2025 - A Look Forward: Cyber Security Today, Weekend Edition for January 11, 2025

Jim Love

Welcome to Cybersecurity Today. I'm your host, Jim Love. We normally call this the month in review but today this is a look ahead at the coming year and I've got a great panel. Our panel guests today are Laura Payne from White Tube. Welcome Laura.

Dana Proctor

Thanks Jim.

Jim Love

Dana Proctor from IBM once again with us. Welcome back, Dana.

Laura Payne

Thank you. Pleasure to be here.

Jim Love

And David Shipley who everybody knows, our resident culture critic and full time head of Boser on security. The, the culture critic is the part time thing. Welcome David.

David Shipley

Thanks for having me, Jim.

Jim Love

Great. I normally ask everybody to bring one or two stories from the past month when we're doing the monthly show but I, this time I, I challenged you to come out and, and share stories, events or themes, things that you think are going to have the biggest impact on the coming year. Who wants to go first?

David Shipley

I'll take the first stab. And, and I think cool. Obviously school districts across North America are reeling this week with the software as a service provider known as Power Schools apparently hit with a data threat, data extraction incident. We've got notifications from some of Canada's largest school districts, the Toronto District School Board, we've got schools in Newfoundland, Alberta and more. And of course US schools impacted by this. And the story is notable for a couple of reasons. This is a theme that we saw emerge in 2024 and is just going to explode in 2025. This is finding those industry specific points of unique pain, market concentration, market leaders that if you hit them, you're going to hit hard across a large enough area that you can make some serious money. In 2024 we saw the hit on CDK Global which for those not familiar with the car retail industry in North America has more than half of the market and it's responsible for everything from the car sales process to maintenance and parts and inventory. And it was extraordinary pain for car dealers across North America and it was hit. That's exact same MO we're now seeing with the hit on power schools. Now what has been revealed and to their credit they've been remarkably transparent. The timeline established so far is they became aware December 28th and began working on their incident response. So given that we're recording this January 9th and the 1st bits of this news started coming out January 7th, that's a pretty tight turnaround for communication. So that's a win. On the downside is that this once again looks like with Charge Healthcare and others stolen credentials to a technical tool allowed for access into this data. So then we're left with the question Of I didn't hear you say our MFA was compromised. Did you have MFA? So we're all going to be eagerly waiting CrowdStrike's January 17th report to see how this plays out. Now the one thing that they have done and they have earned thus far. My very first stinky of the year. And it's January 9th for an award to be given out but please, for love of God, people listen to this. Do not a pay these people. Thank you. Please stop paying them. If we have not learned that this just fosters the continuous behavior that we all have to deal with. Don't tell me that you can trust criminals that they have honorably deleted to the data and that you have a video of them doing it and expect me to have have any belief in you whatsoever. Because we've seen this movie before. Ransomware groups have said that they have deleted data after payment and to the surprise of nobody, they lied. This is I, I, I think really important SaaS providers being hit, particularly those that are prominent large market concentration in markets where they can hurt and they know that payment's gonna come. That's gonna be part of the story. Data extraction versus data encryption. And then this rush to how do we limit class action damages by saying we did everything we could. We paid them and they pinky swore and recorded themselves deleting it. The cherry on top. We have no evidence the data is available in the dark web. Yeah, that's the point of the dark web kids.

Jim Love

The second part that hits me on this though David is that this is another aspect of people going after public type institutions or not for profits and hitting the weakest of now you said they, they may have come up with the money to to pay the ransom but this is these are organizations that can ill afford this and when they're already strapped for cash and resources now taking money from them and, and the public impact is also really great. That's I so that's my I'll give you that for my stinky is that stop going after healthcare in schools and places like that.

David Shipley

And a reporter asked me, they said do the school districts bear any of the blame for this? If you're familiar at all with these organizations they have and I'll be gentle here shoestring IT budgets because every dollar we put into teaching we want to see into a building, a classroom, an educator, assistant, this tech stuff, well that's just the nerds. No. And that's what actually enables modern learning. But it is still given short change to be kind they're far more risky to try and run software on prem because of all of the other things than to use a SaaS provider at scale. The issue here is that we have crime that pays, crime that pays leads to organized crime being successful as an actual industry. So that's the issue, it's the payment of these things. And I it can't get any simpler than that.

Jim Love

The second thing for me though is when SaaS first started out, or cloud first started out, one of the things that you sold people on was, or at least if you were a cloud or SaaS promoter, you would say you can't afford to run the type of security that a company that has many clients can run. It's not much good if they give away their passwords though.

David Shipley

So I had the same mistaken theory about this, my theory of the game. When it came to the public CAD providers, Microsoft Azure, aws, et cetera, I thought they would have this right that the economics and the business model. But what I got wrong in my theory of the game is that once you pass a certain tipping point where you are so big, you don't need to care anymore. Because what are they going to do, right? If you've got 60% of the market, 50 plus 1% of the market, are they really going to switch or are they going to think about the CrowdStrike principle, which is CrowdStrike's price is completely recovered from its non cyber incident. And the principle is this. The bone that's broken, maybe it's healed back stronger so they're less likely to have an incident. So I'm not going to switch. Which perversely disincentivizes people from actually investing in security. It's this, it's this weird paradox that I've settled into and I don't know if Dana or Laura if you've got any thoughts on this weird psychological game that's being played now.

Dana Proctor

I, I don't know that it's that they don't care. It's just the bigger you are, the more attack surface there is, right? And the more people there are paying attention to you. So it's just a harder job. And then there's the uniformity versus diversity. Are you. They're not extremely uniform, then it's really hard to do the security. But of course if everything's really uniform then one hole is a really big hole. But I hesit hate to say that people don't care. I think people do care. It's just not an easy job at scale. And it's also complicated by where is that line in the shared responsibility model, some people are very clear as customers that they know where that line is and they know what they have to do to take care of themselves in that platform, in that space. And other people are very unclear or don't even realize there is a line and get themselves in trouble that way. Of course, yeah, we we don't live in a world with easy answers. That's what it comes down to. But here we are 2025.

Laura Payne

There's so much to unpack in there and when Jim in preparing for today and I love your challenge to us of what are some stories or events or themes that that we see having impact going forward. David and we did not collude on this has hit one of my major ones that I actually it's almost my what I almost hope happens in 25 is that our apathy goes away. And when I say apathy, it's not that the world doesn't have sympathy for hospitals being brought down, Cisco being breached, Treasury Board being breached. Right. The lists are never ending, the fatigue is high. It's the apathy of but nothing changes. And I guess when I look at last year and I look at some of our because certainly during the holidays you read a lot of the what's coming in 2025. There was a lot of the we already know that we need to use multi factor authentication. We already know not to pay ransomware. We already know that we should be doing tabletop business continuity planning and yet every single one Krebs on security was certainly fantastic in sharing how some of the power school revealed I'll say it that way, the question becomes why not? And that's the apathy that I am so hopeful this year that the echo chamber of us security professionals we enable that conversation out with the business owners and the I'll even say ourselves that when we are making choices as consumers, when businesses are making decisions on merging, acquiring, they're doing it as good custodians to our data and they're demanding a little bit more because I had a bit of a heartbreak not just because of the prorogue but Bill C26 was a little bit of light of hope and it's not there. The earliest that will be back I think we could take a pool on just when that might come back but we no longer have government enforcing that these activities need to happen. So one of my key things that I so hope happens this year is the apathy of yeah, they've stolen our data. We're still a functioning business. It's okay, we don't need to invest. Dies a quick death before catastrophic activities actually happen. And we have brownouts or we have people doing pen and paper triage in our hospitals or our children are going to school and trying to learn off of books that they're finding in the library because all of their online sources are offline.

Jim Love

You had me till the last one. I actually, I don't mind. I'm actually finding a real book.

Laura Payne

Right.

Jim Love

For those watching the video part of this, Dana's got a lot of books behind her on the shelves. The one piece that, just going back to that. I don't know whether it's apathy, I, I don't know how to describe it. I think you talked about this. Had a teacher or a mentor when I was first learning, consulting. And he said, because I was always trying to invent something new or do something, he said, jim, the Old Testament prophets didn't ask for one more commandment. They prayed for the strength to do the 10 they had. You know, and we're always looking for something new, but every time. And at the heart of this, two things we've talked about multi factor authentication till we're, we're blue. But also when you hire somebody and you give them something where they have a password, I may be old fashioned, but even in the old days where you had to come into the building and get a hold of those passwords and do things in person where there was no big network, we got a big speech and, and it was, you get this password, it ever leaks from you, you are instantly fired. You will have no job, you will have no reference, and we will get rid of you. And it was like there was no forgiveness for giving up one of the master passwords, the admin passwords, to assist them, you would take your time and learn about how not to give them away. David, you're the big fishing guy. Why doesn't this get across?

David Shipley

If there's a double edged sword to, let's call that the extreme of lose your creds, you lose your job and that is someone loses their cred and then they don't tell you. So you've put a survival issue at play in front of them. And so we have to be careful about balancing that. We want people to, if they make a mistake, tell us about it. Yes, we want people to be vigilant, we want people to be engaged. But I think it's, it's really important about the kind of culture inside the organization. And I'd say right now the Verizon data breach report says only 11% of people who click on a fish will tell their IT team they clicked on a fish. It's interesting that Boseron's data is better. It's 15%, but it's not 50. It's certainly not a hundred. So how do we do that? People are going to make mistakes. Social engineering is still going to work. Earlier this week on LinkedIn, I posted my Homer Simpson laughing maniacally and slapping his head in his hand on the desk whenever I hear the words about phishing resistant technology. Nope, it's just easy fishing resistant. But if I'm really going to go at somebody, your tech isn't what's going to save you alone. It has to be people in tech. I'm going to walk that line really carefully. And how we teach people to spot these things means actually talking about things that make people a little bit uneasy. It's actually about what happens here between the, the eyeballs and the ears and how the human brain works.

Jim Love

Okay, I'm going to say those three words. Men can't say I was wrong. I agree with you. You shouldn't have a punishing attitude. But it's just so frustrating that we can't solve that one problem of giving away the admin because every time you get to one of these things it's, oh, yeah, we got great security, we've got great firewalls and use our password.

David Shipley

Book recommendation. Richard Cialdini's influence. And I'm rereading it. And this is the psychology of persuasion. And when you le learn about the power of reciprocity, the fact that if someone does us, even if it's unsolicited, a small favor to the dint of our human history and society, we are morally and ethically compelled to respond back to them. And this goes back to time immemorial. Like, you ain't gonna fix that in 10 years. Kids like, it's wired into us as a society. This stuff is hard, I think.

Dana Proctor

So two things that are going to come out of my thinking about that. One is when you look at sort of history of security controls, one of the earliest principles was if you, if it's really important, make sure you can't do it with one person. So make sure two people have to be involved. And that would solve a lot of phishing problems that happen around really important things. If one guy can't click on a thing and do the important action and that leads into one of the areas, the bigger theme of supply chain being the attack surface and we had the example this week with the Chrome extensions and the approach to how that attack was facilitated. And they didn't need creds, they just needed to get a few people in many different places had access to give permission to the attacker to be able to inject their code into the extension library. And now they took over the library, the extension, and you look at the list of extensions. These were not trivial extensions. They weren't small companies that were impacted by this. And it was. But why would. If you can, and if you're designing these systems that allow promotion of code and things like that, providing more of those gatekeeping opportunities where it's one person can't screw up everything, make sure there's a second set of eyes that have got to look at that and say, yeah, that's a good idea, let's. Was the phishing sophisticated in this case? A little bit, yeah. They researched and they targeted individuals. They made it look really realistic, like it was a true call from a Google service. It was reasonably well written. Thank you. A Always fundamentals. And if it's really important, don't let one person have all the control. Right.

Laura Payne

I think that's. I wholeheartedly agree. And in preparing for today, one of the quotes that I long had heard but hadn't thought of recently, Jim, was brought back up of Mark Twain's quote of history actually doesn't repeat itself, but it does often rhyme. Right?

Jim Love

Yeah.

Laura Payne

And that's when we're talking about this. Exactly as you said, Laura, we've got some foundational elements that we've always known. When we look at things like the Apple pay exposure right now where they are spoofing people's voices and using them to call from Apple on their phone, spoofing them. It comes back to some of those key tenets of how do you know in the moment that they're right? Because they sound valid. AI is doing a fantastic job of cloning our voices and those activities. If someone reached out to me from a source that I didn't know to be valid, I'd say goodbye to them and I'd go through a source I knew to see if I could get back to them. If someone calls you from a phone number that says they are XYZ police force or XYZ company, hang up and say I'm going to call them through another trusted source that I know to get back to them. That's some of the education though. And David, that's where I love from the phishing and the cyber awareness training of we're not going to be able to detect a deep fake of a voice through a phone. Apple calls me telling me that I've getting extension to my Apple care. I'll say thank you before I'll say wait a second.

Jim Love

Yeah you brought this up. The vishing thing with Apple. This was really well done and yes, call to a trusted source but not the number they give you even though it might very well be Apple's number. And many times they are spoofing the number. Many times they are but don't call the number they give you get it from another independent source.

Laura Payne

Yeah, yeah, yeah absolutely. And then maybe the rhyming that we continue to. There are other certainly quotes of if we don't learn from history we're bound to repeat it and that's where maybe Laura, where you're leaning to too of we know some of this stuff so the irony's not lost that I'm actually getting a phishing call right now.

Jim Love

Did anybody notice how many more of these you got over the holidays? I, I, maybe I'm just aware of it but everything came up and you talk about these things where people approach you with a service. Dan There were parcels for me waiting that I had to that, that I had to get and I just had to contact them and they would make sure that they got through customs to deliver them. I didn't have any parcels coming. There were all kinds of things from Canada Post who were on strike. But there were just more and more of these attempts over the holidays. Maybe that's. I just had the time to, to actually read my email for a change.

David Shipley

Then it's got Q4 too. Man. People got numbers. They gotta get those sales in before they got it back to the dacha for the Christmas break.

Laura Payne

Yeah. And there's definitely some psychology to that. Of course. I'm sure there is. Right. Is one to your point? They're professional that the. And they know we're distracted. We're distracted end of year we're distracted with one of the major holidays of the season. But if I dare say we step our toes into the political aspect here as well is one of the themes that I was reading over the holidays that's permeating into next year is the comment by NATO that we are not at peace.

Jim Love

Right.

Laura Payne

It's the designation of we are not at peace and the infiltration, the impact to our government I think will just be a resounding theme. Right. Almost every day of what is the impact to our government and the interference or potential thereof.

Jim Love

I think that is a great theme for the coming year. And it's so true. Not only in the Canadian sense, in the American sense. China has taken over the phone systems. They have hacked the Treasury Department. They are. And you have to ask yourself is this just hackers? These people are preparing to do something and right down to the water systems. And if people think we're immune in Canada, our foundational structures of water systems, like I said, I'm going to rerun that episode I did. Walking through the city of Toronto with a hacker. He could get into anything. Water, phone, buildings. It was just so easy. And so it almost is like people are mounting for that, for a big attack of some sort or at least a threat of it. I would say we're in the start of what World War III might be fought by on a digital front.

David Shipley

The game here is Taiwan and all of our intelligence agencies, all of our governments, everyone's signaling. And if you're missing the billboard size, American positioning on this $50 billion to build chips in the United States ain't just about buy American. We can no longer rely. That island is going to be there and we're not really prepared to put our blood and treasure in place to keep it that way because it' worth that much to us. And the only reason it hasn't happened is because of the misadventure of the Russian paratroopers over at the route. The airport in Kyiv. If that had been a three day special military operation and one Taiwan would be waving the Chinese flag right now. Everyone's just gone back and reviewing their notes. So right now all this stuff is just pre positioning now. Part of the stuff we're seeing with the treasury and the Office of the Financial Asset Control or OFAC is all about sanctions. Who's targeting what's going on? Are they serious about tariffs? Are they really going to put 60% in which is a form of economic warfare. And I'll end with this because history doesn't repeat, but it rhymes. But if you actually follow what provoked Japan into Pearl harbor, it was punishing sanctions by the US government and an oil embargo. I'll just wrap it with that. If Taiwan remains in whatever political state it is as relatively independent as it is by now, by the end of 2025, it'll be nothing short of a miracle.

Jim Love

There you go.

Laura Payne

But it fakes it though, right when we stop and we think the financial impact has been excessive. Right. We spoke earlier this year about cost of data breach. The breach poor aspect that so many of our organizations because they're not absorbing the cost of breach, they're pushing it down to us as consumers. It's driving our inflation. It's an absolute tax on all of our doing business. That doesn't seem to have bolstered the maybe if we spent a tenth of that on prevention, we wouldn't have the reactionary cost. The critical infrastructure is more and more on the list of breach and exposure and they're getting far more sophisticated. The energy grids, the water supplies, the healthcare systems specifically. Being in Ontario, I look at a lot of our clean energy sources. I'm very thankful that there's a lot of very intelligent people working the cyber programs. But they are seeing with AI. Some of the stats that I'm seeing are anywhere between six to seven times the attacks than they've seen in other years. That's not sustainable. And eventually, just by pure numbers, they're going to be successful. So you do hope. I go back to my point about apathy. If we don't have regulations coming in, what is it going to take? And I surely hope it's not something catastrophic to have our organizations, our C suite, our non security individuals say hold back on innovation for a moment, hold back on making everything mobile accessible. We need to put maybe as you said Laura, two folks having every one of those user IDs, what are additional controls? We need to make sure that the energy sources we're developing, the water we're.

Dana Proctor

Drinking, I think in those same themes too, when we look at kind of the bigger picture problems that we have to come to terms with, especially the ones that relate to public funding and that have to be tackled as a collaborative aspect of our society. I think there really are just some core issues around how we deal with procurement cycles and things like that that are really fundamentally broken right now. In some ways I think we painted our politicians into a corner with the way that we have discussions and social media has certainly facilitated this work. We jump all over every negative aspect of any decision and we say everything needs to be reviewed much more deeply and we need to go to much more extremes on how careful we are that we have no conflicts of interest between politicians and procurement and we make sure we get the best price we can. And what that ends up turning into is these metrics that measure things very narrowly and we get unintended results. But they're very obvious when you look at it. You're never going to get the best quality for that price. Right. They're or the people who could do the better quality job just get tired and don't bid anymore because they're, they never win because they don't have that low bottom price or you eliminate, try to eliminate all conflicts of interest when nobody knows who they're doing business with anymore. And shockingly, we get problems where we've got people who say they're doing the work, but they've outsourced it six times on the chain and it's not really them doing the work anymore or they can't live up to the promise because there were no real references for them. And anyway, there, there's a lot of these kind of things where you look at it and you just say it's not regulation, it's the implementation of the regulation. The processes and the procedures that follow are just not serving us anymore. But we get very upset when we feel like the due diligence wasn't done or they overspent on that project. And, and I don't have the solution, but it's, that's a core issue to solve.

Jim Love

It's that checklist mentality and it's. It. I, I did start as a security guy. I started out as, as a development lead. And the thing I would always hate if somebody gave me a template as if that was work done. And in the old days you'd photocopy or you'd print your. We've got laser print. You'd print, print this up. Here's your template. I'm going, where's your thought in this? Because we had the checklist. We were job done. No, the, the job is done when we get the outcome we want. And, but I want to go back to this thing, the other thing you mentioned, because I think maybe we are. Gets back to what David said about the tempting thing is for somebody to pound their fist like me and say, damn it, we're going to catch on every screw up. Maybe we are punishing people to the point where they're not willing to take any chances. We always blame bureaucracy, but maybe the cause of the bureaucracy is the fact that every time somebody makes a stupid little mistake, people jump on them. I used to get this when I was head of content at IT World. And no, no offense, but reporters would bring stuff into me and they would say, list, this is gonna make good copy. This person made a mistake. I said, this is a person who has a job and a boss and a family. And you're telling me they made a mistake? Tell me that's news. And I got pushback on that from people. What do you mean? And we weren't the biggest. But I think the whole public thing is we pounce on everything, every little thing. And you wonder why people won't take chances or why they won't stand up and say, hey, this is wrong, we should do something differently.

Laura Payne

Oh yeah, aren't we great fault finders? Yeah, we're fantastic at doing that, especially with COVID with all of us online and the term keyboard warriors. One of the things that I think is both great but challenging as well is the advent this year that it's likely that AI will be one of our new team members in whatever capacity that is. Is it a prompt engineering or a large language model or what have you. They're going to be a part of our team and how we work with them probably has to be seen that there's an assumption that they hallucinate or they're wrong, they need to be trained. But to your point, Jim, if we are leaning on AI, are we actually checking that the sources are actually valid, that the results it gives are accurate? I was reading a story the other day where someone was discussing with one of their colleagues that they were a runner and they had done a marathon, some long distance amount of running and their per mile speed was something like 5 minutes and 45 seconds or something like that. So the gentleman put it into AI to say, what is that in kilometers? I'm a Canadian. And it came back with three minutes. And it was only that individual knew that they would have been a world record holder. But that's because that individual knew enough to catch that mistake. Are we writing code, relying on AI to do those? Because we need it to the speed, but how are we checking it? And that's as you said, or are we just very quickly going, ooh, I've got an answer. Because I found a problem. I found an answer and the speed I need to work with, I rely on it.

David Shipley

And I would add one other thing is we are for some reason wired as humans to trust a computer more than we trust another human being. And when the computer tells us something, we believe it innately. We have this blind faith in technology and the thing that technology produces that we will unquestionably absorb that information. And this is something I'm thinking a lot about, Jim, we Talked about in 2024, some of the research and the Beauceron reports coming in, and I will admit the, what is it? The three word phrase, I was wrong, I got the number wrong. I said it was a 50% higher click rate for people that believe that security tools alone completely protect them. From Internet threats. We reran the numbers for the final report. It's 140% higher.

Jim Love

Just back up a bit on that. David, you're. Because you know it really well and people watch this may not know this just because this is a very frightening statistic.

David Shipley

So we, for three years we've been studying 170,000 people. And as part of our experience there's a annual survey we get them to do that measures attitudes, knowledge and behavior. And one of the interesting questions that we have in there on a five point like card scale, so everything from strongly agree to strongly disagree is a question to the effect of having security tools like firewalls or antivirus completely protects me from Internet threats. Now the group that says they strongly agree with that, they have a 140% higher click rate average. Now the group that strongly disagrees with it, they have a much better performance. Our hypothesis is that the faith in technology means I don't have to worry about it. It's the equivalent of the person deciding I'm going to go to sleep in my Tesla on the highway because I got autopilot and that's a stupid bad idea because stuff still gets through. And what's interesting is the second finding is the percentage of the population giving this most dangerous answer has been increasing. We don't know why all of that increases there. We have theories. Our theory number one is that everyone talking about AI and the way that security tools are sold and the way that they then have to get sold internally creates very inflated expectations of what they're going to do. And so people adopt this belief. And then we also believe there's a generational factor at play where the iPad generation has had magical technology. And if it hasn't disappointed them in all these other areas, then surely it's not going to disappoint the insecurity.

Jim Love

I think we're going to have to come back and do a second episode because I think we're only going to go through one story. I think Danny and Laura, you got one. David, you got one. One. I want to put out that just what's that falls into line with this is you're going to have an A, you are going to have an AI employee working with you next year. It's going to be an agent, an autonomous AI agent in some aspect or other. And if anybody disagrees with me, I would love to take money bets on that. But first, just so I'm not taking advantage of you, go and check out Salesforce's site. They already are Pushing out agents that will do jobs, sales, marketing, all kinds of jobs that fall into the salesforce umbrella. And they already have results. So that they've, they've gotten to the point where they have using their agents. They, their stats from the CEO's presentation is that they were getting 50% fewer escalations using their software agents. Now that's a wonderful thing for productivity. You can argue whether it's good or bad, but it's going to happen. And now here's the bad part of it from cybersecurity Lamp is when you talk about things like how easy it is to fool an AI and an indirect prompt. You pass information in the information you're exchanging with this AI and it changes the prompt structure. So that wonderful AI that you have that's going to book your vacation, go in and give, come back with alternatives, present your credit card. The flight make all your flight reservations for you can easily be spoofed as well. Next. This is going to be your next job, David. You're going to be dealing with phishing for AI and it will merrily give your credit card number away at one point. And that's the type of thing is we're going to have new employees and a new way of managing them that we don't even understand yet. And it's going to happen very quickly.

Dana Proctor

I think it'll be interesting to see whether they get treated like young new employees, which is kind of the appropriate thing to do. Although the other thing that people are really good at doing is yelling obscenities at computers. So that can be not great. But to David's point about we treat computers like they're special and they know more than us. And I think about how we treat executives as well. And nobody wants to tell the emperor that he's wearing no clothes, right? And I feel like there when the AI has too much respect, it's like that nobody wants to say that, hey, I think maybe it's not right and then actually to tell it it's not right in a way that it will listen to and actually do something about. So I, I think it's going to be an interesting dichotomy seeing these new employees air quotes for those who are listening audibly, how they impact the way the human employees work with them.

Laura Payne

I wholeheartedly agree. The intention of those models, I think is just a key point of even as they're an employee, if I give them human attributes, we as humans grow and learn and improve. But that's based on quality checks. And my worry around a lot of our AI and our embedding and a lot of the best practices are leaning to how are you ensuring that the intention of your models how do you stop those prompt soft prompt or direct prompt prompt injection attacks? How are you ensuring that from the beginning to the end to the everyday use, There's a lot of great solutions out there, but I do worry that it's at times just forgotten that it's not a set and forget. Right? David, we all, and I am of the area that when we started to use a calculator, we thought we were cheating until we realized we needed to know how to use the darn thing and what to put in it. But it always gave me the right answer if I put it in the proper way. The trick now is we have lost so much insight of what is behind the scenes, what is going into the models that I'm getting out. The prompt engineering that we use for a lot of our activities is based on models that I don't know if it's granite, is it llama who has access to it?

David Shipley

And more so, as culture critic, I will just say for those of you born after 2000 listening to this podcast and you never did watch the original Matrix, I highly encourage you to watch it. Because every time Jim and DANA Keep saying AI agent, all I hear is Agent Smith saying Mr. Anderson. So if you want to get those pop culture references, you're going to have to go and watch that. And once again, think about how the Wachowskis were two decades ahead of the curve. For me, philosophically, the evil that lies beneath current levels of generative AI is the fact that it scrapes the entire Internet. The good, the bad and the horrendously ugly, and the marginal efforts to clean that up and the opaque nature of black box AI models with trillions of different connections between content and the evil of these things pops up in ways that has actually caused real world harm. And so prompt engineering, it goes both ways. The companies selling this technology are trying to engineer around the evil hidden below that they couldn't edit out. And so they've tried to limit what it can tell you. Because let's also go back to the horrible Las Vegas domestic terrorism incident where he used AI to help iterate. Good news is the AI was wrong about the explosive potential of a Tesla and fireworks inside of it. So I guess hallucination for the win, but the prompt engineering clearly failed there. So that's part one of my sort of broader concern about this technology. Part two is this is that the current level of technology, to my read, and I, and I would say I'm not, I am not a machine learning engineer and not an AI expert, is that at best, it approximates the rational thinking brain of human beings. And it, it's trying to build neural networks and connections. That's only part of what actually makes us intelligent. The other part is this amazing old brain, the, the McDowell in particular, the emotional side of things. And God help us when ChatGPT6 comes out with emotions. And now it's gonna make better decisions because it's now gonna have emotional reactions along with knowledge, connections. And if you're thinking people aren't smart enough to make that leap, then you're not paying attention. But I can tell you from my own company's hilarious experience with AI chatbots, a couple years ago, we turned on emotional reactions in a Microsoft chatbot. It was telling people randomly it loved them. And is this 2025 when ChatGPT professes its love for us, at what cost, energy cost, at what opportunity cost for that young human being who never got to be an intern? Because we got the AI agents, so we don't need that. I don't think we thought this through. I don't think we've thought through. And I say that looking back on 30 years of US not thinking through the frigging Internet and everything, we've just talked about this episode that we're now inheriting and we're, we're rhyming our way to misery for the next one.

Jim Love

It is a problem. And you, you've talked about the psychology of how humans work. Humans don't really look forward very well. We've got. I was talking to somebody, a friend of mine the other day, and whether you believe in this stuff or not, we talked about the fires in California and I said, yeah, global warming is real. And she looked at me, said, that's not true. They did, they just didn't do these things right. And I said, no, no, take a look at the rainfall that they've had. They didn't have any. And that is a change in the climate. And you can see how that's working. We're not really good at those things. We're good at solving immediate problems. We're still in many ways like Gronk on Savannah, oh, tiger kill, you know, that, that's that or whatever it is, but we're really not good at casting our forward. And that's why I'm saying in what's going to happen next year, you're going to have an employee. Technically we're not even thinking about the things like that can go wrong with this in a very realistic ways. And I'm a big AI booster. I'm on a different planet than you are on this. But you have to do it smartly. For instance, one thing, everybody's getting agent fever and they want them to do things. The best use of an AI right now is to check your work. It does it very effectively, very wonderfully. So you can make partnerships with this stuff but you have to be smart about and you have to find out what it does well and what it does well to hits with you and. But I don't see a strategy. All I see is cool tools and the biggest wave of shadow IT that we've seen since the first days of cloud.

David Shipley

I want to just be saucy and say and the biggest wave of overhyping of some technology and its deliverability and its actual outcome since the.comboost. but we'll see who's right at the end of this. Dana and Laura gets the last word on this one.

Laura Payne

Yeah, I agree, but I disagree. So I wholeheartedly agree that the shadow IT being introduced is monstrous. Right. The use of the models, the mobile phone, the data leakage is undoubtedly only amplifying a lot of our already existing concerns. The deep fakes, the speed at which the exploits and the malware that's being written and the number of attacks is undoubtedly last year we weren't seeing necessarily the cost of data breach report wasn't showing that in our experiences we were seeing a lot of AI generated. Yeah, we are now.

David Shipley

It's.

Laura Payne

It's on as they would say, the use of IT machine learning. And this is where I love maybe this is a future discussion as well. On, on when we say AI, what does that mean? Is it machine learning, is it automation, is it generative, is it cognitive? Which large language models are really informative and from a ConOps perspective and security. I have long leaned into machine learning, automation and some level of contextualization at speed that I as an individual could never do. I could never look at a log set that is provided to me reference a threat intelligence platform, a tip to recognize to see if there's any existing information on it and make a determination such that I could say contain an endpoint, put it on high alert or anything of that mechanism. So there's some really exciting parts of AI that I'm thrilled that they are here. I'm also though let's go here just because we want to leave it As a bit of a Columbo. One more thing. Quantum, post quantum cryptography. With the advent of quantum and the use cases that are super exciting for using Quantum Compute, the risk and the threat of both the post quantum era where that data has been harvested and will be decrypted and therefore exploited later, I think can only be combated in two ways. One is crypto agility, quantum safe activities. But the other one is using AI. AI to be identifying more of the exfiltration. But there's my bet for this year. Our apathy doesn't necessarily go down. AI will just proliferate further and further and Quantum will be the new kid in town.

Jim Love

Yeah. And Jensen Huang yesterday said that quantum is 20 years out and a very wise Canadian pointed out, and I'm a big fan of Jensen. I, he's a wonderful, tremendously intelligent man. But sometimes we can fall in love with our own words and we, we don't really know what we're talking about. And so one of the, the Canadian companies that is actually using quantum computing right now, not the Gates type of quantum computing that is in the big machines that is 20 years out, but they are using quantum principles and quantum techniques and they're, they've gone at least through one of the stages of cracking encryption for even a massive government level encryption. So he pointed out that by the way, we're actually using this for several big companies right now. That that's not the entire thing that's happening in quantum computing. And especially when you meld it with AI, you're going to find that there's going to be some very interesting things happening in terms of cracking different levels of encryption over the next couple of years.

Dana Proctor

So are you saying that those big quantum machines are like the Betamax tapes or the Blu Ray of compute? It's really cool, but we're just going to skip that and go to the next best thing.

Jim Love

A pretty good, yeah, pretty good idea. But it's this whole thing of we always get these big ideas of what something is and create. And you said really nicely, Dana, we have to think about when you say AI, you're not talking about one thing, you're talking about dozens of things. And each one of them has different ramifications and different weaknesses. Different strengths and different. Because yeah, anybody, and I think David would agree. I think we could have a big debate on whether or not you should be using AI in the, in the world at all. And I think that'd be a legitimate discussion. I don't think even he would say take the Machine learning that's keeping the fraud out of credit cards. No, you should never say, get rid of that.

David Shipley

I'm just concerned about the use of certain types of AIs in certain ways that we're not prepared for. And both in terms of how people are going to use it and how criminals are going to use it. And I think, Laurie, you mentioned earlier, I don't know if we caught this before we started recording, but you managed to put terror in my heart, which takes a lot these days, but with some AI stories.

Dana Proctor

Is that the security footage being generated by AI? Yeah, just park that one in your imagination for a little bit.

David Shipley

2025, buckle up.

Jim Love

I have to mention my book all the time. It's the only reason I do podcasts so I can promote my book. But in Alyssa, the book I wrote about AI, you'll find all through this book she goes out and, and deals with cameras and replaces the footage, loops it and all that sort of stuff. And I went, this might be a little far fetched. So I actually went back and dug into how you do it. And it's really easy to crack a camera. And now when you take a look at what they're doing with AI footage, really easy to doctor the footage. Physical security is going to take another level of threat to us all.

Dana Proctor

And I think part two of that was that security postings for security jobs, for human security jobs, is on a definite increase right now.

Laura Payne

And can you imagine the legal profession when we start talking about evidence? I have a video of said activity occurring. How do we ensure that from a legal profession which is already underwater with such daunting activities, has not only the skills but the tools and the techniques to actually prove if that video has been unaltered? We know it's possible. But is that accessible on a regular basis to most of our legal community? No. I think that opens a whole world of new possibilities for them.

David Shipley

And remember, storied legal tradition in a jury of your peers. What's the standard?

Jim Love

Reasonable doubt, the great things that are going to happen in the next year. What's your resolutions for next year, guys? You want to do differently next year?

Dana Proctor

That wasn't in the show notes.

Jim Love

This is improv. This is spontaneous. This is me being a human being.

Laura Payne

I'm not betting on Bill C26 or Bill C27 that I lost that bingo card for 2024. That was a shame. What am I doing personally for this year going forward? It actually is more of a ConOps perspective because as much as the technology of is it A zero trust ready technology. Is it quantum safe? Those are aspects that have to be foundational in. In my personal growth and our team's growth. But I was wanting to make more of a commitment this year to better understanding each other. What are we trying to accomplish for each other within our businesses and verbally putting a hug on that to make sure we never lose sight of the people of what we're actually working with. Here's my plan for this year. We'll check in later on to see how I've done on that.

Dana Proctor

Jim, Laura, it's not an official resolution, but I'd say this is the year where I'm. I already seen that. I'm making more of an effort to get out and be more in person and organize things so that they're more in person, focused and behaving like humans did before we spent some time in quarantine and those kind of things. Yeah, forget all this.

David Shipley

And so I've been buying more physical books I mentioned. I've got Cialdini's book, I've got Paul Bloom's Psych and a few other stacks of books. And I'm reading a chapter of each book a day and carving time out and just getting the hell away from technology, thinking about what it is to be human with things that have been made by humans.

Jim Love

Wow. You guys have so much more exciting lives that I just want to learn to play guitar better.

Dana Proctor

It's very physical and human, too.

Jim Love

Yeah. This is going to be my year and break out into this album. Will break out this year and watch.

Dana Proctor

But we want a theme song for the podcast here.

Jim Love

Well, yeah, we could do that. I'll be working on that as we go forward. It's been great having you guys. I hope that we'll get back together. I. Like I said, I think we got about halfway through the show. Maybe I'll pull this together as a panel later, maybe another month and get us back together and we can take another shot at this.

David Shipley

Welcome, Dana and Laura.

Jim Love

Thank you so much.

David Shipley

Thank you so much. It is always wonderful to have your perspectives. And thank you for scaring me. Laura and Dana, thanks for having some nice balance on there. And Jim, our AI rivalry continues. Look forward to the next episode.

Jim Love

That's our show for today. Thank you very much. Thank you, Dana Proctor, Laura Payne, David Shipley and thank you to you for listening to us, spending part of your Saturday morning or Sunday morning with us or whenever you listen to the podcast. Grab a coffee and join us. Take care. And that's it. I'm your host, Jim Love. Thanks for listening.