A
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack with wired, wireless and cellular all in one integrated solution that's built for performance and scale. You can find them at meter.com. Welcome. Welcome to everybody and thanks for joining us for our year end show. This is Cybersecurity Today with our weekend show, but our Month in Review show and our year end show. I'll welcome our guests. Our guests are Tammy Harper from Flare. Welcome, Tammy.
B
Thank you very much for having me.
A
I've got Laura Payne from White Tuque. Laura, welcome.
C
Thanks, Jim. Always a pleasure to be here.
A
David Shipley from Beauceron Security. David, hello.
B
Bill.
A
Also the co-host of our Monday newscast and he's been, he's actually been letting me have a couple days off over the holidays too, which I'm immensely grateful for. And John Pinard who joins us, he's John is some of you might know him, he's the head of IT operations and cybersecurity at a large credit union. But more famously, he's one of the co-hosts of Project Synapse, which is our AI show. And he's joining us as well for this show. So thank you for all of you for turning up for this. This is great. It's great to have you back this month. I want to also thank our audience and I really do. We had 2 million downloads of our show this year and we will hit. We will. We are clocking now at 2 million, 4 even in a month where we have reduced shows and we couldn't have done that without our listeners. So thank you so much to all of you for joining us. My goal next year is to become the most popular cybersecurity show in North America. And as the Blue Jays would say, we're going to swing for the fences and knock this one out of the park. So welcome to the panel. I want to go through this. I put together a theme for this and I because there's two things happening that at all, both at the same time. And I've said the theme is naughty and nice or hopeless and hope. We've seen a lot of stories in this past month, particularly that have been just depressing from a cybersecurity point of view. A lot of stuff beating MFA mostly by stealing session cookies. We've done stories on that. I did one and we were talking about this in sort of the warmup to this show. I had someone who came to me and they had found more than 800,000 secrets openly exposed on the Internet by programming carelessness. We've seen some incredible phishing attacks, including one I went through this morning, an Apple phishing attack. It was so believable, I believe I would have fallen for it, it was just so incredibly done. Fake torrents.
If you can't even get a movie that somebody sends you now by the way, it is illegal, so don't do that. But the fact is they're putting malware into torrents. It's been the most incredible time. I don't know but does everybody feel the same way?
D
I'm sorry Tammy. At first to say it just feels like the dumpster fire is extra warm this year particularly is it as we end the year with Clop is back like Eminem, the real Slim Shady of mass organization breaches. But maybe I'll see if Tammy feels the same way.
B
Yeah, so what's interesting, I just want to talk briefly about that fake torrent. I don't think this is something necessarily new because like fake torrents have been around forever. Back in the day what they would do is they would like you would download like a fake MKV or a fake AVI and they would ask you to install a compromised or infected codec or like a player so that you can play this like this weird format. And that was the virus. What we're seeing I think now is a resurgence in piracy is because a lot of these like streaming platforms are like consolidating and just the prices are keep increasing. People are like going back to piracy. It makes sense in terms of like Clop just got, just finished their first campaign on the Oracle E-Business Suite. And so they posted around a hundred victims and from the, from the rate of removal. So these are the victims that were claimed on their blog and then these are the victims that were removed from their blog. You can infer that there was some form of settlement. Now if this was a paid settlement or some other form of settlement in terms of whatever, we can't really always tell but typically it leads towards paying. There's been an about a 9 to 10% payment rate on the EBS campaign. So now what's the return on investment? So how much are each of these like 10 victims paying or 11 victims or 9 victims paying is to be determined. But it's definitely fascinating that Clop now, Clop just started a new campaign now on next hack which is targeting file sharing and targeting like FTP servers. That's their bread and butter. That's what they've been doing and but now they like before there was like a period of four or five months between campaigns. And now like they just finished their previous campaign and now they're right back into the other one. That is definitely new for Clop.
A
And just to recap on that. Yeah. Just want to go back to explaining that to the audience. There were a hundred Oracle E-Business Suite compromises. I think probably the best number I've seen. And this is, it's like the SAP or it's an enterprise software. If you compromise that, you compromise the entire business. And so that was Clop's last escapade. And you're saying about. Looks like about 10% paid them. Paid them some sort of ransom.
B
Yeah. Again, we're inferring payments because they were removed from the blog.
D
I think it's a pretty solid. Looks like a rabbit, hops like a rabbit, wiggles its nose as it eats carrots like a rabbit. They probably paid. So Tammy, I know that he like for clarity purposes, we cannot 100% prove they paid. But unless they were feeling overly generous, he wrote a really compelling Please, sir, criminal, heartless Russian gang, take pity on thou and remove my data. Oh, they just, they said it so nicely, Jim. We gave him a freebie because they're altruists. So yeah, I think it's. But Tammy, I hadn't put that together about that. They normally had a four to five month break but they're like bang back to back and that's.
A
And you did a story, David, they're back again.
D
Yeah. Now is it because as Tammy saying, they had expectations of higher payoff from the business campaign and almost like a company, like a realistic business, they launched a product, they didn't get the sales. They just launched another product to try and make up. They got quarterly targets to meet shareholders.
A
Pay you like Microsoft and Copilot.
D
No, no. Purely for you to throw in. Me?
A
No. There's a lot of stuff that people aren't selling in AI that they, that. And I'm the AI like cheerleader. But so when I tell you that the stuff isn't selling as well as people thought it might take it to.
D
The bank, I wanted to go back to. I'm sorry. Go, John.
E
Sorry, David. I was just going to say I'm curious what you guys are seeing as far as actual pay or pay that I've always heard initially people used to say, yeah, they're paying the ransom because then they'd get their data back. Then you start hearing about people that they pay the ransom but don't get their data back or they get their data back but it still gets ends up out on the black market. There was a story that I saw last night that talked about ransomware. There was a national survey that was done that said 24% of Canadian organizations reported ransomware attacks last year and 74% of them paid the ransom. I was shocked that the number was that high. I'm curious what you guys are seeing.
D
I'll defer to Tammy and then Laura and then I'll weigh in based on some data that I've seen.
B
I wanted to say yes. So it's hard. Okay. If we're talking about Clop, Clop recently is not necessarily encrypting. Right now they're just exfiltrating data off of the FTP servers and then they're dropping a ransom note. And so their entire workflow right now goes towards finding like 0 days or n days proof of concepts in terms of exploits and vulnerabilities that target specifically FTP or file shares and basically then investing that in exfiltration infrastructure and then paying for data distribution. That's what they're doing right now. That's their, their expenses. In 2023, Clop allegedly made millions of dollars off of their MOVEit campaign. So that set a very high standard for what they're looking for in terms of, and, and it showed that it's possible to, to make a lot of money off of exfiltration. But now then there was like Cleo after MOVEit and there was like a 6, 8 month gap between MOVEit and Cleo and maybe even a year I think. And Cleo wasn't very. I didn't hear the same numbers again like I didn't hear millions of dollars were made from Cleo and now again like Oracle, the Oracle EBS suite stuff again, how much are each victims paying? Oracle was actually named as a victim in this whole campaign. So and Oracle was removed. So how much is, did. How much did Oracle pay is a big question. That's a bunch of things like we have to figure out. And now like with Connect, I saw someone do a quick research article on it and it was saying there's, there was around like 200, like someone's been quickly fingerprinted. I think it was Shadowserver that quickly fingerprinted some stuff and they released, they said that there was like around 200 exposed, potentially vulnerable Connect stacks out in the open and some of them belong to like governments again. But then if you look at previous years like specifically MOVEit, Clop said that they would delete for free all government data. So I don't know if, like how good this campaign's going to be, so we'll see.
But yeah, specifically towards ransomware. Like payments are from the research I've seen, and my research is based off of Chainalysis there and where they're saying that payments are decreasing in frequency but increasing in amount. That's. And that goes towards not just ransomware, but all of like ransoms and extortion.
E
Yeah.
D
Laura, I don't know if you have any thoughts.
C
Yeah, I just. I think when you look at data in a pool like that, it's always important to look at how comprehensive the source is. So if we say it's 74% of whatever this data pool is of reporting people did pay, I think you already have sort of a biased data stat because you have a group of people who reported in the first place. And we know there's many more instances of ransomware attack that's successful than what is reported. So if we make some assumptions, which are always dangerous unless you name them out loud, but we make some assumptions, like somebody who's reporting already is in a bad spot.
D
Right.
C
They're not able to contain it themselves. They're not able to handle it on their own. Most likely there's a few good Samaritans who are going to report for the sake of numbers. And I always encourage people to report because it helps our law enforcement do a better job, but the majority are in trouble. That doesn't surprise me then, that you'd have a larger proportion of people in that population who would say, I'm going to take the gamble because I am really stuck and I'm going to cross my fingers and hope that I've got good bad guys and not bad guys and they can actually do what they promise for the money that I pay them. But I do think it's also very interesting that we're seeing this at least with Clop, this playing in the space of straight up data extortion as far as data that is being leveraged not because it's not available to the customer anymore, but just because it's damaging to the customer. That's always been a more fickle space to try to get payment. And a lot of companies just don't believe anymore that, like, you can show me all the proof you want. I don't believe you. That you actually deleted it, that you haven't shared it with anybody else.
E
Exactly.
C
Just take my losses and move on. Do my best to manage it on behalf of anybody else who is also impacted.
D
So from the data that I've seen and keeping Laura's sage, as always, points about samples and everything else in mind, I think there's some variability depending on the industry and the sensitivity of the data and the timeliness of the data. So the compelling reasons, I think to Tammy's point, there's differences in payment rates between my stuff's encrypted, I can't operate and data's been stolen. I do think an interesting point for the courts, particularly in class action lawsuits and civil lawsuits, is to stop giving incentives to pay the ransom as saying, we did everything we could, we paid off the threat actors and they pinky swore they deleted the data. Please stop doing that. Do not give any credit in a lawsuit because they paid. If anything, be like, no, that was dumb, don't do that. The data's out there. Like you don't get to push and undo or you get to mitigate at that point by, by taking the promises of criminals who've been proven time after time again to not have actually deleted the data. And what's interesting, the PowerSchool breach of course was a big one this year and fits into that narrative of everything that happened. On the positive side, Jim, the signs of hope, they got the leader of that little effort. We are seeing some really nice law enforcement wins in 2025. We're seeing not necessarily the core gangs taken down, but we're seeing infrastructure disrupted, we're seeing affiliates arrested. We're seeing really good disruption efforts. And on the theme of hope, we've been made aware through the RCMP and others of a really cool initiative here in Canada called Operation Maple Disruption. And what it was, a coordinated voluntary, private sector, public sector fraud, information sharing at scale. Like we're talking thousands of unique individuals or IOCs or data points and a real disruption of real meaningful fraud operations campaign that stretch from a great awareness raising.
And we saw leadership from BMO, RBC, CIBC here in Canada really putting a push out. JPMorgan Chase was doing like a 22 city blitz. Like there was a real counterpunch happening this year. That's awesome. And we've also seen some interesting geopolitical developments relative to Cambodia and Thailand with the scam compounds and some of the military actions happening back and forth are tied to the destabilization of these scam compounds. It's not going away. It's been proven now as a business model, it's franchised out to other continents now. But we've seen some really good wins. So I know I'm normally deep downer But I'm just going to point out the arc of this. I think ransomware payments are getting harder to extract. I think we're fighting back more harder against fraud. I think there's some really good signs. And then there's everything AI is doing to upset the table. Again, just to.
A
Before we get on to AI, you mentioned these, the story, and I don't think, I think we did a story on this, but people may not be totally up on. I did an interview with Project Shamrock and that led to understanding that they're the factories overseas, many of them in Southeast Asia. And these are people who think they've applied for a job. I don't say normal people, but they're people who think they've applied for a job. They end up getting scooped up into these factories. They're held prisoner, they're beaten, many of them are sexually abused. And those are the people who are making a lot of these phone calls and running a lot of these scams. And only lately have I started to hear. And that was you mentioning that some governments are starting to interrupt these compounds. Maybe too little too late, but at least there's some hope that some of these things are being busted up.
E
There is very encouraging that they're even starting to break down any of this.
D
Yeah. And to our point of things that we can highlight that are good this year as we head into this season of reflection, Erin West. What an awesome, amazing lady. For those who haven't followed her or met her. So Operation Shamrock found her former prosecutor. I bumped into her at a talk she gave at RSA and connected her up with Jim and they had a fantastic interview. It's well worth going back and listening to. And she's doing awesome work.
A
That interview will be rerun over Christmas as well, along with another lady who's one of my favorites, begins with T. I think you might know we're going to rerun some of my favorite shows over the holiday and that will definitely be one of them. Other stories, guys, one of the things that came up for me was just how much has been done to beat MFA. And I think a lot of us started the year and we were, I think in with good intention saying, look, you got to get multi-factor authentication. You got to do this. And I'm afraid of two things. One is I'm afraid of how sophisticated things have become, but I'm also afraid that people are going to stop believing in MFA. And I challenge myself when we do these stories like we talk about the ways that it gets beaten and I've got. I've got a story I'm going to do on an Apple hack that was that I found in, I think in Substack, and it was just like, it's incredible how sophisticated this is to beat MFA. But I don't. I want to start it with the fact that we can't let this become the message that MFA is useless. It is protective.
C
I want to jump in before David does because I know he's probably keen on this, but I'm going to borrow David's point that he often makes, which is there is no technology that is a perfect protector at all. Layers. Right? And no end technology is the single silver bullet. Does MFA protect your account against password brute force? 100%. Does it protect your account against session hijacking? No, it does not. MFA has nothing to do with session hijacking. So I think that's one of the things that I really wish cyber reporting would get better at is not saying putting these things together that don't make sense. And we've seen this many times over the course of security reporting is you mix things up. And I haven't read the latest story, so maybe there's a flavor where that is really more conflated than usual. But even I would say no single technology is the perfect protection. You still need layers and you still need to take responsibility as the human in the chair and in this world.
D
I'll jump in on that point. So there's multiple sides to this. There's the reporting side, that Laura nails, there's the industry side. And there was a reason I was vociferous in my criticism of people pushing FIDO2 and saying, we solved phishing. And I was like, my dudes, my ladies, you have made phishing harder. But this phishing resistant. I was like, and you're setting people's expectations way beyond what the tech can actually deliver because you've stopped the casual. You have not stopped a dedicated social engineer who stops and plans and thinks through the process of how to work a person. We. The first crack in MFA was the unfortunate Okta MFA bombing case. And that was that. Should have been alert. We saw some positive changes from Microsoft with using number matching and other things. And hey, maybe just push to approve wasn't the right way to do it. Great. And now with this Azure CLI vulnerability that Push talked about this week, it's my line from Ian Malcolm in Jurassic Park. He famously said, life finds a way, hackers find a way. It's literally the job description. So we have to be nuanced in our communications. And this is why I like the thing that I dislike the most of ending this year is hacker lore and just saying, oh, dear user, you only need to remember four things. And if you do MFA, you're good. No, you need to use MFA and.
A
Still be vigilant and remember we did this story. But hacker lore, just for the listeners who may not have caught every news story, is someone who had really, a cyber security professional had put out and really said, oh, stop paying it. I don't know if I'm being fair. I want to characterize them fairly. They criticized a number of things, including education. And they said some good things that, you know, that you. That some of the things we talk about, passwords, this 8 character, the 4 and 4 is nonsense. But I thought we were all past that. So many of the things they corrected were stuff that I think is history. But the more that you try and go, you don't have to worry about this stuff. I think you have to be very careful as a cybersecurity professional when you start telling people not to pay attention to things, particularly training. Because I'm. I know this is your business, David, and probably most of you believe this as well, but I think that people who are skeptical and curious are our best weapon of all.
E
Two things that I wanted to add. One is that regardless of what technology you put in place to protect you, whether it's MFA or FIDO2 or any of those, to me the weakest link is still the human. It's still the person sitting at the keyboard that is opening an attachment or, you know, any of those things that it. And that kind of leads into your comment, Jim, about the training that we. I won't get into the numbers, but we just did a phishing campaign recently at work and we do them on a regular basis and we're making them more and more realistic as we go along. And I can tell you that the results of this last one were horrific. And it's because people are busy. They get an email, it's got an attachment. They quickly click on the attachment and by the time they have time to think, oh my God, what have I done? It's too late. I used to work at a retirement home company in Canada, and this is probably 10 plus years ago where somebody in the accounts payable department received an email that said, please pay the attached invoice immediately. It happened to be a zip file. They double clicked on it and before you could say, Adam, they had encrypted everything, not only on their computer, but on every single drive that they had access to. The only saving grace for us was the fact that this was in the early days of ransomware. And so the attackers weren't all that smart. So we were able to recover from a pre from and this was a Monday morning, we were able to recover from the weekend backups, but they've gotten smarter now they'll infect all your data and let it get backed up so you can't recover from the backups.
D
And to be clear, like, it's always going to be a layered defense. I will never be the person that says just train your people and you don't need an email filter or you don't need MFA or you don't need those things. And the awareness industry, I have yet to find anybody. If dear listeners, you find anybody in the awareness industry saying awareness is all you need, I will happily jump on LinkedIn and give them a talking to. But reality is, it isn't. But on the other side, I'm still running into people. I ran into one earlier this week on LinkedIn who's stop doing training and phishing simulations. Here's this study that shows they don't work. And I was like, no, just use MFA instead of it's never either or. And Jim knows that. This particular study that gets under my skin. And for listeners who are following, we've done a number of stories about this and we've had Michael Joyce on from the University of Montreal and sharing research results that show, hey, training can work, but there are limitations and there are bad ways to do training and there are bad consequences for things. But also, email filters don't stop everything. In fact, one thing I can share as we head into the new year, huge surge in phishing in the last 30 days. Now, we typically see a big sort of end of year push, but even at my own company, the amount of phishing attempts targeting us and you think bold move targeting a company that literally is in the space. But hey, it was up 100% compared to the previous 30 days and the amount that got by our email filter hit almost 1 in 10 through it does matter. There, there are impacts and AI much as the industry overhypes certain things. And I think we're approaching that point relative to deepfakes. I don't think that every SMB needs to worry about their CEO being deepfaked. That's a lot of compute. That's a lot of things.
There are some industry vendors who are pushing right now and I'm like, that's not the biggest threat they need to be worried about. Sure it's important to know the overall thing, but email man, still the way.
E
Yeah, I actually saw, I can't remember the name of it, but I actually saw a tool last night that somebody was showing to create deepfakes. Which is frightening at how easy and how accessible it is. But I agree with you. I think that the traditional ways of getting in through email is probably still the biggest threat to anybody. And back to your comments about training. Training is not the be all and end all. But just because it's not the be all and end all doesn't mean you get rid of it. I think email phishing campaigns to me are right up there with disaster recovery tests. You hate to do them, but you still gotta do them. And that's what's gonna tell you whether you've got any weaknesses.
C
And I think the real poison pair here is people adopting I'll call it naive AI agents as they assistant. We think it's easy to trick people. It's trivial to trick most implementations of AI assistants at this point. We need security awareness training for AI. Apparently, yeah, it's the same problems but exacerbated because they just behave naively. And we already see this with calendar exploits and we talked about that in the November one as well. And again, email is such an easy vector. It's so hard to turn off, it's so hard to filter effectively. And it really does rely on those last stops of protection of the critical thinker just being careful. And we're seeing more and more that people are giving that away, believing a new tech myth, which is that the AI will take care of them.
D
And probably the most important research this year that we've talked about when it comes to AI and social engineering is that University of Pennsylvania and Robert Cialdini's study, Call Me a Jerk. And if you haven't taken a look at it, it is readable by the layperson. It is worth looking at. The TLDR is that social engineering techniques proven to work on humans work just as well, if not, to Laura's point, even better on AI. And while we sometimes throw technical terms in like prompt injection, everything else and there are some nuance in terms of character manipulation and other things you can do in prompt injection. Most prompt injection is just simply social engineering the AI and telling it do this thing. So I have big, big concerns about where we're at in the in the AI mad race. And I think Jim, maybe I'll kick this open to everybody else. Probably the thing that floored me the most was, and I'm still thinking about this is the research that recently came out about IDEsaster. So Ari Marzouk had just this damning series of 30 like Whammo vulnerabilities all tied to IDEs. And what really made me sit up and think about this wasn't the fact that a piece of software could have a lot of vulnerabilities. It's that IDEs were never designed as a tool to think about how automated agentic actions would interplay with this. That's where we always crash and burn in cyber is at the intersection of new approach. But a tool that was never designed.
A
For that agentic AI though. And this is one of the things that we have to cope with. It should be a no brainer to think we're putting something in that can take independent actions. And Laura said we should train the AI partly in humor, but you wouldn't put an employee behind a computer keyboard and tell them nothing and just leave them there so that they could keep typing. And that's when an uncontrolled agentic AI is exactly that. It's unvetted. It's unprotected. And that's a huge problem. Now the one piece that I will say is the reaction to that cannot be ban AI. It will not work. It never has worked. You will just get shadow AI. But we've got to start giving people places to play that are safe and to learn and to try things out that aren't our production systems.
E
Just a thought and quite frankly go back to the good old days of just regular traditional programming that you'd never write a program and just throw it into production without testing the hell out of it. And that included making sure that it was safe and secure and all the rest of it. But yet we seem to be doing that all over the place with AI.
A
The answer though, John, is in the current world they are throwing programs up that aren't tested. It's why we have major crashes. This idea that, that run fast and break things. Yep. And I'm, I'm a big believer in, in getting a productivity level that we could, that I think it has suffered from lack of productivity and I think that's something that I've been a big proponent of. But you don't make productivity by behaving stupidly. You make productivity by getting closer to the business user, by doing, by, by removing the waste in the process, not by saying just do it faster.
E
Yeah. And you don't cut corners by, by eliminating worrying about security when you're building things, security's got to be built in, not bolt on. Because when it's bolt on, it never fits. Sorry, Laura.
C
It's okay. I see. I think the other thing we see though is making a mistake as far as transposing the idea of launching code with the idea of launching AI. Because as much as we want to think about it as this kind of contained, fixed, I pushed it in production, it will behave as I expected when I tested it. Which is generally true of code. Not always true, but generally true. But we know that AI models don't work like that. They are models that actually behave and respond in tandem with the inputs that are received over the course of time. And even with as much guardrailing as you try to put around them, which a lot of course cases are not actually really put around them, they do respond and grow just like employees. But on the flip side, you can't fire your AI. There is a big problem with consequences for bad action. There are no consequences you can inflict. Short of shutting it down, but it doesn't have feelings and it doesn't have a family to feed. And there's like, there's this whole kind of complex where does the buck stop? And even if you say, okay, it's attached to whichever human authorized it, what if this is a group developed AI, it's group trained, it's been approved and signed off by some executive to go forward. Are you firing the executive because somebody three layers down didn't quite understand the guardrailing properly? Like you don't see that in code. It's probably not going to happen in AI.
A
But I will say that when the recent story we did on the person who took Gemini connected that to their machine and thought, I can become very efficient if I could just get it to. To delete cache files and things like that. When it deleted all their files because it gave. Because he gave them access to all those files to delete. Gemini, to its credit, did say that it had been a bad person or a bad AI.
C
It apologizes. That appeals to people. It can parrot apologies as well as any four year old who's told apologize now.
D
Yeah, except this four year old has the emotional depth of a psychopath. As in it just. It simulates emotions and it's a four.
C
Year old's not sorry when they just did that thing and they've been yelled at by an adult to say they have to apologize and shake hands and Move on. Like, there's no sorryness to it anyway.
D
Sorry, Tammy, in your world, in the threat world, like we've been talking about AI and all the disruption and bad code and haywire and all those things, but from what you've seen last year, what's changed, if anything?
B
Yeah, threat actors are getting, are using it more. Right. Also I seen. Because it makes the, it lowers the. And this is something that I've seen. It just applies to everything. But with AI, it lowers the bar to expertise. Right. And it low. And it doesn't mean that because you have access to something that can give you like a lot of code, even if it works, that it makes you an expert or actually like good at something. I'm seeing a lot of threat actors spin up forums that are vibe coded and like DLS sites like dedicated leak sites that are vibe coded and it works like. Yeah, okay, so like it makes, it allows like lower skilled threat actors to hop into the. What was previously a level or two above them and now they're operating at that. But again, they don't have the experience to operate at that level. And so there's a lot. They're making more mistakes, they're getting caught, they're fumbling a lot more. It's that over reliance on, on artificial intelligence to, to help them navigate the, this new world that. Because they think it's going to be easier, but it actually opens them up to more OPSEC errors and it leaves them open to issues. Another thing that I find really interesting is that not only does it allow people to do stuff, but it allows other user, other threat actors to help them. Like we, the first thing we thought we were going to see was like polymorphic AI that would rewrite malware on the fly. But that's not going to happen for a while because it's not necessarily like we saw one research proof of concept that was flagged by ESET earlier this year, but that turned out to be like a student project, like a research project. And like it was like it was phoning like Ollama servers and it was like creating these like Lua commands to help it like spread and escalate privileges and all these things. But again like it needed access to call either a local Ollama server or a remote Ollama server. And without that, like it wasn't going to be able to do anything.
And it came with a set of instructions that made the original payload almost like a gigabyte. So it's not efficient. But I'm. The way I'm seeing it mostly used now, besides all of these like concepts, is it's very effective at phishing and it's very good at social engineering. It's helping threat actors negotiate, and negotiate. What I mean is not necessarily giving itself like legal or tactical advice but more on just like obfuscating and like replacing machine translations. Before there was this method of, and this methodology of, trying to figure out in game the person that you. It was more of like a one on one, like in my, one of my favorite animes, Death Note. But now it's really. Now it's like you don't necessarily know what you're talking with, an LLM, and you might have an idea but at the same time like this. But it's never just the LLM that's taking care of all of the negotiation. It's like always assisted and it's used to hide like markers or things that can. People could skip, could reveal opsec. So like hours of operation or style. It could fool like stylometric analysis really well. So all these things are weighing in. So the combat area, like I'm saying, like our enemies are evolving. We have to evolve and we have to get. We have to not just play catch up to their techniques but we have to also innovate, like threat intelligence researchers. We have to start really thinking like criminals and trying to see like where are they going to go next.
A
I think that somehow that's brilliant. I mean the idea that we're always on defense, we're always on our heels, it feels, and maybe at some point there's. Maybe we should be thinking more aggressively about. I wouldn't call it attack, but at least some of the things you've talked about. One of the strategies that you talked about mid year that I thought was really brilliant was in sowing discontent in these groups and turning them against each other and really taking psyops against them, which I thought was a brilliant technique and maybe we need more of that.
D
Yeah, no, I always learn, I always learn from everybody else on the panel. Whether it's words of wisdom from Laura that always leaves Gemini just nodding our heads or Tammy's just extraordinary depths of knowledge on the deep dark web and the criminal gangs. And I think Tammy, you're 100% correct, like Benoit and the gang at University of Montreal and the brilliant criminology team are really showing the value of these different disciplines and ways of thinking and working through this problem. And John, same as the experience, actually running the IT shop for an organization is great. One of the things to John, to, to Jim's sort of themes, I would ask what's one thing that kind of just really frustrated you for 2025 and what's one thing that gave you hope? And I'll save mine for the end. But I'm curious, maybe I'll start with John and see.
E
Oh, the fear is just that it's. They seem to be coming out of the woodwork everywhere. That does not seem to be. There's no reduction in attacks. I think one of the things that gives me hope, I guess partially anyways, is that we're starting to see more, at least publicly, we're starting to see more involvement from the government, a recognition that they need. There needs to be something done. I don't know whether we'll get to where we need to with the help of the government or not. I think it's still going to require businesses to, to take the reins. I think, I think the more that everybody talks about it, the more it's, the more awareness there is for everyone. And this is going to take a, the whole. It takes a village to raise a child. This is going to take a village or a country to help to protect the country and the businesses within the country against these attacks.
D
Laura, any? What's the thing you want to shake your fist at or that gives you fear on the negative side, and what's the positive side?
C
No, I think my biggest disappointment, at least maybe it's just because it's the most recent one, but would be the reporting that OpenAI has decided to disclose ahead of time that they know their next model is going to significantly advance capabilities for attackers in the cybersecurity space. Thanks for telling us ahead of time. But instead of doing it in the right order, which would be giving better tools to the defenders first, and Microsoft is, it will have a tiered program for people who are vetted and we know they're defenders. I'm like, okay, so cash grab, really? I just find it so frustrating that some of the people with the most ability to influence for good are, they just continue to disappoint in positioning themselves as being financially motivated. And I know it's a business and they are trying to pretend they're making money and nominally somewhere along the way all these data centers have to be paid for somehow. I think we have no concept of the cost that this technology is unleashing on us. But for the leaders in that space to say, yeah, you know what? We know it's going to be used for bad, but. And more bad than good, but we're just going to release it anyway. Buckle up.
A
Yeah.
D
Okay, so where's the whole joke?
A
If it was only just money. If it was only just money. But this is the ego of. Of several people who can't lose. And we got the early model from OpenAI, which was wonderful, but it's six weeks ahead, which means something got sacrificed to bring that model out so that they didn't look like fools because Gemini had been launched. I've said before, one of the things. Don't. People don't. People might think of this in what they've seen in movies. Gordon Gekko, greed is good and all that sort of. That's not the meeting you have. The meeting that you have as you. When you're the person in charge of security is you sit down with somebody and the executive says, this can be really awful for our share price. We don't want you to be. We want you to be safe. We don't want you cutting corners. But, gosh, it could be awful for your team and for our. For a lot of people who depend on us for their living. And how do I know that? I've had that speech made to me. And so it's not. It's never evil. It's the banality of let's. We'll just skip a few weeks of that security piece. And that's a tough. I totally agree with you. It's a scary thing right now for.
D
Me, competitive pressure with this AI race is the moral equivalent of I was following orders. And it's a. It's an abject abandonment of individual and corporate responsibility. But I want to go back to Laura. Laura. So obviously I agree with you on the negative on that one. Hope, any?
C
Maybe I'm channeling David's negativity, but my hope is that this bubble will burst sooner than later and that rationality will prevail. So it'll have to slow down because the investment will no longer be at the rate it is right now. Right now there's this delirium of cash, good money following bad into this space. I find the technology is exciting and it is interesting, and it could do some really amazing things. So it's not to be anti AI, it's to say, can we just take a moment and maybe try to do it in a better way? But anyway, that's my hope, is we know there's going to be a reckoning that more money is coming in than the business model supports. So if it could just hurry up and get here a little sooner so we could get some sanity. That would be great, by the way.
D
For everyone's stock market portfolio. David and Laura's sincerest wish for 2026 is no BNO, but we'll be better off for it in the long run.
C
And move into some blue chip stock. I'm not a qualified advisor.
D
Yeah, okay. But, yeah, for the purposes of Canadian financial security regulators, we are not advising you to do anything with your money.
A
The one question I would like to leave everybody with, though, is what are you going to be doing next year? What people should be doing next year. I've talked about my hope, and what I want people to be doing is, AI is not going away. Find places for people to express that creativity and play with it that aren't on our networks. Teach them to do the things that are simple, that can help them be more productive, and focus on that. Because if you tried the doctor. No, it's not. It's just. It's never worked. It's never going to work. So my hope for next year is that we'll use the simple things and find places for people to play and try things out. If AI won't take a breather, we can.
D
Yeah, so I will. One of the things that I'm going to take a piece of advice. I came across this amazing video from a sociologist professor in the U.S. Her name is Tressie McMillan Cottom. And she was interviewed recently about how AI is being forced down the throats and how, as part of the power dynamic, people are saying, it's just, it's done, it's over, it's decided, this is the way the future is going to be. And her point is to say, no, it's not decided yet how this is going to be. I get a voice. We get a voice into this. Then this isn't to say AI good or AI bad. It is to say, no, tech bro. You are not setting the rules exclusively for how we're going to evolve this technology. This is going to be a shared experience. And maybe as a society, we will decide to put boundaries and guidelines and responsible use and obligations and all of those things on this. But the one thing that probably Jim and I can agree on is the future of this technology. The future in general for us is not a settled matter. It is the most unsettled it has ever been. And we all have the right to have our say in that future. Do not surrender your agency in 2026 to the tech bro saying, there's nothing you can do. Garbage. You can get informed. You can learn the technology, you can see where it benefits, you can see where you don't like it. You have lots of agency in 2026, and if that agency included, as Jim says, taking a break, walking away, getting a breather, this is not settled. The future is not written. There is no fate. But what we make would be the line. I would quote Sarah Connor very in a circular way on this.
E
I think for me, for next year, a couple of the things is AI is not going away. I think we need, from a corporate standpoint, we need to figure out where it makes sense to have AI versus where it doesn't, because it's not soup to nuts. But I think before we go too far into it, we also need to make sure that we have increased our security measures to protect ourselves against what might happen with the use of AI. And then I think the other thing to me is the whole training piece is going to, training, phishing campaigns, somehow being able to show people what can happen if something goes wrong, whether it's AI driven or not, to make them aware. The. The best way to get people to stop doing things wrong is show them what happens when it goes wrong. So I think those are the big things for me for next year.
A
And Tammy, what's going to happen for your hopes and what we should be doing next year?
B
So I just wanted to say this first, is that as companies move to and replace people with AI, like we were even seeing this now, there's some really smart people that are getting laid off. And once it gets to a tipping point, some of these people are going to turn to cybercrime, right, to pay the bills, to just survive. And they're extremely smart and they know exactly how to do it. And they know how to do it well. These were the people that were defending us and now they're going to be the ones attacking us. And I want, like, it's really sad. That's going to be something that is going to happen. But what I want to do is I want to see more programs that can help people like that, and hopefully the job market can survive this change. But what I want to do next year is I want to. It's really not about tech. It's more focusing on my friends and family and looking at how I can build out my, like, human to human, person to person community better. Because that's going to be the ultimate network that you're going to have to rely on. And that's what I wanted to focus on.
D
Powerful. Wow.
A
I don't think I'm going to say anything after that. Anybody else got anything?
C
Because I. I'll springboard one lunch or one point off of Tammy's awesome point there, which is I think we have huge opportunities to make good use of terrible tools like social media. So if I talk about Tea and Consent, a lot of people know what I'm referring to. We need those kind of videos for critical thinking and media awareness and security. So I hope more of those kind of things will be developed and shared and just start to again. Humans are incredibly adaptable, so I will actually get hopeful here. We're incredibly adaptable if we leverage that human connection we have with each other and, and build into our social conscious awareness, our culture, this ability to think critically. We can discern between that's a funny fake cat video and that's a funny fake scam video and, and just learn to enjoy the little things.
D
Well said.
A
Yeah. One of the things I like to leave everybody with is a story that I'm hopefully I'm going to run in the next day or so. Be proud or probably early in the new year. And that is when you look at it statistically, we think that social media is a cesspool. And it is. And we think that a lot of the things that are happening on the Internet are terrible, but we forget that it's a loud minority and that people really are basically pretty decent. And if we lose that, we really do lose something. And I'd like to extend that to people in cybersecurity as well, as it's really easy, especially when you're going to lose your Christmas Eve because somebody overseas is doing something. And it's easy to get upset about this stuff. But one thing I wish for all cybersecurity professionals is compassion. And that is that we never lose that sense that we're dealing with humans. And I'm not criticizing. We say things like people are the weakest link. We say things like alt. And I know we don't mean that intentionally, but I hope that our compassion for each other is something that we can look forward to, because I think it's important. I still say that the protection is a curious employee who asks, should I do that?
D
There's a line from the Superman movie that just came out this year and I loved it, and it was kindness is the new punk rock. And wouldn't that be an amazing 2026, in an age when selfishness, when me first is the dominant in so many areas. A little bit more kindness, a little bit more compassion, a little bit of that E word, empathy, in our industry. How amazing is that?
A
Absolutely. That's our show, folks. Thank you so much. Thank you to our panel and we'll be back with you again in the new year looking at the new challenges. I want to thank Laura Payne from White Toque, Tammy Harper from Flair, David Shipley. I'll never forget Beauceron and my, my, my coffee. And John Pinard, my co host of Project Synapse. So thank you so much and thank you to the audience. As I said, I started this out saying we'd hit. When I first did these shows, if we got a thousand people or 1200 people listening to an episode, it was a big deal. And we're now at 2 million downloads for the year, which, if you do the math, is more than 10 to 15,000 people per episode. And my goal for next year is to make that even bigger and expand this community. So have a great Christmas. I hope that you get at least a couple of days off before the phone rings in the middle of the night. And to our panel, thank you so much. Great to have you.
D
Take care, everyone.
E
Take care.
A
We'd like to thank Meter for their support in bringing you this podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular, to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity. They design the hardware, the firmware, build the software, manage deployments and run support. It's a single integrated solution that scales from branch offices to warehouses and large campuses to data centers. Book a demo at meter.com CST. That's M E T E R dot com CST.
Podcast: Cybersecurity Today
Host: Jim Love
Guests: Tammy Harper (Flair), Laura Payne (White Toque), David Shipley (Beauceron Security), John Pinard (IT Operations & Cybersecurity, Credit Union / Project Synapse)
Date: December 20, 2025
Episode theme: Reflecting on the major cybersecurity threats, resilience, emerging trends, and lessons learned throughout 2025.
This year-end special gathers a panel of cybersecurity leaders to dissect the significant events, trends, and lessons from 2025. The conversation ranged from ransomware’s evolving tactics, the effectiveness (and limitations) of technical defenses like MFA, the growing influence of AI on both attack and defense, law enforcement successes, and a candid look at the human and ethical dimensions of cybersecurity.
The show’s central question: Was 2025 a story of hope, or of hopelessness? The panel weighs major breaches, new attack techniques, industry wins, the challenge and promise of AI, and what defenders need to keep doing as the threat landscape evolves.
“It just feels like the dumpster fire is extra warm this year, particularly as we end the year with Clop back like Eminem, the real Slim Shady of mass organization breaches.”
— David Shipley (03:27)
“We did everything we could, we paid off the threat actors and they pinky swore they deleted the data. Please stop doing that … Do not give any credit in a lawsuit because they paid. If anything, be like, no, that was dumb, don’t do that.”
— David Shipley (13:11)
“We are seeing … not necessarily the core gangs taken down, but we’re seeing infrastructure disrupted, affiliates arrested. We’re seeing really good disruption efforts.”
— David Shipley (13:11)
“No single technology is the perfect protection. You still need layers and you still need to take responsibility as the human in the chair.”
— Laura Payne (18:49)
“Just because [training is] not the be-all and end-all doesn’t mean you get rid of it … It’s right up there with disaster recovery tests. You hate to do them, but you still gotta do them.”
— John Pinard (26:32)
“It lowers the bar to expertise. … It allows lower skilled threat actors to hop into what was previously a level or two above them. But again, they don’t have the experience … They’re making more mistakes, they’re getting caught, fumbling a lot more.”
— Tammy Harper (34:54)
“[Agentic AI] is unvetted, it’s unprotected, and that’s a huge problem. Now … the reaction to that cannot be ban AI. It will not work … you will just get shadow AI.”
— Jim Love (29:55)
“What I want to do next year is … focus on my friends and family and looking at how I can build out my human-to-human, person-to-person community better. That’s going to be the ultimate network you’ll have to rely on.”
— Tammy Harper (49:09)
“Kindness is the new punk rock. … In an age when selfishness, when me-first is dominant … a little more compassion, a little bit of that e-word—empathy—in our industry. How amazing is that?”
— David Shipley (52:54)
2025 saw both immense new risks and sparks of resilience. The year’s biggest lesson: the only losing move is fatalism. Layer defense, leverage curiosity and compassion, keep people at the center, and refuse to cede the future of technology—and connectivity—to either criminals or reckless innovation. The panel urges the cyber community to carry hope, assert agency, and build connection into 2026.