A
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution. It's built for performance and scale. You can find them at meter.com. CST. Welcome to Cybersecurity Today, the month in review. It seems like only yesterday we did an update in mid December and then the holidays came and we were theoretically off for the holidays, but we had to come back to do updates because of all of the things that were happening during the holidays. Now, boohoo for us. For those of you who are out there stuck working because of this and saying to yourself, it's only once a year, Mr. Scrooge, we're sorry, and I hope you got some rest. And we're all now back to work and we want to take a look at the key stories and events from, believe it or not, the past three weeks. Close to a month, although it feels like much more. We have our panel. We have Tammy Harper from Flare. Welcome, Tammy.
B
Hello. Thank you for having me.
A
Laura Payne from White Tuque. Welcome, Laura.
B
Thanks Jim. Always glad to be here.
A
And the new mascot for White Tuque. No, our Monday morning host and the CEO of Beauceron Security, and looking really good there, David Shipley. Welcome.
C
Yeah, thank you so much. Santa found me and I got some amazing White Tuque merch, and our IT team, like IT teams everywhere, loves merch. So the T-shirts and ads went over really well. So thank you so much to Laura and Rob and the entire crew.
A
I think this is an industry thing though, right, people? I don't know what it is. Like, you put stuff out, people just gotta grab this merch stuff. My wife saw all this stuff come in and said, why do these people send you these things? I'm going, because it's cool. It's cool.
C
It's not just cool, it's practical.
A
Yeah, yeah. I do admire the toque. The Beauceron cap will only be really good in the summer when I'm trying to keep from getting sunstroke while cutting the lawn. But yeah, so I've got all the seasons covered. And you'll notice, for those of you who are watching this on YouTube, I got some Christmas gifts myself. I got a new plaid shirt in a different color. So men in plaid continue. But there you go. I guess we should get to work. Okay, let's start with the first story. David, this is the one that you actually came back in for. We had to do a new episode on this; this was your Christmas gift to me, being able to edit the program. I'm not blaming it on you, but do you want to go for the MongoDB story?
C
Yeah. So MongoBleed, which is a vulnerability in almost a decade's worth of MongoDB instances, was appropriately named because of some of the similarities to the workings of Citrix Bleed and other things with respect to the ability to gather from memory potential secrets from a MongoDB database, credentials, API keys, et cetera, and query them at an almost RCE level vulnerability. So I think it scored an 8.7 on the CVSS. So bad. Now, this vulnerability was disclosed on December 15th. What made it particularly problematic and newsworthy for our discussion was that on December 25th a researcher for Elastic Security released POC code to demonstrate this exploit. And then things went bananas. The number of exploits ramped, and all of a sudden you've got a high severity vulnerability in a database system that's used massively, particularly in cloud deployments, in many different ways, during what is, at least in the Western world, the biggest sort of downtime in terms of the holiday sequencing. So it was a perfect storm and it raised some really interesting questions in my mind about responsible disclosure and what this means. And what really stood out for me from this story, and I've spent a bit more time now paying attention to Reddit, and I understand that Reddit's like most social media, an anger factory, but there were a lot of big feelings between IT teams and security researchers over this move. And I got a much clearer sense that we have a growing fracture in the relationship between the people responsible for cleaning up things and the people responsible for finding things. And I think that's going to become more and more problematic as AI accelerates vulnerability discovery and disclosure timelines, and then the pressure on the patching timelines. And that's an interesting sort of way to start the year.
I don't know how other people felt about this, but I thought, December 25th, maybe we could arrive at an international convention that on certain major holidays, and I don't know, they don't have to be exclusively Western holidays, it's not okay to drop POCs. Maybe, but maybe there's more nuance to this discussion and I'll hand it over to the smarter folks like Tammy and Laura to weigh in. Or Jim, on your side as well.
D
I have to say, like, all this process, these procedures of how to disclose and everything like this, all predate artificial intelligence. And since artificial intelligence really speeds up a lot of stuff, I think we're going to have to start rethinking policies like this, not just here but everywhere. So, like, how can AI? Because there is going to be a point where it's just going to be AI talking to another AI, saying, hey, I found a vulnerability. Here's the disclosure. And it's all going to happen in the background, right? And you're going to have some people just keeping an eye on things.
C
But.
D
And then it's the AI that are going to fix things, and then there's going to be a human reviewer. It's going to be a push notification from an AI, like a push request. What I think is we have to really start thinking about how we are going to do said guidelines for AI, especially once AI is able to, once we take the training wheels off of AI and it's doing its own thing. I think it's going to be really interesting to see that.
C
And I'm curious to query Laura, who has experience in large enterprise environments, on this, because if you watch the YouTube video the wheels were turning and I could see you thinking about this. But also the, oh dear God, the AI talking to the AI, when they're going to push the patch and the update.
B
It does feel like we've just given up in a sense. And yep, the machines are just going to do it all faster and we can't keep up, so let's just let them do it. But we haven't actually given up that control yet. So from a human perspective, just because the tools find things faster doesn't mean that we should disregard the ways we've tried to create human engagement between the people finding the vulnerabilities and the people who have to now implement some sort of fix to defend against the vulnerabilities. Like, the tools aren't there yet, so let's still be human with each other and try to give people time to respond appropriately. And I know, yes, this vulnerability was found and it was disclosed on the 15th. And yes, somebody worked on it and disclosed the proof of concept code. And it could have been somebody else who was not somebody who we would normally think of as being on the good side. When somebody puts the label researcher in front of what they're doing, you imply that you were doing this for the good. A December 25th release of proof of concept exploit code blurs those lines on what's good and what's not good. But we aren't there yet where we know the responders, the people who are going to have to deal with the fallout from what you've done, necessarily have those tools at their disposal. They may have access or be aware, or maybe they're playing in their private labs at home with those kinds of tools, but their enterprises have not caught up to adopt those tools and to allow them to do these things. So it really is just about, I think, trying to hold onto that piece of humanity that says we need to allow people to work at people speed even if we have AI tools running at AI speed.
A
Did I miss something on this? Is there... Was it the AI that was the reason this was disclosed on December 25?
C
No, it was.
A
Let's... I always want to be careful we don't ascribe to AI what we can ascribe to human stupidity. 100%.
B
I think it's the question of, are we allowing the fact that in our general conscience now there's this idea that the computers are fast and so we have to be faster? Are we using that excuse to say we can't be human with each other anymore, on the chance that, yes, I the human found this, but there must be some machine out there that's trying to find it too?
C
But if I'm going to argue against my own point about this particular release, just to be devil's advocate for a second, and because I'm still trying to get my head around, Jim, what this researcher may have, if we assume Laura's point, been trying to do in goodness, I still feel like they behaved like the Grinch to IT sysadmins on the holidays. No Who-hash for you. You're gonna get patching phones. If the point is that, and I didn't see this in any of the justification for why this was released, hey, we see bad actors doing this, we've developed this POC code so you can see if you're vulnerable because we think they're gonna ramp up, et cetera. It just seemed like it was just, ha, here's my code, go. And that seemed irresponsible to me, and I'm struggling with the timing of it and whether the severity justified it. So that part, is that part two?
A
Yeah, because we don't know the researcher. We're actually going to dig around, see if I can find them, because I think it's a really reasonable question to be asking. I'm going to do some digging after this show and see if I can locate them. And if you're out there, send me a note. But the idea of, I can't ascribe this to them. Maybe it was the person thought, this has been out there for 10 days. It's really high. Nobody's doing anything. I have to say something. You don't have to ship the code to do that. You could have just said I have the code. Just as a tip to the person for the next time.
C
And even that, it's so interesting now. I think the broader point that Tammy's making is that, and Jim, you covered this in the interview with those researchers who developed POC code in 15 minutes for less than a dollar using code, the speed of taking vulnerability research that's published to exploit code development is now at machine speed. How we choose to respond to that, and to Laura's point, we may have to, for a variety of reasons, accept that there's an uncomfortable period of time where this POC code is going to be out there. You hope your other mediating controls are going to help, but you can't patch that fast. Change management process, testing robustness. It's at the breaking point now with the current timelines of critical.
A
Yeah, and I think we often say you should patch now. There are people who are more current than me. I'm a retired CIO for a couple of years at least now, so I'm not doing this every day. But when we did patching, it was a big deal. We had a patch weekend. We had to test everything. We had to make sure that we could still come up, that we had systems for our users on Monday morning. So all of this patching is generally weekend and night work. Maybe the world's changed over the past couple years. I don't think so. It's a big deal. So when we say you're not patching, I want to make sure we're not just kicking out a criticism to people. This is a lot of work, and a lot of planning goes into it, because if you make a mistake on this, especially if you have a financial system or some operating system and you don't come up Monday morning, people aren't happy that you saved them from hackers.
B
Well, I think the layers is a really important point in this story as well. If you let your MongoDB sit out there on the Internet exposed, I don't have words. Like, don't do that. That's not how to have a database. This is self hosted. So the right architecture is always that these should be protected networks. They're not even exposed to your regular user networks. Like, your regular users shouldn't be connecting directly to your MongoDB server either. It should be an application that's in the middle handling those connections. So what this announcement really potentially does to an IT team isn't actually change the level of risk if they have done their architecture correctly. It's a relatively protected environment this database should be operating in. So I am giving you, if you did your job correctly in the first place or got the correct support to do the right architecture in the first place, a lot of things that buy you time. That's what I'm getting at, a lot of things that buy you time. But now you've got some executive who opened up their tech feed and saw that this is going on and they're now making noise. And it's the noise that's actually worse than the patching, because you may have had it planned. You've had 10 days, you probably had it planned. But now you've got to deal with the noise and the escalations, and with so many things security related, it's not just the tech that's the problem. Right. It's the people and the process altogether. And getting people's hackles up and creating noise where it isn't justified is another big piece of the problem. And that's again, you know what? December 15th. If on December 17th somebody released proof of concept code, that's before holiday time and people can deal with noise, and they're in the office and you can talk and collaborate. December 25, making a big noise about this, that is really disruptive to people's well earned downtime. Yeah, that's where I have a bigger issue.
C
I think the brand that the individual worked for possibly lost some brand equity on that one and may be carrying some bad feeling mojo into this. But it's probably enough on this story. I don't know if we want to, but there's...
A
Yeah, I don't want to come back to this, because I can talk about responsible disclosure later in terms of whether pumping the code out into the world is responsible disclosure and how we do that. But also, Laura, I want to go back to your thought in there, and this is something I want to think about as we go through, and I'd love to hear comments from people. We have to have architectures that buy us time. If we're not going to get time as people, we really need to start thinking about architecture in a way that buys us time. And it's beyond just pure segmentation. But you talked about a couple of things. I want to mull that around in my head for a while, because I think that's one of the things, one of the defenses we have to really concentrate on in the coming year. Things are going to move faster than you can move. You better find a way. It's like being on a battlefield where you put stuff up to keep the tanks from rolling over. We have to have something like that in our architecture. Good point.
C
It's interesting, because when I was in the Armored Corps, when we were taught defensive tactics by the military, you have this idea of a defensive action. And so you had a series of lines set up on a map, and you knew when you were falling back based on certain conditions. Okay, like, we lost 50% of our fighting strength. It's now time to withdraw. And every time in this organized withdrawal, you were buying time for something better to happen, to reorganize and then be able to approach this. It's interesting because this is the first time, just in this idea of buying time. We've always talked about defense in depth. Like, somehow the defense in depth eventually just stops something. And it's not been so much about the time. It's been how many layers of the Swiss cheese we need to have. So I really like this notion. And now we're actually saying, listen, with the defenses we have, we think with a critical vulnerability in an architectural part of our stack, we can buy 7 days from POC code exploit development. That's now our time window. Okay. And then a CIO or CTO could make better decisions, saying, okay, what buys me 15 days?
A
Yeah. Moving on to our next story, because I think there's a segue to this. Although, is there a job you haven't done, David? Because I sit there and go, I bring up this great tank analogy, and he goes, oh, yeah, I did that when I was running a tank. Never mind. But this Rainbow Six Siege. Now, to show you how out of touch I am with gaming, which is really crazy because my next novel has a big gaming structure in it, I'm going to take this as my time to get educated. The Rainbow Six Siege story, you suggested this, David? I think that was because it was a MongoDB hack as well, or...
C
So we still don't have the full root cause analysis, but the timing is awfully suspicious. And currently there are two predominant theories of how Rainbow Six Siege, which is played by tens of thousands of people at any given moment and has a couple of million player accounts, got popped shortly after this POC was released. And some threat actor groups who've since been discredited had claimed that they had done a broader hack of the game's maker, Ubisoft. And they had claimed that MongoDB was the root of this. Now, what's interesting about that is some of these claims were not accurate. They didn't get into Ubisoft. At least we've seen no credible evidence thereof. And it may be some really great examples of using misdirection to squirrel IR teams, if you do have a better way in or you have some kind of persistence and you want to distract them from that persistence. More to follow on that. Because not only were they hacked on, I think it was the 27th. And this is interesting because it's the first time I've seen the economics of video games so thoroughly savaged. All these people have been talking about the cyber Pearl Harbor and all the things that could happen to destroy a national economy. We just saw a simulation of this in a video game economy. And it was fascinating. They flooded the market with billions of dollars of in-game credits. Now, for those who aren't gamers, you'll be like, who cares about in-game credits? Turns out part of the monetization model of modern video games is getting people to pay real cash for virtual currency to buy virtual goods. I have never bought a single virtual good in my life, and I refuse to on principle, but lots of people do, to the equivalent of Ubisoft losing $13.3 million in real US cash, the potential opportunity for all the credits that were given away. So they ended up cleaning all this up. They had to shut the entire game down, which is incredibly disruptive.
You're getting people out of their habits to use the game. So there's all kinds of things happening. And then they got hacked again. And then two days ago they got hacked a third time. And now this is my pop culture reference, as your resident pop culture guy, as I'm sure you weren't sick of in 2025: 6, 7. Huh? They were randomly banning people for 67 days and proving the attackers were still in control of the environment. So it is most interesting, because I have never seen a game economy so thoroughly destroyed. I have never seen an incident response absolutely countered back and forth. They took the entire damn thing down and put it back into play, pun intended. And then they had to do it again. And if that is a snapshot of what we could be seeing in other contexts, we're in trouble in '26.
A
I think the gaming world, though, is vulnerable. And this is one of our next supply chain pieces. This is a whole new world that we have to police. I'm not sure what the overlap is into our own commercial world where most of us spend our time. But I gotta tell you, if you're gaming on the same machine you're working on, I'm getting a little nervous, and here's the insane...
C
I'm gonna toss over to Tammy, because one of my favorite pieces of research of all of 2025 came out of Flare and it had to do with gaming. So I'll let her get into what was going on there. But, Jim, just lastly on your point, it's not just that it's the adult using the machine for gaming and other things. It's if anything sensitive is on a home PC where your kids are doing gaming on it. You gotta treat that computer like a community pool. It's not hygienic. I wouldn't do things in that pool or drink the water from that pool. I wouldn't do my online banking or secure login to my work stuff from a tool that a child to teenager ever touches. But that's just me. I don't know, Tammy, if that's a good segue over to the research you guys were doing. But it was somewhat mind blowing.
D
Yeah. Like, we found, this was by a fellow researcher, Estelle, who did this incredible piece, and basically it found that a significant part of stealer or infostealer compromises came from cracked video games. And so it's fascinating to see, because people want to play games, so they're going on BitTorrent or on these warez sites and these forums and just, oh, I can. Or even trying to get cracks that will give them in-game virtual currency. Right. And all these things. So it's fascinating to see that that still is one of the main ways people are getting compromised indirectly.
C
And for all those who were probably born after 2000, the warez, like this used to be the way you got your Doom, and you downloaded it from a BBS. Yes, I am that old. And that's how generally you got some malware back in the day, because you're trying to get free versions of Duke Nukem. As you see what regulatory action will happen in current times with respect to cryptocurrency, that's not about a bunch of people making a lot of money. But as we see tumblers being targeted and taken down, as we see crypto get greater scrutiny in certain jurisdictions where the rule of law still applies, the pressure to find other ways to launder money. And now that certain banks are out of the money laundering business to the tune of billions of dollars, games are going to be the place that I think we're going to see more money laundering as well. So it's all kinds of hurt coming to someone's good time.
A
We're doing more and more stories following up on what you were saying, Tammy, and maybe we should post a link to this paper, because people should be thinking about this. Video games are the perfect place to hide malware. They're complex code. There's all kinds of stuff happening. They have emotions attached to them. You get the best game. What are you thinking? Play it, not check it.
D
It's also because games have a lot of, at least the big games have a lot of DRM, digital rights management, that protects them from getting pirated. So you have these crews that are experts at specific types of DRM, like specifically Denuvo. And you have these people that basically crack these games and then release it to a smaller group of people that's called the Scene. And the Scene has, it's just a smaller group of forums. These are private forums that have the game now, and they do what's called a peer to peer release. And these peer to peer releases then go up onto the more generic and more public torrent sites and the pre-release DBs and all these other sites. And then you get into the world of repackers, and the repackers are the ones that have to compress, because these are massive releases. Sometimes games are like 100 gigabytes, 50 gigabytes, 70 gigabytes. So you want to compress these games so that you can download them faster and more effectively. And so there are so many places in the piracy world where it is okay to touch the integrity of these files, and you're just inserting. And then there's also the modding community, right. And so they're interacting with games, and changing a game's code is not something that a lot of people think about.
C
Right?
D
It's very common to do that. And there's also a lot of the things, like how to crack a game. People will say, oh, it's a false positive. You got to deactivate your antivirus, don't worry about it. Like, it's just the keygen that's getting flagged, right? There's a lot of conditioning that happens that allows you to get infected.
A
And on that happy note, let's move on to our next story. And I'm going to do a little bit of a disclaimer on this piece. David and I debated this story when we ran with it and had quite a large debate about it. And I'll let David introduce it, or whoever's going to take this story, but there's a fake video that came out of Venezuela, and it was obviously a fake. It was used in propaganda. And there's another layer of this story as well, and that was the whole idea of attacking infrastructure. So there were two pieces in this story that were right within our wheelhouse. Unfortunately, it also hits an area where there's all kinds of emotions. There's good guys and bad guys or whatever. I want to stay off of that. That's not the point. But in the end, we ran the story, because if we walk away from stories because there's an opinion or something that we shouldn't touch, and we start censoring ourselves, we stop talking about cybersecurity, then where do we stop? And we can't. So we can't do that. So that was what went through my head: you can't censor yourself just because it's in a sensitive area. The second thing, and I've pointed this out to people who've written, and God bless you, please write. You don't have to agree with me or agree with what my editorial piece is, because, in the end, I'm the head editor here. I take responsibility for every story we run. But the issue is, as cybersecurity professionals, we don't live in a jar. We touch the world. People, process, society, all of those things. So we're going to get ourselves bruised against those things. But just to focus on this, there were two elements that jumped out of the story, and this is why we did it.
The first was there was a video that came out immediately after this attack, or whatever you want to call it, but it came out and it was a picture of people who were crying, and they were crying with happiness because of the change, the regime change. It turns out it was an obvious fake. You want to take it from there, David?
D
Yeah.
C
So there are a couple of interesting things. So we're seeing that hyperspeed of creating hyper realistic deepfakes to socialize narratives and other things. Again, not going to take any kind of an editorial opinion on the politics or geopolitics of this. So there was that misinformation, disinformation, narrative shaping part of this, which is interesting in context because NATO has just released a brand new 30 page report, and we haven't covered this yet, but it comes at the same time, talking about this, re-examining this concept of cognitive warfare. So this is an example of just how multi dimensional conflict is fought. The other thing that was really interesting, and it's notable from a cyber policy standpoint, is in the briefing at Mar-a-Lago for the US military operation, the President of the United States disclosed that they used, quote, technical means to turn the lights off around the capital, Caracas, and other things, which is really interesting. This is different than just dropping a thousand-pound JDAM on a power substation. That's not what was inferred from this. And then following up to that, you had the head of the Joint Chiefs of Staff saying we used a variety of layered effects, and he talked about Cyber Command and Space Command and other things in this operational side. Now, what's really interesting is that we've known for a long time that nation states have had the capacity to impact critical infrastructure, power, water, lights, et cetera. The Russians demonstrated this twice dramatically in the buildup to the Ukraine war, 2015, 2016. We've seen attacks by Iran against Saudi Arabia using attacks on critical infrastructure. We famously, Jim and I, talked about Stuxnet and Natanz in Iran. So we've known these capacities have been there. What's different about this is publicly talking about it, setting a new norm around it. This was not a declaration of war. This was a military operation.
This was part of a law enforcement operation by how it was portrayed. But normalizing the use of cyber targeting civilian critical infrastructure, that's a signal, and it comes at a time when we're seeing a lot of stress on defense. We just spent a big part of the first part of this episode talking about how hard it is to patch, and critical infrastructure and operational technology is on 10x difficulty mode. So that was our primary interest, seeing the implications from a cyber policy standpoint of normalizing the use of cyber to achieve part of a multi stage military operation by a western democratic nation in that context. So that was interesting. But it also came just a few weeks after PDVSA, so that's the petroleum, petrochemical company of Venezuela, suffered a massive cyber attack, and it had some hallmarks of, we weren't sure if it was a nation state based attack, a ransomware crew or other things. No one that I'm aware of had claimed responsibility. And Venezuela accused the United States of being behind the attack. Again, we don't have independent verifiable information, but these are the two interesting things that tie together in that theme. So now cyber as a tool of state conflict is being openly discussed, and that changes the defensive calculations, and not just for government, but the private sector. That's the context that we're looking at, this particular lens, if that makes sense. And I don't know if Laura or Tammy, you had any thoughts on the headlines flying around this.
B
I'll say it's difficult to wade into this one without getting into the geopolitics. And I think that maybe that is the story here.
C
Right.
B
What you were saying, David, is normalizing, and this isn't like the first one.
C
Right.
B
You can go back to Stuxnet, and there were ones before that. Right. Stuxnet might be the most famous kind of early days discussion about how our side, the good guys, we like to think, right, and sometimes it's just, you know what, there's one side and there's another side, but making use of a cyber vector in order to achieve a particular outcome. But certainly in the current context, who is doing what for what reason is much more convoluted and difficult to discern the truth of. And the truth is not the kind of thing where there's only one narrative. Right. There are multiple streams in truth that can all be true at the same time and are non exclusive to each other. That, I think, is the thing. When we get to talking about the misinformation aspect of it, and the disinformation, that is core to those things, because there's always a thread of truth that makes misinformation credible. It's just, are all of the threads that have been woven into that narrative true, or is it just one or two anchor threads that are doing it?
D
A lot of.
A
Yeah.
B
I think this is just indicative of how difficult it is right now to separate cyber action used in a military context from the narrative that is created around the action, and whether this is legal or not, whether it is for the greater good or not, or all the aspects around what the actions actually were.
C
Yeah. And you know what's interesting is I thought about this from a military standpoint. In theory, using cyber in a targeted manner to turn off the power for a defined period of time and allowing recovery could arguably be seen as more moral than dropping a thousand-pound bomb, and the power's out for weeks, impacting hospitals and other things. So again, it's not without multiple views on that particular side. The danger is normalizing the use of these things to achieve state policy aims, but not war.
A
And even if we get past the argument of normalizing it, I'm not even going to get to whether or not it normalizes this. Just get to the wake up call that we've had here that we keep ignoring. And I lived near Walkerton here in Ontario when the water plant stopped working, people died. And I don't want to be a big downer on this, but the fact is our infrastructure is exposed. The security on it is next to terrible. We did a show on it last year. I bet you I could go back and rerun that show and it would still be accurate. So our infrastructure supports our health, it supports our society and we've sort of been whistling in the wind going, well, nobody will attack it. Maybe this is a wake up call. Maybe somebody did us a favor to say wake up folks, because nation states have been in, we know that nation states have been in the telephone system. We know they've demonstrated they can shut the water plants down. We know that they're. And that's in the US where I think, God forbid, I think they're a little more sophisticated in some cases than in Canada. I'm scared it is a question of this could be our wake up call for people to say we need to start protecting infrastructure at a level that we at least afford to our commercial systems.
B
And I see.
C
Tammy, do you want to jump in?
D
Yeah. So it's related, but it's a little befirst, a little bit.
B
It's.
D
I want to see and I want to know if any private companies were involved in that because there's like as this becomes more of a thing and if we ever get into a major conflict, what's going to be the role of all these elite cybersecurity companies? There's for sure the governments of all sides are going to start recruiting all the talent and officially on the books and off the books, like how's that going to look like? Like I, I want to know if that, like, that's my point. I want to know what happened there.
C
And not for, not because they're. Towards the end of December there was a big discussion and we're expecting some more policy on the US side to drop about an expanded role for the private sector in offensive cyber. On that, which is the jokingly. And again, I'm a Maritimer, so I'm going to bring up Barrett's Privateers. If you're unfamiliar, if you ever meet someone from my region, and, and the year was 1778, you're going to get a song. It's just going to happen. And if you hear about a broken man on Halifax Pier, you'll understand more about that. But this idea of cyber privateers and can they keep their tools? Given that one of the best hacking tools of the decade was EternalBlue and even the NSA couldn't properly keep that secret, the idea of cyber privateers building specialized toolkits to turn lights off and potentially losing it is an interesting one.
A
Tammy gave us a perfect segue, and that was to my question, of course, people in the industry couldn't be corrupted, could they? And I think. I don't know who put this story up, but it was two defenders plead guilty to aiding ransomware gangs. Who's got that one?
D
Yeah, so it basically was two Americans, Ryan Goldberg, 40, from Georgia, and Kevin Martin, 36, from Texas. They pled guilty in a federal court in the Southern District of Florida for their roles in ransomware extortion attacks. They were affiliated with the group ALPHV, aka BlackCat. And so these crimes occurred between April of 2023 and December of 2023, and they were targeting multiple US victims with ransomware. Now, what's really the reason why this is so big is because these were two cybersecurity professionals, right? They were both defendants that had legitimate industry roles. The first one, like Goldberg, managed incident response at a big cybersecurity firm. And Martin worked in ransomware threat negotiations. And they used their skills to attack others. Right. They were using their skills to prey and have the upper hand. And what I want to know, and this has never been made completely clear, and this is really the one where I think is crazy, is did they work on their own? Like incident response? Did they like respond to it? Right. That's never been made clear.
C
Right.
D
It hasn't been denied or, or, or validated. But they actually stole like they extorted a whole bunch of cash. Like one victim, like one known case, is that they, a victim, paid them about 1.2 million in Bitcoin. And so the defendants, Goldberg and Martin, were able to. They took that money and 80% of that went to them. And it's. They split it three ways and then the 20% went to ALPHV/BlackCat. And then they started laundering that money. So the thing is that the. This plea of like from the DOJ and the FBI is including like the takedown. And this was like really like it came up with this takedown from 2023 of ALPHV and BlackCat. It's terrifying. I don't know. Like, it's, it's the thing that we don't want to. To admit in our industry because we interact so closely with a lot of individuals like, that are on the bad side. And a lot of us, like, play the role of criminals to gain intelligence and, and deem the upper hand. But corruption, it, it's. It can be tempting to say, hey, I can. I know how to pull this off. I know how to launder the money. What's stopping me? It's just ethics and morals stopping me from pulling it off and making bank over the course of a couple of months. So it's. And that's where you have people with like, weak morals and weak ethics that get into that, that succumb to this temptation and just to jump in quickly.
C
And Jim's gonna mock me again. Probably because one of the other jobs that I had for multiple years was I was a crime reporter for a newspaper. I know it's hilarious. But to Tammy's point, the. They pled guilty. I don't believe they've been sentenced yet. I think that will.
D
March 12, 2026. That's.
C
And so what's going to be really interesting for us to pay attention to is what sentence they actually get. There's some things that are going to play in their favor. They pled guilty. They didn't drag out a lengthy trial. The way the American justice system is, they'll account for that in the final sort of sentencing. But the big thing that they're going to want to do to Tammy's point is that beyond ethics and morals, there's this concept of deterrence. Oh, I get. I do this, I'm going to jail for five to 10 years and 20. Sorry, I was using Canadian math. Just like Canadian dollars, our jail sentences are much lower.
A
Stop. Now wait a minute. I'm gonna just stop. You're stop, Laura. Yeah, I just want to go back to Laura's point on this because it was her. The late last year, and I think it was one of the last two shows we did where Laura was actually warning about the layoffs and unemployment that was affecting security professionals and that this was a potential risk for us. Do you feel vindicated, Laura?
B
I'd rather not be. Or great, I'll take.
A
It's nice to be wrong sometimes, isn't it? Yeah.
B
No. And reading through some of the other reporting on this particular story, because what's interesting is always the why, right? You have a job, you've got, one presumes, because this is a high demand industry, a good paying job, what gets you to turn to more? And in this case, at least for Goldberg, and there's a third unnamed accomplice and the other one hasn't really. I didn't find what his justification was, but in Goldberg's case, it was personal debt. And for however that personal debt was acquired, which in the States could be anything from you made a trip to a hospital to you got into some pretty gnarly other activities on your own time. But personal debt is a huge motivator. Right. If you can't see the bottom of the bucket that you are drowning in, you get creative. And that's really unfortunate. And I'm sure that will play out in sentencing as well is what was the motivation behind this. And deterrence, of course, is super important. If this is somebody who really found themselves in a bad situation and just didn't know how to get themselves out of it, but at least they finally found the bottom of the bucket when they turned, got themselves in and pleaded guilty, there is something to be said for that. But I don't think this will be a unique story where, you know, and they're listed as former employees. So how former were they former and then became affiliated? Were they working there, had some moral feelings like, yeah, I can't be doing both of these at the same time and left or are they formal former because, yeah, they got arrested. Now that now they are former, I'm not.
A
And. But the cybersecurity lesson in this, that knits all of this together, whether it's Tammy's point or Laura's or your point, David, is internal threats. And I've warned about this, not just for people who get into money trouble. And we get into money trouble in Canada too. So it's not just in the US People get. We're not immune from that. People get into money trouble. I worry about sextortion and things where people are being extorted. We have to not think of cybersecurity. And this will coin your line, David, as only being a technical thing.
C
No, Laura points to a good point. And we can talk about this more as the year goes on, but I do believe the proliferation, the massive proliferation of online sports betting, I'm just saying Gambling as a thing to Laura's broader point about debt is there. And I'll end off with that.
A
I got one more story we're going to walk into because I don't want to leave this one. And then we'll wrap up. But the. My favorite story of the week. And I took some grief for doing this one. The hacktivist Martha Root, who wiped the floor with three white supremacist websites live on stage at the Chaos Communication Congress in Hamburg. She took out three sites. White Date, White Child, and White Deal. And somebody sent me a note saying, what's the big deal about white people being able to date each other? I don't think we're talking about that. But you didn't just knock them offline. And. But also, you got to give her style points. She arrived in a pink Power Ranger suit, did this live on stage, took them down and said, they've got poor cybersecurity hygiene that would make your grandma's AOL account blush. Now, that was the big deal. Now. And we go. I want to tie this around. The reason why I want to go back to the story. She took those sites down. And I think there's a big. There's something we could talk about hacktivism and where the limits of it should be. But she did responsibly disclose the information. She didn't dox them. She sent it to a company or an organization called DDoSecrets. I've been in touch with them. I'm going to bring them on the show to talk about how responsibly making this information available for researchers and legitimate journalists is what they do. So I give her credit for that. But I'll ask you both the questions. We're. It's nice when it's our side, as you said. Somebody wrote me a letter and said, where do they. Where do we draw the line? I said, I don't know if this is a white supremacist site. It's offensive to me. But what if it's kiddie porn? Where do you know is there a place for hacktivism? And that's the question we're gonna have to answer this year. And thanks to this wonderful lady in a Power Ranger suit, we're gonna have to talk about this in a real way.
B
I think it really circles back to the discussion we were having about the privateering aspect of things.
D
Right?
B
And it's like, how do you make actions from a private, whether it's an individual or an organization, that are aligned with the best interests of the society they operate in. So we'll take a country as an example. Right. How do you make those actions permissible and legal while being clear that it is not open season to go and just take down anything because you disagree with it? And I think that's where it's not so much a line as it's a process of permission. Because in this case, one hopes and presumes the culture that one operates in says that, you know what, people of all colors and races deserve equality and we shouldn't be promoting supremacy of any of them. So this kind of activity is not acceptable. So let's say that's okay, we can take that down. Good job. But somebody else disagrees with something that is more socially permissible, but they decide they're going to go and take it down. Where's that permission? Or who is the judge? Is it? Do we wait till after the fact? I think I would argue it's probably better to have some sort of distinction before the fact to say that you. I've been authorized. And here we go. Because otherwise the other thing we get into is inconsistent application of the law. Right. Technically, this is not a legal activity depending on a number of factors, jurisdiction and where the servers are and all sorts of other things. Right. So it's a gray zone as to. Without more information, was this even legal to do? And if it's not legal, just because we like the outcome, does that mean that's okay? If we have two people who get into a fistfight in the street, they generally both get detained and then it's sorted out: was somebody assaulted first and who was in the right or who was in the wrong. We feel less inclined, I think, sometimes in the digital world to be as consistent in how we apply law.
A
I was interested in hearing what you had to say, Laura, and I'm interested in hearing what Tammy has to say too, because this is cultural. We always think of the people that you're. That you're studying as being crooks and that sort of stuff. But there are people out there who are hackers who may be doing it for what they think are good reasons.
D
Yeah, there's the whole, like, concept of the greater good. And you want to be. You want to try to be on the right side of history. And there's this whole, like, back and forth of am I doing what is right or is what I'm doing what is wrong? And that's always. It's not as clear black and white as it always is. For example, I run in association with, like, other individuals in Europe, I help run and maintain an admin website called RansomLook, and that's an open source project where we basically, like, list and supply information on the latest, like, ransomware victims. And a part of that is I. It's a part of it is am I, like, victimizing the victims more because I'm showing them. I'm like amplifying the disclosure of these victims or am I doing the right thing by being as objective as I can be in how I present and collect this information and present it to the community so that the entire cybersecurity community and defenders can use this information to defend themselves against these threat actors better. So there's always these, like, concepts of, like, how you do it is also just as important as why you do it.
A
Yeah. Which I think is the lesson I'm going to take away from today. And that's something I think will wrap up the show with. That is we're not just in a technical world anymore. We're actually having to deal with not what we do only, but how we do it and how important that is. I want to thank our panel. Tammy Harper from Flair. Thank you very much.
D
Thank you very much for having me. It was great.
A
Laura Payne from White Toque. Always a pleasure, Laura.
B
Thanks, Jim. Uplifting as always.
A
Yeah. And the disappeared David Shipley, running out to probably do a client meeting. But David will be back on Monday morning with the cybersecurity news. I'll be back next Wednesday. And as much as I want to keep the news show from being news and less opinion, it is our job to put news in context when we can. The weekend shows do allow us to discuss themes on a deeper level, technical and otherwise. And as I've said before, technology and cybersecurity don't exist in a vacuum. They affect people, process, strategy and our lives in general. But this is not an echo chamber. I look forward to exchanges with you. Look forward to hearing from you. So you can reach me at technewsday.com or .ca, take your pick, depending which country you're in. You can reach us there on the contact us form. If you're looking at this on YouTube, just leave a note under the video and you can find me on LinkedIn. Glad to talk to you, to our guests. Thank you very much to all of you. Have a great weekend and we'll see you Monday.
Podcast: Cybersecurity Today
Host: Jim Love
Guests: Tammy Harper (Flair), Laura Payne (White Toque), David Shipley (Beauceron Security)
Date: January 10, 2026
This episode delivers a fast-paced “month in review” of major cybersecurity incidents and trends from the chaotic holiday period, focusing on data breaches, evolving disclosure practices, AI’s impact on vulnerability management, attacks in the gaming sector, the normalization of cyber offense by state actors, internal threats, and the ethical complexities of hacktivism. The panel provides analysis from both technical and ethical standpoints, punctuated with signature humor and candid professional insight.
This episode laid out a multilayered map of the current cybersecurity landscape: automation and AI are accelerating threat and defense timelines, the threat surface is expanding into hybrid entertainment and home environments, state-sanctioned cyber operations are moving into the open, and the human elements—both in terms of motivation and ethics—are increasingly critical in response strategies.
As Jim Love closes, “We’re not just in a technical world anymore. We’re actually having to deal with not what we do only, but how we do it and how important that is.”
Contact info and further resources are shared at the episode's end.