Digital shots have been fired.
In this episode, we talk about The New York Time’s Wordle acquisition, and Apple App Stores new unlisted apps option. Then we speak with Hector Monsegur, director of research at Alacrinet and former black hat hacker about what a cyberwar between Russia and Ukraine would look like and what its effects could be. Finally, we speak with Jamshid Hashimi, founder of CodeWeekend, a coding bootcamp that is still providing education and hope within the chaos caused by the US pullout from Afghanistan and the new Taliban regime.
Saron Yitbarek is the founder of Disco, host of the CodeNewbie podcast, and co-host of the base.cs podcast.
Josh Puetz is Principal Software Engineer at Forem.
Hector X. Monsegur is director of research at Alacrinet and a former black hat hacker.
Jamshid Hashimi is a software engineer, teacher and founder of CodeWeekend, the first and largest developer community in Afghanistan.
[00:00:10] SY: Welcome to DevNews, the news show for developers by developers, where we cover the latest in the world of tech. I’m Saron Yitbarek, Founder of Disco.
[00:00:19] JP: And I’m Josh Puetz, Principal Engineer at Forem.
[00:00:22] SY: This week, we’re talking about the New York Times’ Wordle acquisition, and Apple App Store's new unlisted apps option.
[00:00:29] JP: Then we’ll speak with Hector Monsegur, Director of Research at Alacrinet and Former Black Hat Hacker, about what a cyber-war between Russia and Ukraine would look like and what its effects could be.
[00:00:40] HM: Not only were they able to compromise elements of the software infrastructure and deploy malware through updates, but they’ve reached pretty far, right? It went beyond the scope of Ukraine.
[00:00:52] SY: Then we speak with Jamshid Hashimi, Founder of CodeWeekend, a coding bootcamp that is still providing education and help within the chaos caused by the US pullout from Afghanistan and the new Taliban regime.
[00:01:03] JH: It’s like worries me. I was like, “What if they lose access to the internet? They lose access to electricity and they can’t do that?” Because it is possible that that may happen.
[00:01:16] SY: So we’re starting this episode off with an update. A couple of episodes ago, we talked about the massively popular word puzzle game Wordle, and how clones of the app on the Apple App Store were confusing people like me into thinking that they were the real deal. Apple removed a lot of the most egregious Wordle clones. However, this latest development might be the most effective. Wordle was acquired by the New York Times. In a press release, Jonathan Knight, General Manager for the New York Times Games, says, “As part of our portfolio of games, Wordle will have an exciting future with the help of a team of talented engineers, designers, editors, and more, furthering the user experience.” And Josh Wardle, the creator of Wordle, adds, “If you followed along with the story of Wordle, you’ll know that New York Times games play a big part in its origins. And so this step feels very natural to me.” Wordle became popular as a free web app with no advertisements that Wardle created as a gift for his wife. And there are fears that the times might put up a paywall. But as of now, the time to saying that as the game moves on over to the organization, it will be free to play. We’ll see if they change their minds in the future or create add-ons that’ll require a paid subscription, but now you know, if you want the real portal in the future, head to the New York Times.
[00:03:01] SY: So I am so happy. This story made me so happy. When I saw this, I was like, “Yes! This is so great! Good for him.” It just feels like such a pure internet story, a guy loves a gal and he builds a little game for her, and then he shares his love with the world. Then he gets rewarded with millions of dollars. Just a classic internet story. It just seems so pure and just so beautiful and it just made me really happy.
[00:03:31] JP: The press release for the New York Times, I believe, said that it was in the low seven figures. So that’s like more than a million dollars. Right?
[00:03:40] SY: I mean, it’s at least a million.
[00:03:41] JP: That’s pretty good.
[00:03:43] SY: It was great. I'm sure this took him like half an hour to make.
[00:03:47] JP: I would have taken the high six figures. I think he did great.
[00:03:50] SY: Right? Just give me a free subscription to the New York Times. We’ll call it even.
[00:03:55] JP: Right? If you throw in a game at a New York Times cooking subscription, I mean that’s the high six figures alone.
[00:04:03] SY: Funny.
[00:04:05] JP: Well, Saron, Twitter hot takes and I are here to bring you down to earth by crapping all over this acquisition.
[00:04:12] SY: Okay. Crap away. What you got?
[00:04:14] JP: I’m not going to crap on it, but a subset of people on Twitter are pretty upset. So people are pointing out that the wording of the press release for the Times said that it will initially be free.
[00:04:30] SY: Yeah.
[00:04:31] JP: New York Times Games is a cool set of word-related games, crossword puzzles, spelling bee, a bunch of other things, but it is a paid service. You do have to pay to access it. So the fear is that Wordle is going to get slapped behind a paywall or at the very least New York Times ads. I think that’s a valid I wouldn’t say concern. I think it’s a valid criticism. On the other hand, right now, Wordle players, you’re paying zero. Josh Wardle has to pay hosting costs. So what do you want him to do? Right?
[00:05:03] SY: Yeah.
[00:05:03] JP: But I think the story is really heartwarming. I think it’s great. Who has a daydream of making a little side project and selling it for bajillion dollars?
[00:05:10] SY: Yeah.
[00:05:11] JP: That’s really cool.
[00:05:11] SY: It’s like the dream story.
[00:05:13] JP: It’s a dream story. Yeah.
[00:05:14] SY: Yeah, especially for developers, like this is all we’ve ever wanted, just to like make some silly little thing, and especially in this example, like it wasn’t complicated. It’s not technically challenging. It’s not some crazy technical solution that he spent months and years. It’s this very dead simple little game, but he built on the side. No agenda, no VC backing. It was just a pure little project and then you get millions of dollars for it. That’s just like the dream story. But yeah, I mean, I did see, not a lot, I was happy that I didn’t see, at least in my community, there has been more support of this acquisition, more so than people being upset about it, but I find it just so incredible but anyone feels like they have the right to be upset. That to me is like the most entitled thing ever. First of all, he didn’t make it for you, number one. Number two, he doesn’t owe you anything. You know what I mean? It is crazy to me that people were like, “Oh my God! They’re going to mess it up.” Like people being upset about this is just so ridiculous. Enjoy it for what it is so far. We’ll see what happens in the future. And frankly, I feel like even if this does get put behind the paywall, more than likely one of the hundreds of clones that already exists will then kind of probably just take its place as the new Wordle 2 or whatever. Maybe it’s a different name. I don’t think you’re in danger of not having a little word puzzle to do. I’m sure someone will just copy the idea and make it for free. So it’s ridiculous that people were complaining. They’re very silly.
[00:06:55] JP: Plus, honestly, once spring hits, it gets warm out, we all leave our houses. I mean, we’re all going to forget about this by then. Right?
[00:07:01] SY: Yeah.
[00:07:02] JP: I mean, it’s kind of like a fad right now. I don’t know how much longevity it really has.
[00:07:08] SY: That’s a good point. It feels like a very pandemic game.
[00:07:11] JP: Right. Good for him for striking while the iron’s hot. Yeah.
[00:07:13] SY: Yeah, while it’s hot.
[00:07:29] SY: That’s awesome.
[00:07:30] JP: That’s cheating. That’s spoiling yourself.
[00:07:33] SY: Yeah. Yeah.
[00:07:35] JP: So if you really want Wordle for free, you can save it and load it up at home. But that’s not what makes Wordle fun. What makes Wordle fun is everybody gets the same word every day and you compare your scores with other people. I wonder how much of that will go away when it’s in the New York Times. You got to think, the New York Times, it seems like both a smart acquisition and I don’t want to say dangerous one, but they have to be looking to be like, “Okay, how can we make Wordle fever continue?”
[00:08:03] SY: Yeah. That’s going to be a challenge for them.
[00:08:05] JP: Yeah, exactly.
[00:08:06] SY: Because Wordle has been around for just a few months.
[00:08:09] JP: Oh gosh!
[00:08:10] SY: Has it even been months?
[00:08:11] JP: When does Wordle come out? Is there a Wikipedia article for Wordle?
[00:08:15] SY: It’s a good question.
[00:08:17] JP: Okay. Wikipedia says Wordle was released in October 2021.
[00:08:20] SY: October. All right, so a couple of months. Yeah.
[00:08:22] JP: But I don’t know about you, but I certainly didn’t hear about it until like January.
[00:08:26] SY: I didn’t hear about it then. Yeah.
[00:08:28] JP: Yes.
[00:08:28] SY: Right. Right.
[00:08:29] JP: Okay. Here we go. Here are some stats. Over 300,000 people played Wordle on January 2nd up from 90 players on January 1st. And that figure rose to over two million by the second week of January. We’re talking weeks. We’re talking three weeks at the time of this recording of Wordle fever.
[00:08:46] SY: It’s not been tested. Yeah. This could very easily be a fad. So good for the Wordle guy. We’ll see if it actually is good for the New York Times.
[00:08:55] JP: Yes, exactly.
[00:08:56] SY: We’ll check it. We’ll check in a couple months and see how the world feels about it.
[00:09:00] JP: Well, speaking of the Apple App Store, Apple announced this week that it’s allowing developers to create unlisted apps in the store that are only accessible through a direct link, Apple’s Business Manager or Apple’s School Manager. Those are programs for businesses and schools to distribute applications. In a post, Apple writes that unlisted apps, which are not available to the public and will not appear in any App Store categories or search results are great for things like special events, research studies, or for specific organizations to use for things like employee resources or sales tools. You still have to submit a request for an unlisted app link and just like regular apps, they go through the App Store review and approval process. They also need to be ready for final distribution. They can’t be a beta or a pre-release app. And Apple points out that there’s no protection on the link. So if someone has the link for one of these unlisted apps, they can download it. So they suggest that you put in username and password authentication in the app themselves. I found this kind of a head-scratcher until I was looking a little bit into it and I was reminded about back in 2019, I think we talked about this on the show. I don’t know if you remember this, Saron. Facebook and Google and a bunch of other companies got into a real big trouble by distributing apps through their enterprise app distribution. And these were apps for doing things like installing VPNs on users’ phones and paying them to like run ad programs. There were gambling apps. There were porn apps. They were all being distributed through these enterprise services and Apple very quickly put the brakes on that. And I wonder if this is a response to get that program back up and running with more control on Apple’s side.
[00:10:46] SY: I see. So basically being like, “Okay, we’ll give you a way to do it, but you’re still going to do it according to our rules. It’s still our house and there’s still going to be a review and a process that has to be followed, but we’ll give you a little bit more leeway.”
[00:11:02] JP: Yeah.
[00:11:03] SY: I guess. Yeah.
[00:11:04] JP: Yeah. There was a story that came out, it was back in 2019, a subsidiary of Facebook. It is basically like they would pay you to install a VPN on your phone and then ads got served up and they would do some monitoring. And that obviously is all way against App Store policies. So the way they were distributing it was they were using their enterprise certificates to distribute this. But enterprise certificates are really meant for if you had an internal application at Facebook for employee onboarding or whatever. Apple in response rescinded Facebook’s enterprise certificate. And I remember the stories at the time, it talked about how people could not get work done at Facebook because the apps weren’t working on their phone for like days.
[00:11:42] SY: Oh, no!
[00:11:43] JP: So this seems like it’s maybe a way to re-enable enterprise distribution, but without the dangers of people going around the App Store.
[00:11:52] SY: Yeah, that makes sense. Because when I first heard or read just the headline of it, I was like, “Oh, cool. You don’t have to go through test flight for your betas.” I thought it was a little bit more freedom and I was like, “That’s very un-Apple-like, like but also really cool.” But if you still have to go through the review process and you’re still submitting your request and you’re still doing all this stuff and it specifically says not for beta or pre-release, it’s like, “Okay, well, then who is this really benefiting? How does this affect developers?”
[00:12:20] JP: Yeah. It is kind of interesting to also see Apple make moves in this direction when governments by and large are pushing Apple to open up the App Store and allow side-loading. So for example, if I was a large company and I had an application I wanted to distribute to my employees, the options for me to just send them that application to have them directly put on their phone, well, that doesn’t exist at all without any kind of special certificates right now. And I think a lot of government agencies we’re seeing around the world are pushing Apple to open that part up. This seems like it’s in direct opposition to that, and I’m wondering, this might also be Apple filling out that part of the story saying like, “Oh, you can’t use the argument anymore that side-loading is necessary for you to distribute your employee-only apps.
[00:13:05] SY: Because we’ve given you a way. Yeah.
[00:13:07] JP: We’ve given you a way. We’ve thought of everything. So it seems rather suspicious of that light.
[00:13:12] SY: Yeah. I’m interested to see how companies end up using this and kind of where this goes and if their rules end up changing or being modified and seeing the use case for this. So I guess we’ll see what people do with this in the coming future.
[00:13:25] JP: I am absolutely certain, we will see some sort of maybe an app, like how Clubhouse was very exclusive at the beginning. I am sure we will see an app that has like private-only link for at launch. Right. Yeah.
[00:13:38] SY: Yeah, for sure, for sure. Coming up next, we talk about the cyber-attacks against Ukraine and what the effects of a cyber-war between Russia and Ukraine could look like after this.
[00:14:06] SY: Here with us is Hector Monsegur, Director of Research at Alacrinet and Former Black Hat Hacker. Thank you so much for joining us.
[00:14:13] HM: Thank you for having me.
[00:14:14] SY: So we’ve had you on the show a couple of times in the past already. And typically it’s because something bad has happened in the world and we need you to kind of help us understand it and kind of walk through and explain it a little bit. This time it is that Russia has sent more than a hundred thousand soldiers to their border with Ukraine. And I don’t think it’d be an exaggeration to say that we’re on the precipice of a pretty big war. But even though no physical shots have been fired, there have already been digital shots allegedly fired, so to speak. Can you talk about what this kind of cyber warfare has looked like so far?
[00:14:54] HM: Whenever there is a conflict between Russia and another party, it seems that hackers that are aligned with the Russian Federation tend to target the other country in question. In this case, we have new stories coming out of Ukraine that adversaries defacing and attacking websites in that part of the world. Defacements are not that big of a deal. It’s akin to like maybe graffiti on a Ukrainian building or something, but there have been other more serious effects against infrastructure. And who knows what else? Because usually when you start to hear those kinds of attacks taking place, it’s likely the tip of the iceberg. So there are some things here that I definitely want to bring up that I think is very important and that is that there was a point in time, actually recently, over the last several years where Russian hackers targeted the Ukrainian power grid and took them offline. They were able to dismantle enough or cause enough damage rather that Ukrainians were essentially left without electricity. That’s a bad thing, right? That’s the point we’re on the scope of a website defacement.
[00:16:05] SY: Right. Right.
[00:16:06] HM: But even before that, you had incidents where hackers, again, it’s hard to say whether or not they’re Russian government actors. For now, the consensus is that these are folks that are living within Russia or who align themselves with Russia that are targeting Ukrainian assets. But even before, the conflicts in Ukraine, another incident, pretty big incident with Estonia. Estonia, if you guys don’t know, is a fantastic little country in the region that they’re relatively, I would say, modern. They have a digital-only passport system and they’ve come a long way for sure. Now Estonia itself had issues with Russia and vice versa. You also in that situation had Russian actors targeting and shutting down Estonia by means of denial of service. So distributed denial of service. So this is nothing new. This is nothing that should surprise anyone. It’s kind of in the modus operandi of Russian politics.
[00:17:04] JP: So in this latest round of attacks, Russia is the leading suspect in defacing Ukrainian government websites, as well as putting destructive malware into some of them. And I’m wondering if you could talk about, what do you think Russia is hoping to accomplish with these attacks?
[00:17:21] HM: So that’s a great question. Right? So the way it works over there is that Russian actors, they may not be part of the Russian government, they’re not employees of the Russian government, they’re not in the military, they may be citizens. Okay? Or they align themselves. They could be Russian aligns or affiliated actors in let’s say Kazakhstan, as an example. Okay? They will target enemies of the Russian Federation by any means necessary. So that could be defacements. Like I said, it’s akin to graffiti on a building. They will release things like wiper malware, and wiper kind of malware strains are very similar to ransomware with the exception that there is no ransom to pay. As soon as that malware is executed, it would operate as a ransomware in terms of propagation and lateral movement or at least attempting so. But the end goal is not to pull a ransom, rather it’s to destroy. Some of the news that came out of there recently has been that wiper malware has been deployed across Ukraine, at least in some sectors. And I would recommend anyone listening to this, take a look at Microsoft’s APT debriefs. There’s some really good blog posts by Microsoft and other researchers in the field, by the way, they kind of discuss these wipers and attacks against Ukrainian infrastructure. Going back to your original question. So what’s the goal here? Well, the goal is disruption. Imagine this, and this might sound really crazy, but imagine if a wiper or some sort of malware strain or some sort of hack is so effective that it disrupts the Ukrainian military. One, the actor would be considered like a hero. But two, it might give an advantage to the Russian Military. Now there’s another point I want to make. So remember in the beginning of this I said that we really don’t know whether these actors are just affiliates of the Russian government or they’re just affiliated by means of ideology or politically, whatever, but there’s also the connection where they may be participating in cyber-crime locally in Russia and the Russian government kind of gives them a pass. This may motivate actors to kind of have a certain alliance or allegiance to the government that’s protecting them from rust. So there’s a lot of nuances to this, and I think it’s fascinating from an outsider’s perspective because I’m not Ukrainian or Russian. So being able to kind of see this take place is pretty amazing to me, to be honest.
[00:19:51] SY: Can you talk about some other hacks in the past that Russia has committed against Ukraine, like the 2017 NotPetya attack?
[00:20:00] HM: Unfortunately, Ukraine has been kind of a test bed for a lot of these different tactics, tools, techniques, procedures, malware deployments. I mean, the NotPetya attack was pretty insane because the adversaries were able to compromise essentially a supply chain for a very important product in Ukraine. Not only were they able to compromise elements of the software infrastructure and deploy malware through updates, but they’ve reached pretty far, right? It went beyond the scope of Ukraine. There’s one thing that the audience may find interesting is that whenever there is a new malware shrink coming out of Russia, whether it’s a worm, whether it’s like ransomware, whatever, one of the caveats to its operation is that it will not execute on Russian language hosts. So it wouldn’t execute on a system in Kazakhstan or Belarus or anywhere in Chechnya or in Russia in general or any allies. So yeah, it’s very interesting to see how that’s a place. Again, I feel bad for Ukraine because they’ve been dealing with a lot of these acts for a long time. Estonia is another one. Right? Estonia has had conflicts with Russia and it kind of had to deal with this. Countries like Finland, Sweden, Norway, they’ve had to deal with these kinds of attacks as well. These countries and ones that I mentioned have spent a lot of time and a lot of money on cybersecurity, information security, all sorts of training. Point is if you are an enemy of Russia or any of its allies or affiliates, it’s very easy to become overwhelmed and will take a lot of money to give yourself an edge.
[00:21:36] JP: I’m curious, how hacks like these from one government against another or targeting one country can have consequences for both other countries and civilians? Does collateral damage exist in cyberwarfare? And what does it look like?
[00:21:54] HM: It is a good question. Right? When you look at similar to NotPetya, in other similar attacks that took place on the same time, what you have is the potential for an attack going beyond the scope. What if Ukraine was part of a European grid and taking down Ukraine meant that it had a cascading effect across Europe? That obviously was not the situation, but what if it was? What’s the most damage you can cause in a situation like that? The reality is that people are going to die. There is going to be conflict and people have gone to war for much less. So I think that the Russian government is probably looking at this as like, “Okay, if we’re going to launch an attack, it has to be completely hyper-focused. And if our affiliates or folks that are aligned with us start doing these major attacks, then we need to get in contact with them to kind of limit the scope,” because it could be terrible.
[00:22:47] JP: Due to these attacks against Ukraine, the US Cybersecurity and Infrastructure Security Agency warned last month that, “Urgent near-term steps against cyber threats should be taken.” And I’m curious if you think the US government’s doing enough to protect its citizens from these potential threats.
[00:23:04] HM: We’re fortunate that the leadership in not only our government, but in CISA itself, they’re taking some serious steps. In fact, I would recommend that everybody that listens to this podcast go to CISA.gov. CISA.gov has been doing a great job at dissemination of information, listing vulnerabilities are being exploited, providing actual mediation dates as to when those issues should be resolved. Obviously, they cannot enforce any of their policies on anyone except for maybe organizations that fit within like federal guidelines for infrastructure and so on. But they’re providing that information for free. Right? They’re even providing like free pen testing assessments to organizations that are not federally regulated. So if you have a business and you have a network and you have assets, I would say reach out to CISA, follow their directions, see what they’re offering. If you’re willing to give you a free assessment and by all means do it. We can do more. And I think that we’re in a fortunate place. I think it has to do a lot with the fact that ransomware really affected the world over the last several years, especially US companies as supply chains that CISA stepped up. I think that they could do more for sure. They probably need more funding as well, but right now they’re doing the best they can. So I'm a supporter of CISA. I’m very happy with what CISA is doing, but they are a federal agency at the same time. And with that, you have to assume there’s some sort of bureaucracy. You have to assume that there’s also some other policies that don’t make sense. For example, I reached out to CISA. I let them know, “Hey, I want to do whatever. I support you guys. If you need me to do an event, you need me to retweet something, whatever hit me up. I’m there to support you guys because I think you’re doing great work.” And the email that I got back in response was, “Well, we really cannot ask for outside assistance. We have internal policies behind that.” So in one way I respect it because it is a federal agency. On the other end, I’m like, “Well, we need to be more collaborative. We need to all work together.” Like for example, this podcast, this episode is great because it’s going to touch on subjects that people aren’t really talking about. We have a problem in this country, in our country, that we really haven’t figured out on how to deal with it, how to move forward on it, and that is cyber security. When you have kids and teenagers that are like more astute technologically than their parents or their grandparents, they’re still getting hacked. They’re still getting compromised even though they’ve been on the instances that have been five, six years old. They still don’t have at the very least basic security hygiene, and that’s a problem. Because you would expect that by now, in 2022, with this new generation, with the last several generations that have been technically savvy, they still have the password problem. They’re still having issues with maintaining their privacy and identity. You still have people getting their nudes leaked on the internet. Yeah. So there’s still a lot of awareness training and education that we need in this country for sure.
[00:26:04] SY: Is it even possible to anticipate all the different ways that big cyber-attacks against one government from another might affect our own country?
[00:26:16] HM: Yeah. So absolutely. Right? So we know that we have problems in our country. We saw when we had the colonial pipeline issue, that’s a place maybe last year or the year before. You had an industrial company, essentially a pipeline company that is not a government asset, but they are federally governed or regulated. They were compromised. It took their systems offline, but it affected Southern to East Coast distribution of oil and gasoline and so on. So what does that tell you? That tells you that we do have some weaknesses in our country. If there is a war, let’s say that Russia invades Ukraine today and we participate with NATO to defend Ukraine against the Russian invasion, all of the actors that I’ve mentioned before, the affiliated actors to Russia, the Russian Federation, they will start to target US interests and assets. Absolutely. Whether they’re from Russia or China or North Korea, and by the way, they’re already targeting us as it is. So as you can imagine, if there is a war, you’re going to have a bunch of angry nerds sitting at home that cannot fight in the field, focusing their efforts on our weaknesses.
[00:27:23] JP: President Biden said recently in a press conference that the US might respond to future attacks against Ukraine with its own cyber-attacks against Russia. What do you think of that kind of strategy? Do you think that is something that is useful or are we just expanding the conflict?
[00:27:45] HM: I'm not a big fan on posturing and rhetoric and all that. At the end of the day, It’s a hard situation to be in because Ukraine is not part of NATO. Right? And we’re willing to protect Ukraine because they are an ally. But at the end of the day, if it’s a full-scale invasion, we really don’t have to get involved. Right? We could just sit back and tell Ukraine, “Listen, we’ll handle your refugees, providing some sort of support, but this is a battle that we cannot get involved in. Maybe you should look for your European neighbors.” I mean, it’s a complicated issue. And I think that Biden, I think that his response has so far been more rhetorical than anything. I’m not criticizing him. What I’m trying to say here is that that’s probably not a good way to go about it because all you’re doing is inviting your enemies to kind of like work together. If anything, if there needs to be a threat or there needs to be any sort of vocalization of intentions or whatever, I think something like that should probably happen face-to-face or between diplomats. I don’t think that’s something that should be propagated to the world. Because again, it’s going to really bring in threat actors from around the world that just does not like or do not like the United States whatsoever. Now it brings us to an interesting point. Right? So there was a point where during the height of ISIS, I’m sure you guys remember that, there was a point where ISIS started to recruit hackers, digital activists, and hacktivists. It was a pretty wild ride because ISIS was trying to go beyond their scope and they were successful. They recruited a hacker who eventually got, he got drones by the US military. I think it was the first time in history that a hacker was assassinated or killed in a military zone or whatever. The NATO themselves have also said that they would respond to hacking incidents physically. Okay? So yeah, it’s a weird place because, okay, let’s say there was a full-fledged war and United States Intelligence has location information about hackers in let’s say Russia, they can start wiping out hackers. It’s going to be a game-changer depending on what happens with this political issue here.
[00:29:50] JP: What do you think we should expect in the near future in terms of cyber war escalation? And is there anything we as developers or even just average citizens can do to better protect ourselves?
[00:30:04] HM: I mean, so let’s look at the pattern or maybe the direction of where things are going. So we know that ransomware is effective.
[00:30:09] JP: Right.
[00:30:10] HM: And a lot of the ransomware groups that are successful are based out of Russia or Russia alliance. It is a good way to make money for that. Right? It’s kind of like their modus operandi at this point. They’re quite effective. They’ve disrupted many companies, industries, in some cases governments, local or not. Now what if there was a war? What if the ransomware operators weaponized this capability? It’s already weaponized as it is, but what if they just changed all the payloads to instead of creating a ransom situation or requesting a ransom rather, they just turn all of these payloads into wipers where every time these payloads are executed on a network, the payload tries to propagate itself across the network and at a certain point of the day or a certain day it just destroys everything, destroys all the files, deletes all the files, overwrites the files so that they become irrecoverable? Maybe target backup systems so that organizations cannot recover from that initial attack. We’ve already seen evidence that wipers are being used in Ukraine. I’m sure there may be evidence that wipers are being used here in the US. I haven’t really read any stories on that, but anything is possible at this point. So in terms of an escalation, what you may see is the weaponization of ransomware payloads in games turning their efforts from getting money to instead turning those ransomware payloads into something more malicious, even more malicious than ransomware, if that makes any sense. And at that point it’d be problematic. So I’ll give you a good example. As you guys remember, there was a big attack against SolarWinds. It was a supply-chain attack. It affected at least a thousand companies or more or depending. As you can imagine, the kind of clientele SolarWinds had ranged from anywhere from a medium-sized business to a federal agency or maybe local state agencies and governments. What if that attack wasn’t meant for information gathering lateral movement and it was more of an attack for a wiper campaign? That’s at least a thousand companies that would have been wiped off the internet essentially, or out of operation. That’s big. That’s a major issue. So I don’t want to be the guy that says here spread fear, uncertainty or doubt or fad, but I will say that if there is a conflict, things will get much, much worse very quickly, and I think that is going to hurt a lot of people.
[00:32:25] SY: Is there anything else that we haven’t covered about this that you’d like to speak on?
[00:32:29] HM: I kind of want to touch on your last question, which is what can we do today to try to mitigate that stuff? Right? Well, it starts off with each and every one of us, from you guys here in your studios to your listeners and abroad, simple things, and I hate to beat a dead horse because these topics are so burned out, but like making sure that you have a solid personnel security policy, you have a solid password policy, making sure that if you are an organization, you’re following guidelines. Again, go to CISA.gov. They’re providing free resources on what you can do to safeguard your network. There is a lot that you can do for free right now today. It just takes time. And if you are a person that says, “Well, time is money.” Then yes, it’s going to cost you something. Now in terms of the federal government, the federal government has a problem. The US government has to deal with the fact that the United States is a very broad attack surface, or has a very broad attack surface, meaning that there’s just so many targets. Is it possible to secure it all? So the goal for the federal government would be to start focusing on infrastructure and supply chains and ensuring that even if an attacker gets into a local network, the damage that can be caused is mitigated to an isolated, tiny section of that network. Going back to Biden, President Biden, he signed an executive order. I believe they just awarded Booz Allen Hamilton, a federal contractor, an award or grant rather to develop a zero trust model for the US government. So even when Biden leaves, we’re hopefully going to be able to adapt that, and it’s going to strengthen at least the federal government in terms of security. For the rest of us, unfortunately, if an attacker gets into like your mobile provider or they’re getting into Gmail or they’re getting into AWS or whatever, there really isn’t much you can do, except turning your phone off and going for a nice walk. I would also recommend folks as we are in a weird time to make sure that you buy MREs and canned goods and survival kits because you never know. If that war, if it takes place, goes beyond the scope of Ukraine, then it may make things a bit difficult here in terms of supply chain, distribution of food and so on. We always want to be prepared anyway, and that’s my run of the day. It’s good for us to be aware of the worst-case scenario so that we can at least prepare for it.
[00:34:58] SY: Well, thank you again so much for joining us.
[00:35:01] HM: I’ll catch you guys next time.
[00:35:15] SY: Coming up next, we talk about a coding bootcamp, providing hope and education to those living through the current chaos and daily struggles of the new Taliban regime in Afghanistan after this.
[00:35:41] SY: Here with us is Jamshid Hashimi, Founder of CodeWeekend. Thank you so much for being here.
[00:35:46] JH: Thank you for having me.
[00:35:47] JP: Can you tell us a bit about CodeWeekend? How was it founded? What its mission is? And what kind of things do you teach there?
[00:35:54] JH: Yeah. So I studied in Turkey. And after I finished my studies, I went back to my country, Afghanistan, Kabul, the capital, and I started working. Of course, the tech ecosystem was just starting there and it was in its very like early moments. So after a couple months of working there, I was really bored.
[00:36:19] SY: Oh, no!
[00:36:19] JH: Because there were no communities and I was talking with developers. They were all kind of coming to work, going back. There’s no sense of engagement, community networking that I used when I was in Turkey. So then I said, “Well, I’ll make one.” And that’s how I came up with the idea of CodeWeekend that in my mind was like, “Okay, Thursdays and Fridays are the two good days that we can gather people because they’re like mostly available.” And Friday in Afghanistan is a weekend. So that’s how it’s like CodeWeekend. That’s how the name came. And to my surprise, when I went out to reserve the usernames, it was all available in Twitter and Instagram and then Facebook.
[00:37:07] SY: Nice!
[00:37:08] JH: So that’s how it started actually. So for the past seven years, I am running CodeWeekend and I am in the community. We have over 4,000 members. They are computer science students in Afghanistan. They are recent graduates. They are developers that worked or working or some of them made it outside. So there are different categories of people in our community, which all of them are to be developers or developers. We provide different activities and services. One of the main things that we do is conduct including bootcamps for the developers in Afghanistan and from Afghanistan, which they essentially became refugees.
[00:37:54] SY: Tell us a little bit more about what the tech scene was like before the US withdrawal from Afghanistan.
[00:38:02] JH: I mean, for the past 20 years, we have some growth and development in terms of technology and in software in Afghanistan. When the previous regime of Taliban was ousted from the scene and when the international troops came, Afghanistan started to stand on their feet in all areas, including technology. So there was an attention to hire from locals to educate Afghans in different digital scales so that they can get back to work and come and help the government with all traditional policies and there was kind of like a growing private sector as well. We had like a lot of companies, which I also have a startup back there as well. We were developing applications, websites, databases in many areas. And of course, it was going very nice. We had lots of interests from outside as well. There are like investors coming in. There are programs like Founder Institute, like Startup Grind, and many other initiatives where we’re coming in, which really makes it like an ecosystem for that technology, for the economy, for everything to grow. And to everyone’s surprise and shock, when last year’s events happened and the whole government collapsed in a matter of weeks, we felt and still have the same feeling that we were grounded to level zero again. And because the new folks that took over the government, they do not have any kind of experience in terms of governing, in terms of technology, in terms of like any other stuff that was there for the past 20 years and all the values that began for the past 20 years. So that’s still very shocking and I’m not sure when we can recover from that. But one thing for sure, there are still people there. They may be jobless, but there are opportunities outside of Afghanistan as well. So let’s keep on educating. Let’s keep on empowering them.
[00:40:20] JP: So obviously this has been a huge change for you, also a huge change for your students as well. Can you talk about how the change in regimes has affected your students? I’m curious what their lives were like before compared to what their lives were like now.
[00:40:36] JH: In terms of the life, things really changed dramatically. We had a couple of bootcamp cohorts previously as well. And in that, we’re inviting our participants to come to a place every week. They were having their sessions, the instructors were coming, the mentors were available. They’re all like boys and girls together sitting in the same class and going through the materials that we considered for them in the bootcamp. Now when we started a bootcamp cohort in last October, I really had to rethink about that, and I was a little shocked. For me, that was like, “Hey, I can ask the boys to come to this place, but I can’t ask the girls to come. I can’t guarantee that if someone is going to stop them on the way and say where you’re going or why you are joining this class with boys.” Right? So we have to rethink regarding our programming in that way, but thanks to technology and the tools that are available, we were able to do this virtually and remotely as well, and put more follow-ups and put more remote engagement with them so that they don’t feel lonely, but most importantly that the girls, students, that they feel being part of the program and so that they continue learning and growing and then that the promises that after they gone through this, this program, then we will help them with placing them into internships and jobs that will mostly be remote opportunities. But it was really shocking to kind of think how we need to think differently just in a matter of like months.
[00:42:29] SY: Can you talk about the importance of maintaining alternative educational opportunities like this in Afghanistan?
[00:42:36] JH: So before, we were graduating more people than the demand of the market was before the collapse of the government. And I was watching the trends around the world in terms of like the remote work being something that is in trend. And if you have a connection and a laptop and you gained some quality education, you can work from anywhere. I always say this that the language of the code is the same everywhere. Even for English and British language, for example, there’s accent differences, but the code is the same. Right? So you can sit in Kabul or in London or in Vancouver or in New York and you can write the same quality code if you have those skills. So that was the biggest motivation for me to keep on believing that this is a great way for us to provide a better life and also help the economy in the country. So this was before the collapse of the government. This was the thinking back then. But after the collapse of the government, that only became more prevalent and more stronger, the thinking, because it won’t be an exaggeration that the hundreds of people writing to me that because the government fell and because lots of companies and NGOs closed their doors and shut down their operations in Afghanistan, we now need jobs. We now need to work. We are jobless. So it became really, really important again to upscale these developers according to the demands in the market worldwide, and then place them into different remote jobs or internships that they can take from there and then earn some money for themselves and their family. Institutions in the country currently are unfortunately not in the position to prepare these individuals for the demands as out there in the global market. Of course, the situation in the country, the security, the economy affects the institutions that educate these computer science students as well. So our efforts really filled the gap in here and we witnessed how it transforms their lives and prepares them for the opportunities in the global market.
[00:45:02] JP: So much of your bootcamp now relies upon access to the internet and remote work and remote communication. Are you concerned at all about the government in Afghanistan limiting access to the internet to your students? Is that something you’ve had to work around so far or you think you may have to work around?
[00:45:25] JH: Definitely, that’s a major concern for me, for the students. We ask them to provide daily updates because to practice coding every day, to kind of like help them get the habit of doing that, if we ask them to provide daily updates. And when they’re doing that, sometimes it worries me. I was like, “What if they lose access to the internet? They lose access to electricity and they can’t do that?” Because it is possible that that may happen. Right? We didn’t have like stable electricity back then, but recently we are seeing more problems around their electricity for hours in the day, their electricity for some hours in the night. And that’s how they charge their batteries. They also have a setup mostly kind of with spare batteries and some of them also set up like solar systems on the roof of their houses so that when they have electricity they can reserve it, so that they can use it during the day, and for internet as well. So we send them credit, mobile top-ups, and they purchase internet from the telecoms there. So they get internet in their phone and they connect that internet to their laptop that way. They are all operated like ISPs, operational, still operational in Afghanistan. The cost of getting those is a little high. And most of these folks, their families, their brothers, their father, they lost their jobs. So they are having difficulty. So we are helping them that way so that they get internet access. And we are hopeful that things get better. Of course the concerns are there. We are hopeful that we have a better electricity, we have a better internet and cheaper internet rates, but so far that’s a hope. And for the way that we manage so far is sending them mobile top-ups so that they can buy internet packages.
[00:47:26] SY: So do you worry about safety and taking precautions, whether it’s for yourself, for your students? Are there certain things that are top of mind or that you’re doing to kind of protect yourselves from possible consequences?
[00:47:43] JH: So we completely made our structure virtual that there is no way for us to get into any possible problems conducting these bootcamps. And we are hearing some news about disruptions that happen in the events and gatherings and like the current regime being so much against mixed education. So considering that, we are using these tools and technology to kind of like have this all virtual. And it’s still possible because when they have internet and they have electricity, there’s no problem.
[00:48:22] JP: What does success for your students look like? Is that finding a job in Afghanistan? Is it finding a remote job overseas? Is it going on to teach others? Talk a little bit about your hopes and dreams for your students.
[00:48:35] JH: Of course, upskilling them is a major milestone for us to be able to help them with learning all these tools and techniques and languages that are being used in the global market. For me, I kind of like mark that as a success for a student when they get an internship or a job and they are placed somewhere. It can be locally. Local opportunities are like extremely restricted now because of all the organizations and NGOs and government shutting down and collapsing. But at this point, our goal is to be able to place them into remote internships or job opportunities outside of Afghanistan. It can be neighboring countries. It can be anywhere. So it is just about that. I think what we fail and a lot of like probably media and then they have political situation in the country doesn’t help with us marketing these talents outside and there’s so much happening in the news that we can’t really portray the talents and the skills of these developers and the hard work that they put in learning things and practicing things, but that’s our struggle and what we want to achieve more of like these students being placed so that we can have more stories to tell and more people to believe to hire them.
[00:50:05] SY: And are you partnering with any other companies or organizations to try to connect your students to internships, apprenticeships, that kind of thing?
[00:50:13] JH: Yeah. We had an amazing support of Scrimba, which they provided free access to their platform for all our students, so that they can go through their front-end career path bootcamp, which are the students are using. And we have got a lot of support from different entities and organizations or individuals. Recently, a CEO of a medium-sized company in the US said, “Hey, I need a React developer. Can you shortlist some for me?” And I did that from the community. And one of them got into the job and he’s working now from Kabul as part of the team and he’s getting paid and he’s super happy. So that’s the kind of activities and work that we do with our students and with other communities that are working in this area together.
[00:51:07] SY: Well, thank you so much for being on the show.
[00:51:09] JH: Thanks for having me.
[00:51:21] SY: Thank you for listening to DevNews. This show is produced and mixed by Levi Sharpe. Editorial oversight is provided by Peter Frank, Ben Halpern, and Jess Lee. Our theme music is by Dan Powell. If you have any questions or comments, dial into our Google Voice at +1 (929) 500-1513 or email us at [email protected] Please rate and subscribe to this show wherever you get your podcasts.