Red-Teaming Barbados: Our National Cybersecurity Strategy [49]

Posted on Tuesday, Mar 14, 2023
Chris shares his thoughts on the updated National Cybersecurity Strategy, Ned does NOT pretend to understand SVB, and we all take a moment to remember Google Reader.


[00:00:00] Chris: That would make for a very weird way to make a podcast. But I guess you’re right.

[00:00:03] Ned: This email could have been a tweet.

[00:00:07] Chris: This tweet could have been nothing.

[00:00:09] Ned: And there we have it. You got to wonder what percentage of meetings are completely pointless.

[00:00:21] Chris: So all.

[00:00:27] Ned: I wouldn’t say all. You remember, like that brief period of time where I stopped doing actual work and became a director.

[00:00:36] Chris: I don’t recall you ever starting doing actual work. Boom.

[00:00:39] Ned: Neil I walked right into that. You’re not wrong. I had this nagging feeling because half of my day or more was booked up with meetings, I had this nagging feeling that I was just wasting my life in meetings. And that grew and grew and among other contributing factors, was definitely part of the reason that I eventually quit.

[00:01:11] Chris: Yeah, I read something that almost made it into the lightning round this week, which was about a breakdown of people that purport to do agile and DevOps, like, say the words Agile yes. Versus companies and organizations that actually do it properly, right?

[00:01:36] Ned: Because you can go through the motions pretty easily without actually changing the way you do anything, right?

[00:01:45] Chris: And long story short, one of the biggest things that shows that disparity off is how many meetings and how do we all agree that there are pointless meetings? And one of the things that they said which might merit its own topic at some point was that Scrum Master is not supposed to be someone’s job title.

[00:02:08] Ned: Right? They’re just someone who’s going to facilitate the scrum, but they have other responsibilities, right?

[00:02:16] Chris: And if that person doesn’t have that as their situation, then they are unfairly motivated to have pointless meetings for absolutely no reason, and thus the process continues.

[00:02:27] Ned: That did seem to be the point of so many meetings I had, was someone they literally have nothing else to do. So to make themselves seem important, they are going to get people in a room and talk at them.

[00:02:43] Chris: Or ask them for updates they already have the.

[00:02:45] Ned: Answers to, updates they could have easily either found themselves or asked for in some sort of report format that they’re not going to read anyway.

[00:02:55] Chris: Ned, so you spent all morning putting together that weekly status report. Can you tell us all about that?

[00:03:01] Ned: Can you briefly summarize it?

[00:03:04] Chris: Can you summarize the summary?

[00:03:06] Ned: And that’s what so much of it comes down to. Well, this is when we have our weekly blah blah, blah meeting. And so we’ll all go around the table and give our updates and everyone will tune out except when they have to give their update.

[00:03:22] Chris: Yeah.

[00:03:25] Ned: So that’s it. We solved it. We have solved organizations and management and meetings. I think we can all have a drink and go home. Perfect. Or go home and have a drink. Either order is fine. Shall we?

[00:03:43] Chris: Surely.

[00:03:44] Ned: All right. Hello, alleged human, and welcome to the Chaos Lever podcast. My name is Ned, and I’m definitely not a robot. I look upon small mammals with great affection, just like you. I boop snoots and give treats of questionable nutritional value after they successfully execute my commands. I am definitely not training an army of dachshunds to infiltrate naval bases and take over the US’s nuclear capabilities. And I resent the assertion. With me is Chris, who is also here.

[00:04:17] Chris: That’d be a very small, reasonably cute army.

[00:04:23] Ned: I think the term you’re looking for is fucking adorable army. And I’m going to call them the FAA so no one suspects. Oh, the FAA is here to inspect the naval air carrier.

[00:04:42] Chris: That makes sense. I mean, it’s a perfect cover. Little small collection of rat dogs.

[00:04:49] Ned: No problems whatsoever. Yes. Collectively they can type it like 70 words a minute, and the keys get.

[00:04:59] Chris: A little like one dog per word, I’m assuming. So you’re going to need at least.

[00:05:04] Ned: 70 dogs, but you kind of break up the keyboard into sections, and each dog is responsible for a section.

[00:05:14] Chris: That makes sense.

[00:05:17] Ned: Okay, I’m glad that we’re on the same page. Kind of related. Let’s talk about cybersecurity and how to protect against those errant armies of dachshunds.

[00:05:33] Chris: So, yeah, this is going to absolutely have to end up being another one of the pillars. What are we going to do about armies of dogs that sound very different than how they’re spelled?

[00:05:47] Ned: You have completely frozen. Well, you answer the question, you completely froze for, like, a solid 30 seconds.

[00:05:57] Chris: I know that doesn’t get you off the hook. Answer the question.

[00:06:02] Ned: Welch’s grape juice. Final answer.

[00:06:06] Chris: That might be literally the wrongest thing you could have said.

[00:06:12] Ned: Thank you.

[00:06:14] Chris: Anyway.

[00:06:14] Ned: Where is the badger pride?

[00:06:17] Chris: Let’s talk about the national cybersecurity strategy, which right off the top, not an inspiring name.

[00:06:27] Ned: It’s not a bad name.

[00:06:28] Chris: No. I’ve certainly heard worse. But kind of vague, kind of bland.

[00:06:36] Ned: Like a Microsoft name as opposed to.

[00:06:40] Chris: An AWS name that makes no sense at all and is impossible to remember.

[00:06:44] Ned: Exactly. This is project Athenos, but there were.

[00:06:51] Chris: Promises made a few years ago and Biden and company finally did the thing. It’s not just anything. It’s an internet type thing.

[00:07:02] Ned: Does he know what the internet is?

[00:07:05] Chris: He has an email address.

[00:07:09] Ned: That he accesses with his AOL.

[00:07:16] Chris: In stark contrast to a lot of countries around the world, the US has historically had a bit of, let’s call it a lax attitude towards mandating crazy things, like we should demand companies be held accountable for putting out poor products. Now, some of this was discussed last week in the lightning round by Ned, who talked about that part of the strategy, the one that’s going to upset companies the most, which is the one that would require software providers to assume more responsibility for the products that they sell. Outrageous, right? Maybe sell things that aren’t trash. What a concept.

[00:07:55] Ned: Unconscionable.

[00:07:56] Chris: But the document that that came out of the national cybersecurity strategy talks about a whole bunch more things than just that one. So I figured it’s early, everyone needs to get back to sleep. Let’s talk through the whole thing.

[00:08:11] Ned: Yay. So we’re going to read it word.

[00:08:14] Chris: For word in the beginning.

[00:08:17] Ned: Wait, wrong strategy.

[00:08:23] Chris: So there isn’t, I don’t think, very much controversy that something like this is needed. The US government is pathetically behind the times around security, and by extension so is the private sector in America. Sorry guys, just is.

[00:08:41] Ned: I mean it’s pretty obvious by the number of ransomware attacks that I see in my news feed every day.

[00:08:49] Chris: And it’s funny you mentioned ransomware because we’re going to get there.

[00:08:52] Ned: I had a feeling.

[00:08:56] Chris: So first things first, this strategy isn’t binding. It’s effectively the president or I guess really you should say the executive office because I’m sure he didn’t sit down with a pen and pad and sketch this thing out just getting up and yelling at the sky that he has very important things to say. Now the difference here is that he actually is the president and he is in charge of the executive of the allegedly the most powerful country in the world. So him saying such things has some heft behind it but still like not going to say that it’s a ton. Nothing’s going to change this week just because the strategy all of a sudden exists. But what is likely is that organizations and states, other parts of the government and hopefully the private sector will start to use what’s in here as guidance to create actionable and binding policy resolutions, dare I say laws over the years to come.

[00:10:09] Ned: I mean, in theory Congress could take some of this, put it in one of those subcommittees, come up with some bills and then maybe actually pass one or two. Unlikely, I know. More likely is that Biden could issue some executive orders that will get immediately repealed by the next.

[00:10:25] Chris: President and ignored entirely while they’re enforced.

[00:10:29] Ned: Yeah that’s it.

[00:10:31] Chris: So the strategy is not a huge document and it doesn’t take that long to read the whole thing.

[00:10:36] Ned: I think.

[00:10:36] Chris: Totally total size start to beginning is like 38 pages and it’s broken down into five pillars. And those five pillars are one, defend critical infrastructure. Two, disrupt and dismantle threat actors. Three, shape market forces to drive security and resilience. Four, invest in a resilient architect. Future.

[00:11:00] Ned: Yes.

[00:11:00] Chris: Future. I don’t even know why architecture came up. Five, forge international partnerships to pursue shared goals. So again the names aren’t inspiring but they all seem like a pretty good idea.

[00:11:15] Ned: Yeah.

[00:11:16] Chris: Like kind of basic, let’s go ahead and do that because it makes sense. Stands to reason the government wouldn’t be doing it already. Boom. Again. Crushing it. Crushing it, Ned.

[00:11:28] Ned: Absolutely.

[00:11:29] Chris: So let’s go through them relatively quickly one by one.

[00:11:33] Ned: Okay.

[00:11:34] Chris: So first one, and I think this is number one for a reason because it really sums up the goal of what we’re trying to do here, and that is defend critical infrastructure. So according to the strategy, in order to defend the, quote, critical services underpinning the lives of the Americans and the economy, a number of new regulations are in order. And this is what I mean by the strategy not actually being binding or actionable. It’s not describing what these regulations are or putting them together in any way. It’s just demanding that these regulations be created. Now the strategy does make it clear that the regulations should be in line with some of its favorite four-letter words, CISA and NIST. I’m not sure anybody ever actually pronounces it “sisa,” but for the purposes of this joke we’re just going to plow right on ahead.

[00:12:28] Ned: Oh no. Now I’m thinking of the R&B artist Ciara, and that would be fantastic if we could take all of her recommendations under consideration and make them actionable law.

[00:12:39] Chris: And also studies have shown that if you make things rhyme and back them up with a sick, sick beat, they’re easier to remember. So win win.

[00:12:51] Ned: Absolutely no arguments here.

[00:12:54] Chris: Now the strategy highlights some of the critical infrastructure in question, and it’s not all 100% government. So what we’re talking about: Azure pipelines, aviation, rail, water, and the electrical grid. And one of the things that is driving this insistence to protect them at a higher level than before is the increasingly used word smart. Smart, in particular the smart grid.

[00:13:27] Ned: Right? Smart usually means connected to the internet.

[00:13:32] Chris: Which usually means open to attack. There we are.

[00:13:37] Ned: Okay.

[00:13:40] Chris: So when you talk about those, obviously we’re talking about huge swaths of the economy. And like I said, it’s not all government. So one of the things that the strategy asks for is for the private companies that work in those spaces to get on board as well. And unfortunately from the beginning of the internet till now, we’ve got ample evidence that those private functioned companies aren’t going to secure themselves.

[00:14:09] Ned: Right?

[00:14:11] Chris: So one interesting thing that they throw in here that was like, I really wish they had broken down a little bit more. They want regulations that make it so private actors and private companies don’t underspend on cybersecurity as part of their economic competitive strategy. So the old problem of IT and security being considered a cost vector versus a competitive advantage.

[00:14:44] Ned: More importantly the fact that any decision to spend on cybersecurity is balanced against the cost of not implementing it.

[00:14:53] Chris: Right. So like I said, they were super vague about this. I think it’s a good idea, super curious to see how we’re going to do that and how that one turns out.

[00:15:05] Ned: The problem that you have here is if you create specific regulations, you set a floor, a minimum on the security that you’re in expecting any given company to put into place and they will do that bare minimum. But they’re not going to go above and beyond. If you want companies to go above and beyond, you need to provide some sort of economic incentive or reason for them to go above and beyond the absolute minimum of security. I feel like that’s not something you can easily do with regulations and rules that you need to find more of a carrot and less of a stick. Though a little bit of both is probably good.

[00:15:44] Chris: Right. Final point they make in this particular pillar, the modernization and increased cooperation of federal organizations when responding to a, and this is capital letters, Cybersecurity Incident. So there is such a thing as a National Cybersecurity Incident Response Plan. The strategy makes it clear it is insufficient.

[00:16:11] Ned: Okay?

[00:16:12] Chris: And the fact that this might not be the best response, especially when you’re talking about something of this scale, makes sense. When you have a large nation state sized attack on critical infrastructure, it stands to reason that a nation state sized response would be warranted. One of the big things there you’re going to need is instant cooperation, sharing of data, et cetera, et cetera. All stuff that is a big problem right now. And what’s interesting, some would say concerning, is that the document wants these regulations to take lessons from, quote, the success of the Joint Terrorism Task Forces, which also gives you, I think, a bit of a hint on how the strategy wants to approach cybersecurity incidents going forward.

[00:17:03] Ned: Hand it over to the Department of Homeland Security, nuke them from orbit. Okay.

[00:17:10] Chris: Which leads directly into the second pillar, which is disrupt and dismantle threat actors. So we didn’t have to wait all that long for that terrorism thing hint to be paid off. Now nation-state threat all-stars such as China, Russia, Iran, and North Korea are explicitly called out as malicious actors, with, drumroll please, ransomware being a major part of their adversarial actions.

[00:17:41] Ned: Yay.

[00:17:42] Chris: These are all words in the strategy, all right? And what this section is describing is definitely a change in strategy towards proactive maximization of the disruption to these actors’ ability to operate. So some of these things already existed. Things like taking down botnets, trying to freeze funds in banking accounts, making it so it’s impossible for them to pull the money they get out of a ransomware attack out of the country. It has been done in the past, but somewhat defensively, after the fact. Responsively, I guess, as maybe the better way to put it. Right. The strategy advocates a, quote, strategic approach of defending forward.

[00:18:31] Ned: That is some epic words missing there.

[00:18:33] Chris: You like that?

[00:18:34] Ned: Defending forward. So attacking. Oh, no.

[00:18:37] Chris: Which is a different word because we already have that word.

[00:18:40] Ned: We’re defending forward, we’re not attacking. Wow. I just want to sit on that front. Okay.

[00:18:50] Chris: They basically want to step forward and stop bad actors before those bad actors have an opportunity to inflict harm. Now, this is a bold change, but it’s one that a lot of security analysts have actually been talking about and calling for for years.

[00:19:11] Ned: It does raise the specter of if we’re perceived as attacking these other state actors, then they can feel more justified in responding with elevated attacks from their side. Kind of like a you started at first pointing fingers type of situation, right?

[00:19:32] Chris: You’re on my side of the line.

[00:19:34] Ned: Right.

[00:19:36] Chris: And especially when you’re talking about these countries that have such a delicate relationship in international politics in the first place. It’s going to be interesting to see what goes on here. But in terms of how they want to do it, the strategy again asks for faster communications and public-private collaboration. It wants to lean harder on the financial world, not just in the United States, and we’ll get to that in another pillar, to stop the flow of money, to track where it’s going, and to make sure that the people that are doing these types of things, these malicious actors, literally just cannot get the money they’re demanding. They’re also looking for international ways to try to identify the true owners of US based servers and infrastructure. Now, it doesn’t flat out say we want to start proactively blowing up North Korean based hacking groups, but if we’re defending forward, it doesn’t really rule that out either.

[00:20:42] Ned: That’s right. I mean, to really get into our critical infrastructure, they have to establish some kind of beach head on the US side of the line.

[00:20:52] Chris: And a lot of times what happens is they go through five or six different shell companies to disguise who’s actually doing it right. So what kind of tools can we put together or regulate or whatever to make unpacking that type of hiding of who’s actually doing it a little bit easier?

[00:21:11] Ned: Brian, you’re talking about not just enlisting cybersecurity professionals, but finance professionals, forensic accountants, people who can dig into the morass of business agreements and contracts and all of that to divine who’s actually behind that six shell corporation set up.

[00:21:35] Chris: Right. And a lot of the justifications, because they revolve around ransomware, can justifiably say the money is the most important part. They define ransomware as a borderless challenge that represents a, quote, threat to national security, public safety and economic prosperity. Which, sure, yeah, ransomware has also been going down over the past two years, but it’s definitely a thing that everybody’s heard about. So the cynical take here in terms of why is framed this way. The government can then point to any cybercrime they want to and just be like that’s, just like ransomware, sort of. And then move right on to red teaming Barbados or whatever. They know what they did. They know, Ned. They know. So the next one is shaping market forces to drive security and resilience. And this is the one that you talked about in more depth last week, so I’m not going to spend a ton of time on it. Basically what it says is that the, quote, stewards of our data must be held accountable for that data’s security. That means every aspect of the Internet, really. That means accounts, email accounts, whatever you want to call it. That means your devices.

[00:23:08] Chris: That means fly by night cloud services and SaaS companies. One would have loved to see something in here about legislating away the ability for crap companies to store infinite amounts of data about us all forever, thus removing the incentive for bad actors to attack these crap companies in the first place. But I know someone has to think of the advertisers.

[00:23:35] Ned: I don’t think you said that with enough Suzanne Somers inflection, but I think I’ll let it fly.

[00:23:42] Chris: I appreciate that.

[00:23:43] Ned: All right.

[00:23:46] Chris: Now, the next one is invest in a Resilient Future. And this part of the document especially gets a little repetitive. And I am guessing that this pillar is only even in here because saying your document has five pillars sounds a lot cooler than it’s only got four.

[00:24:08] Ned: All right.

[00:24:11] Chris: It’s a bigger number, Ned.

[00:24:13] Ned: I generally like bigger numbers.

[00:24:16] Chris: C. So what is this pillar asking for? Public private cooperation, investments in R and D, and security and the national will, to quote, out innovate our overseas competitors.

[00:24:39] Ned: Okay.

[00:24:42] Chris: So this section actually does make a few specific requests, which is, inasmuch as this document makes any specific requests, these are logical but not earth-shattering changes. Things like fixing well known BGP vulnerabilities, making DNS requests not plain text, and finally implementing IPv6, which should have been done literally a decade ago.

[00:25:16] Ned: Yeah, all of these things are possible right now.

[00:25:21] Chris: Correct.

[00:25:22] Ned: The BGP vulnerability thing in particular is, there have been a bunch of different potential standards for it. But the problem you have is that BGP on the public Internet relies on the cooperation of hundreds of different organizations, and not all of them want to implement secure BGP in the same way or at all.

[00:25:44] Chris: Right. Which does make things more difficult.

[00:25:49] Ned: It does, but it’s okay.

[00:25:51] Chris: We have a strategy now.

[00:25:52] Ned: We at least have a set of recommendations and maybe the force of the US government behind it, for whatever that’s worth.

[00:26:02] Chris: So interestingly. Another more specific request made by the strategy is the creation of a digital identity ecosystem, which resembles something else we talked about.

[00:26:15] Ned: Oh, my goodness.

[00:26:16] Chris: One way to do this would have been the Decentralized Identifier W3C standard. More on that: way back in September of last year, Ned did a breakdown. Episode 26, listen your heart out.

[00:26:32] Ned: I am just impressed you looked it up.

[00:26:36] Chris: That was the hardest work I did on this whole thing. What are you talking about?

[00:26:39] Ned: Wait, what?

[00:26:40] Chris: I didn’t say that out loud. But one thing that’s missing from this list of obvious fixes that is annoying to me: why didn’t they put anything in here about the fact that email is a nightmare? That’s been a problem for 25 years, and we’ve never made any significant efforts to improve it. There’s DMARC. That’s not better. That’s a bolt on.

[00:27:04] Ned: Again, I think you have the same general problem with SMTP and email that you have with BGP in that there’s hundreds, but this time thousands of providers, all of whom may not want to make the same change to their protocol, right?

[00:27:23] Chris: But they’re all breaking it in a different, unique and beautiful way.

[00:27:27] Ned: As you pointed out, email is actually like JavaScript, right? Email has become highly centralized for a lot of people. I don’t have any numbers in front of me, but I got to imagine that between Google and Microsoft, that’s got to be like the bulk of email. So between the two of them and maybe one or two other players, they could force some changes in the ecosystem as a whole. But what’s the incentive for them to do it when they can just use their internally developed tools instead that are not open source, right?

[00:28:00] Chris: So something else that the strategy lays out plainly as something we as a country are going to have to prepare for is Quantum of Solace. No one’s ready for that. Okay, on this point, the strategy is insistent even more than clear. And what do they think we’re going to do, need to do to prepare for a post Quantum future? Invest in R and D and public private cooperation.

[00:28:32] Ned: Shocking.

[00:28:34] Chris: I am going to find whoever typed this and steal the control C from their keyboard. Now, one thing that’s interesting about this, the strategy also lays out pretty plainly that all of this is going to require a lot of cybersecurity professionals and thus they want to make sure that things coming up are available to, quote, recruit and train the next generation of cybersecurity professionals. Now, the strategy does list out a lot of already existing government programs that if people are curious about this, might be worth investigating. Called out by name are just a few, but here they are. National Initiative for Cybersecurity Education, the Cyber Corps Cyber Education Training and Assistance Program and workforce development programs and apprenticeships at the National Science Foundation and other registered agencies. So, yeah, I had only heard of it’s not important. I hadn’t heard of all of these.

[00:29:46] Ned: Or any of them.

[00:29:48] Chris: So ironically, maybe they should invest in some advertising.

[00:29:54] Ned: Yes. Try to get the word out there a little bit, especially as we’re seeing a downturn and layoffs in employment knowing that this is coming down the pike. It gives people an opportunity to scale up or reskill for that trade. And also we have other sectors that are going to eventually shed their workforce as stuff like coal becomes less and less viable. Hey, maybe some of those people working in the coal industry could learn to be cybersecurity people. Why not?

[00:30:27] Chris: And then the final.

[00:30:32] Ned: Countdown.

[00:30:33] Chris: What? The final what?

[00:30:36] Ned: What? Okay.

[00:30:38] Chris: Forge international partnerships to pursue shared goals. Last pillar, I promise. The strategy wants to continue to build partnerships that will encourage, quote, responsible state behavior in cyberspace. Now, these types of partnerships already exist, so this is again more of an expansion of existing ideas. But they do get a little feisty about some of the other more proactive things we’ve discussed, including recognizing, quote, the need to work with partners to thwart the dark vision for the future of the internet that the PRC and other autocratic governments promote.

[00:31:22] Ned: That’s a line.

[00:31:26] Chris: Dark vision, which I assume feels a little melodramatic for a governmental position paper.

[00:31:33] Ned: A wee bit, yeah.

[00:31:35] Chris: But then again, this was on page 29, and I’m assuming that even ChatGPT gets a little punchy when we get to the 20,000 word mark.

[00:31:45] Ned: That’s libel and slander, sir.

[00:31:51] Chris: This strategy also wants to build further support. More than just the economics and the information sharing. It also asks for the ability to help allies who are under attack.

[00:32:02] Ned: One would think of Ukraine, for example.

[00:32:06] Chris: Or any other smaller company that is getting completely demolished by cybersecurity attacks that would be within these partnerships. All of this with the basic goal of building partnerships that can be used to benefit those who play by the rules and team up against those who don’t.

[00:32:26] Ned: That does sound like a generally good.

[00:32:29] Chris: Idea right now, one of the things that is highlighted in the document, like I said, there already are some of these partnerships, but there are like 3000 of them, and a lot of them are, like, very small and very focused. So you’ll have three countries that have an agreement about sharing information about ransomware, but if you’re talking about all the good guys working together, multiply that by the I don’t know, let’s make up a number 100. Good countries.

[00:33:04] Ned: Good countries, right.

[00:33:06] Chris: You can see how very quickly it becomes difficult to know how to communicate. What if you have an issue with that three country agreement, but there’s a fourth country? Now you have to have a whole new agreement. Like, what’s the plan? And I think that’s what they’re going for is something a little more overarching simplifying, the ability to communicate, to share ideas, and most importantly, like I said, help thwart dark visions.

[00:33:33] Ned: Thwart dark visions.

[00:33:35] Chris: That’s the short, short version of this 38 page paper.

[00:33:39] Ned: Okay, so what do we think? Everything that you’ve talked about thus far sounds like a good idea, good recommendations. The biggest problem is implementing any of.

[00:33:57] Chris: It.

[00:33:59] Ned: Both domestically and internationally.

[00:34:03] Chris: Right.

[00:34:05] Ned: We don’t have a Congress, a lawmaking group of people who can really agree on anything at the moment. And so to try to get through any kind of legislation that is in any way contentious or even existent is going to be a pretty big hurdle to get over.

[00:34:27] Chris: Yeah, I mean, we can’t even fix daylight savings time. This is an easy one. Just stop doing it.

[00:34:33] Ned: Should have been an easy one. There was a bill and it passed the House, maybe, but no, passed the Senate.

[00:34:41] Chris: It hasn’t made it to the House for reasons. Yeah. So one thing that I do wish they had put in here is highlighting the need for increased attention on educating the population as a whole about just cybersecurity topics and best practices. We have known for years that it is humans that make up the biggest risk to any system’s security. According to a pretty famous study from 2018, 95% of cyber incidents were, quote, human enabled. And while things have gotten better over the past five years, how much better are we talking about? Really? We don’t need to put a number on it, but just think about it. Remember just last week when we talked about what took down LastPass? Wasn’t there questionable encryption or some deeply sophisticated advanced persistent threat? It was an engineer who had root access, who was running an unpatched Plex server on a desktop computer.

[00:35:54] Ned: So many things wrong with that sentence.

[00:35:56] Chris: Yes.

[00:35:58] Ned: I kind of liken it to the earlier era of automobiles, when we started introducing safety features to protect people. But as part of those safety features, there had to be a massive push in education around using or adhering to those safety features. Right, so seatbelts, for example. We can put seatbelts in cars, we can create an annoying ding sound that if you don’t buckle, it will continue doing. But at a certain point, you need to educate the person enough to know why they should put on the seatbelt in the first place.

[00:36:36] Chris: Right. And very famously, back then, when they were doing that, one of the people that they enlisted was one of the most well known movie stars at the time, James Dean, who then, a week or so later, very tragically died because he wasn’t wearing his seatbelt.

[00:36:53] Ned: Well, the world has a distinct sense of irony, doesn’t it? But it did dramatically show the impact of not following your own advice. So that’s, I mean, sad, but I’m not suggesting that we unintentionally kill an educator in service of increasing cybersecurity, but some kind of educational program would probably be a good idea, some sort of PSAs, a push for better personal cybersecurity be a good idea.

[00:37:30] Chris: I agree. Lightning round.

[00:37:33] Ned: Lightning round. We are not going to cover Silicon Valley Bank. Last week was a rough one for venture capitalists, startups and investment bankers, as we saw the thoroughly stunning collapse of what seemed like a permanent institution in Silicon Valley. Silicon Valley Bank, better known as SVB, suffered a bank run due to poor messaging and perceived insolvency on the part of its depositors. In a panic, customers of the bank, primarily focused on startups and tech firms, rushed to withdraw their money for fear they would be left holding an empty sack of promises, draining the bank’s reserves completely to the tune of $42 billion. The bank could not meet remaining requests, so the FDIC took over the bank and declared it insolvent. This is generally considered a bad thing. This only heightened the panic among remaining depositors who were worried they wouldn’t be able to make payroll and pay operational bills in the coming weeks. Late Sunday night, the FDIC announced that they would make depositors whole with access to their funds on Monday in their full amounts. That’s basically where we are now. These are all just the facts on the ground that have been reported well by other sources.

[00:38:51] Ned: Neither I nor Chris are remotely qualified to comment or analyze what went down, and unlike half of Twitter at the moment, we won’t pretend to be. If you want an excellent breakdown, check out the linked video from Patrick Boyle and stay tuned because this story is still emerging and many of the early details, hot takes and quote unquote facts are likely to be wrong.

[00:39:20] Chris: United Kingdom’s Online Safety Bill set to completely destroy security and privacy online. Yay. Anyone with even a small amount of privacy background or interest knows that the UK kind of loves prying into the lives of their citizens. London famously is the only city outside of China in the top ten when it comes to CCTV cameras per capita. Now, to put a feather in their “won’t someone think of the children” cap, the UK is once again attempting to destroy Internet security this coming parliamentary season so they can spy on people basically at will. The idea of this bill would require companies to break end-to-end encryption and hand over messages from individuals to the government when asked. This, of course, is a terrible idea and would result in a lot of security problems and basically the end of privacy in a reliable fashion online. Gross. The bill is so bad that even Facebook is on the right side of the issue, saying that they would rather remove WhatsApp from the UK market completely than remove end-to-end encryption. How in the world is the UK missing that particular bellwether? It is time to seriously reevaluate your priorities and actions when you’ve done something so stupid that even Facebook appears to be in the right.

[00:40:51] Ned: Advertising company Google killed Reader ten years ago. Never forgive, never forget. It was a decade ago that advertising company Google formally announced they were discontinuing Reader, but it still feels like it was yesterday. For those who never had the pleasure of using Reader, it was essentially an RSS feed aggregator that ran in your browser. RSS is probably best known as that weird protocol podcasts use, like this one, but it’s really just a way to publish content to subscribers in a standard format from an unchanging URL. As someone who ingests a lot of news, being able to view and control the aggregation of sites is awesome. For sites that still support RSS, I tip my hat to you. Everyone else, you suck. Regarding Reader, I want to make two things very clear. Number one, Google Reader was not the greatest application ever. No one is claiming that. Advertising company Google is notoriously bad at UI and design, and Reader was no exception. Number two, free replacements absolutely exist. I’ve been happily using Feedly for the last seven or eight years. The death of Reader is about something bigger. It was the beginning of advertising company Google becoming advertising company Google, ruthlessly killing off apps, a practice I would argue has sowed distrust with users and stunted innovation at advertising company Google, to the degree that it was ever there.

[00:42:26] Ned: And also it signaled to news aggregators like Facebook and advertising company Google itself that they should focus on curating the feed for you, injecting ads and monetizing your eyeballs. In memoriam, Google Reader: you weren’t the best. You weren’t even that good. But you represented a better possible internet, and I lament your early demise every day.

[00:42:54] Chris: Facebook developing a Mastodon-like social network to take on Twitter. Finally smelling blood in the water many, many months late, Facebook is apparently working hard on a skunkworks project that will allegedly be a direct competitor to Twitter. Twitter, which everyone hates, is on what we can all see is a probably unavoidable death spiral. Facebook, which everyone hates, is finally taking notice. The Instagram team appears to be working on a project codenamed P92 that would conceivably be a Mastodon that people have actually heard of. It is designed to be decentralized, but don’t worry, don’t worry, you would still use your Instagram account to log on, so Zuck will still be able to spy on you with his usual lack of care for your privacy or protecting your data. Still, it is likely that only a company with the user base of a Facebook will create the network effects that are clearly required for a social media project to work. To do a quick comparison, Mastodon and the fediverse have approximately 2.6 million users. That’s users total. Facebook has 2 billion active users worldwide. These are two slightly different numbers. And the P92 project would allegedly take advantage of ActivityPub, which is what powers the fediverse.

[00:44:26] Chris: So Facebook, while still unavoidably awful, might have the numbers sway to make a decentralized tool a reality. Baby steps.

[00:44:38] Ned: Baby steps. You know, I wrote a whole lightning round article, that was the same article but taking the opposing position. And then I read yours and deleted it.

[00:44:48] Chris: That’d be pretty funny if we had them side by side and we just let it go without coming.

[00:44:52] Ned: They were side by side. I just didn’t read yours first.

[00:44:54] Chris: Nice.

[00:44:57] Ned: GitHub will require 2FA on all accounts by year end. Let’s hope this is the beginning of a trend. Starting on March 13, GitHub is embarking on a campaign of getting every user enrolled in two-factor authentication for their login. Rather than trying to do it all at once, they are selecting small groups of developer accounts to target, sending them emails and displaying a banner notification when the user logs in. Targeted accounts will have 45 days to enroll before being forced to enable 2FA on their next login. GitHub supports TOTP, security keys and SMS-based factors. While they recommend using TOTP or security keys over SMS, they don’t put SMS behind a paywall, unlike garbage Twitter. You can also set up multiple second factors and select which is your preferred method and which is your fallback method. Additionally, GitHub is testing the use of passkeys for integration later this year. Considering the staggering amount of important code that lives on GitHub, I’m surprised it took them this long to roll out the 2FA requirements. Other sites should take notice and enable similar policies, helping make our web a little bit safer.

[00:46:14] Chris: After a six-year absence, Go appears to be a top ten language again. Yay, maybe.

[00:46:22] Ned: Sure.

[00:46:24] Chris: When building software, the first thing a software builder has to do is pick the language to software in. And if you’re not in tech, it can frankly be a shocking, bewildering thing to learn how many languages there actually are out there. Spoiler alert: it’s a lot. TIOBE, the software quality company, regularly releases a listing of the languages that are the most popular. Now, this is not in terms of quality or power. It is a pure listing based on the number of lines of code produced on publicly available data. Number one, with a bullet, is of course Python. Number two is C, probably because of stubbornness. Number three is Java, because why not be self-destructive? And then C++ rounds out the top four. These are the titans of the software industry, and they barely ever change their rankings. The rest of them can get a little interesting. And this month, the Google language Go snuck back into the top ten, literally at number ten, but hey, it counts. Go has been around for a while, but it hasn’t made the top ten of this list for the past six years. It barely edged out assembly for this March iteration.

[00:47:47] Chris: Time will tell if it sticks around. It would be good if it did. That underdog, advertising company Google. It’d be keen if they could get a win.

[00:47:56] Ned: Boy, they really need it, don’t they? Hey, thanks for listening or something. I guess you found it worthwhile enough if you made it all the way to the end. So congratulations to you, friend. You accomplished something today. Now you can sit, sit, sit, stay. Good listener. Give yourself a treat from the jar on the counter. Now the other one. You’ve earned it. You can find me or Chris on Twitter at @ned1313 and @heiner80 respectively. Or follow the show at @Chaos_Lever, if that’s the kind of thing you’re into. Show notes are, as is the sign-up for our newsletter, which you could get every week in your mailbox. Your email box, that is. We’ll be back next week to see what fresh hell is upon us. Ta-ta for now. Now that’s out of the way, I guess I can say whatever I want. You’re a stinky poop head, and I don’t like you.

[00:48:52] Chris: Ha.

[00:48:53] Ned: You don’t listen to the podcast anyway. You left me.

[00:48:58] Chris: What was the question?

[00:49:01] Ned: What is your favorite type of fruit juice?

[00:49:04] Chris: Welch’s.

[00:49:07] Ned: Wrong answer. Grape.

Chris Hayner (He/Him)

Our story starts with a young Chris growing up in the agrarian community of Central New Jersey. Son of an eccentric sheep herder, Chris’ early life was that of toil and misery. When he wasn’t pressing cheese for his father’s failing upscale Fromage emporium, he languished on a meager diet of Dinty Moore and boiled socks. His teenage years introduced new wrinkles in an already beleaguered existence with the arrival of an Atari 2600. While at first it seemed a blessed distraction from milking ornery sheep, Chris fell victim to an obsession with achieving the perfect Pitfall game. Hours spent in the grips of Indiana Jones-esque adventure warped poor Chris’ mind and brought him to the maw of madness. It was at that moment he met our hero, Ned Bellavance, who shepherded him along a path of freedom out of his feverish, vine-filled hellscape. To this day Chris is haunted by visions of alligator jaws snapping shut, but with the help of Ned, he freed himself from the confines of Atari obsession to become a somewhat productive member of society. You can find Chris at coin operated laundromats, lecturing ironing boards for being itinerant. And as the cohost on the Chaos Lever podcast.

Ned Bellavance (He/Him)

Ned is an industry veteran with piercing blue eyes, an indomitable spirit, and the thick hair of someone half his age. He is the founder and sole employee of the ludicrously successful Ned in the Cloud LLC, which has rocked the tech world with its meteoric rise in power and prestige. You can find Ned and his company at the most lavish and exclusive tech events, or at least in theory you could, since you wouldn’t actually be allowed into such hallowed circles. When Ned isn’t sailing on his 500 ft. yacht with Sir Richard Branson or volunteering at a local youth steeplechase charity, you can find him doing charity work of another kind, cohosting the Chaos Lever podcast with Chris Hayner. Really, he’s doing Chris a huge favor by even showing up. You should feel grateful Chris. Oaths of fealty, acts of contrition, and tokens of appreciation may be sent via carrier pigeon to his palatial estate on the Isle of Man.