
David Spark
From the CISO Series, it's Cybersecurity Headlines: new phishing opportunities through ChatGPT, US military gets a cybersecurity boost, and a new item on the McDonald's menu, the McPassword. These are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. And we are now looking forward to some insight, opinion and expertise from our returning guest, Jim Bowie, VP and CISO over at Tampa General Hospital. Jim, we had you on last summer. So glad you could be here. I've got to ask you before we jump into the news, how was your week in cybersecurity?
Jim Bowie
On one hand it was good. There were no emergent patches from any, any firewall vendors or anybody with public-facing stuff. But it is budget season here, so administratively my week has sucked, but overall it's been good.
David Spark
All right, well we can, we can at least take those takeaways, get into the weekend and start a new, new one where, you know, it potentially could get worse. Who knows. So let's be grateful for this moment that we have together. Jim, I'm so glad to be here with you and I'm also glad for our sponsor for today, Vanta, a new way to GRC. Remember, if you're listening to this show as a podcast, remember next week you can join us live in our loyal band of vocal experts. Just head on over to YouTube, you can go to cisoseries.com, look for our events page and you can find the link there. Or just subscribe to the CISO Series on YouTube and join us each and every Friday at 3:30pm Eastern. We'd love to have you here if you are here. We'd love to, to hear your comments. Not hear our comments. We'd like to read your comments in the chat. I guess we could do like a text-to-speech kind of situation and I could hear them, but we already have CCL and Max Tronica, the big boss man, David Spark getting into it in the chat. So you can join those fine folks and get in there as well. And if you're listening later, feedbacksoseries.com, we would love to hear from you. Before I even jump into the news, just a quick reminder that these are Jim's opinions that he is going to share, not necessarily those of his employer, his staff or affiliates. We've got about 20 minutes, so let's jump into the news. First up here: ChatGPT prone to recommending the wrong URLs and creating a new phishing opportunity. Oh, gen AI. What can't you do. Threat researchers at Netcraft are warning of the propensity of LLMs like ChatGPT and others to offer the wrong information when asked questions like, can you find me the official website to log into my account for any given brand? They found that the AI would produce the correct web address about 66% of the time, which, last I checked, is zero nines of correctness.
The Netcraft team points out that phishers could ask for a URL and then, if the top result is a site that's unregistered, hey, go ahead and buy it and you're doing a phishing site. Basically a new version of typosquatting here. Certainly, Jim, nothing new to the fact that cybercriminals are innovative creatures of exploitation, always finding new ways to crime. The crime issue here is more around people's naked trust of LLMs as a source of wisdom and truth. It's about as naked as a Black Sabbath drummer, you might say. From a CISO standpoint, this becomes similar to standard email phishing, simply following a link out of faith or a lack of time to think critically, I guess. In this kind of situation, what are we to do? Is this just an awareness challenge? Is there anything more beyond that?
Jim Bowie
It depends on where your threat vector is coming from. I mean, first of all, we took gen AI, we trained it on humans and all human output and then are surprised when it's wrong 60% of the time. So I don't know, you know, I'm actually surprised it got it wrong only 29% of the time. But from, if you're worried about it on your network, you can do the, the reactive thing that every CISO did at the beginning and just block it. But if you want to start actually, you know, getting to the modern times, you can let it on the network, but your fire, if, if they're on your network, your firewall is going to do the same thing. It's going to block the same links. If they're clicking on it, if they're off network, you can look at a proxy or you can. We've been practicing here. We actually are trialing some things where we just stood up our own instance of it. So it's accessing the web through our own proxy and so we can shelter kind of what ChatGPT is going out and searching for. So that's another solution.
David Spark
So you're saying the, the LLMs learned it from watching us. Or the fault in our stars, et cetera, et cetera. Metaphor. Metaphor. No, that is, that is some really good, practical, you know, advice as opposed to the reactive, hey, shut it all down and they're going to do it anyway. Always, always good to hear, like, hey, let's, let's work with what people want to do and figure out a way to, to, to make everybody better and maybe get a productivity boost while we're getting some URLs. Massively incorrect. Next up here, US military gets a cybersecurity boost. So Congress has passed and the President has signed a sweeping tax and spending bill that includes hundreds of millions of dollars in cybersecurity funding. That funding is largely focused on military priorities. Key allocations include $250 million for US Cyber Command's AI initiatives, $20 million for DARPA cybersecurity programs, and $1 million for Indo-Pacific Command's cyber offensive operations. Democrats have criticized the package for excluding funding for CISA. There's a significant cut in there for CISA, arguing it overlooks key threats and weakens federal cybersecurity infrastructure. On the opposite side of the aisle, Republicans argue national defense and military readiness are core drivers of the bill's cybersecurity spending. So, Jim, avoiding both sides of the aisle here, just looking at what is in this bill, big increase in funding for military-related cybersecurity. I'm curious, how are we supposed to read this as a CISO? How are you reading this in terms of improving this larger thing of improving national security versus these more smaller focus groups like CISA seeing less funding? I guess, how does that, how are you viewing that this affects the industry and you as an organization?
Jim Bowie
You know, the meme where there's, I think it's the mom or the dad playing with one kid who's swimming and then the other kid's drowning right behind them. Yeah, that's kind of what this feels like. I'll be honest. You're playing with the shiny thing that looks cool and sounds cool and can be very cool, but you're forgetting your basic hygiene. As something, as an organization that is part of critical infrastructure, it is kind of depressing to see that. I mean, CISA's budget was what, 3 billion last year? This is 1/12th of that. That's a lot of.
David Spark
Yeah, a lot of help.
Jim Bowie
You know, critical infrastructure organizations are drowning. We're constantly under attack. So unless that AI is going to somehow shut up China, Russia, North Korea and all the, you know, cyber criminals, I, it's great. I guess they can attack F-22s with F-22 AI. I don't know what they're going to do with it, it's cool. But again, you're, you're ignoring the fundamental problems for the shining things. Now, private organizations are guilty of that too. Everybody wants to go AI without patching their 2008 servers. So, you know, it's, it's guilty on both, both elements of it.
David Spark
Yeah, the, and I guess in that meme, the, what is the. Yeah, the skeleton at the bottom of the pool that's in the chair, I guess, is, yeah, the cybersecurity poverty line or something along those lines. So, so yeah, it's, you know, I, I, from that perspective, it's like, all right, we're looking where all of these threat vectors are coming from. These are a lot of state-sponsored actors. You know, theoretically, you're throwing money at defense organizations. We've heard talk of increasing offensive cyber operations and stuff like that. I can sort of see that. Right. Like, I could see a little bit of a logic. I can see you could be convinced about that. But yeah, the. Seeing what CISA has done over the past eight years, like across two different administrations, in providing tools for smaller organizations that really can't for themselves, writing, training, best practices, like literal toolkits. I would have to imagine it's pretty easy to see dividends on that, and to see funding slashed even as CISA has its mandate pared back. Yeah, it's tough to see the logic in that. But hey, DARPA, they invented the Internet. So, you know, maybe, maybe they'll invent Cybersecurity 2.0.
Jim Bowie
Here's how. Maybe they'll figure out a way to stop it all with AI to do next.
David Spark
Yay. Fingers crossed for AI to solve everything. Hashtag singularity. All right, next up here, new item on the McDonald's menu, the McPassword. McDonald's has a new AI-powered job application bot named Olivia. Jim, you can't laugh before I finish the read here. This is the greatest story of the week. So there's this bot named Olivia who is responsible for screening and instructing job applicants under the company's McHire program, because they're on brand for McDonald's. Security researchers Ian Carroll and Sam Curry discovered that the bot, built by a software firm, Paradox AI, contained simple web-based vulnerabilities, including a doozy of a password: 123456. This allowed them to query the company's database that held every applicant's chats with Olivia. This means 64 million records that include names, email addresses and phone numbers. McDonald's brass are clearly not loving this. Maxtronic, there you go, you have your reference there as well. Paradox has admitted the fault, but said that the information was not accessed by any third party other than the researchers, who are just making a big stinking deal about this, let's face it. So Jim, it's nice that Paradox pointed out that nothing bad happened that they know of, especially considering that they might be served with a super-sized lawsuit pretty soon. I'm curious though, do you think it might be a good idea to maybe not use the most commonly used password in the world when building an application for the biggest fast food company by revenue, restaurant, real estate, toy distribution, restaurant employer in the world? Or am I just being too picky here?
Jim Bowie
I mean, this is the Spaceballs school, school of cybersecurity hygiene, right? Like now I gotta go change the password to my luggage. It's just, when I read this I was like, are you absolutely kidding me? And it goes back to again, like we just talked about. Really cool. You're doing AI flashy stuff but you're still neglecting the hygiene. I mean that's the biggest, the biggest thing I'm seeing lately with, across many organizations in many industries. They want to advance so fast, be at the forefront and do all this cool stuff, but it doesn't matter if you don't have your seatbelts and your airbags, right? It's, it's just. And there's no excuse for this. Like if I was McDonald's, I know we're throwing McDonald's out there, this, this third-party vendor, like I'd be livid, like absolutely livid.
David Spark
And like the only excuse I can see for this is this was a default that didn't get changed. That default, like, that's a design failure, like that should never even be in the default. Right? Like I understand, like maybe keys get hard-coded, like, you know, get pushed out to GitHub. Like maybe somehow, like, not 1, 2, 3. Like that should never be the placeholder for anything. I'm going to have to reference though, CPU UK has the comment for this: must have been configured by a clown. Thank you CPU UK, one of our great chat members having some fun with this story. We're also going to have some fun with the second half of the show. Before we do that though, we have to get with our sponsor for today and thank Vanta. Do you know the status of your compliance controls right now? Like right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting. And it helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get started at vanta.com/headlines. That's V A N T A dot com slash headlines. Maxtronic, you're getting in there with the hamburger reference. I get it. I appreciate it. I see you. Honestly, like, I could just have an entire compendium of McDonald's puns. There could be some Fry Kids references. If you get those in there, I'll be extraordinarily happy. Just, I mean, just a chef's kiss of a story. We're going to try and have fun with this one because Google being Google here. Google's Gemini: "off." Does it actually mean off?
As of last Monday, Google's Gemini AI will be able to access Android apps like Phone, Messages, WhatsApp, and more, even when users have turned off the Gemini app's activity feature. Oh, you silly user. That setting only stopped the AI from using your data for training, not from tapping into your apps entirely. These permissions allow Gemini to interact with other apps on a user's behalf, potentially to send messages and make calls. To fully block Gemini's access, users must go into settings and manually revoke permissions for each app. So, Jim, Google has said the information Gemini finds is not kept for long. But again, let's use your CISO instincts and your spidey sense here. Does this not raise a few red flags from a cybersecurity perspective?
Jim Bowie
There's zero reason to believe that that's actually going to be isolated like they say it is. Like, I'm, I'm not throwing shade at Google any more than I would throw it at Apple. Apple just seems to have a better PR team about it. Coming from law enforcement, I'm letting you know your OS on those phones is capturing all that anyway. Like it is. It's nice they're trying. I just, it feels like gaslighting almost, if I'm even using that term, term correctly. Like, great. And, and that, the irritation of having to do it for every single app. We'll, we'll get to it later. But like your data is so important to these people. It's worth so much money that you, you can't believe anything they're saying when they talk about this. This is my cynical tinfoil hat.
David Spark
Well, and the, I, and going back to just Google not having as good PR, this is not the first time they've done something like this. They've repeatedly done this with, like, location data where there's a setting to turn that off. But again, you have to go into a web portal or you have to go into individual apps and turn that off. We've seen that with their initial Street View kind of opt-out stuff. We've seen this any number of ways where there is a way to make you do some privacy theater while they can still get access to all of your data. Most big tech platforms, to your point, again not calling out Google specifically, but that is a valuable piece of their either revenue or strategy or tech stack or something like that. So yeah, they're not alone, but geez, Google, you know how to do it sometimes.
Jim Bowie
That being said, I do applaud them, believe it or not. I can't believe my team's going to jump over me. I applaud them for trying to make AI useful. Like I've always wanted the phone to be actually like, hey, do X, Y or Z for me. AI is not quite there yet. Hopefully they can get it at some point where it's actually like, you can actually talk to your computer and say open this, do this, write an email, do that, and it'll actually work one day.
David Spark
And that's the thing, as we're seeing more, well, as we've seen Apple mistakenly advertise that Siri would be able to do similar things. These capabilities are, like, genuinely useful. There are actually, to your point, really fantastic use cases for this. It would just be nice if we could go into it with eyes wide open of what are the trade-offs that I am consciously making. Allow me to make those trade-offs with some kind of visibility. Most people probably won't care. They're just like, I just want the benefit, whatever, you know, accept all cookies, right? Give me the cookie button. But I'm the weirdo that's clicking options and deny everything, right? Like let me be that person. At least I know it's maybe not the right. That's another form of security and privacy theater. But at least let me know the trade-offs that I'm making and don't try and hide them behind weird UI stuff.
Jim Bowie
Like, it's still not as bad as Recall, too, man.
David Spark
You know what? Big tech undefeated in wanting to gobble up all of your data. Schmooze pointing out bolt-on security is a real thing. Well, it's, it's not even that. It's like. It's like a. It's like putting in a deadbolt, but that doesn't, like, attach to the wall, you know, like the other way. Yeah, yeah, exactly. Yeah.
Jim Bowie
Also shrews with the grimacing upon fancy.
David Spark
You know what? Again. Again. Where are my Fry Kids? Come on, folks. We got so much here. All right, let's move on to our next story here. Just one moment. PerfektBlue Bluetooth flaws impact Mercedes, Volkswagen, and Skoda vehicles. This flaw impacts the Blue SDK Bluetooth stack from OpenSynergy, used in vehicles from the vendors mentioned in our headline there, as well as others. Since it's widely used in the automotive industry, it's kind of a standard stack. The flaws can be chained together into an exploit that researchers call the PerfektBlue attack and can be delivered over the air by an attacker, requiring at most one click from a user. It was discovered by pen testers at PCA Cybersecurity. Interestingly, OpenSynergy confirmed the flaws last year in June and released patches to customers in September 2024. But many automakers have yet to push the firmware updates. At least one major OEM learned only recently about the security risk. So, Jim, there's the rub. Flaw discovered, flaw acknowledged. Patch issued. Patch ignored. Do you know of any, I don't know, lawsuits that have emerged from this type of oversight? Do you anticipate more to come? I mean, like, it seems like we did all the things we needed to do, but someone didn't get. There's a. There's another verification step, right, that has to go before they can push the OTA out to the car. Right?
Jim Bowie
So this is actually funny coming from healthcare. Let me introduce you to the world of medical device vendors, right? Like, there are things that haven't been patched in 15 or 15 years old that we have to, like, constantly segment and isolate and segregate because the vendor is just like, yeah, I'm not pushing that out. That's on you. Wow. So, like, my wife has explicit instructions. If certain devices come near me, just go ahead and put a pillow over my head, because I don't want to be patched by that unpatched thing. You know? Like, it's just. And it's. It's not the healthcare industry's problem, it's the vendors just not wanting to patch. And it's that you're just seeing it more publicly here with the cars, because everybody is exposed to cars every day. I just want a car that's like the Millennium Falcon with actual switches again. Like, give me, let me control my AC with a knob is all I'm asking for. We don't need a Bluetooth connection for that.
David Spark
You just want toggles on everything.
Jim Bowie
Toggle all the things, right.
David Spark
This actually reminds me a lot of, you know, as, as increasingly these are just technology platforms, right. This technology platform moves. This technology platform sits in my pocket. This reminds me a lot of, like, all the Android fragmentation, like, patching discussions that we've seen. This is the exact same thing of, you know, the open-source Android gets this patch or Qualcomm issues this patch, but it has to go through Samsung's vetting process before it gets pushed out. And oh, by the way, your device is a year out of support. It's three years old. I see this increasingly. Like, it took us years to get to the point where manufacturers will come out with phones and say, hey, we're going to offer X number of years of security updates. I wonder if we're going to need that, if that goes with your car's warranty as well. If we'll get the 10-year, 100,000-mile powertrain and software update warranty coming soon.
Jim Bowie
Or they can have, like, BMW, I see, is the first one that will do it. They'll have a Microsoft E5-level security license that you need for your car to have patching. Right. Because with the AC switch you can get.
David Spark
Yeah. And the heated seats. Right? Yeah. Classic Beemer move. All right, moving on to our last story of the day. Google Cloud offers partial AI data sovereignty for UK customers. Google Cloud is taking steps to address data sovereignty concerns around AI data by offering UK-based organizations the option to keep Gemini 2.5 Flash machine learning processing entirely within the UK. This will be presented as an option in which a customer can select Google Cloud's UK region, in this case europe-west2, when using Gemini 2.5 Flash to store data in that region. This means that machine learning computation, in other words the processing of Gemini 2.5, can be limited to within the UK region. However, the same cannot be said for Gemini tech support, which will be shared by Google's global facilities and will remain a complicating factor in complete data sovereignty. So Jim, again, on the surface an AI story, but interestingly, and I think we're going to see a lot more of these, it's really a data sovereignty story and an attempt to keep data within territorial boundaries per different national regulations and stuff like that. Given the economics of big data for AI, cloud and just general computing, I'm curious, do you feel these regulations can stand up to the pressure of, hey, everybody wants to throw that data around? You know, kind of as we were talking earlier, there's a couple, there's a.
Jim Bowie
Couple of things going on here. One, this to me is the equivalent of saying, yeah, I lick my envelopes at home before I mail my letter. Right? Sure, we licked the envelopes in house. The in house licking was great and secure.
David Spark
But saliva sovereignty.
Jim Bowie
Yeah, exactly, saliva sovereignty. The other, the other part of it is there's zero way a government regulation is going to keep up with the speed and scale at which everything is moving in the tech, the tech world. We've already seen that for the last 20 years. Also you're dealing with, and I think Steve, we were talking to earlier, he mentioned that, what is Nvidia, $4 trillion now? Do you think Nvidia can't pay off a government to lobby for the right to be able to access that data? Like let's, let's take the wool off of our eyes or whatever the phrase is at this point. That's me with my tinfoil hat again.
David Spark
So there, there is a lot of incentive, industry incentive we will say, to, to, to make these things a little bit more amenable perhaps to some of those $4 trillion.
Jim Bowie
Just like CCL said there, right? Like GDPR. They want to relax GDPR. You think that's coming from the people, or do you think that's coming from the corporations that want that data?
David Spark
I don't. CCL, you so canny. I, I can't believe you're that cynical. CCL, obviously that's a, that's a popular mandate. Obviously there can't be any other way to. Okay, all right. Yes, I agree. That definitely seems. Listen, I understand there are, there are new modes of business opening up, right? You, you, there is a balance to be struck always, right, between regulatory pressures, consumer protection, what industry kind of wants to push the envelope. But yeah, saliva sovereignty, I'm going to go with that. I'm going to go with saliva sovereignty. We also. I just got to, just a big thank you to our audience today. Lots of fun stuff going on in the chat here. Fantastic McDonald's puns, each and every one of you. CCL, Mektronics, Schmooze, CPU UK, just everybody having a really fun time. Thank you so much for joining us. And I hope, if you like McDonald's puns, if you had a Fry Kids pun, by the way, feedbackisoseries.com, I need to hear it for that story. Come and join us. Have some fun on a Friday. It's a great way to kind of kick-start the weekend. Before we get out of here though, for that weekend does start, Jim, any story? Was the McDonald's story the facepalm of the day? Is there any other thing we need to mention here?
Jim Bowie
I read that story yesterday and I've been facepalming since. I only took my palm off my face for this pod, for this podcast. Right.
David Spark
It was a driving hazard. He had to take an Uber because he just couldn't, just. It was just embedded, embedded facepalm. It's a, it's a service now McDonald's is offering. It's. It's fantastic. Jim, where can people find you in cyberspace if they are so inclined to check out what you're up to?
Jim Bowie
Apparently through Google.
David Spark
No, ask ChatGPT for a URL.
Jim Bowie
No, LinkedIn. Best way to reach out. Just, I check it every couple of days because everybody's trying to sell me everything all the time. Just say, hey, saw you on the show. I'll get back to you, we'll connect and we can talk if you want to chat.
David Spark
So fantastic. Well, thank you so much, Jim Bowie, VP and CISO over at Tampa General Hospital. I know you are a busy fellow. You're keeping warm down there in the great state of Florida. So thank you so much for taking time out and spending it with us, lending your wisdom. Had a blast. We will have to have you on before next summer for sure. Thanks also to our sponsor for today, Vanta, a new way to GRC, and another big thank you to our audience. We can't always get everything up on the screen, but you made it so much fun today. Thank you so, so much. And remember, if you can't join us live, feedbacksoseries.com, we would love to hear from you. Remember to join us next week, first for Super Cyber Friday, where our topic will be hacking vendor competition. An hour of critical thinking about when sales tactics cross the line. Maybe when they don't, too, as well. So maybe some best practices for vendors. That starts at 1pm Eastern, and then come on back for another episode of the Week in Review that starts at 3:30pm Eastern. To register to join us for both, you can either head on over for this show to YouTube or just go to the events page at cisoseries.com. We've got everything there, all the pertinent information that you need. In the meantime, you can delegate your daily news fix every single day through Cybersecurity Headlines. Give us about six minutes, we'll get you all caught up until the next time we meet. For myself, for our glorious producer, Steve Prentice, for Jim, for all of us here in the CISO Series conglomerate, organization, consortium, here's wishing you and yours a super sparkly day. Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Comprehensive Summary of "Week in Review: ChatGPT URL vulnerability, McDonald’s password problem, Perfekt Bluetooth blunder"
The episode opens with host David Spark introducing the key cybersecurity headlines of the week. He welcomes back Jim Bowie, VP and CISO of Tampa General Hospital, who shares his recent experiences in the cybersecurity landscape.
Jim's balanced perspective highlights a week of relative technical stability juxtaposed with administrative challenges, setting the stage for the in-depth discussions to follow.
The first major topic addressed is the vulnerability inherent in ChatGPT's URL recommendations, presenting new avenues for phishing attacks.
Issue Overview: Threat researchers at Netcraft have found that large language models (LLMs) like ChatGPT return the correct web address only about 66% of the time when queried for a brand's official login URL. Where the suggested domain is unregistered, a phisher can register it and wait for users who trust the LLM's answer, a modern twist on typosquatting.
Mitigation Strategies: Jim favors working with the technology over blocking it outright. On the corporate network, the existing firewall blocks a bad link whether it came from an LLM or an email; for off-network users, a proxy can do the same. His organization is also trialing a self-hosted instance of the model that reaches the web through the company's own proxy, so the URLs it fetches and returns can be filtered centrally.
Jim's approach underscores the importance of integrating modern cybersecurity practices with emerging technologies to mitigate new threats effectively.
The discussion shifts to the recent tax and spending bill that significantly boosts cybersecurity funding for military initiatives while reducing allocations for the Cybersecurity and Infrastructure Security Agency (CISA).
Funding Allocation: Key allocations include $250 million for US Cyber Command's AI initiatives, $20 million for DARPA cybersecurity programs, and $1 million for Indo-Pacific Command's cyber offensive operations.
Democrats argue that the cuts to CISA weaken federal cybersecurity infrastructure, while Republicans defend the focus on national defense and military readiness.
Impact Assessment: Jim criticizes the imbalance in funding, highlighting that while advanced AI initiatives receive substantial investment, essential cybersecurity frameworks like CISA suffer, leaving critical infrastructure vulnerable to constant threats.
Jim emphasizes the need for a more balanced approach that doesn’t neglect foundational cybersecurity measures in favor of high-tech advancements.
The next story covers a significant security flaw in McDonald's AI-driven job application bot, Olivia, developed by Paradox AI.
Breach Details: Researchers Ian Carroll and Sam Curry found that the bot, built by Paradox AI, had simple web-based vulnerabilities, including an account protected by the password "123456." That access let them query the database of applicant chats with Olivia: about 64 million records containing names, email addresses, and phone numbers. Paradox acknowledged the fault and stated that no third party other than the researchers accessed the data.
Security Hygiene Failure: Jim vehemently criticizes the use of such an easily guessable password, highlighting a glaring lapse in basic cybersecurity practices despite the deployment of sophisticated AI technologies.
The incident serves as a stark reminder that foundational security measures must not be overlooked, regardless of the advanced tools and technologies employed.
The podcast then addresses vulnerabilities in OpenSynergy's Blue SDK Bluetooth stack, which is used by major automotive manufacturers including Mercedes, Volkswagen, and Skoda.
Vulnerability Details: The flaws, which researchers at PCA Cybersecurity chain together as the "PerfektBlue" attack, can be delivered over the air with at most one click from the user. OpenSynergy confirmed the issues in June 2024 and shipped patches to customers in September 2024, yet many automakers have still not pushed the firmware updates to vehicles, and at least one major OEM learned of the risk only recently.
Impact on Industries: Jim draws parallels between the automotive industry's patch management issues and similar challenges faced in the healthcare sector with medical devices, emphasizing the broader implications of vendor negligence in essential cybersecurity practices.
His frustration underscores the demand for more reliable and secure technological integrations in consumer products.
The final headline focuses on Google Cloud's efforts to address data sovereignty concerns by offering UK-based organizations options to keep their Gemini AI data processing within the UK.
Sovereignty Measures: Customers can select the UK region (europe-west2) when using Gemini 2.5 Flash, keeping both data storage and machine learning processing inside the UK. Technical support for Gemini, however, is still delivered from Google's global facilities, which leaves data sovereignty incomplete.
Critical Analysis: Jim remains skeptical about the effectiveness of such measures, likening them to superficial attempts at data protection that do not address underlying vulnerabilities. He doubts that regulatory measures can keep pace with the rapid evolution of technology and the inherent monetization strategies of big tech companies.
His metaphor highlights the inadequacy of partial solutions in ensuring genuine data protection and sovereignty.
As the episode nears its conclusion, the host and guest engage in light-hearted banter, particularly about the McDonald's security breach, while encouraging audience participation and teasing upcoming episodes.
Jim Bowie [22:49]: "I read that story yesterday and I've been facepalming since."
Jim Bowie [23:14]: "No, LinkedIn. Best way to reach out..."
They extend thanks to the guest, sponsors, and listeners, promoting future events and inviting feedback through the podcast's platforms.
Emerging Threats with AI Tools: The integration of AI tools like ChatGPT introduces new vulnerabilities, particularly in information accuracy, which can be exploited for phishing and other cyberattacks.
Funding Imbalances in Cybersecurity: Increased military cybersecurity funding contrasts sharply with critical cuts to agencies like CISA, potentially weakening national cybersecurity infrastructure.
Importance of Basic Security Hygiene: High-profile breaches, such as McDonald's use of weak passwords, underscore the necessity of fundamental cybersecurity practices regardless of technological advancements.
Vendor Negligence in Patch Management: The automotive industry's delayed patch implementations highlight the broader issue of vendor responsibility in maintaining cybersecurity across all sectors.
Challenges in Data Sovereignty: Efforts by big tech companies to address data sovereignty are often seen as inadequate, failing to fully protect user data against pervasive data collection and monetization strategies.
Jim Bowie [09:31]: "You're doing AI flashy stuff but you're still neglecting the hygiene."
Jim Bowie [20:28]: "This to me is the equivalent of saying, yeah, I lick my envelopes at home before I mail my letter."
David Spark [00:51]: "We are now looking forward to some insight, opinion and expertise from our returning guest, Jim Bowie."
This episode of "Cyber Security Headlines" provides a comprehensive analysis of recent cybersecurity incidents, blending expert insights with critical evaluations of current industry practices. Jim Bowie's perspectives offer valuable lessons on balancing technological innovation with rigorous security measures, emphasizing that foundational cybersecurity hygiene remains paramount in an increasingly complex threat landscape.
For more detailed discussions and daily cybersecurity updates, listeners are encouraged to visit CISOseries.com.