John Strand
What's this comment? The WAF on my malware Finds a Way shirt is extremely high to the point I thought my wife would steal it before I got to wear it. That's a. Well, your wife has taste, but what's the waf?
Daniel
Wife accrual factor.
John Strand
That might be it. Wife accrual factor. Wife acquisition factor. Thank you.
Daniel
That's the word I was looking for.
John Strand
Yes, yes, yes. That's good. Excellent, Excellent.
Kelly
So that's no joke, man. You can't bring nothing home.
John Strand
Good.
Kelly
My wife. This is for me.
John Strand
All these people give us links and it's like. And it's like, I've got to. I've got to. Oh, are we streaming?
Zach
We are, yes.
John Strand
Oh.
Brian
So we're talking about wives for a second. Black Hills has new feminine wear. I just want to point out. Very happy with it. Thank you, Deb. Thank you, Jason. Love the new feminine style. BHIS gear.
John Strand
Yup, yup. There we go. Oh, my God. Are we ready to do this? Wonderfully affectionate friend. I like that, too.
Brian
Did we get the finger yet?
John Strand
No. You know what? We got to do a poll. What do we like? Do we like the new finger or the old? Because I'm kind of partial to the old finger.
Daniel
I'm kind of partial to the old finger also.
John Strand
Yeah, yeah.
Brian
Is that the same finger?
John Strand
No. Well, it is, but one's like a. Like a graphic. Like it's a cartoon version of that finger is what we're talking about.
Zach
So the new one then you're talking about here that I see in behind the Scenes.
John Strand
Behind the scenes.
Zach
The old one.
John Strand
I don't know. I don't know. I like the old one, but then again, I have incredibly bad taste.
Zach
Do you?
Brian
Brian gave me the finger. That wasn't very nice, Brian.
Zach
Should we run a poll really quick and ask.
John Strand
Let's do both intros. Let's do both intros and we're going to let the people decide. So bring up old intro.
Zach
Old intro. Here it goes.
John Strand
Hello and welcome. And that was not the start of Black Hills Information Security Talking about news. That was the old intro. Now let's roll the new intro. Hello and welcome to the official start of Black Hills Information Security. Talking about news. My name is John Strand and we need your help choosing old finger or new finger. Are we old school or new school? Let's get some. Let's do this. We got old, old. Anybody like the new? Anybody at all? Anybody like the new intro?
Zach
Wow.
John Strand
Damn.
Kelly
The people.
John Strand
Kelly does.
Brian
It's very 1990s.
Kelly
That's exactly what I thought I was like, man, this takes me back to playing CD ROM games.
John Strand
Because that's exactly what I'm going for in this webcast. That's old. Looks like Ms. Club park versus new. There we go. Oh, I need to hit the play button. All right, let's.
Zach
Poor guy.
John Strand
Let's go ahead. I don't think we're any. Look at that, Kelly. They're rolling in now. New ones. I think we got nowhere closer. I got nowhere. I got nothing. I just got nothing. That's why we just should never ask people their opinions. We should just do it and. All right, so let's get into the stories because we have some good stories here.
Brian
Wicked goods.
John Strand
Let's go through. Okay, we're going to talk about Wicked first. So apparently Mattel pulls thousands of Wicked dolls off the shelves because they were printing adult websites on the package. Apparently they printed on the package wicked.com and I do this research for you all. Let's go www.no. not sharing my screen. What do we have here? So what would Kid O. So apparently Cisco Umbrella blocks this website and it says it's due to content filtering report an incorrect block. So I'm going to click that, I'm going to put in my name and I'm going to say this is a site for dolls. Dense site. No, I'm not. But it's under the category pornography is apparently where they were sending kids. I, I, I can see this mistake. I can, I, I can get this as a mistake. But how many people do you think are running out trying to get these dolls just because they're going to be like super good collector's items?
Kelly
Oh, there's no doubt about it. These, these things will probably fly off the shelves now that they know that this is exactly what's going to happen if they have one.
John Strand
Is it a bit like, how weird is it on a scale of 1 to 10? If I went to Walmart and bought like 10 of them, that would that be pretty creepy.
Brian
Works in South Dakota.
John Strand
In South Dakota, yeah.
Brian
Pretty weird.
John Strand
Pretty weird. Thanks. Yeah, you're probably right about that. But I like this just goes to show that mistakes like this happen all the time. And you know, there's some poor intern that did this or at least some interns going to get blamed for it because, you know, it had to go through nine layers of executive approval before it goes anywhere.
Kelly
So isn't that the whole reason to have interns, John, is so that you can blame people?
John Strand
Right?
Kelly
They are the hired scapegoats.
John Strand
They are the hired scapegoats. That and systems administrators. It's like, we're gonna need another system admin.
Zach
Does that mean you're the default scapegoat here, John, because you're the managing intern?
John Strand
I am the managing intern. I get all of the. Right. That's. Boy, he just brought that up straight to my LinkedIn profile. Damn. Straight to the heart. It is not the first time this kind of thing happened. I remember the air freshener with. Oh, no, with a male anatomy part on it. We got completely swamped people buying that air freshener. So it just goes to show, sex sells. I feel like there's better jokes. I feel like there's better jokes. Like, if I was more awake and more caffeinated, I would have better jokes on this as well. Executive. It was in one of the executive site and they wanted more traffic. How much you want to bet that Wicked.com all of a sudden is getting a lot more traffic?
Daniel
Oh, people are going there for their dolls.
Kelly
Yeah, yeah, yeah, exactly.
John Strand
So. So. But no, it's just how bad it is.
Brian
On a serious note though, remember, there are children, young adults, who do have phones. You know, we've talked about that previously on the newscast, where kids are getting phones that aren't necessarily locked down with security settings and they could very easily go to that website and mom and dad wouldn't know about it. So there is a serious angle to this. I'm not going to tell you not to buy the dolls. I'm going to say, hey, if you don't know what your kids are doing on their phones, probably good time to look.
Kelly
You know, my. My daughter, my oldest daughter, she's. She's almost 11 and she's been asking about a phone lately. I said, honey, here's what you got to understand is when I. I give you a phone, I don't give you access to the Internet. I give the Internet access to you. And that's a scary problem.
John Strand
Oh, I didn't think about that. Yeah, that's really. Dude, that. I don't care how you dice it. I get what you're saying, but that sounds so horrible.
Daniel
Yeah, it does.
Kelly
I'm very hesitant.
John Strand
Yeah, I'm very hesitant. I don't think you want to say that out loud on a webcast with like recorded. Yeah, because. Because somebody could just take that one snippet of what you said without context and be like, honey, I'm giving the Internet access to you. And it's just like, it's. It's bad. It's bad. And I think we're about as far as we want to go down this rabbit hole. Uh, speaking of rabbit holes, do we want to talk about Office apps crashing on Windows 11 with CrowdStrike antivirus?
Brian
Sure.
Kelly
We want to get that SEO, don't we?
John Strand
Oh my God, yeah. Because that's what people are looking for, right? Oh, no. Well, CrowdStrike, would this even be that big of an issue at all if it wasn't for what happened earlier this year?
Kelly
Well, it'd probably be more focused on the fact that it looks like it's Windows 11's update that's causing it.
Daniel
Not necessarily.
Kelly
Right. It just so happens to be not loving CrowdStrike and not the other way around.
Daniel
Well, this update also had another problem with a voice app that put them onto pause and I hadn't heard that it got. I knew that they had fixed that, but I had not heard that it had gone completely public yet at this point in time. I guess we're finding out now.
Brian
Well, let's talk about responsibility for a second here.
John Strand
Yes.
Brian
CrowdStrike stepped in and said, listen, we know that there's a problem. We're going to turn on enhanced exploit vulnerability prevention policy. And second of all, Microsoft, and this has been happening for years. Those of us who've been around for a while know that Microsoft can control who gets what deployments. They've already addressed the situation and said, we're not going to deploy it to the voice systems. We're not going to deploy it on those running this particular setup. So that's why I say, John, I think it's kind of a non stop story. They're. I think they're cashing in on CrowdStrike's claim to fame.
John Strand
I mean, you're definitely going to get clicks for the article. We're talking about it, right? I mean, but I go back to CrowdStrike, you know, like what they did, of course, I think we can all agree is bad, right? Like from the software development. That's bad. We can all agree. Not good. Right. And after a certain point, like the bad news that you continue to get with these particular stories is it really is just people like chasing the narrative of CrowdStrike being a horrible, horrible company, which they're not. I want to make that clear. CrowdStrike is totally not paying me yet. Although this shirt is Black and empty. CrowdStrike, like you could totally, you could totally buy me off with a whole bunch of low sodium V8, but it's just, I don't think that they deserve this type of the problems and the news cycles that are there. But it's going to be like this for a while, right? It was like, you know, Adobe, they had their time. Microsoft of course had multiple times where they just had really crappy news cycles. But like I said, the biggest thing that concerns me from the previous one is whenever you're crashing hospital systems, there's no way any hospital is going to bring CrowdStrike back in. Even if they. Oh well, they're better now. Trust us. Nobody wants to take on that risk for these very, very mission critical and life critical applications, because if anything goes wrong, the person that brings them in the front door is inevitably going to get blamed. Like an intern, like a managing intern, like a systems administrator. They're going to get blamed for everything that goes wrong because CrowdStrike was in the news. And I think that these stories just continue to feed that cycle for another cycle term.
Kelly
You know, you build a thousand bridges and you have one global outage.
John Strand
I like how you didn't go the goat story. You didn't go the goat story. Well done. Well done, sir. So, all right, let's move on. Does anybody else have a story they'd like to talk about? I'm going to go get myself a low sodium V8 while that news story gets queued up. You guys choose the next one. I'm going to go get a low sodium V8.
Kelly
Albert, what was the one about the. The accidental upgrade from Windows Server 2022 to 2025?
Brian
That's a juicy story.
Kelly
Yeah, that sounds like it was a dumpster fire.
John Strand
So which one?
Zach
What was that under? I'm sorry, I gotta find it.
Brian
It's up towards the top. Zach.
Daniel
It's the one that says.
Kelly
Oh, there it is.
Daniel
Mislabeled patch sends Windows Server.
Zach
Thank you. I'm sorry, I'm not Ryan. Y'all, it's okay, we'll get there. We know I'm not a serial killer.
Brian
I'm sorry, Daniel, you want to talk about this one?
Kelly
Well, I just thought. I thought I saw the headline and was like, oh, that seems bad. That seems like, because. Right. I love the article. Kind of just goes on to the fact that, you know, upgrades are usually cool thing. You get new stuff, new bells, new whistles, patches, fixes. Things are more optimized.
John Strand
Breaking your existing applications.
Kelly
Everybody loves it. Except when you're not expecting it to happen, you start to pull all your hair out. And that was the incident in 2015. That happened to me. That's why this. But no, we don't like to do it without a plan where we go. You know what we're going to do? We're going to upgrade from one thing to the other because we had tons and tons of testing to do and make sure everything works. Because to John's point, if it doesn't, well, then we're going to need to think our way through that problem before we hit the deploy to production button.
Daniel
You mean you shouldn't yolo it?
John Strand
No, you don't. You just know that somewhere out there, sysadmin did this and it worked and nothing broke.
Kelly
And he's just like, whatever.
John Strand
I'm not taking the bus home. It's like Final Destination. He's looking at the balance of positive and negative karma in his life. And right now he knows. Not that that balance is way tipped too far. Bad things are going to happen. Like Keanu's falling out of the sky and smashing him.
Daniel
He wishes he had played the lottery instead of pushing that button.
John Strand
Yeah, yeah.
Kelly
Have we ever had this happen before? Is this a new thing? Like, I don't remember ever hearing it.
Brian
It's not new.
John Strand
I can't think of an entire operating system upgrade. And am I clipping? Is my audio clipping? No.
Kelly
You sound good.
Daniel
No.
John Strand
All right, Sounds good. Yeah. I can't think of an entire operating system upgrade.
Brian
Yeah, all this happened back with 3.51 to 4. Also, it may have happened within the Windows 95 cycle.
John Strand
I think. I love you. That's so awesome. God, that is. That is the coolest thing ever. Windows 3.5 to 4, it's like. That's dropping like some serious knowledge. Holy crap.
Kelly
That's a deep cut right there.
Brian
I think he just called me old. Thank you.
John Strand
No, I didn't. You know, I have no soapbox to call anybody old. I just don't on that as well.
Brian
Well, the other interesting thing about this article is there's so much noise right now about Windows 10 to Windows 11 upgrade. Remember last week we were talking about the we're going to pay you 30 bucks to be able to run Windows 10. That whole discussion. And then this also happens. So you know Microsoft, they're always working on trust. They tell they've got them the Security Trust center, but this just kind of adds confusion to it. And also when you're sys admin and you're trying to build trust within your organization and it's very easy for something like this to happen, you lose credibility and it's frustrating. And that's why we install Linux.
John Strand
Yeah, yeah, yeah. I didn't see that, that was a hard left turn. Yeah, I agree with that turn. I do. You know we have seen this with software though, right? If you remember, AV would be bundled with all kinds of anti-spyware. That would literally just be spyware and adware popping up. I think it was Symantec, McAfee, or both a number of years ago that did that. Just surprise upgrades and surprise software installs are never, ever a good thing.
Daniel
No.
John Strand
Oh, my God. Could you imagine, like from your auditor's perspective being audited in the middle of something like this? And like, you guys do. You guys do auditing? Like, what is it, control number two: are you guys auditing your software and your secure configuration? Yes. Yes, we are. And it's like, why is that server running 2025? Like, it. What? Oh, God. It's like the auditor is just like, bam. And then there's like brimstone and you smell sulfur. That's how. That's how I. That's how those types of audits go in my head. I don't know.
Brian
Don't you always smell bribes, offer and bribstone when the auditors show up?
John Strand
Always, always, always like they're walking around.
Kelly
Yeah, it's like going through 27001 and they were like, well, we're not doing stupid stuff like having, you know, passwords under, under keyboards. They're like, we'll flip one over. And there was a password on it right there.
John Strand
Right there. Yep, right there. All right, so let's talk about some good news. I think, I don't know, but the suspected Snowflake hacker has been arrested in Canada apparently for more than a week. Judische, or Waifu, the hacker linked to the AT&T, Ticketmaster and other breaches, has been not responding to messages because they have been arrested in Canadia. So. Well done. Mounties, by the way, don't mess around with Canadian Mounted Royal Mountain Police. Those guys do not play. They are hardcore. But that's. I think this is good news. I think anytime we get a win, we should take it, right?
Kelly
Amen.
Daniel
Agreed.
Kelly
And we've been on a tear here lately. A lot of. A lot of hackers being arrested lately and sites being taken down. So, yeah, keep. Keep kicking butt out there.
John Strand
Yeah. And that brings. That brings me to another story, but go ahead. Kelly, you were going to say something about this one.
Brian
Oh, I was just going to ask Daniel, do you think there will be a change in that with the new administration not being political, this is all about cyber?
Kelly
Yeah, I don't think so. I feel like These are one of those things that just kind of like, oh, it's doing fine. It seems to be fairly effective, like with CISA and everything. What's that?
John Strand
Just to keep the ball rolling, right?
Kelly
Yeah, you just, you just keep it going. If it's not doing anything that's causing an issue or. And it's actually being effective, you kind of, kind of go, well, good job, previous administration.
John Strand
Yeah, way to go. Because we all know administrations are like that once again, not being political. They all hate each other is what I'm saying. And that leads into another story, that Interpol cybercrime sweep. This is a. This is an article from PCMag, kind of continuing on the theme of good news. But Interpol Cyber Crime Sweep takes down 22,000 IP addresses and arrests 41. And these are cyber criminals. They're using generative AI to send spear phishing emails, Interpol says, which is just like, I actually felt pretty good because I. Some other stories that I've read about this is this group and these people that were doing this were also some of the groups that were going after, like hospitals and schools and like, just things you shouldn't go after. I mean, you shouldn't hack, period. Right. But there has to be a line and there has to be some honor among thieves. And I think this is a good news story that once again, we need to take the wins where we can get them.
Kelly
Yeah, it's always nice. I mean, they're fairly depraved on what they'll allow or go for anymore. Like, to me, like, sextortion. Why is this a thing?
John Strand
Oh, one of my friends got hit with that via text message and was like, you know, I just want to let you know, Bill, that I've seen your filthy, filthy browser history and I'm going to send it to everybody and we're going to share with all your family and all your friends. And I saw that and we were all laughing about it when it came in because we all work in computer security. But we sat back and we started thinking about it in terms of just like a normal person getting hit by something like that. Like, that's gotta be devastating. And you're probably thinking, no, they. Maybe they don't have what they say they have, but then again, they might. And I just do. I mean, for me personally, do I want to, like, defend myself for going to wicked.com on my phone at home? Because I have. No, I wouldn't share that publicly. I wouldn't want that shared publicly. By the way, that site, as far as adult sites. Really, really tame, by the way. Like crazy. Like, I'm sure it gets worse. But. But seriously, you know, you put those threats down on people and it could even be worse. Like, let's say, you know, you're not even, like, you don't ever go to porn websites. They could totally sell. I send. I remember this would have been early to mid 2000s. There was a case that I worked on where somebody broke into someone else's email and sent child pornography to all of the people in that person's address list. So that was probably, I think, one of the worst, like, attacks that I've ever seen because that person was absolutely devastated. It was clearly a hack. It was clearly an attack. But talking with that person months and months after the engagement, they were still shunned by the circles that they were in. So just kind of scummy ways of doing things. Yeah.
Kelly
Just ruining people like that. Need for some money.
John Strand
Yeah. For the love of money.
Brian
So the interesting bit about that article.
Kelly
Go for it.
Brian
Yes. John, I'm glad you pointed out some good news because usually we have bad news on the website. The other interesting thing was how they tied in the use of generative AI in the article.
John Strand
Yep.
Brian
And there's so many articles about, oh my goodness, AI is going to be the death of us. It's the worst thing ever. It's nice to see a positive example of gen AI being used to make the cybers better.
John Strand
And I, and I think it can definitely be used for that. Right. I. I just, I'm just worried about it becoming an arms race between the bad and the good. And I hope we don't lose that arms race. Right. Because that generative AI, like, I've seen some of the videos from some of the organizations that we've done incidents on where they set up video conferences and they start demanding that money get transferred. It's. It is so good. It is so well done. I just hope that we're. We're prepared for it. But I think that goes back to training. Kelly. You know, we used to talk all the time with Lance about what is the value of, you know, doing security awareness training. And I feel like security awareness training now is probably far more important than it ever was because, you know, we never got trained for the crap links like, hey, ups, shipping, notification, and now we have to train people for, like, video calls from their boss that looks and sounds exactly like their boss. That's some scary stuff. That's some really scary stuff.
Zach
So do any of you guys worry about that with how much content you have out there on the Internet right now, like how much video, like somebody could just pull down and generate.
John Strand
I'm going to let Daniel go first.
Kelly
Yeah, I absolutely worry about that. You know, it's something I used to talk with Sophia, who I used to work with. You know, she does voiceover stuff and a lot of on camera things as well. So she was really invested into what AI could be done. She got contacted by quite a few people about, can we use your voice to train our AI? We'll pay you X amount of dollars. And it's like, I don't know that I want to do that. I don't know that I want to feed the beast that fast and get it to grow that quickly. I think we need time to adjust and to be able to find an equilibrium of some kind with AI before we just kind of let that dog off the leash and let it run. Because we've seen as to John's point, what horrible, horrible things are already being done. So for me, yeah, heck yeah. I worry about someone clipping up my stuff or using the video and audio that I have out there of myself that is freely available and utilizing it for something I wouldn't want to be a part of. And then you got to go through, how do I. How do I get that taken down? That could take up all your day. Maybe it does something that's really horrible. And now you're like John's friend whose people just assumed it was you because you know how everybody loves to get the full story before they make a judgment call. And now you're just, you're just burned, you're black, all the X, Y and Z places because they thought you did something bad. You didn't even do it. So, yeah, I'm worried about that to that extent. So I'd like to see a slow down the development of it and the implementation of it so that we can kind of get a hold of it. But I don't know how that's going to happen.
John Strand
So it doesn't concern me as much. You know, there's a bunch of reasons why, but I think for a long time I've been protecting myself. And we'll get into this a little bit, but like, I don't travel hardly ever without my wife, right. So if somebody was like, oh, John was at this con and he had an affair, my wife would be like, that would have been a surprise. I don't remember that happening. So if they were trying to use something like that, if it was some kind of illegal pornography. I've been working with law enforcement for years. I think the thing that scares me the most about AI when we're talking about our field is the idea of stealing who we are to train AI models moving and we'll talk about some training organizations and things like that in a bit. But there are organizations out there that are taking the content that's created by people in this industry. Like see the 404 website showing up again and again and again and now they're going behind a paywall or you look at, you know, CNET articles from years and years and years ago and you tab all this and all of that is just getting fed into this monstrous plagiarism engine and you have all this work and then you have the models for me presenting year after year after year after year after year. I am 99% certain that somebody could create a class of AI John Strand videos. Just doing my class, it could absolutely do. Right. And I think that's the thing that scares me is I feel Daniel, that in a lot of ways, especially people that are in the education realm, right. We are literally training the models that are going to be part of our demise.
And as I mentioned, one of the organizations I used to do work with, not SANS, different group, just need to make sure that that's clear because usually when I say that I'm talking about SANS, they're basically taking all the calls and all of the presentations and everything that their faculty create and they're sending it through AI models and then they're creating these LLMs that the customers can use to get these answers and get these questions taken care of. And there's no reimbursement model, there's no funding model going back to the people that built that data. And that's the thing I think that scares me the most is you have people that develop years developing a skill and then it's just going to be co-opted and then just fed into another, another LLM and then kicked out on the other side. So that's, that's my concern.
Kelly
Yeah, no, that's a good concern. I mean that's absolutely right. If someone were to take your years of content and then go yeah, I can use that now to create my own bot or whatever that's AI get the same exact type of training for whatever low, low price it's going to be. I mean we've always dealt with some types of piracy and yeah, we always have. Right, yeah. But this is, this is next level kind of stuff and it's if they, if they create an AI that's not necessarily you, but is trained off of you, that seems like it would be extremely difficult to fight or pin down, right? Yeah.
John Strand
Now it's easier for me because if all of a sudden the, like, if the LLM model starts talking about the deliciousness of the V8 or they start spouting off sasquatch memes, you know that they're like, yeah, that model was trained on John Strand's data at that point. Because no one, no one drinks the delicious low sodium V8 except for John Strand. That's it. That's the only.
Kelly
And no one drinks it like you, John.
Brian
So let me add to the conversation when we're talking about communication, right? Because isn't that what training and teaching and consulting is really all about? So when we talk about communications, I, as the communicator, I own my intent. I know what I intended when I said what I said. But usually I don't own the impact. So when we, when we kind of measure in my intent versus the impact on who received the communication or heard the communication, that's where I think AI breaks down. So as long as I can control my intent and I can help form the impact that my communication has on people who are in a webinar or in a training model, I'm more comfortable with that than just dumping it into an LLM and not knowing how it's going to impact those viewing it or.
John Strand
How they could take that intent, twist it into something very, very wicked.
Daniel
This is, we're not the only group that has these sorts of issues. I mean, you could take a look across news, especially the entertainment and voiceover fields, where things are being trained on it, people are using it. It's really an extension of the deep fake models and how much easier those are becoming. And where does the truth lie and where does the truth not lie in at all? And I think honestly what we need is we need these companies that are creating the LLMs to come up with some sort of, I hate to use the term mark of the web, but mark of the AI or something to say that when you create something, this is going to be marked as being AI generated in some sort of way that makes it more difficult for somebody to remove that mark. So that way we know it was generated by artificial intelligence, that it is some sort of deep fake and we can put our stamp of approval or disapproval on it. I think that's really where the future, at least in the short term, has to go on this sort of thing.
John Strand
Excellent. All right, so let's move on. I think that's a good point to kind of close that out because we can talk like we literally just do an entire podcast on that. But one that I think, once again, damn, this is just good news. Google Cloud to mandate MFA for all users in 2025.
Kelly
And that plan.
John Strand
What? Right.
Kelly
How is this a bad plan? Right?
John Strand
Oh my God, this is so good. I. Oh, sorry, John.
Brian
I was just going to say now everybody's aunts, uncles and grandparents are going to be calling them, saying what am I supposed to do?
John Strand
Or more than likely they're going to be like, well, I'm going to move my account over to Yahoo. So I don't have. I don't know if Yahoo.
Brian
Aol.
John Strand
Yeah, Hotmail. It's just, why hasn't this been in place for a long time? Even SMS text, Raddus brought up SMS text. And I know a lot of people like crap on the idea of SMS based two factor authentication. We banned it at BHIS, right, because our target model involves, our threat model involves nation states target model. Talk about a Freudian slip. But that's us, right? But for aunts and uncles and grandparents and parents, there's nothing wrong with SMS based two factor authentication because it's going to help them deal with like their stupid passwords of password1234. Because no one's going to guess that this is great. I think that this is just fantastic that they're, that they're moving this and rolling this out to all their users. I mean, by the end of next year, wow.
Daniel
I'm going to be the one to ask the stupidest question in the world on this because reading through the article, all it keeps saying is Google Cloud just like AWS cloud, just like Azure Cloud. Does it really affect Gmail? It does not say anywhere that it's going to be for the home users. This really sounds like we're talking enterprise level only.
John Strand
I took it, as somebody said in a blog post, here we go, let's do it. When they say all users, they took that to mean all users. Well, millions of users worldwide.
Brian
It's a fair question.
John Strand
I think it is a fair question. I don't think it's a dumb question at all.
Daniel
That's all I know how to ask are dumb questions, whether they're fair or not.
John Strand
All right, so here we go. Require it early next year. It's going to be users who sign in with a password to Google Cloud Console, Firebase, gcloud and other platforms. And then by the end of the year, federated users: they will extend MFA to all users who federate authentication to Google Cloud, with flexible options to meet this requirement. I don't know.
Brian
That means Shecky goes first.
John Strand
Yeah, that means you get. Am I not going to be happy? Well, it sounds like if you're a corporate account, you're going to have. You're going to have to have it. Which from our perspective of what we're dealing with, you know, maybe not the aunts and uncles that I was hopeful for, but seriously, if we can just push it out to corporate accounts, I think that we would take that.
Kelly
Your aunts and uncles out there are probably more secure than your average C level, right? Because they just set all this security up. I can't do what I want to do.
John Strand
Daniel.
Daniel
Hot takes: "Gmail already requires MFA." No, it does not. I know plenty of people that use Gmail who do not have it.
John Strand
I just had a family member get hit last week and I don't know if you guys have had that conversation. It's like, you know, they call you up and it's like, dear God, you know what, you got hacked. Yeah, I did. Can you talk me through? It's like, well, I had an email and it said it was from PayPal and it looked pretty urgent. And then I clicked on it and it had me authenticate and then I did and it's like, you know. So how long was your password? Well, it was six characters. Oh God.
Brian
I think there's another piece of good news attached to this though. Maybe Google's addressing small and medium-sized businesses that may be using federated accounts that may not be as large as BHIS or whomever. So we've talked before on the podcast about how small and medium-sized businesses don't necessarily have cybersecurity resources or knowledge. So I do believe we are tackling low-hanging fruit, even if it isn't our aunts and uncles here.
Daniel
Oh, totally agreed that there definitely is a level of low hanging fruit that's being tackled upon all of this. I want people to be realistic about it as opposed to saying, oh, Google's doing MFA everywhere and all moms and dads and grandmas and grandpas and aunts and uncles are now going to have to be forced to do the MFA thing. It's difficult enough to get them to do it for something like Facebook or any sort of social media, let alone their email.
Kelly
Can we start a phishing campaign for aunts and uncles that tricks them into turning on MFA?
John Strand
There you go. There you go. Yeah.
Kelly
Why can't we use this power for good.
John Strand
I use this power for good. Started spear phishing people. It's like, I click the link and all of a sudden I had to enroll in MFA. It's like, you'll get sued. People will be like, look at the damage you've caused me, Daniel. Look at what you've done. I haven't spent literally 10 extra seconds logging in once every 90 days like.
Kelly
That. Bring in a crisis counselor.
Zach
Do you guys ever think we'll get to a point where you'll have more social media sites that are forcing MFA at some point?
John Strand
I think we are. Absolutely. I think that it's just a matter of time. I think it's heading that way because they don't want the liability of that stuff. They just don't. I mean, it's a bad news story whenever it's a third-party service that gets compromised just because they allow people to do stupid things. Well, we deal with that all the time, Zach. I think that that's interesting. Not just social media, but as pen testers, if we're doing a web app assessment, we're like, hey, your minimum password compliance is six characters, and there's no MFA. That's a critical. And I get to fight. I get to fight customers all the time on that. So the conversation goes like this. It's like, so you said that this is critical. Yes, it is. But you didn't hack into our website using that technique. I'm like, great. Do you want us to password spray your users, gain access to your user accounts to prove that we got access to that? And usually the customer is like, well, no, that seems bad. Having a pen testing team break into a bunch of our customer accounts. But it's one of those gray areas in computer security testing where in the vast majority of pen tests we can show that we can harvest credentials. We may be able to do credential stuffing and not actually use the attack, but actually gaining access to things like bank accounts, passport information, things like that, that's usually well outside of the scope that we can do in that test. And many times the actual customer thinks they can give us that authorization; they really can't. So these areas don't get tested. And now we end up in a situation where somebody gets popped using that technique. And I think that that's ultimately what's going to move the needle. So I look at it as one of those areas that just doesn't get tested very often. And because it's not tested very often, a lot of organizations, social media sites, don't look at it as a problem until it's one that's sitting right on their doorstep.
Kelly
John, can you speak to why you will see that in today's day and age? Like it's not 1996. Why are people creating websites with such low security measures?
John Strand
Like, because they created the website in 1996. It's just. And the guy that wrote the code is dead.
Kelly
Blink tags are still on, right?
John Strand
Blink tags are still going. The other reason why, Daniel, is you've got to remember, and this gets into my soapbox that I get on all the time, PCI just required, you know, increasing password complexity up from seven last year. Like, that was their minimum of seven characters, right? And if we're looking at the NIST framework, they still don't have. Well, I think they did amend that. Now it's up to, like, I think 13 characters. I can't remember what NIST set it to. I have to go back and look at it again. But you had these standards that had really garbage password complexity standards for years. They go all the way back to the NIST dream book and that's what they build their website to. So when you're talking to developers, they're like, well, we're in compliance with PCI. Get bent, pentester. And we'd have to deal with that. And now it's getting better. It's finally getting better. So there's a number of reasons why that occurs, but one of the biggest was because compliance standards suck.
Kelly
That's such an ironic thing, that the security standard is telling them that they are secure and not that, oh well, that security standard's a 10.
John Strand
Yeah, but you know, a lot of people look at it like, when they write the standards they always tell me, well, this was the minimum. The minimum. We encourage passphrases. As soon as you create the minimum, that's what it's called.
Kelly
That's the standard.
John Strand
Yeah, that's the standard. And that's the standard we've had since 1985. And like I said, kudos to PCI for stepping it up. Nothing but credit for them. Kudos actually for NIST. They're kind of modifying things after, you know. I don't think we had anything to do with it.
Kelly
Do you think that they're going to get to where they're creating standards that are forward looking instead of what's now?
John Strand
No, and the reason for that is the standards are created. Like, if you're ever part of a standards board, it's one of the worst things you can possibly do. It's a lot like politics, right? Like, all of the people that want to be president should automatically be disqualified from being president because they want to be president. Now, I don't care what your political affiliation is. You've got to agree with me on that.
Kelly
I do, totally.
John Strand
So you get these people that end up on these boards and whenever they first start creating and assembling the Avengers, they like to look at resumes of people like, this person has a PhD, this person works at this particular company as a CIO or whatever. But a lot of these people just don't actually come with any real world experience in what it actually takes to secure an environment and what it takes to break into an environment, what it takes to respond to an incident. And like I said, I genuinely blame a lot of people in academia because a tremendous amount of them, they have these ideas, they have these beliefs, but they've never really been in the real world. And they end up on these boards and in developing these new standards moving forward.
Kelly
Listen, John, if anything I know about PhDs is that they know about the real life because they took a class on it.
John Strand
They did. They took a class. By the way, Simply Cyber people, this doesn't apply to Jerry. No, I want to make that very clear. Like, Convoy is awesome and if we could have every PhD on the planet emulate him, we wouldn't have this problem. Hack Char said, I quit IEEE due to their terrible security publication. For a while I was with that organization. I just got busy and I couldn't be part of it. But it was the same type of swirl where people would argue about stupid shit over and over and over again. And I remember being on boards, not IEEE, but being on boards for different states trying to establish security standards and arguing with them about seven-character passwords and how that's really stupid. And I loved it. Anytime I was in the meeting where someone would say, well, can you prove to us it's bad? Yes, yes I can. Let me do a screen share, boys and girls, and then you could actually demonstrate that. But a lot of the people don't understand the risk unless it's demonstrated to them. And I think that that's the big problem that happens with academic-level security and practitioners as well. There you go. NIST. NIST guideline was updated. Minimum of eight characters in length. Should require passwords to be a minimum length of 15 characters. So that's a great update, like nothing but kudos to NIST for making that change. So well done, NIST. Well done. All right, I got a couple more I want to get to, y'all. Cisco scores a perfect 10. Oh, no. It finally happened. I. I think.
Brian
Did they stick the landing?
John Strand
They stuck the landing. They stuck.
Kelly
Mary Lou Retton, she just.
John Strand
Boom. Right to the mat. Arms up. Perfect. Arch back, present, nailed. They're hugging their coaches. They're thinking, like, they receive their award. They're like, I'd like to thank all the shoulders of the amazing people that I stand on. The backs of the Adaptive Security Appliance crew, the people that invented network address translation. Without you, there would be no Cisco today. Shout out to my peeps. And this history. All the companies, all the companies that Cisco acquired and drove into the ground, we couldn't get here without you all. Like, this type of CVSS score, it just doesn't happen by mistake. All the developers, all the developers that were rushed to get their code out, like, in the middle of the night, security be damned. Like, all of you made this possible. Well done, Cisco. Well done. Perfect 10. And it's in something called the Ultra-Reliable Wireless Backhaul, which I think is just classic.
Kelly
I'm enjoying this. I'm actually on the Cisco site and it says workarounds: there are no workarounds that address this vulnerability.
John Strand
Hence, 10 right to the mat. Boom. Double feet.
Kelly
It's amazing.
John Strand
They. You know, when they did this, they did it in slow motion to make sure that as they were doing their giant over the high bar, that their legs weren't separated, their toes were perfectly in alignment. Just. They just nailed this QA.
Zach
Rude.
John Strand
Beer says QA is for suckers.
Kelly
That's right. Yeah. No, this is chef's kiss right here. Huh?
John Strand
I. I think it's great. Now watch it. Like, somebody at. They're going to be mad and they're going to be, like, going to drop it to a 9.9 and there'll be some political backlash about it being a perfect 10. Porn, honestly, is more likely to get an 11. They don't go to 11. 10. 10 is as high as you go. We're not. We're not. We're not playing by Spinal Tap rules here. Like, we established 10 is 10, although.
Brian
Oh, sorry, Jen.
John Strand
Go ahead, Kelly.
Brian
I was just going to say we've had the conversation on the news before about how many tens or how many high scores there's been. And to the point we had a little earlier in the conversation about the effectiveness of CISA, we are seeing them giving out much higher scores and saying, listen, we're not going to shy away from saying this is really, really bad, but, you know.
John Strand
Okay, so get to that. Does a 10 mean more than a 9.9 or a 9.8 or a 9.7? Like, they're all going to hurt really bad. There's exploits available, they're going to hit. But you know what? A perfect 10 gets people talking about it. That's. That's kind of what we need.
Kelly
Yeah. Do we end up getting alert fatigue for 9.8?
John Strand
I think we did. I think we did. And it might be good. Maybe they save tens for these special occasions. No, it's. It's just. It's a 10. Wow.
Brian
Maybe a 10 gets a CISO's attention or it's the. The risk committee's attention.
John Strand
I would hope so. God, we got to get something to get the attention there.
Daniel
I think some of the big takeaways on this, because I was looking, I saw this when it came out last week and was talking with my CISO about this, and there were two things that came to mind. Number one, it's an HTTP attack on the web console for it. How many times have we said that those web consoles, those admin consoles, should not be exposed to the Internet?
John Strand
All the time. All the time. Yep.
Kelly
The second time makes it difficult for me.
John Strand
Didn't we do a check on this, Mike? Didn't we do a check on this? Like, how many of them were exposed on Shodan?
Daniel
I have not done that sort of check at this point in time.
John Strand
Okay, keep talking. I'm going to try to see if I can do a Shodan search.
Daniel
The second thing, and I think the more worrying part about it, is I don't know many companies that use that backhaul. I've heard of a lot of municipal wireless that does that, metro wireless that uses that backhaul. And that is where my concern actually lies more, in the government sort of thing. Such a wide-area thing, especially if they've got the interface open to where a public person can get at it over the course of that backhaul.
John Strand
Trying to see if there's a Shodan search for this, you would think that it.
Daniel
Would be underneath the CVE.
John Strand
But while everybody's doing this with us, see if we can get this. Because you know that these things are exposed. I bet you're talking tens of thousands of these.
Zach
You want to share your screen, John? Show everybody what you're doing?
John Strand
No, I'm just fumbling around right now. But I'm telling you right now, it is not wicked.com.
Kelly
He's reading his sextortion email right now.
John Strand
Yeah, I'm reading the sextortion. He wants everyone to know about you, you horrible person. Yeah, there's one. Yeah, I don't know what the header is for that. Then we could do a search on that. Does anybody have access to one of those devices? So we could do a search on that string with a server identification. That doesn't look like it, but like I said, I bet you there's a lot of those.
Daniel
Oh, agreed. I'm sure there's. There's a whole bunch of them, a whole ton of them out there. But it goes back to our point of don't put a management interface out on the Internet.
John Strand
But Mike, that's one of those things. When we talk about it, you. It's another fight, right? Like, we get into pen testing once again, and this is just what we do. And that's fine. It's just. It's just part of the game, and that's okay. It doesn't bother me all that much. But I think that people need to understand that a lot of this stuff just doesn't get checked or doesn't get fixed because it's not being tested properly for a number of reasons. Go. Okay, that's not it. I feel like I'm getting close.
Brian
So, John, to your point about being tested annually, my understanding is companies should have different types of pen tests. Is there a recommendation on how to rotate different types of pen tests?
John Strand
There is. So one of the things that we're working on in developing the new Penetration Testing Execution Standard is basically there's multiple levels, right? So you'll have a standard vulnerability scan. And there's a lot of value in doing a vulnerability assessment, right? You do a vulnerability scan, you validate those findings, you work with the customer to get them fixed. And that's the Pareto principle. That's 80/20. When you move up to a penetration test, now you're not just scanning for vulnerabilities, you're actively exploiting those vulnerabilities for the purposes of demonstrating the proven risk around the exploitation of that vulnerability. Now, that takes a little bit more time, and it also increases the risk for the organization. Finally, you start moving up into, like, red teams, purple teams, and, you know, continuous pen testing. And you're getting into highly specialized and tends-to-be-more-expensive types of testing. But I think a lot of organizations have just got to know what type of test they're looking for. Like, it would be a huge mistake to hire somebody to do a pen test and expect a red team. Pen tests are not stealthy. It's not meant to be stealthy. A lot of times you're using vulnerability scanners and you're brute forcing password authentication because there's a very short period of time associated with. However, when you move to a red team, now you're being a lot more stealthy. That takes more time. That takes more customer, like, customer-bespoke software that you need to create for that particular attack. So I think that that's a really good point, Kelly, that people understand that there's different types of, like, levels associated with the testing. Plus, that's not even talking about web application testing or wireless pen testing or looking at a specific application and doing reverse engineering. So it is very complicated. That's okay. Any firm that you work with should help you kind of navigate that to get to the right thing.
Do we want to hit the last story? Then we'll see.
Brian
Is it a juicy one?
John Strand
It is. HIG Capital and Thoma Bravo are acquiring CompTIA. Oh, boy. Yeah.
Brian
Well, how many people have a CompTIA certification?
John Strand
I think I do. I think I got drunk one night and got one years ago.
Brian
Well, back in the old days, that was really what was available. Or you had your Microsoft 351 certification.
John Strand
Yep. Trying to figure out how much they acquired it for.
Brian
So I think an interesting piece of this story is this is a venture capital firm that acquired CompTIA. And for those of you who don't know what CompTIA is, you know, it's a certification company. But that venture capital firm has a number of technology companies as part of its portfolio. And while I was looking at it, the thing I couldn't figure out is how CompTIA fits in their technology portfolio other than they're trying to go for the training angle. But maybe you guys have a different perspective on it than I do.
John Strand
I think they want those sweet, sweet training dollars. I think you keep having conversations about 750,000 people needing to be trained in information security. And I think that a lot of people. Well, if we can get all those people to pay $10,000 for certification, just think of the billions of dollars that we'll have, and that's what they're going after. And like, the thing that makes me cry about this is, let's be honest, CompTIA had a 501(c). They had a nonprofit organization. Right. That was, you know, nonprofit. And what they're going to do is spin that off. Right. So it's very, very clear that they're not interested in pursuing the mission of CompTIA and trying to be affordable, because CompTIA certs were relatively affordable. Like, people bitched about them all the time. But they were accessible and they were affordable and for that my hat's off to them. But they're spawning or spinning that particular thing off and they're going to be focusing on their library, they're going to be focusing on their certifications, and I think they have how many, 35 million people, 3.5 million people have been certified by CompTIA. That's a lot of people, right? It is government and it isn't a matter of just, yeah, we're going to make money off these certifications, but it's a recurring revenue gain. Right. It's an idea that people are going to have to recertify. It's the people that are going to have to do CPEs, they're going to have to pay dues like CISSP, and that's just an amazing money-making machine. And I can see why private equity and venture funding is after that, because it's there, it makes a lot of money, requires very little overhead. So your profit margins are insane compared to, like, writing a software product. And the likelihood of success is much higher. You have a much better chance of being successful in doing this because there's much lower risk.
The only risk I see with this for Thoma Bravo and HIG is this space is saturated, boys and girls. There are a lot of information security companies out there and there's a lot of information security training companies out there that are doing this affordably, that have a great mission. Right. You know, Antisyphon, for self-promotion. Right. But then you also have, you know, The Cyber Mentor, there's a bunch of people, and now John Hammond security training. They're all about doing affordable security training and they're in that space and they're damn good. Right. And more importantly, moving forward, a lot of these firms haven't taken private equity money. They don't have masters that they have to write massive checks to. They have, you know, it's going to be, I think it's going to be easier to stay nimble and stay small and be effective in this space than to take on the burden of a huge amount of debt associated with private equity with very little return on how they're going to make the product better.
Zach
Yeah, I think, and you hit on the not-for-profit part of it, which is really gross to me, because as long as CompTIA has been around, they've been huge advocates for, quote unquote, creating IT futures and being very, very community involved, or trying to be very community involved.
John Strand
And they've had missteps, right? They've had missteps, but still, hats off.
Zach
Yeah, but so now I look at this as we're going to see another price hike, right? We're going to see another kind of barrier to entry for people who are trying to get into this field, because CompTIA has created such a mammoth in what they do for entry level. You know, people looking to get into IT, now they're just raising that barrier even further. You know, you look at something like Security+, like look at Network+, for instance, like $390, and you can get a CCNA for $320 or something. And that is ridiculous to me, that you have this CompTIA cert that's supposed to be entry level that's more expensive than something like the CCNA, which is ten times more valuable in a marketing sense than the Network+ will ever be.
John Strand
Well, practical as well. Yeah. And Radis brought up the low-cost training is great, but it doesn't have the paper that gets past HR gatekeepers. I want you to know, Radis, there's a bunch of us that are working together, unified, that are competitors, that are desperately going to. We're going to burn that gate down. It's going to happen because it just has to, right? And the idea of trying to maximize profits in this day and age, whenever we're having, you know, conversations about infostealer logs and we're talking about millions of accounts getting compromised, it's like every week something gets hacked. With a million records, it doesn't even really make the news. I mean, that's a really jaded place for everything to be. So, Radis, trust me, there's a number of us in this space that are trying to make it better and we will. Thank you for sucking at capitalism. Just hope we can continue sucking at capitalism. There's a certain level of capitalism that's needed to suck at capitalism. You can suck too much and then you're not sucking at capitalism anymore. You're homeless.
Zach
So, yeah, I worry about the effect on the community for this. It hurts.
John Strand
I do too. It hurts the most because I look at this and then also ISC². People love to shit on the CISSP, right? They do. But the fact is that cert is available for people that have put in the time in IT, whether it's at Geek Squad, whether it's been as a systems admin, whether it's been working at an MSSP, that gate is there. And that piece of paper does get you past the HR people for hiring. I think that's phenomenal. It's one of the things I think that's beautiful about this industry, that you don't necessarily need to have an expensive four-year degree. You can get these cheap certifications and get past HR. Boy, if they start kicking it up like you're talking about, Zach, if they start kicking these certs up to 3, 4, 5, 6, 700 based on, well, the most people are taking this one, let's double the price. Good God. And they're going to go down in flames more than likely. I don't see them being successful. Because what's going to happen is they're going to jack up prices to maximize profits. Then they're going to drive down costs within the organization. They're going to lay off a bunch of people, they're going to make customer service far, far, far and away secondary to maximizing the profits. And they're going to end up killing the brand and it's going to be a slow death. That's what I think is going to happen. And I think that that's going to happen because it happens every goddamn time. So I'm mourning the loss of CompTIA before it happens. We were talking about this the other day. There needs to be a word in English for mourning the loss of something you haven't lost yet.
Zach
Yeah, but you look at the A plus certification right now just for one of the exams because it's two exams. But one of the exam vouchers is $253. You're already paying over $500 for the most basic entry level certification. And it doesn't necessarily relate to what people are seeing from a practical, real world standpoint these days. And that's what's so frustrating about it on a whole nother level.
Brian
Can I interject for a second here? Absolutely. My understanding is there are some school districts that, as part of high school education classes, are teaching and helping. The students can get A+ vouchers as part of their high school education program. Are you familiar with that?
John Strand
Yes.
Zach
CompTIA Spark program, which they're removing.
Brian
CompTIA made that decision, or the investment firm?
Zach
Or that's why I think I read it in an article here somewhere.
John Strand
All we know is it's being removed.
Brian
Yeah, that's bad.
Zach
That's really bad. That's, again, where the community is really going to suffer. And the people who are trying to get into this field, I feel like, are going to have a difficult time. That's where, like John said, I'm thankful that people like Antisyphon and Simply Cyber, The Cyber Mentor, John Hammond are coming in and really teaching people some of these things for free or really cheap, but really giving these people the information they need to be successful.
John Strand
And I see people here communicating, they're like, well, you know, cheap training is cheap bullshit. The people that Zach just talked about, I would put them, and I had a little bit of experience in this, I would put them up against any SANS instructor that's ever walked the planet, other than Josh Wright. Josh is amazing. He will kick all our asses. The man is on another level. But that being said, seriously, if you're looking at the quality behind these people, like you look at Jerry, you look at John, you look at The Cyber Mentor, you look at Antisyphon, that quality is there and it's just that you have people that aren't going for maximizing profits. But if everything goes to hell, as you said, Zach, just everyone please remember that for a brief period of time we had amazing shareholder value and that ultimately is what matters. By the way, I do want to call out. Hakar brought up a great point. Speaking of SANS and, like, Ed Skoudis and people that do a tremendous amount for the community, the SANS Holiday Hack Challenge is live. So please go check that out. Ed is one of those people that's out there doing the shit for free and putting his heart right there for the community. So as Andrew just said, let's hack the planet. Let's hack the Holiday Hack Challenge. So go do it. It's now open. It's awesome. And if you're scared, don't be. It's a really great place to get involved. There's multiple different levels to the challenges now, so there's easy, medium and hard level challenges, which I think is great. And you can also do previous years of Holiday Hack Challenges with full step-by-step walkthroughs as well. So with that, let's take it out. Thank you very much everybody for joining and we will see you all next week.
Zach
Finger, finger.
Podcast Summary: "The Old and The New"
Talkin' About [Infosec] News, Powered by Black Hills Information Security
Release Date: November 15, 2024
In the November 15, 2024 episode titled "The Old and The New" of Talkin' About [Infosec] News, the Black Hills Information Security team navigates through a spectrum of cybersecurity topics, blending technical insights with engaging discussions. This episode covers everything from corporate missteps and software vulnerabilities to significant law enforcement victories and evolving security standards.
The episode kicks off with light-hearted banter about merchandise and an internal debate over the podcast's intro graphics. The hosts discuss whether to stick with the traditional "old finger" graphic or adopt a newer version, ultimately deciding to present both and let listeners decide.
The hosts delve into a recent incident where Mattel pulled thousands of Wicked dolls from shelves. The reason? The packaging mistakenly included the website wicked.com, which Cisco Umbrella’s content filtering erroneously categorized under pornography. This misclassification could lead to both sales issues and parental concerns.
A critical analysis unfolds regarding the compatibility issues between Office applications and CrowdStrike antivirus on Windows 11. The conversation highlights the broader implications for system administrators and questions the reliability of security software updates.
Shifting to positive developments, the team reports the arrest of a suspected Snowflake hacker responsible for breaches at major companies like AT&T and Ticketmaster. The effective action by Canadian law enforcement marks a significant victory in the fight against cybercrime.
The podcast covers Interpol's recent operation that took down 22,000 IP addresses and apprehended 41 individuals involved in generating spear phishing emails using generative AI. This crackdown underscores the growing threat of AI-assisted cyberattacks.
The team explores the dual-edged sword of generative AI in cybersecurity. While AI can bolster defenses, it also enables more sophisticated attacks like deep fakes in phishing schemes. The discussion emphasizes the urgent need for enhanced security awareness training to combat these evolving threats.
A significant policy update is discussed: Google Cloud's requirement for Multi-Factor Authentication (MFA) for all users by 2025. The hosts analyze the potential benefits for security and the challenges it poses for both enterprise and individual users.
The episode delves into the acquisition of CompTIA by venture capital firms HIG Capital and Thoma Bravo. Concerns are raised about potential price hikes and reduced accessibility of CompTIA certifications, which have long been an entry point for many in IT and cybersecurity.
The hosts emphasize the importance of varied penetration testing methodologies, from standard vulnerability scans to advanced red and purple team exercises. They advocate for tailored testing approaches to effectively identify and mitigate security risks.
A discussion on outdated password policies leads to the acknowledgment of recent updates by NIST, advocating for longer and more complex passwords. The team criticizes previous standards for minimal security and praises current improvements as crucial steps forward.
The episode wraps up with an encouragement for listeners to participate in the SANS Holiday Hack Challenge, promoting community involvement and skill enhancement in cybersecurity.
Conclusion:
"The Old and The New" episode offers a comprehensive exploration of current cybersecurity challenges and developments. From corporate missteps and software vulnerabilities to significant law enforcement successes and evolving security standards, the Black Hills Information Security team provides valuable insights for both professionals and enthusiasts in the infosec community. Their balanced approach ensures that listeners are not only informed but also engaged, blending serious discourse with relatable conversations.