John
Boop.
Kelly
Well, hi, guys. Good to see you.
Corey
It's good to be seen. I hope everybody has been staying well out of the weather. That's been crazy. Is everything all over the place?
Kelly
There's been weather?
Mike
Yeah, yeah. When you're in the Midwest, there's no escaping it. Like, it's just.
John
Hey, we've had weather, Kelly.
Ryan
It got down to the 50s.
Wade
I know.
Kelly
It was the coldest I've ever been.
Corey
Hey, we're supposed to get down into the single digits later this week.
Ryan
Yeah, yeah, but you're talking Celsius, aren't you?
Mike
No, no, no, I. And I did that. Like, I was on. I was on a call with my team and I was like, it is 15 degrees here. They're like, celsius. That's.
John
That's comfortable.
Mike
I'm like, no, no, like Fahrenheit. They're like, wait, let me convert that. And like, holy cow, that's a negative 9.4 repeating in Celsius. Like, yeah, that's. That's not fun.
Corey
How are you doing, Corey?
Ryan
Right way.
Corey
I can't.
Ryan
Muted. Corey, you're muted. He's behind seven mutes. Not yet. Not yet.
Wade
Right.
Corey
Today's news.
Mike
We're getting there.
John
Corey's in a silence.
Corey
News will be pantomimed by Corey.
Mike
Exactly. Like, just mime the panic.
John
Not.
Ryan
Not.
John
Is it.
Ryan
You're not.
Alex
Yeah.
Ryan
Kelly was having mic problems, too, and now Corey's having mic problems. Sorry, Mike.
Corey
I'm just a problem child. What can I say?
Mike
I think Restream reset stuff again. So.
John
There we go.
Ryan
We got a Corey now.
Wade
I didn't do anything. I just switched inputs. I'm sorry.
Ryan
You turned it off and then on again.
Wade
I did. I switched to Thunderbolt audio and then I switched back. So here we are. Yay. I'm doing great. I'm. I'm great.
Mike
Yeah. I'm just going to blame Restream updating to try and get its end of year objectives in first performance review. Well, there's so much. There's so much of that going on at so many companies. They're like, wait, before everybody leaves on break, I need to get this thing done so that I can count it in my 2024 goals.
Wade
Is the discord. Did it move again? People are scared.
Ryan
Yeah, it keeps moving. Jason just can't help himself.
Wade
But it's still under live webcasts and news, and it doesn't change every week. It's just there.
Ryan
I don't know. It has changed the past two weeks, every week.
Kelly
But I see, just the infosec news on the left hand side.
Wade
And it's fairly infosec news that doesn't even exist anymore.
Kelly
But Ryan just posted in there today.
Wade
Well, I mean, the channel, that's not where the audio is. Yeah, it's called Live Chat News.
Ryan
Oh, Live Chat is. Yeah, Live Chat is now. Well, it's called Live Chat also.
Wade
Does anyone else have an echo? Why do I have the world's quietest echo? Is it me?
John
Did it happen when I just joined?
Ryan
No, it might be John.
Wade
It was happening before. It was just really hard to hear. Maybe it's me. Wait.
John
Yeah. Weird being back.
Wade
Okay, it was John. It was all John's fault.
John
So let me turn down.
Wade
It's good. It's gone now. I don't know if you changed anything, Ryan, but it's gone.
Ryan
I didn't. I was pinging Kelly to make sure she knows where we are.
Kelly
All right, Kelly's never in the right room when she supposed to be.
John
I have that same problem. Kelly. It's all.
Wade
There's. Yeah, there's still an infosec news chat, but that's the text for posting the news articles. It's not for hanging out with us and making John read your SQL injection.
Ryan
For growing the news articles so we can harvest them for the webcast.
John
That should be a better mic on my side.
Ryan
It. It sounds better.
Kelly
A better mic. Mike.
Corey
Hey, finally. I'm better.
Ryan
All of us have been searching for a better mic this entire time. So far.
John
Hey, Radisson.
Wade
No, we haven't.
John
Does that sound better?
Wade
Raddus, there's a delay. Raddus will be in touch shortly.
John
Yeah, but for you guys, does it sound.
Ryan
It sounds great.
Kelly
You know, when you're. When you're not ranting, you sound quiet.
John
I know, I know. Looks like John was getting ready to cut down a tree. I am doing Christmas decorations right after this. We've got. We've got Christmas decorations to do, so I was able to drive home. Are we ready to kick this off?
Wade
Always, sir. There's still an echo somehow. But I'll just roll with it. As long as the audience isn't complaining, I'm good.
Ryan
I don't hear the echo.
Alex
I don't hear an echo.
Corey
I don't hear an echo.
Wade
It's just me.
Alex
It's just you.
Kelly
Oh, I heard Wade and didn't see him.
Wade
I'm going crazy. That's good to know. I'm so happy about that.
Kelly
It was Wade's mustache talking.
Alex
That was.
Ryan
Oh, look at that. I still Got the old holiday open. Let's go with that one today.
John
Oh, hello, and welcome to another edition of Black Hills Information Security. Talking about news. I don't know why the hell I'm kicking this off, because I haven't been here in like a month. It's been travel, it's been Thanksgiving, I've been teaching. It's been crazy. But we got a whole bunch of notable stories. We've got. What is it, FBI telling people? Hey, don't use your cell phones anymore. Which, honestly, is probably a really good idea, to be honest with you. We have ASA WebVPN vulnerabilities. We've got a new rule proposing blocking data brokers from selling data. There's all kinds of stuff going on. Joined by the cast of characters that we normally have. Thanks to all of you for showing up. Folks, which story do we want to start with today? Is anyone. Nothing's particularly ranty for me and I'm all ranted out.
Alex
I ranted out.
Wade
Can I rant? Who will let me rant for a little bit? Have I been on this show enough? Okay. I want to rant about the SMS thing. I want to rant about the SMS.
John
Got it. Good one.
Wade
Because this is personally impactful to me and I'm curious to get the audience and everyone else's take on this. Does anyone. Has anyone in the last couple months just felt like Android and iOS have failed us and we're all just, who knows what we're sending? I don't know if it's angry enough, Corey. I don't know if it's okay. I'm sorry, I don't know if it's just me, but I'm getting random group threads that I'm not even part of. I'm getting dropped off of other group threads. Every time someone with a Pixel replies, it creates another group thread with someone else. It's like this whole RCS SMS thing. I don't know if it's just me, but the text message, it's a disaster. Like, in my opinion, I don't know. Has anyone else experienced this? Like, you're sending texts, you're sending RCS messages, it's switching back and forth. You're getting group threads from people with Androids that shouldn't exist. And I don't know. Is this just me?
Mike
Yeah, this isn't a recent thing for me. No, I. Like, I. I was. I've been frustrated with that for. For some time, so I'm surprised you.
Alex
Guys still use SMS like I have.
Wade
Well, you shouldn't, so the FBI says you don't. Here's what I'm going to do in my group thread with all these people. I'm going to say the FBI says not to use SMS anymore and that'll fix all the problems, obviously, because make friends. I will say I do think what's.
Corey
Driven me nuts is getting a message from somebody with an iPhone that is sent RCS, but it's the wrong version of RCS, so to reply to them I have to go to SMS, otherwise I get a some Sorry, this is undeliverable.
Wade
It's so bad. One of my friends is sending emojis in Italian. I'm not even joking. This is possible. I don't know.
John
It's an. It's a spicy meatball.
Wade
Yeah, it's like, I don't know, I don't get it. It's terrible. So basically now we have a government recommendation to not use SMS and I think this is actually a callback to remember how we talked about the ISPs and telecoms got hacked by China? I bet you that's related to this. That's just my guess.
Mike
It has, it seems to be, yep.
John
So there's a couple of like, quick things I want to throw out there. I'm going to start with the first one. So if we get a new story that these telcos have been compromised and now the FBI is saying, hey, how about you don't use unencrypted SMS, that tells me it's not fixed or they're not confident enough that it was fixed. I mean, the story was that they got access to the systems that the United States, the United States government used, or they used whenever the United States government came with a warrant. So they can gain like, holy. And now for the FBI to say, hey, that system that we put in so we could tap all your phones for the courts, it got hacked. So how about you guys just stop using the thing that we were like. There are so many layers to this that are absolutely mortifying. I don't think that we're nearly at the end of this and to be honest, this story tells me that they don't know either.
Corey
Last I heard from CISA, and I was trying to quickly find the article, the news article from them, and I can't quite pull it up yet. They were saying, yes, these were compromised. No, we still have not figured out if we've even ejected them from the networks yet. So you should be using encryption. And then the other day I just saw something say, yes, the FBI says use encryption, but use it with our backdoors in it only.
John
Well, Blackfest has the great quote. Blackfest says it has to be bad when the United States government is recommending we use communication tools they cannot actively monitor.
Wade
That is so true. That is like the quote of the year right there.
John
I keep thinking, you know, we talk about all these hacks and all these things, whether it's Snowflake or whatever. I seriously think that the worst hacks are the hacks that you do not know about or the ones that you do not get your, your head around completely. And this is very much in that category of this is bad. We can't get our head around this completely. And I'm going to throw this out there, and I don't, I don't want this to become a political conversation, but a lot of the management at CISA is YOLOing out in, like, less than 60 days.
Wade
Oh, yeah, Jen's already gone. Jen's already gone.
John
What the hell? Like, if we're looking at the investigation, one of the biggest things from an incident response perspective is continuity of leadership, continuity of the leads. Like, all of a sudden, we're blowing all that crap up. And I don't know, I don't want to sound Pollyanna-ish on this, but I'm going to, because, hey, what the hell? Like, this is bad. Like, am I the only one that looks at this? And like, when the FBI is saying, hey, you shit, we can't tap and we don't know how bad it is, by the way, they got access to all these telcos. I'm freaking out a little about this. And I know it's not the first time. Like, we had the OMB hack. There's been a number of hacks, but this is right up there. And I think it's right up there because we don't have a full understanding of the extent of just how bad it was, is, and is going to continue to be moving forward.
Corey
I would agree with that. I think the scariest thing is, you're right on the nail with that one, John, is the IR continuation over it all and what's going to happen if they're even going to continue with that. There are so many rumors flying around about they're going to cut out CISA, they're going to cut out this, the next administration is going to change things up and shake things up. And when you're in the middle of something this serious that can affect government communications, let alone any other communications, who knows how deep these guys actually are in it, it really starts opening up your eyes. And I think us in the know that understand this sort of stuff, it's triple scary. I think with all the breaches that we've had, though, the general public's just like, oh, yeah, it's just another breach. Okay, we'll just do this a little bit and everything's going to be fine. And there's a serious thing without the continuity, that things might not be fine going forward.
John
Yeah. And that's the scariest part. And I think, Mike, once again, I don't want to get into politics and I don't want to deal with the moral equivalence. However, if we can take it back a couple of steps, we are at the point right now where we're going into a situation like this where, like this is bad and people are looking at each other in America as though the greatest enemy is the Democrats, the greatest enemy is the Republicans. The great. And seriously, the people that broke into these systems are getting exactly what they effing want. And once again, I don't want to play the moral equivalency game on this, but just like you said, we're going into this, we're losing all of these. We're losing all of these really smart people that are working through this. And I just have this fear that we're getting into a situation where we are going to be fighting each other more than actually dealing with the cyber threats. And seriously, that is exactly what they wanted.
Wade
Yeah. And we just need. All we need is a bipartisan incident response team. What could go wrong?
John
And okay, guys, I don't know how we're going to get that right. You know, how are we going to make that happen? Everyone's.
Kelly
We're going. We're going into the holiday season. What are you going to tell your friends, your family, your church, your PTA group about this? And this is a serious question because you're right, John, we're technical. We mostly understand this. But my mom and dad, they don't understand this. What are we going to tell them?
Mike
And I've had that discussion. And Kelly, that was one of the things I was going to say because I've talked to people on what are we going to. What are we going to tell them? How are we going to effectively, like, make encryption. Make encryption sexy again? See, it's one of the things to where whenever you have, like, any sort of huge technology change, people don't care about the benefits for it. Like, I go, okay, when they took away, like, the little, like, actual, like, keyboards on the phone and made it to touch screens. And all the tech nerds were like, well, this is beneficial. People didn't care. But when you make it like, oh, it's like the hot new thing to have is one of these devices that doesn't have like the little buttons. Okay, cool. People will do that. I like, there was a strategy from Mike Basil for getting people to use encrypted communications. If they reach out to you on encrypted comms, you reply right away. If they reach out to you through unencrypted comms. Yeah, still respond. But they're going to have that noticeable delay and go, oh, hey, if I want to get a hold of John or Kelly or Wade right away, I need to use the Signal app that they're, they're talking about. Because otherwise, like, yeah, you're going to sit there and go, all of us on the newscast, we're going to be using encrypted comms. But you're right, like our friends, family, they don't care. They don't care, they don't want to use it. But if they sit there and they go, oh, hey, I missed out on this, this awesome conversation, right? I missed out on like awesome memes because I wasn't on Signal, you know, hey, I mean, do that like, you know, have it be that, like, you're great inform, you know, your fun, your fun times are on encrypted communications.
Corey
There are two problems that I run into with that, Alec, and the problem isn't from our side and our vantage point. Signal limits the amount, the size of files that you could transfer back and forth. And a lot of people will use SMS to transfer pictures, to transfer videos of their kids going back and forth besides posting on things like Facebook, etc. Number two is we've got. There's been a lot of blowback on systems that have been encrypted in the past and probably the biggest one that could be used that could offer it. WhatsApp people are just like, no, it's either they're all in or they're all out. And there's so many of them out there. And then you get things like Apple with their RCS versus SMS and the phone makers wanting to control these things. There's too many choices out there. Choice can be a very good thing. But until we all standardize and make sure that it's got the features that the people want, they're still going to fight back on it. It's not as easily usable for them for doing everything that they necessarily want. Potentially as using SMS. And this has been a problem with us trying to get them to not use SMS for two-factor authentication also. It's really easy to go ahead and say yes, just text me the code. And that's better than nothing. But it's not as secure as using an app or using a FIDO key. And we're going to now be fighting this on another front with encryption.
Wade
I think it's so, I mean you're not wrong. I think it's secure by default. That's basically the world we need to live in. And I think now we have government backing for this. We know CISA is big on this. The future of CISA is unknown. But things need to be secure by default, right? So Apple needs to be, I mean they already did it. But forcing RCS by default or allowing it by default allows encrypted comms by default between Android and iOS. That's an important step for the going back to the like argument for the, you know, regular people, lay people. I think the, this closes the loop on the but why question. You can say, hey family, we're going to use encrypted chats or whatever. And they're going to be like but why? And before the argument was just well, because this and you know, because it's better in security. And like we're sitting here being hackers, being like, you know, hacker stuff. But now we don't say hacker stuff. We say because we know that China is actively monitoring our communications because they've compromised ISPs and we don't know how deeply they are. And like I think that's the answer to the question of but why? And we have a real, it's not just fear mongering. You're no longer a tinfoil hat by saying, well what if China hacked our communications? It's actually documented, we know it's happening. And so to me that's a big push. I don't know, that's just, I think.
Alex
A lot of, a lot of here's.
John
What I'm going to push the secure by design. I think the whole secure by design thing that this is pushing, pushing is bullshit. I want them to push a completely different angle, right? Because they want to go to Microsoft, they want to go to Google, they want to go to Apple and they want to be. We want to pledge that you guys are going to be secure by design. And there's talk about liability and all that, all bullshit. Don't look into it. That's not going to solve anything. Here's what's going to solve it. Open by design, things are only fragile until they break. If it goes back to Cory Doctorow, the coming war on general purpose computing. And I've been talking about this for years and referencing this, all of these vendors are pushing for closed systems, closed on the phones. Apple's trying to close it on the computer with less, less success. But they're creating these closed systems. And with these closed systems it becomes far more difficult to test. And there's this belief that if it's a closed system, then it's more difficult to test, it's more secure. And that is bullshit. They need to have systems that are more open. I should be able to put in a kernel level debugger on my phone. I should be able to put in a sniffer on my phone. I should be able to intercept any and all the traffic that goes from any app that I pay for and I run on my device on my phone. You want to secure things, open them up, get them as open as you possibly can. So it's general purpose so that people can like start analyzing and they can start looking at all the traffic that's coming and going on their system. They can start looking at the APIs. And it's not a handful of people testing the security of SMS on a semi regular basis that it's very, very limited who can actually do that. And it's a gated community on who open everything up. Because things are only fragile until they break. Right? Yeah. 
And Wade, yeah, this is an angry John, sorry about that, but this is one of the things that pisses me off. You have all these people that are like, we need to have secure by design, we need to get. Dude, Microsoft had an initiative back in 2001 that was called the Get Secure, Stay Secure initiative. I still have the effing T-shirt in my closet somewhere. We've been talking about the secure by design principle for over 23 years. Years. And the only way it actually works is if we open up these things so that people can install. They can get root access on their devices, they can start analyzing their apps, they can start analyzing the communications, break everything, hack all of the things because things are only fragile until they break. That's how you get to some level of security. Because we're not allowed to test the ad delivery systems, we're not allowed to test tons of APIs that these different applications are using. You know that they're riddled, you know that they're wide open and they're gonna have massive security vulnerabilities. Open it up. Open by design is secure by design. Things are only fragile till they break. All this other stuff is lip service.
Wade
Yeah.
Alex
I have something to say about dealing with getting your relatives and stuff like that. Infosec at least wary. Right. And the thing I've done is like slowly, slowly implement. Every time I talk to my parents, I talk about a breach every single time just to get them, like, understanding of what's going on. You guys, like, totally. My parents have a small business, right. They definitely have stuff going on. They know what I do. And it's definitely slowly like gone into their head where now they use secure apps, right. And this weekend my mom called me frantic because she got an email that one of her systems was logged in via an IP address that wasn't too far away from her, but was very suspicious. Right. It got to the point where I'm walking her through password setups. All this stuff changed. After many, many hours of talking to her, I just installed AnyDesk and just did it all myself. But what this led to is me realizing that she is just. She's at least thinking about it nowadays. And we implemented MFA on a couple different things. And we. Not just cell phone, right. We implement actual token MFA. And then of course, at the end of it, I go and look at that email and realized it was her IP address that alerted and it just rotated.
Kelly
You know what? Wade isn't saying he held the. He held his, the grandchild ransom until she did. Good security.
Alex
I wish.
Wade
I mean, yeah, I mean, I think, you know, I think John's thing of like open it to secure it is a good. Like, if you're going to thump a drum, I think that's a good drum to thump. The other thing I was going to just throw out there for Kelly is should ISPs, like, in this case we're talking about ISPs getting hacked and people monitoring their communications. That to me ups the risk because if you're in the middle, you have everything like that's unencrypted. You have DNS, you have, you know, whatever protocol someone forgot to secure 10 years ago. You have access to that. So I guess my question for Kelly is, do you think that ISPs should be subject to additional security or government regulations or any like, is there anything we can do so that them specifically are, you know, forced for. Into better security standards or what? What do you think?
Kelly
Well, that's actually a great question, Corey. And this is. It's been a debate for a couple of decades. Actually, where do telcos fall in? We talked about the whole Section 230. That's. Are you an Internet publisher or not? We had that conversation about Facebook and some of the other social media sites. But exactly where do telcos fall in? There are congresspeople who are advocating that telcos are mission critical utilities that should be regulated as such. But nothing's really come out of Congress because, well, they're, they're busy doing other things.
Wade
Do you think this will get them, do you think this will get them fired up? Because I mean it's, it's directly targeting them. I mean we already know that one has reported that some of that.
Kelly
I, I hope so. Well, you know, it's funny, that kind of leads into our next article about. Of course, I just forgot it. The consumer, Federal Consumer Bureau.
Corey
Oh, the blocking data brokers.
Kelly
Yes, thank you. The blocking data brokers.
Wade
But Financial Protection Bureau. CFPB.
Kelly
CFPB. A lot of people are asking what's regulation going to look like under the Trump administration? There's been overtures that there's going to be deregulation across the board. Other people are saying, well, there might be a bit status quo for a little bit, but if you're in compliance like I am, I do think we need to assume that there's going to be a bit of deregulation, especially with the new proposed head of the SEC. Remember, the SEC, the last couple of years, has been strong on enforcement and cyber controls and cyber disclosures. If we're rolling back regulations, it may be we're going to turn the other cheek with the telcos.
Wade
Yeah, yeah. I mean, I think it's, it's tough because it's one of those things. What are they going to do, just turn off the servers? There's not like, there's not. They are. It's like, how did you read this email about regulation if not for the ISP itself? Right. Like it's, it's really tough to shut that off or backtrack it or like, you know, it's, it's an existing long standing thing and it's become critical infrastructure. I think. So I do think it's crazy that they're not regulated like critical infrastructure. But.
John
Well, whenever you're talking about like data brokers, I keep saying this, like, seriously, all you have to do is take that, that information, that PII, you classify it as PHI and then you put HIPAA regulations on top of it and it has to be treated with that same level of rigor because you know, you get someone's browsing history. You get someone's ad history, you get someone's. Actually, just their browser history is enough. That is something that should be treated as PHI. It should be.
Wade
Every company on the planet has to be HIPAA certified and HIPAA compliant.
John
Hell yeah. Yeah. And then all of a sudden their business models start blowing it up. And all of a sudden they can't be making money on targeted ads. And all of a sudden they can't be running AI algorithms to manipulate you as much as they. They do now to try to keep you on a website as long as possible. Yeah, a lot of shit's got to change real quick. I agree with Kelly.
Wade
I mean, yeah, it would shove. It would destroy a lot of. I mean, imagine Black Hills information security. We would have to be HIPAA compliant and it would be terrible. Don't get me wrong, it would be.
John
Great, but it would shove a lot of small metrics. Well, wait a minute. Okay, yeah, we do.
Wade
Yeah, we do. You have my phone number and a spreadsheet. So we have to be HIPAA compliant.
Alex
Yeah, but whenever you talk about it.
John
You don't have to sell that data.
Wade
Go, Kelly.
Ryan
Go.
Wade
Go, Kelly.
Kelly
Okay, so Kelly gets ranty for a second here. There's no such thing as HIPAA certified, so let's scratch that from our vocabulary.
Wade
Well, then why is it on this website that I just submitted all too. I'm just kidding. I'm just kidding.
Kelly
HIPAA is really. Remember HIPAA is meant to cover. Cover covered entities and business associates. Unless Black Hills defines ourselves as a covered entity or a business associate who. Who gives a crap about HIPAA, quite frankly? And honestly, there's talk of a revamping of HIPAA well before the administration change of actually making HIPAA a bit more specific and technical control based instead of, hey, you should do these good things. Yeah, but if somebody tells me they do HIPAA, I'm honestly really not that impressed.
Wade
Well, I mean, yeah, that's. That's a good point. I like.
John
But if you all of a sudden say that all of the information that's being tracked in Google for ads and Amazon for ads and Facebook for ads is covered under PHI, that's going to change their behavior in the way that they handle it.
Wade
Yeah, but it would also ruin the business model for a lot of free products that people probably like. Like, it would basically force everyone to pay for everything. I will say, on the whole, like, compliance regulation, we have seen some state regulations that specifically do apply to data brokers. You know, like Oregon, where I live, has one. California has one that basically requires them to do certain things and not store certain things. So I do think that a national framework for that would probably be useful to say not, you know, let's go a little bit less broad than every company, every ad based revenue model now doesn't exist. Let's say every data broker has to comply with these things, and we talked about this when National Public Data got breached. You know, these, just like ISPs, these data brokers have access to and control over data that is hugely damaging to every American or every citizen that they cover. So having special regulations that apply to them or special requirements for them to not get breached a lot would be cool on that.
John
Corey, hold on, I got a question. So on that, do you think in that scenario, and Kelly too, would it be better to move from a compliance framework to an accountability framework? And I bring that up because people were like bringing up again and again the concepts of GDPR, and GDPR. There is no like, here's how you're GDPR compliant. It's literally an accountability framework. If you get compromised, these are what the fines actually look like.
Wade
I mean I think, yeah, I totally get that's a good thing to think about and I will say like it kind of dovetails into our next article about vodka. But I think, I think the problem, part of the problem is like these, these data brokers are kind of fly by night and small and if they got slapped with accountability they would just say all right, bye, peace, we're gone.
Mike
That's the frustration with, with data brokers and getting your stuff cleaned up is you get it taken down and then it's just a whack-a-mole for. It's like oh well, it's back up, to where it's just sort of like, well I, I told BHIS to take it down, but it's like, well, this is B H I D. It's different. Like we're a completely different entity and we're absolutely compliant with this. But if there was some sort of accountability being like, no, this data has been marked by the owner, which should be the individual, as I don't want this out there among the data brokers. If you are a data broker and you get to see something, I'm just coming up with like a, I'm just spitballing here, but if you come across something that is tagged as the no, this needs to be, this needs to be scrubbed totally, then you shouldn't have it.
Wade
That's a great idea. A central kind of database or whatever I mean this is, I can't believe I'm about to say this, but a central like registry for who's allowed to have data and who's like, it's like, I mean again, it's almost out of here. It's, it's almost like we have this, you know, list of approved data brokers or you know, that kind of thing of like here are. And then those have to be. If you're a data broker you have to be compliant with takedown requests. You know, it's the same thing we're.
Kelly
In with says the king of info stealers.
Wade
Can I just.
Corey
I mean I think honestly, while we've got some really good ideas thrown out here, I don't think making them regulations through some three letter agency in the government or some department in the government is going to be the final answer, because there's too much that can take that away at this point in time. And we've seen that with different regulations. Overall, I think honestly what we need to do is get an act of Congress, an actual law on the books that's not so easily removed, for even the companies themselves to give a hoot about.
John
I want to. Mike, if you're talking about regulation, the same problem exists for laws. So I'm going to ask again. Do you think we need to move away from compliance and here's the rules to accountability where we don't necessarily care what you're doing to secure your environment but if you get compromised, these are the levels and these are the percentages that you're going to be held accountable to. Because I mean I feel like sometimes, and I really do feel this way about a lot of compliance frameworks that so many organizations treat it as a minimum. Like oh no, no, we're fine, we did our due diligence because we met the minimum. But that was never the goal of a lot of these different compliance frameworks. And if we just move to an accountability framework is like y'all do what you want to do but we're going to hit a solid percentage if you get compromised and we found that you were deficient. Is that better?
Wade
I think it is a little better. I mean I think if you have to choose. But I will say the problem is the data is already lost, the impact is completely unmitigated. It's just like it's, I mean I guess you do have cases of like a T-Mobile that just gets breached every year on the year and there's like nothing's ever going to change about it. Maybe, maybe it would prevent that type of thing from happening. I think at the very least it'd be better than nothing.
John
And that's what we're trying to change. Right. Like if an incident happens, you're right, cows are out of the barn. That's tough. But what we're trying to do is change behavior of organizations before these breaches occur.
Wade
Yeah.
John
And what is the thing that we can do in this industry that the government can do to be able to effectively impact and change behaviors for the better? And I feel like we keep coming back to compliance frameworks and every state tries that. Like Florida's, you know, critical infrastructure compliance framework. It's like, right, that's not, that's not a solution. Passing laws, I don't think that's a solution. Right. And I keep wondering, and maybe people in Europe know better. Does GDPR have a positive impact on organizations in Europe?
Wade
A lot of pop ups about cookies. That's all we know.
John
That's all that we see. Right. That's all, that's the GDPR means annoying pop ups on websites.
Wade
True.
Mike
I think the accountability framework would help for organizations, but not for like these small like fly-by-nights. It's even like the similar thing with ransomware is, you see, you know, places that are even supposed to be HIPAA compliant going, you know what, like if we get, if we get ransomware, I guess I'm just going to shut down my chiropractic office and start up a new one like that. Just take the server, put it in the garbage and go. You know, it's same type of thing if you get hit with accountability. He goes, oh, well, I guess we're just going to shut it down and spin it up somewhere else. But for, for large organizations where they go, okay, well we can't really just like, you know, you know, you know, take down Delta and rename it like Echo or Foxtrot. Yeah, you can't just rebuild it like that. You go, okay, well their accountability stings. But yeah, like the, you know, your local car dealership that goes, oh yeah, we still have your driver's license floating around that we scanned from that time you took a test drive like 18 years ago and droning drone and.
John
Had a drone and had a comment. I feel like that kind of structure would discourage reporting and attempt to hide it. I, I disagree with that. I, I, and that's kind of came up, you know, Alex, from what you're talking about there too, it's not like we live in a wonderful world where everyone wants to disclose when they've been breached. Right. There's already a tremendous amount of organizations that try to hide it. I guess we're going to have to switch to another topic.
Wade
Well, okay. Kelly, what were you going to say?
John
We failed. Sorry.
Kelly
We did.
Wade
Kelly, what were you going to say about GDPR?
Kelly
I have two little things on GDPR, Mr. Strand. Number one, GDPR introduced Americans to the concept that information about me is my person and belongs to me. My eye color, my hair color. So that was one thing I think has been successful with GDPR. Remember, GDPR was spun out of Nazi Germany in understanding those defining attributes of ethnicity. I can't even say it. Ethnic background. Yes. Thank you.
John
And second of all, I got one for pronunciation. It's John 1 Kelly 100 for those of you keeping track at home, this is a great day for me.
Kelly
Secondly, we have the CCPA, CPRA, the California Consumer Protection regulations when it comes to privacy. So the whole California approach to privacy was influenced very much by GDPR. So perhaps organizationally, maybe it didn't make somebody's job easier, but it introduced the concept of privacy into the United States more frequently to organizations. And I think it started the snowball rolling.
Wade
Yeah. One, I do want, I have. I mean, that's a really good point. The other, before we talk about vodka, there was one kind of last final follow up thing I wanted to throw in there on this discussion, which is I think we just need to live in a world where we know that the public impact of a breach is functionally zero. Like there's the public disclosure of a breach from, you know, public relations and, you know, hit to reputation and all that is, I think basically from a risk perspective, zero. Like that. We just have to the whole like, yes, companies still try to hide it. Yes, it looks bad. But we live in a world where functionally every company has been breached one way or the other, whether it was a third party supply chain, one of their employees. Like, breaches are not a yes or no thing. It's not like someone could come to me and say, hey, you're a security expert. What bank can I use that would never be breached? Because they've never been breached. I'd be like, well, I mean, honestly, I don't have a good answer for you. Because the ISPs are breached, all the healthcare processing companies are breached. All the breached. Yeah, telcos are. Yeah. If a telco is breached, then it doesn't matter what company's breach because the century. So basically I think we just need to live in a post public impact from a breach world. We need to say the this care the stick of well you're bad and you have to publicly disclose. This is not a stick, that's just a fact. So we just need to move on and say we need other consequences for organizations that are material and relevant. What I mean we see with ransomware companies are hugely impacted and pay because they have to, because they can't get their stuff back versus if this is data leakage they're like eh, we'll notify.
Alex
I just say annual revenue based fines. How much you making? That's how much you're gonna pay.
John
Yeah, I want to argue with you, I want to disagree with you. I can't. I mean I.
Wade
No, you can. Don't worry.
John
I know and I love taking contrarian positions but you know, one of Kelly and I's friends, David Rice had a really great book. Can't remember it wasn't Freakonomics, that's a different book, but it was a play on that. Geekonomics. No, Geekonomics, the Real Software Security. He tried to make an argument that there was a cost of insecure software and there was a cost of these things. And I think it was very well researched. He's one of the smartest people I've ever met. I think he was wrong. I think Corey was right. When you look at stock price, look at all of these different things, like what are the incentives of trying to do good security? And seriously, I mean we joke about it all the time now, but getting a CISO is just basically for many organizations. Like you're going to be the guy that's going to take the fall when the hack happens.
Wade
Yes.
John
That's your job.
Wade
What's my purpose?
John
Taking the fall during a breach. Oh God.
Wade
Okay. But, okay, this is so this is the perfect segue. So I, and this is again, I keep saying we're going to talk about vodka. Let's push that one one further into the future because I actually want to get everyone's temperature on this. We've already talked. All right. This has been talked to death in the public news. But talking about the United Healthcare CEO, does anyone see a connection between cybersecurity and this? Is this like, is this a potential impact? Like I don't know, maybe I'm just. No, you don't think it has any.
Alex
They took all the. About all the what? All of the healthcare people took all their about mes off their website. Like I think maybe there's some intersection.
John
But I, I will, I will say that the. The thing that I see is a. As a similarity in this is I hate it whenever something in computer security happens and everyone tries to turn it into a DN versus our thing. And I see that here, right, where people are like, oh, well, these liberals are celebrating that this. This guy was shot. And, like, liberals are like, no, no, no, no, no. There's lots of conservatives that are. That are celebrating that. And it became a political issue when the fact is a dude was killed. That is tragic. It is absolutely tragic that healthcare is so fundamentally broken that they're literally creating AI programs to automatically deny claims. There's so much tragedy here. And the only thing I see as a similarity into it is I hate it whenever people use this as leverage to try to attack each other. Like, you talk about Thanksgiving and Christmas.
Wade
Right.
John
I hate it whenever people are talking about computer security and they're like, well, that's all Barack Obama's fault, or this is Trump's fault. It's like, oh, Jesus Christ. And we can't get past that. And I think that that's the similarity that we see on this is. It's just. It's being weaponized. And I hate that it doesn't allow us to solve the fundamental problems.
Wade
Yeah. I think it's just a bunch of news articles were typed before the thing happened.
John
They're just ready to. It's.
Wade
They were ready to go. Yeah. Because if you think about it, it's like the straw that breaks the camel's back. These are how, you know, what is the straw that breaks the camel's back? Well, it's defined, like, by a moment like this. Or maybe this is, you know, who knows how it will plan out in the future? But, yeah, I mean, yeah, I don't think there's a security impact. But I will say, when we talk about scapegoats, we talk about risk. I mean, I don't think we've ever seen an example of, like, someone being physical, having physical reprisal against them because of a breach. But when we start talking about scapegoats and things, it gets a little bit sketchy of, like, if, let's say you are the chief security officer of a company who got breached and that breach led to some huge personal impact for someone. I mean, you got to be thinking about that kind of thing, right? Like, you got to be worried about that kind of thing.
John
So here's something that does concern me. I'm willing to bet that more organizations are spending more money on personal security for their executives than they would spend on increasing security if they were per.
Mike
Reached.
John
Yeah, like seeing this happen. This executive gets shot down and somebody mentioned he's got kids, he's got a spouse. And yes, I completely disagree with what he, what he did at United Healthcare. But shooting someone down in their front of their house, not cool. It's got, it's gut wrenching. But all of a sudden now you cannot find bodyguards. All of a sudden now you cannot get personal protection for executives. And I really wish to God that organizations would react the same way about cybersecurity whenever somebody gets compromised and react in that type of visceral way to protect their organizations. And Brian, time traveling nerdherder, nailed it. Absolutely. Kinetic attacks always hit harder. This is a much more relatable attack, I think to executives and I don't know, it's. Once again, it's a tragic thing and I really wish it wasn't politicized at all.
Wade
All right, let's talk about vodka going forward.
Corey
We should all take a shot of vodka after all that bad news and we'll have stolen. Oh, we can't.
Wade
I have bad news for you. I have more bad news. This is kind of a. So I mean, basically the news is that Stoli, which is a Russian affiliated vodka brand but also has a US business, has announced that they're shutting down operations in the U.S. I think probably this is a little bit of meh, throw in the towel kind of COVID style. Like, this is bad, we're just going to give up. But it is related specifically to and data breach and ransomware attack. So essentially they took the ransomware, took down their ERP, which for those that don't know, ERP is Enterprise Resource Planning, which is basically how much vodka do we send to New York City to accommodate for someone getting assassinated? So like that, you know, planning resource is a business critical asset for this company. And instead of figuring out how to restore it or pay the ransom or, you know, they just didn't have backups. They're just saying we're done. So this is, this is rare. Actually, it reads like they were already.
Mike
On their back foot though, because they.
Alex
Had, they definitely were.
Mike
That were seized by, by Russia. So it's just sort of like if you're, if you're trying to make do with what remains and then what remains gets ransomed, you're sort of like, well, I, I guess, yeah, I guess they're gonna take the ransomware punch in the head. So they were still.
Alex
The crazy part is though, they were still worth over a hundred million dollars. Right. And they defaulted on $78 million worth of debt due to this ERP system failing, which I would say, like someone that big failing due to a ransomware hack is pretty crazy.
Wade
I've seen it before, but never can.
John
We point to these guys and see, like, See, this is. This is why this matters. You should.
Wade
Yes, totally. I would say it's the same thing as the FBI saying no more SMS, but for ransomware.
John
Yeah, I would say that. But this Bronwyn brought up, ransomware kills about 60% of the small businesses that get hit. The difference is they're not in the news.
Wade
No. And they don't make Stoli and they don't make Stol.
John
Right.
Alex
The second half of this article was pretty interesting where I didn't realize all the drama behind the Stoli and the Russian part where the actual, like, president actually had to flee Russia in the 2000s and become a UK citizen. That was pretty cool.
John
Yeah.
Wade
Yeah.
John
Just a. Just a crazy story.
Wade
Yeah.
Kelly
I have one other thing to that. This isn't the first time where we were dealing with nation states and taking over alcohol industries. There's a.
John
There's a great book about proud history in the hacking community. Okay.
Kelly
For those of you who like a good read and it's Christmas time, you might have a little extra time on your hands. There's a great book about the Cuban government taking over. What's the name? One that starts with Ardis taking over most of the Bacardi family's assets and land. So this isn't something that's new.
Alex
Is that what happened to 151Bacardi?
Kelly
No, I caught on fire.
John
There's another situation. Not necessarily ransomware, but I remember when the fires were hitting California's wine country really hard, there was a fake email that went out, I think from Jackson Family Wines. Not from them, but somebody pretending to be them, saying, we need to raise money for all of these people that have lost so much. And it was all fake. And that was. That was a pretty scary attack because there was a significant amount of money that the attackers were able to pull that down. So there's. There's another alcohol one. But once again, they weren't compromised. It was just somebody faking and saying, hey, on our behalf, let's. Let's help out all the farmers. And it was just. Just a way of getting money, so.
Wade
And I'm going to go ahead and publish this. eBay listing. Or listing for a bottle of Stoli for $6 million, hopefully. So, yeah. No. So another follow up. So the UK health service, NHS stuff, they're also still following up on cyber attacks, trying to get battle or it says, you know the articles, The Register, British hospitals hit by cyber attacks are still battling. So I mean this is another example of like ransomware stuff. They were attacked last week and they like their, you know, the intrusion hasn't been claimed. They're still trying to restore services, you know, a week later. So obviously in vodka you might have a week or a few weeks or a while but in healthcare you don't have that. You might only have hours or minutes sometimes. So I think, you know, it's not just you know, funny vodka stuff, it's also, you know, healthcare. And we found out last year with the whole Change Healthcare thing like a lot of these systems are vulnerable to, you know, knock on effects of ransomware.
Kelly
Okay, time to get ranty again. Organizations that deal with ransomware now I will make the caveat. There's relatively unsophisticated ransomware and there's very sophisticated ransomware. Some of these ransomware attacks are happening because they're missing very good basic cybersecurity hygiene. And when you look at companies and you ask them, can you give me an inventory of the IP devices you have on your network and the software that they're running? So many companies, big ones all the way down to little mom and pop say meh, I don't have time to do that, I don't have the tools to do that. And at that point I have to say that's B.S. um, I really do believe if we would take cybersecurity hygiene a bit more seriously, these ransomware attacks would dip. John, fight me on this.
John
I'm not gonna fight you on that.
Wade
I. Yeah, I, the only thing I will say is that I do think I've been reading this book about ransomware called. It's about the ransomware hunting team which is like the people that they mostly focus on like consumer based ransomware but they like decrypted and give out the keys. But anyway, I think ransomware is currently the most, I mean I know we talk about business email compromises being profitable for threat actors too but I do think like APTs have really shifted towards ransomware models for like I think back in the day you could have a basic hygiene and get away with surviving a ransomware attack. But I think nowadays threat actors are so advanced on the APT side deploying ransomware that like by the time they deploy it, they're so deeply embedded, they're so like I mean, you're not wrong that like, you know, you can, it's not like it's an unstoppable attack. But I will say that like some of these types of organizations that are deploying these ransomwares are really, really advanced compared to what we were seeing maybe five years ago.
John
But yeah. Anyway, I got into a Reddit argument on this and I shouldn't have.
Alex
I'm surprised they let you back on there.
John
That's what Reddit is for, John, techniques. And I'm like, the attackers will use any and all techniques at their disposal that you present to them. If you have a vulnerability, they're going to go after it. And somebody's like, no, they just use a handful of techniques and they move on. Like, that was true a few years ago.
Alex
I'll fight, I'll fight you on that. I'll fight you on that. So yeah, they may use the same, they may use any tactic, but the moment you get them to step out of their confidence and their SOPs, right, they're more likely to make a mistake.
John
Oh, I agree. And then you're more likely to shot Statistician184.
Alex
No, I actually took your cyber deception class and it actually says the moment an APT gets off their runway, they are more likely to make a mistake and think they're being watched.
Mike
I was going to cite John's, John's cyber deception. They don't want to get caught. So yeah, you get them off normal runway, they go, yeah.
John
Whenever you're talking about a threat actor, that's a nation state threat actor, it's don't get caught for the people that are just spraying and praying, they don't give a shit if they get caught, they're just going to move down the line to another organization. So, and that, that brings up another point, Corey. You know, we spent a lot of time about ransomware business, email compromise. And one of the big concerns I have is there's really like two big things happening in the industry right now. You have the ransomware stuff that's very much on the surface. It's what people see. It's loss of money, it's hospitals getting locked out and then you have telcos getting breached and then you have SolarWinds and you have these attacks by advanced APTs that are under the surface for an extended period of time. And I really wonder, are we focusing too much on the ransomware, too little on the ransomware, right amount on the ransomware versus like these really nasty nation state APTs that want to stay persistent, because a ransomware group is not an advanced persistent threat. Their goal is not to persist.
Wade
I would disagree. I would actually disagree base especially based on this book and just general like I think so old school ransomware, once they get caught, they just drop ransomware. But I will see like we have seen ransomware threat actors. So let me like distill this into a couple of points that are actually more approachable. Number one, ransomware isn't just about disabling and encrypting systems and files anymore. It's about extortion. And when you're doing extortion type ransomware, you have to ensure that you've captured enough data that they're willing to pay. That requires persistence. You can't just get in, dump the FTP server and say check out these six updates for Ubuntu server. You got to pay us $10 million. Like you have to go deep enough to get their crown jewels, their CEO's emails, corruption related stuff or you know, stuff that shouldn't be public at all or that they're willing to pay. So I do think that requires persistence. It requires an embedded threat actor in a network for a long period of time, moving laterally, elevating privileges, getting access to everything and then extorting them based on.
John
Finally I can, I want to disagree with you. Like you and Kelly have just been on point today, but whenever you're looking at ransomware, the fact that you're going to ransom at some point completely destroys the argument of persistence. There's some level of persistence that always has to exist for any threat actor. But whenever you're talking about APTs at the nation state level, they have no desire whatsoever to ever let the victim know that they're in their network, right? You want to stay inside of their OODA loop, you want to stay undetected, you want to continue to siphon data off of that environment as long as you possibly can. The goal of an APT is to dwell as long as possible. And I think that's a fundamentally different thing than a ransomware group that's fair. I think it's their date is to announce themselves. The end state of a true APT nation state actor is to not announce themselves.
Wade
So here's a point.
Corey
Yeah, here's a question, here's a question for you then. What if, and this is just conjecture on at this point in time, although it wouldn't surprise me if this was true, in some instances, some of these ransomware groups are being used as the front cover for the APT group for the actual APT, it's, look at us here. See what we're doing with this hand while this hand over here is sneaking past five other things. And you're not watching that because you're watching that ransomware group.
John
You know, I used to wonder that. And when we're working incidents, I don't see that. Right. Like usually whenever a ransomware group announces itself, they've got hooks deep in the organization.
Wade
Yes.
John
And you're bringing in Mandiant, you're bringing in BHIS, you're bringing in these large firms that can come in and actually root the attacker out. A lot of these, like if you're talking about an APT group, they don't want that attention at all. Where I think it's more applicable to what you're talking about Mike, is infostealers. And I think that that's where you have like a lot of these groups running info stealers and APTs are buying that level of access and riding on top of it. I think that that would be more, more in line with what you're talking about.
Wade
I mean, I guess what I would say is my response to both Mike and John here is like I don't think there's a super clear definition of what an APT is. I will say John's definition, John's definition of it is I think the most specific and accurate definition of it. And I actually wish that it was more of an industry. I mean maybe there is a definition, I'm just not personally aware of it. But, but I do think it's an interesting concept to say, well if it's an APT, that means that they're never going to announce the leak. Which that's, I think probably like from John's perspective, that's accurate. It's true. But I think when organizations, like if you went to the average CISO and said what's an APT? I don't think they would be aware of that differentiation of like an APT does this and a ransomware does this. So I would basically say like we're talking about a company like if I went to a CISO and said are you prepared to defend against an APT? And I don't think they would be aware of that distinction. And I think that like the general defense when you're talking in the industry of an APT is like just someone who's better than a script kiddie basically. So maybe there isn't really a definition for that. It's like an advanced non persistent threat. But I do think that there's a difference between your employee gets ransomware from something that Windows Defender should have blocked, and an organization spends six months compromising every one of your servers, taking down your backups, and then asking for $60 million or whatever. I do. I don't know how we differentiate that from a terminology perspective. I'm curious, Kelly. I'm curious if Kelly has any takes on that. Like, terminology wise, what's up there with an APT, but isn't persistent to the level of never announcing? Like, what is that? Just advanced ransomware? I don't know.
Kelly
I honestly don't know, Corey. But if you recommend me to head CISA, I'll make that a top priority.
John
Dude, I gotta be honest.
Wade
You would be great.
John
I would. So can we start a campaign to get Kelly in charge of CISA?
Wade
Here's the thing, John. I actually like Kelly, and I don't want to throw her under the bus.
John
So I think she would rock it. I think, you know. Yeah, yeah. We begin we be getting some infosec metrics out of organizations that we desperately need.
Wade
Yeah.
Kelly
Well, Corey, let me truly answer your question. You know, when we've got terms like this that we don't really know how to define or multiple people define it differently, I personally will default to how NIST defines something because we have so many frameworks and regulations based on what start somewhere. Yeah, that's where I would go. And I don't think they've defined advanced. Advanced. Persistent. Persistent.
John
APT squared.
Wade
APT squared. Yeah. I don't know. I think it's. Obviously terminology gets into a kind of pedantic discussion about what means this, what means that. But I do think, like, ransomware is so vast of a world and has such a different level of. It hits hard. Depending on the threat actor, it can hit almost as hard as an APT or even harder. So it's a kind of a.
Alex
Some of them. Some of them are APT. Right. Like, the other thing to think is ransomware of North Korea compared to ransomware operators with ransomware as a service, like different. Completely different games, right?
John
Yeah.
Wade
Yeah. I don't know. Anyway, I got.
John
I got one thing I want to hit real quick. You know, we were talking about the CEO getting shot, and there were some people that are like, oh, you're mourning this person. Do you not care about the thousands of people that they killed for denying claims? No, that's not what I meant. And I didn't want it to come across that way or insensitive to all those people. But here's what is my concern. Whenever you're dealing with political violence, if you live in a society that does not have the conversations around things like personal freedom. If you do not live in a society that has conversations around healthcare and what is good healthcare and what is happening with the society, universal healthcare, and have healthy conversations around those topics, eventually the conversation will elevate to the point of violence. And that is my concern. Because if you look at almost any society where the conversation devolves from having a conversation into actual violence, it never ends well and it should never be celebrated. And it doesn't mean that I'm like, oh no, you know, this life means more than those lives. It doesn't mean that at all. Just I'm terrified about what's to come. So please understand that, you know, whenever we're looking at here, I'm not trying to diminish the conversation of healthcare and how broken it is in this country. I just want to point out that it's really, really effing scary that we're at the point where the conversations that are going to be had on political discourse around this involve violence as part of the possible solution sets for these groups. And it's never going to be a good thing. So that's my take on it. I just wanted to clarify that because there were some people calling it out and they're like, oh, no, you don't care about the thousands of people. No, no, I care deeply about those people. But shooting down a CEO is not saving any of them. So that's. That's my main concern. So must be conversation to actual action.
Wade
Yeah.
Alex
Any final before we end the DMAs are this weekend.
Wade
Oh, yeah, we have. Yeah, we have our friends, Ryan and Rouse.
John
Is voting closed, I thought.
Alex
Yeah, I think it closed a while ago.
John
We can't get any votes for Jerry.
Wade
And no, we, we will have a couple. They invited us to the whatever awards dinner or whatever. So hopefully Ryan and Ralph will be there to congratulate Jerry on his win.
John
But I think Jason Blanchard is going to be there. He said he's going to be there in his finest BHIS T shirt. Oh, holy God damn. A CEO defending other CEOs. See, this is just like. That hurts, man.
Wade
I mean, he's not wrong, but I will say I do. Okay. He's not technically wrong, but I will say I do agree with. I mean, the whole, it's the whole eye for an eye makes a world blind, you know, kind of vibe, which is. I agree with. I mean, like, like you can't. You're right. He didn't bring anyone back. He didn't you know, that person didn't. Yeah.
John
And there's so many layers on this. Right. How many people were shot in the United States the exact same day that the CEO was shot? And were there as many resources dedicated to solving those crimes as the CEO being shot? That's.
Wade
I mean, I will say. I don't. Yeah. I mean, yeah, there's a lot. I mean, obviously this is a tough issue, but in general, I think we can all agree. I mean, it's the same thing with political violence against Donald Trump. It's like whether you. Whatever your political aisle is, we can all agree that, like, we probably shouldn't have politicians being assassinated just as a general rule. Right. That's like.
John
Because that leads to bad things. So.
Wade
Yeah. So, Yeah. I mean, anyway. But it is. It's a funny take, though. Yeah. Also, John, just so everyone knows, John doesn't see himself as the CEO of anything.
John
I'm.
Wade
That the label that you applied to John, it doesn't say CEO in his email signature.
John
So you could argue that I do that to protect myself from the eventual revolution, to keep me from getting shoved against.
Wade
Is that like asking the AI to please and thank you so that you don't get killed?
John
Yeah, it's like, no, no, no. I'm one of the cool ones against the wall. Oh, God.
Wade
Yeah.
John
I just hope we can avoid all of this. What is that quote from Red October? The stuff's going to be get out of hand and hopefully we all survive it on the other side.
Wade
Yep.
John
Just paraphrasing that back down.
Kelly
So, all right, so the takeaway from all of this is the Salt Typhoon using SMS. Tell your friends, your family, your loved ones about using Signal or your other.
Wade
Appropriate apps, iMessage, Facebook Messenger, WhatsApp. I mean, I can't believe I'm recommending WhatsApp. Or is WhatsApp and then what's. Actually, dude, you go over.
John
They don't even know, like the idea, like, literally their phones are just a Device for running WhatsApp.
Wade
Is it end to end? I feel like it is.
John
I thought it's supposed to.
Corey
It's supposed to.
John
Okay, so, yeah, wondering like, we're doing all of this. It's like everyone use Signal and the Chinese are just like, excellent, excellent.
Wade
Yeah. Well, okay, that's funny. I. I will say, like, this does get into. It's like you were mentioning the capitalizing on the fires. Right? Like, what we don't want is like, check out this new chat app that's super secure from Salt Typhoon.
John
Yeah, it's called.
Wade
It's just called, like, Stop Salt Typhoon with, like, a big X. And that's the chat app. No, something better than texting is what we need anyway.
John
I swear to God, this is like, just leaves me, like, this is another one of those episodes where I think that we should rename our podcast to be Emo Sac. Just nothing but negative bad news. We should dress in black, get black eyeliner, and I can.
Alex
There was no good stunt hacks.
John
There was no good stuff today. Like, it was just a bad one. All right, let's wrap it up. Bring out True John.
Kelly
There was. There was.
Wade
Kelly's going to be running the scissor. So that's a good news.
John
That would be fantastic news. Let's make that happen.
Kelly
The. Okay, Corey, what was it? The Consumer Finance Bureau.
Wade
Zero Financial Protection Bureau. Potential potentially throwing regulations on data brokers.
Kelly
Yes, there's a little bit of good news there.
Wade
Okay. We could also do a last little closeout that the Scattered Spider threat actor had bad OPSEC and got caught and now he's going to jail probably. I mean, that's a little bit of a feel good. All right, bye.
Podcast Summary: Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: 2024-12-09 - A Better Mike
Release Date: December 11, 2024
Host/Author: Black Hills Information Security
The episode begins with the usual playful banter among the hosts—John, Kelly, Corey, Ryan, Wade, and Alex—discussing minor technical issues with microphones and expressing frustrations with equipment and software updates. The hosts set a casual tone, preparing listeners for an in-depth discussion on pressing information security (infosec) topics.
The episode wraps up with reflections on recent news, including the shutdown of Stoli Vodka’s U.S. operations due to a ransomware attack and ongoing cyberattacks on the NHS. The hosts express a mix of frustration and cautious optimism, highlighting the ongoing challenges in the cybersecurity landscape. They emphasize the importance of moving beyond compliance, fostering accountability, and enhancing public awareness to mitigate the ever-evolving threats in information security.