Reading view

AI is distorting the Holocaust (Lock and Code S07E10)

This week on the Lock and Code podcast…

In May of last year, a warning about AI came from somewhere unexpected: The Auschwitz-Birkenau State Museum.

Posting publicly on social media, the museum warned about a Facebook account using generative AI to create fake images of people who died in the Holocaust. Despite using AI to generate fake images, the people in said images were sometimes real. They had real names, birthplaces, and stories of deportation that the Auschwitz-Birkenau State Museum itself had shared before. They had real faces captured in real surviving photographs, which were likely abused to generate the false images. 

In other words, someone, or some team of people online, was deepfaking the Holocaust.

As the Auschwitz museum wrote online:

“These are not real photos of the victims. They are digital inventions, often stylized or sanitized, that risk turning remembrance into fictionalized performance. The history of Auschwitz is a well-documented story. Altering its visual record with AI imagery introduces distortion, no matter the intent.”

Months later, the public found out what that intent was: money.

A BBC investigation found an international network of Facebook accounts posting AI-generated images to earn money from those images’ potential virality. It’s a problem sometimes referred to as “AI slop” but it comes with a major incentive. When accounts that make these kinds of images are invited to Facebook’s content monetization program, they can make $1,000 a month for posting anything that gets clicks.

And on Facebook, the BBC found, that means several accounts posting AI-generated images about the Holocaust. As the BBC reported:

“AI spammers have posted fake images purporting to be from inside [Auschwitz], such as a prisoner playing a violin or lovers meeting at the boundaries of fences—attracting tens of thousands of likes and shares.”

The economics of lying are concrete today. People can use AI to make fake images that make people feel good about terrible things or feel scared about untrue things, and they can make money until shut down by the Big Tech platforms themselves, which, in this case, only happened because of the BBC’s investigation. In fact, it’s that type of inaction from social media platforms that compelled the German government and multiple Holocaust memorial institutions to send an open letter earlier this year that asked for better controls and restrictions against this type of content.

As the signatories warned in their letter, the economic appeal for these accounts to distort history is too high a risk to allow. You can read the full letter here.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Clara Mansfeld, a historian working on digital communications at one of the institutions signed onto the open letter—the Foundation of Hamburg Memorials and Learning Centers Commemorating the Victims of Nazi Crimes. In their conversation, Mansfeld discusses digital access to history, the manipulation of factual records through AI-generated imagery, and the threat that society faces when it becomes harder to evaluate the truth.

“What happens when the first thought we have with every historical image is, ‘Is that even real or is that AI?’ I don’t think we have really grasped what that means for us as a society.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

  •  

AI is distorting the Holocaust (Lock and Code S07E10)

This week on the Lock and Code podcast…

In May of last year, a warning about AI came from somewhere unexpected: The Auschwitz-Birkenau State Museum.

Posting publicly on social media, the museum warned about a Facebook account using generative AI to create fake images of people who died in the Holocaust. Despite using AI to generate fake images, the people in said images were sometimes real. They had real names, birthplaces, and stories of deportation that the Auschwitz-Birkenau State Museum itself had shared before. They had real faces captured in real surviving photographs, which were likely abused to generate the false images. 

In other words, someone, or some team of people online, was deepfaking the Holocaust.

As the Auschwitz museum wrote online:

“These are not real photos of the victims. They are digital inventions, often stylized or sanitized, that risk turning remembrance into fictionalized performance. The history of Auschwitz is a well-documented story. Altering its visual record with AI imagery introduces distortion, no matter the intent.”

Months later, the public found out what that intent was: money.

A BBC investigation found an international network of Facebook accounts posting AI-generated images to earn money from those images’ potential virality. It’s a problem sometimes referred to as “AI slop” but it comes with a major incentive. When accounts that make these kinds of images are invited to Facebook’s content monetization program, they can make $1,000 a month for posting anything that gets clicks.

And on Facebook, the BBC found, that means several accounts posting AI-generated images about the Holocaust. As the BBC reported:

“AI spammers have posted fake images purporting to be from inside [Auschwitz], such as a prisoner playing a violin or lovers meeting at the boundaries of fences—attracting tens of thousands of likes and shares.”

The economics of lying are concrete today. People can use AI to make fake images that make people feel good about terrible things or feel scared about untrue things, and they can make money until shut down by the Big Tech platforms themselves, which, in this case, only happened because of the BBC’s investigation. In fact, it’s that type of inaction from social media platforms that compelled the German government and multiple Holocaust memorial institutions to send an open letter earlier this year that asked for better controls and restrictions against this type of content.

As the signatories warned in their letter, the economic appeal for these accounts to distort history is too high a risk to allow. You can read the full letter here.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Clara Mansfeld, a historian working on digital communications at one of the institutions signed onto the open letter—the Foundation of Hamburg Memorials and Learning Centers Commemorating the Victims of Nazi Crimes. In their conversation, Mansfeld discusses digital access to history, the manipulation of factual records through AI-generated imagery, and the threat that society faces when it becomes harder to evaluate the truth.

“What happens when the first thought we have with every historical image is, ‘Is that even real or is that AI?’ I don’t think we have really grasped what that means for us as a society.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

  •  

From WarGames to Cyberwar

How Nations Hack, Why Attribution Fails, and What AI Changes

Executive Summary:
Code War author Allie Mellen, argues that cyberwarfare must be understood through a human and geopolitical lens to close the knowledge gap between the security community and the public.

Disclaimer:
This post reflects the perspectives shared in the book Code War: How Nations Hack, Spy, and Shape the Digital Battlefield, and does not represent the views of the publisher of this blog.


The summer of 1983, President Reagan watched WarGames at Camp David and couldn't get it out of his head. A week later, he walked into a White House meeting with cabinet members and Congress and launched into a detailed plot summary of a Matthew Broderick movie about a teenager who nearly hacks the world into nuclear war. The room full of defense experts sat uncomfortably, suppressing smirks. Then Reagan turned to General John Vessey, Chairman of the Joint Chiefs, and asked if something like that could actually happen.

Vessey came back a week later with an answer: "Mr. President, the problem is much worse than you think."

Fifteen months after that, Reagan signed a classified presidential directive titled "National Policy on Telecommunications and Automated Information Systems Security" – the first federal policy of its kind. A movie had done what years of expert warnings hadn't: It made the most powerful person in the world stop and ask the right question.

Allie Mellen, author of Code War: How Nations Hack, Spy, and Shape the Digital Battlefield, loves to tell this story, and it captures exactly why she wrote the book. In a conversation recorded at RSA 2025, Mellen joined Threat Vector host, David Moulton, to talk about nation-state threats, attribution pitfalls, and why the security industry's biggest problem isn't technical.

"They're human stories, and if we can communicate them that way to the general public, then we'll get more people interested in cybersecurity, invested in cybersecurity, and invested in protecting their data."

That gap, between what the security community understands and what everyone else grasps, is the core problem Mellen set out to solve. And in today's geopolitical moment, closing it has never been more urgent.

Every Nation Hacks Differently

One of the central arguments in Code War is that you can't understand a nation's cyber behavior without understanding its history, doctrine and social contract. China, Russia, Iran, North Korea and the U.S. each approach offensive and defensive cyber operations from completely different starting points, and those differences matter enormously to defenders.

China operates with patience. Its attacks tend to be low and slow, focused on long-term espionage rather than loud disruption. But that changes sharply in its own region, where operations targeting Taiwan are aggressive and relentless. Russia, by contrast, is bombastic; they want you to know it was Russia. Its influence operations have been some of the most effective in modern history, studied and imitated by Iran and others.

Interestingly, the very system China built to protect itself has become a liability in one specific domain. Because Chinese operators live behind the Great Firewall, without access to western social media, they lack the cultural fluency that makes Russian disinformation so effective. "They try to use memes, but it's like ‘uncanny valley’," Mellen explains. "They just slightly miss every time and so it doesn't go viral." The walled garden that gives China control over its own population makes it harder to manipulate everyone else's.

Attribution Is a Geopolitical Tool, Not Just a Technical One

Mellen is careful about attribution, and she wants defenders to be too. The standard technical signals (coding language, infrastructure patterns, operational hours) are necessary but not sufficient. Nation-states, especially the U.S., have developed tools specifically designed to mimic other actors' signatures. AI will make that problem significantly worse.

But the bigger issue is motivation. Mellen walks through a case from the Olympics where an attack was initially attributed to North Korea, even though North Korea was actively trying to normalize relations at the time by sending Kim Jong Un's sister to the games. The actual perpetrator was Russian, using a false flag to obscure its involvement. The lesson: Attribution requires asking not just "who has the technical capability?" but "who has the motive right now, given everything happening geopolitically?"

The pitfalls are real:

  • Tools once used exclusively by intelligence agencies are now publicly available, making code signatures unreliable.
  • Working-hours analysis is easy to spoof, especially for sophisticated actors.
  • Government-controlled research in adversarial nations can deliberately skew attribution findings.
  • False flag operations are increasingly sophisticated and harder to disentangle.

Why Your Data Is a Geopolitical Asset

One of the more powerful sections of the conversation centers on a question Mellen hears constantly: why would China care about my data?

Her answer cuts through the dismissiveness. These nations aren't collecting data out of idle curiosity. They're willing to constrain companies for it, invest billions in infrastructure for it, and in some cases, far worse. "Whether you wanna be involved in that system or not, you are involved in that system," she says. "And so you can either choose to take control of your information in that environment, or you can just pretend like it's not your problem."

The historical context she offers is striking. One of the driving forces behind GDPR in the EU was the collective memory of how Nazi Germany used data to target Jewish people during the Holocaust. Europe built privacy protections into law because it had seen what happens when governments gain unrestricted access to population data. That's not an abstract concern. It's a lesson written in history that the rest of the world is still catching up to.

AI Makes Everything Harder

Mellen isn't optimistic about the trajectory. Attribution is about to get much harder. Attacks are about to get much more dynamic. And AI is the reason for both.

She points to research on Chinese state-sponsored actors using AI to orchestrate attacks across the full kill chain, with only a couple of human checkpoints in the loop. The implication isn't just faster attacks. It's more adaptive malware that can adjust to different operating environments, more convincing disinformation that clears the cultural context bar, and reconnaissance-to-exploitation cycles that move faster than most defenders can process.

The constraints that have always slowed sophisticated attackers – understanding the operating system, identifying vulnerabilities, crafting exploits, mimicking attribution – all get easier with AI. All of that becomes more dynamic. And most enterprises, Mellen acknowledges, are not yet equipped to respond effectively.

The investment required is in the basics the industry has always struggled to get right, executed now at a pace and scale that demands automation and AI on the defensive side. Fighting AI with AI isn't a vendor talking point. It's the only math that works.

More to Explore

The nation-state threats Mellen describes aren't theoretical. Unit 42 responded to more than 750 major incidents in 2025. See what they found. Download the 2026 Global Incident Response Report.

Listen to the full conversation with Allie Mellen, author of Code War, on the Threat Vector podcast

The post From WarGames to Cyberwar appeared first on Palo Alto Networks Blog.

  •  

Cyberattacks are raising your prices (Lock and Code S07E09)

This week on the Lock and Code podcast…

Your prices could be going up because of a little something that one group has started calling the “cyber tax.”

Not a “tax” in any regulatory sense of the word, this newly named “cyber tax” is instead a consequence of the growing number of cyberattacks on small businesses. According to the latest research from the Identity Theft Resource Center, 81% of small- and medium-sized businesses suffered a data breach, a security breach, or both, within the past year. And of those businesses, more than 50% of lost more than $250,000.

According to the most recent data from the US Federal Reserve, the median American family has just $8,000 in savings, meaning that a hit of $250,000 could bankrupt a family and turn their lives upside down. But there’s an interesting layer within this data—the median American family is quite similar to the median American business. In fact, they’re often the exact same person.

The local grocer, the nearby HVAC repair service, the avid cyclist who just opened a bike shop, and the tax professional, and physical therapist helping out neighbors are everyday individuals and family members. They do not have multimillion dollar corporations at their backs, supporting them with legal teams, insurance policies, and dedicated IT support teams.

A loss of $250,000, then, is a potential loss of their business. And to stay afloat, the Identity Theft Resource Center found, for the first time ever, that 38% decided to raise their prices.

“It was near 40% said ‘We actually had to raise prices—we had to pass this cost onto our customers,’” said Eva Velasquez, CEO of the Identity Theft Resource Center. “We’re now really seeing the long-term downstream effects of cyberattacks.”

As frustrating as the cyber tax can be, small businesses themselves are also facing a new wave of cyberattacks, from AI-powered phishing emails so convincing that small business owners can’t tell the legitimate from the illegitimate, to deepfake calls that impersonate the CEO of a three-person company, to supply-chain attacks that target small companies as a way to reach bigger ones.  

Today, on the Lock and Code podcast with host David Ruiz, we speak with Velasquez about cybercrime’s impact on small businesses, the new threats being deployed because of AI, and what is necessary to protect business owners and their consumers.

“Great businesses with great protocols in place can still have a vulnerability exploited because this is what the cyber bad guys are doing all day long. They only have to be right once, whereas small business owners have to be right 100% of the time.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

  •  

Cyberattacks are raising your prices (Lock and Code S07E09)

This week on the Lock and Code podcast…

Your prices could be going up because of a little something that one group has started calling the “cyber tax.”

Not a “tax” in any regulatory sense of the word, this newly named “cyber tax” is instead a consequence of the growing number of cyberattacks on small businesses. According to the latest research from the Identity Theft Resource Center, 81% of small- and medium-sized businesses suffered a data breach, a security breach, or both, within the past year. And of those businesses, more than 50% of lost more than $250,000.

According to the most recent data from the US Federal Reserve, the median American family has just $8,000 in savings, meaning that a hit of $250,000 could bankrupt a family and turn their lives upside down. But there’s an interesting layer within this data—the median American family is quite similar to the median American business. In fact, they’re often the exact same person.

The local grocer, the nearby HVAC repair service, the avid cyclist who just opened a bike shop, and the tax professional, and physical therapist helping out neighbors are everyday individuals and family members. They do not have multimillion dollar corporations at their backs, supporting them with legal teams, insurance policies, and dedicated IT support teams.

A loss of $250,000, then, is a potential loss of their business. And to stay afloat, the Identity Theft Resource Center found, for the first time ever, that 38% decided to raise their prices.

“It was near 40% said ‘We actually had to raise prices—we had to pass this cost onto our customers,’” said Eva Velasquez, CEO of the Identity Theft Resource Center. “We’re now really seeing the long-term downstream effects of cyberattacks.”

As frustrating as the cyber tax can be, small businesses themselves are also facing a new wave of cyberattacks, from AI-powered phishing emails so convincing that small business owners can’t tell the legitimate from the illegitimate, to deepfake calls that impersonate the CEO of a three-person company, to supply-chain attacks that target small companies as a way to reach bigger ones.  

Today, on the Lock and Code podcast with host David Ruiz, we speak with Velasquez about cybercrime’s impact on small businesses, the new threats being deployed because of AI, and what is necessary to protect business owners and their consumers.

“Great businesses with great protocols in place can still have a vulnerability exploited because this is what the cyber bad guys are doing all day long. They only have to be right once, whereas small business owners have to be right 100% of the time.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

  •  

Big Tech can stop scams. They just don’t (Lock and Code S07E08)

This week on the Lock and Code podcast…

A dreadful thing happens far too often whenever an older adult falls for a scam: They get blamed for it. Not the scammers who lied and cheated their victim out of money. Not law enforcement for failing to recover funds. Not even the Big Tech companies that could have the most important role in protecting people online—and which, it turns out, knowingly bring in revenue every year from fraud.

Instead, it is the older adults themselves whose stories are often shirked aside because of a mix of ageism and denial. Allegedly left behind by technology, only an octogenarian would hand their password over in a phishing scheme, or open an email attachment from a stranger, or send money to a fake charity online. Everyone else, everyone else believes, is too savvy for the same.

The data disagrees.

When Malwarebytes studied this last year, it found that, depending on the type of scam—especially for things like “sextortion”—younger individuals were far more likely to report falling victim. Further, digging into data from the US Federal Trade Commission revealed entirely separate patterns. For example, while Americans between the ages of 80 and 89 reported the highest median loss due to fraud in 2024, they also made up the smallest share of their population to report a loss at all. And in 2025, that same group represented the smallest share of reported identity theft, a crime far more likely to be reported by people between 30 and 39.

Questions about who reports what crimes at what rate are valid to explore, but it’s important to see the big picture: Americans lost at least $15.9 billion to fraud last year. Protecting older adults is actually about protecting everyone, and that’s because modern scams don’t arrive only where people over 70 spend time. They arrive where we all are, which is online. They come through endless text messages, they slide into social media DMs, and they prey on things any of us can be—a widow, a divorcee, or simply a lonely person.

According to Marti DeLiema, Assistant Professor at the University of Minnesota’s School of Social Work, scams and fraud are now the most common form of organized crime globally, rivaling weapons trafficking, drug trafficking, human trafficking, and sex trafficking. In 2024 alone, she said, the FTC estimated that older adults in the US had as much as $81.5 billion stolen from them. And the tools meant to fight back—broad consumer awareness campaigns, embedded warning messages at the point of transaction, the training of bank tellers and retail clerks—are nowhere near keeping pace.

So what actually works? And who, if anyone, is doing the work?

Today, on the Lock and Code podcast with host David Ruiz, we speak with DeLiema about who is really susceptible to financial fraud, why victims often describe a scam as a form of betrayal trauma, and why the companies best positioned to stop scam messages from reaching consumers may be the ones least motivated to do so.

“This is not a technical capability problem at all. This is a conflict of incentives.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

  •  

Big Tech can stop scams. They just don’t (Lock and Code S07E08)

This week on the Lock and Code podcast…

A dreadful thing happens far too often whenever an older adult falls for a scam: They get blamed for it. Not the scammers who lied and cheated their victim out of money. Not law enforcement for failing to recover funds. Not even the Big Tech companies that could have the most important role in protecting people online—and which, it turns out, knowingly bring in revenue every year from fraud.

Instead, it is the older adults themselves whose stories are often shirked aside because of a mix of ageism and denial. Allegedly left behind by technology, only an octogenarian would hand their password over in a phishing scheme, or open an email attachment from a stranger, or send money to a fake charity online. Everyone else, everyone else believes, is too savvy for the same.

The data disagrees.

When Malwarebytes studied this last year, it found that, depending on the type of scam—especially for things like “sextortion”—younger individuals were far more likely to report falling victim. Further, digging into data from the US Federal Trade Commission revealed entirely separate patterns. For example, while Americans between the ages of 80 and 89 reported the highest median loss due to fraud in 2024, they also made up the smallest share of their population to report a loss at all. And in 2025, that same group represented the smallest share of reported identity theft, a crime far more likely to be reported by people between 30 and 39.

Questions about who reports what crimes at what rate are valid to explore, but it’s important to see the big picture: Americans lost at least $15.9 billion to fraud last year. Protecting older adults is actually about protecting everyone, and that’s because modern scams don’t arrive only where people over 70 spend time. They arrive where we all are, which is online. They come through endless text messages, they slide into social media DMs, and they prey on things any of us can be—a widow, a divorcee, or simply a lonely person.

According to Marti DeLiema, Assistant Professor at the University of Minnesota’s School of Social Work, scams and fraud are now the most common form of organized crime globally, rivaling weapons trafficking, drug trafficking, human trafficking, and sex trafficking. In 2024 alone, she said, the FTC estimated that older adults in the US had as much as $81.5 billion stolen from them. And the tools meant to fight back—broad consumer awareness campaigns, embedded warning messages at the point of transaction, the training of bank tellers and retail clerks—are nowhere near keeping pace.

So what actually works? And who, if anyone, is doing the work?

Today, on the Lock and Code podcast with host David Ruiz, we speak with DeLiema about who is really susceptible to financial fraud, why victims often describe a scam as a form of betrayal trauma, and why the companies best positioned to stop scam messages from reaching consumers may be the ones least motivated to do so.

“This is not a technical capability problem at all. This is a conflict of incentives.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

  •  

This is all it takes to stop a train (Lock and Code S07E06)

This week on the Lock and Code podcast…

Forget the runaway train thrillingly shot in Buster Keaton’s 1926 film “The General,” and never mind the charging locomotive rescued by actors Denzel Washington and Chris Pine in the 2010 film “Unstoppable,” as there’s a far more frequent (and far less heart-pounding) railcar drama happening across California’s Bay Area: The repeated breakdown of the Bay Area Rapid Transit (BART) system, all because of a few networking errors.

Opened in 1972, BART today carries about 175,000 people every weekday on five separate lines to 50 different stations placed across dozens of cities in the Bay Area, including San Francisco, Oakland, Berkeley, Daly City, Fremont, Richmond, and more. Its tracks and railcars travel both above ground and below, and it is one of the only public transit systems in the US that goes underwater—traveling through what is called the TransBay tube. It is likely the region’s largest public project, spanning 131 miles of track, with a fleet of more than 700 cars, proving vital to workers and residents everywhere, and on May 9, 2025, it all came grinding to a halt, due to what BART officials called a “computer networking problem.”

At the Glen Park station in San Francisco, would-be travelers found yellow caution tape at the entry gates. At the El Cerrito Plaza station, BART staff and police informed visitors that the system was down. And at the Rockridge station in Oakland, a reporter for The San Francisco Chronicle witnessed a small group of people sprinting up the stairs to try and catch a train that never came.

It was the kind of meltdown for public infrastructure that puts an entire system in peril.

And it happened again just months later.

In September, a network crash brought BART to a halt, repeating almost the exact same frustrations and delays for travelers left without transportation to work.

That’s the end of it, right? Wrong. In February 2026, another computer failure caused another outage.

So, in one of the wealthiest regions in America, the subway doesn’t always run, its network is prone to crash, and any money for technology often goes elsewhere. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with San Francisco Chronicle transportation report Rachel Swan about what the BART outages revealed about the state of the system’s aging technology, why public infrastructure so often struggles to modernize, and what exactly went wrong in the three prior outages.

“One piece of equipment—and again, this is old equipment—one piece breaks down and they completely lose visibility, so they don’t know where any of the trains are.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

  •  

Bonus Podcast Episode: Privacy’s Defender - Cindy Cohn with Cory Doctorow

While How to Fix the Internet is on hiatus, we wanted to share a great conversation with you from last week. EFF Executive Director Cindy Cohn spoke with bestselling novelist, journalist, and EFF Special Advisor Cory Doctorow about Cindy’s new book, “Privacy’s Defender: My Thirty-Year Fight Against Digital Surveillance” (MIT Press).

play
Privacy info. This embed will serve content from simplecast.com

 Listen on Spotify Podcasts Badge Listen on Apple Podcasts Badge  Subscribe via RSS badge

You can also listen to this episode on the Internet Archive or watch the video on YouTube.

Part memoir, part battle cry, “Privacy’s Defender” is the story of Cindy’s fights alongside the visionaries who looked at the early internet and understood that the legal and political battles over this new technology - the Crypto Wars, the NSA’s dragnet, the FBI gag orders - were really over the future of free speech, privacy, and power for all. 

This conversation was recorded on Tuesday, March 10 in front of a packed house at San Francisco’s iconic City Lights Bookstore. For more about the book and Cindy’s national book tour - with stops in places including Seattle, Silicon Valley, Denver, Boston, Ann Arbor, Iowa City, Washington DC and New York City - check out https://www.eff.org/Privacys-Defender  

And finally, stay tuned to this feed; we’re working on a special podcast series featuring key players and moments from the book! 

Resources: 

  •  

Ring doorbells: Won’t you see my neighbor? (Lock and Code S07E05)

This week on the Lock and Code podcast…

On February 8, during the Super Bowl in the United States, countless owners of one of the most popular smart products today got a bit of a wakeup call: Their Ring doorbells could be used to see a whole lot more than they knew.

In a commercial that was broadcast to one of most reliably enormous audiences in the country, Amazon, which owns the company Ring, promoted a new feature for its smart doorbells called “Search Party.” By scouring the footage of individual Ring cameras across a specific region, “Search Party” can implement AI-powered image recognition technology to find, as the commercial portrayed it, a lost dog. But immediately after the commercial aired, people began wondering what else their Ring cameras could be used to find.

As US Senator Ed Markey wrote on social media:

“Ring’s Super Bowl ad exposed a scary truth: the technology in its doorbell cameras could be used to hunt down a lost pet…or a person. Amazon must discontinue its dystopian monitoring features.”

These “dystopian monitoring features” aren’t entirely new, but that’s not to say that most Ring owners knew what they were allowing when they originally bought their devices.

Bought by Amazon in 2018, Ring is the most popular manufacturer of a product that, as of 15 years ago, didn’t really exist. And while other “smart” innovations failed, smart doorbells have become a fixture of American neighborhoods, providing a mixture of convenience and security. For instance, a Ring owner away from home can verify and buzz in their mailman dropping off a package behind a gated entrance. Or, a Ring owner can see on their phone that the person knocking at their door is a salesman and choose to avoid talking to them. Or, a Ring owner can help police who are investigating a crime in their area by handing over relevant footage. Even the presence of a Ring doorbell, and its variety of motion-detecting alerts, could possibly serve as a deterrent to crime.

What has seemingly upset so many of those same owners, then, is learning exactly how their personal devices might be used for a company’s gains.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Matthew Guariglia, senior policy analyst at Electronic Frontier Foundation, about Ring’s long history of partnering with—and sometimes even speaking directly for—police, who can access Ring doorbell footage both inside the company and outside it, and what people really open themselves up to when purchasing a Ring device.

 ”There’s this impression, a myth practically, that ‘I buy a ring doorbell to put on my house, I control the footage… But there is [an] entire secondary use of this device, which is by police that you don’t really get a lot of say in.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

  •  

Ring doorbells: Won’t you see my neighbor? (Lock and Code S07E05)

This week on the Lock and Code podcast…

On February 8, during the Super Bowl in the United States, countless owners of one of the most popular smart products today got a bit of a wakeup call: Their Ring doorbells could be used to see a whole lot more than they knew.

In a commercial that was broadcast to one of most reliably enormous audiences in the country, Amazon, which owns the company Ring, promoted a new feature for its smart doorbells called “Search Party.” By scouring the footage of individual Ring cameras across a specific region, “Search Party” can implement AI-powered image recognition technology to find, as the commercial portrayed it, a lost dog. But immediately after the commercial aired, people began wondering what else their Ring cameras could be used to find.

As US Senator Ed Markey wrote on social media:

“Ring’s Super Bowl ad exposed a scary truth: the technology in its doorbell cameras could be used to hunt down a lost pet…or a person. Amazon must discontinue its dystopian monitoring features.”

These “dystopian monitoring features” aren’t entirely new, but that’s not to say that most Ring owners knew what they were allowing when they originally bought their devices.

Bought by Amazon in 2018, Ring is the most popular manufacturer of a product that, as of 15 years ago, didn’t really exist. And while other “smart” innovations failed, smart doorbells have become a fixture of American neighborhoods, providing a mixture of convenience and security. For instance, a Ring owner away from home can verify and buzz in their mailman dropping off a package behind a gated entrance. Or, a Ring owner can see on their phone that the person knocking at their door is a salesman and choose to avoid talking to them. Or, a Ring owner can help police who are investigating a crime in their area by handing over relevant footage. Even the presence of a Ring doorbell, and its variety of motion-detecting alerts, could possibly serve as a deterrent to crime.

What has seemingly upset so many of those same owners, then, is learning exactly how their personal devices might be used for a company’s gains.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Matthew Guariglia, senior policy analyst at Electronic Frontier Foundation, about Ring’s long history of partnering with—and sometimes even speaking directly for—police, who can access Ring doorbell footage both inside the company and outside it, and what people really open themselves up to when purchasing a Ring device.

 ”There’s this impression, a myth practically, that ‘I buy a ring doorbell to put on my house, I control the footage… But there is [an] entire secondary use of this device, which is by police that you don’t really get a lot of say in.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

  •  

When Security Becomes an Afterthought

Why AI's Biggest Risk Isn't Technical

This article is based on a conversation with Nikesh Arora on the 100th episode of the Threat Vector podcast.

David Moulton interviews Nikesh Arora
David Moulton interviews Nikesh Arora on the Threat Vector podcast.

"Most technologists think about technology, not about cybersecurity," Nikesh Arora says. "Cybersecurity is kind of like insurance. Let's go make great things happen, and let's make sure on the way we purchase insurance."

Coming from the CEO of the world's largest cybersecurity company, it's the quiet part said out loud, and it explains why AI deployment is racing ahead while security scrambles to keep up.

Earlier this year, Arora spoke with a CIO entirely focused on AI deployment challenges: building viable products, training models, measuring customer impact. Security never came up once. "If you're still going through the motion, trying to understand, ‘Can I actually make this thing work?’ You're not worried about security," Arora notes. The logic is brutal but consistent: Why secure something that might not even function?

In the Threat Vector podcast’s 100th episode milestone, Arora speaks with host David Moulton:

  • Why the gap between innovation and security keeps widening.
  • How to read inflection points before they're obvious.
  • What separates organizations that prepare from those that scramble.

The Gap That Keeps Growing

The disconnect isn't new. It's the same psychology that makes airport security feel like overhead – necessary friction that slows down what should be seamless. But with AI, the gap is widening at an unprecedented pace.

Consider the infrastructure buildup happening right now. Nvidia has become a $4 trillion company selling chips that can't stay in stock. Hundreds of billions of dollars are flowing into AI-computer infrastructure. Cloud providers are buying out entire methane gas companies to power their data centers.

Yet organizations are treating AI security as something to bolt on later. That same CIO told Arora: "We worked on some stuff ourselves, and we're just jerry-rigging some things to make sure this happens securely."

Arora's response:

Jerry rig, production, and security don't work together as three terms.

Reading Signals Before They're Obvious

Arora has watched enough technology cycles to recognize the pattern. "You start seeing signs early, and then you look around, you don't see enough impact. You say, okay, maybe this is going to be just a passing shower. But you don't realize that over time this thing's getting more and more momentum."

The signs around AI are adding up:

  • Individual behavior has shifted.
    Arora went from never talking to ChatGPT or Gemini to conducting 10-15 conversations daily. During a recent Tokyo trip, he used Gemini as his primary navigation tool, asking it to rank sumo wrestling shows for his kids rather than "trying to go read 14 websites and figure out what makes sense."
  • The spend is massive and accelerating.
    Not just chips, entire energy infrastructures are being rebuilt to support AI compute needs.
  • Consumer and enterprise adoption are both surging.
    From coding assistants to business analysis, use cases are expanding faster than security models can adapt.

"This thing's going to change our life fundamentally," Arora tells Moulton. "We're not seeing it at scale in our customers just yet. That doesn't mean we can sit back and wait."

Arora understands the risks involved in being late to new technology.

You have to not just anticipate where the trend is going. You have to prepare your organization and the resources to get there. Otherwise, the risk is that Silicon Valley will go fund those people who are thinking purely about the new world... and one of them's going to hit. Then you'll be two years behind with no organization, no resources deployed against it.

The Bets That Paid Off

When Arora joined Palo Alto Networks seven and a half years ago, he wrote two words on a piece of paper: cloud and AI. The company was a firewall business. Those two inflection points would require fundamental transformation, and, just as with AI now, being late was not an option.

If you don't get the network transformation right, 80% of our business will falter.

That insight drove a strategic bet on moving from point products to platform thinking, consolidating security tools rather than adding to the sprawl.

The platform approach wasn't about vendor consolidation for its own sake. It was about correlation. Unit 42® data shows that 70% of incidents now span three or more attack surfaces. When attacks move across endpoints, networks, cloud services and applications simultaneously, fragmented security creates gaps that attackers exploit ruthlessly.

Today we have coverage for 80 plus percent of the industry, which means our customers can come talk to us about a myriad of problems, and we can actually cross-correlate across all the different things we do.

With AI deployments touching every part of the technology stack, that cross-correlation becomes essential. Data flows between training environments and production systems. Models access APIs across cloud and on premises infrastructure. Applications consume AI services from multiple providers. Security that can't see and correlate across that entire landscape will miss the threats that matter most.

First Principles Over Tradition

What drives Arora's ability to spot inflection points isn't just pattern recognition, it's his refusal to accept how things have always been done.

His pet peeve: "Somebody said, well, this is how we've traditionally done it." The response reveals his approach: "You use the word traditional. I use the historical context saying, yeah, sure, they used to dig fields with picks and shovels, and now they use tractors."

This thinking drove Palo Alto Networks to reimagine SOC performance. The industry accepted four days as the normal time to detect and remediate security incidents. Arora called that unacceptable. "We need to get it to be real time."

The result was a fundamentally different architecture that analyzes data as it arrives rather than waiting for problems to appear, enabling 1-minute detection and response instead of four days.

Traditionally, SOCs would analyze the problem when the problem appeared. We said forget it. We're going to analyze everything to see if there's a problem. That architecture fundamentally transformed what we do compared to everybody else in the market.

The same first-principles approach needs to apply to AI security. Organizations can't simply extend existing security models and hope they work.

What Comes Next

With ransomware attacks now completing in as little as 25 minutes (100 times faster than just three years ago, according to Unit 42 research) reactive security simply can't keep pace. Organizations need security that thinks and responds at machine speed, built into AI deployments from day one.

"AI has become the biggest inflection point in current technology," Arora observes. Organizations are too busy deploying to worry about security. That's human nature. But it's also the moment when security teams need to stay in lockstep.

The question isn't whether to secure AI, it's whether security will be designed in or bolted on. The former takes strategic thinking now. The latter takes crisis management later.

Our job at Palo Alto and our industry is to make sure as they go build these experimental ideas into real production capability that we're staying in lockstep with them and saying, ‘Oh, by the way, here's something that can secure what you just built in a way that is not gonna get you into trouble.’

Listen to the full conversation between Nikesh Arora and David Moulton, senior director of thought leadership for Cortex® and Unit 42, on the 100th episode of Threat Vector.

The post When Security Becomes an Afterthought appeared first on Palo Alto Networks Blog.

  •  

Is your phone listening to you? (re-air) (Lock and Code S07E03)

This week on the Lock and Code podcast…

In January, Google settled a lawsuit that pricked up a few ears: It agreed to pay $68 million to a wide array of people who sued the company together, alleging that Google’s voice-activated smart assistant had secretly recorded their conversations, which were then sent to advertisers to target them with promotions.

Google denied any admission of wrongdoing in the settlement agreement, but the fact stands that one of the largest phone makers in the world decided to forego a trial against some potentially explosive surveillance allegations. It’s a decision that the public has already seen in the past, when Apple agreed to pay $95 million last year to settle similar legal claims against its smart assistant, Siri.

Back-to-back, the stories raise a question that just seems to never go away: Are our phones listening to us?

This week, on the Lock and Code podcast with host David Ruiz, we revisit an episode from last year in which we tried to find the answer. In speaking to Electronic Frontier Foundation Staff Technologist Lena Cohen about mobile tracking overall, it becomes clear that, even if our phones aren’t literally listening to our conversations, the devices are stuffed with so many novel forms of surveillance that we need not say something out loud to be predictably targeted with ads for it.

“Companies are collecting so much information about us and in such covert ways that it really feels like they’re listening to us.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

  •  

Is your phone listening to you? (re-air) (Lock and Code S07E03)

This week on the Lock and Code podcast…

In January, Google settled a lawsuit that pricked up a few ears: It agreed to pay $68 million to a wide array of people who sued the company together, alleging that Google’s voice-activated smart assistant had secretly recorded their conversations, which were then sent to advertisers to target them with promotions.

Google denied any admission of wrongdoing in the settlement agreement, but the fact stands that one of the largest phone makers in the world decided to forego a trial against some potentially explosive surveillance allegations. It’s a decision that the public has already seen in the past, when Apple agreed to pay $95 million last year to settle similar legal claims against its smart assistant, Siri.

Back-to-back, the stories raise a question that just seems to never go away: Are our phones listening to us?

This week, on the Lock and Code podcast with host David Ruiz, we revisit an episode from last year in which we tried to find the answer. In speaking to Electronic Frontier Foundation Staff Technologist Lena Cohen about mobile tracking overall, it becomes clear that, even if our phones aren’t literally listening to our conversations, the devices are stuffed with so many novel forms of surveillance that we need not say something out loud to be predictably targeted with ads for it.

“Companies are collecting so much information about us and in such covert ways that it really feels like they’re listening to us.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

  •  

One privacy change I made for 2026 (Lock and Code S07E02)

This week on the Lock and Code podcast…

When you hear the words “data privacy,” what do you first imagine?

Maybe you picture going into your social media apps and setting your profile and posts to private. Maybe you think about who you’ve shared your location with and deciding to revoke some of that access. Maybe you want to remove a few apps entirely from your smartphone, maybe you want to try a new web browser, maybe you even want to skirt the type of street-level surveillance provided by Automated License Plate Readers, which can record your car model, license plate number, and location on your morning drive to work.

Importantly, all of these are “data privacy,” but trying to do all of these things at once can feel impossible.

That’s why, this year, for Data Privacy Day, Malwarebytes Senior Privacy Advocate (and Lock and Code host) David Ruiz is sharing the one thing he’s doing different to improve his privacy. And it’s this: He’s given up Google Search entirely.

When Ruiz requested the data that Google had collected about him last year, he saw that the company had recorded an eye-popping 8,000 searches in just the span of 18 months. And those 8,000 searches didn’t just reveal what he was thinking about on any given day—including his shopping interests, his home improvement projects, and his late-night medical concerns—they also revealed when he clicked on an ad based on the words he searched. This type of data, which connects a person’s searches to the likelihood of engaging with an online ad, is vital to Google’s revenue, and it’s the type of thing that Ruiz is seeking to finally cut off.

So, for 2026, he has switched to a new search engine, Brave Search.

Today, on the Lock and Code podcast, Ruiz explains why he made the switch, what he values about Brave Search, and why he also refused to switch to any of the major AI platforms in replacing Google.

Tune in today to listen to the full episode.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

  •  

One privacy change I made for 2026 (Lock and Code S07E02)

This week on the Lock and Code podcast…

When you hear the words “data privacy,” what do you first imagine?

Maybe you picture going into your social media apps and setting your profile and posts to private. Maybe you think about who you’ve shared your location with and deciding to revoke some of that access. Maybe you want to remove a few apps entirely from your smartphone, maybe you want to try a new web browser, maybe you even want to skirt the type of street-level surveillance provided by Automated License Plate Readers, which can record your car model, license plate number, and location on your morning drive to work.

Importantly, all of these are “data privacy,” but trying to do all of these things at once can feel impossible.

That’s why, this year, for Data Privacy Day, Malwarebytes Senior Privacy Advocate (and Lock and Code host) David Ruiz is sharing the one thing he’s doing different to improve his privacy. And it’s this: He’s given up Google Search entirely.

When Ruiz requested the data that Google had collected about him last year, he saw that the company had recorded an eye-popping 8,000 searches in just the span of 18 months. And those 8,000 searches didn’t just reveal what he was thinking about on any given day—including his shopping interests, his home improvement projects, and his late-night medical concerns—they also revealed when he clicked on an ad based on the words he searched. This type of data, which connects a person’s searches to the likelihood of engaging with an online ad, is vital to Google’s revenue, and it’s the type of thing that Ruiz is seeking to finally cut off.

So, for 2026, he has switched to a new search engine, Brave Search.

Today, on the Lock and Code podcast, Ruiz explains why he made the switch, what he values about Brave Search, and why he also refused to switch to any of the major AI platforms in replacing Google.

Tune in today to listen to the full episode.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

  •  

Enshittification is ruining everything online (Lock and Code S07E01)

This week on the Lock and Code podcast…

There’s a bizarre thing happening online right now where everything is getting worse.

Your Google results have become so bad that you’ve likely typed what you’re looking for, plus the word “Reddit,” so you can find discussion from actual humans. If you didn’t take this route, you might get served AI results from Google Gemini, which once recommended that every person should eat “at least one small rock per day.” Your Amazon results are a slog, filled with products that have surreptitiously paid reviews. Your Facebook feed could be entirely irrelevant because the company decided years ago that you didn’t want to see what your friends posted, you wanted to see what brands posted, because brands pay Facebook, and you don’t, so brands are more important than your friends.

But, according to digital rights activist and award-winning author Cory Doctorow, this wave of online deterioration isn’t an accident—it’s a business strategy, and it can be summed up in a word he coined a couple of years ago: Enshittification.

Enshittification is the process by which an online platform—like Facebook, Google, or Amazon—harms its own services and products for short-term gain while managing to avoid any meaningful consequences, like the loss of customers or the impact of meaningful government regulation. It begins with an online platform treating new users with care, offering services, products, or connectivity that they may not find elsewhere. Then, the platform invites businesses on board that want to sell things to those users. This means businesses become the priority and the everyday user experience is hindered. But then, in the final stage, the platform also makes things worse for its business customers, making things better only for itself.

This is how a company like Amazon went from helping you find nearly anything you wanted to buy online to helping businesses sell you anything you wanted to buy online to making those businesses pay increasingly high fees to even be discovered online. Everyone, from buyers to sellers, is pretty much entrenched in the platform, so Amazon gets to dictate the terms.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Doctorow about enshittification’s fast damage across the internet, how to fight back, and where it all started.

 ”Once these laws were established, the tech companies were able to take advantage of them. And today we have a bunch of companies that aren’t tech companies that are nevertheless using technology to rig the game in ways that the tech companies pioneered.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

  •  

ALPRs are recording your daily drive (Lock and Code S06E26)

This week on the Lock and Code podcast…

There’s an entire surveillance network popping up across the United States that has likely already captured your information, all for the non-suspicion of driving a car.

Automated License Plate Readers, or ALPRs, are AI-powered cameras that scan and store an image of every single vehicle that passes their view. They are mounted onto street lights, installed under bridges, disguised in water barrels, and affixed onto telephone poles, lampposts, parking signs, and even cop cars.

Once installed, these cameras capture a vehicle’s license plate number, along with its make, model, and color, and any identifying features, like a bumper sticker, or damage, or even sport trim options. Because nearly every ALPR camera has an associated location, these devices can reveal where a car was headed, and at what time, and by linking data from multiple ALPRs, it’s easy to determine a car’s daylong route and, by proxy, it’s owner’s daily routine.

This deeply sensitive information has been exposed in recent history.

In 2024, the US Cybersecurity and Information Security Agency discovered seven vulnerabilities in cameras made by Motorola Solutions, and at the start of 2025, the outlet Wired reported that more than 150 ALPR cameras were leaking their live streams.

But there’s another concern with ALPRs besides data security and potential vulnerability exploits, and that’s with what they store and how they’re accessed.

ALPRs are almost uniformly purchased and used by law enforcement. These devices have been used to help solve crime, but their databases can be accessed by police who do not live in your city, or county, or even state, and who do not need a warrant before making a search.

In fact, when police access the databases managed by one major ALPR manufacturer, named Flock, one of the few guardrails those police encounter is needing to type a single word in a basic text box. When Electronic Frontier Foundation analyzed 12 million searches made by police in Flock’s systems, they learned that police sometimes filled that text box with the word “protest,” meaning that police were potentially investigating activity that is protected by the First Amendment.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Will Freeman, founder of the ALRP-tracking project DeFlock Me, about this growing tide of neighborhood surveillance and the flimsy protections afforded to everyday people.

“License plate readers are a hundred percent used to circumvent the Fourth Amendment because [police] don’t have to see a judge. They don’t have to find probable cause. According to the policies of most police departments, they don’t even have to have reasonable suspicion.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

  •  

EFF’s ‘How to Fix the Internet’ Podcast: 2025 in Review

2025 was a stellar year for EFF’s award-winning podcast, “How to Fix the Internet,” as our sixth season focused on the tools and technology of freedom. 

It seems like everywhere we turn we see dystopian stories about technology’s impact on our lives and our futuresfrom tracking-based surveillance capitalism, to street level government surveillance, to the dominance of a few large platforms choking innovation, to the growing efforts by authoritarian governments to control what we see and saythe landscape can feel bleak. Exposing and articulating these problems is important, but so is envisioning and then building solutions. That’s where our podcast comes in. 

EFF's How to Fix the Internet podcast offers a better way forward. Through curious conversations with some of the leading minds in law and technology, EFF Executive Director Cindy Cohn and Activism Director Jason Kelley explore creative solutions to some of today’s biggest tech challenges. Our sixth season, which ran from May through September, featured: 

  • Digital Autonomy for Bodily Autonomy” – We all leave digital trails as we navigate the internetrecords of what we searched for, what we bought, who we talked to, where we went or want to go in the real worldand those trails usually are owned by the big corporations behind the platforms we use. But what if we valued our digital autonomy the way that we do our bodily autonomy? Digital Defense Fund Director Kate Bertash joined Cindy and Jason to discuss how creativity and community can align to center people in the digital world and make us freer both online and offline. 
  • Love the Internet Before You Hate On It” – There’s a weird belief out there that tech critics hate technology. But do movie critics hate movies? Do food critics hate food? No! The most effective, insightful critics do what they do because they love something so deeply that they want to see it made even better. Molly Whitea researcher, software engineer, and writer who focuses on the cryptocurrency industry, blockchains, web3, and other tech joined Cindy and Jason to discuss working toward a human-centered internet that gives everyone a sense of control and interaction; open to all in the way that Wikipedia was (and still is) for her and so many others: not just as a static knowledge resource, but as something in which we can all participate. 
  • Why Three is Tor's Magic Number” – Many in Silicon Valley, and in U.S. business at large, seem to believe innovation springs only from competition, a race to build the next big thing first, cheaper, better, best. But what if collaboration and community breeds innovation just as well as adversarial competition? Tor Project Executive Director Isabela Fernandes joined Cindy and Jason to discuss the importance of not just accepting technology as it’s given to us, but collaboratively breaking it, tinkering with it, and rebuilding it together until it becomes the technology that we really need to make our world a better place. 
  • Securing Journalism on the ‘Data-Greedy’ Internet” – Public-interest journalism speaks truth to power, so protecting press freedom is part of protecting democracy. But what does it take to digitally secure journalists’ work in an environment where critics, hackers, oppressive regimes, and others seem to have the free press in their crosshairs? Freedom of the Press Foundation Digital Security Director Harlo Holmes joined Cindy and Jason to discuss the tools and techniques that help journalists protect themselves and their sources while keeping the world informed. 
  • Cryptography Makes a Post-Quantum Leap” – The cryptography that protects our privacy and security online relies on the fact that even the strongest computers will take essentially forever to do certain tasks, like factoring prime numbers and finding discrete logarithms which are important for RSA encryption, Diffie-Hellman key exchanges, and elliptic curve encryption. But what happens when those problemsand the cryptography they underpinare no longer infeasible for computers to solve? Will our online defenses collapse? Research and applied cryptographer Deirdre Connolly joined Cindy and Jason to discuss not only how post-quantum cryptography can shore up those existing walls but also help us find entirely new methods of protecting our information. 
  • Finding the Joy in Digital Security” – Many people approach digital security training with furrowed brows, as an obstacle to overcome. But what if learning to keep your tech safe and secure was consistently playful and fun? People react better to learning and retain more knowledge when they're having a good time. It doesn’t mean the topic isn’t seriousit’s just about intentionally approaching a serious topic with joy. East Africa digital security trainer Helen Andromedon joined Cindy and Jason to discuss making digital security less complicated, more relevant, and more joyful to real users, and encouraging all women and girls to take online safety into their own hands so that they can feel fully present and invested in the digital world. 
  • Smashing the Tech Oligarchy” – Many of the internet’s thorniest problems can be attributed to the concentration of power in a few corporate hands: the surveillance capitalism that makes it profitable to invade our privacy, the lack of algorithmic transparency that turns artificial intelligence and other tech into impenetrable black boxes, the rent-seeking behavior that seeks to monopolize and mega-monetize an existing market instead of creating new products or markets, and much more. Tech journalist and critic Kara Swisher joined Cindy and Jason to discuss regulation that can keep people safe online without stifling innovation, creating an internet that’s transparent and beneficial for all, not just a collection of fiefdoms run by a handful of homogenous oligarchs. 
  • Separating AI Hope from AI Hype” – If you believe the hype, artificial intelligence will soon take all our jobs, or solve all our problems, or destroy all boundaries between reality and lies, or help us live forever, or take over the world and exterminate humanity. That’s a pretty wide spectrum, and leaves a lot of people very confused about what exactly AI can and can’t do. Princeton Professor and “AI Snake Oil” publisher Arvind Narayanan joined Cindy and Jason to discuss how we get to a world in which AI can improve aspects of our lives from education to transportation—if we make some system improvements first—and how AI will likely work in ways that we barely notice but that help us grow and thrive. 
  • Protecting Privacy in Your Brain” – Rapidly advancing "neurotechnology" could offer new ways for people with brain trauma or degenerative diseases to communicate, as the New York Times reported this month, but it also could open the door to abusing the privacy of the most personal data of all: our thoughts. Worse yet, it could allow manipulating how people perceive and process reality, as well as their responses to ita Pandora’s box of epic proportions. Neuroscientist Rafael Yuste and human rights lawyer Jared Genser, co-founders of The Neurorights Foundation, joined Cindy and Jason to discuss how technology is advancing our understanding of what it means to be human, and the solid legal guardrails they're building to protect the privacy of the mind. 
  • Building and Preserving the Library of Everything” – Access to knowledge not only creates an informed populace that democracy requires but also gives people the tools they need to thrive. And the internet has radically expanded access to knowledge in ways that earlier generations could only have dreamed ofso long as that knowledge is allowed to flow freely. Internet Archive founder and digital librarian Brewster Kahle joined Cindy and Jason to discuss how the free flow of knowledge makes all of us more free.

This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2025.

  •  

2025 Year in Review at Cloud Security Podcast by Google

(written jointly with Tim Peacock)

Five years. It’s enough time to fully launch a cloud migration, deploy a new SIEM, or — if you’re a very large enterprise — just start thinking about doing the first two. It’s also how long Tim and I have been subjecting the world to our thoughts on Cloud Security Podcast by Google.

We finally got around to writing the annual “reflections blog.” And, honestly, looking back at Season 5, the state of the industry feels a lot like a chaotic Cybersecurity Garage Sale.

We’re all standing knee-deep in a pile of dusty, obsolete junk — the mid-2000s SIEMs, the 1990s unauthenticated vulnerability scans — while clutching shiny, still-in-the-box AI Agent gadgets we don’t quite know where to put. It’s a mess. But within this mess, a few essential, high-value items have emerged.

So, to all our listeners — the veterans and the newcomers — thank you for sorting through the chaos with us. For Season 6, we’re going all video, by default (opening January 5, 2026). Find us on our new YouTube home: Cloud Security Podcast by Google on YouTube.

Below you will find 3 fun sections: Anton’s faves, Tim’s faves and top 10 by listens (“data’s faves” of sorts, or perhaps listener faves)

Enjoy!

Anton: My selections are, perhaps, a bit predictable — but they were immense fun to record and, I believe, are absolutely essential listening! But, hey, I am biased a bit!

  1. EP236 Accelerated SIEM Journey: A SOC Leader’s Playbook for Modernization and AI This fun episode provides a playbook for SOC leaders on accelerating their SIEM modernization journey. We go into the steps the bank took for moving beyond legacy systems, focusing on how to integrate AI for transformative results and build a truly modern Security Operations Center.
  2. EP254 Escaping 1990s Vulnerability Management: From Unauthenticated Scans to AI-Driven Mitigation This essential episode with Caleb Hoch tackles the “fractions of a century” time lag in vulnerability management, moving beyond endless unauthenticated scans. We discuss how to establish a Gold Standard prioritization model and why running VM Tabletop Exercises is the vital, transformative practice needed for true modernization.
  3. EP223 AI Addressable, Not AI Solvable: Reflections from RSA 2025 The single most important lesson from RSA 2025 was captured in this episode: AI is merely “Addressable, Not Solvable.” We cut through the hype to discuss where AI can deliver real, practical security value, and where we still need our smart human colleagues to lead the way. This is essential listening for anyone trying to navigate the flood of vendor claims.
  4. EP242 The AI SOC: Is This The Automation We’ve Been Waiting For? This epic episode tackles the most pressing question for security operations: Can “AI SOC” deliver the transformative automation we’ve been waiting for? We discuss — with Anton’s former colleague — the real-world applications of AI in the SOC, focusing on practical gains (and how to know you “gained” anything) and what it means for the future role of the human analyst.
  5. EP238 Google Lessons for Using AI Agents for Securing Our Enterprise This fun episode brings you practical lessons from Google’s own experience using AI agents to secure our enterprise at scale (see this blog also). We dive (not “delve”, mind you!) deep into the real-world application of this technology, focusing on the wins, the challenges, and what it took to adopt. This is essential listening for any leader looking to leverage AI agents effectively without falling into the hype cesspool.
  6. BONUS: EP237 Making Security Personal at the Speed and Scale of TikTok This unique episode goes into what it takes to secure a hyper-scale, global platform like TikTok. We discuss how to move beyond legacy compliance while living in a modern microservices architecture, balance a consistent global security posture with localized regulatory demands, and, most importantly, empower every user with practical tips (like 2FA and strong passphrases) to make security personal.

Tim: My picks are almost entirely not overlapping with Anton, we started our lists separately, but then realized that we scooped each other on two episodes. We both liked our episode with Manija Poulatova enough to keep her on both of our lists!

  1. EP256 Rewiring Democracy & Hacking Trust: Bruce Schneier on the AI Offense-Defense Balance This episode is a total delight for both of us. For me, I got to not only meet one of my security heroes, I got to see Anton do the same! We named Bruce in our early planning docs as somebody we’d like to have on the show someday when we’re all grown up. Not a bad way to wrap up five years of weekly podcasting!
  2. EP236 Accelerated SIEM Journey: A SOC Leader’s Playbook for Modernization and AI Manija and I were on a panel together in Las Vegas during Google Cloud Next 2025. A few themes from that panel came through in our episode together that I love and think are vital for anyone. First, aim for transformation not migration. As an industry we are not doing so well compared to air transport safety. We cannot cling to our old ways and hope for a better set of outcomes. Second, AI is here to enable our human colleagues, not replace them. We can find greater meaning, joy, and productivity in our work, even as SOC analysts, once we embrace what AI can automate for us.
  3. EP239 Linux Security: The Detection and Response Disconnect and Where Is My Agentless EDR Craig was introduced to me by Friend Of The Show (and friend of mine!) Vijay Ganti (EP196) as someone building an innovative approach to EDR security. Scheduling this episode ended up a little tricky, and I got to do an episode without Anton. That ended up ok, because in Craig I found a totally kindred spirit. We’ve both built systems to secure Linux without agents, though from two different approaches. His stories of finding badness in places we couldn’t previously look, and doing so scalably even for phone towers up the hill behind his house, really resonated with the part of me that spent four years building out Virtual Machine Threat Detection here at Google Cloud. This is definitely an episode for listeners who like to question conventional security thinking.
  4. EP252 The Agentic SOC Reality: Governing AI Agents, Data Fidelity, and Measuring Success Another fun origin story: this episode was conceived in a karaoke booth in Singapore. Alex and Lars are two of our early design partners for the SecOps Triage Agent and their feedback to the team and on this episode is super valuable. Alex gets bonus points on this episode for using the word squelch which I’ve been pushing internally as a metaphor for our noise control systems. This is a must-listen for anyone interested in real AI adoption in their SOC. If Alex and Lars can do it across an unbelievable number of regulatory jurisdictions, you can too!
  5. EP255 Separating Hype from Hazard: The Truth About Autonomous AI Hacking Bringing Heather back to the show has been a goal of ours for ages. When I read her article, coauthored with Gadi Evron and Bruce Schneier, I knew I’d found our topic. As I said on the show, if I’d seen this article written by anybody else I’d laugh, but with this trio of authors I knew it was something to take seriously. Read the article, listen to the episode, let us know in the comments if you’re as scared as I was!
  6. BONUS: EP232 The Human Element of Privacy: Protecting High-Risk Targets and Designing Systems I get one bonus episode for our top ten, so I’m going to include my classmate Sarah Aoun. She is an amazing Googler and on this episode she offers advice that’s useful almost universally, but especially if you believe that you’re a person who is at risk of being targeted online. This is firmly outside of our “cloud security” wheelhouse, but well worth a listen to understand threat modeling and security response for individuals.

Top 10 episodes by listens (excluding the oldest 3)

  1. EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil
  2. EP47 “Megatrends, Macro-changes, Microservices, Oh My! Changes in 2022 and Beyond in Cloud Security”
  3. EP153 Kevin Mandia on Cloud Breaches: New Threat Actors, Old Mistakes, and Lessons for All
  4. EP8 Zero Trust: Fast Forward from 2010 to 2021
  5. EP109 How Google Does Vulnerability Management: The Not So Secret Secrets!
  6. EP150 Taming the AI Beast: Threat Modeling for Modern AI Systems with Gary McGraw
  7. EP17 Modern Threat Detection at Google
  8. EP103 Security Incident Response and Public Cloud — Exploring with Mandiant
  9. EP156 Living Off the Land and Attacking Critical Infrastructure: Mandiant Incident Deep Dive
  10. EP12 Threat Models and Cloud Security

Related blogs:


2025 Year in Review at Cloud Security Podcast by Google was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

  •  
❌