Liquidmatrix Security Digest Podcast – Episode 7C

Episode 0x7C

Yup, this is a habit now.

It’s all fun and games until somehow you find yourself actually planning and not doing that whole “maybe we will, maybe we won’t” thing. It’s happening. We’re back and making a habit of this!

Upcoming this week…

1. Lots of News
2. Breaches
3. SCADA / Cyber, cyber… etc.
4. finishing it off with DERPs/Mailbag (or Deep Dive)
5. And there are weekly Briefs – no arguing or discussion allowed

And if you’ve got commentary, please sent it to mailbag@liquidmatrix.org for us to check out.

DISCLAIMER: It’s not that explicit, but you may want to use headphones if you’re at work.

ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of (approximately) 5 opinionated infosec pros who have sufficient opinions of their own they don’t need to speak for anyone except themselves. Ok? Good.

In this episode:

• News and Commentary
1. Russia forces Apple to remove dozens of VPN apps from App Store  
   Dark Money tied to war on Apple’s encryption
2. OpenAI had an oopsie and forgot to mention it…  
   But they’re also just plain making mistakes at the basics too
3. Hackers reverse-engineer Ticketmaster’s barcode system to unlock resales on other platforms
• Breaches
1. The human cost of breaches at Hospitals – this one is awful
2. Sightline Security for non-profits
• SCADA / Cyber, cyber… etc
1. A really good assessment of the great Rogers outage of 2022
• DERP
1. DON’T LIE ABOUT YOUR BREACHES DAMMIT
• Mailbag
1. Dear Liquidmatrixes,
   What’s the deal with The Cloud? I really like hugging my servers and I give them special names, how do you hug a cloud? Even better, how do I secure it?
   Thanks all y’all.
   Legacy Folk. Just sign up for CloudSLAW
• Briefly — NO ARGUING OR DISCUSSION ALLOWED
1. Ollama – run some great LLMs on your laptop
2. Microsoft Midnight Blizzard Saga Continues
3. Eight Nations Issue Warning About Speed Of Chinese Hackers’ Operations
• Upcoming Appearances:  — more gratuitous self-promotion
1. Dave: – Global News talking about Ticketmaster yesterday
2. Matt: – SnooSec NYC
3. Jamie: – Starlink terminal connection end point… SOMEWHERE.
• Advertising – pay the bills…
1. Vulnerable U – Mattjay’s other news. Sign up or else.
• Closing Thoughts
1. Seacrest Says: I’m Europe now, very fine. Not worry about my doing well.

Download the MP3

Listen:
Watch:

Subscribe to us using plain old

Apple Podcasts:

And

Creative Commons license: BY-NC-SA

Transcript (unedited)

00:02.39
gattaca
Good morning, good evening, and keep it tight. Welcome back to Liquid Matrix Security Digest hacker radio podcast, episode 0X7C. Hopefully I got that right this time. Here with me this week are myself, Dave Lewis, Matt Johansson back from his European vacation, Look Kids, Big Ben, Parliament, and James Arlen on the wheels of steel. I should point out that this show does not represent the thoughts, intentions, plans, or strategies for world domination of our employers, ex-girlfriends, wives, belly button lint, or the militant wing of the Girl Guides.

00:34.15
gattaca
It is solely our own personal opinions. We make no guarantees to the accuracy, validity, sobriety, relevance, or importance of anything we say or do here. My portion of this podcast has been brought to you by one password. No, really. Hey folks, I did it. I actually got through the opening read for the first time ever without stumbling over my own tongue. Okay. That was something else.

00:56.03
Jamie
Oh no, this is twice now in in like 12 years.

00:57.95
gattaca
I did it once be before.

01:03.62
gattaca
to Pete, to Pete, no, you know,

01:06.49
Jamie
You’re making me sad, Dave. You’re making me very sad. But it does appear that this is a habit now because we’re we’re doing it regularly. We have a plan, like an editorial calendar for future episodes.

01:15.94
gattaca
that that’s terrifying all by itself.

01:20.47
Jamie
We’re acting like grownups. And I think that’s the fundamental difference in what’s going on. It’s all fun and games. And then, you know, you’re not doing that whole, maybe we will, maybe we won’t thing you’re, you’re behaving. I mean, look, we even got Matt.

01:35.47
mattjay
we We should do the podcast, like we should do the podcast, yeah.

01:40.22
Jamie
and We were, we said that for about five years, off and on.

01:42.91
mattjay
I know, every time we…

01:45.85
gattaca
We did, but then I had a catalytic moment where I realized I had a lot of free time suddenly.

01:46.20
Jamie
ah

01:51.79
gattaca
And I was like, okay, wait a minute. We should really do this.

01:54.87
Jamie
Wait, someone stole your converter?

01:55.63
gattaca
And then Matt said, we should really do this. What was that?

01:59.53
Jamie
Someone stole your converter?

02:01.81
gattaca
No, no, no. I was given a complimentary cigarette and blindfold. And I realized I had a lot of free time suddenly, but now I don’t have free time anymore.

02:08.27
Jamie
I thought you were talking.

02:09.82
gattaca
But you knowre you’re right. It’s nice to be adults and it’s nice to do this. And honestly.

02:13.29
Jamie
I thought you were talking about the alternate revenue stream that you were looking into.

02:18.57
gattaca
alternate revenue stream. what Dude, you were supposed to say the quiet part loud.

02:19.71
Jamie
Yeah, you saw us all underneath cars, yanking cats.

02:27.69
Jamie
right We got lots of news. We got some breaches. We got a a actually really interesting cyber thing that relates to the Canadian government. um There’s a mailbag and a derp entry, briefly, ze and then we’re out. But I think we should kick it off with young Matthew. Hey man, it’s good to see you again.

02:50.42
mattjay
Hello, hello. Thank you for keeping it going while I was ah traveling, even though I know I am the crux of this operation.

02:51.58
gattaca
Well, welcome back.

02:59.45
mattjay
I’m glad you guys kept the roof on while I was while i was out trouncing around Europe. Yes. No, obviously kidding. I am a bonus feature at best.

03:11.57
gattaca
ah

03:12.96
mattjay
um

03:13.06
Jamie
You’re literally the last word. like you’re you’re You’re structural, man.

03:16.37
gattaca
You close it out.

03:21.22
mattjay
Um, okay. Side note. Uh, I, I have one of my favorite content creators is a guy by the name of Jose monkey. And he’s kind of an OSINT creator. Have you guys watched any of his videos? He does the short forms.

03:33.72
Jamie
oh

03:33.78
gattaca
Sadly, no.

03:34.88
mattjay
Yeah. He does the short form stuff on all the short form platforms, Tik TOK, Instagram, YouTube shorts. Uh, and he does OSINT things where people send him videos and then he has to find where they are. Right. Hey, I’m just here in like some nondescript place.

03:48.61
Jamie
Bye.

03:51.73
mattjay
Uh, find me Jose monkey. And then he finds them and he, and he explains how he does it and uses like. Oh, sin type stuff and open street map. And anyway, anyway, right now, the reason I’m bringing it up is right now he’s doing Canadian week. And so I have been thinking about, uh, you gents and a fair bit of our audience, uh, as well. I’ve also noticed a fair bit of uptick since we’ve been doing this again of newsletter subscribers with Canadian email addresses. So, uh,

04:18.72
gattaca
That’s awesome.

04:19.36
Jamie
Keep that advertising alive.

04:19.83
mattjay
yeah, but. The militant wing of the girl guide has, uh, has found my newsletter or whatever it is. So, okay, cool.

04:28.38
gattaca
Oh, gotta make a t-shirt to that.

04:28.46
mattjay
So to the news, unless, go ahead, Dave. Yes. The, gar yeah, that’s, that’s our swag, the militant wing of the girl guide. Um, okay. To the news. So, uh, so this has been an interesting one. So apparently back in 2017, Putin decreed or passed a bill as a They like to say, I don’t know how much passing of of bill the schoolhouse rock. Does that work in Russia? I’m not sure. Um, so, uh, yeah, yeah, yeah, yeah.

04:55.64
Jamie
Doesn’t work in America either.

04:55.64
gattaca
Yet.

04:58.35
mattjay
Okay. I’ll get to that. So, uh, so in 2017, uh, Putin made a bunch of online encryption tools, illegal, including VPNs, uh, and encrypted communications. This did not become even attempted to be enforced until about 2019. Uh, when. the GRU and some ah some other organizations under Putin started sending mean letters and nasty grams to VPN providers. And they were like whack-a-mole VPN nodes that were actually physically within their borders that they could control. But still, their citizens were obviously, if they wanted to use a VPN, they still could ah use a VPN or Tor or any of the other services. Well, now this week,

05:47.14
mattjay
uh, on kind of the next level of, uh, trying to actually enforce this was instead of the nasty grams going to the VPN providers, uh, the nasty grams went to Apple and Apple, uh, caved basically and took a dozens of these VPN apps out of the app store in Russia. So, um, yeah, that’s like obviously a much, uh, a much bigger and more effective blow to this enforcement, right?

06:16.05
gattaca
I’m

06:17.45
mattjay
Um, I, I talked about this on social media this week and one of the more interesting themes that I saw coming in my comment sections was, Hey, if we don’t see our VPN on this list, should we be a little bit worried about how effective this VPN actually is? Because if it was effective, it probably would have gotten this whack-a-mole treatment, uh, in Russia. And I thought that was an interesting, uh, an interesting theme. What’s your take on this guys?

06:43.98
gattaca
ah I’m right out of the gate. I’m actually a little bit curious about why they were still operating in Russia ah in light of all of the sanctions and everything as a direct offshoot of the war in Ukraine. So I’m a little bit actually caught off guard by that particular aspect of things. Um, and I, I’m less worried about, you know, the viability of VPNs because this is, I mean, I get it. I understand why they would do this. Um, But yeah, no, I’m Demi.

07:15.27
mattjay
Well, so to answer to answer your first question, um’m I’m not sure these are all like US or even EU-based companies, right? a lot of the A lot of the VPNs like Proton comes to mind, like a feature of Proton is that they are housed in, what is it, swi Switzerland?

07:28.16
gattaca
Switch on

07:32.79
mattjay
and ah and And so that they can be,

07:33.10
gattaca
now.

07:37.24
mattjay
like not sanctioned, but like that the three letter agencies can’t send them a letter to go do something. That’s like a perk of proton VPN, right?

07:47.46
Jamie
I don’t know. there’s There’s a certain amount of, we’ll call it justifiable skepticism that says VPN as a way to alter my apparent geographic location is interesting.

08:07.88
Jamie
Purchasing VPN service as a way to secure my connection, much less interesting. And so but what it feels like is less so that it’s about securing access or making it so that the GRU can see all of my traffic and much more about

08:15.60
mattjay
Yeah.

08:28.30
Jamie
geolocation evasion and the reverse pipeline. It’s not so much Russian citizens evading the lockouts on on them from ah from a sanctions perspective, but rather Russian citizens gaining access to things that don’t go through the big GRU firewall. And if you if you think there’s no big GRU firewall, you’re wrong.

08:49.01
mattjay
Yep.

08:52.07
gattaca
Oh, a categorical one.

08:52.56
mattjay
Yeah. So a hundred percent, I get this question a lot as like a public info sec figure to some degree of like, Oh, well what VPN do you use? You must use a VPN. That’s like all of the commercials I see on YouTube. It’s like, Oh no, they they don’t do very much for your security. And like most security people do not subscribe to this, right? There obviously is use cases for VPN. It just has very little to do with like, your personal security on like Wi-Fi or something.

09:17.78
Jamie
yeah ah so sometimes it’s yeah Sometimes it’s convenient for me to access an otherwise non-rotable, non-accessible device at home. And so I do have a VPN endpoint inside of my home network that I’ll VPN to when I need to apparently be at home. But day-to-day operations ah at work, honestly, um we use a lot of IPsec meshing for doing you know cluster communications across providers. There’s a bunch of reasons to use IPsec meshing as, I mean, technically it’s a VPN, but it’s more like an overlay network.

09:55.76
Jamie
ah over existing SDNs compared to using it as a security feature. Like all of all of the users, they’re just on laptops on the internet. I mean, our offices are basically just exclusive access coffee shops. There’s no your office from a traditional networking standpoint there. um the The only place where we actually functionally use them is oddly to deal with the United States. um A lot of state and local governments in the United States taxation offices, their web interfaces are only available geographically there.

10:33.03
Jamie
So even though our company’s headquartered in Europe and we have to pay taxes in Austin, local city taxes in Austin, you can’t access that local city interface from outside of the United States. And so BPM to the rescue.

10:46.22
gattaca
in a yeah In a similar vein, I do the same thing when I travel is that when I’m in Europe, I use a VPN just so I can read news in North America because so many sites will block it because they don’t want to have to deal with GDPR and things like that. So they just rather than actually do something sensible, they just go, u we’re going to block you, which is so freaking irritating.

11:07.71
mattjay
So to, so to bring this back really quick from like the VPN is not actually a security tool. Cause I agree. Right. Um, even for person, not like we’re talking corporate, but even like personally, a lot of like non-infosec people, that’s one of their only things that they really like see, like advertisements are that like kind of advertise as a security service that they might actually like, yeah, yeah, that they might actually go and purchase.

11:26.20
Jamie
Pee-pee!

11:30.91
mattjay
um So if you’re, if you’re one of those people and you’re listening, just like FYI, that’s not actually buying you all that much that like HTTPS didn’t solve like many, many years ago. um There are certain threat models where like proton makes sense. If like you would rather proton have your ah traffic versus your ISP because of whoever you are as a person, but like for the, the general pop, like this is, you know, where, but ah where it’s at. Anyway, to bring it back to this story. Yes. Russia used the excuse.

12:01.94
mattjay
that these TOR and and these VPN services were being used by cyber criminals to do cyber criminal things and like send bomb threats and things like that. and And so while yes, I agree, I think the real reason is absolutely they do not want their citizens reading the stuff that they don’t want their citizens reading. because like I think there’s there’s only a handful of reasons why any government is attacking any encryption service right and has very little to do with we want to catch more bad guys.

12:35.36
mattjay
right When bad guys are live live streaming you know their ah their shootings or they’re posting their plans on Facebook of whatever they’re going to do and we don’t catch them, ah what makes you think if they read every encrypted text message all of a sudden they’re going to catch them?

12:36.55
Jamie
yeah

12:53.43
mattjay
It’s not going to happen. So there’s this guy, and so I wanted i did want to bring it back because instead of just Russia bad. There is a lot of this going on in Canada and the US as well in terms of the government attacking ah encrypted services under the guise of we need to break this encryption to better secure our children or whatever it is.

13:12.49
Jamie
and and And the UK and Europe and Australia and New Zealand and and all of the the, you know, air quotes, Western democracies.

13:13.77
gattaca
Trust us, we’re from the government.

13:17.81
mattjay
Yes, yes, yes.

13:23.35
Jamie
Everybody’s doing the same thing.

13:23.54
gattaca
and Any country with an internet connection, let’s just cut right to the chase.

13:27.92
mattjay
Yep. And so ill I’ll link another, I didn’t get to put it in the show notes yet.

13:28.81
Jamie
and

13:31.43
mattjay
I will. There’s another article from last year that I covered in depth, and I don’t think I got nearly enough coverage about a bunch of dark money, like tracing a bunch of dark money, like donations to, uh, this is us based specifically to attacking, um, Apple and iCloud encryption under the guise of we need to find, uh, and protect like child exploitation material. on this platform, so we need to break all encryption for that, right? To like use this emotionally charged, like save the children reason to actually kind of come in and weaken encryption on, you know, one of the biggest operating systems on the planet.

14:08.30
mattjay
So anyway.

14:08.30
gattaca
there were There were protests in Canada a couple of years ago and the funding that the protesters were receiving, the the vast, vast majority of it came from people outside of Canada. It was actually influence operators from other countries. So it was really amazing to see that sort of thing. And again, you know, you flipping back to the Russia thing, The other piece of that too is quite literally so they can exercise their level of control so they can control their narrative. So if people can access VPN, get news from other sources, they’re going to start questioning the the narrative and that would be a problem for the sitting girl.

14:32.96
mattjay
Yep.

14:38.54
mattjay
Yep. Yeah. A hundred percent. And I think, um, I think the other interesting part here that’s like buried in the story is Tor, uh, specifically, right? Cause that’s obviously also, um, takes a certain level of sophistication, a a user, um, to, to achieve. And so they’re like, you’re, you’re targeting a very specific subset of your population that would use Tor to do things that. you know, you don’t want them to do or information that you don’t want them to get, right? And disseminate. So anyway, found this one interesting.

15:09.45
mattjay
Thanks for, thanks for the dark web.

15:10.20
Jamie
Do you to me mean the dark web?

15:15.84
gattaca
the a billion phrase

15:16.03
Jamie
Okay. Just checking. um You know, if if you really do want to be a nation state and review everybody’s text messages, you’re probably going to want an AI to help you out. But I’d suggest it not be OpenAI and ChatGPT. because they do things like um forget to mention out loud that they’ve had a breach for a non-trivial period of time. And when you’ve got TechCrunch warning you that AI companies are treasure troves for hackers,

15:48.62
Jamie
that’s That’s a thing, right? um The one that’s, that’s even more, I mean, we can beat up on, on Gen AI all day long if we feel like it, but the other one that’s hilarious is the Mac app for chat GPT was just going out and storing conversations as play text.

16:07.47
gattaca
it’s a feature

16:10.15
Jamie
You know, because why do anything other than that? but That makes total sense. um The whole Gen.I world is… I don’t think that it’s going to ultimately good places. I don’t know that it’s quite the set of waste items that everybody says it is, but I also don’t know that it’s it’s necessarily going to end up working out terribly well for everyone.

16:33.62
gattaca
I think we’re really in the gold rush stage, quite literally. And everybody is rushing to be, you know, I want to be part of this and the stupid will happen. So that’s going to be, I ultimately am optimistic that we’re going to get to a good place because so much of this technology, there is positive implications, but, ah you know, with a hammer, you can build a house or I can beat you about the head and neck. So, I mean, obviously it’s how the tool gets used.

16:57.45
Jamie
Yeah. I mean, you know, looking forward to some of the stuff that’s going to start dropping this fall with, with the next round of updates from Apple. Um, I’ve been messing around with, uh, local LLM usage. So running Olamo with llama three or Gemma two. And you know what, it’s, it’s 90% of the way there. It answered some pretty complex questions.

17:17.41
gattaca
I’m

17:20.04
Jamie
Um, Jackie’s a school teacher and she was asking you questions about Ontario’s curriculum and it was answered correctly out of a 4.7 gigabyte data file running locally on a MacBook, like M1 Air. So there’s like there’s a lot of of good you can get without necessarily being embedded in in a real running live cloud-based service as well. And I don’t know that people are looking at that closely enough.

17:43.79
gattaca
actually

17:46.66
gattaca
I agreed with you. I’m actually using one called Private LLM. And again, it runs locally and actually it’s really, really, really good. and You can use whichever set instructions that you want in order to run those. And it’s been a fantastic thing.

18:02.00
Jamie
Yeah, I mean, it’s generating urine now, so.

18:02.52
mattjay
Yeah.

18:05.04
gattaca
Well, you know, something has to.

18:07.26
mattjay
people um So, I completely agree. Huge proponent of local stuff. I also like a project by, uh, Daniel Miesler called fabric that can tie together a bunch of the different API stuff. And then you use it locally. Uh, you are using the cloud services there, but it’s a really powerful open source tool to like build in a lot of the context stuff and do a lot of the prompt engineering and like kind of build your own rag and things like this. ah turning into a bit of a power user of that tool, definitely go check it out. He’s got some really good YouTube videos getting you set up and started on that.

18:38.18
Jamie
you

18:40.10
mattjay
I just like overall, I’m very bullish on AI. I’m not the naysayer, right? But I’m also not the extreme like, hey, you know, this is gonna save us or kill us either. I just think it’s gonna be a really cool tool for us.

18:54.12
gattaca
Mm

18:54.22
mattjay
And it’s obviously already changed the world in various ways. But um I do just want to, Like make a plea to the security people listening to this to not be the like Department of know when it comes to this when your teams are trying to explore AI technology. I’ve been seeing this right or these security purists are coming in and saying like, no, you cannot use this.

19:18.94
gattaca
hmm.

19:20.33
mattjay
This is like and pointing at stories like this one that we just covered and saying, this is dangerous. You’re putting all this stuff um in this third party tool.

19:26.29
Jamie
Yeah.

19:27.79
mattjay
And like, this is like the worst security thing you could possibly do.

19:29.58
Jamie
it

19:30.95
mattjay
And I just, I just disagree, right? There’s the the risk can be handled here.

19:33.38
Jamie
that’s that’s not so yeah i mean That’s not the reason that I say no. the The predominant reason that I say no is because every vendor wants to embed AI in their product and their upsell charge for AI in their product is basically the same as getting access to the underlying general AI yourself. So, you know, I can give you a chat GPT license and a strict version of the tool, or I can give you the AI enabled version of the tool, but only one of the 10 tools that you use because I don’t want to pay 10 X the cost of a chat GPT seat. Like they there’s there’s a bunch of funding model stuff in there as well to to pay attention to.

20:14.55
mattjay
completely Completely agree on like, hey, do your due diligence on like people sneaking this stuff under the hood and it’s like really just an open AI API key with ah with a margin on top that they’re taking, right? um but But I just have seen ah enough people telling their developers that they can’t use chat GPT. And I’m like, you’re that’s a very quick way to get your developers to stop even asking you ah so or telling you what they’re doing, right? Because this is currently the most popular tool on the planet, right?

20:44.86
gattaca
completely agree and then all of a sudden everybody has shadow IT. Oh wait, they already do. um And that’s a real problem. And the thing is the department of no is not something new. This is something that we dealt with forever. I mean, Jamie and I used to have to deal with one guy in particular who were main nameless that was just absolutely the whole point of his existence was to get people fired. But thankfully he was really bad at his job. And this is that real, real frustration to that yes, these are tools that will be good in some cases, but obviously there’s going to be outliers like Grammarly is very, very helpful as an example, but it requires access to everything, including your children.

21:16.34
mattjay
Thank you.

21:22.47
gattaca
um it’s It’s just, it’s absolutely so insane the amount of access that particular platform has. ah But. You know, you’ve got a counterbalance of what’s the risk. Are you doing it as a personal thing or are you doing it as a corporate thing? You have to do the risk assessment, but just yeah arbitrarily saying no is absolutely nonsensical. um And going back to talking about tools that are, you know, AI powered and such, there’s a great one that I got to call out and specifically that I use called Clough Notes. And what this one does is um like you can talk for about 10 minutes and then it’ll actually, you know, transcribe everything you said. And you can say, you know, I want it as meeting notes or I want it as a shopping list or whatever it happens to be. And it will put it into that format and it just absolutely fantastic. So it’s just one of the examples of a really good tool that will run locally on your system that, you know, was able to you know do all of these things and not have to rely on everything being shipped off to wherever stand.

22:19.72
Jamie
Indeed. But ah speaking of just hacking your way around fundamental problems in your day-to-day life, um i I’m done paying for concerts, man. If only there was anything I could do about that.

22:35.50
gattaca
Hello, Cleveland. um Yeah, no, it’s a real problem there. And you’ve got to really think, you know, how can you do this?

22:41.65
Jamie
that That was the segue into your story, David.

22:43.60
gattaca
I’m working with the Segway here, huh? Geez.

22:46.27
Jamie
Okay.

22:47.16
gattaca
Good. It was almost good. um No, it was never good. um Yeah, so hackers have figured out a way to mess with the barcodes and reverse engineer them for a Ticketmaster barcode system. This could be a huge problem for Ticketmaster because all of a sudden you have four people showing up for the same seat.

23:05.47
Jamie
you

23:06.47
gattaca
That could get super interesting. And this news is coming on the heels of a recently disclosed data breach. They’re having a, and they had actually another day to breach a few days before that. They’re having a bad, bad 2024 right now. And this is not to beat up on them. I know people like to go after them for their costs and you know, it is expensive, but you know, these are the kinds of things where you vote with your dollars and you do what’s right for you. Me, I tend to go to a lot of events, so I tend to use them rather extensively. Oddly enough, I have not received my notice um that I was part of the compromised data.

23:40.67
Jamie
and I’ve had two who?

23:43.02
gattaca
You got two. Oh, you mean you got my other. You got mine then. You got one for you, one for me.

23:47.25
Jamie
No, I’ve got one for my regular Ticketmaster account and then I’ve got one for the Ticketmaster account that’s associated with the sports team.

23:53.73
gattaca
Oh, very good, very good. Yes, I’m very curious as to where mine is. And by some miracle, my account is just so old that they actually didn’t get to it when they did the day to breach.

24:02.71
mattjay
and Dave, you can’t vote with your dollars in a monopoly. Sorry.

24:07.53
gattaca
Well, you can. It’s just going to be a very quiet party all by yourself. download the album, sit in a dark room, listen to it, go like this with an iPhone, because people don’t do lighters anymore, and you know, you get the effect.

24:21.60
mattjay
Apple Vision Pro is actually pretty good.

24:24.55
Jamie
if you just became such a moment in letter-counting all by yourself.

24:31.65
Jamie
um we’ve We’ve often spoken about, um you know, ransomware or malware people and their impact on things like hospitals. And, you know, we’ve we’ve always got that great positive story about how they attacked Toronto’s sick kids and backed off. There’s other stories about how they attack other hospitals and don’t back off. It was a story caught in the ridge and it’s one of those ones that it really makes you stop for a hot second. It’s story of a a single human, Johanna Gruthusen, who found out with you know only a few hours notice that she wasn’t going to have the the surgery that she expected she would have, but instead was going to have a much more impactful surgery.

25:23.76
Jamie
um She was going from a skin sparing mastectomy to a complete simple mastectomy last minute. So thought that things were going to be okay, but took this massive impact. And the reason for it, interestingly, was not entirely ah the hospital, but rather one of the providers to the hospital. And I, you know, I’ve i’ve been in conversations lately with with a bunch of people kind of as we’ve we’ve talked through things like the the city of Hamilton forever breach that that talk about getting the basics right and things like three to one backups and things like understanding how to properly contain and purge your systems, having cyber insurance in place, having responders in place. And when it turns into

26:15.21
Jamie
um stories about individual humans and you know mother of two young kids and it’s just it’s not right and either we as society need to step up and fund those organizations so that they can defend themselves or we need to help those organizations understand that if they don’t do the basics then they sacrifice their ability to run as an organization and we just pull them apart. I don’t have any better answer for for any of it, but just this kind of story and and the kind of human scale impact. When we talk about ransomware things and we’re kind of blase about it because they happen all the time. They happen all the time and and it’s not good.

27:06.39
gattaca
I agree with that. and One of the things that I’m fortunate to be a part of is a body called Sightline Security. and What it does is it provides security services for nonprofits that are not able to you know have security people on staff for themselves. so This is just one example, and there are lots of examples out there where there are people doing good things to try and help better secure organizations. um We need to see more of that, not less, because exactly that. and Like, this is a great example of, you know, bad things can happen. um And we want to make sure that we’re moving the ball forward. So ah if you are talking to anybody out there or curious about it, look up Sightline security and talk and see more information there is one example. ah There are other parties out there as well. And I just wholeheartedly support anybody that is doing good stuff.

27:55.52
Jamie
All right. um With that, let’s move on to um cyber, cyber, cyber. The Canadian government has actually done something pretty cool. It literally pains me to say that out loud.

28:05.89
gattaca
I’m sorry, I say that again.

28:09.72
Jamie
And even worse, the CRTC has done something cool.

28:14.52
gattaca
Oh, now you’re lying.

28:14.78
Jamie
that’s the Yeah, the Canadian Radio Television and Telecommunications Commission, the regulator of telco in in Canada has actually done something pretty cool. um They’ve published a report um that was put together following up on the Rogers network outage about two years ago now, almost exactly, um summer of of July 2022.

28:34.95
gattaca
right right right

28:39.46
Jamie
One of the major telcos in in Canada is called Rogers. communications, and we have all kinds of conversations about how horrible they are. um But suffice to say, due to some single sourcing contracts that happened in the financial services sector, um the major inter-banking capability in Canada was offline.

28:56.27
gattaca
Right

28:59.90
Jamie
So your your ability to walk into a store and use your debit card, walk into a store and use your credit card to purchase something was offline as a result of this particular outage.

29:00.55
gattaca
right right

29:09.46
Jamie
And it’s only a couple screens long, but it goes into some pretty harsh detail on what went wrong and how to not do that.

29:20.29
Jamie
It’s it’s actually pretty well written. You should you should probably read it.

29:24.24
mattjay
It also has a very good like 1999 PowerPoint network diagram.

29:31.57
Jamie
Oh, it’s beautiful. it has It has five different colored clouds on it. Five.

29:38.68
mattjay
I thought it was the cloud.

29:39.62
gattaca
know

29:41.46
mattjay
I didn’t know there were five clouds.

29:44.15
gattaca
There’s so many clothes man.

29:44.26
Jamie
i

29:45.23
gattaca
Look up in the sky. What are you talking about?

29:47.16
Jamie
There’s clouds, there’s there’s router icons, there’s dashed lines and straight lines. It’s fantastic. But anyways, um if any part of your world involves being dependent on a telco, it’s worth a read.

30:00.92
gattaca
Yeah, I had a glance at that one the other day and yeah, it is definitely worth a read. I agree with you there.

30:07.04
Jamie
Uh, do you know what else you shouldn’t do?

30:09.58
gattaca
Oh, what?

30:11.03
Jamie
Lie about how many people were involved in a data breach.

30:15.65
gattaca
Oh, data breach. I thought it was something else. um Yes, that is super, super bad me blinks at open AI.

30:18.26
Jamie
Yeah.

30:22.80
Jamie
Um, no, in this case, it’s, it’s prudential insurance. Um, they had data breach back in February, cause I mean, who can keep track of these things?

30:25.83
gattaca
Oh.

30:29.39
Jamie
Really? Uh, they said about 36,000 people are affected and they’ve just revised that upward to 2.5 million.

30:36.70
gattaca
Sorry, what now?

30:38.32
Jamie
Uh, 36,000 2.5 million actually affected.

30:38.75
gattaca
You say that number again.

30:44.15
gattaca
That’s a bit of a difference.

30:45.91
Jamie
Yeah. So, I mean, it’s only a small percentage of their customers. They boast about 50 million customers. So, you know, 2.5 million is not a lot out of 50 million, but it’s a lot more than zero. And also, um,

30:59.46
mattjay
How do we find out? Oh, I can tell you how we found out. I didn’t even read the article. Hold on. I have a guess. Can I tell you, can you ask me if my guess is right?

31:09.65
Jamie
Sure, what is your guess, sir?

31:11.43
mattjay
Is it the state of Maine? Is that how we found out?

31:15.43
Jamie
Yes.

31:19.18
gattaca
Nothing but net.

31:20.17
mattjay
Thank you Maine. For all of you who don’t know Maine who has like less people than the county in New York I grew up in as a state, and it’s a fairly large state, ah has a law on the books that if any one resident of the state of Maine is part of a data breach, that the entire data breach needs to be disclosed. Most of the data breaches that we hear about nowadays are because of this one law in the books in Maine. I knew it. I knew it.

31:50.55
gattaca
I’m loving Maine right now.

31:52.69
Jamie
Damn them lobstermen.

31:55.07
gattaca
This is one of those things that aggravates the hell out of me because this is just one of many examples, but it’s net like data breaches happen.

31:55.39
Jamie
Well done.

32:02.00
gattaca
It’s an accepted thing. I mean, I hope it doesn’t happen to organizations, but it’s not the fact that there’s a breach. It’s the, when the people try to cover it up or hide it and then it ends up and you know, sec filings or whatever it happens to be or in the state of Maine, it’s just like, it’s not the crime. It’s the coverup gets them every time.

32:21.15
Jamie
yeah These kids today. We’ve got another mailbag entry this week. Anybody want to hear it?

32:27.52
gattaca
Really? Let’s go.

32:28.60
Jamie
Yeah. Dear Liquid Matrixes, what’s the deal with the cloud?

32:30.56
mattjay
Here’s the mail.

32:35.08
Jamie
I really like hugging my servers and I give them special names. How do you hug a cloud? Even better, how do I secure it? Thanks all y’all. Love legacy folk.

32:50.81
gattaca
Oh, Matt, you want this one?

32:51.87
Jamie
Matt, do you name your cloud servers?

32:55.38
mattjay
I do.

32:55.87
gattaca
Yeah, I do as well.

32:55.90
mattjay
I used to name them after Dragon Ball Z characters. Then I went in through a Lord of the Rings phase. But yes, of course I named my cloud servers. OK, what’s the real question here? how how do you hug a cloud How do you secure a cloud? First of all, I have a great answer to this question that is short enough to say in a podcast episode. ah Have you guys heard of Rich Mogul?

33:22.39
Jamie
No, I’m aware.

33:22.77
gattaca
may have

33:24.96
mattjay
So rich mogul, good friend of all of ours, they’re being idiots, um, who runs a blog called securosis. They used to also be an analyst firm, right? Rich has gone on to like taking.

33:35.50
Jamie
I may or may not have contributed to that and or am still a contributing analyst like Dave.

33:36.82
gattaca
Same,

33:39.73
mattjay
Yes. I was going to say, I think you, I think you both have securosis email addresses.

33:42.21
gattaca
same. thing

33:45.55
mattjay
I somehow have not been invited to that party. Uh, I am in the Slack though. Anyway, rich, uh, who teaches the cloud security. incident response course at Black Hat training, right, for thousands of dollars.

33:58.50
Jamie
Except, except not this year, but yes.

34:02.12
mattjay
I know, but he combined it with another one. He’s still teaching cloud security at Black Hat, and it’s a world-class training. It’s it’s not cheap, right? Black Hat charges whatever they charge. ah For free now, Rich has a newsletter that I helped him set up on the same platform I i do my newsletter on. ah called Cloud Slaw, like Cole’s law. And Slaw stands for security lab a week. And so every week in this newsletter, he puts out a lab that might as well be in his blackout training, they’re that good. And also he’s got it so over-engineered so that if you sign up today for the newsletter, he puts you into an automation so you get the labs in order so you don’t get them like released every week like a normal newsletter. So he’s got some crazy automations going on. Anyway,

34:49.46
mattjay
i’m an I’m an avid reader. I really like what he’s doing. It’s like absolutely world-class training for free, so everyone should take advantage of that.

34:58.76
gattaca
100%.

34:59.97
Jamie
I may or may not recognize some of the, some of the tutorial entries in Cloud Slaws being things that Rich and I developed while standing on that stage at Black Hat over the last decade doing that work. So yes, very familiar. And yes.

35:16.80
mattjay
also I can also give another somewhat serious answer. I think there are two paths in cloud security. Well, there’s probably more. But there’s like two paths that I see that are like the big rocks of if you want to get into cloud security, you can kind of go in these directions. If you do both, you’re crazy. But ah one is like the actual servers that are running in the cloud. So getting really good at uh, orchestration and terraform infrastructure as code, uh, Kubernetes stuff, Docker stuff, very specific to cloud, like server running, uh, infrastructure ops, security ops. So learning all of the, like pick your cloud of choice. If it’s AWS, like a lot of people or it’s Google, what’s their like audit trail look like? What’s the observability on this platform look like?

36:03.46
mattjay
you know how how do I find and fix vulnerabilities through infrastructure as code, how do I build guardrails, all that kind of stuff, right? And then there’s a whole other world in cloud security. And these people, I bow to them because otherwise I would be them and I’m glad I don’t have to be them and that’s called identity and access management. And it’s a completely different beast. And you need to basically go get a PhD in the 5,000 plus roles that you could give somebody in AWS to let them do what they need to do on the platform. And anyway, that’s a whole other thing. i’m I’m not even kidding, right? it’s It’s really, really hard to be good at both of these things. Never the two shall meet. But if you’re really into identity governance, all this kind of stuff, cloud identity is a rabbit hole you will never find the bottom of.

36:53.39
mattjay
How was that?

36:54.99
gattaca
Nailed it.

36:56.10
Jamie
Not wrong.

36:56.60
mattjay
How was that mail bag?

36:58.42
Jamie
ah Not wrong. um We are on the verge of running long. And thusly, it is time for some brieflies.

37:08.44
Jamie
My briefly, I just give you the link to Olama. Run run your LLMs locally. You will be astonished at how awesome it can be for you. Matt.

37:20.57
mattjay
Uh, mine is the continued Microsoft drama of the breach that they had a few months ago from midnight blizzard. Uh, apparently some notifications went out this week to the admin tenant email address for the O365 admin, which in their docs, they tell you to like never give a human actually access to that. So that like the notification of the breach is. sitting in an email box that no one’s ever supposed to log into. ah So anyway, there’s there’s some drama in the thread and you can go read about it, but Microsoft again, not not doing great on this particular breach.

37:57.83
Jamie
That’s awesome. Dave.

38:01.08
gattaca
My briefly is absolutely shocking news. Apparently eight nations are warning that China based hackers have been accessing government networks. Who to thunk it.

38:10.47
Jamie
the

38:11.24
gattaca
APT 40 is underway and please be vigilant. Please be checking your systems. Uh, yeah, bad things, fire bad, all that sort of fun stuff.

38:19.00
Jamie
That tracks upcoming appearances.

38:25.98
gattaca
Well, for me, I was on global news yesterday and we got to talk about the ticket master breach. So that was fun. Um, you can check that out. Uh, I posted that on LinkedIn and I’m sure it’s, it’ll show up in the show notes. It’s cause I can’t configure that properly and I’ll be at summer camp. Matt.

38:42.57
mattjay
Uh, I will be hosting an event called Snusec, uh, in New York city next week. Uh, I think registration still might be open for a few more days by the time this comes out. Um, but, uh, for all my New York city friends, I’ll, I’ll be. Partner around running a little mini security. meetup slash we have like a few talks lined up, but it’s mostly for the meetup. Um, and then I will be in Vegas. It seems like I’m going to be there Sunday to Sunday. So I’m there for the whole shebang this year.

39:11.63
gattaca
Oh, longer than me for the first time.

39:16.65
mattjay
Yeah. I have commitments Monday morning and I have commitments Saturday night.

39:16.94
Jamie
Yeah.

39:19.81
mattjay
So I am traveling Sunday to Sunday.

39:22.56
gattaca
Bless your heart.

39:23.85
Jamie
That’s awful.

39:25.12
mattjay
Yeah.

39:25.34
Jamie
I’m going to be at the other end of a Starlink connection and not admitting my GPS coordinates to anyone.

39:31.15
gattaca
Nice.

39:31.76
Jamie
Because that seems like the right thing to do.

39:31.80
mattjay
Oh, I love it. I love it. Cool. Well, thanks.

39:38.20
Jamie
Make some bills.

39:39.05
gattaca
Yep.

39:39.94
Jamie
Do we want the advertiser to speak of their advertising?

39:43.70
gattaca
I think we do.

39:43.79
mattjay
Me. Oh yeah. So I guess it’s an upcoming appearance too in your inbox every week. If you sign up my upcoming appearance on Friday mornings. ah Yes, I run a newsletter called Vulnerable U. Thank you for all of you who have been signing up through the show notes. I i see you. I appreciate you. um And yeah, I do. I started doing the cybersecurity news thing on Liquid Matrix ah in like 2008. I am still doing it. I just do it for myself also over on Vulnerable U. So I appreciate all of you who signed up.

40:17.44
gattaca
Very cool Very nice.

40:17.76
Jamie
Awesome. That does get us to the end. And since you usually have the last word, Matt, would you please read from the screen?

40:24.82
mattjay
Uh, I’m Europe now. Very fine. Not worry about my doing well.

40:35.85
Jamie
Bye, everybody.

40:36.11
gattaca
Yeah, got you all next time

40:37.61
Jamie
See you in a week.