
Cybersecurity Today: The Month in Review - Key Stories and Insights

Episode Transcript

Cybersecurity Today would like to thank Meter for their support in bringing you this podcast.

Meter delivers a complete networking stack, wired, wireless, and cellular in one integrated solution.

It's built for performance and scale.

You can find them at meter.com/cst.

Welcome to Cybersecurity Today, the Month in Review. It seems like only yesterday we did an update in mid-December, and then the holidays came and we were theoretically off for the holidays, but we had to come back to do updates because of all of the things that were happening during the holidays.

Now, boohoo for us, for those of you who were out there stuck working because of this and saying to yourself, it's only once a year, Mr. Scrooge, we're sorry.

And I hope you got some rest.

And we're all now back to work and we want to take a look at the key stories and the events from, believe it or not, the past three weeks, close to a month, although it feels like much more.

We have our panel.

We have Tammy Harper from Flare.

Welcome, Tammy.

Hello.

Thank you for having me.

Laura Payne from White Tuque. Welcome, Laura.

Thanks, Jim.

I'm just glad to be here.

And the new mascot for White Tuque, Mr.... no, the, our, our Monday morning host and the CEO of Beauceron Security and, um, looking really good there.

David Shipley, welcome.

I, uh, yeah, thank you so much.

I, I, Santa found me and I got some amazing White Tuque, uh, merch, and our IT team, like IT teams everywhere, loves merch.

So the t-shirts and hats went over really well.

So thank you so much to Laura and Rob and the entire crew.

You, I think this is an industry thing though, right?

People, I don't know what it is.

Like you put stuff out and people just gotta grab this merch stuff.

My, my wife saw all this stuff come up and said, why do these people send you these things?

I'm going, because it's cool.

It's cool.

It's not just cool.

It's practical.

Yeah.

Yeah.

The, I do admire the, the Beauceron cap will only be really good in the summer when I'm trying to keep from getting sunstroke cutting the lawn.

But yeah.

So I've got all the seasons covered.

And you'll notice, for those of you who are watching this on YouTube, I got some Christmas gifts myself.

I got a new plaid shirt in a different color.

So men in plaid continue.

But there you go.

I guess we should get to work.

Okay.

Let's start with the first story.

David, this is the one that you actually came back in.

We had to do a new episode on this.

This was your Christmas gift to me, was being able to edit the program.

I'm not blaming it on you, but do you want to go for the MongoDB story?

Yeah.

So MongoBleed, which is a vulnerability in almost a decade's worth of MongoDB instances, that was appropriately named because of some of the similarities to the workings of CitrixBleed and other things, with respect to the ability to gather from memory potential secrets from a MongoDB database, credentials, API keys, et cetera, and query them at an almost RCE-level vulnerability.

So I think it scored an 8.7 on the CVSS, so bad.

Now, this vulnerability was disclosed on December 15th. What made it particularly problematic and newsworthy for our discussion was on December 25th, a researcher for Elastic Security released POC code to demonstrate this exploit.

And then things went bananas, the number of exploits, ramped, and all of a sudden you've got a high severity vulnerability in a database system that's used massively, and particularly in cloud deployments in many different ways, at the most sort of downtime, in at least the western, world in terms of the holiday sequencing.

So it was a perfect storm.

And it raised some really interesting questions in my mind about responsible disclosure and, what this means and what really stood out for me from this story.

And I've spent a bit more time now paying attention to Reddit, and I understand that Reddit's, like most social media, an anger factory, but there were a lot of big feelings between IT teams and security researchers over this move.

And I got a much clearer sense for... we have a growing fracture in the relationship between the people responsible for cleaning up things and the people responsible for finding things.

And I think that's gonna become more and more problematic as AI accelerates vulnerability discovery and disclosure timelines, and then the pressure on the patching timelines.

And I'm, that's an interesting sort of way to start the year.

I dunno how other people felt about this, but I thought December 25th, maybe we could arrive at an international convention that certain major holidays, and I don't, they don't have to be exclusively Western holidays.

It's not okay to drop POCs at this time.

Maybe, but maybe there's more nuance to this discussion, and I'll hand it over to the smarter folks like Tammy and Laura to weigh in, or Jim on your side as well.

I have to say, like all this process, like these procedures and, of how to disclose and everything like this, all predates artificial intelligence.

And since artificial intelligence really speeds up a lot of stuff, I think we're gonna have to start rethinking like policies.

Like not just like everywhere.

So like how do we have, like how can AI, 'cause there is gonna be a point where it's just gonna be AI talking to another AI that are gonna be saying like, Hey, I found, like, a vulnerability.

Here's the disclosure and it's all gonna happen in the background, right?

And you're gonna have some people just like taking, keeping an eye on things, but then it's the AI that's gonna fix things and then there's gonna be a human reviewer.

It's gonna be a push notification from an AI, like a pull, a push request.

The, what I think is we have to really start thinking about how we are going to set guidelines for AI.

Especially once AI is able to, like, be, once we take the training wheels off of AI and it's like doing its own thing, I think it's gonna be really interesting to see that.

And I'm curious to query Laura, who has experience in large enterprise environments, on, 'cause if you're watching the YouTube video, the wheels were turning, and I could see you think of this, but also the, oh, dear God.

The, like the AI talking to the AI, talking like when they're gonna push the patch and the update.

It does feel like we've just given up in a sense and, yep, the machines are just gonna do it all faster and we can't keep up, so let's just let 'em do it.

But we haven't actually given up that control yet.

So I, from a human perspective, just because the tools find things faster doesn't mean that we should disregard the ways we've tried to create human engagement between the people finding the vulnerabilities and the people who have to now implement some sort of fix to defend against the vulnerabilities.

Like the tools aren't there yet, so let's still be human with each other and try to give people time to respond appropriately.

And I know it, yes, this vulnerability was found and it was disclosed on the 15th, and yes, somebody worked on it and disclosed the proof of concept code, and it could have been somebody else who was not somebody who we would normally think of as being, like, on the good side.

When somebody puts the label researcher in front of what they're doing, you imply that you are doing this for the good.

So December 25th release of proof of concept exploit code blurs those lines on what's good and what's not good.

But we aren't there yet where we know the responders, the people who are gonna have to deal with the fallout from what you've done, have necessarily those tools at their disposal.

They may have access or be aware, or maybe they're playing in their private labs at home with those kind of tools, but their enterprises have not caught up to adopt those tools and to allow them to do these things.

So it really is just about, I think, trying to hold onto that piece of humanity that says we need to allow people to work at people speed, even if we have AI tools running at AI speed.

Did I miss, something on this?

Is there, was it the AI that was the reason this was disclosed on December 25th?

No.

It was, so let's, I always wanna be careful we don't ascribe to AI what we can ascribe to human stupidity.

No, a hundred percent.

I think it's the question of are we allowing the fact that in, in our general conscience now, this idea that the computers are fast and so we have to be faster, are we using that excuse to say, we, we can't be human with each other anymore.

On the chance that, yes, I, as a human, found this, but there must be some machine out there that's trying to find it too.

But interestingly enough, I'm gonna argue against my own point about this particular release, just to be devil's advocate for a second.

And 'cause I'm just, I'm still trying to get my head around, Jim, what this researcher may have if we assume Laura's point was trying to act.

Goodness.

I still feel like they behaved like the Grinch to sysadmins on the holidays.

No.

Who-hash for you, you're gonna get patching phones. If the point is that, and I didn't see this in any of the justification for why this was released,

Hey, we see bad actors doing this.

We've developed this POC code so you can see if you're vulnerable because we think they're gonna ramp up, et cetera.

It just seemed like it was just like, ha, here's my code.

It's go.

And that seemed irresponsible to me, and I'm still struggling with the timing of it.

And did the severity justify it?

The, so that, that part is that part too.

Yeah.

The, because the, the, and we don't know the researcher.

We're actually gonna dig around and see if I can find 'em.

'cause I think it's a really reasonable question to be asking.

I am gonna do some digging after this show and see if I can locate them.

But the, and if you're out there, send me a note.

But the idea of, I can't ascribe this to, maybe it was the person thought this has been out there for 10 days.

It's really high.

Nobody's doing anything.

I have to say something.

You don't have to ship the code to do that.

You could have just said, I have the code.

Just as a tip to the person for the next time.

And even that, it's so interesting now, I think the broader point that Tammy's making is that the, and Jim, you covered this in the interview with those researchers, you developed POC code in 15 minutes for less than a dollar using code.

The speed of taking vulnerability research that's published to exploit code development is now at machine speed.

How we choose to respond to that, and to Laura's point, we may have to, for a variety of reasons, accept that there is an uncomfortable period of time where this POC code's gonna be out there.

You hope your other mediating controls are gonna help, but you can't patch that fast.

Change management process, testing robustness, it's at the breaking point now with the current timelines of, well, critical patch.

Yeah.

And I think we often say you should patch now. There are people who are more current than me.

I'm, I am a retired CIO for a couple of years at least now.

So I'm not doing this every day, but when we did patching, it was a big deal.

We had a patch weekend.

We had to test everything.

We had to make sure that we could still come up, that we had systems for our users on Monday morning.

So all of this patching is generally weekend and night work.

Maybe the world's changed over the past couple years.

I don't think so.

It's a big deal.

So when we say, you're not patching, I wanna make sure we're not just kicking out a criticism to people.

This is a lot of work and a lot of planning goes into it.

Because if you make a mistake on this, especially if you have a financial system or some operating system and you don't come up Monday morning, people aren't happy that you saved them from hackers.

No, and I think the layers is a really important point in this story as well.

If you let your MongoDB sit out there on the internet exposed, I don't have words, like, don't do that.

It's, that's not how to have a database.

This is self-hosted.

So the, the right architecture is always that these should be on protected networks.

They're not even exposed to your regular user networks.

Like your regular user shouldn't be connecting directly to your MongoDB server either.

It should be an application that's in the middle, handling those connections.

So what this announcement really potentially does to an IT team isn't actually change the level of risk if they have done their architecture correctly.

It's a relatively protected environment this database should be operating in.

So I am giving you, if you did your job correctly in the first place or got the correct support to do the right architecture in the first place, you've got a lot of things that buy you time.

That's what I'm gonna give you.

A lot of things that buy you time.

But now you've got some executive who opened up their tech feed and saw that this is going on and they're now making noise.

And it's the noise that's actually worse than the patching because you may have had it planned, you've had 10 days, you probably had it planned, but now you've gotta deal with the noise and the escalations and with so many things, security related, it's not just the tech that's the problem, right?

It's the people in the process altogether.

And getting people's hackles up and creating noise where it isn't justified is another big piece of the problem.

And that's again, you know what, December 15th, if December 17th somebody released proof of concept code, that's before holiday time and people can deal with noise and they're in the office and you can talk and collaborate. December 25th, making a big noise about this, that is really disruptive to people's well-earned downtime.

Yeah, I, that's where I have a bigger issue, I think.

I think the brand that the individual worked for possibly lost some brand equity on that one and maybe carrying in some bad feeling mojo into this.

But that's probably enough on, on this story.

I don't know if we wanna, but there's, yeah, I don't wanna come back to this because I can talk about this responsible disclosure later in terms of whether pumping the code out into the world is responsible disclosure and how we do that.

But also, Laura, I wanna go back to your thought and there, and this is something I want to think about as we go through and I'd love to hear comments from people.

We have to have architectures that buy us time.

If we're not gonna get time as people, we really need to start thinking about architecture in a way that buys us time.

And it's beyond just pure segmentation.

But you talked about a couple of things.

I wanna gelt that around in my head for a while because I think that's one of the things, one of the defenses we have to really concentrate on in the coming year.

Things are gonna move faster than you can move.

You better find a way.

It's like being on a battlefield where you put stuff up to keep the tanks from rolling over.

We have to have something like that in our architecture.

Good point.

It's, it is interesting, 'cause when I was in the armored corps, when we were taught defensive tactics by the military, you have this idea of a defensive action, and so you had a series of lines set up on a map and you knew when you were falling back based on certain conditions.

Okay.

Like we lost 50% of our fighting strength.

It's now time to withdraw.

And every time in this organized withdrawal, you were buying time for something better to happen, to reorganize, to be able to approach this.

It's interesting because this is the first time, just in this idea of buying time, we've always talked about defense in depth.

Like somehow the defense in depth eventually just stops something.

And it's not been so much about the time, it's been how many layers of the Swiss cheese we need to have.

So I really like this notion that now we're actually, we're saying, listen, with the defenses we have, we think with a critical vulnerability in an architectural part of our stack, we can buy seven days from POC code exploit development.

That's our, that's now our time window.

Okay.

And then a CIO or CTO could make better decisions saying, okay, what buys me 15 days?

Yeah.

Moving on to our next story.

'Cause I think there's a segue to this, although, is there a job you haven't done, David?

Because I sit there and go, I bring out this great tank analogy.

He goes, oh yeah, I, when I was running a tank, never mind.

But the, this Rainbow Six Siege, now to show you how outta touch I am with gaming, which is really crazy 'cause my next novel has a big gaming structure in it, so I'm gonna, I'm gonna take this as my time to get educated, was the Rainbow Six Siege.

You suggested this story, David. I think, was that because it was a MongoDB hack as well, or? So we still don't have the full root cause analysis, but the timing is awful auspicious.

And currently there are two predominant theories of how Rainbow Six Siege, which is played by tens of thousands of people at any given moment and a couple of million player accounts.

So they were popped shortly after this POC was released.

And some threat actor groups who've since been discredited, had claimed that they had done a broader hack of the games maker, Ubisoft.

And they had claimed that MongoDB was the root of this.

Now, what's interesting about that is some of these claims were not accurate.

They didn't get into Ubisoft.

At least we've seen no credible evidence thereof.

And it may be some really great examples of using misdirection to squirrel IR teams, if you do have a better way or you have some kind of persistence and you wanna distract them from that persistence. More to follow on that, because not only were they hacked on, I think it was the 27th,

and this is interesting because this is the first time I've seen the economics of video games so thoroughly savaged.

all of these people have been talking about the cyber Pearl Harbor and all the things that could happen to destroy a national economy.

And we just saw a simulation of this in a video game economy.

And it was fascinating.

They flooded the market with billions of dollars of in-game credits.

Now, for those who aren't gamers, you'd be like, who cares about in-game credits?

It turns out part of the monetization model of modern video games is getting people to pay real cash for virtual currency to buy virtual goods.

I have never bought a single virtual good in my life and I refuse to on principle.

But lots of people do.

To the equivalent of Ubisoft lost $13.3 million in real US cash, potential opportunity for all the credits that were given away.

So they ended up cleaning all this up.

They had to shut the entire game down, which is incredibly disruptive; you're getting people out of their habits to use the game.

So there's all kinds of things happening.

And then they got hacked again, and then two days ago they got hacked a third time.

And now this is my pop culture reference, as our resident pop culture guy: as I'm sure you weren't sick of in 2025, "6-7", uh-huh, they were randomly banning people for 67 days, and proving the attackers were still in control of the environment.

So it is most interesting because I have never seen a game economy so thoroughly destroyed.

I have never seen an incident response absolutely countered back and forth; they took the entire damn thing down and put it back into play, pun intended.

And then they had to do it again.

And if that is a snapshot of what we could be seeing in other contexts, we're in trouble in '26.

I think the gaming world though, is vulnerable.

And this is one of our next supply chain pieces.

This is a whole new world that we have to police.

I'm not sure what the overlap is into our own commercial world where most of us spend our time.

But I gotta tell you, if you're gaming on the same machine you're working on, I'm getting a little nervous.

And here's interesting, when we toss over to Tammy, 'cause one of my favorite pieces of research of all of 2025 came out of Flare and it had to do with gaming.

So I'll let her get into what was going on there.

But before we go, Jim, just lastly on your point, it's not just that it's the adult using the machine for gaming and other things; if you're accessing anything sensitive on a home PC where your kids are doing gaming on it, you gotta treat that computer like a community pool.

It's not hygienic.

I wouldn't do things in that pool or drink the water from that pool.

I wouldn't do my online banking or secure log into my work stuff from a tool that a child to teenager ever touches.

But that's just me.

I dunno, Tammy, if you, if that's a good segue over to the research you guys were doing, but it was somewhat mind blowing.

Yeah, like we found, this was by a fellow researcher, Estelle, who did this incredible piece.

And basically it found that a significant part of stealer or infostealer compromises came from cracked video games.

And so it's fascinating to see, 'cause people wanna play games, so they're going on BitTorrent or on these, like, warez sites and these forums and just, oh, I can, or even trying to get, like, cracks that will give them, like, in-game virtual currency, right?

And all these things.

So it's fascinating to see like that still is one of the main ways people are getting compromised indirectly.

And for all those who were probably born after 2000, the warez, like this used to be the way you got your Doom, and you downloaded it from a BBS.

Yes, I am that old.

And that's how generally you got some malware back in the day, because you were trying to get free versions of Duke Nukem.

As you see what regulatory action will happen in current times with respect to cryptocurrency, that's not about a bunch of people making a lot of money, but as we see tumblers being targeted and taken down, as we see crypto get greater scrutiny in certain jurisdictions where the rule of law still applies, the pressure to find other ways to launder money, and now that certain banks are outta the money laundering business to the tune of billions of dollars, games are gonna be the place that I think we're gonna see more money laundering as well.

So it's all kinds of hurt coming into someone's good time.

We're doing more and more stories.

Following up on what you were saying, Tammy, and maybe we should post a link to this paper, 'cause people should be thinking about this.

Video games are the perfect place to hide malware.

They're complex code.

There's all kinds of stuff happening.

They have emotions attached to them.

You get the best game.

What are you thinking?

Play it, not check it.

It's also because, like, games have a lot of, at least the big games have a lot of DRM, like digital rights management, that, like, protects it from getting pirated.

So you have these, like, crews that are experts at specific types of DRM, like specifically, like, Denuvo, and you have these people that basically crack these games and then they release it to a smaller group of people.

That's called the scene.

And then the scene has, it's like just a smaller group of forums.

And these are private forums that have the game now, and they do what's called the peer-to-peer release.

And these peer-to-peer releases then go up onto the more, like, generic and more public torrent sites and the pre-release DBs and, like, all these other sites.

And there's, then you get into the world of repacks.

And then the repacks are the ones that have to compress,

'cause these are massive releases.

Sometimes games are like a hundred gigabytes, 50 gigabytes, 70 gigabytes.

So you wanna compress these games so that you can like, download them faster and more effectively.

And so you're, there's so many places there in the piracy world that it is okay to touch the integrity of these files and you're just inserting.

And then there's also, like, the modding community, right?

And so there, like, interacting with games and changing a game's code is not something that a lot of people, like, think about, right?

It's very common to do that.

And oh, and there's also, like, a lot of the things of, like, how to crack a game, people will say oh, it's a false positive.

You gotta deactivate your, antivirus.

Don't worry about it.

Like it's just the keygen that's getting flagged, right?

There's a lot of conditioning that happens to, that allows you to get infected.

And on that happy note.

Let's move on to our next story, and I'm gonna do a little bit of a disclaimer on this piece.

David and I debated this story when we ran with it, and had quite a large debate about it.

And it was the, because it was, and I'll let David introduce it or whoever's gonna take this story, but there's a fake video that came out of Venezuela and it was obviously a fake.

It was used in propaganda.

And there's some other, another layer of this story as well, and that was the whole idea of attacking infrastructure.

So there were two pieces in this story that were right within our wheelhouse.

Unfortunately, it also hits an area where there's all kinds of emotions.

There's good guys and bad guys or whatever.

I wanna stay off of that.

That's not the point.

But in the end, we ran the story because if we walk away from stories because there's an opinion or something that we shouldn't touch, and we start censoring ourselves, we stop talking about cybersecurity, then where do we stop?

And we can't, so we can't do that.

So that was what went through my head: you can't censor yourself just 'cause it's in a sensitive area.

The second thing, and I've pointed this out to people who've written, and God bless you, please write, you don't have to agree with me or agree with what my editorial piece is.

'Cause in the end, I'm the head editor here.

I take responsibility for every story we run.

But the issue is, if we, as cybersecurity professionals, we don't, we're not, we don't live in a jar.

We touch the world. People, process, society, all of those things.

So we're gonna, we're gonna get ourselves bruised against those things.

But just to focus on this, there were two elements that jumped out in the story, and this is why we did it.

The first was there was a video that came out immediately after this attack, or whatever you wanna call it, forget it, but it came out and it was a picture of people who were crying because they felt that they, that they had now, and they were crying with happiness because of the change, the regime change.

It turns out it was an obvious fake.

You wanna take it from there, David?

You, yeah.

The story.

So there, there are a couple of interesting things.

So we're seeing that hyper speed of creating hyperrealistic deepfakes to socialize narratives and other things again.

I'm not gonna take any kind of an editorial opinion on the politics or geopolitics of this.

So there was that, the misinformation, disinformation, narrative shaping part of this, which is interesting in context because NATO has just released a brand new 30-page report, and we haven't covered this yet, but it comes at the same time, talking about, reexamining this concept of cognitive warfare.

So this is an example of just how multidimensional conflict is fought.

The other thing that was really interesting, and it's notable from a cyber policy standpoint, is in the briefing at Mar-a-Lago for the US military operation, the President of the United States disclosed that they used technical means to turn the lights off around the capital and Caracas and other things, which is really interesting.

This is different than just dropping a thousand-pound JDAM on a power substation.

That's not what was inferred from this.

And then following up to that, you had the head of the Joint Chiefs of Staff saying, we used a variety of layered effects.

And he talked about, cyber command and space command and other things in this operational side.

Now what's really interesting is that we've known for a long time that nation states have had the capacity to impact critical infrastructure, power, water, lights, et cetera.

The Russians demonstrated this twice, dramatically, in the buildup to the Ukraine war, 2015, 2016.

We've seen attacks by Iran against Saudi Arabia using attacks on critical infrastructure.

We famously, Jim and I talked about Stuxnet and Natanz in Iran.

So we've known these capacities have been there.

What's different about this is publicly talking about it, setting a new norm around, this was not a declaration of war.

This was a military operation.

This was part of a law enforcement operation by how it was portrayed.

But normalizing the use of cyber on targeting civilian critical infrastructure, that's a signal.

And it comes at a time when we're seeing a lot of stress on defense.

We just spent a big part of the first part of this episode talking about how hard it is to patch, and critical infrastructure and operational technology is that on 10x difficulty mode.

So we, that was our primary interest, is seeing the implications from a cyber policy standpoint of normalizing the use of cyber to achieve part of a multi-stage military operation by a Western democratic nation in that context.

So that was interesting.

But it also came just a few weeks after PDVSA, so that's the petroleum, petrochemical company of Venezuela, suffered a massive cyber attack, and it had some hallmarks of what, we weren't sure if it was a nation state based attack, a ransomware crew or other things.

No one that I'm aware of had claimed responsibility, and Venezuela accused the United States of being behind the attack.

Again, we don't have independent, verifiable information, but these are the two interesting things that tie together in that theme.

So now cyber as a tool of state conflict is now being openly discussed, and that changes the defensive calculations and for not just government but private sector.

That's the context, the particular lens, that we're looking at this through, if that makes sense.

And I don't know if Laura or Tammy, you had any thoughts on the headlines flying around this?

I will say it's difficult to wade into this one without getting into the geopolitics.

And I think that maybe that is the story here, right?

As you were saying, David, we're normalizing, and this isn't like the first one, right?

You can go back to Stuxnet and there were ones before that, right?

Stuxnet might be the most famous kind of early days discussion about how the, our side, the good guys, we like to think, right?

And sometimes it's just, you know what, there's one side and there's another side.

But, making use of a cyber vector in order to achieve a particular outcome.

And, but certainly in the current context where who is doing what for what reason is much more convoluted and difficult to discern the truth.

And there, the truth is not the kind of thing where there's only one narrative, right?

There are multiple streams in truth that are, it can all be true at the same time and are non-exclusive to each other.

And that I think is the, when we get to talking about the misinformation aspect of it, and the disinformation is core to those things, because there's always a thread of truth that makes misinformation credible.

It's just, are all of the threads that have been woven into that narrative true?

Or is it just one or two anchor threads that are doing it?

a lot of, yeah.

I think this is just indicative of how difficult it is right now to separate cyber action, used in a military context, from the narrative that is created around the action, and whether this is legal or not, whether it is for the greater good or not, are all just the aspects around what the actions actually were.

Yeah.

and you know what's interesting is, I thought about this from a military standpoint.

In theory, using cyber in a targeted manner to turn off the power for a defined period of time and allowing recovery could arguably be seen as more moral than dropping a thousand pound bomb and the powers out for weeks impacting hospitals and other things.

So again, it's not without multiple views on that, particular side, the danger is normalizing the use of these things to achieve state policy aims, but not war.

And even if we get past the argument of normalizing it, it may like, let's not, I'm not even gonna get to the, whether or not it normalizes this.

Just get to the wake up call that we've had here that we keep ignoring.

And, I lived near Walkerton here in Ontario.

When the water plant stopped working, people died.

And I don't wanna be a big downer on this, but the fact is our infrastructure is exposed.

It, the security on it is next to terrible.

We did a show on it last year.

I bet you I could go back and rerun that show and it would still be accurate.

so our infrastructure supports our health.

It supports our society.

And we've sort of whistling in the wind going well, nobody will attack it.

maybe this is a wake up call.

Maybe somebody did us a favor to say, wake up folks, because nation states have been in, we know that nation states have been in the telephone system.

We know they've demonstrated they can shut the water plants down.

We know that they're, and that's in the US where I think, God forbid, I think they're a little more sophisticated in some cases in Canada.

I'm scared.

it is a question of this could be our wake up call for people to say we need to start protecting infrastructure at a level that we at least afford to our commercial systems.

and I see Tammy, that you, do you want, did you wanna jump in?

Yeah, so it's a, it's related, but it's a little it be Berks a little bit.

It is.

I wanna see, and I want to know if any private companies were involved Uhhuh in that, because there's, like as this becomes more of a thing.

If we ever get into a major conflict, like what's gonna be the role of all these like elite cybersecurity companies?

Like how are, like, there's for sure the governments of all sides are gonna start recruiting all the talent and officially on the books and off the books.

Like, how's that gonna look like?

Like I, I want to know if that.

That's my point.

I wanna know what happened there and not for, not, because there, towards the end of December, there was a big discussion, and we're expecting some more policy on the US side to drop about expanded role for the private sector in offensive cyber on that.

which is the, jokingly, and again, I'm a maritimer so I'm gonna bring up Barrett's privateers.

If you're unfamiliar , if you ever meet someone from my region and you say, and the year was 1778, you're gonna get a song.

It's just gonna happen.

and if you hear about a broken man on Halifax pier, you'll understand more about that.

but this idea of cyber privateers and can they keep their tools, given that one of the best hacking tools of the decade was EternalBlue and even the NSA couldn't properly keep that secret.

the idea of cyber privateers, building specialized toolkits to turn lights off and potentially losing it is an interesting one.

Tammy gave us a perfect segue and that was my, to my question.

Oh, of course.

People in the industry couldn't be corrupted, could they?

And we, I think two, I don't know who put this story up, but was two defenders plead guilty to aiding ransomware gangs.

who's got that one?

Yeah, so it, it basically, it was two Americans, Ryan Goldberg, 40, from Georgia, and Kevin Martin, 36, from Texas.

they pled guilty in a federal court in the Southern District of Florida for their roles in ransomware extortion attacks.

they were affiliated with the group ALPHV, a.k.a. BlackCat.

And, so these crimes occurred, between April of 2023 and December of 2023.

And, they were targeting multiple US victims, with ransomware.

Now what's really, the reason why this is so big is because, these were two cybersecurity professionals, right?

They were both defendants, that, they were both defendants that had legitimate industry roles.

the first one like Goldberg, managed, incident response outta the big cybersecurity firm.

And Martin worked, in ransomware threat negotiations, and they used their skills to, attack others, right?

They were using their skills to prey and have the upper hand.

And what I wanna know, and this has never been made completely clear, and this is really the one where I think is crazy, is did they work on their own?

Like incident response?

did they, like attack, respond to it, right?

that's, it's never been made clear, right?

it's, it hasn't been denied or, or, or validated.

but they actually stole a, like they, they extorted a whole bunch of cash.

Like one victim, like one known case is that they, a victim paid them about 1.2 million in Bitcoin.

And, so the defendants, Goldberg and Martin, were able to, they took that money and 80% of it went to them, and they split it three ways.

And then the 20% went to ALPHV, the BlackCat, and then they started laundering that money.

so the thing is that this plea from the DOJ and the FBI is including like the takedown.

And this was like really, like it came up with this takedown from 2023 of ALPHV and BlackCat.

it's terrifying.

I don't know, like it's, it is the thing that we don't want to, to admit in our industry.

'cause we interact so closely with a lot of individuals like that are on the bad side.

And a lot of us like play the role of criminals to, gain intelligence and and gain the upper hand.

but corruption, it, it's, it can be tempting to say Hey, I can, I know how to pull this off.

I know how to launder the money, what's stopping me?

it's just ethics and morals stopping me from pulling off and making bank over, the course of a couple of months.

So it, it's, and that's where you have people with like weak morals and weak, and weak ethics that get into that, that succumb to this, temptation.

Yeah.

And just to jump in quickly and Jim's gonna mock me again probably.

'cause, one of the other jobs that I had for multiple years was I was a crime reporter for a newspaper.

I know, it's hilarious.

but to Tammy's point, the, they pled guilty.

I don't believe they've been sentenced yet.

I think that, we'll, that's from March 12th.

March, 2026.

That's coming.

And so what's gonna be really interesting for us to pay attention to is what sentence they actually get.

There's some things that are gonna play in their favor.

They pled guilty, they didn't drag out a lengthy trial.

The way the American justice system is that they'll account for that in the final sort of sentencing.

But big thing that they're gonna wanna do to Tammy's point is that beyond ethics and morals, there's this concept of deterrence.

Oh shit, I get, I do this.

I'm going to jail for five to 10 years, and to 20.

Yeah.

I, sorry, I was using Canadian math.

just like Canadian dollars.

Our jail sentences are much lower.

so God, stop now.

Wait, I'm gonna, I'm just stop.

You're, you stop.

Laura.

Yeah, I just wanna go back to Laura's point on this.

Yeah.

Because it was her, the late last year, and I think it was one of the last two shows we did where Laura was actually warning about the layoffs and unemployment that was affecting security professionals and that this was a potential risk for us.

I Do you feel vindicated, Laura?

I'd rather not be, but Sure.

Great.

I'll take it.

It's nice to be wrong sometimes, isn't it?

Yeah.

Yeah.

But no, and re reading a, through some of the other reporting on this particular story.

And because what's interesting is always the why, right?

You have a job, you've got, one presumes.

'cause this is a high demand industry, a good paying job.

What gets you to turn to more?

And in this case, at least for Goldberg, and there's a third unnamed accomplice.

and the other one, hasn't really, it had, I didn't find what his justification was, but in Goldberg's case it was personal debt.

And for however that personal debt was acquired, which in the states could be anything from you made a trip to a hospital, to, you got into some pretty gnarly other activities on your own time.

but personal debt is a huge motivator, right?

If you can't see the bottom of the bucket that you are drowning in.

You Get creative and it's really unfortunate, and I'm sure that will play out in sentencing as well, is, what was the motivation behind this?

And a deterrence of course is super important, if this is somebody who really found themselves in a bad situation and just didn't know how to get themselves out of it, but at least, they finally found the bottom of the bucket when they turned, got themselves in and pled guilty.

It, they, there is something to be said for that, but I don't think this will be a unique story where, you know, and they're listed as former employees.

So how former? Were they former and then became affiliated?

Were they working there?

had some moral feelings like, yeah, I can't be doing both of these at the same time and left, or are they former because, yeah, they got arrested?

Now that now they are former.

I'm not, I don't, but the cybersecurity lesson in this that knits all of this together, whether it's Tammy's point or Laura's or your point David, is internal threats.

And I've warned about this, not just for people who get into money trouble, and we get into money trouble in Canada too, so it's not just in the US; we're not immune from that.

People get into money trouble.

I worry about sextortion and things where people are being extorted.

we have to not think of cybersecurity.

And this will coin your line, David, as only being a technical thing.

You gotta think.

And Laura points to a good point.

and we could talk about this more as a year goes on, but I do believe the proliferation, the massive proliferation of online sports betting.

I'm just saying gambling as a thing.

To, to Laura's broader point about debt is, is there, and I'll end up with that.

Okay, I got one more story.

I'm gonna, we're gonna walk into, 'cause I don't wanna leave this one and then we'll wrap up.

But the, my favorite story of the week, and I took some grief from doing this.

One, the Hacktivist Martha Root, who wiped, the floor with three white supremacist websites live on stage of the Chaos Communication Congress in Hamburg.

she took out three sites, White Date, White Child, and White Deal.

And somebody sent me a note saying, what's the big deal about white people being able to date each other?

I went, I don't think that we're talking about that.

but she didn't just knock them offline.

And, but also, you gotta give her style points.

She arrived in a Pink Power Ranger suit.

Did this live on stage?

Took them down and said they've got poor cybersecurity hygiene that would make your grandma's AOL account blush.

Now that was the big deal now, and we go, I want to tie this around.

The reason why I wanted to go back to this story, she took those sites down and I think there's a big, there's a something we could talk about hacktivism and where the limits of it should be, but she did responsibly disclose the information.

She didn't dox them.

She sent it to a company or an organization called DDoSecrets.

I've been in touch with them.

I'm gonna bring them on the show to talk about how responsibly making this information available for researchers and legitimate journalists is what they do.

So I give her credit for that.

But I'll ask you both the question we're.

it's nice when it's our side, as you said.

somebody wrote me a letter and said, where do they, where do we draw the line?

I said, I don't know if this is a white supremacist site, it's offensive to me.

but what if it's kitty porn?

Where do you know?

Is there a place for Hacktivism?

And that's the question we're gonna have to answer this year.

And thanks to this wonderful lady in a Power Ranger suit, we're gonna have to talk about this in a real way.

I think it really circles back to the discussion we were having about the privateering aspect of things, right?

And it's like, how do you make, actions from a private, whether it's an individual or an organization that are aligned with the best interests of the society they operate in.

And so we'll take a country as an example, right?

How do you make those actions permissible and legal while being clear that it is not open season to go and just take down anything because you disagree with it?

and I think that's where it's not so much a line as it's, a process of permission.

because, in this case, one hopes and presumes the culture that one operates in says that you know what?

People of all, colors and races, deserve equality.

And we shouldn't be promoting supremacy of any of them.

So this kind of activity is not acceptable.

So let's say that's okay.

we can take that down.

Good job.

but somebody else disagrees, or with something that is more socially permissible, but they decide they're gonna go and take it down.

where's that permission?

or who is the judge?

Is it, do we wait till after the fact?

I think, I would argue it's probably better to have some sort of distinction before the fact to say that Yep.

I've been authorized and here we go.

because otherwise the other thing we get into is, inconsistent application of the law, right?

So technically this is not a legal activity depending on a number of factors, jurisdiction and where the servers are and all sorts of other things, right?

So it's a very gray zone as to or without more information.

Was this even legal to do?

And if it's not legal, just because we like the outcome, does that mean that's okay?

if we have two people who get into, fist fight in the street.

They generally both get detained and then it's sorted out who, what was somebody assaulted first and who was in the right, or who was in the wrong.

we feel less inclined.

I think, sometimes in the digital world to be as consistently applicable in how we apply law.

Yeah.

And Tammy, I am sure you've got, I was interested in hearing what you had to say, Laura, and I'm interested in hearing what Tammy has to say too.

'cause this is cultural.

we always think of the people that you're, that you're studying as being crooks and that sort of stuff.

But there are people out there who are hackers who may be doing it for what they think are good reasons.

Yeah.

There's the whole like concept of the greater good and you want to be, you want to try to be on the right side of history, and there's this whole like back and forth of am I doing what is right or what am I doing is what is wrong?

And that's always, it's not as clear black and white as it always is the, for example, I run, an association with like other individuals.

in Europe I help run and maintain and admin a website called RansomLook.

And that's an open source project and where we basically like list and supply, information, on the latest like ransomware victims.

and a part of that is I, it's a part of it is oh, am I like, like victimizing the victims more because I'm showing them, I'm like amplifying the, the disclosure of these victims.

Or am I doing the right thing by, like being as objective as I can be in how I present and collect this information and present it to the community so that the entire cybersecurity community and defenders can use this information to defend themselves against these threat actors better.

so there's always these like concepts of like, how you do it is also just as important as why you do it.

Yeah, which I think is the lesson I'm gonna take away from today.

And that's something I think we'll wrap up the show with that is we're not just in a technical world anymore.

We're actually having to deal with not what we do only, but how we do it and how important that is.

I wanna thank our panel, Tammy Harper from Flair.

Thank you very much.

Thank you very much for having me.

It was great.

Laura Payne from White Tuque.

Always a pleasure, Laura.

Thanks, Jim.

Uplifting as always.

Yep.

and the disappeared, David Shipley running out to, probably to a client meeting, but, david will be back on Monday morning with the cybersecurity news.

I'll be back next Wednesday.

And as much as I want to keep the news show from being news and less opinion, it is our job to put news in context when we can.

The weekend shows do allow us to discuss themes on a deeper level, technical and otherwise.

And as I've said before, technology and cybersecurity don't exist in a vacuum.

They affect people, process, strategy, and our lives in general.

But this is not an echo chamber.

I look forward to exchanges with you.

Look forward to hearing from you so you can reach me.

technewsday.com or .ca.

Take your pick depending which country you're in.

you can reach us there on the contact form.

If you're looking at this on YouTube, just leave a note under the video and you can find me on LinkedIn.

Glad to talk to you, to our guests.

Thank you very much to all of you.

Have a great weekend and we'll see you Monday.
