Personal Finance – Career & Education

The UK moves another step closer to banning phones in schools

Mobile phone ownership has become standard for people of most ages, and, while there's a convenience argument, experts and regulators alike have expressed concerns about children's well-being and distraction while learning. To that end, the UK government has become the latest to announce guidance for banning the use of phones during school. It follows other European countries like France and Italy, which prohibit phones in classrooms. 

Some schools in the UK already have no-phone policies in place, but these guidelines could bring widespread adoption and uniformity. "This is about achieving clarity and consistency in practice, backing headteachers and leaders and giving staff confidence to act," Gillian Keegan, the UK's secretary of state for education, said in a release. "Today's children are growing up in an increasingly complex world, living their lives on and offline. This presents many exciting opportunities – but also challenges. By prohibiting mobile phones, schools can create safe and calm environments free from distraction so all pupils can receive the education they deserve."

While the UK government encourages schools to create their own policies, it outlines a few overarching options. The first — and most extreme — is a complete ban on mobile phones from school premises. However, the guidance acknowledges that this could create complications or risks for children when traveling to and from school. The next option takes care of that problem while still taking phones away. It suggests having students hand in their phones when arriving at school.

Then there's the locker route, where phones are kept strictly in students' lockers or whatever personal storage they get at school. While this allows students to keep possession of their device, it still wouldn't be usable at any point in the day, even when accessing the locker during breaks. The final option aligns with what many schools do — let students keep their phones in their bags, but they should be turned off and never accessed. 

The guidance also recommends teaching students about the mobile phone's potentially harmful impact on young people. Study after study has found that social media, in particular, can negatively impact young people's mental health. The UK government argues that, in addition to combating the social media issue, restricting phone use can increase students' concentration, time being active and spending time with peers face-to-face. 

Parents are encouraged to contact the school directly rather than through a private phone if they need to get in touch with their child. The guidance also encourages parents to discuss the rules at home and, once again, the risks of phones and the internet.

This article originally appeared on Engadget at


How security experts unravel ransomware

Hackers use ransomware to go after every industry, charging as much money as they can to return access to a victim's files. It’s a lucrative business to be in. In the first six months of 2023, ransomware gangs bilked $449 million from their targets, even though most governments advise against paying ransoms. Increasingly, security professionals are coming together with law enforcement to provide free decryption tools — freeing locked files and eliminating the temptation for victims to pony up.

There are a few main ways that ransomware decryptors go about coming up with tools: reverse engineering for mistakes, working with law enforcement and gathering publicly available encryption keys. The length of the process varies depending on how complex the code is, but it usually requires information on the encrypted files, unencrypted versions of the files and server information from the hacking group. “Just having the output encrypted file is usually useless. You need the sample itself, the executable file,” said Jakub Kroustek, malware research director at antivirus business Avast. It’s not easy, but it does pay dividends to the impacted victims when it works.

First, we have to understand how encryption works. For a very basic example, let's say a piece of data might have started as a cognizable sentence, but appears like "J qsfgfs dbut up epht" once it's been encrypted. If we know that one of the unencrypted words in "J qsfgfs dbut up epht" is supposed to be "cats," we can start to determine what pattern was applied to the original text to get the encrypted result. In this case, it's just the standard English alphabet with each letter moved forward one place: A becomes B, B becomes C, and "I prefer cats to dogs" becomes the string of nonsense above. It’s much more complex for the sorts of encryption used by ransomware gangs, but the principle remains the same. The pattern of encryption is also known as the 'key', and by deducing the key, researchers can create a tool that can decrypt the files.

Some forms of encryption, like the Advanced Encryption Standard of 128, 192 or 256 bit keys, are virtually unbreakable. At its most advanced level, bits of unencrypted "plaintext" data, divided into chunks called "blocks," are put through 14 rounds of transformation, and then output in their encrypted — or "ciphertext" — form. “We don’t have the quantum computing technology yet that can break encryption technology,” said Jon Clay, vice president of threat intelligence at security software company Trend Micro. But luckily for victims, hackers don’t always use strong methods like AES to encrypt files.

While some cryptographic schemes are virtually uncrackable, it’s a difficult science to perfect, and inexperienced hackers will likely make mistakes. If the hackers don’t apply a standard scheme, like AES, and instead opt to build their own, the researchers can then dig around for errors. Why would they do this? Mostly ego. “They want to do something themselves because they like it or they think it's better for speed purposes,” Jornt van der Wiel, a cybersecurity researcher at Kaspersky, said.

For example, here’s how Kaspersky decrypted the Yanluowang ransomware strain. It was a targeted strain aimed at specific companies, with an unknown list of victims. Yanluowang used the Sosemanuk stream cipher to encrypt data: a free-for-use process that encrypts the plaintext file one digit at a time. Then, it encrypted the key using an RSA algorithm, another type of encryption standard. But there was a flaw in the pattern. The researchers were able to compare the plaintext to the encrypted version, as explained above, and reverse engineer a decryption tool now made available for free. In fact, there are tons that have already been cracked by the No More Ransom project.

Ransomware decryptors will use their knowledge of software engineering and cryptography to get the ransomware key and, from there, create a decryption tool, according to Kroustek. More advanced cryptographic processes may require either brute forcing, or making educated guesses based on the information available. Sometimes hackers use a pseudo-random number generator to create the key. A true RNG will be random, duh, which means it won’t be easily predicted. A pseudo-RNG, as explained by van der Wiel, may rely on an existing pattern in order to appear random when it's actually not — the pattern might be based on the time it was created, for example. If researchers know a portion of that, they can try different time values until they deduce the key.
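The two ideas above, comparing known plaintext against ciphertext and trying time values until the key falls out, combine into the following added example, which is not from the article or from any researcher it quotes. The cipher is a constructed toy (a XOR keystream from Python's `random` seeded with a Unix timestamp), and the sample file, timestamps and function names are assumptions made for illustration.

```python
import random

# Known plaintext ("crib"): every PDF file begins with these bytes.
PDF_MAGIC = b"%PDF-1."

# Constructed sample data, not taken from any real incident.
SAMPLE_PLAINTEXT = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
SECRET_SEED = 1_700_000_000      # second at which the toy key was generated
OBSERVED_MTIME = 1_700_000_123   # mtime of the encrypted file seen by the analyst


def keystream(seed: int, length: int) -> bytes:
    """Toy keystream: bytes from a PRNG seeded with a timestamp.

    Stand-in for a weak home-made scheme; assumed for this example only.
    """
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def apply_cipher(data: bytes, seed: int) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))


def recover_seed(ciphertext: bytes, crib: bytes,
                 not_before: int, not_after: int) -> list[int]:
    """Try every second in the window and keep seeds whose keystream
    turns the start of the ciphertext back into the known plaintext."""
    head = ciphertext[:len(crib)]
    hits = []
    for seed in range(not_before, not_after + 1):
        if apply_cipher(head, seed) == crib:
            hits.append(seed)
    return hits


def decrypt(ciphertext: bytes, seed: int) -> bytes:
    return apply_cipher(ciphertext, seed)


if __name__ == "__main__":
    locked = apply_cipher(SAMPLE_PLAINTEXT, SECRET_SEED)
    # The file's modification time bounds when the key was generated,
    # so search ten minutes either side of it.
    candidates = recover_seed(locked, PDF_MAGIC,
                              OBSERVED_MTIME - 600, OBSERVED_MTIME + 600)
    if len(candidates) == 1:
        print("seed:", candidates[0])
        print(decrypt(locked, candidates[0]).decode())
    elif not candidates:
        print("no seed in window: widen the time range")
    else:
        print("ambiguous: use a longer known-plaintext prefix", candidates)
```

A seven-byte crib is enough to rule out false matches across a window of this size; a much shorter crib or a much wider window is where more than one candidate seed would start to appear.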

But getting that key often relies on working with law enforcement to get more information about how the hacking groups work. If researchers are able to get the hacker’s IP address, they can request the local police to seize servers and get a memory dump of their contents. Or, if hackers have used a proxy server to obscure their location, police might use traffic analyzers like NetFlow to determine where the traffic goes and get the information from there, according to van der Wiel. The Budapest Convention on Cybercrime makes this possible across international borders because it lets police request an image of a server in another country urgently while they wait for the official request to go through.

The server provides information on the hacker’s activities, like who they might be targeting or their process for extorting a ransom. This can tell ransomware decryptors the process the hackers went through in order to encrypt the data, details about the encryption key or access to files that can help them reverse engineer the process. The researchers comb through the server logs for details in the same way you may help your friend dig up details on their Tinder date to make sure they’re legit, looking for clues or details about malicious patterns that can help suss out true intentions. Researchers may, for example, discover part of the plaintext file to compare to the encrypted file to begin the process of reverse engineering the key, or maybe they’ll find parts of the pseudo-RNG that can begin to explain the encryption pattern.

Working with law enforcement helped Cisco Talos create a decryption tool for the Babuk Tortilla ransomware. This version of ransomware targeted healthcare, manufacturing and national infrastructure, encrypting victims' devices and deleting valuable backups. Avast had already created a generic Babuk decryptor, but the Tortilla strain proved difficult to crack. The Dutch Police and Cisco Talos worked together to apprehend the person behind the strain, and gained access to the Tortilla decryptor in the process.

But often the easiest way to come up with these decryption tools stems from the ransomware gangs themselves. Maybe they’re retiring, or just feeling generous, but attackers will sometimes publicly release their encryption key. Security experts can then use the key to make a decryption tool and release that for victims to use going forward.

Generally, experts can’t share a lot about the process without giving ransomware gangs a leg up. If they divulge common mistakes, hackers can use that to easily improve their next ransomware attempts. If researchers tell us what encrypted files they’re working on now, gangs will know they’re on to them. But the best way to avoid paying is to be proactive. “If you’ve done a good job of backing up your data, you have a much higher opportunity to not have to pay,” said Clay.

This article originally appeared on Engadget at


OpenAI and CommonSense Media team up to curate family-friendly GPTs

You will soon find a kid-friendly section inside OpenAI's newly opened store for custom GPTs. The company has joined forces with Common Sense Media, a nonprofit organization that rates media and technology based on their suitability for children, to minimize the risks of AI use by teenagers. Together, they intend to create AI guidelines and educational materials for young people, their parents and their educators. The two organizations will also curate a collection of family-friendly GPTs in OpenAI's GPT store based on Common Sense's ratings, making it easy to see which ones are suitable for younger users. 

"Together, Common Sense and OpenAI will work to make sure that AI has a positive impact on all teens and families," James P. Steyer, founder and CEO of Common Sense Media, said in a statement. "Our guides and curation will be designed to educate families and educators about safe, responsible use of ChatGPT, so that we can collectively avoid any unintended consequences of this emerging technology."

According to Axios, the partnership was announced at Common Sense's kids and family summit in San Francisco, where OpenAI CEO Sam Altman shot down the idea that AI is bad for kids and should be kept out of schools. "Humans are tool users and we better teach people to use the tools that are going to be out in the world," he reportedly said. "To not teach people to use those would be a mistake." The CEO also said that future high school seniors would be able to operate at a higher level of abstraction and could achieve more than their predecessors with the help of artificial intelligence.

This article originally appeared on Engadget at


QR code attacks probably aren’t coming for your scan-to-order menus

QR code-based phishing attacks appear to be on the rise. For this “new” hacking vector, someone gets a phishing email asking them to scan a QR code, that code redirects to a malicious link (usually to steal credentials) and an account takeover occurs. Local news organizations have warned the public to watch out, security leadership publications tell executives to be careful and security companies really, really want you to call it quishing.

To be fair, there have been some notable headlines about it lately. A large-scale version of this against an unnamed “major” US energy company went after Microsoft logins, according to a Cofense report in August. Security researchers have unanimously reported some level of uptick or spike in the attack vector this year. Even the Federal Trade Commission warned consumers of the dangers.

The fanfare around these attacks, however, mostly outweighs the threat of using QR codes in your daily life. Phishing has been, and will likely always be, a prevalent way to trap victims, and what we’re seeing when people talk about QR code attacks is just another way to do that. That’s why despite how the reports may generalize the dangers of QR codes as a whole, some common sense security practices that you already use to avoid phishing can help you avoid this tactic, too. Other, advanced QR-based attack vectors outside of phishing are likely too technically complicated and low reward for bad actors to attempt, or for you to worry about.

Phishing attacks that work by pointing a victim to a malicious link are incredibly common, and QR codes are essentially just another way to execute them. QR codes are “jumping into a security gap,” said Randy Pargman, director of threat detection at security firm Proofpoint. It forces a victim away from their computer and onto a cell phone or another device, adding a level of distraction. Plus, people are more likely to fall for a phishing link on a mobile device, according to Pargman.

The smaller scale makes it harder to tell what’s legit. For example, you can’t easily see a full link to point out discrepancies, and we generally tend to feel safer in our handheld world. Scanning a QR code on a phone takes a victim away from their computer. That could mean the phone has fewer security plugins installed on its browser that would warn you to stay away from suspicious sites, although more browsers have automatic protections against both. Or, if it's taking you from a work device to a personal device, a security team probably supports the computer, but not your cell phone, with extra protections in place to stop you from falling victim. But on the flip side, this is a lot less efficient for scammers to set up. It assumes the victim has access to two devices, rather than just clicking a link.

Plus, people tend to scan the QR codes, even if they’re from an unfamiliar source, because we’re so used to it, according to Fae Carlisle, principal security engineer at VMware Carbon Black. “People are regularly told to scan a QR code to show them a map of a place, to vote in a competition, to visit Instagram, etc,” Carlisle said. “Because of inherent trust, people go along with it.” Hackers seemingly saw this trend and figured out they could exploit it.

While the application of QR codes to phishing attacks is fairly straightforward, the hype around their use in other malicious vectors mostly ends there. Security professionals advise against scanning unknown QR codes, in the same way you shouldn’t plug a random thumb drive into your device. But, while you should always be on guard to protect against phishing attacks, you don’t really have to worry about using QR codes in your daily life because it’s still rare to see them used as a hacking tactic.

This matters because when we think of QR codes, we don’t usually think of getting them in emails. You’re probably more familiar with them from real world interactions, like a call to action on a flier or a scan-to-order menu at a restaurant. Looking at my own inbox and desktop, the instances of getting a QR code are few and far between, with maybe the exception of some multifactor authentication apps and cross-login for VPNs. Basically, for a hacker going after everyday targets, the less effort the better, and plastering a poisoned QR code all over physical space in the hopes someone will scan it is a whole lot of work, according to Pargman. Bulk sending phishing emails is just a heck of a lot more efficient.

While it’s also possible to imagine a link takeover situation, where the destination of legitimate QR codes is redirected to a malicious URL, that really hasn’t been seen yet. Not only is it a lot of effort, but it would require an attacker to identify a widely-used QR code. That would mean sourcing the code information, and then hoping it was worth the work. “Quishing” may be legit, but avoiding QR codes at all costs probably goes a step too far.

If something seems off about scanning a QR code, pause before proceeding. “If you're scanning a menu of the restaurant's and it's asking you to login to your Gmail account to access the menu, that's a highly unexpected step,” said Olesia Klevchuk, product marketing director at security company Barracuda Networks. “Those are the kinds of things we want to be on the lookout for.” But if you just want to learn more about an exhibit at a museum or have a contactless check-in at the gym, you probably have nothing to worry about.

This article originally appeared on Engadget at


What we bought: How YNAB gives me peace of mind and keeps my money in check

I’ve always been pretty money-conscious, but I didn’t really get into budgeting until I was in my mid-twenties. “Budgeting” is generous — I thought I was budgeting, but really I was using a crude Google Sheet system to track my expenses every month. I didn’t truly understand the difference between those two things until I started looking into ways to upgrade. It had been working fine for me, but as I got older and wanted to grow my savings, save up for a home down payment and a wedding and generally do more “adult” things with my money, I started to scour the internet for alternatives. I settled on You Need a Budget (YNAB) about four years ago and I’ve enjoyed it so much that I keep using it even after achieving some of those milestones.

The YNAB Method is an approach to budgeting that resonated with me then and still does today. I won’t belabor the basics here, but put simply, you’re to give every dollar a “job” as soon as you get paid by taking care of immediate needs first and then accounting for the rest of your true expenses. The way YNAB does this is basically by acting like a digital envelope system where you can customize all of your envelopes (or “categories”) and the amount of money you need for each (“targets”), and dump money into all of them every time you get paid. For example, I know I need $65 each month to pay for internet, so I have an internet category in YNAB with a target of $65 each month that’s due by the 15th, since I’ll need that money to pay the bill on the 20th of every month.

Follow that example for all of the rest of your expenses like rent or mortgage payments, groceries, electricity, insurance premiums and you’ll have a full YNAB budget in place. You can (and should) also do that for “true” expenses, which include things like hair cuts and car maintenance in the YNAB system. You may not need a specific amount of money for things like that every month, but you can plan for them by saving a little every time you get paid — so by the time you need to get that hair cut ahead of a wedding or unexpectedly need a new set of tires, you have at least some, if not all, of the money necessary to pay it.


I was already taking stock of my standard expenses and setting aside money for those first and foremost, but YNAB made the process much easier. It’s worth noting that was already part of my routine. I was privileged enough to get a decent financial education from my parents growing up (mantras like “pay yourself first” come to mind, and I see taking care of your most necessary expenses as a way of accomplishing that).

The game-changer for me was considering my “true expenses,” which added up quickly. The inevitable weekly takeout order, veterinary bills for our cat, train and rideshare fees and the like were all things I knew I needed to pay for but didn’t previously deal with until the time came. In YNAB, you can create categories for all true expenses and plan for them each month (or week, depending on how you budget/get paid) so there’s (hopefully) never a question of how you’re going to pay for any of them.

If you’re able to do this and get your expenses in order, it’s possible that you’ll find you have money left over each paycheck. Then you can expand your budget to think about other true expenses or sinking funds you may want to address. My line between true expenses and sinking funds is blurry at best, but the latter are just allocated monies you set aside for variable expenses that you know are inevitable like home maintenance or insurance premiums.

Holiday gifts were big for me; every year, I have even more people in my life that I need to buy gifts for during the holiday season and I never planned for that in advance before using YNAB. Now, I have a “holiday gifts” category with a generous target that I put money toward every month and set to be “due” every year in early October. As soon as sales start to kick in during the fall, I have a pool of money with which I can buy all of my loved ones’ gifts.

I should say that YNAB appeals to my Type-A, über-organized personality, but you can’t plan for everything. A few years back, I unexpectedly had to spend about $500 for some car repairs and I didn’t have quite that much in my “car maintenance” sinking fund. Instead of panicking, I moved some money over from my “clothing” category to cover the remainder of the costs. It was a bit painful psychologically (I love seeing those little green progress bars in the YNAB app), but it didn’t impact my finances at all. YNAB accounts only for the money you actually have, regardless of which category it’s in, so I wasn’t spending anything that I couldn’t afford. That’s really important to me, as someone who tries to live within their means — and as much as possible, below it — to avoid lifestyle creep.


Getting back to those “adult” priorities I mentioned before: YNAB was one of the key things that helped me and my partner save up a home down payment and the funds we’d need to pay for our wedding simultaneously, without feeling too stretched along the way. We cut down (not cut out, mind you) on all unnecessary expenses and aggressively saved during this five-year period, and YNAB made keeping track of it all easy.

But I would like to stress that the service was just one of the things that helped, and there were other factors that contributed as well. It’s not realistic to suggest budgeting alone is the answer to all of one’s money prayers. But it’s certainly a step in the right direction and a good habit to build over time.

I consider YNAB up there with 1Password as one of the few services I’m happy to pay for every year because of how much it adds to my life. However, it’s worth noting that you don’t have to pay for YNAB to start budgeting using its tenets. The YNAB method, the envelope system and zero-based budgeting are all very similar and you can do them all with less expensive tools, and even manually with physical envelopes and cash. There are plenty of online communities with flourishing examples of how you can get started without paying for yet another subscription. I recommend checking out Taylor Budgets, Budget Treasures and other similar YouTube channels for more inspiration.

This article originally appeared on Engadget at


The best 15 last-minute Christmas gifts for 2023

The holidays are right around the corner and you might be a little more behind on your shopping than you’d like to admit. We don’t blame you — between family gatherings and the final work rush before PTO kicks in, it’s hard to find the time to go to a store to pick out presents. And once you get there, you could find half-empty shelves and very few choices. But that’s why we have the internet: you still have time to buy holiday gifts online.

USPS, UPS and FedEx have laid out their holiday shipping deadlines for 2023: Ship your items via USPS by December 16 to have them safely arrive before Christmas, while FedEx and UPS have deadlines of December 15 and December 18, respectively, for standard shipping. At this stage in the game, we recommend picking up small, affordable gifts that will ship quickly so you have plenty of time to wrap them up nicely and make it look like you had everything well-planned from the start. Here are the best last-minute Christmas gifts you can get right now and still have in time before the holidays.

Amazon Echo Dot with Clock


Anker 511 portable charger

JLab Go Air Pop

TP-Link Kasa smart lights

PopSocket Phone Wallet

Amazon Smart Plug

UE Wonderboom 3

Stanley IceFlow Tumbler

Anker magnetic power bank (10,000 mAh)

Apple AirTag

Tile Mate

Blink Mini Pan-Tilt Camera

8Bitdo Pro 2

Audible Premium Plus

This article originally appeared on Engadget at
