speak with Jason Haddix, the former Chief Information Security Officer at the videogame developer Ubisoft, about how he and his colleagues from other companies faced off against modern adversaries who, during a prolonged crime spree, plundered employee credentials from the dark web, subverted corporate 2FA protections, and leaned heavily on internal web access to steal sensitive documentation.

Haddix, who launched his own cybersecurity training and consulting firm Arcanum Information Security this year, said he learned so much during his time at Ubisoft that he and his peers in the industry coined a new, humorous term for attacks that abuse internet-connected platforms: “A browser and a dream.”

“When you first hear that, you’re like, ‘Okay, what could a browser give you inside of an organization?'”

But Haddix made it clear:

“On the internal LAN, you have knowledge bases like SharePoint, Confluence, MediaWiki. You have dev and project management sites like Trello, local Jira, local Redmine. You have source code managers, which are managed via websites—Git, GitHub, GitLab, Bitbucket, Subversion. You have repo management, build servers, dev platforms, configuration, management platforms, operations, front ends. These are all websites.”

Tune in today.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)
LLM Prompt Injection Game: https://gandalf.lakera.ai/

---

Overwhelmed by modern cyberthreats? ThreatDown can help.

The 2024 ThreatDown State of Malware report is a comprehensive analysis of six pressing cyberthreats this year—including Big Game ransomware, Living Off The Land (LOTL) attacks, and malvertising—with strategies on how IT and security teams can protect against them.