
In this episode of 'Cybersecurity Today', host Jim Love is joined by panelists Laura Payne from White Tuque and David Shipley from Beauceron Security to review significant cybersecurity events over the past month. The discussion covers various...
Jim Love
Welcome to Cybersecurity Today, the month in review. Joining us today are Laura Payne from White Tuque. Hello, Laura.
Laura Payne
Hey, Jim. Great to be back.
Jim Love
Great to have you back. And David Shipley from Beauceron Security. Welcome, David.
David Shipley
Thanks for having me again.
Jim Love
Okay, panelists, you know the game and I'm sure most of our audience does. In this show, we focus on the stories that had the greatest impact over the past month. We try to do a deeper dive into them. And this month started so calmly. A professor and his wife disappeared maybe, and everybody was wondering what was happening to them. Hertz lost a trove of data with an amazing amount. All those things that you tell the people so that you can get insurance as well as a car and all of that, where you're staying, where you're going, they misplaced all of that in a hack. But that was just another day in paradise. Because then things got really weird. Government officials were using a commercial app in the middle of American conflict. They're attacking a group of rebels, the Houthis, I think they're called. And these guys are chatting away on Signal about this with locations and data. Nothing wrong with that.
David Shipley
And then I'll just add, and one meme, the mean use of emojis in a way that we've never seen. Bam. Fire, pow. American flag when the bombs were dropping. Oh yeah, to me was 21st century warfare right there.
Jim Love
It's, I think they were selling, they're probably selling tickets to this. They didn't have to sell tickets because they had a journalist that was invited on the call. That was just really, that was really special. And then the government using, they're using a commercial app and they go to Chris Krebs and say, let's attack Chris Krebs, the guy who used to run CISA. And that was the start of the month. And I have to say it got more exciting after that. The past few weeks have been overdrive. I've seen some of your notes as they come across about how we're going to narrow this down. But we have to find enough stories to go through an hour. Why don't we start with the easy ones?
David Shipley
I want to take a victory lap on PowerSchool first. On this show, the patent pending finger wave of stop paying cyber extortionists was had because what did we say? We said, you can't trust criminals. And what have they done? They didn't delete the data and now they're going for a double payment because why not? Why not get two scoops of tasty data extraction?
Jim Love
So rewind and give us the story. Not everybody remembers David Shipley's lessons on this, so let's give him a little history first.
David Shipley
So PowerSchool is one of the largest software as a service providers to K-12 schools, if not globally, definitely in North America. They were hit and hit badly with the data extraction. Not your typical ransomware, but simply the other half of the double extortion via insecure parts of their support infrastructure. And paid an undetermined sum. We can assume it's likely in the millions. That's the way these kind of things go. And then sent the communications on to the regular school districts, which caused all kinds of really interesting conversations about how sensitive is this data? In some cases, highly sensitive in terms of maybe the bus pickup locations and other issues or notes that teachers may have had about students, depending on the school district, how long they've used the platform, et cetera. It was an unholy data notification mess. And affected school districts in Canada from the west to the east, you name it. And of course, one of the defenses that we've seen trotted out in these data exfiltrations, we saw this in Canada at LifeLabs years ago. Man, this feels like a lifetime ago. But a long time ago, somebody else tried to do this and pay this and then tell you it's okay, they deleted it. And I believe, if I remember the story correctly, and we're at. Jim, correct me if I'm wrong, they got proof. They got a video. They showed us that video. They deleted the data.
Jim Love
There's a video of him deleting the data.
David Shipley
Yeah. And now it turns out they're targeting individual school districts for a double dip of the. Of the data extraction, which is as uncouth in cyber as it is with nachos. Right, the single dip.
Jim Love
But it's so funny because ages ago, we used to say that cybercriminals had great help desks. They helped you through paying the ransom. They made sure that they gave you a decrypt key because they were in business. When it became a franchise and anybody could be out there, it got dirty. There is no longer any rule. You're paying the ransom as PowerSchool did. But now, as you've said, these guys are going around from school to school telling the schools, we have your data. And you pointed out some of the data that's in there, the data on children who are vulnerable. It just goes on and on. If you're a parent, your heart just goes. Just sinks. So what do you do about this? Will PowerSchool survive? This is going to be a big question at this point. But the second one is how do these local school boards deal with this?
Laura Payne
And I think it comes down to, back to, we've learned, hopefully, right? It's an education system. So here's your education from the criminals. Fool me once, shame on me or shame on you, but fool me twice, shame on me. Yeah, back to me.
Jim Love
If you don't wanna get rid of that.
Laura Payne
First one was on you, the second one's on me. There's no point in paying this ransom. They're just gonna be back for more. You gotta figure out what you're gonna do about it. The horse is outta the barn and yeah, it might mean that PowerSchool is not in your docket anymore and you gotta figure out something better. Or maybe we're back to paper in the meantime. This is not the kind of thing where it's a click and pay and solve. Right? Money doesn't solve this problem.
Jim Love
Could we have possibly gotten to the point where this might be the straw that broke the camel's back and people might stop paying ransoms, These people might.
Laura Payne
Stop paying ransoms like the decision makers here. But I don't think it's, yeah, there's no universal, oh, we're going to stop paying ransoms because it will depend on situations. It'll depend on the knowledge of the person in that seat making that decision at that time. Do they consult somebody who's going to give them good guidance to know what their options are and what the likely risks are if they pay? I'm sure there are still some, I will call them with a heavy dose of salt, noble cybercrime groups that have good reputations, but they are fewer and farther between. Right. So if you're going to pay the ransom, you just have to know it might give you a spell of time to deal with something, but it's not your end game. You can't delete the data once it's gone. If they've got it, they've got it.
David Shipley
And I think there's a distinction here, like the use case of a hospital paying a ransom to get systems back operational as quickly as possible remains a deeply ethically and morally problematic space. But when we're talking very specifically, it's not about your operational IT infrastructure, it's about data that was exfiltrated. There is no value. And I think the only way we're going to change this is the courts say we don't care if you pay to get them to pinky swear they deleted it. That doesn't matter. It's untrustworthy, unreliable. There's no definitive way to prove it. Your penalty is for the loss of custody, not for everything you try to do after the fact. So you devalue the incentive to try and pay this because part of the reason they pay this is so that they can go around and lower their eventual class action lawsuit losses. I don't think they genuinely care as much or really in their heart of hearts believe the criminals are trustworthy actors that are going to delete the data. We got to get rid of that out of the equation. And I think this is the first step to getting out of the pay the ransom mess that we're in. But the definition of crazy, man, doing the same thing over and over again and expecting a different result.
Jim Love
Are we just looking at this through rose colored glasses? You're saying like the whole game might be just keeping their liability down. So doesn't matter.
Laura Payne
Do we know how much they paid? Anybody know how much they actually paid?
Jim Love
Millions, I think we know.
Laura Payne
If we don't know and they may have negotiated very hard and the ransomers are back. Maybe they did go really big and pay a large ransom and so they figure there's more from the well to draw from. I don't know and I don't know what decisions the payers made going into that. I wouldn't want to be in their shoes. But I think at the end of the day this just does go to prove that, yeah, you can't get the data out of the ecosystem. Once it's out there, it illegally.
Jim Love
For a bit of a surprise, they might be looking at public data and going, oh, the Toronto school board, oh, they've got $80 million in budget. The fact is they don't have $8 in money. As a matter of fact, they owe money. They're in a deficit. So they're not going to be able to come up with a lot of cash. And I don't think the parents are going to go for a bake sale on this one.
Laura Payne
No. And the insurer may have covered that first payment, but they're not going to be up for round two.
David Shipley
The impact on this was $60 million. All the reporting I've seen has said the payout was in the quote unquote, millions. For context, PowerSchool has reportedly 18,000 clients covering 75% of K to 12 schools across North America. And 60 million, 60 million people are in that system. So definitely on the general rule of 10, 10 cents to a dollar per impacted user going market rate for extortion, anywhere between what, $6 and $60 million potentially paid out. It sounds crazy to be talking about tens of millions of dollars, but we had a yet still unknown Fortune 500 company pay something like $47 or $50 million last year to a ransom. It was the single biggest ransom take. So yeah, I guess that's where we're at. I think the one thing I want to make a point about as well is the end of the first year of international transnational ransomware came with the big takedowns, the LockBit takedown, the other gang takedowns, et cetera, the groups kind of self destructing on their end. And that was the end of the easy days of this crime. One of the things that I had predicted was that their tactics would get more vicious, but that the industry itself would get more resilient. So it'd be harder to take down, but they would also in turn become more ruthless. This was the natural Darwinian evolution of this crime. So what we're seeing now with the re-extortion and the retargeting of healthcare post pandemic and other things, this is cybercrime ransomware 3.0 and they are going for the throat. It's interesting to see physics, for every action there's an equal and opposite reaction, play out in the cyber battle between the good guys and the bad guys. For some that's an excuse to do nothing and say we were better off just having this as a basically international IT tax that we were paying to Russian and other cybercrime gangs and at least we had X amount, but now it's even worse. I think we have to get through the other side of this.
Whether we have the will to get through the other side of this. And keep in mind all this is happening is the counter ransomware initiative and other really good US led initiatives are all for naught. Now there's a giant sucking sound and that is the vacuum of previous incredibly valuable US led leadership on this global issue. And I don't think anyone else has got the heft to keep that charge going. So I think the good old days and the nasty days are also combining. So much fun.
Jim Love
And we'll get to it later. CISA is deader than we think.
Laura Payne
I do want to add one clarifying point on this story because I think we glossed over it, is that we have in this particular story, we had the third party who was breached and they paid the ransom. The attackers are now coming back not to the same third party. They're coming back to the users of the third party.
Jim Love
The victims.
Laura Payne
Yeah, to the victims. It's not the case where the boards paid out the ransom in the first place. They are coming. They are now being asked to pay a ransom. And who knows, maybe the attackers were hacked in the back end. And the data, maybe they really did delete the data but somebody else grabbed it first.
Jim Love
You don't think they're really good at security. Like LockBit was hacked this month and.
Laura Payne
4chan, and you know, honor among thieves these days.
Jim Love
Yeah. Let's twist around that because you brought up the 4chan story and you were going to. You were going to cover that. That's another story that where of wrong gone wrong. I don't know.
Laura Payne
You know it's a little refreshing to see that bad security affects the bad guys too. And 4chan I guess is not objectively bad in the sense that they didn't start out to be full of evil crap. But here's. That's. That's where they are.
Jim Love
And they're a site that. The counterculture site.
David Shipley
Yeah.
Laura Payne
And just allow whoever. Whatever communities to coalesce on their site and to exchange information and opinions and less information and more opinions maybe. But it got pretty sticky but you know it was. It's pretty full of things that are undesirable from a moral standpoint. And not surprisingly it became more and more difficult for them to engage vendors to provide the hardware and the updates that were needed for their infrastructure. Also, not shockingly, a lot of people weren't willing to pay to advertise. So their revenue streams. And here's another shocker. People who aren't maybe on the right side of moral and ethics don't like to pay for services. So they weren't going to pay for a subscription to 4chan so your revenue model doesn't really work. And so this is a foreseeable circumstance of a very popular site that has no revenue and is known for being on the wrong side of a lot of things. Really not being able to sustain itself. It's back online. It will probably go the way many things do where it devolves, it causes splinter sites to crop up in its vacuum and something else will probably grow out of there. I hope this is the beginning of the end of that particularly large community.
Jim Love
The site collapsed but they brought it up. It's gasping at least. Last I've heard there's not. They can't bring it all back up. They've lost a lot of data.
David Shipley
We won't miss them. One of the largest purveyors of deepfake pornography services, MrDeepFakes, was taken down as a result of US legislation now coming after non-consensual intimate image deepfakes as well as real non-consensual intimate image distribution. Fantastic. But in a sad note for Canada, the individual that has been determined to be responsible or a key individual is a Canadian citizen. CBC and a whole bunch of other media outlets worked together to piece together this person's identity through OPSEC leaks and actually confronted the individual about it. In terms of, think about AlphaBay, that was an expat Canadian who was running what was at the time one of the world's largest dark web narcotics marketplaces and other things on it. Not exactly that moment of Canadian pride, some of these clowns, the biggest clowns out there, have been coming from.
Jim Love
Up here at the time when we want to excel in digital industries this is not exactly what we want to be known for.
Laura Payne
Is that not the industry we were aiming to excel in?
Jim Love
Not quite. Yeah. We want to focus on a, on a different clientele I think.
David Shipley
But what's interesting is to see these groups like LockBit in the middle of a fight and things are happening and this gets back into the interesting sort of politics and drama that happens within these environments. Like we've seen these core ransomware infrastructure providers stiff their affiliates and then we've seen infighting like when the latest sort of expansion of the war in Ukraine in 2022, which wasn't the start, kind of goes back to 2014, but in 2022 the most recent actual official Russian invasion of that area, we had gangs that fell apart that actually were Ukrainian and Russian and that leaked all of their sort of internal chats or playbooks. This is where we learned about the HR structure, the payment schemes, the feedback from project managers for your particular ransomware group. So we're seeing this play out and it is nice to see the self destructive. But the one thing I will describe 4chan is, we're post May 4th, but if there ever was a Mos Eisley, that den of scum and villainy referred to by Obi-Wan Kenobi, 4chan was it. It was the Mos Eisley of the Internet, the den of scum and villainy, and you just love to see it burned to the ground.
Jim Love
So wouldn't we rather talk about Hertz? Talking about starting the month out, they just lost a whole pile of our data and we saw the impact of it was the Co-op and Marks & Spencer and everybody knows, not everybody knows who Co-op is in the UK, but it's a large. I think there's. I forget how many thousands of grocery stores they have, but they cover a vast swath of the UK or England, whether I can't tell the difference between the UK and England. But Marks & Spencer also got hit and people were starting to wonder whether the new pursuit of ransomware and hacking was going to be retail. This has been a big hit for these stores, though. There was a story just today and it's come up. The stores at Co-op, they can't stock the shelves. They're rationing. Milk rationing has been announced and all of that entails. Never you mind. I said to her, you put on the kettle, we'll have a nice cup of boiling hot water, you've got a big deal beyond the fridge. Fans will like that one. Nobody else will figure it out. But the issue is that just wiped out two major grocers. How much more of our infrastructure that we don't think about is vulnerable at this point?
Laura Payne
Yeah, and this is something I've thought about in the context of the discussion around critical infrastructure and in general the discussion of how do you rank the criticality of different devices, different systems, different industries, and unfortunately I do frequently come back to the conclusion that, yes, some are more, quote, critical than others, but everything is so integrated now that the difference between the importance of protecting less critical and more critical is just aligning.
David Shipley
Right.
Laura Payne
Because the things that are so critical, when we think about typically the power grid and water resources and things like that, now we think, okay, food security, transportation and logistics, which makes all of that happen. And then all the suppliers that go into that, whether it's professional services, which typically are smaller organizations and all of these supporting organizations, there really isn't anything left at the end of the day that's not in the circle of supporting a critical service. And so it just reinforces that you can't just protect a few things and the rest of it'll be acceptable. Everything needs to have a reasonable level of security. Not that it'll be perfect, but the risk or that the impact when there is an incident is a smaller impact, that it's more contained, that it's more manageable, and I think a couple of different things.
David Shipley
It's stunning to me that Marks & Spencer did not see what was happening in Canada, both what happened to Empire Sobeys, what happened to the drug, and not say, okay, we need an incident plan, we need to invest in this area. It's stupefying that we saw ransomware rise. We saw it happen, we saw the impacts in very specific retail food security verticals and we still fail to act. Isn't that fascinating? A realistic level of security. What's your RLS? And then one alternatively is your realistic level of resilience. Can you go back to pen and paper? Can you stock the shelves so that people can get milk? Absent regulation, it's very clear the private sector north star of shareholder value will dominate the risk conversation to the point where they're prepared for this. The evidence could not be clearer. Bill Matlock resting his case at the end of the episode. Ah, it's the proof. This is why we need regulation. And yet, as I raised the point on LinkedIn this week, Prime Minister Carney is going to be delivering his speech from the throne here in Canada with the king coming. This is super exciting for us. I hope in that speech cyber regulation for critical infrastructure, at least for what they were trying to do with Bill C-26, gets some kind of nod, attention, and back on the legislative radar. But what I will say is that even what we were trying to do before it failed here in Canada didn't even contemplate dealing with food distribution. Food security is not critical infrastructure in this country from a federally resourced mandate. And it means the provinces are off to pick up whatever they can on this. And the good news is some provinces are. I'm aware of conversations happening within provinces to go, Ottawa is not coming to our rescue. We're going to have to figure this out. For American listeners, what you have to understand is that CISA is gutted. Your globally leading Trump created Critical Infrastructure Security Agency, which was a success.
And President Trump deserves credit for creating CISA. Absolutely. Term one. That was one of the wins here. I am actually giving appropriate credit for where it needs to be on that show. There's lots of people that were involved in the creation and formation of that policy, but it was under his administration. Now Trump 2 is literally butchering one of the successes of Trump 1 and turning around saying the states are going to be responsible for security. And there are some states, New York, California, Texas, sure. But are you kidding me? The rest of the states are being left to their own devices. This is bad news bears.
Jim Love
And CISA was known as the coordinator for critical infrastructure security and resilience. And it's where I think, I don't know the total system yet where you reported a lot of things to.
David Shipley
Yeah, great work. Jen Easterly was advancing so many amazing. The most recent past CISA director, she was building sort of consensus on really deep long term issues like software quality and holding the software supply chain accountable to creating secure software, secure coding technologies evolving from the things that we know are inherently risky, that we're making it too easy to create. These CVEs, these are big, meaty, substantial national level, international issues and all that's gone.
Jim Love
It's worse than gone. For those of us who remember, Chris Krebs was the head of CISA. He was fired for honestly saying that elections were safe. So the head of CISA has learned not to speak truth to power, even if it's the right thing to do. They've learned that it's worse than that. I can't disclose totally why I know all of this stuff, but as I was telling you guys before the show, we've been doing some interviews with whistleblowers and CISA is non-existent. It is a political front right now. It is a puppet and it is overruled by political decisions coming from God knows where. But that's it, it is no longer trusted and that is a crime. And again, I'm not getting into American politics. You've given Trump a nod. I don't want to talk about Trump or anybody else. But the fact is we have lost one of the best assets in the world at leading the fight on cybercrime.
David Shipley
And Warwick probably can speak more with more intelligence than I about MITRE and the CVE database. We had an asteroid almost hitting the planet moment for the software reliability and resiliency, automation and vulnerability scanning environment previous to the current administration. It was a very fragile budget improvement process, which shame on those for not getting it figured out beforehand. So let's put appropriate blame where it belongs. The fact that it was so brittle to begin with was not good, that it was so heavily depended upon and yet so brittle then it almost came completely unglued. And I don't know what your thoughts are from your perspective.
Laura Payne
Yeah, there were a couple things and I think your comment is very on point that it sounded in some of the write ups around this that it actually wasn't unusual for it to come down to the 23rd hour for approval to come through. But what was different was in previous administrations it was, yeah, we're getting close to the wire, but we're pretty sure it's coming. There was confidence that the job was going to get done. There was not confidence this time that it would actually get done. And what that shows is, yeah, there was that laissez faire nature around it. Maybe not by everybody, but by enough people that it was, yeah, business as usual is, yeah, we just, we get her done instead of saying no, we need these things done in a timely fashion so that there are checks and balances that can reasonably be put in place and so that if the funding isn't going to come through, there's enough time to do something else. And that's really what's been missing. But this is not new for the US Government. The number of times that things have been pushed through or they've gone into, basically the government freezes because they haven't finished passing their budget for the year. This is just another symptom of the larger issue that has been building for quite a long time and really highlights the fact that any one organization who is leading such a linchpin in our system of security, that if there is any trouble in that organization, it has such a huge potential for impact across so many other places. And whether that's government or whether it's nonprofit or a collaboration of governments, whatever it is, our lesson learned out of this is to take a better look at the warning signs as they're coming and try to build as a community that resilience so that, yeah, any organization can fail. So whatever organizations we're putting these key services into, we need to have a better way of staying on top of what's going on there so we can course correct before it becomes a crisis.
David Shipley
Absolutely.
Jim Love
You're talking about the CVE system, right?
Laura Payne
And in particular in April was the fundamental.
Jim Love
Again, not everybody's.
Laura Payne
Not everybody does that security junkie.
Jim Love
Jumping into the. The CVE system is a critical piece of how, like CISA, it's a critical piece of how we manage any sort of hacks or problems. Zero days, all of those things. These are. And do you want to just give us a brief?
Laura Payne
Yeah, yeah, I'll give it. Yeah. The quick primer. So CVE is the Common Vulnerabilities and Exposures database and it is a mass collection of all the known, published, vetted, confirmed vulnerabilities in software. It doesn't mean it's the full enterprise of software or vulnerabilities because we know there are people who found them and they haven't reported them. But it is the biggest single central source for vulnerability knowledge. All of the major vulnerability scanning players and technologies bring CVE data in from this source as part of their ecosystem. It is the most robust, as robust as anything is in this day and age, collaboration point for those vulnerabilities, so to lose it or to have it not be effectively maintained, and it requires staffing as well. It's not just about the technology of the database, but there are real people attached to reviewing the submissions, scoring and rating them. And there's lots of people who have lots of debate about the efficacy of the scoring. That's neither here nor there. Because the most important thing is that there are actually people working together to try and make the effort to get these things in a place where everybody can then contribute and use the information that comes out of it. That would have been a huge loss. It would have put new findings at a standstill for being reviewed. It would have meant things that were in progress for finishing, getting through. And then the older findings do get brought back forward and updated from time to time as things change. So all that new context information wouldn't have been being published, would have been a huge win for the bad guys. This lack of communication in the ecosystem for the defenders.
Jim Love
I cannot imagine anybody who listens to the show here, the word CVE, 19, whatever, and they'll know that instead of having to look in 16 or 60 or 600 databases across God knows where to find out. Is, is there something out there? There is one database, archived, normalized to the best possible. And I hear the criticism to the scores, but I don't if it's an 8 or an 8.25 or a 9.13, it doesn't matter. It's bad. And if it's a 3, it's not as bad as a 9. It's not perfect, but it has accuracy.
David Shipley
Well, the one thing critics ignore about it is that it moved us from low, medium, high, low, moderate, high, whatever ways you want to put it, which is even less granular, to something a little bit more specific with a little bit more rationale, harder for organizations to argue, oh, it's not that big of a deal. There's a BeyondTrust report I just came across. Apparently they've been doing this for a number of years where they look at the total number of CVEs that come out of Microsoft per year and how many turn out to be critical versus the total volume. And it enables that kind of analysis, which is our only kind of barometer of software quality. And so if we don't have that kind of data to work with, we really don't know how the trajectory is going. And that's just one example. But I think we rely on so much in our modern digital economy, on so many things that are brittle and fragile like that, that are just one bad actor away. And I think Jim, you posted this in the prep notes today. It was the Russian-hosted open source software.
Jim Love
Oh God.
David Shipley
Everywhere everyone's oh, all of a sudden this is a problem. And remember the open source community are.
Jim Love
Okay, let's do, let's make a point of going back and giving the audience the context. They don't know what we're talking about at this point. The story I posted was a Russian group is the source of a module that is in practically everything open source. It's a Go package and everybody will know. If you follow Linux, you'll know that Go is where everybody wants to go from C to this new language Go, which is supposed to be more secure except for one particular module that is supported only by Russia. Everybody who supports this module is Russian and the head of this organization that supports it is under sanctions. And what it does is it supplies the interpretation and retrieval from JSON. Now you don't have to be anybody, you don't have to be a smart programmer. JSON, that's used in a lot of places, isn't it? Yeah. So that is what has been discovered and we've all woken up and going wait a minute, this guy named. And he's not, his name's not Vladimir is supporting almost all of our open source libraries for this function. That's a bad thing.
David Shipley
But I want to paint a broader picture for a second. Why did this happen? Remember that at the dawn of the age of Open Source that I just want to give a shout out to the these are some of the best of us as humans. They were thinking about how we genuinely collaborate for the collective benefit of everybody on the Internet that this was non commercial focused. Let's make matter software together, let's advance technology together. And I love that. Like this is the Ben and Jerry's ice cream of the Internet, right? These are still the Internet hippies and I loves me the Internet hippies. Right? It was fantastic. At the time this was happening we were heading towards that Guy Kawasaki end of history view that the, the Cold War was over and it's undulating prosperity and war. Democracy was on the march thanks to the power of the Internet and authoritarianism was done and we're gonna have unending economic growth. Like looking back on that from the 90s, lucky how the 90s is so sweet now. Like you look back with a nostalgia that I think people in the 80s were looking at the 50s. So now I get it. Not to say the 50s were great for everybody. They were nostalgia is a funny thing. But the open source community, that's how you ended up with people for Russia doing cool key things. Because before Vladimir Putin's rise, we thought we were going to have a more normal relationship globally with all kinds of places, including Russia. And now geopolitically, this has changed. And I think this whole idea of a fractured Internet, of this unwinding of globalization, this is a canary in the coal mine of what that means for the open source movement. And what it can tell you is that if the open source movement genuinely is as dead as globalization is for the next 30 years, software costs. Everything's about to get expensive. Everything's about to get real, real expensive if everyone has to do their own coding from the ground up. And I'm not saying that we can't.
Jim Love
And before everybody gets on their high horse and goes, oh, open source, we should get rid of it. Just in case anybody gets on there with, well, open source, I always knew that was bad: can you say supply chain hack, boys and girls? We're reusing modules in commercial software. This is not just that; what we've got is an explosion of software without any ability to track its provenance or where it came from. And that's at the heart of it.
Laura Payne
And I want to challenge that a little bit. There's the ability to do it; that's established. It's just whether people do it and whether they put the right checks and balances all the way up the chain. And depending on the limitations of how you're scanning, right, maybe you go three layers deep, you go six layers deep, do you go seven layers deep? Do you go 10 layers deep? And this kind of goes back to the theme of critical infrastructure, right? It's all connected. You can't say six layers deep, that was good enough. You need to go all the way back. And then protecting that chain. The open source community, I don't think it's dead, and I don't think the movement is dead. But I think, like all things that we've learned along the way with communication, innovation... and you could say the same thing about the printing press, right? People thought it would be this great boost for democracy, which it was, but it was also a great boost for authoritarian dictatorship too, right? It's just a hammer, right? What you use it for is what makes the difference and whether it's good or bad. So I think open source is going to be the same, where people will have to get more serious about checking the provenance. If you're a software supplier, you need to be more serious about the provenance of all of the modules and libraries you've used. The smaller the code chunks that you can look at, the more likely it is that you'll actually understand what's going on in it, be able to make sure that it's good, and be less open to security issues. So I'll put that out there.
Jim Love
And David's going to hate this one, but this is a really good use of AI. You can hate the code that AI generates, but given that no code is ever documented, or documented well, there's nothing better for finding out what it does than running AI against it and saying, what does all this stuff do? I can see it, I can't read code, but it can read it and it can tell me what it's doing. So we have tools. And you pointed out quite well, Laura, we've got the tools, we know the issue, we just gotta do it. That becomes part of the due diligence, part of the quality of making any software program or taking any software into your organization: understanding who it hangs out with.
Laura Payne
Because tangible things, people can see and feel a little bit better. Right? We have regulations around how bridges are built. We have strong provenance as far as how the calculations are done. We have a licensing regime around the people who are allowed to sign off on the designs. We have rules around inspection. The materials that go into it are sourced, and people understand the full supply chain up to the screws and the rivets, where those things are coming from and the material composition within them. And we want all of that because we drive on them and put millions of tons of weight on them, X number of meters up in the air. I'm going to use meters because I'm Canadian, though I wanted to use something else. And we have these expectations of things, but it's so geographically limited, and the people who use a bridge are within a confined space. And then we look at systems that we've now extended to billions of users on the planet, and there are none of these things in place. And then we wonder why we have the problems we have, hitting something really...
David Shipley
Important. And it's this: we still live in an era... And maybe in the next monthly review I'll remember the exact research study, but I came across this just before the show, and it said something like organizations with more security tools are less secure, because they keep just buying the stuff but they don't actually properly implement it. They probably don't actually fundamentally change how their business is operating to be more secure and resilient. Going back to the Marks and Spencer example, right? I'm sure there's a lot of vendors that are going to sell their next generation firewall or their next generation AI-powered MDR (full-on 14-year-old David version eye roll), but they're not fundamentally going to fix their ability to have a good, tested incident response plan, or to review their supply chain for their software and their systems and put in place an SBOM. And the thing about security is we always go for the sugar rush, quick calorie, junk food solution. We don't do the hard work, from the field to the table, that's actually required for a proper, nutritious security meal. You can tell that I'm very much focused on food lately. It's interesting to see where we are, right? We've got an Internet that we walked into that was what the nerds did, and it wasn't critical to our everyday life, to it now being essential to sustaining the life and well-being of 8 billion people on the planet. But we still treat it like it's a plaything, like it's just a fun thing. Think about how smart tractors in Canada are solving the labor shortage on farms across the country by having the things go and use AI and run themselves through the field, because we don't have enough people to staff them, or who want to do that manual labor at the rate we're willing to pay for our food. We depend on this stuff, but we don't protect it.
Jim Love
You said a curious word. You said we, and I don't want to make it seem like it's the people who are out there working in cybersecurity that are the problem, at one point or another. The reason why you can tell where the rivet on a bridge came from, or if there's an outbreak of E. coli poisoning in Minden, Ontario, where I live, they can trace where the lettuce came from, is not because the lettuce farmers wanted it, and it's not because the rivet makers wanted it. It's because there is legislation and regulation that says thou shalt provide a chain that tells me where any piece came from. There are standards that must be held, from engineering and other places, that say you must know this. We've got to step up, finally, 50 years into our world... and maybe, I don't know, the first virus I saw was in the 1980s, let's say 45 years into our world of cybersecurity, and start to treat this like it is a profession, like engineers or anyone else who have to obey certain rules. And that goes against the grain right now of this deregulation thing. But I gotta tell you, every time you fly in an airplane, you want to know that there was regulation, trust me.
David Shipley
And listen, Jim, I want to give a shout out to AI. I mentioned this the other show, but the AI that does the collision of Weightons, the machine learning, simple logic based structured automation that avoids humans potentially making human error to make a bad situation a tragic one. Yes.
Jim Love
Laura, you were about to say something relevant.
Laura Payne
I was. Oh, that's a shot fired, you know. Just to wrap up the thinking and what you were saying, and in particular a shout out to engineering. There's debate around how the term software engineer has been used and abused over the course of time. And it is a sore point for regulated engineers who actually had to do some properly qualified training and ethics to uphold certain promises whenever they sign off on something. I think there are a lot of people who call themselves software engineers who, if they had to put their name to sign off on the code that's published, and then if there is a failure in their code that causes a mass issue with availability or security or whatever other issues it might come down to, they are personally on the hook to be sued, that would change a lot of perspective around how people feel about the quality of the code being put out there. Because at the end of the day, if there's not a person on the hook, whether it's within the corporation or an engineer, the responsibility just gets distributed and people feel like they're safe.
Jim Love
I'm a consultant. I spent like 20 years or 30 years. My world is being a consultant. I am a certified management consultant. I hold a designation that is duly authorized by the province I live in and I'm licensed in terms of being able to do this. I have a code of ethics I have to adhere to. I can be called before a discipline committee in the same way an actuary can or a lawyer can. And I agree though, if you're going to call yourself a software engineer and not just a guy who writes code or a lady who writes code, then you have to step up to have that profession be regulated. But again, we also need regulation and we need those two pieces and they're missing in this industry and in almost no other industry.
Laura Payne
There are no rules to uphold somebody's professional standard right now when it comes to code.
David Shipley
Absolutely. But the other part is that this level of diligence and approach, the work that Tanya Janca from Semgrep does on educating developers to create secure code, requires investment by companies to actually do it: to slow down their build cycles, to do the validation checks, to create cultures where developers can actually be assertive and say, no, this is an unsafe way to do that. That is going to come at a cost, and it is going to significantly increase the cost of cheap software. We live in the era of cheap software. It's incredibly valuable to us. It does amazing things. But we don't pay what it's worth, and our willingness to pay to have secure, quality software is questionable. That'll be the interesting thing to see. I don't think the market has ever sent that signal. I think we're in an era of deregulation now in the world's largest marketplace, so the pressure is not there. The Europeans are overwhelmed already trying to hold everyone to a higher standard on data privacy, AI and security; software quality may be a bridge too far for them. That leaves us with a lot of questions.
Jim Love
But I'm going to put this to you, and not to disagree with you, David, but I'm just going to say: would we really miss half the crap that gets into software? Do we really need a Word program that has 50 million lines of code in it? I'm not so sure that I would really miss some of this stuff. As a matter of fact, I've been saying, could you slow down the development a little bit? Because I have to use this stuff and I like it. I like to be able to use it regularly.
David Shipley
Put it the other way. Imagine we went back to the days where you had to pay for your annual Windows upgrade, right? And now we're in an era where you get basically almost a new version of Windows every six months, with significant feature enhancements, and it costs you nothing. But would we be willing to pay 150 bucks each for the next six-month upgrade of our OS? We used to, but now we expect to have Windows that had half the vulnerabilities. Would we be willing to wait twice as long and pay more for software that's also secure? And that's the interesting challenge. Look at this madness around the AI arms race, right? It's gotta be first, it's gotta be best. We gotta just release this as fast as we can regardless of the harm it can cause, from deepfakes to hallucinations to all kinds of other chaos, the environmental side. We just gotta go, we gotta go, we gotta go. We're repeating the same mistake with AI writ large. And the insanity around that, that we...
Jim Love
Did with software, either you let somebody else develop it or you do. And that's the world we're in. We're in a competitive world. And without.
Laura Payne
I think we need software minimalism. Right. Like we need some Marie Kondo maybe.
Jim Love
Yeah, that'd be good. But we do need... And nobody in AI has been willing to participate in any form of regulation. No, I think regulation is not necessarily bad if it's there to protect you. We went through that with NASA. When NASA first started launching people up into space, you were rated by having no mistakes. After a while it became, you were rated on being faster. And we had the great disaster where we lost seven astronauts. And so we go back and forth on this continuum. But right now, the issue before us here is not probably world hunger. It's that we're in a world where we can't do this any longer with software. We're at a place where stuff's going to start crumbling if we don't address the security in software. And I kept saying provenance, provenance in software, where it comes from. And those are two things I think we wrap up on there. I want to get out one more story. Oh, sorry. Yep. Laura, do you want to say that? Okay. I don't want to leave. We can't leave without this story, the story that won't stop. And we all remember back at the early part of the month, the big story was a bunch of people in the Department of Defense were watching an invasion going against Houthi rebels. And they were merrily putting this stuff out on their phones in a commercial app called Signal, but of course it's encrypted, so we're okay. All kinds of problems with that, and we've had great scandals, but this story just will not go away. So in the middle of all this we not only had the story of Signal, we not only had the story of how it got there. I don't think anybody's actually been fired over this.
David Shipley
Mike Waltz is no longer the National Security Advisor and he's now the UN Ambassador. Fired, transferred, demoted, I don't know.
Jim Love
He can't do any harm. Right?
David Shipley
Not the guy that actually disclosed the timings of the airstrikes. That would be Pete Hegseth, who's got a lot of time on tape saying people that do exactly what he did should be in jail.
Jim Love
Yeah, but that's American politics, the whataboutism politics, that's just their game. That's how it's played. You can't do anything about it. But what is frightening to me is that there's a structure that's broken down, by which these people are saying, this stuff was put on their machines. How could this be?
David Shipley
I just want to back up for a second. At first, we were all calling this Signalgate and crank the Signal. They just rolled with it, had fun with it. They did a very cheeky software update that I thought was hilarious. But it turns out it wasn't Signal. It was this thing called TM Signal, made by a company called Telemessage, which took the Signal open source code and made a third-party version of it that could then communicate with other Signal clients. Now here's the delicious irony, in some perverse way. What we've now learned is that Mike Waltz and others were using Telemessage. The reason you use Telemessage is that it complies with the archival record keeping required by the US federal government. So the deep and twisting, delicious irony is that someone probably went to somebody and said, we want to use Signal, and they're like, the only way to do it and be compliant with the legislation is to use this Israeli-made thing. Check. Okay, great. I get to do what I want and I'm compliant. Great. You have noticed what I'm saying: user need, compliance and massively insecure are all in the same paragraph.
Jim Love
Yeah, because somebody came on and hacked Telemessage in 15 minutes.
David Shipley
But it's better. It's better than just the vulnerabilities. So first of all, a shout out to all the hacker nerds who just dive-bombed on this. You can tell I spent the weekend learning World War II stuff and watching movies. But literally, who dive-bombed the carrier that was Telemessage to the point where they turned themselves off. They found out that the open source code had hard-coded creds. Oh my God, please just stop. And then their infrastructure was vulnerable. They got into that. But the chef's kiss goes to the person that did the process flow and captured the video and screenshots to show that this app would take end-to-end encrypted messages from the Signal protocol, take a plain text copy of them and save it, including to destinations like your friendly neighborhood Gmail account.
Jim Love
Sweet.
Laura Payne
It's gonna be really interesting seeing what more comes out of this. I don't think anybody has ever actually admitted it yet, even though we know which account the person was added by. But I don't know whether that individual ever actually admitted to adding the Atlantic's account. So how much access did some actors maybe have beforehand? Maybe it wasn't the individual and their sloppiness. Perhaps this was actually malicious. I don't know. I'll put it out there.
David Shipley
So the story that I heard about this, and this is one of my David-time patented cheap shots at AI that Jim loves so much, but apparently an Apple autofill thing came in from a media request from this journalist, and it had the same name as another contact on this assistant's phone. And it was like, hey, do you want to update so-and-so's contact information? And he said yes. And so that was the person he intended to add to the chat, not the Atlantic reporter. So I like that story because it fulfills my particular zealotry. Before you, before...
Jim Love
Before you do the burn: Apple has been prosecuted for not being let to call that stuff that they put out AI. They've been asked legally to remove this, saying that you can't call this AI. Anyway, back to this. All these people's phone numbers are out there on the Internet. Any one of the devices they're using, personal devices, is not only probably hacked, I will say it is hacked. But once again, and we can make this political or not, we can also go back to our own worlds and say, every time an executive can overrule your security procedures and not take personal responsibility for it... I'm not saying CEOs or senior executives shouldn't be able to run a company, but they should have to go back to the security person and say, I will take personal responsibility if we change this. And I'll tell you, we've been dumping on CISOs, and we've been saying we want to take CISOs to court and we want to prosecute them. Let's start prosecuting some of these people who come in and say, no, you're just a hack, you're just an IT person, you don't know anything. Let them take responsibility fully and say, I will now personally take responsibility for the fact that if we as a corporation get hacked, it was my decision. And this is what I get back to. You can do it nicer than that, but just going back to your executives and saying, what risk are you willing to run?
David Shipley
And I just want to reinforce this: blind compliance creates insecurity. You need to look at your compliance mandates and say, is this a way to comply safely and securely? Just because it says it complies doesn't mean it's going to do it in a safe, smart way. That's not to say that compliance isn't important. Laws, regulations, contracts matter. So I'm not slamming compliance. I'm just saying don't confuse "the software is compliant" with "the software is secure".
Laura Payne
Yeah, your user requirements are not the same as your security requirements. I think the really important point out of this whole story, for sure, is that at the end of the day, all of the tools, all of the controls, all of the good things we could put in place, they are all able to be worked around by a user making a mistake, whether it's intentional or completely by error. The user who has permission to take an action like adding a person to the chat: if they add a person to the chat that wasn't supposed to be there, there is no security technology that's likely to catch that. "Are you sure?" is the best we have as a security control for that problem.
David Shipley
So we have to. That's the best way to add it. Yeah.
Jim Love
We have to wrap up but I want to leave with at least one positive story because we've been in the morass of all the things that are going wrong. Laura, you dropped in a note about the fact that we're actually doing some post quantum work now.
Laura Payne
So, for the April roundup, AWS has now released their updated libraries, or their updated services, for KMS, ACM and Secrets Manager with the ML-KEM post-quantum algorithm. The important takeaway from that is, if you use AWS and you use those services for encryption, you have access to post-quantum algorithms that you should be looking at bringing into your usage. Google had in February announced for their KMS that they were supporting PQC as well. My challenge with the previous conversations about quantum readiness was that there was nothing tangible for the majority of people to do. There were certainly lots of tangible things for people on the math side to do, and on the coding side to do once we had the algorithms established. But there wasn't anything for the majority of people, because I do not recommend rolling your own crypto. But now there are things to do. So keep paying attention. These are the first items really coming out, being ready to go, and there will be more. Get your inventory up to date, know where you're using cryptography, where you need to be ready to update to modern libraries, and get 'er done.
David Shipley
Yeah. The other thing I'll just add is that this opportunity that you just mentioned, the inventory, is also the opportunity to say, do we need this data anymore? Is this system one we want to keep? If we're going to talk about software and data minimalism... our Marie, what was her name again? Marie Kondo. While we're improving security, we can clean our house. And wouldn't that be nice for everybody?
Laura Payne
Doesn't mean you have to get rid of everything, but it has to have joy and purpose in your business.
Jim Love
So prepare yourself for Quantum. And this is a wonderful time. And this is the positive side of a competition, because if AWS announces it, everyone else will have to. So there's our positive side of competition in this industry. And the second is we get to declutter.
David Shipley
Absolutely.
Laura Payne
Organizers rejoice.
Jim Love
Yeah. Thank you, Laura Payne, and thank you very much, David Shipley. This has been a great piece, and as usual I'll have the editing of it to do, but I think we've had a great discussion. I hope the audience has enjoyed it as much as I have. And if you're out there listening, wherever you're listening (I never know when people are tuning into this, whether it's on a Saturday morning or sometime through the weekend, whenever you take in long podcasts), thanks a lot for joining us on this. Have a coffee, relax and think about cybersecurity. I'm your host, Jim Love. Thanks for listening.
Cybersecurity Today: The Monthly Cybersecurity Review – Data Breaches, Ransomware, and Critical Infrastructure
Release Date: May 17, 2025
Host: Jim Love; Panelists: Laura Payne (White Tuque), David Shipley (Beauceron Security)
Jim Love kicks off the episode by introducing his panelists, Laura Payne from White Tuque and David Shipley from Beauceron Security. The focus of the discussion centers on significant cybersecurity incidents from the past month, delving deep into their implications and the evolving landscape of cyber threats.
David Shipley initiates the conversation with a detailed analysis of the recent PowerSchool breach, one of North America's largest SaaS providers for K-12 education.
Incident Overview: PowerSchool experienced a severe data extraction attack, not typical ransomware but a double extortion scheme targeting insecure support infrastructures. The breach likely resulted in millions of dollars in ransom payments.
Impact on Schools: The compromised data included sensitive information such as bus pickup locations and teacher notes on students. This led to a chaotic data notification process affecting school districts across Canada.
Extortion Tactics: Because the data was extracted rather than encrypted, the leverage was not decryption but the threat to sell or leak the stolen records, intensifying the pressure on victims.
The panel discusses the shift in ransomware operations, highlighting a movement towards more ruthless and targeted attacks.
Ransom Demands Increasing: Attackers are now seeking multiple payments, exploiting the compromised data further.
David Shipley [02:30]: “These guys are going around from school to school telling the schools, we have your data.”
Impact on Defenses: With the breakdown of previously effective ransomware support systems, victims like PowerSchool find it increasingly difficult to negotiate or trust cyber extortionists.
A significant portion of the discussion centers on the weakening of the Cybersecurity and Infrastructure Security Agency (CISA) and its ramifications.
CISA's Role: Once the lead agency coordinating critical infrastructure security, CISA is now perceived as ineffective and undermined by political interference.
Legislative Challenges: Recent budgetary and administrative hurdles have left CISA less able to coordinate vulnerability response, including its funding of the CVE program on which vulnerability tracking depends.
The panel delves into the risks carried by open-source dependency chains, prompted by a report that a widely used Go module for JSON handling is maintained entirely by Russian nationals, with the head of the maintaining organization under sanctions.
Supply Chain Exposure: The episode does not describe a backdoor or malicious code; the alarm is that a dependency present in a large share of Go software is controlled by a single sanctioned maintainer group, and most of the software that pulls it in keeps no record of that.
Implications for Developers: Provenance checks that stop a few layers into the dependency tree miss exactly this case. Suppliers need to trace every transitive module back to its origin, keep an SBOM, and treat that as ordinary due diligence rather than a one-off audit.
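As an added illustration of the point that a scan which stops at six layers is not good enough (this is example code written for this page, not code from the episode or from any project it mentions), the Go program below walks the full transitive closure of a dependency graph in the "parent child" line format that `go mod graph` prints, reports every module a depth-capped scan would never reach, and reconstructs the chain that explains why a deep module is in the build at all. The graph and all module paths are constructed and hypothetical; the JSON parser is placed eight hops below the root on purpose.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sampleGraph is a constructed dependency graph in the "parent child" line
// format that `go mod graph` prints. The module paths are hypothetical and
// do not refer to any real project; the chain is built so that the JSON
// parser sits eight hops below the root module.
const sampleGraph = `example.com/app github.com/x/web@v1.2.0
example.com/app github.com/x/cli@v0.9.0
github.com/x/cli@v0.9.0 github.com/x/flags@v1.0.0
github.com/x/web@v1.2.0 github.com/x/router@v2.1.0
github.com/x/router@v2.1.0 github.com/x/middleware@v1.0.0
github.com/x/middleware@v1.0.0 github.com/x/logging@v0.4.0
github.com/x/logging@v0.4.0 github.com/x/encoding@v1.1.0
github.com/x/encoding@v1.1.0 github.com/x/codec@v0.3.0
github.com/x/codec@v0.3.0 github.com/x/fastjson@v1.6.0
github.com/x/fastjson@v1.6.0 github.com/x/jsonparser@v1.1.1
`

// parseGraph turns "parent child" lines into an adjacency list.
func parseGraph(graph string) map[string][]string {
	adj := make(map[string][]string)
	sc := bufio.NewScanner(strings.NewReader(graph))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue // blank or malformed line
		}
		adj[f[0]] = append(adj[f[0]], f[1])
	}
	return adj
}

// Depths walks the full transitive closure from root with a breadth-first
// search and returns, for every reachable module, its shortest hop count
// from the root and the parent through which it was first reached.
func Depths(graph, root string) (depth map[string]int, parent map[string]string) {
	adj := parseGraph(graph)
	depth = map[string]int{root: 0}
	parent = map[string]string{}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, child := range adj[cur] {
			if _, seen := depth[child]; seen {
				continue
			}
			depth[child] = depth[cur] + 1
			parent[child] = cur
			queue = append(queue, child)
		}
	}
	return depth, parent
}

// MissedBeyond lists the modules a scan that stops at maxDepth would never
// look at, sorted for stable output.
func MissedBeyond(depth map[string]int, maxDepth int) []string {
	var missed []string
	for m, d := range depth {
		if d > maxDepth {
			missed = append(missed, m)
		}
	}
	sort.Strings(missed)
	return missed
}

// PathTo reconstructs the root-to-target chain, which is what a reviewer
// needs in order to explain why a module is in the build at all.
func PathTo(parent map[string]string, target string) []string {
	var rev []string
	for cur := target; ; {
		rev = append(rev, cur)
		p, ok := parent[cur]
		if !ok {
			break
		}
		cur = p
	}
	for i, j := 0, len(rev)-1; i < j; i, j = i+1, j-1 {
		rev[i], rev[j] = rev[j], rev[i]
	}
	return rev
}

func main() {
	depth, parent := Depths(sampleGraph, "example.com/app")
	fmt.Println("reachable modules:", len(depth)-1)
	fmt.Println("missed by a six-layer scan:", MissedBeyond(depth, 6))
	fmt.Println("why jsonparser is present:",
		strings.Join(PathTo(parent, "github.com/x/jsonparser@v1.1.1"), " -> "))
}
```

On the constructed graph a six-layer cutoff never sees `fastjson` or `jsonparser`; the same walk over real `go mod graph` output is the cheap first step before an SBOM, and the path it prints is the evidence to hand to whoever owns the direct dependency at the top of that chain.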
A robust discussion emerges about the need for stricter regulations and professional standards within the cybersecurity and software engineering fields.
Call for Regulation: The panelists argue that cybersecurity should be treated with the same rigor and professionalism as traditional engineering disciplines, advocating for regulated certifications and accountability.
Professional Accountability: Emphasizing personal responsibility, they suggest that software engineers should be held accountable for vulnerabilities, similar to other regulated professions.
The episode highlights the breach of Telemessage, whose TM Signal product is a modified build of the open-source Signal client that U.S. officials, including Mike Waltz, used because it satisfies federal records-retention requirements.
Breach Details: Researchers found hard-coded credentials in the published source and exploitable backend infrastructure, and demonstrated that the archiving feature kept plaintext copies of end-to-end encrypted messages and could forward them to ordinary email accounts, so the Signal protocol's protection ended at the client.
Implications for Security Compliance: A tool chosen because it met an archiving mandate removed the property that made Signal worth using. Compliance with a records rule is not evidence of security; the two requirements have to be evaluated separately, and no control stops an authorized user from adding the wrong participant to a chat.
In a concluding positive turn, Laura Payne brings attention to advances in post-quantum cryptography, vital for safeguarding data against future quantum computing threats.
Industry Moves: AWS now offers the ML-KEM post-quantum algorithm in KMS, ACM and Secrets Manager, and Google announced post-quantum support for its Cloud KMS in February, giving organizations production building blocks to adopt instead of crypto to roll themselves.
Actionable Steps: Organizations are advised to inventory where they use cryptography (libraries, protocols, managed services and the algorithms each relies on), prioritize quantum-vulnerable public-key uses, and be ready to move to updated libraries and services as vendors ship post-quantum options.
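The inventory step above is the part most teams have never done. As an added example (written for this page, not code from the episode or from AWS or Google), the Go program below is a minimal cryptographic-inventory scanner: it runs a small pattern table over a constructed set of source files, records each primitive found with its file and line, and sorts the findings into three migration buckets, quantum-vulnerable public-key algorithms, symmetric and hash primitives that only need their sizes checked, and post-quantum algorithms already in use. The file names, contents and pattern table are hypothetical; a real inventory would add rules for certificates, KMS key specs, JWT algorithms and TLS configuration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding records one cryptographic primitive spotted on a source line.
type Finding struct {
	File      string
	Line      int
	Algorithm string
	Class     string
}

const (
	ClassPublicKey   = "public-key (quantum-vulnerable: plan migration)"
	ClassSymmetric   = "symmetric/hash (check key and digest sizes)"
	ClassPostQuantum = "post-quantum (already migrated)"
)

// rules is a deliberately small pattern table; it is an assumption of this
// example, not a complete catalogue of algorithm spellings.
var rules = []struct {
	Name, Class string
	Re          *regexp.Regexp
}{
	{"RSA", ClassPublicKey, regexp.MustCompile(`(?i)\brsa\b|rsaes`)},
	{"ECDSA", ClassPublicKey, regexp.MustCompile(`(?i)\becdsa\b`)},
	{"ECDH", ClassPublicKey, regexp.MustCompile(`(?i)\becdhe?\b|\bx25519\b|curvep\d+|\bp-?(256|384|521)\b`)},
	{"DH", ClassPublicKey, regexp.MustCompile(`(?i)\bdh\b|diffie`)},
	{"AES", ClassSymmetric, regexp.MustCompile(`(?i)\baes\b`)},
	{"SHA-2", ClassSymmetric, regexp.MustCompile(`(?i)sha[-_]?(256|384|512)`)},
	{"ML-KEM", ClassPostQuantum, regexp.MustCompile(`(?i)ml[-_]?kem|kyber`)},
}

// sampleFiles is constructed input standing in for a checkout of a code base;
// file names and contents are hypothetical.
var sampleFiles = map[string]string{
	"crypto/aead.go":  "block, _ := aes.NewCipher(key)\naead, _ := cipher.NewGCM(block)\n",
	"kms/envelope.py": "ct = kms.encrypt(KeyId=key_id, Plaintext=dek, EncryptionAlgorithm='RSAES_OAEP_SHA_256')\n",
	"pq/kem.go":       "// key exchange negotiated as an ML-KEM-768 hybrid\n",
	"tls/server.go":   "cfg.CurvePreferences = []tls.CurveID{tls.X25519, tls.CurveP256}\nkey, _ := rsa.GenerateKey(rand.Reader, 2048)\n",
}

// Inventory scans every file line by line and emits one finding per rule
// that matches a line, in a deterministic (file, line, rule) order.
func Inventory(files map[string]string) []Finding {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var out []Finding
	for _, name := range names {
		for i, line := range strings.Split(files[name], "\n") {
			for _, r := range rules {
				if r.Re.MatchString(line) {
					out = append(out, Finding{File: name, Line: i + 1, Algorithm: r.Name, Class: r.Class})
				}
			}
		}
	}
	return out
}

// CountByClass summarises the inventory into the three migration buckets.
func CountByClass(findings []Finding) map[string]int {
	counts := make(map[string]int)
	for _, f := range findings {
		counts[f.Class]++
	}
	return counts
}

func main() {
	findings := Inventory(sampleFiles)
	for _, f := range findings {
		fmt.Printf("%s:%d %-7s %s\n", f.File, f.Line, f.Algorithm, f.Class)
	}
	fmt.Println(CountByClass(findings))
}
```

The public-key bucket is the work list: on the constructed input it holds the TLS curve configuration and both RSA uses (including the KMS envelope call's RSAES-OAEP key spec), which is exactly where the newly shipped ML-KEM options would be evaluated first. Symmetric and hash findings only need a key-size review, and the ML-KEM hit shows the scanner also credits what has already been migrated.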
Jim Love wraps up the episode by reflecting on the critical discussions, emphasizing the dire need for enhanced cybersecurity measures, regulatory frameworks, and professional accountability. He encourages listeners to remain vigilant and proactive in securing their digital environments.
Notable Quotes Recap:
"PowerSchools is one of the largest software as a service providers to K12 schools." — David Shipley [02:04]
"If you're a parent, your heart just sinks." — Jim Love [05:08]
"CISA is no longer trusted and that is a crime." — David Shipley [19:14]
"You can't get the data out of the ecosystem." — Laura Payne [50:33]
"We need regulation and we need those two pieces and they're missing in this industry." — Jim Love [42:42]
This episode of Cybersecurity Today offers a comprehensive examination of pressing cybersecurity challenges, from data breaches in educational systems to the vulnerabilities within critical infrastructure and the open-source software ecosystem. The panelists provide insightful perspectives on the evolving tactics of cybercriminals and the urgent need for regulatory and professional reforms to bolster cybersecurity defenses. Concluding with a hopeful note on advancements in post-quantum cryptography, the discussion underscores both the complexities and the pathways toward a more secure digital future.