A
The federal government wants to move its patch window from two weeks to three days. Is that a real possibility? We'll talk about it on this episode of Safe Mode. Welcome to Safe Mode. I'm Greg Otto, editor in chief at CyberScoop. Every week we break down the most pressing security issues in technology, providing you the knowledge and the tools to stay ahead of the latest threats while also taking you behind the scenes of the biggest stories in cybersecurity.
B
An attack is coming.
A
It's about keeping us safe.
C
He's just a disgruntled hacker.
B
She's a super hacker. Stay Al.
C
Stay safe.
B
Stay safe.
A
This is Safe Mode. Welcome to this week's episode of Safe Mode. I am your host, Greg Otto. In our interview segment, we're going to be talking with Todd Beardsley, the VP of security research at runZero. But in a past life, Todd was responsible for oversight of DHS's Known Exploited Vulnerabilities list, the KEV list, as most of you know it. There's been recent reporting about the federal government shrinking the patch deadlines around the KEV, and Todd reached out after that reporting. It was like, I definitely want to talk about this. This is something we should definitely talk about. So I invited him on the show and we dove into it for this week's interview segment. But first, for our reporter segment, I'm talking with Matt Kapko about a really interesting FBI report about a ransomware group running schemes that actually involve in-person meetings in enterprises. Matt, take it away. This one was really, really interesting. It jumped off the page when we got word of this.
B
Yeah, certainly. Thanks for having me on, Greg. So, yeah, the FBI released an alert earlier this week about Silent Ransom Group. This crew doesn't just encrypt files or systems. It steals data for extortion. That's its main play. It continues to hit US-based law firms. That's what the FBI was alerting folks to. The group has claimed responsibility for more than 100 attacks, and activity surged during the past few months. As you noted, what's extraordinary about this group is that it sometimes sends an associate to victim locations to steal data from their computers in person. Researchers I spoke with said this is without parallel.
A
Yeah, I mean, we talk about brazen crimes all the time. This one is really, really brazen in that it happens in person. The mechanics here are really interesting, and let's dive into the sector. There's one particular sector that the FBI brought up that this is affecting.
B
Yeah, they're really going after law firms, some very high-profile law firms. The way that they're getting in is they're impersonating IT support in voice phishing calls and emails. But if they can't gain access to a victim's computer that way via remote access tools, that's when they'll have an associate actually go to the victim's location and physically attach a storage device to the victim's workstation. We've seen some aggressive data theft. Extortion groups harass and threaten executives and employees with physical violence. But like we said, these in-person visits for data theft are just incredibly rare. They've claimed 30 victims since the start of this year, and it's having a noticeable impact on the sector. Halcyon said that legal firms were the fourth most targeted industry in the first quarter of this year for ransomware attacks.
A
This is not necessarily just people walking into a small law firm. This is something that is affecting some pretty big law firms. I know there haven't been any names dropped in the FBI report, but this isn't just, you know, your run-of-the-mill law firm on Main Street USA. We're talking some white-shoe, high-priced law firms that are victims of this, right?
B
Certainly. I mean, that's what stood out to me too. I was like, okay, this must be small or mid-sized law firms. But these folks are walking right into some of the largest law firms in the country. It's hard to understand how that happens. But once they build that trust with that person, where they say they're an IT support person, that person may be telling the front desk, hey, I'm expecting IT support staff to come in and help me with an issue on my computer. Please let them in. That's kind of the process that experts think is happening here. But it's still pretty hard to believe how they're walking right in, stealing pretty sensitive data and walking out with it.
A
So also, let's talk about the scheme here. There is a big part of this where maybe not everybody is caught up to date that they're part of a scheme. It seems like a lot of these in-person workers might even be contract workers. It kind of reminds me of the North Korean scams that we've been following, where the laptop mules that we have here in America maybe don't understand that it's North Korea on the other end. In much the same fashion, this might be somebody answering, you know, an Upwork listing or some type of freelance listing where it is vague on what exactly is going on, and they are just doing stuff for, you know, gig work. And then all of a sudden they are roped into an international ransomware scheme.
B
Yes, certainly. So this group emerged in 2022 after Conti disbanded. They had that massive leak, and members splintered off into new groups. That's also a pretty long time for a ransomware group to be active, since 2022, over four years. Usually they have infighting, find some reason to split up and break away, or they're caught. But researchers believe Silent's operators are still based in Russia, which is where Conti originated as well, which, as you can imagine, makes it pretty difficult for one of them to show up at a US law firm and plug a USB stick or external hard drive into a computer. So like you said, experts think that the group is likely using freelancers that may not necessarily know they're committing a crime. They're trying to make some money. You can't blame them for that. The FBI didn't provide any details about this, but it does appear to be another example of criminals exploiting gig workers.
A
So with the experts that you talked to, I'm interested to hear more about what they said in terms of, is this a signal that ransomware schemes are evolving to be more dangerous and harder to handle, or is this ultimately what happens when the federal government imposes costs, and they have to find weirder ways to conduct their schemes? I can see it on both sides, but I'm interested to hear what researchers are saying.
B
Yeah, I didn't get a sense from researchers that they thought that this, you know, portended more attacks involving in-person visits like this. But we have seen activity ramp up, more aggressive tactics to try to encourage their victims to pay these ransom demands. I'm not sure if this signals a change in terms of how they're operating, but they are taking additional steps, clearly, as is the case here, to find a way to steal that data that they can extort victims with. It does showcase that they're not willing to give up if they run into some technical hangups. They're willing to go a bit further than that. We'll see if this expands to other groups, for sure.
A
Yeah, we definitely will. Hey, as the world turns in the ransomware space, it's just always an absurdly fascinating slice of what we cover here, and you do a great job covering it. So thanks for coming on the program and keeping us up to date on what is going on in this wild, wild world.
B
Thanks so much, Greg.
A
All right, now to our interview with Todd Beardsley. Like I said at the top of the show, Todd used to oversee the KEV list, which comes out of DHS and which the federal government uses to determine patch time when it comes to the vulnerabilities that get released on that list. There's been some reporting that the deadline to patch the vulnerabilities that come out on the KEV list is going to move from two weeks to three days, which, if you understand the world of vulnerability management and patching, is like the blink of an eye. So we saw this reporting, and Todd reached out to me to be like, we definitely need to talk about this on the podcast. So we hopped on, and Todd walked us through the practical limitations and the practical applications of what would happen if this three-day window does in fact become a reality. There are a lot of moving parts to this. It's not just necessarily patch, and patch now. There are a lot of ancillary repercussions that can come with moving this deadline to three days. So Todd is an expert in this space. Really interesting conversation, and we're going to dive into it right now. Check it out.
C
All right.
A
Joining us now on this week's interview segment is Todd Beardsley, the VP of security research for runZero. Todd, welcome to the program. Really appreciate you hopping aboard. I know that, you know, you do great work at runZero. runZero does a lot of great intel stuff, but I'm having you aboard to talk about things that you did when you were on the public sector side.
C
Sure.
A
Your last job, especially with the news that CISA looks to be changing, or at least debating whether to change, the way that the federal agencies respond to known exploited vulnerabilities, or the KEV list, and having that patch window dropped from weeks to three days total. And, you know, we've seen this reporting out there, and there was a mutual friend who popped into our inbox who was like, I bet Todd has some strong thoughts on this. So welcome to the program, and thanks for hopping aboard.
C
Sure. Thank you so much, Greg. I love nothing more than talking about the KEV, or the Known Exploited Vulnerabilities catalog.
A
So before we dive into what may be changing, a little bit of background. What does the operational reality of the process of a KEV being released, and then the patching that goes on, look like? What does that look like when a vulnerability gets added, and what does that look like when a clock gets put into motion?
C
Sure. How much time you got? So it's more complicated than people think. A lot of the time that I used to take when I was over there working on the KEV was verifying that an actual exploit actually happened. Right. And that doesn't mean there is a Metasploit module or there is a Nuclei template. It means that exploitation as a verb took place against a system, non-consensually. So pen testing doesn't count, red teaming doesn't count, nothing like that. And that system has some relevance to federal government interest. Right. You know, most people would take that to mean, oh, it has to be a government system that got popped. Nope, there's lots of target space there. There's state, local, tribal, territorial governments; that matters to the federal government. We care very much about the states. Critical infrastructure is another big one for them. So any kind of water and power utility, something along those lines. You know, action in an allied country, so something that happened in Canada or Mexico or the UK or something like that, right, like close trading partners and allies, would also fit the bill. Right. Because we care about our friends around the world. And so that is the bulk of it: assessing whatever evidence we have. Sometimes it comes from a victim, sometimes it comes from the vendor. They would say, oh, we're seeing things popping off with this particular vulnerability that has a CVE identifier that are hitting systems that we know you all care about. And so we would take a look at that, assess it, and then make the call up or down, like, is this good for the KEV or not? The entirety of what makes it into the KEV is described in Binding Operational Directive 22-01, or BOD 22-01. My favorite BOD. Everybody's familiar with it.
B
Yes, Yep.
C
And that's the thing that KEV is there to serve. Right. You know, the BOD says CISA must identify these known exploited vulnerabilities and tell federal agencies that rest in CISA's authority. And these are all Federal Civilian Executive Branch agencies, or FCEB. And there's like 102 of them right now. They range from many agencies you've heard of, like the IRS or NASA, to agencies you've never heard of, so like some of the many, you know, retirement funds for farmers and stuff like that. Right. So across the board, a big target space, a fairly wide-ranging possibility of target space. And all of this was done, when I was there, fairly manually. We would need to verify the exploitation happened, like I said, and also verify that there's something to be done about it. Usually that means a patch or some kind of fix, a simple configuration change. Or it's possible to do whatever the mission is and also turn off the vulnerable system, if that's the only choice. Right. And so all of that comes together in the KEV, and then it comes time to decide the timeline. The BOD opens with two weeks as a baseline. Two weeks is the baseline per the BOD. But it gives CISA the authority to adjust that up or down however they feel like they need to in order to be effective. And as you have implied here, it looks like that timer is going, you know, according to rumor. Don't know. They haven't made any announcement or anything like that. But I can't say... I've just eyeballed it. Just before we started recording, five of the last seven KEVs landed on the KEV with a three-day turnaround time. And sometimes that's over a weekend. It'll get added on Monday and must be fixed by... or added on Friday, and it must be fixed on Monday. Right.
Which is hard to do, you know, because like I said, there's 102 agencies that must follow the KEV advice, and then everyone else should follow the KEV advice, and that's everyone else in the world. Because one of the big features of BOD 22-01 and the KEV is that it's public. And that itself was a real innovation at CISA. It could have very easily gone the other way of saying, oh no, talking about any software vulnerability is a matter of national security and we can't just broadcast it to everyone. But it turns out lots of people in industry really follow the KEV, really care about the KEV, and people around the world do too. Right. So once upon a time, lo, I don't know, two months ago, seeing something land on the KEV with a very short turnaround time for patching, a deadline of like one day or two days or three days, would be a real signal that, oh no, this is something that the government actually really cares about. Usually. Sometimes. I wouldn't say usually, but sometimes it would strongly imply that yes, indeed, this is an attack that did affect, you know, something in the State Department or something important inside the federal government. Right. And which would itself imply state-level attackers, espionage actors, stuff like that, right? So if CISA goes down this route and reduces the kind of default timing to just a three-day turnaround, a couple of things fall out. One, we lose a signal; we all lose an urgency signal. Because just like with everything, if everything is priority one, nothing is, right? You start running into that problem. And there's a sociology, psychology argument to be made against this. When I was at KEV, we found that that zone between two and three weeks was a pretty good zone to get people to actually do the thing.
A lot of times we'd put out the bulletin, or, you know, we'd issue the KEV, and then agencies would act that day, right? Great, perfect. This is what you want. Obviously you want to patch everything all the time. You want to patch it more when there is actual exploitation, because most vulnerabilities don't see exploitation activity. You know, the vast majority, something on the order of 98% of CVE-identified vulns, don't ever see any exploitation. And so these ones are already special, right? And so people know that, and they're smart and they panic appropriately. But when it's your job to follow a deadline that's set by somebody else, and then that deadline happens and then goes past, you can't miss the deadline any harder, right? And so if it comes to day four and you haven't patched the thing, and also it looks like it's about the same priority as everything else, including today's, which may be new and now has a new three-day timer, it's harder. I don't want to say anyone's lazy or anyone's shirking or anything like that, because they're definitely not. But it gets harder to justify, like, well, why should I put extra effort into this thing that's four days old versus the one that I have now that's only one day old? And so you will have a longer tail of no patching.
A
Generally speaking, yeah, you're hitting on something that I wanted to hit upon. Okay, let's say hypothetically we do move to this new reality where three weeks and two weeks suddenly does become three days. From your experience on the inside, which part of the remediation is the hardest part to compact into that three-day window? Is it the detection? Is it the testing or deployment? I guess from a detection standpoint, we already know there is some level of detection already done for you on CISA's behalf, but with anything else there, what really becomes compacted and could eventually lead to errors? Because we all know the more you try to fit into a smaller window, doesn't matter if it's patching or any sort of really intensive work, the more chance there is for error.
C
Yeah, I mean, we all saw the movie, the Apollo movie. When you start throwing out time, you also have to throw out things like testing, right? And say, well, I mean, the time we must act, and what's the worst that can happen? The machine I'm trying to patch doesn't take the patch well or something like that, right? Or it doesn't come back when I reboot it. And this will be especially important for things like firewalls and routers, which we see a lot of attacks on these days, because that will take out your entire Internet-facing network. And maybe that's bad, right? And so you remove some of the testing safety that you would normally do, right, if you had a luxurious three-week window. And a lot of these agencies have change control windows, right? And a three-day timer is rarely going to work its way into a kind of normal patch schedule. Now these all appear to be emergencies. So ideally the sophisticated modern agency anticipated something like this, right? There's an active attack on a known vulnerability. We have to, you know, break the glass and do the thing quickly. And regardless of a KEV deadline or not, if they're seeing an attack, right, like maybe they're the source of why it's on the KEV, then they're going to want to act fast and they're going to want to do their forensics and do their lockdown and do all the things that you would normally do during an active incident. But every other agency is not experiencing that right now. And you know, the whole idea of the KEV is, well, we know that these vulnerabilities are very special because someone went out and attacked it, which already kicks it into your top 2%. And then once it gets on the KEV, that's 2% of those, right, about, you know, something along those lines. And so for starters, like you say, the testing window gets a lot shorter.
Luckily today, for most very mature software stacks from giant vendors you've all heard of before, right, the patches tend to be okay. But then there are things, so like the most recent KEV as we're recording this is something for Microsoft Exchange Server, right?
A
Okay.
C
Interestingly enough, this one did not get the three-day treatment, which is great, because patching Exchange even today here in 2026 is still a bear. It is really hard to patch that thing. It takes a lot of planning, a lot of timed downtime. You have to fail over to one then the other, usually, if you don't want to drop mail. And so patching Microsoft Exchange is still really, really, really hard. And doing that by itself inside three days is going to be a challenge for sure. Even in the face of an ongoing attack, the thing you would do normally was just shut it down, right? Like, sorry, we're not taking mail right now as we patch this thing. The fact that they didn't do it for Exchange tells me that there is still analysis happening and saying, oh, maybe not Exchange. So I'm not terribly worried about this being very automatic and mechanistic and all that. And I still am in touch with people who are actively working on the KEV today, and they're like, yes, we understand, you know, that some decisions still have to be made, right, all the way up until posting. And that's great. That's really good. This is why we pay them. This is why we have experts in there. And by we, I mean Americans; it's why Americans pay them. Because they're all paid by tax dollars.
A
Right?
C
And so, but on the other side, you know, I have to keep coming back to this whole "if everything is priority one, nothing is," and just the lag time. Sometimes, with a three-week window, you have a really good chance of hitting a normal change control window. And so you don't have to do anything special, right? Like, oh, okay, I have this thing on the KEV. That's great. Oh, I have that affected technology. Is it likely I'm going to get attacked by that? That agency makes that assessment. Because KEV does not say batten down the hatches because the attack is coming. All it's saying is, we know this has been exploited, therefore there's a higher risk.
A
Right?
C
But many of the KEV vulnerabilities are not the initial access vulnerability, right? Sometimes they're lateral movement, sometimes it's privilege escalation. All of which means the attacker's already inside and doing things. And if you can assert through your normal logging and all your normal defensive posture that that's not the case, then I would say, maybe don't pull the fire alarm on those, you know, at a breakneck pace. And CISA seems to be... this is the behavior they want to change. And I don't know, like, they haven't told me. They didn't consult with me. Weirdly, you know, they haven't. I just don't think they're trying to couch everything as priority one, but they do know that, you know, attackers are moving faster. And if I get a good hit in the federal government for this vulnerability, once I'm already in, I could use that same technique once I'm already in somewhere else. Maybe I'm using a trust relationship between two agencies or something like that. On that side, it is smarter. But remember that BOD 22-01, the whole point it was trying to solve, was machines that were years out of date, and it was just unconscionable that they were still running. And this is the problem KEV was trying to solve. And it's a real hassle to issue an emergency directive for every exploit, of course. And so KEV enabled something much faster. Like, three weeks was fast, you know, when KEV came on the scene in November of 2021. And, you know, the world is changing out from under us. Everything is moving faster. You know, we've got Mythos breathing down our neck with new vulnerabilities. And I'm hopeful that the agencies will continue to take KEV seriously and do what they can.
I don't know how you get around the human part of it, though, of like, well, I missed my deadline. I'm not going to miss it any harder. It's not going to kill anyone if I have to wait another three days for my normal change window to get this in. Because my agency, I know, is not particularly at risk from this particular vulnerability.
A
Right. You're hitting upon something that I wanted to get to, especially with, like, the antiquated technology that we know is inside federal agencies, or, I mean, just...
C
Oh, and everywhere.
A
Yeah, I was gonna say not just federal agencies, just government across the board. And going back to what you were saying about the KEV being a signal to not just federal agencies but also what's going on at the state and local level, and also what it does for private industry as well. So if that federal baseline does move to three days, what are you worried about when it comes to what the pressure looks like for organizations with far fewer resources or that are dealing with legacy stuff? Like you said, Exchange is just one example; you might not be able to turn Exchange off, or it might be something else that is critical that you can't necessarily turn off. So, you know, how does the timeline really affect that when these systems are so critical?
C
I think what CISA ultimately... one of the upsides, the silver lining, right, is communicating the urgency of being able to do it. And so what this may end up doing, for federal agencies and everyone else who follows the KEV, which is everyone, is really reminding people of how critical it is to have a procedure when you know something is happening out in the world. You know you're at risk; you know you may be next on the block for this particular exploit. You must move faster, and build systems and deploy systems in such a way that you can move that quick, right? Everyone has change... well, not everyone anymore, especially in the days of AI-assisted continuous integration. But once upon a time, we used to have these things called change windows, and you would have a set time of when you could update things. And that might be once a week on a Tuesday night or something like that. Right? And once a week would be great, right? Some places are monthly, some places are quarterly. You know, we want to make sure that everything we think we have running out in the world is actually what we have running out in the world. This is all a question of not just, you know, software development and software stability, but even asset management, right? Of adding new things, taking things down, all of that, right? So having that as your fundamental baseline of, this is when we are allowed to change things, and when we know we're going to get alerts of downtime and all that, because we know we're changing it or something like that. You can coordinate with everybody in your ops team, everyone in your dev team, all of that, right? What reducing this is... man, that was real blabbery.
But what I'm getting at is, by reducing the time, it is putting front and center this notion that emergency action is not only, you know, possible, but almost inevitable. And so it could help build the muscle of, okay, well, how do I patch rapidly? How do I make sure, how do I engineer things so my Exchange server doesn't take two days to update? What if I lived in a world where it only took six hours? Wouldn't that be amazing, and I could start it at 9am and be done by 3pm? That would be incredible. You know, and so building systems to respond to fast changes that are incidentally also safe and guarantee uptime could be an outcome of this. Right. This is a lever CISA can pull, and if it works out, great. And I'm excited for them to do the measurements of seeing how this change, should it actually happen for real, impacts, you know, time to patch. Right. That's going to be the metric for them to look at. And furthermore, they can look at particular agencies and then say, well, how come this agency is really slow at it, and how come this agency is, you know, meeting and beating expectations, and what are they doing differently, what are the differences there, and how do we take the lessons learned from, you know, the good actors and help those that are struggling today? Yeah, I think that is an outcome that could really, really level up everyone.
A
Yeah, I want to dive into that a little bit more, because I'm wondering, from your perspective, what would need to be true in terms of tooling or staffing or process for a three-day default to actually be achievable rather than, like you just said, just somebody sitting around going, well, does it matter if it's on day four, day five or day six? What needs to happen in order for this three-day thing to actually become, you know, part and parcel with the way that enterprises are patching these vulnerabilities?
C
Yeah, I mean, it's going to be different for every agency. Right. Some agencies are going to have loads of system administrators and, you know, really sharp DevOps people and great contractors that are keeping everything running and running smoothly. Right. And some agencies are going to be on a shoestring budget, have gone through a bunch of cuts recently, have lost hundreds to thousands of permanent employees, have dropped contracts. Right. And so every agency is going to have to see, well, how do we move from a three-week default to a three-day default? Does this impact my staffing? Does it impact the kind of automation I do? Does it impact my contractor services? Right. Maybe I need to hire a new contractor, and that's going to need more money. And so now I'm going to ask Congress for more money in my budget. You know, don't ever let a good crisis go to waste, after all. And so CISA, by inventing a crisis... really, I don't think they're actually inventing a crisis, but agencies can use this to say, well, if CISA is holding us to the standard, we need the support to actually meet that standard. And here's exactly what we need. That's the work to be done right now.
A
Yeah, it certainly seems like the loss of significant funding and the loss of significant expertise, we've written about it, others have written about it too, I mean, that plays a big part here. There are still people that need to communicate and do all of this.
C
You don't get to just say, well, do less and faster.
A
Right. So, yeah, this is what I wrestle with, because, sure, from a technological standpoint and the AI angle, yes, there is maybe a level of automation here that I think could help with this. But I look to the significant funding lapses and the expertise that has drained and go, is this really a possibility? So I ask you, isn't there a human element too that goes into this in order to make this a reality?
C
Yeah, and that will take skillful management and, you know, managing the expectations of both CISA and ultimately, you know, the OMB and DHS, who get all the reports for how agencies are doing on the KEV. They typically are supposed to have an annual report that goes to those agency heads. And those agencies, whoever's running those agencies today, right, should take this seriously and see it as an opportunity to help modernize. Because, you know, KEV has been around since 2020... November 2021. So coming up on six, five years, you know, total. And if you're doing it the same way you were doing it five years ago, you're already kind of behind. And so juicing this deadline can help kickstart, you know, some emergency acquisitions, emergency funding calls, stuff like that. Right. So, you know, I'm hopeful that the agencies do take it seriously. It's a bummer for me that I no longer have a good signal of urgency between three days and three weeks, you know, at least according to how the KEV has gone for the last month or so. There's been a lot that seems like it's kind of testing this out. You know, I don't know if five of the last seven were really that kind of three-alarm-fire level of three-day patch turnaround. So I'm bummed about losing that signal. But there are plenty of other signals, right? There are other players in the space that aren't just CISA's KEV, like VulnCheck KEV is good. EPSS is pretty okay, pretty decent, I would say, for a thumb-in-the-air, how bad is this, kind of measurement. You know, I work at runZero. We do our own scoring.
A
Hey, that's okay. You can give a little bit of a prop. That's all right.
C
We do rapid responses, ideally the same day we find a new vulnerability that looks like it's going to pop off. So there are other sources besides just KEV. Also, CISA has other mechanisms. They still have the capability of issuing emergency alerts, and other agencies can do this too. They don't do it very much anymore without a CISA seal, but we'll see things occasionally from the FBI, or from overseas, like NCSC UK, which is a big source. So anyway, I don't think we're all suddenly left in the dark because of this. It is removing a signal, but we have many other signals, and like I said, the agencies can take the opportunity here to level up their own patch management.
A
Great, Todd. Really fascinating discussion on what may be hypothetical in the long run, but nonetheless, I know this is something that the government is definitely rumored to be talking about, and it's good to explore all the ways it could change the cybersecurity landscape. So thanks for hopping aboard.
C
My pleasure, Greg.
A
Thanks for listening to Safe Mode, a weekly podcast on cybersecurity and digital privacy brought to you by CyberScoop. If you enjoyed this episode, please leave a rating and a review and share it with your friends, your co-workers, your CISOs, your sysadmins, your mom, your dad, anybody who wants to know more about cybersecurity. To find out more information or to contact me, please look for all of our social media handles or visit cyberscoop.com. Thanks for listening. Check us out next week.
C
Sam.
Date: May 29, 2026
Host: Greg Otto (Editor-in-chief, CyberScoop)
Guests:
This episode of Safe Mode tackles two major cybersecurity discussions:
(Reporter segment with Matt Kapko: 01:43 – 08:20)
The Silent Ransom Group’s Tactics
Primary Sector Targeted: Large Law Firms
Tactics and Human Element
Evolution or Extreme Measure?
(Interview segment with Todd Beardsley: 09:40 – 36:43)
Validation is Key:
Timeline Flexibility:
Impact of Changing to Universal Three-Day Deadline:
Moving from a weeks-long to a days-long window mainly hurts:
Diversity of Agencies and Impact:
On the loss of urgency signal:
On unintended cost to under-resourced agencies:
On possible long-term benefits:
On real-world KEV deadline creep:
This episode draws a clear picture of both the evolving tactics of cyber attackers (including brazen, in-person data theft) and the enormous logistical, psychological, and technical challenges that come with shrinking the patch window on federal vulnerabilities. The move to a three-day KEV deadline, while a tool to spur agility, threatens to overload under-resourced agencies and blurs prioritization signals for organizations everywhere.
In Todd Beardsley’s words:
"Juicing this deadline can help kickstart...emergency acquisitions, emergency funding calls, stuff like that...Agencies can take the opportunity here to level up their own patch management." (33:33, 35:34)
The KEV deadline debate is a microcosm of cybersecurity’s broader challenge: moving fast enough to beat adversaries, while not burning out the people and systems that keep critical networks safe.