Defensive Security Podcast Episode 268

Released Sunday, 17th July 2022

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:26

right here we go to say something

0:29

, licenses

0:32

and one and of

0:35

the different parties and when industry

0:38

joining me tonight as always

0:40

is Mr. Andrew Kalat

0:42

hello, Jerry, how are you, sir? i'm great

0:44

how are you doing? i'm

0:46

doing good i see

0:48

nobody else can see it, but i see this amazing background

0:50

that you've done with your studio and all sorts of cool

0:52

pictures did you take those?

0:54

did not take those, they are straight off Amazon

0:57

actually i'll have to post a

0:59

picture at some point but the pictures

1:01

are actually sound absorbing panels

1:05

no

1:07

there's jokes i'm not going to make him but then you

1:09

and your great good to see

1:11

awesome a reminder that the thoughts

1:13

and opinions we express on the show are ours and

1:15

do not represent those of our

1:18

employers but as you are apt to point

1:20

out they could be, for a price

1:24

what it really means is you

1:26

know, not going to change our opinions, you're just going to

1:28

hire

1:29

correct

1:31

mansour our existing opinions some

1:33

day that a work

1:35

all right so we have some

1:37

interesting stories today the first

1:39

one comes from SC Magazine

1:42

dot com, the title is why SolarWinds

1:44

just might be one of the most

1:46

secure software companies

1:48

in the tech universe

1:51

pretty interesting one i i i went

1:53

into this a little

1:56

cynical

1:58

the

1:58

what it is real

1:59

reducing stephanie are there there is

2:02

i think what i found interesting as people

2:04

things one is very obvious

2:07

the

2:08

this is clearly a planted attempt

2:11

to get back into the good graces of the IT

2:13

world

2:14

but at the same time

2:17

it is clear that they have

2:19

made some pretty significant

2:21

improvements in their security posture

2:23

and i think for that it deserves

2:26

the discussion

2:28

not only improvements but they're also

2:30

having

2:33

the strong appearance of

2:35

transparency and sharing lessons

2:37

learned which we appreciate

2:40

correct, the one thing that i suppose

2:43

will get into a little bit but they still don't really

2:45

tell you

2:47

how this the thing

2:49

happened

2:50

aliens

2:51

obviously they did tell you what

2:54

happens in so in the

2:56

article here they describe, the

2:59

CISO of Solar

3:02

Winds describes that

3:04

the attack didn't actually change

3:07

their code base, so the attack wasn't against

3:09

their code repository

3:12

it was actually against one of their build

3:14

systems and so they were

3:16

the adversary here was injecting

3:19

code at build time basically

3:21

so wasn't something that they could detect through

3:23

code reviews

3:25

it was actually being

3:26

added as part of the build process

3:29

and by inference they had

3:32

pretty good control at least a sort they could

3:34

control over there

3:36

source code but they did not have

3:38

good control

3:39

over the build process in

3:41

in the article they go through

3:44

the security ah plus they've made to their build

3:46

process which are quite interesting like the

3:48

i would describe it as they have three

3:51

parallel build

3:53

channels that are run by three different

3:55

teams, at

3:58

the end of the

3:59

build of those there's a comparison

4:03

and if they don't

4:04

they don't match, they

4:06

call it a deterministic build so

4:09

there are, the security team

4:11

does one, a DevOps team there's another and

4:13

a QA team does the third

4:16

the

4:16

they're all building

4:19

the same set of code, they

4:21

should end up with the same, you know

4:24

final product

4:26

over the systems are

4:29

central to themselves they don't coming

4:31

little have access to each other's though

4:33

there should be a very low

4:36

opportunity for for an adversary

4:38

to have access to all three

4:40

environments and do the same thing they did

4:42

without being able to detect at

4:44

the end when they do the comparison between

4:47

a novel approach, i hadn't

4:49

thought about it, it seems

4:52

my first blush was it seemed excessive

4:55

but the more i think about it

4:57

it's probably not a huge amount of

4:59

resources to do, so in the end it makes

5:01

sense

5:04

yeah

5:05

also they mention that three different people

5:07

are in charge of it, right, so to

5:09

corrupt it, somehow inject

5:12

it all three would take

5:14

how, corrupting three different individuals

5:17

somehow, someway, yeah they would have to collude

5:19

the three teams would have to collude

5:22

the beach or which

5:24

the typical

5:28

absolutely, so they actually, i haven't

5:30

looked into it but they actually said they've open

5:32

sourced their approach to this

5:34

the multi, can most, well just go multichannel

5:37

build

5:38

that was

5:39

interesting, so i'll look at their source

5:41

it's a good read, they talk about how they changed

5:44

from their prior model of having one central

5:46

SOC under the

5:48

the company CISO to three different

5:50

SOCs that monitor different different

5:53

aspects of the environment, they went

5:55

from having a part time

5:58

red team to a dedicated team

6:00

focused on the build environment

6:02

also the one

6:05

reservation i have is this kind

6:07

of feels maybe a little bit like they're

6:09

fighting the last

6:11

war

6:13

insole, all the stuff that they're

6:15

describing is very focused on addressing

6:18

the thing that failed last

6:21

time in

6:23

are they making equal improvements

6:25

in other areas, could be, i would

6:27

say that

6:29

they're stuck in a bit of a pickle here, they

6:31

need to address the common question

6:33

which is how do you keep this from happening again

6:35

because that is what most people

6:38

are asking them, it's what the government's asking and that's

6:40

what customers are asking them and

6:42

so they're somewhat forced, whether

6:44

that's the most efficient use or

6:46

not, to deal with that problem right

6:49

they they have no choice but i also feel like a

6:51

lot of the changes they made to

6:53

their build process would

6:55

catch the

6:57

great many other supply chain

7:00

attack outcomes

7:01

seems to me for free of has also just

7:04

begun low things are easy to someone

7:06

explain, but the devil's in the details

7:09

that they had to figure out an image that they did

7:12

they halted all new development of any

7:14

new features for seven months and turned

7:16

all attention to security

7:19

they, for example, moved

7:21

from the static on-prem

7:24

build environment to one that was in

7:26

AWS so that they could

7:28

dynamically create and

7:30

destroy them as needed

7:32

the average it's an interesting the fundamental

7:35

concept this article saying

7:37

is, once you've been breached

7:40

and you secure yourself, do

7:43

you have a lower likelihood of being breached

7:45

if you, you know, you have

7:47

the board's attention, now you have the budget, you have the

7:49

people, now you have the mandate to secure

7:52

the company, is that

7:54

true? i

7:56

it is situational

7:58

we know that there are some

8:00

drawing a blank, some of the hotel chains

8:03

i don't want to say the wrong name but

8:05

i believe that there are

8:07

also instances

8:10

roll readily available

8:12

the contrary is true, they just keep

8:14

getting hacked over and over and i sometimes

8:16

wonder if that has to do with the complexity of their environment

8:19

and legacy stuff in

8:21

there, and if you look at a company like SolarWinds

8:23

i don't know anything about SolarWinds but i'm guessing

8:26

you know that they're somewhat of a fairly

8:29

modern IT footprint that maybe is

8:32

somewhat easier to retrofit as opposed to

8:34

the hotel chain, probably some huge

8:36

data centers that are incredibly archaic

8:39

in their potential architecture and design

8:41

and now that's

8:43

good points, very good points, a different

8:45

very different business model for

8:48

it and they talked about how they're spending, they've got

8:50

three different tiers of SOCs now

8:52

outsourcing two of them, they're spending a crap

8:54

ton of money on security

8:57

whether it's with CrowdStrike watching

8:59

all their endpoint stuff, they mentioned in here

9:01

i'm sure that CrowdStrike appreciated that, their own

9:03

tier three SOC, so i can i get a lot

9:06

of stuff and they also talk about that

9:08

now their retention rates for customers are back up

9:10

in the nineties which is pretty pretty good

9:13

so anyway, clearly this is a PR

9:15

thing but at the same

9:17

time i really do appreciate that

9:20

the company has gone to the trouble of sharing as much as they're

9:22

sharing because the rest of us can learn from it, yeah

9:25

absolutely and the other

9:27

thing that's interesting, as i look at this, i work for a software company

9:30

now, it's a small company

9:32

not something the size of these guys and we don't have the resources

9:34

these guys have but i

9:37

think about how many points

9:39

in our dev chain

9:42

could be easily corrupted in a supply

9:44

chain attack, and they're

9:47

starting with their model that

9:49

by wonder what what

9:51

can i do like how much of this could you do

9:54

on a budget there's a huge amount of people

9:56

environment here there's a huge amount of of

9:59

red tape legacy and checks

10:01

and balances that must

10:03

add tremendously to the cost

10:05

probably slow things down a little bit probably

10:08

got it would get push back if you just

10:10

trying to show up and your dev shop and say

10:12

hey we're doing this now without ever gone to the

10:14

sort of events, so what i'm dancing around here is a kind

10:16

of a culture post

10:19

breach, you know, you have a culture that's

10:21

probably more willing to accept what could be perceived

10:23

as draconian security mandates

10:25

over how they do things as opposed to pre

10:27

breach

10:29

but it probably doesn't

10:32

slow them down for a while

10:34

yeah

10:35

the

10:36

the overhead it puts on them, and they also

10:38

in the article point

10:40

out that you know it remains to be seen

10:43

how

10:44

well SolarWinds continues

10:46

carrying on but it does, like

10:48

you said, it does seem like

10:50

they

10:51

have really taken this in and learned

10:54

from it and not only learned from it but also

10:56

as we see in this

10:58

article trying to help the rest

11:00

of the rest of the industry, which is

11:02

by the way like what we're trying to do here on

11:05

the show kudos to them

11:08

the

11:10

yeah

11:12

i also wonder how many other development

11:14

shops

11:17

will learn from this and

11:19

adopt some of these practices so

11:21

they're not the next obliging attack that's

11:24

really where the benefit comes

11:26

yeah absolutely

11:30

all right onto the next story

11:32

which comes from ComputerWeekly.com and

11:34

the title here is Log4Shell on its

11:36

way to becoming endemic

11:39

so the US government after

11:41

Joe Biden, President Joe Biden signed an

11:44

executive order in

11:47

twenty twenty one

11:48

maybe

11:49

formed a cyber security

11:52

what it's called, the Cyber Safety Review

11:54

Board, Cyber Safety Review Board, if i remember

11:56

the US

11:57

which i think was modeled after

11:59

the

11:59

NTSB or what have you

12:01

that they released this report last

12:04

week which describes

12:07

what happened, or at least their analysis of

12:09

what happened

12:10

in the Log4j incident

12:13

happened last year

12:17

oh i have

12:19

mixed emotions about this

12:21

one, the, one of the, one

12:23

of the key findings is that open

12:26

source development doesn't have

12:28

the same level of

12:30

maturity and resources that

12:32

commercial software does

12:34

and on the one hand

12:38

one of the promises of open source was

12:40

many eyes make bugs

12:42

very shallow

12:44

which it would seem is not

12:46

really holding water very well

12:49

but it but i think the other

12:50

problem is it's asserting

12:53

that

12:54

open source developers are uniquely

12:56

making security mistakes in

12:58

their development

13:00

last i checked every single

13:02

month for the past twenty plus

13:05

years Microsoft

13:07

releases a set of patches

13:09

for security bugs in their software

13:12

and they are not open source and and

13:14

so i i

13:15

i think what was a little frustrating

13:17

to me is they didn't

13:19

if you will, they didn't address the

13:21

elephant in the room

13:23

which was not necessarily that the

13:25

the that open source developers here

13:27

did

13:28

a bad job didn't understand how to

13:31

code securely

13:33

it's self evident that they

13:35

made mistakes

13:37

but the bigger problem is

13:39

the fact that it was

13:41

rolled up into so

13:43

freaking many

13:46

other open source

13:48

and non open source packages

13:51

and multi tiered right

13:54

combined into a package, that's combined

13:56

into another package, that's combined into another

13:58

package

13:59

combined into commercial

14:02

software

14:03

the and

14:04

the big challenge we had as an industry

14:07

was figuring out

14:10

where all that stuff was

14:12

and then even after that trying to beat

14:14

on your vendors to

14:17

come to terms with the fact that they actually have

14:20

Log4j in their

14:22

environment and then having to make these like

14:24

painful decisions, do we stop using

14:27

for instance VMware because we know that

14:29

they have, that they have Log4j and haven't

14:31

released a patch

14:32

yet

14:35

but that suggests the more

14:37

concerning problem

14:40

not just specifically for Log4j but when you

14:42

look across the industry

14:44

we have lots of things like Log

14:46

4j that are pretty much

14:48

maintained by either a single

14:50

person or a very small team on

14:52

a best effort basis and they serve some kind

14:54

of important function they just

14:57

keep getting consolidated

14:59

the and i don't think there's a real appreciation

15:02

for how pervasively some of these

15:04

things

15:05

are being used. they do talk about in the recommendations

15:07

about creating software bills of materials

15:10

for software which only

15:13

do that for, coming at it the wrong way

15:15

it seems to me like we need to be looking

15:18

for hotspots and addressing

15:20

the suspects and this and stuff and that seen

15:22

that, it's concerning. what do you mean by

15:24

hotspots

15:25

in terms of potentially

15:29

poorly managed, or not

15:31

it's not the right way to say it

15:33

well managed open source packages

15:36

that have become super

15:39

ingrained in the IT ecosystem

15:41

like Log4j has, like OpenSSL has

15:43

been and some of the others and

15:46

and and so on the

15:49

see this coming go but

15:51

at the end of the day i i i don't know

15:54

that we have a good handle on where those

15:56

things are so we're just gonna continue to

15:59

get surprised when some

16:01

enterprising researcher looks

16:03

under a rock nobody's looked under before

16:05

and realizes oh gosh there's this piece

16:07

of code that was managed by a teenager

16:10

in the proverbial basement

16:12

who has since moved on to college and it's

16:15

not being maintained anymore but

16:17

it's like, it's used by

16:19

everybody and their dog

16:23

we don't seem to be a thinking about their problems

16:25

least in that way

16:28

certainly early on in the coverage of this, a lot about

16:30

how open source is less

16:33

rigorous in their controls than

16:35

commercial but i think

16:37

it's very fair to say that the vast

16:39

majority of commercial applications are using

16:43

tons of open source as well in

16:45

their code right, the

16:48

kind of odd implication that commercial

16:50

entities write everything from the ground up when that's not

16:52

true. so the flip side is if

16:55

i've got a well known

16:57

mature vetted package

17:00

that does its job well that i

17:02

can include in my package, i

17:05

could potentially save myself a lot of bugs

17:07

and vulnerabilities

17:09

because that package has been so well vetted

17:13

in theory right, you

17:15

know it's like writing your own encryption algorithm, bad

17:18

idea, there's a whole

17:20

history of people who've gotten ruined

17:22

because they thought they knew better and that's a really

17:24

hard problem to solve so i think there's

17:27

value in having

17:30

almost like engineering standards of this

17:32

type of strength of concrete that is reused

17:35

because it's a known quantity as

17:37

opposed to hey we're just going to invent new concrete and

17:39

give it a whirl, i see it a little bit like that

17:43

what do you, i agree with you, i also

17:45

wonder how often dev shops can

17:47

spare someone whose whole job

17:50

is to dig deep into the ecosystem

17:52

of all the packages they pull in when

17:54

they do their development and know the life

17:56

cycle of those at the

17:59

level where you'd worry about it vs hey that's a solved

18:01

problem, i just pull it off the shelf and move on

18:05

i think that is the very issue

18:07

for us, i think that is

18:10

probably because i don't think most companies have

18:12

the ability to do that, one thing, and i

18:14

think a curated

18:16

market of open source tools

18:18

that are well maintained, i think we're headed in that

18:20

direction, i don't

18:22

love the idea

18:24

by any stretch of the imagination, i don't

18:27

mean to imply that i do

18:30

i don't see a good alternative

18:32

in the reason is that like you said

18:34

we want it as a as the developer

18:37

of of application whether it's open

18:39

source or not

18:40

you want to use, you don't want to recreate

18:43

something that's already existing and you

18:45

want to use something that's reliable

18:48

i think that one of the problems

18:50

is

18:51

these smaller pieces of open source

18:53

technology, like i have a strong feeling that

18:55

like, you know when Log

18:57

4j started out they didn't expect they

18:59

were going to be in every freaking piece

19:02

of commercial and open source software

19:04

out there, it just happened, it

19:06

happened over time when

19:09

they didn't, you know, and i just think

19:11

there was little consideration on both sides

19:13

of the equation or what was happening

19:16

was just happening in nobody

19:18

really

19:19

was aware of it. it sounds like Log4j's

19:21

maintainer was like, come use me everywhere, or

19:23

there's a limit of hey i wrote this, it's up to you if you

19:26

want to use it, that's on you, you know it's there

19:28

so yeah, anyway, so

19:30

this

19:32

is, it's, i'm not sure

19:35

a software bill of materials is your solve either

19:38

i know why people are talking about it i know that

19:40

it helps but it means i think it it

19:42

helps in so much as if you have

19:44

if you, as

19:46

a manufacturer of software or even

19:48

as a consumer

19:51

have an SBOM that

19:53

goes all the way down, which by the way is itself

19:55

pretty tricky

19:57

something like Log4j hits

20:00

it becomes much easier to look across

20:02

your environments and say, i've got it there and there, yeah

20:05

that's what i have to go fix by the way

20:07

like, it's, you're also dependent on

20:09

your closed source

20:11

commercial software provider

20:13

also doing it a

20:15

similar

20:16

and a job so i think there's a

20:18

coming set of standards and

20:20

practices

20:22

the industry's gonna have to it to get to

20:24

because this problem is not going to go away

20:26

it's going to continue to get worse

20:29

and we're either gonna have some enterprising

20:32

government like Australia or the

20:34

the us is gonna stuffer the

20:36

wish none of us like dot or throat organ

20:39

to have you come up or something

20:41

the and wrong it'll be hitters new see how

20:43

how it plays out now

20:45

that, i think the genie's out of the bottle, you gotta

20:47

assume some of these big cybercrime

20:50

syndicates or whatever, or whoever, are attempting

20:52

to replicate this

20:54

hundred percent, the person

20:56

they're gonna be looking around seeing what is that

20:59

what open source components exist

21:02

pervasively and what would

21:04

be easy

21:06

for me to take over slash compromise

21:09

so that i could roll

21:11

up into as many

21:13

environments as i can with that

21:15

would be

21:17

super convenient as a as an adversary

21:20

anyway but the lots

21:22

more to come on that i do think

21:24

we're going to see lots of

21:27

hyper focus on

21:29

no

21:30

there's good supply chain open source

21:33

humming

21:34

and i fear that it's going to

21:37

the largely misguided for at least from

21:39

one fair enough already

21:41

the next story comes from BleepingComputer

21:43

and it's a fascinating one, the title

21:46

is hackers impersonate cyber security firms

21:48

in callback phishing attacks clever

21:50

people. we have a story here about

21:53

an adversary or maybe multiple adversaries

21:55

who have become super

21:58

enterprising

21:59

and they

21:59

sending letters

22:02

to unwitting

22:04

employees at different companies

22:07

you know, how they're targeted, this is really

22:09

not a letters discussion, but in

22:11

the examples they cite they have a letter

22:14

like i had to get, it comes by

22:16

way of email, on Crowd

22:18

Strike letterhead and it basically

22:21

says hey, CrowdStrike and your employer

22:23

have this

22:25

this contract in place, we've seen some

22:27

anomalous activity, you have

22:29

you and your company are

22:31

beholden to different regulatory requirements

22:34

and we have to move really fast, we need

22:36

you to call this phone number

22:38

and to schedule an assessment

22:41

and him

22:42

unlike, by the way, a lot of, a lot of

22:44

these things, this is pretty well written, i would

22:46

like to think that if i got it i would

22:48

say it was bs but it

22:51

is, it really is well written, it's not full of

22:53

grammatical errors, it kind of makes sense

22:56

and apparently if you follow the instructions

22:59

by the way the hypothesis

23:01

is that it will lead to, unsurprisingly

23:04

a ransomware infection, it's

23:06

to install a remote access trojan

23:09

on your workstation and then they use

23:11

that as a beachhead into your

23:14

company

23:16

yeah

23:18

it's easy to see, you know, the good reason why you shouldn't let

23:20

your employees randomly install software

23:23

yes, that, you have to assume that

23:25

some, this is where i struggle by the way

23:27

with social engineering training is

23:29

i really do believe that this sort of failure

23:32

sort of, is not an intelligence failure, it's

23:35

a psychological weakness of how

23:37

human beings' brains work

23:40

that the bad guys are exploiting and

23:43

they will find some percentage

23:46

in some certain circumstances that

23:48

will fall for these sorts of efforts

23:52

and you've got to be resilient against that, i

23:54

don't think you can train that risk away

23:58

yeah, i would say that it's perilous

23:59

to think that you can train it away

24:02

because then you start to think that when it happens

24:06

it's the failure of the person

24:08

and i actually think that's the wrong way to think about it, if

24:10

you have, obviously

24:12

you want to do some level of training

24:15

church the stood for door the reason

24:17

you're obligated to do that by many regulations

24:19

and whatnot

24:21

but also you want people

24:23

to understand like what to look for, it

24:25

helps in the long run but at the end of the day

24:27

like you, we have to design environments

24:30

that will withstand that kind of

24:34

issue. yeah, if we're, if

24:37

our security is predicated on

24:39

someone recognizing

24:41

that a well written email on

24:43

CrowdStrike letterhead

24:45

this

24:46

this is fake

24:48

we have problems, yeah, if

24:50

you can be taken down by one

24:52

errant click from an employee, that

24:56

i think is probably the fault

24:57

and this is a failure on, on

25:00

our, like, IT and security

25:02

side, not on the employee's

25:04

and though

25:06

really be on the lookout obviously

25:09

this is a pretty, and i hadn't

25:11

heard of this before, it makes total sense in hindsight

25:14

but something to be on the lookout for

25:17

alright, the last story we have comes

25:19

from Cybersecurity Dive dot

25:21

com

25:23

one of my new new favorite websites by the

25:25

way

25:27

good stuff. the title is Microsoft

25:30

rollback of macro blocking in Office

25:32

sows confusion

25:34

so earlier in the year Microsoft made

25:37

a much heralded

25:39

announcement that they were going to be blocking

25:43

macros in Microsoft

25:45

Office from anything that

25:48

originated from the internet

25:50

and

25:52

it was borne out, by the way, apparently

25:55

some researchers have said that as much

25:57

as two thirds

25:59

of

25:59

the attacks involving macros

26:02

as

26:03

oh, went away

26:04

it's a pretty effective control. Microsoft

26:06

last week

26:08

noted they were reversing course and re-

26:10

enabling macros

26:12

i assume

26:14

because CEOs everywhere were

26:17

in full meltdown that their

26:19

spreadsheets were no longer working and

26:22

obviously we should assume that the attacks

26:24

are going to be back on the upswing and

26:26

apparently this is a

26:28

temporary reprieve, it's a little

26:31

unclear when Microsoft is going to

26:33

re-enable it but i have a strong

26:35

feeling that a lot of organizations

26:37

had

26:39

been thinking of taking a breather

26:41

on this front because Microsoft

26:43

solved that for us and now

26:45

we need to be back on the defensive

26:50

yeah, i'm really curious what the conversation

26:52

was like that forced them to reverse

26:54

course, what broke, that was that big

26:56

of a deal, that was so

26:58

imperative, because it has been a problem

27:01

for at least fifteen years, more maybe

27:04

oh yeah, at least. this was a pretty big

27:06

win and now

27:08

it's going

27:10

to get rolled back so i

27:12

was disappointed

27:14

there are, in those, i think

27:16

there's some links in here, you can actually go back

27:18

and re-enable it through group policy

27:21

settings obviously, so if you're so

27:23

inclined, probably a really

27:25

good idea. as an IT industry

27:27

inc with were sauce

27:29

the strange until they rolled it back

27:32

this is, without knowing all the reasons

27:34

behind it, it feels like such a pure example

27:36

of productivity vs security

27:39

sort of trade-off playing out in real time

27:43

and i'd almost guarantee this is what's going on

27:46

that yes that is a

27:48

little concerning definitely

27:51

yeah no ago

27:53

indeed, it would have, it's to

27:55

be continued, stay tuned, to be continued

27:59

that is

27:59

the story for today, i just

28:02

one little bit of editorial

28:04

i spend a lotta time during the week reading

28:07

different stories all kinds of google alert

28:10

set up for for different security stories

28:12

and whatnot

28:14

what we talk about in these

28:16

podcasts

28:18

and

28:20

it is amazing to me

28:22

how many stories that

28:24

are

28:25

touted as news

28:28

are actually basically

28:30

marketing pieces, i

28:34

know that we've talked about this in the past but it

28:36

is alarming, i actually have gotten to the point

28:38

now where i drop down to the end to see

28:40

what they're going to try to sell me before i get

28:42

too invested

28:44

i look at who wrote it, if

28:46

they're like not a staff writer, if they're like

28:48

contributing writer and from chief marketing

28:50

officer from blah blah blah, i'm like nope

28:52

the

28:53

very quickly, just

28:56

pretty much if it's something written by an employee

28:58

of a vendor of some variety, i

29:01

don't mean to be harsh, it's just there's

29:04

a bias there, that they believe

29:07

their own marketing and

29:09

or eat their own dog food and they're clearly pushing the

29:11

problem they know how to solve

29:13

they're characterizing the problem

29:15

as

29:16

something that their offerings can solve

29:20

right and but i think it's a

29:22

certainly understandable

29:24

this, sure, but i

29:26

i'm concerned that as an

29:28

industry where

29:31

do we go to get actual best practices

29:33

because, gee, if everything you read is written

29:35

by

29:36

a security vendor who wants the

29:39

best practices to be install CrowdStrike

29:41

install Red Canary

29:43

install McAfee. it's interesting that you

29:46

bring up, this is a side point which is i'm

29:48

seeing some movement in the cyber insurance

29:51

industry that they're basically saying

29:54

at the broadest level for those that are less

29:56

sophisticated, these are the three

29:58

EDRs we want you to use

30:00

and if it's not one of these three your premium

30:02

pricing

30:04

that's interesting

30:06

then you're like wow especially

30:08

because it's such a blanket statements

30:10

and so many environments are different

30:13

and i'm sure i'm not passing judgement on the

30:15

efficacy of those three vendors is why

30:17

not saying them it's more that's

30:19

feels like a very lack

30:22

of nuanced opinion that very blunt

30:25

instrument being applied there

30:28

yeah, it also ignores

30:31

like a whole spectrum of other stuff

30:33

you should be doing, it's just EDR

30:36

which is obviously coming

30:38

very much from ransomware, they're just getting their asses

30:40

kicked on ransomware and so they're like what

30:42

is, what will stop ransomware, it's very

30:45

specific to the point

30:47

that's your point about so many marketing pieces

30:50

masquerading as

30:52

infosec news, i think is very true. that

30:56

on that note i want to thank our sponsor, Bob's

30:58

Budget Firewall

31:01

probably fair for ethics with

31:03

cleared ten years of no not

31:05

at their sponsorship not

31:07

nicer to prove any kind other than

31:09

the relations between person

31:12

right, that is the show

31:14

for this week, happy to have a week rather

31:16

than two weeks in a row

31:19

we'll make a habit of it

31:20

i know, it's great, i appreciate it

31:23

right, thanks to all our listeners, especially

31:26

as

31:27

i have

31:28

moved to

31:30

commercial podcasting

31:32

hosting platform and so we actually now get

31:34

some metrics, we're at about

31:36

ten thousand ish

31:38

wow

31:39

is that counting the inmates that are forced

31:41

to listen as part of their correction? no, see

31:43

i i think actually because that's the one

31:46

that many things so there's probably like

31:48

one stream is forcing like

31:50

maybe five hundred people

31:52

yeah

31:54

then when they do crowd control like better be thousands

31:57

of people that is true i

31:59

was quite

31:59

pleased and really proud

32:02

of you when i found that your voice was

32:05

found to be one of the best tools to

32:07

disperse crowds

32:08

a we'll have to be good as since and rate is

32:11

up there with

32:13

charles's

32:14

there

32:16

right neck and neck

32:18

better than tear gas? you were

32:20

this better. i was not aware that

32:22

i had overtaken tear gas

32:25

impressive my friend, you should be proud, i

32:28

, your parents should be proud, i am, i'm

32:30

gonna go tell them

32:31

alright alright that'd

32:34

, good with really sorry
