
A
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete network stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. Welcome to Cybersecurity Today, our month in review show where our panel takes a look at the month that we've just gone through and maybe looks to the month ahead. So welcome everybody. We've got our panel. I should introduce them: Laura Payne from White Tuque and David Shipley from Beauceron Security. And we get together once a month to talk about what happened this month at some level of depth and, hopefully, we try to go forward into the next month to find things that may be happening of interest. I'm gonna let you guys start. I've obviously brought a whole pile of AI stuff to the party because I think that was the big thing that happened this month. But does anybody want to start with a story that's not AI?
B
Well, I'm going to go with the three-letter horror story of October for the cloud. Does anyone know what that would be? DNS. Two cloud providers down. It's, wow, amazing. And the fragility of just how much stuff depends on these things. So AWS US Northeast goes down and the world literally slows down, and that's still like we have created this massive cloud-based single point of failure that's epic. And my favorite part about this, and I do feel bad, there were people that bought $2,700 beds. These smart beds, they're the next generation of those late night TV ads. The beds go up, the beds go down, they're heated, they're cooled. I'm not going to lie, I've got a lot of FOMO when I'm describing these things. But apparently these things require a constant connection to AWS to go down, to turn the heat off, to function at all. And so there were a number of tragic stories during AWS's outage of people sleeping on their floor because their bed was set to roasting, because they like to go into a toasty bed and they got a really bad deal out of that bed. And I will say this, you know, yesterday, it's the first time in a long time I had a chance to order from Pizza Hut online and the team had been talking about Pizza Hut all week. I was really excited. I got there, got to the point where I was going to put my credit card in and, no bueno, credit card was not processed. So thank you, Azure. I had to pay a dollar extra for my pizza order because I had to pay for it in person, and that was the least of my worries. But man, DNS still out there. Still the big Halloween nightmare for IT.
A
Yeah, and I think everybody in our audience probably knows what DNS is. The phone book of the Internet, whatever you want to call it, the addresses of everything, a simple thing. How old is this idea? 30 years now. And this is a scary part of this. So just to recap for those who missed this, Amazon went down. The northeast region of Amazon went down. And of course, if you believe the brochures or read the website, they just flip over to a new region. Not a problem. Didn't work. All of those safety devices just took a lot longer. Now as I heard the story, this is a two-part story. It's the DNS failure, which is a big thing, but also one of those moments where you just, what did they call it, a race condition in software, is that where both things try to write to the same spot and they blank each other out because somebody loses the race, or in this case a tie is bad. But just simple things. Knock out something simple and a house of cards comes down. It makes me really sit back and go, we have everything from our beds to our houses to our pizza. Everything we do is tied into the cloud and we really haven't advanced a lot in 30 years. As a matter of fact, we're sitting on this sort of fragile house of cards and I find that kind of scary.
B
It was funny, my technical... So this impacted us. Our Report a Phish button for 1,400 clients and almost a million people. Depends, those that are on Microsoft. Not all of them are Microsoft. Some are on Google's Workspace. That was great. But the vast majority of our customers are on Office 365, so they could no longer report suspicious emails. Because of that, and every provider has to use Microsoft's only way to add an Outlook button in, there were no HubSpot buttons, there were no Beauceron buttons, there were no buttons for anybody. The productivity hit of that was actually massive. And what was interesting was my support team was racing back and forth and I said, okay, what's the latest update from Microsoft? And they said, basically, summary: we don't know what we did, but we're going to roll back to a good state. Buckle up. And I was like, what do you mean?
A
Did you say Microsoft by accident or on purpose? You were talking about Azure.
B
So no. AWS went down earlier in the month and that was epic. And then Azure went down. Microsoft went down on Tuesday or Wednesday just this past week and it was almost as bad as the AWS outage. It was also DNS, but it was hilariously "we don't know what we did." And so yay for backups and yay for last known good state. But also, can't wait to read the post-incident debrief on this. Can you figure out what you did so you don't do it again? And I think the point I want to make about both these things is the days of cloud being niche, being novel, being inconsequential to the global economy are long since over. And yet we regulate every other industry that has critical value at the national level. Telecommunications, banking, et cetera. But not cloud hyperscalers. Good lobbyists. But maybe we should start thinking about that.
A
Yeah, or at least making sure that we try to... Nobody's updated, like I said, nobody's updated this infrastructure since forever. We're still running on the same old concept. So that's piece one. Piece two, there's been this rumbling, and I know that Krebs got hit by this. There are DNS botnets out there that are just ginormous that could hammer away and take this down. And we talk about the banks went down, all those things went down. But it really gets down to pizza. I guess your friendly neighborhood podcaster can't edit because my editing is in the cloud. Yeah. Do you hear a lot about it or do you?
C
I think one of the articles that definitely caught my attention along that line is, I'm going to say earlier this week, although it may still actually be true at the moment, I don't have eyes on it, but the most-directed-to URL on the Internet, so this is between google.com and all the other big names you would expect, is some botnet, which tells you a lot about how much traffic there is. Like, all the legitimate traffic is dwarfed by this one URL being used for nefarious means. Like, not great.
A
Whoa.
B
And then the botnet you're talking about, Aisuru, is massive, right? It's the next generation of Mirai. And for some reason, DDoS crews love to pick on Brian Krebs. And for those not familiar, Brian is like the OG cyber researcher slash journalist and his book Spam Nation should be required reading in cybersecurity education, just to understand the evolution of this business. And I've had the chance to see Brian speak. I think he's absolutely brilliant. He's terrified me numerous times, and just going to his blog on a weekly basis, buckle up. But there are two camps in cybercrime. There are the cybercriminals that just keep trying to mess with him, and this includes trying to send him illegal drugs and then have the FBI bust him, to DDoSing his site, to the point where major providers like Google and others are backing his site. Maybe it's R and D, maybe it's out of goodwill, maybe it's both. But there's a crew that says, do not use our infrastructure to target Krebs as a test run, because you're going to ruin it.
A
And remember that Jim Croce song: you don't mess around with Krebs. And for amateurs out there, Krebs will track you down. He will hunt you down. He's done it a couple of times. He's a sharp guy. If you're going to practice on anybody, not a really good idea to pick on Brian, 100%.
B
So it's interesting to see that now the other evolution of Aisuru that came out this week fits a trend that we've been tracking all year round. And this one sends a shiver down my spine for conditional access policies. So Aisuru, for those who aren't familiar, is a mostly router but also IoT powered botnet. And its power now is so extensive that the outbound blast, not even the receiving server getting hammered with all this garbage traffic, just the outbound blast coming out of US telecommunications carriers is so large now, it's slowing down their networks. This is getting cray, as the kids would say. And what's interesting about it is they've started leasing the service not just for DDoS but for residential proxying. And this is deviously brilliant. So all of these conditional access policies are like, you have to be coming from a US ISP. Russia? Yeah, those aren't going to be worth much anymore, because now it's going to be like, hey, maybe I can find a shitty router on a US network in the city, maybe even in the neighborhood of where the target I want to impersonate is supposed to be coming from. So conditional access, RIP 2025, question mark.
A
But aren't these players all just hooking up every single house router in North America? Because the security... nobody changes the password from the factory password. There's just this massive potential network of that. And that's only one of the devices out there. We haven't talked about cameras.
B
And just to fit in this theme, rumor has it, we'll wait to see what happens, that TP-Link is about to get Huawei'd in terms of its presence in the US market. Now, TP-Link has been getting a lot of negative love for a long time from the FCC and others for security vulnerabilities, outdated attck, et cetera. That's just one example, though; they're far from alone in pushing out routers or ISP-branded routers that are terribly insecure.
A
Yeah.
C
And it's not just the routers, too. Right. Like, they're targeting IoT devices that are insecure and things like that too. Right. So it's a pretty broad spectrum of target base that they're going after.
A
And the terrible thing is TP-Link are really good mesh routers. They're just really horrendously insecure. But I do advise you, you can create your own sort of internal zone where you back it up. So anybody's gonna hack me, my TP-Link router is behind another router. A real one? No, but it's great for the house. They're the best of anything for reaching dark spots in the house. And I was sitting there going, okay, but, oh, wait a minute, I could put it behind another router. Yeah.
C
To be fair, that is traditional network architecture. You have a firewall and then you have all your stuff that actually is networking really well. Purpose built devices are still the best at doing network stuff. It's when they try to expand and do what they weren't built to do. Oh, wait, that's true for our clients, too. And just about everything else we do in software. Spicy.
A
I hate crying crabs. If anybody attacks me, I'll just fold up like a cheap Venetian blind.
B
Using Aisuru against you at home on a Starlink is like using the Death Star on something enormously tiny.
C
Yeah, there's still the bar. You're always good, Jim.
A
So, Laura, what's your big story from this month?
C
You know what? Just quickly, before we move on to that, I want to go back to when we were talking about people's beds being on fire. Not literally, but roasting them. I would like to reemphasize the escalator principle for all of our listeners, which is: when escalators stop working, they are still stairs. And IoT device manufacturers, please consider embedding the escalator principle. So if your smart light bulb can't connect to the Internet, it should still work as a light bulb. If your bed can't connect to the Internet, here's a tip for everybody: unplug it and it won't be hot anymore. Oh, it should fail in a way that just becomes what it is without intelligence.
A
Actually, you've said a lot of really smart things since I've known you, but that's right up there. Thanks. No, but that's true. Like, you have to think in those terms. Everything's going to fail, so how elegantly will it fail?
B
And I think I'm going to squirrel away "escalator principle" now, for one of the things about executives is that we're sometimes just fancy parrots for smart things that we hear from other people. I heard this really good thing about the escalator principle. Tell me what happens when certain components of our platform lose connectivity. Can they still function? Because Microsoft's add-ins sure as hell can't when Azure goes down. So could we escalator-principle that one up a little bit? Microsoft, if you're listening, please, something simple.
C
All right, so then onto something that's more of a story. I think I'm going to pick on first... it's not picking on, more of a picking up. The Canadian Centre for Cyber Security published this week a very interesting advisory on ICS abuse, highlighting, oh, yet another one of our favorite things, the importance of multi-factor authentication and not just exposing controllers to the Internet. But that has become an announcement because there have been multiple attacks that have been of significance in the past few weeks. And so just further highlighting that importance, and that it's, it's interesting, it's shifting into this industrial control system space. Not so much for financial gain; at this point it looks like people are just testing the waters. Maybe create a bad look in the current political climate. Right. Targeting some companies because they don't like what they do or they'd like to create an image of instability. A little bit of a different bent from our typical attackers who are out there for financial gain. But we know as soon as they get really good at it for just kicks and because they don't like things right now, they will be figuring out how to monetize it, and then that will be the doors open to a lot of things and to dive into.
B
This, from some of the details here. To Laura's point, what was frightening about this is that this alert from CCS was about hacktivists. This is not about people that were motivated or equipped or resourced to the full extent. And they hit a water treatment plant and they tried to mess with its functioning. They hit a grain storage facility, potentially creating danger. These things are actually surprisingly dangerous. If you don't maintain the proper environmental conditions, these things can go boom. And it comes, of course, as Parliament is in second reading for the critical cybersecurity legislation, critical infrastructure cybersecurity legislation, which ironically would not have protected the farm or the water treatment plant or all the other places they were going to. So yay. But it's back at committee being debated again, years after we almost had a pipeline go boom on orders from Russia. Now hearing this, where the script kiddies are having a field day. This is not good. And for anyone in the Canadian government listening to this, could you please get this law passed and then get the regulations done so we can not be the worst performer in the Group of Seven in protecting cyber at a national level? Pretty please?
A
Well, yeah, but these OT-type systems, these industrial systems, are everywhere and they are absolutely vulnerable. There are industrial control systems where I think everybody in the world has hacked them, first of all. And I think it's a pretty well established principle that water treatment plants and all of that, almost everybody that has a plant like that has been hacked by either Russia or China. In the US, probably we have as well, we just don't know it. But now it's so obvious that the script kiddies are out there, because at least Russia, China, the nation-state hackers maybe can at least be frightened by the fact that someone will retaliate. And I think actually, behind the scenes, I think people have said that if you come after our infrastructure, we will get yours. But now the sloppiness of these OT systems is just crazy. Somebody broke into one of the US government nuclear suppliers. They supply equipment to everybody and all that. And of course they said, oh, but our OT systems are behind, they're air-gapped. Oh, give me a break. Now this is not in any of these things, but I watched a guy at an industrial system, because I talked to him about how the OT systems are protected, and he said, they're air-gapped. I said, how do you maintain them? With my laptop. Oh, do you catch something there?
C
Air-gapped from the control network. But don't worry, it's just connected to the Internet.
B
Listen, as someone who's lived through an ICS incident involving critical infrastructure that was accidentally plugged into the Internet and thought it was air-gapped. Because people wanted to make it easier to VPN in to get monthly reports, they put a second network interface in and guess what? They bridged the gap. And I also raise this every time I hear "air gap" today with things like software-defined networking. Is it really? Is it on a separate actual whole set of switches, routers, fiber, all those things? I bet you not so much anymore. It's one configuration file away from being on the rest of the network. So yay.
A
So yeah, and I'm glad that the Canadian Centre for Cyber Security is taking a position on this, because I think it's been one of those things that we've just slept through. Everybody knows. I hear about the risk, everybody knows the risk, and then we move on. We talk about online security and I...
C
I think people underestimate the importance of some of the components. Right. So you don't have to be able to necessarily hack the actual working devices. One of the attacks was disabling alerts. Right. So you change a configuration, there's no alerts coming in. Right. The operators are now blind to what's happening in the system. And when they're not motivated to actually do any particular thing, they just want to disrupt, the stakes for how hard it is are really low. Right. There's any number of ways you can just disrupt. We were talking about big disruptions at the start; you don't have to be that aggressive in scope, but one little domino falls over and the rest of the system doesn't perform as expected.
B
Yeah.
A
And I want to bring it back to the script kiddie thing again too, because I did an interview with a black hat hacker that'll be next week's show. It's fascinating. Talked to this guy, and he's now working for a larger firm and all that sort of stuff. But he said one of the things that just hits him is, at least ransomware people, nation-state hackers, they're somewhat professional, they know what they're doing. He said there's a second wave of script kiddies now and they're going to claim trophies. They're going to go after these systems and they don't know the damage they can do. And he points out one group trying to do some ransomware and they actually locked themselves out. They just don't know the tools they've got, because they just get these kits or whatever. And so this could be scary. In terms of water systems, if anybody's ever been through an industrial water system, there are chemicals that are released, there are all kinds of things to do. And that water is in everybody's tap in no time. Or people getting hit on elevators. It just goes on and on.
B
And the interesting thing is, when it comes to water, it's sewage, actually, that worries me, because the sewage treatment systems are a technological, mechanical and biological process. And you could screw up that biological process. And that's no bueno for all kinds of things. Best case scenario, you pull a certain city in a certain province in Canada and dump your mass sewage from millions of people into a giant river for a while, because yolo. But it's not good. It's not a great place to be. I do want to evolve from script kiddies. I've been working on a new one. We'll see how this one lands for you guys. You ready for this? Prompt cowboys. The script kiddies, they actually had more technological skills. So this is like a devolution. But they're just prompt cowboys now. They just tell it what they want it to do and wait to see what they can come up with. Vibe coding. The script kiddies have become prompt cowboys. So we'll see if I can get...
A
A take on cowboy.
B
Yeah, yeah, it is. But there's another story I want to tie into this. So you're talking about the proliferation of tools, right? Script kiddies have access to more powerful tools. There's the recruitment and radicalization of kids. So we have a story out of Halifax this week that is absolutely heartbreaking. So for those not familiar, the Com is an Internet subculture of some of the worst of humanity. And there's even worse sub-subcultures within the Com, particularly 764, which are, I had to learn this term, misanthropic, that is, they are anti-human, they're anti-everything. They target vulnerable kids from 7 to 17. They will get them to often post compromising material about themselves, either intimate images or other things, blackmail them into also committing horrific crimes against other kids. So we've got a kid up on charges and we've got the proliferation of these groups. And of course, 764 and the Com become a recruitment ground for Scattered Spider, et cetera. So you've got the talent pipeline. And also, by the way, in terms of the talent pipeline, in addition to this negative trend, Canada's youth unemployment hit a new all-time high fairly recently. So we've got a lot of bad things. You've got talent, you've got tools, you've got motivation and you've got chaos. And there was even a new malware kit that just rolled out that was a Swiss army knife. It was brilliant. It had capabilities to try and maintain persistence, and it was the low price of 200 bucks a month. Evolving with these things. So the trends right now are not good.
A
And not just Canada. I read a report the other day and it scared the hell out of me. There are 500,000, 500,000 young men between teenage and 30ish who have just gone off the map in California. They don't work, they don't turn up anywhere. They are just living somewhere in their bait. But they're not part of society anymore. And that's a group that could be radicalized, recruited. And many of them spend a lot of their time playing video games. They are tech savvy. And because we report the numbers, but they're not turning up in the youth unemployment numbers even, they're not part of the workforce. And this is a societal trend that is going to come back to bite us in our posteriors, because we're just seeing the surface of it. The radicalization of these young people is going to be something, and naturally part of it's going to turn to cybercrime.
B
Oh, if you're going to do the crimes nowadays, you're not doing it in person unless you've fallen onto the hardest of hard times. Usually there's substance issues tied into it, and that's where the cops are still going to catch you a lot of the time. But go cyber. And now go cyber in the sweet zone of, now, less than 1.5 million, and certain agencies, even well-resourced national agencies, are not gonna chase you down.
C
And it certainly speaks to the asymmetry of the kind of damage that can be caused by a very small number of people. So you look at what an individual can actually do, how much damage they can cause, and that's why it's compelling to, I'll call them organizations, I think that's maybe a strong term for what a lot of these are. These groups, when they're recruiting, right, they don't need to have a lot of strong recruits. They get a few. There's a snowball effect there too. Right. But one or two agents who've been recruited and groomed can do an incredible amount of damage in a short period of time. So the, yeah, the amplifying effect of that cyber connection is just phenomenal.
A
Yeah. Keep a good. That's cheerful.
C
Yeah.
A
So I'm gonna do a palate cleanser before I go into AI. I'm gonna do something positive on AI, which I was really... I call it good Claude, Anthropic. And I think there are lots of dangers. We'll talk about those in a minute. But Anthropic, of all of the AI companies, is courting the enterprise market and they are getting smarter. And I just feel I want to reward them, give them a little treat. Give them a shout-out. Maybe they'll do more of this because they're the only ones who seem to be doing it now. Anthropic is also the people that gave us MCP servers, which are like, hey, hack me now. Oh, and we won't even use tokens in them. We'll just put an API key into them. So they've done their damage, but their penance was they've got a new Claude Code model that runs on a permission-based model and just does something I wish we would do. By default it's read-only. By default it can't write. You have to intentionally go change it. And if we had these in our software tools, and it goes back to, I'm going to use that escalator principle, right, just assume it's going to fail. Why don't we just make it read-only by default? They put some exceptions in so you just don't have to get annoyed, because there are a couple of commands that are just like, yeah, whatever. But the file systems are isolated by default. And not just the file systems but the network. They isolate the network. It can only go through one port by default. And I just look at this and go, why can't we have all AI be put together with just a teeny bit of forethought about how you could protect it and then go from there?
B
That sounds like old school boring pre-AI time. This is move fast and break things, Jim. This is cool time. Worry about that nerdy stuff later. We're gonna make our trillions of dollars.
A
And we did that. So we spent a lot.
C
We spent trillions of dollars. I don't know if we've made any money yet.
A
But two AI browsers have been launched in the past 60 days. AI browsers, both built on Chrome, which Chrome never fails. Nobody ever hacks Chrome. So not only are they going to be filled with all of the problems that these AI browsers have, and they've already had them, just dropping OAuth tokens easily, but they're built on Chrome so you don't even have to study up like you could. All that homework you did to try and hack Google's Chrome, and this is all... And they've been rushed to market, no doubt about it. And you could see the security failures. And I've been warning people, for what it's worth, I'm a big AI booster. I run an AI show. I like AI, I use it. But I would not use these browsers on a corporate network until we figure out how to make them safer. And it's just based on the fact, how long has Chrome been around? 10 years.
B
I don't know, more than that now.
A
It still has problems. These, how long have these been around? Two weeks. And rushed to market. To make a point, I'd be wandering around my shop right now just saying nicely, people, how do you feel about that? Are you using that Atlas browser?
B
I was interviewed about this for one of the tech websites and they asked me for my thoughts. I was like, as a CISO, if you're sitting around and you're bored and you want to create problems for your organization, of which I have talked to zero CISOs where that is the top of things they want to do, then have at it, and good luck, good night and good luck. But Jim, you had me right up to "I would not use these browsers," period, full stop. And to me the greatest sign is that OpenAI is desperately trying to maintain any kind of revenue momentum, any kind of attention headspace momentum, just ahead of when it's trying to go IPO. Like, this is pets.com and this is the hype before we go get the rubes to buy the shares. When they announced that they were like, we're going to have erotica. A company that's about to disrupt all white-collar work, as far as we've ever understood this, human beings would not be worrying about a niche audience wanting to get into erotica, or they would not be rushing out a half-assed browser at the last minute. They're scraping the bottom of the barrel before this great market capitalization moment, and the bubble's gone.
A
You do know that one of the big lawsuits against Mark Zuckerberg's organization has been all the porn they downloaded. They're following in a great capitalist tradition.
C
And it certainly highlights some of the moral and ethical aspects that you can see about a company's culture. And we started with talking about Anthropic, which I think on the spectrum of morals and ethics certainly tries to act more in what people would consider a good moral and ethical area, even if they did give us a protocol that belongs with the other protocols we inherited from the Internet from 30 to 50 years ago. But I don't think it was intentional. They're trying to get something that works. Okay. On the other end of the spectrum, we have companies that are publicly announcing their erosion of moral and ethical behavior in order to cater to... and I think using the word niche is probably not quite accurate when we talk about consumption of erotica on the Internet. But a segment that has plenty of material already available. I don't think we need to generate more.
B
But the Internet has machines.
A
Well, but the scary thing is, and this is where you get down to, you can consider it moral or whatever you want to consider it, but the OpenAI knows there are lots of lonely people talking to their chatbot.
C
Yes.
A
They know that there are societal issues they're putting together, and they're, oh, and we'll put erotica on there too. Okay. Just anything for a buck.
C
Yeah. What's the likelihood of it being used for, I'll call it more benign purposes? And I'm not judging the use of erotica here, but I think there are types of uses that are clearly designed to infringe upon the rights of other people. Right. Creating images that represent a real human being that are not anything that they ever would have allowed to have published of themselves. Creating images that violate basic human principles around what's acceptable for human behavior. Right here, there's kind of these use cases, and that's where people are going because they can't find it in real life. And I think that's the bigger question around why are we opening this up? To cater. And this is where, yeah, niche, or French, does come more into play, to create things that other people were not already willing to create.
B
And we've seen dumpster fires around these, more on the extreme end of the erotica side. Remember, there was a SaaS-based gen-AI-based tool to create virtual girlfriends that was being abused to create absolutely disgusting material involving children. And they got breached. And all of a sudden their tens of thousands of users' detailed kinks were all being abused by criminals. And so that leads to what we saw with Ashley Madison almost 10 years ago with self-harm. It leads to the opportunity to create insider threat with blackmail. Because how many of these folks have privileged access in various ways or means, private sector or government folks? The number ain't zero, kids. So yeah, it's awful. I think there's a lot that we have to watch with these companies, and their desperation for revenue is real. They're not break-even, they're not profitable, and they're going to get into trouble because they're trying to sustain the hype on this. And I will compromise in my ongoing hot and cold war with Jim about the state of AI and its relative value. Automated software that takes unstructured data or restructures data to create new value, which is where generative AI really excels, has some market value, is going to drive some things. But we're watching them flail into some of these more dangerous areas, creating browsers. They have no right or experience to be creating a browser right now and they're not being held responsible for that. So that's what's interesting. On the AI side, though, I will slightly pivot. This story floored me. So some Australian scientists, these are pretty sharp cats, apparently are doing some really amazing research where they are taking your photo and they are using algorithms and AI to figure out what you sound like. And they have built a proof of concept of photo-to-voice deepfake that can beat certain detection tools used for voice authentication.
And if you're listening to me out there and you're still using voice as a biometric authentication mechanism and you're still going to play this diminishing returns game about cat and mousing with deepfakes, I'm telling you right now it's a losing game when someone can take a photo and beat your systems with the voice that's generated. A, it's creepy, but B, oh, I.
C
think there's still an opportunity there for red flags. But don't green flag based on voice. Right? Like you can have definitely not a match. Although even with some of these systems they're really poorly built. They don't actually recognize the same person. But don't make it a yes beat.
A
For years a group of Waterloo was beating the bank systems that were that people were using. But now just go, are they actually beating voice recognition systems with these voices?
B
So according to the reporting and I've got the research paper and I got to dive into Everything with it. So caveat on that. They were able to get by WhatsApp's voice fingerprint technology. So good enough to beat some of these. Now I'm sure there's a voice authentication vendor out there who may come across this clip of me saying this and going not our tech. To which I reply, not yet. If at best it's just there are certain biometrics now face and voice guys, these are burned biometrics. You can't use them. Get over it. Find another way. But like this war is over. The keep fighting it at your own deep regret or certainly your customers regret.
C
It's a interesting world out there. And just the. So this actually plays into. There's multiple skins going. Actually we were talking a little bit earlier in the show about not having to show up in person, but we still see blended attacks actually. So an intersection attack that's happening right now in the Toronto area. It is currently focused on the Russian community. But don't expect it to stay limited there. But using synthesized voices of family members to call and to scam somebody into believing that there's an emergency happening right now and. And that the lawyer will come or they'll. They're asking the victim to meet up with the lawyer of this supposed person in trouble in order to hand over a bunch of cash. And people are falling for this because the voice sounds close enough and they keep them on the phone throughout the whole transaction, including the actual physical meetup. They're keeping the person on the phone throughout the whole thing so that it makes it much more difficult for them to verify. It's interesting seeing how people are getting creative about bringing multiple channels of attack together to do that. I will also go out there on a limb and say unless they are really creative, they will get caught.
A
This is real time translators. Real time voice translators are out there. And I just again, this hacker that I interviewed said that he, his father had gotten hit with a real time voice translator. His daughter. But his daughter. The guy had the sense to whatever I don't know whether I liked by making up part of the story that I think is like reception's really bad here. I gotta go to the other room. Went. Went to another phone and phoned his daughter. She was okay.
C
Yep.
A
Good for him. Yeah. So if your son's a hacker, you may be able to pick up a few tips from now and then. But the one thing I would I tell everybody, we need to as a profession to be telling everybody safe words, safe words. Things that nobody would know or nobody could think about that. That could identify you because you have to have something now because every, everybody over 80 is going to get hit. Everybody. Yeah, it's too profitable.
B
And the downside is some of the counter tools that you can use for this have other persistent surveillance issues like so find my friends is a great way to say, okay, just tell me where you're at. You look at your phone, you say, okay, Jane is not there. You can, you can use it. Wouldn't it be great if we could also see on these kind of things like Jane's not on the phone right now. Actually, Jane's on the phone with somebody else. This is not Jane talking to you. Okay, great. And, but we're gonna have to evolve to this. And it is interesting, this hybrid. There was a story on CTV Canada's national, one of Canada's national news networks about a Vancouver million dollar fraud. And the attackers actually set up a fake police department to actually go that far. They're working at it, they're getting smarter about it and they're using AI and all of these things. But the amount of stories in Canada's media this month alone about hundreds of thousands of losses and million in losses from family members, seniors and others to scammers is. I'm not looking Forward to the RCMP's report this year. And I will say this, I will give some good news. There is slight hope with the announcement by the federal government in Canada, a new financial crimes agency, which I follow, some really smart police officers, the Toronto Police Service and a few other places. And like I pick up and learn things every time I get to meet them and see what they're up to. And they were ecstatic with this announcement. So I take a great deal of stock in that. I'm a little cynical in the sense that I think we still have to figure out police of jurisdiction and we need a new kind of cop that doesn't need to be trained to handle a firearm. They need to be able to handle a spreadsheet and a keyboard. And that's okay. Different kind of cops are different kind of crime. But I will wait to see what the Carney government rolls out. 
And if anyone from government's listening, I'm happy to give you thoughts before you roll out the legislation because I'll certainly give it to you after you roll it out.
A
And if you're in corporate life with this whole thing of fraud and you're saying, okay, I don't like old people, so it doesn't matter, I don't like vulnerable people. It doesn't matter your corporate reputation. Two banks in Canada, two bank world size banks did not prevent people from being defrauded. And so now after all the money they spend on advertising, all of that sort of stuff, two big stories, front page saying this bank and this bank let these people be defrauded. Now you're going to open an account and you think which bank do I want to have a relationship with? I'm just saying that this is also a matter of corporate reputation. If you aren't, if it doesn't offend you morally, you should make sure at least that your company is not going to be end up on a front page because of something they did in participating in a fraud.
B
The good news about this financial crimes agency and the supporting legislation is allegedly it is going to include the ability for Canadian banking customers to turn off digital features. They do not want to set limits on those things. Like these are a lot of common sense things.
C
No.
B
Part of the reason the banks don't do this is that they are terrified of inconveniencing people. They are terrified of being the harder bank to do business with. They are unwilling to compromise on the growth side of things in the face of the competition that exists as it is. So a level playing field where a regulator comes in and says, yeah, all of you, app based MFA by this date, no negotiation done. That's where the market hasn't been able to fix the problem. That's what regulators have a role to play.
A
I hate to disagree and I don't hate.
B
You'd love to disagree with me.
A
I signed up with, I signed up with a finops player because I was so ticked off about not being able to get a MasterCard that I could just fund. And when it was done for purchases I went through my own credit card. Sorry, yeah, prepaid credit card.
C
So you can just Walmart and get one. I know, but I say that tongue in cheek by the way.
A
But I wanted something I could do electronic transfers to and I could pay because I'm tired of.
C
Okay, so you want to be able to keep topping it up.
A
Yeah, so I want to be able to do it. I want to be able to do it from anywhere, top it up from anywhere and all that sort of stuff. So that's, this is my step up from my Walmart credit card. No, but I wanted to do this. My bank, I'm spending a whole afternoon trying to do this. Not because they're secure, but because they're incompetent. Sorry, it was just, it was. No, this finops operator I go to. They made me jump through every security hoop. They were just effective about it. And I go back to Ann Cavoukian who used to be our privacy czar in Ontario, who if you ever said to Ann privacy gets in the way of progress, she would rip you a new one and say I don't have time to deal with idiots. There's no excuse. Privacy does not get in the way of innovation. And I feel the same way. Security does not get in the way of the innovation. Just do it better.
B
But sometimes innovation for solving what they believe to be one set of problems overlooks another. Let me give you an example of that. This absolute push for open banking and particularly for what is known as real time payments terrifies me from a security standpoint. And I understand all of the conveniences, I understand all the business case for this. But I can tell you that old school slow banking process of reconciling transfers between banks of the ACH model and other things that is the reason why people still get some money back when they get scammed. And I'm watching fascinating things. United States is further ahead in this. They've got a system called FedNow. When your money is gone out of your account, it is gone and it's in the other account and done. There's no settlement, there's no pullback, there's no reconciliation. And I asked somebody involved in the system, what's the control here? And like oh don't worry, we got MFA like my phase, good, yay. But the ability to get the damn money back and maybe add not all friction in process or business is bad. Doesn't say that all open banking could be bad. I think the idea that we're at right now where a bunch of Canadian fintechs screen scrape the hell and hack around getting into banking is bad. So I'm happy on that. But I'm very cautious about how are we throwing baby and bath water out with the way that certain friction points are an advantage to us. So I'm cautious on that. By the way, not intended as a commercial but I will say there's a great Canadian financial company that's been huge for startups and others like Float Financial does virtual and physical VISA debit cards and they're like to your point, they are secure, they are easy to work with, it just works. But you can also find really good Canadian banks that are also innovative and you don't have to use either or so just throw that out there.
A
No. And I'm, I might just hit it On a bad day, who knows. But it's just like I say, design a new a system from, from the start you can design it, it can be innovative and it can be secure as it was, was my whole point.
C
And I think the question, and this comes up in multiple scenarios where you're dealing with a diverse audience of potential clientele is I think, yeah, myth busting or fact or just fact check. Right. Is your clientele actually as resistant to this as you think they are? Because a lot of these thought processes were framed 15, 20 years ago, even 10 years ago, when people were significantly less aware of how much fraud was going to happen. Obviously nobody knew how much fraud was going to happen, but how easy it was to conduct fraud against individuals. There's just so much more consumer awareness now and the complainers are increasingly becoming the minority there. Many more consumers are willing to either opt out of digital and just stick with their bricks and mortar because they don't. They're not prepared to deal with whatever is going on online or they would like it to be done properly. And I think we just have to get that mental model shifted, not rely on the old assumptions that people don't want to do the right thing. They do actually, most of the time, yeah.
A
Presenting it to them. I don't care if I have to take my shoes off and put them on something in the airport. If my plane isn't going to blow up, I can be convinced. But I think we need to. Part of it is do it efficiently. The second thing is don't do stupid things because I've had stupid things done where people say this is for security. No, it's not. It's for your convenience.
B
Airport Safety and security just did a tip to the US government to be super great if you could please pay the air traffic controllers because they're currently on four weeks unpaid and I have to fly to your country and the.
A
People who search your luggage.
B
Yeah, yeah, those good folks too. Could you please pay them? Could you just maybe come up with a bipartisan just emotion of as a nation we should probably pay the people that we're going to require to work. I don't know. Or all of you should go unpaid as well. But just a crazy doctor, step away from the politics.
A
But we do accept the fact that yes, the people who do security should not be working delivering pizza after their shift. You want them and or that if they're keeping your plane in the air, you don't want them painting garages on the weekend because they need to make enough money.
B
To feed or running CSIP to stand in our safety.
A
Yeah, yeah.
C
But incentivizing them to find illegitimate ways.
B
To make money legit, there's that too. Yeah, yeah, that's a big concern. I think I mentioned in Monday's episode that they've seen the number of attacks targeting the US government increase massively during the outage. What a surprise. The cats away, the mice will play. Right?
A
Yeah.
B
And this does not bode well. I do want to mention, if I.
A
can quote David's Monday show, 555 million cyber attacks, 85% over September.
B
That's no Biennale. And the biggest part of that other part of it was it's not particularly in the cyber talent regime that some folks can't find good jobs in the private sector. A lot of the folks I've had the privilege of meeting in Canada, the US, around the world in the public service are mission driven, they believe, right down to their core. And it is not about partisanship, it's just about protecting their people and their country. But they got families and they got bills to pay. And the mission only takes you so many missed mortgage payments. So I'll leave it on that more nonpartisan note and in my deepest sympathy to the folks in those trenches, whether physical or cybersecurity, on that side. But I do want one story I didn't want to miss. Because you knew, Jim, I was not going to miss out on this opportunity. So I got a report from an insurtech provider and it was delicious. It's one of the first times I've ever seen an insurance provider come back and say, here's the claims, we're paying out by the security stack, tool sets and vendors. Interesting. Interesting. And for all of my friends out there that are telling me security awareness doesn't work, we just need more tech. What this insurance provider said is that it's payouts to people using email filters as their primary anti malware and anti fraud tool. They were up 53% except Sophos, which apparently had some edge on fraud detection. Yay for you, Sophos. But all the rest of these and email and what a surprise. Laura, I know you can be shocked. Email and remote access were the root causes for 90% of insurance payouts. What?
C
Who knew the connection point to the Internet for basically all workers would be.
B
Would be the reason where they pay out. But we actually have the monies. And it was interesting. Some vendors got considerably worse. There was one email vendor. I'm not going to go full Schadenfreude and just say which one. You can go read the report yourself. But their performance like was almost double as bad like they were. They weren't the leading losers on this. So this isn't to say by the way, email filters bad. It does mean two things. AI is in terms of creating phishing, the volume and effect. You're looking for evidence of it beyond just people talking about it. Here's one of the best data points I can see you. 53% decline in effectiveness this year. Buckle up. But good robust defense is people, process culture and technology. As we wrap up Security Awareness Month, please remember this is humans and tech together.
C
It's interesting to see the email filters get a little bit of the slagging that antivirus used to get. Right where it was like I put a thing on my computer. So everything is perfect now we put a thing in our email system. Everything is. No it's not. It's many layers. There's no cheap security. And even we talk about when we're doing technology builds, right? Like the scale, economics of scale. I am not convinced that in security there are economics of scale because your attack vectors at scale and we saw this in and I'm not remembering which report it was. I've read a few this week in prep. But highlighting that large enterprise. Actually it might have been the same one you were just referring to.
A
David.
C
Large enterprise has significantly higher risk.
A
Why?
C
You just have more people, more attack surface. Right. So you might get lower cost on each component of your security program, but you will need significantly more layers as you get bigger in a security program. So there's no reducing your security spend over the course of time or with the course of scale. It only gets bigger, unfortunately.
B
Yeah. And I'm teasing a little bit of data to Jim that we're. I'm going through our mountain of 180,000 people survey responses over the last 12 months. Our 12 month phishing data as we're working through the Beauceron annual report process. And I can tell you because he.
A
doesn't believe in AI, he's doing it all on an abacus which is wonderfully secure using calculators.
B
Jim, first of all, if you're using Copilot in Excel, I have big cautions for you. But, but anyway, listen, I know I am using AI to help with my writing and help me, I ask it to check to make sure I'm not being petulant or defensive or all of those other pedantic things that I typically will fall into. But what's interesting where I'm going with this is for the second year in a row there's still a very high relationship between people's view that security controls completely protect them and their riskiness. So last year our data had it as high as 140%. That is people that thought the tools provided by their work completely protected them clicked 140% more. This year, good news, it's down. That's 83% more. It's still one of the most risky attitudes to have. So that balanced approach also has to seep down to everybody. People need to know the car still can't drive itself. But the other interesting thing and I've just heard this anecdotally is from a very large enterprise. The volume of email people are processing now has exploded as people are using Copilot and other tools to write the emails. And we have a theory about information load that's starting to get more and more prominent to answering the why the hell is Monday morning so dangerous? We thought we were going to see changes in the answers that people gave. Zero change in the answer statistically significantly. It has something to do with volume we believe at this point. But I heard this hilarious story from a friend where the Copilot emails are being written and they're being received by Copilot and so like humans aren't even reading the emails anymore. They're reading the summaries of the email and some of these summaries are hilariously wrong. So yay.
A
Yep. Yeah, I saved this to the end so that you didn't have time to rag on me. The ISACA survey came out. The ISACA survey says for 2026, now how they do the 2026 survey in 2025 I don't know, 59% of cyber pros fear AI threats the most. And that's so there you go. But I want to do survey them.
B
When Atlas came out I bet you.
A
That number is it will go up from there. But I do want to go off of AI and go back to because you used to have an award called the Poopies or.
B
Something where whatever it was the Stinkies.
A
Yeah, the Stinkies. Yes. So I've got my own Stinky for this and that is and first it starts out with my title is there a SharePoint self hosted site that has not yet been hacked? I just I and if you have if you're that one would you please get in touch with me.
C
Air gap.
A
One of them that they got into the place that where they do most of the work for the nuclear industry in the US that was one and there's a hundred more of them. But how this happened, 2023, this exploit was there. They patched it. And I'm going to give them. I'm going to say they patched it. Maybe somebody evolved it, but it's possible that the 2023 patch wasn't as good as people thought. So in May of this year, a group of kids at a hackathon in Berlin managed to find this exploit, which Microsoft dutifully patched in July, leaving June for this to circulate around and to find its way into Russia and China, who dutifully used it to hack these hundred companies. And just because. And I'm not picking on Microsoft, even though I am, the patch they put out had to be replaced 10 days later with one that worked. So they had an additional 10 days of free for all because they've. Now it's not even. It's not even an end day anymore. It's a come and get me day. It's. I would just point out that, that we. I don't want to be. I don't want to be critical, but we could do better than this.
C
And it's not the first time that this is exactly how it's played out. I will say it is harder to fix things than it is to break them. So there is trying to be a little bit fair to Microsoft. It sucks being on that end of having to fix something, especially the ones and I haven't looked into this one, but I know a previous example where it went like this, where the first patch didn't really work. It's exploiting something that's actually supposed to be a feature of how it works. You have to actually figure out how to still do the thing the software is supposed to do while completely changing the way it does it. Not trivial. And SharePoint of course, is already not trivial. So yeah, that sucks. But it also doesn't excuse the putting bad work out. I don't know, maybe they should have had.
A
I'm suggesting if I'm a $3 trillion.
B
Company.
A
I might be able to pay attention. I might not have laid off enough people that I can pay attention to hackathons and that information and I could reach a hundred companies to let them know there was a vulnerability a couple of days after that. Maybe I don't have a patch, but Microsoft has no problem reaching me to try to sell me crap. Or they have AI. They could actually use this. Sorry, I'm. I am.
C
To be fair, Microsoft quarantines its own emails, its filter is very effective.
B
So. So yeah, so just to jump in a little bit because there's a theme here and I think we're hitting on this one. Laura's this stuff is hard.
A
Yup.
B
Yeah. Jim, why aren't you guys better and what is going on? Is it because you're gutting certain functions and certain investments to shovel money into the AI train that you're hoping delivers to your next level? I think part of it's there with you till then.
A
It has nothing to do with AI. It has everything to do with the fact that we need that. Protecting your customers should be your number one thing. And if you're reducing bureaucracy because everybody talks about it and I'm not picking just on Microsoft, this could be any large company. If you're reducing bureaucracy, don't kill your communication. On security.
B
Listen, the Amazon layoffs that I've seen a lot of LinkedIn posts in the last couple of days of people with things like senior security architect, senior security product manager and if you think these big tech company layoffs have not been gutting your security teams, I have big words and they have and we're seeing the consequences. But what's interesting is this is one of the worst patch months I have seen Microsoft in years. And like everything from like keyboards and mice not working and bricking localhost and they almost had their own little mini CrowdStrike moment for a lot. A lot of devs were hella pissed off about what happened with those patches and these were like basic fail well like how did this get by a unit test kind of scenario. And then on top of that you've got this WSUS vulnerability in the last couple of weeks which has been super spicy because this is one of those 9.8 remote compromise pwn to own which apparently now Canada's intelligence agency is saying is being chained with continuous Exchange vulnerabilities. We didn't even get in the fact that Exchange whole bunch of those were supposed to be retired this month. And I know of numerous large public sector organizations in Canada that are still running unsupported, unpatched versions of Exchange on the Internet. Fun for you. Not for all of us when you eventually get pwned. But the, the WSUS vulnerability had basic deserialization issues like code issues that were known about for a long time, never got fixed. And the interesting thing is they're like if WSUS isn't exposed to the Internet, no big deal. Yes, as originally designed Windows Update Server is supposed to be behind your corporate network, not on the Internet et cetera but this thing happened in 2020, this thing called a pandemic. And all of a sudden all these enterprises had people's laptops at home that by regulation they needed to prove they could still patch.
So a bunch of overworked, exhausted, stressed out network engineers and Windows engineers put their WSUSes on the Internet to the tune of get ready for this. One security expert found 10,000 of these floating, exposed, unpatched RCE'd in highly sensitive areas. And oh, Jim, that SharePoint site wasn't just nuclear industry, it was nuclear weapons. Amazing. The agency responsible for the nuclear weapons of the United States, SharePoint, got completely pwned. And this comes years after the other nuclear agencies tied to some of their major laboratories were pwned, either through SolarWinds or the Chinese through that Exchange bug. All this being said, it's been a rough time for Microsoft. They do have some amazing resources, MSTIC and others, the resources they have. But they are now seeing more than the collective of most Western governments. They are fighting fires, but they're also lighting fires and they're not helping themselves.
A
But in all the money that these companies have and they have locked, creating a group of people who had some time to breathe and think and stand back and look, this would be a really good idea in security.
B
Got to maintain those margins, got to pay for them. AI data center somehow.
A
I see. I'll deal with you later, young man. Laura, rescue us from this. Give us some bright spot that we can.
C
Well, I. Okay. I was hoping it would be. You know what? I'm mixed on whether this is a bright spot or not. So following up the RCMP arrest of a couple of individuals who perpetuated large amounts of fraud, they were actually arrested back in February, they pled guilty in August. They've been sentenced. And so those are all positive things. People who commit crimes should be found, should be arrested, should be charged, or ideally, don't waste time in our court by pretending they didn't do it and then get sentenced. Where I have mixed feelings is I don't know that I feel like the sentence is commensurate with the scale of the crime. And this is again the asymmetry problem, right? Two people, even if they sat in jail for the rest of their lives, does that make up for the amount of crime that they perpetuated against individuals and how much loss is experienced for those? There's two people can only give so much in penalty for the crimes that they have committed. Now in this case, they're not even. They will not rot in jail forever. They had I think maybe 3 and 5 ish years where the penalties enacted against them. So good news, they are now recognized criminals and they will have a very difficult time of it going forward for what they have caused as far as damages to other people. Bad news, not terribly long or harsh jail sentences.
B
And for American listeners you might be thinking, oh, they got 10 years. No my friends, one got four years, nine months and the other got two years. And they victimized 600 families, millions of dollars. If they were in the United States, they would not see the light of day for decades. And we have a reckoning coming in this country to rebalance the rights of offenders and the rights of victims and the rights of society. I used to be a crime reporter, so I got, I got feelings on this. And we're trying to work through the insane revolving door of bail in this country for like really bad crimes and criminals are back in the streets. But there is some progress in this story. It is good to see some wins. There is some interesting nuance. I was just reading through the, the story about some of the bail conditions and how they are starting to think about bail for cybercriminals and that's there's pros and cons for that. But I'm going to take the win on this one. And just like when they took down LabHost, cooperation with others and took down some of the infrastructure, taking down some of the players is good to.
A
see. Before we, we give such applause to the American law system because first of all, I don't believe anybody this personally, I don't believe anybody who does a crime that is non violent should be in prison. They should be working in a car wash. They should be paying the debt to society in a real way. But because why? Because these guys go to jail. Peter Williams, who ran Trenchant and sold the US security secrets to the Russians is now at home and he's, he has to stay in, he's been grounded while he awaits his sentencing. These guys go to jail. What's the difference between Peter and them? He's rich, they're not.
B
And in fairness, he's out on bail before he sentenced. And let's hope that the two principles of justice that are coming to sentencing are denunciation and deterrence. And we saw the case of the Hamilton kid that stole $40 million from a US billionaire and got a slap. And guess what? He was back this summer now as an adult and he got nailed by the Americans. So he got some jail time. And guess what? Deterrence is a thing. Well, we can have this whole debate down the road. But those are the two principles we have to balance is that we need to denounce this crime to others and say listen, there are real meaningful consequences and violence doesn't always have to be physical. 600 families losing material wealth. Some of those seniors that we saw the story that lost their entire savings that was supposed to be passed down to their kids and what they would live for. Jim, you and I saw that tragic story from the couple in India that ended up taking their lives because they were fell victims of scams. Nah, I don't buy the white collar crimes, nonviolent side proportional feeling of being violated.
A
I want them to work and pay it back, that's what.
C
But they will never be able to. And that's the asymmetry of it. They will never earn enough to make up for what has been perpetrated unless they are still holding the cash and haven't spent it and they can actually return it. But they. And the feeling of violation, which is often what we associate with violent crimes is that the person has felt violated afterwards and they've been ill through injury or have died. All of those things can happen with non-physical violence in the case of fraud. Right through. Through that feeling that yes, I've now experienced severe depression. There are traumas associated with it and then yeah, unfortunate cases where people have taken their own lives or descended into deep poverty as a result and effectively shortened their lives.
B
Yeah, it's for the same reason that like when intellectual property is stolen from a company and devastates that company and that company is gone, closed up, shut down and people don't get their pensions paid out and jobs and careers ruined. Else that to me is a form of warfare. That's just. It's part of the full spectrum of conflict we have now. It's just. Yeah, there's not a smoking crater where the factory was, but it might as well be because it's gone and all of the impacts are on there. So it's hard to see. I get it. And it's visceral. When we see someone get mugged and it's a senior who gets beat and we see that in the street and we want that. That deep within our DNA retribution. Got it. But this stuff I argue we gotta get angrier about and that righteous outrage of those kind of crimes does apply to this now, is that the same thing as like white collar crime against a bank that's going to make it up in their losses, et cetera? I don't know man, it's just when you steal from families. I just want to see you in jail badly.
C
The bank doesn't have feelings and it's not going to go into depression. I think there is a difference between people and companies that is important.
B
Maybe that's your point, Jim. Like maybe that's where there's a line on that side. I just, I don't know, man.
A
The harm. I just don't think rich people should get off easy. That's all.
B
We agree. We. And it shouldn't be that the degree of punishment will depend on whether you messed with an American citizen or a Canadian citizen. We should be, we should have the same protective rights.
A
Just. And I'll finish with this though. But somebody. You can always find the anecdotal person who goes back and commits a crime. But I don't, I don't know if we keep track of the people who could have their lives turned around. Go do something good with them. And that's. So that's what.
C
It's definitely an aspect of that.
A
Yeah.
B
Yeah. Like yeah.
C
And it's really difficult right now because there are. We could do a whole.
A
Probably pretty sad when I'm not being the hard ass. I'll tell you.
C
Yeah, there are definitely people who are not guilty who are being either incorrectly identified, in the wrong place at the wrong time, whatever, or small petty theft, because we just have a very. We do have a very, very difficult economic situation right now where people are testing into that space because they are desperate. These are not the people who are thoughtful serial criminals who are going to continue to perpetuate crime. And our system, if it gets flooded, which it is right now, with that kind of arrest and then the follow-up that's required, that's creating a different challenge.
A
Right.
C
So it's not trivial to solve. But we don't want to, we don't want to over-penalize people who don't deserve it, as we still have in our justice system the presumption of innocence until proven guilty.
B
So yes, like 100%, there's. But when you're guilty, when you're proven beyond guilty, when you plead guilty, I'm willing to throw a bone if you spare the justice system a prolonged trial and all the expense. Yeah, we'll factor that in. Sure. I'm game on it. When you spare the victims a lengthy trial, when, if you do cooperate to help recoup whatever funds can be possible. Sure, these are good incentives to have. But at the end of the day I need all the other folks looking at you saying, that's not so rough. Two years in jail?
A
Never.
B
I'm willing to play that game again. Go back to my earlier story about the number of desperate young underemployed folks and this trend. Not the signals you want to be sending on this. I wish I had a happier way to end on that.
A
Well, I do. I do.
C
Wait, turn around. Turn around. Joe.
B
Yeah, I think. There we go. Yeah. I love it.
C
Thank you, Jim.
A
This is.
B
And I'm going to take away the elevator analogy. Thank you as always, Laura, for being the voice of sanity and wisdom.
A
I'm going to end with, I got a free toque, and if you're listening to the audio version of this, you cannot see the white toque that Laura gifted me with before the show. And I'm putting it on. And I have to guarantee you that the picture of me with a toque on would bring a smile to your face. Maybe not for all the right reasons. Anyway, that's our show. Once again, we'd like to thank Meter for their support in bringing you this podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular, to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity into a space. They design the hardware, write the firmware, build the software, manage deployments and run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses to data centers. Book a demo at meter.com CST, that's M-E-T-E-R dot com CST. Thank you so much for listening. If you're at this point in the show, you had other things you could have been doing with your time and you spent it with us, so we appreciate it. David will be back on Monday morning with the cybersecurity news and I'll be back next Wednesday. Have a great weekend.
Podcast: Cybersecurity Today
Host: Jim Love
Panelists: Laura Payne (White Toque), David Shipley (Boceron Security)
Release Date: November 1, 2025
This October recap dives into the major cybersecurity incidents of the month, focusing on critical infrastructure failures, threats from botnets, vulnerabilities in cloud providers, and the evolving landscape of AI-related security. The panel also grapples with persistent issues in industrial systems, fraud, regulatory needs, and the complex social implications of cybercrime.
(01:02 – 06:18)
Major DNS Outages:
Cascading Business Impacts:
Call for Regulation:
(07:08 – 13:36)
Botnet Traffic Outpacing Legitimate Use:
Asuru Botnet Evolution:
Router and IoT Device Vulnerabilities:
“Escalator Principle” for Failsafes:
Quip:
(14:04 – 21:25)
Canadian Center for Cybersecurity Warning:
Hacktivist Attacks:
Persistent Vulnerabilities:
Air-Gap Myth:
Attack Surface Extends:
(21:25 – 23:57)
Script Kiddies Evolving:
Radicalization and Recruitment:
(23:57 – 26:23)
Disengaged Youth at Risk:
Cybercrime as Option:
(26:25 – 36:27)
Anthropic Praised for Secure Defaults:
Risks from New AI Browsers:
Ethics and AI Companies:
AI and Deepfakes:
Blended Attacks with Deepfake Voices:
Notable Quote:
(39:50 – 48:29)
Corporate Reputational Risk:
Payments and Open Banking:
Consumer Attitudes:
(56:11 – 63:04)
Recurring SharePoint Vulnerabilities:
Industry-Wide Staffing Cuts:
Poor Patch Quality:
Notable Quote:
(51:32 – 55:38)
Insurance Data on Security Controls:
Key Insight:
(64:58 – 72:19)
Crime and Consequence:
Moral and Emotional Fallout:
Closing Reflection:
Overall Tone:
Conversational, occasionally irreverent, thoroughly expert, and at times ruefully humorous (“I’ll just fold up like a cheap Venetian blind.”), with a constant focus on practical implications for businesses, governments, and individuals.
For listeners pressed for time:
This episode offers a comprehensive, candid look at the month’s top cybersecurity stories with a mix of technical deep-dives, blunt observations, and memorable analogies suitable for both professionals and broader audiences concerned about the digital world’s increasing fragility.