[00:00:00.410] Ned: That seems excessive. Okay, so we’re using a new platform. I’m sure this is going to go well.
[00:00:08.800] Chris: Oh, yeah. Change always works perfectly the first time.
[00:00:16.050] Ned: 60% of the time it works every time.
[00:00:18.880] Chris: No, it doesn’t.
[00:00:20.770] Ned: No, it doesn’t. But I do appreciate that we’re sort of beta testing live. The one feature that I like so far, and this may be silly, is that I can actually name the recording, which you would think would be a simple thing, but for whatever reason, the other platform didn’t let me name the recording. So all of the file names don’t correspond to anything. They’re just recording five, recording six. That’s not helpful.
[00:00:50.750] Chris: What’s important is this is riveting to the people that are listening.
[00:00:55.730] Ned: Let me tell you about the minutiae of audio editing and getting a proper level set for everyone.
[00:01:01.620] Chris: You’re not moving on, are you?
[00:01:04.150] Ned: I don’t know. Do you want me to talk about audio?
[00:01:09.510] Chris: I think you should move on.
[00:01:11.160] Ned: Okay. Moving on. Fine. My eye’s still red, so that’s cool.
[00:01:17.140] Chris: Yeah. That takes, like, six months to clear. I don’t know why you keep bringing it up.
[00:01:22.250] Ned: Yeah, the WebMD article I read said, like, four weeks, and apparently that’s a lie, like everything else on that site.
[00:01:29.010] Chris: Well, it would be four weeks if you were, like, 20.
[00:01:33.550] Ned: That’s a valid point. Now that I’ve reached the ripe old age of a million, right? Things just… they go slower.
[00:01:42.610] Chris: Yeah. “This will be healed in four to six weeks” very quickly becomes “You can handle it.”
[00:01:51.170] Ned: It’s fine.
[00:01:52.630] Chris: Take another Advil.
[00:01:55.350] Ned: My calf is finally doing better. I was able to run 3 miles this weekend, and it felt fine when I was done.
[00:02:03.640] Chris: That is legitimately progress.
[00:02:05.470] Ned: Doesn’t sound like you, and I am taking it slow.
[00:02:10.650] Chris: Doesn’t sound like you.
[00:02:12.010] Ned: I know. I am just going against the grain and my natural inclination for everything, and it’s fine. Everything’s fine. Hello, alleged human, and welcome to the Chaos Lever podcast. My name is Ned, and I’m definitely not a robot. I’m also not an octopus, a bonded crow pair, a Portia spider, or an amalgamation of quasi-sentient gloop. And I’m certainly not a weird mass of bones, hair, and vestigial organs that serve no purpose except to further confirm the theory of evolution. Oh, wait, no, wait, I am that. I’m precisely that. And so is our wonderful co-host, Mr. Chris. Hello, Chris.
[00:02:57.820] Chris: Look, you can have one of the two. You can have a wonderful co-host, or you can have Chris.
[00:03:03.450] Ned: You’re saying they’re mutually exclusive?
[00:03:05.810] Chris: It’s not me that’s saying that. It’s like, society.
[00:03:08.970] Ned: It’s like our entire audience.
[00:03:10.690] Chris: I really think we should not have started sending out surveys. It has not gone well for me.
[00:03:17.390] Ned: You know, I have considered sending out a Chaos Lever survey. I don’t know if anybody would actually answer.
[00:03:21.330] Chris: Though I suspect you would answer, like, 15 times.
[00:03:26.210] Ned: Well, I do tend to put my thumb on the scale of history, but I wonder what should even be on the survey? Let’s think of two good questions. Is this a good question? Yes or yes? Did you enjoy the previous question? Yes or yes?
[00:03:45.050] Chris: If you were sentient, what would your opinion of eschatology be?
[00:03:49.210] Ned: Yes or yes? See? It works for everything.
[00:03:52.680] Chris: Yeah, it’s going to go great.
[00:03:56.250] Ned: All right, let’s settle down. Settle down, everybody. So you didn’t go to a conference, and you’re going to talk extensively about the conference you didn’t go to.
[00:04:05.900] Chris: Sort of. All right, so, the end of April was a pretty big deal conference called RSA, and they have little conferences all through the year, but the big one every year is in the US, because, of course, in San Francisco. I didn’t go.
[00:04:24.790] Ned: Good.
[00:04:25.450] Chris: So I did decide to look into it. So you don’t have to either.
[00:04:31.030] Ned: That’s fair.
[00:04:32.140] Chris: So, like I said, it’s a big conference and it is a lot of material. Okay, how much material, one might ask.
[00:04:44.650] Ned: I didn’t, but I might.
[00:04:46.480] Chris: The website lists at least 333 scheduled events covering 25 discrete topics and subject areas that took place over a three day period.
[00:04:58.990] Ned: That’s a lot.
[00:05:00.750] Chris: So that’s way too many for any single person or even a single company to cover in full.
[00:05:07.810] Ned: And yet we’re going to try.
[00:05:09.380] Chris: Well, it’s interesting because realistically, since there’s so much material, you could go into that and make a summary before you even go, and your summary would be accurate.
[00:05:22.150] Ned: Somewhere. You are correct.
[00:05:23.860] Chris: Exactly. However, there were some what I thought were key takeaways that are not specifically about individual technologies per se, but more like what is the industry and what is the market saying the year is going to look like based on short term answers and a little bit more like medium term forecasts.
[00:05:44.590] Ned: So themes in a melody, pretty much.
[00:05:46.910] Chris: Which is really funny for something we’ll get to a little bit later.
[00:05:51.710] Ned: And I didn’t even read ahead.
[00:05:53.080] Chris: Look at me now. In case anyone watching, listening, reading wanted to dig more into this on your own, you actually do have a few options. First off, some of the topics and sessions are making it onto YouTube. The keynotes, all 30 of them, are available as of today.
[00:06:14.150] Ned: Is it still a keynote if there’s 30 of them?
[00:06:17.830] Chris: If you want access to the full 333 events, I’m ignoring you, though you’ll still have to pay. It’s far cheaper than buying a ticket for the actual event, but it’s still not free. They will not release the majority of the recorded sessions for free until next year’s event rolls around. Now, sometimes, if there is a subject, a topic or an author that you find interesting, the content could be available from other sites, prior publications, et cetera. It’ll just mean you’re going to have to get creative with the Google. Now, I actually did this for this week’s secret bonus content that’s only available in our handy dandy newsletter.
[00:06:59.550] Ned: Look at you leaning into the newsletter, as everyone should. You can go to chaoslever.com/newsletter and sign up.
[00:07:07.530] Chris: We didn’t plan that, and we didn’t. If you’re really only interested in security itself or the concepts in general, looking at the videos from 2022 is really not that bad of an idea, because, like I said, it’s 2023. Everything from 2022 is online for free as of now. A lot of what is talked about at events like this is not blazingly new, with a few exceptions. Admittedly, the world according to AI is going to look a lot different last year than it did at this year’s event.
[00:07:42.690] Ned: Just slightly. Yeah.
[00:07:43.990] Chris: But for example, if you are intrigued by a 2023 video entitled The Simple Yet Lethal Anatomy of a Software Supply Chain Attack, well, there’s still going to be value in spending 45 minutes with the 2022 version, even if it is a year old.
[00:08:01.210] Ned: There’s a reason why the OWASP lists don’t really change that much year to year.
[00:08:07.770] Chris: Yeah. I mean, we do love to talk about how fast it moves, and it’s one of those things where it’s like it’s true, but it’s also not true.
[00:08:17.230] Ned: Right?
[00:08:17.630] Chris: It depends on how you’re approaching the question.
[00:08:20.930] Ned: We find all kinds of ways to do the same thing wrong again.
[00:08:26.210] Chris: That’s a sticker. Yeah.
[00:08:29.650] Ned: Anyway, I’m writing it down, like I said.
[00:08:31.920] Chris: So I was looking for larger trends and themes, and the biggest takeaway I got from not attending RSA 2023 is this: the rest of 2023 is going to be tough on IT and security teams for a couple of major reasons that you can probably think of already. The uncertain economy is one thing. Don’t forget a very real set of workforce challenges. The accelerating rate of change in both attack and defense postures is another. The cloud and the edge, two hazy terms at the best of times, are starting to mix and intermingle, forcing some security teams to completely rethink strategy. And just that sentence is probably worth a full deep dive all on its own.
[00:09:17.430] Ned: Not it! Probably… oh, I guess that’s me next week.
[00:09:21.970] Chris: And of course, the introduction to basically everything of our best friend AI. So what does this mean in terms of goals? Like, this is just buzzwords at this point. What am I supposed to do with all this? Well, I broke it down into two main categories and stop me if you’ve heard these before. Companies are going to have to stop.
[00:09:43.930] Ned: You told me to.
[00:09:45.610] Chris: You didn’t say hammer time. I’m so disappointed.
[00:09:49.530] Ned: I don’t want to get sued again.
[00:09:51.360] Chris: Companies are going to have to, one, do more with less when it comes to their IT and security budgets. And two, cybersecurity needs to be a part of company culture. But, like, for real this time. Like, for serious, no takesy-backs.
[00:10:06.380] Ned: Yes. I mean, they could start by not, like, making everybody else hate them.
[00:10:15.590] Chris: Once again, I’ve tried that, and it has had mixed success.
[00:10:19.510] Ned: Fair enough.
[00:10:20.470] Chris: So companies have been talking about wanting to limit their IT budgets forever, right? Reports from Q1 early spending in the enterprise space are showing that this time it’s actually happening, especially at the highest levels of enterprise and the most expensive or highest-priced initiatives. Top spenders averaged $10 million or more per initiative in 2022. Now, this is like the 1% of the 1%. Obviously, not every company is going to spend $10 million on one initiative, but that rate is down by 50% so far, more or less, across the board. Now, for the purposes of this statistic, an initiative is a major umbrella term like digital transformation or zero trust deployment. A lot can go into that. Needless to say, if you all of a sudden have that budget cut in half, you’re going to have to get creative, right?
[00:11:24.960] Ned: Or just kind of remove some of the things that weren’t actually part of the initiative to begin with. They’re someone’s pet project that they thought they could just kind of shoehorn in, like earmarks in a bill.
[00:11:37.070] Chris: So what did the kind people, or the strategists, I should say, at RSA think that we as an industry need to do about this? A few strategies, and stop me if you’ve heard these before. Reduce costs, spend tactically, and automate the daylights out of everything.
[00:11:56.470] Ned: Wow. That’s all in my bingo card right there.
[00:12:00.790] Chris: The number one best way to optimize costs is to understand what your expenses actually are and map them to what you expect them to be.
[00:12:16.810] Ned: I’m… I’m laughing because this is, like, budgeting 101.
[00:12:20.460] Chris: Yeah, you’re absolutely… I mean, to bring it down into terms that most people will understand, this is not that much different of an economic situation than when you kind of have to tighten the belt at the high school level. Great. The household level.
[00:12:37.010] Ned: Well, you mentioned high school, and this is one of the things that they’re supposed to teach you in, like, home ec or whatever in high school, is how to come up with a budget and stick to that budget and track your expenses.
[00:12:51.710] Chris: Right.
[00:12:53.030] Ned: This is literally like the first thing that money management gurus have you do, is write down or figure out everything that you’re currently spending money on and come up with a budget.
[00:13:05.060] Chris: And if people were doing that, would we need money gurus?
[00:13:09.210] Ned: I would argue we never need money gurus because it’s always some sort of grift. But point taken.
[00:13:15.380] Chris: I mean, the problem is that these things just kind of you see something that you think you need, so you buy the entire deal. It’s only after the fact, when you’re looking at your American Express bill, that you’re like, wow, do we really need HBO Max and Netflix and Disney Plus and Peacock and CBS All Access and whatever, 37 other streaming programs. I can’t even think of off the top of my head right now.
[00:13:43.190] Ned: Yeah, just try to remove one and see what the kids say.
[00:13:45.770] Chris: Well, you have to then start asking tough questions. What’s the percentage time you actually spend watching them versus what you spend monthly on those subscriptions?
[00:13:54.650] Ned: Me personally, almost zero.
[00:13:57.630] Chris: Similarly, from a household security perspective, how dangerous is your neighborhood, really? Do you really need, say, a twelve camera surveillance system, all steel doors, electrified bars on your windows, and a fire moat?
[00:14:14.370] Ned: The fire moat is non negotiable.
[00:14:16.140] Chris: Yeah, obviously that one’s rhetorical. Everyone needs a fire moat.
[00:14:20.370] Ned: Dragons are optional.
[00:14:22.630] Chris: Let’s call that a stretch goal. But the processes that you use as a business to rationalize your expenses are the same. We just have fancy names for them. The two that are the most common right now are FinOps and Cost Ops. Because we love portmanteaus.
[00:14:45.620] Ned: We do.
[00:14:46.000] Chris: I mean, really, they mean the same thing. And stop me if you think that these definitions are incorrect, but in my mind, or my understanding, FinOps has sort of come to mean understand the money you’re spending in the cloud. And Cost Ops is kind of a larger idea of what are you spending everywhere else.
[00:15:07.330] Ned: Every time I’ve heard the word FinOps used, it’s been in relation to cloud spending.
[00:15:12.190] Chris: Right?
[00:15:13.430] Ned: So yeah, I think that’s… Cost Ops says to me just general cost calculation for anything across all of your business. FinOps, for whatever reason, has been pinned very specifically to IT and cloud costs.
[00:15:28.250] Chris: Well, I think that makes sense, to have kind of the umbrella term and then a very specific, narrow and focused term. Because one of the biggest problems with the cloud is the way that it is charged is very granular, which means it’s very hard to keep track of. People make mistakes, people forget things are running, people are using way too many resources. So the biggest example and the number one thing that still costs people more money in the cloud than anything else, Ned? Network egress.
[00:16:01.990] Ned: No. NAT gateways.
[00:16:04.510] Chris: Compute resources.
[00:16:07.510] Ned: Yeah, like I said, NAT gateways.
[00:16:10.630] Chris: So, I mean, one part of FinOps is it’s as simple as, do I have the right EC2 instances running? Solve that problem and most companies will save at least 30% on their bill, period. You’re done. That’ll be $300.
[00:16:26.170] Ned: There’s a reason when I went to re:Invent that there were so many cost control companies whose basic pitch was, we’ll look at your EC2 instances and tell you what you’re doing wrong.
[00:16:35.580] Chris: That’s why it was like eight of them. Even in the age of microservices and PaaS, for everything, there’s a lot of companies, and by a lot I mean like 80% of cloud usage is still IaaS based. Yes, you’ve got options. FinOps simply explains to you what those options are and the best ones to take advantage of.
[00:16:57.510] Ned: Right. And the deeper we go into the age of the cloud, the more generations of compute there are and the more diversified they get. So actually selecting the appropriate family and size for a given compute, assuming you actually know what your application profile looks like to start with, which you don’t, you’re almost guaranteed to select the wrong size to begin with and continue to be wrong for a while.
[00:17:26.430] Chris: That’s a great name for my autobiography: Continue to Be Wrong for a While, Chris Hayner’s Story. So that’s your infrastructure. Another part of this is software based, and the way to do that is generally termed as tools rationalization. And this is kind of what you were alluding to before, similar to infrastructure that just appears, is a financial drain, and might not be clearly understood. Over time, companies accumulate an inventory of software tools. This can be for a lot of reasons. The most common one is siloing. Different business units might have purchase authority and buy something just for their one specific need at one specific time. And oh yeah, they signed a three…
[00:18:10.590] Ned: …year contract with automatic renewal.
[00:18:15.390] Chris: This translates into a ton of products, on prem, in the cloud, wherever, of which companies are often using like 5% of the features. And this is, as you can imagine, an enormous inefficiency. So not to get into too much detail, but a real-life example: there was a company that had been spending something like $1.5 million a year on security tools that were sold by something like 40 vendors.
[00:18:46.150] Ned: Wow.
[00:18:46.760] Chris: Now, I don’t care if your company is Bank of America, that’s too many tools and that’s too many vendors. Detailed analysis of their actual needs knocked that down to a yearly spend of less than 20 vendors.
[00:19:02.750] Ned: Not bad.
[00:19:03.380] Chris: And this kind of result from a tools rationalization is not uncommon, it’s just often not done well.
[00:19:10.530] Ned: It’s the sort of thing that needs to happen from the top down. Because as you alluded to it’s because you have all these siloed groups that are trying to solve a problem that’s specific to them. And they know that if they tried to pick a tool that worked for other portions of the organization, then it would get into this big, long, drawn out, multi month discussion where you have to have all these meetings and figure out requirements for each one. Or they can just swipe the credit card and start using this new tool that has the thing they need.
[00:19:41.740] Chris: Right?
[00:19:42.520] Ned: So you need someone from the top down to go, okay, it’s rationalization time. I’m going to make you have these painful and annoying meetings until we get it down to a reasonable number.
[00:19:52.130] Chris: Exactly. And everybody has to agree that that’s a good strategy or it will never work. And we’ll get to that in a minute.
[00:19:59.070] Ned: Okay.
[00:19:59.660] Chris: But this is also why I believe that the cost should be considered at least tangential to your overall security strategy. Reduction in a budget like I just talked about means that there’s more money to spend on something new. With no reduction in your functionality or security posture, that money can then be spent on something new. That, I mean, come on, probably has AI in it. More on the implications of AI this summer, though, after I don’t attend Black Hat but do a breakdown of it anyway. Yes, I’m just thinking ahead, but Dev? Fin? Sec? AI? Ops? Anyone? Anyone?
[00:20:39.440] Ned: Good and tight? Moving on, moving on.
[00:20:43.150] Chris: All right. Risk management as a part of security strategy probably sounds about as enticing as the above suggestion to include cost management, but it is true some risks are more important than others. The famous example that’s used in probably every business school ever is a factory in the middle of Kansas buys flood insurance. Sure, a flood might happen, but don’t you think a tornado insurance might be better?
[00:21:11.990] Ned: It’s so much more expensive.
[00:21:15.590] Chris: Knowing what you need to spend money on is super important, since it’s easy to get carried away by the latest and greatest new thing. RSA had a lot of discussion about the old model of SIEMs and XDR solutions, which were all the rage 18 months ago, kind of falling by the wayside. Not because they weren’t worth it or not because they didn’t do what they promised, but because they were crazy expensive and confusing to implement and manage.
[00:21:44.050] Ned: Oh, I thought it was because the acronym was dumb.
[00:21:48.850] Chris: That is sometimes a problem. Sometimes people buy the acronym. But the question… these are easy purchases to make when the money is flowing, but when the belt tightening happens, you have to start asking the more important question of, yeah, they solve a lot of problems, but do they solve our specific problems?
[00:22:12.250] Ned: Right?
[00:22:14.330] Chris: And solving our specific problems and really breaking things down into discrete areas to cover was a huge topic at RSA, with talks on attack surface management, cyber asset management, vulnerability management, proactive instead of reactive security testing, et cetera, et cetera.
[00:22:37.010] Ned: Et cetera, et cetera.
[00:22:39.650] Chris: And this is the part of IT work and security work that’s not fun.
[00:22:46.230] Ned: Is any of it fun?
[00:22:49.030] Chris: A lot of what those things entail is sitting in meetings, breaking down your requirements, talking about what the software actually does, comparing and contrasting. But once you do that and you can manage all these things, you can get a better understanding of the gaps your company might have. And crucially, a shopping list for if you actually need to buy something new and that if is really important. Or can you extend the use of something you already have.
[00:23:23.490] Ned: The problem with those kind of assessments? Well, I already mentioned it has to be top down, right? Someone actually needs to sponsor this and force all the different bubbles or silos within the company to actually jump in. But it also feels like you’re not accomplishing anything. We’re sitting in meetings, we’re not doing anything right. And people need to feel, I won’t say everybody, some people need to feel like they’re being productive. And what you’re talking about doesn’t initially feel productive. It feels like busy work, even though in the longer term, it has real positive implications.
[00:23:59.250] Chris: Yeah. It feels like a grind. And what ends up happening, and this is one of the reasons, I think, that a lot of technical people are skeptical, is they’ve probably done an exercise like this before.
[00:24:11.650] Ned: Yeah.
[00:24:12.240] Chris: And the result has been predictable. You get some kind of boilerplate copy and paste with your company’s name slapped on the front of it. It’s 400 pages long. Nobody ever reads it, and nothing changes.
[00:24:29.510] Ned: And that’ll be $15 million. Thank you very much.
[00:24:33.110] Chris: And I think that that’s one of the things that’s actually changing. And one of the reasons that it’s getting so much attention at places like RSA conferences is companies have started to recognize we need to do a better job at this. We can’t just throw best practices back in a CEO’s face and say, that’ll be $15 million. I’m sure some companies still do that, but I would argue that the number of companies that are doing that is shrinking.
[00:25:00.830] Ned: Right. It wouldn’t be you, though. It would be the consulting company that you hired to do the exact same thing.
[00:25:06.580] Chris: Yeah. And that is a question that really it was interesting because it seemed like the fact that you were using a third party for that kind of exercise was assumed.
[00:25:15.670] Ned: Yes.
[00:25:16.140] Chris: And it’s not necessarily a bad thing because somebody coming in cold will ask every question under the sun and will not make assumptions.
[00:25:25.670] Ned: And also, in theory, they have a process in place for doing this kind of thing, and they’re the experts in accomplishing what you want at the end. That’s why we… well, you still do consulting, but I don’t as much. But that was the reason people hired us, is because we had the experience and the knowledge. They’re going to do it once; we’ve already done it 20 times.
[00:25:46.450] Chris: Right.
[00:25:47.330] Ned: That’s the theory.
[00:25:48.530] Chris: And we bring coffee mugs.
[00:25:51.150] Ned: But the problem is what happens when the consultants leave?
[00:25:54.370] Chris: Right. And that’s why the deliverables have to be worth the expense. They have to be actionable, they have to have roadmaps, et cetera, et cetera. And as you’re comparing and contrasting and shopping for a company to help you do these types of things, those are the questions that your organization needs to ask. What does the result look like as you walk out the door? How quickly can my team turn this into something functional?
[00:26:23.210] Ned: Right.
[00:26:25.050] Chris: Also, can I have another coffee mug?
[00:26:27.850] Ned: At least two.
[00:26:30.010] Chris: So, like you alluded, the other big part of this is that it’s got to be a team effort. Cybersecurity needs to be a part of company culture from the top down. There is and has been a large disconnect between CIOs, CSOs, and executive boards in many organizations basically forever.
[00:26:54.390] Ned: Yeah.
[00:26:55.300] Chris: I mean, this is the old “IT can’t just be considered an annoying expense, it’s got to be considered as an essential part of making a profit” argument.
[00:27:04.710] Ned: It’s not viewing IT as a cost center, right, but it’s also IT proving that they’re not a cost center also.
[00:27:11.120] Chris: Correct. CSOs might be the person at the highest level that is working specifically to keep the organization’s data secure, but it’s difficult to make it a priority if the CFO is not on board and is just cutting budgets without considering the impacts of, say, reduced staff. Because a lot of times, if you’re doing something defensive, it’s going to be a little bit more active and it’s going to require upkeep and management and eyes on a dashboard. And if that starts to stagnate, your defensive posture becomes, shall we say, brittle.
[00:27:49.910] Ned: Let’s shall.
[00:27:51.350] Chris: And I know a lot of people get tired of hearing this and are like, oh, well, that’s a problem that we solved because we’ve been talking about it for so long.
[00:28:00.840] Ned: Well, we sure have.
[00:28:02.240] Chris: It isn’t a problem that we solved. In a recent survey by financial software company Coupa, 33% of CFOs said they felt more tension with the CIO than with any other leader in the company. Cool.
[00:28:18.350] Ned: Awesome.
[00:28:19.470] Chris: And this is why breaking things down into discrete and actionable points is so important. Cost ops, tools rationalizations, risk registries, et cetera. You, as the IT staff, have to meet the rest of the C suite with compelling arguments backed with data. You don’t just run into the boardroom and scream, we need this.
[00:28:39.510] Ned: Right.
[00:28:41.270] Chris: But simultaneously, the rest of the C suite needs to be able to listen. They need to have a position of cybersecurity is important, right?
[00:28:54.140] Ned: Like, they know that sales is important because sales is how money comes in. They know that however they produce their goods is important. So keeping your cost of goods sold low while your sales up, that’s all important. But how is Dave over in risk management helping my company grow or make more money? You’ve got to convince me that I have to keep Dave around.
[00:29:18.870] Chris: Right? And the easiest way to do that from a cybersecurity perspective is in a risk registry. What is the cost of a breach that makes the cover of the New York Times? What’s that going to do to the rest of the year’s financial forecast, right? And crucially, this is why it has to be an ongoing conversation. The CSOs and the CIOs have to be in the room all the time. It cannot just be, here’s your budget, now leave me alone. And for God’s sakes, turn off MFA on my email. That is not the way we want IT to talk to the C suite. Right? But you don’t have to take my word for it, because this time it was the RSA conference that said it.
[00:30:06.290] Ned: And I know what that is. As a CEO, I’ve heard the… no, I’ve heard that before.
[00:30:11.170] Chris: I know what you’re saying to yourself: self, this is great and all, but did any of it from RSA touch Chris’s still-stellar predictions from January? Well, the answer is no, but also yes. Wait. None of the above really touches explicitly on my predictions, but there was another big component of RSA that did: the maturing opinion of these types of companies around Zero Trust.
[00:30:41.470] Ned: Okay?
[00:30:42.060] Chris: There was a lot less product and ballyhoo and a lot more actual strategy: phased product ideas, metrics companies could use to help evaluate where they are and where they need to be. And it was just kind of folded in to a lot of strategy discussion as a must-have. Considering that I said in that predictions episode, quote, zero trust will gain a lot more traction, unquote, I’m going to chalk this one up as a win. Ding!
[00:31:11.750] Ned: I’ll allow it.
[00:31:13.510] Chris: And incidentally, this is one thing you can look at in some of the keynotes. You’ll just hear them talk about zero trust, as a matter of fact, which I think is a major change.
[00:31:22.570] Ned: Well, just to go back to the naming thing, like XDR is stupid, zero Trust is actually a pretty slick marketing term in the sense that it’s nebulous enough that you can put just about anything around it, and also, it sounds inherently secure. So whoever came up with that term, well done.
[00:31:42.370] Chris: It was me.
[00:31:46.130] Ned: O’Doyle rules.
[00:31:47.640] Chris: Lightning round.
[00:31:49.030] Ned: Lightning round. EU does their best Dr. Evil to the tune of $1.3 billion. Once again, the EU shows us how us silly Yanks should be doing privacy protection by slapping Facebook (still not going to call them Meta) with a $1.3 billion fine for privacy violations under GDPR. Yes, Facebook is being fined for privacy violations. I will wait for you to catch your breath. What’s shocking is not that Facebook has been lax at best and actively malicious at worst with EU citizen data. It’s that they’re actually being held to account. Not only that, but the ruling that came down from Ireland’s Data Protection Commission also orders Facebook to stop transferring data from EU servers to servers hosted in the US, an action previously allowed under the Privacy Shield pact. That pact was declared invalid in 2020 by the EU courts because the US couldn’t keep their grubby hands off of EU citizen data. The ban takes effect in five months, and all EU data needs to be scrubbed and purged in six months. Of course, Facebook being Facebook, they can simply pay the fine and say no thanks to the rest. Which they may be inclined to do, since $1.3 billion represents about 1% of their annual revenue for 2022, revenue that relies on selling ads that target some portion of the EU populace.
[00:33:27.960] Ned: So while I laud the EU, what we need to do is a little bit of enforcement on this side of the pond as well.
[00:33:36.870] Chris: Lawsuit alleges DoorDash charges iPhone users higher prices. This week, a class action lawsuit was filed against DoorDash, alleging that DoorDash manipulates a fee called the Expanded Range Fee in order to charge premium customers, which is their Door Plus or whatever, I forget what it’s called, and iPhone users more money. DoorDash has, of course, denied the allegations, saying that its pricing is, quote, fair and transparent. This is a particularly amusing defense considering that at the time of the complaint, the quote Expanded Range Fee was not defined on the company’s website.
[00:34:16.610] Ned: It’s so transparent, you see right through it.
[00:34:19.040] Chris: It’s there now, though, with a description that is suspiciously in a different color than the rest of the fees, of which there are many. And I was unable to confirm when the change took place via archive.org because the fees page is an uncrawlable JavaScript nightmare. Luckily, the complainant in the pending case took screenshots. Now, this would not be the first time companies have utilized data that they shouldn’t have in order to charge certain customers more. Back in 2021, the British government called out airlines for charging Mac users more. In 2023, Orbitz got nailed for doing the same. What a world it would be, say, if, I don’t know, retailers had no idea what device or browser you were using. Then this sort of thing would be, what’s the word? Unpossible.
[00:35:11.810] Ned: Yeah.
[00:35:13.110] Chris: Hashtag data privacy.
[00:35:17.190] Ned: Raspberry Pi drought over by Q3, hobbyists rejoice. During an interview with Jeff Geerling, CEO of Raspberry Pi Eben Upton said that the elusive Raspberry Pi SBC 3B and 4, along with the Compute Modules, should be available to everyone in Q3 of this year. Since the height of the pandemic, component shortages made it all but impossible for hobbyists and educators to procure the full blown single board computer and compute module form factors. The folks at Raspberry Pi decided that they needed to prioritize business orders, since those companies were facing very real crises when they couldn’t source the necessary parts, while the average hobbyist can probably wait a bit to build that cool garage door opener NAS/Crockpot monitor. They also decided not to raise prices significantly and to actively fight hoarding and unauthorized resellers. According to Upton, Q1 of 2023 was their worst first quarter in a long time, but the parts they rely on are once again available and they are ramping up production to ship millions of these tiny devices in Q3 and Q4. As someone who is sitting on an empty Turing Pi 2 board with nary a compute module in sight, I’m pretty pumped to hear this news and I appreciate their approach.
[00:36:36.690] Ned: Check out the whole video interview if you have the time.
[00:36:41.810] Chris: Google Registry releases new vanity TLDs, some of which are ripe for abuse. Yay. We all know what a TLD is, right? That very last set of letters after the very last period in the name of a website. The famous ones: .com, .gov, .us, whatever. Well, Google has introduced a new set of them for, quote, Dads, Grads and Techies. It’s important to note that Google did not use an Oxford comma in this headline, and as such I’m already furious. Most of the new domains are more or less harmless, and I can’t see much to complain about with .dad, .phd, .prof, .esq or .nexus? Sure. But there are two others that have raised immediate concerns in security circles, namely .zip and .mov, that’s M-O-V. When people think of zip, they think of a compressed archive, or a zipped file, if you will. And for mov, a video file, particularly one made by QuickTime. The way an attack can be structured is simple: someone receives a link to a file type they’ve heard of and it’s in the email. It looks like you’re downloading a file from GitHub. You’ve heard of GitHub, right? You should click on it, probably.
[00:38:10.990] Chris: And they do. There are already reports of websites using a .zip TLD to attempt malicious activity. Sites have been created with names like report2023.zip or microsoftoffice.zip. So this of course is bad. There have even been a few pro consumer protection sites, like financialstatement.zip. That one exists solely to, one, take some names that would definitely be used for evil out of circulation and, two, go into why this is such a bad idea in a lot more detail than I can right now.
[00:38:55.370] Ned: Move over, shadow IT. Here comes shadow GPT. In a move that absolutely no one will circumvent immediately, Apple has banned the internal use of ChatGPT and similar products, thereby proving it has learned nothing from its own success. What do I mean? For those of you who don’t remember because you’re too young or whatever, there was a time before iPhones where all devices were owned and managed by central IT. Then iPhones happened. People looked on their BlackBerrys with disgust and disdain, and the great Circumvention began. While central IT tried to fight the invasion of mobile devices outside of their purview, their effort was doomed from the start. Rather than fight the technology, most organizations finally chose to adopt a bring your own device policy with enforcement tools like MDM and MAM to try and contain corporate owned data. Apple’s main concern is that the same corporate data could be leaked through tools like ChatGPT. And once again we will have mass circumvention of the policy because people want to get shit done, and ChatGPT helps with that. I predict we’ll see an influx of ChatGPT-like solutions that aim to protect corporate data in the same vein as MDM or MAM.
[00:40:13.560] Ned: In fact, ChatGPT already has a business version that they plan to roll out shortly.
[00:40:19.750] Chris: Intel releases white papers suggesting that future CPUs will be 64-bit only. Well, that was bound to happen, right? Eventually, with chip makers like AMD having x86-64 bit only versions of their processors forever now, and Windows 11 coming out with a 64-bit only limitation, Intel is finally looking to drop all the old backwards compatible cruft, aka legacy modes that their current lines of processors support, in favor of a new chip design named X86-S, S meaning simplified. The goals, at least, are simple and ironically similar to the ones Microsoft had with Windows. At a certain point, designing for the future while maintaining unlimited backwards compatibility is a problem. Now, it is true that all of these 16 and 32-bit modes are emulated. They take up a tiny fraction of the CPU, and switching into 64-bit mode ignores them entirely. So there are some questions at this point as to how necessary this actually is. There’s little need to update 16 and 32-bit modes at this point. Just copy and paste it. Who cares? There’s also the question, though, of patents to consider. The x86-64 ones have long expired. But could this X86-S mean a chip design novel enough for a new patent?
[00:41:49.490] Chris: And would that make any difference at all in the marketplace or in the data center? Only your local patent attorney knows for sure.
[00:41:58.070] Ned: Oh, I’m just envisioning a rainbow where it’s patentable, hooray, and they saved their own industry. Good job, Intel.
[00:42:07.910] Chris: Lightning round.
[00:42:10.070] Ned: Thanks for listening or something. I guess you found it worthwhile enough if you made it all the way to the end. So congratulations to you, friend. You accomplished something today. Now you can sit in front of the mirror and count how many pointless facets there are to the human body. You’ve earned it. You can find me or Chris on Twitter at @ned1313 and @heiner80 respectively, or follow the show at @Chaos_Lever if that’s the kind of thing you’re into. Show notes are available at chaoslever.com if you like reading things, which you shouldn’t. Podcasts and our YouTube channel, hint hint hint hint, continue to be better in every conceivable way. We’ll be back next week to see what fresh hell is upon us. Ta-ta for now.
[00:42:53.170] Chris: Subscribe to YouTube.
[00:42:55.450] Ned: That’s like the whole thing. Just bulk subscribe all of YouTube.
[00:42:59.300] Chris: I subscribe to the Internet once. That was a bad idea.
[00:43:02.270] Ned: Oh, yeah? There’s a lot on there. I hear it’s not all cats.
Episode: 59 Published: 5/23/2023
Intro and outro music by James Bellavance copyright 2022
Our story starts with a young Chris growing up in the agrarian community of Central New Jersey. Son of an eccentric sheep herder, Chris’ early life was that of toil and misery. When he wasn’t pressing cheese for his father’s failing upscale Fromage emporium, he languished on a meager diet of Dinty Moore and boiled socks. His teenage years introduced new wrinkles in an already beleaguered existence with the arrival of an Atari 2600. While at first it seemed a blessed distraction from milking ornery sheep, Chris fell victim to an obsession with achieving the perfect Pitfall game. Hours spent in the grips of Indiana Jones-esque adventure warped poor Chris’ mind and brought him to the maw of madness. It was at that moment he met our hero, Ned Bellavance, who shepherded him along a path of freedom out of his feverish, vine-filled hellscape. To this day Chris is haunted by visions of alligator jaws snapping shut, but with the help of Ned, he freed himself from the confines of Atari obsession to become a somewhat productive member of society. You can find Chris at coin operated laundromats, lecturing ironing boards for being itinerant. And as the cohost on the Chaos Lever podcast.
Ned is an industry veteran with piercing blue eyes, an indomitable spirit, and the thick hair of someone half his age. He is the founder and sole employee of the ludicrously successful Ned in the Cloud LLC, which has rocked the tech world with its meteoric rise in power and prestige. You can find Ned and his company at the most lavish and exclusive tech events, or at least in theory you could, since you wouldn’t actually be allowed into such hallowed circles. When Ned isn’t sailing on his 500 ft. yacht with Sir Richard Branson or volunteering at a local youth steeplechase charity, you can find him doing charity work of another kind, cohosting the Chaos Lever podcast with Chris Hayner. Really, he’s doing Chris a huge favor by even showing up. You should feel grateful Chris. Oaths of fealty, acts of contrition, and tokens of appreciation may be sent via carrier pigeon to his palatial estate on the Isle of Man.