20 Episode results for "Benazir"

Leaders: Benazir Bhutto

Encyclopedia Womannica

07:45 min | 1 year ago


"My father used to say that the people of Pakistan [...] my sons and daughters."

Hello from Wonder Media Network. I'm Jenny Kaplan and this is Encyclopedia Womannica. Today's leader was a groundbreaking politician who served as prime minister of Pakistan twice, making her the first woman in modern history to lead a Muslim nation. Though somewhat controversial due to charges of both corruption and political naivety, she was a champion for democracy and a force for liberalization and greater personal freedoms in her country. Let's talk about Benazir Bhutto.

Benazir was born on June 21, 1953 in Karachi, Pakistan, to a wealthy aristocratic family with strong political ties. Benazir's father, Zulfikar Ali Bhutto, founded the Pakistan Peoples Party, otherwise known as the PPP, a popular socialist party that led Pakistan in the 1970s. [...] Benazir's first and primary language was English, though she did speak Urdu on occasion. From a young age she showed great promise and received a Western-style education at prestigious convent schools in Pakistan. In 1971, while Benazir was attending Harvard University, her father was elected leader of Pakistan on a socialist platform. Benazir graduated with a bachelor's degree from Harvard in 1973 and then moved across the Atlantic to the University of Oxford, where she studied philosophy, politics and economics. In 1977, soon after she finished Oxford and returned to Pakistan, Benazir's father was ousted in a military coup. Muhammad Zia-ul-Haq became the military dictator of Pakistan, and Benazir's father was executed two years later, in 1979. Though Benazir and her mother were frequently under house arrest from 1979 to 1984, Benazir took up her father's mantle as head of the PPP. Finally having had enough of Benazir's political aspirations, Zia exiled Benazir and her mother. The two moved to London.

In 1986 Zia ended martial law, and Benazir and her mother were allowed to return to Pakistan. Benazir quickly became the foremost member of the political opposition to Zia. During her time in England Benazir had admired the work of Margaret Thatcher; upon her return she shifted the PPP from a socialist platform to a liberal one.

"It changed the course of my life. I had no intention of going into politics, and had my father lived, perhaps I would have chosen a different life for myself, a more stable life."

The political shift helped Benazir navigate a political power vacuum created by the mysterious death of Zia in a plane crash in 1988. In the ensuing elections the PPP won the largest block of seats in the National Assembly, and Benazir was sworn in as prime minister on December 1, 1988. This made her the first woman leader of a Muslim nation in modern history. As prime minister, Benazir tried to enact political and social reforms but was almost completely stifled by the Islamist and conservative parties. As such, she wasn't able to effectively combat the many issues facing Pakistan, including pervasive corruption, widespread poverty and an increase in violent crime. In August of 1990 the president of Pakistan, Ghulam Ishaq Khan, accused Benazir and her government of corruption and nepotism. Benazir was dismissed from her position and a new election was called. It's generally accepted that the following election was rigged by Pakistan's intelligence services to ensure victory for the Islamic Democratic Alliance, or IJI, a conservative party.

In the years that followed Benazir served as leader of the opposition in the National Assembly. In 1993 the IJI government was also dismissed for corruption. In elections held in October of 1993 the PPP again earned a majority of votes, and Benazir was prime minister of Pakistan once again. This time around Benazir was determined to focus on economic privatization and greater rights for women, two areas she believed were holding Pakistan back. Three years later, renewed charges of corruption were brought against Benazir and her government. These new accusations, along with a series of controversies like the assassination of Benazir's brother and a bribery scandal involving her husband, led to her government's dismissal by the president. The PPP took a beating in the 1997 National Assembly elections, and Benazir chose to go into self-exile the following year, as the new prime minister was continuing to pursue what were believed to be politically motivated corruption charges against her. Benazir moved to Dubai and continued to run the PPP from there.

In 2007 rumors began to circulate that Benazir was returning to Pakistan to run in the 2008 elections, and she planned to run on a platform of greater military accountability to the civilian government and calls for a stop to the growing Islamist violence. In October Benazir officially arrived in Karachi from Dubai. There were great celebrations by her supporters following her return from exile, though they were marred by a suicide attack on her motorcade that killed many supporters standing nearby.

"They have tried to persuade me not to come, to intimidate me into not coming, and I'm not going to be intimidated. I've made my decision and I'm returning, for better or for worse."

After attending a rally on December 27, 2007, Benazir's motorcade was hit by another suicide attack. This time Benazir herself was killed. Though al-Qaeda took responsibility for the attack, it's widely suspected that the Pakistani Taliban, as well as elements of the intelligence services, were also involved. In the years following her assassination Benazir has come to be regarded as an icon for women's rights. She's revered for achieving the highest levels of success in a male-dominated society.

Tune in tomorrow for the story of another leader. This week Encyclopedia Womannica is brought to you by HelloFresh. One of my personal New Year's resolutions is to cook more, and thanks to HelloFresh I think it's a resolution I can actually keep. HelloFresh is flexible: you can easily change delivery days and food preferences, and you can skip a week whenever you need. I travel a lot, so that's ideal for me. HelloFresh helps me save meal prep and planning time, and most importantly the recipes are delicious. I love that I get introduced to dishes I otherwise might not try. HelloFresh now starts at just $5.66 per serving. Go to hellofresh.com/encyclopedia10 and use code ENCYCLOPEDIA10 during HelloFresh's New Year's sale for ten free meals including free shipping. Special thanks to Liz Kaplan, my favorite sister and co-creator. Talk to you tomorrow.

Best of - Benazir Bhutto: Paying the Ultimate Price

What It Takes

30:46 min | Last month


"It's americans in the whole world. Watched this week stunned as a violent mob. Egged on by president trump breached the united states capitol to interfere with our democratic election process. Whether you call it. A coup or an insurrection. Most people simply could not believe it was happening here. It was the kind of thing that happens. In other countries countries where the transfer of power is not a peaceful affair countries were democracy might function for awhile until it doesn't and that reminded us of one of our earliest episodes about the charismatic and controversial benazir bhutto of pakistan her father. The prime minister was ousted and killed in a coup in nineteen seventy seven and years later. When she became prime minister herself there was a coup attempt against her that failed she was willing to pay the ultimate price for her beliefs. And in the end she did benazir bhutto was assassinated for her third term as prime minister. We certainly don't mean to. Overstate comparisons between the united states and pakistan or any other country. But it's always good to remind ourselves of what we have and what we have to lose. This episode was originally posted in september of two thousand fifteen. A main. this child is gifted. And i heard that enough that i started to believe if you have the opportunity not a perfect opportunity and you don't take it. You may never have another child it all so clear. It was just like the picture started to form itself. There was new wing which ally could prevail over the truth darkness over light every day. I wake up and decide today. I'm going to love my life. Decide if they're going to break your leg or it's when you go into play stay out of there and then in long companies differential experiences. You don't look for you. Don't plan for but boy. You better not miss. This is what it takes a podcast about passion vision and perseverance from the academy of achievements recorded collection. 
I mouse winkler for today's episode. We pulled an interview from the vault. That is profoundly inspiring but also unsettling the interview with benazir bhutto pakistan's former prime minister and it's unsettling because her words take on a painful resonance when you realize that she spoke them in exile seven years before she was assassinated by a suicide bomber. Here's a news clip from that shocking day. In two thousand seven we begin with the assassination. That is reverberating around the world. Pakistan's former prime minister benazir bhutto made her triumphant return from exile. Just two months ago. It ended today in horror as she was struck down only twelve days from an election. It was widely expected. She would win. Benazir bhutto was the first elected female leader of a muslim nation. She was also one of the youngest heads of state ever prime minister at the age of thirty five. She served in that role twice in the late. Nineteen eighties and again in the mid nineties. She was devoted to democracy into modernizing pakistan. She tried to tackle her country's deep poverty and gender inequality and she was adamantly opposed to violence of any sort. When i was a very young child letterman by was always against violence. It was an era when people used to go shooting and hunting an member once coming out on the brandon in home in the countryside. And my father's teaching my brother to shoot a barrett remember seeing the battered fall down dead and bleed natoma being boiled by it. The battered flattering. Icon bed to see blood to the stay or killing. And i'm very much against war conflict in the taking of life. And i think that the seeing that little bird green and beautiful and living in jumping the tree and then falling down dead did have a profound effect sound city to say that when should feel so strongly by the bird. But i remember my father dating. 
He was facing the death sentence that i remember the little girl who cried so much because of bird died how she must feel benazir. Bhutto's father was zulfikar. Ali bhutto and extremely popular statesman during the nineteen seventies. he served as both pakistan's president and its prime minister. He was overthrown by military dictator and was executed just days after benazir returned home from oxford university. But in this interview with the academy of achievement benazir bhutto began her story. Before all of those events describing the pakistan she was born into in nineteen fifty three a country with few cars and extreme poverty. The gap between the rich and the floor was great too. I remember people walking barefoot and bare backed because of the poverty it was very privileged life that we lead with huge homes and scores of staff with everything looked after now. The world has changed much more. There's a greater appreciation of each human being equal and entirely the same opportunity as well as emphasis on human dignity. In those days. There was much less dignity. I remember that the Or people would reach greet the richer people by bending down touching their feats elaborate on them and throwing themselves on the feet so it was a totally different kind of world. And it's changed for the better in that sense. Even as a child living in luxury bhutto said she was aware of the disparities. The my father was always championing the cause of the poor. He was very much against the state of school. So he was always telling us that it's wrong that there should be people in such abject poverty unable to feed the children. I mean i'd be sitting there when women would come to my mother and to take our children. We can't feed them. My father was a lawyer at a member coming back and saying that a man came and said. I don't have any money to pay you for the He'd been welded and he said. Take my cow. 
Because i don't have any money and that was the car that would give the milk to feed the children so it was squad shocking to me. And i. i was sensitive to it because my father was sensitive to it and he dig us. We were landowners large landowners. And he'd take us to the lands and he would tell me. Look at the way these people sweat in the heat and in the sun in the fields and it is because of their sweat that you will have the opportunity to be educated and you have a debt to these people. Because it's they one born to sweat like this and you have a debt and you've got to come back and bay that debt by serving people. Her father was clearly her greatest influence as bhutto told journalist and documentary filmmaker irv draftsmen who conducted this interview for the academy of achievement. It was her father who was most against the gender constraints of the era that threatened to hold her back my mother. She used to be a working woman herself. She joined the national. God's she was a captain in the national guards. She was the first woman in garage to own a car into drive and people used to talk about her because they said women supposed to drive cars. But when i look back on it it was my mother who taught that the woman grew up to be married and to have children and she would tell my father in front of me. Why do want to educator. No man will want to marry her so all the time for her success depended on having a good catch as a husband and having children better for my father he broke three of those constraints and he insisted that i have an education he said boys and girls are. I want my daughter to have the same opportunities. Are you come for that. I don't know. I really don't know because i never had a chance to ask him. I just assumed this is what fathers did. And i finished university. He was imprisoned and then he was unjustly hanged by a military dictator and now in reflection. I would like to ask him. And what made you do things differently. 
Old go to other people's homes. I remember friend of mine. They couldn't eat food till the brothers had finished and the leftovers would be given to the daughters. That never happened in our home. I remember that. I used to sit at the head of the table. Because of the eldest child that never happened in other homes. I should have asked. My father had the chance but he enabled me do appreciate that. A woman is not a lesser creature. There was one other lasting and maybe surprising influence on benazir bhutto the nuns who educated her at the convent of jesus and mary a catholic girls school in karachi where the majority of the students were muslim. And adam very much mother. Eugene is to teach us literature and boy tree and reach for the moon and the lord star and it's spiring us more to it was very inspirational and motivational. That good conquered the moon and the stars if reached out so it was all about reaching out. I think the two powerful influences in my life and my childhood was my father and was my teacher in the conduct of jesus in mary mother eugene. I was fascinated with literature. My father gave me a love of books. He loved reading books and make sure that i bought books. And he'd buy me books. And then mother eugene made my imagination run wild through shakespeare twelve nine. Julius caesar keats browning byron mostly benazir bhutto loved historical biographies beginning with alfred. The great the king who defended the english against the viking conquest end as bhutto remembered with a smile was scolded for burning cakes by a commoner. Who didn't know his identity. She also loved reading about alexander. The great who was told that whoever untied the gordian knot would conquer asia. He took out his sword and cut it instead or so. The legend goes basically bhutto said her favourite books were about great achievers. Lie father was himself in achieve. And maybe it was a dime of achievers it you know. I grew up at a time. 
When colonialism had just ended and the whole inspiration behind colonialism had been to discover the world and to achieve more sense of adventure going to unmapped places braving beasts of unknown description a to conquer the world so it was very much still within that phase when words were more granddaughters and expressions or more granddaughters. The imagination was walk. Grandma's now things much leaner and meaner benazir bhutto may have inherited some of the colonial age spirit of achievement. But her politics were more the product of the post colonial protest era. She was at harvard during those years. And she told interviewer irv dresden. They changed her. I at the time. Great social ferment. At a time the vietnam war was being fought is a nation was against the vietnam war but i found the american fellow students but against that wall do so they didn't want to fight the war. Were protesting it. And i found that if it didn't like something you could do something about it. It was also time when D- robert kennedy and martin luther king and idealism chevelle the grape boycott from california labels rights says very much into saving the world. My generation grew up in saving the world. We thought education wasn't important exams weren't important. Although still did it was. I was scared. My father would get cross but i discovered that life was more than my homework and metro. To'real knife was about the larger issues where we could all play a role and the women's movement had just started gate milita just written her book and i remember very dear. Friend of mine and colleges were hardly seen since wendy lesser. She's taking out literally magazine now in california. The last i heard would sit. They're having these intense conversations about women's succeeding and good they succeed. Could they break the barriers. Because at that time still women many women thought that the objective in life was to go on and be married a not so much to have a career. 
It was dime of president nixon's impeachment and likely newspapers at go around trying to recycle. And i see a bit of that age. Come back in the sense of the environmental issues which are getting important but less than issues of sacrificing yourself for the larger community. Now i think it's more an age of the individual comes first then. It was more than aid that we as an individual subordinate ourselves to the logic communal. Good so all of this. You took back to pakistan with you. Yes i said on reaching up residents. Because i sold barber of democracy it was really. I felt awful. I felt my voice counted a damn in pakistan. My father had been trying to imbaba. Ordinary pakistanis and telling them that they could break free of the shackles of feudalism and military industrial complex. So when i bent back my own experience with me a bit ahead. Because i'd had a broad experience. I'd had experience box bond anonymity gun at seen it succeed so i went back really at the right time. You have any doubts about what a woman could do could accomplish muslim country. Itin tab doubts. Somehow i didn't have any doubts. Somehow the other for mucus my father also important taught a woman could succeed and he would delanie. The my daughter's win me more proud than indira. Gandhi made her father so for me. It was like it's normal for daughters to want to succeed and then in the gandhi was dead and she was a very powerful leader. Mrs bundy nike had been dead in city lanka. The first woman prime minister then. Of course we had fought magenta. Who was also presidential candidate unsuccessful but a presidential candidate so i grew up in regent full of bath women and i thought well they can do it. I can do it too. But then i used to talk to others the to you're mad. How can a woman succeed not necessarily in politics. But i wanted to be a diplomat. A wanted to have run newspaper. I wanted to do tins and other people men and women would find that very surprising so others doubted it. 
Even alan husband when he at me he thought i was under delusions that i could meet a beat the military dictator and he thought that she accepted finds out that it's all wrong and she can't than i'll be there to console her little knowing that i was the one which could score when i want so it was a time when people would say how can you think people will elect you that i i got elected. I mean this woman has us up demands. Place that she should be guilty should be assassinated just admitted hennessy. But i always felt i mean. I didn't want to go into politics. That i could become prime minister if i wanted to. I had faith in myself. But at that stage i did want to. Because i'd seen the assassination attempt on my father. i'd seen this assignation of shape jebron bangladesh. Or maybe there was some kind of subconscious fear of what politics could drink. So i didn't want to do it at didn't want the fear of the execution of your father. Changed his execution changed. That was i felt. I just couldn't lettuce blood in the blood of all those others who had died because the dictator hanged so many people who was supportive of him. They were coming on the streets to have in three and he'd had them whiplashed or hanged and had thought they all did so much and he did so much. And how can we let the dictate win and let all this blood goal. Waste that decision prompted by the execution of her father did not come overnight. She would spend the next decade either in prison or in exile. It gained gradually. It was not assad. There were two moments that say when it happened. You see one of the moments was when my father died. And i had before he died. I had my last meeting with him in the debt said and he said that you have suffered so much had been imprisoned myself introduced so young. You just finished your university. You came back. Had to whole life and look at the ted on. The which web lived is set you free. Why don't you go live in london. Barrasso switzerland or washington. 
You're well taken care off and have some happiness. Because you've seen to matt suffering and at each doubts with the prison baas and had a member rasping hands and saying no upper. I will continue the struggle that you began for democracy and so that was one of the points that i decided that i didn't want out at stay back but i still didn't think i'd ever be prime minister. I told my mother would be the prime minister that had worked for her to be the prime minister. And that's what i did. The mother got sick and actually she had lung cancer but we didn't know she was getting zayas so she started behaving differently. And we thought it's because she's had this serious She's reflecting on how leader ally. And suddenly i found that since miami was away in the whole body was about to collapse unless i was there so i started looking for the body that stage an event back people with shouting prime minister benazir and suddenly. It struck me that looking after me. Mummy ill looking. After means that i will be the prime minister so it was in that moment when i realized that the responsibility that had di canova could lead all the way to office that could govern the destiny of more than one hundred million muslims of pakistan. Then as your bhutto was elected prime minister the first time in nineteen eighty eight the political ups and downs that followed are serpentine and would require a retelling of the history of modern day pakistan which is frankly beyond the scope of this podcast but briefly bhutto was dismissed by pakistan's president three years into her term. Her government accused of corruption but her popularity grew again and in nineteen ninety-three. She became prime minister for the second time. Once again after three years in office bhutto was caught up in a swirl of corruption charges against her her husband and her government the accusations against her were never proven. Her husband was tried and convicted and served eight years in prison. 
Though bhutto continued to insist he was simply the victim of politics. She took their children and went into self-imposed exile and it was during this period in the year. Two thousand more precisely that this interview with her was recorded by the academy of achievement. At the time benazir bhutto was considering whether to return again to pakistan to run for office. Her husband was still in prison and she was worried about her children. Who hadn't exactly had much semblance of normal life. She said she was leaving the decision. To god what was best for her and for her country but she sounded sanguine and openly offered assessment of her political career up until that point. But i look back on my life. I really think of the different stages when we were so role. A naive and deadly realized things were i think back to my daniel as prime minister in item get on with the president because he wanted to kind of presidential system. I believe the bottom entry system but then remember that. Mount president was from party amount of father. I give him and heaton missile shabbily. And i think if i'd treated the first president with half of giving him half the babas that i give my one president. Maybe he wouldn't have knocked us out in democracy could have taken stronger. Routes saw endorsed terms. And all i really look back on it a look back also in the sand. Politics will be the appointed disappointed. So that orbits be the critics one has to take. I learned that after my first election as a little. I have to do win. An election and all critics will disappear and according to barbara cartland will live happily ever after. But i realized that the wake-up later he'll critics are still around and you still have to factor them in many experiences made me more inclusive person not inclusive to the margins but inclusive to those people who are have differences with us. 
But we're still moderates site drive to be more inclusive not easy because the other side has respond to but ultimately there will be critics but one has to do what what what is right as long as the majority of people support. That building schools was right. I tried to it even the clerics. Originally i adopted video A statue. I thought i had to prove i was stuff is mad. Because that was a man's world it was supposed to be a man's world now. I think it's not a man's world anymore but in those days so because it was to be the man's would try to be very aggressive warmongering in my second term to try and co-opt i have a consensus sort of person i liked to been people will go up to compromise not the goal of my values but i seek the middle way and i tried to do that but i take. In retrospect it was wrong was did not go up them. And i needed some amount. Supporters baba is such a strange phenomena. The bond gets isolated from the real world. People can't see you the phone you they have to go to the operator and it's up to the operator he puts through the gun dry. Do because the secretary's leonard read the letters and decide which ones are going to come to you so dearly one becomes a prisoner. And i used to meet my body. People is to meet people in the villages in the very happy because we were doing poverty-alleviation and sought but the people in the urban middle classes are very unhappy. And i realized now that i should be out more meeting people who want with us or meeting people who would representatives of organized groups. The other thing i learned in the boston is to meet be placed one dilemma. Would we would. We now realized that you have to listen to people and what they're saying we ought to be doing even Much more critical to my own life was my failure to understand. The world is moving towards transparency. I'd lived through the year of military dictatorship when the press would ride all sorts of things. In it'll be better off the duck's back now. 
I say that whenever these demands widened to have the i did say make an inflammation act. The didn't follow it through. Savage had given more freedom of information. Ashish tackled the so-called corruption issues. More deeply it was a pleasant. You know we all knew. Kickbacks must be taken not personally but on the level of these things happen and it wasn't like here to change it. It was like this business done so i. In retrospect i think that it would have done many things many many many things differently. But then you learn from your experiences like somebody told me how to succeed in this iraq decisions. How'd you come to the right decisions to experience. How'd you get experienced through wrong decisions to go to make. One does macron i mean. In retrospect one is older and wiser interviewer. Irv jasmine asked benazir bhutto whether she still felt she could be an idealist after all that had happened to her and to her country i feel the scientists like this and that if get officer given an opportunity to paint it and it's up to you whether you make good big joe whether you make a back picture. I think it's very very important to have ideals because when one has ideals wanting softening is worth it for me the suffering has been worth it. Because i think i could change things and i'm still idealistic enough. Still optimistic people telling me by you. Still idealistic optimistic and i sip. Because they could be ten people who are bad but the ninety people will go benazir bhutto's closing thoughts haunting to hear now words of advice. She offered to students interested in making change in the world. If a young person came to me. I'd tell them that. If you believe in something gopher for it but know that when you go for it. There's a price to be paid. Be ready to pay that price. And don't be afraid. Benazir bhutto eventually did decide. It was her destiny to return to pakistan to run in the two thousand and seven general election. 
Her chances of winning were considered very good but the dangers were clear as she left an election rally and paused to waive once more to the crowd she was killed by a teenage gunman and suicide bomber as if the recording of this podcast. No one has been convicted of her murder. High up officials including the military ruler at the time general pervez musharraf were charged but charged with negligence for providing information. Quit security when the threats against her life were well known in the intervening years. Witnesses have recanted trial motions have caused endless delays and one of the chief prosecutors investigating. Her murderer was himself gunned down on the way to a court hearing it seems no one may ever be held responsible for her. Death in live are challenges. But i think leadership is very much predicated on the capacity to absorb defeat an comment now off to having been at all it takes for more than two decades. I have come to the strong conclusion that the difference between somebody will succeed and somebody who feels is the ability to absorb a setback because on the road to success. There will be setbacks and there are those who give up and those who say the nobody going to go on. And then i also. When i was in prison i became very devout. I'm not a fundamentalist. But i am very devout in solitary confinement. When had nobody to to turn to see. I was brought up to the logistics Take them to judge or eastern how to say the press like. My mother taught that it's all to listrik. It was when i was in prison and everyone was cut off from my family. My friends food even couldn't get glass water without having to beg somebody nothing. Nothing got took everything away. Material physical everything and suddenly. I realized they can take everyone away. Could read newspapers the. Give me newspapers of time. Magazine suddenly realize the content. God way from me so much. Boston dime. 
I started passing it in prayer, so from that moment I realized that God is always with one. What gave me the faith, the sustenance, was my belief that God places a burden on people to bear and he places only that burden which they can bear. The second was the love of ordinary people. The love was so much that it was enriching. It gives me strength, nurturance. Maybe I'm a needy person. Maybe I need love. Because why would sometimes I think why would someone go on, when I get so much love, I feel at the mass level that I feel I must go on. I think that those are the two factors that really get me going. Because in the worst of moments I always had vast reservoirs of love. Former Prime Minister of Pakistan Benazir Bhutto talking to the Academy of Achievement in two thousand. To watch video excerpts of Benazir Bhutto telling other stories from her life and lessons in leadership, you can download the Academy of Achievement's e-textbook Social Justice. It's free from iTunes U. This is What It Takes. Join us for the next episode in two weeks. So a little heads up: from here on we'll be posting new episodes every other week, but we're sticking with Mondays because we can all use some inspiration on Mondays. I'm Alice Winkler. Many thanks to the Catherine B. Reynolds Foundation for funding What It Takes. See you next time.

DtSR Episode 368 - Contain(er) Your Security

Down the Security Rabbithole Podcast

42:23 min | 1 year ago

DtSR Episode 368 - Contain(er) Your Security

"They say they say we should have known embed then to Saudi down D- down into this rabbit it's everything has and I think the conversation around containers has been even more pertinent. Now that Google has decided they're actually sense prepare for unique interviews insights and practical advice that makes your job just as Benazir and now please welcome your all right good morning good afternoon good evening welcome down the security rabbit hole to another down the security rabbit hole podcast a lot about this stuff because I dabble in it but you know I don't so folks if you've read the bio and I know you read the show notes on these things you know I you know so bummed when I miss the other podcast we just recorded but I I I don't know I had some issues I got a pupil that would not going to start selling cloud as opposed to they're selling cloud to themselves so they've you know Kubernetes become bigger deal so I thought we'd invite one of the folks that really knows sides misadventure jeans Gerardine and the white rabbits were off ball you have to do my hair like that and I I can't I can't I can't even match so anyway all right Liz you are the VP of open source engineering over at Aqua tell us a little bit about that yeah security we provide solutions full price you want to secure the cloud native from you know okay so so far I don't know I get go for some follow ups but everything's good so far deal have you healthy all right well this episode constrict so it's heading how's it of what what happens when you have too much aspirin yeah wrap your got my buddy podcast life partner James rap how's it going this morning you've been missing for a while man would he get life going on don't shame on you please Louise show notes I write them for a reason Got Liz Liz I had I R- I haven't been the exactly it's as some issues that I needed to go in for for dealing with so but I'm back now so hopefully I'll be around for the a Europe are you are you guys gonna what do you
think is going to happen over there not not to get into politics but can we get this solved infrastructure as a service right having virtual having virtual systems and the the quote serverless world I- genuinely serverless makes me laugh because I think this entire generation developers potentially growing up thinking that you don't actually need servers somebody still has to that's a lovely accent where do you hail from Liz I am from London in the Europe we stood in Quebec lose or win Anyway Eric Cool so let's let's talk containers because that is that is kind of like the halfway point I think between consoles tools and PaaS the part of the business that I look after say we have a different tools remembering this wrong did Solaris not do containers a long long time ago back in the kingdom far away Priori they did they had 'em Solaris Zones you're getting in as as we got this guy called connect first time you mentioned you mentioned you've got some history with Skype as well Yeah yes applications that cabinet two deployments and the apple product pro-trade security but we call him in that with some consoles announced not yet technology has certainly come a long way and I've been following it their security has been a big focus ah I think we're we're we're tended to be tailing contain yourself insecurity because we talked about clouds talked about containers IaaS and PaaS and a prominent inexcusable but using his name not really a thing called the container is made up of these three different famous to build what we talk that is that is going back back back back showing my age that well let let let's not have back does I suspect I still I recall correctly and it had quite a lot in common with what we typically call a container today at the thing that Docker poke neurology ever does what's the difference between you know the different container models and when you look at what's Docker what is Kubernetes how are they different can you explain that for the listeners era
but yet in my in previous life I I did work for Skype and that was kind of pre the eBay acquisition as container run time executes your containers then sitting above that the orchestrator which is kind of like a management layer if you like individual containers running on a machine and then if we thought talking about cluster fishing's and we want to distribute all containers across of the Kubernetes folks certainly Docker as well So for for those folks listening was this is you're gonna have to do this for every for I think for every conversation as Louis manager containers when we're thinking about individual containers and then if we not rob okay I'll try say he said the containers have been around for a while as a concept and what Docker did the notion was if you want better if you want good security you gotta go to VMs because containers simply don't provide enough isolation there's potential for exploit by and that's kind of it was a democratize the containers they built a really nice developer experience so that you could build container images easily on run so when when we're talking containers we're really abstracting rather than bare you know when you talk about virtual machines abstracting to bare metal I basically using things like cgroups and namespaces and seccomp top of Docker at run time more recently you typically don't see the Docker daemon needed on a Kubernetes machines then we need to have an orchestrator that will automatically place those containers somewhat sensibly across the cluster like set from a security perspective the fact that we're sharing a kernel means it's not the same there's definitely machine there somewhere somewhere there's a machine executing your code but it seems like the containers are it's it's a great model am I wrong to to remember you police the configuration of the cluster police the configuration of each individual and police uh-huh I love that that's the thing I mean I don't love it it's funny
something that's still part still restricted view of the host of running on sites on the kernel's perspective it can see all these processes running inside these containers they pretty much happening time with these different containers so yeah they're all that has been a lot of progress to make it easy kernel and at least what looks to them like their own copy of a file system have their own view of that we that we've developed to help you secure your Kubernetes cluster we also contribute to some of the other projects in the open source community that's pretty cool and as yeah so if you have multiple containers running on the same machine the same machine all machine they're all sharing things just like regular Linux processes but from the container's point of view it can only see essentially what's going on inside its its little world have a good foundation to have because now we've got has security professionals who got to figure out how to how to secure all this stuff right and there are plenty of things you can still in your virtualizing that for a bunch of virtual machines when you're talking containers we're abstracting all the way up to the operating system in an even into the potentially applications right products into into the platform itself new construction engine so that's it's come a tremendous way but I think that's an important thing to me block and I think technology from security perspective and Elizabeth degree that we almost have to start with an allow as as the default let people get comfortable and that's really will that he brings to the table and in the days came at sophomores isn't it isn't that what we all we everything that comes out though I mean that's pretty cyclical anything that comes out initially is open to the Internet and then don't be early adopter Amazon is now made it and I think Microsoft's followed suit like the default configuration for your S.
three buckets as but he finds it we lock it down I mean look at MongoDB or all those databases like all that stuff when we first release it it's like here let's just put it out there with them let the isolation as you would get if you running your applications in different virtual machines right and that those are some important distinctions there because early on GP's run out of the box and so a lot of the climate projects for example you can run way insecure connections machine anymore winner using a different container frontline typically something like containerd you're getting into the weeds but really via run cost more security so for example a couple of years ago we were saying things like Tesla with the dashboard restricts you have to open it rather than it's like firewalls when we first had them right it was an any-any allow them so they went with this is a bad idea they went any-any restrict we'll get there are plenty of things you can configure in a very insecure fashion which is why event like Aqua exists to help people password you know and then we get better at it and we start locking down you know and that's kinda the case I feel like I know we're trying to stop that but I don't dash development or something kind of the insecure let's kick the tires version but this is again why there's a security industry right when the the Docker world and and then Kubernetes folks really stepped up their game and and and started adding native security right into the I don't know if that straw man mentality or what I feel like that's always what we see is you know when it first comes out it's open everywhere so maybe I don't know key rule of thumb in as an industry tending more towards having the default secure option and let's have a dash dash test option and then the second day is really about application vulnerabilities so but it also makes it much more likely that people will deploy in production with those insecure settings and I would love to see nine
scanning image for vulnerable dependencies is and I think probably the thing that might all help businesses make sure that will they're running is actually up in the secure way a not running with these individuals so what what is the big what is the biggest thing typically see you know from a security perspective when we talk about containers is it really mostly I tend to think of it in three main stages and then the first is the configuration of the cluster itself so this would be I mean obviously the app doesn't really change from that perspective it's really just the the configuration of it since I'm thinking security for containers container images are really convenient package for distributing application software because they include the application and all its dependencies be looking at security market folds is kind of what I was doing that that is I think trump says a mindset we need this around just the configuration of because I hear a lot of people when they talk about containers you know it's it's that configuration file of the instants and all that is that really where most of the security is because run a build a pipeline and you'll ensure that you'll not running with some terribly old version of OpenSSL sitting in your application fees and then the third thing in a container security around runtime protection nginx running inside a container and it should I need really be running one executable called nginx
and if you ever saw ace but because of dependencies that you wanna make sure that they are dependencies without vulnerabilities say contained and this is where containers can actually gives us an advantage over traditional monolithic architectures because he onto the Internet you much less likely to see that these days probably not a good for them happen and that's the kind of level at which somebody can easily get in install administering cluster saw running things on your cluster that kind of thing I am all customers and potential customers that we talked to the thing that they know they need to do and it's the thing that I will tell you blues it's the easiest thing to implement in his it'd be those longest podcast by Boris Johnson man all right athletes that's an one of the co possible Africa's that we can profile individual containers and recalled walk that looks like in Times Taylor has nice tickets which makes it really easy to just stand off kicked times and see how it works a microservice in your e-commerce websites dot products such probably shouldn't be communicating with the payment system kind of units of security that you can build profiles around yes exactly what we did with an flip it and guard now going to block everything you have to figure out what it is that you want I can go further and say you know really isn't industry we anything else running inside that container any other executable running that would be a sign that the container had probably been compromised and be else runs let me shut this container down yes and different vendors will approach different ways we things like have you got an insecure as she peony connections that that's a that's we can operate in one team is either analyzing might while we believe that you know the this potentially baths suddenly lock down and if somebody tried to run some other executable inside that nginx container they would see permission denied error there were other an unexpected actions container
Check about what you will vendor provides so the biggest problem with that is that if you did have an anomalous behavior you can end up getting into DoSing yourself situation where because containers in these nice small instances of individual containers cheese bills to operate secure Bitcoin mining solicited finally got let me interject that we finally gotten to a point we can profile a system in it and that's that containers thank for that yet the the you know a gas containers run amok we've gotta worry about whether the container itself is got some sort of vulnerability in it we've gotta worry about clincial containment he's out there some of them are free some of them open source we have Aqua Trivy just installed a more problems than solutions here yeah okay say I think when we if we sat down and think about why do people want to use containers malicious thing has happened and based on my policy I might choose to take some kind of action all we can work in a preventive mode where we she to give a shit optionality quickly it's it's over to come down to being able to provide the business with the business needs and some of the competitors did as well so is that blocked before it tries to do that or is that more of a detection system where the tax hey we're only supposed to run nginx we've got a so now what we've got containers gotta worry that the the orchestrator and then of course the the root host is is configured so that it doesn't let the game container that is doing one job if it's a microservice or it's something like i-it's nginx
as my example so you go I four the Dan Fun to watch yeah so that's why we didn't take part and then there are some other tools that can do the alerting but vendors he will a see some kind of anomalous behavior they will shut the container down the there Clinton you being able to write down your your system into your containers and containers containerized services really nice and show anybody in town he's working and organization has been in a situation where the business side is saying and that's not a good thing because root inside the container by default is the same as root on the host side good yeah hi again the venture down the rabbit hole into the world of cybersecurity you're plugged into the podcast security leaders and practitioners with a business oh thanks mentioned the user ID so expect to run inside the container because by default containers will run as root the application itself and we gotta worry about containers attacking each other or the root there's a lot to worry about their way the zoo what's the advantage of container models I I'm here Chrissy tooling the kind of news what would try h containers should be unconfirmed up yet. This doesn't arrive this this nginx
container should not be running they want to use may tip at all in the first place it all comes back to develop so that sacco ops and the ability you know should this be talking to other components in my system which permitted should they be allowed to talk to and he have products and we can apply for network traffic and again because equal a single component it becomes pretty easy to say well would have the capability to do that prevention mechanism if you if you wanna consul capable of preventing you're continually seeing about happen ripping down the container it starts up again will typically be keeping these does down again and so on a decomposing all systems into small independent pieces of functionality microservices we why can't you shouldn't this next week and the technology people are hugging because elected and by the Muse automated dependency the the the passion and then nine version of the Dan those right because you're scanning configuration files you're not scanning a running operating system trying to figure out all the vulnerabilities you're scanning vigorous Man I'm I'm thinking James when you're the guy on this on this show in the more the more and you know I mean we know every day new vulnerabilities are found all over the place oh we've scanned a package we've deployed it is there a way that unity to have more layers of defense so you can around each container build a kind of security isolation boundary around was he perspective although you can you can make an argument that it's more complex you can also make an argument that says this gives you the container as well as around each and as well as around the whole in network deployments those it does make it simpler to now did he is there a way that those also get scanned later on because I know like the second thing he said application vulnerabilities really was more focused about the dependencies densify which Ryan contains affected by stone in which humans I came from he's rebuilding
image within more we abstract because you know what's what's security really good at installing agents right we we we we install whatever whatever the security agent is somewhere as we issue files as a hey how do you have this setup and be able to terminate this works or this doesn't from a security perspective right and so he could be depending on what enforcement into that service definitions of the service consists of one or more containers and one of those containers can be the so you you continually rescan or you scan on a regular basis maybe one day in basis to new vulnerabilities and then Lynch refound all the images that are in your registry or at least all the images that are that you're you're running scanning you might be scanning configuration files you might also be scanning container images which you could argue is a sort of configuration but it looks like a file system but Kubernetes is taking off like wildfire seems that businesses must be image you can update all the running instances of that container from a new image we're getting into From the container and further like with functions where do you install the agent the answers you don't listen your change in order to do that this isn't something you can just flipping an engineering organization into operating that way Nice Hosa you come continue to deploy that kind of enforcement mechanism in all these different Using the advantage of breaking down this and and being how to shake things quickly I also think that for US associated in your deployment but you have to scan once he sky before it ever gets deployed so you should find issues before they hate you running system but you do happy outage that you can scan the in a static mode this is an image this is armaments similarly functions environments Lambda they have this idea of layers I'm sorry you're the Fargate model or the model where you run your own host last is difficult question I think it depends on whether or not you have access to the
host so he do have access to the host's yes you will install such example Aqua customers install also the across functions so does not all out now the big question which one was security perspective which model is better Baggio providing definition of the service he wants to rob and asked containers but what you can do is build I'm sure it depends yeah I think it's very much in it depends question the more that you take responsibility full the mole a little bit like a sort of layers of dependencies and you can build you can have a layer that tells the enforcement poll that includes the enforcement these environments things I don't do as Fargate when you have access to underlying host you just have access to the I'm still someplace to install security agents in the container world Eric Yes the couple of ways of elegant and Lucon of static package waitresses Van Gates you know maybe many instances of that contain ritual taking still allow on on the host then you have some environments like containers sorry about security you probably want to validate fuel cells to it is secure as it should get your it gets scanned again that tomorrow you know that OpenSSL all of a sudden has a vulnerability in it that we know about it right now yes we e a lot more people switching to that you know a lot more of like the CI/CD that type of stuff so it's definitely catching on You know definitely seeing much more of it definitely a more of it going on a lot of people I work with are still kind of more old you know old school they they haven't really made a lot of switch to that but I am seeing if you're the customer do you go to the managed container model or where you have no access to the host or her or do you go sort of the Fargate model where you at criteria like how you want your applications scale and whether you need control particular features you security affect you have to take control of the I don't guess half that sum they shared responsibility not as probably I think security is
one factor that you probably making that decision based on other yeah I think what they'll kind of draw a line of WALLPA- on looking after from a security perspective and what they're expecting you to configure and Carol Hughes Als said the further up the level of abstraction the less you have I saw was fair I'm glad to hear I should probably add he wanted to see some very specific things with Kubernetes and configurations some very specific ways the managed services may not give you all those knobs in he actually has the talent and the knowledge and the know how to actually integrate security in a non intrusive way so that we're not you know the the proverbial last steps dials to to did exactly what you want Sans Depending exactly what you want James are you seeing a lot of containerized deployment right now look at you know you look at your customer base the people you interact with every day how much of the of the user base of containers and virtualization is actually annual configuration tests or anything you know it's Paul Wall snaking the whole system right now for the tough question how much how much of that will be meeting sanctions is that is that becoming easier from that aspect versus you know you look at secure coding right you have to know the code erasing easier simplicity deploy Cillizza under staff and some of the advantages the goal line function holding the train leaving the yard yet he's cultural change that he's tall what we did you just mentioned CI/CD building all this stuff in your pipeline so that you're not scanning things manually running level you're talking more like configuration files you're talking about looking at the images to see what there is that easier to track and look for the security risks Oh for whatever reason we call it an agent we call it an enforcer but it's secure engine compared to the long heist tight from our you will coin de sac helps I think that's that's really cool to the success of this contract and how many
organization understand the languages you have to understand all the vulnerabilities there's a lot to do you know when you get down to the code level side of things when you talk about the orchestration side there's a lot good question I think that orchestration itself is is quite complex comes ways a favor pentastar become and and ties but I think the decisions of which model e the expertise all whoever's providing that manage status Yeah I think increasing the skill set helping people Tori Mesa sound really complicated automation is your friend in all of the you know the and that's the kind of advances Dan doing sounds like a code level that easier to get people more up to speed on how to do the orchestrations that side of things I guess the routine things that will help associated one is the automation the we mentioned a number of concepts that people have to say if they need to know how looking they'll have to kind of understand some some some new concepts but also adding as much of the of the security infrastructure and underpinnings that we need into the it into the stack because you don't have to tooling will help you get things get things done get security in the right place so talk about that knowledge that skill set on shore the vast majority don't yet And I think as an industry meeting to make so you know I I told you about in having all these different layers and decomposing the properly into all these different elements that you can then see kid and off right if if we can have security into the hypervisor we'd had security into the Kubernetes master host if we can have security built into the network without having to how the security scientists was the kind of development and operation side while so that at least that's incurred the feel like the the better security is woke simplicity quite frankly right so if we can get simpler could I can this one container and if I'm running in a in a managed model right on have access to the to the host get
somebody set up a container that can then go louis means tools lollies need scales Linux concepts is going to be really really crystals any organization wants tools out there are with pretty you is that help you kind of build a bunch of this stuff up is that make it easier because you're not necessarily getting down code community driven Sunday events much during online so much knowledge sharing and that really will help us cleansing more simplifications to be naive but I think we all we all getting that I think we increase in the understand united this whole thing that contain around this is probably not how we should have started really using managed systems all you'd have to worry so much you you don't have to night sign off because somebody else is you're taking in my current role where were you know it's a high skewed environmental date you don't get admin locally and the first time the agents at the thing and the other thing and in the thing on top of that thing we were always going to be better off the question is are we are we are being there do you think we're getting there I would maybe in the right direction for sure there's plenty more imprudence down through the the host and backup to me because we're all root anyway right why can't they attack me and it's like well I mean conceptually the answer's sure it'd be a really big staff that that'll be huge 'cause I know one of the things that some of the folks I've talked to are afraid of quite frankly is you know can stuff for you when you need it will configure it for you oh God this is awful these experiences not optimal right so it's not security team's fault but it's it's I feel like there's there's entity that goes you know what are you users don't know what you're doing you guys don't get root but but we're we're different an will click on everything just like you will but we're gonna run special and listen listen I can't have any thanks for security I think we're definitely understanding
wall difficult should be even if we made them the default yet I think a lot of
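The episode keeps coming back to the same point: a container shares the host kernel, runs as root by default, and is only as contained as the configuration around it (user, capabilities, privilege escalation, seccomp, read-only filesystem), so the "any-any allow" default has to be tightened before production. The following is an added example written for this page, not code from the podcast, from Aqua or from the DtSR hosts. It takes a constructed Kubernetes Pod spec for an nginx container left on Kubernetes' defaults, lists which of those weak defaults are in effect, and produces the hardened form. The non-root uid (101), the unprivileged port (8080), the nginxinc/nginx-unprivileged image and the /tmp emptyDir mount are assumptions about the image being deployed, not facts from the page:

```python
import copy

# Constructed example Pod (not from the podcast): an nginx container left on
# Kubernetes' defaults. Nothing here says "root" or "privileged"; the
# weaknesses come from what is NOT set.
INSECURE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "containers": [
            {"name": "nginx", "image": "nginx:1.25",
             "ports": [{"containerPort": 80}]}
        ]
    },
}


def check_pod(pod):
    """Return a list of findings for the settings the episode warns about."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}

    # Host namespaces hand the container the host's view of processes/network.
    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns):
            findings.append(f"pod: {ns} is enabled")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c["name"]
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged")
        # Container-level settings override pod-level ones; with neither set,
        # the process runs as uid 0, which is uid 0 on the host kernel too.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not run_as_non_root and (run_as_user is None or run_as_user == 0):
            findings.append(f"{name}: runs as root (uid 0) by default")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        dropped = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in dropped:
            findings.append(f"{name}: does not drop ALL capabilities")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile")
    return findings


def harden_pod(pod, image="nginxinc/nginx-unprivileged:1.25", uid=101, port=8080):
    """Return a copy of pod with restrictive settings applied.

    Assumption (not from the page): the image can run as the given non-root
    uid and listen on an unprivileged port, as the nginx-unprivileged image
    does; the stock nginx image expects root and port 80, so the image
    reference is swapped too. A read-only root filesystem needs writable
    emptyDir mounts for whatever the process writes (here /tmp, where
    nginx-unprivileged keeps its pid file and temp paths).
    """
    hardened = copy.deepcopy(pod)
    spec = hardened["spec"]
    spec["securityContext"] = {
        "runAsNonRoot": True,
        "runAsUser": uid,
        "seccompProfile": {"type": "RuntimeDefault"},
    }
    spec["volumes"] = [{"name": "tmp", "emptyDir": {}}]
    for c in spec["containers"]:
        c["image"] = image
        c["ports"] = [{"containerPort": port}]
        c["securityContext"] = {
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        }
        c["volumeMounts"] = [{"name": "tmp", "mountPath": "/tmp"}]
    return hardened


if __name__ == "__main__":
    for label, pod in (("default", INSECURE_POD),
                       ("hardened", harden_pod(INSECURE_POD))):
        print(label, check_pod(pod) or "no findings")
```

Running it prints five findings for the default spec (root user, privilege escalation allowed, full capability set, writable root filesystem, no seccomp profile) and none for the hardened one. The checks mirror what a runtime profile enforcer on the cluster would otherwise have to catch after the fact; catching them in the pipeline, on the manifest, is the cheaper place, which is the "scan before it ever gets deployed" point made above.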

Fatima Bhutto

Monocle 24: The Big Interview

29:13 min | 1 year ago

Fatima Bhutto

"I think in a culture where you have to be somebody. But you have to be that somebody all the time, and you have to have followers, and they have to approve of you, and like you and you have to constantly be performing a version of popularity or significance. What does that do to people on the fringes of their society who are not wanted and desired, who are not liked, not popular? I think it drives you to a place of anger, really powerlessness, and that creates a really bizarre impulse in return. Fatima Bhutto is part of the Pakistani political dynasty. She was born in Kabul, Afghanistan and grew up in exile in Syria before returning to Pakistan. Her family's history is one of subsequent tragedies. Her grandfather, the former prime minister of Pakistan, was hanged by his successor. Her uncle died from suspected poisoning. Her father, a prominent political activist, was killed in a spray of police bullets. In her memoir Songs of Blood and Sword, Fatima Bhutto holds her aunt Benazir Bhutto, Pakistan's prime minister at the time of the killing, and her husband Zardari responsible. Zardari was jailed for the murder, but became president after his wife was assassinated while campaigning in an election. He is still a member of the National Assembly today. But Bhutto's most recent book, The Runaways, is a bold story about radicalism, belonging and Muslim identity. I'm Georgina Godwin and to tell us more about the book and her intricate family history, Fatima joined me in London on The Big Interview. Festival. The story begins really with your grandfather, tell us about him. Well, my grandfather, Zulfikar Ali Bhutto, was Pakistan's first democratically elected head of state, and he was in power in Pakistan at a time when the country was really fresh from partition and independence, and he brought with him the hope and the promise of something new. It was a moment, I think, Pakistanis felt that the world was open to them, that a future was open to them, and when he was removed in a coup
d'etat by a CIA-backed dictator, General Zia ul-Haq, that ended that moment for Pakistan. And what followed was the Pakistan we have today, one in which the army has incredible control over the country, one in which the nation has been quite brutalized, and all that goes back to General Zia's 1977 martial law. So a lot of the laws we have in place in the country against women, against minorities, you know, the blasphemy laws, all those date back to Zia. So my grandfather really, I think, represented something to the country that we haven't really seen since then, or at least I haven't seen it in my lifetime, and I'm thirty-six years old and have grown up in the shadow of Zia's dictatorship. Your grandfather was hanged. He was. The family was never allowed to see the body. So we were told he was hanged, but they never actually knew; the dictatorship buried him before his family could see him. But he was arrested, he was kept in solitary confinement, and then he was killed. But the family political dynasty continued. It did continue. But I don't think anyone really has managed to represent those ideals that the family in politics began with, and Pakistan's history since then has been such a choppy one. You know, even in periods where we've had democratic Pakistan, I can't really say it's been very democratic. Holding elections is the most basic step of democracy, but it's certainly not the only one. Now, your father vowed to resist the regime. Yes, he did. And my father's life really was defined by what happened to his father. My father was twenty-five years old when his father was executed, and he had spent two years traveling around the world lobbying for his father's life, which I wrote about in Songs of Blood and Sword, and he resisted the dictatorship. And he spent sixteen years in exile from Pakistan. So when he returned back to Pakistan he'd been away for sixteen years; he returned back in 1994 because he'd won an election.
So he was a member of parliament, and he was killed not even two years into his return to his country. Let's talk about his time away, because that's when you were born. You were born in Afghanistan? Yes, I was born in Kabul under curfew. What was your childhood like? Well, I was quite young when we left Kabul; I was, I think, only three or four months old when my family left, but then they went to Syria, and so I grew up in Damascus, and the Damascus of my childhood really wasn't anything like one sees today in the news. I mean, certainly if you were a political opponent of the government's it would have been an incredibly difficult place to be, but on the other hand, if you were a woman, if you were a minority, if you gave, Syria was really quite an idyllic, calm, quiet place. And the Assad family wasn't very kind to you? Well, they gave us asylum, really. They kept us and allowed us to live in Syria. And so we did; I was twelve years old when we left, but you know, I thought of myself as Syrian for so long, because it was the only home I really knew. So until the war I would go back all the time, and I would really like to go back now. I mean, I don't know if it's safe, maybe Damascus, but I don't know. So it is, I suppose, one of the first homes I lost, with Syria. It must've been quite an interesting time between going back to Pakistan and before the tragedy of your father's death. Well, you know, I grew up in the way, I guess, many exiles grew up, with this constant promise of home and the return to home. So growing up, I was seven years old the first time I visited Pakistan; I'd never seen it until then, and it was a place that I knew really through my father and through his memories and his belonging, really, to be home. So I had this tremendous notion of what Pakistan was and what it meant and what it could be, and he would say all the time, this year we'll go home, this year we'll go home, it'll be next year we go home. And of course we never did, and then one year,
I remember, he said it and it started to become true. So for my father it was very exciting; of course, it came with a lot of anxiety and threat of violence, and it was a turbulent time. But for him the idea of his homecoming was so exciting, because he loved his country so much, and he sort of lived in limbo when he was away from it. You know, he never really learned Arabic, even though he spent sixteen years more or less in Syria, because he kind of lived in this sort of transit period. For me it was a little sad to leave Syria, because it was the only place I'd known; my friends were there, my school was there, everything I knew about the world was in Syria. But I was also very excited to finally go home with my father. And once we reached Pakistan, of course, the reality of going home was much starker and less romantic and more terrifying. And less anonymous; people absolutely knew who you were. Less anonymous, yes. Because growing up in Syria, nobody knew who I was; nobody cared, nobody knew. I went to an international school. There was only one other Pakistani in the entire school, who arrived just around 1990. His name was, unfortunately for him, Saddam Hussein. So there was a sense that I was sort of one of anyone at school. I never really felt anyone looking at me or watching me or anything like that. And then in Pakistan, of course, it was a different experience. But I think I was lucky enough to have not grown up in that, because it made me forever suspicious of attention. You talked to your father about him writing his own life story. Yes. Actually, just before my father was killed, it was his birthday two days before he was killed, and we'd had dinner, and we were sitting up late at night and talking, and I was asking him all these things, and I said to him, you know, your life is so interesting, why don't you write a book? And he said, sort of offhand, well, you know, you do it for me when I'm gone, and I was thrilled; I was always very close to my father.
But I was really excited at the idea that he would allow me, trust me, with such a responsibility. And you know, I wanted to start taking notes immediately, and he sort of laughed and said, no, when I'm gone, not now. Of course, two days later he was gone. And so it was always in the back of my head, the idea that I had this promise to my father. And I started the research for Songs of Blood and Sword long before I wrote it; I started writing it in 2008 because I had a sense that the people who I held responsible for my father's killing were going to come back to government. And I thought, if they come back to government they're going to erase things. So I no longer had any excuse to wait. At the time of his death, your aunt, his sister Benazir, was in charge of Pakistan. You describe that night. Tell us what happened. Well, my father was a member of parliament, and he was a very vocal critic of his sister's government, and especially his sister's husband, who went on to become president of Pakistan after my aunt's death. And he was coming home, my father, that night from a public meeting on the outskirts of Karachi, and when he reached the road of our house, which is a road, I mean, in Karachi, you know, a well populated part of the city; we live near a lot of embassies, including the British High Commission. And the street had been shut; all the streetlights had been switched off. There were no lights on the streets, and about one hundred policemen had been placed in sniper positions in trees; all the guards of nearby residences had been told to go inside their homes. So it was a coordinated assassination. It was not something that was done spontaneously. It had been planned very carefully, and very senior police officers were on the road that night, and my father and six men were killed.
They were shot several times, including point blank, and then they were left to bleed on the streets for about an hour before they were moved. All of them were moved, but not to hospitals; there's only really one hospital in Karachi that can handle gunshot wounds. None of them were taken there. They were just taken to different clinics and dispensaries and places like that. And I was inside the house while all this was happening. So we could hear the gunfire and the shooting. But with your brother? With my younger brother. My younger brother and I; my brother was six years old, I was fourteen. When the shooting started, because, you know, we were Karachi kids, we knew what to do in the event of gunfire; we knew to get away from windows, we knew to go to sort of corridors. I did that; I took my brother into a corridor and locked the doors and kept him there until the shooting stopped. But we didn't know at that time that it was our father who was outside, not just being killed but being left to bleed to death. And you called your aunt? I did. I called the prime minister's house, because after the shooting stopped we weren't allowed to leave our house. So when we tried we were told that there had been a robbery, the police said, and we had to stay inside. But it started to be very clear that something was wrong when my father wasn't coming home. You know, this was in the days before cell phones, so we couldn't text him or call him. We started to get anxious. And so I called my aunt; I was not put through to my aunt; it was her husband who answered the call and said to me, don't you know, your father's been shot. That's how we found out. And he, of course, is in government. He's... yes, well, he was; not now, he became prime minister. But the policemen who were involved in my father's killing, they all hold very senior positions in the police. They hold federal positions in some cases. They've been promoted many times in the... Well, now it's twenty-three years since my father's murder.
So in terms of justice, one can't really say that any form of justice has been carried out in the intervening years. Where did you go from there? Well, I was still in school; I was in ninth grade. And so we remained in Karachi, and I went to school and tried to live normally, as normally as one could. But it was always there. I mean, anytime I left my house or came back to my house, I crossed the road where my father lost his life. So the memory never really goes away. And not only that, you know, the people involved in his killing were very present too. So they never went away. They're always there. And then, you know, I went to university. But first you published a book? Yes, I did. That's right. Just fifteen years old. I was fifteen. I had started writing poetry as a school project. My father was very encouraging about it; he's really the reason I became a writer, and I had shown him some of these poems. And you know, he had sat with me and sent them out to publishers and helped me write the letter, and then after his death I published them with Oxford University Press in Pakistan in his memory, one year after his murder. So yes, that's right, I published that book, and then I had, I guess you would call it, a normal life. I went to university. You were at Columbia, and SOAS? Yes, I did my master's here in London at SOAS, and then I went back home to Pakistan, and I had another small little book come out after the earthquake in 2005. I went to visit the areas, and I'd collected survivor accounts, mainly written by children, and that was published, and all the proceeds were given back to a foundation, which is one of the largest in Pakistan, back to child survivors. And then I started writing a newspaper column for a Pakistani paper, and then that's, I suppose, the beginning of, well, the rest of this. And a life as a journalist, I suppose? Yes. So how old was I? I was twenty-four when
I started writing that column, and from there I wrote Songs of Blood and Sword, and that kind of pushed me further into books and away from journalism. So Songs of Blood and Sword is the memoir that we've been talking about. But then came The Shadow of the Crescent Moon, and this is a book set in really very different circumstances from your own life. It's five men; they're in a completely different area, and all of them have terrible choices to make. Tell us a little about that book. Well, The Shadow of the Crescent Moon takes place over a single morning. It's the story of this family and the three sons of the family who are all going for Friday prayers, but cannot pray at the same mosque because it's too dangerous. So in case the mosque is attacked, they will go to different mosques. It's the story of the brothers and the families around them, and it's set in the tribal regions, very close to Pakistan's border with Afghanistan. It's a story really of a country on fire, and how it is that young people, ordinary people, including two women, survive the turbulence of their country while trying to live, while trying to resist it, and have normal lives. And really, that's pretty much the situation the country's in. No, it was the story of Pakistan for a very long time. And I'm hesitant to sound too hopeful; I think in many ways, yes, it's still the story of Pakistan. But I think something quite extraordinary has happened over the last few years. I think Pakistan's people have had to endure so much violence, so much uncertainty, so much instability, that they really push back against it. And it's been quite nice to see over the past few years a lot of people resisting, whether it's through arts and culture or protests, but we're a very young population. You know, I always mention it because to me it's boggling, but seventy percent of the country is under thirty. And so you see that now, over International Women's Day,
there were a lot of protests, young women taking back the roads all over the country. And I am hopeful. I mean, I guess I'm never hopeful about the state or the way in which government is conducting itself, but I'm always, and increasingly so, hopeful about the way in which Pakistani people are choosing to live their lives, and how they're using that to sort of push back. Then in 2015 your next book came out, and that was Democracy. Oh, that was a short story. Yes. Gone, I forgot about that. That was a short story I did really for Penguin India. It was part of their kind of turn towards e-books. So I did a short story called Democracy, which is basically about Pervez Musharraf's coup, but told in fictional form. With a bit of wit too? I hope so. I mean, I think that's partly how you survive countries like ours. You have to have a sense of humor about things. So yes, it's the story of a general on a plane that's been stopped from landing, and then little other stories around the story, of a news reader who's got to go on air and tell the story of a coup. So yeah, that came out in 2015, and quite closely based on the coup. Memories are so short; I'm not sure people notice it, or you'd have to be a certain age to remember the visuals of that coup, which I was. And interestingly, my high school swim team was on that plane with General Musharraf, which had been denied permission to land and was circling over Karachi airspace with seven minutes of fuel left before his coup was successful. So I guess we all feel personally tied up. The Runaways, which is your latest book, which is, I think, a magnificent piece of work, and it's clear that many, many people agree with me. It's been beautifully reviewed. It has some blurbs from some very important people. And again, it's a completely different book.
It's really unlike anything you've written before, and it really examines, I suppose, the Muslim identity, young Muslim identity. Just give us the premise of the book. Well, The Runaways is about not just radicalism, but I think what the world doesn't want to say about the radicalized. So it's about the lives of these people, very much like anyone, like you and me, growing up between Portsmouth and Karachi, whose lives drift towards this path, and they drift for very different reasons. So there are several characters, but they're all young, most are Muslim, and their lives, I think, are of alienation, isolation and a lot of millennial confusion. And so it's a novel about pain and how that leads to things like radicalism today. I think dislocation and exile is really, really important in this, and indeed in the life of anybody who feels that way. There's one wonderful line you write. Now, this is about one of the characters, Sunny, and his father has left Lucknow and gone off to live in Portsmouth, of all places. You write: the plane is not strong enough to transport the burden of his expectation across the black waters of exile. That's just such a stunning line. And it just sums up so much of what that feels like. I mean, you go on then to talk about the smell, the scent of loneliness, and I think anybody who's ever left their home country can completely understand what you mean by that. Well, you know, for South Asians especially, the idea of exile is so painful. You know, we do call it black waters because, you know, at least in the Hindu tradition, which seeps into a lot of Muslim culture too, coming from India, there's the idea that you are polluted by leaving your country, that your spirit is defiled by exile and displacement. And so people who do it do it on the expectation that something really great awaits them on the other side, you know, something beautiful has to be on the other side. Otherwise you've just destroyed yourself, really, to make that journey.
And so that section that you just read from is from Sunny's father, who travels, really kind of glamoured by what he sees, you know, in James Bond films, and expects that England is going to welcome him. And it doesn't, and what he finds instead is the loneliness of not being accepted, not being included, and also the shock of poverty, which exists in England in a completely different way than it exists in India, and the absence of community, which, no matter how long he stays in England for, he never quite builds up in the same way. And his son's experience: the father still believes that there might be a place for him in England, in Portsmouth, but the son's experience, you know, as a second or first generation immigrant, is that there isn't any place, and he resents his father for dragging him out of his own country, where he might have been someone, where he could have been amongst his own, to this place that never really rejects him and never really accepts him either. And his experience, and I don't think it's a plot spoiler to say that he is radicalized, is really out of that frustration of being in a place where he feels that he can't fully exist, isn't fully seen. He wants to be seen. And I think you really pick up on, I want to use the word zeitgeist here, which I dislike intensely, but the whole millennial zeitgeist of needing to be seen, needing to be on Instagram, to be on Snapchat, to be out there, to be someone, and eventually to be someone who does something terrible. Yeah. There's this incredible culture, I think, that millennials, whether they're eastern or western, radical or not radical, ascribe to, which is this culture of the self, you know, and what is fascinating about today's radicals is that they don't really require secrecy or discretion, because they want the same thing a millennial in New York or London wants, which is to go viral. And I think in a culture where you have to be somebody,
but you have to be that somebody all the time, and you have to have followers, and they have to approve of you, and they have to like you, and you have to constantly be performing a version of popularity or significance, what does that do to people on the fringes of their society, who are not wanted and desired, who are not liked, who are not popular, and who don't have something, you know, fascinating to add to the conversation twenty-four times a day, every day? I think it drives you to a place of anger, really, and powerlessness, and that can create a really bizarre impulse in return. And so Sunny does feed into that. He does, and I think he tries to find belonging in many different ways. He tries to find it in his school; he can't. He tries to find it in his community; he can't. He goes to the mosque and doesn't even find it there, because they don't understand what exactly he feels so alienated by. And he's sort of groomed by a cousin; he's groomed by a cousin who comes into his life at this vulnerable moment and says, why are you fighting here? They don't need us here. But there is a place where you can be powerful, where you can be seen, and that place needs you now, urgently. And of course, for him, and indeed for the other characters in the book who are drawn over to the caliphate, religion really has nothing to do with it. It really doesn't. You know, I think this is maybe what is not clear in the West, but for those of us who live outside it has always been pretty clear that the people joining these fundamentalist movements are drawn to them not because it feeds into a religion that they ascribe to, but because it's a cult of power and violence and, like, a ferocious sense of significance. But religion actually, even according to MI5, is an insulator against radicalism. It's not a feeder to radicalism. And we see it in the news all the time: all the people who go off and join these organizations
don't know the first thing about religion. You know, they're buying the Koran for Dummies off Amazon before travelling; they have this kind of diluted, Chinese-whispers version of something they consider to be a religion, but it's never actually grounded in any religious identity or belonging. So how does one address this anti-Islam feeling around the world, where people, uneducated people, unthinking people, equate the religion with terrorism? We're seeing so much of this now after the shooting in New Zealand. You know, many people are coming forward to say that the media is responsible for a lot of that anti-Islam feeling. I think it's fed by this sort of cabal of right wing politicians, you know, newspapers that just want to sell copies. And how do you sell copies of a paper? How do you do clickbait? You terrify people. And so you have to terrify them constantly, all the time, and the fastest way we do that is to other an entire group of people, to reduce them to some tiny, terrifying story. And partly why I wanted to write The Runaways is to do the opposite of that, to say, yes, there is violence, there is this problem; it doesn't come from religion. And in fact everyone is implicated in that problem. You know, the twenty-year-long wars in Iraq and Afghanistan are a huge feeder to radical groups. You know, the politics that we see around us, Donald Trump's speeches, those are huge feeders. But it's not Islam that does it. It's not the intrinsic experience of being Muslim. And it's offensive. I think it's really wounding to many of us who live in a world that isn't run by, you know, I don't know, The Sun or Fox News, or, you know, we have a much wider experience. And it's sad not to see that wide experience reflected in the world around us. So I hope this novel does that partly, and certainly there are many other great writers from Pakistan, India, Iran, the Middle East publishing, and I think we have to read more of them. Absolutely.
We are going to read more of you, though, because you're working on something new on popular culture. Yes. So the book that I'm working on now is not going to be a novel. It's a book of nonfiction reportage on the new global pop cultures coming out, not coming up from the Anglo-Saxon world but coming from Asia. You and I have talked a lot about K-pop and planning a trip to go off to Korea. Oh, we should, as we absolutely should. Because I just, for the record, think we should state that we're obviously academically, anthropologically interested in K-pop, while unfortunately being interested in the music. We're going to be blasting the K-pop. Before we go, I have to ask you, I suppose, the serious question, the one you get, I'm sure, asked all of the time: will you be the next Bhutto in Pakistani parliament? You know, I always have said that politics is something I'm fascinated by, always have been. But I had this other love, which is books and the written word, and so long as I'm able to talk about the politics I wish to talk about through my writing, I'm pretty happy doing that. Thank you so much. Thank you. Thanks to Fatima Bhutto. Her book The Runaways is published by Viking. The Big Interview was produced by Julian go fund, research by ROY Goodrich, Christine Evans, and by Kennedy, scarlet and Cusi. Gilpin to Tina go train. Like listening.

Facilitating Connectedness Among Physicians with Benazir Ali, Clinical Growth Strategies at Flare Health (Previously)

Outcomes Rocket

23:09 min | 4 months ago

"This episode is brought to you by EHR Go. EHR Go is a simulated electronic health record with a catalog of realistic and diverse patient care scenarios included. Go helps educators teach a human-centered approach to technology in healthcare. Find out more at healthpodcastnetwork.com/rocket; that's healthpodcastnetwork.com/rocket. Welcome back to the Outcomes Rocket. I have the privilege of hosting Dr. Benazir Ali. She is the clinical growth strategist at Flare Health. She's an MD interested in life science, digital health tools and diagnostics that make delivery of healthcare to patients more efficient and effective. She has a diverse background with strong foundations in both the liberal arts and basic clinical sciences. Her work experience includes clinical and bench research, healthcare consulting, teaching and healthcare securities litigation, a very fascinating background, and today we're going to be honing in on exactly how we could improve healthcare delivery with digital. And so it's exciting to have you on the podcast here today, Dr. Ali. Thanks so much for joining us. Hello. How are you? Hey, doing well. So you're a literature major? I was a lit major, exactly. Right, from that into medicine; make sense out of that, like, tell me how that transition happened. So I was a lit major with a double in gender studies, and I always really liked the sciences, but I didn't really think I wanted to study them, or... I did stuff from the sociological perspective on health groups, a lot of stuff about what groups of people have better health care and which don't, and after I graduated I started volunteering with a sexual assault program at a hospital a lot. And it kind of snowballed from there. I ended up in a securities litigation position. But one of the cases we worked on was a huge pharma case, so I had to do a lot of scientific document review, and it just all kind of fit together.
I went back to school, did a post-bacc, and then did a whole bunch of healthcare work, and then went to med school. Oh my gosh, man, that's awesome. Such an interesting background, atypical, and also very, very fascinating. So what is it that inspires your work in healthcare? So I think what I really always say to people is that every industry has really wedded technology, right? Like if you look at the auto industry, the food and beverage industry, the hospitality industry, any industry you can think of has really married technology. Healthcare went on a date with technology in, like, 1985; they didn't get along. Then they went on a date again. Healthcare goes to technology, and it's just been this relationship that just hasn't been solidified, and it's frustrating. Especially when you're a medical student, one of the things that you end up doing a lot of in your third year of med school is waiting for faxes on the floors, for records from other hospitals, and it's just an archaic way of doing things. I was given an example by a physician who is also an administrator, and he said you can go anywhere in the country, put a plastic card into a machine, put in four numbers and get out a certain amount of cash. But if you are in a hospital in zone A and zone B is two miles away, if the zone B hospital doesn't have the same electronic medical record, you're waiting on a fax, and it just blows my mind. There were definitely times in the hospital where I was like, it would be easier for me to walk two miles and physically get the records. So things like that really got me interested in the tech side of healthcare. Yeah. No, you know what, you're right. The opportunity to leverage technologies and actually go beyond that date is there. So tell us a little bit about how you and Flare Health are improving health care for the ecosystem.
So people generally think that if you're a physician you must know all the other physicians, and the truth is that more than eighty percent of doctors have fewer than twenty doctors in their network. So there's this issue where, when physicians are faced with, okay, who should I go see for XYZ, they often don't know. And also, as health care grows, and as there are more and more specialties, even within, like, a sub-specialty there are sub-specialties, and so certain physicians like doing one thing or are better at one thing, and there's no real way of flagging that. And so what we do is we create referral apps for large hospital systems, and through these referral apps doctors can make referrals to specialty care physicians within a hospital system, and they can kind of search based on things like insurance, location, sub-specialty training, and they can really hone in and find the right physician. And it really focuses on a patient-centered approach, and we're really talking about fixing that doctor-patient fit and getting them to appointments. And it matters, right? I mean, when you're talking about getting the right doctor, it could mean overall better outcomes, it could mean faster recovery, and that's what's interesting: what better means really depends on the patient. Now, I trained in Camden, New Jersey, a significantly underserved place, lots of opioid use, and so, you know, a lot of my patients didn't speak English, a lot of them are hourly workers. For those patients, the right doctor is the one that's going to have availability and be reachable by some kind of public transport; they don't have cars, right? And for those patients the right doctor is very different than somebody who maybe lives in a suburb and has the ability to take off work for an entire day and not lose wages. So that really is something we have to think about, because we're not going to be able to change the entire system all at once, right?
So right now we have to really make sure that the patients get the kind of care they need as best as they can. No, that's interesting. So let's say a given healthcare system. So you're saying that today they really don't have the setup for physicians to be able to tell the patient, hey, you go to this doctor, this is the best fit? There really isn't anything. A lot of it is word of mouth, and, you know, I went to medical school with this person who went to residency with this person and they know this person who does this; a lot of it is like that. A lot of it is, you know, people you know through work, and it's not necessarily... you know, you might have a person that is the cardiologist, but they may not be the one who specializes in resistant hypertension, right, or there might be somebody who specializes in AFib who might be better equipped to handle those things. Now, that's really surprising. Yeah, and I mean, similarly, it's the same really with... I remember there were a couple of hospitalists that I was training with at Cooper Hospital, and one of them was particularly interested in the liver, and so he was a hospitalist, he had done an internal medicine residency, had not done a GI residency, but all of the really complex liver cases would kind of be funneled to him before they would go to other hospitals. You can only build your practice around what you're interested in, what you're good at, what you're well informed about, and there's no real way for people to know that right now aside from word of mouth. Wow, that's definitely surprising, and a great opportunity. And I even think about physician burnout too, right? When you're wanting to get physicians to work on what they love and thrive at work, if you have a tool like this, right, if you're a physician listening or you're a hospital executive listening, like, what if you had a tool that would help your physicians shine and they could plug in what they're best at?
They have ways to be engaged with what moves them. Yes. Absolutely. Ryan I mean is kind of what you guys are heading after. Absolutely people are less likely to burn out if they don't hate what they're doing. And that's just the truth. Right and I think that there used to be a notion that it's your doctor you have to do as medicine gets more and more specialized realizing that that's not the case you can really focus on certain things and then you have people that are wonderful primary care physicians that are very holistic that one focus on the higher patient as a whole that avid self a holistic medicine in and of itself is like a another area now. I agree with that though interesting. So we're talking about outcomes here talking about physician wellness talking about being more efficient with technology and and so how has what you guys do improved outcomes and made business better absolutely. So right now is unique. The typical way referral kind of gets processed is that you'll go to your primary care physician that physician will tell you look through your insurance. They'll give you a name of a few specialists. They think are good fit fronts. You have a domino pain that just isn't going away and then you gi they will look through a few of their their networks. Love you a list of people use then take that list you call that that office, you make the appointment if you can get in touch with them, the referral has. To be faxed over the office has to get the facts. It's a very, very long slow process ner a lot of a lot of points along the way where people just get tired of say okay. I'm not going to see the specialist about or read about it. I'm just going to deal with a problem with that is that sometimes you actually do discuss specialists and then you. 
Know three, four, five, six months later your way way sicker example of this I think that's really that's really hits close to home with me is that my father had a hemorrhagic stroke at the age of fifty three and he's a non smoker non drinker but just had hypertension uncontrolled for a long time and of course, no real symptoms for hypertension for most people, right. So the. or so someone like someone like that who? Probably. Go to a specialist together hyper hypertension control because it's you know resistant to medication or whatever who doesn't is then you know can get into a situation where they have they have A. Stroke they have this ability they're losing time at were there. It's it can turn into so much more than it has to be so that really getting out patient to the right decision, a lot of cases is really important for things escalate. Wow, such a great example and so personal I appreciate sharing that and our APP does is we have our APP, is like basically a map on the phone, he's an ipad eventually also going to have it on the desktop but for now it's on phones and what you can do is you can select the specialists you put in the. Patient's first name last name date of birth. A quick reason for referral. You just click said and automatically happens is the referral gets electronically sent to that specialist's office that specialist office gets paying they then call the patient themselves they reach out to the patient which I think is a key difference in the way things are done right now. Right they reach out to the patient makes the point they put the information in a stem and in the referring physician can see these updates on their phone. So you're you're referring physician, your specialists are both in the loop networks going which endings often. Also a problem because there's not a lot of transparency and often PCP's especially Docs aren't collaborating as much as they can. Right. 
So it sounds great, and today it seems like we're definitely very focused in the clinic on, you know, doing everything through the EMR. Tell me a little bit about how it integrates with the EMR, maybe not yet, and the vision around that. So yes. So currently we integrate with the EMR at one of our sites. The eventual goal is that all of, obviously, all sites want it. So we're working on that, and the eventual goal is going to be that you put the referral order in on the phone and it auto-populates in Epic or Sir or whatever you use. And also another idea we have is that it would kind of, I don't know if you've ever seen UpToDate. I have not. UpToDate is kind of this spirit physicians go to get the most up-to-date research information on, you know, best practices, and when you're in Epic, which is an EMR, you can kind of toggle back and forth between Epic and UpToDate. So the goal eventually would be to have like a Flair window within all the EMRs. And so yeah, and we don't wanna, ising innovation is great, but sometimes I say lakes has run innovation isn't bad either, like you don't necessarily need to rebuild everything. Great. So let's work on how we can integrate with them rather than building something completely different that doesn't talk to the EMR. Yes. Very big on integrating with the EMRs. Got it. Yeah. That's critical, I think, to really gain adoption. I had no idea that the referral system was broken. Appreciate you highlighting this, and I'm sure the listeners are like, wow, or some of them are like, yeah, no kidding. Like, thanks for the opportunity here to make it better. Hey, Outcomes Rocket listeners, does technology in healthcare education sometimes feel like the tail wagging the dog? You should check out EHR Go. Go uses case-based learning to teach a human-centered approach to technology and healthcare education, with over three hundred multifaceted Asian cases presented in realistic simulated electronic health records. 
Go help students build clinical judgment skills while also learning to effectively document with an HR when working in go students have to evaluate and organized competing healthcare needs in levels of urgency while. Making simple complex clinical judgments about their patient care just like in real life use an all educational healthcare disciplines go could be used within or between programs and is the ideal platform for inter professional education web-based with no software to download or maintain go could be used on any computer or browser for in-person learning or for remote or hybrid lessons. Go is the only educational platform puts human care at the heart of technology learn more about go by visiting health podcast network, dot com slash rocket that's health podcast network. Dot. com slash rocket. Would you say it has been one of the biggest setbacks that you've experienced McKee learning from mass. Particularly, in this role or With flair health and sort of how you guys have rolled things out what you learn. So we I think one of the biggest setback I mentioned before is held chair and its resistance to change from and that I see that everyday right I see that when I went to the health. Conference in Vegas, it was Oh, invigorating, and so refreshing because I was surrounded by all these innovators healthcare that want to change. But then you come back and you work with a lot of google physicians who just are set in their ways and they don't want to change the way the system is run but also complain about the way the system is from so that I think is the biggest is the. Big. Setback but I think that's changing I think with every generation of physicians that we create they're becoming more and more tech savvy. There's more of a focus medical education to really embrace change not as much as there should be, but it's there and it's happening, but it's a slow process. So it's definitely a big pain point for a lot of innovators in health care. 
So we talk about a lot of things on the on the podcast definitely outcomes improvement, but also business success. So tell us a little bit more about the business opportunity here I mean is there with missed appointments there's lost revenue right and so maybe you could highlight a little bit of the benefits of for the business of. Absolutely referrals are a huge huge huge part of a hospital systems revenue and when appointments are missed, you lose it out revenue obviously. But again, if that appointment is Miss, not patient ended up getting sicker then you're now costinha system a whole bunch of money as well and the second imposing a lot of the focus of the referrals as in the past has been let's keep referrals with our assistant. Let's keep his haunt as many referrals as we can within our system I think what aright eventually it yet is that less get patients to the best of the best person that does that that treats that ailment dray. Oh s different institution has people that focused on the. Things that are best at won't be an issue of losing referrals because if you might lose deferrals for one kind of issue, you're GonNa gain them for something else because you have an expertise and something else and I think that really pushes every healthcare system to hone in on its on its physicians and relief draw them what they're best at low it, and you know we're all experts in a specific area if you really lean on others to become more efficient and and to improve your referral, the way you're doing referrals meaningfully. INCA. flair health has some options. You Might WanNa WanNa think about and consider so what would you say you're most excited about today I'm really Really big project right now that I'm very excited about and that project basically is An it's something that I've been vision. It's the idea that we would get all the safety net hospitals safety net hospitals are hospitals that catered to the under served at a higher percentage than other hospitals. 
A larger percentage of their patients don't have insurance or are on an. Uninsured or have state insurance, and the idea would be that we would get all of these safety net hospitals on one giant electronic platform, and we would then have all a federally qualified health care centers, different primary care organizations that gender serve beyond the up their side and be able to refer into this huge platform, and so it'd be a way to get these underserved patients, a specialty care they need, and it would allow their. Physicians to be able to choose like five, six seven dockers with thousands and thousands of doctors across a large geographic area, and what we're looking to do is you know you'd be able to search by things like insurance by things. I. First Available The sub specialist training are you close to public transport all the things that you would need to really find the right specialist for your patient especially, those patients who don't necessarily have needs to. Get the best healthcare for shelley country. Yeah. You know it's a nice project and thinking about access right and and making it easier when you talk about having all the safety net hospitals and just kind of a the vision maybe incorporating the government Medicaid, you got some funding to figure that out I think it would be really meaningful to the less fortunate in means to improve access right? Absolutely and I think that if you. Take, if you increase the communication between Primary Care Physician and the specialty care physician that's only gonNA benefit the patient it only benefits the patients to have all the doctors that are taking care of them to be able to talk to each other candidly urban lay, and that's another piece of the puzzle with our with our platform is that we really want to increase that transparency between the referring physician and a physician that's being referred to. Very interesting. So fantastic Dr Ali, appreciate the insights here the referral system is broken. 
We need to find ways, innovative ways, to fix it. Flair Health has provided some really interesting ways to meaningfully improve that physician relationship network. So check them out there at flair health dot com. So what are you reading nowadays, Benazir? What would you recommend as far as books to the listeners, bookstore listeners? On marrying right now, I just finished a re-, I'm reading a book by Tana French, I can't even remind warm the name, I don't really talk my head, I was eliminated. Books I recommend. I do plan on finishing Book Santorum at some point, about eleven hundred pages though, about been about eight hundred last year and a half. While in terms of sacred books or books I really like, I would have to say one of the first books that made me cry and really that I really loved, like in high school, I read was Beloved by Toni Morrison. I think it's a really, it has opposite supernatural aspects to it, but it also is based in reality and beautifully. And it says a lot about, a speech a lot about, I'm very passionate about women and women not only marginalized, he often do, and in the book there's a part of the book where Toni Morrison is, she always assumes the best part of her is her children, and modern, another Turkey says, well, no, you're the best part of you, and I remember being like, oh, shouldn't everybody know that, but she, you know, the way it was written. It's Arabia's bucks. That's probably my favorite book. Love it, what a great recommendation, and it touches the human aspect of what we should be thinking about and considering: identity, what is your identity in this healthcare ecosystem and in general. So love the recommendation. Again, folks, go to outcomes rocket about health, in the search bar type in Flair Health or type in Benazir, and you'll find the entire show notes, transcript and shorts to our discussion today. 
I'd love if you could just leave the listeners Benazir with a closing bod, and then the best place listeners could continue the conversation with you slowly. So I was thinking I was having this conversation with my dad the other day about just about you know career and lives and. He said to me don't ever forget to celebrate your failures just as much as S.'s because I. You know he's very much. She's much more than I am really believes that our for a reason, this is a man. Stroke and still will be like, Oh, well, how I'm glad he's doing well by the way. Yeah, and he he'll really happened for a reason. So I sometimes struggle at that but he's much better at that and so I think it's very important to count your blessings and your successes. But to also be thankful for the things that didn't work out because those things not having worked out are what kind of bring you to where you are and open your doors for you and I think it's very important to keep in mind not always kind of sit there have been. Better if I don back, well, then you wouldn't be doing what you're doing right now and chances are that this can Yasu. Yeah. No, that's a good one and yesterday I was running and I as playing this kind of like inspirational youtube thing while running treadmill and it was the rock he talked about the how not making it to the NFL created this incredible opportunity exactly what a great message from your dad and night you're laying it to us. So appreciate you sharing that and again folks the opportunity here that Dr Ali as really presented to us as let's look at our referral system and are we doing a good enough job? Are We? 
Improving outcomes the way that we could be improving them by making the right referrals to the right physicians and are we missing out on revenue because if we are, it's it's it's a problem and we need to fix it and Dr Ali where's the best place that people can get in touch with you Sherry and can reach me at my email address is probably the best place it's Benazir. Dot L. E. A. DOT COM B. as in boy E. N. A. Z. hasn't Zebra I our ally Jamile DOT com. So Dr Ali just want to give you a big thing and really looking forward to staying in touch house. Good. Thank you very mature me.

A little about travel.

CharlaConAngel.

12:02 min | 11 months ago

A little about travel.


Episode 164: Bobby C.

AA Beyond Belief

47:45 min | 10 months ago

Episode 164: Bobby C.

"AA Beyond Belief is a podcast by, for and about people who have found a secular path to sobriety in Alcoholics Anonymous. Good Benazir Ben Benzon Video. Yeah, so here we are. Thank you everybody for joining us here on AA Beyond Belief today. I don't know why I said that, we're not live. This is just a recorded podcast anyway. Good to see you there, Ben. Hey John, sorry for my tardiness, bumpers slip and then my wife I internet, so you're fine. And then you've got Bobby C. here, he is from Huntington Beach, California. Bobby, this is Ben. Hey Bobby, nice media. I've been looking forward to meeting you. Nice to see you, Ben. I just got done saying more video but now he just went off. So that's, yeah, it's good. I finally got to speak with you, saying you. I've been seeing you on the podcast. I've been watching mostly all our chance on both channels. Oh good. I'm glad. I enjoyed your talk with John the other week too, on the other podcast. Yeah, that was kind of fun. That spirituality topic is always kind of controversial. You know, people hate it and some people, I'm like, I really don't care, you know, do what you want to do. So, I don't know, there's a variety of things I guess we could talk about, Bobby. You know, last time that we spoke on the other podcast you shared a little bit of your story. You talked about the meeting that you started and some of the other recovery groups that you participate in, and we were talking a little bit beforehand and you thought that one topic of many that we could talk about might be anonymity. Would you want to talk about that, and what your feelings are about that, or do you want me? Sure. Well, we could, I'll go and we could discuss it yourself. We could talk about it a little bit. Just go into this, my story just a little bit, to where I'm at now with the anonymity stuff. When I came in thirty-six years ago I didn't even know what a rehab was. There was only one place to go, and as you know, it was Alcoholics Anonymous, so I was. 
I was fortunate that you know a friend of mine was not friend of mine but he came became my friend he already was going to alcoholics. Anonymous came over and he took me to my first meeting mentioned that last art kissed but before that I I had no clue about a rehab helper. Any other form of a recovery I know is I started using very early. Probably I don't know how Joran fifth grade but that's when I started taking my dad. Cigarettes started smoking cigarettes and fifth grade. It's crazy to even think back you know and then from there it. Even if v moved from one town to another and I was in fifth grade and met a couple of friends in the neighborhood and back back. East I come from South Jersey so back. Easter was a lot of a lot of kids my age in a neighborhood and we picked up and I started probably about fifth sixth grade taking a little bit of wind year. And we'll sit there go out and pour a little bit in a little jar. Take a little whiskey. Everybody took a little whiskey added her parents cabinets and would meet down to go in. And I'd hold my nose and Swig a little bit of a half of a thing of whiskey down and I don't know how it was crazy. That was the introduction to it in kind of a crazy way just progressed. One in one and You know I I like to say today. Did it was a choice for me to take that first drink and it was a choice that I chose to take that for a cigarette and it was a choice to take the other things but it wasn't a choice for me to get addicted to it. That's for sure I didn't realize I was going to become addicted to an eighty substances but I did and then talk about progression in progress and my stories just like anybody else's it was like in the beginning. Wasn't that bad then as you turn. The pages became Doing the same thing over and over again and I didn't expect some different results. Different results ever came out of it kind of got. Kinda got worse and we never got better until I came into alcoholics anonymous and was February. 
Twenty seven thousand nine hundred eighty seven but when I came men anonymity you know they say on the media's The spiritual foundation at a program in today what I thought that would I think today is completely different and as my journey evolved throughout the alcoholics anonymous program as I as I stated in the last podcast I went to many different things. Acoa CODA meetings did one on one grew a went to some men's meetings different types of man's meetings and I read different books different spiritual books different motivational speaker. Books and my mind started expand so when I was going he's meetings I always had. I think we talked about that. Cognitive dissidents from the very beginning and Anonymity was always talked about as the years go went on. I kind of started finkel. My own and started to think question observed come aware of different things because of the outside information I was getting and I start seeing movie stars. You know. Talk ABOUT THEIR THEIR RECOVERY. And we know bill and other speakers broked around in any way back down but today. I don't know everybody. I don't think it's I actually think people don't they? Don't care about that because I think the trends. Going to less labels less stigma stigmatizing Less Less words did that. We're using to describe us. You Know Alcoholic. Alcoholism anonymous the disease concept. I believe. That's that's GonNa that's GonNa go away don't you? We gather I think the anonymity is is a personal choice and that There are some people who need to because of their careers or whatever Have a reason to keep it. You know out of the public level and I can certainly respect that and so you know. I feel obligated to respect their privacy. And they're in an empty I think that for me personally. I'm Kinda done with the tradition of anonymity however I do respect On this podcast just out of respect for AA and since a is in the name of this podcast and the people who listen to it are primarily members. 
I do try to follow the traditions best. I can so I do. I maintain my anonymity here. But when I read about this Principle or tradition of anonymity and sorry and the twelve traditions and And the twelve steps. That bill w wrote the primary reason that we have We're anonymous is that we're not out there. It's for public relations. So that we're not out there Acting as spokespeople for a and then and then lost it all up and I just don't see people doing that. I don't think that that is a problem. I you know. And I think it's almost idiotic because there are many other programs like smart recovery and life ring where people can talk openly about their involvement and nobody is is is accusing them of being a spokesperson for their particular program. You know so I I really feel like it was kind of a way at that time for those people they and they probably felt it was important to control the message as much as much as they could and so they wanted everyone to be anonymous Except for the big guys who would go around and talk about the program that was just. That's just my feeling. I also think that it stigmatizes the disease a little bit. You know like it's like every we're all in hiding or something now and I also though that being said I also recognize. There's a huge difference between being anonymous and respecting someone's confidentiality so that. If I'm at a meeting anything I hear in that meeting stays there. You know I have no right to go around talking about what I hear a meeting. But that doesn't have anything to do with anonymity that has to do with just respecting the confidentiality. That we have in meetings. So that's kind of my take on it. That's where I kind of evolved to this position but I still kind of tip toe it a little bit. Sometimes I crossed the line when I don't mean to and but I'm not as worried about is I used to be What do you think Ben? What's your take on that? 
Well, you know, you guys made a lot of good points, John, the last part you made too about anonymity. I am one hundred percent for anonymity, and how it is everybody's decision as to whether they're anonymous themselves by being a sober person. Not like, it's never my right to go out and say, oh, hey, I know this guy John S., use your full name and say, you know, he's sober too and does this, does that. That's not for me to ever, ever blow somebody else's anonymity. But I do agree that most of it stems from probably trying to keep the message, quote, pure in the get-go and not having people spouting off everywhere like they're the spokesperson. Trae and Johnny, Bobby, I'm sorry. I thought it was an interesting point you made, like a lot of people, the first time they may have heard about AA was when some famous person said that they were a sober person, without even saying they're going to AA or something. So again, we've all probably seen somebody in the public eye who seems pretty enthusiastic, and you can probably tell they're going to a lot of twelve-step meetings by the way they're talking. We kind of know the lingo. But even when they don't explicitly say they go to AA, I don't really cringe about any of that, because I don't know if we give people enough credit. I don't think anybody thinks, if somebody like Ben Affleck is out there relapsing and causing chaos, I don't think everybody says, well, AA doesn't work. You know, the person who might say that is probably an active alcoholic who's scared to death of quitting drinking, and they'll find an excuse to not come no matter what, usually. So I mean, I would imagine more good has been done by people talking about being a sober person. And for a while there, I still think it's kind of this, William, Bobby, you mentioned it, it's been kind of trendy and hip, and I don't mean that in a bad way, to talk about being sober. And I mean, facts on the table, drinking in general is not healthy for anyone, whether you're alcoholic or not.
I mean, alcohol's a toxin, and again, I'm not the sobriety police. I'm not saying everybody shouldn't drink, but it's a public health issue. So back to the point at issue. I will respect anybody's right to be anonymous and go out of my way to protect anybody else's anonymity and confidentiality, like you guys are saying. But I also, I've evolved to where, you know, it's everybody's business whether they choose to say they're sober or not. And you have to be careful, because especially most of us here that tend to join on this podcast, we probably have some conflicting feelings about it. It's like, I want to advocate for people to be sober if they want to be sober, and if they find that works for them, great. But if it doesn't, you know, I have problems with AA, things I love about AA, so... But like John said, there's things about the traditions that make them very worth respecting, and this is one of them. Their intentions are so pure. Yeah, yeah. And you know, like in the workplace, I'm pretty anonymous, and I kind of choose that, but it's not like if somebody were to know it would bother me per se. But I don't want to be, I don't want people to think of me as, that's me, that's who I am. I don't want them to identify me as being a person in recovery necessarily. I just wanna be another guy at work, you know. So that, and also I don't want to have to be having to explain or even defend AA to people who might not understand it. Go ahead. Sorry, Bobby. I agree with mostly everything both of these guys are saying. For the listener, I guess that's important to hear, with us, for the listener who really doesn't know what anonymity means or how to deal with it. Over the years you learn. For me, I believe, when I talk about anonymity, I talk about myself, not other people. I personally don't break my anonymity to anybody. It doesn't matter. I only do it
when I know exactly when to do it, kind of, if it comes up. It's like almost a known thing. It's like your body and your mind and your feelings know to open up. So I'm really very careful with anonymity in that sense, and I respect, totally respect, other people's also. I mean, after all, the only thing that separates me from everybody else is that I was addicted to alcohol and now I'm not. And character defects, I think all these character defects that they talk about are just human character defects of every human being on earth. So anonymity is a personal thing. I don't even tell, I don't even go into medical stuff, you know. Even I, I don't tell my doctors, to tell you the truth. It's not really that it comes up in just normal everyday conversation with people at work or at a party or something. It just doesn't. It's just not a topic that comes up. You're exactly right. It's like talking about, you know, a medical issue or something, that's just not something I don't think comes up that often. It's even more of an issue now because of the Internet, I think. And you know, you can go on YouTube and you just search for AA, and you'll find any number of people talking about their experience at an AA meeting, or they'll be celebrating their anniversary or whatever and holding up a coin, and they're on video and they're not anonymous, and they don't seem to mind at all. And I don't know if that's really hurting AA. I don't think it is. So I'm fine with them doing that. You know, that's what they wanna do. Yeah, definitely. I think we all probably see people post the pictures, and there's always degrees of involvement in AA. Some people just go to meetings and aren't that connected with other people socially, and everybody kind of does it a little different. Bobby said, you know, the statement we hear about how anonymity is the spiritual principle.
Whatever. I think, you know, to explain that in more, probably, worldly, in regular world terms, it's about humbleness, I think. Because, you know, even like talking about people on Facebook, you can see somebody who's, you know, smoking pink cloud, hardcore into being sober, and, you know, they're spouting it everywhere at six months, and, you know, the counselor in me says, okay, now let's take it easy here. You know, you've got to be prepared for when it doesn't feel that great all the time. Not to burst your bubble. But I think that's some of the concern of the anonymity thing. And I don't think, you know, I just think it's over-exaggerated how people say if that person has relapsed or something happens that it gives AA a bad name. I think, one, most people still don't know too much about AA, and two, I think people do understand, they're starting to understand, that addiction and alcoholism is not something that's just a once-and-you're-done type deal for a lot of people, right? And the stigma has gone down to a certain extent. You know, it's not, and to a large degree because of all these people that have come out openly about it. That's one reason that has reduced stigma. I think for certain professions, you know, if you're a medical person, if you're a surgeon or somebody who's, you know, I think anonymity is important there. And, you know, it does seem like we have special groups for people who tend to be the higher-end professionals because of that. But also, it's to be careful, because I don't know if I'm being delusional about my own drinking, but it was a fairly high bottom compared to some people. Now, that doesn't mean it wasn't bad enough for me or whatever. But sometimes I'm careful to even tell somebody I'm a recovering alcoholic, because I thought their head goes to, is that, you know, all I did was drink all day every day for like ten years, or lived on the street, which I wouldn't be ashamed of if that was my story.
But again, we don't know what other people's perceptions are and where they go with that. So somebody's professional, I out somebody else who's going to twelve-step meetings, I may very well be destroying that person's reputation based on just what the other person doesn't know about that other person's history. So it's touchy. I have friends, I have friends that, you know, back in my old home groups, who we have agreements with each other where I'm like, hey, if you ever know anybody, now that I've moved up to Omaha, like if you ever know someone who needs somebody to connect with or talk to, I don't care if you out me one bit. Give them my number, tell them my first and last name, I don't care, you know. So I can have agreements with people like that too. So yeah, that's where I'm going with that anonymity stuff. It's like what we're doing, why we're doing it, with the My Secular Recovery. Okay, I don't mind breaking my anonymity, because I'm targeting, I'm talking to other alcoholics. Even the word, we could talk about that word, alcoholic. With other people in recovery, I'm talking about maybe somebody that's looking for something. So for me to break my anonymity that way, I don't have any problem with it, none whatsoever, because they're looking, or they're searching, or they're going to this site for a specific reason. So in that sense, anonymity to me, I'm gonna break it every day if I can help somebody. That other podcast you talked about, My Secular Sobriety, that's a really interesting experiment, because I wanted to do that because I wanted to kind of break out of the AA mold. I wanted to have topics that talked about recovery that weren't always related to AA, and I was really hoping that I wouldn't even have to talk about AA. But the more I get involved with it, the more difficult I find it to not even mention it, or not even to mention it as part of my own experience. So I ultimately just gave up. I said, okay,
I'm just going to have to talk about my experience honestly, and as a result, I ended up breaking my anonymity on that particular podcast. But I'm not, you know, I just finally said, you know, that's just the way it has to be. I have to talk about my own experience. But most of the episodes on that podcast aren't going to be centered on AA or the steps or anything like that. I really want to focus, on that podcast, I wanna look at recovery from all addictions and using all types of support groups, and not being so concerned about what you say and how you say it. Exactly, exactly. I don't need the traditions police, you know, getting on me about, you know, you broke this tradition or that tradition. Yeah, well, how dare you talk about that podcast on this? That's another thing. I was, I was really, two separate, you know. Like, I didn't want people to know I'm doing this, you know. I almost felt like when I left my old AA group, I didn't tell anybody that I left. I just went off of it. You know, sooner or later we just have to become honest, you know. I mean, sooner or later we have to become, like, real, you know, instead of kind of hiding. And we don't talk about the disease. There's two trains of thought out there on this disease concept. Some believe it isn't, some believe it is. I happen to believe today, I believe I don't have a disease, you know. Now we're talking, this might be better to talk on the other channel about that. But we don't talk about that. We don't talk about the alcohol industry. We don't touch the alcohol industry. Believe me, I actually think that the alcohol industry should be held responsible for some of the devastating consequences it has on society. You know, actually, if you look at it, we are victims of the alcohol society.
You know, it's been a lie, and it's still affecting, targeting, young people, women, older people. So we don't talk about that. Not that we're going to talk about, we're not going to talk about that. Well, and the point is, I think, Bobby, to some people it seems like, and again, I always get off on the religion thing, but it's like there's the police out here who think if you for one second talk about anything that may have contributed to becoming an alcoholic, or whatever you wanna call it, then you're trying to sidestep your own personal responsibility. And on some level there's a truth to that, especially when somebody's really newly getting sober. It is so important to just focus on what you can do. But, you know, eventually, I think a healthy recovery oftentimes, for many people, involves looking back and maybe analyzing what went on and looking at some deeper personality stuff, and maybe some therapy and things like that, that, you know, I found to be helpful. It doesn't mean everybody will. But there's such a, you can even sense a tone in certain AA meetings where if something even remotely goes in that direction, the next person is sure as heck going to slam the door on that and move everything backwards. A, you know, personal responsibility movement often involves a lot of shame, blame, guilt. The tone of it is part of my concern about it. But there's truth to it too, right? And it's, singleness of purpose, staying focused on this, but it's also what has led me to be bored of going to AA meetings, often. Singleness of purpose, which I agree with on many levels, but sometimes it just feels so repetitive, over and over. It's like staying in English 101 when you really wanna get three hundred new books in English. God, I'd say that, I say that. You know, like, would you stay in kindergarten? No, you'd try to go to second grade. Y'all, it's almost, you know, it's almost, this is what, you know, it's a power.
Let's be honest here, it's parroting. Repetition of words and phrases and readings that repeatedly get into your brain, and, I'll use the word, can be brainwashing. And there's a good side of that, and then there is a dangerous side too, that I've kind of had to try and undo, weave some of that stuff, like, oh, do I just believe that because I heard it in AA meetings over and over and over? Or how does that really relate to me, or how do I really feel about that? I believe I was born an atheist. I was born an atheist, then my mother gave me her Catholicism, you know. I did all the Catholic stuff, you know, the whole ritual. And then slowly, you know, when I came into Alcoholics Anonymous, I tried to get back into that because I thought something was wrong with me, I didn't have it. And then I even went into the Christian churches and started to do Bible studies and started to tell everybody, you know, they better be saved or they're going to hell. I did that little routine there for a while, and thank God I came out. Thank whoever's like me, I really came out of it. And yeah, it's kind of like, it seems like there's a fear, and again, along the same line, it'd be like, if we don't have this consistent message and it doesn't sound the same everywhere, there's a danger in that. And that's just, to me, a lot of fearmongering. And what it is, to me, it's like sex education for kids. Let's give all the information so that kids can make the best decision they have to make for themselves when they're in a situation where they're the only ones to make a decision. Just like we can all feel united and we can all say whatever the heck we say in that one hour in an AA meeting where we're there. It really does not matter if you mean it or if you're parroting it or not in that moment. Where it matters is when you're home and you walk past the liquor store, or your wife has a twelve-pack of beer in the fridge that you've been thinking about a lot.
I mean, it comes down to what's it gonna mean to you in that moment when you're away from all your safety, and what do you really believe, what really works for you? Like you learning about your mom's religion or any religion, it's like, well, what does that mean to me, or what am I taking from that? Do I have to believe it all, or none of it, or do I have to frame it in a way that works for me now? So it always comes down to personal responsibility. Whatever the mind can conceive and believe, it will achieve. That's good or bad. You know, whatever my mind wants, if my mind wants to drink, and I believe it wants to drink, I'm going to get a drink. And if I want sobriety bad enough, it says the only requirement is desire, so a desire means craving. So if I have a craving for sobriety, whatever my mind can conceive and believe about sobriety, I will achieve. I believe all programs, all recovery programs, work the same way, through the belief that it will work, good or either way. So I take responsibility for that belief. So I believe all the programs will work if you want them to work, you know. If you don't want them to work, they won't work. I see people in the Big Book, sponsors, they do the twelve steps, they've got sponsors, they sponsor other people, they go to meetings, they go out and drink. I see people that don't have sponsors, don't do the Big Book, don't do the twelve steps, stay sober. I see people that believe in God stay sober. I see people that don't believe in God stay sober. So I believe it's our responsibility. It's my choice, and I choose the one today, to stay sober, like I did back then. Actually, my desire today is a thousand times greater than it was back then. And something like this website and this podcast, I think what it does is it exposes the fact that there's been people who feel like us all along, and on some level that makes the people who are the hardcore dogmatists of AA scared, because it's like it's bringing something to light
that's been true for a long time, and it's probably growing in numbers. And I'm with you, Bobby. The honesty and the truth about it is what's important. And I think the good side of this movement, I know we don't always like that word, but the good side of this is what it brings, is authenticity and being emotionally honest about ourselves. That scares the hell out of some people, and I would say that some people hide in the dogma and/or religion because of that fear. So to have your foundation rattled just because all of a sudden you realize, holy cow, there are some atheists in here, holy cow, there's some people who don't think the twelve steps are perfect as written, that they came down the mountain, you know, that for some people, if that really rocks their foundation, I'd have to question how secure their sobriety is. So when you just talked about how secure someone is in their sobriety, it kind of brings me to another topic that's on my mind that I'd like to talk about, and that is how we're handling going to meetings or not going to meetings during this pandemic. So I made a decision that I'm going to practice social distancing, and for me that means I'm going to be working from home. I'm not going to be going to gatherings where there's a large number of people, and I'm not going to go to AA meetings. I'm not going to sit in a room, a small room, with fifteen or twenty people in it. You know, I just made that decision for myself. I just think that it's not so much just me not getting the virus, but if I do get it, I won't be infecting other people. I just think it's really important to do that. So anyway, I was at a meeting last night. It was a Friday night meeting that I chair, and I told the people, I said, you know, I don't wanna chair this meeting anymore. I'm not going to go to meetings for another month. We either need to close this meeting down or someone else needs to chair it.
No one else wanted to chair it. We decided to close it down. And so after the meeting, I was talking to a guy, he looked to be about my age, and I know he's been sober for at least twenty years or so, and I was explaining to him, you know, this decision I made about not going to meetings for a month, and why, and the social distancing. And he said to me, he said, well, that sounds like a recipe for relapse. That he has heard so many times that when someone relapses, the first words are, they stopped going to meetings. And I'm like, that kind of disturbed me, because it's like, I'm not that insecure. My sobriety isn't that fragile, and I have a good reason for doing this. And it almost frightens me that there's people in AA who think that they have to continue going to these AA meetings regardless of a pandemic. John, that's the disease talking in you, I guess. I'm just kidding. How do you guys feel about this pandemic, and how are you handling yourselves? You know, I guess, Bobby? Let's just say I'm still a little confused, in the sense that I don't know if I wanna cut, because my meetings are new and there may be only twelve people in them, and I'm torn. I have cognitive dissonance with this. I'm torn, I don't know what to do. So I'm taking it day by day, and actually, I have a little meeting tonight, and there may be maybe one person or two people that show, it's a Recovery Dharma meeting. But I'm going to go, and I want, more will be revealed to me, and I'll be able to make the decision after that, and then I'll build on that decision. But as far as people saying, you, I've been away from meetings. In the beginning I was, I took vacations, I was away from meetings for two weeks, you know, I didn't get drunk. I didn't wanna get drunk, because I wanted sobriety more than I wanted to get drunk, you know. And there's people that don't go to meetings all the time and they stay sober. John, I have a question.
Was this person directly referring to you? Sounds like a recipe for relapse for you? Yup, yup. We were talking in the room together and he was talking to me. He thought that what I was doing was dangerous. And I think that it's dangerous for me to put myself in a room full of people who might have a virus that I could transmit to someone like my wife, who could pass it on to her mother. You know, here's where that kind of stuff annoys me. Maybe if you were like two weeks sober, I mean, or something like that, and still physically withdrawing. But I mean, it's like, that's the dogma, that's the fearmongering, and that's the religiosity that annoys me about AA sometimes. As far as me, like, I took my son to Costco yesterday because we had to get some things. With, you know, oh, let's all quarantine, but before that we're going to be around a thousand people who are afraid, then go quarantine, right? Right. So I mean, I have so many mixed feelings about it. Our daughter was going to daycare still last week, three days a week, and, you know, all of those kids have been exposed to each other. And, you know, well, fortunately for kids, it's not that dangerous, really. The better off you are, really. Right. And like you said, John, I'm not worried about me. I'm not worried about my wife. I'm not worried about my kids. I'm worried about my in-laws, who are in their seventies, who have heart conditions. I'm worried about my mom, who, you know, if she got the coronavirus and had a medium problem, she would die. She's on oxygen twenty-four seven and has heart disease. And she has, so that's why we do this. I mean, I'm trying to get political on this, but so even today, I think I'm going to take my daughter to a movie, but the movie theater that I'm taking her to is practicing distancing and not putting people in certain seats. But even still, there's a part of me that feels guilty, because what this whole thing has revealed to me is just how goddamn self-centered
we are, too. Like, even myself thinking, like, man, if I'm super annoyed with my family, how the hell am I going to get out of here and go to a movie, my wife's cool, when this is going on? What's this going to do for me? And then I have to sit and I have to think, it's not about, it's so much like AA, it's not about me, it's about us. And if the goal really is, I mean, we may look back and be like, oh, everybody's panicking over nothing. We may never know that. We may be like, oh, we avoided the worst of this because of what we did. The other side of people might say, well, look at this bullshit, we didn't even have to do this. No, exactly, that's what my wife was saying. It's like, if it turns out that we do lower the hump or whatever it is, and it's not as bad as we were expecting because we took these precautions, people are gonna say, oh, what an overreaction, it really wasn't that bad. But it wasn't that bad because we did these things. Right. There was a guy in line at the Costco I was at yesterday. It went all the way to the back of the store and back around the corner. The line moved super fast, but there was one gentleman, and he said, what the hell are all these people doing here? And then another guy, who I would've assumed, if they were political people, that they would have been on the same team, the other guy said, well, didn't you hear the schools are probably gonna close for six to eight weeks? The other guy turned around and said, goddamn fucking media. And so I'm just like, okay, you know, it's like, whatever. I mean, it's like, we talk about sacrifice, and we talk about, you know, I mean, what's a couple of weeks or a month, which I know is a big deal in economic terms. I do stuff with the stock market, so I realize that. But I mean, we, the same people who are talking about, sorry, this has now turned into a political podcast.
It's the same people who were probably preaching against whatever Obama's death camps were, are also the same people who are just saying it was just the flu, if we kill off just the most vulnerable people and the old people, who cares. It's like, okay, which part of this camp do you want to agree with? But I guess my point is, I don't blame anybody for not wanting to go to a meeting where people are going to try and grab your hands. It's stupid, outdated, but there, we've talked about this on other podcasts, there is something about being around other people, physically around other people, that does help. So I understand it. And especially, Bobby, for you, if you've got a new meeting that is trying to gain some traction, a month or two break might be just what it takes to have that meeting fall apart for a while. But then on the other hand, that problem might solve itself, because there might be enough people that are living in fear that don't come to the meeting anyway. So, you know, yeah. When this, you know, I just want to talk to the listeners, the new people that came into different types of programs, or recovery programs, that are dealing with these issues, addictive behaviors and stuff. This is normal. Anxiety, depression, feeling bored, it's all normal feelings. We're all feeling it. So I want to just say that to them and let them know that today, I could say back in my day, but today everything's online. You can go online, get involved, go to Facebook, go to Instagram, go to Twitter. You know, listen to these podcasts, AA Beyond Belief, I mean, you could just stay there for hours listening to those different podcasts. You know, My Secular Recovery, we only have about seven of them right now, but there are going to be more coming, you know. And we could sit and listen to them, listen, learn, learn, listen. It's new, it's newer. So I don't think we have to worry about that, Bobby. I mean, I quite, John.
The reason that I am doing this is mainly because of my age. I'll be coming up on fifty-eight years old, and I think that I'm a little bit in that category where I should be careful. So this is my decision. There are a lot of people that go to our meeting that are under forty, and they're not that big at risk, so it's not as big of a deal for them. So I'm just making that decision for myself. The way that we're handling it in our group is people who feel comfortable, they'll take their own precautions, do their own thing. And so that was just my decision. But, you know, I was thinking, Bobby, that what if I were, like, just now getting sober? I'm like a week sober, and now if I was a younger person and just newly sober, I think I would still go to meetings, and I'd practice precautions of not holding people's hands, etc. You know, but I think I would still probably attend the meetings. But when you talk about all the other resources that are available, like going online and so forth, when I was getting sober, I didn't have any money. And so I'm thinking that if I was in the same position now, just getting sober, and I didn't have a job and I didn't have any money, I might not be able to afford a cell phone with Internet access, or to buy a book, or any of that stuff. I might not have a computer or be able to go online. So I wouldn't have those resources if I were in the same position today as I was back in nineteen eighty-eight, financially and so forth, when I was getting sober. So, you know, the only thing I would be able to do now is go to the library, which is actually what I did back in the eighties, you know. So it's a little bit more difficult. It depends on where you are in society and what kind of resources you have. It'd be great if you're just getting sober and you have a job and you have access to the Internet.
You can go to online meetings and so forth, but if you don't have access to that, it does make it a lot more difficult. It's going to be, like you guys are saying, Bobby, thank you for bringing that up. Like, there are going to be different degrees of what people need. So the important thing is, if you can, or are able to, be in touch with somebody who can help guide you through it if you don't feel like you know what you should do. Because that uncertainty, that, like, oh God, am I going to get, like, you know, John, even that guy mentioning it to you, and you've got, what, thirty-three years or so of sobriety. It can do that kind of stuff. It upsets me too, to where I'm like, oh, jeez, what a baby I am, or, you know, maybe I'm screwed up. But on some level we have to trust ourselves. Use what tools you have available to you. I mean, talk to a neighbor more often, or, I don't know, it's going to be different for each person. If somebody's gonna use it for an excuse to drink, they will. It scares me that there might be people who are in their sixties and older who are afraid not to go to meetings, and they're going to go to AA meetings, and they're gonna get sick, and they get very, very sick, and they're doing it because they think that it's the only way to stay sober. And what I've heard some people even say is that, well, I have two choices here. I can die from this virus or I could die from drinking. I don't believe that that's the choice. That's not the choice. You can stay sober and still take the precautions that you should take for your particular situation. For, you know, if you're an older person, if you have underlying medical conditions, you need to take more precautions than somebody who is thirty-two years old and otherwise healthy. So yeah, it kind of concerns me. I think that there's a lot of people out there who aren't taking it seriously, and they're going to go to meetings, and people are
gonna get sick. But we can talk about, now that's great. Everybody's gonna find their own way. And go back to that, whatever the mind can conceive and believe, it will achieve. If she wants to, you're gonna, you'll figure it out no matter what. Go to the library or go online. If you can't afford it, grab a book or something. You'll figure it out. Somebody will figure it out if they want to. How about the people in AA, how much time do you think that guy had? Did he have a lot of time or a little bit of time? I told you, about twenty-five years. Now let me just go with that for a minute. So we have people in Alcoholics Anonymous with a lot of time, and they used to use these things, the bleeding deacon and the elder statesman. I think that was more of a controlling factor, where if you speak out differently, you're a bleeding deacon, and if you sit back and say nothing and let the people make you a movie star or a guru, you're an elder statesman. But in Alcoholics Anonymous, it almost seems like, like we were talking about, this kindergarten, moving up, you've got twelve steps and move up to the twelfth grade, and the tenth step talks about continuing to take personal inventory. So what I tend to see a lot in Alcoholics Anonymous is people that are five, ten, fifteen, twenty years, they tend to talk about the past all the time and try to use what they did twenty years ago to help them today. You know, instead of, like, really searching, having an open mind, being honest, and willing to change, not to stay stuck. I see people, older people with years, I, you know, I'm judging, am I taking inventory? Yes, I am. I see them stuck. And that's why I like this other stuff, because if you venture out just a little bit, your mind opens up a little bit more. And Bobby, that's a great point, and like I'm looking at this as an opportunity. Okay, we're gonna be at home more. What are the things around the house
that we've been trying to get done that we say we don't have time for? So too, like in our recovery, it's like this is a different aspect of our recovery. So if you're someone out there super concerned about going to meetings, but you really don't want to because of this, well, think about this as a new way I can challenge myself to grow in my recovery while at home. Maybe, I mean, everybody's been, maybe you've been sitting there putting off writing down your fourth step. We're going to be inside more. Go and write that down. Maybe you've been telling yourself forever that you're gonna journal more often, share your feelings in writing. Well, here's a great chance to do that more. So it's almost like we're all gonna have this opportunity to have this stuff put in our face that we've been procrastinating, putting off. Well, here's a great opportunity to dig into some of that stuff. And I'm going to be listening to more podcasts, and I'm gonna be reading more, and I'll be taking my dog for walks. It's an opportunity. It's an opportunity for all of us to grow. Look at it as a bad thing or a good thing, an opportunity. Well, that's a recovery tool. Yup. I think it was a good conversation we had, and I think both topics we talked about, anonymity and also the personal distancing, social distancing thing, it's all up to each individual person to decide what's right for them, I think, and that's the way it should be. We get in trouble when we tell people what they need to do. Well, I just wanna say I've been practicing social distancing in meetings for years. I go up and stand in the corner. Yeah, yeah. To a certain extent, it's kind of easy for me to social distance, because I kind of don't like being around people anyway. Anyway, thank you very much for listening to AA Beyond Belief, the podcast. As always, John, thanks, it's great talking to you. Okay, take care. It's been great. Thank you so much."

Trump Appointee, Michael Pack, Leaves Trail Of Shattered Careers At VOA

NPR's Business Story of the Day

04:10 min | Last month

"This message comes from NPR sponsor NerdWallet with their podcast Smart Money. With weekly updates on financial news and answers to money questions, Smart Money's unbiased take can help level up your finances. Subscribe to NerdWallet Smart Money wherever you listen to podcasts. There's been so much controversy at the Voice of America and its parent agency that it's easy to forget the human toll: executives fired, reporters investigated, reputations shattered, all part of an ideological civil war begun by former President Trump's appointee to the agency. NPR's David Folkenflik reports. The US Agency for Global Media oversees the Voice of America and other federally funded international broadcasters. Last Monday, just two days before he resigned, Michael Pack defended his record on Fox News. I've been head of the agency for about seven months, and my only goal has been to get it to fulfill its legally mandated mission, its charter, which is: present objective, balanced, comprehensive news; tell America's story to the world. Others who worked under Pack tell NPR a different story. It was actually one of the most surreal times of my career in federal government. That's Dan Hanlin, a senior advisor to the CEO when Pack took office. Hanlin joined the Trump White House team during the transition in 2016 and stayed throughout. Hanlin says he figured his loyalty to the administration would never be in doubt. He was wrong. Pack decided almost immediately that Hanlin and others weren't to be trusted, and he banished them to the far corners of the agency headquarters. Found a foosball table, and since they weren't talking to us, we would come in around nine o'clock and stamp out at five o'clock, and we'd play foosball all day and we'd just sit there and comment about how absurd this whole thing was. Hanlin says it was a sign of worse to come. I don't think he had a plan other than to just blow the place up. Voice of America's top officials resigned.
Pack fired the presidents of all the other networks. Pack also suspended six top agency executives and paid private law firms millions of dollars to investigate them, and he also refused to extend visas for any foreign employees, implying they could be spies. Here's former general counsel David Kligerman. He was among the executives suspended. Because he believed that we were disloyal to him. He perceived us as being part of this cabal, and it was very troubling. Kligerman says Pack embraced Trump's fight against the media and against the professionalism of government employees. At one point he even quoted Leviticus to me, some provisions that talked about bearing false witness. Kligerman resigned in December after months in limbo. You have to stand up to bad actors, like my colleagues and I have done, and we've paid the price for it. Pack pursued investigations of journalists for perceived anti-Trump bias. On Fox, Pack renewed allegations against a video segment on VOA's Urdu language service. It was essentially a repackaged Biden ad. It was not targeted, as the Urdu service is supposed to be, to Pakistan, but really to Michigan, an appeal to Michigan Muslims to flip the state for Biden. VOA staffers say Pack's charges are ridiculous. Very few people in the US consume or even know of its coverage; social media promotions of VOA are blocked here. Plus, there are only about fifteen thousand Michiganders who speak Urdu. Multimedia journalist Benazir Samah had her contract terminated. VOA fired me because they thought it was, you know, against, it was, like, biased towards Trump. VOA cut loose three colleagues too. Samah came to the US from Pakistan on a Fulbright journalism fellowship. She went to work for the Urdu service in 2019. She's now one of many who lost their jobs under Pack who are seeking to get them back. It has threatened to turn my entire life upside down ... So I'm worried about my visa situation,
my job, and everything. Samah says she has drained much of her savings since last summer, her career the collateral damage of ideological warfare. David Folkenflik, NPR News.

DtSR Episode 415 - TPA Man Algorithm Machine

Down the Security Rabbithole Podcast

36:38 min | 5 months ago


"They say, they say we should have known better. It's time for you to venture down the rabbit hole into the world of cybersecurity. You're plugged into the podcast for security leaders and practitioners with a business sense. Prepare for unique interviews, insights, and practical advice that makes your job just that much easier. And now please welcome your guides on this adventure, James Jardine and the White Rabbit, Rafal Los. All right, good morning, good afternoon, and good evening. This is Raf, welcome down the security rabbit hole to yet another riveting edition of the Down the Security Rabbithole podcast. It's a new week, it's a new day, we're into autumn 2020, which means this year is almost over and I can't wait to see the trailer for 2021. But while all that happens, I wanted to make sure we continue the tradition of excellence, the awesome guests that we have, and you know, sometimes we go back and revisit folks we haven't talked to in far, far, far too long, and one of them is Dr. Sven Krasser. How are you, sir? I'm fantastic. I messaged you because you did some things recently and I'm like, hey, look who's on LinkedIn, and here we are again, right? So that's the smallest of chances. It's good. It's much harder to run into each other physically these days, by the end of the world, I suppose, so it's good that virtually we were able to put something together again. Yeah, yeah, it's always, always good. You've got an interesting perspective, and, you know, I guess what better place to kick it off than, speaking of LinkedIn, we were just talking before we hit record about how I just saw a thing, I liked it as I was waiting for you to join the show here, that somebody has this meme posted on LinkedIn, no doubt one of our security peers, that says essentially, like, hey, they don't want to pay fifty K for a pen test, but they'll get stuck paying five hundred K
for a ransom, implying that one has anything to do with the other, and of course you guys know me, you're listening, I can't help myself. I jumped in and said, time to play devil's advocate: what does one have to do with the other? And perhaps more importantly, if I pay you fifty K for a pentest, are you certifying me, and saying that you're going to guarantee me that I will not get any type of encryption-based attack or be held to ransom, if I pass your test? Like, this is the state of security today, and I wonder, I keep wanting to say certainly we've gotten better since the last time you and I talked, but I suspect the answer is no, we haven't. Well, I'd argue we have been getting better. The problem is that this is an arms race, right? Like, the other side is very motivated to improve as well, and since you bring up ransomware, especially in the ransomware space there's so much money behind it, right? Like, there are strong incentives to improve and sidestep security solutions, and evidently that still seems to work from time to time, because those folks are still, quote, in business, unquote, right. You say from time to time, and I know you said that tongue in cheek, because now we've got, what, three? Three or five of the world's largest logistics providers have all suffered a potentially crippling, at least for the time being, ransomware type of attack. I mean, wow. Yeah, I mean, it's challenging to secure an environment; it's not a trivial endeavor, right? I mean, we know that, and I think this was another thing that we talked about before hopping on the podcast recording, right, that there's a lot of those little gears, it's a very complex problem to solve, and you gotta look at this from a very holistic perspective as well. I don't think these challenges will completely go away, right, we just need to make sure that we keep on improving, improving faster than the adversary. I gotta ask, though.
Is that from a technology or is that from a process perspective? Because I think technology improves rapidly, right? Whatever the technology you're talking about in security, we are not lacking for tools, we are not lacking for awesome tech that, if used, I'll use the caveat, if used to its full potential, odds are it can do a fantastic job of catching everything that's out there. Obviously not everything, but just about, right; it really raises the bar for the adversary. Where it tends to fail is, you know, look, I can buy the world's greatest hammer; it does not make me a carpenter, it does not mean I can build anything, I'm just going to have a really expensive hammer. The implementation and the use of these things is sort of, I don't know, where we're at, it continues to fall down, and I know that automation is one of those things that you work on a lot and probably try to solve: better detection, better analysis. What's the state of the art? What would have changed since the last time you and I chatted? So, one thing to notice is the changed environment, right? I can give you some numbers from the CrowdStrike OverWatch reports that we published. Just in the first half of 2020 there were as many potential intrusion activities as all the way through 2019. So there is a lot of growth in what the adversary out there is doing as well; that's contributing to the challenges. There are more things that we need to deflect and defend against. So, as you know, one of the things that I work on, my area is around machine learning. So, like, what we're doing, the way we're trying to tackle the problem is, we have a lot of data that comes back as part of basically our mission to keep customers safe, and I have to, every time, dig up the number before telling somebody, because it's growing so rapidly: we are at about six hundred billion events per day that we're processing in our cloud.
So that goes very, very deep, like, a human cannot really get ahead of that; you lost the human a while ago, maybe more. Yeah, I mean, this is why I enjoy my job, right, like, this is like a gold mine that, you know, you can keep on digging in, like, this just keeps us busy for another decade, all the value you can derive from that. So I think that's where it's at, right, like, to get more things done automatically. Like in this example that I mentioned from the OverWatch report: twice the amount of attacks on a six-month basis, right, exponential growth. We're not going to necessarily double the human staff because we look at twice as many things every six months, right? Where do you scale that long-term? That's why automation is key, you know, doing more things concurrently, grouping threats into the same category and then getting ahead of these threats, basically, as a cluster of things, if you want. We've talked about machine learning and artificial intelligence, and I hate that term, 'cause, I don't know, I think it's still largely a long way away from actually being intelligent artificially, but, you know, again, I don't know everything, but I think a lot of the machine learning algorithms that are out there, a lot of the detection and analysis capability, is so good. So good. It really does raise the bar significantly for an attacker. You know, I mean, that's a lot that you're sifting through, when you have that much. So a human does not have the slightest snowball's chance in hell of doing that manually. But where does the ownership of the failure lie? Because there's still plenty of failure, right? I guess, just because I have the world's greatest hammer, I'm just going to have an expensive hammer if I don't know what to do with it.
Are we getting to a point where, and I think maybe this was the promise, like, twenty years ago with antivirus, where all we have to do is install it and the technology does the rest; are we getting there? Are we ever gonna get there? Do we ever want to get there? I don't think we'll get there, and I don't want to get there. I think we always want to have humans in the loop, right? Like, we always want to have human experts that can give feedback on, like, what we want to see detected, and basically make the system more "intelligent", in quotes, in that sense. That's the model that we're pursuing, like, everything that our OverWatch team is noticing in the field, that gets back into how we train the algorithms, and that tight feedback loop helps, because the challenge is, just think about it, right: if you sift through the six hundred billion events per day, like, how do you know that you detected everything? How do you know that was right? You know, there needs to be some level of feedback. So there are basically two loops, right? There is a very fast machine-based loop which sifts through the data, but then there's also a loop at human speed that validates, that finds gaps, things along those lines. So that's the way I would look at that, and that's why I would say any kind of story that goes along the lines of "we have artificial intelligence", and it's kind of like that robot from the Jetsons, or whatever you want, it doesn't work that way, right? Like, these are tools, these are tools that work for us humans, they're not autonomously intelligent, and I think the last time... And this was only with, without expense, there was one of the points that you made, you know, like, replace the words "machine learning" or "artificial intelligence" with "algorithm" or "a program", and
see how convincing that sounds, right, because that's what these things are, they're programs, like, mathematically, like, in many cases you can think of these things as functions mapping various inputs to outputs, and that's it. Yeah, it's... I am glad, people, like I said this last time, I'm glad there are people out there that are kind of dispelling the FUD, or the hype. I recall one of your competitors, it doesn't exist anymore, for a while that was all about, no, artificial intelligence will solve everything, it's magic, machine learning, math, whatever. I mean, we all just nod our heads and we'll call BS to a crazy degree, but the customer bought that because it seemed like, wow, it's magic, it's gonna solve my problems, and come on, we all knew, and yet people bought this stuff, and it's the frustrating part of security. We get it, you know, those of us who have been around long enough that really and truly get it, I feel like we get peppered on both sides: the customer who doesn't know what they're buying and so is easily fooled, and then the security professional or the seller that doesn't really understand what they're selling but knows they want to sell lots of it, and so will fool them, and neither side really takes the time, or maybe has the time, or has the care, I don't know, something's wrong, something's missing in that formula that doesn't allow for an honest conversation. I mean, we're getting closer to it, but I listen to sales pitches all the time and I'm like, oh my, that is so not even true. I came across a white paper of a vendor, I was searching for something and came across the white paper, and it said something to the point of, we're using deep learning models that work on raw bytes, and for that reason we're not vulnerable, or less vulnerable, to adversarial attacks on machine learning, and, you know, if you read that as a layman, sure, that sounds like all the right words, right?
You know, bing bing bing bing, check the boxes, yeah. It's just not true, and that's what worries me, right? Like, it's creating a desire for a monoculture, where there's kind of a set of technologies that are just accepted, without evidence, as perfect in what they're doing, and that results in other things no longer being pursued, the boring stuff like defense in depth, right? Like, that's still relevant, that you don't want to just rely on the ML to detect something. And another important point people need to understand is that machine learning has its own attack surface, right? Like, that's never really talked about. If you use machine learning, you need to guard against that as well. And Gartner had some very interesting numbers about that, like, they were publishing that about seventy-five percent of data governance initiatives would not have adequately considered AI security, and that would result in financial losses, and thirty percent of AI cyberattacks would be leveraging data poisoning, model theft, or adversarial samples, all the way through 2022; those predictions, these are pretty big numbers. And there was another paper, very interesting, I actually talked at a workshop briefly about it as well, from some folks in the ML community, and they were talking to a couple of companies and were asking, basically, are you securing your ML systems, and fourteen percent said yes, the rest... Fourteen? One, four. Yeah, and if you want to read the paper, it's by Schenker et al., "Adversarial ML: Industry Perspectives", from 2020, so this year. I found that very illuminating, right, where things are standing right now: we've got to play catch-up with securing these systems, and especially we gotta be very careful if there's messaging out there that says this solves all your problems. I think at this point it's harmful to just state it this way,
because it really deceives people. Like, it doesn't solve all your problems. Like, sure, it needs to be part of the solution, like, it's a tool that you really need in your toolbox, but it shouldn't be your only tool. Like, what if that gets sidestepped, and have you considered the full attack surface of that tool? Can the data that goes in there be poisoned? Does the data that a model is trained on actually represent what's out there, from the distribution perspective, right? Is it susceptible to adversarial samples, where you just make minor changes to a file and you sidestep the model, it can't detect it anymore? Like, all of these things need to be considered, and that's why I'm always wary when I'm seeing any analysis with the panacea messaging. I kinda feel like this really is not a novel, brand new problem. I mean, not specifically in this sense, because I remember back in, I don't know, 2003, 2004, when WAFs were brand new, we had vendors that would say, okay, if you put it in learning mode, it will learn your application, and then you flip it to block mode, and all the stuff that's not supposed to be part of the application will be blocked. Like, but what if there's an adversary in the system, if there's a bad guy in the system already sending bad data through the WAF? That suddenly becomes part of the model, and then it's accepted. Exactly, right, or, like, it may just be, like, sending chaff, where basically, like, an adversary knows that, like, the web application firewall is in training mode, and they just send a bunch of, like, benign garbage, right, like,
that doesn't really cause anything, it just sits in there, but the model picks this up, right, as something that's normal. In the process, you can't really do much about it, because when you take that away, right, the distribution of what the model is trained on is not necessarily what you encounter in the real world, and in a case like that it might just be a benign consequence, that the model doesn't work well, will have many false positives, right. But there are attacks built around that that do exactly what you said: you make sure that there's a blind spot baked into the model, and that's what Gartner is predicting, that we see a lot more of these types of attacks throughout 2022. So, rather than attacking the, I mean, there's going to continue to be attacks on the customer, we've sort of predicted, you know, we've kind of predicted that the adversaries would shift from attacking the customers, or the target, to attacking their provider, and I guess this is just another reason why it's something that's going to happen more and more, I think. Yeah, I mean, we need to stay alert, and this goes back to why I'm so adamant that there needs to be a human in the loop, right? How do you know these models do the right thing? Like, what the classifier was trained on, right? How do you know it isn't missing anything, if nobody's looking? And that's where other techniques come in, right, like humans reviewing the data for false positives, false negatives, any other heuristics or approaches, maybe other models, but also the rule-based approaches that concur with the assessment, and then you can have a better assessment, right. Like, the more techniques you have that agree on something, the more certain you can be that any similar given technique has coverage of what you're after.
But yeah, if you just have the model, and somebody trains it and it gives you the detections, I mean, that's the question I would pose: how will you ever know it's not missing anything? Yeah, and that's gonna be... I can imagine, looking at attackers, attackers are exceptionally creative in how they act. I've heard the term, you know, we feed petabytes of data into our training model; like, okay, but have you looked at all those petabytes of data? Are you one hundred percent certain that that is all good and not bad, not malicious, and how long does that actually take? A human is required for the first pass, to then feed that, at least the initial work, through the training model to make sure that, you know, the algorithm really understands good from bad, right from wrong. I mean, that's the bigger problem in all of this, is, yeah, it's easy to say you're gonna feed it petabytes, terabytes, googolbytes of data, but are you sure there's no bad stuff in there anywhere? Yeah, not everything that you feed it is interesting, right? Like, I'm curious, if you feed it a petabyte of stuff it already gets right, does it really make a difference that you feed it that? It just makes everything slower. Like, there's a lot of nuance in how you put something together, right, and numbers like that, they can be indicative of the maturity level of how the modeling process works, but on their own they're not really telling you a whole lot. Like, at the beginning, when the industry began, like, when it really took off, right, you always saw these marketing messages about, like, we look at millions of characteristics; like, what that boils down to are, you know, sparse features, like bag-of-words, like, you know, there's a million
things that you consider, and you set the characteristic to one if the string is there, and if the string is not there you set it to zero, right? And that was used in production models, like, you can find some stuff out there online: there was an attack on a vendor's model that was predicated on basically understanding that these things are in there, and then finding strings that were benign and just adding them into the overlay. So basically, at the end of the executable file, you just concatenate some strings, and the model gobbled it up, and those were strings associated with good files, and the model said, well, this must be a good file, I find all these strings here, because it didn't consider where the strings are, like, no context, right, just at the end of the file, or inside. And, yeah, two problems with that, right: on the one hand there are no constraints, you can put these strings anywhere, that makes it very easy to change a file to game it. Number two, this is on top of monotonicity, by the way; that's where you can create models where you can only move in one direction, and that wasn't the case here, right? You add a bunch of good stuff to an otherwise pretty bad file, and the good starts outweighing the bad. But that's not really how it works in reality. If a file contains malicious code anywhere, it's malware. It can have the nicest icons and the nicest UI dialogs in the file, and the nicest strings or text pages, it doesn't matter; if there's some malicious code anywhere in the binary, we need to consider it malware. Yeah, that's interesting, because I remember, with some of the early scoring systems, it was how good is this or how bad is this, how much good stuff versus how much bad stuff.
And that, as you just pointed out, seems to lose its argument and significance relatively quickly, because, well, I mean, any amount of bad stuff is kind of the end. Yeah, exactly, which is not necessarily how this specific model was put together. Like, it was very interesting to read how other researchers basically poked at that and got to those conclusions; it's a pretty good story. I'm seeing some lag on the connection. I was just about to say, right, like, that's basically why I'm saying we need to look at things beyond... ML has its own attack surface, like, don't believe that it solves all of the problems, right? That said, on the other hand, if somebody isn't using ML, you know, you can be sure they're not sifting through six hundred billion events per day either. Like, you need it as a tool, but you need to use it in a way that you don't hurt yourself by doing so. Yeah. Well, and so, as we've been talking, where is this leading to? Like, where are we going from the perspective of the future? So if we were to leave the conversation at this point and pick it up in two years from now, technology will have significantly advanced. Where are we headed to? Like, what's the direction? Because, you know, I think a lot of the attack has now shifted, I mean, a significant amount of the attack has now shifted into the models themselves, into the vendors. So what's next, where do we go from here? So the first observation is, I think we're at the end of the hype cycle, right? Like, people start to understand what is expected, how it is used, and it's no longer understood to be some kind of panacea. That's good. I really appreciate that we're at this point now. Like, I
think what we're going to see going forward is that adversaries will pick up more of these techniques and use them to their advantage. Like, right now they can get pretty good results by hand-crafting things, right? Like, you don't necessarily need a lot of ML to produce an evasive file, or you don't need a lot of experimentation to come up with a good phishing message or something like that. But that might change with more automation on the side of the adversary, using techniques from the adversarial ML domain, for example, to craft evasive attacks more automatically, to basically ramp up on their end and generate more threats that are more evasive. Phishing emails might be the example. I disclaim, actually, I have not looked into that specific space, but I'd argue that it's cheap to send and it's easy to track if you're successful. So it's a good target for tuning, like, figuring out how to put a message together: you get direct feedback, you get somebody to click on it, and based on that you can refine the message. That could be done in an automated fashion, and that probably is mostly handcrafted right now; I could see this as a target at some point in the near future. Again, disclaimer: having worked on phishing detection and prevention for, like, probably over a decade, but, you know, that's something I think is interesting. Are we doing detection at this level? Are we pushing it out to the edge, are we moving into the edge, to where the threats are, or are we still centralizing? I think we want to be everywhere, but when I'm saying that, we need to avoid perimeter-defense approaches. I think zero trust is one of these concepts in that respect, and something that we're obviously, at CrowdStrike, diving into right now as well.
As I mentioned at the beginning, networks are fairly complex beasts, and, like, once somebody is in, you don't want to have them roam freely inside your environment, right? So I think, sure, you want to be at the edge, because there's lots of information consolidated there and you can look at that in one spot, right, but you also want to be, especially, on the endpoint and have good visibility there, and understand what's happening there, because once somebody is in, right, they can roam the network. Really? Now we just have a network problem today, it's very strange, the internet is very laggy. Very interesting, too. I think I got the rest of it, I think I lost just that last five seconds or so. So I think we're okay. I will ask this to kind of leave this on an edifying point. When we're thinking about doing processing, you're right, we want to keep data, we see the big picture, so we want to do as much centralization of analysis as possible. How much of it can we move out to the edges, to where we don't have, we have vast amounts of data but not a lot of real-time data shipping? I'm not sure if I'm tracking completely. So, okay, thinking about it this way, here's my thought. We have attacks on critical infrastructure and systems like industrial controls and mobile platforms, for example, that don't necessarily have a lot of processing power and aren't always on, and I get that the internet is going to more places at more speed every day, but, you know, 5G isn't what we've been promised, it's still kinda slow in some places, and there are still places in the country where there's just very little internet access, and globally as well. So how do we push things like machine learning out to these places and do detection without that constant always-on connection, without having the big picture for more than just that device? Got it.
Yeah, and this is where the general concept of defense in depth applies again. Like, you want to be on the device because you want to know something happened, whether or not it went through the perimeter, but you also want to be on the perimeter because it's cheaper there and you don't burn through battery, for example, right, like, in the case of some battery-powered device. So I think that's basically the combination that you want to strive for, something like this, and in the general sense that's what we're doing with CrowdStrike Falcon as well, right? Like, we have an autonomous sensor on endpoints that can operate even if you're offline and keep you protected, but when it has the cloud connection, it leverages the resources that the cloud provides; so it can do what it does offline, but when there is a cloud connection it can also offload a lot of that analysis to the systems in the cloud. I think that's the model that makes sense to me, obviously, because that's how we build it here. All right. Well, yeah, you're right, that makes a lot of sense, and processing power on the edges and batteries and all that has to be taken into consideration, too. Well, cool, man, I appreciate your time, and this is always a fun conversation. I look at the time, and the time's all gone. Maybe one parting thought here: what are you working on specifically that's, I don't know, posing some challenge to you? What's the hardest problem you're solving right now? I think a very hard problem for us is to make as much use out of these six hundred billion events as we can, right? Like I was kind of alluding to earlier, it's a gold mine that we're having, and, you know, the more that we're pulling into scope, the more interesting it gets, but it's also the more challenging it gets, because the data volumes get bigger and bigger, you need to do more and more complicated processing with each iteration, and, yeah,
that's probably one of the biggest challenges, you know, how to put that data together. Sometimes it feels like, I dunno, like you're sitting on a beach and you need to order the grains of sand by size, or something like that, right? Like, it's a very complex endeavor, where you need to look at many individual pieces in some specific order. So I would say that's probably one of the biggest challenges, in a good way; like, it makes me very optimistic how much we can squeeze out of that. A good place to leave it, man versus machine, I guess. I'm glad we're at the end of the hype cycle, at least it feels like it, because I feel like we are as well; the crazy amount of hype around this type of technology is starting to wane. I'm wondering what the next big hype wave is gonna be; I'm almost afraid of it, because it's definitely coming, but, well, I guess that keeps us employed, right? That's true. I mean, like, in summary, we make sure it's in there, but also make sure that it's not supposed to be the one thing that solves it all. Yeah, that's fantastic, because it's one thing that we've learned about cybersecurity: there is no one ring to rule them all; everybody works in unison, or we all fail at the same time. Gotta stay vigilant. Yes, sir. All right. Thanks, buddy. Always great having you on the show, always a great conversation, and I enjoy your insights. Good work you're doing over there at CrowdStrike, and I look forward to getting more stuff from you guys in the future. Stay safe. All right. Thanks for listening. This has been yet another edition of the Down the Security Rabbithole podcast, slightly challenged by network issues today; maybe it's because everybody's at home and we're all streaming at the same time. I don't know what's on right now, but,
Anyway, thanks for listening. We'll be back again next week, same bat time, same bat channel. And also I just want to prime you guys just a little bit: we're kicking around an idea that we may spawn a new project potentially soon, so, as if you don't have enough to listen to, we might be doing something with that. So think it over; there might be more coming. Thanks for listening. Again, we'll see you another time, another place, and another Down the Security Rabbithole podcast. Out on another Down the Security Rabbithole episode, we'd like to encourage you to chat with our host and guests using the Twitter hashtag #DtSR. Please check out the show, catch up on an episode you missed, and subscribe so you don't miss one. Our website is wh1t3rabbit.net, that's w-h-1-t-3-r-a-b-b-i-t dot net. So on behalf of James, good, we'll see you soon on another Down the Security Rabbithole podcast.

EP 52 How to CONVERT your prospects into paying clients with Fathiya Fousseni

She Wins Podcast

10:05 min | 2 months ago

"What the booth net entrepreneurship and nafta path to start and grow profitable business. Every week. we walk him. Amazing women from all over the world and the would have you dorie and yet ozone amazing bowl you. My name is in arm. Your left game today. The day talking about something i love my is to get in traffic in use how that can be gerhard by won't allow businesses. So that's what your plan customer rating a tuning business strategy. He managed to attend the time on. Shot into job to what we're talking today. The is that in order to burn and bag client. He needed to have been swing. Your potential hostile message. You need to provide an easy way to communicate with you. Detect anything needs who have a master skill in green point bird touch radio morning in target. Can't said to have your customer. They don off or webinars every issue day to get up. Luby's next step you have left us tumors. You can actually easy for your customer to get your message to listen to your message. What are you having his having your customer english day and then what is set and make maybe some and against new orleans housing. Well this easy between your customer and your message about food so is dead across muscle and again often. You need them renewed. Can you see the second step is to provide an easy way to communicate by disney's to update to who so what your boiler wanna make sure when one again they know what you're about and take action action in one. All wanted me to one highly. You also want to ask for more a lot of times to do by email or they pushing and that can help. Initiate easily said is to learn skills. King div very. I don't know what to do. The work and song actually provide to your client. News box timmy. Into your life you want to talk about it. Talk about this and that coming type second that you look itself and in whole new generation. I don't have time. i don't have been crushing. Needs to be a hundred sean. 
You don't have time or of committing to the i'd here in my line of thought is was gonna money to trust. You went up. Mike client of this say very sharp object. Must in gouge. Applying making the speech is a sausage. You need to be to understand. Applying could guide them into don't let them and just legal precision nowhere position. You wanna so let the next step and nothing create continent the actually convert to what is what is it type of. You've come to gestion so all so they could pay is all about and work die. Trust your audience. Using quite highlights expertise impositions people wanted by them very in the next step into in touch. Keep touch touch every week or every month or four five. Who you are bended. Never been around you. How did benazir. Why keeping in touch with you and no one time. You can create new friendly engaging than when someone doesn't buy back time so it's very important. Ask where jews just remain very and a short upside insert.

DtSR Episode 361 - Your Adversary Problem in 2019

Down the Security Rabbithole Podcast

37:23 min | 1 year ago

"They say they say we should have known embed thus. Od Down D- down into this it's time I again the venture down the rabbit hole into the world cyber security. You're plugged into the podcast for security leaders and practitioners with a business sense prepare for unique interviews insights and practical advice that makes your job just as Benazir and now please welcome your guides sides this adventure jeans Gerardine and the White Rabbit's Burrup good morning good afternoon good evening. Welcome down the security revolt to the down the security rabbit hole podcast. This is Ralph. You've got me on the Mike with James over. Yonder Nether. Yes happy to happy to be here happy to have made it through. DORIAN coming. Coming true fortunately wasn't too bad here in Jacksonville. I was GONNA call you the hurricane survivor but you've kind of blown that cover all right then I yeah I don't WanNa make it worse was love. Your survival isn't bad here at all. You know yeah it was I was almost hunkered down you. You're ready and I'm glad you made it through folks. welcome to another additional podcasts. We've got a great guests and I always liked when these reports get published because there's always something interesting in them and and some sort of nuggets of wisdom and stuff that you kind of don't really get to read but you get to hear what we bring the people that wrote them on the show so that in that regard cross-straits Etta Myers Myers Adam welcome to show thank you for having me as Adam is baking bread by the way. I just realized thank you man. Are you gonNA share some of that's wonderful concoction there. Yes stop on your way home. Dallas to Atlanta Virginia can do that. Eh probably a delta hub or something right. It might be if not then I you know I could always always making sure that you should probably over anyway all right so you guys recently released the Mobile Threat Report You WanNa give me a quick while obviously i. 
Let's give you a chance to run down, for those people that don't quite know you, who you are real quick. Oh, so yeah. I've been at CrowdStrike for just over eight years; it's just over eight years old this month, and I've been running the threat intelligence team at CrowdStrike, which is really responsible for tracking all of the threat actors that we have identified. There's well over one hundred now, and really the goal of the intelligence program at CrowdStrike is to understand the adversary, because we believe that whether the attack is financially motivated or nation state or activist, there's a human behind that attack, and if you wanna have an appropriate defense against these attacks you have to understand who those humans are and what motivates them and how they're going to change over time. And that's kind of the quick spiel there. That's pretty awesome. Fundamentally understanding the adversary is something that we do in the physical world; I think that's sort of a new thing in the digital world. Why would you say that? Yeah, I think, you know, when we came out, we first said you don't have a malware problem, you have an adversary problem, right? And I think what you'll see as we talk about some of the mobile threats is that the adversaries are constantly adopting new techniques. They're constantly moving. It was Bruce Lee who said be water, and the actors are like water: they figure out how they can get where they need to get and do it the easiest and smoothest way possible, and you have to be prepared for that. You have to know what they're going to do next by looking at what they've already done and what their primary motivations and drivers are. Yeah, so what's changed over the last couple of years in terms of threat actors? You said the Mobile Threat Report is the third one you guys are doing, so what's changed with some of the threat actors you guys...
I mean broadly speaking, in terms of nation-states, activists, cybercrime, how's the balance of that changed over the last couple years? I think broadly over the last couple years we've seen proliferation. Nuclear proliferation used to be the thing we were concerned about: what new countries are gonna develop nuclear capabilities and be able to use them to menace the rest of the world, and over the last few years cyber is the thing that's been proliferating. We've seen this across the Middle East. We've seen this across Asia Pacific. We've seen this across eastern Europe, and we're even starting to see it into Latin America and South America. So I think advanced nation states, and even those that aren't necessarily considered that advanced, they've identified there's a key way to collect intelligence to feed their political, their military, their own internal monitoring of, you know, potential threats, whether they be revolutionaries or journalists, that they need to have visibility into, things that they can't currently see. From a criminal perspective, you know, I think we've seen that the era of the banking trojan has evolved in the last year or so into big game hunting, and that is, you know, you see these reports coming out of Texas and all over the place about, you know, we'll call it state and local governments, school districts, libraries, police departments being hit by these big game hunters, these criminal actors that are encrypting files and charging a ransom to get the files decrypted, and we're seeing more and more entrants into that area as well. You know, the bad guys figured it out.
There's a better way to make money than stealing a bunch of bank accounts and trying to monetize that: go after these big enterprises, lock up all their files and charge them half a million, a million, two, three, four. You know, the ransom amounts are getting ridiculous and people are paying. And then on the hacktivist side, we're seeing, you know, more and more developments in terms of complexity and advanced capabilities. And as we get back into the Mobile Threat Report, you know, one of the things that we've identified is that all three of these groups, whether it be nation state, criminal or hacktivist, have developed capabilities to target the mobile platform, which is, you know, in itself another kind of development over the past couple of years, because what we had previously kind of been watching for was at what point do we hit critical mass where threat actors are really going after mobile devices, and over the last two or three years the threat has ultimately caught up with the concern, and we're seeing more and more mobile threats every day, and it goes across all three of those motivations that I mentioned, whether it be nation state, criminal or activist. They've all developed a mobile capability. So that's interesting, because the place that we are, I think enterprises have always been weakest from a corporate perspective, is in the things that are most difficult to protect, like the phone. The mobile phone has become the computer you have in your pocket that knows everything about you, that houses all your sensitive information, and I think it was, wasn't it four, five, six years ago, there was a study done. People were asked on the street, you know, would you rather lose your wallet or your cell phone, and the overwhelming amount of people basically said take my wallet, don't touch my cell phone. So that kind of thing is always fascinating.
Is there any particular operating platform on the mobile side that's targeted more than the other? Because I know there's like religious wars between iOS and Android, which one's more secure, and there's secure versions of each, or like secure projects, I guess you could call them, inside the border, and it's just kind of crazy. Is there any insight you wanna give me into that? I think that broadly the Android platform tends to be more opportunistically targeted by adversaries, because Android is a much bigger ecosystem. If you look at iOS, there's, you know, really one platform for iOS, which is Apple hardware, and there's one operating system, which is controlled by that vendor. When you look at the Android ecosystem you've got Samsung, Huawei and all of these other companies that have built their own hardware. They've taken an open platform like Android and adapted it to their hardware, and so the operating system is inconsistent across all of these different hardware devices and different versions of different hardware devices. There's also the ability to hook into various app stores or markets, so with Apple you've got one option, unless you jailbreak your device, which is to use the App Store, but when you start looking at something like Android you can find localized markets. You can find, you know, Yandex has their own market and Huawei has their own market. There's a lot more flexibility, and with that you don't have the rigorous controls over what apps are in those markets. Where are we seeing, or where are you seeing, the biggest threat coming in? Seeing those differences, you know, especially from like an app store perspective and that type of thing, how are they going after the mobile devices when they're attacking them? Is it that, I know it's all of these, but is it a majority of it that it is, you know, some fake app out there that somebody can download? Is it through...
SMS? Is it through some other channel that they're going after, that makes one platform by default a little bit more protected than others? What is a more realistic way that they're actually attacking, I guess? There's lots of different ways that we're seeing things get distributed, so first of all you have to understand the types of threats that are out there before we even get into the distribution, right? You have to understand that there's different purposes, so there's remote access toolkits, which could be something that is developed by North Korea, Iran, China; it could also be commercially developed by, you know, any of the various commercial companies that are out there that are selling these types of things. So you've got things like Hacking Team and Gamma Group and NSO and DarkMatter and the like that have different mobile capabilities that you can buy, and most of those are kind of targeted towards nation states and nation state budgets. So there's commercial solutions out there for that, but then there's a whole category that we kind of call spouseware, stalkerware, that's marketed towards jaded lovers or, you know, paranoid parents and things of that nature, that will provide that remote access capability and provide visibility into a single device. There's banking trojans that are meant to steal banking credentials and to help bypass things like two-factor authentication, multi-factor authentication. There's also indications that we're starting to see mobile ransomware. Mobile ransomware is interesting because, you know, you go to log into your phone and it doesn't encrypt the files on your phone, it just blocks you out of your phone unless you give them your credit card number or send them bitcoin, type of thing. So that's something that we're seeing. We've seen crypto mining for the mobile platform.
We've seen a lot of advertising and click fraud, so there's lots of different threats out there, and once you understand the threats you can start looking at how does it get distributed. So we've seen some really interesting attacks, a phishing attack, and this really highlights your earlier question about the different types of platforms and what's targeted. So there was one attack that we saw where they effectively used an SMS message to the target, right, and this primarily focused on Japan, South Korea. Now if you're running Android, you were prompted to install the APK, or an application, onto the device, and that would give the adversary remote access; they'd be able to access the microphone and the GPS and all this other stuff. But if you were on iOS they couldn't necessarily get you to install an iOS application, so what they did was they redirected you to a phishing site. And, you know, the adversary recognized the different capabilities for the different platforms, and so they made changes accordingly, operationally, so they figure out what to focus on because they wanted to maximize success. So phishing is one of the ways that we've seen this stuff get distributed, and adversaries understand the difference between an iOS device and an Android device. Another thing that we see is compromised websites, so there was a pretty interesting case where an Iranian adversary targeted a Turkish non-profit and had set it up such that if you went to that website, a legitimate website, it would then propagate mobile malware onto the mobile device once you visited that website. Like a watering hole attack. Exactly, exactly. Application stores, we've seen that where, you know, for any app market there's legitimate applications. There was an app out there called lulls oh. PTO which a blogger, stefan co, had kind of started tweeting about, I guess a researcher, Dr.
tweeting about, and in that case it was a fairly early malicious app that was downloaded over half a million times, and it said it was a driving simulation game, but when you opened it up it actually installed an additional APK and tried to display advertisements and things like that. So there's, you know, the malicious app store, or distribution through a legitimate app store, and then there's things like the close-access attack, so loss of physical control of a device would be, you know, a concern if you're going through a border crossing, for example, and they demand to see your phone, and, you know, I've said this before, but I'd probably just break it in half and throw it away after that, because I would consider everything on that device compromised. Operating system images that are infected, supply chain issues, source code issues, software exploitation: there's lots of different distribution methods, but I think the thing that's most prevalent is app spoofing, where you try to create a malicious app that looks like a legitimate app, and one of the more interesting cases that I think we saw for that, or alarming, would be something that was called Red Alert, and Red Alert is a legitimate app that was created for the Israeli market to let people be alerted to missile attacks in Israel.
You know, you guys in Jacksonville have to worry about hurricanes; in Tel Aviv they have to worry about missiles coming in. So they created this app to allow people to install it and get an alert when there could potentially be an incoming missile. The adversary created Israel Alert, which was a spoof of that app, and that was actually meant to collect sensitive information from Israelis that had, you know, inadvertently installed this application because they saw the app and thought it was the thing that their friend was talking about. So app spoofing is one of the things that we see continuously by both targeted intrusion actors and also criminal actors. And on the traditional, we'll call it traditional hacking front, right, systems virtual and physical, from the non-mobile world, we continue to talk about how adversaries and threats are exploiting, they're using not so much the never-before-seen attack, or the never-before-seen, like, custom malware that they have to build just for you, but, you know, attacks from five years ago and patches that you're missing from, you know, ten years ago, whatever, or misconfigurations. Does that carry over into the mobile space as well? It's not as prevalent. We don't see as much exploitation on the mobile device as we do elsewhere. I mean, you could see just this past week, there was some more, or maybe it was last week, that the Project Zero guys had released a number of iOS exploits that had been potentially used, we think it was potentially used by Chinese actors targeting dissidents, like the Uyghurs or the Dalai Lama type actors, and I think we haven't seen too many cases where exploitation on the mobile platform has been prevalent, but that could change, you know, as more adversaries are investing in their research and development of vulnerabilities on these platforms. I think we'll see more and more of that stuff popping up. Is there a shift to get away from, I mean...
Get away from, or less focus on, trying to compromise my laptop, and more focus on trying to compromise my phone? Because the laptop may stay in my house or at my office, whereas the phone never leaves my side. Yeah, and I think you have to look at who's using phones for different purposes, so back in 2014 when the Umbrella Revolution happened in Hong Kong we identified a very quick ramp-up of Chinese intelligence operations that had created malicious apps and tried to get them into the protesters so that they could keep tabs on what was going on in the protests, and I'd say that it's probably reasonable to assume similar things are going on today with the protests that are going on every weekend now in Hong Kong. Yeah, so, you know, I think as people are becoming less dependent on their desktops and more dependent on their mobile platforms, we're seeing, ultimately we're seeing convergence of the two things. So if you look at every new version of macOS that comes out, it gets closer and closer to parity with iOS and kind of integrating that stuff. Similar with Microsoft Windows 10: it's really built for not just the desktop platform but, you know, the portable tablets and mobile devices and things. So I think, you know, the difference between a desktop computer and a mobile device, whether it be a phone or tablet, is getting much less prevalent, and you're seeing kind of a convergence of the platforms, and as that happens, you know, I think the adversary won't really see a difference between targeting a desktop and targeting a mobile device. Fair. What, throughout your report, I mean, is there any indication, because I feel like, if you, I guess after DEF CON and everything, maybe it was before that, but there's a lot of headlines talking about, you know, security experts telling everybody to turn off their Bluetooth.
What indications are there around that being a threat vector for the device, and for most users, is that something that somebody should be really concerned of? Is Bluetooth really a common attack vector, or is that sort of a one-off, less used avenue right now? Well, Bluetooth has limited distance, so I think that the concern around Bluetooth would be if you're traveling overseas or travelling in a threat environment where you're going to have an elevated risk; then it might be more of a concern. If you're sitting in your house, the range on Bluetooth is less than one hundred meters, so you're likely not going to, you know, if somebody's going to target you over Bluetooth, you could probably see him out your window. But, you know, one of the things that's interesting is, you know, people are really concerned about the Internet of Things, but if you take a look at Bluetooth Low Energy devices, you know, whether it be a sports watch or, you know, everything is Bluetooth Low Energy at this point. I've got a flashlight; it's got Bluetooth Low Energy on it. So yeah, I don't know why I have a flashlight, or why does a flashlight have Bluetooth Low Energy? Very different from my only flashlight. Same reason as, you know, your watch: what's that, the battery's low, you better recharge it, or something, right? Exactly, or if you lose it, hey, start flashing so I can find my flashlight. Put that aside, right. You know, my point is that all the devices that we carry with us every day, AirPods, you know, earbuds, Bluetooth earpieces, all of these things have this capability, so, you know, there is a risk there; you just have to consider it more likely a close range than a long range risk. Hey, another kind of interesting question, I guess, is the thing I was listening to.
This show is, who's the bad of the bad? Like, who's at the top of the bad food chain? Oh, boy, that is a tough question. So one of the things that I looked at was all of the different nation state and, you know, all the different categories of threats that we track, so if you look at hacktivism, terrorism, Pakistan, India, Iran, Vietnam, criminal actors, China, Russia, North Korea, South Korea, all the different nation states that we track, about ninety percent of them have the capability to target mobile devices. And so I think, you know, first of all the fact that we're seeing every threat group has this capability is certainly a concern, so there's lots of bad actors to choose from in terms of the top list of bad actors, but I'll tell you a couple of the ones that I've seen, and you guys can maybe throw some other ones out there, you know. But one of my, I'm hesitant to say favorite, but one of my favorites is a North Korean actor that created a mobile application to target a specific group of people, and what this mobile application would do is, and so, you know, one of the things we haven't talked about in this podcast is what are some effective defenses. So I was one of the, yes, I wanted to, one of the defenses that I always tell people is to look at the permissions that the app is requesting, because if an app is requesting some unreasonable, crazy permissions, access to your SMS or something like that, you should be on alert for something like that. So this defeats that countermeasure. What it does is, this app asks for accessibility permissions, and you're, you know, you might think, okay, so accessibility permissions would be, you know, for visual or hearing impairment or something like that. That's not that big of a deal.
What can they do with that? And so you give it the permission to have access to accessibility, and if possible video, and you watch this stupid video, and in the background it's using the accessibility permission to grant itself access to your text messages and your GPS and all this other stuff. So it's, you know, they figured out not only what the countermeasures people are implementing, but how to defeat them. That's a bit ingenious. I hate the fact I said that. Yeah, it's one of my favorites. Another one of my favorites is an Indian nation state actor that we were tracking that deployed a malicious or hostile MDM, which is pretty crazy. Think, like, MDM is a solution that gets put in place to protect mobile devices by enterprises, right, and these guys figured out, okay, well, if we could social engineer the user to install a certificate somehow, then we can basically just wrap the mobile device inside of an MDM and monitor whatever they're doing. Well, that's, again, that's kind of ingenious, dammit. Yeah, so we've, you know, we see lots of things targeting, like, various, you know, ethnic groups, things like the Uyghurs or the Kurds, people that are being heavily targeted by various nation states, and we'll see a lot of these kind of fake news aggregators and things that are meant to kind of get them to install a mobile app that gives, you know, remote access to a threat actor. So there's no shortage of interesting stories that are out there related to these actual threats.
I'm going to change gears for a second, because this is something that I always want to make sure people keep in the back of their minds. The threat model for some of these nation state, criminal actors is something that I think is important to consider, because way too many security professionals, organizations, tend to worry about everything, whether it's within the sphere of their threat model or not, like, they will likely never actually be targeted by a nation state, so it's probably not that big of a deal for them. My example was when Meltdown came out. Everybody freaked out about it, and, you know, like, okay, without really understanding whether this is like something that will directly impact them or not. Let's talk about that, so what kinds of different threat models do some of these different threat actors fall into? I mean, the nation state, is it that they're not targeting everybody, right? They're targeting very specific groups is what I'm hearing. Yeah, I think they're going to target whoever they're chartered to. So if you know you're not somebody that's of interest or a priority for a nation state, then you probably don't have to worry about that threat factor. If you are of interest to a nation state, whoever that might be, then yeah, absolutely there's some concerns. And, you know, of interest to a nation state might just be that you're going to visit them, and so they want to keep eyes on everybody that's coming into a country, like China, that wants to understand who's coming into the country and what their intentions might be. You know, they may tag you through your device. They might, you know, intercept voice comms, might intercept SMS, you know, just to understand what your purpose is there. So...
I think that it's a moving target in terms of who they're going after and how they're going after you, but, you know, you have to consider what you're doing and where you're doing it to understand your risk from that perspective. As a consumer user, you know, I think probably criminal actors are a bigger concern, but if you're a consumer user in someplace like, say, Israel, you know, there's Hezbollah and Hamas and various groups that have capabilities, so they might be going after your mobile device because they want visibility into what, you know, Israeli citizenry is up to. So I guess my kind of point there is that it is a moving target in terms of what risk factor you're in and who you hang out with. Yeah, that's fair. So what kind of advice, I mean, what's the lesson learned then from the reporting, from the research you guys do on tracking all these different types of threat actors? Like, what's the lesson learned for the average person listening, doing enterprise security at their organization, from a mobile perspective in this case? I think the real core thing is you have to protect what you have control over and the things that you care about. So you can't protect against every threat on the mobile platform; ensuring that you have adequate controls around your data and access to your systems is probably the baseline that you want to start at. You know, what organizations will do that, something like an MDM, you know, shameless self-promotion, CrowdStrike rolled out a mobile product that went out at RSA, say, last year, so there's enhanced capabilities to kind of, that EDR, you know, visibility into your endpoint on your mobile platforms. So there's lots of things, software-wise, that you can do to get visibility onto that device, but common sense too, like...
Let's make sure your device is updated. Keep skipping that, they keep saying delay the update, delay the update, right. And I'll say here's the one that I think is the gotcha: making sure that you remove applications that you're not using. So, you know, not to call you out here, Raf, but take a look at your mobile device. How many versions of software do you have on there that you have not used in two or three years, right? I'm sure you've got like Angry Birds and Friendster or something like that on there. I may or may not have some Angry Birds on it. It really keeps me up at night around mobile: if you look at something like NotPetya from June, July 2017, there was a vulnerability in esoteric, you know, Ukrainian financial software called M.E.Doc that adversaries had hacked into. M.E.Doc, it wasn't even really vulnerable. They hacked into the M.E.Doc back end systems. They introduced a capability into the update mechanism, and they were then able to hijack the M.E.Doc update mechanisms and deliver arbitrary payloads, which ultimately resulted in them deploying NotPetya, which was meant to look as if it was ransomware; in reality it was more of a disruptive, destructive attack targeting Ukraine. My point is, think about who's developing Angry Birds and every one of the other hundreds of apps you probably have on your mobile device that you have not looked at, and that application silently upgrading in the background, silently updating, and beyond that they're using third party libraries for stuff, right? They're not gonna build their own ad networks.
They'll buy a third-party ad network library that they install into their mobile applications so they can, you know, monetize their application effectively. And you think about that: there's a lot of software running on your mobile platform that you have no idea where it came from, and you have no idea what their security practices are like at that development shop, and it could be outsourced to some third-party development shop, and there's just a huge supply chain risk on these mobile devices. That is the thing that really makes me nervous.

Yeah, I guess that's a point well taken. I mean, I suppose in that regard it's really no different than any other software supply chain, because people install crap on their laptops, on their desktops, on their servers all the time as well, right?

They do, but if you think about it from an enterprise perspective, they've got it pretty locked down, you know, if you take a corporate laptop.

Exactly, but on a mobile device, especially when it's bring your own device, you have no control over it.

Yeah, well, that's kind of terrifying. Now I'm gonna go through my phone, thanks a lot, and remove half the apps on there.

Now, there is a cool option, I'll say. I know on iOS, not sure about Android, but what it actually does is allow you to say, you know, basically remove the app if you haven't used it in, say, thirty days, and then when you go to use it again it'll just download it from the store, so that way at least the app isn't sitting on the device updating itself nonstop.

Man, I get that, that's very right. And just to clarify, because I'm sure people might have this question: when you think about updating the apps, downloading a new update, or like the difference between Android and iOS, I mean, some of this stuff may not be possible across both platforms, but certainly you've got apps that are sitting on your systems that are calling out through
APIs and all that stuff, whether it's updating the app or whatever, it's still calling out looking for potential commands and stuff like that, no matter what type of system you're on, right?

Yeah, I mean, there's parity across the different mobile platforms. That's good, though. I mean, I've got both, and I'm more comfortable with the iOS platform than I am with Android. I can probably speak more authoritatively to that one, but there's definitely some cool features that have been rolled out that have kind of addressed some of these concerns.

All right, well, I guess that's an interesting... I think, what do you wanna leave with? The thing that comes out of that report that you think people may have missed in all the analysis that's been done? What's the takeaway for you that you think maybe people are missing?

I think the most important data point is that the threat, you know, and I've been watching it for over ten years trying to assess when it was really at a critical mass, I think, you know, the point of this whole report is that the threat is at a critical mass. The capability has proliferated across actors of varying motivations, varying technical skill sets and capabilities, and it's not going away. So, you know, this is going to get worse and worse every year, and people really should be taking note of that and recognize that the risk to their mobile workforce, the risk to their mobile platforms, is real and the threats are here.

Lovely. Well, Adam, as always, thanks. Go back to baking bread, I guess. It's almost ready for lunch.

That's perfect. That is fantastic. Anything express, bread for lunch, no kidding me. All right, cool. Thanks for listening, folks.

So James, that was pretty informative, man.

Yeah, you know, it's funny, we don't...
I don't think we talk mobile that much, so you know, having those conversations I think is good, because, I mean, like you said, mobile's everywhere, and I wanna go uninstall half the apps on my mobile phone. Folks listening, and you're going, "nah, I don't have anything I haven't used in a while": look at your phone. I'm pretty sure you've got stuff on there you haven't used since you set it up, or even touched in a while. Those apps where you're like, "I'm gonna play the hell out of that game," you install it once and you forget about it.

Yeah, I've got some of those too. All right, thanks for listening. Adam, awesome, thanks for taking the time and giving us some insight.

It's been my pleasure. You all have a good weekend.

All right, thanks for listening, folks. We'll catch you another time, another place, on another Down the Security Rabbithole podcast. Ciao.

On another Down the Security Rabbithole episode, we'd like to encourage you to chat with our hosts and guests using the Twitter hashtag #DtSR. Please check out the show, catch up on any episode you missed, and subscribe so you don't miss a future one. Our website is wh1t3rabbit dot net, that's w-h-1-t-3-r-a-b-b-i-t dot net. So, on behalf of James, we'll see you soon on another Down the Security Rabbithole podcast.

DtSR Episode 385 - Malware on the Lifeline

Down the Security Rabbithole Podcast

40:54 min | 1 year ago

"They say they say we should have known bed then to Saudi down down into this. It's time you the venture down the revel into the world of cybersecurity you're plugged into the podcast for security leaders and practitioners with a business sense. Prepare for unique interviews insights and practical advice. That makes your job just as Benazir. And now. Please welcome your guides this adventure jeans Giardina and the White Rabbit Burrows Good Morning. Good afternoon and good evening. Friends and colleagues welcomed down security rabbit hole to yet another riveting edition of the down the security rabbit hole. Podcast hey graph and over yonder James is back this up buddy. Welcome man. We're we're midway through twenty twenty already. Aren't we feel like or I think I think as I saw someplace? Somebody said we were well into twenty twenty and I was like are we. I think well into qualifies once you get into like May and June that's like well into maybe even Moreso than third week of January. Probably not so much Across the mid mid January yet. And we're well into two thousand twenty twenty I. I just deployed through twenty twenty vision. Jokes just Are Killing me right now but we do have a fantastic show for you guys scheduled today again a good lineup of conversation and On this episode. We're going to talk a little bit about Stuff an unwanted stuff They didn't call your joining US Nathan. What's up man? Hey how's it Goin' things or having me and You are You are sought after individual at the moment. Or we're anyway for for a little bit there and you think the news cycles over with so thank goodness last week right. Well all right so For those folks. That didn't get chance to catch up on what happened. Give us the thirty second scooper to run down. And we'll we'll we'll start from there okay so back. In October we started getting support tickets for A phone that was on the systems of your actual. Don't give them the war accurate description of it. 
It was the Lifeline Assistance Program, and what the Lifeline Assistance Program is, essentially, is... excuse my kid in the background.

He's got him. Not to interrupt your train of thought, but as long as we don't end up with one of those CNN or MSNBC moments where the guy's giving the interview and the kids run in.

Might happen here. Let me close the door so it's a little bit better. All right, back to the story. Sorry about that.

All right, put him down for the count. Back to the back story here.

Okay, so the story is, we found a phone. It was provided through Assurance Wireless, which pretty much deals with customers that work with the Lifeline Assistance Program, and the Lifeline Assistance Program essentially is a program that provides phones for low-income families in America.

A worthy cause.

So, worthy cause, very much so. So, one of their models, the cheapest model on there, the most budget, for thirty-five dollars, was a UMX, and the UMX phone, we were finding from the support tickets that were coming in in October, had pre-installed malware on it. So the first thing, you know, we did is double-check that it wasn't a false positive. You know, those things don't ever happen, but you know, just to check it out. It wasn't a false positive; this is malware. And you know, we can't remove it.

What do you mean, you can't remove it? You can't remove it?

So here's the fun part. The pre-installed malware is at the system level. Now, anything on the system level, for security reasons, you can't remove. So think like your Settings app: you wanna remove it? Well, if you remove your Settings app, it would kind of leave your phone as a brick, right? So that's the reason why you can't remove it. But when your Settings app also has malware within the code, you have an issue, and that's exactly what was going on with the UMX here. So we dug deep. We really went into it. I really, you know,
tried to cross my t's and dot my i's on this one, because we wanna make sure that what we were seeing was a hundred and ten percent what we were seeing, 'cause you know, we couldn't believe our eyes a little bit too. Indeed, it had a dropper within the Settings app that was dropping a well-known Trojan, Trojan.HiddenAds. Now, Trojan.HiddenAds is this little piece of malware that pops up ads pretty much anywhere: in your notifications, on your lock screen, full-page ads, anywhere. What it is, it's a scheme so they can get a couple cents here and there from every one of those pop-ups.

Now, okay, so I mean, on the surface, like having an app, essentially an ad-sponsored, low-cost phone for the, we'll call it economically disadvantaged, I mean, part of me wants to say they gotta pay for it somehow, right? So maybe a little different.

It's a little different. I've had a couple of these phones, like the BLU phone that was in the news a couple of years ago. We've got one of those, and yeah, right when you boot up the phone you have ads. You know ads are there; you know what you're getting into; you know exactly where the ads are coming from. And it's kinda like, well, this is what I signed up for. This is a little bit different. HiddenAds hides in the background. You don't know where they're coming from. They're coming up from every single angle, whereas at least, you know, the BLU phone, it pops up in your notifications, you know it's coming, it's not a big deal, you swipe, whatever, move on. This one is just as aggressive as it can be. It is just from every single angle, and HiddenAds hides itself, so you have no way to disable it, because you can disable the ads on your BLU phone, you know, fairly easily, not a big deal, and continue using the phone. This, it's just nasty stuff, not something that comes originally with the phone. So when we originally purchased the phone and worked with it, we saw the dropper, but we hadn't yet got HiddenAds.
It wasn't until several days after that it finally dropped it. So the whole thing just kind of reeks of shady.

And this is malware, as much as malware can be, where you're right, some of the phones that do come with ads right there on the phone pre-installed, it's a little bit different and you kind of know what you're getting yourself into. This was definitely still malicious content. While the other thing is, it wasn't a pre-installed ad app; it is a dropper that drops the ads.

Yeah, so that's completely different, in my opinion, right?

So now, does it drop anything else, the nefarious thing? Now, another fun part of this phone is it also has what we have known for years as an auto installer, and what it is, is we detect it as PUP.Riskware auto installer, and it pretty much sounds as it is: a potentially unwanted program that is riskware that can auto-install things. Now, right when you start the phone, it goes ahead and installs three things right off the bat. None of them are malicious; it's just the fact that it just does it, not like things that you absolutely need for the phone to function. Now I understand: it's advertised as the wireless update app, and obviously it needs to be able to install some things to be able to update some system apps to have them more updated and more secure. That functionality I get. But when, you know, it's downloading things like, I can't remember what exactly it was doing, but like some Google apps that you don't really need on your phone, it's kind of like, okay, that's pretty powerful. That can just install whatever it wants, whenever it wants. So that's also on this phone at the system level. But here's the thing with that one: we have a way, a couple of workarounds. Because we can't technically uninstall it, because no matter what scanner... but you can plug your phone into the PC and use what's called the Android Debug Bridge, I can't remember exactly what it's called,
Essentially, a way to use command lines to interface with the phone, and you can use these command lines to essentially uninstall. There's actually a couple of different users on your phone, and if you uninstall it for the current user, it pretty much completely disables the thing from ever working or functioning on the phone. So the PUP.Riskware auto installer, or whatever we call it, you can easily disable using this method. If you don't use this ADB method, it's been shown that you can't even disable it. So this is kind of a workaround we found to be able to just, you know, stop it from doing anything, and people can continue using their phones. Whereas there's no solution for the Settings app. I mean, the only solution that you could really do is, you know, if you updated the Settings app with another version of Settings that was compatible with the phone and would allow you to update. Now I've had other cases in the past where the System UI app was infected, and you know, trying desperately to find a System UI app that would be able to overlap and fix the customer's phone is just not accessible, and at some point, well, there's nothing we can do. It's really up to the manufacturer to step in and say, okay, we're going to push out an update, ironically through the wireless update app that has riskware on it. Yeah, go ahead and push out an update and replace the Settings app with a clean version.

And my question is, like, how does this happen? What is the process for these budget manufacturers when they go through and they build an Android device and they're looking at different apps on the phone? I mean, I guess you would think that Google would provide just stripped-down generic system apps that manufacturers could use, but I guess maybe that isn't the case. I'm very curious to see what the whole chain looks like, from a manufacturer making a physical device,
the UMX, and then putting Android OS on it and then putting, you know, custom system apps, the Settings and everything else that needs to be on a device to function, and how in the whole process Settings could get infected with malware like that. It's, I mean, it's not an accident, right? It's not like, oops, something happened, and this is why I can't sort it out.

So as you're talking, it springs to mind, because this sounds like a unique problem to Android. You're not getting Apple doing this, because they control everything about the OS. They're so hands-on that it's impossible.

You're right. Where Android has so many different manufacturers and so many people doing different things, and I have friends that are developers and they say Android's just a pain, because every single one's a little different; every phone manufacturer is just a little bit different and you have to make tweaks along the way to make things function. Where Apple, I mean, love it or hate it, they lock down the whole thing.

But this is the, I mean, maybe I'm wrong, James, maybe we're just old, but this is the same Microsoft versus Linux argument, just in this case Microsoft is replaced with Apple and Linux is replaced with Android. It's the same argument.

Yeah, same thing, even Microsoft and Apple, right? I mean, Apple computers typically don't crash, not nearly as much as Microsoft, but it's because of what they run on.

Yeah, yeah, you know, pick any random graphics card, pick any random CPU, pick any motherboard, RAM, whatever, throw it all together, and you know, this huge mess, and Microsoft says we'll run on that.

Yeah, which, you know, it's nice because it leaves responsibility up to the user to do whatever you can dream of doing. Same thing with the Android OS. I mean, we don't recommend it, but you can go to a third-party site and download apps there instead of Google Play. No one's telling you you have to use Google Play. Not a good idea,
Yeah, but you can do whatever the heck you want. You can root your phone. I mean, not a good idea, once again, but you can do it.

And also, that sounds lovely for those of us that, and I just might as well exclude myself from this now because I'm not in that population anymore, but those of us that, you know, probably some of the audience that's listening, that are going, yeah, I can tinker on my own, I can recompile things on my own. I mean, back in the day when we had to install Linux from source, right, you had to compile everything before you could even boot up, and all that stuff. That limits the population that actually can do that effectively, that can do that safely, let's say, right? So let me think. The worry is always the user that thinks they know enough but doesn't quite know enough, which is going to be most of my colleagues at any given company out there. And so that makes me think, like, is this, it's definitely a, I think, disadvantage. So it's a disadvantage Android has, but then again it's an advantage because now it can be on a million different devices and you've got scalability that way, but then they're all out of sync. Are you guys seeing more of this stuff happening on the Android platform?

Absolutely, but you also have to think, all right, you want to go out to buy an Apple phone today, how much are you spending? You wanna go out and buy an Android today? You have all these budget manufacturers that you can get them from. Tell me where else you can have a smartphone for thirty-five dollars. I mean, it's hard, and I understand. I broke my Pixel last spring and I was freaking out. It's like, look at a Pixel 2, it's five, six hundred dollars. Now, I completely get it. You know, I get why people want to go out and buy a more cost-effective phone, and you know what I say? Go for it. There's absolutely zero reason why you shouldn't get a cost-effective phone, and yeah, it won't be as fast, but you can still get on the Internet.
You can still do what you need to do on it. But there's no reason why it should come pre-installed with malware on top of that. That's too big a price to pay.

Yeah, no, I think that's always been the risk, but that's not unique to mobile phones, right? We've seen cheap USB sticks that come with malware. We saw the Lenovo laptops, if I remember that correctly, James, it was Lenovo that had the problem, where Lenovo had that stuff on it.

Yeah, but even past that, the idea of bloatware, right? I mean, we've had that problem for so long, but you know, you take it to that next level of, you know, like you said, I mean, this isn't, it's not like the app was installed; there's a dropper there saying, hey, I can install whatever I want, and you know, people aren't agreeing to that when they get it, right?

Absolutely. They don't know it's coming up front when you have a dropper that's on a timed release and you don't even see the Trojan that's dropped until days afterwards. It's, you know, there's something very shady going on. Somebody's playing dirty pool there.

So you work for a company that researches, finds, and helps people remove this crap from their devices. How much of this, how much is this a trend? And what else are you seeing? I'm almost afraid to ask this question.

Oh man, I have been preaching this for several years now, to be honest. I've been doing mobile for probably, I'd say, close to ten years now, and I've been seeing this coming, and I'm kind of the guy on the rooftops shouting about it, and it was like, yeah, yeah, whatever, not really listening. Like, no, this is coming, guys, like we need to do something about this. Guys, okay, whatever. And I mean, the amount of cases we see in our support system, I help on the forums, the amount of cases we see there is just...
It's crazy. I was talking about the method where you can go ahead and use your PC and use command lines. Well, we have a forum post. That forum post has, I'm just going off the top of my head, I think thirty-five thousand views. You get it? So with that issue, thirty-five thousand people have looked into installing something on the PC to find a workaround to remove that pre-installed malware. It's a problem. It's a big problem.

And when you first had mentioned that, I was like, you know, it's pretty simple, run some commands, but when you're talking about the low-end phones, right, yeah, how many of those people don't have computers?

None of them have computers.

Right. I mean, you're not going into the library to load the Android Debug Bridge.

And I feel guilty, because I'm just like, this is what I have. This is what I... I wish I could do more. I, you know, I would invite you to my house, sit down and do it for you if I could, but you know, there's just the reality to it that you just can't do that.

And have you seen any instances where this is coming out? Because I could see this as the opening opportunity for, you know, somebody else that may be a capitalist out there saying, oh, well, I'll just create a program that says it removes it. You just run my program, you don't have to run any command-line things; download my executables and run them, you know, if you have a PC, run them on your PC, and now I've got this same type of stuff on your PC running.

You can't see me, but you can hear me; I'm holding my head in my hands right now.

Many times, if you've gone out and searched, right, you're sitting there working on, you know, a friend's computer, and what do you do? You go out there and you search. You say, how do I get rid of this? I got this error message, and you know, you look at the Google results and you know,
Fortunately there's a pretty reputable company that pops up at the top that usually is pretty good at pulling stuff off your computer. But how do you know, do I choose this one or that one? And I'm always terrified, like, can I run, do I wanna download this and run this? I mean, a bunch of people have done it, but that doesn't make it right, right? You know, and so it makes it that much more difficult, because you're in a situation like, dang, I know I got malware, and to try to get rid of the malware I'm downloading something that's malware that says it's gonna get rid of it, but it gets rid of that and then puts different malware on there, you know.

It's super vicious, especially in Google Play. There's so many fake scanners out there, so many.

Yeah, how do you know which one is reputable and which isn't? Which is tough.

Okay, I got another question for you. So we learned, what, twenty years ago, that we were going to get malware and viruses, that was what we called them before, on our PCs and Macs and Linux laptops and desktops and servers and whatnot. We started putting AV on everything. I don't yet have anti-malware protection or malware protection on my mobile. The mobile, the tablet, is that a thing I should be concerned about?

Yes, yeah, absolutely. You absolutely should have something, especially on Android. You should have a malware scanner, and guess what, at the price of free, there's not really much excuse. We offer ours; we have a premium version that does a bunch of extra things, and then after the ninety days you can run our scanner for free as long as you like. And I mean, a lot of other companies out there are doing the same. So yeah, I don't think there's much excuse. I think it's just a good idea, you know, even if you have best practices, visit safe sites, you go to Google Play to install your apps. Man, I always find it on Google Play. Those are always the hot blogs.
Because they wanna say they're impenetrable with their Google Play Protect. But yeah, we see that story all the time: Google removed another ten thousand applications found to be malicious. Well, like, how did they get there in the first place? Here's Apple, you know, disallowing something that, you know, moderately could be confused for bad, and on Android... but when you think about that, like, the totality, and this is something I don't know if you really have expertise in, so feel free to tell me this is not it, but like, you've got the folks that maintain the Google Play store or the App Store. They have to effectively police whether something that's uploaded is good or bad at the rate that these things are being uploaded and submitted into that system. I don't even know the numbers, but I imagine they're freaking monstrous. They have to be. So you gotta automate some of this, and detect, and Google's got smart people. I mean, they got lots and lots and lots more people, but the scale of it, right, and then it's always a game of cat-and-mouse. So operating an app store sounds like a headache. I don't think I'd wanna go do it ever.

Yeah, it's a nightmare, and we've seen this before. Microsoft said the same thing years ago. You don't need any AV. We have Windows Defender. Yeah, we all know how good Windows Defender is, right? It's the same thing with Google, you know. They're trying, but I will give them props. They came out not too long ago stating that, yeah, we're not that good at this and we're going to try to get some help. So they're trying. They're trying; they're admitting that they have some flaws.
Is that the reason, though, why there's a dropper installed on it originally? You know, maybe not going through the Play Store for it, but you know, hey, let's put a dropper on here; maybe it won't flag anything, and then days later, after it's been certified, now it can go ahead and download, you know, and that timing, that cat-and-mouse game you talk about, timing features into that.

Yeah, there's nothing... I talked about it, and we talked about this five, six years ago. I was like, you know, how do we know that developers aren't writing code purposely vulnerable in these apps? Yeah, but it makes it through, and, oh man, there was, you know, there was a back door in that, or there was an exploit. No, and then they get it through, and then of course it looks just like, oh well, it was just a bug in the system, even though it was a purposeful bug in the system. I mean, I agree. It's a tough thing, and the only thing I can say, and I'm happy to say, I don't know if I'd want to run an app store, but when they're pulling sixty, seventy percent of every sale, they have an obligation, because they're running it. It's like the same obligation, and this is just a tangent here, it's the same obligation like the folks that run the YouTube for kids. They have to make sure my kids aren't watching crap that's inappropriate for their age. It's like, I'm trusting you with that, right? That's your damn job, and if you screw that up, you know, there's a special place in hell for you, because we're trusting you. Break that trust like that... that's your job. But, you know, I just thought of something. With all these cars running around, Nathan, that are basically giant iPads, giant Android on wheels, are we talking about pre-installing anti-malware? A conversation anti-malware companies should be having?

Wow. No, no, it's not too far off the road. I mean, I've heard, like, conspiracy stories where, you know, someone's car just doesn't happen to stop and runs right into a tree. That happened to you...
...know, piss off someone in the government, some high-up in the military. So I mean, that is hurting. That's not too far afield. I'm... I almost feel like worse than that, though, is...

Yeah, what's that, James?

I feel like almost worse than that is, you know, we're going to get to this point where you get in your car and you have to watch a sixty-second ad before you can put it in drive or something. I'm much more terrified of that.

Yeah, and you know, going back to the hidden ads, it's kind of genius that, you know, they're popping up all these ads left and right, aggressively, and all the ads that pop up are for legitimate companies. So what happened to these guys in court? I mean, the pop-up ads, yeah, the pop-up... did these guys serve any jail time? It'd be like, well, just don't do that anymore, but keep all the millions of dollars you've made. You know, just don't do it anymore. I just gotta wonder. I feel like that's where mobile malware's going these days. They're going in the direction of being in the gray area to escape with... to also escape the malware scanners as well. You're laying in this gray area. It's like, well, they're just displaying ads, like we all have apps on our phones that display ads. What's the big deal? You know.

But when we get... what's another one? Well, you know, Nathan, this is kind of interesting to you, you know, how there's a lot of to-do right now about third-party libraries that developers tend to, whether you're talking about containerization, or importing stuff, or you're doing includes in software, or just whatever kind of importing functions, because nobody writes every piece of software from scratch, right? There's always libraries you're importing in. I kind of wonder if there's a library out there somewhere that has that dropper built in that these guys, by accident, legitimately by accident, used, or if it was malicious.
I'm sure there's a way to determine everything if you have enough time and resources, but you have to remember that my job is to classify malware, you know, and this blog took up a lot of time in December, where people are taking vacations, so I'm working with what I've got here. I'm sure, yes, it's absurd; someone who had all the time in the world and the aid to just look at issues like this could dive deeper and figure out the exact... but actually, it's not gonna be me, unfortunately.

Yeah, I hear you. I hear you. Listen, before we wrap around the time, how much, I mean, you, like you said, you get paid to classify malware. How much of the media hype that we hear about, millions of new samples a day, thousands of variants, blah blah blah, how much new malware is there actually out there being produced on a regular basis?

You know, we have a feed that comes in every single day, and I'll pull up the stats from just the last couple of days of what we have seen coming in, and keep in mind these are numbers of things that we think have a good, high probability of being malware. Let's see here. So just yesterday we had sixteen thousand; the day before that, twelve thousand; the day before that, fourteen thousand, and the list goes on and on. So is there new malware, different variants of malware? There's malware coming in every single day. Some of that malware we already detect, obviously, but obviously a steady flow coming in.

So I mean, I think for some reason in mobile people don't make the connection with malware as much as they do with the PC. The platform has always been sought... been... look, those of us that are old enough know that your flip RAZR didn't necessarily need malware protection because it was a phone; you called people.

Yeah, yeah, but I think we're at the point where, if you have a smartphone, excuse me, I've got a cold here, we'll dig into that, but if you have a smartphone today, you'd probably be glad you have a scanner on there. And if it's free,
You might as well do it. Yeah where's your risk level versus like malware? What would classify as our guest versus stuff like Ma- ransomware on the mobile like ransomware We saw a pretty good trying to raise the wear loan with the PC side just like the PC side is kind of died down to die down side too but we add exists Is a little bit different? Obviously where ransomware on a PC? It can be locking down a whole company. Where on the mobile? You'd be lockdown. Someone's cat pictures now so the might be willing to pay for the cat pictures you know but you know everything that we see on. PC has eventually or will eventually trickle down to the mobile side because it's kind of the same developers we do you see better trends amongst mobile so like you know like you mentioned ransomware computer. It's whole different thing phone like Jim. More people if people tend to back up their mobile devices better than they do their computers like. I don't know many people that actually back up their computers right but I think we do. We got the ball. I think we'd get by default because of the phones like an Omen Pixel. Has Google backup right on it and set it up right? We update the Ryan. Yeah it's all it's all there. Your photos are uploaded. The cloud automatically I don't know if the same case with the budget carriers but you could definitely get a backup thing and it could easily back up any new photo. Third thing with that. So yeah thank. We'd do a little bit better job. At least from a I get that from like a ransomware perspective being less effective on mobile just because most people actually whether they know it or not. Probably have backups. You know it's all a break. And they're you know there's a way like factory reset and reload from backup and you kind of back up and going. Whereas you know most of your. PCs aren't backed up at all. Yeah it is. It's a lot easier process. I mean again in a couple of times where you just go ahead and backup everything on your phone.
You get a new phone and within minutes. You're up and running and Sullen Oi the apps over under old home so it's a little bit more streamlined. Little bit easier. So yeah. There's there's some differences like you know. Ransomware is as effective. But there's also things on a mobile phone that are way more effective than the PC and in my opinion Wayne were scary What brings us to a good segue to what we call stalkerware. Stalkerware is seriously any app. That has the ability to spy on someone's phone and we've been seeing a huge uptick and cases where domestic abuse cases people are able to find the victims and shelters or wherever they are because they have some kind of spyware that said in on their phone now. Is there really cared in their lap? Around everywhere they go not necessarily as everyone carried their phone around everywhere they go absolutely and these things could do. Creepy things like take pictures from your front camera from your back cameras so they can take pictures of where you are a contract your GPS location. It can record your calls. It can detract. your SMS. I mean anything. Think of these things pretty much do or that's something that is unique to mobile that you know as becoming more and more of an issue and we're really trying to push hard to detect a lot of these these creepy things and We're going to continue to do so when we're partner with other companies as well have you seen from The makers I guess right whether it's iOS or Google as far as doing it because I know like at least with my phone with iOS you know now at Talaq Ammon even even if you say like always allow tracking my location for like my mileage app you know every three days it pops up and says hey. This has been using your location. He wanted to allow allow for a day.
Always I just said always allow well which is probably a good thing right that it that it notifies you that it's is tracking location issue is when you can pretty much have them tracking location that you don't know Location that's run in nearer in the back row to your own and the unique thing about stalkerware is la these cases It's being installed by someone who has physical access to your phone because you know domestic abuse cases for someone has access to your phone is able to go ahead and and install these nasty things and you. You're none the wiser so an rn. We wanna be able to detect them to at least give warning that hey you have this monitor we clarified Mosey things as monitor and You know this this thing is here in in could be tracking where you're going so it also like much more Android based versus iOS based as far as risk level. I but I think there is some uniqueness to Android that makes a little bit easier To to be able to do that Has a couple more you know he can grant permissions on Android than you can. Apple be able to do things in this manner. bartered install apps too. I mean I mean I don't know I mean I feel like I could give somebody my iPhone and even unlock it if I tried to go. Download a new app from the App Store. You know you gotta have my fingerprint or my password to be able to do it whereas you know I don't know about I don't really do cover too. You know going out to be able to just download a file from anywhere and loaded onto a system seems a little bit more relaxed than in the environment. I just checked you guys. I just checked in so I I check my Android version. So Maya I've got a OnePlus And My Android version on ten and as of the most recent update Google now regularly pops up and says Hey this app has now gotten your location twice in the background. Do you want allow this. Do you want to allow location? Only when you're using the app or like screw this. This should not have my location.
I dig that You know the problem with that. Is People get the teague? Gave them my newest with does it to all the time dislike the distracting. You hear this jerk a jerk. You were at some point you just like. I don't care just allow Lockwood all Lao everything. 'cause I'm just teed and sick of the Novacaine loading every feel like we forget that security industry. Yeah Fair. There's there's a point where you just you just you're being annoying and everyone just can allow everything I mean. I'm none the Nile. I know what people are looking at the right before president stall on apps. Nobody's doing that Leon. I'd do that until you see what I mean. I could ask from you know from the aspect of apps that may use the camera. But I mean I've only got one app and it's my mileage tracking app that ever asked me about tracking location like what kind of apps you loading. So I'm I might want to start running some of your mouth now hold on so for example I use of YouTube. TV So YouTube TV regularly pops up and has gotten that pop up LinkedIn Twitter Facebook My for for For whatever reason my Amazon shopping app has has asked about that Like I use Runkeeper to track. Track my runs That wants to make sense that you'd only have. That should only have my location while I'm using it like. Why are you doing the rest of the time Microsoft Teams like what the Hell does fitness tracker? I would imagine that it would have to know your location all time because I mean do you want like sit and wait five minutes for the GPS to connect before you can start your run. So now disconnect. I don't allow it to do it all the time and it takes maybe seven eight seconds. It's pretty quick on Android okay. Shouldn't take long because the phones. GPS All the time. Yeah I know I was gonna say I told the apps no but we all know the phone by itself is striking. Because anyway so yeah. This isn't a the this isn't fifteen years ago when you had to wait for your phone to pick a four satellites to get.
Well this is a this is a good place to end this. Because we're gonna we're we're out of time but Nathan. This has been fun. Great Chapman. Uh It definitely Definitely interesting thanks for bringing that to light. I mean I I really do wonder whether it was whether it was as we were talking. I started believing maybe was just a library. Somebody did an include on or an import on. Didn't relieve and think about what the heck they were doing. A that is entirely too common app development world or maybe malicious loans. Let me just say that you know? I know we've been hanging on you. Max. You know a little bit here but it's not just you Max a lot other carriers and you know what? There's a good chance that you amax is the victim just like everybody else destroyed to provide a budget phone and they got into business with people they thought were legitimate and they you know they just got had. It's It's a. It's a possibility so I don't wanna pick on them. I don't wanna pick on them too much in it lot. I. I'm happy that there's companies out there that are trying to provide a budget phone because five hundred dollars a thousand dollars is too darn much. Yeah no kidding especially when you are thirty seconds into it. You drop chatter screen and you're screwed any. Who and not like. I've had experience with that Nathan thanks. It's been a pleasure. Thank you for joining us. It was an absolutely jazz. Another one As we rolled them in the book closer to four hundred. Man Now rolling. They're fast all right folks listeners. Thanks for joining us There might be some show notes in this one. I'm just curious how how many of you get actually read show notes. 'cause that's what. I write them for just for myself. Just kidding Also if you haven't followed our Twitter account and if you guys have at DT Sr underscore podcast on Twitter Trying to get that one a little more active than more than just posting the podcast and of course on LinkedIn I post this too so Thanks for listening.
This has been fun. for Nathan Jacobson myself that I appreciate you guys listening. We'll catch you another time. Another place on yet. Another down skewed rabbit hole podcasts is. We've bathed out on another down the security rabbit hole episode. We'd like to encourage you to chat with our host and gifts using the twitter Hashtag Pound D. T. S. please check out the show. Catch up on episodes. You may have missed and subscribe. Don't miss a few for our website is white rabbit dot net w. h. One T. three are BVI. T. Dot net so on behalf of jeans along with good bucks on another down the security hole podcasts.

DtSR Episode 360 - Thwarting Bots and Frauds

Down the Security Rabbithole Podcast

41:21 min | 1 year ago


"They say they say we should have known embed thus o._d. Down d- down into this it's time i again the venture down the rabbit hole into the world of cybersecurity. You're plugged into the podcast for security leaders and practitioners with a business sense prepare for unique interviews insights and practical advice that makes your job just as benazir and now please welcome your guides sides this adventure jeans gerardine and the white rabbit's rough good morning good afternoon good evening. Thanks for listening welcomed the security rabbit hole to the down the security rabbit hole podcast. This is rap live sitting in chicago. In person going to do a live interview with a very very interesting topic. got sambu so with me or what talk about the intersection of machines and humans in terms of identity detecting badness along those lines but i'm let it introduced himself dive right dan sam hey. This is sam brousseau the CEO. And founder of pre cognitive we're excited to be speaking with you there so the hot topic topic then you hotness obviously or the same old hotness insecurity is as we as we break platforms apart and try to identify what what bad looks like comes back to the identity right machine learning artificial intelligence fun little buzzwords but ultimately it comes down to figuring out how do you how do you detect when a interaction with any particular online asset is machine or or human and whether it's good or bad fraudulent or real rights you guys tackled that from a company perspective. Let's talk about kind of the problem that you're seeing being able dive into specifics yeah. That's a really good starting point so this is the third fraud prevention company. I've been part of where we started off. Initially was looking at data.
That's being input by the user so who's telling you they are when they go ahead at submit mine and what's the data they're entering it and submitting to you but as i'm sure yourself and your audience are aware the number of breaches we see just continues to talking any better on the numbers so this that was once kind of like hard to get a hold of now a thirteen year old can buy some bitcoin jump on the dark web and purchase full identities for percents right so the barrier of entry has gone down for fraud in general and the quality data that fraudsters have access to has gone up so you really have to look beyond just today that consumers providing you go deeper you know we focus on now device intelligence looking at a consumer device first and then furthermore getting into behavioral biometrics and behavioral analytics so this is how consumer or user behaves and the thing there as you can't buy hi that right. You actually have to do it. Yeah and these are the types of things we're looking to create our data that you cannot purchase but you actually have to do okay so there so there's a couple of branches then the debt that that were we can focus on you talked before we started recording. We talked a little bit about the idea of credential stuffing getting basically the stuff that scripts will do and then there's actually write fraudulent transactions and fraud. How do we separate operate these things correct a lot of that really comes down to examine. What's taking place when you're interacting with what you perceive to be a consumer so we're looking at user. Interactions are in some case by or automated interactions and application level. There's there's quite a bit. You can extract right in terms of. How did this session take place and what occurred in the session.
Bots don't don't perform a lot of actions you expect her that you would see from human so you know separating human and bot we find that you can can simply look at what's taking place on the page and some folks trying to be clever with their bots and make them click and so forth but they're still you know a ah natural movement if you will to actual human that they have a hard time simulating a replicating and obviously leverage i'm learning to the help nope not to be flippant but like when i talk to folks at ronnie com platforms and bigger small the answer from a security perspective look at the security a person say estimates able we use captchas all those other things like have we solved this problem and so i'm guessing the answer's no captchas can be defeated. we actually do that. Hamels ourselves and we've even published recently on the web that you can take that will solve you know the the google. I'm not about click yeah yeah yeah yeah so they do you make the barrier of andrea you know a bit harder for fraudsters but you can certainly get past them so i i don't think captcha on its own is sufficient and furthermore captcha creates friction and when you're an economy or spending lots of money just to bring the reconversion you can now. You're potentially turn one away or dozens something away because the recaptcha what's frustrating to use her and they bounced off the page. Yeah that is that right. That's turning away people. Oh and sometimes it's people for a number of different reasons right visually impaired hearing whatever it is. It makes that tough so okay. I see i see so. Where does this guy like. What's the what's the progression here is obviously if we're trying to.
Are we talking reducing global fraud numbers or what are we trying to get at ultimately what okay what our goal is you know i think even as a industry as a whole as one that prevent as much as possible without impacting consumers what we've seen happen over i'd say last five or six years as the generation one generation to fraud prevention solutions when the attacks got more sophisticated tecate. Dan have the underlying tech to deal with it so they ended up doing was like let's add more logic more constraints more rules so you know you walk into a larger retailer today. We're finding these guys are declining like five percent of the transactions in real time right these are people that wind to convert it was like i hit submit and they got rejected. You know either by some system that's sitting there or potentially they got queued up to a fraud al so there that made the wrong decision by i five percent and we know statistically frauds about one so it's like four percent of your revenue. You're just giving away. I don't want that wanna. It's too risky for us. Is there a number behind that like a dollar value yet. You know they say retailers lose more in false positives i than they actually lose to fraud so that's that's not a good and and we've seen numbers you know of these losses in the US. US False positives in excess of one hundred billion dollars that that are being quoted. I and you know people are still losing thirty two plus billion to fraud so they'd it'd be better off if they could just letting the fraud through obviously that doesn't work out become a target and the fraud gets higher but i mean look like insecurity in in sort of the other this led security you get a false positive rate. That's higher than the actual incidence rate. It becomes real difficult to keep that tag on right certainly the bits.
You're convinced the leadership that we know we still need that like yeah but it's doing more literally doing more harm than good and in e commerce hammers where everybody's competing against the amazons of the world i mean you don't want to turn anything away. I i can tell you how frustrating traveling and that's what i do for a living right running my corporate card or running my amex and getting declined and then you get even though you get that text fifteen seconds later about hey. Did you do this transaction. You go yes. I did by the time the people in line behind me. You're frustrated up. You know what forget. I'll just move on and i've left. It's interesting so while because this this is what what generation of tech are we talking first and second generation gen three gen four where we got we are now in january and powers what we're seeing emerging market and against trying to focus back on have you financial data that has been leverage because we always see new companies emergency. We are doing machine learning we're doing AI. Those buzzwords are there other remark it out you know and then i kind of look at it. Okay so you're making the same pizza you have a super oven instead of a regular regular using the same ingredients so what's the outcome gonna be yeah slightly masturbate pizza. That's ultimately what you want to do. What better outcomes not just say alabaster. You got and we want more toppings. We need more copies so that's were that.
Yes i think the two innovators in spacer bringing in additional data sets so going beyond your traditional data that's being supplied by consumer and using using we've seen some interesting companies companies that are bringing in external data sources that people haven't thought of before like going taking marketing lists and using them the bump pop against see if these people have been marketed to before okay so tragically layer or urgency that you haven't particularly thought of using one of the first things we did yeah that people thought was we are as well we put in census bureau data to our system but actually quite a bit of a location where you're potentially shipping or something something yeah yeah yeah and and your models will will pick up on that and be able to extract some very valuable insights never thought of that. That's interesting census data gives you location nation m._u._d. Geographic population density gives you out factor. a little bit of you do get some age you get them. Graphics graphics you get water area and some of the the census bureau that we've seen like what's the water area. You might think like what the hell is that matter and that's exactly what we thought but we shoved it in there anyways and we had you know our models back and said higher water areas have a higher risk of fraud puzzled us for but then we realized that actually correct because that's where a lot of free borders are and if you're shipping product overseas you defraud shift to a freight forwarder in right so there is there's now now it's looking. At what other data sources can we bring in whether it's publicly available data or data. That's proprietary that we're able to generate that doesn't exist awesome. That's interesting early invention. You know the way because behavior analytics is a new thing. It's been it's it's has it's been done arguably arguably not super.
Well i remember so i worked on a banking platform going back to two thousand four two thousand five where there were those vetted at the company brought in the promised to be able to pull information off the phone that you're if you if you were you know trying to buy something off of off of their app. They could tell the at rate phones new around that you're a human being with right. Living are diesel divide these computers carrying their pockets generate a metric truckload of data about us. Most of us really aren't cognizant l. Which is a little scary in itself and five gonna make that worse but we're what are you. What kind of data points are you talking about. We're talking about behavioral analytics. What's what's the universe of data yep so and behaviorally that we actually we break it down to categories so we ever on alexa be able biometrics so behavioral analytics. I think about when you go on transact online. Let's say you're buying a pair of jeans. Do you just go to gap by. The jeans probably not right we go. We look we see if we can find a coupon. Yeah we see that plug. We're using has has a more us michael. Look at another pair of jeans. We come back. We might sign up for marketing email hoping to get that too many percents coupon so we're actually looking at those interaction okay from a behavior selects perspective and saying okay wrath and we don't know what's wrap your zero one nine out of your anonymous but this consumer look at same pair of jeans five times in the past month and now they're overnight shipping. Oh that's actually a good consumer behavioral pattern right you. Fraudster doesn't behave in that way. They're going to just buy get shipped overnight yeah but most of us i've ever bargain shopping and you know we look at that. As is the item on sale. What's the discount amount at sarah which can say that somebody's showing consistent interest in in a product or service transacting. That's a good sign.
I'm so that's a really on the behavioral excite behavioral biometrics as a whole nother field and it's really quite interesting to the amount of data we get out mobile devices ranging from data on your accelerometer how hard you press on on the screen. and some of the stuff you think is like me and one of the the R&D guys you're joking around like anything valuable and we start just doing ourselves in the room and mike apparently slammed the phone with my finger every time i touch it and you know he's the lightly tapping on it. So you know you start to combine all these points how quickly our user types how you know they hold the device what angle and you start to get a good consistent patterns for people because i i know i know gait was one of those things that they were looking at like when you put your both people carry their phones in their pockets soon. You're gonna see the abuser yeah. That's that's that person because somebody somebody walks all the differently and one thing you know i've seen some claims that people say we can uniquely identify an individual from this data. We cannot uniquely identify individual say that we're looking at a massive population of one hundred million yeah. You're going to have people that light but what we can do is say this device belongs to this account and this kind of fuzzy signature of this user. It's like a low resolution image if you will where like a one megapixel camera. It looks pretty darn right yeah and we've seen this device before and whatever other factors we have in there okay. It's very likely that right and and it's certainly not something that's one hundred percent accurate in terms of the behavioral we have a biometric data but it can give you that additional confidence through the with other factors say okay. This is who we think something we that's okay because i don't want to necessarily identify myself itself or you.
Don't want to start pointing out people you don't right you want identified their their their persona not the individual exactly and this is another challenge john security right people generally associate security with you know being able to identify somebody as one hundred percent unique but you have obviously all the privacy obviously regularly and consumers worried about this to see how valentinus right we want to be able to positively identified as much as possible without being one hundred percent or sat and being too sticky to where you can't this so you've got to also kind of clay both sides here in terms of being respectful of privacy and consumer choice but still still protecting the consumer as well as the business enterprise behind it so there's a lot of that that's actually pretty interesting because as you start to aggregate lots of these different data points this is this readily available number you know when i was at the hoppers that a company we pulled that from like cookies right. We'd set that by various various pieces of code the applications browser. How do you get that off of the is that something you said the API. To give you we do use the native API is is there a storage mechanisms devices while where we will look to write something that is a unique identifier device but still does not identify individual okay so we do a lot of binding of of unique data points that are still anonymous but you know that's i think where the market's heading what you have to be able to yeah and that's that's always interesting because that that gives you the to the is it well so i'm sorry that limits that's us too to mobile devices your cell phones right. What about your ear. Your tablets your laptops or other types of devices your keep out browser kiosk. Ask god help us if you're using those right at the at the hotel. I'm staying yet. There is a business center where there's a bunch of computers lined up.
People check their email from yeah. There are different bits of data. We get from those devices you know from our perspective a web browsers is actually easier to deal with but you have kind of sometimes a lesser persistence there however you know the APIs for browsers if you have take a look at them or starting to resemble mobile global more so you know stuff that you can only do previously and say a native iOS App some of that's now bleeding into just a standardized ended is APIs so as as the browser market. I would say kind of catches up to functionality. I was available native applications and some of this also becomes easier chrome driving with other browsers. Ask google driving crow would be the crumps fifty plus percent percent of the browser market now so for us it. It's a big place of our d. and google does a great job at security as well and consumer privacy within chrome so crazy statement right it is and you know i think they know they have the balance it. They they permit certain things that you know. Folks take advantage but there are things that probably go too far. I think they're respectful enough given their their market position to to block those types of active so we're trying to solve that human versus bot fraud versus real problem it. There's gotta be what these are desert in line rain decisions on allow the buyer not right. These are like these have it at sub second. You're talking massive. Data pools is do you build a profile ahead of time and know before i'm gonna go click on by that at that option. I should not be buying that or is this like an app at decision time before he charged a car to get human human like we play like the roulette wheel. There is allegation. That's consistently happening so as you're navigate through websites are interacting with application. There's a profile being built.
Some those files never get access because you never convert or do it of what we call significant like log in or wire transfer whatever or maybe but there is a building of profiles that happens and they get access at the point where the decision is it but so you just mentioned wire transfers. This isn't just like going in the checking out at some econ platform. You're talking about other applications. Here's well yeah we primarily said and and three use cases right from our perspective but those use cases are our across multiple industries so we are looking for things like account openings like when somebody is establishing facebook account for example as i really a person or is it going to be a damning account opening but that could also be account opening of a credit card right bank so looking for broad there. We're looking at a point of transaction. The transaction could be an ecommerce purchase could be a wire transfer. Her could be movement from card to card if you're sort of value cards and then the the other area where we see a lot of interests especially these days given dan you know things like the state farm breach at that recently happened is around log in credentials stuffing. So what is it about our human attempting to log in and second of aw what is this logging consistent with how you previously are using the same device or same type of device. Are you saying geo fence. Are you typing the same way. Are you holding device in the manner that we've seen you hold of them before and really bringing all that together and saying okay we are confident.
It's this user and and if not you get one of those nice messages in your house inbox that says please enter code yeah yeah yeah so where's the most obviously besides com where's the most relevant applications of what we're seeing this problem solving right now e-commerce and financial services banking or um tom fintech startup so they're taking information from you. That could eventually be censored. Make sure it's secure it so that that seems to be the pattern right. You've got the that sort of two places where financial transactions happened either at the management money. Hold my money or take my money. It's always centered around the cash right. So what comes where the where the limitations like what are you. Can't you solve like what are you pushing. The boundaries on you know we've focused on very much on those. Those kinds of three use cases from where we do find some challenges. As how do you determine if it's a good user on the i interaction with them. I've i've never seen the log in before. We always assume on the first go round. That's actually your account so there's there's some of those challenges in terms of you know when you're you're starting to build these profiles understanding user making sure you have the right user. We're generally dependent in that case in our partner who were working for two to trust the dave secure enough to the point where we're i interacting with. It's really you as opposed to to komo already being down the rabbit hole fraud yeah yeah and that's that's an interesting place to put it because that that kind of the technology seems to be like set it up around identity right and it's i i would love to see that being adapted towards other less will call significant applications like a think of it this way. I might like a google authenticator right.
Wouldn't it be the greatest for apps that need to verify that it's you, rather than every developer trying to develop their own version of what you're doing, if there was a human authenticator app that could tell you, that you could ask a question like, is this really Sam, and it would go, ninety-eight percent, no, this is not Sam. This is Sam's mom or girlfriend or somebody else that we don't know trying to get into this app or this phone or whatever. That's, I think, an interesting application, sort of pushing the frontier. It is, and we are aware of a couple companies that are trying to do that currently, so as opposed to doing this, you know, in the cloud, there's a couple of startups doing this on the device itself, and also potentially somebody like Samsung or Apple could license their technology. That's interesting. And maybe emit some sort of signal to where the interaction's happening, that it's that person or not. Good. So there are some folks looking at it from that perspective. It's certainly, I think, an interesting space, especially with the mobile device now almost becoming the identity, right. Everything is so heavily focused, and somebody asked me, would you rather lose your wallet or your phone? I didn't have to think about it; it's like, take my wallet. My wallet is my phone. There are a lot of people that are doing that now. Back in the day, you know, I would certainly rather lose the wallet than the phone as well; I have a lot more on the phone. But the device has become more prevalent; you even see grandparents, that type of age, like wow, they have to now. So, you know, there's a lot more reliance also on the mobile device becoming that sort of thing that you have when you're looking at, you know, multifactor. Yeah, something you have, something you know, something you are, yeah. So with the different, I guess because with the iPhone on the Apple ecosystem,
It's not so bad, but on the Android side, because we've all seen the metrics, it's horribly fractured, right: ancient versions of Android all the way to bleeding edge. How do you think that people buy stuff off of all of that, right? Is there, how do you essentially step down or step up, or try to kind of build the best model you can using whatever the heck you're living with currently? Is that a, do you develop a separate model for each of these different operating systems or capabilities within the OS? How does that work? We do have models for different operating systems. Android, it's quite interesting: not only is it fragmented at an OS level with some of the versions, it's fragmented at a hardware level. Yeah, anybody can produce an Android device, and there are literally up, different models, and some of them have really bad security at the hardware level, where you can, you know, make the fingerprint biometric say it passed when it actually didn't. So, you know, we use a lot of unsupervised learning to really look at where we've had anomalies in the data, where they just don't look right, and sometimes it is catching these devices; they're not behaving in the manner that we kind of expect them to, right. But this is one of the challenges I think we'll continue to see, right. You're gonna have all types of devices, operating systems that you have to deal with, and for us it's really boiling it down to which data points are actually critical here, because we can get hundreds of data points off of a device, but, you know, foundationally there's a dozen or two that really matter. And the nice thing is, you know, there's something analogous on each OS, right. Okay, Android or, if it's iOS, we can find something that's similar. You know, access patterns etc. might be different, but you can get to kind of a common ground with the two. That's interesting.
I think that makes it more interesting, because trying to support these vastly different models, it's got to be on your development, on your, so you mentioned unsupervised learning, and I know that's what people generally throw these buzzwords around, AI, blah blah blah. Okay, unsupervised learning, a type of machine learning, so give me a little, without disclosing anything obviously, give me a little background for the listeners. You know, what types, how do you guys leverage machine learning, and are we actually talking, Scott, what's your artificial intelligence perspective on this? Yeah, there's obviously a lot of misconception around AI as well, right. People think the machines are making decisions by themselves and thinking for themselves, and we're not that far, obviously, not just yet. By the way, I'd like to be obsolete. Thank you, I agree. We do use, you know, both supervised and unsupervised learning here, and I think in the field in general they both have applications where they excel, right. From, you know, an AI perspective, I think a lot of people kind of think of AI as what we might call reinforcement learning, where the machine can learn off of its errors and better itself, and that's kind of this doomsday thing people think of, as the machines are teaching themselves. But, you know, they're within a set of rules and parameters that we're setting, right. We're kind of setting a chessboard and saying here's how you play it, and training the models to get better and better. Where we use artificial intelligence, if you know, I usually say machine learning, but I know AI is kind of the buzzword, but machine learning is primarily looking at data where we have existing labels and then training supervised models there. But in certain types of scenarios, for example, like device intelligence data, we see how a device interacts. We also see things like TCP/IP
packets, HTTP data, browser data, device state, though, so we don't necessarily have examples of what's good and bad, but we have so much data we know what looks normal and what doesn't, and that's where unsupervised learning comes in, because we can feed it, you know, these terabytes of data we have and say okay, find the stuff that doesn't look like the rest. And a lot of times they're out of the box, really weird Android devices, or like really weird users, and a lot of times where we get excited is when it picks up on stuff, which is like, we can see the TCP/IP packets belong to a Linux server, but it's like hey, I'm an iPhone, and it was like no you're not, you're forging the user agent of an iPhone, but this is a Linux box sitting in a data center somewhere trying to transact or log in right now. And these are the kind of big red flags that people are coming to us to help them identify. So that's interesting. That kind of sold the applications for what you're doing. From our perspective, I mean, combating global e-commerce fraud and financial crime is huge, but I wonder if, we've on this show talked about several times, it might be worth revisiting again, about the fact that, you know, how big is the global fraud number. The answer is, it's exactly where it needs to be, right. If a company spends any more, they'll be spending too much; if they spend any less, they'll be spending too little. So it sort of balances out. This is what they're willing to accept as loss; the cost of reducing it is less than the actual, like, the loss, right. So if you're, nobody wants to spend a hundred dollars to save a buck. Exactly right. So are the applications of the technology that you guys are developing broad, so that it can be used at e-
com and these different markets, applicable to the whole thing, or is it specific to the application? So the way we go about the platform is a series of products that are kind of plug and play. Okay. At the core of it there's a decision engine, machine learning capabilities; you can write rules if you wanna kinda go a little bit old school; they'll do them as gatekeepers for, you know, policy, things like that. And there's other products you can bolt on, so there's a device intelligence component, there is behavioral biometrics, there's a bot detection module, there is a deep web crawling module. So it's really, our idea, kind of where we see the space going in general, is you have a lot of point solutions out there for fraud, even cybersecurity, and you're like okay, I have a problem, I'm gonna go to X company because they do that stuff. Yeah, but then you've now got something, stop credit card testing, right, you gotta go get another product. So our goal is to really set something, I hate to use AWS as an example, almost like an AWS of fraud: here's a stack of fraud technologies, what's your problem, here, we can put, you know, this is the goal. Ultimately people always come in, just to be buying the whole thing, because they're like all right, we need everything you kind of do; you know, you have to wear the entire suite. That was, you know, our conception of how we envision the market evolving over the next five, six years, and we started building from that. So everybody's talking about elections as we start to take some of these things online, yes. I am, on, has this idea of moving technology broadly, you guys are developing, taking that into the world of tomorrow.
We're actually going to get away from people standing in line, paper ballot voting, and maybe going in and actually having online interactions for elections and other important things that are not just elections but other kinds of governmental or governing types of things. Is that tech, do you feel like it's close enough to where you'd be comfortable using it today, or is there some not yet? No, I think we have technologies and ways of doing, you know, even tying you to the individual device and making sure those identifiers we're putting in there can't be tampered with, whether, you know, shared. Yeah, so we have that technology. I think the bigger challenge is, with something like an election at this point, does everybody have access to the mobile device? Yeah, but there are countries, I believe it's Estonia, where they do their own online, right. Everything is digital, digital cards. Yeah, I'm sorry, I think we'll see this, especially, you know, the US is always kind of at the forefront of this stuff, so if it's something that starts to, also support from, of doing it wrong, not gonna rush to that. Yeah, yeah, I would think in your lifetime we would probably see this happen, where elections are being done maybe by using your fingerprint on your iPhone or some other mobile device and making your selection. That certainly would be interesting. What about, sort of, you know, last kind of question from an R&D perspective: what kind of data sets or data points that you can't get to today, or maybe where's this kind of leading you from a research perspective? What else are you looking at? What's the frontier on the research side of it? Yeah, our focus is very heavy on behavioral biometrics, and we think we're making progress, but the data sets we've got, there are probably icebergs, and the more we kind of dig into them,
the more stuff we find. I think, you know, behavioral biometrics has been around now for a while, but I still feel from our perspective we are at the tip of the iceberg. We can still find new stuff or new ways to use it that we hadn't even thought of or that we stumble across by accident. So there's a lot of information there, and, you know, for the amount of data that we're able to collect currently, I would say it's probably ten, fifteen percent of the data that we're actually collecting that we're able to store. So there's still a lot more to be done here in terms of other things that can be done with the state of data. We're doing something now, it's really interesting, on the insurance side, where you can go on and put a claim online, right, for your car insurance. If you crash a car, we're doing something now which is deception detection. It's still in early stages, but we're looking at, you know, when you go through and you say like you had an accident, you're filling out the form, what's the damage, and you put in three, and you get to the end of the form and you say six, and you go back up. We're looking at that change: what's the increase, and how long after the initial entry did it take place? We can start to measure if there's potentially some sort of user deception here. So this is something that an insurance company, a large one, approached us with and said can you do this, and we said I think so, let's try, and they're like all right, let's try, and it's working, right. We can see these nuances in the data that suggest a user might be lying to us. Humans, ultimately humans are fairly predictable, as what I've heard from folks that do study behaviors of people, right. We're predictable from the time we get up in the morning to the way we sleep, all the way through, like we have patterns. We generally, unless we're savvy, don't deviate. Does that feel true? I do, you know, I know I'm a creature of habit.
I walk the same route to work every day. I, you know, have a very, I would say, regular schedule in terms of when I'm working and when I'm not, and the start and the end is the same all the time, but I think we are certainly creatures of habit, and, you know, now that we've got these mobile devices in our pocket, they're sending off little signals on how we walk, how we hold our phone, where we are geographically, how quickly we're moving. You know, we see this in our login protection component, where we can see like people log into their bank account at the same time every day from the same location; you know, they do on certain days of the week. If you look at this stuff, a lot of it falls into little buckets, you know, that are us. I think it'd be kind of scary to look at your, it might be interesting at some point to offer people the ability to look at their own life profile: this is you in a billion data points over two years. Wow. What we have done internally, we don't know who any of our clients' consumers are, because that data is only the national e-commerce retailer's, totally, but in our own offices here we do that often. That's me, it wasn't Paris last week, and that's right. So interesting. So I guess, lastly, because we talked about career paths and what's interesting and how do you break into something, because this is really cybersecurity, this is one of those supporting pieces of our market that is exceptionally important right now, because, with, you know, we can't secure things without the kind of data that you have, ultimately the intelligence and engine behind it. What kinds of people are you employing, or do you use, behavioral scientists, data scientists, all of the above? Primarily data scientists.
You know, we do talk to people who are in behavioral science; we use them more from a consulting perspective, so if we maybe have an assumption, we want somebody that's more, I would say, versed in the space to give feedback on it. But primarily, you know, what we're doing is building data structures, then giving it to the data scientists and letting them run various algorithms and analyses against them and see what pops out, what they find out. How much data do you work with on a regular basis? Like, let's size this thing. I mean, from like a device intelligence perspective, I know we've got like ten, twenty terabytes of data that, you know, there's hundreds and hundreds of millions of devices in there. From a behavioral perspective it's even worse, because we collect much, think of like Google Analytics is usually collecting, so I think, an event per page view; we're collecting an event per second. So if somebody's on an e-com site, we're seeing you every second. If you have five hundred thousand users on a popular retail site, you know, there's a lot of that. We don't keep all of it forever; the behavioral data will age out after ninety days. We say that, you know, now time has passed and we have our good, so we don't need the raw data anymore. But, you know, our infrastructure costs are substantial and they continue to, the cloud, they continue to grow as we add more products. Each one of them generates more data every time we have a new client, so it's got some of those, like a compounding effect to it. All right. Well, Scott, this was fun, really a really interesting space. Folks, hope you enjoyed.
There's a lot of stuff that crosses over into the fields that we every day work at and live in, not only the way you interact with, you know, your phone, how you buy stuff and your financial transactions, but just this kind of technology, this problem and approach, in our industry, really interesting. So thanks for joining me, appreciate it. Thank you very much for having me, and I hope everybody enjoys; yeah, look at a startup. Thanks for listening, you guys. This has been another Down the Security Rabbithole podcast. We will catch you another time, another place. See you later. We've headed out on another Down the Security Rabbithole episode. We'd like to encourage you to chat with our hosts and guests using the Twitter hashtag. Please check out the show notes on any episode you may have missed, and subscribe so you don't miss a few. Our website is wh1t3rabbit.net, that's w-h-1-t-3-r-a-b-b-i-t dot net. So on behalf of James, this is another Down the Security podcast.

DtSR Episode 365 - Mountains of Data

Down the Security Rabbithole Podcast

35:54 min | 1 year ago


"They say, they say we should have known in bed then to Saudi down, down into this rabbit, it's all right. Good morning, good afternoon, good evening, welcome down the security rabbit hole to yet another edition of the Down the Security Rabbithole podcast. You've got Raf, how are you, listening to us once again. Hey James, you're back. I'm back. Sense, prepare for unique interviews, insights and practical advice that makes your job just a bit easier, and now please welcome, a parallel from our usual conversation on infosec, and talk about data management, and if you're in for with all the complex, I think I was the victim, this data, Boston, I traveled over to London this morning, and gate to gate facial recognition, implanted in everybody's house, everything generates data, data, data, data; vendors wanna collect it, everybody collects it. I look, it's an interesting thing to talk about. What are the, he's generating all kinds of fun data across, I thought this would be a good time, folks, if you're listening, to talk a little bit about, take a slight, we'll see, this is what we're trying to protect, right. So look, I hinted at this, but every system, every IoT thing, every little widget you've got out there, the watch on my hand, and have to show my passport once they already had my picture. Wasn't a matter of having to provide it to an agency; the data was already there, correlated, aggregated.
I'm sure my ticket information was associated with whatever was making these checks. Talk my cell phone, my smart outlets, the listening device over there in the corner that my favorite vendor has. Information management player, that's cool, information management, that's an adjacent field, we'll call security. You think it is going around data, certainly in the mountains of it, is certainly on your mind. I'll be, brought a fun guest with us, I will, Anthony, applications for some of this stuff that we're amassing. I mean where do we, where did you guys start to talk about it? It's interesting, just today, that acquisition, I'm helping OpenText understand what it means and how to become more a security company as an infant, leveraging our data to validate, with, you know, without even knowing when I got up this morning that I would fly right through. Does that information, locations are as such, you know, something like facial recognition technology at airlines has sprung up without really any of us having any say. Back, and you know, it's a dreary rainy day for us here, I know it is for you too, but I'm kind of glad it is because we needed some water down here. Development for OpenText; before that I worked for Guidance Software, where we make, had a product management, prior to, was already logged, and that's kind of a real world scenario. The broader picture: data exhaust is everywhere. Here's, we've seen enough different types of big businesses breached over the past few years, government, healthcare, whatever have you, by likely the implications are, ill maybe this a good, but it can be scraped, correlated, aggregated for the bad. It's a target for, her, indiscipline. Warm as hell though, isn't it, and I gotta tell ya, yeah yeah, well it's school time, kids are back in school, everybody's, everybody, if you will, for the attackers, and everything that's done on that enterprise network every day. Give us the, who the heck are, why the heck are you here? Hey, thanks for having me today, guys. Anthony, Develop
I'm the vice president of strategic, or in governments, imagine the picture that can be put together of, lovling every one of us, certainly the airlines can do it, governments that have been stack, kind of Thomas Summer, where it's delight slash October, I think we've got this crazy concept down here. It's, is log track creates an artifact that can be reconstructed in a way to understand the state of the enterprise in our networks. Can do it as well, but at the same time, and I like to share this with some of our customers and have this conversation, and how they're employing it, though we're starting to see some of that happening today, at least companies trying to tackle this. I remember, I go back, where that same exhaust is probably for business the best, quote, threatened, they have at their disposal. It's that massive data that, target tides, misadventure, jeans Gerardine and the White Rabbit's, burrup ball, has example, but you know, in order to harness that, businesses really need to take a level step change in terms of the technology they're employing. Maybe two or three years, and felt like every business I was talking to was starting a data lake project: we're going to build a data lake, we're gonna shove everything into her, before we can, you know, gain that kind of information advantage across petabytes, exabytes, whatever have you, size data, do it and ask it questions. A year later companies were on their second or third attempt to create this, and it turns out it just creates more. That point, I think OpenText has one exabyte under management across all of our customers. Zeroes is that it's too many, were pushing back to centralized management, and that keeping things scattered and trying to do it ourselves, enterprises clearly hasn't been, account, it's a lot. It's, you know, we're approaching larger and larger data sizes, and certainly OpenText is in the problems in, companies have really been successful in trying to at least today taking all this exhaust. Ridge, not being
biggest type of repository. Think about Google, Amazon, Microsoft and their cloud environments and how much data they must have. Upper management, cost-saving, centralization, and it's almost a throwback to mainframes of the fifties and sixties; everything old is new again. The primary concern, it's, that you sift through all that information with limited manpower. Technologies like machine learning need to come a bit further, working from a security perspective. Well, I don't even want to think about the compliance implications of that, though, so you've got exabytes of data. GDPR made it clear that you can't just collect things and maybe use them someday, right. So the challenge becomes, so what do we do about that now? Oh, has shared data with TSA or the airline in this case; if that gate was actually run by British Airways and not TSA. Are there, but to say it's fuzzy is likely to step away from clarity. It'd be interesting to know how, absurdly, when I came through the UK border, that too was a totally automated experience, at least polling from us that, we've heard from, you know, the likes of Google and other companies that have these massive databases that profile human beings, is that, well, you know, it's just a little under control, which, that popularity of these, of the cloud vendors, and I think too it's only, it is required to get you through in this example, in that we know the questions historically that have been asked as we're traveling, and it's, so where's the compliance angle, right. So where is the need to be compliant with these various, committed, is it something where there's some agreement with, you know, other parties that they share that info? Be interesting to know where that stuff comes from, you know, that they get that. I think to go from so many questions about where I'm going etc. etc. to just smiling, camera, and walking through, I mean, I haven't shaved for a couple of days, I don't know what, does that actually, I mean certainly, you know, going back to
my flight today, it certainly wasn't the passport database and flight base. Man, I tell you what, are making the, what, what businesses really make the push to cloud a few years back, it was, we're gonna. Now I feel like a lot of businesses have been pushed and forced into it by their, it really fuzzy data's there, maybe one or two dots haven't been connected to maintain some sort of privacy, of a bit here in this data around, this starts to get very fuzzy in terms of are we in compliance. So to something I've thought about in some of these sniffers, certainly looking for malware, but at the same time replicating sensitive data, replicating P, do that, information is gained by them, like, you know, for your example going through the airport, is that something that while you were filling stuff out, stuff was, security hasn't gotten to this point yet, you know, the packet capture has been a very popular security technology for fifteen years or, all right, so what does that do, because OpenText brought in the forensic organization, right, that you guys, guy, I, that's where compliance really gets interesting again. You know, it's being addressed at a surface level now to check the boxes, I assuming, scraping your Facebook profile, this is what I'm thinking as I'm walking through, certainly, you know, whomever is maintaining my passport, Mrs., are addressing the obvious, that is to say ensuring that those structured databases have the right identity and access controls on. Yeah, from a compliance perspective, and I think we're only touching the tip of the iceberg there in terms of business looking, dams, it's filling gaps, it's new attacks and new defenses to meet those attacks, but fundamentally it's always playing a game. We're trying to protect, it has better control over those controls, that visibility, than info security. Honest to who I was or what I was doing, those gates wouldn't have opened for me, as opposed to, that lady walked onto a Delta, of catch up, there's been a disconnect between the vendors and the
professionals responsible for security and that which, but I believe the state is likely a mess and data is all over the place that we haven't even considered looking for it yet, bits of information here, little bits there, not all linked, don't all link to your profile, it doesn't, it's a, I've heard it described as a fuzzy profile of you. Just me, they had acquired what, you got data management organization acquiring forensics organization. Tell me a little bit about, 'cause that's relevant to this conversation, in some ways and others, information is as siloed as departments within business. So, eighty, the system knew who I was, there were no questions, the doors opened, I was not a risk, obviously, but nonetheless if there was any question, international, local, regional, international laws and regulations, how does, like looking at the way your organization and others manage this stuff, a lot about data, data classification and sensitivity and all these things, based on its core information management business. That, let's see, I, at one part of it, that's a great thing, in another, you know, the fact that our lives are just an algorithm somewhere is a little terrifying. Where do you look from the enterprise perspective now? I mean collecting is one thing, but then trying to make sense of it, the why, the whats, and I think kind of as an additional side to that, I started to be a pro, over risk management discipline than a board kind of visibility issue. We're seeing intelligence is critical for security in order to do its job best, and, Brinkley, in order to scale across traditional businesses, pulling security closer to their core business. So in this case OpenText bringing security closer to data; OpenText knows, apply security more intelligently where it's needed, again, trying to secure an entire enterprise equally as, bird coming, team stressing people out and it's not working. All right, so thinking through this, you've got, how does that work, how, what was the thinking there? It is, I
think it's thinking of a little different than how, sick in Texas looking to do, and I think OpenText isn't the only one, as the business is maturing information security over the past, everybody leaves breadcrumbs and trails of things they've done, places we've browsed, tolls we've driven through, doors we've walked through, airports we've been, you've got to not only figure out a way to go back, so go back, concept of data exhaust you mentioned, right, everybody who, of different segments, the value of data, undifferentiated departments, other things, other intelligence that can be used to better security thinking today, that is to say, you know, I argue that the approach to infosec hasn't changed a hell of a lot in twenty years. It's, NAM, the whatever business value that data is inside, whether it be PII or bank information, but once you start moving, sorry, I kind of call it peanut butter security: applying an equal layer of security across the entire enterprise irrespective of the business value. The, I don't know if it's yet making it any easier, I think it's opening our eyes up to what's needed, made, trying to investigate an issue, whether it's an incident, physical or virtual, does having all this data, does it make it any easier? The global enterprise, another element of security that has really changed a lot, at least up till this more kind of risk-based view, is one where, longer businesses have employed this type of technology for security purposes and I, it was doom, that data is king, scooped up, whether it's the application of machine learning or being able to better link different facts together, based on, in order to get there, and by that I mean being able to sift through the mountain of data to get to that insight or, nations, the fact that it's out there, make tracking down your bag essentially any easier, knowing that it's out there somewhere, to go track it down because it's in different databases, I mean outside of your organization, writes, in different databases, in different
low key, Lorde, with the caveat that we as vendors need to do more to help folks get to that needle in the haystack of needles, then you never know where that strand of hair might turn up that ties it to a criminal, or the smoking gun, whatever have you, so more data is, at street corners we've crossed, you know, jaywalked at, like all that stuff is out there. From a, I again, the venture down the rabbit hole into the world of cybersecurity, you're plugged into the podcast, security leaders and practitioners with business, reconstruct that crime scene in the physical world, it's just the, with, crime is committed, don't move a thing, preserve every, lower, a Word document that spells it out and, playtex, I, that's the part I'm interested in right now, is now you've got the contextual understanding of those individual facts, those individual facts being any kind of bit or byte, whether via a link file or, ideal, and everything that we have out there, that changing the required skill set or, you know, thinking processes that the manual reviewer is going through, that has to have it, is the skill set to solve this problem at scale is both the mind of a mess, the data scientists over on one side and subject matter experts over on the other side, won, the subject matter experts in the field on the ground every day, the coming, the norm in the future is that automation, that augmentation of the investigator's brain with math, without, ecksteen plus agencies, it took over a year and a half for that investigation and there was a team of twenty folks put to task on it, and they had technology-assisted review technology they were using, a business intelligence was tasked to investigate a cross-agency matter, this involved about a petabyte of data from, Titian, with the subject matter expertise of the field, there are folks trying to develop that unique blended skill set, but today, against visualization technology, they had the foundational elements to do the job. What was at the original
group those conversations are starting to happen but it's been it slow going right it's it's a lot a knowledge intelligence to try to distract away through in this case essentially a mathematician and it'll take time to perfect those models all different kinds of information how do you bring that together what's the process look like in I'm just kinda curious what you know how you even talk about that it's nowhere it needs to be yet in order to solve the problem at the scale we're seeing the data at is it changing is all the technology various types of networks packet captures this system that system how did how I mean look we're generating more data so I feel terrible for these friends and yet I mean you just like I over the past several years is the security show see ai everywhere I it's nowhere missing that could have and would mean to accelerate investigation like that and that you know few years ago it was quite unique that that scale and scope and I see that now the tech is is there I think it's the application of the tech that still has a ways to go and what I mean is right now that's where your vendors in the big four loosely speaking are trying to get through that all right so that's an interesting question that because you just told me that you have two different very very very different skill sets that are required to analyze offer your your basic you know by a second or two you'll be searching through an extra hundred gigs of data like how does how does how technology calm and it up to draw out the means to express that in a way that they can turn it in urge departments to essentially teach each other that is to say our forensic experts teaching data scientists what relationships are interesting and important so what are the key questions that I think I I hear a lot when it comes to something bad happened the next question is okay different digital crimes exposing that through our tool and automating the connection to those important from a data 
artifact perspective and data scientists working with subject matter experts Jason where you know we help is through our experience and understanding of what artifacts have been important to help solve the certainly through the open text Magellan machine learning platform and the case generated data out working in our maybe hours that you have to formulate the picture of what happened what was taken what was impacted how do you even get to that analysts and investigators have to go stitch stuff together across Patta Bites Peta Bites impacted bites of information got bigger time stamp on your on something rhythms and that's you know the application of machine learning in a more focused in expert way which which we haven't seen accents of mountains of data how most enterprise I know can't staff both of those they're lucky if they've got a forensic I announce staff how do you get through that Sir relationships that could be through a time stamp that exists across the page vile in a link file as well as Some D. L. L. 
we don't have that luxury of time so we're trying to understand the impact of something to a of a major threat should it be I mean look let's look beyond the obvious great forward the challenges more detecting before it happens and after it's already got on the network really exposing those proper artifacts in the relationships that exists in order to confer more imbalance eight something happened is pretty activity or anything anything else that may help paint that picture I bring up Peijun link files as inhalable was both great and also terrible because it makes you sad you know we can't take a year with twenty people do an investigation it just the means of correlate aggregate this information exists we've worked with the years back a particular agency that take that model what what are the what are the technologies required to do that so post-facto it's the insider or the bad guy is is in the network on the network and poking around undetected that it's a little bit more straightforward and you know the technology's being forensic investigation tools like like n case forensics investigation approach but but doing it in a detective manner in in real time I think that broken where did they go what did they take and how long were they there right those are the three key questions here probably the most not not being they're kind of obscure but also a pretty important from a forensic perspective these are the types of artifacts that windows create a real time format it is a it is an entirely different scale of a problem right because now we're talking about taking the traditional do a lot of the heavy lifting that you know an analyst would have to do if they were trying to manually hunt through the network which you know doesn't scale this that you need that that technology of scale that the machine learning element automation orchestration across tools in order little credit cards stolen because that's frankly in today's environment and not a big deal let's look 
at something that human life a little bit more sometimes you've got days maybe and not being in DC fire myself but just around people that are into this thing that that have to answer these questions to two boards into the media it's to help it manage itself as it's being interacted with by users or network connections or or whatever have you I'm so sorry how do we get those questions faster with more confidence in an environment where there is more information agent agent based technology that powers our our enterprise solutions there's already think forty forty five million pushing things closer to the source part of the reason open tech's looked to guidance software case for acquisition was that can we put more e in and around that agent without overburdening it which has been a failing of of other approaches we've seen in Blake of security data and trying to query it your days and weeks behind just the same with that approach is it all this data is that we're acquiring I would say if we had the ability to just magically find what would you be great but audience is in Las Vegas at the Venetian hotel this year November eleventh through fourteenth I'm thinking in its right Nancy why a lot of these security data lake projects failed in part in that there's no real time when you're populating John Nineteen th year running and what's made it so successful over those nineteen years is it's it's the only conference I know of that brings a legal a law enforced your your as you pointed out that's entirely different problem I mean that's you can't take a month it's a process what's going on right now I'm really excited at to have him with us this year I think we've got over a hundred lectures and hands on sessions this year some of the ones that stuck out to me we've got a talk this year called shelf space how insider threats relates to the mitre attack were open tech's Oh continuum between lawyers cops and the insecurity folks swear they come to learn the most recent 
advance and syntax in an case agents to floyd across all of our core the client's and this is giving open text immediate visibility into those across digital investigations in particular could be things like new operating systems and artifacts that help find clues faster as well as a new technology like Crypto So this year we've got James Clapper joining us as a keynote that's national intelligence Yup being able to get some repeatability in their in their detection technology we've also got a session on Crypto Currency Shadow Paul show Mojo who's also a regular on the on the speaking circuit will talk about how to apply the Mitre attack framework to insiders it's popular framework finding how to detect and respond to rogue employees mining cryptocurrency within the enterprise and finally this one's kind of entertaining wants the date is left the building the alarms are going off and the tracks lead to where they do again it's it's that window where the attacker monitor everything equally isn't going to work either yeah I can't imagine so I so downscaling Ivanhoe podcast got invite you guys invited at the end to end of solving and detecting a crime I'm each of these folks have different different places they play in that in that whole listening what it is and why they should be going m fused which was formerly known as CAC for those old timer deify ours in the in the unstructured data for discovery purposes security purposes forensic purposes in we're looking at now how that's giving that talk in how to interpret emojis to to make implications of communications associated with crime super interesting talk about people do that anyway all right so that's interesting then because if we're interested in trying to figure out what happens not just post-facto but in kind of that real time or Smith and a security operations audience together in in what brings that that group together is you know that focus on Dan you know what to do when when something happens or fates are 
intertwined in some ways absolutely games any parting thoughts here and just and the investigators have more in common than they now on the digital investigation side and you know we see even among our clients information secure on top of it in and this is where okay that's funny sounding topic but then you see it's a cyber investigator from the FAA a department head from the University of North Georgia is that tech they're basically help stitch it altogether 'cause there's structured data unstructured data right in in different forms there's like just sounding the me the talks called the potential impact of the prof- prolific use of emojis in digital forensic context. Okay I saw that interest letty a time to register don't miss it this year again we're we're keeping everybody

DtSR Episode 378 - Trending on CISOs

Down the Security Rabbithole Podcast

36:19 min | 1 year ago

"They say they say we should have known embed bus. Od Down Down into this. It's time hi again. The venture down the rabbit hole into the world of cybersecurity. You're plugged into the podcast for security leaders and practitioners with a business sense. Prepare for unique interviews insights and practical advice. That makes your job just as Benazir and now please welcome your guides signs this adventure James Jardine and the White Rabbit Rafal. Good morning good afternoon. Good evening this is Rafal. Welcome down to security rabbit hole to another edition of the down security rabbit hole. PODCAST test positive. Catch my breath and I'm live here at twenty nine thousand nine. The OpenText conference focused on security. Lots of good things have happened so far. But I've managed to track back down Paul Shomo who's with OpenText. He's kind of those people that likes to think in their future acted in. The president likes to interview security leadership then gain insights and stuff so I figured what the Hell. Let's let's start with. Hey Paul what are you researching and then see where it goes from there. So Hey Paul hey good to be back yes. So that's kind of one of my passions is talking with people that predict the future and I I like people that can spend the money and actually fund the future in by Steph or invest in startups. Because it's because we kind of a self fulfilling prophecy 'cause they're funding it. It's kind of cheating I guess but So so yes this year in the last hour. Eight nine months. I've been talking to CISOs and got weaned a bunch of good of insights about things. I can definitely tell you that they are heavily affected acted by the cloud migration which is almost over. That it's completely changed the way of thinking of things as interesting. Okay so let's let's let's start there. Who would you say first off if you say so? We're already where we differ. Jif and who do I beat up for that difference but no so who. 
Who did you spend time really talking to you? What kind of demographics are we talking about here? If I figured I would go big if I'm GONNA do it to try to go federal hall. Bigger home Fortune five hundred companies ones have Heavy regulatory issues like health care or insurance etc out also ask some of the first ones. Hey what other CISOs influence you in you you know one of them said to me welcome interest in. IoT security. I look into IoT vendor and so I had a couple security vendors juniper networks Microsoft Fannie Mae Blue Cross blue shields big names like that and then I had some some some ones that were more like five thousand no networks and they'll aw I basically kept going into light a sample things converge and I kind of feel like my thumb on the pulse. All right fair enough so any any specific industry that sticks out more than others that you had a Better conversation with than others. I mean Fintech. Always in the forefront healthcare seems to be the the new hotness The New Honda the ball lately where what stood now from the from a participant perspective. I think that the Microsoft us it was one of the first ones and he kind of he already laid out to vendors. Yet his priorities he's lined up and laid on a piece of paper and say here's my big pain points and what I want to spend on the next two years to fit in and that was kind of my my inspiration for the best way to to to grill or or elicit good information from them as literally asked them. Hey what are your big pain points and you know. What are you planning on spending on the next two years and I didn't just want to hear pain points? I I wanted to hear insight into why the problems arose because obviously then listeners. Readers of my articles can kind of understand how out affects their careers and also. There's already products out there for solving these problems. How come they're still problems? I want to ask that well. 
So we jokingly said before I hit the record button about the fact that the INFOSEC industry is getting to the point where. I think you're starting to get sort of like the movie industry. Where all the good news if in May when I was going to reboot stuff we seem to agree there? Absolutely it's funny like Orchestration is coming back. I mean that have been around the pass. I talked a lot. Old Timer. Go awarded on that before. But I'm not talking about the citizen tired old timers on the vendor side button. The top Alert Fatigue and purchasing solutions to trying to handle that it seems like an never ending problem. I definitely asked him a good bit about SOAR security orchestration automation and response. They had some interesting. You know plus points of it but they still have alert fatigue gets it really comes down the quantity quality of alerts but then there were a lot of things they were more Komo more fascinating. I noticed the cloud. Transformation really has had a huge tremendous impact on the way. Everyone I've talked to thinks about things. so I so obviously the cloud migrations pretty much done on prem data centers are closed. And you're going to apply former deserves infrastructures of service SAS models taking over so on top. Hold on I want to stop you just for a second because I'm not sure I've I've I've agreeing with the fact that cloud transformation is almost over. I think we're probably in that early. Part of we're still in the early side because just about everybody. I know unless you're a brand new startup rides. You don't have anything legacy you've got a ton of stuff in data data centers. Your your son told me very recently that their cloud migration depends on old tech old people dying literally. That scared me just a bit because it sounds like we're going to need to take some of these. Things detect out behind the barn dearly. Did you think it's how we're on curve. 
Do you think we are so we can level set here so that's a great question because obviously in my day job in my career expands into this media writing thing to buy ideal with enterprise southwards reports big networks and then here. I'm talking from fortune. Five hundred company so I'm a little biased towards that that's their sector and their. It definitely seemed like we're probably part sort of you know I don't maybe late majority. I mean it's pretty far along. I definitely agree. That they're still on prem stuff but the one there's a couple of interesting honestly translating but just attitudes of CISOs so excited to throw out their legacy on prem stuff and then start from scratch and build security right from the ground up because they learned so much on Prem Graham and they can just start over hold outs okay are you. Are you finding that they could actually apply those principles over. Because the more I see the more I think Aghia I mean the things that we did in the nineties and a tooth out early. Two thousands the concepts apply to the cloud but the practice is different. What what they're thinking of it more as like building a house and being building a solid foundation and in theory you know it makes him stronger? 'cause they're they're talking about things. Like Zero Trust laying encryption not just in data at rest but you know as we build out all of our you know software custom application making sure everything's encrypted in transit. Which is actually pretty complicated? You you think about all the different applications that move and copying data and now we have a lot of custom applications. Every company is becoming a software software company. I mean think about the most analog company have a grocery store they have the kiosks where they let you check outs. Cars are driving to work. People are everyone has a customer poor. If if you buy a rake a customer portal a digital web experience they have APPs. I mean. It's funny but it's true. 
I bought a I bought a I bought a so. I've got a tow it for the car and they've got a receiver that pulled my kids in my bikes and a and literally. It's a pen with a lock on it right. And they're like. Hey y'all tell us what you think. Go to a website like need a website. I I know it's crazy. My wife likes to do the warranties but I hate it so I think they couldn't get me on the websites but they're they're all doing it. It's an interesting thing and then with encryption and we also have to think about to all this custom applications that are pulling the data there. It's not just vendors integrate what they have to get their own army of software developers at the rate company or or wherever to make sure that they're decrypted data in transit. That's a big deal. It's pretty confident well. And you've got software developers now everywhere right so we started with the things that were as code were websites and applications. And then we've got into now. It's infrastructure's code now working code everything. The thing is code. which would you know? Everything's programmable everything is multifunctional. Everything is recode -able and it's it's a world that I could not have imagined. We were burning e problems you know late in the early nineties. That's when he missed. I came from the embedded software firmware side. But Tom I'm actually you know as a maybe a little bit older timer. Twenty years in I was actually really surprised. How quickly custom application developments taken off and you you know in the enterprise the cloud migration? It's because it's a whole different world when you think about it where you have the code for all these applications. You need to secure saying you have DevOps which is basically you know I knew. Give some opinions on this. But it's it's Kinda separate than INFOSEC It's Kinda like I don't know it's like it's like the teacher lecturing of the internal developers what's to do for the check. 
Their code in in many cases with the static analysis. Well so I I do have some paints as you may know. I've just not a huge fan of term DevOps because while it's important for security to be remembered I think every three times security the security community or security people in your enterprise or wherever decide that there is has to be another another label for something somebody else already doing just to include security it puts us on the outside or aid add-ons step once again so I that DevSecOps to me demonstrates to me that okay like DevOps you guys are good. You know what you're doing but now we're going to put security intuit so that we have to have deadset. That goes some now. We feel insecure. If we're not included I don't get it. Why do we have to keep doing that? It will also it's going to say DevSecOps. Couldn't they made it roll off the tongue better that. That's one of the things I finally but anyway it's a pet peeve. You know one of those. I talked to she brought up. How big of a attack surfaces and if you're actually developing sovereign house you're probably accessing really important privilege data and you could potentially leaving open? I mean a lot of these other thing is the rise uh of APIs people have APIs customers they haven't for partners and so you're you're also Yovany External attack surface. That's that's a pretty a big deal so I think I think that's why people think about it so much but it's it's a pretty different skill set than traditional INFOSEC. It's it's really kind of crossover with the developer. I mean there's always a crossover over in cybersecurity but it's a little different well so one of his pet peeves. I was around during the early days of OWASP and getting a Developers and security Talk together what always drove me. Insane and Whole Channel Nine or Tom Brennan for a second? But you always drove US insane. was that we'd we'd go to these conferences. and which was it. 
Meant to braying educate secured bring security education to developers. Ninety ninety percent of the audience was INFOSEC. And you're like wait a second. We have screwed this out by who were talking to ourselves. This isn't working so I think As that evolved the other thing that happened to was you ended up with people that were classically trained in or experienced in and security and I mean patching I mean you know configuring that kind of stuff and they're now using using tools to go tell developer that their web APP is vulnerable and they need to change it to developers is fine. I don't believe you go let me show you an explanation. Great will tell me how to fix it. WE GO I. I don't know that's your job. That's that's really interesting. You bring that up because one of the things and talking and really the the rise of DevOps funding. This was really the top of the answers that I got from almost all of them this year in terms of to your spending priorities but they were very realistic about Static Code Analysis. You've you you make the developers offers us it you put it in with their continuous integration. Tool so they have to run it for the check in and they see. All these warnings vulnerabilities they don't believe it and invariably they always this ship with a bunch of them and so interestingly enough there's another category of dynamic analysis tools which you actually ship with at runtime in monitor and logging. It's used for instant response. Obviously works off the premise. That yet we ship vulnerabilities and so that's kind of like the second part. The first priority is like you know getting the developers Oprah's onboard the static analysis and then let's ship dynamic later because we know they they let abilities. Well that's that's that's the three. That's the effect that you've got SAST static application security testing DAST dynamic dynamic application security testing. You've just got RASP runtime application security protection right which is inserting code. 
Libraries essentially create a itself defending web applications. That disallow you from doing stupid things. Even though the code itself would ordinarily allow you go built into the application. Yeah Yeah and I can see why they're doing it because they're watching this development operations and they monitor code rise so quickly and it's publicly expose us with obviously let me think about it. We're talking about web portals in half so most of its purposely publicly available so I kinda understand why why there's so much on new product product categories coming up. But but yeah I mean I don't want to sound cynical but it's gonna be a mess Look I didn't. I didn't have my time as a commercial developer. Half half half more on the security side and I could throw like commercial version of the bus and say they don't think about security too much coding. But before I do Step back and for all the people in cybersecurity that are coding tools. How many of you Run Static Code Analysis on your code. You really think about the the thing is it's not that you wanna be Lazy Z.. or Put your busy. You're trying to get functionality. You're getting rewarded for shipping functionality. And that's just an unfortunate aspect of human nature well and the move to Virtual is virtually everything virtualization the cloud which we started talking about One of the one of the things that sort of is we'll call it a the driving force you identified as APIs it's not necessarily web APPs anymore with browser the human being is the interactive machine to Machine Gene Communications API the API right. It's a IT systems. The systems its applications that are that are real development as micro segmentation kind of architecture where you've got these make their little components applets. We used to call them now. This thing performed very specific function and that piece of code for instance could function. They talk to each other over the Internet over. 
APIs and if we can't do that securely those can even in the Halton or worse. I mean the companies you're talking the big about APIs Kirti that's going to be a mess trying to dig into APIs look at traffic and figure out is that malicious can be very difficult but yeah that's a big deal in also breath. Encryption is a is a big thing to encrypting data in transit and now you have so many different applications copying and moving with so many different paths to access assists. That's that's a big thing that talked about. I mean going going back to building things from scratch and zero trust. Were big things but it but it really all kind of flows closed from the. There's been a big change with with the migration to the cloud minutes flatten out the IT infrastructure. So I was talking to one of the CISOs and and he's basically talking about. We lost a traditional perimeter. Everything moved to this multi cloud world and then our endpoints roaming outside of of the firewall so so they're really connecting directly to their one hop when logging away from our sense of data and this particular CISO which acquired the the the article. I'm coming out the priorities. He said the hackers don't log in Hackers don't break in anymore they log in which I thought was pretty profound. That is that is so doc exerted super profound right that changes the priorities that we have as defenders. Let's let's get back to that but I wanna I wanNA highlight that is that is really really profoundly important. You have sleep. And he went as far as to say that his security group and this was actually Microsoft so doubt salvage a big secure Somebody would know. Yeah and he said his security organization thinks of identity as as the new perimeter. Because if you if you have the credentials you're one log in your one one hop away from the sense of data in the cloud and that's why obviously I identity access management is a big deal. I mean you think about the NIST model. 
A lot of us have been focusing. Unlike Identify. Protect Detect Respond. It's almost like in the cloud. They're starting from scratch. We we're working on defense and on sorry detection and Response on imports. An allies to help me. Just identify where the heck I have in the cloud. And it's really starting back on identifying protect with you. Identify with identity access management and then then protecting acting moving moving more towards trust encryption spanning over there a. so encryption is something that I've I wanNA touch I've spent a lot Time with the topic I by no means an encryption expert things like ten of the world and I'm not one of them but it it seems like we we have a better shot at getting the encryption in transit done because Google is forced. HTTPS I in your browsers were forcing people to communicate securely. Like tell that you can't really do anymore. It's but it's when that data sits there always terrifies me and this has been we're gonNA talk about the open S3 buckets because Lord help us if we're all still do that kind of stuff but they do. Everybody does stress that right. That still happens every day. The thing I'm worried about is we've got DevOps. It's working to rapidly prototype rapidly. Innovate stand up an APP. They don't need the security team forty to spend a month bringing up a server or a cluster sure systems so they can have credit card will DevOps right is is the joke. But even legitimately with the blessing of your company through valid account Blah Blah Blah law. You plus you install install you in stange eight server or set of servers or some containers. You push your co down to what you test it. It and you're dealt with it and it goes away you test it. I'd say you're testing with real actual data because it's really hard not to and then you go well. This is kind of a case where the case because Discovery tools become important right. 
Because you like hey so there was a server that ten servers that went up for a span of seven hours yesterday. This group over here brought it up. What was on that like? Oh test data great. Did anybody accessible. That's it that was not us during that time was properly configured and you get. I don't know right now. It's a big deal and I'm putting things in memory Marie especially when writing custom applications putting these databases encrypt in the database. Five new people spend custom APPs and pull it out. Did they encrypt. Its did they copy it. Leave it somewhere they decrypted in arrest evil all sorts of the the I mean there's there's so much early logging some of it. I mean when you have a bunch of offer developers that are working in accessing the same data and moving around it gets Kinda scary. Well so do you think the Because budgets have have been increasing year over year over year and there's companies that are spending hundreds of millions of dollars. Ironically those are the companies that are seeing massive blockbuster size the video rental company instead but like just very large data breaches so which leads me as a rational person to believe that it doesn't it almost doesn't does it. Matter how much you spend but it's in the way that you spend it that will help you get more relatively secure or less agree disagree. You're absolutely I can definitely tell you one thing. I was surprised that some of the CISOs were pretty open about was that there's so much technology comes out each year. They're kind of overwhelmed. Getting a feel for what makes them more effective and some of them tied that back to alert fatigue of you're adding new detection. Technology new alerts is making you more efficient and one of them actually brought up on three mutation the idea of simulating recent attacks. 
And then seeing what alerts pop up so that you can start outbuilding a building at your play books in your response to those because I mean the thing with the rise of orchestration is it. It makes things better and most of them had bought SOAR products and had deployed them but they sell the problem and they brought up the fact that there is work involved working out the process and you know cutting up connectors and you have so many alerts. Where'd where'd you start? which ones do you work on? Well the alerts problem is not going away anytime soon especially since. MSSPs that I that I know of are all all still very much alert. centric right manage manage sock manage whatever new. DDR vendors and alert POPs up on the console boom custom get certified like this isn't helping helping. It's not helping right. We know there's a talent shortage so they're not able to hire their own people but flooding them with alerts of a third party. I don't see how that helps helps. Yeah I mean it's the age old problem if you have too little detection technologies you don't see it if you have too many drowning alerts. It's it's it's not gonNA go. It's I don't think they had an answer. I think they felt like somebody. You continually work on just like a similar thing is the bad behavior of users. How do you how do new users to stop doing silly things clicking on phishing emails in strange links? Yeah well let's start with. How do we get security? Stop doing we do justice by but the the reality is some of them there. There's there's tricks that attackers use urgency and persuasion and faking domains. Ends and making it really really look like your CEO. Set you that request to go. Pay This third party company. You've never heard of. I mean look a and little attorneys fell for the Nigerian Prince Scam. What chance does might you know? Mother father and their sixties sixties have much less the rest of the population who just wants to computer all dangled play games. Yeah it's funny. 
You know, you mentioned earlier about security people being likely to click them, and I was skeptical, but as I think about it now, I think the people most vulnerable are the people that you can alarm with an email, and if you have, like, PTSD from fatigue, you know, you're probably going to click an email specifically targeted at you that says, you know, this is something important. Yeah, well, that's the thing, right? We're trained to analyze everything, we're trained to try to be analytical and dig in, and we're moving so fast, so many things. Like, reading an email in Outlook on your desktop, maybe, okay, I can spot the fake. But when you're looking at it on a five-and-a-half-inch screen on the device in your pocket, it's a completely different ballgame. The URL bar is like ten characters, and you can't see what's going on. That's a great point; I hadn't really thought about that before. Those phones really reduce your ability to recognize phishing emails. Also hovering over things: did you click the link, or did you just hover to get more about it? It just seems like highlighting things is getting worse on the more recent releases. Like, every time the alarm goes off on my phone and I pick it up, I can't tell if I snoozed it or cancelled it or whatever, you know. It's just me. I've got an Android and I struggle with it. Maybe it's because I don't like waking up to the alarms anymore. That's a different problem, though. So we talked about attacks, and I want to go back to identity, because this is one of those problems where fifteen years ago security owned identity management. We were like, hell no, we don't want this, this really isn't security, and pushed it away. It went to whoever, help desk, somewhere else, somewhere in general.
It landed. It's 2019 and we're like, so we really need identity to do security well. Getting back to the people you talked to, are they starting to own the identity matrix again? I didn't feel that way. I felt like it was more under the CIO; that's what's being put in place. But, you know, I think there is better liaison, you know, between those two groups, I think. But I definitely agree, it seems like it's more on the IT infrastructure side. And I think a lot of it has to do with the difficulty of just architecting, designing it. There was definitely uncertainty about, you still have Active Directory, single sign-on with the cloud, but then you kinda wanna silo identity for partners and customers separately, and so they're still trying to find, like, architectural best practices, security-wise. That was an issue. And then, I mean, for sure they kind of felt like we're kind of working our way through it and figuring it out, and it's hard to actually adopt a solution, so they're doing it piecemeal. So what we're getting back to, what's really interesting, is that Active Directory, sorry, we've had years of AD, right, and not everybody's gotten there yet. Now Azure AD, for a lot of Office 365 companies, is not any less complex; I'd argue it's probably more complex. Identity, there's gotta be a better way. Basically what I'm trying to get at is there's gotta be a better way than having a work domain with the things that it can log into versus, so when you're outside of work you log into different things, within work you log into twelve different systems again. That's what, I think that's what you're getting at, and it was absolutely spot on. You don't really need to hack systems anymore in some of these cases, because you can pick up a username and password from one of the millions out there stolen and you're good to go, and now you're legitimately in the system. It's interesting, 'cause I mentioned
three big categories, like employees and partners, but even with employees you have different levels of roles, definitely. Some people talked about that; I've run into taking advantage of the more next-gen authentication, behavioral-based multi-factor for certain roles. And there's definitely best practice being worked out, but that's definitely an issue. I do feel, like I said this before, there's an enthusiasm with they're getting to build it again from scratch in the cloud: let's do it right. So who knows how it ends up. Well, so we started this show off by saying that I feel like the security industry has gotten into the same spot Hollywood's gotten, where, like, all the good movies have been made and we talk about rebooting stuff now, because, you know, we can do it better this time. And I totally get it, there's clearly cases where the second, third, fourth try, we'll talk about several, where the first couple of tries were just not good. But wasn't it Einstein that said doing the same thing over and over again is the definition of madness? Absolutely, for sure, that's an issue. I can tell you, you know, besides the CISOs, talking to venture capitalists, they're looking at categories they wanna remake. Just to give you a little preview, they're looking to remake DLP, that's one of them for sure, and encryption. Obviously they're concerned that when quantum computing comes out, everything about security goes away, 'cause it can all be broken with brute force. So we can talk about the Innovation Sandbox competition; against that, every year venture capitalists seem to be looking for a type of encryption that can stand up to quantum computing. Homomorphic encryption is the big buzzword there. They didn't know if it's possible, it takes too long, someone says they did it, how can we prove you did it, you know, that kind of stuff.
Well, yeah, absolutely. So I know I've read enough about quantum computers to understand, I think, the idea: a qubit is the quantum bit, right, it can be both a zero and a one at the same time. That's just confusing to me. I mean, that's like, it's both water, it's both liquid and solid at the same time. How can you do that? But encryption seems to be one of those things where I think security professionals miss the boat fairly often, and we think that things need to be cryptographically secure or safe forever, when the reality is secrets have a lifetime, right? And there's a point at which, after a while, it's not a secret anymore. Because you take the case of some prototype Acme Corporation is working on, for something; when that thing gets patented and put to the market, it's sold, anybody can get access to it, so it's not really a secret anymore. Yeah, absolutely, and that's definitely something that came up, this kind of concept of data lifecycle management: how long do you have to manage it, how long do you have to keep it, you know, where does it move to and get accessed? And going along with that is, as employees get, they start in IT and then they move over to the business side, do they get to keep accessing the data? And when is it encrypted through its lifecycle, when do you not have to do that anymore? So that's definitely a big trend. I mean, we're exploding with data because of the cloud, so it's going to be a big mess. Let's finish where we began: the move to cloud is causing a fairly substantial problem with data volume, not just in how much we're acquiring, but in terms of very simple things that you and I care about, logging functionality, right? The amount of transactions, alerts, log lines that are coming in are in the trillions, if not whatever the next thing after that is. We're getting into a very, very large number here.
To the point, the point at which, I think we passed this point many years ago, but it's clear now: humans are not capable of doing this job. Right. Couple that with an analyst shortage and we are in a very, very dangerous place right now. I don't want to segue into AI, that's a whole other big topic, but, yeah, automation, dealing with the data, modeling the data, dealing with big, large sets, that's a big deal. I do think that they're going to go to AI/ML, right, eventually. Right now it's been a little tough for a lot of vendors, because you really have to have a good set of data to model. But, yeah, it's a hard problem. I think the reason that AI/ML is probably struggling so hard in the public is that marketing took over and made those terms completely interchangeable, irrelevant, and quite frankly laughable in some cases, right? But there's real technology there that has been in use since, someone on a previous episode, one of the things he said was this has been around since the sixties, folks. This is not a new technology. So I'm about to get on my soapbox now. Six months ago, four months ago, I had been working with data scientists from Caltech. I worked with someone who did fraud detection for twenty years, and they've been using ML forever, and talked to people that were doing image processing, more on the defense side. And every time I was exposed to what they're doing, it's the same math in our textbooks twenty years ago. The math isn't new. And when I talked to them, this is the big thing that was different from the marketing people: they want to talk about new math, new algorithms, talk about they got their data scientists from MIT or the NSA. But the data scientists were more talking about having a quality, curated data set and then spending time modeling and seeing what comes out of it.
Because you don't know until you really start to model it, and that's a big, there was a big difference between the two. So if you're buying from a startup and they have no data, they claim to have AI, good luck. Well, and I think that just underscores the love of BS in our industry, quite frankly, right? Because, it seems, maybe this is something that ends up in the things that your CISOs care about in terms of priorities, but there's just so much hand-waving, smoke and mirrors, and black magic. And Arthur C. Clarke's right, any sufficiently advanced technology is indistinguishable from magic. I can tell you a lot of this is not sufficiently advanced, but it sure feels like magic because of a marketing campaign. That's a brilliant observation. I think part of the reason why some people are so far is they don't get distracted by all the faulty information, you know. Unfortunately the marketing buzzword merchants can cause some ossification, for sure. Well, that's absolutely true. So, cool, looking forward to it; we'll put a link to the article when it gets published. And you've got some CISO stuff going on as well. Just to mention, the article is going to be called "Five Cybersecurity CISO Priorities for the Future," going to be published in Dark Reading. Yes. Besides the CISOs, I kind of have a season, which I just started, but I always had a venture capital season. I would go out to RSA and I talked to the venture capitalists leading up to it, and I'm pretty tight with that crew over at RSA, so I get to talk to the entrepreneurs before they get up on stage. You know, it's kind of a Shark Tank type thing, get in front of the venture capitalists and pitch, and then
they name a winner, so I cover that. The last three years it's been published in eWeek; hopefully that trend continues. But, yes, so that's a lot of fun. After RSA I'd love to come back and talk about that. Yeah, it sounds like a good time. Lots of the shifting sands of the infosec landscape certainly give us a lot to talk about. Folks, thanks for listening. Thanks, Paul, and thanks for having us here. This is a great show. I haven't told you yet, they should probably go check it out if you're in forensics, EDR, data management, and all seventeen other topics that get covered here at some point or another that are all completely relevant to each other. So for the podcast and for myself, James and Paul here, thanks for listening. We'll catch you another time, another place, on another Down the Security Rabbithole podcast. You've made it to the end of another Down the Security Rabbithole episode. We'd like to encourage you to chat with our hosts and guests using the Twitter hashtag #DtSR. Please check out the show, catch up on episodes you may have missed, and subscribe so you don't miss a few episodes. Our website is white rabbit dot net, W-H-1-T-3-R-A-B-B-I-T dot net. So on behalf of James, good day, on another Down the Security Rabbithole."

DtSR Episode 373 - Internet of Increasingly Smart Things

Down the Security Rabbithole Podcast

41:51 min | 1 year ago

"They say, they say we should have known, embedded bus. Down, down into this. It's time again to venture down the rabbit hole into the world of cybersecurity. You're plugged into the podcast for security leaders and practitioners with a business sense. Prepare for unique interviews, insights and practical advice that makes your job just a bit easier. And now, please welcome your guides on this adventure, James Jardine and the White Rabbit. We're off. All right, welcome to another edition of the Down the Security Rabbithole podcast. Good morning, good afternoon, good evening, wherever in the world you're listening. This is Raf, sitting live at Enfuse 2019, the OpenText conference, once again sitting next to somebody pretty fun. We're going to talk about whatever we talk about. Amber Schroeder, how are you? I'm doing good. You are a boomerang; you've been on. We did this two years ago. Yup, I think it was, that's the math. Yeah, so we talked a little bit about IoT, these things too. IoT, go ahead, creepy bear, with me. We're still around, there in the corners without a soul, this lovely thing, creepy bear. Okay, it's only gotten worse. To notice the big rise, the whole voice assistant thing, they're constantly telling you what to do. It's like having your mom with you all the time, Alexa or Google. True. I've just turned off the, yeah, there goes your phone, and it's like, no, Google, not even your phone. That was creepy. All right, speaking of creepy. So we're back again this year. What's your take, kind of, on what we've seen so far? And so it's interesting, in a couple of years of having Enfuse, which is run by OpenText, it was quite the opening keynote. You always have that rockstar moment, like, one of these days I gotta come up on a stage like that and just drop the mic. It can be done. I know, I want the music, a lot, you know, the glitter cannons. Yes, glitter. We would hate you for that. Yeah, I guess.
Glitter, at the end of the day, is the herpes of the craft world. Oh, good, we're aware that you can never get rid of it; you'll find it for, like, months after. I've actually was part of a single confetti canister that's been circling the country. You had a confetti cannon? Confetti in parking meter places, like, once, a year later, still in your pocket, like, I thought I got rid of it all. Uh-huh. I'm doing next generation smartphone forensics. Oh goody, so dreams shattered for everybody. You'll see, that's for everybody else. I have no dreams when it comes to cell phones. I know that little thing, there's an Apple ad that's running right now, 'cause your phone has more privacy, I clipped it to put in my presentation, because I saw that and I was like, oh, that's like a war cry of Apple against this space, because at the end of the day Apple has no love lost for DFIR, no offense to Apple, but really they don't. And now they're publicly coming out going, oh, no, not only this, we're going to side with the consumers every bit of the way. They're probably the biggest heartache when it comes to smartphone forensics, just because it's made it so difficult. But their last release, they just put out 13. I call this the pumpkin spice season, and that's when we get all of the new firmwares for the phones and things. It's also when all of a sudden my hair matches what's popular, things like that. And they put it out and they added a whole bunch of stuff back, which was weird, because that stuff they took out because Congress complained, and now all of a sudden it's back in there. Then they took other stuff out. I'm like, you guys just don't keep track of something, or, oh, you're just waiting to see what we find this cycle to add it, the product benefit. They must, like, they've got new people, new staff.
We've got a whole new firmware and it's been a little bit of a hot mess to deal with because of it. So, mobile devices, the little pocket computers in our pockets that tell us what to do every day, every minute of our lives: is the state of these devices any better than it was two years ago? I think the security has actually improved over time, which is nice, but the other side of it that hasn't improved is the actual apps themselves, which is what you spend, like, eighty-five percent of the time in. It's not like you just look at it and go, so pretty. The people like Apple that do that, they really do, they're like, isn't it lovely, you know. I've heard them talk about their new cameras and I'm like, dude, just look at the camera; I'm thinking, who cares, it's got three lenses, stuff like that. But the apps have not improved in their security as much. They've had a hard time migrating, but the thing they did do that I think is a little better is they've moved a lot more of them to the cloud. Not great for forensics, but better for people. So is there, the other, we've lost Windows. The OS has been gone officially for, like, a year and a half now. Yes, there's still some random people out there that have it, but it was the only one that was cloud-based. Somebody I know had one of these phones, and he actually refused to get rid of his Windows mobile phone until, like, physically it would turn off. He had the Zune as well, because he did. I should ask, because it's the only, you know, live, I remember the sidebar, a long time ago, somebody said on Twitter, hey, your podcast isn't in the Zune store. Like, that's the thing here. Like, it was real, I thought you're punking me. So besides that, that's gone. On the other side, like, you've got Android, you've got seventy thousand flavors of Android, and iOS. Are they at parity in terms of their security and privacy now? Of course not.
No, it's still pretty different. Yeah, Apple I always call a hot mess at the end of the day, and it's because it can't decide what it wants to be. Its architecture changes so dramatically, and I think in the end they're actually gonna move off of phones and start moving into, and no laughing, I really believe our next generation for mobile devices is going to be in headsets. So we're looking into the VR/AR side of it, because they're really out, I mean, how much more innovation can you put in something you're holding in your hand? It's not that exciting. And so that's really the next thing: we're going to start seeing the heads-up display, and the Google Glass thing, we'll be back. You've seen all the companies start buying, to where Facebook owns Oculus, you've got all of that really trending up. It makes sense that we're gonna see that in the next three years, so next time we talk, that's what we're going to have that on. We're just doing this completely virtual, we call you. Guys will have to pardon me for saying this, but it'll be copied: we're Google Glass-holes, like, you know, you look ridiculous. I guess you'll look cool soon, I bet. Yeah, all it has to do is trend up. Everyone, Amazon tried to create those glasses or something like that. I think they tried to do something in the AR range, and I think it was just a little early, because again, they're not marketing it to us, okay, they're marketing it to your kids, because they are going to find it fantastic. They're going to be like, I have to have this, this is so cool, because they're going to get into the school systems and start learning that way. And that's it, that's the last connection. Do you, okay.
So, but, so Android still has, like I said, seventy thousand flavors of itself. Is it as much of a hot mess as Apple? I think Android, if they could figure out how to streamline the release process; it sounds like, y'all sputter, that's their biggest problem, is the manufacturers can't always release. So it's like, I'm a big Samsung fan, I had been, but yet my device can't get the latest one because they haven't decided to put it out yet, and I'm like, okay, I don't want to necessarily switch over to Pixel; they're okay, they were my favorite. So it's like, when am I going to have it? And that might be almost halfway to the next pumpkin spice season and then I get it. It's like, took a long time to wait. Well, I'm on a OnePlus, it's running OxygenOS, and I've had this since the OnePlus One; I'm on a 6T now, and I'm sure they're spying on me, but I think you're delusional if you think somehow magically Apple, made in China, isn't. Yeah, you're delusional if you don't think your smartphone is spying on you. I was joking the other day, this is a new fun, like, branch of research. So I have two Siberian Husky dogs, and one of them, she's very spectrum-y, so I believe she's autistic. I don't know if this is a real thing for dogs, but I believe it could be. I think it could be, all the things that are very spectrum. And so I was talking about it, I didn't Google it, I didn't do anything else, but then all of a sudden the next day on my phone I got an ad for a t-shirt that says "Husky mom of an autistic Husky." I'm like, that was really, really exact. Like, that is not a, hey, everyone picks up that t-shirt, even in Vegas. That just doesn't happen. And I'm like, look at that, it's listening. It's listening more than I thought it was listening. You know, it's funny, our phones, whether it's an Android or Apple or whatever you've got, they do, they listen to what you say. We've tried and tried, talking.
Basically, you have a conversation, a one-time conversation, about something you just never talk about, and then you start getting ads on Google, on Facebook, for that thing that you never talk about, every time, whatever app was turned off except for your phone. You're like, that's... And no one ever talks about how much they're talking to the other machines. I thought that was actually very pointed in the keynote where he was talking about, really, the problem is we're fighting machines. I felt like Terminator. I did, because I just watched that before I came here. It was really good. Yeah, I enjoyed it. Yes, it's worth it. So, but he was talking about the machines, and the problem you have with the machines is they're talking without us having any record; it's not like they're leaving logs. So my smartphone is telling my smart TV that I was surfing the web while I was watching the show, so maybe the show isn't as good as they thought it was. They pass that big data up, and now all of a sudden the show gets cancelled because too much of the population was doing that, wasn't able to contain their interest. You know, these things are happening, but we don't have any control of it. Think of how many secure facilities out there, what do they have, dumb TVs? Did I miss something, is there a dumb TV anymore? Everything's smart. Oh, I solved that by not refreshing my TV in the last seven years. And you don't believe it's listening? It has no microphones that I know of, it has no Internet connection, it has a power connection and HDMI. You have the only big CRT TV left. And I know, while the TV in itself is not, because it's one of those, like, back in the day, but I have a Google Chromecast hooked up to it, so it made it smart. You made it smart; is it intelligent? It's a device. I mean, that is our problem, it's we're constantly fighting the evolution of the machine.
That's going on, and we still have to rely on human imagination and creativity on how we're going to fight that, deal with it, acquire it as evidence, whatever we're going to do. It's difficult. It's not like it used to be, where it's humans. Humans process data several orders of magnitude slower than machines. Yes, so as fast as they are able to send, process, return and make decisions, we're still trying to figure out who to talk to. Yeah, we're trying to put, like, the basics of, oh, you wanted me to color blue in that block, or are you really, what, blue? I don't understand. To them, it's just a machine; no, it's this or it's this. And thinking about that and where we all sit with security, at the end of the day it comes down to data. The data has no bias. That's the main difference, I think, between the human analyst and an algorithm, is humans have implicit biases that we just can't get away from, right? They're ingrained in our subconscious and we make decisions based on things we think we know or experiences we've had. You can actually program that out of algorithms, to not learn things and just make decisions based on if-this-then-that kind of situations. Now, when you're talking about a driving vehicle, that may not be something I want. Yeah, I think that's when it starts getting a little difficult. I did it this year, I did a cybersecurity women's conference, trying to really promote women getting into cybersecurity, 'cause I think they're very talented and they have a different perspective, and one of the speakers we had was with a self-driving car company, and it was interesting. She's the CISO there, and to hear her perspective on just the challenges that they're having in trying to get the machines to understand the biological data they have to process, because at the end of the day, that's what they're processing in their sensors, is the biological data and how they should respond to it.
And I said, that's so reversed from what we're used to doing. It is, actually. So, did you ever take that, I think it was either Stanford or MIT had this online, they were looking at, they're building some kind of ethical thinking into self-driving cars, and they would ask you a series of questions based on, you're in a car, you are the car, you have a type of passenger, a mom, two kids, an elderly person, overweight or fit, like, male, female, or young, whatever, right? And then you have to make a decision on coming to a crosswalk: smashing into the wall and killing the driver, or the people on the crosswalk. And it gives you a different, you're like, scenario, and first off, when you take ten questions, it gave you back the bias you internally had, and it's like, okay, well, I have bias. You know, I always run over the old person as opposed to, like, and preserve the life of the baby. But then we started discovering, there's a paper written on it, like, in general as a society we think people that are obese are less worthwhile than those that are fit, and so you start going, okay, are we comfortable here now? Because you're like, well, I'm not exactly fit, you know. The entire industry could be at risk here, it's a tighter... We all say we try. But let's be serious, so we're building the idea that would make machines this way. Like, AI drives me crazy. It makes me insane because it's not intelligent. It's not actual intelligence, it's artificial, it's a computer algorithm, it's a rule-based decision-making; it is, and that's another problem they reached. No, it doesn't, it's like, yeah, that didn't have the sex appeal that the others did. We found that with... So that was going back to smartphones, that's one of the hard things we've seen, is the smartphones are starting to incorporate their version of, my air quote, AI, is that they're making the decisions for us, so they're filling in text messages for me.
I'm like, but I didn't choose those words, you did, type-ahead, and then you're putting it in. So, oh, my grandma, she turned one hundred this year, in May, and she's not a texter, y'all, she doesn't text. She's on social media, though. I'm very proud of her. Yup, she's on Facebook, so very proud of her. But she doesn't, she puts dissertations up on your wall and things like that, and so my device, she does this, traditional letters, which is fine, she's one hundred, she does whatever she wants. And I wrote, yeah, unlike you, you literally never, you grew up without a car, you were in a horse and buggy. I get it. That's totally, because I'm like, okay, but my phone knows I never text her, because why would I ever send a text message? So it's removed the texting off of her menus, and I was like, look at it, it thinks the machine is smarter at making the choices, and I did not move it, the machine moved it. And in a lot of ways it's making some of those decisions, so it's seen, okay, well, I know every day at this time you typically, you probably check your social media at the same time every day. Yeah, I do, and it's like, here, you haven't done that, maybe I should just pop this up for you. Or, as you're walking out the door, you get an alert from Google Maps that says, hey, there's a slowdown, to where you're like, what, now, I'm going to work? Because they track you, the last six hundred days, and I know that between Monday and Friday, between this time, you take the same path, that it's now different. That's the rise of the machines I'm concerned with. It's super, like, it's so simple to trade that bit of, we can kind of put the paranoia on the other shelf at the back of our brains and go, wow, that's super convenient. Yeah, ten minutes, after a totally different... Yeah, that's the C-word: we don't want to, as convenience is going to cost us our security, but it also costs us our evidence, because one of the hardest parts of forensics is proving
was it you? Was it you, is it, it was my machine, but the machine chose to do it. It wasn't actually me. It wasn't in my possession. It sent the text message because that's the one I normally send; it drafted it, so it wasn't me. So our entire legal system in the US, of course, is based on doubt, right? Where I can cast doubt. But we used to be so good at saying you must have sent this message because you're the only person that has access to this device, you're the only user of it, you must have sent it. But now that could be argued. Yeah, exactly, you have a lot of argument now, because the machines are thinking differently, they're sending the data differently, so being able to actually find those patterns in our digital lives to prove that it is me holding my phone at this time that actually sent this, it was me that called my grandma, you know. Because your devices, you know, you have malware introduced in them, and now it's all of a sudden deciding to send any of that. You think about that, because I hate to say there's a malware defense, but there's realistically some malware, some AI defense out there: I did not send that, the machine did. Now, worry that it does. That's absolutely a possibility. Technically, wholly legit too, and reality for so many people. Because if you were to have your parents, like, would they know? Would they know if they had malware, like, on their machine? No. Do you know, they still believe it's okay if Microsoft calls them and they give them a credit card number, probably because that's who the caller ID says: Microsoft. Yeah, they believe it's gotta be someone I trust; they're on my machine, they are Microsoft, you know. That's just the difference in perception for it. So what is your forensic space, what's new and exciting there?
Besides the fact that our phones or spying making life difficult and generally everything everything bad I I think the forensic space is finally starting to so my biggest problem is always. I was thinking of the weird stuff. I guess it's maybe maybe the I am spectrum me which is totally fine but I think if buying large there's what generality you make about our industry is I think we're just a little KANANA's perfectly fine but I've noticed that I finally got people realized that cloud is really something you have to look at for investigations differently. Someone kept telling telling me no. I'm just GONNA image it like a computer and I said hold up. So you're telling me if an organization large organization has you know a pet abided vita data in there that you're just gonNA image. How are you going to do that? WHO's overstocking six weeks? Who's going to pay the bill? Is that what you're gonNA pay the band with coming. They're like are you sure that's how the cloud works Gal that's l the club works it's transactional based and they said you really have to start redefining the boundaries of forensics. Yeah well that's one of the things that a couple years ago. I started looking at work for coming. We built security. My team built security program so we did the research into how their structure components in their maturity curves. And all that and one of the things that I came to realize is it doesn't matter how far up the fortune five hundred ladder you are. Uh maturity does not equate size of company or or word. We know fortunate list. You are because we died spoken with many companies. They have got to have their stuff if anybody's GonNa have the either stuff together. It's these guys and you walk in like so. We're struggling with how to do. In forensics in the cloud we have this tool of. We're trying to figure out. Our teams are still struggling and how to capture like. Oh it is it because it's a concept that problem. 
It's the first time in their entire career that the data isn't sitting in front of them. Even when you look at a smartphone even you look at. It have some type of physical representation of data. Yeah you say okay. It's coming up if it is coming off this device coming off a tablet but when you say okay all my companies in the cloud they go physical representation. Haitian of this data is where and I mean. The cloud is really just someone else's computer but it's not like you're going to get into a data center and be able to go look at those chances are they're not in a data data center many data centers. Yeah it's it's the I used to use this as a way to make appointments not exactly exactly likely rocket surgery but you east say what Iran when I was a kid. Random investigations early. Two thousands would go ahead a little kit. You give a write blocker doc. pull the hard drive out the right block plug the ID ribbon cable in our it up right and you get a copy and today you're like okay. Where do I pull the drive from? Yeah where do we go about. It worked sales for there's A. We had a breach of our salesforce data. Where do I pull the data from like the idea to go try to tell Amazon? AWS or Azure or Google to All the physical video of these data was on. They're going to go tell you to pound. I think they're not even going to do it nicely. They're going to laugh at you until you to go out and say you're going eleven cats and a huge conceptual difference of how we have to look at what our future is really holding and a lot of those old mentalities can exist and I think that's very hard for an industry to adopt opt to it because it's also hard to get the legal community and there are many judges have many ages too so no one is offended. But in general I've noticed a lot of of the judicial side of it ends up at that education or perception level. More than anything at the of my parents and I tried to explain the cloud to my mother. 
I thought that would be easier for me to manager. It she was in the cloud but she still keeps wondering. I think I actually left a case like a hard drive case in her office and said well your data's on here she physically could understand. There still could be dated there. It's empty. There's no drive in it but the cases there so she has a reassurance that okay I'm physically seen where it is in fact all of its in the cloud that way. I can help her if it becomes because we're not in the same state. Yeah Yeah and remember not even you know five six seven years ago. My parents had a desktop computer and I had to put it VNC ON THEIR ON. RTP into it when you know they had an issue or get a webex license two thirteen right when they had they had issues because it wasn't so simple now you'll be now. Let's simple because I saved saved the file. Would you say the two. I don't know like we talked about your laptop your bone or your tablet the tablet. Okay do you have. I cloud turned data. What and now? And that's the funny thing to in our apple hot mess. They really designed it for parents. Think about it. They just got rid of itunes. That was the death in this pumpkin spice season is no one's any by the it's not that it was awesome but it was kind of the nicer central source reliability. It's the only thing I liked about her. But now it's like okay so everyone has to go. I cloud that was a lot of commitment. It really fast decision was made for you absolutely. This isn't this isn't arranged marriage. This is not a choice of Joyce. Yes it was like okay. which is planned obsolescence right there? You go it's like now we're together. There's no options were just together. Your it's kind of funny you now it. You're buying the physical device but the as a service model has made all of technology a- service yes right everything because as you have you have some data storage here but everything I care about is on dropbox. the rest of it is in. 
My parents have all the photos from their vacations and cloud like well. How do we back that up? That's okay it's it's already up there. Yeah what happens if it goes away like I call goes when you've got a way bigger problem. It's apocalypse season. Alright yeah pumpkin spice season over over the bomb shelters ride this thing out is over. But that's that's the thing is my mama auto recently fairly recently her phone quote. Stop turning I don't know what that meant but it died in some form or fashion and she's freaking out about these photos they had and what about messages. We've sat over. FACEBOOK might not mom. They're actually on your phone. What meat were that? FACEBOOK is cloud. They're not my go tos one another. You're technically their facebook photos. But you have a right to this photos. Yeah we're all talk about rates. Now Yeah Liberty of Windows Media Player and we all hated the Diarra that came with it because worth anything literally anything going back to that. Yeah a little bit. What's old is new spending sites different conversation? Total thing about mom jeans I have. I have to tell you I stand firmly against the mom jeans with you against Bob. I agree completely spiderman. And I'm like what is his aunt wearing monkey tickets. y'All are so what what what makes it better. I mean where it it can't be because essentially what I'm hearing I if I'm if I'm interpreting what we're saying here correctly is that the complexity that they've added they proverbial day. The Samsung was the googles the apple whoever the complexity that have been at being added to the system some to I almost feel dirty seconds but to protect our privacy while completely giving no apps about our privacy. What what if feels like this luge of privacy that they're selling the consumer while keeping the parts they want for themselves and making it it difficult on law enforcement in forensics folks who's winning besides the manufacturer's I don't think anyone else is that's just it? 
It's it's an irony irony we call it the cloud and the fact that in the fact they've kind of shoved all our heads in the clouds. Saying it's okay. It's okay but in fact you have no right to wait. It's I have a presumed right but at the end of the day. What do I really get if you called up google tomorrow and said Hey Google I want everything everything out of my Jamal forever and I want you to never talk to me again? It's not like you can have a hard break up. You married them. And there's more because you're I'm not GONNA get anything out of it and you're probably GonNa lose everything you had I fear for some of these The ACLU is just the announced announced. Today right the borders wireless borders are disembark devices are unconstitutional. And that was that was a today so And then you know you guys by the way. This is being recorded on the twelfth of November. So if you've missed this headline but this is a good thing but it says without reasonable suspicion while like walking okay great so now. We're reasonable suspicion is subject to some somebody at a at a back to your bias question Ding Ding Ding Ding Dan. You're absolutely right so we've now removed. We've now limited to just very narrow scope of complete subjectivity Until Allison full rise of the machines could we have to go back to terminator. They just assumed every biological entity was suspicious in so just obliterated everyone that's what you end up going to two. That's a bleak future away. Yeah sorry feel like okay. We have to talk about something. I I think I need to re-explore my farming options in the future. Because I think I needed like deviate office now. She's all the result needs are gonNA destroy us all they have made life more convenient but I do think we have to be aware that with convenience comes to sacrifice and it comes a sacrifice in the control and it comes to sacrifice McAfee's end. Who really actually has that data? Well we we couldn't professionals. 
It is our duty Rudy to those that are not us that we evangelize if I may use that term the decisions and the trade offs that were being presented with the most of us don't understand I agree to a will using sample so we both have kids yes. Have you talked to your the kids about the value of their personal data. There's have absolutely no idea but they have personal. That's just it. And if they don't learn learn at a really young age because my kids are older but they don't have the same perception on the value of their data. They preferred the convenience over the value. Well and you can see that in our simply say thank the good Lord that there were no ability self is when we were kid because the the Internet never forgets and I did some things when I was. Yeah that That the good thing is all event. That's all gone now and long time. Move because because nobody was there recording with a cellphone fire still takes out photos brigade. Yes the switch is hard drives past. Ah But yeah so. There wasn't that but today's generations of the snapchat facebook twitter generations. Yeah that I don't even know what that is is the yet they're growing up with this mentality. There's not really any value to their data. There's no value value to their data. And then they're only personal. Value is starting to come from a bunch of strangers telling him they like. I think is really really hard because I'm so I have two boys and one girl and I think that's the hardest lesson to teach them is it's like the only person and it's even hard for me because his I've been taught my entire life as a woman that my self esteem is not me. It's other people's opinion on me. So you have to reprogram that side of it and if we don't do it now Kashin's will end up telling them they're worthless one day and boom. Well you've seen the amount of there's still this adds that that are starting to hit the televisions now and the media where it's put away your phone and your value is so much more. 
There was an ad that said. I think it's a Miller lite AD I. I saw the other day over over these last night at night football. I'd have to double check in which the seahawks beat the forty niners a a great game but it was a few close friends is better than a million followers or something like that. Yeah I'm going yes. We need more of those ads. Because that's what you have to teach your kids so Mike. My daughter is a huge fan of John Gates. If anybody knows for for God's Sakes helped me get a hold of the guy that my kids but the but apparently Disney plus came out it was down was an accessible for a while today and the nursery of the Internet was losing their minds because I follow him for behalf of my daughter Uh he put out a tweet this morning said for those of you that are having trouble getting onto Disney plus. I've a very simple recommendation. Put on pants and go outside. It's Tuesday very nice guy. That gets it right as an explorer adventurer. We like I feel like so the movie the Wally is becoming very real. Betwee that radiography. We are absolutely Trudeau's movies turning into prosthetic not comedy and that scares the hell out of me. It is very scary. And it's one of those so whenever there's a storm on the east coast. Everyone does this story and they buy out by the water. And then they buy the bread manageable the interesting phenomenon so I took my kids aside and I said I'm going to teach you how to make bread. And they said what do you mean you can make it. I was leg. I indeed you can. It's like magic and they said but without the store and I'm like indeed without the store but they were so shocked intense. Then they've started to realize is how many more things that they can kinda step away from some of that convenience because you really comes down to convenience more than the automation the only place okay. Yeah you'll be the only place that you can get. Food is not the grocery store serious moment. They're like I taught him how to can. 
I was an old school. I feel like a pioneer here and unlike we made our own jam in their lake back so much better. Because you're busy seventy four chemicals. Say I don't even know what some of the stuff I remember seeing but hey this only has three things in it and that's it okay. All right so that's how we save ourselves but I think we remember that side of US remember that we do go outside or remember. It's okay to actually not have your device on new. I've I've told my husband at least a couple of hours of the night of which no one can have their phone because my face is like about twelve inches taller than where that phone is city. Most of the time. We'll have the conversation with me. I could talk to people. They have their phone in front of him. Or that's a good one two good what I think I'm going to create a a new product. It will be lead lined are shielded box that you can put your cell phones in no i. They owned the patent on Faraday Bax okay. Well there you go there all family. Who put him in there for one hour a day? Nobody can touch their phones. Yep Up because you know if you're missing anything until it comes out of the bag and then it's like. Oh Hey look this anything. The world has exploded not die in that time period now but I think that the old school mentality is. What's going to save us in? The next generation is realizing convenience isn't worth everything that's a good. That's a good way to this. Yeah I didn't want to leave it as apocalyptic athletics. Yeah right yes. You can't make your own food you can't you can't get through a day without relying on your cell phone. Although most of US probably couldn't navigate. They're your driveway to the grocery store anymore. GPS LIKED GPS. An awful lot and not very good. I had to read a map the other day. It was hard So I'll tell you one more. My father was absolutely really. You could look at the map and for the next nineteen hours you could drive from Chicago to wherever you. 
We're going to Disneyworld without having okay. I know where this Google etched so when I noticed that after following Google maps twice to the same location and then try and do it by my memory. I couldn't I started. I would look at the directions. Read them alowed and as driving it would tell me. Turn left on it okay. Turn right on Sycamore. All right you know we posted kind of directionals knows that. I'm getting better at not relying on my device anymore because I dread the day. The hacker collective this takes over the maps ramps at suddenly. Were all the semi five car pile up on the freeway on ninety years. Something because we've all been told to go the wrong way down a one way street and Oh yeah no my sixteen year old teaching outer drive in part of his driving lessons that his dad and I do is that we make him get there without any help of of any other. Directions is like you've been there fifteen times or more you can make it to the score that takes you can figure this out and it's amazing. Gene how difficult it is for him to just be like well. I'm only relying one hundred percent of my own brain and that's that lack of convenience. It's like it's in there. We all have. It's built inside as your dad. Had It better than most I could never have done it by just looking months with if I could. If you've got that practice in do it enough times time has your brain will get you there. Just look all you had. All his. His advice was driving south. I've just following the guidance to go down you'll generally which way we're going. The major high winds were turning on an awful and I destroyed sal like any other was never stressed out about what what it's going to be five minutes off the road. I'm nobody cares. Yeah five minutes holy crap. How can I get over this five minute hurdle take? It's only five minutes. It's really really not that bad all right well. This is slightly up doubt but everyday rather relatives. That's that's good. 
I hope you guys got something out of listening. Uh this is this is our conversations. Can you should be like a regular contributor Stanley randomly. Like we we need to get away with the topics at hand for a bit. We tested the topics. But I think it's just a different. It's a spectrum perspective it is and I appreciate attackers. We're all just a little bit and it's totally okay. It's okay we're good enough for smart enough. Gosh darn it or friends still do their quality followers. That is very true. All right thanks for being on the show to the great folks. Thank you for listening. I hope you had time. This has been another edition of the the security rabbit hole. podcasts live from Las Vegas and fuse twenty nineteen ever heard. Thank you for being on the show and you kind of links or anything you WANNA get people to go check out or what's your again. My Name's ginger. Wonderman Ginger Winterbotham. I follow you tweet Moore. I'm trying I'm not naturally associate. Social person has been very hard for me to social media so I have to fight that whole self esteem thing. Like how many fathers w what do I do. Does America's people follow you. Love the heck would you. Oh there we go sell appreciate it. Thanks guys thanks for listening. I will get you another time. Another place on another downhill skied rabbit. Hole podcast Baid out on another down the security rabbit hole episode. We'd like to encourage you to chat with our hosts and guests using. It's a bitter Hashtag. Please check out the show notes. Catch up on an episode of missed and subscribes this. The future episodes our website is white rabbit dot net w eight one two three R. A. V. I T. Dot net so on behalf of rebounded. Aw Good Bucks on another down the security Yeah.

DtSR Episode 429 - YGHT Crowdsourcing Security Intel

Down the Security Rabbithole Podcast

15:01 min | Last month


"They say they say we should have known bed then to Saudi. Od down down into this. It's time you the venture down the rabbit hole into the world of cybersecurity. You're plugged into the podcast for security leaders and practitioners with a business sense. Prepare for unique interviews insights and practical advice. That makes your job just as Benazir and now please welcome your guides this adventure jeans Giardina and the white rabbit all right. Good afternoon and good evening. Welcome to very special edition of the good rabbit hole. Podcast one in which we haven't done for a while so I thought I'd give you a treat every once in a while. Something interesting comes along. It doesn't quite fit this show format and I. I want to be able to expand the audience and the horizon for the for the folks that listen Now is sort of a weird time because we have the topic of intelligence threats. Come to the fore pretty heavily with everybody realizing that their them at three hundred thousand or so of their closest friends are probably compromised out with some sort of thing going around. But that said wanted to introduce you guys to a different kind of organization any just a short format let them. Let's talk a little league. Talk a little about what they're doing and how it may be applicable to you. Think at school opioids worth your listen fleet. Walk into the show. Thank your iphone. Tell us a little bit about yourself. Yeah income from background off of been doing this for years and years and after that I went into high security hosting environment as we're hosting things for our government and sensitive Journalists you know migas and stuff like that and me and my sister. We came up with nine during this time that we can do things better for the larger crowd to secure themselves. And this is where we talking together tonight right. So tell me what that means. Because there's a lot of doors no shortage of threat. Intelligence platforms companies agencies research. 
Or what do you do that's different. Where's your value. Yeah absolutely so what we do. Basically is will replace a piece of software that you probably know. The audience may know it's called Fail2Ban was born in sixteen years ago in Switzerland made by Jackie. Very cool guy. You made it more like an application to his new learn Python skills and this enbridge no this thing was used by half million mission. Roughly in the world so is quite quite a large footprint. But it age it's not really It is maintained but the guys very few time to to to maintain it so our new version follow us. Yeah but our new version is better on many points and we have a team that is paid for that. So you know it to team off a ten people working in in day out on this you know. And it's modernity dc ten dollars state lesson decouple obama. So it's better you. Can you can switch for it and will only get up sites for that but this is not the end game. The end game is way different. Say after million mission. The biggest houdini put network ever in the world. Right and this is what we're doing. We are creating IP reputation based on this huge network so obviously recreate the systems to to avoid poisoning into false positives but we get signaled from all around the world could be. Sweatshop in Thailand could be as SMB in South. Africa could be Iceland wearing sixty four counseling. This and recruit read the signals and redistribute all those ap's reputation to all the member of the network. So you protected. From both behavior standpoint and reputation standpoint I vecchi that keeps the kitchen counter for being able to poison the poison of pool right. Because if you're able to contribute badness to you can lock out other people that are good you can do all kinds of malfeasance so I I guess my skepticism to this IP rep is something that's It's it's been it's been talked about negativity just put it politely as the internet. 
IP address is used to be probably a lot more static many years ago than what I will demand when it first came out IP used to be much more static. Right you'd side IP address. Then we just live in. The days of Amazon Azure GCP IP addresses live. Sometimes it all ten fifteen minutes sometimes less times more. How do you for that kind of. Have you cycle through that. How do you get a reputation on. IP address that could be owned by fifty different people or organizations or entities in a span of day. Potentially so the points the first one is what you do is sigh tation because if you go on and just drop it is super harsh and and it leads to providence. Basically so we highly advise people not to do this at all using the system. And you want to bounce people on hdp layer. You'd rather senator capshaw. Its way safer. You will block anyone out of the website. It's smarter and since we can interface at any level could be could be session could be business logic. You can have a bouncer saying you're Magento shop. That will just interrupt the connection if the IP disconnected he's known to do credit card stuffing so it's very accurate. We don't want to ban the world. It's not the point and the other thing over. There are smart staff here. And there are more smartness under the hood so for example if one IP has been cut into a problem and installing the database it will be automatically removed after seventy two hours if nothing has happened from the ib because we think that the previous systems. Sometimes I dated there. Were therefore like three months or more and it didn't make sense because you're right. I mean spot instances. Sometimes it switch hands in the manner of a quarter here. 
What we do is like the network is big enough and and sensitive enough to be able to regenerate the reputation of an IP faster and the bigger the network grows the faster the more realtime this IP repetition becomes that's why we think we avoid most of the pitfalls that touched the produce IP reputation system. And this is among many other way of dealing with this we have wastewater things to do. Okay so so then. What we're talking about realistically is those. IP rep systems used to be primarily used. I mean we're talking ten twelve fifteen sixteen years ago right longtime ago. They were primarily used to IP black hole on perimeter devices firewalls and such even taking it down. Potentially the endpoint layer. But you're talking about using it. As a rather than the the sole indicator out one of many indicators but in something like a credit card transaction where So that actually brought to your audience quite a bit that takes you to the e-commerce world where you know like the likes of like a shop or something right. They have or whatever. Their competitors are they can They can rapidly. Take your reputational score factored into a A formula decades as a fraudulent transaction. Or not should let this person used a stored credit card or make them reenter it to verify who they are absolutely absolutely. You're right. I mean what we're doing is this. This piece of software is for free right. So the behavioral engines for free and the IP reputation engineers for free if you sharing signals. Because you don't have to share them if you don't feel like sharing the sparring you don't. We don't take your logs. We'll just take like the time stamp funding IP and this scenario triggered so. But you've never the less you don't wanna share you don't share you. Have a good behavior ended if you want to share your the petition for free as well. But if you're a business and you just want get prediction system to be able to say yes. This is a trustworthy. ipo note. 
This one been several timing doing shenanigans around like peace. Be anna payment getaways in sawn. Please don't allow it inside your network. That's that's cool because if you extend it. Beyond just the scope of e commerce you can use it for example in context where there is very feud CPU and RAM available said now ut device for example is pretty dumb a camera a connected way scale whatever. They are very Short in supply regarding CPU and RAM so you cannot make them do anything smart but you can make them do what one API call. That would say yes. You can connect on no. You can't connect so our business model our manipulation model. He's very fair because a community benefit of this for free and only the people that do. API cold that does not contribute to the petition system will be paying to access the API that is a very interesting model because if you're contributing everybody benefits that it had sort of a mutual system but if you're not contributing and you're simply consuming you have to pay for that privilege That's interesting what kind of what kind of adoption have you seen. Has it been primarily on the two way or is it just a lot of one way of paying customers while so far. The is three It's funny because it's geographically different. For example. Europeans are very sensitive to this thing and we are compliant for what's worse so they are careful with this psalm. Don't share like twenty percents. Maybe most of them share and the other group that is quite. Mitchell is Russian Russia like. Whoa whoa whoa. Whoa whoa we want to share this. Okay guys don't shirks not the problem. You wish to hand Russia's down not so much during you know and other other countries like the US kershaw take it all and give us a good staff. We like it. Well as Americans like to like to be sharing the whole concept of a community a community involved intelligence pool has been discussed many many many many times over. 
And I think the the place where always falls down is the vast majority of end up being people that consume and they don't ever contribute anything back to it so it ends up being kind of a limited you system but if if you've got a significant percentage of kind of curious what the percentage if you take the entire user base how many of that is a on the whole. I mean contributing versus consuming. I wonder what that comes out to be. We have to second episode for that. Because it's really early for us to say and beside the people not sharing. We don't have any contact with them so we don't know the the the software so we get. We don't have any way to track them and that's on purpose because they want to be tracked. That's fine by us. But if you think about it that you're right. This community thing is the core of it because think about it in a different way saying we do what to benefit it so we have like million mission in a network like four years from now. If you would have to run it on your private founds right on the corporate phones it would cost you something like thirty dollar permission per month right so you would be looking at the cost of something like one point. Five million pronounce to run the network. Sorry my around. Fifteen million sorry. My method fifteen million to run the network and if you scale this with the year and so on you looking at the cost of hundreds of millions of dollars where are we are spending close to zero because the people are being the curation locally qualifying the system locally so putting in the effort and we have a way better granularity because as I told you. We sweatshops in Thailand. The in in South Africa big companies like good at he's using it county and the like it so if you do this on the macro scale and want to deploy like fm million machine you would probably industry lies it on the same cloud of clouds like disappear w. so yo. Your greenwich party would be not as good as this one all right so quick quick final. 
How do people get involved. Where do they find your stuff to tell us how to get how to get more. Invol- well get hub. Is the one place for the community. Right so guitar slash crotchety. They can go out so on. Crowd sec dot net crowds dot net like the cross security dot net and it can find us on Twitter on crowd. Security would be happy to discuss and if they want to imply themselves involved himself. We are looking for ambassadors and contributors in many countries as many as we can to help them spread the world. Well cool. I wish you lots of luck. Thanks for joining us for a few minutes of your time. Maybe we'll check back in and do a full episode ones. What you guys are up rolling in and you've got some you've got some real data talk. I'd I'd be interested in finding some of the some of the stats in that data. So all right Lee. Thanks for your time buddy regret they and anytime you want by is out on another down the security rabbit hole episode. We'd like to encourage you chat with our and yes using the hashtag pound d. s. are please check out the show notes catch up on episodes. You may have missed and subscribe to us. Don't miss our website is white. Rabbit dot net w h. One two three r v. I c dot net so on behalf of jeans with good. We'll see you on another down the securing breath.

DtSR Episode 396 - Verizon DBIR 2020 Analysis

Down the Security Rabbithole Podcast

51:38 min | 9 months ago

"They say, they say we should have known bed then to Saudi down down into this. It's time you venture down the rabbit hole into the world of cybersecurity. You're plugged into the podcast for security leaders and practitioners with a business sense. Prepare for unique interviews, insights and practical advice that makes your job just a bit easier, and now please welcome your guides on this adventure, James Jardine and the White Rabbit." We're off. All right. Good morning, good afternoon and good evening, friends and colleagues, welcome down the security rabbit hole to episode three hundred ninety six of the Down the Security Rabbithole podcast. I'm shouting. I'm so excited. I feel like we're doing this yearly now, and it's really cool, the day we get to record an episode on the Verizon Data Breach Investigations Report. This is the twenty twenty edition and I'm stoked, man. Yeah, it's always interesting to look into this data because, I mean, it's just a massive compiling. You know, I mean it's fantastic seeing what is actually being seen out there, and as always I love the fact that they start... it started with a great quote, and of course Oscar Wilde: experience is merely the name men give to their mistakes. I've named all my experiences. There are many logos for them. No, come on, we're not going there. All right, to get your... we've already devolved, all right, that was like seven seconds. Dude, all right, to get this show rolling, what better guest to have on to explain all things than Mr. Gabe Bassett? Hey buddy, how are you? I'm doing well, thank you for having me. Do you want to give people your "who am I, what am I" again in case they're listening to you for the very, very first time ever? Absolutely, so I'm Gabriel Bassett. I'm the lead data scientist for the Verizon DBIR. I've been doing this... I think this is at least my fifth as the lead data scientist.
I'm also co-author of the report, and so we spread the writing responsibilities equally between myself, Dave Hylender, Philippe, who is a recent addition to the team, Alex Pinto and Suzanne Widup, all recognizable names by the way. Yeah, you know, it's really interesting that this kind of... it's a very diverse set of people who all have our different skill sets, and so we're able to come together and kind of put the different pieces together and kind of become Voltron to make this whole thing happen. Classes just made them both ron reference. I love you. We've got Oscar Wilde and Voltron and we're not even two minutes in. This is amazing. This is gonna be awesome. Right, well, let's not waste any time, dive right in. I like to start at the summary of findings because I like pictures. They're very pretty. I'm a simple man, so let's start with what the figures tell us, all right, from the perspective of what tactics are utilized. Let's talk about that. And so this is a good place to start for anyone, like if you need that kind of one-of-the-world's, just glance at what was significant this economy into you, and starting with the attacks. And these are the actions tracked with VERIS. Hacking is still the top action, and not just hacking but specifically the use of stolen credentials, right. When people see the report, go down to figure six, they are going to see stolen credentials at the top. That is the driver of breaches. Next most likely action: social actions, particularly phishing, and so between stolen credentials and phishing, those are the two malicious ways that attackers are getting into systems in the majority of cases. Past that we get into the really interesting stuff, because it used to be the next down was malware, but instead we have seen non-malicious actions, so errors, when people make mistakes, you know, and this is not like mistakes where you turn a setting off or misconfigure, excuse me.
You, like, don't enable the security settings in it that allows the attacks, and that's still intact. This is like, you know, when you publish that private data into your public cloud storage bucket, and then your private data is sitting on the Internet, and you put your MongoDB database straight on the Internet without credentials on it. Those kinds of things are errors. But it's also misdelivery, like where an attacker, excuse me, where an insider accidentally... the mailer gets off. So now you're mailing person A's data to person B. We even see it in web apps, where like you have a web app and you log into the web app and like someone else just shows up at the web app, you know. Those are the kinds of errors that we talk about. Those have come up and passed malware and are now typically equal to social attacks in causing breaches. All right, so this is really interesting. How many people are thinking about errors in their security program? Yeah, so okay, two things that immediately hit me. The first two things you talked about are forever tied, intricately tied together. Phishing campaigns against users, so stolen credentials and then subsequent reuse of those credentials. There are companies that have sprung up around the fact that any time credential theft happens out in the real world, they alert users that... they look for giant caches of data. There's companies that have sprung up around the need to do this at a programmatic level. But I try not to be profane here, oh my goodness. It is twenty twenty. How are credential attacks, how is password reuse and these difficult-to-solve but so prevalent since I got into infosec a zillion years ago... how are these still the top two? I mean, this doesn't feel like... every, so let me step back. Every year I keep expecting, maybe hoping, for a different outcome in this game. I keep hoping that, like, you know, zero-day attacks, like the things that they tell us on the in in.
Cool movies suddenly become like the cool thing, like the number one attack was attackers from nation states crafting individual attacks and creating zero days to attack individuals and companies. And I look at this and it's yet more of the same. Cool, like no. I'd like it to be so much cooler if most attacks were, you know, the advanced thing where they pivoted off of some weird ... and then, you know, they have to... yeah, like the exfiltration of data through the power supply, and those kind of things are possible and they happen. But instead of picturing, like, I think we have that mental model of the attacker as this incredibly skilled technical person. But you know, when we searched online, from four hundred marketplaces' data, one in twenty of the posts was either a request or an offer for services, like, hey, would you like to just purchase your crime as a service? You know, it's that level, right? The attackers are wanting to get their attacks over and done with as quickly and as efficiently as possible. They're in the money-making business, which we've seen over and over again. By the way, you mentioned, like, we know when a credential dump comes out and then looking for those credentials and stuff. We actually, in figure twenty-four, if people get a chance to go look at the report, we looked for correlation between increases in credential stuffing attacks and credential dumps, like leaks, and it turns out there's no correlation whatsoever. Really? Attackers just add the credentials to their data set and then they just keep plugging along. They don't take those credentials in the news, like, up their game right after a leak, at least with the data that we had. Well, that's a really cool concept, like CICA that just we've never really looked at as an industry, but you know it.
Really nails home that prevalence of, you know, the attackers are just going to be consistently hitting through the year, and if they make it with a thousand attempts, they make it with a billion. In figure twenty-three, and this is on page I think twenty-two of the report, twenty-one of the PDF people are downloading, it shows the distribution of how many credential attempts organizations got for the year, and the median, most common, is right there between one hundred thousand and ten million, with as little as under a thousand and as much as over a billion, we modern mercy. And so like, as an organization, but this goes back to what you said, it makes sense to be prepared for credential attacks happening. You know, maybe a whole lot, you know, but you need to be ready for it. Everyone's getting hit. It's the Internet background radiation. If you've got something logging on the Internet, it's going to get hit with this kind of attack. You need to be prepared for it. But like, you look at companies that are just now moving to remote work now. I was talking to a friend and he's like, yeah, you know, we're worried about: do we even have protection on our endpoints, because before they were always protected by being inside our boundary, you know, and we haven't even started to consider pushing patches out to them because the patch was behind the VPN, and the VPN is already saturated. You know, like those of us who live in the modern IT infrastructure where we can get all the things we need through web applications, but we also understand the inherent risk of... we've planned our security in. We use two-factor authentication. We are aware of phishing, report it when it happens, you know. It's all part of the course. But there's so many organizations that really haven't even considered what that means, that they're just now like, hey, we need online collaboration software. Well, especially if nobody going especially let me.
This report is going to look even different in your next iteration because now everybody's going from home, and you guys obviously collected and collated and brought this data set from before COVID-19 hit, and that was still sort of, we'll call it the normal times. Before, if you're listening, you know, your next report... if you're listening to us, you know, more than a couple of months down the road, will probably be significantly different. Point something out, because I'm still stuck on page seven, because we talk about... there's this huge section of the industry that believes the insider is the big threat, and consistently you guys have shown us that the external attacker is far more numerous than the internal, but the internal can do essentially more damage on accident. So in this one, seventy percent external, thirty percent internal. But that thirty percent is not a small number. No, and that's very much driven by those errors, and the mistakes people make. That is the consider that it's not the... the people inside, your insiders who are causing breaches are not doing so intentionally, so it doesn't make sense to hunt them down as, you know, rogue employees. You know, it makes sense to look at it like process improvement, right? Manufacturing, you know, they've had decades and decades of saying, how can we improve our process so that we don't cause defects, so that we don't, like, leave a screw out, you know, and security needs very much the same approach. Yeah, but like you said about insiders, you know, it's really interesting when you think about insiders versus outsiders. There are just far more outsiders than there are insiders, and if most breaches are financially motivated, you know, the nice thing about insiders is you're already paying them, you know. And so like, the breach would have to be worth a lot more for them to risk their future salary on. It does happen, not unheard of, but even our misuse category, which is that malicious insider.
A lot of that is just the person breaking the rules to try to get the work done, like sending, you know, personal data from their internal company data to their personal email address. Absolutely. Work from home, natural gas. Well, we count that as misuse. It's very little of it that is kind of real malicious insider games. I'm pretty sure you're excited about the fact forty-three percent of these breaches involve web applications. You're never going to be out of a job. Yeah, you know, I'm sitting here thinking about what you just said about people working from home and then modifying their kind of work process to be able to work from home, like sending stuff to their personal email. With everybody forced to work from home now, would we expect to see a drop in those types of misuse, internal errors? Since now you're bringing your work stuff, like you're already home, right? Like you don't have to rig it up and be like, oh, I have to send this to my personal email so I can use my home computer, like I forgot my computer. Now at home I've got everything I need. I don't have to go through these hoops. Hold on, so wait, but there's a give on on. Get your thoughts on this before you answer that question. The follow-up to that is yes, we've now sent people to work from home, but the peripherals they need to add... how many more companies are we adding local admin passwords right now to all the systems they stripped them off of years ago? Oh man, and you know, obviously this isn't something that organizations... but the good question is not just like who's doing that but, you know, who's handing their work computer to their children to play games on, who's like sitting at their desk at their work computer and it hits five o'clock, annoyance, five o'clock, you know, and they switch to doing personal things from the computer, or you know.
Even, you know, what we're gonna... organizations are not able to push policy out to those work computers, or are not able to do remote digital forensics and incident response, right, like remote DFIR is kind of a thing that takes some skill, you know, and companies that are not prepared for that are going to have these computers out there, and potentially those computers are gonna come back into the organization at some point, you know. Can you imagine what it'll be like the day everyone returns to work, or whoever is returning to work returns to work, and all of a sudden all these computers that have been off the reservation for months and months are hitting the internal systems? You know, that's something organizations, the security people, are going to have to be prepared for. That is funny. By the way, a different thing: you mentioned the web app, and that's huge and ties into just what we're talking about. Breaches involving web applications have doubled since last year, and you know, like, organizations that are prepared, just use it. We understand how to protect credentials, to protect tokens and such for cloud services, but the companies that are just moving to that are moving into an environment where the attackers are already there, you know, and so it's a very quick learning experience. And a lot of times I don't think people realize it. You allow these cloud services, they are the basic, or email, mail and such, and so we kind of think, you know, well, what's the attacker really gonna do with my email? They're gonna read me arguing about the color green to use in this PowerPoint presentation. But what we've seen is that the attackers are willing to compromise even just people's email, even if there's no clear use for it, and sometimes they use it to turn around and use the credentials or the addresses they find in it to attack other people, to send out more phishing. Sometimes they steal the data. Sometimes.
We don't even know what they steal, the data, but we have to report it as a breach anyway, right? Like if you're in an industry where you have mandatory reporting requirements and you have some sensitive data in your email, and an attacker has access to the email, you have to report that breach, whether or not the attacker actually made use of it or even downloaded the data, because you may not be able to tell what they accessed. So with the web compromise going up so much, I was trying to look through here to see if I can find a breakdown of that. How much of that is due to the fact that there's just much more prevalence of credential stuffing? About eighty percent of it is credential stuffing and about twenty percent is exploitation of vulns, but where it's an exploitation of the web app, that's not like, again, you know, we'd love it to be really cool advanced attacks, and what it really is most of the time is known vulnerabilities, well-documented, patched vulnerabilities. They can just be scanned for. The entire Internet can be scanned for them, to be attacked whenever they're found, and so the real solution to that portion is just, you know, to apply the patches your vendor sends you eventually. And the patching stuff that we looked at this year was actually really interesting. We don't have the chart up in the main body, down in the industries there's several places, such as figure ninety-one, where we talk about the patching within a specific industry, and in each of those there's an overall line, and the overall line shows that most organizations only get fifty-seven percent of their significant patches, so their mediums and highs, patched within the first quarter, and it's a slow progression. Started about twenty-five percent and then patched the other twenty-five percent over the quarter. So it's not like a great number, like, you know, fifty-seven percent is exactly passing in grade school, passing grade. I've been out of grade school now on time. Okay, I'm pretty sure.
Sixty and below is failing. Very close, like statistically they nearly pass, right, within the... yeah, they would give the participation trophy. So with twenty percent not being, you know, like brute force, like credential stuffing, the other bit that's going on there, is there a breakdown of, like, you've got patching, which is obviously a huge deal, man, Equifax showed us that, but things like SQL injection or, you know, like OWASP top ten type stuff like that? Is there anything that actually tracks the number of breaches occurring based on any of those exact types of vulnerabilities within a system? Funny you should say that. If you go look at page, what page, about thirty-seven, thirty-eight depending on your version, and figure forty-nine, we actually broke down the types of attacks. SQL injection leads the types of attacks, followed by PHP injection and local injections. File uploads and cross-site scripting are kind of following. Within that, you know, and that kind of aligns somewhat with what we see with the vulnerabilities in software: SQL injection and cross-site scripting are some of the major vulnerabilities. But yeah, that's a breakdown of I think five point five billion attacks. Wow, yeah, so that's interesting because, I mean, it's funny, like so many people say you don't see SQL injection anymore. I know it's still out there, but you know, it's so rare in the tests that I do and stuff like that, like it's so rare to find SQL injection on an app anymore. But the interesting thing is that we're testing the people that care about security, and the people that attackers want to find are the people that don't care about their security, you know, the ones that are easy to attack, and so even in our breach corpus injection tends to be one of the higher types of exploitation. And so seeing that align with both the types of vulnerability software has and the types of attackers make... really kind of, let's see it at almost every stage of the process, you know.
Both the vulnerability, the attack on the vulnerability, and the attack, and because, right, the attackers can scan everything on the Internet, you know, or it may be a well-defined SQL injection and they're just looking for the people who haven't bothered to patch in the last year, right. So my focus in kind of skimming through this, by looking at interesting things, is your timeline section. That's page thirty-five, I see, hope it in in this world. When I look at detection, mean time to detect, I think, right, that's your discovery figure. Mean time to detect is days or less, as opposed to months or less, as opposed to, it used to be years, I suppose. And then the mean time to containment is getting better as well. Yeah, and I think that that's a trend that we've seen, particularly for discovery. Discovery is a trend we've seen over time, the last half decade, continuously going up. This year, not to dampen the signal, but part of the reason for the increase is the increase in breaches discovered by managed security providers. And so we include them, because, you know, this is a legitimate thing, you know, having managed security providers who help you find breaches and do it quickly, efficiently, is a great way for small and medium-sized businesses that can't... like, one of my personal core beliefs is everyone should have security, for every size organization. You know, even a junkyard has a junkyard dog, you know, but the problem is, like, my dentist can't afford his own SOC, you know, so what he does is he rents. He doesn't actually own his computer software, he leases it all from some other company that manages it, and then they can afford security because they're pooling resources, you know, and so it's a good pattern, I think, to say that managed security, particularly for organizations that otherwise couldn't afford security, is a good way to improve detection. You know, but part of that is just this big increase in breaches associated with managed security.
Well now you're singing my tune, because, you know, not to be entirely too self-serving, but give me a second here. I the MS pretty entire middle market. The entire mid-market in terms of companies that are one hundred million to a billion in revenue, I think there is... I've been saying this, and some people give me kind of a side-eye look and some people nod along, but it is entirely, I think, bonkers to try to build out your own security, operate your own SOC, your own staff, your own tools. Like, why are you doing this? Your money is better spent on things like actually things that go into engineering and architecting safer products, or actually doing things that provide value to the revenue of your company. Security operations and building a SIEM and running your own MDR, like, they just don't make sense anymore for many reasons, not the least of which you're not gonna find the people. Yeah, no, absolutely, and the counter side: you have to have that security operations, right. You know, no wall can be built thick enough or wide enough or deep enough to stop an attack if you don't have someone sitting on the wall watching, of course, and so this is how you bridge that gap, is to have that pooling of resources and taking advantage of those economies of scale that you can get through a managed security solution. Yeah, and so, yeah, I'm a big believer that security ops is critical for every type of organization, and managed security is really the only way that a lot of small and medium-sized businesses will ever be able to take advantage of it. But yeah, that's what helped drive that days with last time. But even then, like the government sector, we saw a decrease, where detection for government tends to be very long.
Yeah, um, and their detection has gone down substantially, and so I think that maybe we're getting better at this attacks, and really that flows into the whole thought, and like we started with the quote, right, about imperfection and experience. You know, that's kind of the message of the report this year, is that, you know, even though we are imperfect in what we do, you know, I don't think I'm just spit on say here on this call is perfect. I'm pretty sure I'm not. I can assume neither of you are. Be wrong. Let's just assume that that's true. Keep going. Perfect. We know our patching is imperfect, our malware but racine of solutions working, right. We don't see a lot of vulnerabilities exploited in breaches, right. The attackers are after other things. Our patching, our filtering, that's working. It's not the easiest catch-and-run attack. We look at malware, and like we started off the conversation, malware has dropped. It's not even close: errors are bigger causes of breaches than malware. You know, now malware types that are getting bigger, like ransomware, but things like trojans, particularly for organizations, are dropping. You know, what that tells me is when we look at our incident... if you go to, like, everyone should read the malware section, read the black box in the malware section of the report this year on page, I think it's going to be about sixteen or seventeen, because one of the things we realized is we've got our breach data, right, and the breach data shows us where the attacker succeeded. We've also got our non-incident data, like malware blocks, which show us where these hackers failed because it was blocked. Now we've eliminated part of our bias. Traditionally the DBIR has had this bias: things succeeded for the attackers, which was okay. Attackers tend to do things that succeed. But now we can compare the two and say, what did they try that failed? You know, what they tried and failed, that were some of the traditional types of malware. They.
Send lots of it, but it gets blocked, you know. Talking to my SOC friends, they say, yeah, you know, every once in a while we get some malware but the tools just kind of take care of it. We don't, like, have to write an incident, don't have to run our IR process for it. You know, and so there's good news there. There's good news in the error side even, because when we look at, like, industries that have mandatory reporting, like the public sector and healthcare in the US at least, they have to report breaches even if they're caused by errors. They've always had really high error rates, and so now my kind of takeaway is that errors are not increasing; reporting of errors is increasing. You know, we're just now getting publicly disclosed, and you know, I'm sure this is not comforting for the people that actually have to do this, at least in the short term. But you know, I think this is a good thing, because like we said none of us are perfect, and so, you know, the only way we're going to improve our security is if we're honest about it, right. Like my car gets... has a recall once or twice a year, you know. I drive over to the dealer, they replace some small part or do a software update. And you drive a Tesla? At this point I drive a minivan. I can do an entire podcast on why minivans are great to drive, which says something about where I am in my life cycle, right. But you know, they replace the part, I go on, and it doesn't make national news, yeah. You know, the same thing should apply to errors. We should understand when companies say, hey, we made a mistake, we fixed it, we've done our best and we're going to continue doing so in the future, you know, and we're going to make mistakes in the future, but that's just a part of, you know, living. And so I am hoping that we're normalizing error disclosures so that we can all get past it and just fix the problem and move on, because that's how we get more secure when it comes to errors. Even they're all I can say is it. Is there anything in here?
I guess there's a little bit that shows some of the trends, like that does a more kind of detailed comparison, like year to year, to be able to see, you know, hey, you know, I mean, it sounds like we are getting better, and I think we say that every time you do a podcast, to be able to show, like even from the hacking side or the web apps side versus some other area, you know, where you can see what was SQL injection. Were those the same top things last year? Do we see that shift? Or we're still seeing mostly the same type of stuff, just maybe less of a lot of it? You know, the top things, particularly phishing and credentials and misuse, are still the top things. But for anyone, this is a great chance to plug something else for anyone who wants to compare, like, year over year type stuff. We ran into this problem like a couple of years ago with the report, where we were trying to carry the same charts over and over and over so that people could compare, you know, but it was just taking up all the room. We couldn't put anything new in the report. And so what we've done is we've created an interactive site, and so if you go to the same page where they launched the DBIR, and you scroll down, there is a link to a tool where it's all this data for the collected, over like the last five or ten years, and you can look at all these different aspects of the data in interactivity and see how things have changed over time. And so if you want to look at the data over time, that is the best place to go, and you can really dig down into, like, deep data that we just don't have the physical room to put into the report this year, 'cause like at one hundred fifty pages we are all bushed. Yeah, hey listen, I wanna change the trajectory of this conversation just a little bit.
'Cause I get fascinated by colors pretty easily, and if you look at thirty-two to thirty-three, how many paths must have... breaches walked down, so figure forty-one and forty-two, in both incidents and breaches the fall-off is pretty dramatic somewhere around five, right, five steps. Like, it seems the overwhelming vast majority are one or two steps. Everything beyond that seems a little exotic, perhaps. Am I reading this right? And now I ask you to explain figure forty-two. Yeah, you are absolutely right, and this is one of the things... so this is one of the things, this is like the fifth year I put paths into the report, like slowly working and getting a better explanation, better detail about it, and it really hits its stride here, because I think that we need to think in terms of paths to really build good security. Like, if you think about breaches like a snapshot in time, right, then it doesn't give any opportunity to intervene mid-breach, right. You either had everything perfectly set and the attacker didn't get in, or the attacker got in and now you're just cleaning up after. But if you think in terms of a path, you could say, you know what, there are a couple of options. Now, one, I can choose where to meet the attack, right, 'cause the attack starts with, say, a phishing attack that steals credentials, and then the second action is using those credentials to log in to something, and then the third action is putting malware on the system, right. You know, maybe you wanna try to stop the phishing email ever getting in, but maybe what you wanna do is say, well, we'll stop that, but what we really want to focus on is improving our reporting so that phishing attacks get reported to us quickly, and then we can isolate the systems and look for any new executables on them. You know, we can pick where along the path we want to intervene, and we can choose the place where it is most beneficial to us. But going back to those figures on the paths, right.
The attackers like short paths, right. We already talked about them being financially motivated, right. Who wants to work more and get the same amount of money? Well, we wanna work less and get more money, preferably. Yeah, and so, you know, why would an attacker ever go take a fourth or fifth or sixth step, you know, if instead they could go and take one or two steps, three steps, and do it to ten other organizations? So every step you put in makes a huge difference. Yes, so let me just throw some thoughts in here, because this sort of makes this... the thought that attackers take these long complex paths: exploit one system, they'll phish you, they'll get your credentials, exploit once, then move on to the next, move on to the next, move on to the next, pivot, pivot, find something, exfiltrate. It makes that feel like a little bit of a myth. Because, and the reason why I'm bringing this up is because a lot of us... you know, I'll... God forgive me for this, though, we say, you know, security in depth, right, or defense in depth, and so that relies on the fact that over a certain number of steps the attacker's bound to get caught by one or more of them. When what I believe we're seeing here is, from a defense perspective, you're not getting a whole lot of opportunity to catch the bad guy, gal, person, the attacker. If you're not paying... if you're not looking closely, it'll be a blink, they're gone. I would catch it differently in that, if you are doing defense in depth, potentially it's either working, because if you get caught in those steps you don't show up in this corpus, right. These are the people that failed. Or if you are getting caught and you had defense in depth, you didn't have the depth in the right spot, right. It doesn't help to have, you know, this really fancy internal defense system with multiple internal enclaves when the attacker logs into someone's email and then steals your W.
two data's readout email us the email the fish you know an HR person and getting know for a business email compromise right. It's a one or two steps thing and this is where your threat Profile becomes very important in your ability to define your tax service right because you have built. These incredible defenses around things at the attackers. Aren't going after you know or would go after if they could but really you left some things. The attacks are more than happy to take way too far out near your boundary. Well don't have to. This once again reminds me of the fact that I need to get John Stephen. Back on this podcast because not enough of you out. There are doing threat modeling. No and you know one of my. This is like you know the same they gave like. Just imagine the world does you know and I return years for security is that we do threat modeling but we do threat modeling with passing graphs to say. Okay you know at this point which direction could attacker take in fact So I used to work in a previous life. We had ten tests but they were super super structure as in the attack. The Pin pastors were not allowed to deviate from the plan. that's great. I know it's like hey here's a pen test but you can't Actually do anything that you haven't already told us you were going to do so what we did is. We gave them a lab environment where they got to test and they got to try it and The field But the way they would documents document these very elegant attract trees. And if I get here then I'm going to try these things and if this one succeeds I'll be able to go to do these things you know and they would kinda work down as attaching. That's we can be doing. Similar attacks reserve attack graphs as to build out our tax surface. And things like that. Dvr help you see. What are the attackers? Doing where are they going after to help you build that because then hopefully you can see? 
Hey Wow there's this path where the attacker there's one thing in the negative their goal That we hadn't considered or you know hey To get to this other thing that we really care about all the attacks have to come through this one point and so that's the point. We wanted to play or controls set. You know it's a thinking in terms of the promise think in terms of grass is really hard and so these opportunity here for tools to make this easier for people You know from the detection standpoint It's an open source. Project called grapple. Drp G. R. A. P. L. That it was only do we have. Do we have to pay extra for vowels I am not going to Talk about crawling because at such a cool tool he's doing some really cool graphs up. This is like how it works. What he does you from Texas standpoint right. It may be really hard attacked Mauer but you know we know that. Like if you know maybe an executable as spawned from Microsoft Word you know maybe that's not something that should be happening if if not if Internet explorer response CALC and suddenly opens power. Shell probably not the right thing to happen right here. So you know that he's doing cool things around that And he's not the only one doing of it's just a nice open source project point to And I think that that way of thinking all the center detection get so much better because we're not detecting a single thing were to decking a sequence of things. Sequences are much less likely to happen. Just randomly well. And it's a family and you get into detecting families of attacks or classifications of attacks rather than attackers. Exactly these are very general patterns and you can tailor them to the things attack is like to do because we see anything the DVR at the attackers like to do the same very efficient attacks a whole lot and so you could build the signatures In such a way that you're looking for those general General Attack Pass or tax Shane's And then detect and block those versus trying to look for. 
Maybe points in time ended her more. Ambiguous is hard. When we're looking at that the PAP thing Is there anything that breaks down as far as either industry or anything like that to be able to show you know? We've got the DOTS coming down. You know are certain industries that attackers tend to be having to take more steps with or willing to take more steps with critical infrastructure. They have to do more. And they're okay with that versus you know some you know e commerce site that it look if we if we hit we hit it if we don't we move on as it was already breakdown as regarding that we didn't put it the report. I think we have it in our exploratory analysis. But it's not something that I remember off the top of my head but it's definitely something that we get to look into. Hey Gabe anonymity to the size matter deep dive a deep dive Indus and breaches I I. I've been staring at that for a moment here while you guys were talking in like the the frequency obviously is is out of wack for large companies but things like top patterns threat actors active mode actor motives data compromised. None of that is that dramatically different between small and large companies. So what? I'm what I'm seeing is In my analysis is actors threat. Actors are mostly indiscriminate unless they're specifically targeting a thing or a an outcome they want they will as you've already said they will reuse tools and techniques as often as possible and they don't really care who the. Who the target is on? I think that's that's a very good way to characterize it that particularly describe as targeted I. Actually I went back yesterday and looked up and The small medium businesses far more or far less targeted for his less targeted than a big business. Right it's opportunistic attacks on small medium businesses. You'd expect Yeah I mean. This isn't it isn't surprising but for a small medium business it says well there's no reason for an attacker to attack me now. It's like well. 
They are not attacking you. They were attacking everyone. And you got caught right the fact that you have no reason to target U Or you don't feel Is Not a reason is not to prevent the attack from targeting or attack because they just want money. And you know if you have a web service available or are you have Email and you have systems inside. They'd be fished. You know you're just going to get swept up in these more general attacks knowing so for small medium businesses. They can't hide behind the anonymity of being a small business if you look at Census data. There's far more. Small businesses in there are large right and so the percentage of small businesses is the we have his recorded for his sparse smaller. But you know it's playing a game of random chance. They'll do the attackers today. The attacker is just randomly. Hit on me or not and it's a small business. You don't WanNa be flipping a coin to decide whether you get breached or not. That seems like a rough way to go all right. I think we're coming up on time here. My final thoughts come out into CIS Control Recommendations CIS critical security controls. Right where you guys had this. Great Map of the type of safeguards map to patterns. And I I look like some of these columns and Gila Cyber espionage against that. You've got to have your you gotTa have your stuff together. Pretty good in all these areas but the thing that the one row which is if you're reading this it's the CIS is done on rose one row that seems the absolute most busy and you would expect expect that is implement and a security awareness and training program. What do we holistically across the board without fail catastrophically suck at that? Yeah and so this and that that ties very heavily into like the top of your six which is a great summary of the report. I know I make me jump all where that's right. Report is fishing USA stole credentials. Miss Delivery Miss configuration what ties all altogether. 
Those are all involved with the Human Element Ryan People are involved in all of that And equally so you know our ability to not just trained people but put them in situations where there are less likely to fail or make mistakes and enable to deal with the mistakes when they make them is critical across the board to protecting an organization their security right. We all make mistakes. It's possible to be imperfect and still be relatively secure so so focused on the good things in as an organization doing prepare to have mistakes happen and to be able to deal with well and I think that figure six nicely summarizes exactly what we've been talking about and since twenty fifteen thing like the Mao where scrapers the trojans the specific dumper malware that kind of stuff either decreased significantly or stayed the same. The things that have increased the attacks on the people and I can't think of a better summary For this entire report than Including what you. We just literally talked about making protecting your people as your strongest asset in the fight against crime and attackers like people are your strongest asset but also you weakest link and so we need to do everything humanly possible to arm them with the intelligence and the knowledge but knowing that they will fail as will use security professionals all day every day and you will click on that lake. That looks way too good to be faked. But done it is you will fall for some website. You will have your credentials dumped at some point. How well how well insulated can you be against by process and tech? I think that's the key and I don't see I mean I don't know anything in particular but if we're having this discussion five years from now I don't see a major change coming. I I would agree. People will always be part of the process. They will always be Both our ability both 'cause our ears but they will always also calls our ability to adapt and improve and so you know play to people strings. 
Help them mitigate the weaknesses and you know except that it's okay to be imperfect and just keep working for an impressive for a love it. That is a fantastic place to end this conversation. Man This is that once again to everybody that That was That was on this And and of course. Thank you for For joining I'm GonNa ask what's with the The Soi Color Swatch at the end. So it's time to the frontline is well And so if you are lucky enough to get print report It will not be easy this year But if you're lucky enough there actually if you look at the covered they're going to cut holes for all those colored squares and so when you get the report you're GonNa see through the cover to the color. Is THAT BIG Waffle plot behind Thanks to Bob Rudas for the our code that generates these And each these squares each represent about one breach each and they represent the number of breaches in both the regions and industries and so each different colors either region or in industry. And you're seeing through the cover physically you'll see through the cover the report she those colors behind it. All right. That's breaking cool. How do we get one? How do I get one? I will see what I can do for you now. I long it all right folks Hopefully you've gotten the chance to Read the Twenty Twenty Verizon data breach investigations report if not go grab your copy there in lies some great data For pretty much anything you want to get accomplished in in Cybersecurity Whether whether you find this stuff interesting or not You should definitely definitely definitely read it. Definitely there's there's good stuff in this. I mean I again. I keep wishing for something that we've never seen before and I I'm I'm unsurprised. It's not there it's on the next. Tv show that's coming out for. That's where you're GONNA see. That's lovely thank you so much for the that's that's not gonna be in real life. Is this going to be in the TV world? Hey give you wanna give us the The authors here again. 
You've got yourself I. I remember Alex Pinto filling Wa Suzanne wider and Dave highlander by the way a big thank you to all of our contributors We had over eighty this year. Each one of them puts in a amount of effort to get us the data. It is not an easy process They are all very helpful and good to us and so we really appreciate the contributions they make so that we can turn this contributions around and provide them with the community. Fantastic all right. Thanks to rising letting US borrow your brain for a bit. Thanks for joining the show game. It's always a pleasure man. My pleasure folks. Thanks for listening. James. I'm I'm heartened that maybe one day we'll win this fight against crime with army. I couldn't my positive positive attitude. Yeah yeah that the quarter will get you a cheap cup of coffee in a native come all right well Thanks for listening you guys. This has been Episode the ninety six of the down the security apple podcasts summarizing and discussing the twenty twenty verizon data breach investigations report. Go redick go use it. gold learn from it please. So we don't have the same findings next year Something different to do and on that note. We'll see you guys another time. Another place on another down the rabbit hole. Podcast JULIA IS WE FADE out on another down the security rabbit hole episode. We'd like to encourage you to chat with our hosts and guests using the twitter Hashtag Pound D. T. S. please check out the show. Catch up on episodes. You may have missed and subscribe to you. Don't miss a few. Our website is white. Rabbit dot net w eight one two three R B B I t dot net so on behalf of genes pronounced good bucks. We'll see you on another down the security i.

DtSR Episode 392 - Chris Nickerson is an Original

Down the Security Rabbithole Podcast

48:48 min | 10 months ago

DtSR Episode 392 - Chris Nickerson is an Original

"They say they say we should have known bed then to Saudi down down into this. It's time you the venture down the revel into the world of cybersecurity you're plugged into the podcast for security leaders and practitioners with a business sense. Prepare for unique interviews insights and practical advice. That makes your job just as Benazir and now. Please welcome your guides this adventure jeans. Gerardine and the white rabbit's burrow all right. Good morning good afternoon and good evening. Welcome down the security rabbit hole to yet another edition of the down the Security Rabbit Hole podcast ladies and gentlemen boys and Germs. Every once in a while I get the option and the honor of having a longtime friend and one of those I will I will simply refer to him as one of the. Oh Jeez Bar Industry. You deserve it. Mr Chris Nickerson. Thank you man. I'm glad to be talking with you. It's been quite a long time. It has been a hot minute man. It's life is life is life is progress. It's been It's been crazy ride. I think for The last twenty but certainly the last five to seven You built well. You've done a couple of things. You've you've built up a business that started As sort of Let's see if you know kind of a project of yours that has seriously done some nail big things. Tell us a little about that. Yeah you know. I think like everyone at some point after running teams and running companies. You realize that there's a bunch of people at the top of the food chain. That are getting rich in that. You're working ninety hours a week and eventually go. Whoa maybe I could work ninety hours a weekend. Make the money versus may one else rich and kill myself right and you know. I think we were afforded the opportunity early on in my career as a penalty. Some stuff that other people weren't doing just because At my time you know when I was when I was running secured sprint And and what we were doing there and trying to be really aggressive about our security programs you know. 
Kinda let us into looking at more of these sort of makes disciplined approaches and attacks because we we had a lot of lot of different stuff going on internationally at the time So we were dealing with you know blended threat attacks that had to do with you know things that were happening over the carrier networks things that were happening over the cellular networks that we're building what we were doing. You know physically in those locations and and it really led us to doing a whole lot of at the time Which were these sort of blended threat assessments of you know? How can you get in at the most advanced or highest level in the most motivated level? You had Which really led us into you. Know at the time which was which is kind of the the beginning of offering red teaming out to the world And being able to do things in a mixed discipline attack surface in a whether it was social or physical electric And as it started to grow and as I had kinda changed out of that position and through working at KPMG for a little while Very little while I was gonna say personality in KPMG. I can just see that colossally colliding. You know they were. They were ambitious. They they wanted to start a testing group And at and at the time I was pretty well known for starting really aggressive testing teams and Once they realized what an aggressive tested team look like and how that that worked they were like. Oh no no no. We're not necessarily ready for that. And you know it's interesting watching all the big four is now come around and start buying you know boutiques and companies like ours trying to get into this. You know aggressive testing market in a wits. It's about fifteen years later So so they're finally warming up to it but at the time. 
I think you know to ambitious too early Then you know worked worked at a large Distribution shop called the Arrow And and we had all these bars and we were kind of white labeling security services as they would white label the resale of of the products because being a distributor They white label as to all these are so we were able to kind of pitch out some of these things that were really on the edge you know whether it was doing advanced hardware testing or software testing. Or you know apsect pen testing or you know full on full scope red teaming When you have three thousand bars it's pretty easy to to go and pitch out a service that's kind of bleeding edge because you have some ability to get one just by the economy of scale So that was really. What led us out into doing more and more of these full-scope tests an as we're doing those full-scope tests They made a terrible TV. Show about us. we'll come on. It was fun to watch. It's so bad it was. It was one of those things that was kind of too early. Right like the The the the world had not watched Mister robot and hackers and all these other kinds of shows that warm them up to what we did in our our community and and the things that we love to do the things that we like to explore so it didn't hit the same way as did with within our community were like. Yeah this is the stuff. We do everyday spun so you know that happened and then I can't believe it but you know thirteen years ago. I started Laura's with With Eric Smith and that's that's a congrats man at the hot minute. Yeah Man. It's been a while in and it's It's been one of those things where where we really set out to have a mission and have a purpose and and really let that be our guiding principle and and I know that anyone who listens to has an MBA or whatever other advanced degree from grade schools. Teach people how to build businesses and sell them and whatever else Probably goes. 
Oh Yeah you know you're supposed to build it with all these other things in what we did is we just built it around the lines of. We're going to go out there and we're going to do. The things that we know are going to make people be more secure and and whether that is to hack harder whether it's the trainer whether it's to be part of their team or whatever else you know we we really set out with that mission and and you know knock on wood or knock on my head. I guess the the the blessing that we've had along that time is you know we've run a company that's been that's been in the black every single day Starting a company in the middle. Both of what? What's now the second worst recession right in? Two thousand eight like terrible time to figure out starting at company or two thousand seven And and then go okay guys. Let's let's try and do all this fun stuff and in and we really just been blessed. It's it's worked out that we've been able to to go out there and apply skills that we have is you know more advanced adversaries attackers and use that way to train people in their environments to to resist the actual bad actors. That are out there. Well I think I've got. I've got two stories that I think anybody that knows you has heard before The first one the first one is I think is the one from sprint. With the walking you wanted to prove resilience Peres's IRS Into the data center at. That's a that's a fun story. Told the that I think makes continues still makes every Assist the network manager nervous. Yeah Yeah Man. We We we we we really did invent the the idea of chaos monkey You were the chaos monkey. Yeah Yeah I mean. It's definitely a monkey when I was a kid. Walking into a data center with with a scissors and box cutters and going. Oh yeah is that. Ha Does it work. 
I don't know and then let's one swipe of a box cutter later be like can you still paying it and amazing how fast Networks start to grow in the level of belief and or face in a configuration is no longer that same level of faith and belief and I feel like you know what what we've tried to do in the history of the company is to expand that same level of of testing rigor If you WANNA call it that to everything that we do so you know now it's like hey my firewall words. Hey My ideas were take my host based protection words my next Gen a PT pro five thousand Blah Blah blow. Whatever okay does it work? Great like let's throw it if it actually worse and then they're like oh nothing's happening and you're like yes because it doesn't work well and it's it's interesting 'cause that's that we see. We see similar things going on last the last two or three years with the ransomware attacks all these companies and all these individuals You know I don't know how I don't know how you were but when the stuff started happening I kind of looked over at At my backup The drive hanging off my My Little Odongo here Like all right. It's time to test a couple of these more rigorously. I generally you know as of now so I used time machine for like I know that Kinda worked but like what about the other four and a half terabyte the photos and crap that I have. That are replaceable. You you just. Don't think these things are like. Oh yeah I can figured it. I've been I've been using it like this. Aj pair is out there. This is av this whatever. Widget security thing is out there. The vendor dashboards said it's working so it must be working right right. Right exactly yeah. The lights are blinking. We must be safe. I think that that is a but you know that's that is a. That is a lull far too many security leaders if I can call them that maybe security accidental leaders have fallen into where like you show up. Start telling them the like. That's great that the lights are blinking. 
But does it work? And they're like who is guy of course it works. I mean look. It says it works. It's been cold water on some of these some of these prospects and customers it is. It isn't at the same time I think there's there's a piece of realization which you know. Look you and I have been a Let's just call it barking force in the industry up real long time Trying to signal to people as we walk through the vendor floors snarling and barking at vendors. that that maybe it's maybe it's on them to prove that their stuff works and I think that you know a large part of the practitioners in our industry are now starting to get to that kind of Missouri mentality of like okay. It sounds cool but show me like show me that it works proved to me that every day twice a day nine times a day you can detect or protect against the same exact thing and if you can't then you know you know your stuff doesn't work you don't have. You don't need to sell it to me. I don't need to listen to your speeds and feeds speech anymore. I just want you to show me at works. Well that's I think that's the problem is there's there's a de for a long time. We kept saying well. We're pretty sure it works because you know when it doesn't work maybe we won't even notice and then people like you showed up. It's let me show you I. Can I can via a prescribed process even like when you guys brought up. The pizza is right even during that formalising. The let me show you if it works. Or not leveraging not just the the demo data that everybody else says because I kept when I was accelerate APSECT. You know what feels like a lifetime and a half ago we you would. You would have a mocked up site. Somebody designed so that the scanners sh found stuff like cool. But then you know. Oh you're running against a sites. Some guy built in his basement or some offshore team or onshore team or some Newbie or some advanced developer wrote. And you're like this I. We've never seen this before. 
I don't know how I'm GonNa if this is going to even do anything you like. Yeah but that's all of security and that's kind of what we're up against against creative people that have a lot of time have a lot of purpose and they're good at what they do right right absolutely and creativity it is it is. I think I think it's creativity and a lot of places and I think in in the rest. It's it's trying to get an idea of what? What is our measuring stick? And what are we really measuring against? Yeah and and how can we be consistent with it because I feel like for quite a long time? We really haven't even had a ruler. You know like there's just there's just people measuring arbitrary things with with the single access and everyone's using a different ruler in different stick in some people's ruler is You know a square inside of a newsletter printed by Gartner that somebody's spent the money for town and some people's measuring stick. Is You know. Oh we haven't been hacked but then you ask them. We'll have you had malware viruses. And they're like. Oh Yeah we've had that okay you haven't or have been hacked like no no no we've never been hacked. We have had some viruses here in there. And you're like I just want you to say that in the mirror a couple times to see how that works out you know until the other story that I I You've got you've told a couple of times is I think it was during a physical pen test And you guys were trying to get into a building and you ended up with a blow up doll that triggered a sensor that opened a door. Yeah the there's a bunch is you know it's funny. I guess when you're younger you always you always a little bit more Create create the right word Yeah you're a little more creative when you're trying to do these things you know now After after we figured out all these different ways that we could get. You know compress pieces of of Aerosol. That had enough density to to you know move a P. R. move a REC CENTER. To to kind of open from the inside. 
You know becomes a lot easier just like spray the magic dust under the door. And it's good. You don't have to expense a blow up doll and then walk into a Party. Time balloon store and try and get you know a balloon go into an aquarium store get like little fish tank wire see can then kind of lay piece all of those together put it in a backpack slip the balloon you know slip the balloon person Under the door and then try to feed it with you. Know the answer Larry. Little tiny pieces of Of THE HALF OR QUARTER KEG. Helium things But but yeah oh it was so funny and you know it's and it's always one of those doors where it just looks hilarious like you're in some weird movie because you know this little tiny door that has you know the Steel Mesh Wire and all that stuff and then all of a sudden you see this kind of little weird. Oh's shape face coming up the door and and oddly enough the we we actually had to do it twice which is part of a story that I really never told so. We had to do it twice so this thing floats up in front of the door right and it doesn't work and I'm like there's no way this isn't working. It's it's like it's face is right next to the REC center and In some work will must it must have heat so then we had to deflate it and deflate it and pull the thing back the door and try and like move it around so then we could get the head part back underneath the door but didn't lose all of the helium win it because we didn't have enough and so he gets a thing partially under the door and take one of those little. Hand warmers packets that you use like when you're out skiing or whatever yeah and like duct tape it to the head then boosted up with helium again and so now. It's this you know this. Blow up doll that has like duct taped heat pack. It's all over it's backup that's that is a TV show script at writes itself. I swear calamity of errors right in meantime. You know I'm I'm thinking to myself like all right you know. We've we've clearly pushed limit. 
We're going to get caught. Not Not even you know not realizing that the security guards were like out on security guard tour so we get through the store and as we get through the door and we're like picking up all this gear and we're just like we're like kids splayed out with stuff all over the ground and this person's coming around the corner and I have a blow up in arms and and it is not completed yet and one of the other guys is cleaning up a backpack full of stuff with the helium container and everything else sitting there and the and the guys like you guys are right and I'm like Oh yeah we're breaking into so and so's office we're GONNA play a joke on him and he's like he's like I can let you if you want and I was like no. I don't WanNa get you in trouble. And he just started laughing and walked away. Wow it was so funny and I'm just sitting there thinking like oh man I can't. I can't believe we're the stupid caught. Chicken help us out. He was going to open the office. We were going to get into that kind of goes back to the people. I want to be like this insecurity. The couple things principles you learn is human psychology. People WANT TO BE HELPFUL RIGHT. So it's like the if you ever want to get somebody's phone number. That's that's you know that they know that their peers. Whatever don't WanNa give out say oh his their number is Blah Blah Blah right. And they go. It's not it's actually right. It's like those things that they that you got me. I've I've sat through some of your some of your Stoxx and that some of the things you talk about and I think but that's human psychology that were never really going to fix people are going to want to be helpful. Because that's that's how we're wired. Yeah no I agree and I think you know not not to repair the every Reagan person you know trust but verify type thing right But but it's it's funny I I've been working a lot. 
You know after doing blended threat type stuff and red teaming stuff for such a long time trying to work with certain guards That are that are at that end up feeling like they're the victim of my attack even though they're they're just kind of a unfortunate kind of like unintended consequence of the fact. Yeah So so you know. It's it's one of those interesting things that I have. I have always tried to train those people in those situations to to be the first to talk because when I train people on the other side of doing social engineering or manipulating people and problems I always I always say go first right like the first person that goes owns the conversation. And so if if you're doing an SE GIG definitely engage somebody even if you don't think that that person engages you you know saying hello making yourself known starts to pretext you're definitely supposed to be there and and so you know. I when I work with some of these guards were doing guard tours and stuff like that. I try and do the same thing with them go. I like b-share you're the person who goes first and talk about things that are not about their You know why they're there. What are they doing or whatever else talk talk more about the Environment So you know if you're if you're XYZ person and you're walking through a back gate and there's a badge reader that pops up that says you know Darryl You know y'all down the hallway like warning Daryl and wait to see what the tone of the responses and and you know even if you have somebody who isn't part of the environment just yelling out a name. Hello Mr Mrs Xyz. And then they they kind of say hello back if that person says hello back doesn't correct you and say oh. I'm so whatever else you can immediately be like Whoa. I just made up a last name and that person just was cool with it. And so there's little pleasantries. 
Don't that don't make a situation confrontational that you end up getting to to kind of pick a little piece of knowledge out of it and then all of a sudden sort of move that to the next stage of the conversation whether it's through tonality or whether it's just the actual response that you get and those those are the types of things. I guess you know you pick up quickly And it's not just a good guys do a ride. The bad guys have been doing this for awhile. It's I mean we've all. We've we've definitely heard the stories of if you ever If you ever want to you know be led into a door. You're not supposed to be fill up all your hands with you know Two things of coffee and say. Hey I'm bringing these eight. I'm late can you? Can you give me a hand? I left my badge inside. Odds are somebody's GonNa let you in bright right. I mean God I I remember one of my Worst feelings in physical security testing was in upstate. New York it was like minus five million. I don't know what it was. It was minus something ridiculous and Eric Rolls. Up In this rental car drops me off and says hey man go get in that door. There's somebody walking by so I took my coat off and I'm outside in a T. shirt dying banging on the door and this guy comes over and he's like why are you outside without a house like my badge and my desk and he's like get inside and like like gave me the old like hug some going in and he's like are you all right. I'm like I am now right. That's pretty incredible. Meanwhile Eric's in the rental car and laughing hysterically. It's driving away But that's human nature. I mean look at so you've been around. You know enough to to kind of know the the the things that work over and over and we've been talking about that but we. I mean we've been doing this for a long time. Chris I mean it. It's probably twenty plus years right. Sorry what is different today that that hasn't wasn't present maybe even ten years ago like I guess I I keep asking people I asked i. 
Here's the basis for this. I saw Dan Geer a little while ago, about a year and a half ago. I'd had him on for episode one hundred. It's been a hot minute, but I saw him and said, hey, I'd love to have you back at some point, and asked him sort of what's changed, and he looks at me and goes, "My beard's longer." And I'm like, that's depressing, but that seems to be the answer that Infosec folks give us. So what have we done in the last ten, fifteen years? What have we fixed? What have we done better? Are you gonna give me glimmering rays of sunshine? You know what I feel, and I will just pretext it with "I feel," is that the information asymmetry that exists in our industry has not resolved itself, but it has lessened. And when I say that, right, I think of the thing that Akerlof won a Nobel prize on, on lemon markets, right? Yeah. And the thing about the lemon market is that you have this information asymmetry between the seller and the buyer, and it's the perfect description. I know Schneier called it out a couple of times, being like, that's the perfect description of the Infosec market, where the buyer has this really disproportionate level of knowledge, and the seller knows all this stuff about all these things and all these attacks and how it works and how the blinky lights stop the bad and all that other stuff. The buyer's like, I know there's bad stuff, so like, the blinky lights stop them, I'm cool with that, I just want it to stop. And I think at the very least, I can't say the only complimentary, but the most complimentary thing I can give to our industry is that in its youth it still is too young to be formal, and we don't have enough acumen and formality in how we do business and where we do business and what we do, but we are getting a little bit better at educating the consumer.
Yeah and I don't I don't feel that that information asymmetry is gone but I definitely feel that a customer from fifteen years ago to customers from today has a larger or more depth of base knowledge than than they used to before it was like. Hey do a pen test and I mean you know the the genus why we started writing tests was because someone said do a pen test and no one idiot. What the hell that. He met or more importantly everybody did their own thing. Yeah well there was like there's no. You could literally do anything like you. Here's a cup of coffee and they're like what's that it's like. Oh okay cool. Give me your pen. Click Click works like see later So so I think that those things are are happening more I by no means field that that has resolved itself or evolved to a point. Where Where we're Outta the woods of doing the training. I think that you know unlike medicine oil all these other practices. That have been around for you. Know the millennium plus You know we're now looking at at being able to start to educate the people start to be able to formalize what we're doing you know maybe even Maybe even get away from some of the fear tactics that we've been using to drive the industry so far and maybe maybe even divorced from from some of those things of Instead of making you scared when will make you hopeful and I think that that's one of the things that that we can learn from medicine over time in medicine for for just the longest time Really worked in this con- up the the FUDD that fear uncertainty and doubt that we have built our industry on and and an over even medicine over the last thirty years has changed to be a signal of hope and protection and resistance and resiliency and in durability and and health right like an that that's the place our market needs to go. But we're we're still real far away from that part. I think that that's but but I have seen some people actually get inspired by the progress Of security opposed to. 
Hey, find me more things that are red, find me more things that are bad, like tell me more about how you could destroy the thing, so then I can, you know, get more money to block fear with cash. I think there are some people really trying to lead the charge of "we don't need to scare you anymore; you need to be protected, and we're here to give you hope that that protection can happen." So that's, you know, what I have thought about that. But asymmetry has been a huge deal. I think some of that has been contributed to by the fact that... I didn't go to the last RSA, frankly, because I took a year off and decided to go on vacation for the first time in history, and I just didn't wanna be there. But like the year before, when they opened up the underpass between the two, Moscone East and West, like that filled with vendors. It seems like no matter how much space they open, more security vendors show up. Like this can't be... you know, you talk about information asymmetry, there is never going to be a tie to this. I think the problem is getting more broad. The volume is growing. Like you've got a million vendors, and it seems like there's more every other day that do just something slightly different. It's a weird world, man. And I think that part of those things is really the narratives, and I think that, you know, like a lot of what I tried to change when, you know, in twenty sixteen I started kind of preaching, you know, the work I was doing with MITRE at the time around ATT&CK, and being like, okay, let's find a baseline just to see if your stuff works. Yeah. And I think that, you know, even that is starting to find itself into the politicization of the security industry, where it's like, oh, it's a bingo card now, I can just show you that my stuff blocked all of ATT&CK, and they're like, that's not what it was supposed to be useful for.
It was supposed to be a a way for you to go through a workout regimen to determine if you felt good if you're sore if there was certain muscles that don't work the same as other muscles. Yeah and And I think that the more that we start to implement rigor in what we do. I think the more formalized our programs and practices get and I think that eventually what what that's going to do once we'd get more education out there to to consumer. I think that's gonNA eventually start thinning. The herd of while everyone can come out with a new product that similar or just a little bit different. I think that there's there's a lot of consolidation on the horizon once we start looking at You know how many of the big players by the fringes and how many of those fringes are going to survive. And I think that you know the venture vulture market of of California and in all of their you know quick. Get a minimum product to market so that we can get our series a funding. Everybody can by Ferrari's leave and then and then the only person that's left on the battlefield is the customer with a broken product and and you know and they're and they're left turning over their tool set without being able to learn their own home field advantage every two to three years because they're like well this company's gone out of business or they got pulled into another company that ditched their functionality. You know it's a that's an interesting point I've been I've been having this conversation lately. A lot more than I thought I would but years ago. If you would've asked me who we're going to be the ones you know left. When the dust of the of some I knew there was a consolidation coming. You could you just said it it. It's it's on. Its Way I think the this corona virus economic temporary economic shutdown is you know probably collapsed a lot more companies that were in that space where they've got an MVP and And they're going to try to sell that product a little bit than exit like. 
There's nobody buying that right now. Right, that whole space just evaporated. But look, we all thought McAfee, Symantec would be around forever. I mean, look what's going on there, right? Like, Symantec, holy hell. I don't know if you blame that on executive mismanagement, do you blame that on just the weakening of the roots based on the fact that there were a million piranhas, ankle biters out there? Like the space is almost the microcosm of this, right? The endpoint space, EDR, EPP, whatever you wanna call it. Because there's a hundred twenty, a hundred thirty different ways of doing endpoint security, and like the titans just couldn't hold their ground. I don't know, what's your thoughts? Yeah, you know, I think that, back to the silly asymmetry thing, you know, once you show that you are novel and new, there is a reasoning behind someone going, I'm now sick of this product not performing, so instead of trying to tune the product's performance or right size and right fit the product for all of the other things that you have in their stack, they just go, well, you know, Hydroxycut didn't make me skinny, maybe Hydroxycut Three will make me skinny. You know, and they're like, well, once you go to the gym and you're like, I think I'm gonna try Hydroxycut Three 'cause like it's new and somebody had a great infomercial about it, so we'll just put that in. And like, it's just this perpetuation of, you know, people kind of looking at a tooling panacea of doing the work for them, versus being the robotic force multiplier that they need in order to institutionalize their defensive program. Yeah, right. And I think that every single one of the players has the capability to tune their tools to work for the environment, but unless they are educating the customer that, hey, look, your tools need to be tuned, you know, like, okay, I get it, you have an extra large shirt.
If it's most people who are extra large but if you WanNa look real good you got tailor it and and I think that the more products that come into the market that have a pre tailored shirt like oh well. This shirt looks a little bit better. Slim cuts big cuts. That cuts wide-cut whatever. And they you know they didn't customize it much but they customize it just enough to make it optically different and then and then still. Those people will get replaced once again by the others. Who Do that just a little bit more? And then the teams that have understood that settling on a defensive plan in using their time to tune that plan to make it work throughout all of their environment. Those are the teams that are. GonNa make it all the other teams they're going to be are Su job hopping you know. You'll you'll see on their linked in profile that every year two years or another company. Yeah and and it's practitioner and consumer like. Yeah I it's you know it's funny. You brought us to kind a topic I wanted. I did want to chat. You're short on time but I wanted to talk about. Is this this? We've all been saying those of us that have been around for at least ten fifteen years of all been saying the rush to to buy as many tools as possible was was then met once. We realized that that wasn't going to solve. It was then that with a wave of trying to hire as many people as possible and then everybody complained that there aren't enough people to hire no kidding. You can't solve you. The million monkeys typewriters isn't going to work in INFOSEC. It's just not the way the world works right you can. You can't have a baby with by by having nine women A month right. It's just not just not how it works. So there's this there's this required mix of process that stitches together people in technology to make us efficient at doing the things that we necessarily need to do and then coupled with the right set of maybe Strategic provide year on the vendor side. 
I'm on the vendor side but I recently dedicated last five now going forward as well years on sort of in that like managed space. Where I'm looking at the mid market and looking at the lower end of the enterprise and saying a lot of these companies their best chance of defending themselves. Well is figuring out what they can do that. Strategic to their enterprise architecture and engineering stuff right work on protecting the company in a forward-looking manner and the op stuff that you just simply the ops rigor and the tooling and the process that takes billions of dollars to do. Maybe leave that to somebody. That's actually an expert. And I I mean cloud computing has made that even more difficult You know all these different types of Happened with you know When the MAC OS entered the enterprise in a in a real way than the IPADS and the iphones and all the other devices like crap we can't we can't manage all these things and suddenly like oh by the way also cloud and then also containerization and all the other different types of technologies and suddenly now Iot Iot in like the twenty ten thousand Person Company? That's got like three. It people have no chance of being effective at security on their own agree. Totally agree totally agree. I think you know the the companies that are in that space that are helping Watched the frontlines and and do things in the baseline I think are quite effective That's not to say they're perfect But you know when I when I look at the rise of companies like Red Canary. He and others that are that. Are you know taking care of the end point trying to deal with the triage of you know? Look at all alerts Do something you know. I think it's I think it's much better to to have some type of force multiplication to understand what's going on especially like the employee Where where that's that's where you just. 
You just need humans on keys to do that right you just there's no amount of our PA that you can put in out there without spending a jillion dollars which is just way outside of of what they can do financially That's going to get you to the point that you could get by having some of these other tools and other other organizations that have mass amounts of data that. Can that can hunt for something in your environment that they saw in a different environment. That even knowing that that's there like like that force multiplication I think is essential for even the mid market space. Where Yeah I mean God. How many how many companies have you gone into right there? There hundred million dollar companies and they have like one security person. Yeah like what what are you? What are you doing it like? I guess. You don't need to keep that money. But but they don't have the funding for it. You know so even even those companies. It's like you know at least get somebody watching the door and you know an arm your people if you got a one person shop arm them with an army of other people that they can leverage and uses a resource so then you're not alienating that person that person still able to learn skill up be there for the long term without going. Hey I've been trying to protect this hundred million dollars per company on on my own and and you know when you put those things into physical terms. You'll you'll never find somebody that says. Oh Hey I've got a hundred million dollars in cash in a warehouse. How many people do you think we need to protect that? They're like one one probably fine. No no that's that's that's ridiculous. You'd never know one in Earth would say that but but as soon as it becomes a non tangible and they go. Oh it's one hundred dollars but it's you know it's it's on the computers caretaking one still not going to work there. Yeah I don't know man. I I think the I think the future. I think the future sees US finding. 
I hope the future sees us finding a good balance, because we just can't keep whining and complaining there aren't enough people while trying to solve the security problem by everybody, you know, looking manually at logs, trying to manually do things. Even the open source space is incrementally helping, but I think the challenge, and I'd love to hear what you're thinking, but I think the challenge for the next five years is figuring out how to lessen dependence on people, increase the efficiency and efficacy of the tools that we have in place, stop trying to chase... like, I talked to an organization not three months ago, they had four different SIEM platforms. Okay, one for application intelligence, one for network intelligence, one for general analytics, and one for security. And they're like, well, they each do something a little bit different than the other. And I'm like, so you're ineffective at all of them now. It's terrible. And the reality is they don't do different things, right? Yeah, they absolutely do not do different things. So here's my prediction of this, of the solution. It's definitely not a "we're gonna get there right away" thing, but I'll call it ten years, right? In ten years, what I believe we will see, and at least this is a way to get to some of those solutions, is that as people start to learn more about security, they will eventually recognize that security is not even its own topic. Love it. Security is in fact a piece of the puzzle, and the puzzle is called performance. And when we start looking at security as one of the many metrics that we are measuring inside of performance of an organization, and we start saying, is my security tooling, or our Windows, or whatever else, is it performing, and at what level is it performing, and how do we grow up the same scale to understand that we have a mature measurement of the performance of security, right, subsection, subsections, subsection.
How do we get there? I think that one of the keys to getting there is kind of the thing that you just described. A log is a log is a log. A security log, a performance log, an error log, a crash log, all the logs, all of those things are just events. And I think that once teams start the transition from "security is its own thing, AppSec is its own thing, performance engineering is its own thing, DevOps is its own thing," blah blah blah, I don't care, all those things produce artifacts, all those artifacts need to go to the same place, and everyone who needs to be able to do analysis on artifacts needs to have access. Yeah, and then segmenting out that access for functionality, great, sure, you know, right, we need to be able to make sure people are seeing the things they need to see. But being able to look at security as a mechanism that is inside the measurement of performance, and then building and architecting programs that support that, I think is where the industry needs to go to survive. Because what we're gonna keep ending up bumping into is disparate systems. We're gonna go all the way down to, oh, I got this log, and even though my Splunk and my this and my Elastic and all these things are here and consolidating and talk to each other, well, this one's using different character sets, it isn't POSIX compliant, so now I have to rewrite that, and, you know, I have twenty pre-processors and it gets lost in the pre-processor when it's being translated over to something else. No, all that shit has to go away. We have to have a centralized place where every piece of telemetry that the entire environment runs exists, and then we need to be able to extract the information and extract the limited data from a single source. And I think that's the place that we need to go in order for us to evolve, but there's a lot of religion, there's a lot of voodoo.
There's a lot of stuff that has to kind of be dispelled in order for us to get to that place. Man, that's a good place to stop, because otherwise we're gonna run it, we're going to get this, we can do this all day. As I say, ten part series, man. It's good to hear your voice again, man. It's really good to talk to you, brother. I appreciate it. Well, best of luck, continue on what you're doing on your project and whatever else you're working on over there, and I hope you get out and catch some of that powder before it all melts away into summertime. I'm sitting here staring out my window right now. I may have to, you know, break my solo quarantine to get in my truck and drive off to a piece of the mountains that no one is in, you know, at least take a run or two. All right, man. Thanks for being on the show. Much love to you. It's good hearing your voice. Yeah, likewise. Folks, thanks for listening. That was Chris Nickerson, another episode of the Down the Security Rabbithole podcast, and Chris's Twitter account, do you check Twitter at all? Yup, @indi303, I N D I three oh three. So if you need a thing, wanna talk smack, have questions, he'll be around, and if you want the real story, Chris is the guy to ask. He is absolutely no BS. Right, all right. Thanks a lot, buddy. Thanks for listening, folks. We'll catch you guys another time, another place, on another riveting edition of the Down the Security Rabbithole podcast, and as they say back home, Www Zenia gummy regular baccini bass doubts, on another Down the Security Rabbithole episode. We'd like to encourage you to chat with our hosts and guests using the Twitter hashtag #DtSR. Please check out the show notes, catch up on episodes you may have missed, and subscribe so you don't miss a few. Our website is wh1t3rabbit dot net, W H one T three R A B B I T dot net. So, folks, good luck, we'll see you on another Down the Security Rabbithole podcast.

DtSR Episode 362 - Real Security is Hard

Down the Security Rabbithole Podcast

45:58 min | 1 year ago

"They say they say we should have known embed thus. Od Down D- down into this. Hi again, it's time to venture down the rabbit hole into the world of cyber security. You're plugged into the podcast for security leaders and practitioners with a business sense. Prepare for unique interviews, insights and practical advice that makes your job just a bit easier. And now please welcome your guides on this adventure, James Jardine and the White Rabbit. We're off. All right, good morning, good afternoon, good evening. Welcome down the security rabbit hole to yet another edition of the Down the Security Rabbithole podcast. This is Raf, riding solo today. James has got some thing or other, probably on an airplane, I know, James. But I am really excited. For all you guys, those of you who have listened a while, I've talked about this person. You know, I do this podcast, one, because I thought there was a void many, many years ago that I just needed to fill, the kind of an office-friendly, safe for work, learn something podcast on enterprise security, and two, just to have an excuse to sit down for an hour and talk to people I really wanna talk to, and sometimes I get lucky enough to do this twice and interview somebody that both has been a mentor and a good friend over the years. So on that note, back with the, we'll call it a redux of episode one oh two from July twenty first, two thousand fourteen, welcome back to the show, Mr. Jim Tiller. Thank you very much. It's really great to be back and it's good to hear your voice, man. It's been far too long and it's really good to be back on the show. I'm really looking forward to this. It's gonna be interesting. It's been a while. So you and I, we recorded that episode, I think we recorded, I published it literally a week after I joined Accuvant at the time, and you were still back at HP, and I had just moved on. Funny enough, back...
We're kind of back to that. Exactly, exactly. So I thought, as we were kind of prepping, folks, what we talk about on this show, if you go back in the show notes of episode one oh two, five years, what's changed, what hasn't. It's been five... what's changed, what hasn't. Complexity is camouflage for bad guys, Jim. I love that quote, and I'm going to ask if any of that has changed. We wanted to talk a little bit about the fundamentals, why we're still failing, and then we'll end with this, and I'm glad we didn't prep this, but where will security be as a discipline in ten years? I asked you that five years ago, so halfway down the line, we'll see what you're thinking now. So let's start with, first and foremost, you know, what do you do, man? It's been a while. I know, right? Well, you know, in many ways thanks to you I got connected with Optiv, right? I mean, with Accuvant and FishNet coming together, we had an opportunity to continue to work together for a bit, but still supporting services from an operations perspective. So it's been exciting. I know I just celebrated as of today, believe it or not, my four year anniversary with Optiv, so it's been interesting, and work continues to really focus on where things are going, and so it's been exciting. But personally, things are good, no complaints, just keep pounding away. But security is still very near and dear to me, doing it for a really long time, as you know, and I try to stay up with kind of what's going on and get a chance to talk to customers and people out there in the field, and it's been a lot of fun to watch all this evolve, or not evolve depending on your perspective, again over the last couple of decades if you will, but it definitely stays interesting. It keeps you, may not keep you awake, hopefully it doesn't keep you awake at night, but it's...
It's been a lot of fun so these very good Jim. I tell you what when I when I first met you many many many years ago you joined. HP and I was like Holy Crap. We've got one. What are the guys from ages ago joining us back and coming back to a joining joining. HP has like this is so awesome people like you have heard that name before several have you seen. Have you looked at the bookshelf behind you 'cause there's there's about that at least ten bucks up there that guy that talking to has managed the right like when we talk about the the the folks that built this industry the your name is one of the first ten that's gotta get mentioned. You probably want to like the quiet. You don't sell promote a a lot and you know which makes you completely unlike everybody else in this a so really so. It just warns me here. You say that be you know I I really appreciate it man. I I guess I don't know myself enough but I really appreciate you saying that means a real lot to me your book so I mean I D- Did I always liked to I. I always liked to stock a bookshelf with stuff. That's that was relevant when I got into this twenty some odd years ago and and may still be relevant now but so it's it's. It's been a long time since we got into security. So what do you think has changed in the last health that we last talked five years ago. I it's been just over or five years like what has changed. I you know I think you know I think some of the more obvious ones. I guess you know by seizes. we're still fighting sort of the vulnerability piece the whole concept of technology. It's always ebbing and flowing right when I first got into securities very technology based doing pen testing testing then it starts getting into compliance then we start to my risk that became heavily loaded. There's like well. 
How do we deal with the vulnerabilities and then it was was threats and you see this sort of cyclic approaches which is up and down back and forth to how securities meandering through all these challenges threats become more effective impactful and we just keep fighting him off and you see his evolution ocean of technology? I would say the really the the one thing that's always stood out to me is when I got into it. There were like five security solutions at best right. I mean firewalls firewalls. Were you know you're still shoving floppies into CISCO GEAR now. You can't throw a stone without bouncing seventeen security vendors. I mean there is getting dozens and dozens of technology solutions that are solving very more and more unique problems and more and more of a finite spectrum of capability and the adept is getting deeper while it's getting a little bit more narrow more focus and I think that's pretty cool however there's a huge byproduct of that and it's something that we've lived with. I'll take quick story. I remember when ideas I came out and everybody's like oh my gosh what is this thing right up Graham and so people would buy hi these boxes and just flip them on and turn on all the signatures and there were wondering why now I got to hire somebody to keep this thing kind of you know making sense. They were still double dealing with that same dynamic. We keep throwing technologies solutions. Excuse me throwing technology problems. Thing is going to solve that problem. It doesn't don't realize that you know it can help you solve problems but it still takes an army surrounded around that with other technology other humans and other capabilities applications that make it all kind of come together in so as more and more technology comes out or fighting more and more with how we overlap them same concept that that's indep still plays so. I think if I was a one the thing is was really changes. Is that the the problems. Come a little bit harder. 
The threats have come more impactful but at the same time the technology all G has made it more complex. I mean everything is just the complexity is just exploded especially. I would say over the last you know five ten years. I think that plays will the complexities of camouflage for just a second but before we do that I I've said this a couple of times recently and I think it bears repeating so I wanna get your opinion on it because if anybody would get you would when you look at the security solution space and you alluded to the fact that now there's were solving kind of more niche more complex complex problems so there would there narrower deeper. I said this a while ago and it was the gentleman has said it was not popular because he was what he was head this founder of one of these companies but I basically said we've got an economy right now insecurity of features they're not in full. They're not products. They're just features like a company. See it's founded based on this feature that nobody else has an rather than they try to make a in an effort to I mean I guess that's the right way to do it right effort to try to make it go mainstream green. They build a product around it and suddenly rather than I mean what I would think the right thing to do would be integrated into some bigger platform. I'm just crazy here but what is happening is this is how you get your complexity right. You end up with a thing that solves one use case and you have that one one use case of a problem in your organization so you buy a tool that solves this one use case and you buy another tool. It's another use case and you got thirty seven tools that solve thirty-seven use cases which covers about ten percent of your security problem and then you add and multiply and divide here and suddenly it's. It's that complexity problem. Title Are you are you are you. Do you agree that. We've got features running them up muck. 
Yeah, I absolutely, totally agree, and I think there's actually a couple of things that contribute to that, and I think one of the main ones is, let's be honest, the investment community, right? So if I see a niche nobody's dealing with, as a smart guy or gal I can go out, build a company, program and build a solution, go sell it to customers, but really what I'm trying to do is retire. So you're trying to get this company acquired, because there's just so much absorption within the market. You know, I remember times when you'd see headlines, right, in the security space: real big, giant moves. Right now it's just like popcorn, boom boom boom boom, and people are acquiring these capabilities, these features. Some of those features are popping up because of the economics around that, people setting themselves up for acquisition or things of that nature, because they're small and they're niche in that kind of space. What's also happening is not all of them are getting acquired, right? So then that means you have this sort of explosion of people trying to be entrepreneurial and, you know, changing jobs and looking and saying, well, you know,
I think I know how to do this better, and so we get this influx of, in some cases, a lot of really cool stuff, right, but it just doesn't have a home. But there are companies out there that say that's a meaningful, like you say, feature, and they acquire it, they purchase it, right? And if you go to any RSA or Black Hat or whatever, you know, there's these huge rooms full of all these folks, right? There is more than I could conceivably understand with my tiny little brain. Yeah, totally, right. And so the net effect is that you have this situation with customers out there trying to solve very complex problems, and they have all this really cool technology out there, and so they find, either through third party consulting or through their own processes, they're trying to bind these together and make sense of it all, and then that actually adds more acquisition of other data, other solutions to bind together, you know, and so it's creating this interesting technology economy, if you will, on both sides: on the one side, through people selling and building capabilities and these features as independent products that we're forced to try to tie together, and on the flip side you have the commercial aspects and the investor community, understandably so, trying to make the most out of, you know, what's the next pony in this race, I want in on it. A very interesting dynamic. Well, and an unpopular opinion, but this is kind of how we got where we are. It seems like most of those employed by our industry are actually trying to solve the greater problem. They're just trying to get rich so they can retire, as you put it, right? So it makes it very difficult, as an end user and consumer of the security product space and services space, to really solve anything, because the tools one-up each other, one gets bought, one goes away. There's a hundred plus endpoint security tools, EP... LOL,
OMG. And you're like, I don't, you know, you're a security leader at a mid-size enterprise, it's an entirely different animal than a large enterprise, but in a mid-sized company, which is kind of the widest breadth of surface area in terms of security problems, you have a full-time job trying to figure out what tools are out there, much less how to operate them, keep them operationalized, which is where the difficult part is, and that's where you spend a lot of your expertise. And come back to that: complexity is the camouflage for bad guys, right? As a company's security director, VP of security, whatever your job title is, you've got so many: one, you have to understand the problems you're trying to solve, so like mentally create a threat model of the organization, which, mind you, very few people actually know how to do or even bother with, right? And then you've got this patchwork quilt of technologies and open source and closed source and commercial and services and partners and this and that, and it creates insane levels of complexity. How has that evolved over the last couple of years? It's gotten worse. Agreed, it's gotten a lot worse. I'm trying to find a way to articulate this correctly, but think about this: there are so many options out there that each CISO, for example, whatever, insert letters here, whoever is responsible, they have their own views of security, their own business challenges, they're unique in their own right. So we have an avalanche of standards and compliance requirements, and also they want to accomplish something, and then they go to RSA or, pick your poison, and they say, this technology, wow, that does exactly what I want, right? I need that, it plugs that hole, right? Because now there's a full menu of options out there, and then you pack on top of that some really big solutions that are entirely effective, you know, the real monsters,
the SailPoints or CyberArks, for example. They're not inexpensive. They're highly effective, but they take a long time to implement, and you get the most out of them when you deeply integrate them into your environment, as an example. I think those are great products, obviously. But so you have this, on one hand, a bunch of small, very capable tools that are affordable, that solve that pinhole, and then on the other end you have these very complex solutions, and you're trying to find out which one of these fits best, and ironically you're left now with all these different tools that put all these pinholes together, but you still can't connect the dots in keeping up with the threat. And you said something very insightful about, you know, the comment about, are people really taking a look at a threat model, and I'll wrap this in a more, probably more unpleasant statement: if you look at the most highly attacked CVE vulnerabilities, kind of thing, they're from 2016 and 2017, right? They are. And then I will tell you, we've all done our research, right? You know, we've been around for a while, so we've seen all the hacks, right, the really gnarly ones, the ones that caused a lot of problems, the ones that resulted in millions or billions in fraudulent activities all over the world. It kind of comes down to the same old stuff: bad passwords or somebody clicking on a link they really shouldn't. And so it's kind of interesting, we're trying to fight this off and it has become like its own noise,
when in fact there are still some very fundamental things that we struggle with as an industry. And we're seeing progression, we're seeing more and more people buy into multi-factor and doing these types of things with password management, but we still have these old problems that keep surfacing, and what we're really trying to tackle is the next new thing that's going to help close that pinhole, or what's the next big, giant technology I'm going to hook my trailer to, that the board says is going to solve these problems. It is an unenviable task. It is insurmountable in many ways. You have so much pressure from within, so much pressure from above, you've got market pressure, opinions of other people, you have all these technologies and they're going to solve world hunger, and you've got to find a way to stitch it together, and it's a difficult time to be in cybersecurity, more so than ever it has been. Yeah, no, I'm totally with you, and you know, you and I have both been on the provider side for quite some time now, but I've also sat on the other side of that table for a while, and I make a conscious effort to avoid some of those terrible mistakes, those unforgivable sins of, I can solve every problem you have, or, here, I don't need to hear you tell me what your problems are, I already know. Every organization is just unique enough, and I think that's the problem. Maybe we just struggle with complexity, so we falsely label, or maybe mentally make that swap, because it's easier to admit that our organizations are too complex for us to simply handle versus the adversaries are just that much more difficult. As you put it, it's not that they're wasting a zero day for every attack. They're not. It's really a lot of the same old, same old. It's stuff that we haven't gotten to, but in the large
enterprises, right, the large breaches that have happened, where the processes are there but simply somebody makes a mistake, a mental mistake, a miscalculation on spreadsheets, missed patching a host. All the good intentions are there and you miss something, and boom, you end up on the news in a catastrophic breach, and you're like, but we did everything, we did our best, we literally did the best we could and we simply missed one. And, you know, somebody said this to me a number of years ago, and I keep using it, and I'll keep attributing it to him, because it makes so much sense: say you've got nine critical SQL injection vulnerabilities on your website and you patch eight of them. How much more secure are you? Like, if you do the math, the math tells you one thing, but if you've been in security long enough, you go, not zero, actually zero against a targeted attack. And the answer is really, it depends, because one of the things that we do a good job of in the day job here is we classify the types of attackers and try to make that clear to customers, internal and external, that you've got three types of attackers, the A, B and C leagues, right? The C leaguers, well, that's the bored kids. That's kind of where the world started when we were getting into this industry. It's the kids home on spring break, they're going to mess around for a while, impress their friends or try to mine some big corner, whatever they're going to do, no big deal. They're not trying to rule the world. The B leaguers are like, all right, I know some things, I can write some custom code if I have to, I'll be a little bit persistent, but I'm not going to jail for this stuff, right? And the A leaguers are not going to be deterred. I mean, they're not going to look at a problem and say, oh, they've patched, I want to move on to the next company. Like, I need that document from that guy's personal laptop. It doesn't matter what it takes,
I will get there. And so the first ones you can stop, the second ones you can detect, the third ones, like, well, yeah, I mean if the federal government can't stop them, the best organizations in the world can't stop them, then maybe it's not about stopping them. Maybe it's trying to minimize the damage. That's kind of where I think security has gotten to: we have to figure out who we're playing against across the table, right? And that's why I bring it back to threat modeling, because you have to know, at least have a reasonable idea of what kind of business you're in, what processes can or cannot be affected, who's coming after them, to go, all right, now I've got an idea of what kind of strategy to employ. So I one million percent agree with you, and I'm very curious to see if this came up in the original episode from five years ago, but one thing I suggested, probably around seven, eight, ten years ago, was that the entire concept of security would move into the philosophy of fraud, because it would become less about stopping, for the exact reason you just mentioned: you can only plug so many holes and it's just a matter of dealing with it at that point. Yeah, right. And we've actually seen this, not to kind of stay in the sort of market arc of the world, but we've seen organizations that got hacked ten years ago and their stock would just plummet, right, and it used to be the big thud component. Right now they get hammered and it's not even a blip on the radar, and so what's happening is that the world's become softened to it a little bit. And I suggested years ago that it would move into sort of an incident response mantra. You remember we had this conversation back at HP, that's like eight years ago. We would talk about stuff a long time ago, and even back when you go back to 2001 when I was working at Lucent Bell Labs, this was what we talked about a lot.
It was the whole concept of the ability to detect and take automated action on it, right, and to sort of get ahead of the hack, or get involved with the hack as it's happening, at least minimize damage and find ways, as quickly as you can, to create a more resilient environment, which, by the way, that whole posture got adopted by IBM and the big mainframe stuff. So then I think that's an extreme version, but I used to also say security is the balance between threats and your assets. If you don't have assets, then the threats don't matter, because they're not a threat to assets, and vice versa, if you will. But the net-net of it is that we spend a lot of time on the technology we're facing, whatever, but we really have to embrace and understand the assets, really get a hold of it, and that's become extremely difficult, like bordering on impossible, and then the threats become very dynamic in their own way, and so that's what's creating this interesting set of complexity. And so it kind of makes you wonder how far these two pillars will reach off into the horizon, to the point where there is no way to stitch the environment between them together, to make a truly defendable position against them to protect your assets, because your assets are all over the world, or they may be in the cloud and stuff. That's becoming incredibly blurry. Well, so you mentioned the cloud, and I was going to take it in this direction too. I was going to bring this to you and go, okay, so for the assets: if I know the amount of assets, there's ten of them, I can protect them pretty damn well. I can make sure they're patched, I can make sure they're well monitored. But the more assets, all the unknown ones, that's what the attacker is after. So the attacker against known assets generally has to be, in my opinion, pretty damn clever to get past me and not be detected. The type of attacker that can get past me on assets I have no idea exist,
i.e. assets in the cloud, for example, right? When you've got credit card, DevOps kind of mentalities out there, right, suddenly you've got VMs being stood up with potentially customers' sensitive information, potentially sensitive business processes, and you have no idea that they exist. The type of attacker that can be effective against those is almost a C leaguer, as opposed to the nation state actor, because frankly, if you don't know it exists, what's the security posture on it? You have no idea. Odds are it's zero or damn near close, right? That's exactly right, and so actually I'm not even sure how to add to your point, it was perfectly stated. The more you understand your environment, the more that you can begin to build controls in places that can minimize that sort of, oh, this other server over here in some back room kind of thing, or a VM that just got stood up, right, to your point. And the thing is, if somebody can just sort of scan all the time and kind of begin to look around, you just become a target of opportunity, and so therefore anybody can hack in with pretty much off-the-shelf tools. I mean, we have a lot of things out there that can take somebody and quickly make them effective. I did a little experiment, this is admittedly maybe about four years ago, five years ago. I was working with a group and I was trying to demonstrate exactly the point I'm trying to make, so my son at the time, he was fourteen or something, not a huge technologist, and I sat him down, taught him the tool in about thirty minutes, we went together through this thing, put everything on a USB stick, and I said, okay, let's go plug it in. He booted off of it and started using applications off of it, and before you knew it we had control and could see everybody's wireless traffic, and I didn't touch the computer once.
At all. And the point I was trying to make to the people in the room was, this is what you're dealing with: you're dealing with a really progressive set of tools, and this is a long time ago. Now it's crazier. So your point about not knowing what's out there, that problem has increased exponentially, right, you know, and then simultaneously the C leaguers are actually becoming pretty capable simply because of the tools. And Donn Parker years ago, back in, I want to say, Donn Parker, Fighting Cyber Crime, I think he published that in the early nineties, and he wrote about all this, about how one day there'll be tools, kind of thing, and boy, he nailed it. So the cost of entry is quite low, very, very low, because of the tools, you know, and you think about the other side of that equation, the cost of defense. I mean, how expensive is it to hire talent in this industry, never mind trying to find them? Well, it's the classic: you have to defend every potential problem, hacking only has to find one. That formula has not changed in the history of security at all. You know, it goes back to war in ancient times, if you will. But the fact of the matter is, because, and not just because of the threat, I would say that security's become extremely popular, a popular career. There's a lot of people that talk about it, a lot of people need it, there's a push in that direction, and that's healthy.
It's good because the outcome hopefully is we have better security, but the fact of the matter is it takes a long time in some cases to really understand the technology and be effective. So those particular people that are able to help stitch that together are few and far between, quite frankly, but that doesn't mean that there isn't a slew of people out there getting certifications, getting exposed to these technologies, getting exposed to places like the companies we work at that help develop them professionally, and these are all things that are a very positive direction. But there is a gap, and it's not necessarily because the threats are getting better, even though that is true. It's just because the stakes are higher. The stakes are much higher with regards to data, the impacts of that, and the fact that it's everywhere. So helping to corral that, and to a point like you said earlier, if I knew I had these ten assets I'd be pretty strong. The fact of the matter is, your analogy of something just popping up and then getting attacked, which means it lowers, or increases, the potential for being attacked, yeah, that is the reality of today. That was not the case, well, you know, fifteen years ago. In order to stand up a vulnerable server on the Internet, you had to go buy the hardware from Compaq or HP or Dell or IBM, from somewhere, physically install it, mount it into a rack. That took time, even to do it wrong. People would know about the fact that there's a new server in the rack and go, what's weird? And suddenly, you know, if you had a good or even a mediocre security team or a mediocre networking team, you'd have to allocate a public IP address, which meant if you had decent processes, somebody in security would go, hey, wait a minute, what does that thing do? Right now I can literally take a corporate card and go stand up ten thousand Amazon or Azure instances in seconds without asking anybody's permission. Now, it's done wonders for business agility,
let me be clear, yeah, that has done amazing things for companies being competitive and getting prototypes to market and all this stuff, right. That has not done security any favors, and even though a lot of these public cloud providers are building security, I guess, natively into the tool sets, the capabilities, into the environment, if you don't know it's there as the end user, and you don't understand how to use it, it doesn't matter that it's there. It's true, and moreover, those security controls that are being developed in those cloud scenarios that you just described can be somewhat complex. You have to really understand them. It's not like configuring a firewall like in the old days, when you became an expert when you, yeah, exactly, rule zero. And to be able to really get a handle on these cloud environments and make it as effective, or at least more effective, than your internal security posture, that's not an insignificant challenge. And it's interesting you mention this, because I remember when it first came out and companies would load up these websites so that they would allow people to set up servers, and I remember working with one particular client, and I think within a month they had something like thirty thousand servers in their entire army, completely out of control, everything everywhere, and I was like, well, how many did you have before you rolled this out? Like, maybe, you know, a thousand. Like,
whoa, we are changing things, and it still exists to this day, but you're putting it within the context of the cloud, which is the future of all this no matter what, and it is not insignificant. And I know there's a lot of vendors out there that are building really compelling solutions to drive out that cloud security, but it's becoming intensely complex, so that even further increases the gap of available people that help us deal with that, right? Yeah, well, and that kind of brings me back to that point of, you know, you do a lot of consulting as well, you're out there in the field quite a bit. I thought, probably, when I recorded episode one, and probably significantly before that, if you look at the summit talks I gave back when I worked for you and even before, a lot of my platform was, you can't protect what you don't know, and if you don't know it, then it's time to go figure it out before you try to secure it, right? So I became a big fan of ITIL, discovery and process, and I didn't make any friends in security as a result, because it was all about, well, you know, we're just going to go secure it, and it's like, time out, you know, like change management is an important thing. I think being agile and being able to move on the fly is all great, but proper change control, asset discovery and asset registries, all these, they are not sexy, they do not come with awesome press releases and Black Hat talks, but if you can't do them, you can't get a handle on them, none of the other crap you do matters from a defensive or offensive perspective. It just doesn't. Now, I was actually going to, I'm glad you brought this up, because I was going to tie back to this and our earlier conversation about, you know, people out there trying to deal with the latest security technology and stuff. There's kind of a subconscious, subliminal thing that's happening here, and that is simply because to really be secure,
it's actually really boring work, and you have to do all the blocking and tackling. You have to go through and make sure that on a regular basis you're investigating the conditions of your controls, the conditions of your systems, you know, and I think still to this day, I mean, how much do we still talk about patch management? People are like, you've got to patch your systems, which is very true, right, but we also know that not doing so just completely opens yourself up to all kinds of things. And so the net-net of it is, the fact of the matter is that it's not fun. And you see a lot of people on pen testing and doing really cool stuff, all right, but I would bet that the companies out there that are off the radar, that are getting attacked but those attacks aren't successful, I guarantee you there's people in there just pounding away every day, making sure those firewalls aren't changed. Or, I used to be a big DIACAP guy, I thought that was really cool with compartmentalization, that eventually gave way to, you know, 800-53 philosophies, which is great, and those special publications, the entire series, which have been around seemingly forever. You go back to the very early versions and, yeah, you just do what they say and you're going to be in pretty good shape right out of the gate. My granddad could do it. You still need technology, I mean, he's still not dealing with all the problems, but what happens is you're kind of raising the tide, right?
You're bringing all the things up to a particular level, and what that does is it minimizes these huge gaps in your environment, or the potential for them to surface, to your point earlier about, you know, throwing up a VM server, or even in the cloud, kind of thing. But you know, of course, businesses want that fast reaction, that time to market is critical for all the reasons we know, which is also one of the enemies, if you will, of security. But we have to find a way. It's not just being in the boardroom, and I know that's a big deal, we have that exposure, and I think we've got to that point in many cases, right, but what it really comes down to is helping collaborate very tightly with the business and creating a balance where you're saying yes, but they understand that evolution, right? And we've seen that be successful in different parts, like DevOps is a direct outcome of those activities in the development of software, which didn't exist five, six, ten years ago. Now it seems to be very common. That building a relationship with the business, so you're not saying no, but you're not just saying yes and checking a box, it's helping them achieve that objective but doing so in a methodical way: the change management you talked about, the ITIL, the discovery, making sure you're going through these steps, and importantly, to that, maybe I'll be so bold to say, is the wrapper of governance. It's that process, so you're constantly interrogating the act of doing those things and always looking for opportunities for improvement, which gets us into the capability maturity model philosophies. These things I believe are very foundational, but they don't have little blinky lights and there's no fancy dashboards, so it's hard to get people excited about doing that kind of stuff. Well, on the topic of checking the box, there's a debate that every once in a while pops up, every time a major breach happens.
Somebody mentions, well, you know, obviously the security of the enterprise space can't regulate itself in terms of what the baseline is for security, so maybe it's time for the government to step in, and I have the same reaction every time: no, absolutely not. Well, but you think about how the unfortunate fact is we aren't doing a very good job of self policing. So when you look at it, ten years ago, maybe even, we all laughed because, oh, okay, just check the boxes, like it's fairly comprehensive now, and I would argue in an average organization, if you're following PCI, if you're following the NIST CSF and some of the, you know, and in the spirit of it, not just the letter of it, sometimes there's a major difference there, but I would argue that actually you're probably doing pretty damn good, right? I don't disagree. I remember when PCI was still CISP, right, it was just Visa and MasterCard's program. So, but I will point out the obvious: that's not really government, right? That was the industry getting hold of itself, right? I think that's where it is. I mean, but again, I'm old and cranky, right, so I was around when GLBA, HIPAA and all that kind of stuff came in, and it was just like, oh. And so now, you know, HIPAA, I mean, would you say the same thing about HIPAA? Do you feel like our healthcare system is more secure now that we're twenty years post HIPAA, right? And I'm not sure the answer's yes, right, right, either. I think it's forcing the conversation, though, which is good, at a risk officer level. That's not information security, it's not enterprise security. So what those regs do is they force somebody in a position that's not a techie to go, hey, this could adversely impact our business. Hey, CISO, do we have to? It also says we should. Like, what's a CISO? That's a really good point.
That's a really, really good point, and you're absolutely right. I think one could argue security was taken seriously because of the impacts, but I think when you put dollars around it and then you put requirements that the government says, look, you have to deal with this, it creates a different rhythm, and so you start, okay, well, now we really need to look at it as governance. So, but, your point, I guess the point being, will government regulation make security better? That I have a hard time with. But having government insist that you achieve these certain levels of capability, and in doing so, you know, instill those, or do these types of fundamentals, do a risk assessment, which, you know, we have things like special publications that tell us very good ways of doing these things, that I absolutely agree with. I never really thought of it in that direction, because I always kind of, like, I've been around Sean too much. This is how I know Sean is because my thinking immediately has gone from, will you do better security, to, the reason I think government regulation is not the answer but it is a nudge in the right direction is, it creates potentially laws, and laws can be our basis for taking a company to court, and taking a company to court sets court precedent, and then there's like ugly things that can happen if you get taken to court and found, you know, negligent, right? There's very serious things that can happen. You know, a company could lose its ability to process customer data. Hell, you could get your business license revoked. I guess your executives could conceivably be punished, in terms of, you know, go to jail, fines, loss of, you know, governance checks. It's more than just, because, oh, you want to believe as the consumer that you have the power to say that company didn't take my privacy and data security seriously,
I'm not going to buy from them, but then you go, oh yeah, but the alternatives suck, dammit, I'm stuck, right? But if the consumer, we want to believe in a capitalist system that the consumer has the power, because the world has changed over the last fifteen years. Like, I dare you not to buy from Amazon anymore. Boy, you know me all too well. I mean, I've got a delivery scheduled for tomorrow afternoon, I get one every day, so the little brown boxes, it's ridiculous, the UPS guy. But that's the net of it. I joked about this, but when the Target breach happened, literally the new credit card showed up, like, aw man, Target got breached, and people are like, are you going to stop going to Target? No, in fact, I'm on my way to go pick up diapers right now. Yeah, you know, because they're a mile and a half from the house and it's eleven fifteen at night and everything else is closed, and the Walmart's an additional two miles, and the other places, the around-the-clock pharmacies, are twice as much, so I'm going to the place that I always go to. When the credit card is easily interchangeable, well, I mean, you can't go back and redo your medical records, your credit history, thank you so much, but stuff like that, I feel completely powerless against that as a consumer. So we've already touched on this: the industry becomes, the consumer becomes apathetic and goes, well, just add this one. I'm hoping that my information's been stolen enough times that I've just become not interesting. My credit profile's not interesting to somebody trying to defraud, and that's kind of what my defense is, like, have, you know, not rockstar credit. And you're right, I don't know, but I think that's going to continue to evolve. I think that's, for the next time we do this, in another year or so,
Maybe, maybe less than five years, but that might be the next topic of conversation. So I think I've never actually... I mean, I have, but I've been, admittedly, sort of anti that. But while you were talking I'm thinking, why am I like that? And I think what it comes down to is, this is gonna sound really terrible, but for me it's like, these problems are so obvious, right? Why do we need government to say, here it is? But when you said making laws, it made me really think about some of the laws in the UK and the formation of organizations that exist specifically to make sure those laws are intact, right? So we see things like that, and that kind of stuff, which isn't a law, but it is sort of something with teeth, right? And what you're suggesting is having these laws may hold companies accountable, right? And you're right. I think there is something to be said for that. I think we're probably going to see a lot surface, especially with the advent of GDPR, and then what we're seeing kind of surfacing in California now and other states. Maybe that begins to drive certain law structures that really focus on the data, right? And so it kind of gets back to, yeah, the outcome or the personal effects of what happened with something like Target. I think that's a sound argument. Maybe I need to get out of my old man chair a little bit. I've always been against government involvement. Well, put your bourbon and cigar down for a second, right? Exactly, exactly, that is absolutely correct. We have run out of time, and I think we're just slightly over, but it has been forty two minutes of my pleasure, as always. I really appreciate it, Raf. I really do. I really enjoy it. I hope we can get a chance to do this again in the near future, but it's always a sincere pleasure. It's been great.
I'm bringing the mic over to your place and we're going to do beers and whisky and cigars on your back porch there. That'll be a much better venue than over the Internet. Absolutely. All right, buddy, awesome. Folks, thanks for listening. This has been episode three hundred sixty two of the Down the Security Rabbit Hole podcast with Mr. Jim Tiller, real underscore security on Twitter, and yeah, the guy who wrote half the books on your shelf behind you there, if you've been around the industry long enough. So big thanks to Jim for the time here, and folks, like I said, if you've got questions or comments, feel free, read the damn show notes. That's why I post them. Sometimes I'll leave Easter eggs for you to find. But it has been awesome. Thanks for listening. Jim, once again, thanks for being on the show, buddy. We'll see you next time. Thank you, take care. All right, folks, thanks for listening. We'll see you another place, another time, on another Down the Security Rabbit Hole podcast. That is, we've faded out on another Down the Security Rabbit Hole episode. We'd like to encourage you to chat with our hosts and guests using the Twitter hashtag pound D. T. S. Please check out the show notes on any episode you missed and subscribe. Don't miss our website: white rabbit dot net, wait, one two three R V. I c dot net. So on behalf of reporter genes good bucks, we'll see you soon on another Down the Security podcast. Yeah.