
A
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. And you can find them at meter.com CST. Welcome to Cybersecurity Today, the Month in Review show. Forget Groundhog Day, it's turning into Groundhog Month. It seems like no time at all. And then we're at it again. A lot of the issues we talked about last month are still here, and some have come back with a bit of a vengeance, although there are some new things that have exploded onto the scene. But one thing I want to take a moment for is to thank our audience. Every Monday, David asks that you share the show or give us a review on one of the podcast programs. And somebody's doing something, you must be doing it, and it's working. We've been in the top 1% of podcasts for some time, thanks to you, but I went through the stats this week and we were officially the number six technology podcast in Canada, number eight in the US and number 10 in the UK. So thanks to you all. But why stop there? To paraphrase that famous Canadian philosopher, Randy Bachman, looking out for number one. So if you can introduce someone else to the show or leave a review or a like, it all counts, especially you guys in the UK. We've got to move you up. And it's not a big deal of the numbers, but I will tell you, it makes it easier for me to get top guests for you. And speaking of top guests, let me welcome our panel. We have our regulars, David Shipley, the CEO of Beauceron Security. Welcome, David.
B
Thanks for having me.
A
And we have Laura Payne, CEO of Whitetuque. Welcome, Laura.
C
Thanks, Jim. I'm excited to officially have made regular status.
A
Ooh, yeah, yeah. You're with the cool kids. Yeah. And Mike Puglia. And Mike is the general manager of security at Kaseya, and he leads the company's security research unit. Is that got that right, Mike?
D
That is correct. Thank you very much for having me.
A
Welcome to our merry group. Those of you who know this show know how we conduct. The Month of review is basically everybody brings a story or looks at a story from the past month, and we try and do a bit of an outline on it and give a little of a. To get the context of it. And it's one of those rare times when it's not just the news blasting at you, but you can actually talk about some of the things that underpin the story, and I think that's important. I'm going to start us out because I. And I'm taking the easy shot here again. Another great philosopher, Meatloaf, said, two out of three ain't bad. But I'm not sure that Microsoft even got one out of three last month. And I think they made three official attempts at patch Tuesday, and including one major one where the only remedy was, can you roll back our patch? And before we get the pitchforks out and go burn the castle, I want to cut the vendors some slack. Software is more complex than ever before, and the speed at which these companies have to move is incredible. I remember when I was doing development, we were developing for one technical environment and we made mistakes. Now you're developing for thousands, but we still have this problem. And the problem gets pushed. Not from Microsoft. They have a problem with their reputation, all that. But the real problem is the IT operations head who now has a question of do we upgrade fast and protect ourselves and potentially I get a huge operational interruption that I take the blame for, or do we take the risk knowing that there's not just a weakness? And if that was it was just a weakness that was out there and nobody knew about it, maybe you could slide for a week and see how everybody else does. But the minute somebody publishes a patch, they're putting out a sign to every hacker in the world, hey, there's a weakness here. Check for somebody who has it patched. So it's an impossible dilemma. And I don't know whether Microsoft really gets that. I really don't. 
Because having all the money in the world and spending it on all kinds of things, the one thing they can't seem to get straight over the past year, and I'm not trying to be unreasonably critical, is getting that patch out there that actually works or a way of doing it that does less harm. That's my intro to this. What do you think?
B
I'll take a stab and then hopefully it'll open up the doorway in this. So a couple of different things about this. If even Microsoft, with its world of resources, is struggling at the speed that this is operating, it's a sign of the strain. Jim, you talk about complex, but I'll also add the layer of there are so many 0-days they're now trying to close at the speed that they're being generated that we are now caught in an impossible loop. And I think we're heading to a really big moment about quality in software. Jim and I have been talking over the last month, I've been retooling our software development life cycle. Laura, I did not realize how much of a policy and process nerd I am, but big time. And it's been interesting because we're moving away from the Agile Manifesto. The Agile Manifesto says ship software quickly as the number one goal. And we are actually going back to the Toyota way. And quality is the number one goal. And that efficiency will be an outcome of that goal. There are still things that we're going to keep in terms of elements of agility in that process. But this is what Jen Easterly and CISA were trying to signal in the previous administration about changing how we build software. And that the old way is now truly unsustainable. It was dangerous before and it caused consequences. But in the age of AI, and even if the AI skeptic guy is telling you we have to change the way we build software, this is now the reality we're living in. It's probably time to change the way that we build software. And that's the languages, that's the processes, that's the motivators, and it's, we need to have an obsession with quality. And this is my last point about this. If we're going to call software teams engineers, which, by the way, drives engineers nuts. Like nuts. Because you didn't go to engineering school unless you actually did software engineering to an engineering school, they really don't like it. Letters may be pursued. 
Sometimes organizations have received those, but we do need engineers. But engineers come with responsibility for the quality of the goods that they produce. This is our moment to change that. And I think we're going to have a big conversation this year about software quality. And the good news is this. I don't think we need government to tell us this. I think the movement is starting where quality is demanded because it's the only sane path forward.
D
Yeah, I think that's a great point. It is one of the fundamental differences you have between software and physical goods, right?
B
Cars.
D
Cars get recalls, but it's devastating to the manufacturers. And if you think of the amount of stuff in a car, very simple, but very complex. It doesn't happen all that often in software. We can fix it. Right. That's one of the problems in general is not that people are necessarily trying to ship poor quality with bugs, but you may take a different approach. If, you know, you can't touch it, maybe, you know, hey, we can optimize this later on. And that optimization never gets around to happening because you're onto the next thing and so I would agree with the ability certain software that touches everything. Microsoft, Apple, Google, slowing down to doing things better would be a good step. At the same point from a security perspective what worries me is one, the vulnerabilities that aren't out there for patching.
B
Right.
D
Because the only real way when the bad guys have it, it could they're not going to tell anybody until somebody discovers it after the fact doing forensics and second, looking at to your point Jim, about do you wait to patch or don't you patch? In a regular environment that we do a pen test or vulnerability scans a majority of the systems are not even close to up to date. So consistency I would say is better than rushing out the latest patch unless the little caveat it is on the widely exploited list that they're out there automating. So it's a double edged sword. But I would say consistency overcomes the fast patching by far. I'd say in almost every engagement we do with our pen testing we see things. We just did one the other day. 20% of a business's computers are still on Windows 10. Without the extended software security updates, it's just open season.
A
That's that old Kodak ad open me.
C
First I want to take one slightly different direction with this. And we have a huge challenge right now which is even if you wanted to start over again, it would be really like you'd have to basically follow the Nintendo model, which is they put a product out and then they make a ton of money, right? They have really deep pockets and then they go, it appears dormant practically for a while, but what they're doing is they're actually working in the back end to build the next product. And they aren't beholden to any of the problems of the previous product because they're practically building new based on what they learned. And I wonder with the model Microsoft has moved to, they've had those opportunities before, right? You had your major new releases and then they would pivot into a new operating system every five to eight years. I'm just making a number up but that feels right in my head. But now with basically they're just it's going to be Windows 11 forever and ever the way they're running right now. And when is the opportunity to sit back and take a reset? Because even though it's software, there are certain fundamental design decisions that are made early in the process that are effectively irreversible once you get you built enough stuff on top of it. So where's the opportunity to Go back to the foundation and redesign and rebuild up again and we even look at somebody else could develop a new operating system. Totally separate. They could. But look at adoption of Linux for personal computer use. Right. It's not anywhere close to the adoption of the two big players.
A
So any day now.
D
Any day now.
C
So it really, it comes back to either there has to be a groundswell shift away from those players onto something new, which is really unlikely to happen or the big players have to commit to every so often going back to the target board. I think Apple still does that with their with the Mac releases but Windows has effectively committed not to doing that for the foreseeable future.
B
Yeah, and I want to jump on this and so 2026, the year of Linux on the desktop. No, I'm kidding, sorry, still searching for that. But what I will say is that Apple, Apple did this for a variety of really important business reasons. But you had to jump to Mac OS X which was we abandoned everything about how we do software and they took next and really good Unix Linux underpinnings and just said we're going this way. But it's hard. But reason it's hard is that traditionally the thought of creating amazing, complex robust software is expensive in people and time and in the future AI world that's coming into shape. I truly believe the work that even we've. Jim gets another point today on the board. The work that we've done with Claude alongside our developers is the equivalent of adding the modern machinery in the Toyota factory. And it doesn't get rid of all the humans. My humans are doing really important new and more value add activity than ever before. My team is not shrunk but their capacity to build at speed. I think we're hitting a point where you could do a Nintendo moment without necessarily disappearing for years. To Laura's point and for those who are new to the show and Mike is a guest. Laura often says among the most profound things regularly on the group and you nailed it. There are certain irreversible choices with software. We think think that software is not hardware. We traditionally associate this idea of hardware is baked in. But there's a certain tipping point in software code where you cannot go back and undo that thing. So I wonder if this is this new production methodology, if the end state of this revolution of how we build software is that we can stop and have a Nintendo moment. And that might be saner than this. This patch and patch. It's almost like I live in New Brunswick. I'll leave this last analogy anyone who's ever been to rural Canada and rural New Brunswick? 
If you've ever driven a highway that's not one of our major highways, you've had a ride. And that road sucks because it's patch, end patch, end patch, end patch, end patch, end patch. Eventually someone says tear it all up, put a new road down. Maybe we can be faster and better at tearing it up and putting a road down and stop the insanity.
A
And this may be true the last and I was just going to check my to see make sure I got the versions right and everything but I keep my Mac very much up to date and the last major upgrade is a piece of crap. More stuff has stopped working than ever before. So even for us Mac heads out there the idea that maybe it is time to draw a line and say we got to fix some of these things. I've maintained that Bill Gates is still around because they haven't fixed all the bugs in Windows 95 yet. But that's another story and quickly on.
B
That note about software. So I decided to do the full Copilot license, full Kool Aid mode on my Mac and Somehow Excel managed E16 gig, Mac 77 gigs of RAM and everything started dying. So for those listening who are familiar with the meme with the Grim Reaper and Chrome where it's have you been a bad boy eating all your ram? Copilot is now giving Chrome and this is not an award. I would have chased a run for its memory, run for its money, Freudian slip in eating every God forsaken piece of memory on my Mac. So speaking of maybe we go back to the drawing board kids and this thing was not ready for prime time because wouldn't work. Word is crashing seven times a day like I'm 2,000 and I don't have my hair back. That is so profoundly unfair.
D
Yeah, I think one of the Laura, that was an excellent point that so much of the software we use today is built on stuff that might be 10 plus years old because we're iterating on the same foundations but the ultimate thing that comes down to it is what is the market forces that require a change or drive them to be better, faster, cheaper, whatever. And are you going to go out and use Word Perfect because it's better with Copilot or something? When you've reached this point where there are no reasonable alternatives Linux on the desktop in 2026 then what is it? The beatings will continue until morale improves.
A
So that's the Linux desktop motto.
D
Yeah, it creates a condition for a company to innovate and launch and take that away, which we've seen time and time again. The question becomes, when someone owns the entire infrastructure that's built around, how long does that take?
B
Jumping off of this, but taking us in a second story direction, because this one's been the story. And it feels like every episode that we're doing, we're saying the word Fortinet a lot. And this series of continuous bugs and the scale of this latest FortiCloud SSO mess. So if you haven't been following the background, Fortinet's been having a bad time.
A
Can I jump in? David, sorry, and I'll let you finish this thing, but there's a meme that you've always circulated, and it's from Homer Simpson with the Simpsons, and they're kicking this guy's, stop it. He's already dead. I'm starting to feel like that with our stories on Fortinet. I'm sorry, and I don't mean to pick on the guys, but every. I'm almost like, I look at a Fortinet story and I go, can I do one more of these? I don't know.
B
I made the joke at the start of the year about the three names that I've seen way too much in the last couple years. And the Harry Potter meme of this is McGonagall, and he's got Harry, Hermione, and Ron. And it's like, why is it when something happens, it's one of the three of you are involved and it's usually Fortinet, Cisco, and Ivanti. Please stop. But Fortinet. So the latest, of course, they thought they had this bug patched back in December around a very high severity issue with FortiCloud SSO. And turns out that the kids found a way that it wasn't patched. I want to give full credit to Adam Boileau at Risky Business because he did a really good dive on this in the last couple of weeks where the MO that he's observed from Fortinet has been, they will fix the endpoint bug. That's the start of the vulnerability without going back and looking to see if that same decision chain, that vulnerability is present throughout the thing. And guess what, kids hack is going to go, hey, you've got a bad tendency for this kind of bug. Let's go look other ways. We could look for this kind of thinking. And surprise, they find more bugs. And I can imagine.
A
David, David, Sorry, can you back up for those of us who are slow? I missed what you. I missed what you said sorry, yeah.
B
So they're fixing the point problem, not the root bug. And what I mean by that is that or the bug class. Okay, this type of bug this time was used to get RCE. But what they should be doing is going deeper and saying, okay, if in our processes we made this decision, where else could we have introduced this kind of decision or logic flaw or bug into our code and they go back and stamp it all out. It's like putting out a forest fire and then you got all the embers out and you're like, oh, we're good. And you don't actually stamp out all the rest of the stuff. And then the fire starts again. Really bad idea. And again I'll defer to Mike and his team are probably way better at smashing and talking about smashing bugs than I am. But my thing is about culture and process. And so you can point fix something, but you have to go back. And this is where I go back to Laura's Nintendo moment. I almost feel that the quality of the code is so poor right now for. And it's not just Fortinet. SonicWall's had its smashes, but it's hey guys, you are the shield providers. If you need to go back and have a Nintendo moment, go have your Nintendo moment and stop. You can't keep treating this like you're a 50 person SaaS. That's nice to have, but not the core firewall for large enterprises. And I'll end with this point. CERT Polska, which is the National Emergency Response Team for Poland, debriefed on a major Russian attack across numerous energy assets on December 29th. And they pummeled this thing in the cold trying to cause harm to humans. So this is the worst of the worst. This is to Mike's point about cars and consequences of bad design and flaws. And they almost did. Hundreds of thousands of people almost lost power in the European winter because people were pwning Fortinet devices left, right and center. We've got to fix that. And come on, our shields can't be fatally flawed.
C
I see one of the big problems if we look at there was an earlier point around where's the business driver for this? And no tech step forward that is meaningful was driven by good business decisions. It's obvious in what we see happening in AI. But what also is happening right now is a lot of tech talent, a lot of people who would be really great at fixing these problems of building the next operating system, of writing better firewall code are distracted right now with all of this other noise that's happening in the industry, just like mainframes didn't go away like just to bring another old company into or old technology into this. Right. We still need people who are really good at mainframe. There's a lot of Internet that runs on mainframe by the way. For people who think this is a dead tech or it's only like old banks use it. There's a shocking amount of the Internet that relies on mainframes doing their job. So we need people who are still really technical to get interested in these areas because they aren't going away. AI is not replacing all that technology. It might help us build better technology in those spheres, but it is not the be all, end all replacement for everything. And I think honestly that's a big part of what's happening where you're diluting our ability to maintain or improve core functions of the infrastructure we've built. Because we have a lot of people chasing the next shiny blinky light.
D
Yeah, I'd agree with that. And I actually worry for the next group that is coming because it's the top level at Microsoft or all the companies, even small companies, their board and their investors are screaming AI, AI.
B
Right.
D
And then the next level down, what are our projects for AI? Do more AI. What do you want us more of what AI theory did? Just say it louder. And so you have people making claims.
C
I don't.
D
I used to work at Salesforce like Marc Benioff. 50% of our code is written by AI. It's not if that's the driver in our society you come in, you get an entry level job and then you move up the ladder and you become experienced. If you're coming out of school in 2026, a lot of companies aren't hiring entry level not because they probably don't need them, but because that's the mantra of what we're going to replace. So it may create a gap down the road of having those skilled people. The Fortinet stuff in 2025 we have a SOC and we monitor through MSPs who monitor tons of small to mid sized businesses. And probably May June is when we see a compromise and you trace it back. Oh, it came from this IP, it's our firewall and it was across the board and it was like whack a mole. Whether it was Fortinet, whether it was SonicWall, Cisco, et cetera. Right. Palo Alto at the high end and it just keeps moving. It's whack a mole. Right. Unfortunately for Fortinet it's been a few in a row. But sometimes I think organizations have to ask themselves what was it in Jurassic Park. You never stop to ask, should we have this functionality? Should we allow this? And there isn't a software company in the world that hasn't had issues. We are not immune to that. We had, I don't want to go back to 2021, but we had a significant issue and when we got to that situation, there is a tremendous pressure to fix that problem. David, Right at the core. Tomorrow, Yesterday. Right. The usual. And we looked at it and one of the things we did is we stayed shut off for a week. We said no. We went through every potential attack surface and we looked at things and said, you know what? We ripped whole pieces of functionality off because maybe this piece of functionality shouldn't be in a product that does this with endpoints. Our customers asked for it. We wanted to make people happy. 
And maybe we shouldn't allow people running on premise or at least put a big blocker in the thing to turn the management interface onto the Internet just because we let them and we failed them by having a vulnerability that was exploited. But sometimes it's probably a better idea to say no, because we can't assume that every organization in the world will know to say example doesn't solve everything. But I'm going to take the management interface and I'm going to tie it down to only access from this IP, which would knock out X number of percent of hits on it. Maybe it's time for companies like in the firewall market, you do have a ton of competition. So you could say we're not just a firewall that implements security. We're the best secure firewall.
A
Yeah, it's interesting. There's a story I'm going to tell. It's true. Actually not. It'll sound like fiction, but it's true. I got a job one time as director of IT with a major financial institution at the time. And I know this comes a shock, but I didn't know what I was doing. I got promoted way ahead of where I was not imposter syndrome. I was an imposter. So I read everything and I found a folder in the desk. I'm not kidding. From the guy who had the job before and it was his old plan. And I read it and I went, yeah, this is good. So I started implementing it. Within three weeks, the boss of the guy who had been fired came to me and said, if the last guy had what you had, he'd still be Here. And it was, sadly, fixing root causes. I learned a lot about from that experience. Learned a lot that was humbling. And I learned a lot that was about the fact that sometime. And I don't know how to. I don't know how to get there, but we have to find some way to get back to architecture and understanding the architecture of our software. That's what I got from my. One of my mentors, John Thorpe and others was we. As much as this, the world's screaming around you. You have to find that silent moment to actually sit there and what have we built? How. Where are the root causes of it? I don't have the answer for everybody. I just know what the solution is. And there's a.
B
Well, and a really good example and probably a great segue from, hey, just because we can do a thing, should we do a thing? Jurassic Park, another person being our culture person on the team just brings so much joy. I quote Jurassic Park at least quarterly. So. Mike, I appreciate the drop on that lure. Oh, man, another Jurassic Park reference, Doug. But this Moltbook. Molt, OpenClaw. Hot smoking. Honest to God, I needed a URL and I owned the whole database for these agents that could do really interesting and terrifying things. These are the John Hammond Award of 2026. Guys, what the hell? Maybe Jim, like, you followed me.
A
Okay, if anybody's vacationing off planet, let's give them a little bit of yeah.
B
Maybe I'll defer to you because you.
A
Were the Claude Bot. Somebody put together a way to knit together agents and they really. They started to go through the stuff on Claude that was. And Anthropic had already built a lot of this stuff, being able to have agents that could operate, solve problems on the fly, link agents together, do things like that. Somebody put all this together and he was vibe coding, as I understand it, putting. Knitting all this stuff together. And he got a call back from one of the agents using Whisper, which is an OpenAI tool. So it's not. He didn't. This guy didn't invent anything, but he put it together and he had that aha moment and. And this struck a chord with everybody. I'm just going to go and move faster to the future. He introduced it. It was called Claude Bot. The people from Anthropic were a little. And I think they were really good about it. They didn't threaten them with a lawsuit. I love these guys. They didn't threaten them with a lawsuit. They just phoned him up and said, not cool it, Claude. Or I say Claude but everybody. It's not. You can't say. So they changed it. And then he changed it to Moltbot because the whole mascot was a lobster. Nobody got that. Proof positive, I think. Did you say that no. Good tech is driven by a good business decision. No. Good marketing decisions in AI tech too. Including calling.
C
Users are not good at naming things.
A
Yeah. Including calling your software Claude when it's supposed to be the smartest thing in the world. But I digress. Anyway, so he's got this lobster thing and he does Moltbot. Then they figured that's really bad, so they call it OpenClaw. That's where we got to. It is knitting together agents. Then the hype machine took over and it is now. It is the greatest thing in the world. The agents are talking to each other and we are just. It's taking off and getting out of control. But so they put together an agent network. And this is my favorite part of this. Just because you can do something, maybe you shouldn't. They put together an agent network and they had the agents talk to each other. Again, nothing new. There are experiments earlier of having AIs talk to AIs. They evolve their own language. They talk about taking over the world and all that sort of stuff. But they put this together and then they have this agent marketplace. Now back up just a little touch. In order to make agents work, I have to do two things. I have to remember stuff and I have to give them access to everything, pretty much. So you've given access to software code you've downloaded on the Internet from a guy who's a vibe coder. And I'm not taking anything away from him, but I'm just saying maybe security wasn't the biggest thing he was thinking about. So you've downloaded that. It stores stuff. And people said, oh, it remembers and learns. No, it doesn't. It writes everything to a file, a JSON file. And for those of you who are technical out there, is it really hard to read JSON? So anyway, so you've got a file on your computer. Give it total access. Let it remember everything. Make that really exposed so anybody can find it. What could possibly go wrong? One more thing went wrong in the agent marketplace. Hackers discovered they'd be there too. Koi Security did an inspection of 2,900 of these agents. 431 of them had malicious code. 
I'm going to preach one more thing because I put it on the show and I think it's really important for us to get this message out. This will not be victimless. Some poor sod out there. And I've been warning people if you don't understand the command line like nobody else, don't touch this stuff, wait for it to settle in. It won't take long. It'd be weeks, not months. But if you don't understand the command line just and make it sing, stay away. Because you're going to have your bank account in there somewhere. You're going to have your crypto wallet in there somewhere. You're going to have something in there somewhere on that machine and it's going to get stolen and you're going to get taken. And who's going to get taken? The people who think they're experimenting. Who can least afford it. A couple of amens and the sermon's over.
B
So I want to just give mad props to CERT Belgium, which I think had the cleanest and clearest warning on this. Vulnerabilities in OpenClaw permit remote code execution and unauthorized access to locally stored data and credentials when the bot processes attacker-controlled web content. Developers, automation engineers and organizations building or operating automation workflows are particularly vulnerable to this issue. TL;DR: one bot to pwn you all. Man, this was so very foreseeable and so very hilariously bad.
D
Yeah, unfortunately it's another. It's just like I said, it's whack a mole. It's another hey what was it last month? Fake Notepad++ executables to get malware on machines. Phishing to get malware on machines. Oh this is even better. We let's use multiply and put up a fake agent and take over more so at this point running widely available, untrusted to some extent software without knowing what you're doing Jeff on any machine in an organization is a recipe for disaster. And that's why unfortunately giving you know people in organizations so many of them have local admin rights and unfortunately it's when do we come to the push comes to shove that they can't just install anything and run any command which isn't them doing it. Somebody else is doing it.
A
Yeah, that local admin rights. We can talk about that. Not something another lesson I had to learn the hard way. I've learned too many of these things the hard way sometimes but this idea and the one rosy thing that comes out of this though is we've been to the future quickly. This will burn out. By the way this is one of those buzz things. Whatever you want to call a meme or whatever, it'll settle down there'll be some disasters and it'll settle down a little. But at least we in the corporate world because are not going to be replaced tomorrow. I don't know if Everybody followed the $300 billion in one day out of the market because people think that somehow this basket of agents is going to replace SAP and Salesforce tomorrow. Newsflash, it's not. But at least we've seen the future and we know that it's agentic and that is true. That will happen. So we've at least got some time to step back and say how are we going to plan for that? How are we going to deal with that? And I know everybody's fighting in today's moment but somebody has to be thinking about the agents are coming anyway regardless of what we think or want. How are we going to deal with that? That and we've got a little bit of time. I would suggest we need to use it wisely.
C
I think my only comment is what a waste, right? We have all of these resources at our disposal. We have so much opportunity that this could be potentially used for something positive and we're wasting it on creating a fake farm of toddlers. I don't know what we're doing.
A
It's the end of that bad science fiction movie. If only that power could be harnessed for good.
D
I think it's the biggest thing in it. It's the biggest mass deployment of it. Of a technology that is not well understood under the covers and completely opaque to security. That being said, as you pointed out, Jim, it's capital happening. You cannot just stand up as the security person and say we're not going to do this. You'll be run over by the truck. So it is interesting. The size and scale of the deployment of this technology in 2026 is something we haven't ever seen before and we need to do our best because it will just understand it's not going to stop. You're not going to be a guard risk.
A
But I think we. Oh, sorry.
D
You have time to do things about it.
A
But it's the old management thing. Don't waste a good crisis. A crisis is going to come out of this. Don't waste it. And I try to post these things. Even sending out this thing from Koi Security saying 431 agents are in there. Here's what they can do. Keeping that in front of people I think is a good thing. The other one I keep telling people is we talk about agents and all of that. These agents are built on top of foundation models. So when we say they remember us, the foundation models remember us. And they are eminently hackable. And they're not a great place to store data either. And one of the things I do is I say ask, have you been using ChatGPT or Claude or Gemini for a while? Ask it what it thinks of you, figure out what it knows about you. And I think we've got to start making these things as pictures for people so that they can appreciate the risk. Business people don't appreciate a long, long technical discussion and that's fine, but I think we got to draw that picture when we can. It knows all this about you. Are you into crypto? Do you have a crypto wallet? Do you know how safe that is? Have you got an agent on your machine? I think we have to come up with those things to reach people. I hope we can.
B
And meanwhile, by the way, those questions are sponsored by North Korea, who would very much like to know if you do have a crypto wallet on your computer and but you are using please, so they can come and rob you.
A
Yeah, can I talk about a couple of more minor stories? Because they're minor but they're important. One was Magecart, which we talked about, which is really a way of scanning and picking up credit card information on a website. It was pretty simple thing. I don't. Canada Computers, nice place. I bought stuff there. This is where this becomes real for people of small and medium sized businesses who think this isn't going to affect me. Canada Computers is not that big, but it's a place, like I said, I bought a lot of stuff. There you go. You put your credit card down on a store and you trust them. So you buy something on their website and then you find out they've got Magecart on there and all of a sudden your credit card has been compromised. Are you going to go back? And this is a real moment that I asked myself, would I go back there to buy something? And so these things, when they come out and Magecart's been around for a month, we did a show, it was in our last month in review and somebody else had to find it on their system. So as much as the explosive stuff is out there, you have to pay attention to the things that are relevant to your business. If you're in Canada Computers, maybe agents aren't, maybe that's an interesting thing to talk about. Maybe they're not your biggest thing. Maybe your credit card processing is where you need to focus. So I think that's the other thing that we can we might inadvertently do sometimes is to talk about the big interesting stories when the business of security is often doing the dull well and.
B
So a couple of different things about Canada Computers, and I think this is a really good example. There's an often in euphemism in politics that it's never the scandal, it's always the cover-up. I would disassemble, I'm not saying they cover anything up. It's about how you communicate when mistakes happen is more important than the fact that mistakes happen. I don't think people in 2026 expect any organization is hack proof. I think they expect: when did you know about it, how fast did you deal with it, how soon could you communicate what you knew, when you knew it, and what did you do to learn from it are really important. And the speed of that cycle determines the extent of the trust blast radius, if I had to sum it up on that side. Skimmer is going to skim, man. Anytime you can figure out there's a start the supply chain, any of big credit card online web processing add-in providers, their threat model has got to be, that's why they're being paid, the per transaction fees they're paying paid is to make sure you don't get skimmed. Then you get into, okay, who builds the website for Canada Computers? Did they get pwned? Was it part of their supply chain? Then you get even further: where is this sucker hosted? Not hosted is interesting because we had another smaller but interesting story with eScan and its antivirus software, which is popular in some parts of India, getting one of its update servers pwned and a clever little piece of malware getting downloaded, and then finger pointing back to the hosting provider versus a supply chain compromise originating with the AV manufacturer. So all this to say, this stuff is hard. I would say signals matter. When someone takes the time to drop you a note at security, and I swear to God they're not talking about your DKIM, SPF or DMARC regular record, hey, beg bounty kids, but they're actually saying, hey man, like here, when I did this transaction I looked at this and it looked like this bad, that's a pretty good signal to roll your IR.
And by the way Laura did not prompt me for a book to say this is when you call people like Laura and others or the mics and say hey I got this email might be legit. Should I do something about it? Yes. The answer is always yes. It's.
D
It's challenging. There's for every news story is there's exponentially more that you didn't read about. And it, I liken it, it goes down to when I talk to small to mid sized businesses, this won't happen to me or nobody's going to target me. I'm like, they are literally scammers calling your grandparents on the phone, right? As soon as they get more information, they'll sell that information off, give it to them. It's a whole marketplace ecosystem of all the way down to we're going to call individuals. What I find interesting across all of these and on the defensive side, we can change software, we can get better, we can layer our defenses, but at some point, if you look at it as just pure crime, right, that's fundamentally what it is. Cybercrime is treated differently than any other type of crime in society. I'm getting tangentially out there, but it is all on the victims or defenders. There is no. The number one deterrent to crime is the fear of getting caught and then the consequences go to jail. That's Crime and Punishment 101. We don't have a lot of that in cybercrime for two reasons. One, in many cases the threat actor is in Russia, China, North Korea and when you talk to CISA, FBI, DHS, et cetera, et cetera, whatever, the Belgian security group, they know exactly who it is, usually down to the individuals in the group. But there's nothing they can do about it because there is no extradition. And number two, and this is more of a theoretical or a philosophy discussion about cryptocurrencies, how do we catch financial crime? Throughout history we've all made as society we've made tracing the money is the way people ultimately get caught. And once we have enabled the ability to have a very opaque cryptocurrency, good, bad or indifferent. Yeah, I hate banks, I love banks, whatever.
We took that tool away from people in law enforcement and as long as I can turn that into dollars, pounds, euros, real money, I don't mean disrespect, crypto, those two things together, there isn't any banding together of law enforcement that has consequences to stop that. So we'll always have vulnerabilities, we'll always have hackers. But the vast majority today originates from several countries with ways to get paid and no consequences. So I don't have an answer for that. But it seems really in the last 10 plus years that has driven what you see almost daily from small companies all the way up to Fortune 500. We're not joined in the fight, shall I say? And we become dependent now that in the United States, now that we tax cryptocurrency, you could forget about anything blocking that. We have great organizations, CISA in the US, the Belgian group, Canadian, there was 18 of them that just signed on to an advisory in September of last year that most of the major telcos were breached by state sponsored Chinese attackers. And they wrote a very good article but that was the extent of what those organ, they inform us we can take action but that's the extent of what we were able to do. A strongly worded letter. So I don't have an answer for that. That's a policy.
A
Maybe there is some hope on this though and that is. And if we got, if we could raise awareness enough, there are a number of new trading blocs that are put there. I don't want to talk about the politics of this but the fact is trade is realigning in the world and trading blocs are going together. And maybe, just maybe somebody would stand up. If politicians were educated well enough, somebody would stand up and say we need a secure market because that drives prosperity. I don't know, maybe there is some hope there somewhere.
B
I think this is the hard part where technology, geopolitics and economics mixed together to form a wicked problem. And wicked problems are really hard to simplify and find easy solutions. I was talking to a good friend of mine, Michael Joyce in our monthly sort of research chats and he's working on an interesting thing where they're going back to and I can't remember the criminology model, but it's actually, it's really sophisticated but it starts off really basic. In order to have a crime you have to have a motivated threat actor. They have to have an opportunity and you have to have the victim. And I said to Michael, I said there's never not going to be that case on the Internet. All three of these things will always exist. And then there's other layers to the model that get into the guardians, right. So when there's a guardian. Mike, your point about this, there's someone that might actually deter me, there might be consequences for this or the model layers up from there. But for as long as we allow humans to connect digitally from around the world, we are going to have these problems. And so it's just interesting on that side. But I do think, I think the market plays a role in driving better quality products. And I think we're going to hit this idea that we can patch it away dies in 2026, I think it dies because in 2025, researchers figure out how to take a CVE from published spec to POC code in 15 minutes for a$. So I think the economics finally collapsed on. We'll just ship it and fix it later. And then I think the bigger questions of who do we want to trust in terms of the trade environment are getting really interesting. France is moving away as a government from Microsoft Teams, and I think that's probably a mix of geopolitics and Microsoft Teams.
A
Please, David, don't hold back. Say what you really think. Honestly, the great. We've hit the hour, guys, and thank you very much. This has been a great discussion. I'll have a Teams meeting later with you, David. We'll talk about this, the show. Just kidding.
B
If we can connect. If we can connect, I might get your message.
A
I want to thank our panel, Mike Puglia of. He's the GM of security at Kaseya. You did good there, Mike. Yay.
D
Thank you. It's great being here.
A
Yeah. Yeah.
D
And don't I wear my little tinfoil hat and say that all the governments can't stop.
B
Stop it.
D
But I have great hopes for what we're doing.
A
Great. We hope to have you back and as long as you don't encourage David, because David Shipley, always a pleasure, sir.
B
I appreciate it. I will be back on Monday.
A
You will. And Laura Payne, the voice of sanity.
C
Thanks, Jim. If you'll indulge me, I have one last thought I want to drop on this one, which is because going from the computing that we've had into this AI era, I'm going to draw a car analogy here. How do we go from wooden drum brakes to carbon ceramic disc brakes with ABS? Because that's what we need. We've made that big of a jump in what we're doing. So hopefully there's some people out there smarter than me thinking about how do we put brakes? Because the only way you can go fast in the car is if you've got brakes that can stop you when you need to.
A
We're going to do a show on EVs. We're going to drag you into that. Laura, this is great. That's the image. No, but that's the image we want to end with, is, yeah, we've accomplished this before, though. That's the beauty of this. We've accomplished this when we set our mind to it. Great stuff. I'll be back or no. David will be back on Monday with the cybersecurity news. You can catch me. By the way, just to prove I work Monday morning with trending, I do a five day a week tech news show as well as hosting Cybersecurity Today when David's not there. So you can catch me there and we'll look forward to you next week. Have a great weekend folks. And that's our show. We'd like to thank Meter for their support in bringing you the podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware, the firmware, build the software, manage deployments and even run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses all the way to data centers. Book a demo at meter.com CST. That's M E T E R.com CST. I'm your host Jim Love. Thanks for listening.
Cybersecurity Today: Month In Review – Microsoft Patch Fails, Fortinet Issues, and AI Risks
Date: February 7, 2026
Host: Jim Love
Panelists: David Shipley (CEO, Beauceron Security), Laura Payne (CEO, Whitetuque), Mike Puglia (GM Security, Kaseya)
In this lively and reflective “Month in Review” episode, host Jim Love and returning panelists analyze the persistent—and burgeoning—issues at the intersection of software quality, major security vendor woes, and the breakneck adoption of AI-driven technologies. The conversation covers Microsoft’s recent patching failures, ongoing crises at Fortinet, risky trends in AI agents, a spate of high-profile breaches (including Canada Computers), and the broader, often frustrating, structural problems faced by the cybersecurity community. The episode is rich with metaphors, humor, and hard lessons earned from personal experience, while offering commentary on the need for a renewed focus on “quality over speed” as the industry enters a new, AI-driven era.
| Timestamp | Speaker | Quote / Moment |
|-----------|---------|----------------|
| 03:37 | Jim Love | “The minute somebody publishes a patch, they’re putting out a sign to every hacker in the world…” |
| 07:14 | David Shipley | “The old way is now truly unsustainable… this is now the reality.” |
| 11:17 | Laura Payne | “…There are certain fundamental design decisions… that are effectively irreversible…” |
| 19:42 | David Shipley | “They’re fixing the point problem, not the root bug… it’s like putting out a forest fire… and then the fire starts again.” |
| 30:38 | Jim Love | “…I have to remember stuff and I have to give them access to everything… what could possibly go wrong?” |
| 32:36 | Jim Love | “…This will not be victimless…wait for it to settle in… you’re going to get taken.” |
| 33:35 | David Shipley | “One bot to pwn you all, man—this was so very foreseeable and so very hilariously bad.” |
| 36:46 | Laura Payne | “…We’re wasting it on creating a fake farm of toddlers. I don’t know what we’re doing.” |
| 44:12 | Mike Puglia | “…We don’t have a lot of that in cybercrime for two reasons: one, the actor is often in Russia, China, North Korea. And two, cryptocurrency. We took that tool [tracing the money] away.” |
| 48:36 | David Shipley | “For as long as we allow humans to connect digitally from around the world, we are going to have these problems.” |
| 51:13 | Laura Payne | “How do we go from wooden drum brakes to carbon ceramic disc brakes with ABS? …The only way you can go fast in the car is if you’ve got brakes that can stop you when you need to.” |
The discussion is energetic, candid, and leavened with metaphors and pop culture references (Jurassic Park, Nintendo, rural Canadian roads, and even car brakes). The speakers blend hard-earned wisdom, occasional exasperation, and optimism for industry and societal change. Laura regularly delivers concise, reality-check insights while David and Mike bring a blend of big-picture thinking and sharp detail. Jim hosts with a wry sense of humor and storytelling.
“The only way you can go fast in the car is if you’ve got brakes that can stop you when you need to.” – Laura Payne [51:13]
This episode is a wake-up call—equally for practitioners and decision-makers—not just to survive the present, but to architect a safer digital future.