Interviews from The Underground Economy Conference – Part 6

Children of the Internet

Welcome to the final post in the series of interviews from the underground economy conference.
WHAT WE ASKED…

Did you ever think you would be doing this as a child?

How can the Internet Security community collaborate to improve online safety for children?

How do we convince young people not to fall for the dark-side of the criminal easy-profit life?

 

Q: Did you ever think you would be doing this as a child? 

 

A: “Yes, I always wanted to be a garbage man and it turns out that is exactly what I am, I am a custodian of the internet.”

Neil Schwartman – Neil is the executive director of Coalition Against Unsolicited Commercial Email. https://ca.linkedin.com/in/spamfighter @spamfighter666

 

 

A: “I was born in a Kibbutz in Israel, I don’t know how many people know what a Kibbutz is, it’s a commune of people. We didn’t have a computer back then; it was the beginning of the 90s. It’s a long time for me but not for everybody, I guess. I come from a family of farmers, we worked in the orchards, wake up early and pick apples, so if somebody would have told me when I was five or seven, I’m gonna be in the security industry, I would have laughed. No, I never believed it, I thought I’m gonna be picking apples in the orchards until the end of my days, but I guess fate has a sense of humor and I’m here with you guys.”

Dror Avrahami – Dror was born in Israel and moved to the Tel Aviv, which is one of the largest cities he has lived in. Dror has been working for ThreatSTOP for three years now. https://www.linkedin.com/in/droravr/ @oldmanonaporch

 

A: “As a child, I was really drawn to the hacking world through movies, like war games and even the movie hackers.  As corny as it is these days, it was one of my favorite movies as a kid. To think that I would be able to do that as an adult, as a child, it kind of seemed as far out as saying I wanted to be a spaceman or I wanted to play with the NBA or something like that. By then, the world started to change, and things started going online and the industry began to emerge. I was fortunate enough to be able to take part in some of the more recent developments of it.”

Alexander Heid – Alexander is the chief research officer of Security Scorecard and the co-founder of the Hack Miami organization.

 

A: “Actually, No.  Not even close.  When I was a kid, I had different plans for my life.  I was actually dreaming about being a ski trainer and chasing snow around the globe…. winter in Europe and summer in South America.  But life changed.  I started working in Guardia Civil for the Intelligence branch there. The opportunity came up for me to join the cyber security community because they were just starting and needed young people with techie knowledge.  They gave me a chance and here I am 15 years later…still working on this.”

César Lorenzana – César is from Spain; he works for the Guardia Civil in the Cyber Crime Central Unit.  He has been there for the last 15 years fighting against cyber-crime.

 

A: “It was a long time ago that I started in the digital information security industry. I was three years old when I got my first computer that each morning told me “Good Morning Selena.” At five years old I started breaking down the computer with my father, taking apart the pieces and mount and so on. So, when I was young, I had passion for this field.”

Selene Guipponi – Selene has worked in the digital forensics’ environment in cyber security for more than 10 years

 

Q: How can the Internet Security community collaborate to improve online safety for children?

 

A: “The children thing is something I didn’t think about a lot until I had kids and I think that’s the case for a lot of people.  You don’t really think about that kind of thing. But I think a lot of the mistakes I see people make today, that are big mistakes on the Internet, they could have learned as children. The methodology we use to teach children today, not involving technology or the Internet or something like that, the methodology we use is that we kind of put them in a space and allow them to fail. They go to school, they fail a test, they have to learn to study or they do poorly in a sporting event or whatever and it helps them learn that situation, but we don’t have digital space like that as well. I’ll give you an example. I have two kids and they want to play games online and of course I’m in the “no no no no you can never be online” type of thought process, but then it hit me.  You will never learn to put your phone down and use it sparingly if you don’t have one and know what it’s like to set it down and police yourself.  You also will never learn about fraud and about the tricks and things that can happen to you online if you’re not online, so I let them play with people. They play Roblox.  It’s one of their favorite games and somebody stole their password….an 8-year-old and a 6-year-old and somebody stole their password in Roblox.  They had a game that had them type their password in to get some free stuff installed by typing in their password and it took some of their costumes or something (I don’t know exactly how it works) but that lesson is in their minds forever now. When they’re online, they’ll understand the ideology behind what a scam is, what does it look like, and so on.  I believe to help children today, we need to create sandboxes and playgrounds where they can fail, where they can be tricked and they do they don’t lose all their credits or get all their money stolen, but it hurts a little.  That’s the biggest thing I think, education for security should be based on failures and teaching what that looks like, that way when they get older, they don’t make mistakes everybody else does.”

Elliot Anderson – Elliot is a developer at Shadow Dragon, he leads trainings as well as a lot of other things. Shadow Dragon is not a huge company, so Elliot wears a lot of hats. Elliot has been in the information technology and cyber security world for almost 20 years.  He has been doing this a long time and loves doing it. https://www.linkedin.com/in/lemmingrush/ @lemmingrush

 

 

A: “Improving online safety for kids is really an entire community effort! It is not just mom and dad, it’s the teachers in the school, it’s the IT professionals at the school, and it’s our industry of Internet cyber and information security professionals. All of us that are information security professionals have a, in my opinion, a public duty and a public responsibility and obligation to work within our community to teach our kids and teach those who are teaching our kids, best practices and good common-sense things to help our kids make the kinds of decisions we want them to make that are smart and help protect their infrastructure and protect their lives online and that online experience. So, it is a community effort, we all have to work together, things that I would tell kids is that they need to take a step back and think about what it is that they want to do online, what the application is or the device they are wanting to purchase and is that really something that is necessary for them and what is the impact of the information that might come out of that device and how that might impact them down the road. As parents we need to help guide them and understanding how to make those choices and decisions.”

John Brown – John is a part of an internet service provider business called CityLink Telecommunications that is based in Albuquerque, New Mexico. https://www.linkedin.com/in/john-brown-cissp-020135

 

 

A: “We have a lot of stuff to help and collaborate for the safety of children. First, I have a lot of cases where children were being spied on by a smart phone, so a lot of trainings have resulted now, and some sensibility from the European Union and to also other schools and organizations. So, first, the best way is to introduce children to information security. There is a good project, and open-source project, called Heckara School – so next year I would like to set up a class in Italy for children to stay safe, from children from 5 years old to 10 years old and to teach how they can stay safer. Because it is our job, and now it is a society problem, a social problem, that all the children are alright, and it could be a boost.”

Selene Guipponi – Selene has worked in the digital forensics’ environment in cyber security for more than 10 years.

 

A: “That is a difficult question, I’m not really dealing with the topic through my work, let’s say I’m touching this through the family and relatives, but I believe that again, it’s a shared responsibility which goes through all levels of the cyber security lifecycle. So, it needs to start I believe at home with the family, when the kids are very small (2 /3 years old) and start using devices such as tablets. The advised must be given at a level which they could digest and understand, the same principle I believe should be done for older children. At school – it should be the cyber security and the safety online program introduced during lessons.  And At homes for every age group in a different way, so there is an accumulation of information dependencies and seriousness of the topic. And finally, it is the whole society responsibility. Example: you cannot just be a cybersecurity expert at work and give recommendations and then come home and not follow it yourself that is not secure and responsible. The same applies for kids because they need to see it everywhere, the family, school again, and then in the society in general. Nowadays it is different situation I believe the kids could reach awareness more easily from everywhere. I would say in 90’s and 2000s it was more difficult because we were actually growing by learning about what it is cyber-security, so I believe for the future if we really engage as a society and put online safety in every aspect of our lives and our children’s lives, we might do better, but it will take some time.”

Andrea Dufkova – Andrea works for ENISA, the European Union Agency for Cybersecurity. She is Czech by nationality and lives in Lamia, Greece but her job takes her all over Europe

 

Q: How do we convince young people not to fall for the dark-side of the criminal easy-profit life? 

 

A: “I think that profit is not always the motivation for young people.  The motivation that I have often seen in my career is that cybercrime or getting involved in nefarious activity online is often just a result of really needing a challenge and getting involved in something that presents a challenge.   I think 3 steps are very important for trying to divert young people away from getting involved in online criminality. I think firstly, making them aware of legitimate outlets and initiatives designed to improve their technical gifts and give them a challenge such as a hackathon, capture the flag, coding challenges I think are legitimate ways they can be challenged, and they can use their technical gifts, and they can find that outlet outside of crime. I think we also need to stress the opportunities to young people available out there in the wider IT industry, legitimate IT career choices that gives them jobs, roles, advancement, the opportunity to make money. I think when young people are informed of those opportunities often, they can move away from crime into legitimate careers.  And, I think thirdly, role models are really important with young people…. people who can mentor them such as teacher’s parents and peers who can support them and give them that sense of belonging and being needed.  And, I think a lot of young people I have experienced in my career have got involved in online crime with groups simply because they feel part of something.  They feel they belong to something.  We need to divert that sense of belonging into something more wholesome and legitimate for them.”

Scott Mellis – Scott is an Australian Federal Police Cybercrime Liaison Officer to the United Kingdom.  He is originally from Melbourne and currently lives in London.  Scott has been in cybercrime and cybercrime intelligence for around 17 years. www.linkedin.com/in/scott-mellis-cissp-cism-9097706

 

A: “For young people to be told that they should do the good thing, the right thing…that doesn’t necessarily mean anything to them.  It’s securing their future and securing all the possibilities that are in front of them.  We need to provide those possibilities to them.  It’s so much easier to get into stealing people’s user information, stealing credit cards, just very basic things that you can teach someone to do in five minutes.  We need to have those possibilities in front of them to do good as well.  Right now, we are tucked behind certifications, degrees, x amount of years of experience.  We don’t need that.  We need actual entry level positions for these people that pays a reasonable amount so that they have those opportunities without having to say, “I’ve done this, this, and this, and spent $100,000 so I can make $30,000 a year.”

Josh Carney – Josh is a software developer from Alabama. Josh currently works for Shadow Dragon and has been doing infosec and software development for the past five years.

 

A: “So, my advice is that if you want to have a normal life, and be quiet, and have your family and live quietly.. not being worried every night about someone would break into your house, don’t do that because criminal things and the dark side of the cyber security is not paying so much anymore, because it’s very complicated to make money with criminal activities, because law enforcement and cyber security companies are getting better at being able to unveil criminal crews. However, that thing of being a romantic hacker trying to break into the companies so you might be hired……. That’s something from the past. Nowadays, you unlikely get a job in the industry if you have criminal records. So, it’s up to themselves, but I’d rather be an employee, working for an international company, than be part of an international criminal organization. Those guys don’t have a benefits program for employees; they don’t pay good salaries; and don’t have company morals.  So, if you become expendable, they will remove you and obviously you will freak out.  If you want to bet for a quiet and regular life, don’t do that because it’s not going to be profitable for you.”

César Lorenzana – César is from Spain; he works for the Guardia Civil in the Cyber Crime Central Unit.  He has been there for the last 15 years fighting against cyber-crime.

 

 

A: “I understand there are a lot of traps during our lives. When you are young, or even after you get older, this is a fact. For younger people though, I would like you to have someone you can really trust, and you can talk whenever you are in trouble. This may not be easy but if you can find such trusted person(s), that makes a significant difference.  I personally believe if you have several smaller and minor mistakes and if you can learn lessons from them, you may be able to avoid serious mistakes which may give you and importantly others more serious damages. Crimes may be a part of such big mistakes.  If you suspect you might be involved with a crime, think how many people would be victimized, how many people, including your loved ones, would feel sad, how many people would be in trouble by a simple crime you may be involved.  Think you may be losing most important things you cannot buy by going to criminal easy-profit life.  Try to find an excellent mentor or mentors whom you can trust and talk about your concerns BEFORE you lose something most important to you.  Keep in mind younger people are easier to be exploited.  That’s why you may be targeted by criminals.”

Shin Adachi – Shin has been doing information security and system administration for decades. He works mainly in incident response and gives advice to other incident responders around the globe. Shin is based in Silicon Valley, California, while majority of his teams are based in Tokyo. https://www.linkedin.com/in/shin1adachi/ @s_adachi

 

A: “I think there’s a lot of education involved around that part. Probably investigate telling them and show them recent cases where law enforcement was able to get the guys that were showing themselves on the Internet with big cars, lots of money, and then right away bring them down in handcuffs, probably in fear. I can remember one phrase that the professor told me once, if you don’t look good in orange don’t do bad things and that’s the reality of that. Being smart, learn from the past, learn from what we see on the news every day and keep going. Keep doing your good work and you’ll be on the right path.”

Pedro Bueno – Pedro is a Brazilian who has been working is Cybersecurity for around 20 years.  In the past 10 years, Pedro has done work in the financial sector as well. https://www.linkedin.com/in/pedrobueno/