B (10:06)

Hold on.

A (10:07)

We're just blowing out all the copyrights today. Yeah, it was Fat Joe. Terror Squad. I knew. See, don't try to question me on early 90s hip hop. All right, Lean back, lean back. Okay, and then do me a favor. After you're leaning back, I need you to relax and just close your eyes and let the cool sounds of the hot news wash over you in just an awesome wave. I will see you at the mid roll. Hero culture is still distressing, bro. I was so geeked up about getting the 311 song dialed up this morning that I forgot to fix the podcast. Nothing to see here. Everybody can continue to sit back and relax. I will be the one who's not relaxed on one second, bruh. As you were. From the CISO series. It's cybersecurity headlines.

B (11:09)

These are the cybersecurity headlines for Wednesday.

A (11:12)

All right, we're going to issue a policy exception to Poner Joe. He can sit back and relax, right? Poner Joe, use that recline button. But he is driving, so let's not have him close his eyes. Unless you're going to be like Bill Murray and Groundhog Day where he lets The Groundhog Drive.

B (11:29)

March 11, 2026. I'm Rich Trofalino. Oh, NSA and Cyber.

A (11:34)

I'm sorry, Dream Logic and Everybody International 3 11. Today is March 11, right? The day is 3 11. There is a rock and roll band from Omaha, Nebraska that was big in the 90s. I think they came out around 93, 94 called Three Hundred and Eleven. They're still around, but they're terrible now. They did not age well like Red Hot Chili Peppers or Metallica, Rolling Stones. They, they came out with several amazing albums. I, I was a huge fan. Okay. Like my handle gaming handles Jerry guy 311. Okay. And after they released an album called Sound System, which was great and then everything after that is absolute hot garbage. So. So if you're interested in learning about great music, I would cap it from 311 Music, which is their first album technically studio album to Sound system command head confirmed.

B (12:24)

In a rare floor vote, the US Senate voted 71 to 29 to confirm Army Lieutenant General Joshua Rudd as the head of US Cyber Command and Director of the National Security Agency. The post had been vacant for almost a year with Lt. Gen. William Hartman serving in an acting capacity. Rudd currently serves as the Deputy Chief of US Indo Pacific Command and previously has held jobs in Special Forces leadership. He has no prior experience in signals intelligence or cyber operations. Rudd will continue the dual hat leadership of Cyber Command and the nsa, with the record sources saying President Trump told aides he settled on a clean 18 month extension for the leadership format. Senator Ron Wyden called for the floor vote as part of his opposition to Rudd's nomination and citing his lack of experience and vague answers about using the NSA surveillance tools for warrantless spying on U.S. citizens.

A (13:16)

Okay. I don't know how you have vague answers to like surveillance on US Citizens. That seems concerning. But, but this story, this story doesn't like this doesn't make a difference to you. And I like for the most part. Right. I mean maybe you are, maybe you are working in some like forward operating base or something or you are, you know, tightly coupled with nsa maybe. But I would say on balance, the greater simply Cyber community membership. This story is like interesting, but does not modify anything. Now what I do want to point out is Lieutenant General Joshua Rudd is taking over the command of NSA and Cyber Command. Now, he has no prior signals intelligence, but he did. It's. It said in the story that like he was involved in commanding a special Special Forces unit. Okay, listen, I'm not saying that you could put Me in charge of a movie theater and I would crush it. Or you could put me in charge of a financial services company or I'd crush it. But, but what I would say is from my limited experience in business and watching some of my, you know, friends and family run businesses and stuff, what I can tell you is normally if you're really good at leadership, it doesn't matter if you're in charge of a. Oh my God, what do they call those things? Oh my God. There's like this rolling shaved ice truck that comes to my kids school every other Friday. Oh my God. It doesn't matter if you're an ice cream, running an ice cream truck thing or a video game company. Leadership is putting the right people in place and enabling those people to be successful. So I'm not super sweaty about this guy not having cyber experience. Like I don't need Lieutenant General Joshua Rudd to hop on a keyboard and hack through Napster to reroute and you know, ping off a satellite. Right. I'll leave that to the nerds. Right. Like us. But you know the tech surveillance thing, I don't know. Here's all I would say about this. Number one, they voted 7,129. So that's cool. Number two, Guy, we haven't had someone in the position for like a year in, in case. Kona Ice. Thank you very much. Code Brew, South Carolina, own Kona Ice. Yeah, Jim Wales is in here. Yeah, so Kona Ice. Final thing I'll say about this guys. We, we are at war. Like I don't, like people are mincing words. There's people in high positions or like we're not at war, they're at war. Like it's. No, I mean like we are straight up in a war right now. So by the way, like we have, you know, we're, we're running military operations in Ecuador also effective today. So my point is when you are in a, not a peacetime era, having somebody in charge of NSA and Cyber Command is, is pretty important to me. That's a capability that I would like full access to if I was a N nation state and wanted to be able to utilize all of our resources to effectively, you know, win whatever conflict it is that we are currently in. Whether I agree with it or not, I don't, you know, it just so I'm not surpr. Basically I'm not surprised that this guy got hired. Okay. The good news is I haven't heard any type of like sycophant, you know, rhetoric coming out of this guy. In fact, I haven't heard jack squat coming out of this guy. So military man, you know, obviously Timothy Ho was the prior guy who got fired because he believes in dei. But like, this story doesn't affect any of us.

B (17:06)

Russians targeting encrypted messaging app users. The Netherlands Defense Intelligence and Security Service and the General Intelligence and Security Service published details about a campaign by entities tied to Russian state actors targeting users of signal and WhatsApp. This didn't crack either app's end to end encryption. Instead, Dutch intelligence saw Signal users targeted by people posing as the app's support team, warning specific users about data leaks and trying to get their PIN codes. These codes could be used to register a new device and intercept new messages. On WhatsApp, the attacks tried to trick people into using the link device feature to gain access to all messages opening.

A (17:45)

All right, so I can't speak to WhatsApp, but I can talk about Signal, right? So they're both, they're both messaging apps, okay? If for me, for my money, quote, unquote, Signal is the one to use. I use Signal. I recommend everybody in this chat use Signal. Signal is as secure as you can get. Now because the technology stack is secure, social engineering is really the only attack sequence that can help an adversary get into your signal. And because Signal allows you to connect multiple devices, right, I have Signal on all my computers and my phone. I get a new tablet or phone, I can link in my signal. And one of the security features is that you don't get historic history of chat, right? Like you get, you start getting the chat the second you join. Now I was unaware that there is a history ability to, you know, basically play back the history of the chat. Super valuable from an espionage perspective. Also super valuable from an integrity perspective, right? Because if I can, if I can trick Gary Sturgiatis. What's up, Gary? If I can trick Gary to like, you know, let me connect my phone to his signal. Well, now I look like Gary on in Signal, right? I don't look like Gary at all. Gary's big and burly and has a phenomenal beard. And I, I, I have like, you know, I have more of your, I have more of your Silicon Valley nerd beard. But anyways, on Signal, I could then look like Gary and say, hey, you know, send 5, 000 burritos to X, Y and Z or don't send the troops or whatever. They, they are not targeting me and Gary though. They are targeting high ranking military officials who have been directed to use messaging Apps for secure communications. And I'm not going to bother to pull it up on stream, but trust me, there was a, an order that came out last year because China was all up in the telecommunications back when salt typhoon was getting ham all over US Telecom equipment that either SISA or the executive office came out and was like, you've got to use messaging apps for secure comms. We've seen multiple screenshots of like Pete Hegseth sending Signal chat. Like, again, for better or worse, like noting, what was that operation? Midnight Hammer. Oh my God, don't you know what I think? I think that operation was called Midnight Hammer and like his wife was on the group chat, which was kind of weird, but like, also as a side note, don't Google Midnight Hammer because I don't think that operation is the first thing that comes up. You know what I mean? Okay. All right. So anyways, the Dutch is warning, this TLDR signal is a very secure messaging app. However, it is not completely secure in the utility of it. And this is actually something that two things, two things I like to give you guys. Again, I like to go beyond the headlines, beyond the value and give you like, the lessons learned that you're not going to get in a classroom. Number one, you can use Signal. You, you can use it. It's secure. I love Signal. I'm all about some signal. But just know in the world of grc, there are technical risks, operation, I mean procedural risks and human risks, adversary, like administrative, operational risks. Right. So the signal is secure on the tech stack side, but, but it can be compromised via social engineering and human like fault. So don't think that this thing's bulletproof. You don't get to just go yolo. You do have to practice. Good. So what I'm trying to tell you is educate your executives. If they are using Signal, if they are doing secure communications, don't ask them to tell you why. Like what, what kind of naughty stuff are you sending? What kind of salacious things are you doing? Don't, don't get into the bits and bolts. Don't go above layer four. This is a really nerdy joke for, for the nerds in chat. Don't go above layer four. Okay? You don't need to know what's the data. You just need to tell them, hey, the signal engineer, no one's going to contact you and say they're troubleshooting your signal, period. Full stop. That's the message. That's it. No one's going to contact you and, and say they're from help desk or IT support for signal. Okay. All right. Also, if you'd like to weigh in, if you are a 311 fan, it is March 11th here in the United States. Well, I guess it's March 11th everywhere, maybe not Australia. If you want to weigh in on your favorite 311 album, if you have one, please do. Casually Joseph is saying 311311 is his favorite I think in transistor. I'll reveal mine at the mid roll.

B (22:53)

I rolls out Vulnerability Scanner it was big news when Anthropic rolled out vulnerability scanning in Claude code and so it's a big deal when OpenAI did the same now with Codex. Codex Security was previously known as Aardvark in private beta testing since last year and now available as a research preview to ChatGPT Pro Enterprise business and EDU customers. In testing, OpenAI said it found over 10,000 high severity issues with Codec security, including in widely used projects like Chromium, Open ssl, PHP and gnutls. Anthropic's announcement had stock market implications mostly. If that becomes part of the story with Codec security, Finn's all right, dude,

A (23:36)

you ever tried to hold back a. You ever tried to hold, you know, like you go to the beach and the waves are crashing. You ever try to hold back a wave and you just get bamboozled? That's what Open AI is doing. There have been multiple attempts in the past to, you know, basically publicly disclose vulnerabilities of software. Obviously CVEs and bug bounties are one way that that happens. But back in the day, Mudge from the loft crew, Peter Zapko and his wife Sarah, they actually tried to put out a lab called citl. It was like a, supposed to be an independent testing lab to test software and give like, basically like the nutrition facts of what was in that software and how vulnerable it was. It ended up shutting, get shutting down. And I think it was because like they were being, I'm, I'm speculating here, but I think it was because, you know, the, the company's lawyers got lawyered up and was like, oh, you can't put this stuff out. So OpenAI is just straight up steamrolling with a vulnerability scanner that's finding hundreds of critical vulnerabilities in software in the last month. So the sheer volume of what they're finding is amazing. So this does have implications. Okay, so there's two things here. Number one, this is awesome. This is awesome for us as, as people who are tasked with protecting organizations like you and I are to have software that's just, you know, written by humans and has faults in it. And then there's zero days and you've got exposure Windows and you got to do Patch Tuesday. Yesterday was patch Tuesday, right? Ah, you gotta. Patrick. So to have Open AI doing this is wonderful. Now, two things to point out here. Number one, just because they're finding hundreds of critical volumes does not mean that they are patching hundreds, hundreds of critical Vs. That is the responsibility of the software developers who are responsible for the software that the vulnerabilities are being discovered in. Which means. Think about it for a second, okay? Like, think about it like a timeline. Vulnerabilities are discovered, software engineers verify and then identify how to fix it. Then they push out patches, then patches are applied. Every single step takes time. Just because OpenAI can point at any piece of software and, and let's just like, be. Let's play fantasy for a minute, right? Let's do role playing for a minute. Not role playing, I guess that doesn't make any sense. Like, fantasy time, whatever. I don't know. I was trying to be funny about it, but I don't think I'm saying it right. You can just see how pedestrian and conformist I am with my, like, fantasy. So in a perfect world, OpenAI can look at any software and find every vulnerability in it. Okay? That. The extreme example, that's not happening. But just pretend every vulnerability discovered, okay? Now, how much time does it take for them to communicate to the software developers and the software developers to confirm it, right? Just because OpenAI says it's a vulnerability doesn't mean that it's confirmed. This happens all the time in bug bounty. Once it's confirmed, then they have to fix it, right? Fix the code and, and it's not as simple as, like, oh, let me just change it from a lowercase I to a capital I. There we go. Everything's set up. Sometimes you got to rewrite functions, sometimes you got to rewrite underlying modules, right? Okay, so that, let's say that takes weeks. Ideally, let's say it takes one week, which is insane, right? So every vulnerability, then one week to, to fix it, okay? And push patches and then one week to patch the environment, right? Which is hyper unrealistic, right? We're talking like, even in the best of scenarios, two to three weeks, which is not what's going to happen. It's 2026. We're talking about, oh, you gotta patch it like Windows xp. Oh, you gotta patch it like, you know, freaking Eternal Blue, which blew up with WannaCry from the Vault 7 Shadow Brokers leak back in 2017. The Eternal Blue dropped in February. Microsoft fixed it immediately pushed patches all over the place. It was like literally a blinking red button that said, if you don't patch this, you are absolutely going to get pwned. And even weeks later, North Korea went ham across the world. And we're, we're just pony machines left, right and center. So even in a perfect world, none of this happens. So this, this is a great step one, but you've got to do steps two, three and four. We'll see how it goes. I love this. I do want to point out as a side note, I know there's no patches for XP and Windows 7 and stuff like that. I, I get that. As a side note, really quickly, this could, this could. This is a hot take, okay? So for those who are squad members, please, little tinfoil hat, okay? This could low key, destroy the bug bounty market. Like hacker one bug crowd, these ones, right? If this tool can scan code repositories and find hundreds of crits quickly. You know what I mean? Like, either, either. I, I don't know. It's like you're gonna need like Jason Haddix of the world to find the one that AI didn't find. You know what I'm saying? So I don't know. I, I just think that this is going to, I don't know, man, not eliminate everything, right? But if you hire, if you hire someone, if you hire a group of people, right? This is like, hey, group of people. If you see a piece of trash on the ground, pick it up. And for every piece of trash you pick up and throw in the bin, you'll get a dollar, right? So you kind of crowdsource it. People are like, I could use a couple bucks. They go, pick up some trash. I could use a couple bucks. There's people like, this is my job. And they like, they bought their own reflective vest and they're like throwing trash away everywhere. Well, if you, if you make a machine, that's basically the two guys from Heavy Metal, the movie, the two aliens who are big into going skiing, right? And they can suck up all of the trash, right? That was an incredibly obscure, super narrow reference. I just made analogy. So let me back up for those, for those who know, you're probably laughing, but imagine if you just created a super vacuum that you could walk down the street and it would just pull in all of the trash like a cartoon. Now, most of that's Done. But hey, there's a piece of trash wedged in a sewer. Grateful the vacuum isn't going to pull that in. So then you would need some advanced person like Jason Hacks to go grab it. So there is potential for this to

B (30:40)

really disrupt the bug bounty market of persistent cyber espionage. According to a new security assessment from the Finnish Security and Intelligence Service, the country's tech sector, government and research institutions face sustained operations from Russian and Chinese intelligence services. The assessment painted a bleak picture, stating that the country faces continual attempts at cyber espionage with no prospect of such operations subsiding even in the long term. These attacks are attempting to steal sensitive research and intellectual property, supplement traditional espionage efforts that were scuttled after Finland expelled Russian diplomats and spreading misinformation as part of larger influence operations. And now, thanks to today's episode sponsor, Drop Zone AI.

A (31:26)

All right, CESA shortens patch window. Hey, like, by the way, I forgot to say this in the intro. Hold on, hold on. I didn't say this in the intro. I don't research or prep for the show. I have no idea what stories are coming. Ain't nobody got time for that. I literally am finding out as you are finding out. And then I'm just giving you my, like, CISO hot. Take a very emotionally engaged hyper, passionate for cyber thoughts on this one? Okay, CESA is the information security agency for the United States, right? Or what is it? Infrastructure and security agency. Anyways, the whole point is they provide threat intelligence to the United States and also kind of, you know, give insights into, like, vulnerabilities that need to be patched and how bad is it and all these things. Anyways, you could see here they have intelligence, right? So CESA has intel that these three vulnerabilities are now being actively exploited in the wild. Going back to that example I just gave you of open AI finding VS Software, engineers fixing, then patches all during that window. At some point when the vulnerabilities are discovered, it becomes a race. The race is the good guys are, you know, developers are fixing it and then good guys are patching it. Or good l. You know what I mean? Good people are patching it. At the same time, there's a fork where the threat actors have the vulnerabilities and they are able to try to weaponize that vulnerability, develop an exploit, shoot the exploit, and then compromise assets. Go look at the cyber kill chain. You can see where it forks off. Look, Google Lockheed Martin cyber kill chain. Okay, so these three vulnerabilities are being actively exploited, which means if you have these vulnerabilities in your environment because you haven't patched it. Ah, you gotta patch it. Then you are going to be having a bad day. Critical vuln in SolarWinds web help desk. This has literally been around for a minute. You can see here just by the CVE title 2025. That means this is from 2025. Ew, sad girls. Oh my God, Becky. Look at her cbe. It is so big. Drink. That was a sure mix a lot reference. I. Listen, I stopped growing culturally in 1998. So that's why everything is 90s references all the time. What is going on with this thing? Is there a date on this guy? Why does this say date added March 9th, bruh. All right, so this was published September 2025. Let me just do some quick math here. Yes. Judges, I'm getting nods from off camera here. Yes, we're confirming. That was six months ago. Half a year, my man. If you're running SolarWinds help desk and you haven't patched it in six months, you know, Linda and HR, like, if you have this bug in your environment, okay, and I'm being playful here, if you have this bug in your environment, you haven't fixed it in six months. I'd like to schedule a 15 minute meeting between me, you and HR. Just, just a real quick one. You don't have to bring your computer or anything like that. We'll take care of that for you. You can find it in the cardboard box. That'll have your little desk plant in the lobby there. Dude, you've got to patch these things. This isn't a joke. These things are being actively exploited. Help desk has access to all sorts of things, including oftentimes, remote management. There's definitely details in there around, you know, passwords and, you know, history and stuff like that. Even, even the basic benign type information. Okay? You can see here asset tracking is definitely used by the government, which is why CISA is involved. Let's see what the vulnerabilities actually are though. CESA G. Wow. CESA gave the agencies four days to patch and now they're updating it to three days. Here's my thing. My, my guy really quickly. Hold on one second. When you get a. When you get an email saying that you have three days to patch something, that's. That's like all hands on deck, okay? You really, really should prioritize this as always. Let me, let me just tell you a couple things. Number one, you should patch this. Number two, an enterprise application like this, like Avanti or SolarWinds, you definitely know you have it or don't have it. There's no way in hell that you like are running SolarWinds as shadow it. Like that's not going to happen. This is a wide enterprise grade solution, which means it is difficult to patch because when you take enterprise applications down for maintenance, they affect, wait for it, the entire enterprise. Oftentimes you got to have, excuse me, you got to have maintenance windows. The final thing I'll say about this is, number one, don't screw around. If you have this, patch it. Period. Full stop. Patch it. Number two, if you don't already have this, you should seriously consider working with leadership to define an emergency maintenance process. Something like this dude, like, like the WannaCry in the SMBV1. Like granted you had weeks and weeks to patch, but I'm just saying if, if SISA comes down or whoever comes out and says you have three days to patch this and it's Monday and maintenance windows are every Saturday, it's not going to cut it, Jack. You've got to have an emergency maintenance process period. And just like rolling the dice and being like, oh, we'll take our chances. Suck an egg, dude. Like I'm not saying we make emergency maintenance windows the new norm, but you should have an emergency maintenance process. You should have talked through it. You should know who the right people are to put on the email to let everyone know emergency maintenance. You should have the CIO get your back and be like, yes, we are doing this. It's moving forward. Right? Period. All right, super. Who? Dude, you put on the run GRC shirt and everything and all of a sudden everything GRC becomes super important. Awareness training, maintenance windows, educating staff, talking about vulnerability management. Oh my God. Let it rain, let it rain. And on 311 day.

B (38:10)

Remember yesterday's 3am threat intel. Here is how it plays out with Drop Zone AI the threat intelligence drops dropzone, picks it up, turns it into a threat hunt and runs it across your sim, EDR and cloud data while your team sleeps. By morning your analysts have answers, not a backlog. That is the AI Threat Hunter, the newest agent on the team. Debuting at RSAC booth, 455 South Expo Hall. To learn more, head on over to Dropzone AI.

A (38:50)

All right, all right. Maybe we do a 3:11 song for the mid roll, you know what I mean? Let's see what, let's see what we can pull up from the crates here. Yeah, I said crates. All right, here we go. It's hard for me to listen to 3:11 now and not get angry, which I know is hilarious. All right, we'll. We'll do it later. We'll do it another time. Actually, they did cover. They covered a. A Cure song. That was pretty good. All right, guys. Hey. Every single day of the week has a special segment. Oh, wait, really quickly, I want to say shout out and thank you to the stream sponsors, Threat Locker, Anti Siphon, and Flare. Straight Killing it like a bunch of bosses. Thank you and thank you, all of you guys. Shout out to the mods. We have a. If you're a squad member, we actually have a mod. Love Emote. The mods are very active in chat, and I try to. I try to recognize them and give them flowers with regularity, but shout out to the mods. Thank you very much, guys. So every single day of the week has a special segment. I gotta make a card for this. Kimberly, can we make a card for Way back Wednesday? Every day of the week has a special segment. And on Wednesdays, I like to throw it back in the Wayback Machine and talk about old tech. That was like, so hot at the time. And ladies and gentlemen, I want to present you with what was so hot. And for those who are old in chat, this is gonna hit. Okay, I give you the pager. And not just any pager. The clear neon pager. Oh, yeah. This thing was so hot. I didn't even have any friends, but I had a pager. Okay. I mean, I had friends, but they were all with me at the same time. Hey, Larry, thanks for the squad membership. 20 months. Looking good. So if you had a pager, it was sick, right? You would get. You could get paged like 143, which means I love you. You could get paged 911, which means call right away. Right? Pages were sick. I will say pagers are still used in healthcare. Physicians run around with them so they can get communicated with. But back in the day, you would get paged and then you'd have to go to a pay phone. So shout out to pagers. You know, if you had one, how cool it was. Some people had multiple pagers. I want to take you into the way, way back machine. Check this one out. Look at this. This is hilarious. Pager, black speaker. My uncle owned his own business and he actually owned a pager company and he owned a restaurant. A couple other things. Okay, I want to share this pager with you. This is ridiculous. I hadn't thought about this in a minute. You guys see this pager? Listen, this pager didn't have a screen. It literally had a speaker. So what you would do is you would call the phone number and leave a message at the beep, like, hey, Jesse, it's Jerry. Give me a call. Or hey, casually Joseph, your commander Deck's terrible. Hahaha. Click. Okay. Then it would relay it to the thing and then the. The. The pager itself would go beep and then it would just play the audio file, like just. I remember my uncle being like in the restaurant and would just blast it into the restaurant. Like, no matter where you were, everybody got had to hear the page. Insane technology. And not in a good way, but anyways. Yeah, that's your. That's the pager situation. All right, all right, quick word. Let's do the La la la la la. And if you're enjoying the show, I saw Brown Brown Coyote. Enjoyed the show. Love it, love it. Dude, mod chat's out of control right now. All right, let the la la wash over you guys. Let's. La. If anyone sees Alpha Sierra, please let her know that we've been playing the song again. I feel like she left because we stopped playing. I'm joking. She's definitely got some responsibilities that's keeping her from it. But hold on one second. Oh, man, I love this song. I love the new Midnight album. I'm like, so in love with it. All right, hold on. Let's keep going.

B (43:58)

Meta acquires Molt Book. You'll be forgiven if you've already forgotten about the AI flavor of the week. That was Molt Book. This was a Reddit clone designed for use by AI agents created by Matt Schlicht and Ben Parr. Well, Meta didn't forget them acquiring the platform and the team behind it in an undisclosed deal. Schlicht and Part will roll into Meta's Superintelligence Labs unit on March 16, with Multipook itself shutting down around the same time. Multipli was notable in that it left its production database completely exposed at launch, revealing that a large number of accounts were created by just a few users and that it had no system for verifying if users were actually bots. This comes a month after Open Call creator Peter Steinberger was hired by OpenAI.

A (44:41)

I was trying to find, like, the number is not disclosed, but I was trying to see if anybody had an estimate or guess on what it was. So Mold Book. Mold Book is basically Reddit for AI to AI users. And it was kind. This isn't a cyber story, like, at all. Like, this is like, shall we play a game? I. I like Live, breathe, love, work, sniff, play, bathe in cyber. Okay? I love cyber security. Okay, so this is not cyber security at all. At all. Zero. Yeah, I can't even make a cyber point. I can't. I can't find some tangential element. Actually, I can. I can. Okay, but. But what I want to point out is moat book was this Facebook for AI to AI. And basically it was like, like, look at this. They're creating their own religions and talking about their own talk. Dude, it came out like there was like just a few people who created all the agents. There were actually humans in there. Humans are supposed to have read only access, but humans were getting. Right. Access and kind of poisoning the well. So don't come at me with mo book. What I do want to point out is two things. One, for cybersecurity professionals, if you are likely or potentially going to be involved with mergers and acquisitions, that is an American psycho. People, murders and executions. Yes. Lol. Lol. If you work in health care, there's a good chance you might be involved with a merger acquisition. If you work at a tech startup, good chance you might be in merger and acquisition. You should be mindful that there is a lot to do with cyber when you do mergers and acquisitions across, like the human layer, the data layer, the data play together. Where is redundant data? The application layer. Do we have redundant applications? The legal layer, what contracts do we have with whom? The network layer, who has, you know, access to the VPNs, what remote users, what remote tools, like the, the maintenance window. Like there's a million things it. Where are these sites? Physical security. It's like bananas when you get into mergers and acquisitions. So just shout out to all that. That is my tangential piece of cyber to give you for this story. The other thing I want to tell you and, and shout out to Phil Stafford again. I know, like, I mean this with all the love and respect in my heart. Like, Phil Stafford and I are old. Like we were. Phil was definitely there. I was definitely there. And I know some other olds. DJ B definitely was there. He knows where the bodies are. Jenny Housley. Listen, just to be inclusive, in 2001, 2002, dude, there were companies getting acquired. This was like the doom boom. There were companies getting acquired that like didn't even exist. Like, think about that for a second. Me, DJ B, casually, Joseph, Justin Gold, Jesse Johnson and the rest of the mod team, Kimberly, Jenny, everyone, we'd get together and we'd be like, we should create a tool that does this right. We should Create a tool that will like find water, you know, in, in a stone. Okay. And we would write up a business plan, put it on paper that we all work there, never develop a single piece of code, and then we would get acquired. It was called vaporware. It was like an entire thing. This, this AI thing right now is so stupid that like I'm seeing it again. I don't know if anyone else feels this way, but like people are so thirsty for AI and AI everything that every business is friggin ham fisting AI into all the things and looking to get acquired. And people with infinite money, cheat codes like Meta, Google, Microsoft, they're like, yes, like, let's buy all the things, like let's hoard these things and then we'll figure out later if we got some good ones or not. This is like, this is the equivalent of buying like bulk magic, the gathering cards from a storage container and just like, oh, I'm just gonna, just gonna take this and we'll figure it out later that that's what's going on right now. I mean, shout out to Molt Book and shout out to the other guy who created openclaw. These guys are getting paid out. So like I'm not gonna hate on it. Great cash, homie, but it's just ridiculous. What are we doing here?

B (49:02)

Nap Botnet targeting ASUS routers Researchers at Black Lotus Labs detailed the newly discovered CADNAP botnet. Active since August 2025, this currently has about 14,000 enabled devices communicating through a customized version of the Cademlia distributed hash table protocol to conceal IP addresses. About half the botnet is made up of asus routers. With 60% of all infected devices in the US CADNAP spreads through a malicious script that establishes persistence on routers and edge devices. As a cron job that runs every 55 minutes. The researchers believe CADNAP is tied to the Doppelganger proxy service.

A (49:39)

All right, first of all, love the chat around pagers, people really enjoying that. That's great. Cadnap Botnab hijacks ASUS routers Guys, if you're running routers, routers are devices that connect networks to networks. Many of you have a, a router in your home, right? You might have ASUS routers at your corporate network, right? If you're like a small midsize business trying to make, trying to make a dollar out of 15 cents and you couldn't afford like, you know, Cisco, Cisco, Cisco or Juniper or Aruba or whatever, these things are getting popped. Shout out to Black Lotus Labs, you had my attention. Magic, the G. The most, the most OG iconic card in all of magic is the Black Lotus. So you know, go on as you were security researchers, basically they discovered this ASUS router is infected with a payload called cadnap and it downloads malicious scripts from this IP address. So obviously not obviously, but for those who are in chat, I would recommend dropping this IP address in your sim. Just see if anyone in your environments pulled it down. It is running an ELF binary which is basically a Linux executable because the ASUS routers are running on a Linux build. Okay. Then it starts doing some initialization, uses NTP and uses NTP to figure out where it is. I'm now looking at it. What's the point of it? Here's the thing, like okay, you can own my router, but like what, what, what is happening? Are you just using in denial service attacks or using a foothold? Are you. Sometimes a threat actor will take over like a, like say take over my home router with the intent of attacking a business. But then when the business does the forensics and they, they hunt down where it came from. It comes from my house. Right. And that's bad, right? Let's see. There's a lot of hard coded stuff in this. There's a lot of hard coded stuff in this malware. Let's see. Yeah, so it looks like the, it looks like this is infrastructure that is set up as business to business sales for criminal activity. And it's using like, again, I don't research or prep for these shows. It's using the service for the way I just said you basically people are routing through you. Like this is a Mission Impossible movie. So instead of me attacking a target from my home computer or going through a vpn, I can compromise, you know, a Kona Ice truck and then attack through the Kona Ice truck as a proxy and funnel my malicious traffic through it. And that way it looks legit, right? Resident ip, real home IP addresses from different countries so you can bypass locks and restrictions. It's kind of like a VPN service except it's, it's even more criminal. Not more criminal like VPNs aren't criminal, but like nobody can query law enforcement can't call my neighbor and be like, hey, we need to pull your records because someone is routing through you. They can do that with VPN providers, therefore giving anonymity. Right. So be mindful of this. I would say if you running ASUS routers, you know, you might want to take a look at this. My only question is how is it initially infected? Is it initially infected through crappy credentials? It doesn't say how it works in here. They do talk about, uh, it's used. All leading initially to CADNAP victims. Yeah. So denial of service attacks, crowd stuffing, brute force attacks, which when you do the forensics shows, you know, these, these, these other victims who are being basically proxied. It doesn't say in here how they're finding it. So unfortunately, I don't know if it's like a zero day on the ASUS router that's being exploited or if it is just crappy credentials. Standard best practice, guys. Do not run default creds on any network. On any equipment, frankly, but any networking equipment ever. All right, everybody be cool. Zach Hills here. Okay, Zach. The way back Wednesday was pagers. Did you have one? I bet you did.

B (54:28)

Microsoft rolls out passkey support for Entra. Microsoft says it will allow users to create device bound passkeys stored in the Windows hello container and authentic using Windows hello. Each Entra account will register a passkey per device with support for multiple accounts per machine. These keys will be device bound and not synced. Passkey support will go into a opt in global public preview in mid March and run through the end of April. After that it will roll out to government cloud environments starting in mid April through mid May. CISA shortens patch time.

A (55:01)

Okay. What? Hold on. I was, I apologize. I was like daydreaming about mergers and acquisitions. Fireside Chat and how, how we could bring that to the community. Great idea, DJ B sec. Also, you buffer overflowed my brain. All right. Fishing resistant window sight ins via entrapass keys. Yes, yes. Yeah, you know, this is what list. Like this is when I see fishing resistant Windows pass keys, this is. Yes, yes, yes. Let's get. Let's. Let's take passwords off the table. Okay. I love it. If you want to know what a pass key is, my good friend Bruising Hacks and I made a video for that Simply Cyber Bruise and Hacks Foreign. Let's see if it comes up. Ladies and gentlemen, even though I put in like the explicit title simply Cyber bruise and hacks. And there we are. Look at this. Slightly below the fold, Ryan. Anyways, if you want to know why you should ditch a password, check it. Oh, I filmed this in Massachusetts. Check this out. Look at this. It launched quickly and then fell off. Anyways, if you want to know what a passkey is and why it's awesome, check this out. So Windows has been super pro security for a minute and they've been working on passwordless authentication for years. Okay, so this is not new. Passkeys are awesome. Okay, A threat actor can't phish you and have you give up your passkey. You don't go to a lookalike website and put in your passkey. It just doesn't work that way. So you know, obviously you not old but like people who are less technical have been, have been acclimated to using passwords. So when you start talking about passwordless authentication like they're, they're, their eyes roll back in their head. But anyways, yeah, personal devices, shared devices, passkey, everything. If you get a chance to do a passkey, take advantage of it. Okay, Microsoft entra pass keys on Windows is coming and it's probably knowing Microsoft, it will likely be available but not required. And then they will be make it the, the default option and then they'll just get rid of passwords maybe. I mean that, that could be like years down the road. But each entra account will register its own passkey per device. That's another thing about passkeys, they're device dependent. Multiple accounts can coexist on a single machine. However, passkeys are device bound and cannot be synced across devices. This is another part of why passkeys are more secure. If a threat actor gets, you know, like somehow gets your passkey, it's tied to the device itself. So they'd have to steal your computer also or your phone or your tablet or whatever. It is slightly painful because you'll have to register every device if you're an end user. Oh, that sounds inconvenient. Yeah, it is. Guess what? Suck it up, buttercup. You want access to this environment get you pass key. All right, for public preview, if you want to try to roll this out at your org IT admins, you have to enable the passkeys, which is FIDO 2, which is basically just the standard for secure authentication in the entrance authentication methods policies. Then create a passkey profile with the required Windows hello, AA GUID and assign it to the appropriate group. Okay, so you can do this. Okay, this block may not apply only once the user exceeds 50 total creds across passkey. All right, here we go. May 2025. All new Microsoft accounts will be passwordless by default to secure them. So this has already been in place. Like I told you guys, this has been the case for years with Microsoft. They're just slow playing it. Okay, way to go Microsoft.

B (59:14)

I love it for critical bugs. Generally when CISA adds a vulnerability to its known exploited vulnerabilities. Catalog. Federal civilian agencies have three weeks to patch. However, the latest round of additions have been given tighter deadlines.

A (59:28)

My guy.

B (59:29)

Monday.

A (59:30)

Listen, hold on. We're at 9 o'. Clock. Anyways, it's. What, like, it's not uncommon for CISO series to put the same story two days in a row because they have different people aggregating. This might be the first time. I think this is the same story twice in one day. Okay, hold on. Did I. Did we mess that? Did we miss this? Why was I talking about. Huh? Did I, Did I black out or something? I'm looking at the stories for today. I'm looking at the stories today. I swear to God. We covered this story already, but it. It doesn't show. Like, how did I. I don't know what's going on. I don't know if I just entered a time vortex or, like, you know, a black cat walked by and then it glitched and walked by again. I don't know if Agent Smith's about to bust through the wall like the Kool Aid man over here, but I swear to God, we already did this story, so I'm going to skip it. You know what, judges? Yes, I'm getting. I'm getting nods from the judges. I don't know what happened. Whatever. That was a Matrix reference, by the. By the way. All right, guys. Hey, Hala, Hala, Hala, Hala. I want to say shout out to all of you, thank you. Thank you for coming today. Thanks for being here. If you were a first timer, thank you so very much. If you were listening to us while you were driving, working out, getting set up for the morning, taking the kids to the bus stop, or just, you know, grinding at the desk at your work desk, I genuinely appreciate that you choose to make simply cybers daily cyber threat brief part of your routine. It does not go unnoticed. It's very difficult for me to individually thank every one of you, but I'm. I'm telling you, thank you. I. I know. I. I just know that, you know, it's. It's special to me. I was thinking about it this morning. To be part of a morning routine is a very, you know, it's very privileged and I, I just want you to know I don't take it for granted. Thank you all so very much. Don't go anywhere, because I'm going to be flipping the script like an absolute mother trucker and doing some jawjack and I'm going to answer your questions. First time live. Gold XX barrage. 2900. Welcome to the party. Far get in one was on the treadmill. I'm Jerry from Simply Cyber. Don't go anywhere. I'm gonna do some jawjacking and answer all your questions. So if you got questions, put them in chat with the queue. Let's go. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your. What the hell? Hold on one second. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field. Live, unfiltered, and totally free. Let's level up together. It's time for some jawjacking. As you were. What's up, everybody? Welcome to Jawjacking. I am your host, Jerry Guy. Two thumbs, all smiles. This is a fun show, but it's designed to be helpful. I am all about mentoring at scale. I love educating. I love talking about cyber. I love helping people. And this show is 30 minutes of doing all of that rounded up into one. All right, we got our first question coming in. I also want those in chat to know I ordered. I ordered several magic cards to start building out my new pauper commander deck because I was getting hate about my pauper commander deck. So now I'll have another one. That way, Zach Hill. I can't have the best pauper commander deck because I'll have two. So one of them by default can't be the best. First question coming in. Mariah Green says, would you recommend someone to get an OCEG cert when getting into grc? This question was asked yesterday. Eric Taylor dropped it in chat. I do want to say thank you, Mariah. Now, two things. One, I'm not wicked familiar with oceg. However, I want to pull something up for you guys on chat, on stream. This is it right here. I don't know anything about this organization. When I review this page, it looks pretty good. It. The marketing copy looks good. You know, they have testimonials recognized as the best, right? CIO magazine, one fee, all certs, so it seems legit. Okay, now here's what I would say. And this is. This isn't like a disrespect thing or anything, but like, I've never heard of OCEG before, so maybe. Maybe I just live in a bubble, right? And I don't know anything about anything, but I. I've never heard of it, which means I don't know how much market value it Has. Okay, so what I would recommend you do, Mariah Green. And I would recommend this to everybody. This strategy works for any certification. Any, you know, any discipline anywhere, even, Even outside of cyber, frankly. Take the cert, right? O, C E G. The GRC one. They have GRCP for professional, GRCA for, for auditor, a couple other ones. Those are the two GRC ones. Here's what I'd recommend you do. Look through 50 GRC job postings, which I know is a lot. Maybe AI can help you, right? Look through five GRC job postings. Look to see if they're asking for this certification. If no one's asking for it, that means that it doesn't have market value. Okay? It doesn't mean it's not a great cert. It could be the best cert ever. But, but what is it like if you invest your time and money and energy into getting this certification, why are you doing it? You're likely doing it to make you a more desirable candidate. You're likely doing it so you can get a job, right? Like, no. Like, I would assume that your employer is not going to give you a pay bump if you get the cert, right? So then it's for market value, just like any cert. Okay? Now check it out. If there is a. I'm gonna make an analogy kind of similar to what I do. Like if there was a cert like say the Isaca cisa, which does. It's a GRC Certain, has lots of market value, right? That, that, you know, has roa. Imagine if you will, you go to a car dealership and there's two identical vehicles on the lot. They're, you know, they're both the color you like. They're both exactly what you like. What's the difference? And you look at one and it says it has, it gets 400 miles to the gallon. You're like, jesus, that's awesome. I know exactly what that means. That means I don't have to go to the pump as often. Gas prices are about to skyrocket. This car is awesome. I can see the value in the 400 miles to the gallon. Now imagine you look at the other car and it's. One key differentiator is, is that it has, it uses metric bolts instead of US Standard imperial unit bolts on the, on the lug nuts, right? Okay, cool. The hell does that do for me? Right? You see what I'm saying? Like, again, I'm, I'm not saying that the, the lug nuts and in the, in the metric system is a Bad idea. I'm just saying it doesn't have any value to the buyer, to the employer, to the mark, to the market, frankly. Okay, so that's my thoughts about that. And you can apply that standard to any cert, any industry, anything. What is the market asking for now? Sometimes a company like oceg, it's their responsibility to get into market and, and establish a awareness and value. I'll give you one final example, then I'm going to move on to the next question. Just take the, take the, any, take any related non objective information and, and, and just don't, let's not talk about it. Okay? Tcm. Okay. Tcm. The Cyber Mentor before, years ago, okay. He released his own, or they released their own certification, the pnpt. Right. No one ever heard of pnpt. Like Heath just made it up. Okay. And it was a great one because it was very practical. Okay. Now I would say the same thing. No one's asking for pnpt, so what's the value? They then went to market and got it. And then companies like McDonald's. Yes. The big Macs and the Happy Meals, they were asking for practitioners with PNPT because Cyber Mentor made the effort to market that this cert is good and why it's good and all that stuff. So honestly, it's up to OCG to get into market and make those certs valuable. All right, thank you. Wait. All right, let's keep going. What kind of joint ointment do you recommend for arthritis? Which brand of walker do you use? Tennis balls or no tennis balls? You got to do the tennis balls, Phil. I mean, I personally would go with like orange ones or something just to of kind, kind of be unique and stand out. As far as joint ointment goes, I gotta tell you, there's no ointment. I, I love modern medicine. These, these people are like, I just don't get why you wouldn't be all in on modern medicine. My joint ointment is 3 Advil for lunch. How can someone use a CCISC 2 sir to get into GRC? No problem. Yeah. So Mariah, Maria, Mariah. Basically this cert just gives you a foundational understanding. If you want to get into grc. This cert doesn't necessarily help you with that. Yeah, what this does is this gives you a foundational baseline. If you want to get into GRC, start leaning into frameworks, right? Like NIST CSF. Learn that. If it's too complicated, learn the CIS18. That's NIST CSF Cybersecurity. Framework. And if that's too complicated, get into CIS18 Center. I think center for Information Systems or Center for information security. Just CIS18. Okay. Get used to those. Learn to do some awareness training. Understand how risk and risk calculations go. Learn about Miter Attack framework. Learn about NIST837. Special Publication 800. 837. You've got to get those things. The ISC2CC that is. Listen, like, if you're going to build a house, at least in the. In the south, you got to put a concrete slab down first. And then you build the house. The concrete slab doesn't give you a homestead. The concrete slab doesn't give you a place to stay and get out of the rain. The concrete slab is. Gives you the foundation to then build on top of. That's what it is. ISC2CC is like the foundation. And then all the things I just told you is the infrastructure in the. The structure itself that you get into to get into grc. Michael Fink, when I. I generally agree with you. I generally agree your hot takes. Why the hate for the Voyager album? I thought it was a good call back to sort of trans. I don't know, maybe Voyager. I haven't heard the Voyager album. Listen, I tried with 311. I tried. I. I gave him like two albums. They're just. They're just so bad. Here, let me. I'll. I'll. I will tell you what. I will give the. I will give it a chance. Okay? What I will tell you is I'm. I'm looking it up right now. Okay, really quickly. Where's the albums in order, bro. Okay. Sound system was 1999. Very good. Okay. After that from Chaos. Meh. Then Don't Tread on Me was an absolute train wreck. That is. Oh, my God. Hold on. This song. If this song was playing in an elevator, I would get off on whatever floor was there and walk the rest of the way. That's what I gotta say about that. I'll check out Voyager. That came out in 2019. Listen, when this album came out, I was done. It was the last album I ever bought and I threw it away. And then Uplifter came out. I listened to it on streaming and I was like, no, I'm officially done with 311. So Voyager came out long after I, you know, divorced 311. I'll give it a shot, dude, but I just. I don't know, man. I feel like they're just, you know, cashing checks at this point. All right, let me keep Going. I, I do have a certain soft spot obviously for 3:11. So. Okay, let's keep going. This is jawjacking. It is a 30 minute AMA. It goes till 9:30. We're about halfway through. Shout out to the 305 people who are still in chat if you are. Hey, listen, just as a quick aside, if you're getting value from the conversation, just, just let, if you can, just let me know if you have constructive feedback. For me, I'm always trying to be of service, okay? And I'm doing it the way I'm doing it, but that doesn't mean this is my show and it's my way or the highway. If you have any constructive feedback. Hey Jerry, how about shorter answers so we can get more questions answered? Hey Jerry, maybe you could show more screen shares when you're talking about something, let me know. And if you're just like, hey, thumbs up, everything's cool, let it fly, then that's fine. I'm talking specifically about jawjacking, not daily cyber threat brief. I, I do want to make it as valuable as possible for everybody. B Boy says, what would you recommend for sisu? Who wants to educate new hires? B Boy, new hires in the cyber department or new hires, like general workforce with best practices? I'll try to answer both. If you're going to educate cyber security professionals, right, like, you know, people coming into your environment, I would definitely educate them around what is your general vibe and approach to cyber security and whatever the framework is and where, where you currently are in that framework, right? So say you're NIST CSF and you're like a 1.5 maturity level. Give them that breakdown. Hey, like basically orientate them to where you are in your cyber security program journey, right? Because as a C. So you should, if, if you're just yoloing it, that's not a good thing. You should be, you should be, you know, kind of building towards something. If you're talking about general end users and workforce. Listen, if you get to be part of orientation, like when they bring in all the new hires and it's like you get your 15 minutes or something like that. What I would focus on is two things, really. Number one, kind of like the technical level, like, hey, like, show them like, like show them the magic trick, right? Like this is what a fish looks like. Hey, here's a landing page. Looks real, right? Well, this will steal your password. So just. And make it personal. Don't make it about the business. Make it about like their bank account or their email, right? So it sticks with them. Number two, make them feel, I don't want to say friendly, but like, listen, the, the end users are the ones who are going to be seeing things first. They're the ones who are going to be falling for things. They're the ones who are going to be enabling signal for a threat actor to get up in their stuff. Right? So establish a. A rapport with them in the sense that, hey, you know, there's. There's no dumb questions. There's no, there's nothing. You're never going to get in trouble, right? Hey, you're like, just, if you think something's weird or you're not sure, just call the office. We have a team of ex information or cyber people whose entire job it is is to make sure that you can do your job safely. So. So like basically make an open line of communication that's super valuable. We just become best friends.

B (76:26)

Yep.

A (76:27)

All right, Daniel. Daniel's with a ten dollar super chat. I'll get to that in just a second. QKB3128 says what? 14 week cyber security school is legit. I. You got to be careful. There's a lot of bad ones out there. I will say tj, Find the True and Kyle. Not Kyle Devin out of Miami who I got to eat lunch with at Zero Trust World. They keep changing their name. There was one called Thrive. Thrive dx, I think. What's his name? Michael Small, I think is associated with that. That one I've heard good things about. Okay, ask tj, AKA Find the True in chat. He might be able to let you know. Oh my God. Yeah. By the way, as far as my albums go, wall to wall to midnight. So true. All right, hold on, I'm flagging questions. What's up, Cyber risk Witch? Good to see you in chat. All right, hold on. I'm flagging all the questions right now. I'm flagging questions so I can get down to that super chat without missing anyone. Also, hey, mods, I. This is kind of a. An extra ask. This is me being extra. I asked the community for any feedback to make me better and make Jawjacking better, but it's very difficult for me to scan for questions, answer questions and be able to pull that feedback. So if you guys see anything, will you grab a screen cap and just drop it in chat and I'll. I'll review it after the show ends. All right, continuing to look. Lots of questions coming in. This is phenomenal. Thank you guys for the questions. I'm super pumped to be able to helping you. I'm just, I'm scrolling down to get to the super chat since you know obviously Daniel paid made a donation to the channel. Oh my God. A lot of great questions in chat. Ellipsis. Ellipsis says I love you Jerry. Don't tell my wife. It's funny. Okay, come on, come on, come on, come on. Where's the super chat? There it is. Okay, here's the super chat says assert I've been considering is the GRC ISSMP from ISC2. Been getting mixed reviews. Your thoughts? So I had the CISSP in 2009 for those who don't know ISC2 released like a basically a bolt on plus up senior level focused area for CISSP. That was. There was three, there was ISSMP which is the management one, ISS EP which was the engineer one and then I think, correct me if I'm wrong, was it ISS AP like an architecture one? There were three. I will tell you I've never heard, seen sniffed anything when I was hiring around this the the extension past the cissp. So just my thoughts is it's probably fine but I don't know if you're going to get value from it. I will say hey for any cert whether it's the O OCEG one that I said I've never heard of or the issmp if you can get your employer to pay for it, get all of them. Okay. If you can get your employer to pay for it, definitely get it. But I, I don't know if this has any credibility or value. Thank you for the super chat by the way. Here we go. What comments do you have on CSA series? You missed Finished. Intel warns of hybrid espionage blitz from Russ. Hybrid espionage blitz from. No, I mean I guess as far as Russia and China goes, guys we're basically in a. In I'm reluctant to call it WW3 but like we are in a multinational state. First world power on first world power. Low key little bit of proxy wars going on. Iran is, I don't know why Iran's getting painted as like some you know, third world. Like they have infrastructure, they have a very solid cyber capability, they have nuclear weapon. Like they are a first world. So you know it's espionage definitely you know being done with human as well as cyber in or sigint. It's the playbook of first world powers when they're doing operation. So I'm not surprised that they're attacking or they're doing things that would attack EU countries. Just like I'm sure the United States and NATO based countries are doing similar things around BRICS countries. So that's it. I, I don't know much about the story though Roswell UK so it's difficult for me to give any insights deeper than that. How would you get a military person who wants to enter grc? Oh my God. All day long, you know every military program has to go through. They used to call it DIA cap. I I don't know what they call it now. I guess fisma compliance or CMMC compliance for the private sector side. If I was going to get into grc, the military personnel I would immediately get involved with the PM for whatever projects you're working on. The program manager and start interacting with the cyber security professionals. They're typically contractors are responsible for doing the the RMF packages or like basically the authorization package around the security of the program. Get involved with that, start absorbing that. You'll learn NIST853 pretty quick and then you can transition into private sector as a SME. Plus when you're military, private sector loves to hire prior military because you basically have a Rolodex of people that are going to be paying for their services. Which car company has the best cybersecurity? Oh, you know I, I don't know entirely. You know Jaguar Land Rover had a, they were down for like months because of an issue. Nissan's gotten hit. If I had to I would say if I was gonna just like put five bucks to let it ride, you know what I mean? Like make a, make a casual prop bet. I would say Tesla has the best cyber security. Which type of laptop you got? Does it have AI Soul Shine? Yeah, I have a Legion. Lenovo Legion. I had the five eye. Lenovo Legion 3 years it did its job. I just did a software recycle because I'm the CEO and the CFO and the CIO and the CTO and the janitor. I get to decide when software life cycles happen or or system life cycles. And for the 2026 season I've replaced it with a Lenovo Legion 7i and it does have AI. There's a CO pilot button on it that I accidentally hit from time to time and absolutely want to choke slam it like I'm the undertaker. Good morning Comptia SEC plus still relevant? Oh yeah, definitely America definitely security plus still relevant in 2026. How will you guide? Okay, is this is a follow up question I suppose. Is doing cyber security ops a good route or it. No. I mean if you want to work in grc, both of those are great operations. Cyber operations is great because if you understand how the real, how the real threats attack and how to use threat intelligence and how to harden environments and stuff, GRC people are going to be playing nicely because you're going to be working with both the operations people on one side and the business on the other side on, like, credibly hardening environments. So, yeah, definitely, both of those routes are fine. If you can get in cyber, do it. Is cyber security job market expanding? It's very difficult to tell right now. Runfish. I, I, I don't think the answer is yes right now. I haven't seen any signals to indicate the market's expanding. We're seeing rifts reduction in force. We're seeing layoffs. I mean, the AI bubble is getting funded incredibly quickly, which means there's a lot of startups, which means they need some cyber. CMMC in the United States is blowing up. Obviously, we're going to war, effectively. Oh, we got two cyber chicks today. Can you drop a link, please? Cyber Shimgami. What's the next round of three? Analyst question review. Dropping Pen Test edition. Give me a second and I will tell you the answer to that one. Kimberly, can you drop a link to the two cyber checks, please? We have two cyber checks. We're going to go over and raid. I'm looking right now at. You guys can look behind the screen. Come on. Computer load, bruh. All right, you can see here. These are the upcoming shows that exist or don't exist. They're coming starting March. March 15th. So this Sunday is the start of those videos. March 15th. All right, thanks for the question. All right, let's see. Oh, yeah, here we go. How women are rewriting the rules of cyber leadership. Talking about CISOs and leadership. Get some of that. This premieres in two minutes. Shout out to two cyber chicks. Erica McDuffie, Jack Scott, absolute bosses out there. It's just coincidence they're females. It's not because they're females. Right. So definitely, let's do this. Outpost Gray. Seven minutes to go time. You can see Jax is in the chat already. Very nice. I'm gonna drop a link to this for the raid. Two cyber chicks. Raid. There we go. I'm gonna pin it in chat and see if I can speed run. See if I can speed run the questions. Jerry, you have a library on your website. Is there a collection of music recommendations or is it the midnight. The rest be damned. Yes, I do love the midnight. Space tacos. I will say, if you go to Bruh, if you go to Simply Cyber IO Socials, I've made a mixtape that's right here. This has no midnight on it. This is exclusively. This is exclusively late 80s early 90s hip hop starting with Award tour. To me, very much a great way to start a mixtape. So here, check this out. Simply Cyber IO Socials. That's the answer to the question. All right, we got 60 seconds till we go live. Looking at chat Rob. Hey, did you get a new car, man? Have you caught anything in the Sierra in Vegas yet? So I didn't see a concert. I watched Postcards from Earth. Made me feel horrible about myself. Is basically a documentary pointing out that humans are a plague. But dude, if you're gonna see Fish there in April, holy crap. I would love to see any concert at the Sphere in Vegas. I mean the midnight would be the dream scenario, but. Cubot. So check out Thrive T H R I V E. I think Thrive DX and I think Michael Small was involved. I could tell you for of fact at Find the True Two. At Find the True Two, he's in chat right now. He went through one that was pretty good and can recommend an option. What did I do my dissertation on it. Basically small health care, cyber security leadership. Like basically, why does cyber security suck at small healthc care businesses in the state of South Carolina? If you are Interested, trap creates 1346. If you are interested, I will link to it. This is my actual dissertation right here. It's in PDF format. It's like a couple hundred pages. Who said it? I don't know. It's not showing up as a name. Like here's my dissertation. I just dropped it in chat if you want to giddy up on that. But it was called Flashlight in a Dark Room. A Grounded theory study on Information Security Management and Small Healthcare Providers. I basically created a new theory. When you do a dissertation, you create new knowledge that's like the stick. And I created a theory on why information security sucks at small health care organizations. All right, we got just 60 seconds until we go live. Going to keep answering questions, but go on over there. Space Taco says she appreciates how I give examples of things to help non IT people make sense of it. Oh, thank you very much, Space Tacos. I'm very. I. I feel like my analogies are pretty good. And it's just. I don't. I didn't like take a class on doing analogies. It's just. What's up 311 champagne? Your computer's not a Pokemon. I work in healthcare. And we have seen an influx in attacks the last week is possible. My org's info is listed on the Dark web somewhere. Hey, STV0887. I would absolutely tell you go to Simply Cyber IO Flare, SimplyCyber IO Fair. Literally. You can get two week free trial of Flare's threat intelligence. You will absolutely be able to see if your organization is on information is compromised on the Dark web. I'm telling you, this is the best, best, best, best way to do it. And it'll cost you $0. I promise you. Simply cyber IO/flarestv. That's not even like. Because it's a sponsor, like, it's legit the answer. All right, guys, I'm Jerry from Simply Cyber. Let's go raid two cyber chicks. I'll be back tomorrow at 8aM until next time, stay secure.