Evan recently wrote an article detailing why he thinks there is a lot of ego and arrogance among people who work in the information security industry. This topic has drawn some interesting conversations and debate on social media since it was posted, so Evan and Brad made it their primary focus for Episode 26’s discussion. They also chat a bit about Evan’s recent ‘normal people’ research, and break down the latest infosec news as always.
[00:00:23] Evan Francen: Good morning, world. It’s time for another episode of the UNSECURITY Podcast. It’s Monday, May 1st, 2019. It’s not May first. It’s May 6th. What do I have May first in my show notes?
[00:00:35] Brad Nigh: I don’t know. But I didn’t catch it either until just now.
[00:00:38] Evan Francen: All right, well, it’s May 6. I’m told I’m Evan Francen and this is Episode 26. Joining me, as almost always, is Brad. Good morning, Brad. How are you? I’m good.
[00:00:50] Brad Nigh: How are you?
[00:00:52] Evan Francen: Not too bad. We had some good weather this weekend was gorgeous.
[00:00:55] Brad Nigh: Finally, so nice to get out and be outside a little bit.
[00:00:58] Evan Francen: Yeah, I enjoyed it. Uh and this is uh yeah, so according to our show notes, this is where we chit chat just a little bit and some people don’t like that. Some people do
[00:01:09] Brad Nigh: you know? I gotta keep it. It’s kind of who we are.
[00:01:12] Evan Francen: Yeah, we haven’t seen each other all weekend. We’re here for the Cinco de Mayo party in front of How did that go? It’s good. It’s fun and they get crazy.
[00:01:21] Brad Nigh: Uh No,
[00:01:22] Evan Francen: nobody need to have a talk
[00:01:23] Brad Nigh: with. No, it was pretty tame.
[00:01:26] Evan Francen: How many people were here?
[00:01:28] Brad Nigh: Yeah, but I guess 25 30 employees and then significant others
[00:01:34] Evan Francen: and stuff. Yeah. Cool. It was a good time. It was fun. Yeah, we took the camper out for the first time. Uh this weekend
[00:01:44] Brad Nigh: My daughter is going on a trip here in July for a campaign where they go up to the Boundary Waters and, yeah, canoeing and portaging, and she’s like, I need to go try this out.
[00:01:58] Evan Francen: I did, uh, I took my kids once, one night, to the Boundary Waters, uh, when they were probably about the same age as yours, and I went myself, where I went with a friend and these kids, my kids, and uh, we didn’t bring enough food. So three days in, like, man, we’re all super hungry. So we were picking wild raspberries and trying to do everything, trying to catch fish. I didn’t catch much fish, so lost
[00:02:29] Brad Nigh: a little weight, you know, crash
[00:02:31] Evan Francen: diet. All right. So last week I wrote an article, uh, about, uh, and it was more of a question, and I was kind of, um, poking it at myself because I don’t like to just point fingers, you know, they have that saying, you know, when you point a finger, four point back or something like that, you heard that? So, I wrote this article and the title of the article is ‘Are Information Security People Arrogant?’ Did you get a chance to read that? I actually did in my show notes, I gave you credit for not.
[00:03:09] Brad Nigh: I no, no, I actually read it.
[00:03:11] Evan Francen: What do you think?
[00:03:12] Brad Nigh: It was interesting? It was, you know, I don’t like to think of myself as arrogant, but there’s definitely a couple in there. I was like uh huh Yeah, ok, gotta be careful that you don’t fall into that trap.
[00:03:26] Evan Francen: Well sometimes I think it’s easy for somebody who gets passionate about something they do for a living and you know, so much of what we do is about people. And so you tell people, you know, stop clicking on links, You tell people to choose strong passwords, you tell people to do all these things and then what seemed pretty simple and then when they don’t I think it’s real easy to get maybe angry or frustrated
[00:03:52] Brad Nigh: frustrated for sure.
[00:03:53] Evan Francen: So I was having this discussion, this is what made me think of it, as I was having this discussion with my mother of all people, and I’m an only child, so she has no other children that she gets to call arrogant, but she called me, she’s playing simple, you’re arrogant. I was like, really, I’m just frustrated maybe, but maybe I am arrogant. So I think in 2019 we use a lot of words that we don’t know the meanings to, like bigot, or you know, people just throw words around. So I went and looked up the meaning of the word arrogant and I was like, you know, maybe she has a point. Can you think of a time when you’ve been, maybe you’ve come across as arrogant, you just didn’t think you were arrogant?
[00:04:40] Brad Nigh: I think a lot of it for me is is the assumptions mostly right. Like you think, why would you have, why would you have done this right or these things that you weren’t doing it so obvious, How did you not know that this is a problem or how did you not catch it or how did you allow this to continue and just assuming like others see that? You know, it it’s not like I don’t I don’t think I look down on them, but I just as soon as like what you’re tall, well there is that, but you know, I don’t think I’ve ever called somebody, you know, one of the examples and there is thinking of someone stupid or things like that. I don’t I don’t think I’ve done that, but it is, it’s frustrating, it’s like this is basic stuff. How do you not get it?
[00:05:32] Evan Francen: What I thought, yeah, and so the definition of arrogant is an attitude of superiority manifested in an overbearing manner or in presumptuous claims or assumptions. So I thought, you know, I think I do have occasionally, I mean I try not to, I never want to come off as arrogant, but I think there have been times when I’ve had this attitude of superiority. Yeah. You know, you look at users and you shake your head like, come on, really? I mean, like, I would never fall for that. I can’t believe you would. And I think that comes with a lot in this industry, seems like,
[00:06:10] Brad Nigh: Yeah, I think, I think you’re right and I think it’s easy to do, you know, because like you you keep saying that we’re not the normal ones, so we don’t think the same as others. It’s really easy to to fall into that trap even without intending to be. You know what I guess you would traditionally think of as arrogant in your regular life.
[00:06:36] Evan Francen: Yeah, maybe that’s it. Maybe it’s just But you know, now that I think about it lawyers to me, the lawyers to you seem arrogant. I mean, in general, right? I’m speaking in generalities, which is always disc Yeah,
[00:06:51] Brad Nigh: I could see that. Yeah.
[00:06:54] Evan Francen: Or doctors, sometimes surgeons
[00:06:57] Brad Nigh: speak down to people.
[00:06:58] Evan Francen: Yeah. Anyway, so it was more of a posing the question. I didn’t want to write the article like information security are arrogant. You know, information security people are arrogant, because I think there’s probably more who aren’t, but it’s a few that give us a bad name maybe.
[00:07:14] Brad Nigh: Well, and I think part of it you also get is, you know, that hero complex or Superman complex or whatever, where, you know, you keep hearing how short, there’s such a huge shortage of talent. And so if you’re not careful, it’s easy to go, well, you know, I’m one of the few who can and that’s, I’m pretty special.
[00:07:39] Evan Francen: Well, and this was one of the articles where I think, you know, when I posted it, only then I think I got the most comments, I had more comments than I had likes, which is sort of, it’s sort of rare. Usually it kind of goes the other way around unless a lot of people just didn’t like it. I suppose that’s probably okay to, but the I learned that when people don’t like to be called arrogant, that’s a very offensive word to people. If somebody called you arrogant, would you be offended?
[00:08:13] Brad Nigh: I would, but not at them, but I think more uh crap. What did I do? You know? Because I don’t I don’t want to come across that way,
[00:08:25] Evan Francen: would you come stupid,
[00:08:27] Brad Nigh: depends on who it is.
[00:08:28] Evan Francen: No. Do you call me arrogant? You don’t know, nothing stupid. No, probably not. Can you think of people you know, that you’ve encountered in our industry, you know, over the years that have been arrogant? Oh
[00:08:42] Brad Nigh: yeah.
[00:08:43] Evan Francen: Can you, can you think of any one particular story? Um Uh
[00:08:48] Brad Nigh: huh. Yeah, but I have to, it would definitely, would you, would
[00:08:53] Evan Francen: you let them know? Okay, it’s not the guy sitting across the table.
[00:08:56] Brad Nigh: No, no, no, no. Just, you know, a lot of the times, I think it’s kind of this, the arrogance of I can do what I want and get away with it because I’m the security guy, you know, like I’ve seen security people send emails as other users as a joke and cause real issues for those users, or they do things that if a regular user did would get them fired, but they’re the security person so they can do it, you know. So there’s a little bit of that, that type of arrogance I think is more, you know, what I see, and just, yeah, a lot of the talking down to the users for sure.
[00:09:46] Evan Francen: Yeah. I’ve definitely seen my share of that. The, I just had a thought, it was about, I wonder what other people think about us. I mean, if I were to ask other people, you know, I call them normal people and I just do that because it’s a, you can call them everyday people, whatever. Just people who aren’t in our industry. If I were to ask them, are information security people arrogant, I wonder what kind of response I get
[00:10:15] Brad Nigh: and be interesting. I think you’d probably get a lot of yes and why be talking in the big words that they don’t understand and just assuming that they do understand it, which
[00:10:26] Evan Francen: can come off as arrogant candy. I mean I can even not be arrogant, but if I’m using these big words, I’m just assuming that people I’m talking about,
[00:10:35] Brad Nigh: that’s where I get caught up the most. I think I’ve told you this story, when we first moved in, uh, to our house last year, telling the neighbors what we do, and I’m like, I guess, you know, PCI and HITRUST, and he’s, because like, yeah, I saw this stuff for a living, I don’t understand what you’re talking about. I was like, oh, oh my, my, sorry, and explained, and he’s like, oh, so this, you know, the training we have to go through to swipe the credit cards. Yeah, exactly. Yeah. Oh yeah, and he’s like, oh, I got it. Okay
[00:11:09] Evan Francen: so now have you ever been on the receiving end of arrogance in our industry? You know where somebody because I ran into this sometimes or a half in the past when I’ve gone to security conferences before where you know it’s all about bragging and.
[00:11:27] Brad Nigh: Yeah yeah you see that a lot. I think
[00:11:31] Evan Francen: like this bro culture almost and it’s like well if you can’t do this thing then that’s from some people and it’s a generalities which is dangerous.
[00:11:39] Brad Nigh: Well again but it’s that that kind of that vocal minority as it were. But yeah I think that’s what I would call that that superman complex right? Like hey you know I’m coming in and I’m gonna whatever save the day or do whatever that nobody else can do. So got to worship me right?
[00:12:00] Evan Francen: Get sort of that little g, or maybe the big G, God complex, you know, I’m better than you because I can do these things and you can’t, right? Now if you’re on the receiving side, and then I’ll let this arrogance thing go, if you’re on the receiving side of arrogance, what does that feel like? Is that intimidation? Do you feel intimidated
[00:12:22] Brad Nigh: smaller? I just, I mean I think there’s a tune them out, you know, I think it’s it’s actually counterproductive for the industry because people just go whatever that guy and don’t listen to what they have to say, even if they have really good things to say.
[00:12:39] Evan Francen: Well, and I think on the other side, sometimes what you see is people who, I don’t know if it’s enough, it’s a lack of self, I don’t know what it is, but some people follow those people, you know, the arrogant people, they almost, you know, just like a little g god, right? They idolize these people, because I’ve been, you know, I’m fairly active on Twitter, and sometimes I’ll see people, security people, say things that they shouldn’t say, right, you know, where they’ll be ripping on another security person or they’ll be, uh, you know, ripping on a user, just things that are complete, are totally arrogant. I mean, you can just, it’s funny how, in, you don’t even need the 440 words or however many words you get on Twitter now, they can be arrogant in like six, and then you’ll see, you’ll watch the likes and retweets and the replies, yeah, you know, it’s like, I don’t know, man, because Twitter’s public, right? I mean, unless you’ve specifically made your feed not public, so people are seeing this public branding and raving about, not raving, ranting, arrogant, which doesn’t help at all. You wonder how these people get so many followers, so many, you know, it’s like, man, it’s just not the right thing to follow. I don’t think
[00:14:15] Brad Nigh: that that certain grouping that likes the uh the confidence, maybe they go well there that sure of themselves to talk that way. They must know what they’re talking
[00:14:26] Evan Francen: about. Yeah, I don’t know, it’s weird. I actually create a list of Twitter accounts, the arrogant Twitter accounts. No. Okay. Will that get me
[00:14:39] Brad Nigh: in trouble? Do you think it’s probably not worth the headache? No?
[00:14:45] Evan Francen: Yeah maybe
[00:14:46] Brad Nigh: maybe before I liked your approach of the ones that are good do that. You’ve got the
[00:14:51] Evan Francen: highlight. The ones are good. Did I do
[00:14:53] Brad Nigh: That or you said the 10 favorites?
[00:14:55] Evan Francen: Oh that’s in that article isn’t it?
[00:14:56] Brad Nigh: Yeah. See I did
[00:14:58] Evan Francen: read it. You did read it, did I? I don’t think I did. Yeah, these are just 10. Yeah, I wanted to give 10 Twitter feeds of people that, you know, I’ve followed for either a while or I did follow for a while or something, that I’ve always appreciated their contribution, at least on Twitter, because they come off as not being arrogant, you know, so yeah, tell security Loria Toni colette. No, hacking Roger Grimes, Jane Franklin, Dave Kennedy. Dave Kennedy is one of my favorites. I guess he’s just a cool guy. I don’t know if you, you’re not on Twitter as much as, are you?
[00:15:41] Brad Nigh: I read a lot on the, on the Twitters, on Twitter, but yeah, I don’t post a whole lot. I do need to get better at that, post a
[00:15:49] Evan Francen: picture of them. But those ribs you made, uh, meat you smoked this weekend. It was good. It was so good. Right? When I was watching, uh, yeah, but anyway, there’s a list of 10 that I think are, they just seem like people that aren’t arrogant.
[00:16:04] Brad Nigh: Yeah I recognized you know I was looking through it like yeah seems like a good list.
[00:16:10] Evan Francen: could easily create a second list of the 10 most
[00:16:14] Brad Nigh: area. I was disappointed. It wasn’t on it. I’m kidding. Well you don’t I don’t never tweet you don’t
[00:16:20] Evan Francen: tweet. You don’t tweet enough. Get out, get out there tweeting. It’s okay. No, man, you have good things to say. I’m assuming. I mean, I think you do, that’s account sometimes. That’s a non-arrogant compass for you. All right, so what’s the takeaway? I think, um, I just need to be careful of myself because I can’t, at the end of the day I can’t control what other people do. I can’t control whether, if somebody’s going to be arrogant, they’re going to be arrogant. Right? But one thing I can control is, you know, just keep it in check myself. I don’t, be careful who, you know, what I’m saying, who I’m saying it to. Um, don’t assume, I think assumptions get you into all kinds of trouble. Um, and you know, kind of be that approachable person. So if you don’t understand the words I’m using, or vice versa, you know, let’s just come clean. I don’t know what you’re saying. I’m sorry. Can you, you know, can you put it in a way that maybe is a language that I speak? Because I think, because two people speak different languages doesn’t mean that one person is smarter than the other. They just speak different languages.
[00:17:29] Brad Nigh: Yeah, very much so.
[00:17:32] Evan Francen: All right. So, you know, I’m writing this book the second book. Yeah. Book what I had in the show notes, you’re supposed you’re supposed to uh, yes, I
[00:17:42] Brad Nigh: know another book I hadn’t heard.
[00:17:45] Evan Francen: And then you’re supposed to roll your eyes. Okay. Yeah, there you go. Perfect. Yeah. So I was writing this chapter of the book and this kind of fits in with this arrogance thing, where you assume that you know what people are thinking and you never, not, you, I didn’t ask what they think. Um, so, you know, I’m writing this book and it’s, for lack of a better title, you know, it’s ‘Information Security for Normal People’. It’s really meant to be a book that resonates with people who aren’t in our industry. What things should they really be worrying about? What things, uh, you know, we tackle. You know, is there a cyber war going on? So what does that mean for me? You know, how do I protect my family? How do I protect the safety of my children? Uh, you know, it’s that sort of book and it’s meant to be not using a bunch of technical jargon and things like that. That’s funny, that when I think I’m not using technical jargon, normal people still think I’m using technical jargon. Right? That is weird. So I’m writing this chapter of the book and I’m kind of complaining about how we as information security people make the mistake of just assuming we know what they think. Mm, and worse yet, I think there are times when we actually try to tell them what they think. Yeah, has your wife ever done that to you? She’s not the person. She doesn’t listen to our podcast. My wife used to do this a lot. That’s why I ask.
[00:19:21] Brad Nigh: I’m trying to think of a specific example right now. I know I’ve done this and and I just can’t think of an example off the top of my head.
[00:19:28] Evan Francen: My wife is she used to my wife used to get in this habit and I don’t know, maybe it’s because I didn’t I didn’t share what I was thinking enough. So she would tell me what I was thinking? I’m like, that’s not what I’m thinking. Yeah. And it would get really irritating for me. Like how dare you think? You know what I’m thinking?
[00:19:47] Brad Nigh: Yeah, they make assumptions. And yeah, I started acting like that’s not it at all. Yeah. Yeah.
[00:19:54] Evan Francen: So I was writing this chapter of the book. Kind of not, I didn’t bring my wife into the book, but I was just talking about how we assume these things. And then it dawned on me, it’s like I’ve never actually in mass anyway, any kind of study any kind of research. I’ve never actually researched what normal people actually think about security about various security tactics.
[00:20:18] Brad Nigh: It’s all like, hey, this is what we see or we’re here, but there’s nothing formalized about it.
[00:20:26] Evan Francen: So I stopped writing, put together this survey, and you participated in that, you and your wife participated. I have 537, I think, complete responses, which gives a margin of error of 4%, and certainly good enough for me to not feel like I’m assuming.
[00:20:54] Brad Nigh: Yeah. You know, it’s a good sample size for compared to, I mean, especially considering there’s nothing else that I’ve seen out there. Like it.
[00:21:01] Evan Francen: Yeah. Well, and it also opened up, like, the questions based on their answers. I have more questions, you know what I mean? It’s like, oh, so that’s what you think. Well, tell me more about that. So I think it will lead to, I’ve already kind of talked to Kevin, Kevin’s our CFO, you don’t know that about? You know, I’d like to budget like a study a month, you know, because the studies, because we pay for the responses, and those responses can, you know, $800 to $1,500 a pop.
[00:21:37] Brad Nigh: Yeah it can get they can get expensive but it’s worth
[00:21:41] Evan Francen: it. It really is, because the insight I got, so I’ve just started sort of mulling through the data, and if you still want to participate, on our show notes there is a link to another blog post that I had written about, must have more data. Uh, so if you, you know, if you want to give your input, and I’m taking input from security people and non-security people, because one of the questions in the survey is, are you a security person or not, so I can filter them out and kind of, you know, do some good.
[00:22:12] Brad Nigh: Yeah that that’s a good yeah, I kind of felt it was a study between the
[00:22:18] Evan Francen: two. So um but the results are pretty amazing. I did this one word map Right? You know because there was only so is 30 questions in the survey and only one of those questions is an open ended question. Okay the rest of them are you know sort of yes, no, scale 1 to 10, that kind of stuff. So that one question I asked, what can or what advice do you have for an information security expert for them to be more effective. Okay, basically, you know, uh and there was all over the place, different responses but things you know, there are themes that popped out. So I did this word map just with the raw data. I didn’t manipulate it at all. So some people have written sentences. Some people are just written a couple of words. Some people, yeah. So I just took it dumped it. Did you see that? No, I have to show you. Uh so this word map is like easy, understandable, simple. I mean there’s these key words that popped out there like
[00:23:25] Brad Nigh: okay, what we have to focus on the yeah, talk to him.
[00:23:29] Evan Francen: Yeah. So as we’re working on the, that my face is score or my facts or whatever, you know, the name ends up being, um, it’s going to make it so much more effective because at the end of the day, the theory is the same people that are working at work are the same people that are at home, right? And it’s the same person, right? So if you’re not really security conscious at work or at home, you know, it’s reflecting in the other places. So, so far a really, really good study. I have a lot of data to still mull through, because you take 500 times 30 questions, you know, it’s a lot of just kind of different data to figure out, and data is a beautiful thing because you can, uh, you know, just portray it in so many different ways. Right? So many different
[00:24:18] Brad Nigh: angles. Exactly look at it from, you know, so many different.
[00:24:24] Evan Francen: So it’s uh it’s fun. I’m excited. I think I’ll be releasing some stuff about that pretty soon, you know, and we might even do it in a press release because I think it is some impactful
[00:24:36] Brad Nigh: stuff. I think that be like I said, you just don’t see these things done. Right.
[00:24:44] Evan Francen: Right. Then I broke the survey down into three areas. One was information security, the next was privacy, and the third was online safety. Okay, now I’m guessing most normal people would think that those are all, maybe there’s a question I should ask. You know, if there are some people, may think they’re all one and the same. They’re definitely closely related, but they are different things. And so I ask questions like, um, how important is information security to you and your family, and uh, and then just give them, like, you know, super five questions, five answers, super important, sort of important, all the way down to not important at all, I don’t think about it. Then I asked them to rate themselves and their ability to protect themselves and their family, uh, on a scale of 1 to 10. Um, if you keep the tens in there, I don’t, it would be weird. I don’t know how you could, like, if you don’t, if you ask me that question, you know, being around for 25 years, and I wouldn’t give myself a 10. No, I mean, I still like, I don’t know, pretty good. And I know that there’s a lot of gaps, though, I mean, because nobody knows it all, I’d say maybe an
[00:26:02] Brad Nigh: eight, so I was gonna say,
[00:26:04] Evan Francen: But there was 33 people I think in the data that had given themselves a 10. So it’s like, I don’t know if you understood the question.
[00:26:14] Brad Nigh: Yeah, well or they maybe they don’t yeah, they don’t understand the security piece of it and they think that they legitimately think they’re good. Doing that good.
[00:26:27] Evan Francen: So that’s the thing. So you bring up a great point, the different perspectives on the data because you’re right, maybe that is what they think.
[00:26:35] Brad Nigh: You know, I don’t have Facebook, does that mean higher than others? No 10 I mean I should get some points for
[00:26:44] Evan Francen: That. Have a strong password, have a strong password. Does that make him a 10
[00:26:47] Brad Nigh: password manager? No facebook. Right. I do have twitter, but I have multi factor.
[00:26:52] Evan Francen: Yeah, it’s interesting because, you know, so you run the data with those tens in there and you run the data with them out, you know, taking out layers, and there are still five-ish, six-ish. You know, the trend is, and where the data says, you know, 90% I think of the respondents, so that wasn’t a surprise, said that it was very important to extremely important. But then, you know, there’s some definite disconnect there where I think we have opportunity. But anyway, we finally asked, or I finally asked, I don’t know if there have been other studies, but I know that I didn’t know.
[00:27:32] Brad Nigh: Yeah. No,
[00:27:33] Evan Francen: I think 25 years of security stuff, something I’ve never
[00:27:36] Brad Nigh: asked. There’s some stuff I’ve seen out of (ISC)², the Safe and Secure Online, around teens and teen activity online and things like that. And that’s got some pretty eye-opening numbers. Like, yeah, I went, out of 10 teens have met someone they didn’t know in real life online. They met online, they met in person. Well, that’s, yeah, so I’ve seen some stuff around that. But
[00:28:05] Evan Francen: if you find that stuff, I’ll go look for it because that will definitely play into the online safety chapter.
[00:28:13] Brad Nigh: I can definitely send that to
[00:28:15] Evan Francen: you. Suicide rates have risen, especially in teenage girls. Um since the advent of the smartphone and I don’t know, you know, is there a correlation between that and social media and the smartphone? I don’t know, you know specifically, but I don’t think it’s coincidence
[00:28:32] Brad Nigh: There was, we were talking about that the other day, there was one. So yeah, I think it was a Britain or, oh yes, I remember that, I think I know what you’re talking about, that basically confirmed that the number of attempts has more than doubled in teenage girls and, yeah, I know, well, in teenagers and overall, really. Um, but it was all based on, like, hospital records, and it wasn’t like anecdotal evidence. It was hard, hard medical records of attempted or successful.
[00:29:07] Evan Francen: Yes. I think the key, I think one of the keys to our success as information security professionals even though we work in work with businesses, I think it’s to meet people where they’re at as much as you can to try to make it personal for them. You know because sometimes you know you’re you’re working at work it’s like it’s not my data. I don’t you know whatever. But those same practices are the same practices you’re doing at home. And even though it’s not your data, it still affects you personally right? If you’re the cause of a breach that somebody’s going to have to pay
[00:29:46] Brad Nigh: well because we do our when we do training for customers we have kind of a standard deck that we keep updated but it’s protecting personal and company data and we get a lot of what what this is about the company. Yeah but if somebody’s bank account is breached and they have no money and they’re dealing with that or they’ve got all this fraud. How do you think that’s going to impact their performance at work or if they’re doing these risky things at home, what do you think they’re doing at work? Mhm. So let’s this gets good security practices that are easy to understand and relatable have it both ways and usually the companies are Oh okay good. Yeah good point. Let’s do it.
[00:30:37] Evan Francen: Yeah it’s uh definitely plenty of work to do I think for for everybody but the uh yeah so that’ll be insightful and I think there’ll be some good information you know in the book for that kind of good stuff. Uh So we talked about arrogance, we talked about the the study the and like I said, I think in the next few weeks maybe if you know there’s some time that frees up, I’ll publish some things about what I’ve learned, what we have learned from the data and even make the raw data available. I mean people have different perspectives and
[00:31:12] Brad Nigh: yeah, so I know the next couple of weeks will be busy for you specifically but both of us. Yeah. Yeah it will be. You got some big speaking events coming up?
[00:31:25] Evan Francen: Oh yeah, that’s true. I do. I’ll be in LA, Los Angeles, Anaheim next week at the ISACA CACS. What does CACS stand for?
[00:31:35] Brad Nigh: I don’t know
[00:31:36] Evan Francen: CACS, it’s funny because when, uh, when James, amounting James, now I don’t know if he listens, but when he, when he first, yeah, when he first sent the email asking if I was available to speak at this conference, uh, for some reason he had written the ISACA CACA conference. C-A-C-A. I was like, I don’t think you got that right. I mean, it would be interesting to, it might be an interesting conference to go to. I mean, never been to the CACA conference, but yeah, that’ll be next week, and then the weekend next week also you and
[00:32:15] Brad Nigh: I, we’re both speaking at Secure360. What’s your topic? Disaster recovery doesn’t have to be debilitating. So how to, can be, though, it can be, but try to get, how to get buy-in, how to successfully implement a DR program and gain buy-in from the top, and what does that look like? Nice.
[00:32:36] Evan Francen: Yeah, I was tasked just a few months ago to lead the development of a business continuity plan, does that? And disaster recovery plan. Um, and I refused, well, I refused to lead the business continuity plan. I’ll lead the disaster, disaster recovery. But the business really has to get more, you know, has to own much more, business got no, your plan, I’m not going to lead, I’ll participate, but you
[00:33:03] Brad Nigh: know it’s not work for me to lead. Its that’s definitely a tough one.
[00:33:07] Evan Francen: Yeah. One, and it’s like, okay, well, who is the sponsor of this plan? I mean, I can even do a disaster recovery plan if IT, the CIO, is the sponsor, but you know the CIO can’t be the primary sponsor of the business continuity plan.
[00:33:22] Brad Nigh: Right. Well, so much of what the DR plan needs is from the business anyway. Right. And so, like, if you don’t have that buy-in, it’s gonna be really hard. It’s only IT working on it. Yeah.
[00:33:37] Evan Francen: I don’t know what I’m speaking on. Do you know what I’m speaking on next week at Secure360? I don’t know.
[00:33:42] Brad Nigh: I know I know I was talking to a two. We have a couple of analysts going to it next week you know both days and I was like oh that’s great. Evan and I are both speaking. You can come listen heckle us. No. No I don’t think so. I think we’ll see somebody else. We
[00:33:59] Evan Francen: should give them a rubber band guns.
[00:34:01] Brad Nigh: Just start shooting at us. Yeah. If we’re losing the crowd just start shooting.
[00:34:06] Evan Francen: Right well nowadays people take that
[00:34:09] Brad Nigh: wrong. Yeah. Yeah that’s
[00:34:10] Evan Francen: true. Maybe water balloons.
[00:34:13] Brad Nigh: But there, yeah the consensus was no I listened to you guys all day every day. I think I want to hear someone else like I can’t who can blame them.
[00:34:23] Evan Francen: Come on who wouldn’t want to listen to this whole day. Thank you. All
[00:34:28] Brad Nigh: right. Do you really want me to answer that?
[00:34:31] Evan Francen: That’s enough said yeah. All right. So what else any uh anything else this week coming up?
[00:34:38] Brad Nigh: I don’t think so. You
[00:34:40] Evan Francen: Know Secure360 or another speaking thing
[00:34:42] Brad Nigh: too. No I’m
[00:34:46] Evan Francen: pretty far behind
[00:34:47] Brad Nigh: right now. I don’t think so. There’s some stuff going on. But
[00:34:50] Evan Francen: Okay. Alright. Let’s jump into some news. So I just it’s crazy every week. You know when I look how much and I look at like well what what sort of newsy news things do we want to talk about? Um It’s crazy, you know, every week there’s just a lot of major stuff. So one of the things I thought I’d like to tell when the when the good guys win, when the good guys win one. So uh GBHackers.com, which isn’t I don’t know much about GBHackers.com. It seems like some of their stories are really good. Some of them are like
[00:35:26] Brad Nigh: sensationalized.
[00:35:27] Evan Francen: Yeah. So anyway the the title of the story is authorities shut down the world’s largest dark web marketplace and arrested its operators. Um Did you catch us at all?
[00:35:41] Brad Nigh: Uh No, I haven’t seen a lot about it. So it was it was a really good read. I thought I was like, oh I mean, you know about these things? Right, right. I’d heard of the marketplaces. I just didn’t see that they had been shut down.
[00:35:57] Evan Francen: It’s crazy how the bad guys always always seem to eventually get caught, they make a mistake, they leave, you know, used the wrong handle in the wrong forum somewhere or just you know something
[00:36:10] Brad Nigh: something with a yeah some little thing they didn’t put on uh masking on an IP on one post or something and it gets tied back to them.
[00:36:21] Evan Francen: That’s funny. The the title says that the world’s largest dark web marketplace. But then the first line in the story is German federal police with the help of Interpol and the FBI take down the world’s second largest dark web. So one of the largest. The largest or second largest now. Do you spend much time on the dark web? I don’t know. Yeah I don’t have enough time anymore. Yeah. Uh but you know there and there are a number of services I think they do a pretty good job of of monitoring the things that happen. I don’t even like the name dark web because it just seems I hate that buzz words we use in our industry. But yeah dark I mean there’s lights they got lights on too.
[00:37:04] Brad Nigh: See I think I see like dark web and just it’s not indexed the dark web as if I do need your weight. Can I do it? Hold on. No, I think don’t I have to uh yeah the dark web. No it didn’t
[00:37:18] Evan Francen: work. It was The voice. Do we hear if you worked last time? Yeah you would hear it. Did you listen to the last podcast. Do you ever
[00:37:29] Brad Nigh: sometimes
[00:37:33] Evan Francen: the dark web. The dark web and
[00:37:35] Brad Nigh: there it is. You could hear it do it right now
[00:37:39] Evan Francen: drunk not. Yeah, they came to the dark wide. All right. That was cool. We had to do it because
[00:37:50] Brad Nigh: it sounded, can you tell me record this early in the morning? We’re a little
[00:37:53] Evan Francen: it’s Monday morning. A little fun. All right. So, um anyway, the site was taken down, good job German federal police, uh Europol and FBI uh yeah. So the site is down, the site was called the Wall Street Market uh over 1.1 million uh users and 5,400 vendors on this. And if you if you know, I’m not I’m not gonna give you instructions on how to that a play in the dark web because it’s actually just a place. Every time I go, every time I spin up Tor and start writing, I just feel dirty. It takes you can’t unsee. You can’t do some of the things that you that you might find there. So just don’t go trust trust the pros that you know. Plus if you play with fire sometimes you get burned. Right?
[00:38:54] Brad Nigh: So you got to be careful
[00:38:56] Evan Francen: if you if you don’t know what you’re doing and you’re you know, running around down there. So anyway, that’s and there’s a good press release. There’s a link to the press release on, you know the takedown and all that good stuff. Uh I don’t know if the details. I didn’t see the details on specifically how it was taken down, but I’m sure that, that there’s a write up somewhere on the specifics, the mistake that they made and, and all that stuff. But, but there’s some good, like The Silk Road, that whole story. It’s such a, an interesting story if you’ve never followed it. Um, I think they’ve done some documentaries, there’s been some Netflix shows, you know, and some other things about, about that.
[00:39:39] Brad Nigh: Yeah. There’s a link in there to the actual Europol press release. Press release. It’s got a little bit more info. So they’re saying there’s there were the, to the Valhalla or Silkkitie, I guess Silk. It? S I L K K I T I E. It’s called that the Valhalla marketplace. I like that one better. Yeah. So they shut that one down earlier and then shut down Wall Street Market. But they said, yeah, it’s got, um, two of the highest selling suppliers of narcotics were arrested in the US. So, a little more detail in there.
[00:40:14] Evan Francen: Yeah. I mean, you can get anything on the dark web, you get hit men. Mm hmm. If I trust a hit man through the dark web
[00:40:23] Brad Nigh: show about that when you’re trying to hire people and it’s like all stings. I saw some
[00:40:30] Evan Francen: may have better luck at Craigslist then than Tor. Yeah, I don’t know. So anyway, that’s, it’s nice I like to see, you know when the bad guys lose once in a while. Um, because they do and I think we lose track of that sometimes too. We just think that what’s the use. Um, but you take down a market place like that, you know, it does. Yes, there will be another one just pops up in its place. That will always happen. But at least it will be a period of time when the availability of some of these things, some of these illegal things will be lessened. And sometimes maybe that’s enough to deter somebody, you know, to think twice to slow down. You know, if you’re gonna do something rash or stupid.
[00:41:20] Brad Nigh: Yeah. And they’re saying that, you know, the one, the Valhalla one’s been out since 2013. So it’s been around a while. It’s a long time
[00:41:28] Evan Francen: for a has been,
[00:41:31] Brad Nigh: but you know, there significant Bitcoin in both that were seized. So there’s, you know, it is taking some of that stuff off the off the market now out of those hands, it’s not, you can’t just replace Bitcoin. It’s a finite supply.
[00:41:47] Evan Francen: Yeah, that’s one, you know, and conversely, you know, one of the biggest things, you know, that I get frustrated with in an incident response is just how the attackers got something from somebody. Right? And often times it’s been money and they’ll just reuse that money oftentimes reinvested it reinvest it into future attacks. Right. Well, here, it’s nice to take some of that money back won’t go back to the original owners assuming that there was,
[00:42:15] Brad Nigh: but hopefully it goes towards maybe fighting. Yeah,
[00:42:18] Evan Francen: sometime. All right, so the next one. you know, it’s from TechCrunch and the title of this article is security lapse exposes a Chinese smart city surveillance system. So even the Chinese make mistakes. Yeah. Uh huh. But you know, there’s nothing one of the ever friend who’s Chinese um he’s actually my Chinese, my Chinese, Canadian security friend. Uh and he was telling me about, you know, we had the opportunity to sit, we drove to the airport together one day and uh and I was just asking about China because I’ve never been to China, I don’t know much about China and I was asking him, you know, what’s it like living in China, is there privacy and it seems like people are kind of controlled there and yeah, he confirmed a lot of those things. But then even worse than I thought they have surveillance cameras
[00:43:18] Brad Nigh: everywhere. Yeah, there’s some like videos of people that were streaming, the police just come in and say, yep, we’re taking you downtown or whatever because of what you were what you were looking at online.
[00:43:34] Evan Francen: So this smart city surveillance system. I think most of the surveillance in China, if not all is used by the state to control the population, right? It’s a communist state. Right? And so this smart city, you know, we hear the word smart city thing. Oh, that’s cool. Well, but this surveillance system was used. it’s not what we think of as a smart city, right? It’s so the government can control. Yeah. But anyway there’s a there’s some good information about uh what this smart city does some of the artificial intelligence, you know, sort of that they were putting into it. And
[00:44:17] Brad Nigh: yeah, I thought the best part of this article is uh you know, so it was hosted on Alibaba on their cloud platform and their public release said well uh as a cloud, as a public cloud provider, we don’t have the right to access the content in the customer database. And the next line is while they may not have visibility, we did that awesome. It was on the web without a password. Yeah, like come on,
[00:44:45] Evan Francen: imagine that.
[00:44:47] Brad Nigh: But I think yeah the big thing there is it gives you this is what I think is is unsettling about using biometrics. They have all the facial recognition and all this stuff. All the data points are there. You can, you know, poor implementation, you can’t really change that stuff. So
[00:45:09] Evan Francen: what’s the and that’s the thing in China right? There is no privacy. They don’t value privacy like they do in the West. Um you know, imagine something like GDPR ever ever standing a chance in China. Uh so it’s such a different, you know sort of culture and the billions of people that are in China, you write those facial recognition, they don’t want you to have you know highly secured accounts you know strong authentication. They want us to not have it. But in terms of the government you know it’s it’s all control.
[00:45:53] Brad Nigh: It also had an attractive score which would be scarier to for for a lot of us attractive score. Yeah they would. The database had like you know all the details about him and included an attractive score.
[00:46:07] Evan Francen: What’s an attractive score
[00:46:08] Brad Nigh: if they’re attractive or not
[00:46:10] Evan Francen: really? I didn’t really miss that part.
[00:46:14] Brad Nigh: Yeah. You know they can tell um sunglasses or a mask or if the eyes or mouth are open if they have a beard
[00:46:21] Evan Francen: so that’s sort of attractive. Not like you’re good looking.
[00:46:25] Brad Nigh: No I think they’re saying like the age and what their ethnicity is and it’s kind of what I got it. I was just
[00:46:33] Evan Francen: so you just sort
[00:46:34] Brad Nigh: of quote unquote attractive score. So it’s sorted by the most attractive or at least attractive. Right? That’ll that’ll take care of your arrogance.
[00:46:44] Evan Francen: Yeah. What do you mean? I scored a 20 son of a. Yeah it’s an interesting it’s an interesting story and they give some insight. Well one the first thing I got out of it was I mean poor security, poor security right? The Chinese have just as many problems and issues if not more or less. I mean I guess it doesn’t I don’t know they’re human beings right? And any time you put somebody and they make mistakes and this is just an example
[00:47:15] Brad Nigh: of that mistake. And even if it’s AI it’s still programmed by people. So you get those. We’ve talked about that right? It’s the biases of the people that program it get put into the AI and it just compounds from there. Even if it’s not intentional right? It’s human nature. That’s what we do.
[00:47:37] Evan Francen: Yeah. I mean there are bugs in my word processing program for crying out loud and I’m not expecting bugs in an AI you know. Yeah. So anyway good article. I think some good information. Uh No privacy in China. I think that was the second part that sort of hit home is just the kinds of things that get tracked. Uh huh. You know for Chinese citizens and this this would never obviously never fly in the United States. I hope not. Yeah it’s true hope. I guess we maybe we don’t know. The last article is mystery database exposes 80 million U.S. households. Or data on 80 million U.S. households. This is from Naked Security. This is one of your favorite sources. Yeah The uh the title is mystery database exposes data on 80 million US households. Mystery database. They don’t think they don’t know how it got
[00:48:37] Brad Nigh: There now. And what’s weird is it’s only on people over the age of 40
[00:48:41] Evan Francen: includes name, birthdate gender income homeowner status map coordinates whether they’re married
[00:48:50] Brad Nigh: but not how many kids nope
[00:48:53] Evan Francen: and dwelling type
[00:48:54] Brad Nigh: but not Social Security. Right. I mean I’ll be honest, so you know, they don’t know who it is. But to me immediately I look at that and think it’s got to do something with politics. Yeah. I don’t know targeting around that she a name because they don’t care about kids or Social Security so that but an older, sadly we’re in that group uh order
[00:49:19] Evan Francen: for yourself man. I’m going back in age
[00:49:22] Brad Nigh: 29 and holding
[00:49:23] Evan Francen: Yeah, that’s at least how I’m going to act.
[00:49:26] Brad Nigh: Yeah, I don’t act
[00:49:27] Evan Francen: that’s my wife. Yeah one and so a lot of these news articles to it like this one was posted five days ago. So I don’t know if there are updates after. We usually don’t have enough time between, you know, identifying what we’re gonna do for the show and doing full research on each one of the articles. Maybe we should do that a little bit more. I’m thinking I should anyway because I don’t know if there’s been an update to this. But it is very interesting because it was, I don’t know how it got there. It’s an open database, 24GB worth of records hosted on a cloud server, Microsoft cloud server, with this sort of data in it. And it’s sort of a mystery.
[00:50:09] Brad Nigh: There’s no update on the vpnMentor article, just as the last one is from the 30th. It says it’s no longer open.
[00:50:19] Evan Francen: So it was uh no um Noam Rotem and Ran Locar from vpnMentor who found this database and so let’s go through it again. Name, birthdate, gender, income, home. Yeah I mean that’s that’s sort of some sensitive information. They’re the one that freaks me out, that freaks me out. Uh makes me feel the most sort of queasy is the map coordinates. Yeah I sort of don’t want people know where I’ve been or where I’m at.
[00:50:50] Brad Nigh: It’s interesting that there’s a member code and score for each intrigued. So there’s some it’s tracking something
[00:50:58] Evan Francen: yeah there’s something more to correlate there for sure. So what did you say what other parts score?
[00:51:05] Brad Nigh: There’s a member code member underscore code and a score in every
[00:51:12] Evan Francen: intruder score code.
[00:51:13] Brad Nigh: So there’s some sort of like a like a unique ID free to save or
[00:51:17] Evan Francen: Sam’s Club database. Right? Mhm. Costco database. No. Yeah. Yeah interesting. Yeah. So you know I would expect more to come out about that maybe in the future because there’s got to be some correlation. We have a lot of smart people, I’m sure there’s plenty of smart people taking a look at what these things have to do with each other because it’s the same way oftentimes they’ll crack they’ll track back. Well that’s different but you know oh jeez sometimes they’ll track and just knock that over, sometimes they’ll track uh credit card transactions but this isn’t transactional data so I know
[00:51:59] Brad Nigh: but it’s saying you know because you track when their home when they’re not home. Yeah I don’t know
[00:52:08] Evan Francen: interesting. So definitely a mystery database. But one of the things that’s I don’t know it’s going back to 80 million US households. How many households are there in the United States? 320 330 million people. So I mean you’re talking potentially 80% 70 80 of the U.S. There’s a thing in
[00:52:34] Brad Nigh: the population Up to 65% of US households. Is that the
[00:52:41] Evan Francen: 65%? So. Okay so over half of all US households. So mine chances are better than half that your data and my data are in there somewhere it’s going to be on Have I Been Pwned? No I can’t. There’s no email address is not how we match. Mm So I’m gonna how am I going to find out? Maybe VPN maybe vpnMentor will put something notes.
[00:53:08] Brad Nigh: Weird but it looks like it’s target verify if you go to the vpnMentor site, they’ve got a screenshot of the database entry and it I mean it really looks like it’s it’s like a household targeting not people. So it’s got like the address and then it’s got a sub of that is who lived there. So the people aren’t the main target. It’s the it’s the address and then it shows who lives in those addresses. Uh
[00:53:41] Evan Francen: huh interesting. Yeah. Anyway something to follow up on something to see if we can’t find more at some point. All right well like I said there’s plenty of other news too um you know I think the hacking of GitHub the repositories and then holding code ransom. There’s a story on motherboard.com. I think that was pretty interesting. It’s titled someone is hacking GitHub repositories and holding code ransom. Mm Not cool but that’s a good read. We’re coming towards kind of the end of the show. Uh We have a full week ahead. What are you up to this week?
[00:54:21] Brad Nigh: I’ve got our monthly management video and then we’re doing a customer advisory board event around incident response on thursday. That’s that’ll be good.
[00:54:34] Evan Francen: Yeah. Oscar Oscar will be here this week.
[00:54:37] Brad Nigh: Yeah it should be here
[00:54:38] Evan Francen: today actually. Yeah. That’ll be cool. He sent me the documentation. Had a chance to read it yet.
[00:54:43] Brad Nigh: So excited that it’s been it’s been good.
[00:54:46] Evan Francen: Good. That’ll be fun. I think this week Friday. I think I have a due date. I have a delivery for that. You are bit your NIST CSF thing are you? Once that’s supposed to do you have a date yet?
[00:55:02] Brad Nigh: No I’m still waiting on some scanning stuff.
[00:55:05] Evan Francen: Okay but I’ll take a while
[00:55:08] Brad Nigh: as soon as I get that I should be done. I’ll be done this month.
[00:55:11] Evan Francen: Okay that’ll be cool. Um Yeah and that I think Friday leave for L.A. Going to spend the weekend in L.A. Then I speak. I think I open like open the conference and I’m speaking like seven something in the morning
[00:55:26] Brad Nigh: on Monday Monday.
[00:55:29] Evan Francen: Yeah nobody’s gonna be there. But we still be sleeping like wants to talk cause I think I’m talking about 3rd party. Yeah. Information security risk management. Who wants to talk about that on a Monday morning but I’ll be calling into the show um dear hosting. Uh we’ll have a special guest next week. We’re actually going to have lunch with him today. I’m excited about that. So look for the show notes on Friday. Hopefully hopefully. Yeah and then uh but that that’ll be fun because he’s got he’ll have some really good insights on things that are going on that he’s been working on in K through 12 which you know both of our hearts, you know, are there. Um and that’s it. So we have some drama here and there. Everything will be cool. And speaking of cool if you want to be cool, you want to follow Brad on Twitter even though he doesn’t tweet, he’s
[00:56:22] Brad Nigh: gonna start, I’ll post the picture of the bacon wrapped pork line apple like we
[00:56:29] Evan Francen: learned last week from Christoph, you know he uses Buffer
[00:56:33] Brad Nigh: just Buffer it, you know
[00:56:34] Evan Francen: read some news on Sunday when you’re just kind of relaxing getting done with the weekend and just Buffer them all. Uh Yeah then my Twitter. So at @BradNigh. That’s where to find you on Twitter me. It’s just my name @EvanFrancen easy enough. Uh Yeah. And email us at firstname.lastname@example.org. If you have, you know, questions, comments, concerns, something you’d like us to talk about specifically, we like to be, you know, sort of as relevant as possible. Otherwise that’s it until next week.