Hi, and welcome to Backup Central's Restore it All podcast.

I'm your host w Curtis Preston, AKA Mr.

Backup, and I have with me, my post vacation depression

consultant, Prasanna Malaiyandi.

How's it going, Prasanna?

I am good.

Jealous of your vacation.

Also really upset that you decided to come back from said vacation rather

than just like being like, yeah, I'm just gonna stay remotely and extend

my vacation by another week or two weeks or a year, whatever it is.

I had to come back because a, I was going broke.

I was spending like $250 every time I got on a scuba boat, it was very, the

diving is really expensive over there.

Partly cuz I had to rent a wet suit.

I brought all my gear, but left my regulator behind like a moron.

So I had to rent a regulator every time I dove.

It was great diving.

I was at the big island, so I was diving in Kona.

I did a pelagic dive where you, you interact with like transparent

and, and, and translucent.

And what, what do you call the bioluminescent creatures by

diving over 5,000 foot of ocean?

Oh, that was, that was, that was way cool.

So, so I think that you need a new profession,

Curtis, in addition to Mr.

Backup, I think you need to be like in the water all the time.

Maybe there's something about like backup in the ocean or

like data centers in the ocean.

I am so happy.

Like, and it's been so long since I've dove, like, because I, I,

my, my gear on my last dive to, to Hawaii was my last dive and my gear

broke and, um, you know, it's, it's expensive to replace that stuff.

And so.

Uh, so yeah, it was, I, I forgot like how happy I am when I'm in the water.

So I, yeah, so that was, that was really good, but it, but it was stupid expensive.

Like, I mean, I, I spent, you know, close to a grand going out scuba

diving, but it was, but it was great,

was well worth it though, to you look

at how happy relaxed you are.

And,

Yeah.

And

and hopefully, after this podcast, you will still continue to

be happy and relaxed, but we shall see,

We'll see, we'll see right now I'm in the, oh crap.

I'm back at work this morning.

I had to do some training.

Now I gotta do a podcast and you know, it's just, you know,

welcome back to the real world.

Um, Let's bring on our guest today.

Uh, I'm excited.

He is a cybersecurity advisor who helps with assessment remediation

and management of cybersecurity.

He currently leads an it services practice called Tech and Maine, and is also the

host of Tech and Maine presents podcast.

You can find both of them at techandmain.com.

Welcome to the podcast, Shaun St Hill.

Curtis.

Thank you.

It is an honor to be here, super excited and looking forward to our time together.

And we're not gonna get any, uh, sympathy from you

well, I was gonna say, and I didn't know how this would be

taken, but let's just jump right in.

You went to Hawaii, sir, you get zero sympathy.

If you went to the bank and said, could I withdraw some sympathy for

the trip that I took to Hawaii?

They would say, sir, you need to walk right back out because you'll

get, you can take out zero sympathy

I get it.

I get it.

You know, I got, I had a great trip to Hawaii, my wife had a great time.

She, she hung out with her best friend who lives in Hawaii.

It was a great all around trip, but oh man, it was, so it was a little

warm and, and I had to spend lots of money while doing awesome things.

Sounds sounds very first world to me

I know seriously,

world

#firstwordproblems.

Yeah.

Yeah.

Meanwhile, you know, The world is fall.

I, I left for a week and you know, the queen died.

Uber got attacked.

Like what, what happened while I,

Well, I remember asking you, I was talking to you.

What was it yesterday?

Yeah.

Yesterday, right?

I was like, oh, Curtis, did you hear about this Uber thing?

You're like I'm behind on everything.

I don't know what, yeah.

You're I.

did a real vacation.

Like I tried really hard not to look at my phone.

Certainly didn't respond to any work emails.

So I, I thought we'd take this opportunity since, you know,

you're in that cybersecurity world to discuss the Uber attack.

Um, and, and I'll, I'll mention that.

Um, for five years now, uh, I, back when I was underemployed for a minute, I actually

became an Uber driver, uh, five, six, actually, I guess it's six years now.

And so, and, and I, I have stayed active, so I still, you know,

occasionally drive for them when I want to get out of the house.

Right.

Um, . And so I am both an Uber passenger and an Uber driver.

And then I hear that, you know, they got attacked.

I, I guess the good news that we're hearing, uh, that you can either

confirm or deny or, or whatever is that the no user accounts were affected.

That's what I'm hearing.

I don't know.

What, what, what have you heard?

Curtis I've I've heard the same thing.

So this really, to me is very interesting.

On a number of fronts.

The first being back in, I want to say 2016, Uber had

another cybersecurity incident.

One that ended up costing the then CISO his job.

And I believe there was some sort of lawsuit associated with that.

Hmm.

The other thing that always is interesting to me, When the

company that had the security incident immediately comes out and says, oh,

well, no, no customer information.

Or, you know, P you know, PII was, was touched.

yeah.

And no code.

No, you know, well, what did, what did they

well, I think I thought it's actually said, like

they were, I was reading a earlier, very specific about like no sensitive

personal data or some very specific term they were using to reference to

like what they said was not accessed.

A, and so that's that, like I said is always interesting

to me because it sounds very much like someone that was coached

by a public relations agency.

Well, you know, that they're coached by a

Oh, of course of of course.

So, so, so the, so the thing is one, what really happened

and two, how soon will we know.

The, the person that this hacker that was, or has, um, self-identified

as the person that got in.

It's interesting.

There's a company, uh, a game company.

I think it's rocket games.

Maybe they put out grand theft auto.

right.

rockstar that just got GTA six grant theft, auto six,

uh, Got released way ahead of time.

They, I think they had hacked in, they had basically stolen the game

that no one had knew was actually happening and leaked it on the web.

So thank you.

Prasanna.

What's interesting is the same person has self identified as the hacker.

So,

And they're, they're connected to Lapsus$ by the way.

ah, interesting.

So, so, so here, so we here, we have this, these amazing

connections and not amazing as.

They're the right kind of connections, but it's just, it's

it makes for an interesting story.

The, the last thing is when you, when you think about a company, the size of

Uber, going back to that 2016 security incident, you'd want to be sure that

your name doesn't come up in the news.

Also posted on one of the social media platforms, a screenshot

of Uber's career portal.

And so it looks like there's all of a sudden, you know, multiple openings for,

you know, cybersecurity positions, which, which, again, Curtis it's like what.

Do we not have the time and the money on the front end or on the back end?

Like, you know, why does it always take an incident like this for you to

be able to find budget and then open up these jobs and then spend millions

of dollars to hire these amazing consultants to help you do what,

according to what happened in 2016, you said you were doing or should have done.

So I think so I'll take a stab at that.

And Curtis, I think we should throw out our disclaimer first.

Yeah.

Yeah.

out our disclaimer, uh, Prasanna and I work for different

companies, uh, he works for Zoom.

I work for Druva.

We're not representing either company and the opinions that you hear are ours.

And also, uh, you know, if you'd like to rate us, we'd love to,

you know, see your rating, just go to your favorite podcatcher.

And, uh, you know, give us, give us all the stars and comments.

We love comments.

In fact, we're currently running a comment promotion, uh, that

if we get I, I went and checked.

It's gotta be 25 comments by the I'm.

I'm gonna push it.

I'm gonna push it out.

I'm gonna push it out to the end of October.

Uh, if we get 25 comments total, by the end of October, I will continue to grow

this beard and I'll do my best to look like Santa Claus by come Christmas time.

So, um, and if you'd like to join the conversation, please reach

out to me @wcpreston on Twitter or wcurtispreston at Gmail and Prasanna.

You're probably gonna mention that maybe you work a little

bit in the, in the privacy area,

Yeah.

Well, that's one of the things I wanna talk about.

And even before I got into privacy, right?

I think the challenge is security is seen as a risk reduction

function of an organization, right.

It's to protect the organization now, uh, I'm not saying this

is how it is everywhere.

Right.

But in some places that's kind of how it's seen.

And so one of the challenges becomes you have this tension between

security, privacy compliance, right?

All of these sort of risk reducing.

Organizations which wanna keep the business protected versus sort of

your revenue driving parts of the business, which are like, we gotta ship

something, we gotta ship something, we gotta get it out the door.

Right.

We gotta get more money.

And so there's this tension because the revenue side wants to go fast.

Right?

Wants to innovate, wants to get things out there quickly.

And the security side.

Doesn't always have, like you said, the budget, the number of people, right.

To be able to look over all of the things that the revenue side is doing to make

sure it's being done the right way.

And so you kind of have to pick and choose what you focus on.

And sometimes it's accepting the risk, right?

It's like saying, Hey.

I can only cover 30 or 40 or 70% take whatever number you wanna take

of the products going out the door.

And that's what I'm gonna be focused on and making sure that at least

those are good enough and there are no major vulnerabilities.

Now it could be done better where you get security, privacy compliance.

Earlier on in the process.

So it's sort of privacy by design security by design, right, where

they're working hand in hand as product is being developed.

So you make sure that security is baked in, right?

All of these other processes are baked in rather than having to

worry about it at the end, but it's always that tension, right?

People will always wanna spend more on R and D and not necessarily more

on security and privacy in other compliance parts of the business.

by the way, and, and this is not in any way, a defense of Uber.

The problem for Uber is that they have I'm, I'm just gonna say dozens, but I

think it might be well over a hundred different versions of the same product

for those of you that aren't Uber drivers.

They run different features and different functionality.

And they're constantly AB testing.

What if we did this for drivers?

What if we did this for passengers?

And they're like, let's do it for everybody in San Diego for two weeks.

Right?

So they're, it's not just one product that they're releasing out across the world.

They're constantly tweaking the algorithm.

And so, so they've got that push, like you were saying to spend a lot of money on R

and D and perhaps a little bit less on, on the things that you're talking about.

I, I just wanted to mention, by the way, um, Shaun, the.

The I, I, I pulled up the breach, the, the old breach, uh, and it was actually 2014.

The reason why you're thinking 2016 is they didn't tell us about it until 2015.

Uh, and that's, and so that's why.

And then, and then they talked to the, the FTC in 2016, um, Yeah.

And so, so the, basically this is referred to as the data breach

and coverup timeline, which goes all the way until 2020, right?

Yeah.

So there were, there was a lot because it, it, because basically

they tried to cover it up.

So I will say at least Uber has learned that lesson.

The,

good for them.

it looks like they've learned that lesson they've come out

right away as far as that's what we think.

Of course they may not have been given a choice because

this person did it publicly.

Uh, anyway, sorry.

I,

Now the, the one other thing I wanted to bring up too

is I think, I know I was talking about product security, but if we look at the

Uber side of things and what happened, it was more of an operation security,

Yeah.

breach, right?

It was, uh, contractor who basically got fooled into sharing their

multifactor authentication codes, right.

With the hacker, which then allowed that hacker access into Uber's environment.

Now the fact that the, uh, the hacker was able to laterally

move within the environment.

Right.

Isn't great.

right.

That they were able to access the AWS infrastructure and hacker one systems

and their VMware infrastructure.

Right.

That things weren't isolated and alerts weren't going off right.

Is worrisome.

But I, I think it's less about the product side, right.

And more about the operation side

What do you think about the contractor aspect, John?

So this honestly is something that you would think

companies have a better handle on.

And that is who has access to the kitchen, so to speak, who

has the keys to the kingdom.

You, you hear so much about zero trust and the need to make sure that whoever

has access to the source code or to, you know, some other part of the environment,

you know, they, they need to verify going in and then as soon as they come out,

you make sure that, you know, they're not able to go back in, you know, pry the door

open, so to speak and for a company, the size of Uber's for that to be the case,

I think there, there needs to be, there needs to be some comeuppance for that.

That's a good word.

I like that word.

Um, now you, there was something on the pre-call.

You, you talked about you, the companies are very quick to throw

the contractor under the bus.

Yes.

So before we actually started recording, we were talking about colonial pipeline

and a number of other organizations.

And again, this isn't

target was one of them.

target.

Right?

So these are.

Stories and information that's out in the public domain.

We're not throwing shade at any one particular company we're just

stating what's already out there.

And so these companies during their security incidents made sure to tell

you that, oh, it was the intern or, oh, it was the HVAC contractor as a,

as a person who now has to go through signing up for whatever credit monitoring

you're throwing out to me that doesn't give me the warm and fuzzies, nor does

it as a shareholder or an investor.

Give me the warm and fuzzies to know that the money that we've

given either through stock purchase or through, you know, a round of

funding that that money was used for.

Offsite leadership retreats or something other than securing and locking down the

important things, customer data, whether that customer's internal or external.

So, so for me, there's, there is this need to own the situation.

Like my, like my daughter and her teenage friends will say, I own that.

There needs to be that aspect of it.

And then again, the, the, the comeuppance, so to

Prasanna mentioned about lateral movement?

We don't know what type of contractor this was, but I hope it was like an it

admin contractor, because if he wasn't an it, she wasn't an it admin contractor.

The fact that they were able to modify the open DNS configuration

that by the way, if, if one of the things that happened was.

They modified the open DNS configuration so that if anybody went

to any webpage, what they got was a pornographic image and message.

Right.

Um, so, so either this was an admin level contractor, or they had a

serious, least privileged problem,

well, I think what happened though, was I believe that

the hacker got in, he then found he, or she then found a share, which contained

passwords for other parts of the system.

I can't.

I just can't even with this, I can't, you know, the last one, the last

was an open S three bucket, right.

You telling me inside your company is a share with admin passwords.

I don't know what type of passwords they were, but I think I

did read in an account in one of the blog posts, that there was a, uh, a share that

the attacker used that had the passcodes.

can't Shaun, stop me.

Just an editor's note here.

I researched what persona was talking about and what it appears happened was

that there was a PowerShell script with admin credentials hard coded in it.

So after they got the mFA hack.

They then scanned the internal network and they found this PowerShell script,

which was unprotected from those that did not have admin credentials, and

that's what they used to escalate their privileges to, which I just want to go.

Ugh, I I'm back to, I just can't.

I, I, I just don't understand how that happened.

There seems to be this common theme of slackness no pun intended.

Slack was thank you.

You know, slack being one of the tools that was named, um, and

abused in this particular incident.

But there, there, there seems to be this indifference and this,

oh, no one will ever find out no one will ever be able to access.

Right.

It's it's that, it's that virtual sticky note under the keyboard, if you will.

No, no one will ever think to look under the keyboard, to see all of

the passwords that I've written.

So how, how about this?

Let's talk about what we, what we can learn.

What, so here, the, the thing that we're sort of dancing around is this

concept of least privilege, right?

I'm thinking about there was a GDPR breach in Europe.

I'm thinking Spain.

I can't remember exactly.

And it was a hospital we've talked about it on the podcast.

This was a couple years ago.

It a hospital.

And when the, the breach, what the breach was, was it was an investigation.

And the investigation showed that.

They didn't understand the concept or they just, they just didn't care

about the concept of Lee's privilege.

They gave doctor level access to every single employee in

the, in the, uh, hospital.

That, that was, that was the easiest thing to do.

So it didn't matter if you were the janitor or if you were a surgeon,

you had access to everything, including medical records and such.

The, the big thing I would say is to, to make sure like use Okta, right.

Okta isn't evil and, and it's not, I'm not picking Okta, but it's just,

it's the one that's off the top of my head, use something like Okta,

but then don't just give everybody access to everything, give them access

to the things they need access to.

Another editor's note here, because we ultimately found out after the

recording, that the big breach here was that there was a PowerShell

script with admin credentials.

The other big thing that we can learn here is don't do

that number, number one, right?

Don't put admin level , credentials in a script.

We had to do that 20 years ago maybe, or.

You know, I, I, I don't, I don't know if that's that shouldn't

ever have to be the case.

There are other ways to get credentials or to require that the

script be run as an administrator.

There are ways around that issue.

And if.

You can't get around that issue.

And again, I don't, I'm not a PowerShell expert.

I'm not a Windows expert by any means, but if you can't get around that

issue, then make sure that any script like that is stored in a way that

only people that already have admin credentials can get access to it.

But again, I don't think you should have to write a script like that.

The other thing I would add to that is internal pen tests, right?

Why is it only the hacker that was able to scan around to see if there were scripts

that, that an ordinary person is able to access that have admin credentials?

Why didn't they do that?

You should be doing that.

So.

Again, if you don't have that internal access, there are

services, there are SaaS services.

There are consultants, there are all sorts of people that you can hire or

pay for a service to do penetration testing, both externally and internally.

so that you can find out these vulnerabilities before they bite

you the way that Uber got bit.

So the, the thing that comes to mind for me, Curtis, if you don't

have the people internally that care and, or have the skill set necessary to help

put those controls in place, then please.

For the love of God, reach out to a managed security service provider who

is literally frothing at the mouth to be able to add you as a logo.

Right.

and then take that responsibility that could or

should be assigned to a full-time employee, allow them to come in

and take that excuse away from you.

Yeah, absolutely.

Cybersecurity.

Has a different problem than data protection.

So data, the problem with data protection backup.

So nobody wants to do it right.

Nobody, nobody wants to do that job that, that, you know, I've been in this

business coming up on three decades.

That part has never changed.

Right?

Cyber security, at least people wanna sign up, but there is a global skill shortage.

And you may not have anyone at your company that, that

knows what they're doing.

Right.

And so I, I wholeheartedly concur with you to, to use an MSP, to use, you

know, you know, consulting companies.

The episode that we published today was with Horangi, which, which

automates cloud security and, um, you know, and specifically for the

Asian market, but they're broadening into the, into the rest of the world.

Uh, and Horangi is apparently the Korean word for tiger.

So there you go.

or the other thing is if you are running in the

cloud as a SaaS service or whatever else, reach out to the cloud company,

because they have well architected reviews, they have best practices.

They have tools already, right.

To sort of help you cover the basics to make sure you're not

doing something obviously wrong, like making a public S3 bucket.

Yeah.

Can you think of any other big lessons from this particular, um, hack Shaun?

The other big lesson is make sure that what is

done internally is, is checked.

Right?

So.

sure that if someone does have responsibility for a particular tool

or particular part of the environment, make sure that there's someone

that, that follows up if you will.

And I forget the exact saying, but what, what gets inspected?

Uh, it, it slipped my mind.

It's, it's the one where if you, if you wanna make sure that it's

done, it has to be inspected.

right.

So that, that would, that would be my thing, you

know, make sure that there is some follow through and some, you know,

coming behind the person or behind, you know, the tool to make sure.

What is to be protected or, you know, what is to be passed

has a, has in fact taken place.

Right.

And I will also say one lesson I would say is that, you know, we, we talk about

MFA a lot and I'm a huge fan of MFA.

And if you don't have, if you don't have MFA, then What

What at this point, but it's not infallible.

in fact that's what happened here again,

right?

Just like, yep.

Just like with Okta.

That's what happened.

So just be careful,

Yeah.

I mean, I don't understand this concept of, I, I get 57 MFA requests and so

I just approve it to make it stop.

I don't understand that person.

Like I would be calling it going.

What the hell

so what happened in the case of Uber though, is that

the person, uh, pretended to be Uber it and pinged them on WhatsApp and

said, oh, by the way, I'm, Uber's it.

Please accept the MFA.

Right.

And so they kept doing that.

If you wanted the MFA to stop.

. Yep.

And so then eventually the person's like, okay.

And then they just said, yep, good to go.

Okay.

I'm I'm done talking about this.

I want to go onto your second subject, Shaun.

You, you, you, it's still in the same area, you in our pre-call you

had talked about, um, you know, K through 12 funding and specifically

funding for, uh, this kind of thing.

Why don't you, why don't you talk about that.

Sure.

Mid-September of 2022, LA unified school district had a massive security incident.

LA unified school district is the second largest school district in the nation.

And so along with the security incident, came a request from some high ranking

government officials in California, along with the leadership from the school.

Asking the FCC to immediately consider allowing eRate to be used eRate funds.

So just

for a quick, yeah.

So for, uh, for those that may not be familiar, eRate is a government program

where each year school districts across the country can basically petition the

government for services like internet.

Access points.

So things that will help from a technology standpoint within the district.

And so interestingly enough, cybersecurity is not one of those technology services

that they can get government funding for.

And so they're asking the government to issue some sort of waiver that would

allow for that to take place immediately.

And as I was mentioning before we talked, or before we started

the podcast, The cares act.

And then the follow up, which was the American rescue plan, allocated billions

of dollars to school districts for them to use, to spend on technology.

And one of those technology expenditures could be in the area of cybersecurity.

So what I was saying is not that school districts don't deserve or need.

The money from E-Rate, but I would first ask what have you done with

the funding from cares and from art to upgrade your cybersecurity?

And I wonder actually, if they were even thinking about

cybersecurity, when they were looking at that funding that came in, right, maybe

they were like, Hey, we need more laptops.

We need to worry about remote education.

We need to put all these other equipment in place.

Maybe cybersecurity didn't even like, come to mind.

And, and Prasanna.

I think that is a wonderful that's.

That is a, that is a reasonable assumption.

However, if you dig into K12 and the number of security incidents, it's

it's on the rise.

it's it's, it is, it is very much on the rise.

And so me being the cybersecurity and data nerd that I am.

There are websites and different tools available to show that this

has been a thing before the pandemic.

And so, again, your, your, your question or your, your concern is very reasonable.

We, we needed to get laptops and People out in the community

to help distribute that.

We had to, you know, make sure that our teachers had what they needed.

And so yes, there were very legitimate, immediate concerns

that needed to be addressed.

no one focused on this at all.

this, this, this is such a critical thing that.

if, if this was 2008 or 2009, we could give you a pass

Yeah.

and say, you know what?

There's so much to this.

It's, you know, not only do we not have the employee or the staff, we don't have

the budget there again, 14, 15 years ago.

Totally get.

Times have changed.

Times times have changed so much so that these school districts

are partnered with other providers.

So think of illuminate is, is a big one that was in the news recently where

these companies provide software to the school districts and every parent,

every child in the school district, every administrator, every teacher uses.

This software to help with a particular function, you know, um, within the school.

And so it's, it's, it's not as though you aren't aware that

these things are happening again.

The, the very reasonable question that you asked.

Well, we have all these other priorities.

Yes.

But you also have this awareness that you need to take care of.

Right.

Your your kids and their parents and your staff.

Prasanna Malaiyandi:

One of the things is I.

Prasanna Malaiyandi:

If you think about the disruption that could happen at schools, right?

Prasanna Malaiyandi:

It's not just, I think LA unified, right.

Prasanna Malaiyandi:

They had a ransomware attack, right.

Prasanna Malaiyandi:

That kind of took down their infrastructure.

Prasanna Malaiyandi:

Right.

Prasanna Malaiyandi:

And that's disruptive because just imagine, I, I can't

Prasanna Malaiyandi:

remember the exact number.

Prasanna Malaiyandi:

Right.

Prasanna Malaiyandi:

But hundreds and thousands of kids no longer in school because they

Prasanna Malaiyandi:

can't go, they can't get attendance.

Prasanna Malaiyandi:

They can't check in.

Prasanna Malaiyandi:

If they're doing remote learning, they can no longer access things.

Prasanna Malaiyandi:

Right.

Prasanna Malaiyandi:

That's so disruptive.

Prasanna Malaiyandi:

The other side though, is I know a lot of time when we talk about ransomware,

Prasanna Malaiyandi:

we also talk about exfiltration of data right now, kids' data, right?

Prasanna Malaiyandi:

Imagine that you now have access to kids' records, you're stealing

Prasanna Malaiyandi:

their social security numbers, or other pieces of information.

Prasanna Malaiyandi:

Right?

Prasanna Malaiyandi:

These are kids who don't have credit.

Prasanna Malaiyandi:

Imagine now starting using that for identity theft and other purposes.

Prasanna Malaiyandi:

It's a lot of sensitive, sensitive data that could potentially be

Prasanna Malaiyandi:

exposed that you may not find about.

Prasanna Malaiyandi:

Find out until the kid turns 18.

Prasanna Malaiyandi:

Right?

Prasanna there are 10 year olds right now who have

Maseratis and Porsches in their name.

They have homes in Hawaii, Connecticut that are in their name and they

won't know it until many years.

Hence, and it's because of what we're talking about now, the, the,

the need to take cybersecurity seriously is, is way overdue.

A thought did occur to me and I do wonder about at what point.

So like I locked down my, my, um, credit reports, right?

So, uh, so at least minimizing this risk personally, uh, on my side.

And I'm wondering at what age.

Would could, should you do that with a minor,

right.

Like,

when you're still in the hospital.

well, like when can you CA you know, can you, can you do this?

Like, as soon as they have a social security number, I would think

you would be able to do it, right?

You can So it's, it would be, it would be

incumbent on the parent to do that,

Yeah.

to go ahead

and

lock

gonna talk, I'm gonna talk to my kids.

I'm gonna keep my, keep my granddaughter from owning a Mo home in, well, maybe

I'll let her have that home in Hawaii.

I think the challenge though, is like, we're

talking about it now and you're you were aware of credit freezes, right?

Curtis.

But there are a lot of parents who aren't even aware of a lot of the tech or possib

process and possibilities that they might be able to leverage like credit

or freezing the credit of their child.

Right.

And so what do you do for those parents?

Right?

How do you.

Inform them or let them be aware that, Hey, there are these other

options that you should be thinking about to protect your kids.

Well, I can only help the lucky few that are smart

enough to listen to this podcast.

So go do that, right.

I, I think, and I've never, I never thought about it myself.

I am well aware of the concept of freezes, but I never thought of

freezing my granddaughter's credit.

She doesn't need.

You know, an open credit report right now.

Um, what, you know, what's really weird, you know, it's a bit of a non-sequitur,

but what's really weird is there are like, if you Google, should I, or how

could, how do I freeze your credit?

You will find.

Um, blogs that tell you that don't do it because it's, uh, it makes getting

credit cards, inconvenient and such.

And I will agree.

It absolutely did.

When we got our first new car in a long time, uh, but you

know, what else is inconvenient?

Having your identity stolen?

Having your identity stolen?

Um, yeah, it's just, you know, it's, it's like security,

security is never convenient.

Right.

Um, you know, having to unlock my front door when I come to

the house, not convenient.

Right.

But it minimizes the number of yahoos running through my house.

Um, Shaun, we're about to wrap this up.

Uh, any, any final thoughts regarding the school system.

There are a number of things that I'd yet say about security

and the, the school districts, the one that I will put out there is, again, the,

the amount of funding that is available through the sources that we mentioned, you

know, cares and the American rescue plan.

But beyond that, there are local and state grants available for technology

upgrades that include cybersecurity.

What am I saying?

There really isn't an excuse, right?

Until you have turned over every stone and exhausted every

possibility, you don't have an excuse.

There is no reason that your school district should be easy pickings.

For someone to come through and get tens of thousands of, you know,

student records and parent records.

There's, there's just no reason for it.

Yeah, that sounds about right.

, I would suggest anybody that, you know, wherever you live, reach

out to your school district, find out what they're doing.

Ask how they're securing your data.

Maybe they're completely clueless, right?

Maybe you should volunteer.

I don't know.

I don't know what the answer is there, but starts with this is a represent.

Our podcast is listened to in more places than there are representative governments.

But if you have a representative government you gotta represent

Exactly.

Yeah.

Yeah.

All right.

Well, uh, thanks Shaun.

For, for coming on.

It's been great

Prasanna Curtis.

Thanks for your time.

Appreciate being on you guys are doing a great job.

and, uh, Prasanna, thanks for not giving any care

about my post vacation depression.

That that's the least I can do, Curtis, you know, it

was nice talking to you too, Shaun.

And thank you to our listeners.

Remember to subscribe so that you can restore it all