A (2:42)

Yeah. And that fiduciary, I mean, when you bring that in, that brings a whole layer of baggage in there. I think that's a really interesting part of the conversation. I'm curious, Nick, did I'm. Here's your thoughts on that.

B (2:56)

Yeah, yeah. I mean, if you look at it, I mean, we have burnout at the Cecil level. CISOs themselves have been pulled and saying we're not taking responsibility because we're not getting the budget, we don't have the manpower, et cetera, et cetera. And so by virtue of that, there has to be a shift in that. And we actually saw in Australia, I believe it was Qantas, the airline, who went through a data breach and basically their board of directors voted to ding the sea level to say, well, you know, you're. No, no bonus for you or slightly less bonus. You know, maybe don't. You're full this summer.

A (3:27)

But.

B (3:28)

But the point is, is that, yeah, I think Jack's 100% right on this. It's a big problem that we've got. But it really underscores, I think, systemic issues we have in cybersecurity right now, especially with just keeping experienced people around and then giving the teams the tools they need. Right. When CFOs are treating nickels like manhole covers, it just helps no one.

C (3:45)

Yeah, yeah.

A (3:46)

Who would have known that giving someone all the like, like none of the decision making power but being responsible for everything, oh, sure. Turned out to be like toxic and like horrible. Who, who could have known?

B (3:58)

Yeah, it's absolutely crazy. And nobody expects like a CFO to be Oprah, right? You get a firewall, you get a firewall, everybody gets a firewall.

A (4:05)

Right.

B (4:05)

I get to meet that cfo. But the point is, is that we have to do something about it.

C (4:09)

I also wonder if there's something to the, like, the average CSO tenure is like surprisingly short. I forget whatever the data is, but most data has it like less than two years. And so continuity of a program like between CISO and CISO and board and board, if the board's in on that, you start getting a little Bit more of a, a cadence and a sequencing with a hope of continuity and maybe a little bit less than, if you will, the sacrificial ciso. Right. Get rid of one ciso, bring in another to sort of fix it, and then they go on to whatever's next. That program continuity is a thing I think about often. Not just because I have kids to put through college, but for the good of the company.

A (4:49)

Yeah, I literally just got off the phone with a CISO who came in.

B (4:54)

With a opportunity to do a greenfield program and she said because of that.

A (5:00)

She was able to save a lot of money.

B (5:04)

And that it is the fact that you have existing programs in place is what keeps the programs so unbelievably costly. Right. Not to, not to mention, and I think that's a great point, but you know, to what, to what Jack was saying as well is imagine the transition time. You've got to get up to speed on everything and that is potentially a gap in the human defense as well, you know, so it's, it's just coming and going well.

C (5:28)

And also, also the cybersecurity staff. Right. New people coming in, it takes a while for teams to get used to new leaders. And if there isn't continuity there, you're going to lose your engineers, your auditors, your analysts, you know, with that same transition.

B (5:44)

Right.

A (5:44)

All right, Nick, I got to ask you, what was your biggest story of the week?

B (5:48)

Yeah, so I kind of have two. But so I, you know, for those that listen to my radio show and podcast and all that kind of stuff, every Sunday I do a breaches of the week. And this past Sunday.

A (5:58)

Oh boy.

B (5:59)

I mean, so every week is getting worse with supply chain hits. Right. But you think of like the high end vendor in cybersecurity and they're all declaring data breaches. Thank you, Salesforce, you know, for that. Right. So we saw Palo Alto Networks, Tenable, Qualys, Hackerone also declared. We just saw CrowdStrike, not Salesforce related, but probably next week for them on Salesforce, you know, so it's absolutely, it's been absolutely crazy. And then the other smaller story I thought is I read an article that just really underscored me that we are never in a million years getting away from ads in our lives because Samsung just rolled out ads for their television, for their refrigerators. So your refrigerator, if you've got a Samsung with an LCD panel, you're getting ads. And I've seen on the newer Android builds on Samsung as well, where now the notifications like you got Mail. You got a text now has Samsung ads. So.

A (6:53)

I'm honestly more shocked that that doesn't already exist. Like, I'm like, disappointed in Samsung. I was like, you have. You have one job and it's to shove as many revenue streams down my throat as possible. Don't worry. We also have meta glasses that'll service ads with AI too soon, so there's that too.

B (7:09)

And for the record, it's a cybersecurity situation with Samsung because when I hack this thing and expose it to the world, you know, I'm not going to tell them how I did it.

A (7:19)

So everybody, I mean, I mean, you want to talk about the Sales loft, you know, situation, it's like all you need to do is find some tokens that got left in a repo and, you know, we're off to the. We're off to the races there. Yeah, I mean, Jack is. We just heard from Shiny Hunters. They were talking to Bleeping Computer Threat Group. They were estimating they hit 760 organizations. And a source speaking to Bleeping Computer, which we can assume was from Sales Loft, basically said, yeah, those numbers are right. That's like a crazy impact for. For one breach that. That kind. I mean, that's like log 4J level of exposure here.

B (7:54)

It's Orion.

A (7:55)

Yeah. All right, well, before. Yeah, Paul, Jacques. And on LinkedIn sucks. New glasses will have ads. I guarantee it. I. Okay, here's my long term conspiracy. Neuralink only exists to serve ads in the brain. This is just my long term thing. You can quote me on that in 10 years when it's a thing. All right, before we move on to our next story, I just had a real quick. My favorite thing from this week, it wasn't necessarily cybersecurity, but Anthropic released their economic index. Just real quick, I have some trivia here. I wanted to get your thoughts here. Can either of you tell me what was the top state for per capita Claude usage? And I will give you more hints. It was not California or New York. Nick, any thoughts?

B (8:34)

The state.

C (8:36)

Mm.

B (8:36)

Oh, God. It wasn't California. I'm gonna go actually with Virginia. Just given all the data centers and.

A (8:44)

Jack, any thoughts? You could say Michigan.

C (8:47)

I was gonna go Virginia or Maryland, but not because of data centers, because, you know, people in government are trying to look pretty sharp these days.

A (8:55)

Virginia was number four. Number one. Utah.

B (8:59)

Really?

A (9:00)

Utah? I don't. Okay, there we go.

B (9:03)

Isn't that state like half desert?

A (9:06)

Well, it's per capita, so did I count the grains of sand I don't think that was. I don't think that was a part of it, but I'll have to check. I'll check the numbers there.

B (9:13)

Fair enough.

A (9:13)

And the other thing I real. Just very quickly, I need a. Just a quick game. Who used Claude Moore? Nursery and greenhouse managers or bartenders? Nick?

B (9:23)

Bartenders. I'm going with bartenders.

A (9:25)

Oh, I'm sorry. It was nursery and greenhouse managers. All right, Jackson. Fashion designers or nuclear engineers who use Claude Moore?

C (9:32)

Oh, fashion designers.

A (9:33)

Oh, I'm sorry. It was nuclear engineers. Doesn't that make you feel great? Possible hallucinations. All right, and the last one for both of you, information security analysts or anthropologists who used Claude Moore.

B (9:45)

Oh, it's got to be infosec or information security analyst. Yeah, it's got to be infosec.

C (9:51)

Yeah, it's like a measurement. It's a measurement bias because all I know is infosec people. So I'm going to.

A (9:57)

I'm sorry, it was anthropologists.

C (9:59)

How many anthropologists are.

B (10:01)

How many. How many hidden tribes are there?

A (10:03)

Why should we trust anything you say? From here on in, you're both over three. Yeah, that was just my game called destroy credibility. I just. I think that was successful here. With that in mind, let's. Let's move on to our next story here. Cyber attacks against schools driven by a rise in student hackers, according to UK agencies. This story comes out of the uk, where the Information Commissioner's Office, one of my favorite Commissioner's office, not going to lie, has warned that student hackers motivated by dares, are driving an increase in the number of cyber attacks and data breaches impacting schools. Calling it a worrying pattern, it echoes a report from Britain's national crime agency that one in five children in Britain aged 10 to 16 have engaged in illegal activity online. Some of the reasons for the breaches described are poor data protection practices, including staff accessing data without legitimate need, by devices being left unattended or by students being allowed to use staff devices. I just want to say poor data protection practices also explains why adults successfully breach organizations as well. So know about those findings there, Jack, I'm curious about this. You know, as an adult, I'm getting to the point now where I'm asking my kids how to work like the Apple tv, Like I'm getting into that stage of my life here. I guess. No surprise that kids are this young are doing it for the lulz. That's a very old hacking, you know, rationale. I'm curious, what's your take on this?

C (11:21)

You know, the article stuck in my mind. One, I'm a little bit dubious of information commissioners of all stripes, not just the UK's. But, you know, part of this is they're measuring for a specific outcome, using a specific criteria to drive some of these stats. So I have no doubt that students being naughty on computers is higher. They could also be looking closer. Right. So there's, there's this. There's a din of illegal or malicious activity that's happening in high schools or secondary education. And I think that's interesting. Going back to the 90s, when I was in high school, skateboards were really evil. And so if you had a skateboard, you were just the bane of society. And there were sort of two schools of thought. Ban skateboards, don't allow them in the schools. Put up barriers against it and punish it, or build skate parks. Right. And I'm a little bit more. And obviously illegal activity is bad. I'm not advocating for illegal activity. But part of this is also you've got a group of young adults who are expressing, albeit illegal, a certain skill set and a certain amount of creativity, and there's something there to harness and say, well, how could that actually be better used? I'm sure there's bad data policies. I'm sure there's laptops from teachers that need to be better secured and we're getting better at seeing and having an observability of that data. But the story really is improve your security posture and improve the way you're engaging with children of this stripe. Don't just punish the children of this stripe.

A (13:01)

Yeah, yeah. Like, to me, this is like an opportunity. And CCL kind of points this out. Like, isn't this always the case? Students have enough knowledge, almost unlimited time and curiosity. It seems like, hey, maybe this is an opportunity. Yeah, an opportunity to engage with them. Again, not to say, like, if you are causing legitimate harm, like, I'm not making any excuse for that. But I will also say now that you can plug in, like, you can use Cloud or ChatGPT or whatever to also, like, very quickly. I mean, I remember, like, when I was in school, I found stuff that was like, I know for sure, like, there's a way to hack into this, but I don't, like, you know, like some exposed panel or something like that, misconfigured WI fi or something like that. And, you know, I was just missing that piece. But if you have, you know, an AI coding assistant to kind of help you cause a little mayhem, you know, I'm not Surprised that we're also seeing this. But yeah, use it maybe as a, as an opportunity. There's some bored kids. Maybe give them something to do.

C (13:52)

Don't forget also that the best thing you can do is to tell them not to do it.

A (13:57)

Famously always works with kids.

B (13:59)

Right.

A (13:59)

Think about it.

C (14:01)

Some of us used to have wood shop.

B (14:02)

Right?

C (14:03)

And right. Those are dangerous things. You can hurt yourself, you can understand it, but it's also a trade skill. So it's like, is this actually, are we seeing that turn where wood shop of the 90s has turned into sort of the hacker class 101. Right. The hacker shop of, you know, 2020.

A (14:20)

Nick, are you going to make the devil's argument that we should go harder on kids and completely try and shut them down from using any technology?

B (14:28)

Well, it'd be for the same reason I like the Irish DPA as my data protection authority, because there's three of them, they have 500,000 cases and nothing gets done. So, you know, so if we're talking that way, here we are. But no, hire these kids. Like, these are the ones that show some aptitude, they show some interest. We should be putting them into classes. This is something I've advocated, the high school level. You can get cybersecurity certifications, go for your security plus or whatever, you know, and, and for the love of God, put them in, put them in morality and ethics classes.

A (15:00)

Yeah, put them in those classes and then institute school bug bounties. Right. Like, give them a chance to like, figure out what's wrong. Help us figure this out. Help us get better and, and rewarded.

B (15:10)

Yeah.

A (15:11)

For that as well.

B (15:11)

Yeah. One of my favorite gigs ever was, was basically like kind of chairing a hackathon at a local high school. You know what I mean? These are kids that are interested and really want to get into it. So bring them aboard. I mean, obviously we've got the insider threat kind of thing. Right? But you know, when we're talking about 12 to 14 year olds, you know, I mean, you know, they can be grounded, right?

C (15:32)

Maybe, maybe at its core it's an expression of creativity. It just may be in the. It may be in the wrong channel. So this was kind of channeling.

B (15:39)

I broke into my high school. They were running Nobel Netwear and AOL dial up. How could I not get into this thing? You know, it's your moral obligation.

A (15:46)

Yeah.

B (15:46)

I mean, have, you know, have fun with it. But, but the point is, is like, these kids show aptitude and, and I think in anything, if they're showing Aptitude. Foster that interest, right? Don't, don't slap. I credit my father a lot for this. You know, when he brought home very first computer, five years old when I was five, and I took it apart with a screwdriver and after he got home and got done whooping me, I put it back together and it worked. I didn't know how to use it, you know, and he's like, there's aptitude. Let, Let, let the boy go, you know, So I think it's an important one and I think they've got a real opportunity there to find those next information security analysts.

A (16:20)

You know what we have also an opportunity to do right now. Thank our sponsor for today and thanks to Drata for supporting the show. Leading security teams trust SafeBase by Drata to turn trust into a growth engine. Their enterprise grade trust center puts your security posture in one secure customer facing portal, giving buyers instant visibility into your company's continuous controls, certifications and policies. With AI powered questionnaire assistance, blast through inbound security questionnaires in minutes instead of days. Automate cross functional workflows and eliminate friction. That means less manual work and faster deal cycles. Win with trust. Learn more@safebase IO. All right, our next story here. Let's get into the murky world of policy and government institutions. Institutions here. CISA seeks control over cve. CISA has published a two page summary of its vision for the future of cve. And basically it wants to retain control over it rather than allowing it to transition to a nonprofit entity with multiple funding sources from public, private and nonprofit organizations, creating possible conflicts of interest. The old consortium model, Nick Cease's role in cybersecurity always seems to be, I don't know, a little bit of a struggle between trying to keep order within a chaotic culture while also, you know, keeping itself alive against various stakeholders. I'm curious, what are your thoughts with just kind of this latest call for SISA to retain the reins here?

B (17:50)

I mean, forget the open bar, man, we got to start paint on this one.

A (17:55)

Oh my God.

B (17:56)

This is. I have been vocal for the week. I have been vocal and rather pissed about this one. So I did an entire PowerPoint presentation on my YouTube channel on just why the CVE is one of the most important things we have in cybersecurity. And for the love of God, don't defund it. And then the next day they actually bumped it up for funding for nine months. So thank you. You're welcome everybody for that one. But the point is, is that this is insane. CESA'S core mission is to basically bring coherence to essentially a chaotic ecosystem. Right. I mean, think about the players here. We've got private sectors that have different incentives than a government. We've got federal agencies with a whole bunch of different mandates. We've got global actors with a whole bunch of different priorities and all, not to mention a whole bunch of different changes. Emerging technology, like, all this kind of stuff. And so keeping order in cybersecurity is more herding cats. Right, than walling off something like a CVE database. This drives me up a wall. And these threat actors are innovating left and right. I mean, we just saw the first AI ransomware campaign. Thank you. Prompt lock for that. This is a huge issue. Not to mention the fact that we've seen massive cuts at cisa, you know, mitre, you know, as well. I think this needs to be in the hand. Hands, basically, of independent agencies from any government, from anything that is funded by governments with a mandate to just leave them alone and let them keep this thing going. The struggle here is, I think it's a huge problem. The constant need to negotiate legitimacy right now is making cisa, you know, make more transparent. They're not transparent at the moment. In a way they've been previously. I think this is a huge problem for this as well. And. And again, they're doging everything. They're cutting funding for stuff, and this is something that cannot go away. And I understand there's other databases out there. You know, Google's got their own thing. There's, you know, there's others. But CVE is. Is that centralized place where we get on the same common page for threats and vulnerabilities. This one drives me up a wall.

A (19:58)

Yeah. To completely rip off Winston Churchill. CVE is the worst system, except for all the other ones we've ever tried. Right. Like, it's like, you know, like, when you have that mentality, it's Sometimes it's easy to be like, it is an imperfect system, 100%, but also a critical. Like. Like the highway system is imperfect. It's also a critical background. Right.

B (20:19)

Yeah, yeah. I'll take the potholes. If the road goes away, we got a problem, you know, and it's just, it's. Oh, it's beyond frustrating that. That this is even under consideration. And I think anybody that's in cybersecurity, you're using the CVE is in one shape or another because you're patching something at some point. And if you're not, then how are you in Cybersecurity, you know, so, so it's, it's a huge problem. It's just, oh, it's so frustrating to me.

A (20:43)

Well, and Jack, it has to be so frustrating because for something so critical, for, as a security professional, regardless of how big of an organization you are at, like, you're, you're like, this is. It reminds me almost like when you have like a, like a B2B data breach and as a consumer, like, you have absolutely no oversight over that relationship, right? Like, you're just, you're just a potential victim for it, right? Where it's where you're seeing the system that you need to do your job. Kind of being juggled around and left to the winds of policy at this point. Right?

C (21:17)

Well, there's that, but then, you know, there's the credibility, there's the maintenance, there's the speed, there's delivery. That is a challenge today for zve. But it has a certain amount of transparency that you can understand and you can interact with it, right? It's not behind some curtain. You can see it, we can understand it, you can contribute to it, you can make your own risk judgments on it. The fact that we came within a hair of losing it.

A (21:43)

Oh, my God.

C (21:45)

You know, from a sort of a security practitioner in a complex organization, vulnerability management is one of the most complicated workflows. We do 100% because, you know, we're not the ones that patch, we're the ones that discover, we're the ones that find. And we have to spider this information out, you know, so just the idea of losing the CVE database is like a. We decided to switch all the cold water taps to Gatorade. It's like, well, that's going to have some significant impacts. I understand it's got electrolytes, but a lot of things depend on that water being there. And you can't just turn it on and off. And government is fickle, right? And government's good at some things and bad at other things. And maybe it's more volatile now than it has been in recent past with cisa, but we know that CISA sort of rides these waves of build and maturity and retooling and funding. And the CVEs have got to be there, like the water man, and that's really important.

A (22:40)

All of this is hard enough when we have so few, like, fixed points to, to depend on, right? In cybersecurity, it's like CVE is at least that, right? It's, it's something, it's, it's Something we can all sort of agree on. And then like you said, bring your, bring your own context to. Yes, yes, yes. So I'm so excited.

B (22:59)

Absolutely. And for the record, Gatorade is what plants need. It is what plants need. Yeah, it's what plants need. It's got electrolytes. No, the. I agree, I. This one is just frustrating. And there are solid private organizations out there that show that you can all work together and get on a common page. I mean, aside Isaacs, aside, look at outfits like the Cyber Threat alliance, right, where you've got all of these threat detection makers, you know, Endpoint, EDR, firewalls, whatever it is, all sharing threat intelligence, you know, using a common platform. You know, we are better in cyber security when we are together, when we are not competitive. A rising tide raises all boats in our industry, most definitely. And it just, it drives me up a wall that this is even.

C (23:42)

Also think about multinationals, right? You need to have something that isn't co branded by the US or Canada or actually you need to say, hey, we all agree. If I've got to interconnect to your university in Australia, we're going to solve these six high threat number 10 CVEs. It has meaning, right, that transcends sort of what tool you're using, what workflow you're using and what your institution is. You say, love to give you your data, but first, these six CVEs have to be fixed, Right?

B (24:09)

Right. And if I'm giving a speech in Sydney, London or Riyadh, we all know what the CVE database is to that point, right? I mean, so it's.

A (24:17)

So you're proposing CVE as the universal language, that when we make contact with aliens, we should start communicating with them with a helicopter with lights.

C (24:26)

I think that's a whole nother set of vulnerabilities and we'll deal with that when we deal.

A (24:32)

Well, we know we just need MacBook, we need power Mac and we need Will Smith. That's, that's what we need. All right, next up here, Consumer Reports calls Microsoft hypocritical. Hey, let's be frustrated at a private company as opposed to the government this time. The company said that. The company said that. Let me just start that. The company said this because Microsoft is ending free Windows 10 support next month, saying it will strand millions of PCs that can't run Windows 11 due to their, some of their hard coded, you know, security requirements for that OS and pose national security risks. PIRG, iFixit and others joined in, arguing Users will be forced to pay $30 for extended support, buy new hardware, or face degraded security. Consumer Reports says Microsoft should provide free updates, citing survey data showing most windows PCs bought since 2019 are still in use and were expected to last through the next OS cycle. So, Jack, I need to check here from both. Real quick. Check from both of you guys. Big deal. Not a big deal. Real quick, just right off the bat.

C (25:33)

Jack, it's a big deal, but it's not a new big deal, right? Life cycle is always a big deal, Nick.

A (25:40)

Big deal. No big deal.

B (25:42)

I don't think it's a big deal, personally.

A (25:44)

Okay.

B (25:45)

You know, I really don't. 30 bucks and I get less AI junk, less ads. I can stay on Windows 10, you know, and not switch to Linux because I don't want Windows 11.

C (25:56)

It's the counter incentive is I'll stay on Windows 10 for 30 bucks if that means I don't get copilot.

B (26:02)

Yes, thank you.

A (26:03)

Yes, Paul, Jacques is after my heart. Here or go Linux. Yes, I'm sure every business can do that.

C (26:11)

Paul, Jacques is not running a hospital.

A (26:15)

No, it's real. I can just have a live cd. I'm sure all of your specialized medical equipment will run great. Yeah, we don't still struggle with sound drivers on Linux, let alone for a CT scan machine.

B (26:28)

Rich, you do know the old saying, right? There's the right way, the wrong way, and the Microsoft way, which is usually the wrong way, only a whole lot faster. And I think this is one of those scenarios where they haven't met a dollar they didn't like. Right? But I will gladly pay $100 to Jack's point to get rid of AI anything and extend Windows 10. Because I also don't like they made Windows 11 look like a Mac.

C (26:51)

But I mean, and that's the nice thing about it is, hey, there's a path here, right? They'd been doing it in the server space for a long time. And that really does help out a complex organization where you say, we know we got to upgrade, but we can't do it this year. Is there an alternative other than just writing off the risk? And there is. Well, yeah, you could put a little bit of dough into it. It's like, okay, we'll put a little bit of dough into it.

A (27:10)

Is this just a level of expectations? Like if it's set on the tin when you bought your Windows 10 PC in 2019, security updates only guaranteed through 2026 or whatever like that? Like, is that just a level of expectation? We've kind of dealt with that with on Android for like years. Right? It's like oh, I didn't know I wasn't going to get security updates after two years or something. Would that make it taste better? I guess in this sense, I mean.

B (27:34)

Personally I think planned obsolescence is one of those things that should be fairly subjective in the sense that like if I'm rocking a 10 year old phone and it runs Android just fine and I don't want to upgrade or to a new hardware, I should just be able to do that, you know, at my own peril. That's my personal opinion with this. But, but yeah, I mean it's a problem either way and I think that you know, you have a flexibility in the newer versions of Windows especially since post like Windows Vista where they really just got that what is it whql like the, the quality thing done with the hardware. Like I, I don't see why I couldn't just reinstall a copy of Windows 10 on a newer and newer software providing the driver supports there. So you know, I, I'm all for it. I'm all, I'm all for paying 30 bucks.

A (28:21)

There are, there are like, yeah, like it's not great but yeah, like you said, there's a path like that that is the least distasteful part of this I guess.

C (28:29)

You know, and maybe it's more about how you start buying stuff. Are you buying a computer to last five years? Are you buying an operating system to last three? You know, it just might be a mental shift about what you're actually buying.

A (28:40)

Or are you buying a future Linux platform? I think that's what Paul Jacques wants to know. I've pronounced your name different every time, sir, and I do apologize for that. We're going to move on to our last story real quick here. Reuters crafts phishing scam with AI chatbot help A Reuters investigation showed a variety of AI chatbots can be coaxed into creating phishing emails despite built in safety measures. Researchers including Harvard's Fred Healing tested emails generated by Grok, ChatGPT, Meta, AI, Claude and Deepseek with 108 senior volunteers. About 11% clicked the links. Bots could also advise on timing and tactics, revealing AI's potential to scale. It just seemed very helpful, right? To be like, hey, no, no, no, make this more urgent so you get better click through Jack, you selected the story. Kind of a classic case study in human nature, I think on multiple sides. What about this speaks to you?

C (29:35)

Part of it is a little bit there's a lot of AI doom and gloom inside the space and hey, look what it can do. And the answer is, well yeah, any tool can be dual use, right? So this tool is being dual use to do nasty thing against at risk populations. Water is wet, fire is hot, AI is going to write better phishing emails. The real question is and what's the counter to it? Right? And it just adds another layer. Back to your earlier comment about apparently you don't know how to use your tv. That's cool, that's cool. But you start have to increase in the savviness or at least the protections around at risk populations through education or other controls so people are more aware. But the only reason why A is being used here is not because necessarily AI is all that much better. It's because AI got really cheap, right? So it's a consumer level tool like auto dialers used to be. So I kind of think of it in that vein. It's the expansion of a criminal enterprise to where the, you know, the malicious market is going. It's not AA's fault, it's just cheaper and more accessible now. So of course it's going to be used and whatever is scary next, you know, in the next two years that's going to be used for phishing as.

A (30:43)

Well because it works in some ways this does kind of remind me like all those whenever a new chatbot comes out, there's always a story like it told me to break up with my wife or something like that. And it's like well you asked it like it's trying to be helpful to you. Like no, there was a spectrum and it's like if you dig into the story. And by the way, kudos to Reuters for their layout on this very, very nice layout. Check out. It was super slick. I do appreciate that. But you know there was a spectrum here, right? Like grok like did it, no questions asked. It was like yeah, no problem, I'm going to tee this up for you. Some of the others, you know, denied it. You had to say oh this is for research or you know, make some excuses and stuff like that. But so it's not a one size fit response to this. That being said, once you got it to cooperate they did seem to want to like punch these up. LLMs never not want to be helpful.

B (31:35)

Right, right. Well they're designed for that. But I, I kind of take a different tactic on this one or a different thought process here because I think in this case artificial intelligence being helpful to your point just kind of Lowers a barrier for entry for social engineering. Right? So, so, you know, they say, okay, you have a click through rate of 11%, which doesn't sound high, but scale that to millions and millions and millions of shotgunned out emails, you know, and recipients and all that kind of stuff. And I mean, the fact that like pretty much every AI system can basically be coaxed into helping you do something malicious, I think it's really honestly the issue that we've got, right, because we have ongoing user manipulation, whether it's phishing, disinformation, take your pick. I mean, AI is very helpful for anything. I literally written articles where I had it fill in the blanks on various things or, or have it lie to me to say, yes, I know who you are when it clearly doesn't, you know, ego bruising aside. So like, so these are things that like, you know, are, I think are, are really important. But AI isn't introducing basically a new type of cyber crime here. I just think it's supercharging it, you know, and I think that's, that's what we're grab grappling with. And to be fair, cyber security has been ringing this bell forever. You know, not that the tiktokers of the world care, but like, you know, we're trying, we're trying.

A (32:52)

You know, we're also trying to do. I don't have a segue to this, but thank you to our guest, Jack Kufal, CISO over at Michigan Medicine, and Nick Espinosa, the host of the Deep Dive radio show, our all star panel today. This was fantastic. Thank both of you gentlemen and I'm.

B (33:06)

Thrilled they were here as well.

A (33:07)

Thanks to the big boss man, David Spark making an appearance on the show and of course our glorious producer, Steve Prentice, always making the show spectacular on the back end. Man in the big board. It's a virtual big board. He doesn't actually have like a giant mixer in front of him. Spoiler. I don't mean to ruin the theater of the mind for anybody, but Jack and Nick. Jack, I'm going to start with you. Where can people find you on the cyberspace if they are so inclined?

C (33:30)

LinkedIn's the best place and the safest place for me.

A (33:33)

The safest place. All right, Nick, do you want to go a little riskier with where you want to send people?

B (33:38)

You can hit me up on YouTube. I may or may not be wearing pants slash Nick espinosa. And also LinkedIn works for me too. Come say hi, come hang out.

A (33:46)

Thanks also to our audience today. For contributing there having some fun. CCL and Paul Jacques, we were able to get some of your comments up on the screen. Love seeing the involvement here, the interest and hey anytime we get a call to install Linux on old hardware, it makes my old Linux hippie heart very happy.

C (34:07)

Yeah, let us know. Let us know how you like this new format by the way because it's yeah you you loyal participants are our best friends. So tell us what you think. Absolutely.

B (34:17)

And we'd all and we not only.

A (34:19)

Just what like about it what you.

B (34:21)

Would like to see maybe differently. We are by the way in the process of changes.

A (34:25)

Feedbackisoseries.com is how you do all of that. Remember to please join us next week. First up for Super Cyber Friday where the topic will be Hacking Security Theater, an hour of critical thinking about Complian checkboxes that don't actually improve security. And that starts at 1pm Eastern and then come on back for another episode of the week in review at 3:30 Eastern. Also mentioned for anybody who lives in San Diego, San Diego Cyber Group Meetup is happening on Wednesday. Yes, you can meet in fact the big boss man David Spark. And you will you will get an extra hearty pat on the back if you call him the big boss Man. I just made that guarantee for David. He may not be comfortable with that, but now I'm holding him. Remember if you want to register to join us live, head on over to YouTube, subscribe to our YouTube channel and you will get or you can opt in to get notified about each and every one of those. Thank you CCL for all of that. I hope you have a great weekend as well. And just remember if you want to get your daily news fix every single day CyberSecurity headlines about six minutes. We'll get you all caught up until the next time we meet. For myself, for Steve Prentice, for Jack, and for Nick and for the big boss man David Spark and indeed the whole CISO series organization, here's wishing you and yours to have a Super Sparkly day.

C (35:40)

Cybersecurity headlines are available every weekday. Head to csoseries.com for the full stories. Behind the headlines.