A
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at meter.com CST. Welcome to Cybersecurity Today. This is the Weekend edition. This is our month in review and we have our panel. We have David Shipley from Beauceron Security and David's also the host of the Monday morning program. Welcome, David. Thanks, Jim. And we have Laura Payne of White Toque fame. Laura, welcome.
B
Oh, thanks, Jim. Always great to be here.
A
Yeah. And we have two new people. Neil Bisson's not totally new. Neil is. No, Neil has been on one of the programs before. Welcome, Neil. Just because I think everybody knows David and Laura, just give us a quick two line introduction to yourself, who you are, what you do.
C
Sure. So I'm Neil Bisson, a retired intelligence officer with the Canadian Security Intelligence Service and the director of the Global Intelligence Knowledge Network.
D
Great.
A
And Chris. CJ Johnson. Can I call you CJ?
E
Please do.
A
Oh, yeah. CJ, tell us a little bit about you.
E
Longtime MSP space. ATP space. Recently now, going on four years, I've had the privilege of running cybersecurity compliance programs particularly geared at ITSPs for Global Technology Industry Association. GTIA is what we like to call it. And yeah, we're gearing up for our first North America Community and Councils forums actually next week.
A
And just because we have a rule that whenever you use an acronym, you have to explain it because people might not know it. MSPs being managed service providers.
E
Let's hope so.
A
Okay,
E
that's my take on it too.
A
The only part we argue about is the managed.
E
Right.
A
Other service providers.
E
That's fair. That's why we've referred to ITSP now as the Information Technology Service Providers, because I think MSPs was too specific and to your point. Not sure everybody in the quote MSP space can define the M part of that.
A
And I know there are lots of great people out there working in IT, but if you wanted to strike fear into my heart, when I asked you about your security program, you said, oh, our MSP handles that. That was also like a strike. Okay, maybe we should talk about that. And that's not to say there are a lot of really competent people who are doing this. There's just a lot of people who assume that because they have hosting, they have security. And that probably is a fatal assumption. So welcome. The way we handle the program, not just for the panel, for people out there, and I'm sure you're used to it, is everybody brings a story or two and we try to explain that story that's happened over the past month and then do a little bit of a deeper dive and discussion on that. And we'd ask Chris here, because there's a lot of stuff to where we're going to see an overlap with MSPs and with service providers a big time, I think, from this month. But also, Neil, you may not. For those of you who might not be aware, we're in the middle of a war and we are. And that war will bleed over into cybersecurity. So Neil, with his security background and I can't tell you about the rest of it, he'd have to kill you. But. But we did want to talk about the implications of that as well. So Neil joined us at the last minute. Appreciate that very much. Who's got the first story? David?
B
I think.
E
Yeah.
D
The story that's on everyone's mind in to recap from February, of course, is the. I don't think we have yet a formal name for it. I've heard it as the US Israeli attacks on Iran, the Iran war, but I think that one was already used. So we're still trying to figure out what we're calling it. The military action that has not been named by historians yet.
A
Okay, stop. Just hold on a sec. Just there.
D
Yeah.
A
I just want to issue a warning, like one of those warnings that you get on this sort of thing. If you're one of those people who's got a team shirt on and if we talk about your team poorly, you're going to get all upset. This would be a really good time to go have coffee because we try to stay away from politics, but at this point that's impossible. So if you're going to get upset, don't write me a note. Just go and watch another podcast for the morning, I promise you. Back into this.
D
Yeah, I'm not going to get into the geopolitical reasons of that. We're going to stay very much focused on the attacks and what we're seeing and the dimensions related to that and the possible impacts on all of us who are not the people making the decisions on this conflict. So the first thing that I wanted to cover with this is we saw this dramatic use of hacks both for the coordination of strikes. And CNN and others have an extraordinary story about the compromise of traffic camera networks and other signals intelligence that was gathered to help with precision strikes on the leadership in Iran. There's a component of AI in there with reports related to the use of targeting prioritization using artificial intelligence, particularly generative AI based systems, which of course it happened in the mix of this ongoing back and forth battle between the U.S. Department of War and Anthropic. So we've had that going on. We saw extraordinary impacts on network connectivity. And initially I was wondering if that was a planned attack based degradation of signals to prevent command and control. And it looks increasingly like this was the defensively planned countermeasure. So like Russia, it appears Iran, which has turned off its Internet before during democratic protests, et cetera, it essentially its version of shields up was cutting wires and you saw various charts that have shown Internet connectivity drop by almost like 98% in some cases. And it sustained down. And so what's interesting is that just like how what we're seeing in Ukraine is writing the modern chapters of kinetic warfare, we're seeing the new textbook of what attack and defense looks like at the national scale with these kinds of things. So the initial waves of attack which were both used for intelligence and targeting, they were also used for propaganda. Previous wars we would fly planes over various jurisdictions and drop pamphlets and propaganda related to the local population or target to military. 
And we, a highly popular prayer app targeted and hacked to distribute those messages. And in some reports that hack may have been around for a while and again using intelligence collections methods. So there's a lot going on that's been what's happening in Iran itself adjacent
A
to that back up just to make sure everybody's really clear on that. Is that the defense strategy. When we first heard the news that 97% of Iran's Internet had been degraded, everyone assumed that, that they meant that the U.S. had knocked that out. When the reverse is true, Iran took it down so that people can't communicate, which gives you. We could talk about the implications of that later. But this is a strategy that not a West, that no western country could actually employ.
D
This, this is the Russian playbook. Russia signaled this a few years ago when it became aware of deep compromise within its critical infrastructure sectors by the United States, particularly electricity and other things that it was like, ok, if we get hammered, the only thing you can do is cut the command and control communications back to this. And if you're deeply worried about how many smart systems are feeding back telemetry and targeting data, it's literally like you, you need that to restore what we used to classically call the fog of war. So that's been interesting on that on that scale. And it raises interesting questions. Again, none of these are political questions. It's like we know that when you degrade the Internet, it has harmful spillover effects on civilian population relative to public safety, could be relative to telecommunications, could be IT communications abilities between hospitals. There are consequences to these things. I don't think these consequences are severe as the active kinetic warfare that's happening. But it's interesting to note now, aside from what's happening in Iran, that's a very quick recap. We have these issues in the Strait of Hormuz. For those of you who watched GoldenEye back in the day, the very first Pierce Brosnan James Bond movie. And this is where I am still the resident culture guy for cybersecurity today. So the famous scene was this idea of being able to redirect this British ship and changing the GPS navigation coordinates. That's now rote, it is standard playbook. It's been happening in Ukraine for a while and we had 1,100 ships misdirected in the Strait of Hormuz, both with the GPS system as well as what's called AIS, which is the identification markers and signal system on that side. Some of these ships were showing up like they were at inland airports in various Gulf states. So we've got this massive sort of digital safety issue happening there. 
And then you have calls from various security agencies at Western countries saying go
A
back, sorry, just to go back again, David, the Strait of Hormuz, for those people who aren't, who are geographically challenged or just don't pay attention to this is where 20% of the world's oil moves through. It is very narrow. And I'm not an expert on this, but I've been told really would take one ship that was sunk at the right place to block it, which means 20% of the world's oil is not moving. And you're saying that a lot of these ships, and I'd heard the same thing, where their command and control was essentially compromised. Their navigation, satellite navigation, which most ships run now people, there's not a captain up there spinning a wheel. They are run by navigation and satellite.
D
And that's.
A
So when that gets compromised, you can no longer pilot a ship effectively.
D
And for the tech industry, something I did not know because I learn every single day, is the massive amount of helium production that comes out of Qatar. And helium being a very important coolant in modern technology, specifically MRIs in the medical space. But a ton of other things, particularly high power compute data centers, et cetera. So there's more than just oil in them thar hills that we gotta worry about in terms of supply chain disruption. So we've got that in the Strait of Hormuz. Then we pull back and we've got the western countries. And for a quick recap, what does Iranian retaliation look like? In the past on the nuisance scale of low to high, massive denial of service attacks previously against US banking sector, Canadian banking sectors, other online services. We have seen destructive attempt attacks, particularly targeting U.S. water utilities. And we've seen escalating attacks in that space targeting that. And for those listeners in the United States, when we in Canada think about water utility safety, there's a famous tragedy that happened in a town called Walkerton where the water supply was compromised with harmful bacteria that resulted in deaths, injuries and long term things. So we're really sensitive to that here in Canada. And then you have the use of Iranian crews, sometimes state authorized, sometimes just moonlighting, doing ransomware attacks to attack and generate funds. And one of the risks that I think is real is as the regime collapses, there's a ton of highly skilled individuals who need to make some money and/or maybe ideologically motivated to hit back. So we've created a toxic brew and I'll end with this. We learned in the last 48 hours that the cyber headquarters that was identified to that extent by Israel and the United States in Iran was kinetically struck. And this is not the first time we've seen the use of kinetic to take out cyber operators in various conflicts between Israel and Hamas. 
Hamas had developed a really clever spy tool on a soccer app and they had Israeli soldiers deploying it, but it was feeding signals back to Hamas about troop deployments and that got a missile strike onto where they believed that development center was. So that's a recap of the war. I don't know how I keep all this shenanigans straight. It's happening hour by hour on this stuff. Thus far, I would say I have not become aware of any major Western hits, critical infrastructure, other things. But this stuff can take time to unfold.
B
Don't that make sense?
D
Don't know if the other panel has other observations.
A
The one thing that I think we have to take into account though is that if you can't respond in terms of attacks with missiles or other things, if that, that's compromised, if your navy's compromised, you only have two options. One of them is terrorism by force and the other is terrorism by electronic means or cyber security. That's. You don't have a lot of other options for attack this, this idea that, that Iran is somehow going to go away or that knocking out one command center is going to somehow affect them in those terms. I think we've got a hornet's nest and you don't. Somebody else kicked the hornet's nest. A lot of the rest of our cybersecurity professionals are going to have to deal with the hornets.
C
And you're not just talking about what's happening in Iran because this has a ripple effect, right? You've got other countries that are now being brought into this conflict that are surrounding the surrounding areas. So that in and of itself is going to be an issue because you're going to have these other countries that are looking at this from the perspective of, okay, how is this going to either advantage or disadvantage us going forward and what do we need to do about that? And there will be hacktivists in those countries that might look at North America as a viable target when it comes to some of these other things that we talked about, whether it's denial of service, whether it's defacing websites, whether it's misinformation, disinformation, all of that is now in a larger mix. So it's not just, okay, what are we going to do about Iran? We have to think about this in a larger scale, even Israel. And we have huge populations here in Canada and North America that are from Iran, from Israel, from Lebanon. They're all in, in play here. And we've seen over the last 10 years that the Iranian cyber security or, sorry, cyber activists and state sponsored cyber espionage and attackers, they really excelled over the last 10 years. And we don't know exactly where they've implanted because it's not one of those things that if they're in a system somewhere, this might be the opportunity now for them to start taking advantage of it. And they might just be looking for when they're going to do it.
A
And Neil, is it fair to say just you can't, there's stuff you can't talk about from your past life, but is it fair to say that my impression is correct that knocking out one cybersecurity headquarters is not going to get rid of Iran's capabilities?
C
No, because just like having a sleeper cell in another country, you could have a cell of cyber activists, you could have a cell of other individuals that are basically proficient on the Internet, that once this is happening, they could say, okay, now we need to, as David had alluded to, we need to take out a water plant in somewhere in North America. We need to shut down a financial institution. We need to do this, we need to do that. Sabotage from a physical component of individuals going in and trying to blow something up or having an attack somewhere, that's one thing. But we could basically, or Iran could basically have cells anywhere in the world that are going to work. From a cyber perspective, the issue that
A
comes most foremost to me, there's two that I think we have to watch out as cybersecurity professionals. One is we've been talking about the failure to be able to protect our infrastructure and those systems, the operational technology systems, for years. We know that people have made great inroads into them and that's been one of the things that we all know about. Water systems are one of the ones. Because like I said, because of Walkerton. If you haven't lived through this, I lived an hour from Walkerton and those people, a lot of people died and those people who didn't or a lot of people by our standards, sorry, it's small population, but it was. It's terrible. Especially when families in the area and then there are a lot of people who were. Will be sick for the rest of their lives. Because once you. Once a water plant fails, the water doesn't stop. It goes to every house. And you know that those types of things. But there are other operational technology pieces in there. One of the things that I was listening to or heard about was that one of the reasons they could attack so easily and find people in Iran was using traffic cameras. And they're easy to get to if you want to do anything in North America, almost everybody's got a ring camera. There are traffic cameras. I will guarantee you that 80 to 85% of those have the factory passwords, default passwords in them. They're not even difficult to hack. And. Or you can go in and just hack their vacuum cleaner and find out it's. These devices are so simple to get to that we. I don't think we're impervious in North America.
C
North American market has. Sorry, David, go ahead.
D
I was going to say for those who don't have a military background, like one of the interesting things about you, don't satellites have a lag to them? You're not always going to have good satellite coverages. You're not always going to have enough drones in the sky or you won't necessarily have the air dominance to have the drones. But the ability to be able to watch from six different cameras and walk your missile strikes in is what we're talking about here. This used to be the kind of stuff that would be extraordinarily difficult. You'd have to sneak in a bunch of guys with some laser pointers sitting around in various spots to guide this stuff in. And now. Thank you Ring. I got triangulation, I got this. One of the reports that was interesting is the level of detail that all of these Internet connected things were able to harness along with other traditional military techniques is they had what's known as a 14 digit locator. And for those who aren't familiar, the more digits you have, you're talking down feet, inches Neil, 14 digit coordinates on targets.
B
So that's it.
D
But I want to call over to Chris for a second. Just talk about the rest of the world like the MSPs, the people who are being told by CISA shields up or by the Canadian Cybersecurity center be aware. What the hell do they expect us to do?
E
Yeah. So I've been tasked with creating sort of a public of our information sharing and analysis organization to stay on top of the particularly the Iranian conflict that's happening right now. And it's funny timing that you asked me that question because the story that I was going to bring is tied to the Check Point Research, tied to the interplay between the Iranian targeting of IP cameras and in the physical warfare that we're talking about like literally this. You couldn't have had a better come to a head and talk about cameras. What's really interesting is the biggest player in the space. I go back in time to when I managed a lot of physical cameras and I remember the warning that said if you're running this particular brand of camera you need to get them out and you need to do it now. The Hikvision cameras and it's not the only one, but that's the largest one that is being used. To your point about default credentials, it's worse than that. These are CVE exploits that have been unpatchable, they are not fixable and they're pretty significant throughout Israel and large parts of the Middle East. And they're using this as their hey, I don't need too much on the coordinate side. I just know that this camera and its view so I can plug that into some sort of Google Earth and I go, I know exactly where that is. Oh, there's the longitude and latitude and I am exactly where I want to be. So what's scary is it's twofold. One is the if you don't know, you don't know. So you think about the ITSP space and IT managed services and all of the support that they're providing to their client base. And this is just one more thing that's being added to their to do list of things that they need to provide direction on. And in this particular case, there's actually quite a bit of things that can be done. This is actionable. Check Point pointed out, like, hey, there, there's mitigation to this. 
And so this goes to what you said earlier, Jim, about regardless of how easy or hard it is to mitigate these risks, are the companies that are responsible for the mitigation capable of mitigating at scale, something of this magnitude? Because I think this is where we have the big opportunity to be proactive and preventative, is make the changes, go in and reduce the vulnerabilities, to quote, any means necessary. And I think that's the hard part right now, is that we can be resilient. We often choose not to because we prioritize something else over that, which we could do because, oh, it's time for dinner. Oh, it's. And if it was, if it was my office and these are my cameras and I know about it, I'd be like, hey, we are going to just unplug the cameras right now because I don't have a better solution.
B
That's awesome.
D
I want to turn to Laura for a second because I always enjoy her sense of this. But Laura, you've got a background. You've worked in the banking sector. You've worked with White Toque customers of all sizes. Who are you worried about right now? When Cyber center says get prepared, when CISA says shields up. And I'll have some thoughts about the fallacy of shields up in a minute, but I'm curious, like, who's on your list?
B
Yeah, you know, it's. I don't think there's any surprise here. And here's the problem right now. It's very vague, right. Who might be targeted. And I think it really comes down to somebody attracting the attention for that. It makes it somebody feel like from an attacker perspective that there's something to gain out of making some sort of statement by attacking a particular organization or individual. And I think that's where appropriate levels of awareness and diligence can tip over into unfounded fear. Most small businesses in Canada, the Iranians are not out to get you, I think.
A
Can I just jump in? I want to be really clear about that. And I think Neil has raised the issue that there are sleeper cells. There are those things, but we are a multicultural country for sure. That's things that could happen is for us to start fearing our neighbors. And that doesn't diminish the fact that we do have to have some security. We do have to guard against things. But your corner store, Iranian corner store owner is probably still.
B
They are not the one who is going to be leveling something against now an Iranian corner store owner who has perhaps been a little bit more active in speaking out against these atrocities because their family and their friends are in extreme peril over what is happening. They may find that they are rightfully more worried and should have defenses going in place a little sooner. Same with our Jewish neighbors. Same with anybody really who is willing to put themselves out there trying to create justice through their voice. So though from a small or medium business perspective, there'll be. I think the other thing is, you know, just when there are more attacks in general, there's more collateral damage. Just from the perspective of when somebody is doing some spray and pray just to see what they can get, there'll be people who are attacked who weren't really intended targets, but they're convenient targets. As it happens. It really actually it usually comes down to the same advice as always. The Internet is just the worst neighborhood in the world. We all, if we choose to participate in the Internet should understand that is what it is. So we all need graded grilled doors with proper locks and the metal garage doors over our storefronts or what like those physical analogies when you think about was portrayed of difficult neighborhoods. We need those equivalents in how we treat our online presence. And it's not like they're not that fancy. Right. It's not exposing the administration ports and access to your router on the Internet. Just don't do that.
D
Right.
B
That's simple. Cameras could be an interesting one and here's why. Let's say I'm a convenience store owner. We'll use somebody who has ties to the region so they are at a higher risk. Am I at a higher risk of threat because I have cameras on my store that might help locate me? Or am I at a higher risk of having my store robbed and not being able to do anything about tracking down the perpetrator because I turned my cameras off? These are the kind of problems that hold people up from doing more. Sorry, that might be a more direct comparison of threat versus threat. Usually it's more of a convenience versus threat type of trade off. But they're real problems and I think that's why it's hard for people to just get the solution done. But if nothing else, please think about it and make your choices. I think that's the worst is if you just put it on the shelf and I can't think about it like manana. Right. That's the thing that would be the wrong thing to do. At least think about it and make a conscious choice. If you can't change a security control online, at least know why and know what might change your mind about it.
D
And it's interesting this gets back to. And I'm, I feel I was joking with this on an interview with Carey Frey, who's the chief security officer with Telus, because Carey's been a mentor of mine for a long time and I'm still holding some small hope about the important role that government plays in creating regulations. And we saw really good ideas in the United States around a digital trust mark for IoT devices and a voluntary standard. And unfortunately that program seems to have stalled out. And in Canada we still haven't wrestled around with. But it shouldn't be up to the small business owner to make sure that their, their cameras they paid good money for don't can't be patched that the CVE goes unaddressed or other things like this is the that there are limits to consumer power in doing this. And we're seeing the limits like the behavior doesn't align. And we saw really good things like California's IoT legislation that says, hey, don't hard code creds. You gotta be able to patch the things. Those are some of the things we have to put boundaries on. Because I think a lot about Chris is mentioning the ITSP. The guy who's got two or gal who's got two or three employees. Like there's a small one in my town, they're called PC girls and they support so many small businesses and they don't their phones ring off the hook when the stress levels rise around the stuff. And this is happening. And it's interesting when I think about the community of IT professionals that support and the numbers are the same in Canada and the U.S. 90% of businesses are small businesses and there's this army of IT professionals that this whole thing is flowing back on. And to Chris's point, there are things they can do and they're probably things they've been telling their customers to do for a long time. But all of a sudden it's like the worst version of Black Friday. I can think of where everyone's lining up at the door saying, all right, I gotta do some stuff right now. 
And that stress that workload that hits these small providers. But I want to shift besides just talking about the regulation around just to
A
wrap this up, David, just for a there. Because I want to go back to Neil and just from the concept of this, I'm not sure that the average small business has to worry about their, you know, somebody taking over their camera or anything like that. What I'm talking about is the collateral damage that can get done to all of these small businesses if other things fail is important. And just from your perspective, Neil, is that a realist? Are we exaggerating or. I believe that countries do have the capacity to hit out and may. Is that something that, that we should think of as a realistic threat?
C
100%. And I'm going to be the opposing view here, and I'm going to throw this out there, is that unfortunately, for decades Canada's supply chain has been compromised. We've had CJ allude to it when he talked about Hikvision cte. Now we're talking about. And David and I have talked about this on the media too. We're talking about China bringing in 49,000 EVs from China. The problem is that it's a responsibility of the government of Canada as well as a responsibility of whether it's the large, medium or small business owner to try to have an understanding of what these compromises could be. But the problem is for most businesses, the bottom line is how can we make a profit and how do we keep our costs down? So if you got a country that has already shown that their concerns when it comes to Canada or the Western countries is for data exploitation, theft of IP, all this other kind of stuff, they can turn that around and then use that to their advantage. And we're seeing this already. I just read an article before we got to the mics about how Russia is now providing Iran with intelligence information that they've collected and that they've been able to get through compromised supply chains about the United States. So by the Canadian government not stepping up enough or not stepping up quickly enough to try to inform businesses that your supply chain could be compromised because you've got this type of camera on your, the front of your store, you've got that or you've got this, the likelihood of it happening. It could happen. And it. And when it comes to this, when you've got a conflict of this scale that is basically enveloping parts of the world, you're going to have China, Russia, North Korea, all of those countries will be looking to supply information to Iran because Venezuela, the oil from Venezuela has basically been shut off. That affects China. China is affected by the amount of oil that's supposed to be coming from Iran. They're not getting it. 
So you have to look at this in the bigger picture. Right now Iran is trying to strike out to anyone they possibly can with kinetic strikes. That also means that they may be looking to Russia, China, North Korea and others to provide them with that information that they need to strike out in other ways on the cyber field. So this is something that we have to consider going forward. And unfortunately over the last little while, understandably, Canada is more concerned about economics than they are about, okay, what's the next cyber strike going to come from? What's the next compromise that we're going to have?
D
And I want to pivot a little bit because I know we have a lot of American listeners. And what I'm about to say again is not political and I'm going to couch it with this. One of the achievements of the first Donald Trump presidency was the establishment of the Cybersecurity and Infrastructure Security Agency. And they did a lot of really good work and they have become an important asset that a lot of countries rely on. And they've had some great leadership over the years. They have had just an awful, terrible, no good last 12 months on the leadership side. Their current director nominee who is quite, who is quite competent, Sean Plankey, is held up in the product process in Washington. They just lost their acting director who was mired in various controversies that we covered related to, got an exception to use ChatGPT and posted, not classified but not supposed to be posted to ChatGPT documents and a whole series of fights that were happening in there. They just lost another well regarded member of the team, a CIO. And so they've been, they got radically cut as part of US Government policy decisions around right-sizing government. They've had leadership turmoil and this is literally the worst possible moment and it has an impact outside of the United States. The amount of countries and this is again not political, that depend on the defensive information that can flow into the US is enormous. So it's not just Canada. That's Neil's point about dropping the ball on some of the stuff we've had folks who've had the ball and they're now dropping it as well. So it's bad time.
A
And the CVE program, the degradation of CISA is not in the past few weeks. It has been on life support for almost a year. It's been cut, its budgets have been cut, and one of the programs that is just essential to everyone. As we'd finally gotten a way to be able to identify and label threats in a way that made sense. That whole CVE program has been threatened for some time. And if that disappears, we go back to the old days of everybody's got a file cabinet full of threats and cyber activity. That's not a good thing.
B
Something to learn from that and then is really that there was a big call to government to do more. We love calling on the government to do more. And then when we do stuff, or when they do stuff, we love ignoring it and not listening to them, or worse, telling them that, oh, the government said it, it can't be right, or I, I'm afraid of my government. And we're just in that one of those points in time where there's a number of different factors that are just coming together at the same time. And a conspiracy theorist would maybe look at this, probably does look at this and say, this has been a lot of planning and execution over a long period of time. And there's some of that. Some of it is just the ebb and flow of civilization, unfortunately, I think is also a natural piece of what's happening here. But we have at the same time a degradation of our ability to communicate effectively. Earlier in the program, there was a mention of flying over and dropping pamphlets. And I'm like, man, that's like effective communication these days. There's not. You can't assume. So anyway, back to the point about government, I think it's important that it's also community. Right? It's community and grassroots and people in the space coming together. Maybe it's government funded, but it's Arms Reach Agency. So it's not the voice of the government telling you, this is the experts. But we recognize this is not a business. This doesn't generate revenue to have people come together and provide good advice and do good research. So the money has to come from somewhere, but the expertise should be allowed to do what it's supposed to do, which is work ethically and effectively to get good information out there. And then we somehow have to break through all the noise that is present right now. Also break through the challenges. When people go on their phones, they don't want more bad news. Right. That's why we scroll. Scroll. Yeah, exactly. So how do we get the message? 
Effective, to the point, actionable. Not about fear, just about: these are the things that you actually need to do.
A
Well.
E
Yeah, I just, I wanted to go back to the camera thing for a second. We've been talking about all of the bad things that are happening. CVE's the list. But I don't know if any of you watched the Super Bowl. It's this really big thing in the US that people do largely for the halftime show. But that's neither here nor there. But there was a commercial that was talking about the Ring cameras and about how you can now find your pet because Ring has now voluntarily decided on your behalf that this is a great thing, and the backlash was just insane. But I think that's a piece that we haven't really talked about, is that the private sector, to the economic side of this, they have an agenda, too. And it's about continuously providing value that they see that we need, whether we ask for it or not. That, and this is a great example of we just got the Orwellian scenario of we're all being watched, clearly played out on live television for the whole world to see. This is here. This is real. And everybody was like, cool.
A
Yeah.
D
One of the things I just want to dive in. One of the things that I admire and love greatly about American culture is the we ain't going to lay down and take it. And so when you poke the bear, when you're like, wait a second, that's creepy as hell. I don't want that. And then all of a sudden, it goes across partisan lines. But I think this is a really healthy moment because for the longest time, you've seen in American culture, again, just from an outsider's perspective, the wait a second, government getting too big. And this is ingrained in various aspects of this. But I love the idea that people are starting to go, big tech getting too big. And this segues over into some big conversations we're wrestling with in Canada. And this isn't a cybersecurity story per se, so I'll give it just a quick nudge. But OpenAI, for those listening in the United States, is in a lot of hot water in Canada, where we had a tragedy, a school shooting tragedy here in Canada, and eight people were killed. And it turns out that the perpetrator had been having deeply disturbing conversations with ChatGPT to the point where it raised an alarm bell somewhere in the machinery and staffers, and whoever those staffers are, I want to say thank you. They raised the alarm, but somebody inside the company said this did not meet the material threshold for notifying law enforcement. And that has caused a significant amount of outrage. And there are deep conversations happening now within Canada, and the balance on this is very difficult, about the onus on big tech companies to alert when there's plausible risk. And that is a cybersecurity and privacy story. What are the lines? What are the boundaries? How does that look? What does online harms look like in this? And I'll just note related to specifically these chat things. There's a Canadian brilliant researcher by the name of Michael Geist and Michael is a brilliant guy lawyer, one of our top minds on privacy. 
But I deeply disagree that conversations with an agentic generative AI platform where it can become sycophantic and/or encouraging of people who have mental health issues potentially putting themselves and others into peril deserve the same protection as a human to human conversation. But I just wanted to just touch base that I'm taking some hope from this Ring revolt and this moment we're seeing in Canada of saying wait a second, big tech. Because this gets back to Neil's point. It's not just the Chinese Communist Party that has an agenda. Lots of players have agendas.
A
The AI industries have been distinctly tone deaf. And this is something that has been a problem. And I don't think for instance in terms of understanding Canada, I don't think OpenAI understood and I'm not critical of the US at all. But a school shooting for us is a once in a generation, once in a 10 year activity. Sure, you don't trivialize that in the same way that other ways you poke the bear on privacy. There's a Ring camera thing. People really misunderstood the need for or the desire for privacy. These companies need to understand this in a way.
B
I just want to provide one maybe slight counterpoint when we talk about the conversations happening in these chat systems and protecting them the same way that they would be protected with a professional. I don't think that's a garbage point. And the reason being professionals also have a duty to report. Where it gets complicated is if I as an individual am engaged with a therapist, that one therapist is the person on the hook to recognize when things have gone too far and they need to report. Organizations have a problem of groupthink. It's not just one person who's feeling they have an obligation to report. It's a team of people who have reviewed something and then usually a team of leadership even who gets involved. And it's first of all very expensive. There's a lot of people getting involved. But it is also very prone to skewing towards doing nothing because a group tends to skew towards inaction rather than action. So I think that's dangerous, but I think it's not a bad standard to say if this person was having a conversation with a professional, would it be reportable? And if it is, then that's appropriate.
D
And I'll just, I'll end on this note. Jim, is it? New York has proposed legislation and this just came out, I'm fascinated by it. That would prohibit generative AI chatbot search engine answers from answering in legally licensed fields, psychology, into medicine, law and other things and saying, oh, you have to have a license, you have to be certified to be able to answer these questions. And these little caveats that I'm not a licensed professional aren't good enough. You shouldn't be entering into that space. And there's economic behind that. I'm not going to kid myself that guilds are guilds, man, and they're going to protect the livelihoods of their guild members. But I also don't hate the idea of saying, you know what, no, let's just not go down the road of somebody hallucinating out some important medical advice or other things. I'm not saying that these tools can't be used properly in the hands of a licensed professional to aid. But I don't hate where we're going with that. But on that note, Jim, I think the other thing, not that I want to go back to too much war, but you flagged something that did catch my attention and I got to say this on LinkedIn, my God, the posts on this have been saucy. But we've seen degradation of Amazon Web Services data centers and degradation. They were hit with missiles and people were shocked that their AWS shared security model did not include air defense. No, man, that's not a thing. Like Amazon don't get its own Patriot batteries protect the data center. That's part of your threat model, dudes.
A
This goes back to this whole thing and we take it at the simple level. And David and I were sharing the conversation. I know where two major data centers are. I can see them from the road. It is not hard to knock out a data center in North America if all you would take is somebody who didn't need, who felt they could escape or felt that they could take going to jail. That's it. And the data centers have been knocked out overseas. And don't forget the other piece of it that we can't take away from. This is just the taking a data center down with DDoS or with other traditional methods. We are very vulnerable. And we've seen it a number of times the eastern seaboard goes down and you talked and I talked about it, David was how much development is now running through Anthropic or Codex in terms of when they go down, the whole development shop stops. So we are really integrated, not only with our usual traditional commerce, e-commerce, but almost everything we are doing is tied up. And I don't even know how you begin to think about a business resumption plan but and that was the thing that's been troubling me all week is what do you think?
B
One piece at a time. One piece at a time. That's a great starting question, right? So say your business is software development. You have everybody using Anthropic. Ask the question, what would we do if Claude wasn't available for a day, for three days, for a week, for a month? And then find what your answer is. Do you switch to another platform? Maybe if it's only Friday, yeah, we're gonna do some manual coding today. Maybe everybody takes a coffee break for a long time. Maybe that's that, and that's a legitimate plan. Sometimes the plan is, yeah, you know what, we can lose a day. It's not the end of the world. Sometimes the plan is, no, we gotta. You're gonna get over onto this other. This is our alternative but. And I think it's easy to get overwhelmed but we do this with all kinds of companies. It's look at what are the key things that you do, what are the things you rely on to do those things, right? So what are your processes? What are the tools and vendors that support it? What would you do if any one of those things wasn't available? What would you do if all of those things weren't available? Can you fall back fully to manual processes? And if you can't, how long can you live until you're not a business anymore?
E
The AI one's a reality, right?
A
If they.
E
We know right now we are consuming power faster than the power delivery can get to those facilities. At some point without any act of war or violence or intent, we are going to have those things just shut off.
A
No, it's already happened, Chris. On the eastern seaboard, two data centers pulled out. And you have to understand how electricity networks work. If they don't shut down properly, they suck power out of the system. You're right when you say this is going to happen. I can't see it not happening.
D
And remember in North America a squirrel 20 years ago. Fortunately it was during the summer. Not the best Necessity for those who have heat intolerances took down a big part of the grid for a couple of days. There's a large number of the Canadian 20 some year old population that owe their existence to that particular power. Statistically actually proven so. But doing that in the dead of winter probably is not going to have the same effect. But the interesting thing about the resilience plan that you mentioned is that what I've learned now, and my dev shop has really embraced the use of tooling in a really cool way and we're building really cool production methodology. The first part of my business continuity plan that I need to have now that I watch Claude go down Monday morning is immediately switching to decaffeinated coffee for the team. Some soothing music, some little bit of calmness. Maybe we bring in the meditation person because I'm not gonna lie, it was like watching a two pack a day smoker go without. It was uncomfortable from an amateur neuroscience biology perspective. The cold turkey of AI just got turned off was uncomfortable to watch.
B
Mandatory fun time.
A
Yeah. And Chris, you've got a unique situation if you're talking about MSPs as well, because there's two sides to that. One is how does an MSP cope with this going down if a major part of the network were brought down and it's going to happen. I think, like I said, we've talked a lot about the fact that it could be done because of cyber espionage or some sort of act of war or just a failure of the system, squirrel, or the power issues. I can't see us having uninterrupted processing. So how do we prepare for that at that level as well?
E
I think Laura said it at least in part from an AI perspective of FA is. I mean they're largely very similar. Let's be honest. There's formatting differences, there's some other parameters, but when you put three or four of them side by side, which one used a better font? Like it's not largely that different unless it's for particular tasks that you're trying to accomplish. You asked two different systems to create a photo for you. Now we start to go into a different territory of what are they best at. But I think that the ITSP not only has that problem, but they also have the problem of they probably sold AI at some level to their client base as well. And that's not as broad. So I would argue that largely in the IT space they're selling Copilot, like that's the go to for the majority of what's in that space, they're not going out there and saying, hey, we should put you on ChatGPT or we should put you on Anthropic. They're going with Copilot because that's the most profitable, largely for the ITSP community, which to Laura's point becomes problematic if that's the one that doesn't work and that's what they're relying on. And I think today it's annoying when I can't use it because the majority of people using agentic AI are using it to do things like summarize this document. Tell me what I missed on this meeting from yesterday. I don't want to go watch the whole video. Give me the TL;DR. That isn't really what most of the agentic AI is really good at. It does it. But that's. You get into the human element. Talking about like replacing jobs. I think like at the Level 1 help desk I can remove human error. Like I didn't give the user as the CEO of some company God privileges in their mailbox. I, because I couldn't. Because the routine didn't allow for that to happen. I put a level one help desk person on it.
C
Oh yeah, no problem.
E
Check the box, Boom, you're good to go. Also probably shouldn't give level one help desk admin rights. That's a different conversation. But I think that's, that's what we're going to see. I know we talk about the white collar worker, like literally going away over the next 18 months. I think it's go away because those jobs are being replaced by different white collar jobs. I don't think that's being articulated very well. It's hey, if you want a job in 18 months, you've done some serious learning and job shifting. What you currently are qualified to do by literally just spending some time and learning how AI can benefit you.
D
Yeah. And I think you're bang on, Chris. I think for various reasons the AI big tech industry, which has taken a fortune's worth of money ingested into it, needs to try and justify some of that at the speed at which they're ingesting and speed of their spending by saying they're going to have such a tremendous impact. One of the things won't take too much time. But we saw these stock market shudders. Claude Code came out with a version of static code analysis. The slightly better version of static code analysis and CrowdStrike lost 10% of its market value. Are you kidding me, I want to avoid losing that clean rating on Apple podcasts. So I'm not going to say what I would have said but like no man, like do you know how many terabytes, petabytes, I don't even know what's bigger, exabytes of bad code are going to be around for a long time that this Claude cool tool ain't going to do nothing about. And trust me, CrowdStrike's going to be around and EDR, MDR, et cetera going to be around a long time. So I think we need to reset a little bit on that. But speaking of AI though and transitioning to another story that I'm curious because I think this one's going to be interesting to get Laura and CJ and Neil, your thoughts as well. Jim, you and I have talked about this. So we had this report out in February of 600 Fortinet firewalls getting pwned and then it got really interesting because they got pwned automated that this was a relatively low skilled threat actor and he took his coffee, went to his agentic AI and said go for it. And we now know the name of that agentic AI. It's called Cyberstrike AI. Team Cymru's research team published a report on this. So it's an open source tool. It combines 100 different little hacking ethical hacking toolkits together with the power of a model context protocol and yay ha. And you can swap brains with DeepSeek, with Claude and other things. 
And my editorial take on this and Jim and I were discussing this is that this has gone from tooling that were the digital equivalent of muskets. You had to know what you're doing, stuff it in there, shoot it. It was relatively automated. We've all had some fun with Kali Linux, but you had to have some level of skill. And now we've gone to a $50 AK47 where it's preloaded and the bolt's back and it's just ready for you to pull the trigger. And I think it's going to reignite the really old debate about tooling availability for ethical hackers because just that this is a whole different scale of automation and harm. And I'm curious, I want to turn to Laura because she's usually smart. She is smarter than I am for sure. But you've been kicking around in various sectors, you've been around the block. Do you work in this space in ethical hacking? What are your thoughts about tooling like this landing and anybody's got it. Okay.
B
I feel like if we can't even figure out how to regulate physical objects, I'm not like super optimistic around and collating objects. So there's a bigger problem to solve obviously of just regulation of anything in the Internet, let alone objects of harm for good or evil. So in some ways because the mechanisms just aren't there, it's almost a non debate. Right. Unfortunately there just aren't. There aren't things there. But yeah, it certainly makes things interesting and it certainly opens up the new attacks. Novel attacks are usually just like replays on old attacks just put together in new and novel ways. Right. So this will be the new bot army will be mass distribution through malware of these things that are command and controlled. But the C&C is just going to be a prompt sent out to go and do whatever instead of having to actually like give it very specific machine instructions as to what to do. Is this going to be like an army of chaos? Great. So I don't know that wasn't a very optimistic or even necessarily an insightful answer but that, so I'm not thinking we're going to do a great job of regulating this. Also the fact that the people who do this are not, they're not doing it because it's legal, it's not in some ways it's not explicitly illegal, it's a gray zone or depending on where you live, there's no laws anyway. But we continue to stand by a fully interconnected Internet as a principle of democratizing information sharing. And so this is. These are the natural consequences. If you let everybody talk to everybody, some of those people are going to be bad and some of them are going to be really powerfully bad. This is the printing press of malware. I guess we're now distributing words to everybody.
D
See what I said about the insightful commentary? I love far better analogy than the printing than the AK47. The printing, the Gutenberg of malware. I love it. Chris, I'm curious like from that ITSP perspective more pwnage everywhere, easier all the time. Is it like how much of the industry is just gonna be like I quit, like I'm done. I just can't keep up with this anymore.
E
I know that the mental health is definitely taking its toll but it's. This is the part that keeps me up at night. I think about like network infrastructure. What is the average cycle of switch replacement in a large scale business? Like it could be a multi purpose space, whatever. But I would argue that most switches in a network are somewhere between 7 and 10 years old. If they aren't older than that, we don't buy to replace, we buy to add. We get frustrated when the model has changed since the last time we purchased a switch. If the switches are 10 years old and the tools in which we use to compromise new infrastructure is way ahead of new infrastructure. We don't need 80% of what could be compromised tomorrow does not need us to do anything special to compromise. I would argue that infrastructure, the digital infrastructure, has become like OT. It's 50 years old. It was never meant to live in the world that it is in today. Where AI is now the new Internet, if you will, of thinking back to critical infrastructure. When someone's, hey, wouldn't it be cool if we could monitor the water pH balance on a shared computer? And they're like, yeah, but it doesn't get on the Internet, no problem. I've built this device that will connect it and now you have a screen that's got a red button and a blue button. It doesn't say what they do, but you can push it.
D
Yeah. And one of them releases way more lye than you intended to in the water supply, which Neil, I want to ask you about. So motivations are interesting, right? So we've talked about this hacker behind this Cyberstrike AI is reportedly a Chinese hacker tied up with various criminal crews, maybe even tied back to the Chinese state, depending on some reports. If you're a hostile country and you just want to, maybe you don't want to do the hacking, but you want to make the web terrible, you want to hurt economies, do you just start releasing more and more of these tools and yeehaw. Is that part of the playbook of disrupt, deny the kind of shenanigans that nation states have been motivated to do?
C
As you guys are talking, I'm looking at it from the perspective of a terrorist organization. So you take ISIS for example, right? And ISIS was 15, 20 years ago, the new kid on the block. And Al Qaeda had this kind of structured, you can't do any operations unless it's signed off at the higher levels, blah, blah, blah. And then ISIS comes along and they're like, you know what, we're the bad boys of terrorism. We're going to do whatever we want. If you want to go out there and just conduct an attack and then say it was us, we're happy for that to happen. And that worked into basically the whole idea of spreading this kind of fear within the system. So you equate that to what's happening here. And as you just said, whether or not this individual has been identified as being part of a state sponsored hacking group or they're just doing it out on their own, it provides two great things. One, the state that might be responsible for causing this to happen in the first place can just fall back on plausible deniability, which a lot of hacking groups, and we've seen this before, whether it's state sponsored or not, they'll just say, oh, they do what they want, we have nothing to do with them. We're not providing anything, any, unless there's a direct connection that we can show. So we might be seeing the emergence of a new type of state sponsored without any direct connections. Right. Why not just get a bunch of other individuals out there who may be willing to send this out into the ecosystem and see what happens and we're just gonna watch everyone else try to pick up the pieces and have this continue to happen. We talked earlier in the show about the Iranian sleeper cells and how that could be also equated into the cyberspace. We're just bringing this one step farther and there are just individuals out there that are like, I'm just going to do it because I can do it. 
And whether or not I get related back to whatever foreign state, adversary or not, let's see what happens. So this is definitely one of those things that we're seeing that some will say, like want to look at it from the viral perspective. It's not just one person getting hit with. This is going out all over the place. So other people are picking up on it and then they're using it, propagating it. So yeah, this is not something that we can take lightly. But at the same time, how do you prepare for this kind of stuff, right? How do you know when this is going to happen?
D
And on the note about the preparers, like I take Laura's point to heart, like the Pandora's box is open. There's no undoing agentic AI, there's no rolling back these technologies, there's no regulating. Every time I say cyber weapons, it sounds funny, but there's no regulating these tools. There's like the guy who still has hopes in government, has washed his hands that we're going to be able to deal with this. And then it becomes this issue of what Chris has said, this 50 years of digital cruft technology debt made real that we're going to have to wrestle with. And there's a new website out. It's called the Zero Day Clock and it takes a lot to scare the pants off of me but data and good graphs could really hit me where it lands. And what's fascinating is that they show the median time to exploit particularly over the last couple of years declining from two years to projected to be less than a day. And I mentioned this in the context of Jim and I covered over the course of last year we saw the ability to take published CVE documentation and turn it into an wait get down to 15 minutes in one day from the ESAT researchers. Then at the end of the year we had someone one up them like hold my beer. I got it down to 120 seconds and I'm like I'm feeling for you all you bank patching teams but I think we got a real software quality problem. I no way around it. Like what Jen Easterly was saying towards the end of her term which I think is far more effective than shields up is the root cause of a lot of our cybersecurity pain is irresponsible software pushed out, move fast and break things, patch it later. And I think the bill just arrived at the combination of this agentic AK47 and this timeline. But I'm curious for others' thoughts that we have to fundamentally change how we build software.
B
And just I want to anchor back into a little bit of the earlier we were talking about where does this intersect with state sponsorship or lack thereof. And I think there's a lot to learn from the playbook the Russians ran for now decades which was they didn't necessarily explicitly sponsor anybody who was attacking other countries or people in other countries, not necessarily a country themselves. But it was like if you're not making problem here in our turf, you go do you and then the government takes notice and or the state takes notice and leans in to say hey you've built some skills or you've got some information now that's quite interesting to me. Now it's time to pay your dues for all that turning a blind eye that's been done for all this time. But the folks who aren't successful, right just whatever keep doing that.
D
For those listening like here's a great example of this. It also has a hilarious Neil will chuckle about this and maybe shudder a bit. So we have this group called Zarya which is like a D team. These are mostly website defacing DDoS script kiddie kids. This is not like fancy dancy bear level here. That's not an official APT name yet but if it does become one I own it. These kids are just trolling the publicly addressable IP ranges. They find a Canadian pipeline and it's wide open. Admin, admin. And it's got enough dials and controls. Chris's very uncomfortable red and blue light analogy triggers me here a little bit with this. And they call back to the GRU and say, hey, we got something interesting here. Do you want us to make it go boom? GRU's: sure, why not? See what you can do. This is exactly what Laura is saying. Like they're aware of these kids, they do their thing, et cetera. Now the tie back for Neil, which would probably make his heart a little sad because the intelligence community is generally full of rural professionals, is the only reason Canada knows of this story is because the US has an amazing intelligence apparatus and they were monitoring the communications between us. And the only reason we know it is because a young officer in the Massachusetts Air Force Guardian wanted to prove he was cool, so he leaked these things on Discord. That's the other side of the world that we live in. So if you're wondering like do we have the receipts for what Laura just said, yes, we do. Thanks to a kid bragging on Discord. That's a fun place to be as a.
A
We have to wrap up because I think we're running past an hour here. But I do want to leave one thing. We've dealt with a lot of the tough stuff and it might be easy to say, oh my God, I can't deal with this. And my motto is just because you can't do everything doesn't mean you can't do anything. So my one tip I want to leave with everybody is just a story of a little development shop in Mexico. They had three guys and they spent about $180 a month on their various AI tools and they got a bill for $82,000 to a three person shop because they didn't mask their API keys. Just for everybody who's out there, who's listening, who's in cybersecurity. Remember, those API keys are, when AI companies bill for each token, worth gold now. And I know we always used to hard code them in and sometimes we put them into the documentation that we put together and they're pretty damn easy to find. But two days worth, two days for $82,000. So anybody who's out there right now, Monday morning, go into your shop and find out where those API keys are. That's my tip for the week. But the other piece that I just want. Sometimes the good guys win. I try to do a good guys win story. And it was the FBI, Europol and probably, there's probably a number of other places got together and brought down a site called Leakbase. And it had been, we talked about these, all sites that make these tools and these lists available. Sometimes the good guys win. And the people who are doing this work behind the scenes. And it's easy for us to talk about this government. Government's not getting along with this government behind the scenes. The FBI, the Europol, Canada, Australia, they're still working hard to bring down these sites. And they brought down a site with 142,000 registered users and were able to track down to at least the top 150 of the perpetrators. So sometimes, and Neil, you probably want to wrap up with a comment on this, but sometimes you guys do a good job.
C
Yeah, every once in a while we luck out and things come together. And that's one of the reasons why in the intelligence community, no matter what's happening in the world, we try to rely on each other to ensure that we watch each other's backs. And some of us just have a lot more eyes out there saying what's happening. But some of the stuff that you guys have been talking about today has made me think about going back to one of the things that this whole conflict in Iran started on was because the US and Israel were afraid that Iran would get to the point where they would start building or were in the process of building nuclear weapons. You go back to the 1940s, that was the biggest threat to the world. And now we talk about AI becoming the new threat. We talk about it being the new arms race. And back in the 1940s, 50s, 60s and 70s, getting access to fissionable material in order to make an atomic bomb was difficult. But unfortunately, now when you talk about the AI side of things, when you're talking about cyber side of things, it's a lot easier for people out there to get access to what they need to cause a lot of destruction and damage. We're all looking at this from the perspective of, okay, they're trying to prevent this horrible thing from happening where state that sponsors terrorism gets hold of a nuclear weapon. But the after effect of that is that now we're actually propagating individuals that have access to the new arms race to do more and more damage. So it's really a strange what's old is new again. Except now you have people that have access to this type of information and that can use it and that we're afraid of a lot more easily than back in the 1940s and 1950s. All I can say is to everyone right now is you guys talk about this all the time: make sure that your companies not only prepare for something that could go wrong, but they know if something does go wrong they have the means and the ways to deal with it.
I say that for individuals too. In Canada, financial systems may be affected, water, energy might be affected. So do the best you can to try to prepare on your own so that you don't make it more difficult for the bigger picture. And that's it.
D
And for those not familiar, there are lots of great guides about the 72 hour preparedness stuff that you should have and everyone else and Laura's kind of given that idea of the business version of that. Is it like what over 24 to 72 hours do you want to have as your plan in the event of critical cloud service provider being unavailable or an outage or other things? I think Ronald Reagan once said the scariest words in politics are I'm from Washington, I'm here to help and Ottawa could be inserted equally there. And I think a really powerful point that was raised earlier is that it's on us as a community. And when I think about the I.T.S.P., going to memorize that, Chris, now the information technology service provider and the MSP side, it's like you're part of the fabric of this in helping educate your small businesses about their 72 hour plans and those things. That's where you bring value beyond just being the Internet plumber is that you really are their trusted advisor. And I'm sure Laura, this is some of the work that you do with White Toque as a trusted advisor through MSPs and others. I think there's a role for all of us. We Billy Joel I think once said we didn't start the fire. World's been burning since it's been turning. That's not it's role in the politics, it's we just got to keep the world turning.
B
I would love to leave people with something really simple that they can do and what they shouldn't do. And just because this came out in February, which is notionally the month we're wrapping up. But here's a shocker for you. Predictive text generation produces predictable passwords. Don't use ChatGPT to make your password. If you're going out to your ad your system and you've been inspired to change that default password. Do not use Gen AI to produce your password. They produce duplicates. They produce like if it found a password out there on the Internet, it's gonna lean into that and share it with you. To put it anyway, just don't do it that way. Use a proper password generator that's properly randomized. Hot Tip of the Month.
A
Chris, any final words?
E
I think it's been covered quite well. I would just share that. I think that we're not. I don't think any of us have said that AI in and of itself is bad, but good grief, this goes back to Just because the app is free doesn't mean that you aren't paying in some way, shape or form for what you are using.
A
Good stuff. Want to thank the crew this week. David Shipley, Laura Payne, our regular panelists in there. Chris Johnson, welcome, C.J., it was great. Hope to have you back. Neil Bisson, always great to have you here and everybody who's listening and everybody who's listening in the audience. Thanks for spending the time with us. You could have been doing something else that was hopeful and you spent your time with us. Hopefully we've given you at least a few laughs and a few tips, not just all do. David, do you want to wrap up?
D
And Laura, thank you as always for the. Now I have another Laura T-shirt I gotta get printed. The Gutenberg of malware, the printing press of malware. So thank you as always for the memorable quotes.
A
Great. David will be back with the news on Monday morning and actually he's doing Wednesday next week too. So I'm going to put my feet up. So that'll be great. So thanks for spending the time with us. One reminder. If you do have API keys, check out Friday's story. Go back and check that out on Cybersecurity Today. It is important and it's one of those things we don't think about. So please do yourself a favor and do that. But other than that, have a great weekend. We'd like to thank our sponsor Meter for their support in bringing you this podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware, the firmware, build the software, manage deployments and run support. It's a single integrated solution that scales from branch offices to warehouses to large campuses, all the way to data centers. Book a demo at meter.com CST, that's M E T E R.com CST. I'm your host, Jim Love. Thanks for listening.
Host: Jim Love
Panelists: David Shipley, Laura Payne, Neil Bisson, Chris Johnson (CJ)
Date: March 7, 2026
Main Theme:
This "Month in Review" episode confronts the escalating convergence of global conflict, cyberattacks, and the vulnerability of business and critical infrastructure. The panel dissects the cybersecurity fallouts of the ongoing US-Israeli-Iran conflict, exposing ripple effects felt by organizations of all sizes, especially in operational technology and supply chain security. They also delve into attacks on commercial shipping, the role of AI in both defense and offense, state-sponsored cyber tactics, the limits of regulatory protections, and emerging AI-powered hacking tools. Throughout, the discussion is grounded in actionable advice and underscores the persistent need for business resilience amid rapid digital change and global uncertainty.
[03:36–12:34]
Quote:
"Iran took it down so that people can’t communicate...this is a strategy no Western country could actually employ."
—Jim Love [06:52]
[09:19–12:34]
[12:41–15:57]
[15:57–19:13]
"80 to 85% of those [cameras] have the factory passwords...they’re not even difficult to hack."
—Jim Love [16:44]
[22:02–26:18]
[26:18–31:36]
[31:36–33:53]
"If that [CVE program] disappears, we go back to the old days of everyone’s got a file cabinet full of threats..."
—Jim Love [33:13]
[33:53–35:52]
[35:52–41:15]
[41:15–47:25]
[47:25–49:58]
[49:58–62:07]
"This is the Gutenberg of malware."
—Laura Payne [54:37]
"...the state can just fall back on plausible deniability..."
—Neil Bisson [57:10]
[59:23–62:07]
"Just because you can’t do everything doesn’t mean you can’t do anything."
—Jim Love [63:37]
Password Hygiene Tip:
Financial Risks of API Keys:
Sometimes Good Guys Win:
"This is the printing press of malware."
—Laura Payne [54:37]
"If your security program is ‘Our MSP handles that,’ that was also like a strike. Maybe we should talk about that."
—Jim Love [02:18]
"You can no longer pilot a ship effectively..."
—Jim Love [10:02]
"Iran took [the internet] down so that people can’t communicate...this is a strategy no Western country could actually employ."
—Jim Love [06:52]
"For those who don’t have a military background...the ability to be able to watch from six different cameras and walk your missile strikes in is what we're talking about here...Thank you, Ring."
—David Shipley [17:49]
"This is the Gutenberg of malware."
—Laura Payne [54:37]
"The average cycle of switch replacement in a large-scale business...most Switches are somewhere between 7 and 10 years old...we don't buy to replace, we buy to add."
—CJ Johnson [55:00]
"The median time to exploit...declining from two years to projected to be less than a day..."
—David Shipley [59:23]
"Just because you can't do everything doesn't mean you can't do anything."
—Jim Love [63:37]
"Predictive text generation produces predictable passwords. Don't use ChatGPT to make your password."
—Laura Payne [69:06]
Episode Tone:
Candid, sometimes wry, blending technical clarity with accessible metaphors (“grilled doors,” “printing press of malware,” “squirrel took down the grid”). Panelists balance urgency and alarm with pragmatic optimism, focusing on actionable security measures for professionals and organizations of all sizes.