Lock and Code

This is the story of the world’s worst scam and how it is being used to fuel entire underground economies that have the power to rival nation-states across the globe. This is the story of “pig butchering.”

“Pig butchering” is a violent term that is used to describe a growing type of online investment scam that has ruined the lives of countless victims all across the world. No age group is spared, nearly no country is untouched, and, if the numbers are true, with more than $6.5 billion stolen in 2024 alone, no scam might be more serious today, than...

It’s often said online that if a product is free, you’re the product, but what if that bargain was no longer true? What if, depending on the device you paid hard-earned money for, you still became a product yourself, to be measured, anonymized, collated, shared, or sold, often away from view?

In 2024, a consumer rights group out of the UK teased this new reality when it published research into whether people’s air fryers—seriously–might be spying on them.

By analyzing the associated Android apps for three separate air fryer models from three differen...

Everything’s easier with AI… except having to correct it.

In just the three years since OpenAI released ChatGPT, not only has onlife life changed at home—it’s also changed at work. Some of the biggest software companies today, like Microsoft and Google, are forwarding a vision of an AI-powered future where people don’t write their own emails anymore, or make their own slide decks for presentations, or compile their own reports, or even read their own notifications, because AI will do it for them.

But it turns out that offloading this type of work on...

In the final, cold winter months of the year, ChatGPT could be heating up.

On October 14, OpenAI CEO Sam Altman said that the “restrictions” that his company previously placed on their flagship product, ChatGPT, would be removed, allowing, perhaps, for “erotica” in the future.

“We made ChatGPT pretty restrictive to make sure we were being careful with mental health issues,” Altman wrote on the platform X. “We realize this made it less useful/enjoyable to many users who had no mental health problems, but given the seriousness of the issue we wanted to get this right.”

T...

Google is everywhere in our lives. It’s reach into our data extends just as far.

After investigating how much data Facebook had collected about him in his nearly 20 years with the platform, Lock and Code host David Ruiz had similar questions about the other Big Tech platforms in his life, and this time, he turned his attention to Google.

Google dominates much of the modern web. It has a search engine that handles billions of requests a day. Its tracking and metrics service, Google Analytics, is embedded into reportedly 10s of millions of websites. Its...

“Connection” was the promise—and goal—of much of the early internet. No longer would people be separated from vital resources and news that was either too hard to reach or made simply inaccessible by governments. No longer would education be guarded behind walls both physical and paid. And no longer would your birthplace determine so much about the path of your life, as the internet could connect people to places, ideas, businesses, collaborations, and agency.

Somewhere along the line though, “connection” got co-opted. The same platforms that brought billions of people together—including Facebook, Twitter, Instagram, TikTok, and Sn...

There’s more about you online than you know.

The company Acxiom, for example, has probably determined whether you’re a heavy drinker, or if you’re overweight, or if you smoke (or all three). The same company has also probably estimated—to the exact dollar—the amount you spend every year on dining out, donating to charities, and traveling domestically. Another company Experian, has probably made a series of decisions about whether you are “Likely,” “Unlikely,” “Highly Likely,” etc., to shop at a mattress store, visit a theme park, or frequent the gym.

This isn’t the data most pe...

In the late 2010s, a group of sheriffs out of Pasco County, Florida, believed they could predict crime. The Sheriff’s Department there had piloted a program called “Intelligence-Led Policing” and the program would allegedly analyze disparate points of data to identify would-be criminals.

But in reality, the program didn’t so much predict crime, as it did make criminals out of everyday people, including children. 

High schoolers’ grades were fed into the Florida program, along with their attendance records and their history with “office discipline.” And after the “Intelligence-Led Policing” service analyzed the data, it instructed law e...

If there’s one thing that scam hunter Julie-Anne Kearns wants everyone to know, it is that no one is immune from a scam. And she would know—she fell for one last year.

For years now, Kearns has made a name for herself on TikTok as a scam awareness and education expert. Popular under the name @staysafewithmjules, Kearns makes videos about scam identification and defense. She has posted countless profile pictures that are used and repeated by online scammers across different accounts. She has flagged active scam accounts on Instagram and detailed their strategies. And, perhaps most...

The internet is cracking apart. It’s exactly what some politicians want.

In June, a Texas law that requires age verification on certain websites withstood a legal challenge brought all the way to the US Supreme Court. It could be a blueprint for how the internet will change very soon.

The law, titled HB 1181 and passed in 2023, places new requirements on websites that portray or depict “sexual material harmful to minors.” With the law, the owners or operators of websites that contain images or videos or illustrations or descriptions that “more than one-third of which is sexual...

For decades, digital rights activists, technologists, and cybersecurity experts have worried about what would happen if the US government secretly broke into people’s encrypted communications.

The weird thing, though, is that it's already happened—sort of.

US intelligence agencies, including the FBI and NSA, have long sought what is called a “backdoor” into the secure and private messages that are traded through platforms like WhatsApp, Signal, and Apple’s Messages. These applications all provide what is called “end-to-end encryption,” and while the technology guarantees confidentiality for journalists, human rights activists, political dissidents, and everyday people across...

“Health” isn’t the first feature that most anyone thinks about when trying out a new technology, but a recent spate of news is forcing the issue when it comes to artificial intelligence (AI).

In June, The New York Times reported on a group of ChatGPT users who believed the AI-powered chat tool and generative large language model held secretive, even arcane information. It told one mother that she could use ChatGPT to commune with “the guardians,” and it told another man that the world around him was fake, that he needed to separate from his family to break fre...

There’s a unique counter response to romance scammers.

Her name is Becky Holmes.

Holmes, an expert and author on romance scams, has spent years responding to nearly every romance scammer who lands a message in her inbox. She told one scammer pretending to be Brad Pitt that she needed immediate help hiding the body of one of her murder victims. She made one romance scammer laugh at her immediate willingness to take an international flight to see him. She has told scammers she lives at addresses with lewd street names, she has sent pictures of ap...

Complex problems often assume complex solutions, but recent observations about increased levels of anxiety and depression, increased reports of loneliness, and lower rates of in-person friendships for teens and children in America today have led some school districts across the country to take direct and simple action: Take away the access to smartphones in schools.

Not everyone is convinced.

When social psychologist and author Jonathan Haidt proposed five solutions to what he called an "epidemic of mental illness" for young adults in America, many balked at the simplicity.

Writing for the outlet Platformer...

There’s an easy way to find out what Facebook knows about you—you just have to ask.

In 2020, the social media giant launched an online portal that allows all users to access their historical data and to request specific types of information for download across custom time frames. Want to know how many posts you’ve made, ever? You can find that. What about every photo you’ve uploaded? You can find that, too. Or what about every video you’ve watched, every “recognized” device you’ve used to log in, every major settings change you made, every time...

There’s a problem in class today, and the second largest school district in the United States is trying to solve it.

After looking at the growing body of research that has associated increased smartphone and social media usage with increased levels of anxiety, depression, suicidal thoughts, and isolation—especially amongst adolescents and teenagers—Los Angeles Unified School District (LAUSD) implemented a cellphone ban across its 1,000 schools for its more than 500,000 students.

Under the ban, students who are kindergartners all the way through high school seniors cannot use cellphones, smartphones, smart watches, earbuds, smart glasses, and any...

“Heidi” is a 36-year-old, San Francisco-born, divorced activist who is lonely, outspoken, and active on social media. “Jason” is a shy, bilingual teenager whose parents immigrated from Ecuador who likes anime, gaming, comic books, and hiking.

Neither of them is real. Both are supposed to fight crime.

Heidi and Jason are examples of “AI personas” that are being pitched by the company Massive Blue for its lead product, Overwatch. Already in use at police departments across the United States, Overwatch can allegedly help with the identification, investigation, and arrest of criminal suspects.

Understanding exactly how...

If you don’t know about the newly created US Department of Government Efficiency (DOGE), there’s a strong chance they already know about you.

Created on January 20 by US President Donald Trump through Executive Order, DOGE’s broad mandate is “modernizing Federal technology and software to maximize governmental efficiency and productivity.”

To fulfill its mission, though, DOGE has taken great interest in Americans’ data.

On February 1, DOGE team members without the necessary security clearances accessed classified information belonging to the US Agency for International Development. On February 17, multiple outlets reported that DOGE sought access...

It has probably happened to you before.

You and a friend are talking—not texting, not DMing, not FaceTiming—but talking, physically face-to-face, about, say, an upcoming vacation, a new music festival, or a job offer you just got.

And then, that same week, you start noticing some eerily specific ads. There’s the Instagram ad about carry-on luggage, the TikTok ad about earplugs, and the countless ads you encounter simply scrolling through the internet about laptop bags.

And so you think, “Is my phone listening to me?”

This question has been around...

Google Chrome is, by far, the most popular web browser in the world.

According to several metrics, Chrome accounts for anywhere between 52% and 66% of the current global market share for web browser use. At that higher estimate, that means that, if the 5.5 billion internet users around the world were to open up a web browser right now, 3.6 billion of them would open up Google Chrome.

And because the browser is the most common portal to our daily universe of online activity—searching for answers to questions, looking up recipes, applying for jobs, posting on forums, ac...

Something’s not right in the world of location data.

In January, a location data broker named Gravy Analytics was hacked, with the alleged cybercriminal behind the attack posting an enormous amount of data online as proof. Though relatively unknown to most of the public, Gravy Analytics is big in the world of location data collection, and, according to an enforcement action from the US Federal Trade Commission last year, the company claimed to “collect, process, and curate more than 17 billion signals from around a billion mobile devices daily.”

Those many billions of signals, because of the...

Insurance pricing in America makes a lot of sense so long as you’re one of the insurance companies. Drivers are charged more for traveling long distances, having low credit, owning a two-seater instead of a four, being on the receiving end of a car crash, and—increasingly—for any number of non-determinative data points that insurance companies use to assume higher risk.

It’s a pricing model that most people find distasteful, but it’s also a pricing model that could become the norm if companies across the world begin implementing something called “surveillance pricing.”

Surveillance...

In February 2024, a 14-year-old boy from Orlando, Florida, committed suicide after confessing his love to the one figure who absorbed nearly all of his time—an AI chatbot.

For months, Sewell Seltzer III had grown attached to an AI chatbot modeled after the famous “Game of Thrones” character Daenerys Targaryen. The Daenerys chatbot was not a licensed product, it had no relation to the franchise’s actors, its writer, or producers, but none of that mattered, as, over time, Seltzer came to entrust Daenerys with some of his most vulnerable emotions.

“I think about killing myself som...

It’s Data Privacy Week right now, and that means, for the most part, that you’re going to see a lot of well-intentioned but clumsy information online about how to protect your data privacy. You’ll see articles about iPhone settings. You’ll hear acronyms for varying state laws. And you’ll probably see ads for a variety of apps, plug-ins, and online tools that can be difficult to navigate.

So much of Malwarebytes—from Malwarebytes Labs, to the Lock and Code podcast, to the engineers, lawyers, and staff at wide—work on data privacy, and we fault no ad...

The era of artificial intelligence everything is here, and with it, come everyday surprises into exactly where the next AI tools might pop up.

There are major corporations pushing customer support functions onto AI chatbots, Big Tech platforms offering AI image generation for social media posts, and even Google has defaulted to include AI-powered overviews into everyday searches.

The next gold rush, it seems, is in AI, and for a group of technical and legal researchers at New York University and Cornell University, that could be a major problem.

But to understand their co...

You can see it on X. You can see on Instagram. It’s flooding community pages on Facebook and filling up channels on YouTube. It’s called “AI slop” and it’s the fastest, laziest way to drive engagement.

Like “click bait” before it (“You won’t believe what happens next,” reads the trickster headline), AI slop can be understood as the latest online tactic in getting eyeballs, clicks, shares, comments, and views. With this go-around, however, the methodology is turbocharged with generative AI tools like ChatGPT, Midjourney, and MetaAI, which can all churn out endless waves of images and text w...

Privacy is many things for many people.

For the teenager suffering from a bad breakup, privacy is the ability to stop sharing her location and to block her ex on social media. For the political dissident advocating against an oppressive government, privacy is the protection that comes from secure, digital communications. And for the California resident who wants to know exactly how they’re being included in so many targeted ads, privacy is the legal right to ask a marketing firm how they collect their data.

In all these situations, privacy is being provided to a...

Two weeks ago, the Lock and Code podcast shared three stories about home products that requested, collected, or exposed sensitive data online.

There were the air fryers that asked users to record audio through their smartphones. There was the smart ring maker that, even with privacy controls put into place, published data about users’ stress levels and heart rates. And there was the smart, AI-assisted vacuum that, through the failings of a group of contractors, allowed an image of a woman on a toilet to be shared on Facebook.

These cautionary tales involved “smart devices,” products...

The month, a consumer rights group out of the UK posed a question to the public that they’d likely never considered: Were their air fryers spying on them?

By analyzing the associated Android apps for three separate air fryer models from three different companies, a group of researchers learned that these kitchen devices didn’t just promise to make crispier mozzarella sticks, crunchier chicken wings, and flakier reheated pastries—they also wanted a lot of user data, from precise location to voice recordings from a user’s phone.

“In the air fryer category, as well as kn...

The US presidential election is upon the American public, and with it come fears of “election interference.”

But “election interference” is a broad term. It can mean the now-regular and expected foreign disinformation campaigns that are launched to sow political discord or to erode trust in American democracy. It can include domestic campaigns to disenfranchise voters in battleground states. And it can include the upsetting and increasing threats made to election officials and volunteers across the country.

But there’s an even broader category of election interference that is of particular importance to this podcast, and that’s...

On the internet, you can be shown an online ad because of your age, your address, your purchase history, your politics, your religion, and even your likelihood of having cancer.

This is because of the largely unchecked “data broker” industry.

Data brokers are analytics and marketing companies that collect every conceivable data point that exists about you, packaging it all into profiles that other companies use when deciding who should see their advertisements.

Have a new mortgage? There are data brokers that collect that information and then sell it to advertisers who believe new...

Online scammers were seen this August stooping to a new low—abusing local funerals to steal from bereaved family and friends.

Cybercrime has never been a job of morals (calling it a “job” is already lending it too much credit), but, for many years, scams wavered between clever and brusque. Take the “Nigerian prince” email scam which has plagued victims for close to two decades. In it, would-be victims would receive a mysterious, unwanted message from alleged royalty, and, in exchange for a little help in moving funds across international borders, would be handsomely rewarded.

The scam w...

On August 15, the city of San Francisco launched an entirely new fight against the world of deepfake porn—it sued the websites that make the abusive material so easy to create.

“Deepfakes,” as they’re often called, are fake images and videos that utilize artificial intelligence to swap the face of one person onto the body of another. The technology went viral in the late 2010s, as independent film editors would swap the actors of one film for another—replacing, say, Michael J. Fox in Back to the Future with Tom Holland.

But very soon into the t...

On August 24, at an airport just outside of Paris, a man named Pavel Durov was detained for questioning by French investigators. Just days later, the same man was charged in crimes related to the distribution of child pornography and illicit transactions, such as drug trafficking and fraud.

Durov is the CEO and founder of the messaging and communications app Telegram. Though Durov holds citizenship in France and the United Arab Emirates—where Telegram is based—he was born and lived for many years in Russia, where he started his first social media company, Vkontakte. The Facebook-esque platform gain...

Every age group uses the internet a little bit differently, and it turns out for at least one Gen Z teen in the Bay Area, the classic approach to cyberecurity—defending against viruses, ransomware, worms, and more—is the least of her concerns. Of far more importance is Artificial Intelligence (AI).

Today, the Lock and Code podcast with host David Ruiz revisits a prior episode from 2023 about what teenagers fear the most about going online. The conversation is a strong reminder that when America’s youngest generations experience online is far from the same experience that Millennials, Gen X’...

Somewhere out there is a romantic AI chatbot that wants to know everything about you. But in a revealing overlap, other AI tools—which are developed and popularized by far larger companies in technology—could crave the very same thing.

For AI tools of any type, our data is key.

In the nearly two years since OpenAI unveiled ChatGPT to the public, the biggest names in technology have raced to compete. Meta announced Llama. Google revealed Gemini. And Microsoft debuted Copilot.

All these AI features function in similar ways: After having been trained on m...

In the world of business cybersecurity, the powerful technology known as “Security Information and Event Management” is sometimes thwarted by the most unexpected actors—the very people setting it up.

Security Information and Event Management—or SIEM—is a term used to describe data-collecting products that businesses rely on to make sense of everything going on inside their network, in the hopes of catching and stopping cyberattacks. SIEM systems can log events and information across an entire organization and its networks. When properly set up, SIEMs can collect activity data from work-issued devices, vital servers, and even the softwa...

Full-time software engineer and part-time Twitch streamer Ali Diamond is used to seeing herself on screen, probably because she’s the one who turns the camera on.

But when Diamond received a Direct Message (DM) on Twitter earlier this year, she learned that her likeness had been recreated across a sample of AI-generated images, entirely without her consent.

On the AI art sharing platform Civitai, Diamond discovered that a stranger had created an “AI image model” that was fashioned after her. The model was available for download so that, conceivably, other members of the community could ge...

More than 20 years ago, a law that the United States would eventually use to justify the warrantless collection of Americans’ phone call records actually started out as a warning sign against an entirely different target: Libraries.

Not two months after terrorists attacked the United States on September 11, 2001, Congress responded with the passage of The USA Patriot Act. Originally championed as a tool to fight terrorism, The Patriot Act, as introduced, allowed the FBI to request “any tangible things” from businesses, organizations, and people during investigations into alleged terrorist activity. Those “tangible things,” the law said, included “books, records, pap...

🎶 Ready to know what Malwarebytes knows?

Ask us your questions and get some answers.

What is a passphrase and what makes it—what’s the word?

Strong? 🎶

Every day, countless readers, listeners, posters, and users ask us questions about some of the most commonly cited topics and terminology in cybersecurity. What are passkeys? Is it safer to use a website or an app? How can I stay safe from a ransomware attack? What is the dark web? And why can’t cybercriminals simply be caught and stopped?

For some cybersecurity...

This is a story about how the FBI got everything it wanted.

For decades, law enforcement and intelligence agencies across the world have lamented the availability of modern technology that allows suspected criminals to hide their communications from legal scrutiny. This long-standing debate has sometimes spilled into the public view, as it did in 2016, when the FBI demanded that Apple unlock an iPhone used during a terrorist attack in the California city of San Bernardino. Apple pushed back on the FBI’s request, arguing that the company could only retrieve data from the iPhone in question by wr...

The irrigation of the internet is coming.

For decades, we’ve accessed the internet much like how we, so long ago, accessed water—by traveling to it. We connected (quite literally), we logged on, and we zipped to addresses and sites to read, learn, shop, and scroll. 

Over the years, the internet was accessible from increasingly more devices, like smartphones, smartwatches, and even smart fridges. But still, it had to be accessed, like a well dug into the ground to pull up the water below.

Moving forward, that could all change.

This...

You’ve likely felt it: The dull pull downwards of a smartphone scroll. The “five more minutes” just before bed. The sleep still there after waking. The edges of your calm slowly fraying.

After more than a decade of our most recent technological experiment, in turns out that having the entirety of the internet in the palm of your hands could be … not so great. Obviously, the effects of this are compounded by the fact that the internet that was built after the invention of the smartphone is a very different internet than the one before—supercharged with algor...

Our Lock and Code host, David Ruiz, has a bit of an apology to make:

“Sorry for all the depressing episodes.”

When the Lock and Code podcast explored online harassment and abuse this year, our guest provided several guidelines and tips for individuals to lock down their accounts and remove their sensitive information from the internet, but larger problems remained. Content moderation is failing nearly everywhere, and data protection laws are unequal across the world.

When we told the true tale of a virtual kidnapping scam in Utah, though the teenaged victim at the cent...

A digital form of protest could become the go-to response for the world’s largest porn website as it faces increased regulations: Not letting people access the site.

In March, PornHub blocked access to visitors connecting to its website from Texas. It marked the second time in the past 12 months that the porn giant shut off its website to protest new requirements in online age verification.

The Texas law, which was signed in June 2023, requires several types of adult websites to verify the age of their visitors by either collecting visitors’ information from a government ID o...

Few words apply as broadly to the public—yet mean as little—as “home network security.”

For many, a “home network” is an amorphous thing. It exists somewhere between a router, a modem, an outlet, and whatever cable it is that plugs into the wall. But the idea of a “home network” doesn’t need to intimidate, and securing that home network could be simpler than many folks realize.

For starters, a home network can be simply understood as a router—which is the device that provides access to the internet in a home—and the other devices that...

A disappointing meal at a restaurant. An ugly breakup between two partners. A popular TV show that kills off a beloved, main character.

In a perfect world, these are irritations and moments of vulnerability. But online today, these same events can sometimes be the catalyst for hate. That disappointing meal can produce a frighteningly invasive Yelp review that exposes a restaurant owner’s home address for all to see. That ugly breakup can lead to an abusive ex posting a video of revenge porn. And even a movie or videogame can enrage some individuals into such a fu...

For decades, fake IDs had roughly three purposes: Buying booze before legally allowed, getting into age-restricted clubs, and, we can only assume, completing nation-state spycraft for embedded informants and double agents.

In 2024, that’s changed, as the uses for fake IDs have become enmeshed with the internet.

Want to sign up for a cryptocurrency exchange where you’ll use traditional funds to purchase and exchange digital currency? You’ll likely need to submit a photo of your real ID so that the cryptocurrency platform can ensure you’re a real user. What about if you want to wa...

If your IT and security teams think malware is bad, wait until they learn about everything else.

In 2024, the modern cyberattack is a segmented, prolonged, and professional effort, in which specialists create strictly financial alliances to plant malware on unsuspecting employees, steal corporate credentials, slip into business networks, and, for a period of days if not weeks, simply sit and watch and test and prod, escalating their privileges while refraining from installing any noisy hacking tools that could be flagged by detection-based antivirus scans.

In fact, some attacks have gone so "quiet" that they involve...

If the internet helped create the era of mass surveillance, then artificial intelligence will bring about an era of mass spying.

That’s the latest prediction from noted cryptographer and computer security professional Bruce Schneier, who, in December, shared a vision of the near future where artificial intelligence—AI—will be able to comb through reams of surveillance data to answer the types of questions that, previously, only humans could.  

“Spying is limited by the need for human labor,” Schneier wrote. “AI is about to change that.”

As theorized by Schneier, if fed enough conversa...

On Thursday, December 28, at 8:30 pm in the Utah town of Riverdale, the city police began investigating what they believed was a kidnapping.

17-year-old foreign exchange student Kai Zhuang was missing, and according to Riverdale Police Chief Casey Warren, Zhuang was believed to be “forcefully taken” from his home, and “being held against his will.”

The evidence leaned in police’s favor. That night, Zhuang’s parents in China reportedly received a photo of Zhuang in distress. They’d also received a ransom demand.

But as police in Riverdale and across the state of Utah would soo...

Hackers want to know everything about you: Your credit card number, your ID and passport info, and now, your DNA.

On October 1 2023, on a hacking website called BreachForums, a group of cybercriminals claimed that they had stolen—and would soon sell—individual profiles for users of the genetic testing company 23andMe.

23andMe offers direct-to-consumer genetic testing kits that provide customers with different types of information, including potential indicators of health risks along with reports that detail a person’s heritage, their DNA’s geographical footprint, and, if they opt in, a service to connect with relative...

It talks, it squawks, it even blocks! The stocking-stuffer on every hobby hacker’s wish list this year is the Flipper Zero.

“Talk” across low-frequency radio to surreptitiously change TV channels, emulate garage door openers, or even pop open your friend’s Tesla charging port without their knowing! “Squawk” with the Flipper Zero’s mascot and user-interface tour guide, a “cyber-dolphin” who can “read” the minds of office key fobs and insecure hotel entry cards. And, introducing in 2023, block iPhones running iOS 17!

No, really, for a couple of months near the end of 2023, this consumer-friendly device could crash iPh...

Like the grade-school dweeb who reminds their teacher to assign tonight’s homework, or the power-tripping homeowner who threatens every neighbor with an HOA citation, the ransomware group ALPHV can now add itself to a shameful roster of pathetic, little tattle-tales.

In November, the ransomware gang ALPHV, which also goes by the name Black Cat, notified the US Securities and Exchange Commission about the Costa Mesa-based software company MeridianLink, alleging that the company had failed to notify the government about a data breach. Under newly announced rules by the US Securities and Exchange Commission (SEC), public companies wi...

A worrying trend is cropping up amongst Americans, particularly within Generation Z—they're spying on each other more.

Whether reading someone's DMs, rifling through a partner's text messages, or even rummaging through the bags and belongings of someone else, Americans enjoy keeping tabs on one another, especially when they're in a relationship. According to recent research from Malwarebytes, a shocking 49% of Gen Zers agreed or strongly agreed with the statement: “Being able to track my spouse's/significant other's location when they are away is extremely important to me.”

On the Lock and Code podcast with host David Ruiz...

In September, the Las Vegas casino and hotel operator MGM Resorts became a trending topic on social media... but for all the wrong reasons. A TikTok user posted a video taken from inside the casino floor of the MGM Grand—the company's flagship hotel complex near the southern end of the Las Vegas strip—that didn't involve the whirring of slot machines or the sirens and buzzers of sweepstake earnings, but, instead, row after row of digital gambling machines with blank, non-functional screens. That same TikTok user commented on their own post that it wasn't just errored-out gambling machines that were c...

What are you most worried about online? And what are you doing to stay safe? 

Depending on who you are, those could be very different answers, but for teenagers and members of Generation Z, the internet isn't so scary because of traditional threats like malware and viruses. Instead, the internet is scary because of what it can expose. To Gen Z, a feared internet is one that is vindictive and cruel—an internet that reveals private information that Gen Z fears could harm their relationships with family and friends, damage their reputations, and even lead to their being...

When you think of the modern tools that most invade your privacy, what do you picture?

There's the obvious answers, like social media platforms including Facebook and Instagram. There's email and "everything" platforms like Google that can track your locations, your contacts, and, of course, your search history. There's even the modern web itself, rife with third-party cookies that track your browsing activity across websites so your information can be bundled together into an ad-friendly profile. 

But here's a surprise answer with just as much validity: Cars. 

A team of researchers at Mozilla whic...

In 2022, Malwarebytes investigated the blurry, shifting idea of “identity” on the internet, and how online identities are not only shaped by the people behind them, but also inherited by the internet’s youngest users, children. Children have always inherited some of their identities from their parents—consider that two of the largest indicators for political and religious affiliation in the US are, no surprise, the political and religious affiliations of someone’s parents—but the transfer of online identity poses unique risks. 

When parents create email accounts for their kids, do they also teach their children about strong passwords? Whe...

Becky Holmes is a big deal online. 

Hugh Jackman has invited her to dinner. Prince William has told her she has "such a beautiful name." Once, Ricky Gervais simply needed her photos ("I want you to take a snap of yourself and then send it to me on here...Send it to me on here!" he messaged on Twitter), and even Tom Cruise slipped into her DMs (though he was a tad boring, twice asking about her health and more often showing a core misunderstanding of grammar). 

Becky has played it cool, mostly, but there's no denying t...

"Freedom" is a big word, and for many parents today, it's a word that includes location tracking. 

Across America, parents are snapping up Apple AirTags, the inexpensive location tracking devices that can help owners find lost luggage, misplaced keys, and—increasingly so—roving toddlers setting out on mini-adventures. 

The parental fear right now, according to The Washington Post technology reporter Heather Kelly, is that "anybody who can walk, therefore can walk away." 

Parents wanting to know what their children are up to is nothing new. Before the advent of the Internet—and before the creatio...

Earlier this month, a group of hackers was spotted using a set of malicious tools—that originally gained popularity with online video game cheaters—to hide their Windows-based malware from being detected.

Sounds unique, right? 

Frustratingly, it isn't, as the specific security loophole that was abused by the hackers has been around for years, and Microsoft's response, or lack thereof, is actually a telling illustration of the competing security environments within Windows and macOS. Even more perplexing is the fact that Apple dealt with a similar issue nearly 10 years ago, locking down the way that certain ext...

The language of a data breach, no matter what company gets hit, is largely the same. There's the stolen data—be it email addresses, credit card numbers, or even medical records. There are the users—unsuspecting, everyday people who, through no fault of their own, mistakenly put their trust into a company, platform, or service to keep their information safe. And there are, of course, the criminals. Some operate in groups. Some act alone. Some steal data as a means of extortion. Others steal it as a point of pride. All of them, it appears, take something that isn't thei...

In the United States, when the police want to conduct a search on a suspected criminal, they must first obtain a search warrant. It is one of the foundational rights given to US persons under the Constitution, and a concept that has helped create the very idea of a right to privacy at home and online. 

But sometimes, individualized warrants are never issued, never asked for, never really needed, depending on which government agency is conducting the surveillance, and for what reason. Every year, countless emails, social media DMs, and likely mobile messages are swept up by the...

When you think about the word "cyberthreat," what first comes to mind? Is it ransomware? Is it spyware? Maybe it's any collection of the infamous viruses, worms, Trojans, and botnets that have crippled countless companies throughout modern history. 

In the future, though, what many businesses might first think of is something new: Disinformation. 

Back in 2021, in speaking about threats to businesses, the former director of the US Cybersecurity and Infrastructure Security Agency, Chris Krebs, told news outlet Axios: “You’ve either been the target of a disinformation attack or you are about to be.”

That same y...

In May, a lawyer who was defending their client in a lawsuit against Columbia's biggest airline, Avianca, submitted a legal filing before a court in Manhattan, New York, that listed several previous cases as support for their main argument to continue the lawsuit.

But when the court reviewed the lawyer's citations, it found something curious: Several were entirely fabricated. 

The lawyer in question had gotten the help of another attorney who, in scrounging around for legal precedent to cite, utilized the "services" of ChatGPT. 

ChatGPT was wrong. So why do so many people beli...

On January 1, 2023, the Internet in Louisiana looked a little different than the Internet in Texas, Mississippi, and Arkansas—its next-door state neighbors. And on May 1, the Internet in Utah looked quite different, depending on where you looked, than the Internet in Arizona, or Idaho, or Nevada, or California or Oregon or Washington or, really, much of the rest of the United States. 

The changes are, ostensibly, over pornography. 

In Louisiana, today, visitors to the online porn site PornHub are asked to verify their age before they can access the site, and that age verification process hinges...

Ransomware is becoming bespoke, and that could mean trouble for businesses and law enforcement investigators. 

It wasn't always like this. 

For a few years now, ransomware operators have congregated around a relatively new model of crime called "Ransomware-as-a-Service." In the Ransomware-as-a-Service model, or RaaS model, ransomware itself is not delivered to victims by the same criminals that make the ransomware. Instead, it is used almost "on loan" by criminal groups called "affiliates" who carry out attacks with the ransomware and, if successful, pay a share of their ill-gotten gains back to the ransomware’s creators.

Thi...

In January, a mental health nonprofit admitted that it had used Artificial Intelligence to help talk to people in distress. 

Prompted first by a user's longing for personal improvement—and the difficulties involved in that journey—the AI tool generated a reply, which, with human intervention, could be sent verbatim in a chat box, or edited and fine-tuned to better fit the situation. The AI said:

“I hear you. You’re trying to become a better person and it’s not easy. It’s hard to make changes in our lives, especially when we’re trying to do it al...

The list of people and organizations that are hungry for your location data—collected so routinely and packaged so conveniently that it can easily reveal where you live, where you work, where you shop, pray, eat, and relax—includes many of the usual suspects.

Advertisers, obviously, want to send targeted ads to you and they believe those ads have a better success rate if they're sent to, say, someone who spends their time at a fast-food drive-through on the way home from the office, as opposed to someone who doesn't, or someone whose visited a high-end department stor...

How many passwords do you have? If you're at all like our Lock and Code host David Ruiz, that number hovers around 200. But the important follow up question is: How many of those passwords can you actually remember on your own? Prior studies suggest a number that sounds nearly embarrassing—probably around six. 

After decades of requiring it, it turns out that the password has problems, the biggest of which is that when users are forced to create a password for every online account, they resort to creating easy-to-remember passwords that are built around their pets' names, their addres...

Becky Holmes knows how to throw a romance scammer off script—simply bring up cannibalism. 

In January, Holmes shared on Twitter that an account with the name "Thomas Smith" had started up a random chat with her that sounded an awful lot like the beginnins stages of a romance scam. But rather than instantly ignoring and blocking the advances—as Holmes recommends everyone do in these types of situations—she first had a little fun. 

"I was hoping that you'd let me eat a small part of you when we meet," Holmes said. "No major organs or...

Government threats to end-to-end encryption—the technology that secures your messages and shared photos and videos—have been around for decades, but the most recent threats to this technology are unique in how they intersect with a broader, sometimes-global effort to control information on the Internet.

Take two efforts in the European Union and the United Kingdom. New proposals there would require companies to scan any content that their users share with one another for Child Sexual Abuse Material, or CSAM. If a company offers end-to-end encryption to its users, effectively locking the company itself out of being ab...

In November of last year, the AI research and development lab OpenAI revealed its latest, most advanced language project: A tool called ChatGPT.

ChatGPT is so much more than "just" a chatbot. As users have shown with repeated testing and prodding, ChatGPT seems to "understand" things.  It can give you recipes that account for whatever dietary restrictions you have. It can deliver basic essays about moments in history. It can—and has been—used to cheat by university students who are giving a new meaning to plagiarism, stealing work that is not theirs. It can write song lyrics...

In 2020, a photo of a woman sitting on a toilet—her shorts pulled half-way down her thighs—was shared on Facebook, and it was shared by someone whose job it was to look at that photo and, by labeling the objects in it, help train an artificial intelligence system for a vacuum.

Bizarre? Yes. Unique? No. 

In December, MIT Technology Review investigated the data collection and sharing practices of the company iRobot, the developer of the popular self-automated Roomba vacuums. In their reporting, MIT Technology Review discovered a series of 15 images that were al...

Last month, the TikTok user TracketPacer posted a video online called “Network Engineering Facts to Impress No One at Zero Parties.”  TracketPacer regularly posts fun, educational content about how the Internet operates. The account is run by a network engineer named Lexie Cooper, who has worked in a network operations center, or NOC, and who’s earned her Cisco Certified Network Associate certificate, or CCNA. 

In the video, Cooper told listeners about the first spam email being sent over Arpanet, about how an IP address doesn't reveal that much about you, and about how Ethernet isn't really a cable—it's a pro...

When did technology last excite you? 

If Douglas Adams, author of The Hitchhiker's Guide to the Galaxy, is to be believed, your own excitement ended, simply had to end, after turning 35 years old. Decades ago, at first writing privately and later having those private writings published after his death, Adams had come up with "a set of rules that describe our reactions to technologies." They were simple and short: 

On June 7, 2021, the US Department of Justice announced a breakthrough: Less than one month after the oil and gas pipeline company Colonial Pipeline had paid its ransomware attackers roughly $4.4 million in bitcoin in exchange for a decryption key that would help the company get its systems back up and running, the government had in turn found where many of those bitcoins had gone, clawing back a remarkable $2.3 million from the cybercriminals.

In cybercrime, this isn't supposed to happen—or at least it wasn't, until recently. 

Cryptocurrency is vital to modern cybercrime. Every recent story you hear abo...

Decades ago, patching was, to lean into a corny joke, a bit patchy. 

In the late 90s, the Microsoft operating system (OS) Windows 98 had a supportive piece of software that would find security patches for the OS so that users could then download those patches and deploy them to their computers. That software was simply called Windows Update. 

But Windows Update had two big problems. One, it had to be installed by a user—if a user was unaware of Windows Update, then they were also likely unaware of the patches that should be deployed to Wi...

A cyberattack is not the same thing as malware—in fact, malware itself is typically the last stage of an attack, the punctuation mark that closes out months of work from cybercriminals who have infiltrated a company, learned about its systems and controls, and slowly spread across its network through various tools, some of which are installed on a device entirely by default. 

The goal of cybersecurity, though, isn't to recover after an attack, it's to stop an attack before it happens. 

On today's episode of the Lock and Code with host David Ruiz, we speak to...

Last month, when Malwarebytes published joint research with 1Password about the online habits of parents and teenagers today, we spoke with a Bay Area high school graduate on the Lock and Code podcast about how she spends her days online and what she thinks are the hardest parts about growing up with the Internet. And while we learned a lot in that episode—about time management, about comparing one's self to others, and about what gets lost when kids swap in-person time with online time—we didn't touch on an increasingly concerning issue affecting millions of children and teenagers today...

A thief has been stalking London. 

This past summer, multiple women reported similar crimes to the police: While working out at their local gyms, someone snuck into the locker rooms, busted open their locks, stole their rucksacks and gym bags, and then, within hours, purchased thousands of pounds of goods. Apple, Selfridges, Balenciaga, Harrod's—the thief has expensive taste. 

At first blush, the crimes sound easy to explain: A thief stole credit cards and used them in person at various stores before they could be caught. 

But for at least one victim, the story is...

Growing up is different for teens today. 

Issues with identity, self-expression, bullying, fitting in, and trusting your friends and family—while all those certainly existed decades ago, they were never magnified in quite the same way that they are today, and that's largely because of one enormous difference: The Internet. 

On the Internet, the lines of friendship are re-enforced and blurred by comments or likes on photos and videos. Bullying can reach outside of schools, in harmful texts or messages posted online. Entirely normal feelings of isolation can be negatively preyed upon in online forums wher...

Ransomware can send any company into crisis. 

Immediately following an attack, the notoriously disruptive malware can spread across networks and machines, locking up important files and rendering vital data almost useless for all employees. As we learned in a previous episode of Lock and Code, a ransomware attack not only threatens an organization's clients and external customers, but all the internal teams who are just trying to do their jobs. When Northshore School District was hit several years ago by ransomware, teacher and staff pay were threatened, and children's school lunches needed to be reworked because the payme...

The in-person cybersecurity conference has returned.

More than two years after Covid-19 pushed nearly every in-person event online, cybersecurity has returned to the exhibition hall. In San Francisco earlier this year, thousands of cybersecurity professionals walked the halls of Moscone Center at RSA 2022. In Las Vegas just last month, even more hackers, security experts, and tech enthusiasts flooded the Mandalay Bay hotel, attending the conferences Black Hat and DEFCON. 

And at nearly all of these conferences—and many more to come—cybersecurity vendors are setting up shop to show off their latest, greatest, you-won't-believe-we've-made-this product. 

T...

In 1993, the video game developers at id Software released Doom, a first-person shooter that placed a nameless protagonist into the fiery depths of hell, equipped with an arsenal of weapons to mow down imps, demons, lost souls, and the intimidating "Barons of Hell." 

In 2022, the hacker Sick Codes installed a modified version of Doom on the smart control panel of a John Deere tractor, with the video game's nameless protagonist this time mowing down something entirely more apt for the situation: Corn.

At DEFCON 30, Sick Codes presented his work to an audience of onlookers at the c...

When Mike Miller was hired by a client to run a penetration test on one of their offices, he knew exactly where to start: Krispy Kreme. Equipped with five dozen donuts (the boxes stacked just high enough to partially obscure his face, Miller said), Miller walked briskly into a side-door of his client's offices, tailing another employee and asking them to hold the door open. Once inside, he cheerfully asked where the break room was located, dropped off the donuts, and made small talk.

Then he went to work.

By hard-wiring his laptop into the co...

At the end of 2021, Lock and Code invited the folks behind our news-driven cybersecurity and online privacy blog, Malwarebytes Labs, to discuss what upset them most about cybersecurity in the year prior. Today, we’re bringing those same guests back to discuss the other, biggest topic in this space and on this show: Data privacy.

You see, in 2021, a lot has happened.

Most recently, with the US Supreme Court’s decision to remove the national right to choose to have an abortion, individual states have now gained control to ban abortion, which has caused countless indivi...

On June 24, that Constitutional right to choose to have an abortion was removed by the Supreme Court, and immediately, this legal story became one of data privacy. Today, countless individuals ask themselves: What surrounding activity is allowed?

Should Google be used to find abortion providers out of state? Can people write on Facebook or Instagram that they will pay for people to travel to their own states, where abortion is protected? Should people continue texting friends about their thoughts on abortion? Should they continue to use a period-tracking app? Should they switch to a different app that...

When Lock and Code host David Ruiz talks to hackers—especially good-faith hackers who want to dutifully report any vulnerabilities they uncover in their day-to-day work—he often hears about one specific law in hushed tones of fear: the Computer Fraud and Abuse Act.

The Computer Fraud and Abuse Act, or CFAA, is a decades-old hacking law in the United States whose reputation in the hacker community is dim. To hear hackers tell it, the CFAA is responsible not only for equipping law enforcement to imprison good-faith hackers, but it also for many of the legal threats that...

At the start of the global coronavirus pandemic, nearly everyone was forced to learn about the "supply chain." Immediate stockpiling by an alarmed (and from a smaller share, opportunistic) public led to an almost overnight disappearance of hand sanitizer, bottled water, toilet paper, and face masks.

In time, those items returned to stores. But then a big ship got stuck in the Suez, and once again, we learned even more about the vulnerability of supply chains. They can handle little stress. They can be derailed with one major accident. They spread farther than we know.

...

Tor, which stands for "The Onion Router," has a storied reputation in the world of online privacy, but on today's episode of Lock and Code with host David Ruiz, we speak with security researcher Alec Muffett about the often-undiscussed security benefits of so-called "onion networking." 

The value proposition to organizations interested in using Tor goes beyond just anonymity, Muffett explains, and its a value prop that has at least persuaded the engineers at Facebook, Twitter, The New York Times, Buzzfeed, The Intercept, and The Guardian to build onion versions of their sites. 

Tune in to he...

Last year, Whitney Merrill wanted to know just how much information the company Clubhouse had on her, even though she wasn't a user. After many weeks of, at first, non-responses, she learned that her phone number had been shared with Clubhouse more than 80 times—the byproduct of her friends joining the platform.  Today on Lock and Code with host David Ruiz, we speak with Merrill about why hunting down your data can be so difficult today, even though some regions have laws that specifically allow for this. We also talk about the future of data privacy and whether "data loc...

Earlier this year, a flashy documentary premiered on Netflix that shed light onto on often-ignored cybercrime—a romance scam. In this documentary, called The Tinder Swindler, the central scam artist relied on modern technologies, like Tinder, and he employed an entire team, which included actors posing as his bodyguard and potentially even his separated wife. After months of getting close to several women, the scam artist pounced, asking for money because he was supposedly in danger. 

The public response to the documentary was muddy. Some viewers felt for the victims featured by the filmmakers, but others blamed the...

Every few months, a basic but damaging flaw is revealed in a common piece of software, or a common tool used in many types of programs, and the public will be left asking: What is going on with how our applications are developed?

Today on the Lock and Code podcast with host David Ruiz, we speak to returning guest Tanya Janca to understand the many stages of software development and how security trainers can better work with developers to build safe, secure products.

Data protection, believe it or not, is not synonymous with privacy, or even data privacy. But around the world, countless members of the public often innocently misconstrue these three topics with one another, swapping the terms and the concepts behind them. 

Typically, that wouldn't be a problem—not every person needs to know the minute details of every data-related concept, law, and practice. But when the public is unaware of its rights under data protection, it might be unaware of how to assert those rights.  Today, on the Lock and Code podcast with host David Ruiz, we spea...

In 2017, a former NSA contractor was arrested for allegedly leaking an internal report to the online news outlet The Intercept. To verify the report itself, a journalist for The Intercept sent an image of the report to the NSA, but upon further inspection, it was revealed that the image was actually a scan of a physical document. 

This difference—between an entirely digital, perhaps only-emailed document, and a physical piece of paper—spurred several suspicions that the news outlet had played an unintended role in identifying the NSA contractor to her employer, because the NSA did not have...

Three years ago, a journalist for Gizmodo removed five of the biggest tech companies from her life—restricting her from using services and hardware developed or owned by Google, Apple, Amazon, Facebook, and Microsoft. The experiment, according to the reporter, was "hell." 

But in 2022, cybersecurity evangelist Carey Parker, who also hosts the podcast Firewalls Don't Stop Dragons, wanted to do something similar, just on a smaller scale, and with a focus on privacy. Today, on Lock and Code with host David Ruiz, we speak with Parker about lessening his own interactions with one of the biggest tech com...

How would you feel if the words you wrote to someone while in a crisis—maybe you were suicidal, maybe you were newly homeless, maybe you were suffering from emotional abuse at home—were later used to train a customer support tool? 

Those emotions you might behaving right now were directed last month at Crisis Text Line, after the news outlet Politico reported that the nonprofit organization had been sharing anonymized conversational data with a for-profit venture that Crisis Text Line had itself spun off at an earlier date, in an attempt to one day boost...

Two years ago, the FBI reportedly purchased a copy of the world's most coveted spyware, a tool that can remotely and silently crack into Androids and iPhones without leaving a trace, spilling device contents onto a console possibly thousands of miles away, with little more effort than entering a phone number.

This tool is Pegasus, and, though the FBI claimed it never used the spyware in investigations, the use of Pegasus abroad has led to surveillance abuses the world over. 

On Lock and Code today, host David Ruiz provides an in-depth look at P...