0:01

All right, we're on the air. All right,

0:03

so let's stop talking about what we're just now. We're on

0:05

the water. We're on the water. We're

0:07

on the tubes. I

0:09

think the firmware update fix the camera. So

0:11

it actually kind of looks like it did.

0:14

Yeah. Yeah. Good job. Wow. And

0:16

update that actually worked well in

0:18

the fence. Oh, great.

0:24

Now I got to install Ralph's firmware. Oh,

0:27

I was like four major versions

0:30

behind. So I think it was

0:32

a definitely needed to be done.

0:34

Whoa, computer into your upgrade and

0:36

it didn't break anything in the

0:38

process. Although it was

0:41

a wonderful and actually fixed. Yeah. Well,

0:43

I'd already tried three different USB ports. I'm just going to

0:45

rock with the glitches. I kind of like them. I feel

0:47

like they're a feature. Yeah, they're feature.

0:50

Not a bug. No, I'm documented

0:52

features. That's an undocumented

0:54

feature, right? They're added bonuses. Yeah,

0:57

I mean, documentation is

0:59

overrated. I'm telling you, Corey, I'm going to get

1:01

a huge screen behind me so that I can

1:03

like put up other things, right? You know, you

1:05

have like little lights. I'm just going to get

1:07

a TV. I think if you're going to do

1:09

anything, you got to go green screen and then

1:12

let Ryan Ryan just set your background to whatever

1:14

he wants. Yeah, just get a little macro pad

1:16

that Ryan can control. Yeah, no, I'm going to

1:18

do like put other stuff into our better. Let's

1:20

have a so the discord can change it. Oh,

1:22

yeah, I get so like people can vote. No,

1:26

no, no, no, no. I'm not saying they can change it to

1:28

whatever image they want. I'm saying they can choose different

1:30

modes. They can go like Rolf's in

1:32

a gator swamp. We're off to the

1:34

data center. Yeah, yeah, yeah. Ralph's

1:37

running a marathon. Doesn't

1:39

go off the rails enough. Exactly.

1:42

Yeah, like we need more. All

1:44

right. Are we ready to take this thing off? Oh,

1:47

we were born ready. Let's do it. Last

1:49

night. All right. Hello

2:10

and welcome to another edition of Black Hills

2:12

Information Security talking about news. I'm your host,

2:14

John Strand. In this particular edition, we're going

2:16

to be talking about all kinds of very

2:18

weirdly named things. General

2:20

Electric is investigating a breach. We got a

2:23

phishing attack. It's now using AI. We've

2:25

got fidelity. Financial

2:28

mortgage network is compromised. This has got a

2:30

new exploit of privilege escalation on Linux. We

2:32

have tons and tons of things. But

2:35

today I am joined once again by

2:37

an illustrious cast of InfoSec professionals. Otherwise,

2:39

we have Ryan once again always making

2:41

us look good and sound good. Ryan,

2:44

how are you doing, sir? Doing

2:46

pretty good. All right. Good

2:48

to hear. We have Kelly is with

2:50

us today. Yay. Welcome back, Kelly.

2:52

We missed you. I missed everybody

2:54

else too, John. Good to see you as well. It

2:57

sounds like some people have work to do or something.

2:59

It's weird. We have Mike is

3:01

with us as very regularly. Mike, how are you

3:03

doing, sir? Doing well. I

3:06

hope you and your family had a good holiday

3:08

weekend. Did. It only

3:10

involved getting stuck in airports overnight twice.

3:12

I consider that a win. We

3:16

have Florida Man, by the way, Raul. Just

3:19

so you know, we have a story today that's

3:21

not a Florida Man. It's a Georgia Man story.

3:25

That's literally a disappointment. Honestly, we could

3:27

try harder. We can't. You

3:29

can. Florida's got to raise their

3:31

game. Speaking of the game, Batman will is with

3:33

us, sir. How's the watch working out for you?

3:35

Oh, it's it's definitely gave me a lot to

3:38

talk with about the doctor today when I went.

3:40

It does. It does. Welcome to the

3:42

club. And I'm sorry. I'm sorry. Watch

3:44

is give you shit. But if you don't work out, you're like, you need to

3:46

go do something. You know what? I need it though. I

3:49

had it. So awesome. Oh,

3:52

somebody just said it's hard to recognize

3:54

Raul from this angle. Yeah, I fully

3:56

agree. I

4:00

I felt the exact same way then I

4:02

thought I said this same thing. Yeah,

4:04

I'm in anti streamer mode There

4:07

you go. And then speaking of angles and

4:09

cute puppies in the background Bronwyn is with

4:11

us Hey Bronwyn see the puppies there say

4:14

hi to the puppy for us Absolutely,

4:17

he's my little man Louis

4:20

and then we have what is

4:22

it the coffee that coffee guy

4:24

Cory is with us as usual

4:27

All right, everybody. I'm just gonna grab a story

4:29

at random. Is that okay? Oh, here we

4:31

go That's the whole show.

4:33

Yeah Oh,

4:38

by the way folks I have to balance a little early so if

4:40

I leave Cory

4:42

approved Approved

4:46

hey, that's my job. I

4:48

saw your line. I saw I stole his line Okay,

4:51

approve. It's one of those words I

4:54

can spell correctly So

4:56

general electric is investigating a claim of

4:58

a cyber attack and data Yeah, this

5:01

in and of itself we had someone that said

5:03

who this general electric reach that could be bad

5:06

It could be but my

5:08

favorite thing about this particular

5:10

story is the threat actor

5:13

Intel broker attempted to sell

5:15

access to general electrics development

5:17

and software pipelines for $500

5:21

on a hacking form and

5:23

it didn't sell Well,

5:26

I do like how their profile just their

5:28

their sub line is just the racist. That's

5:31

yet It's

5:35

like you've got to kind of feel bad for

5:37

general electric a little bit like you can see

5:39

the CEO or stuffs for sale online How

5:41

much are they how much are they charging for it? 500

5:44

500 million dollars those bastards I

5:51

Don't know Yes, yes Sir,

5:54

it's lower. It's all lower

5:57

or what 500 Yeah,

6:00

that's it. Not any higher

6:02

than that. No

6:04

one bought it? Yeah. It

6:06

was not on sale yet. It was on sale. Yeah. It

6:09

was on sale. Yeah. It's

6:12

someone who spends a lot of time on

6:14

these kinds of websites. No one ever believes

6:16

that anything is real ever. So

6:19

like actually getting... I will

6:21

also say a lot of the times they

6:23

will advertise like a single sale and I

6:25

think those get more... Usually

6:28

from my perspective, it's kind of a standoff where

6:30

it's like the first person that buys it is

6:32

then going to publish it or try to resell

6:34

it. So like once one person buys it and

6:36

distributes it, it's free for me after that. But

6:39

the one tactic I've seen that works is

6:41

if they advertise it as, this is a

6:44

one-time sale. I'm never going to disclose

6:46

this ever again. Then typically

6:48

companies like Mandiant or other entities

6:50

will maybe step in. I mean, who knows, right?

6:52

I don't know. It's not like I work for Mandiant.

6:55

My thought is we talk about

6:57

development pipelines, we talk about breaches. I always

6:59

think of token theft. That's where my brain

7:01

goes. We've seen it multiple times. Someone's

7:04

development keys for GitHub or keys for

7:06

GitLab or something are compromised and then

7:09

someone just pulls down the entire repo.

7:11

That's what happened to Twitch a few

7:13

years ago, I think. Yeah. That's

7:16

right. But still, I mean... I think

7:18

it's just a cyber Monday deal because

7:20

my end of the summer cyber Monday

7:22

deals, that's what the attackers were doing.

7:26

Honestly, if it's like the way that you can get

7:28

your GE washer and dryer to not just die after

7:30

three years, I definitely could seek... That would be worth

7:32

$500. I would buy it for that.

7:34

I would buy it for that. For

7:38

me, if I was on these forums, it would

7:40

be like buying domains. For

7:42

a lot of us, we have an addiction

7:44

of buying random domains. Someone's like,

7:46

"$500 for access to... Yeah, I'll

7:48

pay that." It's

7:51

worth a shot. But don't taze me, Doc Bro.

7:54

You kind of get the Doc Bro's, man. They're

7:56

really good. Yeah. General

7:58

Electric next week. hiring entry

8:00

level cybersecurity analyst eight years plus

8:02

experience with AI leverage sim 25

8:05

years experience with offer suite. 10

8:07

plus years with no. Nice.

8:13

Nice. Oh my god. It

8:16

hurts so bad because it's

8:18

true. Yeah.

8:22

So I mean, overall, like the

8:24

data that they teased was like,

8:26

they just say DARPA related military

8:28

information, files, SQL files, documents, etc.

8:31

That's all I had to know, etc. I was in. Yeah,

8:34

right. That's $500 straight up. Once

8:37

again, I can still see the CEO

8:39

and CFO being like, no one, no

8:42

one wanted to buy that at all. Like,

8:45

okay, I guess we're sad, you

8:47

know, I'm gonna go home and I'm gonna

8:49

wax my my Porsche for a little while.

8:52

Still,Bel fishes already rolled back. Freedom

8:57

check. Phantomile all over

8:59

the world. I'm scared rip. Here

9:04

we got transphobic Lund here.

9:06

Ian. You already at APT. Ian

9:09

Within Atrain, he's

9:11

a wellRecordedwhatever. I

9:15

can say is from determine. Ian

9:19

here. Now batting

9:21

me. It's not me. It's

9:23

not totally happened when he is

9:25

my defects. What? No,

9:27

no, no. Let's see if

9:30

it was Grayson. Grayson.

9:34

Oh, wait. Really? It's

9:36

where the echoes come back on.

9:39

No, it's it. We're

9:42

waiting. I'm sorry, Ian. It's easy.

9:44

It's okay. One, two, three. Not it. Not

9:47

it. I think it's fixed it. What

9:50

does your echo mean? If you're

9:53

wondering how to cause a denial of service on a podcast,

9:55

that's how you do it. Either

9:57

that or you just start dropping pictures of tits. And

10:00

then that's okay. Let's get let's get

10:02

the show off on track off track

10:04

So this let's talk about looney tunables.

10:06

I mean I feel like we have

10:09

to Thing

10:11

in G lib see I get all excited

10:14

Tunables, it's such a good name. I feel like

10:16

ten out of ten for the name. Who's got

10:18

me. I don't know who named it But 100%

10:22

absolutely fantastic. That should be trademarked. So it's a

10:24

flawless. Are you still want to keep that ten

10:26

out of ten Raider? I

10:28

think we got a drop down Speaking

10:32

of speaking of vendors come to our

10:34

snake oil summit Qualace

10:38

yes, they coil summit if you want to know vendors

10:40

and snake oil We'll talk more about it a little

10:42

bit later. But so the

10:44

tunables glib C library is

10:47

designed So you can link

10:49

and then you can adjust Malak

10:51

memory allocation and

10:53

CPU timing so you can actually tune

10:55

the performance of your app

10:57

as it relates to the CPU And

11:00

I've heard it's been deprecated. I don't know if it's

11:02

been deprecated or not. Let me check that I've

11:05

heard that there's been a lot of newer ones that

11:07

are out there It

11:11

says finally set of tunables Maybe may vary

11:13

between distributions tunables feature a lot of solutions

11:15

rather own for some reason I thought that

11:17

they were working on deprecating this particular one

11:19

for something more efficient but

11:22

but seriously when you look at what this

11:24

has access to Inside the

11:26

kernel like if you list out

11:28

tunables it has access to at

11:31

Malak, which is memory allocation CPU

11:33

shared cache sizing PT threads or

11:36

p threads CP prefer map Menting

11:39

it's like literally a who's who's

11:41

and what's what a very very

11:43

sensitive CPU functions John

11:45

that's really escalation here who would

11:47

have thought John that's

11:50

really technical the scary words that you need

11:52

to know from this one is in

11:54

their default configurations. Oh,

11:57

that is the scary phrase. Yeah, that is

12:00

The scary phrase of this one, because it

12:02

sounds like, oh, tunables never heard of it.

12:04

I'm not Richard Solomon. I don't know how tunables

12:06

work, but it doesn't matter because it's exploitable in

12:08

the default configuration. That's the scary part. Wait

12:11

a second. Nothing's ever, ever

12:14

bad in the default configuration. Ever

12:17

what? We're supposed to change configurations?

12:19

Nobody's ever done anything with that. I'm

12:21

going to push back, Mike. I'm going to

12:23

push back because this is a library on

12:26

your Linux system. This isn't like an app

12:28

that you tune. These

12:31

are shared object libraries, glibc.

12:34

You would not tune this. This is not

12:37

a default configuration. You're like, well, you're a

12:39

moron. What do you mean you didn't modify

12:41

your glibc, tunables, environmental

12:44

variables? No. No

12:46

one ever in the history, except for Bill Stearns.

12:48

Bill Stearns. Yeah, it's filmmakers

12:50

with everything. It's gripped to tune. What

12:54

I thought was funny about this attack,

12:56

too, is it's just an environment variable

12:58

that you modify to do the injection

13:00

and then you run the sedu, the

13:02

set privileges. That's it. Yeah.

13:05

Yep. Yeah. Like,

13:07

that's wild. You just run the

13:10

SUID permissions. Dude, this

13:13

is trivial to exploit.

13:16

I personally come from the place

13:18

of like, a lot of the times what

13:20

we see nowadays are vulnerabilities by misconfiguration. Those

13:22

are like, I think, if you're

13:24

in a patch, like, mature company, that's the most

13:27

common vulnerabilities are like, wait, we

13:29

shouldn't just have everyone able to add

13:31

a new guest user to Azure or

13:33

have everyone the ability to create a

13:35

new user or something with every category.

13:38

We're going to make the exact same mistakes in cloud

13:40

computing that we made all the way up. By

13:43

the way, Ben from KC just

13:45

nailed it with a comment that

13:48

said all those people that are running Gen 2 are

13:50

like, good point, Ben. Good

13:55

point. But I think the

13:57

goal is to stay in persistence within the Kubernetes

13:59

environment. or what do you think they're

14:01

really trying to get after here? I don't think it

14:03

matters. Well, it's the same old. It's

14:06

the same old. They sell a web

14:08

shell and they sell it for $500. Yeah,

14:10

I mean, the basic kind of web shell now

14:13

is a root web shell. And

14:15

it's over. We'll talk about the Mirai botnet

14:17

and DOS. We got a different vulnerability

14:19

zero day that

14:21

came from Akamai. But in

14:23

this particular one, it's just a local published

14:25

escalation. And I think that there's proof of

14:27

concept code out for it already. I

14:30

think. Oh, yeah, no, it's hot and

14:32

spicy ready for. Yeah, it's ready to go. And

14:35

I think it's just an environmental variable. So

14:37

it's not like, like, I'm trying

14:39

to find the C code to exploit this. Yeah,

14:41

it's not. It's not. G

14:43

libc tunables. So like, this is

14:45

the environment variable. G libc underscore tunables.

14:48

That's the environment variable. You modify

14:50

that. And you can,

14:52

when you launch a binary and

14:54

you can execute code. So I

14:56

mean, the current malware they mentioned

14:58

in the post is specifically targeting

15:00

the PHP testing framework, PHP unit,

15:02

but there could theoretically be exploits

15:04

in a whole variety of other

15:06

units or other Linux things.

15:09

So big, bad fix. There's also

15:12

a BOD 2201, which

15:15

everyone knows what that means, obviously. I

15:17

had three of those for dinner. No. So

15:20

let's pretend some of us don't know what that

15:22

is. I got a couple on the Instapod. If

15:25

you don't know what that is, that you don't need to

15:27

worry. You're already patched. Basically,

15:31

the BOD is like, I mean, this is

15:33

a SZA thing. So I don't really know,

15:35

but that's a binding, binding

15:37

directive, basically, meaning like you have to fix it

15:40

by the state or else you're, you

15:42

know, you're in double secret probation. Yeah.

15:47

The government, internal government auditors are going to

15:49

come after you. Nothing is very,

15:51

like dying for anyone. Or is it just me?

15:54

Reach Stream's rocking for me. I feel, I'm feeling

15:56

good. I'm getting a lot of static, but you

15:59

know. If it works on me, it must be my

16:01

fault then. Ryan, as the

16:03

driver of this plane, are you flying

16:05

into a cliff or does everything look

16:07

good from your side? No, you're the

16:10

pilot, dude. If

16:12

we have a driver for the plane, we're

16:14

already in a real problem. On

16:18

my screen, the entire interface has been completely

16:20

frozen for like 10 minutes. We don't even

16:23

do titles, right? Oh, man. Let's

16:26

keep rolling. This next one, I don't

16:29

know if this is funny, if this is tragic, if

16:31

this is scary, or if this is stupid. There's a

16:33

lot going on in this SE Media, SE Magazine

16:35

article. It said, fishing

16:38

attacks spike attributed to

16:40

generative AI adoption. And

16:42

it starts with this sentence that is

16:44

just like, seems a bit off. But

16:47

SiliconANGLE reports that fishing attacks have

16:49

increased by 1,265 percent between

16:54

the fourth quarter of 2022 and the third quarter

16:56

of 2023. While

16:59

credential fishing has risen by 967 percent, those

17:01

are huge numbers, right? I

17:08

don't know how they're coming

17:10

to that. But at any rate, the

17:13

reason why they say that they're blowing

17:15

up so much is because generative AI

17:17

is going to be so

17:19

powerful at creating convincing profile

17:21

pictures in packable text, not

17:23

inventing the ability to code

17:25

malware. The threat landscape

17:27

is shifting incredibly fast now, as opposed to

17:29

last year or the year before that, with

17:32

the introduction of AI to the name of the game. But

17:35

the good news is that AI can also

17:37

be used to defend against sophisticated attackers. This

17:39

sounds just stupid. But

17:42

at any rate, yes. I think we

17:44

found that this media outlet is just

17:46

AI generated. Yes, it's all on the

17:48

phone. I was just saying, as the

17:50

staff, do we get like bot bot

17:52

2000? Like, I'm not getting that to

17:54

you, but it was so painful I

17:56

had to share. I love that you

17:58

were reading it. like, I

18:01

don't like this.

18:04

This whole article just screams scare tactic

18:07

to me. Also, there's no

18:09

there's no, like by name, it

18:11

just says SC staff, aka the

18:14

AI API key. Right. Even even

18:16

somebody is fairly new to this

18:18

industry and things. Those numbers seem

18:20

outrageous to me, that it

18:23

can increase that much in a year. Well,

18:25

I mean, we should all have gotten at least

18:27

three phishing emails today. Absolutely.

18:31

And I'm only at one. So let's

18:33

talk about the AI thing. Hold

18:38

on. I got you. Just left

18:42

out. So let's

18:44

go through this. We read this article

18:46

says Silicon angle reports that phishing attacks

18:48

have increased by 1265. And Silicon angle

18:51

is not a company.

18:53

It's another website. That

18:56

is a news website. And

18:58

new report released by phishing protection

19:00

companies slash next incorporated. So

19:03

it's literally referencing like

19:05

another article from another

19:07

like internet. I

19:09

slash next. What does anyone know?

19:12

They're forwarding. Next

19:15

is a complete generative AI

19:17

security for email, mobile and

19:19

browser. So basically, okay,

19:21

John, I figured it out. I know why

19:24

the numbers went up because this company didn't

19:26

exist. Dare

19:31

everybody from their competition. So they can

19:33

hurry up and grab it. They

19:35

got reference to dark web stuff in here,

19:37

too. I've definitely made phishing

19:40

sites that look just like this. If you

19:42

go to business GPT net, which is one

19:44

of our phishing sites, it's basically the same.

19:47

They have a

19:49

console. Hey, that looks like

19:52

my watch on display. Oh my god. Really? You're

19:54

getting 30,000 fishes

19:56

on your watch. You really should replace them

19:58

with Different words and

20:00

that's like totally what like the phone

20:03

John the Garmin phone app doesn't it?

20:06

Yes But

20:08

they have no it's okay guys they're trusted by

20:10

their customers it says they're trusted so excited Like

20:16

this is so weird like this whole artist

20:18

go to slash WP dash login login with

20:20

admin admin we all know how it goes

20:24

Anyway, I like Proxmox. Hello. My name

20:26

is Ship

20:31

no, I am NOT an AI So

20:34

I just thought as you were

20:36

clicking through the article at some point We were

20:38

just gonna dig deep enough until we found a

20:40

Furby that had been hooked up to Twitter It's

20:49

like a Furby skeleton now right sad to

20:51

say that cuz those things are back I'm

20:54

more powerful than other. Yes, they've

20:56

come back. Yeah, I

20:58

scared It's like it's like Stephen King's

21:00

pet cemetery, but for like electronic pets

21:02

I keep I guarantee you we're gonna

21:04

read an article on here one week

21:07

Oh, probably because when they first came

21:09

out It was a huge thing in

21:11

the government because people kept bringing them

21:13

into their offices like idiots I

21:15

gotta see how much they cost you know, how much is

21:17

a Furbie? They're like under a hundred bucks or something like

21:19

that What a Furby is Oh Wow

21:23

for you for those of you who didn't get

21:25

to experience these fun level It's

21:35

a mixture of a gremlin and My

21:38

boy and and a Teddy Ruxpin

21:40

like and when one of those creepy

21:43

things like those Disney Display people don't

21:45

remember Furby and then reference Teddy Ruxpin

21:50

I went the wrong way

21:52

there You

21:55

fell straight into I draft you In

22:00

this defense Teddy Ruxpin did make a comeback

22:02

a few years ago, so people might understand

22:09

that reference. I'm going to smash it on

22:11

this a bit. There's

22:17

one thing that if anyone leaves here and they

22:19

do like the critical analysis of this article and

22:21

you say, when should I look at this and

22:23

say, this is made of

22:25

snake oil and fake unicorn tears and whatnot. It feels

22:27

like snake oil. It feels like snake oil. It does.

22:30

It's the 1000. Isn't that what we tell people when they're

22:32

looking at fishing? That

22:34

is not a quantifiable number. There's

22:37

no anything to give you any sort of

22:40

reason to believe that they've any sort of

22:42

metric to base it off of. And even

22:44

more than that, I actually

22:46

don't care if there's been a 40 bajillion

22:48

the 11 d4%

22:51

increase in fishing attacks, because that's

22:53

what it says, right? Increase in

22:56

fishing attacks. What is successful? Tell

22:59

me that tell me that generative AI

23:02

is making the fishing attack more successful

23:04

in reaching actions on objective. And now

23:06

I'm concerned. And also I got a

23:08

question. Now there's some firms that I

23:10

trust their data, right? Like Verizon comes

23:12

out with the data breach report. I'm

23:15

going to read it. They've been

23:17

like semi trustworthy actors in the field

23:19

for a long, long, long time. Mandiant

23:22

comes out with a report. I'm probably going to

23:24

trust it. But like

23:26

there's a bunch of different companies, right, that

23:28

have been around. They come out with these

23:31

reports and they seem pretty legit.

23:35

Setting aside some of those large vendors that have been

23:37

around for a really, really, really long time. If

23:39

you're a new vendor and your

23:41

whole thing is selling AI to

23:43

protect email, and you're talking

23:46

about generative AI is creating this huge

23:48

spike and all of this. And

23:51

none of us on this

23:53

show have heard of your

23:55

company. Like immediately legit security

23:57

professionals are probably not going to listen to you. Especially

24:01

because I was plugging around on this website, I

24:03

can't see where their data is coming from. Like

24:05

they're not sharing the raw data at all. It's

24:07

just like Ian said, they're just coming up with

24:10

numbers and throwing it at a wall. So,

24:12

I don't want to throw any previous employers into

24:14

the bus here, but having been involved as the

24:17

source data for articles

24:19

like this before, usually it's one marketing person

24:21

has a really good idea and they talk

24:23

to one person and then someone crunches the

24:25

numbers and then that's the report. Yeah,

24:27

yeah. I

24:30

mean, supposedly this company does their own

24:32

email filtering and security, so that's how

24:34

they basically are sourcing the data. So

24:36

it's like, yeah, but I

24:38

don't know. All right, let's get to

24:40

something that is kind of like true and real and

24:42

scares the living hell out of me. The

24:45

Fidelity National Financial being shut down

24:47

in wake of a cybersecurity incident.

24:51

So Fidelity National is a Fortune

24:54

500 company that provides title

24:56

insurance and settlement services for mortgage

24:58

and real estate industries and they

25:00

are currently shut down. And

25:03

if you're thinking that Fidelity, it's the other

25:05

Fidelity. It's the other Fidelity,

25:07

Fortune 500 company. But

25:10

it seems

25:13

bad. Like based on

25:15

our investigation to date, FNF has determined

25:17

that an unauthorized third party access certain

25:19

FNF systems and acquired certain credentials, the

25:22

investigation remains ongoing. I

25:24

think one of the biggest things that's

25:26

terrifying about this is there's two

25:29

things, right? One, and one

25:31

leads to the other. One we're getting limited information,

25:33

but two, the information we are getting out of

25:35

this leads me to believe that they have no

25:37

freaking clue how bad it is. And

25:40

that's probably the most terrifying

25:42

thing. Allow me to

25:45

attribute this using my next generation AI

25:47

technology. Go for it. I

25:49

bet you this was Scattered Spider. I

25:53

will almost confirm that for you, at least

25:55

at this point. The register went ahead

25:57

and reported last week about this and they said that it

25:59

was blocked. which is supposed to

26:01

be scattered under protectors. And

26:04

it looks like, according to

26:06

a scan from GOCI, it

26:08

looks like this might be another case

26:10

of Citrix bleed. Oh, yep.

26:13

Oh, again. Citrix bleed plus

26:15

post-ex plus maybe some SE. I

26:17

could see it. Well, I'll

26:19

be honest with you. I watch the financial stuff

26:21

because of where I work and

26:24

there have been more and more

26:26

since Citrix bleed hit, there

26:28

have been more and more of these

26:30

ransomware attacks against financial companies that

26:33

a lot of people might not have heard of,

26:35

but are big on the back end. So

26:38

it doesn't surprise me at this point.

26:41

Yeah, we got paranoid and checked all of our CPT

26:43

customers for Citrix bleed because I was like, I didn't

26:45

think this is going to be a thing. And then

26:47

it was still being a thing. And I was like,

26:49

OK, we should probably double check. Everyone was patched, luckily.

26:51

But yeah, it was scary. What's the

26:53

CPT? What's that? Oh,

26:56

sorry, continuous penetration testing. Yeah, it's

26:58

very, very, very tough. Customers. It's

27:00

our customers that hate themselves the

27:02

most and want to bring as

27:04

much pain as possible on their

27:06

security teams by having us continuously

27:08

hack them for just forever. Remind

27:12

me to keep you out of marketing,

27:15

Corey. No, no, no. There's

27:18

nothing for me. If

27:20

you're a glutton for a punishment, and you're on

27:23

a main screen today, that's all right. Listen,

27:25

if you want marketing attacks are

27:27

up 1,263% source. I

27:31

Google this. Look

27:33

at Corey right now. Corey's hair is all over

27:36

the place. He just did that amazing marketing pitch.

27:38

And he's wearing a Windows 3.1 for

27:40

work groups t-shirt. Thanks. Actually,

27:42

it's Vaporwave95. Vaporwave95.

27:48

Also, let's talk about F&S stock. Now, this

27:50

is the other thing I wanted to ask

27:52

all of you. Their stock is

27:54

only down 0.4% or, wait, no, 0.47%. Like

28:01

how, like, is there any relation

28:03

between stock and hack? Like,

28:06

and this is one of those things, Ian, I'm going

28:08

to call you into this. And I'd

28:10

like to get Kelly in as well. Like

28:12

seriously, y'all, we've been talking about this

28:14

for years. Like that you're always

28:16

like, well, how are we going to get the board of

28:18

directors to take this seriously and take security seriously and take

28:20

the CDash shows, make it take, it didn't

28:23

in fact, that's their stock price. They

28:25

don't care, right? So fidelity

28:28

next week. Yeah. Yeah.

28:33

You're his hand, leverage, 25 yards, 30 yards. And

28:37

starting out. I don't know

28:39

who you are, gooshed, but you need to come

28:41

on the show now. Yeah. Because you're hilarious. All

28:46

right. So like, I really want to open up to Ian

28:48

and Kelly on this because they're the two people that I

28:50

talked to the most about this whenever I get down and

28:52

sad and troubled and I need a helping hand. All right.

28:54

Take it away, Ian. What do you think? Oh, yeah. So,

28:57

I mean, I opened up the 8K over here.

28:59

So somebody in the comments, I'm not logged

29:01

in where I can pull up the comments, but something in the comments

29:03

put up, did they file with the SEC? I think it was Brian.

29:05

They did. It is in the

29:08

SEC. It did show up and

29:10

the entire SEC report is like

29:12

three sentences. That's it. Yeah.

29:15

And the boilerplate stuff, which

29:17

we stuff up top. Yep.

29:19

Right. So part of the reason why

29:21

one, to answer your question simply, no,

29:24

it doesn't matter anymore. After the after

29:26

target and Equifax, basically

29:28

their board saw that their stock

29:30

price would rebound in a year.

29:32

That just became part of the

29:35

playbook. They say, okay, if we

29:37

ride this out for a year and we

29:39

solve the problem, it's fine. They treat it

29:41

like nothing more than we had a bad

29:43

sales year. How would we, how would we

29:45

address this? So it's actually in

29:48

my mind that argument has actually caused

29:50

more problems. It seemed perfectly logical, right?

29:52

You're going to see a hit on

29:54

dividends, which are the money that's paid to

29:56

you as a stock owner if they pay

29:58

dividends, extra money there. And then it's going

30:00

to take a hit on the stock price, which we just haven't

30:03

seen happen. If to use

30:05

the terms the kids use, if you're

30:07

diamond hands on the stock. Diamond.

30:09

Right. The

30:12

real issue that I think is also

30:15

the reason why this doesn't impact this

30:17

is the industry that they're in. This

30:19

is a highly, highly, highly

30:22

regulated industry. No investors losing

30:24

their money after

30:26

this. They're not losing their investments.

30:28

They're not losing any of that.

30:30

All of that will not matter.

30:32

Now, fidelity, how they come out the

30:34

other side, how much money they have to spend,

30:37

maybe that's it. But that's the

30:39

reason it's not hurting the stock is the

30:41

actual core assets, barring them doing something

30:43

absolutely bananas, which could then be reversed

30:45

in a highly regulated industry. I

30:47

just don't see why it would impact them. And

30:50

Michael Allen on this court just said, oh, I

30:52

get that. But I think investors are also becoming

30:54

numb to it. Right? Oh yeah. You've

31:27

got buyers and sellers of real estate.

31:29

You have real estate attorneys who could

31:31

be one, two, three person real

31:34

estate firms. You have title

31:36

insurance. The real estate

31:38

industry is not regulated. Now, the

31:40

National Association of Realtors does have

31:43

a data and privacy toolkit,

31:45

but they really aren't that regulated.

31:47

And we've seen these types of

31:50

attacks against the title

31:52

companies, the insurance companies, the attorneys,

31:54

even the buyers and sellers has

31:56

been happening for years. And

31:58

quite frankly, I've seen. a lot

32:00

of buyers and sellers, especially here in

32:02

Florida, lose money because of phishing

32:05

attempts, of bad URLs.

32:09

Some of the clients that we've had, we've

32:12

actually said, listen, you've got to go to

32:14

out-of-band communication. You've got to come up with

32:16

your own procedure to say, this is actually

32:18

from the buyer, here's the transfer of money,

32:21

here's the special code, the one-time code, and

32:23

I'm only going to tell you it over

32:25

the phone at a particular time. I

32:28

don't think it's as regulated as

32:30

we all think it is. Honestly, I

32:32

think these small, medium-sized businesses really need

32:34

more help because they aren't as regulated

32:36

as we think they are. Well,

32:38

in going back to the SEC filings,

32:40

they did pretty much all. I

32:44

hate to say that their filing they put out

32:47

is like, oh, they're going to be fine as

32:49

far as the SEC is concerned because it's very

32:51

sparse. But they're still in the middle

32:53

of working in the incident. I guess I give them a little bit of a

32:55

pass. Now, was there a

32:57

press release for this or was it just their SEC

32:59

filing? Were they notified? I don't think you get to

33:01

the email to do the press release. They're going to

33:03

their website right now. I did. Yeah.

33:05

No, this is how- Little error. Yeah, I

33:07

know. This is how ransomware works. My hot

33:09

take on this is that day one,

33:11

it's not going to impact. Here's my

33:14

theory. The stock market knows

33:16

about ransomware and it just depends

33:18

on how fast they recover. If

33:20

they can recover in 48 hours,

33:22

you get a free pass. If they're down

33:24

for a week, a month, like

33:26

Kelly said, these transactions, these real estate transactions, there

33:28

are two people sitting in a room saying, we're

33:30

trying to send you money and you're trying to

33:33

get the money. And if they can't use this

33:35

company, they'll use another company or figure out another

33:37

way. I think when they start losing, if

33:39

they're down for a while and they start losing revenue

33:41

and competence, this could be actually really

33:43

bad. That's my prediction is like, they don't

33:46

care- If they can place else, then those

33:48

firms just continue using that stuff. Exactly. Yes.

33:51

It's not like it's going to impact their

33:53

stock price from the investment perspective on day

33:55

one. But when this industry realizes they have

33:57

lots of alternatives, they have lots of other

33:59

options, like Kelly said, it's not as regulated

34:01

as we might think, then they're just

34:03

going to be like, okay, well, we'll just use a

34:05

different company. And, you know, now this is the,

34:07

the inertia is here. And we're just going to stick

34:10

with this. I mean, I don't know. That's total

34:12

speculation. We're not financial advice. Oh,

34:16

the announcement did come through the

34:18

AK filing. They have not really

34:20

given any word from the company.

34:22

Yeah, because they can't email each

34:24

other like legitimately. Like I'm

34:26

not joking. Like they, they, there is no,

34:28

they're off the map. Like genuinely

34:30

these customers probably have no door or these,

34:33

you know, entities, no domain controller, no,

34:35

like no email, no exchange server, not

34:37

like none of that. Their VMware is

34:39

probably completely locked out. So the question

34:41

is, is how much more are they

34:43

going to wind up making because people

34:45

are delinquent in their mortgage payments? Looking

34:48

at some of the articles, people, people have

34:50

been going ahead and trying to

34:52

make payments and they can't get it all down.

34:58

Yeah, maybe it's Mr. Robot. Yeah. I

35:00

would kind of have to agree with

35:02

Corey a little bit too. Oh, oh, well,

35:05

go ahead. Yep.

35:07

I was just going to say, I would agree with Corey

35:09

that businesses like this and the way people are, we're, we're

35:12

creatures of habit. So once we, we

35:14

do something, we find out it doesn't work and then we

35:16

move on to the next thing. We're not generally

35:18

just going to go, Oh, let me check back on this old

35:20

one. Yeah. So I think that

35:23

even though, yeah, their stock price is unaffected

35:25

right now, if they don't recover

35:27

quickly, it will be very quickly. Yeah.

35:29

And I want to go back to some of the other side real

35:31

quick. Radice just brought up a great point.

35:33

When Mr. Cooper got locked out, they

35:36

gave a wave on penalties. Is Mr.

35:38

Cooper back? Are they back and

35:40

running? Or are they still, is

35:42

that like Ask Jeeves? What's

35:44

Mr. Cooper? Mr. Cooper

35:46

is a mortgage company. So they are very, very, very large

35:48

one. And I don't know

35:53

if they're back up and running. Said

35:57

customer data was compromised. Oh my gosh, we

35:59

talked about this I think. No, we

36:01

didn't. There are other things that are important.

36:04

Yeah, they're hit. I think

36:06

legally, if they still charge people the

36:08

interest, they could get in trouble because

36:10

people had no way to pay. So

36:12

like the interest is not on the

36:14

customer's fault. Yeah. So but that's

36:16

a good point. I don't know if Cooper be hanging

36:18

with Mr. Cooper. I don't know if

36:20

they're up and running yet, but they had to go through and you

36:22

had to call in and they had

36:24

to get all kinds of weird ways to

36:27

process payments, which is strange. I want to

36:29

go back to what Kelly said real quick.

36:31

She said, I'm going to disagree with you.

36:33

I actually don't think we disagree in principle.

36:35

I agree 100%. That's not a word. That's

36:37

a word. That's title insurance. Seriously, hear me

36:39

out. I agree

36:41

that the title insurance agency is weird. More

36:44

what I was saying is that the

36:47

assets themselves, the titles being transferred, those

36:50

are highly regulated. At

36:52

least in my experience, it's been very difficult,

36:54

about a million papers to transfer a

36:57

real estate title in a

37:00

mobile notary that has to come and do that. And

37:02

then they scan or they do it digitally and all

37:04

that stuff. So what more I was

37:07

going with asset loss is it's not like, and

37:09

someone can correct me if I'm wrong, this service being

37:11

down and suddenly a bunch of people are like, oh

37:14

crap, I don't own a bunch of commercial properties and

37:16

I have no idea how to get them back. I

37:19

don't think that's going to happen, but I'd

37:21

be. I

37:24

think it depends upon whether you're talking

37:27

commercial or you're talking

37:29

individual. A couple of years

37:31

ago when my mom passed away, I wound up

37:33

taking control over some

37:35

real estate and it took me $200 in

37:37

one day to go ahead and get that

37:39

title changed into my name. Yeah,

37:42

but you were the next of Ken. Yeah. Barbie?

37:45

Barbie? Let's just agree

37:47

it's bad. It

37:52

is bad. Yeah. I

37:56

don't think I don't like let's move on because I

37:58

have to leave and I really want to to

38:00

this. When I mentioned it earlier,

38:02

Florida man is slipping. Oh

38:04

no. Why is because Georgia man

38:09

was arranged today on charges, the

38:11

cyber attack that they conducted against

38:13

the medical center in 2018. According

38:15

to this incident,

38:18

Vika Singala, 45, Marietta,

38:20

a chief operating officer of

38:23

a Metro Atlanta network security

38:25

company that served healthcare industry,

38:27

allegedly conducted a cyber attack

38:29

against the medical center, disrupting

38:31

their phone service, obtaining information

38:34

from a digitizing device, disrupting the

38:36

network printing server. And they

38:38

did all of them as

38:41

their marketing plan to try to

38:43

get that hospital to work with

38:45

them. Are you serious?

38:47

You act on first so they're scared.

38:49

Okay. I'm calling it right now. We

38:51

jumped the shark. My security jumped the

38:54

shark. Someone went to a CSO conference

38:56

and was like, yeah, what

39:00

you got to do is hack into the company. And

39:02

then it's like, it works. It's like the mob. What?

39:07

You're real shaking if something happened to

39:09

that perimeter firewall. We can't help you

39:11

protect it. I'm going to bring

39:14

Kelly in on this because Kelly,

39:16

you were at SAMS conferences for

39:18

a long time with me. We

39:20

go way, way, way, way back.

39:23

This exact thing was like a lot of

39:25

people that were in the industry, they talked

39:27

about doing this. Like, wouldn't it be illegal

39:30

if I actually hacked the company and then

39:32

told them that they were vulnerable? I think

39:34

that's gray hat hacking. I'm going through finding

39:36

vulnerabilities, and then I'm showing them the vulnerabilities,

39:39

and then I can help them fix it.

39:41

And it's like, no, that's breaking the law.

39:43

That's illegal. Yes.

39:45

Are you sure? Like I would have been

39:48

in Florida. People even in Florida. Oh

39:54

my God, it gets worse, guys.

39:56

The agent in charge is named

39:58

Chris Hacker of the FBI Atlanta

40:01

field office. Yes. Yes. So

40:03

his name actually comes up

40:05

a lot because he has

40:07

very little office, a huge

40:09

field office. He does the

40:11

FBI equivalent of FBI staff

40:14

agents. It's like, yeah, yeah.

40:16

Yeah. Wow. He

40:18

was a detective. How many

40:21

times has he asked for a transfer? Oh,

40:24

how popular is the last name hacker? Actually,

40:27

but John, your point though, there was a

40:29

whole bunch of people with responsible disclosure that

40:31

were trying to do responsible disclosure proper. And

40:33

then there was a whole bunch of people

40:35

that were doing it improper. Right. And so

40:37

like, what's that balance? And I don't know

40:39

that even it is today. Great point,

40:41

by the way. We

40:45

talked about this a number of times on the show, but bring it

40:47

up here. If you're going

40:49

through and you're doing good faith security research,

40:51

if you just Google that Department of Justice,

40:53

good faith security research, you'll

40:56

come across the guidelines for the Department of

40:58

Justice and how they handle good

41:00

faith security research and what they consider

41:03

to be a differentiation between that and

41:05

malicious. So if you're doing good faith

41:07

security research and you find a vulnerability

41:09

and you go to a vendor and

41:11

you share that vulnerability with the vendor

41:14

and your primary goal is improving the

41:16

security in that organization or the industry as

41:18

a whole. And I'm cutting this

41:20

down quite a bit. Then you're a

41:22

good faith security researcher. If you're hacking

41:24

companies and accessing data and

41:26

pulling that data down, you've crossed the line,

41:28

number one. And number two, if you're doing

41:31

that and you go to them and you

41:33

say, Hey, I found the security vulnerability, you

41:35

got to pay me. That's

41:38

not good faith security research. So

41:40

the Department of Justice does have

41:42

guidance that actually breaks down what

41:44

those two things are. And for the

41:46

record, this is not that. This is

41:49

not good faith. This

41:51

one's pretty solidly on that bad side of the line.

41:54

So should we tell CJ not to do this then? Wait,

41:57

I want to close out one call. This

42:00

came out last year, Grayson. Yeah.

42:03

All right. Go ahead. Sorry, Corey. Oh,

42:05

you just said we should tell CJ not to do that.

42:08

A port plan bad. I

42:11

think operation viral marketing

42:13

version two. Well,

42:15

yeah, port blends showed

42:17

in jackpot. Yeah. Yeah.

42:20

Like Ben just said, that's extortion. Wait,

42:25

wait, hold on. We have a crime for that already.

42:27

Hold on. I sure said you

42:30

just got to put a marketing spin on it. That's. Yeah.

42:33

So, okay. Hold on because it gives

42:35

it, I just can't, this just keeps

42:37

getting worse. The assets identified

42:39

in the indictment paper, which I'm looking

42:41

at are just all Lexmark printers. Like

42:44

where, where are you getting your TTVs?

42:47

When after was Lexmark printers, are you

42:50

serious? Also, you can imagine being like

42:52

recently here, here's the other crazy thing.

42:54

Each one of these printers is a potential 10

42:56

year sentence. Can you imagine being in jail and

42:59

being like, if I hadn't gone after that printer

43:01

in the break room, it would only be 70

43:03

years. Icing

43:07

on the cake would have been if they actually just

43:09

put hire, whatever their company name was

43:11

on the printers and started printing out. Just put it

43:13

on the cake. Looks

43:16

like you've been hacked. You should hire this company. Oh

43:19

my God. Good. He did it. He

43:21

did it. He did it. Very serious

43:24

cyber operating. And

43:29

I love the commitment that he's keeping them fresh

43:31

and not reusing. I know. You

43:35

say AI. 25

43:39

years with Lexmark printers. Specifically. No,

43:43

this is like I said, you know, this

43:45

is stuff I remember kind of when pen

43:47

testing first was starting as a thing, you

43:49

would always get in conversations like, well, if I

43:51

did this, why would that be illegal? I'm just

43:53

telling him. It's like, no, no, no, that's, that's

43:55

illegal. You're breaking a ton of laws. But am

43:57

I? Yes, you are the computer fraud and abuse.

44:00

You will be able to prison for that. I

44:03

just think it's interesting that he actually tried

44:05

it. And I would love it. If somebody

44:07

out there works at this medical center, what

44:09

did he print? Because he-

44:11

What did he print? Right? It

44:15

was money. He printed money. That's how the

44:17

FBI got involved. Yeah. Oh, go

44:19

ahead. Let's be honest. Our imaginations can

44:22

run wild. Inquiring minds want to know.

44:24

And us wondering is worse than us

44:26

knowing because could it be an advertisement

44:28

for a cybersecurity company? Okay. You've been

44:30

hacked. Could it be Goutzi? We don't

44:32

know. It could be any of those

44:34

things. I would threaten to take out

44:37

P2. I'd like to request,

44:39

you know what? We need to make a screenplay. Let's get

44:41

it in front of Netflix. Let's. This

44:45

is so stupid Mr. Robot. Yeah.

44:48

This does the dumbest shit

44:50

ever. Mr. Gobot. Mr. Gobot.

44:52

Yeah. It's

44:55

like the sci-fi version of Mr. Robot

44:57

where like- That's good. Science.

45:00

I gotta start the- Corey, I'm leaving

45:02

you in charge. Oh God. No, no.

45:06

Look at this, this show. Oh man. All right. Hello.

45:10

My name's John Strand. Nothing can

45:12

get done. Yeah. I can't, like that

45:14

article is just peak. Like it's everything

45:17

that like you should never do ever.

45:20

Beautiful. Beautiful. I think it's important though

45:22

that, you know, when these things happen,

45:24

I'm not defending that situation in any

45:26

way, but it does set a precedent

45:29

sometimes for non-technical leadership in law making

45:31

and all kinds of stuff that could

45:34

have impacts on this community,

45:36

right? Yeah. In negative

45:38

ways, not necessarily in positive ways. So-

45:41

Really? Be mindful of that just

45:43

to make sure that, you know, that

45:45

all the people that make decisions

45:47

know what decisions they're making if

45:49

these types of things continue to happen. So

45:52

are you conjecturing then that this person

45:54

just told people to go do this

45:56

and didn't actually do it themselves? No.

46:00

No, I'm saying that it's important to just

46:02

make sure that you have a proper... I'm

46:05

not saying that this person had a scope, but it

46:08

just goes to echo that if you're doing

46:10

any type of pen testing or anything that

46:12

you're supposed to have, certain scopes, you're supposed

46:14

to be doing certain things because you can

46:16

really easily get into hot water and get

46:18

yourself into some legal trouble. I

46:21

don't think that's what happened. No,

46:24

that's not what happened. I'm saying, when

46:27

this type of stuff happens, it does

46:29

potentially set a legal precedent in the

46:31

future for other non-malicious

46:33

actors. Yeah, but this

46:36

is just a precedent that if you hack computers,

46:38

that's illegal. That's not a new precedent. Let

46:41

me add to what you're saying there.

46:43

This was the chief operating officer or

46:46

chief something officer,

46:48

right? When you

46:50

have that title, you have

46:52

a fiduciary responsibility to the

46:54

organization and you are bound

46:56

by certain ethical restraints, simply

46:58

by having that title. Also,

47:00

you're covered by damages

47:03

and liability officers insurance. I

47:07

think this guy was just a bad apple. Yep,

47:10

absolutely. It's

47:12

important that we know how those

47:14

bad apples can influence not only

47:16

that organization, but the cybersecurity community

47:20

in whole, right? Because bad

47:23

apples need to be held to bad apple

47:26

laws, right? Other people don't that

47:28

are potentially doing it for non-malicious needs

47:31

and intent. I think I picked

47:33

up on what you're putting down there. I think

47:35

it's important to say, even

47:37

though we do already have the

47:40

laws in place to say, hey, we already have

47:42

this. This is a computer crime. It has

47:44

been listed since the 80s. No

47:47

problem. But when you go through

47:49

and I'll tie it back to what Corey

47:51

said about the printers, when you say, oh,

47:53

they hacked this many printers and you establish

47:55

a precedent for prosecutors to say we were

47:58

able to put this person in jail. jail

48:00

for this specific type of thing, I

48:02

think it all ties together with what

48:04

everyone said is that these lawmakers and

48:06

whatnot, they don't know that Alex Mark-Printer

48:08

is, you know, maybe it's not the

48:11

hardest target in the world. But

48:13

they do know that they've got some 20-year-old

48:15

on a college campus that did something, and

48:18

they can get another win in the prosecution

48:20

column because the precedent and the case law

48:23

for how they got this other person in jail

48:25

is exactly the same. So I agree that although

48:28

it's already there, prosecuting that

48:30

sets up a kind of a dangerous

48:32

precedent to take people who would be

48:34

good faith researchers and tend them

48:36

to something that was clearly not good faith. I

48:39

kind of think the opposite. I think this

48:41

is actually a demonstration that, because it says

48:43

specifically in the indictment that it

48:45

says, aided and abetted by others unknown to

48:47

the grand jury. So the way I read

48:50

that is, if your COO tells

48:52

you to go hack this company and you're like, I

48:54

don't think this is a good idea, but you do

48:56

it anyway, as long as you flip when the FBI

48:58

comes knocking, you won't be indicted. The COO will. That's

49:00

how I read it. But I mean,

49:02

I'm not a lawyer, and I don't know if

49:04

that's actually the indictment, but the fact that it

49:06

rolled uphill instead of the COO probably would want

49:09

it to roll downhill to the actual person that

49:11

hit enter on the Lexmark printer and hacked it.

49:13

Like, that's how I read this. Yeah,

49:15

that's the standard RICO stuff. They're like, we want the

49:18

big charges and we can get that with the

49:20

C-level person. So let's turn the people below them. Yeah,

49:22

which is how it should be. If someone comes to

49:24

you and says, go hack this company, we're going

49:26

to get their business because they're going to think they're

49:28

a breach. And I'm like, that sounds like a

49:30

bad idea, but I guess I'm just rank and file.

49:33

So whatever you say, I don't

49:35

want that charge. I want that charge to go to the

49:37

person that told me. That's how I see it. I don't

49:39

know if that's the details of the case or not, but

49:41

I'm just saying, interpreting it through

49:43

that lens, I feel good about the precedent

49:45

versus I'm glad

49:47

it rolled uphill and not downhill personally. Usually you

49:49

would expect it to go the opposite way. Okay.

49:54

Anyway, I guess, Grayson, do you have

49:56

a take on the... SolarWinds

50:00

situation where the leader or I forget

50:03

if I think it was the CSO

50:06

Was it like under criminal proceedings or

50:08

whatever by the SEC or you're aware of

50:10

that situation? I haven't been following

50:13

it most recently, but you know, I'm not an attorney.

50:15

I happen to be married to one That's a pretty

50:17

darn good one And so she knows a lot more

50:19

about what's going on in that that world than I

50:21

do But you know, it's just

50:23

interesting what you know to end to your

50:25

point a minute ago That some of these

50:28

people that are non-technical that are making laws

50:30

can oftentimes misinterpret or or or psych case

50:32

law that then Is

50:34

a precedent for other things right? And

50:36

so we want to make sure that

50:38

they're not doing that so I don't

50:40

know as it pertains to the situation

50:43

with with the the

50:45

most recent Disclosure

50:47

around the SolarWinds situation.

50:50

I don't really know one way or the

50:52

other if I haven't read any of that Yeah,

50:55

it was basically yeah We talked about on a

50:57

previous show that just it was basically he told

51:00

investors that the security was great and you know

51:02

best In the industry and it was he also

51:04

was getting emails like the same time that said

51:06

the security is not great We know it's not

51:08

great. So it was basically like fraud like yeah

51:12

Like it was mostly that he said it was

51:14

good even though it was terrible I think it

51:17

was less about like any specific cyber stuff Whereas

51:19

this is much more like in the

51:21

you know, it's a single edge Yeah,

51:23

Kelly was actually talking about exactly what

51:26

that qualifies under that errors and the

51:28

other word is omissions Insurance

51:30

and so if officers of the company

51:32

knew something that investors should have known

51:35

Yes, or they weren't told something that

51:37

they should have known That

51:39

insurance is meant to cover that and it

51:41

kind of is exactly that only they took

51:43

it a step farther because

51:46

it wasn't even ambiguous it

51:48

was We knew we

51:51

knew yeah, and hey, no, everything's great

51:53

guys. Yeah, we jokes that like the

51:55

new program at SolarWinds Is they just

51:57

don't tell the CSO anything? But

52:01

yeah, no. I will keep

52:03

an eye on that article for the show and see if

52:05

there's any... I would love to

52:07

hear the take of someone who's actually practiced

52:09

his law. Like obviously

52:12

none of us really know, so it'd be interesting

52:14

to hear from someone who's like, I'm going

52:16

to use this for this purpose or judges

52:19

are going to use this for this purpose or that kind of thing. So

52:22

we'll keep an eye on this article. Plus,

52:25

we want to hear all the juicy details for our screenplay

52:27

that's going to go to Netflix next year. It's

52:29

going to be huge. Ryan, can we pull up

52:31

a Rauner's... Rainer, if I'm saying

52:34

your thing, their quote on the screen.

52:36

The SolarWinds CISO indictment is not an

52:38

infosec indictment. It's a charge for violating

52:40

the cardinal sin of capitalism. They lied

52:42

to the shareholder. No, Ryan, that's just

52:44

good business. What are you talking about?

52:47

You know the rule in America, right?

52:49

You never steal from the rich. That's

52:51

the fact. You go to prison. You

52:53

go to jail from the poor and

52:55

you're good. You steal from the rich and they will get

52:58

you. There's been

53:00

plenty of cases just recently, you

53:02

know, the CEO of that

53:04

one exchange that... Yeah, he stole

53:06

from the rich. Yes, Beckman Freed.

53:09

Yes, Beckman Freed. Sam Freeman. Sam

53:12

Freeman. Sam Freeman-Royd. Anyways, he is

53:14

going to prison for lots and lots of

53:16

time because he stole from the rich. Anyways.

53:20

Yeah, that's exactly right. It's exactly the joke

53:22

I was going to make him point. Guess

53:24

that. Made the cardinal sin of stealing from

53:26

the rich because that's what that made off.

53:28

I just can't wait for all the juicy

53:30

hacking scenes of the Lexmark printers. Like

53:33

foggy room. Foggy room. Lexmark

53:36

printer is going down left and right. He's

53:38

printing. He's faxing. He's using

53:40

all the functions of the multifunction printer. They

53:42

pull it off. What does that grab

53:44

to say? Okay. How can you even do

53:46

this? As it says, cyber Monday

53:48

deal on pen tests. Call now.

53:51

I don't know. Yeah. Flex, flex,

53:53

flex, flex. Flex, flex, flex. Flex,

53:56

flex, flex. Yeah. Yeah. Flakvist

53:58

has it right as front. The SolarWinds

54:01

guy goes, it was

54:03

lying was not the crime. Getting caught

54:05

lying Was a crime

54:07

never caught Always the crime.

54:09

Come on. Yeah, that's always true I'm

54:13

telling you the people that you should fear the most Catching

54:16

you are the people who have lots

54:18

of money. Okay, because they can bring

54:21

the resources to continuously Look

54:24

for that right? None

54:26

of them are vindictive or

54:28

malicious or no

54:31

poorly educated or anything like that. No

54:36

It's it's interesting that I think Kelly I'd

54:38

love to get your feedback on this too,

54:40

you know, there's a big difference between Even

54:44

knowing that you have a problem and having

54:46

whether you're regulated or unregulated or any anywhere

54:48

in between as an organization What do you

54:50

have money high budgets to fix

54:52

problems or no budgets to fix problems?

54:55

Just having an understanding that the problems are

54:57

there is it's very different than buying down

55:00

that technical debt to actually solution and fix

55:02

those problems Right. So whether you're doing active

55:04

protection or you're doing pen testing or you're

55:07

doing whatever Whatever you're trying to

55:09

do and you're you've got this big bucket

55:11

of money You also have this big list

55:13

of problems. You're trying to figure out what

55:15

that alignment is What do

55:17

you think is is the hardest thing for people to

55:20

get started to? Understand that

55:22

like I mean we're perhaps Orleans as

55:24

the example, but just balancing risk basic

55:26

risk, right? Well, I don't

55:28

think people understand risk To

55:30

begin with me. I one of the analogies I like to

55:32

use is I used to live

55:34

in Wisconsin So my house insurance would would deal

55:37

with things like a roof that collapsed from too

55:39

much snow on it or ice down

55:41

here I've got hurricane insurance. Well cuz I'm

55:44

I'm in Florida Understanding

55:46

the environment you're in and the

55:48

risks that lead to vault to threats

55:50

and vulnerabilities I think

55:53

we've done a poor job Teaching

55:55

see those are upper level leadership

55:57

at the board level how

55:59

to understand understand risk because it makes

56:01

no sense for me to put

56:03

a fortified snow roof on in

56:05

a house in Florida. But if

56:07

I'm a mortgage company with title

56:09

insurance with large monetary transactions, maybe

56:11

I should invest more in my

56:14

perimeter defenses, my zero trust defenses.

56:17

I just don't think we really quantify it

56:19

or that's not the right word. We

56:22

understand risk well. I agree. Yeah,

56:24

I mean, it's hard and it doesn't really

56:26

matter how big of an organization or small

56:28

of an organization. I think in general, most

56:31

people have a difficult time, you know,

56:33

understanding risk and cyber is such

56:35

a black box that most folks,

56:37

it's difficult. I understand how they

56:39

don't, they don't have to

56:41

balance it. So not saying I agree with

56:43

getting caught lying or not understanding, but there's

56:45

a lot of people that just don't get

56:47

it, right, too. So CISOs certainly need to

56:50

have a better understanding of their risk. Well, the

56:53

risk thing, the other thing I would add in

56:55

about that is it's

56:57

not only that they don't understand the risk

57:00

necessarily. A

57:02

lot of big organizations, and this is something that engineers

57:05

deal with all the time, they want to get in

57:07

the weeds. They want you to understand, and this was

57:09

something that John Portse, if he's

57:11

listening, hey, what used to say all

57:13

the time, you do not

57:15

understand the downstream impacts. Every

57:18

single cost saving measure, every single

57:20

we're going to switch to this

57:22

outsourcer and it's going to save

57:24

us so much money, they

57:26

only look at the primary

57:29

impacts, the money savings, the

57:31

glossy marketing material, whatnot, because

57:33

they don't get down into the weeds on it

57:35

because it's not in their area of concern. Their

57:38

area of concern is trimming budget and whatnot. So

57:40

when they say that they don't understand

57:43

it, well, they understand the risks that

57:45

are important to them and what they

57:47

do, saving money, bringing the payroll to

57:49

manageable levels, whatever it is. But

57:51

when you say, hey, when you do this, to

57:53

save this money, when you go to outsourcer and

57:55

you do this, here's all the downstream impacts, the

57:57

talent loss, the this, the that, the... the

58:00

one person who runs that box, that runs

58:02

the scripts, the power of the move it

58:04

server, which is actually the thing that makes

58:06

us money, you're about to fire them. You

58:09

don't understand that and then this stuff plays out and

58:11

they go, well, why didn't anybody tell me that was

58:13

a risk? We did. You just

58:15

didn't want to hear the details. Well, and when

58:18

I do get that understanding of risk, I'm sorry,

58:20

I'm gonna cut you off, but don't know, you're

58:22

good. It takes a long time to get budget

58:24

for something. Like you could understand a risk and

58:26

then you don't have that aligned budget in that

58:29

year's budget at all. And

58:31

then you've got to then go ask for leadership

58:33

to give you that and understand how to

58:35

translate that information so that they get it.

58:38

And sometimes it's too late. And

58:40

for that, if we can come back to my camera,

58:43

I have this lovely device. It

58:45

is my management accepts the risk

58:47

stamp. No, I don't wanna use

58:49

this in meetings when I got fed up. I

58:51

was like, fine, you know what, my advice? Here

58:53

you go, right here. There's a stamp. I

58:58

mean, I think point in, one of the things that

59:00

I do a lot when I'm editing reports is I

59:02

try to act like the, like

59:05

an advocate for whoever's gonna be on

59:07

the receiving end of our report. And

59:10

I think in two reports today already,

59:12

I said, okay, we need to

59:15

explain why this is bad. I get it.

59:17

Others are not going to. And especially this

59:20

has to be done in the executive summaries

59:22

and it has to be done in a

59:25

non-technical practical manner. Because

59:29

if you're not a CIO, if you're

59:32

not a CTO, you're not a CISO,

59:34

you probably don't have the

59:36

technical chops to understand

59:39

detailed forensics speak or

59:43

getting down into the weeds about this,

59:45

that, and the other thing, even explaining

59:47

something like good password policies,

59:50

it has to be simplified. And

59:52

that's one place that we still continuously

59:55

fail. Amen, sister. Preach

59:57

it. Another thing about the SolarWinds

59:59

thing, talking about it and this will be

1:00:01

the last thing we talk about, but basically, the people

1:00:05

who operate in these spaces, like

1:00:07

chief officers, chief operating officers of

1:00:09

large companies, they kind

1:00:12

of are very, they're in

1:00:14

rarefied air of like, there's very small job

1:00:16

market for them, but they're very expensive and

1:00:18

hard to find and all that good stuff.

1:00:20

But when you've been charged

1:00:22

with fraud and internal control failures, you're

1:00:24

basically out of the job market. So

1:00:28

I think like CSOs take heed of this,

1:00:30

like don't just accept the risk. That's

1:00:32

the precedent this sets from my book is like, you're

1:00:35

not going to, no one's going to be like, well, we hired

1:00:37

to do a CSO and here's the press release. He was charged

1:00:39

with internal control failures and fraud and

1:00:42

he's great. So basically, the CSO is that like,

1:00:48

oh, where you could, it could be a career

1:00:50

ending move, like quite literally. Well, for a public

1:00:52

credit company, for sure. True.

1:00:54

I mean, true. But like, yeah, I mean,

1:00:56

I'm not, not to say that this person,

1:00:58

it could be false charges or, you know,

1:01:00

unfair or whatever, but assuming the charges end

1:01:02

up sticking, I feel like you're untouchable. Right.

1:01:04

I mean, I don't know, I could be

1:01:06

wrong, but I know for,

1:01:09

I mean, Kelly brought it up, the fiduciary

1:01:11

responsibility. If you've got SEC charges,

1:01:14

no board can possibly

1:01:16

say, no, we

1:01:18

did our due care and due

1:01:20

diligence by hiring someone who had

1:01:22

SEC charges against them for fraud.

1:01:25

That's not going to happen in a public.

1:01:28

There are minor fraud charges. There are minor fraud

1:01:30

charges. Light treatment. Don't worry,

1:01:32

you can never be indicted for the same

1:01:34

crime twice. So I'm not free to go.

1:01:36

Let's mark it. Yeah, let's darn it. That's

1:01:38

the new thing. Once you double jeopardy. I

1:01:40

got a couple charges. Then you go through

1:01:43

and you're like, I can commit all the

1:01:45

public securities fraud I wanted. Our security is

1:01:47

amazing. It worked that

1:01:49

way. Right. Right. Yeah. So

1:01:51

anyway, we should wrap up the show.

1:01:53

Come to our Snake Wall Summit. Ian, you want to talk about

1:01:56

the Snake Wall Summit? Not really. I'm putting you on the spot.

1:01:58

Okay. No, I will. I will. well.

1:02:03

Come to the Sync Oil Summit on the

1:02:05

6th and 7th. We've got a low-cost training.

1:02:07

We've got lots of talks. It's all online,

1:02:09

all virtual. So in about a week, you

1:02:11

know, come check it out. You can go

1:02:13

to anticyphantraining.com and check out the schedule of

1:02:15

speakers and other things going on. So we hope

1:02:17

to see So we hope to see you there. And

1:02:20

on the final note, have a fantastic week. Indeed.

1:02:24

And I guess I'll agree. I'm a

1:02:26

fire Orion. I'm scared.