
In this episode of Cybersecurity Today, host Jim Love is joined by roving correspondent David Shipley to discuss his experiences at the BSides and RSAC conferences. They dive into the significant takeaways from BSides, including highlights from...
Jim Love
Welcome to Cybersecurity Today on the weekend and my we have David Shipley now he's not a co-host, he's a roving correspondent. I always wanted to do this. We got a reporter from the field, David Shipley, over to you. But you've been at BSides and RSAC. I always thought it was called RSA but it's RSAC, right?
David Shipley
It just was renamed this year to RSAC and the C is supposed to stand for community and culture and conference and so yes, RSAC is brand spanking new.
Jim Love
I was hoping the AC was for acronym. Right.
David Shipley
I was just glad it wasn't RSA AI. Dear God.
Jim Love
We know your passion for AI David. So let's start with. And I was really glad we could do this because a lot of people can't get down there. It's a big deal for travel, it's a fairly expensive trip too and the hotels are not cheap but even if you can it's a bit of an investment of time. But you've been down there. So I wanted to cover what happened, what your observations were, what you saw, what you learned and some of the things that we can maybe do a little pre research for our shows coming up to see some of the guests we might invite or some of the topics we might be looking at in the next year as well. So that's that. That was my intent for this weekend show. Can we start with BSides? I have to say this, maybe I'm just losing it but I really didn't know anything about it until you said you were going there. And then I started to look up the website. Interesting place. Can you tell us a little bit?
David Shipley
About BSides, the BSides conferences? And I can't remember if they got started in Las Vegas or it was San Francisco but it was the other conference to some other major industry conferences back in the way and they've been going for a couple of decades now and they appear in your local communities. In New Brunswick we have BSides Fredericton, Halifax is BSides Halifax, or BSides Regina. And what's really awesome is that the, this volunteer sort of community driven organization helps the industry really create these events in a box and for many speakers it's their first time and we think about how we do skills development in this industry and build people up. This is such a tremendous moment and I can tell you like there, there have been some just outstanding talks there and again a lot of people don't get to get in front of DEF CON or Black Hat in the US or SecTor in Canada. And you'll often find that there's some really great speakers that never made it there that were totally worth your time. BSides San Francisco, I was excited. I we didn't have a booth. I didn't have to go work it. I was going for RSA to a number of meetings as a startup with clients, business partners, investors, all that fun stuff. And so I told my team, said, I want to go on the weekend and I just want to be a nerd again. No one knows me there. I'm not that famous. I can just disappear into the crowd and see some amazing folks. And occasionally, like these larger ones will also bring in just some rock stars like McAlpine from the electronic.
Jim Love
And by the way, I know what it's like. The groupies for this program are incredible. I'm sorry, but it was. I thought it was really cool. You had a picture with a fan there in like thousands and thousands of people. You've got listeners of the show there. I got to get outboard and meet some people.
David Shipley
Let's talk about the RSA media thing in a bit. So I got there, and as far as BSides go, like, this is one of the larger conferences. Over 2,500 people at this particular BSides over the weekend. And they took over the Metreon theater, which is near the Moscone campus complex that RSA takes over for that week. And they had lineups for every single talk. And I had a chance to catch quite a bit the one session that. There were two sessions in particular I mentioned on the show earlier this week that just jumped out at me both for the quality of the presentation, but the nature of the content. And I'd be happy to go into those two shows.
Jim Love
Yeah, that's part of the thing. I do want to talk about those. The speakers you saw, and particularly new things. These are the shows where you hear about the stuff we're going to hear about for the next year.
David Shipley
I think the first one that obviously jumped up was the CEO and founder of the company that made TruffleHog, which is one of those network packets, differ kind of companies. And he was giving this talk on the AI Apocalypse. And first of all, I just want to give Daniel Ayrey a shout out because he incorporated these AI rap mixes of some of the things he was actually talking about. And they were funny. They were actually lyrically decent. Jim, I'll give the AI a check mark on that. I'll be a little harder on it later. And then throughout his talk, he really did one of the clearest, cleanest explanations. And I've tried my best to follow some of this conversation on how large language models work. But one of the things I didn't know or hadn't fully realized is that in this whole statistical mapping of word relations, when generative AI is going to put together what it thinks is, the best response is this notion of a three dimensional space. And so the linkages of the words and the strength of those linkages and the distance between those linkages is part of how this calculus happens. Which is fascinating, right? Because for me, I've been doing a lot of thinking about the human mind, how we evolve. Spatial understanding is actually critical. Physicality is critical to how our brains actually work. The bots are mapping things out in this kind of geospatial way was fascinating, but that wasn't the key point. He pointed at this great research paper. The name of the paper is eluding me, but it's in the show notes from last week. We'll make sure to put it in the show notes. He pointed to this really great academic paper that talked about this issue of the 3D mapping and the AI guardrails that exist inside of these models can be found and that they exist as a single direction inside that three dimensional space.
So if you've got an AI guardrail that says we're not going to let you make a nuclear whatever, and I'm purposely avoiding that so we don't get filtered by poor AI content filters for podcast things, which is the exact same reason, interestingly enough, why in Daniel's presentation he did not say the other part of nuclear something. So they were trying not to do it. But it was interesting because it got the ire of the community. Their back started to go up a little bit when they thought, okay, what people are being censored. But it was because we're trying to work around the non-human AI censor bot. But anyway, the point being the researchers are able to find these guardrails. These guardrails could everything don't create malware. And Ayrey's point was you can build really effective worm factories and command and control infrastructure using existing tech. And so his whole point about the AI apocalypse is it's closer than you think. And he had this great chart which I thought was phenomenal, that showed the impact of different worms and the cost. And then we go back to NotPetya, it was now into the multi billion dollar cost. Remember the one that started in Ukraine?
Jim Love
He was describing a worm.
David Shipley
So he with AI, he was describing how easy it is to create like.
Jim Love
He was laying out the cookbook despite guardrails.
David Shipley
Just what we. Because purposely you could go and find the guardrails and just remove them and build your own with not that high level of difficulty. And I think that's the point that I was most impressed with at BSides. Whether it was deepfake creation or malware creation. We're not talking PhD levels of brilliance here to be able to figure these things out.
Jim Love
Oh no. I'm surprised if he says he can find them and disable them because nobody knows what's happening in these models. And as a matter of this is one of the problems that we have is if you take a look at it was Amodei from Anthropic was talking about this. And Anthropic is one of the companies that's trying to actually do some stuff on safety. They're the best of a bad lot. I don't think that there's a great amount there, but the best. They've been trying to map the neural networks and find out and they've been able to track a little bit of sentences. And this is why this 3D model is actually a better way of thinking about AI than what we usually think about. It's a complex model, next to impossible to understand, easy to fool.
David Shipley
So the paper already laid out how to do this. Now, they looked at a particular. I don't know if it applies to every single model out there, but they looked at multiple models that were available to go and do this. And fundamentally I think what this gets to is the guardrails that are built into these large language models are superficial. Right. They're bolted on after the fact. The fact that this material was trained on the widest possible data set, including how to make a nuclear bomb of a certain kind, that was interesting to me because what it was saying was that he was showing this up-and-to-the-right graph which the startup founders the. That's the catnip, right? We love seeing those up when it's malware and its malware losses compound and increasing from the Morris worm to NotPetya. With that he was able to say chart shows that already multi billion dollars of damage have been done by worms. So therefore AI chained this way can be a multi billion dollar damaging event. Which was interesting because California, there was a lawmaker here that tried to pass a law to say these AI makers would have to be accountable and would have to demonstrate additional safeguards if they were going to build something that could cause a half a billion dollars worth of damage.
Jim Love
And Ayrey was like, never going to happen.
David Shipley
Yeah.
Jim Love
And because the next thing they'll be going after the people who run social media networks and accountable. Let's not live in a fantasy world.
David Shipley
So that legislation did get vetoed by the governor. It did not happen. But it was interesting to say this wasn't some hypothetical that the politicians were worried about. This is laid the groundwork of the irresponsible behavior and gold rush attitude towards this technology is setting us up for a lot of pain. And we'll get into some of the talks at RSA that were broadly supportive of how AI is being integrated into the tool set of adversaries. But. So Ayrey's talk was really good. And what was great was it's really approachable. So I thought it was great. His delivery style was phenomenal. But the next talk that really jumped out to me and obviously I have been a huge fan, speaking of people who have fans. But the Electronic Frontier Foundation, EFF, the.
Jim Love
Only big organization that came out to defend Krebs.
David Shipley
Yeah, yeah. And we're going to talk about Chris because he actually came to RSA and moderated a panel and was warmly received by the community, notwithstanding the fact that this week, in a. An escalation, they yanked his version of the. The Nexus, the. The additional security to cross airports called Global Entry. So they're just. Anyway, so the other talk at BSides, that was really good. Eva Galperin and Quintin from EFF. But they came and they did this talk about the world's dumbest cyber mercenaries. And it was hilarious.
Jim Love
I was hoping you'd talk about that one I saw because we've been obviously slipping notes back and forth and this was my favorite title from all of the ones you sent me.
David Shipley
They're tracking this particular threat actor since about 2018, and they studied this from 2018 to just over 2023. And what's fascinating is they lay out all the comical mistakes that he made in building his tool set. And what was fascinating is he was using a Windows baseline, a Linux baseline for his command and control infrastructure. And so a lot of stuff was just done very quickly, not properly locked down, poor operational security. And they were able to just start pulling on all of these fascinating threads to understand who this threat actor was, who they were targeting. And it was just a fantastic talk. It's a fantastic talk to watch, to really understand how much work goes to painting this picture. A shout out to Maltego, which is a German manufacturer of software for creating complex graphs and mapping and understanding cybersecurity stories, because they had one of the coolest Maltego graphs I have ever seen of this particular character. What was amidst all the laughs, and trust me, there were a few laughs because it was well delivered talk was just this piercing moment that for as comical and silly as some of the mistakes that were made, this threat actor was still highly effective. And to me it was just like, wow, this is just the example of how the environment is still so toxic that someone that's not that high on the food chain can be so effective. Notwithstanding high levels of what we perceive to be incompetence. It didn't matter.
Jim Love
Are there any good story, any of the best humorous pieces that you remember from that?
David Shipley
I think the biggest laughs I got was just the very specific misconfigurations. Like even simple stuff like it wasn't set up so his command and control servers weren't set up so that if you didn't have an index.html you could do full directory listings. This is the bare bones basics. And I was just like, oh my God, this is hilarious. But it was also nice to see that securing your stuff, even for criminals is hard. It's, hey, welcome to our pain, man.
Jim Love
Good to know. Yeah. But this also promotes this idea. Know me, I'm much more optimistic about AI than you are. Tool sets we are giving to people. It was bad enough two years ago when people could have these little franchises and any idiot could become a hacker and often did. They're not script kiddies anymore. These were sophisticated tools that people could run. Now we're giving them the keys to the Manhattan Project of intelligence and saying go to town. Thank God they're sloppy. And there is a trend covered it on the program where. And I hope that the FBI and I hope that Canada in the RCMP is going to wake up and start to go after some of these guys because the more you trot them out, the better. Like the more you trot some guy out who could. I don't care if they're 24 years old or 68, working in their basement, whatever, whoever they are, trot them out and let them see what happens when they play with these toys. Because that would be a good thing.
David Shipley
But having worked with the policing community now and got a chance to learn from them, they're doing some of those things now. So the takedown of LabHost, so that was a phishing as a service based provider. The consumers of that product were getting door knocks over the last couple of months. And whether or not they were getting prosecuted or they just got the we know who you are and knock it off speech, which was a follow on act for when the Genesis Marketplace was taken down here in Canada, you had Quebec, you had RCMP, even though they weren't necessarily going to be able to prosecute these criminals. Because dear listeners in Canada we have underfunded our justice system and we can't even get people through with serious crimes through the justice system. We can't get around to getting these folks through the system. But at least they know we know who you are.
Jim Love
So you've, you've got, you had this the world's worst hacker show or. And what else jumped out to you?
David Shipley
So one of the cool things. So I decided to give Jim's love for AI a chance. So I went and I with the AI village folks because I would have been the village idiot in that crowd. That's okay. These are some of Silicon Valley's like whiz kids showing off what the latest and greatest. So they put together this demonstration and unfortunately the laptop they were trying to get it to work on just fell apart and died when they were about to do it. So we're sitting in this theater and they're scrambling and they get this six year old laptop. And what they were trying to do was going to be very ambitious. Their whole concept was to do live deepfake karaoke. And that's what got my attention. Now what really was impressive was right there in front of us as we were having this very interesting and deep conversation about deepfakes, et cetera, they were trying to get this thing up and running on six year old hardware and it was interesting to watch. And if you can get drivers to work in Linux, which I mean no small feat sometimes that's the level of difficulty it is to build a deepfake machine these days. It's not that hard. And everything they were showing was open source packages, some cool research from Japan, a few other things, and this is all available on GitHub and other things to build this little deepfake factory. And they almost got it fully working again on really old hardware. We didn't want to out them because they were trying to show us the concept, but they took a very unpopular celebrity right now and had their face involved in some of these deepfake karaoke scenes, which was very funny. I thought that was fantastic. But what's interesting was also to learn the depth of some of the counter deepfake technology and the limitations of those deepfake technologies. So what I mean by that is we had a very interesting conversation that you can measure someone's heartbeat.
We can't see it with the human eye but a sensor can actually measure your heartbeat in a video through your skin tone. Which is absolutely fascinating. That's really interesting to see some of these technologies. And then they were talking about how there are counter deepfake technologies emerging. So the arms race is fully on on deepfake video detection. Which I thought was interesting. But the last thing I'll say is this. One of the things that was very interesting was all the latency issues. And one of the cool things about seeing them try and work this on a six year old piece of hardware was watching the latency issues almost get resolved. But we had this deep conversation about the audio because they were talking about cloning someone's voice with deepfake. They were talking about cloning the face with deepfake stuff. And what was interesting was the point the researchers made is that. And we're actually experiencing this right now. Jimmy can't see this is the video quality on many video calls suffers. And so people are willing to forgive and they're just used to forgiving stuff that could happen in a deepfake model that's trying to do this in live. And they'll just assume it's just the video connection, it's just the Wi-Fi. And I hadn't really given that enough consideration in all this.
Jim Love
Yeah. And it's. But don't forget people were fooled by in the olden days two years ago, three years ago by just garbled voices on the phone. These fakes. I don't know what you saw. I'm just intrigued by the fact that they could do this on six year old hardware. The video cards would be the biggest issue for me on those. Right now I'm working on an AI project with some people who are going to do a reveal of something. It'll come up with to manifesto about AI and project in there. And we wanted to have somebody read it. And one of the guys because we're all into AI said I'll just dial somebody up to do that. And even we freaked out went no. But he came back with two deep fakes narrating this thing in less than 10 minutes. It was. And they were hard to spot.
David Shipley
It was very interesting. One of the other talks at BSides that I loved was a local professor came in and he did AI 101. All the different kinds of AI and the solutions they provide. He had this fantastic example. We get into RSA, we'll talk about this. But generative AI, large language based AI is only one part, one system of AI. I forget there's lots of other different ways of doing it. He was talking about collision avoidance systems in air traffic control. These are simplistic models, not generative AI, thank God, because you don't want these things hallucinating that have a clear benefit over a human. Normally I am team human over AI at that point, but because people in these situations can have these different error sets and you can have two planes make the same move and then make the situation even worse when they're under a kilometer away from each other. He was explaining this very simplistic logical machine model that didn't need to be generative AI and thought that was really powerful. And he had some really great points on it. There was a lot about AI and a lot to learn from it. The good news is a lot of the sessions were recorded. If you go to BSides San Francisco's YouTube channel in the next couple of weeks or months, there's some fantastic content that's coming down the pipe and you'll get a chance to see these talks and maybe you'll agree with me or disagree, but there were way more content and talks than I could possibly get to. So just mark that on your calendar. If you want to have some really good conversations or the conversation really good learning, check it out.
Jim Love
And yeah, we'll have to check out to see where the local BSides are. You've got some in the East Coast. I haven't been as aware of them out in the Ontario area, but maybe I've just missed them.
David Shipley
A really good one is BSides Ottawa. And actually last year, the most recent one, they started to work on creating a policy village. And what I mean by that is teaching the hacker and security community. Okay, if you're concerned about the state of laws, legislation, regulation, the education level of our lawmakers, how do we change this? I thought that was phenomenal. I had some brief conversations with some of the organizers ahead of it. I had some scheduling conflicts so I couldn't participate more actively. But I thought it was awesome. Right? Like, there's a small group of security professionals and hackers in Canada that are starting to replicate the Hackers on the Hill, which was that moment almost 20 years ago where Mudge and a few others just marched into Capitol Hill to go tell the man what was coming their way. So that's phenomenal. But yeah, they're phenomenal ones. I've been. I've had the pleasure to go to BSides in Vancouver. Ended up doing it virtually because of the pandemic once as well. So I, I think we could do a lot more to cover these. So if you're listening and you organize a BSides, we would love to know about it.
Jim Love
Yes sir. And yeah, because if I missed it in Ottawa I'm. I. People don't. People who watch the show don't know. I don't live in Toronto or Ottawa. I'm probably equidistant to both of them. No, this would be great. Let's talk about RSAC. Just as a contrast. This is, I presume this is you. This is. RSAC is a little more commercial than BSides.
David Shipley
Listen, what I'm about to say is I will fully acknowledge I own a cybersecurity company. I am a vendor. Right get this. But even I like it is something else to go see this. Now for those not familiar, what's the scale of this conference? Between 42 and 48,000 people descend on San Francisco for this conference. In the area there's this campus of massive conference centers called the Moscone Center. But there's Moscone North, Moscone South. In there is typically this absolutely massive collection of vendors. There are almost 400 vendors on the floor. And some of these booths are multimillion dollar investments. And it's not even just the booths to paint a picture around this multi building campus in the heart of San Francisco. Various vendors rent out entire bars, restaurants for the week. And they have one that's for the mid tier folks and then they have the other ones for the executives that actually write the multimillion dollar checks that are even higher end than that. Some of them like CrowdStrike had multiple locations at this thing. Proud to say Canada's 1Password. I think we can still lay claim to them. They had a pretty wicked setup on one of the nearby blocks as well. So this is massive. And the trade show floor is incredibly loud. I easily got about five to six kilometers worth of walking per day cruising through the vendor floor. Now obviously I'm there to learn. I'm there to figure out what is going on here. And there are two things that I saw way too much of at that conference. Patagonia vests and agentic AI on every vendor's thing. So you know that I've got my fill of those for a while.
Jim Love
I always hate to toss in a term. Agentic AI is the new independently operating AI. In other words, it can take a task and execute it from start to finish without human intervention or at least a large part of that. This is the thing that is going to fill our hearts and minds for the next 12 months. From the commercial side of AI, there's a lot of other great stuff happening which if you follow my AI program you can, we could talk about, but this is going to be on everything. So get your BS meters going on this stuff because you're going to get hit with it on every sales pitch out there for the next 12 months.
David Shipley
Your Python script is not agentic AI.
Jim Love
It's just that we're only a marketing brochure away from it though.
David Shipley
Oh my God, everybody and their dog. And here's the funny part, I'm so agentic AI in particular is built on many cases, large language models and generative AI again. And they have the same hallucination problems. And in fact there's some really interesting research that says right now they only actually do the thing you want 20 to 40% of the time. It gets really interesting. And then what I find fascinating is the possible collision of agentic AIs, because let's assume that multiple pieces of software running on the same device or endpoint and are they running locally, are they running in the cloud, are they running hybrid between those things? What happens when they compete with each other in unintentional ways? And all of a sudden you're like that very overworked manager with a bunch of interns. High school level interns require constant attention. Is this the productivity boost we think it is.
Jim Love
And this is where it's so important to use these tools, to understand these tools and use them correctly. Because you're going to say hallucinations and I'm going to step in and say these models are probabilistic. Hallucinations are not a bug, they are a feature. They're probabilistic models. They will not even answer the same question exactly the same way twice. And the larger you restrict them to exactness, the more they just become search engines, find the text and repeat it. And so that there's a constant game there. You don't take a sledgehammer to go installing Windows and you don't take a probabilistic engine to do exact things. This is why I'm such a big critic. The marketing piece of this is because there's lots of good things you can do with AI you should do. Who wants to read logs? Nobody. You can now read logs. If you get. No, but if you get. If you could read logs where you could never hire enough people, never do it. And yet if it misses 2%, that's 2%. You weren't going to get that 2% anyway. But putting it in there to land your plane, probably a really dumb idea. You probably want an algorithm. Yeah.
David Shipley
So speaking of transportation and AI, inevitably one of my friends convinced me that we had to try out Waymo. And for those not familiar, this is the Alphabet company that in certain cities in the United States, think Phoenix, Arizona, Los Angeles, San Francisco, have fully self driving cars, robo taxis on the road. Eat that, Elon. I take a great deal of pleasure in being able to say that.
Jim Love
But anyway, we're going to get letters on you again.
David Shipley
Listen, like a lot of people were waiting for the Tesla robo taxi that was yet to emerge. But here's the thing. So I get in this thing and first of all, like props to Waymo. This is not like a budget car you get into. This is a Jaguar. She's nicely. They know their crowd, right? San Francisco, like California. This is a nice car. And you get in, it's very comfortable. But I swear to God, it is the freakiest thing. And I feel like this moment where I'm a horse and buggy driver, seeing the horseless car go by, driven by somebody, that was the moment of realization. And so everyone in the car gets their phone out and we're videotaping and we go through Chinatown and we're going on a little bit of a rip with this thing. And Jim, I hate it, pains me to admit it, but that car was safer driving than some of the Ubers I was in this week. It was patient. It didn't, it didn't feel like it had to rush. There was a, there was one particular sticky traffic situation, right. And I was like, oh my God, how is this thing just going to have a breakdown? Are we about to get into a bricked Waymo that's just going to give up? Nope. It waited for the right moments and it was safe to do it. It executed the maneuver around a vehicle that was in the intersection, that shouldn't have been in the intersection, driven by a human. Fascinating. So it was interesting to see that particular use case of technology. It was stunning. It was sitting into the future. And the reason why I support this idea of this high tech mobility solution is when I think about, when I get older, the possibility in 30 years that this is going to be more normalized and that a senior may not need to have a driver's license anymore, but they can still own a car. Or even better yet, they can partially lease part of a car in a very affordable way and they can still have independence.
Jim Love
Having had to remove my mother's driver's license. Probably being the oldest son, probably went down there about a year too late in terms of her driving. Went to visit her and convinced her that she couldn't drive the car anymore. I'm much more comfortable with a Waymo than I am with some of the people on the road, never mind my mother Drive on the 401 in Toronto. You'll know that you'd rather have AI driving cars, but this is a good example of statistically dealing with probabilities. Statistically you're safer in a Waymo than you are in a car driven by a human. Just nothing wrong with that if you want to sidetrack on driverless car driving. Waymo took the expense and time to develop both a radar or what they call lidar approach and a camera. And Musk has rushed his self driving to production or is a genius and has not and whatever that will be adjudicated by the accident rate in self threat. But he has only used cameras. And so the cameras because people are can only see. So why not? Why should you have this lidar? The you should have it because it makes it twice as safe.
David Shipley
And there is a YouTube video you can look up and it uses the Road Runner analogy and it shows a Tesla going 40 miles an hour through a painting on a desert highway. That's the limitation of that.
Jim Love
But anyway, and that on the show it was actually a brilliant demonstration of why you need a belt and suspenders with AI and bringing this back to security or cybersecurity. This is the type of logic we and people who listen to this go why are these guys just going on and on about AI? We need to become educated in this. This because it's going to matter in terms of our ability to evaluate these tools and understand these how they work and understand which ones are just hype and where they're useful.
David Shipley
On that note, there were some really great discussions I got to have this week about the security implications of AI. Let's go right back to NIST, right? Identity and access management. We suck at that for human beings. Still, notwithstanding all of these things, we're even worse with non-human identities already existing. Just think API keys. Think about all these things and if you have a combinatorial explosion in identities, we are in a lot of trouble on that foundational piece. Now what was really interesting is a very smart senior executive I was talking to, we had dinner and he said okay, so let's game this out. You've got a or multiple agentic AIs working on your behalf and an incident happens, how am I going to be able to know from the security perspective? Did David click on the phish or did his agentic AI click on the phish? What are we going to do about attribution and understanding things? The complexity of this is really fascinating. So that was one very interesting angle on this issue around agentic AI that I thought and AI in general is the synthetic identity management. And I really enjoyed that. The other part that was interesting was in some of the discussions there was a lot of hype thinking that people felt the self aware criminal AI was imminent based on all the vendor language on the expo down the and then they pulled it back and they said this is how criminals are using it in the attack chain in smart ways. You still need a criminal. It's just the scalability that criminal's able to do. Gen usually highlighted in one keynote, the ability to do malware and vulnerability, discovery and development. Just speeding that cycle up in interesting ways. Because Rob Joyce, who's the former head of the NSA and a few other things had pointed out that the AI bubble and the hype around it.
But he was originally a skeptic but came to see, okay, now this is becoming part of the tooling that's used and to the credit of the software industry and security industry, finding zero days is a lot harder. And there's no single 1o day to completely own something. You've got to chain an O day or at least numerous end days together to get something. It's not as easy as it was a decade ago and thank God. But on the other side of productivity boost on the criminal side means the ability to build really clever chains is now going to surge again. This is the ebb and flow of our industry. So those are some really interesting conversations. And again some of the academic track that was happening was kind of taking a calm breathing breath of okay, the vendors are down hyping the ever living hell out of the threat of this, but here's where it's actually at. You can't dismiss it to your point, we're spending a lot of time talking about this because it's not going away. It's not a flash in the pan. This is one of those big technological epoch shifts. Who knows how it's all going to play out. It's not the immediate threat, but what I loved about some of the programming messages that were there, whether it was keynotes or not, was still the basics guys. It's still the basics.
Jim Love
Yeah. The thing I was just... as we were going into this call, I was doing some things and I was looking at the number of... we did the World Password Day show. I always forget what day it is until I've already recorded the show and say to hell with it. But I actually got tuned into World Password Day this year. Looking for a password story wasn't hard. 1.7 billion passwords on the darknet dumped out there. That was a really easy thing. And I started to think we need to get past passwords in a world of AI, that I get. But until that time a 12-digit password that's not reused is a really powerful thing to have. Two-factor authentication, a lot of these things. And we mystify AI. To anybody who's listening to the audience out there, self-awareness is irrelevant. The power that we have now in the computational abilities of AI to affect us in industry is already there. There's just no question about that. Self-awareness is an interesting psychological and philosophical thing and maybe an impact on human society and all that sort of stuff. But don't think you escape because we're not at an artificial general intelligence. The tools are incredibly powerful. But when you look at that, evaluate all of those tools and bump them up against just good old-fashioned doing the right thing, and you will find that even an AI can at least be slowed enormously. There are some places, I think, and I wanted to ask you about this, where I think people are talking about this AI in coding. By the way, anybody who thinks you're going to stop AI from being used in coding, that horse left the barn as well. Just an announcement here. Google's doing 30% of their code with it. Microsoft's doing 30% of their code with it. But there's some real problems in rushing that out as well. And I didn't know if anybody was talking about that. 
One of the things is AI code tends to make stuff up occasionally. Not... and hallucinations aren't as big a thing as everybody says they are, but they're there and statistically they will appear. It'll make up a library where there is no library. And if you're smart enough to scan that code using AI, find that library is there and go wait a minute, I could plug something into that. Oh, so there's all kinds of flaws in the security. I'm more worried about the security of AI-generated code than I am about the accuracy of AI-generated code.
David Shipley
Yeah, we saw this when we were reporting earlier in April about that trend of going and sniffing for that, what they called slopsquatting, and then registering an actual repo and library with that and then poisoning a code base. The other part that's interesting is something you mentioned earlier about the probabilistic nature of the engines: you're never going to get it to write the same code exactly the same way. And one of the things that I think deeply about is, and this is the liberal art to me and maybe I'm completely wrong, I'm going to have a moment of vulnerability on this, but I think that you really need to understand the structure and grammar and purpose of language, whether it's a human language or a programming language. Because languages evolve, code evolves. The way that we talk about things evolves. And if you don't understand how that code actually was designed to work and how to improve it, if 30% of the code was generated by a machine and you have no idea what the logic and structure and argumentation it was trying to make to achieve that, if it was just bashed together, notwithstanding the fact that this code may become ever more inefficient. It works. Lots of code works, man. But it's not great code, either from a security vulnerability perspective or it's wasteful. And the best programmers I've ever had the privilege of hanging out with, and again keeping in mind the limitations of my languages are web-based or a little bit of Python, but the best code developers are equal parts translator, sure, taking the idea and turning it into a computational language, but the really good ones are artists, and I actually mean that. It's the cleverness of how they put it together. I have the privilege of working with my CTO, who is one of those off-the-charts guys. If he's listening to the podcast, he probably doesn't listen, he's so busy, but he's ten, a hundred times smarter than I am at doing this. 
But no generative AI has that creative artistic nature that he has and the ability to go and do that. I do think that there's challenges, but I know we're running low. But there's a couple other things I want to talk about RSAC, because of this Krebs thing. So for those listening, Chris Krebs is the inaugural director of the Critical Infrastructure Security Agency, or CISA, in the United States. In November 2020, after the US election, he came out and said there's no signs that this election was interfered with from the perspective of the actual voting process, et cetera. Fairly innocuous statement. Not politically loaded, just a statement of fact. He told the truth. That got him fired. And that really should have been the end of the story in some respects. But, of course, in the last couple of months, we've now seen this revenge streak from the Trump administration, where his security clearances were yanked. Clearances of his current, previous employer, SentinelOne, were under threat. This created an untenable situation for SentinelOne and for Krebs. So he had to leave his job and is now fighting multiple investigations. So that's the context of what's going on with Chris Krebs. And he came on stage. He is an incredibly brilliant and eloquent speaker, clearly knows his stuff. Again, one of those, like, really smart folks you just bump into, and you're just like, wow, like Jen Easterly, like Rob Joyce. And, yes, I am clearly a fan of all these, like, cyber superstars. Who knew that we would have that? But he got up there and he did this great panel where they had the guy from the New York Times that was the executive producer of the Netflix series Zero Days, and they were talking about how and why, the Hollywood effect and what they were trying to accomplish and whether it accomplished what it did. And it's a really great talk. 
But towards the end of the talk, the elephant in the room came out, and Krebs had said, listen, the organizers of this conference, they asked me to do this way before this whole thing blew up. I was originally really reluctant, but they really wanted me to come, so I did. I'm a man of my word. He showed up and he did it. He didn't make it political. If it was on me, there I'd be. I would be an emotional wreck.
Jim Love
Right.
David Shipley
There's a lot of heat, unwarranted heat, on there, but composed, classy on that side. I was thrilled that the community gave him such a warm reception. I would love to see more from the community, because his point at the end of his speech was, what's happening to him isn't just about him. It's about trust. And that's a fundamental part of the cybersecurity community.
Jim Love
And I worry about this because, like I said, we get complaints when we get political. I get that. And I am personally political. I have my own personal beliefs. And they might surprise you, as I've said, because you've had to rein me in. I could be a law-and-order guy with the best of them at times, and people have had to soften those edges of me. The issue here in corporate life is we've all been that person in the room who had to speak truth to power and tell them there is a problem here. And if you've had a career as long as mine, you've heard these words: Jim, we want you to be honest, but sometimes you can be a little too honest. And that serves no one. And we all know leadership comes from the top. So if the best people in our industry can be smacked down and told that if you say the truth, we'll stomp you out, we'll take your career and all the people you work with, that should be setting warning lights off for everybody. Now, if you're a citizen, whether you're a citizen in the US or Canada, or we get people in Denmark and Britain, around the world, who listen to us, if you're a citizen and you have people who are working on cybersecurity in your government who don't feel that they can speak the truth, you are at risk. That's it. So it's not a political thing. This is a professional thing.
David Shipley
It is. And it's a community thing. Right. This is bigger than one man being persecuted because of a vendetta. It is about trust and integrity in our profession, in what we do. Do you want to go back to a couple other things about RSAC? One of the most fantastic panels, and obviously I have a passion for the human side of cyber. A good friend of mine, Dr. Jessica Barker, full disclosure, I've known her for almost a decade now, one of the world's top experts on the human side of cyber. She had this phenomenal security champions panel. And Tanya Janca, Canadian Tanya Janca, who's written several amazing books on AppSec, along with two other brilliant women, gave this phenomenal journey about how you create positive security cultures through champion programs. What was really interesting was at one point, I think it was Tanya that said, and she had done some work with the federal government in Canada, that by turning developers into security champions, by changing the culture of software coding from constantly reacting to vulnerabilities and incidents to proactively caring about security around things, their sick day utilization went down massively. People, and these are government employees that normally take a large amount of sick days, probably because the environment is not always ideal, and their turnover dropped. And she actually got a call from HR one day and they said, what are you doing? And she said, okay, what is this about? And they laid the numbers out, she said, and painted the picture. And they're like, we need more of this. And oftentimes I hear executives like, oh, security awareness. Oh, security culture. Oh, security champions. Let's get back to how are we going to buy more hardware, software. But here it was the clearest, cleanest return on investment argument I heard that entire conference, and it happened at that session.
Jim Love
We're going to get her on the program.
David Shipley
Oh yeah, I've seen her talk at several conferences, including Atlantic Security Conference. And again, we have such brilliant community members to learn from. And for anyone listening to this and going, how could I possibly catch up? We're all running our own races, but there is just such a phenomenal number of people to learn from. So going to these local conferences, these BSides and other ones, educating yourself, following some of these really smart, not the influencer cyber folks, but the actual folks that write books, that do stuff, that type of thing. So always be learning on that side. So one of the talks that hit the hardest for me emotionally at RSA was by Erin West, who is a former prosecutor in the US who created Operation Shamrock. And Operation Shamrock is tracking the proliferation of pig butchering scams. And she's gone to Southeast Asia. She has seen these complexes. She had pictures of them. She had stories of the horrific violence visited upon the individuals who were lured in, human trafficked, to be part of this. And it hit hard. What was really interesting was Erin was bucking the trend: there's been a movement to stop using the phrase pig butchering because people find it unsympathetic to the victims. They find it culturally insensitive in terms of the original languages that were used to create it, et cetera. And so there's been a lot of this discussion about calling it romance baiting or financial grooming. And she said, no, we need to keep this visceral, we need to talk about it. Because her point was, and I thought this was interesting, is that the idea is that they are going to fatten the target up and then they are going to take everything from snout to tail and they're going to keep taking. It's not just the way that these people see their victims. It's this extraction of everything potentially possible in this visceral way. So I thought it was interesting because it was a really powerful counterpunch to the movement. 
Now, even in my own company, we've moved away from pig butchering because it was making people so uncomfortable. But it was that moment we're sitting in the audience and going, damn, she has a point about some of this. So yes, it makes us uncomfortable. It should make us uncomfortable.
Jim Love
I really want to make sure we're clear on what this is. You've got two elements. You've got the people who are the victims, and the people who are doing this are also victims. One is vulnerable people who are taken advantage of because they're lonely or they have problems or they're somehow easily led. Usually maybe having problems with their lives. Maybe they're seniors, maybe they're whatever. But these are the people who are most easy to victimize, and they take everything. And we did that story about the couple that committed suicide. There may be a lot of suicides. There just may be a lot of people who lived miserable lives. Picture it: I'm retired now, more or less. If you took all my retirement savings, that would be just devastating. How would you come back and tell your partner that had happened to you? How would you live? You go from being retired to being impoverished. But the second part is people who are human trafficked. They are beaten, they are prisoners and, as you point out, horrendously treated. It makes me sick.
David Shipley
Yeah. And then you've got the top tier criminals who bail out of these complexes when and if finally a raid actually happens. She showed this satellite image, and I apologize, I can't remember which country it was. At the start of the pandemic it was just a couple of buildings. By the time it finally got raided it was a multi-city-block camp. Like it was like a downtown, a small Canadian city downtown. And one of the stories she told that just broke my heart is like some of them, some of them perpetrate violence on the people, but also they had cycles of victimization. So if you hit your numbers in one particular scam compound, they had a group of trafficked individuals who were then in sexual enslavement. And so the reward for one criminal was to go victimize another group. The depravity and the scale of this. And then what she was mentioning was that this movement is now spreading like a cancer outside of Southeast Asia. It's now starting to pop up in Latin America and in other jurisdictions. And when you look at the numbers, and I reported on this earlier in April or later in April when the IC3 report came out, it was 16.6 billion in reported cybercrime. Of that, 13.5 billion was cyber-enabled fraud. And of that, this pig butchering, romance fraud, financial grooming was 5 to 6 billion. This is six times larger than ransomware. As much as we have this giant conference dedicated towards stopping APTs, the cyber fraud side. And what was interesting is Jen Easterly, the most recent former director of CISA, when she was talking about that Hollywood thing in Zero Days and the whole original discussion about the cyber Pearl Harbor, cyber 9/11, she said, what worries me more is the cyber boiled frog that we're seeing in this explosion of fraud, and that we're being boiled alive and we don't realize it. And I thought that was really interesting. So that was one. It was just, yeah, unnerving. Yeah, yeah. No, Erin did a great job of putting a human face to it. 
The last thing I'll mention, in case I was worried that CrowdStrike was not going to be a thing post-Crowdpocalypse last summer. No, they're doing just fine. And two things that I learned about our community, that vendors have got us dialed right in. So actually three things. Number one, our obsession with Lego in this industry is fascinating. And everybody had a Lego giveaway, right? So that was interesting. CrowdStrike gets the award for most sought-after tchotchke. They had little action figures of the different criminal groups. Apparently every year they have a different limited edition, like a statuette action figure. To get it, you gotta go and sit for a demo and see various product lines and give little tokens, and they have gamified the people going to that conference to chase to get that tchotchke. And I just gotta... again, as a behavioral science amateur, as a psychology amateur and neuroscience amateur, I just thought, man, you guys have dialed this right in. But the third one, dear vendors, honest to God, I went looking actually to try and do some shopping. And it was the most frustrating experience of my entire life trying to get a straight answer of how much will this thing cost me? Give me a ballpark. So I know whether to have this conversation. And I saw every iteration of that dance possible. And I'm going to go back and do some deep reflection about my own company. Because now, man, walk a mile in someone else's shoes as a buyer for a bit and all of a sudden you get a great deal of empathy. But the last thing I'll leave with is this, Jim: we desperately need to build a sense for the cost of security. I've been thinking about this more as a possible research project and how to do this ethically, et cetera, but in many ways, like how we build the CPI basket of goods that's loaded with everyone's feelings of what's in the basket, out of the basket, et cetera. But we need to build a cybersecurity basket and talk about the cost. 
Okay, this is the annual cost this year to cover all possible threats. And it's going to be an astounding number. And you're going to realize that we are living in an age of, on one side, a security solution plethora, a cornucopia of solutions. And we are literally starved because we could never come close to affording them. And anybody, bonus point, anybody that says this industry is consolidating: I picked up Richard Stiennon's awesome Security Yearbook. There are 4,000 vendors still listed in there, and there were 400 of the most well-off vendors at this conference. This industry is nowhere close to consolidating.
Jim Love
We'll leave it on that, the motto of the show: just because you can't do everything doesn't mean you shouldn't do anything.
David Shipley
Clean up your Active Directory.
Jim Love
Yeah, David, the hour has evaporated. I'm sorry I couldn't make it, but I'm glad I had the chat with you because I at least get filled in on some of these things.
David Shipley
You're very welcome.
Jim Love
But over the next weeks and months, we'll be calling on some of the people that David saw and doing some interviews and talking about some of these topics. Thanks for spending your weekend with us and have a great rest of it. I'm your host, Jim Love. Thanks for listening.
Cybersecurity Today: Insights from BSides and RSAC
Release Date: May 3, 2025
Host: Jim Love
Guest: David Shipley
In the May 3, 2025 episode of Cybersecurity Today, host Jim Love engages in an in-depth conversation with David Shipley, a seasoned cybersecurity correspondent. Shipley shares his firsthand experiences from two significant cybersecurity conferences: BSides and RSAC (formerly known as RSA). The discussion delves into the latest trends, threats, and strategies in cybersecurity, with a particular focus on the evolving role of Artificial Intelligence (AI) and its implications for both defenders and adversaries.
Expanding the Cybersecurity Community
David Shipley begins by shedding light on BSides, a community-driven series of cybersecurity conferences that have been proliferating across various cities, including Fredericton, Halifax, and Regina. Unlike the more commercial and expansive RSAC, BSides offers a more grassroots approach, fostering skill development and providing a platform for emerging speakers.
"The volunteer sort of community-driven organization helps the industry really create these events in a box and for many speakers it's their first time..."
— David Shipley [04:21]
Notable Sessions and Emerging Threats
Among the myriad of sessions at BSides, two talks stood out for their quality and content. The first was by the CEO and founder of the company behind TruffleHog, who presented on the "AI Apocalypse." Shipley commends the clarity of the presentation, especially in explaining how large language models (LLMs) function within a three-dimensional word mapping space.
"He really did one of the clearest, cleanest explanations. And I've tried my best to follow some of this conversation on how large language models work..."
— David Shipley [04:21]
Shipley also references a pivotal research paper (detailed in the show notes) that uncovers vulnerabilities in AI guardrails within these models. The discussion highlights the ease with which adversaries can bypass these safeguards to create sophisticated malware, emphasizing that the "AI apocalypse" is a looming threat.
Scale and Commercialism
Contrasting with BSides, RSAC proves to be a massive commercial enterprise, attracting between 42,000 to 48,000 attendees. The conference's scale is evident in the extensive vendor presence, with nearly 400 exhibitors showcasing cutting-edge cybersecurity solutions.
"Between 42 and 48,000 people descend on San Francisco for this conference... the trade show floor is incredibly loud."
— David Shipley [22:57]
Prevalence of AI Buzzwords
A pervasive theme at RSAC is the ubiquitous mention of "Agentic AI" and "Patagonia vessel," terms that appear in nearly every vendor presentation. Shipley criticizes this trend, noting that many vendors are overselling AI capabilities that may not yet be fully realized.
"Agentic AI is the new independently operating AI... your Python script is not agentic AI."
— Jim Love [25:07]
"Everybody and their dog... Agentic AI in particular is built on many cases, large language models and generative AI again. They have the same hallucination problems."
— David Shipley [25:51]
Navigating the Vendor Landscape
Shipley shares his frustration with the vendor experience at RSAC, particularly the challenge of obtaining clear pricing information. This highlights a broader issue within the cybersecurity industry: the overwhelming number of solutions versus the finite budget available to organizations.
"The most frustrating experience of my entire life trying to get a straight answer of how much will this thing cost me?"
— David Shipley [25:55]
AI as a Threat Enhancer
AI's integration into cybersecurity tools is a double-edged sword. While it offers enhanced capabilities for defenders, adversaries can also leverage AI to amplify their attacks. Shipley discusses how AI can streamline the creation of malware and vulnerability exploitation, citing that the scalability and sophistication of attacks are increasing.
"AI in general is the synthetic identity management... criminals are able to build really clever chains."
— David Shipley [35:39]
AI in Defensive Measures
On the defensive side, AI is being employed to develop countermeasures against deepfakes and other advanced threats. Shipley recounts a BSides demonstration where AI was used for live deepfake karaoke, illustrating both the creativity and the technical challenges involved.
"There are counter deepfake technologies emerging. So the arms race is fully on on deepfake video detection."
— David Shipley [18:55]
Security Implications of AI-Generated Code
The discussion also touches upon the security vulnerabilities inherent in AI-generated code. Shipley emphasizes the risks associated with AI's probabilistic nature, such as the inadvertent creation of insecure libraries or inefficient code structures.
"I'm more worried about the security of AI-generated code than I am about the accuracy of AI-generated code."
— Jim Love [38:26]
Security Culture and Champions
A standout panel at RSAC featured Dr. Jessica Barker and Tanya Janca, who discussed the importance of fostering a positive security culture through security champions. By empowering developers to take proactive roles in security, organizations can reduce incident response times and improve overall security posture.
"By changing the culture of software coding from constantly reacting to vulnerabilities and incidents to proactively caring about security..."
— David Shipley [46:09]
Chris Krebs and Community Trust
Shipley also highlights a poignant session involving Chris Krebs, former director of CISA, who addressed issues of trust and integrity within the cybersecurity community. Krebs shared his experiences dealing with political vendettas and underscored the critical need for truth and transparency in maintaining public trust.
"What's happening to him isn't just about him. It's about trust. And that's a fundamental part of the cybersecurity community."
— David Shipley [42:46]
Pig Butchering Scams
One of the most distressing topics covered is Operation Shamrock, spearheaded by Erin West, which targets "pig butchering" scams—elaborate financial fraud schemes that exploit vulnerable individuals. Shipley recounts the harrowing details of these operations, including human trafficking and extreme violence against victims.
"These complexes... have a group of trafficked individuals who were then in sexual enslavement... the depravity and the scale of this..."
— David Shipley [49:47]
Rising Financial Fraud
Recent reports indicate that cyber-enabled fraud accounts for a staggering $16.6 billion, with pig butchering scams alone responsible for $5 to $6 billion. This surpasses the financial impact of ransomware, highlighting a shift in the modus operandi of cybercriminals.
"Of that, this pig butchering, romance fraud, financial grooming was 5 to 6 billion. This is six times larger than ransomware."
— David Shipley [49:47]
Gradual Erosion of Security
Jen Easterly, former director of CISA, warns of a "cyber boiled frog" scenario, where the steady rise of fraud and cyber threats goes unnoticed until it becomes overwhelming. This metaphor underscores the insidious and escalating nature of cybercrime in the digital age.
"What worries me more is the cyber boiled frog that we're seeing in this explosion of fraud and that we're being boiled alive and we don't realize it."
— David Shipley [49:47]
Consolidation and Market Saturation
Despite over 4,000 vendors listed in the latest security yearbook, the industry shows little sign of consolidation. The proliferation of solutions contributes to market saturation, making it challenging for organizations to navigate and invest effectively in cybersecurity measures.
"There are 4,000 vendors still listed in there and there were 400 of the most well-off vendors at this conference. This industry is nowhere close to consolidating."
— David Shipley [54:27]
Cost of Security
Shipley emphasizes the urgent need to quantify the cost of security, proposing the development of a "cybersecurity basket" analogous to the consumer price index. Understanding the financial implications is crucial for organizations to allocate resources effectively and prioritize security measures.
"We desperately need to build a sense for the cost of security... it's going to be an astounding number."
— David Shipley [54:42]
Jim Love and David Shipley's comprehensive discussion offers a window into the current state and future trajectory of cybersecurity. From the grassroots efforts of BSides to the sprawling vendor landscapes of RSAC, the conversation underscores the multifaceted challenges faced by the industry. The pervasive influence of AI, the rise of sophisticated cybercrimes, and the critical importance of fostering a robust security culture are central themes that resonate throughout the episode. As organizations navigate these complexities, the insights shared provide valuable guidance on securing their firms in an increasingly perilous digital landscape.
"Just because you can't do everything doesn't mean you shouldn't do anything. Clean up your Active Directory."
— Jim Love [54:40]
Stay tuned for upcoming episodes where Jim and David will delve deeper into these topics, featuring interviews with experts and further analysis of emerging cybersecurity trends.