Breaking Down the WannaCry Ransomware Attack

Taking a look back at some of the recent presentations and conferences the two have made appearances and presented at. After, they break down some of the recent information security news stories like the WannaCry ransomware attack, Microsoft updates, and more.

[00:00:23] Evan Francen: Hey, hey, it’s time for episode 28 of the UN security podcast. I’m Evan Francen your host this week. I’m gonna try to get a little more excited because it’s hard sometimes on monday morning Brad. Yeah, you can talk. Yeah,

[00:00:39] Brad Nigh: it’s a little, it does. It’s

[00:00:40] Evan Francen: Cold early 30s, I got up this morning

[00:00:44] Brad Nigh: on the blood side. It was bright out.

[00:00:47] Evan Francen: All right. You’re always, you’re always a glass half full kind of guy. Mm All right. Well, uh, did I already say my name? This is Evan francine. That’s me. I’m the host of this week. I’m actually in town. So it’s nice. It is. Last week went pretty well. I thought it was nice to have rain

[00:01:04] Brad Nigh: here. Yeah, he’s, he’s had a good conversation. We actually ended up talking for about another half hour after we ended the podcast. Did you realize about

[00:01:12] Evan Francen: stuff? Well, he’s good at, He’s a, he’s a passionate yes. About his baddest thing and you figured out how to say his last name. Uh, Claudia

[00:01:25] Brad Nigh: Claudia Claudia. He said just not Claudia

[00:01:29] Evan Francen: Claudia or Claudia

[00:01:32] Brad Nigh: clue. Ta go

[00:01:34] Evan Francen: french money. All right. So

[00:01:38] Brad Nigh: you can tell it some fiddle early.

[00:01:40] Evan Francen: Well, yeah man, this is how we roll. Uh, so you saw the show notes, yep. Okay. But you, like you said about five minutes before the show. Maybe last night.

[00:01:50] Brad Nigh: Nice yesterday evening.

[00:01:52] Evan Francen: So you prepare better than I do. How was your weekend?

[00:01:54] Brad Nigh: It’s good. It’s good. It’s gross.

[00:01:57] Evan Francen: Yeah, I built the closet nice. Yeah, just on a whim.

[00:02:02] Brad Nigh: I had actually had friday off. So I got

[00:02:05] Evan Francen: Oh yeah, that’s right. I

[00:02:06] Brad Nigh: did all the stuff that’s been uh well say neglected around the house since april when we started the mentor program says

[00:02:15] Evan Francen: I

[00:02:16] Brad Nigh: gotta get, it’s getting a little bit of grief about, you know, things not being

[00:02:20] Evan Francen: done me to my wife was, she said, you know, I had a bunch of things to do around the house and so I said, well, we’ve always want to put a closet in lydia’s room. She’s like, you can’t do that like thanks. Just would. Yeah, well she’s brutally honest with me

[00:02:39] Brad Nigh: and keeps you in check. My what do you think kids are the same?

[00:02:43] Evan Francen: Right? So like every five minutes after I made anything, any kind of progress on the, on the, on the closet? I brought her in to show hey, what do you think? Words of affirmations? My love language too. So that helped. Alright, well here we are. We survived a week. That was last week was crazy for me. I don’t know. I didn’t get to check with you. So I don’t even know how you reek was

[00:03:08] Brad Nigh: last week. I don’t really remember it. So it was good. It was, I had had a good week. Um Yeah, obviously you both, we both spoke at secure 3 60 so we caught up a little bit there. That was fun. You had a much worse week than I did in terms of travel. Yeah. Uh because you were out in Anaheim monday, flew back, spoke, did you speak on Tuesday? No, no,

[00:03:35] Evan Francen: Tuesday, Wednesday?

[00:03:36] Brad Nigh: You had to speech or two talks thursday, You had another

[00:03:41] Evan Francen: one and then a panel two on Thursday, but a bunch of post secondary uh college faculty, it was one of their conferences. It was really cool.

[00:03:54] Brad Nigh: Yeah, and then we have the two major program, right? The classes,

[00:03:58] Evan Francen: those classes, and and like I said in my notes, I truly wasn’t PowerPoint

[00:04:03] Brad Nigh: hell, I was so happy, that was that Wednesday was like, I woke up, I was like, oh no, we didn’t do the and then I saw your emails like, oh my goodness,

[00:04:13] Evan Francen: I, well, when I’m down I figured I’d do it because, and we’re all busy, you know, we don’t get a chance to catch up as much as I like to during the week, so I don’t know if you didn’t have time, man.

[00:04:25] Brad Nigh: Was weeks at a time.

[00:04:27] Evan Francen: Well now you tell me,

[00:04:29] Brad Nigh: I don’t know how to do this. Come on, man,

[00:04:32] Evan Francen: I did so many pipelines because he figured 100

[00:04:37] Brad Nigh: It was about 110 slides Monday and Wednesday,

[00:04:40] Evan Francen: So it’s 220. Then I had one. Yeah I mean it was 252, 400 slides maybe last week. Are you moving

[00:04:50] Brad Nigh: here actually? Yeah that’s a that’s a lot of slides.

[00:04:55] Evan Francen: Yeah. Yeah. So security people do power point. You know if you’re going to get into information security uh learn PowerPoint.

[00:05:04] Brad Nigh: Yeah. Unfortunately I wish there was a better way I try to do it with uh minimal like just the talking points on their uh and then talk about it because otherwise you know nobody wants to sit and listen to somebody read off a slide. It is so painful. It’s I feel bad sometimes in the class because there is a lot of just you’re gonna have to memorize this stuff, you have to understand what we have on here. That’s the hard part now we’re getting ended up more of the practical stuff like we’re yeah actually Wednesday will be the last lecture.

[00:05:39] Evan Francen: Yeah. And so for the people listening, we’re talking about the C. I. S. Sp mentor program that we started in

[00:05:46] Brad Nigh: First week April like eight I

[00:05:48] Evan Francen: think. Did we? Okay. And so we’ve been doing to classes at a week pretty much. We had a couple of little break sessions here and then we have one coming up like we won’t teach on monday because we have holiday is Memorial Day. Okay. Um Yeah so tons of classes and anybody who’s done the C. I. S. S. P. Before knows the joy. You know it’s a lot of memorization? I am a pro C. I. S. S. P. Person because I like how it’s so broad so it’s sort of even if you’re a pen tester I think understanding you know where what you’re doing fits in the context of everything else is important

[00:06:28] Brad Nigh: agree. So there’s a lot of people go what’s the point if we you know some of the security models and given Bella Padula and all that but without knowing where that where you came from what the history was behind it. You can’t it helps build that foundation.

[00:06:46] Evan Francen: You know there’s some good theory stuff there. Right. Yeah thank you because the theory of those things still still applies. Maybe not the model itself you know? Right. Right. All right so we survived the week you had so we did catch up on what day was secured 360? You said Wednesday we have to talk a little bit. You did that day was

[00:07:09] Brad Nigh: uh yeah at the conference it was nice. We had most of the sales stuff without Tuesday and Wednesday

[00:07:17] Evan Francen: conferences for

[00:07:19] Brad Nigh: conferences or travel. So Tuesday I uh had all day with no sales stuff basically. I got so much done.

[00:07:29] Evan Francen: Yeah Tuesday. I worked with nuts. My flight got in yeah Tuesday early morning I was probably home by two a.m. Because you know you flew in from the west coast. Uh So I just work from home on Tuesday. Yeah then I what what day was thursday? This is security life man. I’m trying to remember what day I did. What what thursday yet thursday? I was up really late so I slept in on friday. But I worked, yeah crazy week and we’re gonna talk about that. So that was part of what I wanted to talk about in this present. Isn’t? This podcast was just our week. We had five talks and I and I say we because you know it was you knew the talks I gave, you know what I mean? I shared them with you and We were at five talks, 4 conferences, two classes in a panel. So it was a busy week. Um this week isn’t quite as busy. I’ll be in Denver um Wednesday or thursday I can’t remember yet because I haven’t looked at my schedule. If you look too far ahead then you just get crunch.

[00:08:38] Brad Nigh: I looked the night before when I go to bed. I’m like okay what do I have tomorrow and then I never remember. So I would look when I get up and like all right, do I have any client facing media, nope okay I can wear a t shirt, I don’t have to

[00:08:51] Evan Francen: dress up, do that too. So Wednesday. I think it’s one series thursday. Um Denver is lisa. I’ll be at the Meeting, We’re doing a 3-hour instant response workshop mm that’ll be fun. Yeah. So if you’re in Denver and you, you know, want to come say hi you should do it. You should see me at the I. S. S. A. And we can hang out or something. I fly in and fly out that same day.

[00:09:20] Brad Nigh: I have to give you our new IR playing template there for sure. You can kind of looked through what we put together.

[00:09:27] Evan Francen: Yeah. Yeah. Yeah I know you and Oscar been putting together a lot of Ir stuff.

[00:09:33] Brad Nigh: Megan actually put a lot of work into cleaning up the document and making it a little more maybe funk. Business friendly. I guess business functional

[00:09:46] Evan Francen: is pretty awesome. Alright so last week let’s talk about it. Uh I gave four talks, let’s talk, let’s start with your talk. You give a talk on Wednesday at secured 360 and tell us what, tell us what you talked

[00:10:00] Brad Nigh: about. It was er doesn’t have to be debilitating.

[00:10:03] Evan Francen: Well yeah it does. I’m just kidding totally. It

[00:10:07] Brad Nigh: was interesting. So they had a lot of talks around B. C. P. D. Are, you know, business continuity disaster

[00:10:13] Evan Francen: 3 60.

[00:10:15] Brad Nigh: And uh mine wasn’t, you know, it wasn’t a technical talk. It was yeah, here’s what should be in the plan towards the end of it and just talking through and like you know who has all these parts and you know who has a D. R. Plan and then hands down if you, when you see something you don’t have in years. And

[00:10:34] Evan Francen: so when you asked how many people had at the airplane what percentage of people raise their hand?

[00:10:40] Brad Nigh: Mm Probably most of them did

[00:10:44] Evan Francen: Actually because you have like what 50 fish

[00:10:46] Brad Nigh: 40 40 45 somewhere in there. Uh Most of them did but then you start. Okay so does it have all these

[00:10:53] Evan Francen: things and how many of them been updated in the last,

[00:10:56] Brad Nigh: Well yeah that was the other part of it and uh yeah a lot of them went down when it was. I think a lot of people have a D. R. Plan that’s just the I. T. Procedure piece. It doesn’t have the country doesn’t have all these other pieces that are so you know critical to business contacts, all that stuff.

[00:11:17] Evan Francen: Why do you think that is? Do you think they missed that higher level stuff because they didn’t have executive buy in or just driven from an IT

[00:11:26] Brad Nigh: person? Yeah he’s tasked with doing it. And so what does it do? What here’s the things I need to do if they go down here’s how I recover. I think that’s more.

[00:11:37] Evan Francen: Do you see I. T. Doing? Uh because we talked about that to last week which was coincidental I suppose because it was Wednesday Wednesday you were talking

[00:11:48] Brad Nigh: and then Wednesday night we talked about it.

[00:11:50] Evan Francen: Yeah so you know you know the right way to do it is to do that business impact analysis, build out that recovery time objective, recovery point objective and all that stuff. Nobody doesn’t seem like many people actually go through that

[00:12:05] Brad Nigh: hard work. No. And so a lot of what my uh talk about was how do we make, how do you get that buy in from the business? So it was about communication. So instead of R. T. O. R. P. O. M. T. D. All you know all those acronyms that I. T. And security love it’s okay translate that to say how much how much data could we lose? What is what is if this goes down and we’re down for how long before you have a you feel the pain and then how long is it going to take you to come back up from it? You know? So if I get it back up how much work is involved for for the business unit to understand, you know and helping them understand that. So it’s like communication, peace and understanding that you know, N. I. T. It’s intimidating to the business because what’s intimidating to people what they don’t understand how many and uh yeah because I’m a bit of a smart ass. I think we can say

[00:13:11] Evan Francen: that we can it’s our podcast. I’m a little I’m going to reiterate that he said smart ass. Yes okay okay

[00:13:18] Brad Nigh: for the record. Uh But yeah I was like all right, so how many sea levels do we have here? Just so I know they raised me and I’m like, okay. So I know how to avoid the rest of the conference. Sea levels are intimidated by

[00:13:31] Evan Francen: technology, asked that how many lawyers? Yeah.

[00:13:34] Brad Nigh: But I was like we have to dumb it down for for the sea levels for the executives because they don’t understand it. That’s not their job. You know? How many people do you have? How many executives do you know that have trouble with their phone? Well how do you think they’re going to think about when you talk about, you know, VTS or virtual tape libraries or back up to disk to disk and replication and all that. It’s intimidating. So you have to be the ones to make that. But

[00:14:04] Evan Francen: when I think effort it people in general because you know, you and I sort of started their ourselves. Right. I think a lot of security people do. Um we don’t I don’t I’m just thinking of my own experience. I didn’t get out enough. Yeah. And talk to people enough. When I was in I. T I don’t think you anybody really does. You know, because I don’t think there is any such thing as enough. I mean that’s true. I think so when you do a business impact analysis, well that means I have to get out of my desk, go talk to people educate people, a lot of people are good at that.

[00:14:41] Brad Nigh: Yeah. I always tried to do to that I enjoy talking to the two people. So, but yeah I definitely when I started for sure it was just like do whatever you got to do I can think back to some jobs or it was just like doing what’s right because you know you’re the only person for.

[00:15:01] Evan Francen: So I wonder if that’s one of the reasons why if if if a drp. Is driven so much from I. T. Without really the rest of the business involvement. And just in general I. T. People are desk people you know they don’t get out much and talk to other tribes within the organization. Much combination of those things. Might be a reason why the D. R. P. S. Aren’t as good as they should

[00:15:27] Brad Nigh: be. Yeah I would agree. I think that’s a big big part of it so but you know it’s it’s all about changing that mindset though. It should be the custodian you shouldn’t be the ones making that risk decision. Now you can you’re going to have to help the business understand you know what they should be doing and translate what they say into. Okay you can be down for 15 minutes that here’s what it’s gonna cost. Oh okay for four hours. Okay that’s that’s okay we can do that then.

[00:15:58] Evan Francen: Well it’s funny because I’ve I like simple you know that and I’ve always thought that as a. C. So I have two jobs. One is two give you know executive management the best possible risk data I can to help them make good risk decisions right? So in that is a lot of coaching. A lot of teaching that’s one job. And then the second job is for me to enable I’m sorry enact those risk decisions to the best of my ability. That’s it. Yeah so I have to do a lot of coaching but I think to your point too you know we started out that way but I think both of us are a lot different now. I do a lot more coaching than I do anything else

[00:16:43] Brad Nigh: I think and I’m looking back to you the progression of the career and you know the first couple of go sys admin type jobs that I had. It was so focused on just the technical stuff and but I think that’s kind of a natural thing and then as career progressed getting too okay business I need help with from you on this and you know getting out and I’ve never had an issue getting in front of executives or leadership so always was the one from I. T. You know I don’t care. They need their computer fixed. Okay I’ll go do it to help us guys don’t want to deal with them. That’s fine. I’ll get face time with him. It’s it can’t be bad.

[00:17:35] Evan Francen: I think one of that I think one of the best things you can do for career progression to you know just in maturing in your career is to learn people skills, the better you get at people skills, the better you’ll move up

[00:17:50] Brad Nigh: right? Well, and and Exactly, and and learning the business to write that was one of the slides was, you know, communicate this to the business, show them how you’re thinking rather than me I. T. Or security being a cost center. All right. If we have each outage is whatever 30 million hours, Uh so that’s $3,000 per outage or whatever it is. Well, if we implement this new technology for 15,000 and then it reduces our outage to five hours, well now we can show that. And then even if it’s not perfect if you can show your thinking that way the businesses go, oh, he’s

[00:18:34] Evan Francen: a fucking language. And I’ve almost purposely thrown in crappy math into some of those things to get their attention and get their engagement because they’re like, no, there’s no way you could, you know, it could be that worthwhile. Well, let’s talk about it. And then you start having this discussion and they’re like, see I showed you your math is off, but then they’re still positive there, isn’t it? So, you know, I got my I got what I was looking for, I needed that little bit of shock value of a faulty math on purpose. Sometimes I’ve done that.

[00:19:06] Brad Nigh: Yeah. And, you know, it’s an estimate. I can’t do it without the business I’m I’m taking some assumptions here. All right, Help me figure it out what what should we be looking at so I can do it correctly.

[00:19:16] Evan Francen: Exactly. So well in your in your talk um pretty well received.

[00:19:22] Brad Nigh: I think so. Yeah. I had a couple of people, multiple

[00:19:24] Evan Francen: people. Did they clap?

[00:19:25] Brad Nigh: Uh Nobody walked out.

[00:19:28] Evan Francen: Well nobody booed. That’s a win. Nobody threw anything. You’re talking about drp Right? No, they clapped. Okay because I’ve learned how to end my presentations now. You kind of like, well thank you very much. You know and then you kind of leave this like pause and then they clap because then then it almost makes them feel awkward if they don’t clap.

[00:19:47] Brad Nigh: Yeah. I had a couple actually good questions at the end of it too, which was just

[00:19:51] Evan Francen: nice. I did you know we’ll get to my talk a little bit because yeah there was some really interesting things I actually did the talks that I did on Wednesday and thursday on purpose to see what I could learn. Not so much what I could teach because I talked about things I’d never talked about. And I just wanted to kind of see what the reaction would be because on Wednesday I had my first talk was with really I T. Ish type people not security people. And then I gave that same talk in the afternoon two security people. And so I did that on purpose because I wanted to see the different reactions from both. Uh But it was it was really really cool but that the afternoon talk was weird because it was Like 4:00 in the afternoon and the conference ended five.

[00:20:42] Brad Nigh: Yeah that was yeah the second day of

[00:20:45] Evan Francen: yeah it was weird so long. So what takeaways? Uh if you had like one takeaway, one thing you could tell the audience about disaster recovery planning, what would it be if you can think of one thing like maybe in your presentation you were trying to drive home this point,

[00:21:03] Brad Nigh: you gotta get to be successful. You have to hit the business engaged. Amen.

[00:21:10] Evan Francen: I couldn’t agree more of that. All right, so now this is where I hog up some of

[00:21:15] Brad Nigh: the talk, some of them. I looked at it and I appreciate you saying we had all these, I had one, you did all the talking

[00:21:22] Evan Francen: teamwork makes the dream work in the classes. I always feel like every time I’m giving a talk that just as much as I’m representing, you know, whatever point I’m trying to drive is representing you know the company, right? Um So yeah the week started off with uh I was out at uh Anaheim for the uh North America 2019. North America is Sacha see A C. S. Event. I don’t know what C. A. C. S. Stands for. I never even looked it up to be honest,

[00:21:52] Brad Nigh: do something about

[00:21:53] Evan Francen: auditing. I’m guessing the he’s gotta be audit asses. Maybe super, super sexy. I mean the thing is sexy right? Anyway. No, so I started the present. So I started off, I kind of opened the conference, I was the first talk of everything and I was in this innovation center, which was basically just a stage with a wide open area in the middle of all the vendors, right? You know? And so I thought I was talking at seven a.m. And uh so I’m, you know, kind of walking by and I’m like, man, there’s nobody in this innovation area, right? It’s just nobody. So I went to, my wife was with me, I went to my wife and I went to a couple of guys that were with us in our booth. Like, man, I don’t think I’m going to talk because there’s nobody here. I’d be standing up on the stage by myself preaching to what imaginary friends. It’s like a

[00:22:58] Brad Nigh: normal day at work. I

[00:22:59] Evan Francen: know. So I’m like, this is just weird. So I was wrong. It didn’t start at seven. It actually started at 7:20 PM. uh it’s like 705. The that one of the event organizer type people comes, you know, there you are. You know, are you ready to go? And I’m like, well, you know, I don’t think I don’t, I’m not thinking I’m going to talk because there’s like nobody there because what are you talking about? Come over here so I wouldn’t and you know, it’s kind of around the corner and I look and it’s like packed now, like

[00:23:31] Brad Nigh: all

[00:23:32] Evan Francen: right, let’s do it. So uh so you start off monday morning, beginning of the conference. And my topic is, The title is different than the topic. The topic is 3rd party information security, risk management.

[00:23:46] Brad Nigh: Who can say we don’t have the most exciting

[00:23:49] Evan Francen: topics to talk about. I get I get jazzed about it. But yeah, people, people I don’t know that it was they were actually very engaged. The title of the presentation was why then I just went through, you know, I love that book by Simon Sinek. If you haven’t read that book, please read it. It’s just

[00:24:07] Brad Nigh: yeah, it put so many things like they just clicked like, oh yeah, that’s why I’ve been doing things the way I’ve done alright. It just it made, Yeah, put that puzzle together.

[00:24:20] Evan Francen: Absolutely. It’s not a, you know, it’s not a security book to to kind of say everything.

[00:24:25] Brad Nigh: Yeah, little bit of like a self help type of here’s why you’re why you’re doing the things you’re doing

[00:24:32] Evan Francen: right, totally. So I uh so the presentation was why, you know why 3rd Party information security risk management. And you know, so what’s the purpose for some people the purpose for third party information security, risk management is defense ability. They want to be defensible if a bad thing happens, some people actually want to do it, right? So it’s truly about risk management. Some people understand how you can’t separate third party information security from enterprise information security. They are integrated pieces. So it was, you know, and this was a 20 minute talk. It was let’s define the why together um this is what generally it is, this is what it should be. So and I used logic in this talk, which I love, you know, you know me, I love logic. So I said uh I basically walked through, this is what information security is. This is what third party information security is. This is how they fit together and you can’t separate them. So you can’t say you you take information security seriously at the end of the logic, you can’t say that you take information security seriously. If you don’t take third party information security seriously. Yeah, that’s a good point. So it was a good talk. And and the feedback at the end of it was good. You know, people I didn’t get I didn’t get booed either, I think I think they clapped, I don’t remember. Um it was good.

[00:26:01] Brad Nigh: So I did look it up. It’s computer audit control and security. Can you see a CN control?

[00:26:08] Evan Francen: Really? There you go. So that’s what I did computer audit in controlling. So talk to him. Well and then uh you know after that we there was a book signing at our booth, Which was awesome. We have we only brought 150 books and they were all gone. But I met I had 22 questions that I asked everybody who came to our booth for a book signing was where are you from? And what do you do? And met people from Nigeria? Portugal, Belgium, Netherlands Germany, spain Colombia. I mean yes, all over. It was so cool. And uh and that was the whole point. The whole point of the book wasn’t to sell books. The whole point of the book is to spread the word, right? When you think like somebody in Nigeria might actually read this thing. Are you kidding me? That’s beautiful. I love it. So

[00:27:04] Brad Nigh: that’s why our marketing group is Sophie like he’s just giving them

[00:27:09] Evan Francen: away. I know, right? That’s what I do. Give stuff away. All right. So that was the talk on, it was monday, monday. Yeah. Then flew back and then to talks on Wednesday and both both of them are the same talk. It was the first one was at La flor tech fest, which was at ST paul River Center. Um Good venue. There’s a good venue and and and there were a lot of people that I would say there was probably 1500 people. Maybe that’s good. Um Yeah, maybe. Probably maybe even more because P. J fleck the golden gofer football coach was the was the keynote and I stole his bed. That’s always fun. Well because somebody said I couldn’t do it. And I was like, it’s like my wife said I couldn’t build a closet closet seriously, come on. Yeah. So yeah, I know I did was just went up to the desk and said, somebody says that somebody thinks that I can’t get this badge basically or something like that. So can I just take it and show them that I can actually get it? Sure. Mhm. To just use brutal honesty. And then uh yeah, I brought it back though. Nobody, I mean I can’t I’m not going to pass myself off as petrol flak. Yeah, heavier. Um uglier more facial hair. So ignorant. It was fun. So speaking this one, so this talking at la flor was speaking information security. And the point here, which doesn’t sound like a sexy topic, but I really enjoyed giving this talk because this gave me the ability to really preach what our mission is and preach it pure. Yeah, I enjoyed that. So what I talked about, I talked about, okay, so I just started with um same thing I’ve talked about a million times. Information security is yeah. Is what? And it’s interesting how yeah, nobody wants to raise the hand. You know, I was did they give the same talk at secure 360 which was all security people and nobody, nobody raised their hand. I’m like nobody said, you know, when I said the information security is what,

[00:29:35] Brad Nigh: see if I were in the audience and nobody raised her hand. I’d give some sort of a totally wrong answer just to try and throw you off. That’s who I am or

[00:29:45] Evan Francen: just give me a yeah, we’re just gonna smartest answer, right? I’ll take anything. So you know, I walked through, you know, information security is managing risk.

[00:29:53] Brad Nigh: I was going to say it it’s protecting against cyber threats only. Well, yeah, yeah,

[00:29:59] Evan Francen: cyber always cyber cyber cyber cyber cyber cells, cyber cells, cyber cyber sexy sells cyber cells sexy.

[00:30:07] Brad Nigh: Yeah. See through you off now.

[00:30:10] Evan Francen: I know. Yeah, I love, I love that. I love when people use cyber to you on something, it’s not really supposed to be used with. So information security. So I walked through, you know, it’s managing risk, not eliminating risk, it’s not compliance and then managing risk. And what? That’s another one of those words that’s just, it’s overused. It’s frustrating because if you and I are going to work on something together, we should have an understanding of what it is we’re working on. And so when I ask what information security is and people just blankly stare at you right? Maybe they have a definition, but they’re not, they’re afraid that they’re afraid to say it. But you know, they’re not afraid to say other stuff, right? You know, I mean during the talk I’ll ask other questions and they’ll they’ll pipe in for that. But yeah. And it’s so weird because it’s like it’s like what we do, right, right. I can’t get easier

[00:31:09] Brad Nigh: than that. What would you say you do here? Right. Right. Nobody answers.

[00:31:13] Evan Francen: So we walked through the talk about, you know, information security, managing risk and then, you know the types of controls and what’s risk and you know, likelihood and impact, you know, and it’s funny because I asked the same thing about risks, it’s such an overused term and I say, you know what is risk? And again, nobody won’t somebody sometime it’s a board game. They do. I have heard that before. Not maybe it did last Wednesday but somebody you they get closer on this because once said probability, I was like yes, I think that’s close and then somebody else well doesn’t have to take into account like uh like how bad it is. I go you mean like impact? They’re like, yeah, there we go. There you go. There’s your definition. But then I think that’s too high levels to apply like just likelihood and impact. What does that actually mean? Yeah. You know, how do I do

[00:32:12] Brad Nigh: that when you were saying that? I think, oh I had a good point. Um shoot,

[00:32:21] Evan Francen: I don’t remember what I was saying. Impact risk, board game impact.

[00:32:25] Brad Nigh: Yeah. Well I think, I think it goes to that we don’t, we make it too complicated a lot of times, right? You just keep it simple. It’s not yeah, it’s not over thinking it, right. I think that’s a very common. I think you’ve got a lot of people that in this industry better to be very analytical look, you know, and they overthink no, this is all it is right. You don’t have to make it more complicated than it really is. That’s

[00:32:56] Evan Francen: very true that and I think we just take stuff for granted. Yeah, we just take, you know, everybody knows that information security is, but do they?

[00:33:07] Brad Nigh: Nobody here had a

[00:33:08] Evan Francen: definition, right? I asked. And you guys all sat there one. So, uh but you bring up a good point about the the overthinking because that’s one of the things I’ve heard before is um you know, when I when I want, I’ll give a talk that they’re like, yeah, that’s so basic and I’m like, yeah, but you’re not but you’re not doing it. I understand it’s basic, but why would I go to these complicated things if I don’t understand the basics, I don’t have that foundation.

[00:33:44] Brad Nigh: I know I’ve done that and it’s like you get just almost like that paralysis by analysis and then it’s like, wait a minute, what am I doing? What was the first thing I came up with? Oh yeah, no, that’s probably what I should do. It’s just start with a fundamental and dot doesn’t have to be

[00:34:04] Evan Francen: right because you can take any one of these, right? So when I go from likelihood and impact, I always start with because likely to impact our functions of vulnerabilities and threats. Right? That’s where I can apply it. Right? So what, you know, vulnerabilities are just weaknesses. And I always start with vulnerabilities versus threats because I understand myself better than anybody else. Hopefully hopefully exact well, yeah, you gotta get honest. Right. And sometimes people don’t like to get honest either. They don’t like to call. You look in the mirror.

[00:34:35] Brad Nigh: I know all my vulnerabilities. I have no asset management program.

[00:34:39] Evan Francen: Exactly. Exactly. So you take, you know, some vulnerabilities and what, you know, administrative, physical and technical controls and so on the basis. You know, you can take the basics of administrative controls, right governance policy, risk management function background checks, asset management on and on. These are the basics of administrative controls. But if you want to get deep and get complicated, you know, and get more sophisticated, you certainly can do that. But why would I talk about individual procedural things or psychology and my training and awareness program? If I don’t have a training and awareness program, I don’t have a policy. Right. Right. You do have to start with that foundation and then build on it because you can get because I think the most uh uh intriguing part of information security for me is administrative stuff. It’s the people part because technical controls aren’t that hard. No, it’s on and off one’s and zero’s whitelist over blacklist, I mean

[00:35:42] Brad Nigh: it’s configured or it’s not. It stays right. In theory. As long as people are, people aren’t messing with it, it won’t change.

[00:35:50] Evan Francen: But it’s that people part man, I was talking to somebody. They were they said that they were wanted to get into security and I was like, oh no, it was skylar. And he’s like, yeah, you know, I got a degree in psychology and like bro bring that into security because we have a lot of need still for figuring out the psychology of security. And I know that there’s a lot of ground breaking research, but that’s that’s the key.

[00:36:18] Brad Nigh: Yeah. And and yeah, if you understand how people work, it makes your it open, it opens up a lot of opportunity for time, you know, improving things

[00:36:30] Evan Francen: big time. So start with vulnerabilities and then you apply threats and where do you get threats? And then you can get that anywhere. There’s all kinds of threat feeds because I think people also generally don’t like to look at themselves in the mirror critically. So because you see a lot of organizations that are subscribing to threat feeds, They understand, you know, some things about threats yet their controls are crap. Right? Why don’t you start with vulnerabilities, don’t you start with your controls first and then apply the threats to those things.

[00:37:02] Brad Nigh: Yeah, I know all my threats, but I don’t know where they applies,

[00:37:08] Evan Francen: right. Yeah. And so you see you also see a lot of, you know, you’ve seen a number of assessments over the years and so by um, and usually they’re not risk assessments Because they’ll use things like the capability maturity model, which is a 1-5 scale um which is really capability maturity model ruling only applies to vulnerabilities, the effectiveness of the control it doesn’t take into account the threat piece. So then it can’t be risk no. Just by the definition. And I’m literally on this stuff because we have to be have to. Yeah. And that’s what the whole point of the talk was really was the language of information security. So I talked through that and then so you come up with this definition. This is what information security is. And everybody is nodding their heads now it was pretty easy on the people that aren’t in my tribe meaning the I. T. Folks at la flor tech at the tech fest. I’m like, all right. You know, we’re feeling it now at the secure 3 60 was a different vibe. It was like you guys are all nodding your heads in agreement. Where were you when I asked this question at the beginning? Yeah,

[00:38:18] Brad Nigh: because I don’t that said anything now you’re saying. Yeah,

[00:38:21] Evan Francen: that’s right. Because I get that all the time. I get that a lot. I get the head nodding and it’s like, well then do it. Like if you talk about asset management and how important it is to the information security program. Everybody is nodding their heads. Yeah, I agree, agree. Let’s go. How many of you then have a good solid asset management program and all the hands come down. Why? Why the disconnect you all agree that this is critical to your information security program. Yet you’re not doing it right And there’s all kinds of reasons. Well, it’s hard, it’s it’s dirty work. You know, there’s not a lot of blinky lights there there are some tools now that you can go and buy that are blinky lights if you use them right? That you can get a pretty good asset inventory at least to start. So anyway. Uh So I use that definition then for our tribe and then I correlated that to what about people that aren’t in our tribe. So if we agree that this is our language for information security, in our industry meaning amongst us security people You see because I can have a discussion like this with you. I can have a 30 minute discussion about what is this? I don’t get that same opportunity with the executives. I don’t get the same opportunity to the board of directors. You might get five minutes. That’s what I always should’ve shot for five minutes. If I can do this in five minutes, man, I win I think. And

[00:39:44] Brad Nigh: even invite me back even more important than the five minutes. Is that At 1st 30 seconds. Right. Right. If you go in super technical or whatever, they tune you out immediately.

[00:39:54] Evan Francen: Seeing them pick up their phones

[00:39:55] Brad Nigh: or Yeah, you got to get that Right, that initial 30 seconds is critical and then you’ve got maybe five minutes after

[00:40:03] Evan Francen: that. Exactly, yeah. So I take that. So our tribe, that’s our definition and then Okay, so what can we get to resonate with executive management? And that’s when I went into the Fisa score and the reason I went into faisal score wasn’t too self ISIS scores, because after I talked about that, I mentioned how we’re going to make the Fisa score free, which was the first time I’ve mentioned that to anybody outside of our security. I don’t think I even made an official announcement to people at fr security security studio. I think I just like I’m doing it.

[00:40:35] Brad Nigh: Yeah, I don’t think there was any official we’re going for it

[00:40:39] Evan Francen: surprised. Yeah. So the reason why so, but I felt like I had to do that because I don’t sell stuff. I’m not a salesman, ma’am. I am truly trying to help fix this broken industry. And so here’s our definition of information security. Here’s something that uses that exact same definition that we represent with a numerical value so that I can go to the board of directors and in five minutes I can tell them this is your current value. This will be your future value. This is when you’ll get to that future value and this is how much it’s gonna cost. So those four things. So then executive management knows or the board knows where we’re at, where we’re going, when we’re going to get there and how much they can hold me accountable to that. And I can also hold them accountable because they gave me the, the edge of the risk decisions to enable that to happen. You know what I mean? Uh, so, you know, I talked about Faisal score and in the free nous of it all, you know, a free risk assessment for people that are, you know, freaking out about that, which, you know, it’s, we’ve got 1500 Fisa scores on the street, right? The goal is 4.8 million. A little bit of great. Yeah, we got a little bit to go still. But there are some people who do make money off of doing crisis scores For their clients, right? We have 15 partners. Right? And so I wanted to alleviate some of their concern to in this talk about what do you mean you’re giving away for free? I mean, we have a practice built on this. Cool, prepare yourself. Well, part of it’s that part of it is the Fisa score is free. But you have to understand that if I’m assessing myself, that’s a non validated, there’s no third party who validated and said yes, that is accurate.

[00:42:30] Brad Nigh: Are you saying that people give themselves the benefit of the doubt. I’m gonna be a little bit nicer

[00:42:36] Evan Francen: about it. For sure. Yeah, and some just straight out a lie. So I talked through that and then also in the same, you know, talk it’s uh the third dynamic with our language. So one was within our tribe, one within our tribe in what I call normal people, which is the stop the topic of the second book that’s coming. The third is how do I translate scores or how do I translate languages? It’s not, it’s not like german is better than english, which is better than, you know, french.

[00:43:09] Brad Nigh: They’re just

[00:43:10] Evan Francen: different, they’re different languages, right? So some organizations may not speak face to score, they may speak, so they may speak N I S T, they may speak Corbett, you know, whatever language they speak, then you need to have a translation between the languages and and so Well we built a translator invent defense, but there are other translators out there as well and that can translate these languages. Uh, so that’s the last, obviously the easiest would be if two people spoke the same language. So if our company spoke faces Score and Company X also spoke to score. Well then just share scores. Yeah, simple, there’s no no translation required. So I talked about that um, in that presentation and like I said, I gave the same presentation twice that day. It was interesting because both of them different audiences. I think both of them were very, a lot of people come up and talk to me afterwards. I think some people are skeptical because they’re so used to being sold

[00:44:15] Brad Nigh: stuff. I’ll be honest. You know when you first mentioned it to me, my first thought was Evans lost his mind and then you know, the more we talked about and yeah, just giving it away. What? Oh wait a minute. It does make sense for our mission. I think so. And

[00:44:37] Evan Francen: uh huh. Yeah. Yeah. That’s what we do right? When it should help people realize the commitment to the mission. Because you know, the theory has always been you know in business, this business that if we stay focused on the mission will make money. All right. We’re not going to starve. Um whereas if we focus on the money, we would never accomplish the mission. So that’s why,

[00:45:02] Brad Nigh: you know, well and you know, it’s not, you know, there are other things around it that we can tons do. So it’s not, there’s no shortage of work to do. I mean, you know, and you talked about the validation, peace and banking and healthcare and for insurance purposes and things like that. You have to have an independent assessment. So

[00:45:25] Evan Francen: absolutely want someone else to fix all this stuff

[00:45:27] Brad Nigh: and then right. So yeah, it makes sense. Right. You can go and where am I at? Oh, I’ve got a lot of work to do and either work towards it and then get that validated or

[00:45:39] Evan Francen: Yeah. And the eventual green for some day the eventual goal is for some day for the all for the assessments to be free. Even the validation that’s a function of data. If we had good solid data which we don’t in this industry about vulnerabilities and threats you know in a more I think global scale then we could get predictive we could do some analytics so that way I wouldn’t have to waste two weeks or a month for an assessment. Yeah I could almost have an assessment validate that piece which would be pretty easy and then get to work on fixing stuff which is really where the value is. Just telling me where I’m at. Yeah that it opens my eyes and things but nice myself to make it better. Yeah. Yeah. So then

[00:46:33] Brad Nigh: the work doesn’t end. It’s not like oh God no.

[00:46:36] Evan Francen: So the things things that are coming you know with all this you know we’re gonna be going on a roadshow. 3rd 4th quarter of this year probably more fourth quarter um where we’re going to be taking this language to everybody you know

[00:46:53] Brad Nigh: What’s that? Oh no

[00:46:55] Evan Francen: the second part is the community involvement program. So even vices score itself shouldn’t be owned or managed by a few. It should be owned and managed by the community. So we’ll be working on figuring out how to get everybody involved in future development and refinement and right awesomeness.

[00:47:18] Brad Nigh: Yeah. You know we talked about you know do you have a the community group and you have to be be approved to get in somehow. Right? You have a C. I. S. S. P. You have a C. I. S. M. You have some sort of certification. We can validate that. Yes. You are at least qualified to talk about these things.

[00:47:38] Evan Francen: Yeah. And then the community polices itself. I mean Wikipedia. Right.

[00:47:43] Brad Nigh: Right. Yeah. There’s a ton of of good kind of those knowledge bases out there that they do it like you know from an I. T. Perspective. Spice works comes to mind right there. Community is really well self police. You can tell who the experts are, things

[00:48:00] Evan Francen: like that. So it was a really good talk. I mean they went well twice. um the second one was interesting because it was like I said it was secured 360. It was the end of then I started off I like to insert a lot of humor, you know? And so I was like, you know when you have this big party and you’re it’s coming to an end, right? And it’s time for people to kind of go home. Um And so you’re kind of trying to shoo them out the door. You know, I’m like they’re everybody’s head nodding there and I go that’s you. Mhm Because you’re still here at 4:00 and why are you still here? Yeah. So that was fun. And then uh my last talk was on thursday morning Keynote at this uh I don’t know what you call it. Um Minnesota community colleges, state colleges uh faculty okay I. T. Conference and uh and I had a talk already created that I created last weekend. It was seven facts about unicorns. And then I was on my way driving there in the morning. Uh huh. And I figured out I felt like I didn’t want to talk about that so I changed my mind. Uh so I pulled over in a caribou coffee which is you know people are around here from around here that’s a coffee chain like Starbucks but here and rewrote my presentation on the way to give the presentation it was just dump. But the good thing is I had good content already sort of in mind. So what that thing up and give talk about 38 because I’ve you know that we I’m doing this 100 truths about information security. It’s funny because I’m not getting it. I’m not getting really anybody pushing back on these things. So they must I’m assuming that people must agree with them. So I was on that time that day I was on day 38. So I covered the 38 truths about information security of 100. And it was really good. It when it went over really well I met and then after that talk was to present no no no to others Ryan man ship from Red team security crap and I can’t remember the other lady, the lady’s name. Anyway, we were on a panel and uh, it was a really good panel discussion. Uh actually I might ask Ryan if he wants to be a guest on one of our Future podcast because I think it be interesting to hear. Uh, because you know, I guess in the traditional sense their competitors, but who cares? Let’s work together

[00:50:51] Brad Nigh: as I was talking about with uh, you know, a couple other people That there were vendors had secured 360. It’s like, let’s work, there’s there’s no shortage of stuff to do, right? Right. And we’re gonna have expertise that you don’t, you have expertise that we don’t let’s let’s figure out what we can do and help each other. That makes it right for

[00:51:15] Evan Francen: for the client. Exactly. At the end of the day, what’s best for the people we serve? Right. And what’s best for the people we serve is for us to be on the same page for us to do things in similar ways. Similar methods. I mean, seriously, there should be no intellectual property in common commodity type testing and things, right? Even high level,

[00:51:38] Brad Nigh: right? Even like pin testing, you are selling the value of your tests are and what experience they have. But the tools, there’s only a like there’s a limited set of tools. There’s not

[00:51:51] Evan Francen: right. And some people are developing their own tools find that that’s Red Team type testing and you pay a lot for that. And those things you wouldn’t necessarily collaborate on. You know, if you’ve got something, some secret sauce really there. But if you have some secret sauce, don’t you think Attackers have your secret sauce or some flavor of your secret sauce? And so when the community benefit by knowing the secret sauce is that you have, so that

[00:52:21] Brad Nigh: right?

[00:52:22] Evan Francen: So we can plug ourselves, you know, plug holes. So, but it was good. It was a good talk I think, uh, because Ryan and I had never met before. Um, and I think we had some misconceptions about things because you know, it’s just natural when you don’t talk, you know, you think, uh, oh, I know who you are based on what I saw on the website and whatever. All right. So that was the talks, that was the panel that was classes. My God, it was a long week. This week isn’t going to be as long. I don’t think

[00:52:56] Brad Nigh: you’re on your own list Wednesday.

[00:52:58] Evan Francen: Yeah, yeah, yeah. You’re going to celebrate uh, your daughters accomplishment. Yeah, pumped man. So that when you have smart kids,

[00:53:09] Brad Nigh: Yeah, yeah, they do their homework. They are like super on it. And like where did you get that from? Because that’s not what I did

[00:53:18] Evan Francen: there raised well, come on you and your wife do a good job.

[00:53:22] Brad Nigh: I’ll give her most of credit on

[00:53:23] Evan Francen: that. See that’s part of part of the skill, man. Being humble. I love it. So, all right on the news. Uh, some sort of big news Microsoft had their worm warning this last week. Uh, and it was kind of all over so you can choose whatever news story you want. It’s a big one, whatever source. Right? So C V A C ve 2019-708. A vulnerability in the remote desktop services, which doesn’t require any authentication doesn’t require any user interaction. It’s like the perfectly made vulnerability for a worm. Yeah. Well, you know, it’s crazy how, you know, this thing has been in the wild. I mean, yeah, this goes back into versions back XP. They’re even going to issue a patch for action.

[00:54:15] Brad Nigh: Yeah, that’s crazy.

[00:54:17] Evan Francen: Right? So it’s like, thank God this hasn’t been exploited. Didn’t nobody catches. Right? And we would pretty much know if it was exploited because worms aren’t quiet. No, they spread fast if you haven’t patched. My God, patch, if you’re running XP retire, I’m just kidding. Maybe. Well, there are some XP systems out there still. I mean, I’ve run there’s a lot of occasionally

[00:54:43] Brad Nigh: there’s some embedded XP as well that’s still supported. But yeah, I know there’s legacy systems that, you know, business is just you can’t get rid of because

[00:54:55] Evan Francen: I’ve seen it in public utilities, you know, an XP controller system and

[00:55:00] Brad Nigh: software is supported on anything else

[00:55:02] Evan Francen: when you can’t upgrade it because upgrading. It would be down time and you can build redundancy in the system so you can’t afford downtime because downtime would take down an entire, you know, cities. Power, minor details. Yeah, but patch do do be aware um Yeah, because it’s it’s bound to happen and it’s bound to, you know, some certain percentage of people just, I don’t live under a rock or something or just aren’t paying attention and won’t catch their systems. So there will, I would be no surprise if there wasn’t alarm anyway,

[00:55:36] Brad Nigh: pretty quick,

[00:55:37] Evan Francen: but just to make sure that you’re not part of it and it won’t affect your systems. So that was the big news. I think the biggest news maybe last week one of the others was I’m a history guy. So I like, you know, sort of reading about things that had happened in the past. And so we had this two years later. Want to cry as two years ago already. That’s crazy. I know, man, I can’t believe it’s almost june what the hell is my life coming to man? All I do is work. Oh sorry. I just, I complained a little bit right

[00:56:08] Brad Nigh: there. If you want to blow your mind, it’ll be, it’s been, it’s almost three years since I started.

[00:56:15] Evan Francen: It’s been a good three yourself. And it’s really fast. It’s like holy cow, I’m really grateful. I was just bragging about you and Oscar in particular. Uh my son was over joe was over at the house yesterday visited. And yeah I was talking about Oscar and you and I say yeah it’s gonna make it’s cool. Mhm. So anyway I want to cry two years and uh I don’t know where in particular they get these numbers but um I assume that they’re somewhat better than the numbers I have.

[00:56:55] Brad Nigh: We need to look at like the probably the showed on.

[00:56:57] Evan Francen: Yeah. Yeah maybe. Oh but according to this article I’m reading from circle I. D. It’s two years later want to cry continues to spread to vulnerable devices. Nearly five million devices affected. Well can you put that into context? five million isn’t? Big percentage of systems? No. So the fact that it’s still out there in five million. The number itself seems large in context with everything else. It’s

[00:57:25] Brad Nigh: it’s enough to cause a problem but

[00:57:28] Evan Francen: it’s a small number but according to the malware bytes research um Eastern countries are the most at risk India. 727,000 Indonesia 5 61. The US 430,000. So we have 430,643 people here in this country that you share the roads with every day they haven’t patched in two years infected with wanna cry. It’s like my God. Mhm. How do you find these people Russia? 356,000 Malaysia. 335 and so on. So you know it’s still out there, which is not surprising, I think there’s still variants of melissa.

[00:58:13] Brad Nigh: I’m sure I’m sure people still get the like, I love you or something.

[00:58:17] Evan Francen: Right? Exactly. Code red bumps around somewhere. The next one I have is a hacktivist attacks dropped 95% since 2015, which it is yeah. Because in 2015, 40 years ago they were sort of disruptive, you know? Uh This is some research by IBM in this article, This is zd net and the title is hacked of it. The title is hacktivists. Hacktivist attacks dropped by 95% since 2015 and they’re blaming it on two things, the death of anonymous, the hacktivist collective itself. Um And the second thing is, what the hell was it? Uh I don’t know, increased law enforcement activity on, focused on hacktivists, uh which is interesting that the law enforcement community itself can focus on anything because there’s just so much going on for them. Right, Right. I mean, are they are they focusing more on activists or more on, you know, dark web stuff and taking down, you know, uh some of the markets, God knows, I mean, and then dealing with all the be ec stuff, the email compromise stuff that we see with fraud and ran somewhere and it’s like yeah, and then just your normal run of the mill credit card fraud things, you know, I mean law enforcement that they got a lot of work and you know those guys are busy. Really really good people. Um Yeah but anyway hacktivist attacks were dropped which is you know I wonder because it wouldn’t be hard to start something and in today’s political. Yeah I’m I wonder that is interesting. I mean how hard would it be to have they gone organized a bunch of people who see the world the way I see the world and just get angry about it and want to attack the other side because we’re so divisive.

[01:00:28] Brad Nigh: Yeah. Be interesting. Have they gone too? You know the black hat side or they may be you know I got a job right because there’s such a shortage and you can’t really it’s not worth risking your career to do this because now you’ve actually got employment doing those things I don’t

[01:00:49] Evan Francen: know. Alright, next article was Bruce schneier. This is on his blog. Schneier on security. And interesting how uh in March and we we heard about this in March but he wrote about it just last week why why are cryptographers being denied entry into the U. S. And one of the things uh Adi Shamir the S in our PSA was denied entry into the United States to attend the R. S. A. Conference which which was a big deal. You know for people that are say because obviously he is the S. And R. S. A. Plus he was there too I think on a panel or to give a talk. So he was a featured guest there. Um and it’s Israeli it’s like Israel is I didn’t think Israel was an enemy country or anything, so and he’s been here before. Right. So anyway, anyway, Bruce talks about um you know the big just kind of his thoughts a little bit and like Bruce’s most of Bruce’s posts on this um his blog, you know, you only wrote, writes a paragraph and then you read the comments because he poses this question and then people comment on the reason. So I think there’s more interest in probably reading the comments than there is in the blog post

[01:02:24] Brad Nigh: itself usually seem to be pretty quality comments to there’s always gonna be some

[01:02:31] Evan Francen: abortion is such a little g God in our industry, you know what I mean? He’s contributed so much. Good stuff. Uh The last is the team viewer breach um so late last week I think there was a report revealed. Uh this is an article from the hacker news which isn’t a source I use a lot but I happen to be the one I grabbed Report reveals. Team viewer was breached by Chinese hackers in 2016. Yeah, yeah

[01:03:05] Brad Nigh: went and knowing I think it kind of goes along that and it’s a little bit more of a pucker factor is the whole anti virus. Uh So they said reported semantic mcafee and trend micro source code compromised, they’re important protection so that that will be uh I mean, I’m really interested in seeing the details around. Yeah, but it’s probably gonna be a while before we

[01:03:36] Evan Francen: Yeah. And it’s interesting how that didn’t grab as much press as I would have expected, but there’s maybe another shoe to drop on that. So maybe there will be one come next week. Maybe there’ll be some more news

[01:03:51] Brad Nigh: because that’s a that’s a that’s a potentially huge

[01:03:54] Evan Francen: deal. Big time. Big time, right source code. Uh arguably the three largest, um, you know, anti malware. Yeah. Uh Anyway, all right. So that does it for this week? Last week, crazy week. Hopefully, you know, listeners got some some uh benefit out of listening. I will be posting, I’ll create a series of blog post this week on each one of the talks that I gave so I can share my slides and you know, if anybody wants to reuse or whatever, you know, feel free to take it. But watch my um my my site, Evan francine dot com and you can grab those slides and get kind of a synopsis. A lot of the stuff we talked about. Uh that’s the meat of the show. What should we look like this week bread and anything.

[01:04:45] Brad Nigh: I don’t know. I haven’t looked at my calendar.

[01:04:47] Evan Francen: No, same with me. You know, I have Denver in there somewhere

[01:04:50] Brad Nigh: now. It should be good. I’ve got some time blocked off for working on things or is it a response stuff? So cool.

[01:04:57] Evan Francen: And I’m behind like usual so I can try to get something kind of all right. Other than that, thank you Brad. Don’t forget you can follow me or brad on twitter. I’m @EvanFrancen and Brad is @BradNigh email us at the show unsecurity@protonmail.com. Love to hear your thoughts and comments. That’s a wrap.