Mike (1:11)

Exactly. Like, just mime the panic.

John (1:14)

Not.

Ryan (1:15)

Not.

John (1:15)

Is it.

Ryan (1:15)

You're not.

Alex (1:16)

Yeah.

Ryan (1:16)

Kelly was having mic problems, too, and now Corey's having mic problems. Sorry, Mike.

Corey (1:24)

I'm just a problem child. What can I say?

Mike (1:27)

I think Restream reset stuff again. So.

John (1:33)

There we go.

Ryan (1:34)

We got a Corey now.

Wade (1:35)

I didn't do anything. I just switched inputs. I'm sorry.

Ryan (1:39)

You turned it off and then on again.

Wade (1:41)

I did. I switched to Thunderbolt audio and then I switched back. So here we are. Yay. I'm doing great. I'm. I'm great.

Mike (1:50)

Yeah. I'm just going to blame restream updating to try and get its end of year objectives in first performance review. Well, there's so much. There's so much of that going on at so many companies. They're like, wait, before everybody leaves on break, I need to get this thing done so that I can count it in my 2024 goals.

Wade (2:07)

Is the discord. Did it move again? People are scared.

Ryan (2:10)

Yeah, it keeps moving. Jason just can't help himself.

Wade (2:14)

But it's still under live webcasts and news, and it doesn't change every week. It's just there.

Ryan (2:20)

I don't know. It has changed the past two weeks, every week.

Kelly (2:23)

But I See, just the infosec news on the left hand side.

Wade (2:29)

And it's fairly infosec news that doesn't even exist anymore.

Kelly (2:34)

But Ryan just posted in there today.

Wade (2:37)

Well, I mean, the channel, that's not where the audio is. Yeah, it's called Live Chat News.

Ryan (2:42)

Oh, Live Chat is. Yeah, Live Chat is now. Well, it's called Live Chat also.

Wade (2:48)

Does anyone else have an echo? Why do I have the world's quietest echo? Is it me?

John (2:52)

Did it happen when I just joined?

Ryan (2:54)

No, it might be John.

Wade (2:57)

It was happening before. It was just really hard to hear. Maybe it's me. Wait.

John (3:02)

Yeah. Weird being back.

Wade (3:04)

Okay, it was John. It was all John's fault.

John (3:06)

So let me turn down.

Wade (3:07)

It's good. It's gone now. I don't know if you changed anything, Ryan, but it's gone.

Ryan (3:11)

I didn't. I was pinging Kelly to make sure she knows where we are.

Kelly (3:15)

All right, Kelly's never in the right room when she supposed to be.

John (3:19)

I have that same problem. Kelly. It's all.

Wade (3:21)

There's. Yeah, there's still an infosec news chat, but that's the text for posting the news articles. It's not for hanging out with us and making John read your SQL injection.

Ryan (3:30)

For growing the news articles so we can harvest them for the webcast.

John (3:34)

That should be a better mic on my side.

Ryan (3:36)

It. It sounds better.

Kelly (3:38)

A better mic. Mike.

Corey (3:40)

Hey, finally. I'm better.

Ryan (3:42)

All of us have been searching for a better mic this entire time. So far.

John (3:47)

Hey, Radisson.

Wade (3:48)

No, we haven't.

John (3:49)

Does that sound better?

Wade (3:49)

Raddus, there's a delay. Raddus will be in touch shortly.

John (3:54)

Yeah, but for you guys, does it sound.

Ryan (3:56)

It sounds great.

Kelly (3:57)

You know, when you're. When you're not ranting, you sound quiet.

John (4:01)

I know, I know. Looks like John was getting ready to cut down a tree. I am doing Christmas decorations right after this. We've got. We've got Christmas decorations to do, so I was able to drive home. Are we ready to kick this off?

Wade (4:17)

Always, sir. There's still an echo somehow. But I'll just roll with it. As long as the audience isn't complaining, I'm good.

Ryan (4:23)

I don't hear the echo.

Alex (4:24)

I don't hear an echo.

Corey (4:26)

I don't hear an echo.

Wade (4:27)

It's just me.

Alex (4:28)

It's just you.

Kelly (4:30)

Oh, I heard Wade and didn't see him.

Wade (4:32)

I'm going crazy. That's good to know. I'm so happy about that.

Kelly (4:37)

It was Wade's mustache talking.

Alex (4:39)

That was.

Ryan (4:41)

Oh, look at that. I still Got the old holiday open. Let's go with that one today.

John (4:46)

Oh, hello, and welcome to another edition of Black Hills Information Security. Talking about news. I don't know why the hell I'm kicking this off, because I haven't been here in like a month. It's been travel, it's been Thanksgiving, I've been teaching. It's been crazy. But we got a whole bunch of notable stories. We've got. What is it FBI telling people? Hey, don't use your cell phones anymore. Which, honestly, is probably a really good idea, to be honest with you. We have ASA web VPN vulnerabilities. We've got new rule proposing blocking data brokers from selling data. There's all kinds of stuff going on. Joined by the cast of characters that we normally have. Thanks to all of you for showing up. Folks, which story do we want to start with today? Is anyone. Nothing's particularly ranty for me and I'm all ranted out.

Alex (5:52)

I ranted out.

Wade (5:54)

Can I rant? Who will let me rant for a little bit? Have I been on this show enough? Okay. I want to rant about the SMS thing. I want to rant about the sms.

John (6:03)

Got it. Good one.

Wade (6:04)

Because this is personally impactful to me and I'm curious to get the audience and everyone else's take on this. Does anyone. Has anyone in the last couple months just feel like Android and iOS have failed us and we're all just, who knows what we're sending? I don't know if it's angry enough, Corey. I don't know if it's okay. I'm sorry, I don't know if it's just me, but I'm getting random group threads that I'm not even part of. I'm getting dropped off of other group threads. Every time someone with a pixel replies, it creates another group thread with someone else. It's like this whole RCS SMS thing. I don't know if it's just me, but the text message, it's a disaster. Like, in my opinion, I don't know. Has anyone else experienced this? Like, you're sending texts, you're sending RCS messages, it's switching back and forth. You're getting group threads from people with Androids that shouldn't exist. And I don't know. Is this just me?

Mike (6:54)

Yeah, this isn't a recent thing for me. No, I. Like, I. I was. I've been frustrated with that for. For some time, so I'm surprised you.

Alex (7:02)

Guys still use SMS like I have.

Wade (7:04)

Well, you shouldn't, so The FBI says you don't. Here's what I'm going to do in my group thread with all these people. I'm going to say the FBI says not to use SMS anymore and that'll fix all the problems, obviously, because make friends. I will say I do think what's.

Corey (7:19)

Driven me nuts is getting a message from somebody with an iPhone that is sent rcs, but it's the wrong version of rcs, so to reply to them I have to go to sms, otherwise I get a some Sorry, this is undeliverable.

Wade (7:34)

It's so bad. One of my friends is sending emojis in Italian. I'm not even joking. This is possible. I don't know.

John (7:41)

It's an. It's a spicy meatball.

Wade (7:43)

Yeah, it's like, I don't know, I don't get it. It's terrible. So basically now we have a government recommendation to not use sms and I think this is actually a callback to remember how we Talked about the ISPs and telecoms got hacked by China? I bet you that's related to this. That's just my guess.

Mike (8:02)

It has, it seems to be, yep.

John (8:03)

So there's a couple of like, quick things I want to throw out there. I'm going to start with the first one. So if we get a new story that these telcos have been compromised and now the FBI is saying, hey, how about you don't use unencrypted sms tells me it's not fixed or they're not confident enough that it was fixed. I mean, the story was that they got access to the systems that the United States, the United States government used, or they used whenever the United States government came with a warrant. So they can gain like, holy. And now for the FBI to say, hey, that system that we put in so we could tap all your phones for the courts, it got hacked. So how about you guys just stop using the thing that we were like. There is so many layers to this that are absolutely mortifying. I don't think that we're nearly at the end of this and to be honest, this story tells me that they don't know either.

Corey (8:58)

Last I heard from CISA and I was trying to quickly find the article, the news article from them and I can't quite pull it up yet. They were saying, yes, these were compromised. No, we still have not figured out if we've even ejected them from the networks yet. So you should be using encryption. And then the other day I just saw something say, yes, the FBI says use encryption, but Use it with our backdoors in it only.

John (9:24)

Well, blackfest has the great quote. Blackfest says it has to be bad when the United States government is recommending we use communication tools they cannot actively monitor.

Wade (9:34)

That is so true. That is like the quote of the year right there.

John (9:38)

I keep thinking, you know, we talk about all these hacks and all these things, whether it's Snowflake or whatever. I seriously think that the worst hacks are the hacks that you do not know about or the ones that you do not get your, your head around completely. And this is very much in that category of this is bad. We can't get our head around this completely. And I'm going to throw this out there, and I don't, I don't want this to become a political conversation, but a lot of the management @ CISA is YOLOing out in, like, less than 60 days.

Wade (10:08)

Oh, yeah, Jen's already gone. Jen's already gone.

John (10:11)

What the hell? Like, if we're looking at the investigation, one of the biggest things from an incident response perspective is continuity of leadership, continuity of the leads. Like, all of a sudden, we're blowing all that crap up. And I don't know, I don't want to sound Pollyanna ish on this, but I'm going to, because, hey, what the hell? Like, this is bad. Like, am I the only one that looks at this? And like, when the FBI is saying, hey, you shit, we can't tap and we don't know how bad it is, by the way, they got access to all these telcos. I'm freaking out a little about this. And I know it's not the first time. Like, we had the OMB hack. There's been a number of hacks, but this is right up there. And I think it's right up there because we don't have a full understanding of the extent of just how bad it was, is, and is going to continue to be moving forward.

Corey (10:58)

I would agree with that. I think the scariest thing is, you're right on the nail with that one, John, is the IR continuation over it all and what's going to happen if they're even going to continue with that. There are so many rumors flying around about they're going to cut out cisa, they're going to cut out this, the next administration is going to change things up and shake things up. And when you're in the middle of something this serious that can affect government communications, let alone any other communications, who knows how deep these guys actually are in it really Starts opening up your eyes. And I think us on the know that understand this sort of stuff, it's triple scary. 4. I think with all the breaches that we've had, though, the general public's just like, oh, yeah, it's just another breach. Okay, we'll just do this a little bit and everything's going to be fine. And there's a serious thing without the continuity, that things might not be fine going forward.

John (11:57)

Yeah. And that's the scariest part. And I think, Mike, once again, I don't want to get into politics and I don't want to deal with the moral equivalence. However, if we can take it back a couple of steps, we are at the point right now where we're going into a situation like this where, like this is bad and people are looking at each other in America as though the greatest enemy is the Democrats, the greatest enemy is the Republicans. The great. And seriously, the people that broke into these systems are getting exactly what they effing want. And once again, I don't want to play the moral equivalency game on this, but just like you said, we're going into this, we're losing all of these. We're losing all of these really smart people that are working through this. And I just have this fear that we're getting into a situation where we are going to be fighting each other more than actually dealing with the cyber threats. And seriously, that is exactly what they wanted.

Wade (12:49)

Yeah. And we just need. All we need is a bipartisan incident response team. What could go wrong?

John (12:55)

And okay, guys, I don't know how we're going to get that right. You know, how are we going to make that happen? Everyone's.

Kelly (13:01)

We're going. We're going into the holiday season. What are you going to tell your friends, your family, your church, your PTA group about this? And this is a serious question because you're right, John, we're technical. We mostly understand this. But my mom and dad, they don't understand this. What are we going to tell them?

Mike (13:21)

And I've had that discussion. And Kelly, that was one of the things I was going to say because I've talked to people on what are we going to. What are we going to tell them? How are we going to effectively, like, make encryption. Make encryption sexy again? See, it's one of the things to where whenever you have, like, any sort of huge technology change, people don't care about the benefits for it. Like, I go, okay, when they took away, like, the little, like, actual, like, keyboards on the phone and Made it to touch screens. And all the tech nerds were like, well, this is beneficial. People didn't care. But when you make it like, oh, it's like the hot new thing to have is one of these devices that doesn't have like the little buttons. Okay, cool. People will do that. I like, there was a strategy from Mike Basil for getting people to use encrypted communications. If they reach out to you on encrypted comms, you reply right away. If they reach out to you through unencrypted comms. Yeah, still respond. But they're going to have that noticeable delay and go, oh, hey, if I want to get a hold of John or Kelly or Wade right away, I need to use the signal app that they're, they're talking about. Because otherwise, like, yeah, you're going to sit there and go, all of us on the newscast, we're going to be using encrypted comms. But you're right, like our friends, family, they don't care. They don't care, they don't want to use it. But if they sit there and they go, oh, hey, I missed out on this, this awesome conversation, right? I missed out on like awesome memes because I wasn't on signal, you know, hey, I mean, do that like, you know, have it be that, like, you're great inform, you know, your fun, your fun times are on encrypted communications.

Corey (14:58)

There are two problems that I run into with that Alec, and the problem isn't from our side and our vantage point. Signal limits the amount, the size of files that you could transfer back and forth. And a lot of people will use SMS to transfer pictures, to transfer videos of their kids going back and forth besides posting on things like Facebook, etc. Number two is we've got. There's been a lot of blowback on systems that have been encrypted in the past and probably the biggest one that could be used that could offer it. WhatsApp people are just like, no, it's either they're all in or they're all out. And there's so many of them out there. And then you get things like Apple with their RCS versus SMS and the phone makers wanting to control these things. There's too many choices out there. Choice can be a very good thing. But until we all standardize and make sure that it's got the features that the people want, they're still going to fight back on it. It's not as easily usable for them for doing everything that they necessarily want. Potentially as using sms. And this has been a problem with us trying to get them to not use SMS for two factor authentic authentication. Also it's really easy to go ahead and say yes, just text me the code. And that's better than nothing. But it's not as secure as using an app or using a Fido key. And we're going to now be fighting this on another front with encryption.

Wade (16:26)

I think it's so, I mean you're not wrong. I think it's secure by default. That's basically the world we need to live in. And I think now we have government backing for this. We know CZ is big on this. The future of CZ is unknown. But things need to be secure by default, right? So Apple needs to be, I mean they already did it. But forcing RCS by default or allowing it by default allows encrypted comms by default between Android and iOS. That's an important step for the going back to the like argument for the, you know, regular people, lay people. I think the, this closes the loop on the but why question. You can say, hey family, we're going to use encrypted chats or whatever. And they're going to be like but why? And before the argument was just well, because this and you know, because it's better in security. And like we're sitting here being hackers, being like, you know, hacker stuff. But now we don't say hacker stuff. We say because we know that China is actively monitoring our communications because they've compromised ISPs and we don't know how deeply they are. And like I think that's the answer to the question of but why? And we have a real, it's not just fear mongering. You're no longer a tinfoil hat by saying, well what if China hacked our communications? It's actually documented, we know it's happening. And so to me that's a big push. I don't know, that's just, I think.

Alex (17:45)

A lot of, a lot of here's.

John (17:47)

What I'm going to push the secure by design. I think the whole secure by design thing that this is pushing, pushing is bullshit. I want them to push a completely different angle, right? Because they want to go to Microsoft, they want to go to Google, they want to go to Apple and they want to be. We want to pledge that you guys are going to be secure by design. And there's talk about liability and all that, all bullshit. Don't look into it. That's not going to solve anything. Here's what's going to solve it. Open by design, things are only fragile until they break. If it goes back to Cory Doctorow, the coming war on general purpose computing. And I've been talking about this for years and referencing this, all of these vendors are pushing for closed systems, closed on the phones. Apple's trying to close it on the computer with less, less success. But they're creating these closed systems. And with these closed systems it becomes far more difficult to test. And there's this belief that if it's a closed system, then it's more difficult to test, it's more secure. And that is bullshit. They need to have systems that are more open. I should be able to put in a kernel level debugger on my phone. I should be able to put in a sniffer on my phone. I should be able to intercept any and all the traffic that goes from any app that I pay for and I run on my device on my phone. You want to secure things, open them up, get them as open as you possibly can. So it's general purpose so that people can like start analyzing and they can start looking at all the traffic that's coming and going on their system. They can start looking at the APIs. And it's not a handful of people testing the security of SMS on a semi regular basis that it's very, very limited who can actually do that. And it's a gated community on who open everything up. Because things are only fragile until they break. Right? Yeah. And Wade, Yeah, this is an angry John, sorry about that, but this is one of the things that pisses me off. You have all these people that are like, we need to have secure by design, we need to get. Dude, Microsoft had an initiative back in 2001 that was called the Get Secure, Stay secure initiative. I still have the effing T shirt in my closet somewhere. We've been talking about the secure by design principle for over 23 years. Years. And the only way it actually works is if we open up these things so that people can install. They can get root access on their devices, they can start analyzing their apps, they can start analyzing the communications, break everything, hack all of the things because things are only fragile until they break. That's how you get to some level of security. Because we're not allowed to test the ad delivery systems, we're not allowed to test tons of APIs that these different applications are using. You know that they're riddled, you know that they're wide open and they're gonna have massive security vulnerabilities Open it up. Open by design is secure by design. Things are only fragile till they break. All this other stuff is lip service.

Wade (20:41)

Yeah.

Alex (20:42)

I have something to say about dealing with getting your relatives and stuff like that. Infosec at least wary. Right. And the thing I've done is like slowly, slowly implement. Every time I talk to my parents, I talk about a breach every single time just to get them, like, understanding of what's going on. You guys, like, totally. My parents have a small business, right. They definitely have stuff going on. They know what I do. And it's definitely slowly like gone into their head where they now they use secure apps, right. And this weekend my mom called me frantic because she got an email that one of her systems was logged in via an IP address that wasn't too far away from her, but was very suspicious. Right. It got to the point where I'm walking her through password setups. All this stuff changed. After many, many hours of talking to her, I just installed anydesk and just did it all myself. But what this led to is me realizing that she is just. She's at least thinking about it nowadays. And we implemented MFA on a couple different things. And we. Not just cell phone, right. We implement actual token mfa. And then of course, at the end of it, I go and look at that email and realized it was her IP address that alerted and it just rotated.

Kelly (21:54)

You know what? Wade isn't saying he held the. He held his, the grandchild ransom until she did. Good security.

Alex (22:04)

I wish.

Wade (22:05)

I mean, yeah, I mean, I think, you know, I think John's thing of like open it to secure it is a good. Like, if you're going to thump a drum, I think that's a good drum to thump. The other thing I was going to just throw out there for Kelly is should ISPs, like, in this case we're talking about ISPs getting hacked and people monitoring their communications. That to me ups the risk because if you're in the middle, you have everything like that's unencrypted. You have DNS, you have, you know, whatever protocol someone Forgot to secure 10 years ago. You have access to that. So I guess my question for Kelly is, do you think that ISP should be subject to additional security or government regulations or any like, is there anything we can do so that them specifically are, you know, forced for. Into better security standards or what? What do you think?

Kelly (22:52)

Well, that's actually a great question, Corey. And this is. It's been a debate for a couple of decades. Actually, where do telcos fall in? We talked about the whole section 230. That's. Are you an Internet publisher or not? We had that conversation about Facebook and some of the other social media sites. But exactly where do telcos fall in? There are congresspeople who are advocating that telcos are mission critical utilities that should be regulated as such. But nothing's really come out of Congress because, well, they're, they're busy doing other things.

Wade (23:27)

Do you think this will get them, do you think this will get them fired up? Because I mean it's, it's directly targeting them. I mean we already know that one has reported that some of that.

Kelly (23:36)

I, I hope so. Well, you know, it's funny, that kind of leads into our next article about. Of course, I just forgot it. The consumer, Federal Consumer Bureau.

Corey (23:48)

Oh, the blocking data brokers.

Kelly (23:50)

Yes, thank you. The blocking data brokers.

Wade (23:52)

But Financial Protection Bureau. Cfpb.

Kelly (23:58)

Cfpb. A lot of people are asking what's regulation going to look like under the Trump administration? There's been overtures that there's going to be deregulation across the board. Other people are saying, well, there might be a bit status quo for a little bit, but if you're in compliance like I am, I do think we need to assume that there's going to be a bit of deregulation, especially with the new proposed head of the sec. Remember, the SEC, the last couple of years has been strong on enforcement and cyber controls and cyber disclosures. If we're rolling back regulations, it may be we're going to turn the other cheek with the telcos.

Wade (24:39)

Yeah, yeah. I mean, I think it's, it's tough because it's one of those things. What are they going to do, just turn off the servers? There's not like, there's not. They are. It's like, how did you read this email about regulation if not for the ISP itself? Right. Like it's, it's really tough to shut that off or backtrack it or like, you know, it's, it's an existing long standing thing and it's become critical infrastructure. I think. So I do think it's crazy that they're not regulated like critical infrastructure. But.

John (25:07)

Well, whenever you're talking about like data brokers, I keep saying this, like, seriously, all you have to do is take that, that information, that pii, you classify it as phi and then you put HIPAA regulations on top of it and it has to be treated with that same level of rigor because you know, you get someone's browsing history. You get someone's ad history, you get someone's. Actually, just their browser history is enough. That is something that should be treated as phi. It should be.

Wade (25:36)

Every company on the planet has to be HIPAA certified and HIPAA compliant.

John (25:40)

Hell yeah. Yeah. And then all of a sudden their business models start blowing it up. And all of a sudden they can't be making money on targeted ads. And all of a sudden they can't be running AI algorithms to manipulate you as much as they. They do now to try to keep you on a website as long as possible. Yeah, a lot of shit's got to change real quick. I agree with Kelly.

Wade (25:58)

I mean, yeah, it would shove. It would destroy a lot of. I mean, imagine Black Hills information security. We would have to be HIPAA compliant and it would be terrible. Don't get me wrong, it would be.

John (26:10)

Great, but it would shove a lot of small metrics. Well, wait a minute. Okay, yeah, we do.

Wade (26:16)

Yeah, we do. You have my phone number and a spreadsheet. So we have to be HIPAA compliant.

Alex (26:21)

Yeah, but whenever you talk about it.

John (26:23)

You don't have to sell that data.

Wade (26:25)

Go, Kelly.

Ryan (26:26)

Go.

Wade (26:26)

Go, Kelly.

Kelly (26:27)

Okay, so Kelly gets ranty for a second here. There's no such thing as HIPAA certified, so let's scratch that from our vocabulary.

Wade (26:35)

Well, then why is it on this website that I just submitted all too. I'm just kidding. I'm just kidding.

Kelly (26:42)

HIPAA is really. Remember HIPAA is meant to cover. Cover covered entities and business associates. Unless Black Hills defines ourselves as a covered entity or a business associate who. Who gives a crap about hipaa, quite frankly? And honestly, there's talk of a revamping of HIPAA well before the administration change of actually making HIPAA a bit more specific and technical control base instead of, hey, you should do these good things. Yeah, but if somebody tells me they do hipaa, I'm honestly really not that impressed.

Wade (27:17)

Well, I mean, yeah, that's. That's a good point. I like.

John (27:20)

But if you all of a sudden say that all of the information that's being tracked in Google for ads and Amazon for ads and Facebook for ads is covered under Phi, that's going to change their behavior in the way that they handle it.

Wade (27:33)

Yeah, but it would also ruin the business model for a lot of free products that people probably like. Like, it would basically force everyone to pay for everything. I will say, on the whole, like, compliance regulation, we have seen some state regulations that specifically do apply to data brokers. You know, like Oregon, where I live, has One California has one that basically requires them to do certain things and not store certain things. So I do think that a national framework for that would probably be useful to say not, you know, let's go a little bit less broad than every company, every ad based revenue model is now doesn't exist. Let's say every data broker has to comply with these things and we talked about this when national public data got breached. You know These just like ISPs, these data brokers have access to and control over data that is hugely damaging to every American or every citizen that they cover. So having special regulations that apply to them or special requirements for them to not get breached a lot would be cool on that.

John (28:36)

Corey, hold on, I got a question. So on that, do you think in that scenario, and Kelly too, would it be better to move from a compliance framework to an accountability framework? And I bring that up because people were like bringing up again and again the concepts of GDPR and gdpr. There is no like here's how your GDPR compliant. It's literally an accountability framework. If you get compromised, these are what the fines actually look like.

Wade (29:01)

I mean I think, yeah, I totally get that's a good thing to think about and I will say like it kind of dovetails into our next article about vodka. But I think, I think the problem, part of the problem is like these, these data brokers are kind of fly by night and small and if they got slapped with accountability they would just say all right, bye, peace, we're gone.

Mike (29:21)

That's the frustration with, with data brokers and getting your stuff cleaned up is you get it taken down and then it's just a whack a mole for. It's like oh well it's back up to where it's just sort of like well I, I told BHI as to take it down but it's like well this is B H I D. It's different. Like we're completely different entity and we're absolutely compliant with this. But if there was some sort of accountability being like no, this data has been marked by the owner which should be the individual as I don't want this out there among the data brokers. If you are a data broker and you get to see something, I'm just coming up with like a, I'm just spitballing here but if you come across something that is tagged as the no, this needs to be, this needs to be scrubbed totally then you shouldn't have it.

Wade (30:12)

That's a great idea. A central kind of database or whatever I mean this is, I can't believe I'm about to say this, but a central like registry for who's allowed to have data and who's like, it's like, I mean again, it's almost out of here. It's, it's almost like we have this, you know, list of approved data brokers or you know, that kind of thing of like here are. And then those have to be. If you're a data broker you have to be compliant with takedown requests. You know, it's the same thing we're.

Kelly (30:37)

In with says the king of info stealers.

Wade (30:41)

Can I just.

Corey (30:42)

I mean I think honestly while we've got some really good ideas thrown out here, I don't think making them regulations through some three letter agency in the government or some department in the government is going to be the final answer because there's too much that can take that away at this point in time. And we've seen that with different regulations. Overall, I think honestly what we need to do is get an act of Congress, an actual law on the books that's not so easily removed for even the companies themselves to get give a hoot about.

John (31:16)

I want to. Mike, if you're talking about regulation, the same problem exists for laws. So I'm going to ask again. Do you think we need to move away from compliance and here's the rules to accountability where we don't necessarily care what you're doing to secure your environment but if you get compromised, these are the levels and these are the percentages that you're going to be held accountable to. Because I mean I feel like sometimes, and I really do feel this way about a lot of compliance frameworks that so many organizations treat it as a minimum. Like oh no, no, we're fine, we did our due diligence because we met the minimum. But that was never the goal of a lot of these different compliance frameworks. And if we just move to an accountability framework is like y'all do what you want to do but we're going to hit a solid percentage if you get compromised and we found that you were deficient. Is that better?

Wade (32:09)

I think it is a little better. I mean I think if you have to choose. But I will say the problem is the data is already lost, the impact is completely unmitigated. It's just like it's, I mean I guess you do have cases of like a T mobile that just gets breached every year on the year and there's like nothing's ever going to change about it. Maybe, maybe it would prevent that type of thing from happening. I think at the very least it'd be better than nothing.

John (32:33)

And that's what we're trying to change. Right. Like if an incident happens, you're right, cows are out of the barn. That's tough. But what we're trying to do is change behavior of organizations before these breaches occur.

Wade (32:43)

Yeah.

John (32:43)

And what is the thing that we can do in this industry that the government can do to be able to effectively impact and change behaviors for the better? And I feel like we keep coming back to compliance frameworks and every state tries that. Like Florida's, you know, critical infrastructure compliance framework. It's like, right, that's not, that's not a solution. Passing laws, I don't think that's a solution. Right. And I keep wondering, and maybe people in Europe know better. Does GDPR have a positive impact on organizations in Europe?

Wade (33:15)

A lot of pop ups about cookies. That's all we know.

John (33:17)

That's all that we see. Right. That's all, that's the GDPR means annoying pop ups on websites.

Wade (33:23)

True.

Mike (33:25)

I think the accountability framework would help for organization, but not for like these small like flyby nights. It's even like the similar thing with ransomware is, you see, you know, places that are even supposed to be HIPAA compliant going, you know what, like if we get, if we get ransomware, I guess I'm just going to shut down my chiropractic's office and start up a new one like that. Just take the server, put it in the garbage and go. You know, it's same type of thing if you get hit with accountability. He goes, oh, well, I guess we're just going to shut it down and spin it up somewhere else. But for, for large organizations where they go, okay, well we can't really just like, you know, you know, you know, take down Delta and rename it like Echo or Foxtrot. Yeah, you can't just rebuild it like that. You go, okay, well their accountability stings. But yeah, like the, you know, your local car dealership that goes, oh yeah, we still have your driver's license floating around that we scanned from that time you took a Test drive like 18 years years ago and droning drone and.

John (34:25)

Had a drone and had a comment. I feel like that kind of structure would discourage reporting and attempt to hide it. I, I disagree with that. I, I, and that's kind of came up, you know, Alex, from what you're talking about there too, it's not like we live in a wonderful world where everyone wants to disclose when they've been breached. Right. There's already a tremendous amount of organizations that try to hide it. I guess we're going to have to switch to another topic.

Wade (34:51)

Well, okay. Kelly, what were you going to say?

John (34:54)

We failed. Sorry.

Kelly (34:56)

We did.

Wade (34:57)

Kelly, what were you going to say about GDPR?

Kelly (34:59)

I have two little things on GDPR, Mr. Strand. Number one, GDPR introduced Americans to the concept that information about me is my person and belongs to me. My eye color, my hair color. So that was one thing I think has been successful with gdpr. Remember, GDPR was spun out of Nazi Germany in understanding those defining attributes of ethnicity. I can't even say it. Ethnic background. Yes. Thank you.

John (35:31)

And second of all, I got one for pronunciation. It's John 1 Kelly 100 for those of you keeping track at home, this is a great day for me.

Kelly (35:44)

Secondly, we have the ccpa, cpra, the California Consumer Protection regulations when it comes to privacy. So the whole California approach to privacy was influenced very much by gdpr. So perhaps organizationally, maybe it didn't make somebody's job easier, but it introduced the concept of privacy into the United States more frequently to organizations. And I think it started the snowball rolling.

Wade (36:14)

Yeah. One, I do want, I have. I mean, that's a really good point. The other, before we talk about vodka, there was one kind of last final follow up thing I wanted to throw in there on this discussion, which is I think we just need to live in a world where we know that the public impact of a breach is functionally zero. Like there's the public disclosure of a breach from, you know, public relations and, you know, hit to reputation and all that is, I think basically from a risk perspective, zero. Like that. We just have to the whole like, yes, companies still try to hide it. Yes, it looks bad. But we live in a world where functionally every company has been breached one way or the other, whether it was a third party supply chain, one of their employees. Like, breaches are not a yes or no thing. It's not like someone could come to me and say, hey, you're a security expert. What bank can I use that would never be breached? Because they've never been breached. I'd be like, well, I mean, honestly, I don't have a good answer for you. Because the ISPs are breached, all the healthcare processing companies are breached. All the breached. Yeah, Telcos are. Yeah. If a telco is breached, then it doesn't matter what company's breach because the century. So basically I think we just need to live in A post public impact from a breach world. We need to say the this care the stick of well you're bad and you have to publicly disclose. This is not a stick, that's just a fact. So we just need to move on and say we need other consequences for organizations that are material and relevant. What I mean we see with ransomware companies are hugely impacted and pay because they have to, because they can't get their stuff back versus if this is data leakage they're like eh, we'll notify.

Alex (37:52)

I just say annual revenue based fines. How much you making? That's how much you're gonna pay.

John (37:57)

Yeah, I want to argue with you, I want to disagree with you. I can't. I mean I.

Wade (38:04)

No, you can. Don't worry.

John (38:06)

I know and I love taking contrarian positions but you know, one of Kelly and I's friends, David Rice had a really great book. Can't remember it wasn't Freakonomics, that's a different book, but it was a play on that. Geekonomics. No, Geekonomics, the Real Software Security. He tried to make an argument that there was a cost of insecure software and there was a cost of these things. And I think it was very well researched. He's one of the smartest people I've ever met. I think he was wrong. I think Corey was right. When you look at stock price, look at all of these different things, like what are the incentives of trying to do good security? And seriously, I mean we joke about it all the time now, but getting a CISO is just basically for many organizations. Like you're going to be the guy that's going to take the fall when the hack happens.

Wade (38:53)

Yes.

John (38:54)

That's your job.

Wade (38:55)

What's my purpose?

John (38:56)

Taking the fall during a breach. Oh God.

Wade (38:59)

Okay. But, okay, this is so this is the perfect segue. So I, and this is again, I keep saying we're going to talk about vodka. Let's push that one one further into the future because I actually want to get everyone's temperature on this. We've already talked. All right. This has been talked to death in the public news. But talking about the United Healthcare CEO, does anyone see a connection between cybersecurity and this? Is this like, is this a potential impact? Like I don't know, maybe I'm just. No, you don't think it has any.

Alex (39:29)

They took all the. About all the what? All of the healthcare people took all their about mes off their website. Like I think maybe there's some intersection.

John (39:38)

But I, I will, I will say that the. The thing that I see is a. As a similarity in this is I hate it whenever something in computer security happens and everyone tries to turn it into a DN versus our thing. And I see that here, right, where people are like, oh, well, these liberals are celebrating that this. This guy was shot. And, like, liberals are like, no, no, no, no, no. There's lots of conservatives that are. That are celebrating that. And it became a political issue when the fact is a dude was killed. That is tragic. It is absolutely tragic that healthcare is so fundamentally broken that they're literally creating AI programs to automatically deny claims. There's so much tragedy here. And the only thing I see as a similarity into it is I hate it whenever people use this as leverage to try to attack each other. Like, you talk about Thanksgiving and Christmas.

Wade (40:31)

Right.

John (40:31)

I hate it whenever people are talking about computer security and they're like, well, that's all Barack Obama's fault, or this is Trump's fault. It's like, oh, Jesus Christ. And we can't get past that. And I think that that's the similarity that we see on this is. It's just. It's being weaponized. And I hate that it doesn't allow us to solve the fundamental problems.

Wade (40:53)

Yeah. I think it's just a bunch of news articles were typed before the thing happened.

John (40:59)

They're just ready to. It's.

Wade (41:00)

They were ready to go. Yeah. Because if you think about it, it's like the straw that breaks the camel's back. These are how, you know, what is the straw that breaks the camel's back? Well, it's defined, like, by a moment like this. Or maybe this is, you know, who knows how it will plan out in the future? But, yeah, I mean, yeah, I don't think there's a security impact. But I will say, when we talk about scapegoats, we talk about risk. I mean, I don't think we've ever seen an example of, like, someone being physical, having physical reprisal against them because of a breach. But when we start talking about scapegoats and things, it gets a little bit sketchy of, like, if, let's say you are the chief security officer of a company who got breached and that breach led to some huge personal impact for someone. I mean, you got to be thinking about that kind of thing, right? Like, you got to be worried about that kind of thing.

John (41:45)

So here's something that does concern me. I'm willing to bet that more organizations are spending more money on personal security for their executives than they would Spend on increasing security if they were per.

Mike (41:57)

Reached.

John (41:58)

Yeah, like seeing this happen. This executive gets shot down and somebody mentioned he's got kids, he's got a spouse. And yes, I completely disagree with what he, what he did at United Healthcare. But shooting someone down in their front of their house, not cool. It's got, it's gut wrenching. But all of a sudden now you cannot find bodyguards. All of a sudden now you cannot get personal protection for executives. And I really wish to God that organizations would react the same way about cybersecurity whenever somebody gets compromised and react in that type of visceral way to protect their organizations. And Brian, time traveling nerdherder, nailed it. Absolutely. Kinetic attacks always hit harder. This is a much more relatable attack, I think to executives and I don't know, it's. Once again, it's a tragic thing and I really wish it wasn't politicized at all.

Wade (42:55)

All right, let's talk about vodka going forward.

Corey (42:57)

We should all take a shot of vodka after all that bad news and we'll have stolen. Oh, we can't.

Wade (43:03)

I have bad news for you. I have more bad news. This is kind of a. So I mean, basically the news is that Stoli, which is a Russian affiliated vodka brand but also has a US business, has announced that they're shutting down operations in the U.S. i think probably this is a little bit of meh, throw in the towel kind of COVID style. Like, this is bad, we're just going to give up. But it is related specifically to and data breach and ransomware attack. So essentially they took the ransomware, took down their erp, which for those that don't know, ERP is Enterprise Resource Planning, which is basically how much vodka do we send to New York City to accommodate for someone getting assassinated? So like that, you know, planning resource is a business critical asset for this company. And instead of figuring out how to restore it or pay the ransom or, you know, they just didn't have backups. They're just saying we're done. So this is, this is rare. Actually, it reads like they were already.

Mike (44:04)

On their back foot though, because they.

Alex (44:05)

Had, they definitely were.

Mike (44:07)

That were seized by, by Russia. So it's just sort of like if you're, if you're trying to make do with what remains and then what remains gets ransomed, you're sort of like, well, I, I guess, yeah, I guess they're gonna take the ransomware punch in the head. So they were still.

Alex (44:23)

The crazy part is though, they were still worth over a hundred Million dollars. Right. And they defaulted on $78 million worth of debt due to this ERP system failing, which I would say, like someone that big failing due to a ransomware hack is pretty crazy.

Wade (44:39)

I've seen it before, but never can.

John (44:41)

We point to these guys and see, like, See, this is. This is why this matters. You should.

Wade (44:45)

Yes, totally. I would say it's the same thing as the FBI saying no more sms, but for ransomware.

John (44:49)

Yeah, I would say that. But this Bronwyn brought up, ransomware kills about 60% of the small businesses that get hit. The difference is they're not in the news.

Wade (44:59)

No. And they don't make Stoli and they don't make Stol.

John (45:03)

Right.

Alex (45:03)

The second half of this article was pretty interesting where I didn't realize all the drama behind the Stoli and the Russian part where the actual, like, president actually had to flee Russia in the 2000s and become a UK citizen. That was pretty cool.

John (45:17)

Yeah.

Wade (45:17)

Yeah.

John (45:18)

Just a. Just a crazy story.

Wade (45:21)

Yeah.

Kelly (45:22)

I have one other thing to that. This isn't the first time where we were dealing with nation states and taking over alcohol industries. There's a.

John (45:31)

There's a great book about proud history in the hacking community. Okay.

Kelly (45:36)

For those of you who like a good read and it's Christmas time, you might have a little extra time on your hands. There's a great book about the Cuban government taking over. What's the name? One that starts with Ardis taking over most of the Bacardi family's assets and land. So this isn't something that's new.

Alex (45:57)

Is that what happened to 151Bacardi?

Kelly (46:00)

No, I caught on fire.

John (46:03)

There's another situation. Not necessarily ransomware, but I remember when the fires were hitting California's wine country really hard, there was a fake email that went out, I think from Jackson Family Wines. Not from them, but somebody pretending to be them, saying, we need to raise money for all of these people that have lost so much. And it was all fake. And that was. That was a pretty scary attack because there was a significant amount of money that the attackers were able to pull that down. So there's. There's another alcohol one. But once again, they weren't compromised. It was just somebody faking and saying, hey, on our behalf, let's. Let's help out all the farmers. And it was just. Just a way of getting money, so.

Wade (46:40)

And I'm going to go ahead and publish this. EBay listening. Or listening for a bottle of Stoli for $6 million, hopefully. So, yeah. No. So another Follow up. So the UK health service, NHS stuff, they're also still following up on cyber attacks, trying to get battle or it says, you know the articles, the register, British hospitals hit by cyber attacks are still battling. So I mean this is another example of like ransomware stuff. They were attacked last week and they like their, you know, the intrusion hasn't been claimed. They're still trying to restore services, you know, a week later. So obviously in vodka you might have a week or a few weeks or a while but in healthcare you don't have that. You might only have hours or minutes sometimes. So I think, you know, it's not just you know, funny vodka stuff, it's also, you know, healthcare. And we found out last year with the whole change healthcare thing like a lot of these systems are vulnerable to, you know, knock on effects of ransomware.

Kelly (47:44)

Okay, time to get ranty again. Organizations that deal with ransomware now I will make the caveat. There's relatively unsophisticated ransomware and there's very sophisticated ransomware. Some of these ransomware attacks are happening because they're missing very good basic cybersecurity hygiene. And when you look at companies and you ask them, can you give me an inventory of the IP devices you have on your network and the software that they're running? So many companies, big ones all the way down to little mom and pop say meh, I don't have time to do that, I don't have the tools to do that. And at that point I have to say that's B.S. um, I really do believe if we would take cybersecurity hygiene a bit more seriously, these ransomware attacks would dip. John, fight me on this.

John (48:32)

I'm not gonna fight you on that.

Wade (48:33)

I. Yeah, I, the only thing I will say is that I do think I've been reading this book about ransomware called. It's about the ransomware hunting team which is like the people that they mostly focus on like consumer based ransomware but they like decrypted and give out the keys. But anyway, I think ransomware is currently the most, I mean I know we talk about b business email compromises being profitable for threat actors too but I do think like apts have really shifted towards ransomware models for like I think back in the day you could have a basic hygiene and get away with surviving a ransomware attack. But I think nowadays threat actors are so advanced on the apt side deploying ransomware that like by the time they deploy it, they're so deeply embedded, they're so like I Mean, you're not wrong that like, you know, you can, it's not like it's an unstoppable attack. But I will say that like some of these types of organizations that are deploying these ransomwares are really, really advanced compared to what we were seeing maybe five years ago.

John (49:34)

But yeah. Anyway, I got into a Reddit argument on this and I shouldn't have.

Alex (49:41)

I'm surprised they let you back on there.

John (49:42)

That's what Reddit is for, John, techniques. And I'm like, the attackers will use any and all techniques at their disposal that you present to them. If you have a vulnerability, they're going to go after it. And somebody's like, no, they just use a handful of techniques and they move on. Like, that was true a few years ago.

Alex (49:58)

I'll fight, I'll fight you on that. I'll fight you on that. So yeah, they may use the same, they may use any tactic, but the moment you get them to step out of their confidence and their SOPs, right, they're more likely to make a mistake.

John (50:13)

Oh, I agree. And then you're more likely to shot Statistician184.

Alex (50:20)

No, I actually took your cyber deception class and it actually says the moment an apt gets off their Runway, they are more likely to make a mistake and think they're being watched.

Mike (50:31)

I was going to cite John's, John's Cyber deception. They don't want to get caught. So yeah, you get them off normal Runway, they go, yeah.

John (50:42)

Whenever you're talking about a threat actor, that's a nation state threat actor, it's don't get caught for the people that are just spraying and praying, they don't give a shit if they get caught, they're just going to move down the line to another organization. So, and that, that brings up another point, Corey. You know, we spent a lot of time about ransomware business, email compromise. And one of the big concerns I have is there's really like two big things happening in the industry right now. You have the ransomware stuff that's very much on the surface. It's what people see. It's loss of money, it's hospitals getting locked out and then you have telcos getting breached and then you have solarwinds and you have these attacks by advanced APTs that are under the surface for an extended period of time. And I really wonder, are we focusing too much on the ransomware, Too little on the ransomware, Right amount on the ransomware versus like these really nasty nation state apts that want to stay persistent Because a ransomware group is not an advanced persistent threat. Their goal is not to persist.

Wade (51:45)

I would disagree. I would actually disagree base especially based on this book and just general like I think so old school ransomware, once they get caught, they just drop ransomware. But I will see like we have seen ransomware threat actors. So let me like distill this into a couple of points that are actually more approachable. Number one, ransomware isn't just about disabling and encrypting systems and files anymore. It's about extortion. And when you're doing extortion type ransomware, you have to ensure that you've captured enough data that they're willing to pay. That requires persistence. You can't just get in, dump the FTP server and say check out these six updates for Ubuntu server. You got to pay us $10 million. Like you have to go deep enough to get their Crown jewels, their CEOs, emails, corruption related stuff or you know, stuff that shouldn't be public at all or that they're willing to pay. So I do think that requires persistence. It requires an embedded threat actor in a network for a long period of time, moving laterally, elevating privileges, getting access to everything and then extorting them based on.

John (52:49)

Finally I can, I want to disagree with you. Like you and Kelly have just been on point today, but whenever you're looking at ransomware, the fact that you're going to ransom at some point completely destroys the argument of persistence. There's some level of persistence that always has to exist for any threat actor. But whenever you're talking about apts at the nation state level, they have no desire whatsoever to ever let the victim know that they're in their network, right? You want to stay inside of their ODA loop, you want to stay undetected, you want to continue to siphon data off of that environment as long as you possibly can. The goal of an APT is to dwell as long as possible. And I think that's a fundamentally different thing than a ransomware group that's fair. I think it's their date is to announce themselves. The end state of a true APT nation state actor is to not announce themselves.

Wade (53:44)

So here's a point.

Corey (53:46)

Yeah, here's a question, here's a question for you then. What if, and this is just conjecture on at this point in time, although it wouldn't surprise me if this was true, in some instances, some of these ransomware groups are being used as the front cover for the APT group for the actual apt, it's, look at us here. See what we're doing with this hand while this hand over here is sneaking past five other things. And you're not watching that because you're watching that ransomware group.

John (54:17)

You know, I used to wonder that. And when we're working incidents, I don't see that. Right. Like usually whenever a ransomware group announces itself, they've got hooks deep in the organization.

Wade (54:29)

Yes.

John (54:29)

And you're bringing in Mandiant, you're bringing in bhis, you're bringing in these large firms that can come in and actually root the attacker out. A lot of these, like if you're talking about an APT group, they don't want that attention at all. Where I think it's more applicable to what you're talking about Mike, is infostealers. And I think that that's where you have like a lot of these groups running info stealers and APTs are buying that level of access and riding on top of it. I think that that would be more, more in line with what you're talking about.

Wade (54:59)

I mean, I guess what I would say is my response to both Mike and John here is like I don't think there's a super clear definition of what an APT is. I will say John's definition, John's definition of it is I think the most specific and accurate definition of it. And I actually wish that it was more of an industry. I mean maybe there is a definition, I'm just not personally aware of it. But, but I do think it's an interesting concept to say, well if it's an apt, that means that they're never going to announce the leak. Which that's, I think probably like from John's perspective, that's accurate. It's true. But I think when organizations, like if you went to the average CISO and said what's an apt? I don't think they would be aware of that differentiation of like an APT does this and a ransomware does this. So I would basically say like we're talking about a company like if I went to a CISO and said are you prepared to defend against an apt? And I don't think they would be aware of that distinction. And I think that like the general defense when you're talking in the industry of an APT is like just someone who's better than a script kitty basically. So maybe there isn't really a definition for that. It's like an advanced non persistent threat. But I do think that there's a difference between your employee gets rent Somewhere from something that Windows Defender should have blocked, and an organization spends six months compromising every one of your servers, taking down your backups, and then asking for $60 million or whatever. I do. I don't know how we differentiate that from a terminology perspective. I'm curious, Kelly. I'm curious if Kelly has any takes on that. Like, terminology wise, what's up there with an apt, but isn't persistent to the level of never announcing? Like, what is that? Just advanced ransomware? I don't know.

Kelly (56:42)

I honestly don't know, Corey. But if you recommend me to head sissa, I'll make that a top priority.

John (56:52)

Dude, I gotta be honest.

Wade (56:53)

You would be great.

John (56:54)

I would. So can we start a campaign to get Kelly in charge of cissa?

Wade (57:00)

Here's the thing, John. I actually like Kelly, and I don't want to throw her under the bus.

John (57:04)

So I think she would rock it. I think, you know. Yeah, yeah. We begin we be getting some infosec metrics out of organizations that we desperately need.

Wade (57:13)

Yeah.

Kelly (57:14)

Well, Corey, let me truly answer your question. You know, when we've got terms like this that we don't really know how to define or multiple people define it differently, I personally will default to how NIST defines something because we have so many frameworks and regulations based on what start somewhere. Yeah, that's where I would go. And I don't think they've defined advanced. Advanced. Persistent. Persistent.

John (57:40)

APT squared.

Wade (57:42)

APT squared. Yeah. I don't know. I think it's. Obviously terminology gets into a kind of pedantic discussion about what means this, what means that. But I do think, like, ransomware is so vast of a world and has such a different level of. It hits hard. Depending on the threat actor, it can hit almost as hard as an apt or even harder. So it's a kind of a.

Alex (58:06)

Some of them. Some of them are apt. Right. Like, the other thing to think is ransomware of North Korea compared to ransomware operators with ransomware as a service, like different. Completely different games, right?

John (58:17)

Yeah.

Wade (58:17)

Yeah. I don't know. Anyway, I got.

John (58:19)

I got one thing I want to hit real quick. You know, we were talking about the CEO getting shot, and there were some people that are like, oh, you're mourning this person. Do you not care about the thousands of people that they killed for denying claims? No, that's not what I meant. And I didn't want it to come across that way or insensitive to all those people. But here's what is my concern. Whenever you're dealing with political violence, if you live in a society that does not have the conversations around things like personal freedom. If you do not live in a society that has conversations around healthcare and what is good healthcare and what is happening with the society, universal healthcare, and have healthy conversations around those topics, eventually the conversation will elevate to the point of violence. And that is my concern. Because if you look at almost any society where the conversation devolves from having a conversation into actual violence, it never ends well and it should never be celebrated. And it doesn't mean that I'm like, oh no, you know, this life means more than those lives. It doesn't mean that at all. Just I'm terrified about what's to come. So please understand that, you know, whenever we're looking at here, I'm not trying to diminish the conversation of healthcare and how broken it is in this country. I just want to point out that it's really, really effing scary that we're at the point where the conversations that are going to be had on political discourse around this involve violence as part of the possible solution sets for these groups. And it's never going to be a good thing. So that's my take on it. I just wanted to clarify that because there were some people calling it out and they're like, oh, no, you don't care about the thousands of people. No, no, I care deeply about those people. But shooting down a CEO is not saving any of them. So that's. That's my main concern. So must be conversation to actual action.

Wade (60:12)

Yeah.

Alex (60:12)

Any final before we end the DMAs are this weekend.

Wade (60:19)

Oh, yeah, we have. Yeah, we have our friends, Ryan and Rouse.

John (60:26)

Is voting closed, I thought.

Alex (60:28)

Yeah, I think it closed a while ago.

John (60:30)

We can't get any votes for Jerry.

Wade (60:32)

And No, we, we will have a couple. They invited us to the whatever awards dinner or whatever. So hopefully Ryan and Ralph will be there to congratulate Jerry on his win.

John (60:43)

But I think Jason Blanchard is going to be there. He said he's going to be there in his finest BHIS T shirt. Oh, holy God damn. A CEO defending other CEOs. See, this is just like. That hurts, man.

Wade (60:57)

I mean, he's not wrong, but I will say I do. Okay. He's not technically wrong, but I will say I do agree with. I mean, the whole, it's the whole eye for an eye makes a world blind, you know, kind of vibe, which is. I agree with. I mean, like, like you can't. You're right. He didn't bring anyone back. He didn't you know, that person didn't. Yeah.

John (61:16)

And there's so many layers on this. Right. How many people were shot in the United States the exact same day that the CEO was shot? And were there as many resources dedicated to solving those crimes as the CEO being shot? That's.

Wade (61:28)

I mean, I will say. I don't. Yeah. I mean, yeah, there's a lot. I mean, obviously this is a tough issue, but in general, I think we can all agree. I mean, it's the same thing with political violence against Donald Trump. It's like whether you. Whatever your political aisle is, we can all agree that, like, we probably shouldn't have politicians being assassinated just as a general rule. Right. That's like.

John (61:47)

Because that leads to bad things. So.

Wade (61:50)

Yeah. So, Yeah. I mean, anyway. But it is. It's a funny take, though. Yeah. Also, John, just so everyone knows, John doesn't see himself as the CEO of anything.

John (61:59)

I'm.

Wade (62:00)

That the label that you applied to John, it doesn't say CEO in his email signature.

John (62:03)

So you could argue that I do that to protect myself from the eventual revolution, to keep me from getting shoved against.

Wade (62:09)

Is that like asking the AI to please and thank you so that you don't get killed?

John (62:13)

Yeah, it's like, no, no, no. I'm one of the cool ones against the wall. Oh, God.

Wade (62:20)

Yeah.

John (62:20)

I just hope we can avoid all of this. What is that quote from Red October? The stuff's going to be get out of hand and hopefully we all survive it on the other side.

Wade (62:28)

Yep.

John (62:29)

Just paraphrasing that back down.

Kelly (62:31)

So, all right, so the takeaway from all of this is the Cell Typhoon using sms. Tell your friends, your family, your loved ones about using Signal or your other.

Wade (62:42)

Appropriate apps, iMessage, Facebook Messenger, WhatsApp. I mean, I can't believe I'm recommending WhatsApp. Or is WhatsApp and then what's. Actually, dude, you go over.

John (62:51)

They don't even know, like the idea, like, literally their phones are just a Device for running WhatsApp.

Wade (62:57)

Is it end to end? I feel like it is.

John (62:59)

I thought it's supposed to.

Corey (63:01)

It's supposed to.

John (63:02)

Okay, so, yeah, wondering like, we're doing all of this. It's like everyone use signal and the Chinese are just like, excellent, excellent.

Wade (63:09)

Yeah. Well, okay, that's funny. I. I will say, like, this does get into. It's like you were mentioning the capitalizing on the fires. Right? Like, what we don't want is like, check out this new chat app that's super secure from Salt Typhoon.

John (63:24)

Yeah, it's called.

Wade (63:25)

It's just called, like, Stop Salt Typhoon with, like, a big X. And that's the chat app. No, something better than texting is what we need anyway.

John (63:33)

I swear to God, this is like, just leaves me, like, this is another one of those episodes where I think that we should rename our podcast to be Emo Sac. Just nothing but negative bad news. We should dress in black, get black eyeliner, and I can.

Alex (63:46)

There was no good stunt hacks.

John (63:48)

There was no good stuff today. Like, it was just a bad one. All right, let's wrap it up. Bring out True John.

Kelly (63:54)

There was. There was.

Wade (63:55)

Kelly's going to be running the scissor. So that's a good news.

John (63:58)

That would be fantastic news. Let's make that happen.

Kelly (64:01)

The. Okay, Corey, what was it? The Consumer Finance Bureau.

Wade (64:06)

Zero Financial Protection Bureau. Potential potentially throwing regulations on data brokers.

Kelly (64:12)

Yes, there's a little bit of good news there.

Wade (64:15)

Okay. We could also do a last little closeout that the Scattered Spider threat actor had bad OPSEC and got caught and now he's going to jail probably. I mean, that's a little bit of a feel good. All right, bye.