The Power of Probability with Alex Cosoi

You are alive against stupendous odds.

And I take the posture that because of this, life should be cherished.

Welcome to StarTalk, your place in the universe where science and pop culture collide.

StarTalk begins right now.

This is StarTalk’s special edition, Neil deGrasse Tyson here, your personal astrophysicist.

And of course, we got Gary O’Reilly.

Gary, former soccer pro, sports commentator.

Hi, Neil.

And longtime co-host of StarTalk, Chuck Nice.

What’s going on, guys?

Today’s topic is one of my favorite, just as an educator, simply because it’s where people misthink things most often.

And I feel extra responsible to try to get in there and make it work for them.

We’re going to talk about probabilities.

So, Gary, it was your idea to do this topic.

I love the topic.

I devoted a whole chapter to it in a recent book I published.

So I’m pretty fresh in commentary regarding it.

But more specifically, where did you want to take me on this?

So probabilities, Neil.

Calculating risk gambling.

Call it what you will.

We all do it.

Stand on a wobbly chair.

Eat that food in the fridge that’s been there two weeks.

It’s a gamble.

Probabilities has its own branch of mathematics.

And it’s intertwined into so much of our everyday lives.

Risk and assessment for insurance.

Predicting extreme weather models, which has been very, very important in the last few weeks.

It’s baked into AI and especially that annoying predictive text program in my computer that tells me what I should be typing.

And I hate it for that only.

It’s probability that’s used in cyberspace.

And we do without realizing have that baked in again.

And we’ll get to that later on in the show when our guest Alex Cosoi, he’s chief security strategist at Bitdefender, the cyber security experts, and we’ll open up what it’s all about, where it’s going, what it’s likely to look like going forward, and our approach to risk itself.

So having said that, Neil, let’s find out more about what happens when a bunch of physicists turn up in Las Vegas.

Well, let me preface this by saying, back in the 1980s, the my community of physicists, the American Physical Society, the APS, have annual meetings, and one of them was scheduled for San Diego.

San Diego, especially of late, is a big convention town, Comic Con, the most famous of the world’s Comic Cons, takes place there, and the whole city adjusts for it.

There’s a convention center and everything.

Anyhow, the Community of Physicists had booked hotels and was ready, and it turned out there was a snafu where the hotel reservations failed, for some reason, and I don’t remember why.

So here’s this convention that was supposed to happen, and it can’t happen, so what do you do?

Well, the MGM Grand, then the MGM Arena in Vegas says, we’ll take you.

We are the largest hotel in the country.

We can take you on short notice.

So the APS pivoted to Vegas, pivoted.

And so that year’s convention was in Vegas, where people give talks and they’re public talks and professional talks and this sort of thing.

All right, a lot of breakout rooms.

It’s where we sort of reconnect, especially in an hour before there was much emailing going on.

It’s a geek fest.

Geek fest, thank you.

Physics geek fest.

Well, a week later, there was a headline.

This is after the conference.

Physicists in town, lowest casino take ever.

The American Physical Society has been asked to never return to the city.

That’s great.

And so you can ask, well, did the physicists sort of know the odds and play the odds?

No, they just didn’t.

They didn’t play because, here it is.

It is the only activity where the people tell you, we are legally cheating you.

Now, we just want you to know this.

When you come in, the reason why we say good luck is because we already win.

And the great thing is, Chuck, when you start, when you get a little bit of a run going, if that ever happens, they see you and they bring you free drinks.

Well, I was going to say, any place where that brings you free drinks, there’s a trap somewhere.

There’s nobody that says, hey, just drink up all my liquor.

And yeah, and that’s all.

We’re good.

No.

So, no.

Here’s the cabinet.

Here’s the key.

Like, I had a party where my best friend at the time opened up my cabinet and took out a bottle of the Macallan 30-year-old Scotch.

Oh.

Right?

Which I don’t share with anybody.

Okay?

And proceeded to pour off my Macallan to my other friends.

And I went around and picked up the glass and what the hell are you doing?

You don’t get to do this.

So anybody giving you free liquor is a catch.

That’s all there is to it.

So that lets you know what Vegas is up to.

Nice to know you’ve let that go, Chuck.

Yeah.

Chuck is still in therapy for many things.

Yeah.

Many things.

That is one of them.

Yeah.

So I thought I’d look a little more deeply into this, only to discover that if you look at various branches of mathematics, right, of which there are many, but let me list a few.

Let’s go in sort of historical order.

There’s sort of geometry.

Geo, geometry means earth measurement, by the way.

Yeah.

From, I guess that would be Greek, geometry, earth measurement.

You have geometry, you have arithmetic, you have algebra.

Which is the terrorist version of mathematics.

Algebra is that.

I’m sorry.

Just move on.

Let’s keep moving.

Algebra, we keep going.

You can get to calculus.

There’s trigonometry.

Whole branches of math that we remember, even if you’re part of the walking wounded of those classes, we remember these from perhaps as early as middle school, certainly high school.

If you sequence these, do you realize all of those branches of math were discovered, invented before it occurred to anyone to take the average of numbers?

Okay.

Oh, interesting.

I see what you’re saying.

Okay.

Yes.

That’s weird.

That is.

That’s weird when you think about it.

So here are these numbers.

You add them together, divide by the total.

Somebody had to do that first, okay?

That didn’t happen until, when did I have?

Late 18th century?

Long after calculus.

Newton had calculus in the bag, okay?

By the late 1600s, early 1700s.

Calculus, people.

And now someone later on says, hmm, let me sum these numbers together and divide and see if that means anything.

Well, that’s early statistics.

Right.

And there are books as late as the 1800s that believed, these are official math books that describe how you can influence the outcome of a certain set of probabilities, because they believed that was the case, because probability and statistics was not yet properly formulated as an authentic and bona fide branch of mathematics.

Right.

The point is, why is that so?

How is it that people, we in our species can say, we need calculus and there’s no probability, okay, there must be something absent in our brain wiring.

Yeah.

That prevents us from thinking natively in this space.

Yeah.

It’s called heuristic hubris.

That’s who we are.

Because outcomes are what we want them to be, not what the math says they will be.

And we still do that.

We still do that.

We still do it.

To this day.

Are we not hardwired, Neil, to calculate risk as a survival mechanism?

Well, okay.

So if you speak with sort of evolutionary biologists, they will frequently, and I think without much debate, tell you that we do make certain assessments.

For example, if this will take us to an aspect of how the brain works, but consider there’s something that repeats multiple times, and you learn that and it hurts you.

Then you say, well, let me not do that again.

So then you don’t and then you avoid it.

So this is simple.

So this is the act of how repeated occurrences decide for you what the future is going to be.

All right?

And this matter is for survival.

My favorite survival fact is how we put order on things, even if there’s no order there.

That has extraordinary consequences.

Exactly.

Let’s look at how it might have begun.

So we’re in the Serengeti, and you don’t want to get eaten by a lion.

And there’s the grass, you know, the amber grass is blowing in the breeze.

And you say to yourself, I wonder if there’s a lion there.

In fact, I think there is.

Let me go check.

Yeah.

Yeah.

Right.

Okay.

This will summarily remove sort of the curiosity gene in…

Because you don’t get to have children to be curious.

If it is a lion, you don’t get to have curious children to the extent that curiosity is inherited.

Okay.

So it turns out we are better off thinking there’s a lion in the grass.

Right.

Whether or not there is and then going in the opposite direction than not thinking there’s a lion in the grass, missing it and having it eat us.

But consider that we think there’s a lion in the brush, whether or not there is one, and that’s the genes that got protected.

Okay.

So this is pattern recognition.

We will see patterns even if there isn’t a pattern there.

We can put a set of random dots, right?

And you say, oh, I see this and I see that.

You must have done that on purpose.

Clouds.

I see it.

And your life experience overrides the mathematics of what just happened, or your life expectations or your life belief system overrides it.

The pattern recognition, Neil, is the probability that that will happen, as you say, from experience.

And we use this in sport a lot, from analyzing gameplay.

So, let me bring this to the present.

We have this feature in our brain wiring to detect patterns even if they aren’t there, because that was in the interest of our survival.

We’re not making those same decisions anymore about whether we might get eaten by a lion, but that brain feature remains within us.

And we see patterns in everything.

And we think because we see a pattern, that the pattern is real.

Even we think the absence of patterns is a pattern.

You had a roulette table.

And I said, why do you keep betting on seven?

It’s due.

It’s due.

It’s right here.

And I said, how do you know it’s due?

Because the roulette table shows you the previous 10 rolls.

Okay, spins.

Or the previous 20.

And you don’t see a seven there.

It’s due.

No, it’s not due.

Take the fucking probability class.

Yeah, it’s not due the same way the Washington Generals are not due to beat the Harlem Globetrotters.

Yeah.

How about that?

They didn’t play the Washington Generals?

I don’t know what they’re called now.

I don’t know.

They did this like 40 years ago.

Made up name.

So this notion that because it hasn’t happened recently, it’s bound to happen in your next bet is how casinos make money.

Casinos exist to exploit these frailties of the human brain wiring.

They exist for that purpose.

But it goes back to the point you had about magicians.

The casinos know more about how you sink than you do.

Yes.

And they manipulate that, obviously.

And it’s completely manipulated.

And like Chuck said, they tell you that going…

Tell you straight up, hey, by the way, we’re going to cheat you today.

Enjoy yourself.

Is that why they get cheated?

Is that why they call Las Vegas lost wages?

Lost wages, yes.

And so, by the way, as a scientist, we know how important probability is to separate your own bias on what is going on in the world from what is objectively going on in the world.

So every year I was in school, we had some element of probability and statistics taught related to the aspect of the sciences that we were addressing.

So I would say all told, I might have had eight years of probability and statistics.

Yet, if you look in a school curriculum, it’s not there at all.

No.

At all.

Now, will you grant me one conspiracy theory?

Go ahead.

Depends which one it is.

No.

See, Chuck believes in me.

He just says, go ahead.

Go for it.

If he doesn’t like it, he’s going to slam you down, but never mind.

There it is.

You know, the state lottery systems?

Yes.

Do you know how they get funding for that and what they, you know, there’s tax levied on that.

Do you know where that money goes to typically?

Well, they tell you that it’s for education.

Let’s assume that’s true.

Let’s even assume that’s true.

So it’s for education.

And I said, oh, that’s good.

Public education, you know, K through 12.

And then I looked at the curricula across the country of what is taught.

And probability, if it’s taught at all, is only an elective.

It’s not a fundamental part of the math curriculum.

And so it occurred to me that as long as they don’t teach probability in school, you are susceptible to playing the lottery.

Which funds the school.

Which funds the school.

Oh, playing for your education.

If you take off probability, it could be the end of the state lottery system.

Well, yeah, because anybody who knows something about probability does not play the lottery.

As a matter of fact, my father used to tell me, take a dollar a day, the dollar you would play the lottery, start right now, and just take that everyday dollar and put it in the bank.

And through compound interest, it will take 20 years, but you will hit the lottery.

That’s good.

People trying to assess their health or their security based on risk, risk factors.

And I think in the book, there are people who smoke knowing that there’s a risk of cancer.

And I think if you’re an active smoker, there’s a one in eight chance that your tombstone will say died of lung cancer.

And so then I thought, let me glorify that up a bit and say, okay, instead of you just taking that risk, let’s do it this way.

Today, everyone who lights up a cigarette, one in eight of them on that first puff, their head will explode and they’ll fall over in a pile of blood on the pavement.

And if that is not you, you get to smoke for the rest of your life without cancer.

Would you take that risk?

Well, what brand of cigarettes are we talking about?

The exploding kind.

The exploding kind.

So, what I tried to do in the book was rejigger the risk into something that might be a little more tangible, a little more devastating for you to hear, even if the numerics remain the same, just to try to get at the fact that a brain is not wired for this to happen.

So, yeah, Gary, it’s sad even.

I drive by casinos and it’s like, man, I’m sad for our brain wiring and for the education system that doesn’t address that fact.

You drive past a casino, Neil.

How often is the car park full?

Full, all the time.

Yeah.

All the time.

Yeah.

That’s why you gotta be an especially bad business person to lose money if you own a casino.

Or in a movie where George Clooney turns up with some friends.

Ocean’s 11, 12, 13, 14, 15, 20, whatever they’re up to now.

Yeah, the franchise just keeps paying off.

So, Neil, we’re programmed, we’re hardwired, but how do we get here?

What’s the probability of actually us existing, being alive, being born?

Now, do you mean like having a mother like mine and making it to adulthood, or do you mean like being conceived at all?

Well, let’s start with conception.

Oh, okay.

And then move through the laundry list.

Obviously, humans have no trouble making more humans, right?

Eight billion in the world will go to asymptote probably to 10 billion in the coming decades.

So having a person of any kind is not the issue here.

We can ask the question, what are the chances of you, specifically you, Gary O’Reilly, having been born?

Yeah.

And so we look at your genetic code, and a way to address that is, how many possible configurations of that genetic code exist?

Wow.

And you’re the one that’s you.

Yes.

Okay?

So you can do that.

Now, there’s lots of ways that they arrange, and many of them, it makes a human, but it’s not entirely viable, where you have like three arms and two heads or whatever.

So if you remove all the ones that create oddly different but still living humans, okay?

And so we talk about what we call a normal human.

There are different ways you can estimate this, but we think it’s one in a billion, trillion, trillion.

That’s not even a number.

What you just said, it’s not even a number.

It’s what a kid says, right?

It’s a billion, million, trillion.

But there’s a lot of configurations.

Point is, the total number of humans who have ever been born, you can estimate that, is about 100 billion.

Okay, that’s a round number, but that’s about what it is.

So you can ask if 100 billion humans have ever been born, yet we have the capacity to make a billion, trillion, trillion humans, a vanishingly small fraction of all humans who could ever exist, have ever been born.

Interesting.

So, what are the chances of you showing up once again in this genetic code?

The answer is never.

It’s never, okay?

Because of how much larger the total number of possibilities are compared to anything we will ever create on this earth.

So, you are alive.

You, Gary O’Reilly, are alive against stupendous odds.

And I take the posture in the book that because of this, life should be cherished.

Great.

And by the way, even if you did show up again in the genetic code, there’s no reason to think it would be you.

No.

It would look exactly like you.

But we’ve done these experiments.

They’re called twins.

We have identical DNA.

And you’re not the same person.

You have independent thoughts, okay?

You even have different fingerprints, turns out.

So, the clone experiment doesn’t require machine to wonder how that’s going to turn out.

People said, we shouldn’t have clone machines because we’ll clone people for their organs.

And I’m thinking, do we do that with twins today?

Do we purposefully have twins to take out their organs?

No.

Why would we behave any differently with a cloning machine than we do in the presence of twins that already walk among us?

Point is, you’re never going to get another Gary.

And so, armed with that information, that cosmic, that scientifically-informed cosmic perspective, we should treat life as the most cherished thing on Earth.

And not enough people do, leading to all manner of misery and bloodshed and war and in this world.

And I wonder if people really knew the statistics of this, if we treat each other more kindly and more considerably than we do.

Depends on how much you like war and bloodshed, you know.

Oh, some people, some people are into that, you know, not in their own bloodshed.

That’s right.

No, that’s the point.

Yeah, it’s so funny.

You’re such a scientist because you actually went at that from the DNA configuration perspective, which I find fascinating because I thought about this like, I think everybody thinks like, you know, could there ever be another me or how many like, like what did it take for me to get here?

And I looked up the average number of viable sperm in an ejaculate, which is somewhere around 200 million.

Yeah.

Yeah.

Half a billion.

Yeah.

Some somewhere around there or it could be somewhere.

And that means that for just me in that one batch, you’re one in 200 million.

I’m one in 200 million just in that one little batch.

Forget the other batches that we don’t even want to say, what happened to them?

You know, I’m just saying, like, you know, dad was once a teenager is all I’m saying.

It was 117, yeah.

You know, but that alone gives you an idea of just how hard it is for a human being to come to existence.

Right.

And that’s another another angle that probability takes you into.

Yeah.

The rarity of who you are as an individual.

Wow.

Yeah.

So yeah, I don’t, Gary, did I hit all the points you were looking for?

Yeah.

I mean, the thing is, if we go and do every single one, we are going to be here for another day.

All right.

So Gary, where else are we going to take this?

All right.

So we look at our everyday lives and without realizing it, we are calculating as we’ve discussed, and it’s kind of like baked into a number of things.

We are living our lives online.

Some people conduct a whole part of their life online.

They’ll have maybe a dozen, ten or so online accounts which they manage, which means passwords, which means protection, which means security, all those things, and the probability of all the bad stuff, probability of it being okay.

So I think what we need to do is speak to someone who’s really at that cutting edge of cyber security.

And for that, we have our dear friends at Bitdefender, the cyber security experts, and we have Alex Cosoi.

I can’t believe that’s how you pronounce it.

If I got it wrong, I’ll stand in a corner.

He is their chief security strategist.

So this guy is a guy who doesn’t just try and look after things.

He will go after botnets with Europol or Interpol and bring them down.

They’re on a large scale level as well as the personal level.

So there’s a whole different range of how they operate, which I think could be very fascinating.

And add another facet to how probabilities are entwined into our lives.

Yeah, because lately when I choose a password, it tries to tell me whether it’s a good password or a bad password.

And presumably there’s some risk factor calculated to assess that.

Otherwise, why would it know anything at all?

Like one, two, three, four is a bad password.

I mean, there’s information that you have, right, that’s in the public domain.

For instance, your birthday.

Maybe the probability of something bad happening is greater.

So we need to speak to that expert.

And Neil, here is Alex.

Alex, hey, welcome to StarTalk.

Hi, Neil.

Hi, guys.

Thank you for having me.

You have the bad-assest title of anybody ever.

It’s made up.

Nobody made it.

It’s just made up.

What?

Chief, give me the title again?

Chief what?

Chief Security Strategist.

Chief Security Strategist.

We should salute, shouldn’t we?

So Alex, let me start with a couple of questions here.

The word risk is related to probability and statistics.

People think they understand risk.

Generally, they don’t.

Or what they do understand is not the full story typically, but they’re making decisions about their lives, about their health, their wealth and their security based on their understanding of risk.

So Alex, in what way does the probability of a cyber attack fold into your decisions and your job?

Yeah, this is, as you were talking earlier, because I’ve been listening, the probability of somebody being attacked, I would say it’s biased.

From my perspective, it’s 100%.

Everybody will be hacked, or attacked, or scammed at one point or another.

But we also did a study a few years back, and all the respondents in total, like 76% of them said, I don’t think that somebody will target me, I don’t have enough money, why would I be of any interest?

Super false.

That’s not how things are going in the cybercrime industry.

They’re practically attacking everybody, and it’s probability and presence of who actually says and accepts that link and clicks on that button and does the next step.

So I’m pretty sure, Gary, Neil, Chuck, you’ve been targeted by a scam at least once in the past two years.

I put $10,000 on that.

Yeah, of course.

Can I have that $10,000?

I’ve actually targeted people in scams myself.

I know, it’s a little bit funny, but the thing is, there’s a sophistication to the scam, because if someone comes in, and this has happened to me, they take a very small amount to begin with, and if you don’t notice it and let it skip through your bank statement, they come back in and go, grab.

No, there’s an uproar to that.

So, they tell you, you can invest in this particular business.

You put like $10 and you receive a return of $50.

And then they tell you, if you put more, you’ll get more.

So, you put 10 grand, nothing comes back.

How about that?

Wow.

Okay, so it’s a con game.

It’s not just a cyber attack, all in cyber.

There’s somebody has to communicate with you.

Correct.

To gain your confidence.

And then, so this is just another con game then.

It’s a show game.

You know, you’re moving the shows around, there’s a whatever the stone underneath.

It is, it is.

But all these things happen now in the cyber world.

So we’re talking about WhatsApp, Telegram, Instagram, Facebook, things that you actually use every day.

And these platforms are actually challenging you into spending more and more hours in front of them.

So when the scammer shows up in your platform, you already believe that this has already been vouched.

It has been like checked if it’s safe or not.

So you already have like a 50% bias to do it, right?

To fall for it.

So our familiarity with these platforms, with our time spent on a screen, that familiarity breeds the complacency.

Is that what you’re saying?

I’m sorry, guys.

I hate to interrupt.

But as you can see, I got to answer this call.

It’s potential spam.

How about that?

So you know that it’s just coming in right now.

So you know that.

That’s hilarious.

Clearly, that’s a scam.

I hope somebody tried to get something from me.

Yeah.

The idea is that when you received an anonymous call from a number you don’t know, or an email from somebody you don’t really know, you’re like, yeah, it’s probably a scam.

I’m going to ignore it.

You have your phone with potential scam.

But when you receive these ads directly to a platform that you trust, you’ve been using it for years, the chances of you being biased and ignore, Neil, as you’re saying, the probability of being scammed, you pass the bias, are so much higher.

Like, oh, so I received this ad on Instagram to buy a ticket to some concert, OK, maybe Taylor Swift, because it’s super in the news right now.

And it’s so much cheaper than the actual prices.

And it’s on this Instagram or Facebook or whatever.

You’ll buy it.

Oh, wow.

And if you read the news, it’s about at least a million or more on every concert.

A million dollars.

Yep.

On every concert?

Per country.

Per country, per concert, yep.

That’s a very good business.

Yep.

So now a lot of bands use one particular outlet.

We’ll spend our times doing PhDs and research.

So can I ask, why do they want your emails?

Like, I get a lot of emails from, I just delete them because there’s either nothing in the body or it’s a link.

And I’m like, okay, everybody who knows me knows I’m not opening any links.

So I just delete it.

Why would you want to get my email list?

You hear people say, oh, I got hacked.

Don’t, you know, my email list got hacked.

What is the value in an email list?

Okay.

So if I get a single email address, okay, I can search known databases of passwords associated with that email address.

Oh my God.

With the next hacked companies or other leaked databases.

Okay.

So I have your email address and now I have a list of passwords that you use on different websites.

Oh, what?

I can go further.

Anyone else scared right now?

With both passwords.

Dude, you’re freaking us out.

Alex, you’re freaking us out.

Oh my God.

This is terrible.

Shut up now.

I don’t want to hear anything more from you.

I’d rather live in my blissful…

If you want, you can give me your email addresses and I can do the search for you.

No, no, no, no, no.

You already said, trust me.

Now you want my email address.

You did say, trust me.

So wait a minute.

First, they get your email.

Then they get the passwords.

And what else can they do?

I mean, what’s the next step?

Well, there are many steps later on, because I can see if these passwords are still working.

So getting it to your various accounts.

I can also see if you have the same password to a different email address that I don’t know about, like your business email or your Yahoo email that you used 10 years ago and you didn’t change a password.

And I can see all your previous girlfriends from when you were 17s.

How about that?

There are so many possibilities.

If you work in a company and email and passwords work, I can use those to connect to your VPN account, launch a ransomware attack, make some billions out of it.

OK, mental note, change all email passwords.

Alex, OK.

Every password, I must change.

Change it every day.

Every day, yeah.

We see hacks, we see data leaks and breaches, and it seems to be one a week almost.

And I know you do these, you fight these bad actors daily.

And thank God the people like you are out there.

But are we not now kind of desensitized and people are to the point where it’s going to happen?

So what the hell?

Have we lost that sensitivity to the impact that this could make?

Yes, but not with the right mindset for this conclusion.

Because yes, there are news of cyber attacks literally every day.

So when I wake up and read the news, at least one hack per day, right?

So people are reading this and they’re like, yeah, yeah, yeah, yeah, not going to happen to me.

That’s unfortunately the bias and the conclusion of having been desensitized by this news.

And when it happens, and I’ve been talking to hundreds of victims, they’re like, I had no idea this is going to happen to me.

You know, I just came up with an idea that I’m sure somebody else has had to have.

But why isn’t there a service where I subscribe, I have a master password, but then that service changes my password on a daily basis.

And all I need to do is have the one password to get in to them.

Yes, these services exist.

They don’t change your password every day because you don’t have to do that.

It’s recommended to change your password, I would say, maybe every three months, the password that you use on these accounts.

But these password managers, this is how they’re called, they will do what, when you subscribe to a service, you don’t have to think about, okay, what password should I use?

Should it be long, short, numbers?

So these are going to suggest the password, they’re going to save it for you, you don’t need to know it.

Every time you need to log in to that service, the password manager will fill in the password for you.

Some of the browsers already have this functionality built in, so that’s fine.

Then our other dedicated software that they’re going to keep this passwords list super protected with super encryption.

But yes, the idea is that you remember one single master password, and everything else is being taken care of.

Because for us, every regular people, let’s be honest.

Okay, so now in 2024, we might have an education of this.

But I bet you we have accounts that have been created in 2010.

We stopped using them in 2012.

They’re still active.

The passwords are still poor.

I don’t know, 1234, for instance.

And there is information in there that can still cause us trouble if it goes out.

Oh, crap.

I’ve got a different angle here.

If password hacking occurs because someone gets access to a file of previous passwords, then they’re not actually decoding your password.

No, they’re not actually figuring out your password from scratch.

Why is there any difference at all between a simple password and a complex password?

They’re not decoding your password for its complexity.

That is correct.

That’s the other reason why you should have a complex password because there are different ways into finding out a person’s password for a particular account.

One of them would be just brute forcing, trying all the passwords.

Another technique would be password spraying, which means trying the most common passwords on a particular account that are known to be used by people.

And in many cases, this actually functioned because for particular languages, statistically, people use similar passwords.

Test 1 to 4, that’s quite similar.

From 1 to 9, that’s quite similar.

I know, in 2024 sounds stupid.

Even nowadays, we find these passwords in reality.

My password is password, they’ll never figure that one out.

Yeah, yeah, yeah.

Somebody from like the military, in like a high-end grade in the military saying that I had a very simple password because I thought they will never try that out, considering my job title.

It was a big assumption.

Do you run algorithms based on the probability of a certain set of characters?

Where do you have a language?

Is that right?

Not necessarily the probability set of languages, but also by words in that particular language.

And also there are billions or hundreds of billions of passwords that already are in the public space or the public domain from previous hacks.

So you can make a statistic on that.

You can say, hey, 20% of the people use this password.

Let’s try that on first.

Wow.

And chances are to work, huh?

We know probability, criminals know probability.

So they will do their math first.

Damn.

Wow.

You want to talk about using math for terrible purposes.

You can use it for many things.

Because you know that joke with a very important mathematician that received a Nobel Prize and he had to fly to get it.

And he was so afraid to fly because he thought somebody will be with a bomb in the plane and he want to reach the destination.

But eventually at the event, he shows up.

Everybody knew about his fear.

So they asked him like, hey, we knew your fear about a bomb exploding.

So why are you here?

Well, how did you come?

Like, well, I took a bomb with me.

What were the odds of two bombs being in the same place?

No, that joke is older than TSA, right?

Because before they checked for BOMB.

Exactly.

So, Alex, we’re in October 2024 right now, but last month, there was the National Institute of Standards and Technology, that’s the US National Institute, that stated, and this was an article that was written in Forbes, so it’s a reputable news outlet.

But complicated passwords can make you less safe.

Yes.

Now, we’re talking about how to make complicated different characters and different cases and numbers and all sorts of things.

But why now complication is an issue?

Because otherwise, it’s password 123.

Yeah, there are two ways of defining the complicated passwords, and one of the ways is actually okay.

The other way is not really that okay.

So, by complicating a password, by making it longer with alpha characters, numbers and everything else, that’s going to make the password super hard to remember.

So unless you’re using a password manager, it means that you’re going to have to write it down and so on, which basically sets in the mindset of just giving up, just giving up, putting the same password because it took you so long to create it, or just bring them down to make it easier for you.

However, you can make long passwords without doing all these characters, unless the website or the service forces you to, by having a passphrase, I went to the moon and back in a car.

That’s pretty safe, okay?

Or an even longer phrase, something that’s easier to remember.

But I think NIST, and also our recommendation, is to use a password manager that’s going to make your life a whole easier, and also use a multi-factor authentication or two-factor authentication.

So besides the password, you can use something else, or even eliminate the password at all.

You can use all these things.

You’re going to have a better piece of money by that.

Yeah, in fact, I have a couple of websites that don’t use passwords.

Exactly.

And it’s two-factor authentication.

And don’t you love going to those websites?

Yes, it’s beautiful.

Okay, so Neil has quite a distinctive voice and he’s in the public domain.

Are we now at the point where we no longer use voice recognition as the password?

That was like in style for like six months, a couple of years ago.

Are we out of that phase because there’s just too much AI coming along to replicate?

Yeah, I don’t think voice recognition can be still considered a way of authentication.

And even face recognition, that’s not going to work any longer.

I was in a meeting with some of my colleagues and one of them was in vacation, but he was showing up in the meeting on Zoom.

It was the fake AI, somebody was playing a joke, which was very nice because he seemed a bit younger.

He probably had photos from a previous training, but it was scary for us because we know the possibilities, but it was very nice to have.

Wait, wait, wait, wait, you just said you had a business meeting and someone duped you into thinking an AI version of an attendee.

Yes, but it was a colleague.

It was a colleague.

However, there is…

Yeah, it was on purpose.

We knew what’s going on.

We were just analyzing it and we were like, oh, this is so cool.

He looks so close by.

But I remember reading an article quite last week about a scam in China where somebody paid $55 million because he was in a Zoom meeting with, I don’t know, 13 or 14 other people from the organization.

His manager, CEO, CFO, everybody was saying it’s safe.

He did it.

He was the only real person in there.

Everybody else was deep fake.

Oh my God.

That’s Bonvillain badness.

That’s the level we’re talking.

That is, yeah.

I have a question, and plus we got to sort of think of landing this plane.

In the old days, a computer virus was really just mischief.

People just trying to see if they could harass you in one way or another.

There wasn’t much financial motive behind it.

And so it was a nuisance.

Now, this kind of hacking always seems to have a financial objective.

What is the total money earned by bad actors?

So I would say a total would be what a total last year was, $1.5 trillion.

What?

There’s a T in there.

We’re talking about ransomware and other scams.

Yeah.

These numbers vary.

I mean, if last year was 1.5, this year can easily go to 2 or 3.

Trillion dollars.

We’re talking about scams that target consumers.

Right.

I mean, that’s a national debt for some countries.

Yes.

Oh, great.

Like I said, these are just money that are earned by cyber criminals.

These are not money that count in your financial loss as a victim.

Because if you’re a company, when you pay, that’s one number.

But you also have a loss in your education.

You have a loss of productivity.

You have a loss of, you know, yeah.

So I, God, I can’t believe I’ve been telling my son that he should continue to study to be a biochemist.

What the heck?

He’s in the wrong business.

He’s in the wrong business.

I got one other thing I have to like, just get clear in my head.

So that means in your business, you’re worth one and a half trillion dollars to this world.

If you can prevent that, if you can prevent it.

Right.

Okay.

That’s fact one.

Fact two.

It would protect everybody, which is not the case.

Okay.

But here’s my thing.

If someone retains you to protect their organization, then they’re putting all their trust in you.

So maybe the organization won’t get hacked.

But suppose you get hacked.

You’re a single point failure of that entire system, because we’re all entrusting you in this one, what do you call it, bottleneck of trust.

Yes, that is called supply chain attack.

So basically when you’re targeting a customer, you can actually target all the software that they use in their organization.

So if we have a vulnerability, that’s going to affect most of our customers.

Yes, that is a correct statement.

So now why aren’t you just, why aren’t you a good guy?

Why don’t you become Dr.

Evil?

What the heck is your problem?

Yes, we get that, we get that question a lot, you know.

You can make a lot more money on the dark side, but then again, how will you sleep at night?

On a very expensive mattress, that’s how.

That is correct.

Because I’m part of a trillion dollar industry that I created.

So Alex, you’re chief security strategist.

Yes.

How much of your strategy is, oh, this is a supply chain bottleneck.

We have to get ahead of a story.

How many stories are you getting ahead of rather than putting out fires?

Oh, good point.

Interesting.

I think it’s an equal amount, I would say.

Because yes, there are some situations that you can actually prevent because you thought about it, you knew that would happen and you make some plan.

But then by working with your customers and victims and having a lot of conversations with law enforcement, they’re going to come up with stories that you were like, whoa, I’m an engineer.

I never thought of that scam.

So you start to figure out what can you build from a technological point of view to prevent that.

So I would say it’s a fair equal amount.

So I think we would be remiss if we didn’t leave our viewers and listeners having you at our disposal, at least one or two of the top things they should do to protect themselves from a cybersecurity incident.

So we were discussing about passwords.

So that will be the main thing.

Get the password manager, make him take care of your passwords, and try to remember all those accounts that I’m pretty sure are connected to your present accounts, but you no longer use them.

They’re still active, they’re still there, they can still be hacked if they’re not already.

And second, still for consumers, minimize your footprint, your internet footprint, don’t post stupid stuff, okay?

Now you tell me.

I’m pretty happy I’m a dinosaur, 41 years, so I don’t have online all the stupid shit I did.

Oh, don’t post stupid things that you did.

Exactly.

Oh, I got it.

No, no, I don’t do that.

And for enterprises, there is a wide range of tips and tricks, but the idea is that since ransomware is the number one threat right now, make sure you have backups and make sure you have systems that are going to log things that happen in your organization.

So when we come in and say, let’s see how you were hacked, if you have blogs, we’re going to tell you how.

If you don’t, we’re going to say, well, it happened.

Wow.

Wow.

All right.

Well, those are lessons for the ages, really.

Yeah.

Actually, for the current age, months.

They’re lessons for the next couple of years.

Yeah.

Maybe even that.

Maybe even that.

So Alex, great having you on StarTalk Special Edition on a topic that we all care about.

Gary, thanks for putting that together.

My pleasure.

Thank you, Alex.

Good.

All right.

Chuck, thanks for doing nothing.

Someone hug Chuck.

Chuck, thanks for showing up.

Okay.

This is Neil deGrasse Tyson.