The Security Shit Show


Information security is mostly a shit show, so we made the Security Shit Show. This is the place where shit gets real. No filter. Straight talk about shit that ain’t right in the information security industry (or life in general). Three industry expert


    • Latest episode: Jul 11, 2022
    • New episodes: every other week
    • Average duration: 1h 58m
    • 83 episodes



    Latest episodes from The Security Shit Show

    Episode #97 Head in the Clouds

    Jul 11, 2022 (95:05)


    Why going to the cloud means more work for security, not less: shared responsibility is 100% your problem.

    - Am I going to treat this like a green field, or the next dumpster to throw the data, systems, and stuff we can't deal with in real life?
    - What are my expectations? (planning, timing, longevity, migration, business, etc.)
    - Will we use it as an enclave to simply separate developers from anything else, or vice-versa, OR will we take a stance and work with ALL the teams to build it out successfully?
    - DOES my cloud governance align with the rest of my business and technology policies and goals?
    - AM I willing to implement the recommendations that most cloud providers offer TO make things safer and more secure?
    - Can I manage the audit and compliance of a new world, and HOW will I integrate it?
    - Speaking of integration, WILL my business and technology actually function IN/WITH the cloud?
    - The cloud is MUCH more than someone else's computers OR a spare data centre, but it still has to live somewhere, so WHERE does it live, and HOW do you get to it?
    - Where's YOUR staff, how do they talk with the cloud, what controls, management, etc.?
    - How much control will I have over my data in YOUR cloud?
    - Who's got access TO my little slice of the cloud, hardware, system, bare metal, data, etc.?
    - How do I (OR who's going to) monitor YOUR cloud infrastructure, and MY systems for access, etc.? And if it's on your side, do I get to see the logs? What are the charges FOR monitoring, SLAs, etc.?
    - Who's managing the encryption for my data? If it's YOU, then where are my keys? If it's me, what help, etc.?
    - I don't want to catch cooties from YOUR other clients; how do you maintain separation/segmentation?
    - What options exist to back up my data, my configs, and what happens if YOUR systems go down?
    - What areas of the technology, services, systems, and environments fall into shared responsibilities?
    - Who has to deal with what when it goes wrong? Who gets to point fingers, and who has to fix things (AND what timeframe, etc.)?
    - ALL my data belongs to YOU… what happens about uptime, distribution, redundancy, AND company stability? Technology roadmap in here too.
    - What dependencies, partnerships, and vendors do THEY rely upon?
    - Let's talk security, compliance, regulatory stance, etc. What do you have, AND how do you maintain it?
    - When we fall OUT of love, what happens, how do I migrate, what options are out there (and costs, etc.)?

    Episode #96 Dude where is my data

    Jul 7, 2022 (108:30)


    Information security tells us that the job is all about protecting data: protecting the confidentiality, integrity, and availability of the data, ultimately to protect the human(s) the data is about. On average each human creates 146,880 MB of data per day, for a staggering total of 1.145 trillion MB a day, or 2.5 quintillion bytes. WHOA, that's a lot of data. Where is all this data coming from and, more importantly, where is it going, who has it, and how is it being used?

    How do I know my data is safe? How do I know I can trust that it is accurate?

    How do I know where my data is, has been, and is going?

    How will my data be used to manipulate and/or harm me?

    DUDE, where is my data? And what are you doing with it?

    Episode #95 So, what is it that you'd say you do here?

    Jul 5, 2022 (130:45)


    Lots of us say that information security is EVERYONE'S responsibility. While this is sort of true, we use this as a copout more than anything else. The truth is, everyone has information security responsibilities, but information security is NOT everyone's responsibility. See what we did there?

    Everyone has information security responsibilities. So, let's start at the top and work our way down. The Board of Directors, the CEO, other C-Levels, etc. Hey, CISO, what is it that you'd say you do here? The quality of your answer might say everything we need to know. You either know or you don't. If you know, share the answer with us (simpler, shorter answers are usually an indication of mastery, just sayin'). If you don't know, that's OK, BUT ONLY IF you don't pretend you do and you seek out the answer.

    Now that we got that squared away, MAYBE we can figure out what everyone else's responsibilities are. If we don't get this right, how the hell are we going to hold anyone accountable? If we can't hold anyone accountable, how the hell are we going to get any better?

    Episode #94 Top 10 Let's talk Baselines

    Jul 1, 2022 (90:30)


    Let's talk intelligence, machine learning, quantum, and ALL the various future technologies, and the things we should be asking OURSELVES and OTHERS (our vendors, partners, suppliers, etc.) as we go forth into this brave new world...

    Episode #93 All this quantum talk has me entangled

    Jun 29, 2022 (115:05)


    Every day we inch closer to a new computing reality: the arrival of commercially stable quantum computing. We hear about this new disruptive technology that, when unleashed, will break the world's strongest encryption in nanoseconds. That is a very scary proposition for any info-sec professional.

    There is work being done today to make quantum-resistant encryption, or so we hope. It is already difficult enough to secure and keep up with the systems that make up our modern world. Systems that are overly complex and running trillions and trillions of lines of code just using 1's and 0's, systems we already fail to protect every day, in part due to the complexity of them.

    If you think current technology is complex and at times confusing, you haven't seen anything yet. Quantum introduces a whole new level of complexity and way of thinking about what is happening, and why.

    What does this mean for us in the information security industry? Will future system admins need PhDs in quantum physics and discrete mathematics? Will we all need to get our CQISSP? Can we secure quantum? How will our world change? What new things will we be able to do? How will quantum be abused and misused by criminals and nation states?

    So many questions, so few answers. Tune in for a fun discussion on the impact of quantum computing and what the grey hairs have to say about it.

    All this and more on the Security Shit Show with Evan Francen, Chris Roberts, and Ryan Cloutier. Thursdays at 10pm Central / 9pm Mountain.

    Episode #92 Math's Don't Lie, Humans Do.

    Jun 27, 2022 (124:25)


    Don't overthink this, human. Just take my word for it. Math is beautiful, math is your friend, and math is trustworthy. Math DOES NOT lie. Math can be used to figure out bank balances, areas of shapes, rates of acceleration, even the angle of the sun in Asunción Paraguay at 11:42am (local time) on May 7th, 2022. The list of useful things math can do is endless. You, human, you're a different story. You are also beautiful, and you might be my friend, but you are not trustworthy. Humans have emotions. Humans have bias. Worst of all, humans LIE! What do we do when the math doesn't match up with the story you've told? You mention risk, math (whom I trust) tells me one thing, but you tell me something different. Why?

    Episode #91 It takes a village to raise a geek

    Jun 26, 2022 (58:15)


    I'm fortunate. I am surrounded by good people who are NOT like me; they bring different experiences, lives, thoughts, deeds, and viewpoints to all of life's interactions. That pool of good people continues to ebb and flow, often going weeks, months, and years between conversations. Some are thankfully more regular, and like clockwork we sit, talk, share ideas, and breathe a sigh of relief that all IS good in the world, at least at the very table we're occupying...

    The key to raising the geek right? Don't shelter them. Don't surround them with kin, and DO put them in a world that will challenge them, force them to reconsider their views, open their eyes, and look beyond what is presented simply with first sight.

    Why this?

    Because sometimes we lose sight of what is important, what keeps us grounded, and that the world around us IS different, and that IS a good thing. It's something that we should NOT label, not poke at, ridicule, attempt to redirect with humor, or discount... OR something we should NOT let others do either.

    That village? It's family. My family.

    Episode #90 Keeping up with change

    Jun 26, 2022 (100:30)


    When I sit back and think about it, so much has changed in the last 24 months. Almost every part of our lives is in some way much different now than it was before, and in others it is very much the same old story. So how do we keep up with all this change while keeping our sanity intact?

    Even in the last couple of weeks the cybersecurity landscape has changed significantly. The world has gone from “not going to happen to me”, or “we are doing enough to be compliant”, to I need all the security and I need it now. The rules have changed, the risk has changed, the pace has changed. We have changed as a society and as an industry. Many of us have new opportunities, new roles, and new responsibilities, and for those of us who care there is too much to do, too much to take on to meet our goals, and God forbid find time to take care of ourselves to prevent burnout and dropping too many of the wrong things, disappointing ourselves and those we care about.

    Episode Seventy-Six - What the hell were they thinking?

    Jan 10, 2022 (116:10)


    We've talked a little in the past about inner voices, and how some folks don't have one (which I still find fascinating, and would offer up one of mine if you aren't fortunate enough to have a traveling companion in your noggin); however, this conversation takes it a little further. I'd like to unpack both some historic “what the heck” moments, as well as look at some of the current issues we see with folks opening their mouths before engaging their brain…. OR Is it that people still have an entitled mentality and think they can get away with it and simply apologize IF caught/found out/called out? We see the same behavior in our industry across numerous areas, from individuals grooming others, to put-downs, elitism, and denial…. (not the river) all of them COULD be mitigated if folks just paused, looked around, evaluated the situation, and then thought about things before inserting one or both feet in their mouth. Let's talk about why this happens, and why we still don't seem to be able to tackle it.

    Episode Seventy-Five - Security Shit Show New Year Special

    Jan 1, 2022 (100:16)


    HAPPY NEW YEAR!

    Join us as we wrap up and do a recap of 2021. What a year it has been, lots to unpack here. We will also be laying down our predictions for 2022: will Evan ever put on pants? Will Chris migrate his soul to the cloud? Will Ryan shut the Fark up? So many things to predict!

    Who will be the biggest breach?

    Will we finally see something other than "password" as the #1 bad password?

    How many critical vulnerabilities will be from the 90's in 2022?

    All this and more on the Security Shit Show New Year Special.

    Episode Seventy-Four - The Security Shit Show Christmas Special

    Dec 31, 2021 (92:45)


    Merry Christmas to all!! The Security Shit Show crew wants to take a moment to show our appreciation for all of you! This Christmas special is just a small token of our appreciation for you. Tune in for what is sure to be some holiday-joy-filled antics. No topic, no agenda, just some good friends, good beverages, laughs, and love. Come join us in your ugliest Christmas sweater; we may be bringing you on the show live to share your holiday joy with the listeners.

    Episode Seventy-Three - Simple is NOT Easy

    Dec 20, 2021 (79:05)


    Humans are creatures of energy conservation; it is baked into our DNA as part of our natural survival instincts. This natural tendency is what led us to invent tools to help us get more done with less effort.

    We are always looking for ways to make things easier on ourselves, usually with little to no regard for the long-term impact of such a convenience. This is true in every part of the human experience, but it's magnified 100 times in the world of information and cyber security. The reason that “Easy button” marketing works is because we all want an easier path to the win. The problem is, hard work is not easy; no magic button or set of technology can eliminate hard work. It can evolve it, move it, reduce it, but all we are doing is shuffling the hard work to some other place or person.

    For example, when we go to the grocery store it is easy to pick up our produce, meat, our prepackaged and prepared meals and put them in our cart. Very rarely do we stop to think of all the people involved, and the very hard work they put in to get that food on the shelf. Growing food is hard work; running the logistics to get that food from the farm to the store is hard work, even with the help of machines and computers.

    Information and cyber security are no different; it takes a ton of hard work to do it right. We preach that the enemy of good information security is complexity, so then simple is its ally. Easy, right?

    Simple is not easy. Simple is a ton of hard work: it is asking tough questions, digging for answers, it is building understanding, communication, documentation, trial, and error.

    Now, knowing that humans prefer to limit the amount of hard work they do, to conserve energy in case they need to run away from a saber-tooth tiger, or some other primal drivers, how do we shift this paradigm?

    We do not ask enough of the right questions; we are in a hurry to find a solution that will make it easier on us to accomplish our goals. We need to do a better job of connecting on that primal level and showing that doing the hard work saves energy and resources in the long run.

    For me this begins with speaking simply to the business, avoiding technical terms as much as possible, showing that I am as invested in helping them to conserve energy as they are, working hard to understand the business driver and value behind the ask, helping them to identify existing solutions that meet their needs, without needing to add another magic button to the environment that will most certainly not be magic or easy. Helping them to understand the impact later of convenience now.

    Most business leaders will not want to create a situation in the future where the business is unable to function because someone wanted one less step in their day.

    All this and more on the Security Shit Show, Thursday at 2100 Mountain / 2200 Central.

    Episode Seventy-Two - Tell me lies, tell me sweet little lies...

    Dec 20, 2021 (146:51)


    Let's try this again.

    Read the title of the episode. Are you singing the song in your head right now? You know, the hit song by Fleetwood Mac? Here, I'll help you out.

    If I could turn the page
    In time then I'd rearrange just a day or two
    Close my, close my, close my eyes
    But I couldn't find a way
    So I'll settle for one day to believe in you
    Tell me, tell me, tell me lies

    Haha, now you got it!

    What the hell does this have to do with information security? Well, nothing really, if we're just talking about the song. The theme for this episode of the Security Shit Show is just "LIES", not the song Little Lies, but when I started writing this introduction, I squirreled. OK, let's get to it...

    Lies are everywhere in our industry. Hell, they're everywhere in general! We ARE the Security Shit Show, so we'll keep it to information security (I think).

    Lies are told and believed so often in the information security industry, we start to question what reality we're living in! In case you missed it, Chris wrote a LinkedIn post earlier this week: https://www.linkedin.com/posts/sidrag...

    At the end of his post, he posed a question (with a poll). Which LIE is the worst we tell everyone?

    Option 1: We CAN protect you!
    Option 2: Endpoint will solve it ALL!
    Option 3: Just install “x” technology
    Option 4: “Other” leave No.x below :)

    Interesting, eh? Got me thinking... Why do we lie so much in this industry? Is it OK to lie in certain circumstances? Is it OK to lie if everyone else is? Is one lie worse than another? Do people even realize they're lying? Do we just accept the lies? What about lies of omission, clearly they aren't as bad as lies of commission, right? Am I a liar? Are you?

    The truth is... (watch the show to find out)! We're going to tear this one up and you'll enjoy the fireworks! If not, drinks are on Chris.

    POSTPONED - Episode #72 Tell me lies, tell me sweet little lies...

    Dec 20, 2021 (27:40)


    The original show (outlined below) is DEFERRED to next week. One of the show hosts was unavailable for this one.

    Are you singing the song in your head right now? You know, the hit song by Fleetwood Mac? Here, I'll help you out.

    If I could turn the page
    In time then I'd rearrange just a day or two
    Close my, close my, close my eyes
    But I couldn't find a way
    So I'll settle for one day to believe in you
    Tell me, tell me, tell me lies

    Haha, now you got it!

    What the hell does this have to do with information security? Well, nothing really, if we're just talking about the song. The theme for this episode of the Security Shit Show is just "LIES", not the song Little Lies, but when I started writing this introduction, I squirreled. OK, let's get to it...

    Lies are everywhere in our industry. Hell, they're everywhere in general! We ARE the Security Shit Show, so we'll keep it to information security (I think).

    Lies are told and believed so often in the information security industry, we start to question what reality we're living in! In case you missed it, Chris wrote a LinkedIn post earlier this week: https://www.linkedin.com/posts/sidragon1_oh-the-lies-we-tell-having-just-landed-activity-6871732134323765248-VokQ

    At the end of his post, he posed a question (with a poll). Which LIE is the worst we tell everyone?

    Option 1: We CAN protect you!
    Option 2: Endpoint will solve it ALL!
    Option 3: Just install “x” technology
    Option 4: “Other” leave No.x below :)

    Interesting, eh? Got me thinking... Why do we lie so much in this industry? Is it OK to lie in certain circumstances? Is it OK to lie if everyone else is? Is one lie worse than another? Do people even realize they're lying? Do we just accept the lies? What about lies of omission, clearly they aren't as bad as lies of commission, right? Am I a liar? Are you?

    The truth is... (watch the show to find out)! We're going to tear this one up and you'll enjoy the fireworks! If not, drinks are on Chris.

    Episode Seventy-One - You talkin' to me? You talkin' to me? You talkin' to me?

    Dec 20, 2021 (108:05)


    Every time I encounter an ego in our industry, I immediately think they are channeling their inner Robert De Niro. Or when I run into a vendor who is in the protection racket: buy my tool or else. I remember: we are here to protect people, not to provide “protection”.

    Why do we feel the need to act like gangsters and thugs, bullying our way around, scaring the people we are supposed to be protecting? Our industry is rife with extortion tactics and borderline criminal business practices, all in the name of helping, but the only thing we seem to be helping is our pockets to get fatter. When your sales strategy is a quote from Vito Corleone, “I'm gonna make him an offer he can't refuse,” something is wrong.

    You say you want to help, yet your help is behind a registration wall; your “help” comes with a constant barrage of unsolicited emails telling me how, if I just buy more of your shit, I can stop the cybercriminals. Forget the fact your own security is probably in shambles and your marketing email is how your customer is going to get infected.

    If you need to behave like a quote from a gangster, I suggest you quote Tony Montana: “All I have in this world is my balls and my word, and I don't break them for no one.”

    Remember this sage wisdom from Mario Puzo: “The lawyer with the briefcase can steal more money than the man with the gun.”

    “Listen to me very carefully. There are three ways of doing things around here: the right way, the wrong way, and the way that I do it. You understand?” – Ace Rothstein

    If we are going to keep acting like the criminals we are trying to stop, then we should have gangster names so at least there is some authenticity to our actions.

    Join Spotted Dick Roberts, Mind Fuck Francen and Pretty Face Cloutier for a lively discussion tonight on the Security Shit Show.

    Episode Seventy - Can I put that on my tab please

    Dec 20, 2021 (131:00)


    Remember those days? Remember the scene? Remember when that was semi-acceptable?

    Yea… long time ago, in a country pub a LONG ways away.

    You might still have the luxury OF doing that in your favorite restaurant, bar, pub, or location…. Heck, when you go to a hotel or entertainment location you can put things on the tab, HOWEVER in those cases they've already charged you for the room, and they DO have your credit card on file.

    Yet we think it's ok to run up a tab with people in this industry?

    We think it's ok to have folks do work for us, then invoice us, and THEN maybe pay in 30 days?

    We think it's ok to get services for free while WE invoice our clients ahead of time?

    We think it's ok to take advantage of people's kindness, and then when it comes time to pay we throw roadblocks, requests, and all sorts of ridiculous demands (can you send a canceled check, proof of a bank account, a letter from the financial institution, can you copy 4 people from accounting, and BTW one is on holiday for the next 2 weeks, etc.)?

    This is something that's affecting me at a personal level, and I don't think folks realize, understand, or simply want to acknowledge that we ALL have bills to pay, we ALL have folks depending upon us, and we ALL value our time, services, and work efforts to a point where you don't get to take advantage of them for a month or two before paying at least something FOR those services.

    Not only that, when was the last time you called out a plumber, electrician, or other professional trade, and when presented with the invoice explained that you'll pay in 30 days IF they provide you with 3 references, their first born and a blood sample? They'd rip out your new shiny HVAC unit and walk off in disgust. Same with any contractor coming into your home: they have expenses, costs, systems to purchase, and don't need your numpty ass defaulting on things.

    It's risk management 101 and we ALL have to deal with it. SO, next time someone sends in an RFP, SOW, LOI, or document asking for some of the funds up front, realize it's because they're also human, they rely upon income, and YOU are a risk to them. Treat them like a human and don't be an ass about paying up front for a portion of the work effort; after all, BOTH parties are risking something. Yes, you can get something for nothing, and yes, many of us want to (and often DO) help, often putting mission before money, but that doesn't put food on the table… that invoice you have DOES… remember that please.

    And no, you can't put it on your tab….

    Episode Sixty-Nine - The Show MUST Go On

    Dec 20, 2021 (124:11)


    The show MUST go on. The show ALWAYS goes on. The show goes on regardless of your wishes and regardless of your participation.

    Do you remember signing up for the show?

    You did. Maybe you didn't know you signed up, maybe you don't remember signing up, or maybe you didn't know what you were signing up for, but you DID sign up.

    Welcome to the show!

    Now that you're in the show, get out there and show 'em what you got!

    The show is AMAZING and you'll do fine. Keep your head up, play your part, and keep your mouth shut. Play your role and you'll be fine. The show has its stars, but you're probably not one of them. The stars are only stars in the show. This is all for show.

    Some days we put on a great show, some days not so much. No matter, you still get paid (probably) and you'll be paid well (probably).

    What about those days you don't want to perform?

    What about those days when you want to quit the show?

    Go ahead and quit, but the show MUST go on.

    What about those times when the entire show goes to shit?

    When does the show end?

    The show does NOT end. The show MUST go on!

    Even when people know it's all for show, we keep on playing. Don't you get it yet? THE SHOW MUST GO ON!

    This is certain to be a great conversation between myself (Evan), Chris, and Ryan. Rachel will do her best to keep us in line. Join us LIVE @ 10pm and tell us how the show looks to you.

    Episode Sixty-Eight - What are you talking about, Confusing communication, causing calamity.

    Dec 20, 2021 (133:10)


    Words matter. Your choice of words can have a profound impact on the outcome. We love to speak OUR language, the language of tech and engineering. Our language is complex and full of unique terms; it is a beautiful language that no one outside of tech understands.

    We must ask ourselves why we would speak tech talk to non-technical people. This is like trying to speak Sanskrit to a person who doesn't speak Sanskrit. We need subtitles or translators because our language is not helping to get the message across to our users. We bitch and moan that they are not doing what we told them to do and that's why we got breached, but we are failing to realize we told them in a language that to them sounds like Charlie Brown's parents.

    Our language is full of $50 words, acronyms, negative and aggressive words, complex words that require a novel's worth of information to put into context.

    If we hope to fix what is broken, to do more with less, to increase security, to reduce risk, and make an ethical sale or two along the way, then we need to find a way to communicate that resonates with every person. Simple and understandable, easy to connect with and internalize, relatable and personal: these are the cornerstones of effective communication.

    Episode Sixty-Seven - Control the message, control reality

    Dec 20, 2021 (101:10)


    A true story with four realities (or versions of reality).

    1. The public version.
    2. The employee version.
    3. The management version.
    4. The Security Analyst's version.

    To the public, -ORGANIZATION- seems to be doing a great job. -ORGANIZATION- has a noble mission and appears to be serving the mission well. They don't think about information security at -ORGANIZATION- because it doesn't come up in conversation. All they care about is that -ORGANIZATION- is fulfilling their mission, and they seem to be treating the public OK.

    To the employee, -ORGANIZATION- is doing OK. Sure, there are plenty of challenges, and politics sometimes gets in the way, but employees like what they do. As long as employees do their job well, they'll be fine. Information security isn't a concern because the employees don't really know what it is. Just stay focused on the job, keep your head down, and you'll be OK.

    To management, -ORGANIZATION- has a mission, but personal missions far outweigh the -ORGANIZATION- one! The personal mission is to keep this job and get some kudos along the way. In order to keep the job, they have to play the game. The game is politics, and sometimes politics are cutthroat. Management spends more time defending itself and attacking each other than they do on accomplishing anything. As long as the public and the employees see management as great (or good) leaders, they'll be safe. Problem is, they suck at the job. Focus #1 is "MY JOB" (at all costs). They love the job because it comes with a lot of perks. Information security is a pain in the ass and management doesn't have time to learn about it. Who cares anyway?

    To the Security Analyst, -ORGANIZATION- has a mission and information security is (and must be) part of the mission. There are so many risks to deal with and there's not enough support. The Security Analyst is a team of one and has no support from management. People keep clicking on links, people keep choosing crappy passwords, management wants new blinky lights, and the Security Analyst can't cope anymore. The Security Analyst is not paid well (by industry standards), but they're here because they care. The Security Analyst doesn't want people to get hurt, and they believe in the mission, but they need help!

    The true reality? Most of the three realities are bullshit. To some extent, the public has been deceived, employees are misled, management is shitty, and the Security Analyst needs some support.

    The Security Analyst works at -ORGANIZATION- for the right reasons. The Security Analyst loves people and wants to protect -ORGANIZATION-. The Security Analyst wants to protect -ORGANIZATION-'s employees, customers, and the public.

    The Security Analyst doesn't want to make a name for themselves, but desperately wants to do the right thing. The Security Analyst has tried again and again to get their message through to the alternate realities, but the results are very disappointing. The Security Analyst feels it's their moral responsibility to do something. To this end, the Security Analyst sends a VERY respectable email to the -TOP MANAGER-'s executive assistant. The email is respectful, informative, fact-driven, and was NOT threatening in any way. The sole purpose of the email is to get help and to help (the public, employees, and management).

    The next day...

    The Security Analyst is called into a meeting, and here's what the Security Analyst is told:
    - "The Board and most people don't give a shit about Security and it's not our job to educate them."
    - "Our job is only to deal with internal concerns and stay in our lane."
    - You "didn't follow the chain of command and need to be mindful of the bigger picture and their concerns, and realize that (your) focus isn't theirs."

    This story is REAL. It just happened last week. Let's talk about this and the alternate realities we live in. What the hell do we do about this?

    Join myself, Ryan, Chris, and Rachel LIVE and give your thoughts...

    Episode Sixty-Six - O No Bro, don't be that guy

    Dec 19, 2021 (121:50)


    Repeat After Me:

    I am NOT a neanderthal (Even if I look like one)

    I do NOT walk around with a permanent hard on (IF you do, then you're taking too many blue pills)

    I do NOT need to treat every interaction with a female in InfoSec/IT/Cyber/Tech as an opportunity to peacock, and prove my manliness by dry humping the server rack.

    I will NOT step away from chivalry, HOWEVER, I will not use it as a shield to hide bad behavior OR ulterior motives.

    IF I don't tell Chris that he looks pretty, then there is NO place to do the same to anyone else. (And if you DO tell me I'm pretty you STILL don't get a hallway pass to do the same to others…)

    IF I cannot walk shoulder TO shoulder with my female counterparts, then I do NOT deserve a place in this industry (…and I'm on shaky ground elsewhere in society!)

    A meeting is NOT a date.

    A LACK of wedding ring is NOT an invitation to drool and act the fool.

    A wedding ring is NOT a challenge.

    I will NOT mansplain, and IF I'm going to argue, then I AM going to go and look at the awesome flowchart from Kim Goodwin.

    Done? Need to repeat it? Tattoo it on a body part?

    SO: If ANY of this is jogging a memory then y'all might want to go find that second voice and listen to it BEFORE engaging in a conversation with the opposite sex.

    If YOU are offended by this, then go look in a mirror and ask WHY.

    If YOU laughed at this, then I hope it's a laugh of clarity, and not of ignorance.

    If YOU know anyone that NEEDS to read this, forward TO them, blame me, it's simpler and I've been blamed for worse.

    IF you are a narcissist you've likely recognized yourself and simply don't care… for you I have tasers. (Although you'd probably enjoy that too…)

    If your regional, religious, back-arsed belief system has put “you” as superior, then please go boil your head, and GTFO of our industry, you have NO place here, none of us want you.

    Enough said for now, a HUGE thanks to both Christy F. and Sky Kennedy for the inspiration!

    Feel free to print, forward, blame, but FFS get the word out that this shit has got to stop.

    All for now, Chris

    Join us tonight on the Security Shit Show 2200 Central 2100 Mountain #respect #infosec #cyber #inspiration #society #technology #culture #change #womenincyber

    Episode Sixty-Five - Hope Restored Lessons From GrrCON

    Dec 19, 2021, 130:40


    "Hope in one hand and shit in the other!" This is what I was told as a child about hope, because hope is commonly associated with expectations, and expectations lead to disappointment. It was not until later that I learned hope could also mean a want or desire for something to happen, that hope is about anticipation of positive outcomes.

    Then I remembered I work in information security, an industry that at times appears to be a hopeless wasteland of soul-sucking, ungrateful people, never-ending greed, over-inflated egos, blaming and shaming and awful behavior. An industry where the vendors treat their customers like victims, while peddling rebranded anti-virus and packet inspection as next gen, and don't get me going on the "rock stars" of the industry who are high on their own farts.

    Work in this industry long enough and you will start to lose hope: lost hope that anything will change, that we can get ahead of the criminals, that we can do the right thing, that we will become diverse and inclusive, that we will help and protect those we serve, that the next generation will know how a computer and network actually work. Feeling hopeless makes it hard to get up each day and keep fighting this fight; hopelessness is hard on mental health, passion and drive start to suffer, and apathy starts to set in. It was in this spiral of negative feelings about our industry and its future that I found myself when I arrived at my very first GrrCON.

    What unfolded over the next few days surprised, renewed, refreshed, inspired, encouraged, empowered, energized and left me with a restored sense of hope. After spending an amazing time hanging with and learning from some of the kindest, nicest, humblest, smartest people in infosec, I could see we have a chance to do better, to be better, and there are some of us in this industry who are in it for all the right reasons.

    From the amazing folks at ILF to the thoughtful sessions, the openness to share knowledge, and the humbleness of some of the biggest names in the game: every person I met, from the newest in the industry to the dusty old dinosaurs (holding up a mirror), every single person was eager to help, excited to grow and learn from one another regardless of experience level. We need to take what makes the attendees of GrrCON so special, put it in a bottle and sell it as a service.

    All this and more tonight on the Security Shit Show with Chris, Evan and Ryan.

    Episode Sixty-Three - If I Were King of the World

    Dec 19, 2021, 100:16


    In the early 1970s (1971 to be exact), a group of wise men (Three Dog Night) were quoted as saying:

    And if I were the king of the world
    Tell you what I'd do
    I'd throw away the cars and the bars and the war
    Make sweet love to you

    Wise, right? Wait a second! What if I/you like cars and bars? Some people must like wars too, because we keep having them.

    OK, all that aside for now. What if I were king of the world? What would I do? In terms of information security:

    Would I fire CEOs for not doing the basics?
    Would I flog the vendor for making crappy stuff?
    Would I define what's negligent and what's not, then throw people in jail?
    Would I fire the CISOs who continue to take shortcuts?
    Would I break up the monopolies that dominate technology?
    Would I, would I, would I...

    This should be a good discussion where we can dream a little bit. How would we right the world, and how would you? Join me (Evan), Ryan, Chris, and Rachel (leading the online stuff) for an entertaining (and hopefully helpful) show LIVE on these Youtubes!

    Episode Sixty-Two - Over the hill...

    Dec 17, 2021, 145:36


    Over the hill and through the woods we go to… Where are we going? I can't recall, I may be going senile.

    To grow old is one of life's blessings, but it is not all roses: one day you wake up and find you have injured yourself while sleeping. Maybe today is the day you discover you have knees, and they are very unhappy with the way you have treated them over the years. Or maybe this is the day you realize that you can't keep up with all the new things and changes happening around you daily.

    Sometimes, as I reflect on growing older (and the older I grow the more I seem to reflect), not because I am fearful of the aging process, or because I am worried about my final outcome (hint: I love Jesus), I reflect because I ask myself what I have done to set the next generation up for success. What can (or should) I be doing with the time I have left to help others?

    In my career I have watched the birth and growth of an entire industry. I have seen how the technology we made has had a profound and lasting impact on what it means to be a human, and how you interact with the world. Those who come after us do not have this same luxury; they are lacking the wisdom earned through these gray hairs. Each year that goes by, it becomes clear(er) that I have forgotten more than I (or they) know. With age and experience came a price that must be paid. I don't know all the latest and greatest things happening, new tech, new vulnerabilities, new exploits. Who does? The good news is, it doesn't matter as much as how you deal with them. How you deal with them hasn't changed much in the last 30 years.

    Experienced professionals have stories to tell, advice to give, and lessons they learned the hard way. They have so much to share! Are we doing enough to mentor those coming up in the industry? Hopefully before our minds leave us, spending our waning days rocking in a chair reminiscing about the good old days.

    You remember yelling at people in your house, "Hey, I am on the internet, hang up the phone", or that one time we waited 4 hours for a .jpeg to download? Those were days when you knew what was on your network and could explain what it was doing. "Googling it" wasn't an option.

    I find myself pondering this question as I grow older; I ask myself about the legacy we're leaving for the next generation. Believe it or not, they ARE looking to us for guidance and leadership. What lessons have we learned, technical and non-technical, that we want to pass on? There's a story, purpose, and lesson behind every scar. In an industry that is as competitive as ours, based on secrecy, are we doing enough to equip the young'uns with the hard-earned knowledge that no book or class can teach? There's something about being in the heat of the battle. If we don't share our knowledge, then the same mistakes will be made over and over again. Maybe this is why we're still trying to get people to back up their data?

    I enjoy growing old because I value the experience I've gained and the scars I've earned. There are the joyous moments and there are the painful ones too. Like the title of one of my favorite western films, "The Good, the Bad and the Ugly". Although I may feel like a lost shoe on the side of the highway, we should wonder where it came from, how in the F it got here, and whether it still serves a purpose. I used to wonder why all the old people seemed to be cranky and fed up with the world, and each day this worldview makes more and more sense.

    Join us tonight for a discussion on aging, the impact it has on us as humans and security professionals and, most importantly, what are we doing to pass on the experience we have to the next generation.

    https://www.youtube.com/watch?v=a2__8xIIa2A

    Evan, Chris and Ryan

    Episode Sixty-One - Say Something Nice...

    Dec 14, 2021, 120:20


    I remember my Mother teaching me "if you don't have anything nice to say, then don't say anything at all", and there's a LOT of merit in that statement for various situations.... However, when it comes to our industry, and some of the companies, folks, and players INSIDE of it, I must admit I've broken that rule on several occasions.

    Which brings me to the rather splendid Osthoff Resort, sandwiched between Milwaukee and Green Bay, Wisconsin. I'm here... Surrounded by a posse of FBI agents, InfraGard folks, and businesses... THANKFULLY I'm not alone in this pickle. I've got Evan Francen and Ryan Cloutier, CISSP with me to even out the odds a little. And we've just spent the day (I'm up on stage in a couple of hours to complete the trifecta of apocalyptic horsemen) beating the living snot out of the entire industry, LOTS of folks, companies, and agencies that are in it.

    Which means we should probably end the day thinking/saying something nice. IF nothing else we need to give folks some hope (and ourselves some redeeming qualities beyond just binging the alcohol.)

    SO, this evening the #shitshow IS going to be live FROM the FBI/InfraGard stage and IF we can, we're going to find some good things to talk about. There might be some pauses, some moments of silence as we work out what IS good.... Come along, hang out, join in (we're doing audience participation on this one) AND let's see if there ARE some good things inside InfoSec (aside from the availability of alcohol, tea, and caffeinated beverages).

    Shout out to InfraGard for allowing us in! AND to the Federal Bureau of Investigation (FBI) for being nice enough to not arrest us on sight again....

    Episode Sixty - Are you driving (your computer) with a gun pointed at your head

    Dec 14, 2021, 147:30


    You know about the massive Takata airbag recall story, right? No?! Maybe? Well, we've got one helluva story to tell you.

    Takata was (keyword "was") a Japanese company founded in 1933 that started making airbags in 1988. At one time the company owned 20% of the market, and things were good. At least we thought things were good...

    - Honda knew about more than 100 injuries and 13 deaths related to Takata airbags, starting in about 1998.
    - In the Spring of 2013, recalls were issued. Not small recalls either, like 3.6 million cars.
    - In June 2014, Takata admitted that their Mexican subsidiary mishandled "the manufacture of explosive propellants" used in their airbags.
    - Later in June 2014, BMW, Chrysler, Ford, Honda, Mazda, Nissan, and Toyota all announced recalls. The reason? Takata airbags "could rupture and send debris flying inside the vehicle".

    Let's stop for a second... What do you call something that uses an explosive propellant to launch a projectile (or "debris")? It's called a gun.

    In July 2014, a pregnant Malaysian woman was killed. A metal fragment sliced into her neck (she was going 18 MPH).

    -----INSERT MANY STORIES HERE-----

    Late last year, Janett Perez, a U.S. citizen in Mexico, was killed when a Takata airbag shot a metallic fragment into her neck too. Another car accidentally backed into her.

    Today, millions of Takata ticking timebombs are still on the road. More than 30 car manufacturers have been affected, and the NHTSA ordered an (ongoing) US-wide recall of more than 42 million cars (the largest automotive recall in U.S. history). Worldwide, the estimated size of the recall is roughly 100 million cars.

    So what does this have to do with information security? Lots actually! The parallels include consumer ignorance, manufacturer negligence, regulatory ineffectiveness, and more. As we integrate technology more and more into our physical world, the parallels become even more frightening.

    Let's have a truthful (and downright scary) talk about this shit tonight! Join us LIVE @10pm CDT, August 26th. Evan, Ryan, and Chris are sure to have one helluva discussion about this!

    Episode Fifty-Nine - The times they are a-changing but are we? (Part 2)

    Dec 10, 2021, 123:30


    Last week we took some time away to do some of the things we love: Chris went to DefCon to taste whiskey with folks, Evan took his beard and bike to Sturgis to make memories, one of his most favorite things to do, and I took some time to visit with my wife and dog. As I was reflecting on all the things that had happened in just a week's time, it dawned on me we are at the beginning of a new era as a society and as an industry, and even as I type this my news feed is full of new discoveries, new legislation, new science and change on a global scale that at times is hard to comprehend. The scope and scale of work in front of us is daunting; old thinking and old methods must go, we must get creative, we must innovate, we must simplify. What used to work is no longer working, what used to be acceptable is no longer acceptable, what used to be enough is no longer enough. We now must embrace these changes head on and take a whole new approach to a new world, especially in our industry.

    Tonight, we will discuss some of the changes that have happened that affect our industry, and pontificate on what we need to change to adapt and adjust to this new world.

    Episode Fifty-Eight - The times they are a-changing but are we?

    Dec 2, 2021, 123:06


    Last week we took some time away to do some of the things we love: Chris went to DefCon to taste whiskey with folks, Evan took his beard and bike to Sturgis to make memories, one of his most favorite things to do, and I took some time to visit with my wife and dog. As I was reflecting on all the things that had happened in just a week's time, it dawned on me we are at the beginning of a new era as a society and as an industry, and even as I type this my news feed is full of new discoveries, new legislation, new science and change on a global scale that at times is hard to comprehend. The scope and scale of work in front of us is daunting; old thinking and old methods must go, we must get creative, we must innovate, we must simplify. What used to work is no longer working, what used to be acceptable is no longer acceptable, what used to be enough is no longer enough. We now must embrace these changes head on and take a whole new approach to a new world, especially in our industry.

    Tonight, we will discuss some of the changes that have happened that affect our industry, and pontificate on what we need to change to adapt and adjust to this new world.

    Episode Fifty-Seven - Hey CISO, You Can't Win

    Dec 2, 2021, 107:11


    DAY ONE

    CONGRATULATIONS! You've made it to the top. You're the CHIEF! CHIEF INFORMATION SECURITY OFFICER, the CISO. Sounds pretty damn good! It feels pretty damn good too! I AM THE CISO!!! YAY ME!!!

    SOMEWHERE BETWEEN DAY TWO AND NINETY

    I'm (still) grateful to be the CISO. I get paid to make a difference, and it's great to be in a position where I can! It's a lot of work though. Like A LOT of work. It didn't seem so hard from the outside. Maybe I'm just not doing it right. Or, you know what? I'm still adjusting. Yep, that's it! Still adjusting. This will be great! Now that I think about it, it's sort of lonely here at the top too. Oh well, whatever. Remember, I'm adjusting and I'M CISO!

    SOMEWHERE BETWEEN DAY NINETY AND WHAT SEEMS LIKE ETERNITY

    Wow. Now I realize that it's lonely at the top, AND the wind blows the strongest at the top of the mountain! Between the unrealistic expectations of the "business", lack of collaboration with other executives (namely the CEO), preaching the same shit every day, the politics, and very limited resources, I'm starting to miss the good old days. WAIT?! What am I saying?! I'm the damn CISO! I'm the top dog, and this is awesome! Now I need to figure out how to tell my wife I'm going to be late again tonight...

    IF YOU'VE BEEN PAYING ATTENTION...

    You may have noticed that you're playing a game that you CANNOT win. You are being held accountable for things you're not empowered to control. Everybody looks at you when you know they should be looking at themselves. That damn head of research and his damned grants! There's no way in hell I'm going to get him to use MFA on the data repository. Bill in sales is a real turd too! Just because he brings in millions of dollars of business, it shouldn't exempt him from following the rules! He's putting the business at risk!!! Crap, and what about Sally, the head of the London office? She keeps playing the politics card with me and I don't have the same kind of pull she does.

    My budget keeps getting cut, I feel like I'm losing the respect of my peers, and I always feel like I should be leading my team better. Speaking of my "team", I'm running at 40% staffing level right now! THIS IS HARD! To top it all off, I'm not sleeping very well, my wife is distant (and usually pissed at me), and I have no time to take the new boat out.

    THAT'S IT!!! I CAN'T WIN!!!

    Oh this sucks! Now what? I've got two kids in college, a big house payment, this nice car I've got to pay for, and this fricken boat I never get to use! I can't quit! What will happen with everything I worked so hard for? Shit. I'll just go with the flow and try not to make waves anymore. That "change" I was so excited about at the beginning? Yeah, screw it. I'll just play the game to lose.

    Episode Fifty-Six - You Got Breached, Congratulations

    Oct 27, 2021, 84:50


    You Got Breached.
    Congratulations.
    You're NOT a special snowflake
    You can't go round pouting
    You don't need to find anyone to blame
    No, the Russians probably didn't do it
    No, I don't need tagging in the post
    Yes, likely you DO need to change some things
    No, you probably couldn't have stopped it
    Yes, you could have likely detected it sooner
    Yes, you could probably have remediated it faster
    No, don't you DARE blame the users!
    No, your annual training for 30 mins isn't effective (it sucks)
    Yes, you can recover from it (hopefully)
    No, it won't kill you JUST yet, wait a few more years though…
    More budget? Stop whining and spend what you have wisely
    Yes, it means you have to roll up your sleeves
    Yes, interns or apprentices can help remediate this
    Yes, get off your ass, it got pwned, get over it
    No, you're still NOT a special snowflake.
    Congratulations.
    You're JUST like all the other breaches
    You can sit down and plan
    You should go look in the mirror
    You likely did it to yourself, we'll get to that.
    Yes, you can reach out for help and advice
    NO, you don't need to buy everyone's cyber-crap
    NO, everyone's cyber-crap isn't going to stop it either
    YES, it would be good to know what you actually have
    YES, it would be great to know WHERE your data IS
    Yep, IF you can track it back, it probably starts on a user's machine
    Yes, ongoing education HELPS (doesn't fix, but helps)
    Yes, you can recover from it (get the basics in order)
    Yes, we are working on hacking the chips in humans, fun eh?
    Nope, don't expect more money, so work smarter
    Yes, it means you can now get your house in order, good!
    Yes, you can probably justify headcount but save $$ and get folk TO train
    Yea, it sucks, sorry, but it's the way of the new world.
    And no, you're not special, you CAN however be a good example.

    Get the basics sorted out BEFORE your ass is delivered TO you on a silver platter:
    * Assets, what do you have?
    * Assets, where are they?
    * Who's got access to them, and why?
    * What DO they do, what is their purpose?
    * What's on them?
    * Which ones do you need to care about?

    Got it? Good, now go get a cuppa tea or coffee and go deal with it…. I'm going to go make breakfast.

    'all for now
    Chris

    Episode Fifty-Five - To code scan or not to code scan that is the question

    Oct 25, 2021, 75:45


    You'll have to listen to find out. Actually, we forgot to write the show notes for this episode. Cut us some slack though, this is the Security Shit Show!

    Episode Fifty-Four - It's Just Urine

    Oct 25, 2021, 142:25


    We all piss. We drink shit (not literally), the shit finds its way to the kidney (I only have one left), and eventually to the prostate (if you're genetically male), and out through the wanker. Pretty standard stuff. At the end, you get urine (hopefully). That's it.

    So, why the !%@$# pissing contest?! What's there to contest?
    Is your pee yellower?
    Is your stream stronger?
    Did you hit the bowl this time?
    Why are you so *!@& proud of yourself?

    The fact of the matter is, we engage in pissing contests way too much in this industry, and it's a COMPLETE waste of time. They serve nothing but the selfish, destructive ego.

    Let's go through two examples from this week, and see where it goes from there. In example #1, it's the classic establish-dominance-right-out-of-the-gate maneuver, "Well, let me give you a scenario...". Example #2 was straight up intimidation of a colleague with less experience and confidence. The pissing contestant went with the "Well, let me stop you right there..." move. At the end of both examples, we DID make new friends, but not until we established that we don't give two shits about ego. Let's solve some damn problems!

    I'm sure we'll come up with some more good examples during the show!

    Episode Fifty-Three - Let's Play 20 Questions (for vendors)

    Sep 9, 2021, 133:06


    Vendor Questions! On tonight's YouTube #shitshow we're going to discuss what to ask the vendors as they line up to take your annual budget.... Think of this as OUR version of 20 questions. Join Ryan Cloutier, CISSP, Evan Francen, Rachel Arnold, and me, as we work through things to contemplate, cogitate, consider, AND use as you sort for that elusive needle IN the thicket we call the "right" InfoSec vendor in the ever increasingly convoluted and complex landscape.

    Somewhere in among the twenty questions we WILL likely have the following:
    - Where's my data?
    - What IS the airspeed velocity of a swallow?
    - How do YOU train your staff?
    - What IS the meaning of life?
    - Explain how YOU use 2FA/MFA
    - Do you feel lucky?
    - What's a polymorphic trojan, AND why is there one in your code?
    - Is it safe?
    - What's your plan for the end of the world?
    - Who ya gonna call (when it breaks)?
    - Define protection?
    - Where's your decoder ring for the acronyms?
    - Who's accountable when it breaks?
    - Etc.

    Join us THIS evening (Thursday 21:00 mountain time) as we (try) to piece together 20 USEFUL questions you can ask the next vendor that makes it past the front receptionist AND their trap doors…

    BONUS: How to, and where to hide the body if the vendor in question prefixes each response with "That's a really good question Chris, let me…"

    SIGN-UP NOW! And receive spam for life free* (Postage not included)

    CLICK THE LIKE!! And we'll track the click AND enter you into a free draw to win stickers! (This one we can do, we HAZ stickers, DM me if you want some!!)

    Episode Fifty-Two - The Addiction is Real

    Sep 6, 2021, 122:46


    Picture by Nerea Sesma Perez

    Looking back at the history of modern technology, it's incredible how far we've come in such a short period of time. Parents remember life without a cell phone, while kids were born with them as part of their DNA (practically). Parents struggle to keep up, kids can't wait for the next thing.

    Social Media:
    5.22 billion unique mobile device users.
    4.20 billion social media users.
    +1.0% (population growth), +1.8% (mobile user growth), +7.3% (Internet user growth), and +13.2% (active social media user growth) - All annual.
    2.32 billion active monthly Facebook users.
    2.5 hours per day spent on social networks and messaging (on average).
    Most popular social platforms (in order): Facebook, YouTube, WhatsApp, FB Messenger, Instagram, Weixin/WeChat, TikTok, QQ, Douyin, Sina Weibo, Telegram, Snapchat, Kuaishou, Pinterest, Reddit, Twitter, and Quora.

    Devices:
    Average number of connected devices per household in 2020 (worldwide): 10
    The smart home market will grow by $54 billion by 2022.
    IoT data volume is expected to grow to nearly 79.4 zettabytes by 2025.
    Worldwide network device ownership will be 3.6 per person in 2023.

    All this comes with a price. What is the price and how will we pay for it? We've adopted technology so fast, MUCH faster than our ability to use it responsibly and MUCH faster than our ability to secure it. Where are we? How did we get here? Are we OK with where we're at, or are we heading for disaster?

    Good luck taking the phone out of your kid's hands! Look down at your own.

    This will be a great Shit Show! Join myself (Evan), Chris, and Ryan LIVE at 2200CST right here.

    Episode Fifty-One - Honey! The Neighbors are Watching us Again!

    Aug 2, 2021, 144:06


    At least in years past we could spot the neighbors as they tried to hide behind the shrubs in the garden, the curtains in the house, or ducked down below the fence line that separated each of our little slices of the American Dream.... These days, however, things are a little more subtle (if the neighbors have been paying attention to the InfoSec world for more than 5 minutes...)

    Long gone are the days of just borrowing the neighbors' wireless to launch an attack against the NSA through their cable provider (although it IS fun to see the black Suburban roll up occasionally to their doorstep when you're feeling mischievous..)

    Today's targets for neighborhood "watching" vary across an entire spectrum of fun and games... I still feel slightly guilty about the 50-gallon barrel of lube my neighbors have, but "Hey Siri..." we just have to have some fun.... I DO enjoy making their microwave go off in the middle of the night, although they've replaced it a few times now, and the electrician doesn't use Google Maps anymore to find them... amazing just how far away those WEMO plugs can be controlled from.

    Now, thankfully Xfinity allows themselves to provide "free" WiFi to anyone with account credentials, so it IS still possible to get directly TO their router (you'd think folks would update the things.... but no) and given I've got around 1,335,000 Xfinity account ID/Passwords I'm set for a LONG time before I must leave my own fingerprints...

    Oh, speaking of fingerprints, confession time... one of the neighbors has a RING doorbell, oh how we laughed when we changed out the screws during install and just last week got the doorbell to short circuit and burn ½ the place down... shame the fire alarms didn't work, someone should REALLY unblock NEST's fire alarms from the firewall and allow them to do their job. The video of the owners yelling "Hey Google FFS call the fire brigade" will be posted on YouTube later (thanks Arlo for the default account credentials...)

    Oh, while we're on the subject of the recently deceased, I guess playing Poltergeist on the other neighbors' Roku device and having it display on all their nice Samsung IoT-enabled TVs is probably a mean thing to do... although it does make for entertainment as we might have also hooked up their Philips Hue to pulse at the same frequency as the TV... I guess that's why they seem a little nervous these days.

    Oh, and we won't mention the fun we had with the Tesla and some bright spark in the neighborhood thinking they could geofence the car into opening/closing the garage as they came home... Watching the garage door rapidly open and close AS the car tried to get in, watching Grandma eat dinner with her falsies... Speaking of that, I need to go mess with dear old Grandma's IoT toothbrush, I think tonight we'll set it for "killer mode" and see if it can chase her round the bathroom again...

    We haven't even gotten to the fun part watching the cute couple across the road react as their adult toys came to life in the middle of a webinar and started to inch across the desk... now THAT was fun to record… got to LOVE Bluetooth enabled things.

    You get the idea; the neighborhood is SO much more fun these days.... Join us tonight as we talk through the evolution of the nosey neighbor :)

    Episode Fifty - Shit Show in the Woods

    Jun 29, 2021, 122:56


    For the first time, the Security Shit Show hits the road for an in person event. Chris, Evan, and Ryan are heading down to the woods of Nebraska for the weekend. The first night we're there, we do the show.We're not really sure what to expect, but we're pretty sure there will be some information security stuff, some shit, and some whiskey.

    Episode Forty-Nine - Sorry to disturb you...

    Jun 28, 2021, 132:12


    Sorry to Disturb You...
    · But your front door's open...
    · Your flies are undone...
    · I found your kid wandering on the street...
    · But I think you dropped your wallet...

    All things many of us have said, done, acted upon OR been the recipient of over our years, and all of them taken in the spirit of the manner delivered, graciously, often with relief and a huge thanks to whomever delivered the news.

    HOWEVER, in the digital realm...
    · I do say, you appear to have an open port on the Internet...
    · Um, your application has a hole in it...
    · We found your data lost and confused....
    · I think you might have a hole in your cloud...

    SOME of us have tried to have these conversations with companies, individuals, and entities out in the digital realm and have been met with a variety of responses ranging from thanks AND relief, to accusation, lawyers, silence, or the Feds arriving on the doorstep, etc.

    Somehow, in the physical realm when we point out your mistakes, flaws and general numptiness you are happy to receive the feedback, yet in the digital realm when we do the same it's as if we called your baby "robust with a face only a mother could love."

    What gives? How DO we give you YOUR data BACK in the digital realm without all this grief? I mean, it's NOT as if you realized it was gone, OR that chocolate fireguard you were sold would have slowed us down anyhow IF we did want it!

    Things to ponder on and discuss this coming Thursday on the Shit Show with Evan, Ryan, and Chris.

    'all for now
    Chris

    Episode Forty-Eight - Jeopardy v2 (Take #2)

    Jun 26, 2021, 145:05


    Well, we are going to try this again. Episode #47 went a different direction, so tonight we are going to try Jeopardy again. It's time to play some Security Shit Show Jeopardy again. Hell yeah! I will be your host, Ryan Trebek. One game, one Cham Peon. Like v1, we'll pick three contestants from our live audience to play our version of Jeopardy. Winner gets some bragging rights and a Security Shit Show T-shirt (that I'll forget to send you).

    YOU THINK YOU'VE GOT WHAT IT TAKES?! COME PROVE IT!

    Episode Forty-Seven - Episode #47 - Jeopardy v2 (and other interesting things...)

    Jun 25, 2021, 145:11


    Originally we were planning to play another round of Security Shit Show Jeopardy, but things went weird off the bat. We just talked about stuff, really. Got honest about things. Hell, this is the Security Shit Show! What did you expect?!

    Episode Forty-Six - Lawnmower Man

    May 13, 2021, 133:36


    My Retirement Plan…
    Is to head to New Zealand…
    Somewhere nice and remote…
    With good power (or a wind farm, etc.)
    Good internet (terrestrial and satellite)
    AND a nice AS/400 to live in

    If I have my way, and I think we'll get there before I go too much more senile given the work being done on untangling some of the inner workings of the brain, I should be at a point where not only can my current intelligent system recognize when I want a cuppa tea, but it can also figure out why, and likely decide what options to present me, etc. Already it knows where I'm at, IF I'm thinking of him, and what settings to set the screen to based on several factors that my brain apparently is telling it without letting me know.

    If I can help push the boundaries of what we're working on, I've every confidence that a digital version of me will be coursing around the Interwebs before I'm pushing up daisies. Which brings a WHOLE heap of questions.
    What makes us human?
    Are we just quarks and binding energy?
    Is there really something else to this?
    Can we be broken down into pulses?
    Where ARE the limits (or are there any?)

    Just one retirement plan, what else is there out there? Let's discuss this and where else humanity IS heading as it does handstands on the edge of the existence cliff…

    So, as nicely as I can say it, screw y'all, I'm going to hang out in my self-sustaining AS/400 and watch things unfold AND if it looks really dodgy I'm going to work out a way to simply fire my digital self into space as a set of waves and see what the hell happens… Lawnmower Man, here we come!

    'all for now
    Chris

    Episode Forty-Five - Dolla Dolla Bill Y'all

    May 12, 2021 (130:26)


    Money!! It makes the world go round, we need it, we want it, and when it comes to money for our security program we fight for it, but are we spending it wisely?
    - Will it have the impact on our security program we hoped it would?
    - Did we spend too much or not enough?
    - How much money is enough?
    - What the hell should I be spending it on that will make the biggest impact?

    Is it wiser to invest in your people and the fundamentals or to invest in state-of-the-art laser cats with predictive AI powers? What is the right level of budget for your organization, and how will you show improvements to the organizational security posture against the spend on the security program?

    Vendors love money, and the love of money is the root of all evil.
    - How do you know if your vendor is predatory?
    - Does the product or service do what they claim?
    - Will you need to increase headcount to accommodate the tool or service?
    - Could you get a better deal on this tool or service?
    - Do I even need this tool in my portfolio, or is there an existing tool that I can leverage better?

    All this and more, on the Security Shit Show. Join Chris Roberts, Evan Francen and myself for what should be a very lively discussion. On YouTube Thursday night at 9pm MTN / 10 PM Central time.
    - Ryan Cloutier

    Episode Forty-Four - Am I Crazy?

    May 7, 2021 (137:56)


    What the hell is going on?! It feels like the world has lost its mind. Everywhere I look (out there), it's chaos.
    Hypocrisy running rampant.
    Virtue signaling is a "thing", gotta score those popularity points.
    Cancel culture? This is a thing now, maybe, maybe not?
    Politicians preach nonsense, openly lying and manipulating.
    Big societal problems left unsolved, with no (unbiased) solutions.
    Black kids shot (accidental or not, the result is the same) on the streets.
    Cities burning, and we're burning them.
    People hurting (deeply), and we're not helping them.
    Vaccinate! Wait, maybe not. If you do, maybe you'll die?
    Accountability, what the hell is that?
    On, and on.
    The bath water is dirty. Who cares about the baby.

    People spew shit out of their mouths that doesn't make any sense. Nobody speaks up. Worse yet, yahoos sell their souls to support bullshit, because it's better to be in the "in" crowd. Who the hell is the "in" crowd anyway?

    This shit IS NOT computing. Not in this brain anyway. Everyone's lost their minds! Not "everyone" everyone, but everyone out there.

    WAIT A SECOND. It clicks. Didn't my Dad say something about this once? Son, if everyone's an asshole, you're the asshole.

    So, does this mean, if everyone's crazy, I'm the one who's crazy?! Dammit! Now, I have some reflection to do. The journey down the rabbit hole begins...

    What does this have to do with information security? Simple. Everything.

    The hypocrites, the virtue signalers, the cancellers, the politicians, the "illegals", the Blacks, the Whites, the Hispanics, the people who live in our cities, the people who live in our suburbs, the people who are hurting, the people who vaccinate, the people who don't vaccinate, the Liberals, the Conservatives, and everyone in between, is ALSO my co-worker, my relative, my partner, my customer, my friend, my employee, and my fellow human being.

    I may run in my circles, just like you run in yours, but my job is to protect EVERYONE, regardless of who you are, where you come from, what you believe, or what you're struggling with. Knowing that information security isn't about information or security as much as it is about people makes people my focus. Not just the people I like and agree with.

    This is deep, but sometimes we have to dig deep to find out who we really are and what we're really doing here.

    Looking forward to talking this shit out with my AWESOME friends, Ryan Cloutier and Chris Roberts! Catch us this week LIVE at 10pm/2200 CDT on the YouTube. (And yes, I am crazy, but a functional crazy.)

    Sorry maybe, but this is me.
    -Evan

    Episode Forty-Three - Killed My Grandma (updated)...

    Apr 16, 2021 (145:41)


    NOTE: #ShitShow topic, NOT my Grandma in Real Life, before anyone gets worried!

    Annually, there are anywhere from 22,000 to 250,000 cases of death in the medical field that really should NOT have happened.

    Firstly, I'm glad the medical field has as many problems as we do in counting how many people they harmed. InfoSec has no REAL idea as to the implications of our actions beyond “Hey, Look! More data's out there…” At least in the medical field there's bodies to count.

    The question then is how do you categorize death? IF they were sick before they came TO hospital, does that count as malpractice, or “accelerated natural causes”? You get the idea, it's apparently rather subjective…

    These two fields are coming together on something akin to a collision course of a planet-sized scale. Technology in/on/around the body (smart pills, nanotechnology, biotechnology, telemedicine, etc.) is making serious inroads into “us” the human. Analog humans ARE becoming part OF the digital realm.

    We need a LOT more forethought before medical malpractice adds another tick box marked “CAUSE OF DEATH… Kernel Panic”.

    So, join Ryan Cloutier, CISSP, Evan Francen and the crew tonight on the Shit Show to discuss…

    Episode Forty-One - Security Shit Show Jeopardy!

    Mar 29, 2021 (131:26)


    Security Shit Show and Jeopardy

    Yep, this shit's happening! For the first time, we're going to host the Jeopardy game show, Security Shit Show style.

    The topics?
    Come on. You think we plan that far ahead? We don't know yet. It's the Security Shit Show! We'll figure it out when the time is right.

    Participants?
    You and us. We'll pull folks from the live stream chat. Then we'll find out how much shit they know about some shit. The champ stays, chumps go back and sit down.

    Any other questions?
    Save 'em for the show. If we like your question, we'll answer it. If we don't, we'll probably ignore it.

    I'm the game show host (Evan), while Chris and Ryan will heckle you. Tune in, this will be a good time! (Or it could suck, but that's unlikely.)

    Episode Forty - Simplify, then add lightness…

    Mar 23, 2021 (130:11)


    The late Colin Chapman, founder of Lotus, eschewed the pursuit of horsepower in favor of lightness combined with better handling across his road and race vehicles. That courage to buck the trend resulted in numerous accolades on both sides of the Atlantic. It is that ethos our industry should once again embrace.

    Simplify: The interfaces, the barriers to entry, the integration, deployment and overall management of the plethora of technology we eagerly buy, deploy, and then complain about.

    Lightness: Adding power is great if you are going in a straight line; however, leave the power alone, remove the complexity and unnecessary features (the rule of 90%), and reduce the amount of time you have to fettle over the technology.

    How well do your tools integrate?
    How much unnecessary overlap do you have?
    How much of that tool do you REALLY use?
    How many hands does it take to run?
    Do you maintain it?
    Etc.

    Start measuring vendors, technologies and PEOPLE by how well they help you simplify, then that should add some lightness across the board.

    Join Evan Francen, Ryan Cloutier, Rachel Arnold and I as we unpack this tonight on the Shit Show…

    'all for now
    Chris

    Episode Thirty-Nine - The Tool Fool - Part 2

    Mar 18, 2021 (139:31)


    THIS IS PART TWO - CONTINUATION FROM EPISODE 38

    A fool is a person who acts unwisely or imprudently. A Tool Fool is someone who unwisely or imprudently loves tools. They don't necessarily love the tools they have; they just love tools. The more tools, the better.

    Don't be offended. We're all fools from time to time. When it comes to our information security, we do the best we know how. We don't intentionally act the fool, but when it comes to our tools, too many of us ARE the fool.

    Don't be the Tool Fool!

    Here are 10 things about the Tool Fool:
    1. Brags about their tools, but they don't know how to use them.
    2. Brags about a big budget, but they can't justify it.
    3. Thinks “tool first” instead of “needs first”.
    4. Thinks tools fix process.
    5. Thinks tools make problems easier to solve.
    6. Likes easy but confuses “easy” with “simple”.
    7. Has tools they don't know they have.
    8. Advocates for tools because fools like company.
    9. Oblivious to their most significant risks.
    10. Knows how to use some of their tools but won't use them well*.

    The Tool Fool costs the organization more than they know. Tool Fools waste money on tools they don't need, don't understand, and/or can't use. The Tool Fool can convince themselves that their tools will keep them secure when the opposite is true. Worse yet, the Tool Fool's work has convinced management of the same.

    The Tool Fool has a false sense of security. The Tool Fool makes security worse.

    The Tool Fool is the topic for this Thursday's (3/4) Security Shit Show with Chris, Evan, and Ryan. Be sure to catch the show LIVE on YouTube at 10pm/2200 CST!

    *This is relevant to a dialog between Senator Wyden (D-OR) and witnesses (Kevin Mandia, Sudhakar Ramakrishna, Brad Smith, and George Kurtz) in the recent open hearing, “Hearing on the Hack of U.S. Networks by a Foreign Adversary” before the U.S. Senate Intelligence Committee (2/23). This particular exchange happens at 1:22:08 in the recording here: https://www.intelligence.senate.gov/hearings/open-hearing-hearing-hack-us-networks-foreign-adversary, and has been transcribed here: https://evanfrancen.com/unsecurity-episode-121-show-notes/

    Episode Thirty-Eight - The Tool Fool

    Mar 15, 2021 (62:01)


    A fool is a person who acts unwisely or imprudently. A Tool Fool is someone who unwisely or imprudently loves tools. They don't necessarily love the tools they have; they just love tools. The more tools, the better.

    Don't be offended. We're all fools from time to time. When it comes to our information security, we do the best we know how. We don't intentionally act the fool, but when it comes to our tools, too many of us ARE the fool.

    Don't be the Tool Fool!

    Here are 10 things about the Tool Fool:
    1. Brags about their tools, but they don't know how to use them.
    2. Brags about a big budget, but they can't justify it.
    3. Thinks “tool first” instead of “needs first”.
    4. Thinks tools fix process.
    5. Thinks tools make problems easier to solve.
    6. Likes easy but confuses “easy” with “simple”.
    7. Has tools they don't know they have.
    8. Advocates for tools because fools like company.
    9. Oblivious to their most significant risks.
    10. Knows how to use some of their tools but won't use them well*.

    The Tool Fool costs the organization more than they know. Tool Fools waste money on tools they don't need, don't understand, and/or can't use. The Tool Fool can convince themselves that their tools will keep them secure when the opposite is true. Worse yet, the Tool Fool's work has convinced management of the same.

    The Tool Fool has a false sense of security. The Tool Fool makes security worse.

    The Tool Fool is the topic for this Thursday's (3/4) Security Shit Show with Chris, Evan, and Ryan. Be sure to catch the show LIVE on YouTube at 10pm/2200 CST!

    *This is relevant to a dialog between Senator Wyden (D-OR) and witnesses (Kevin Mandia, Sudhakar Ramakrishna, Brad Smith, and George Kurtz) in the recent open hearing, “Hearing on the Hack of U.S. Networks by a Foreign Adversary” before the U.S. Senate Intelligence Committee (2/23). This particular exchange happens at 1:22:08 in the recording here: https://www.intelligence.senate.gov/hearings/open-hearing-hearing-hack-us-networks-foreign-adversary, and has been transcribed here: https://evanfrancen.com/unsecurity-episode-121-show-notes/

    Episode Thirty-Seven - It's Time...

    Mar 2, 2021 (133:06)


    That resource we want more of, or less of, the one we want to slow down, speed up, thank, curse, monitor, measure, ignore and obey. All often within the span of the same day. The very resource we so often run our lives by, yet waste at every turn. It too, like our digital world, is a more abstract concept than the tactile analog world we live in. It too can be captured and tamed for fleeting moments in devices, yet like its digital cousin we think we control it, but we are nothing more than custodians of the memories it leaves behind.

    We are not good with time; we've had 6,000 years or so to get used to the idea of its passing and the consequences. We used to track it by the moon; nowadays we are ruled by atoms that are accurate to a millisecond every decade.

    So, why should we care?
    We waste so much of it.
    We allow others to dictate our use of it.
    Our very existence is tyrannized by it.

    We have watched the convergence of our digital world and that of time, and realized the very objects meant to save us are doing nothing more than sucking more and more time from us.

    Like our digital world, we need to be better custodians of time (not that it really cares, as it marches on no matter what we do), but for our own sanity, stand up, be accountable to time itself.

    Join us for a conversation around time….

    Episode Thirty-Six - Timmy is in the well... Nope, that's sodium hydroxide!

    Feb 24, 2021 (99:06)


    This week we saw an attack against a city water system, in an attempt to poison the drinking water. Many of us have been warning about this for years.

    How did this happen? It must have been the work of sophisticated nation state attackers; it has to be hard to hack a water treatment plant because, you know, people could die if that happened. The people in charge must take extra precautions, and have really good security practices in place to keep our drinking water safe. They must have been unable to prevent or avoid this attack.

    These are all things that we hope would be true; unfortunately the reality of what actually happened is far more disturbing. (Channeling my inner security Yoda) Sophisticated this attack was not, difficult to pull off was it not, prevented could have been, security basics lacking they were, practice good they did not.

    What happened was a multitude of failures in requiring and implementing the most basic and foundational of security controls. We have reached a point in our technology journey as a society that we need to pause for one moment and take stock of the giant mess we have created. We need to figure out what minimum safety standards are needed for critical infrastructure. We need to ask ourselves: should the things that can kill us be connected to the internet in the first place?

    Knowing that the security posture of the affected water treatment plant borders on gross and willful negligence, what should the legal and criminal consequences be for those who made these shit decisions in the first place?

    It's 2021 and computers can kill you, so let's act accordingly. We will be discussing this and more tonight on the Security Shit Show. Join us for what is guaranteed to be a lively discussion, and you never know, Chris may do some show and tell as well.

    Episode Thirty-Five - The root of all information security industry problems

    Feb 15, 2021 (144:01)


    Here's a question for you: What is at the root of all information security industry problems?

    Oh shit! Talk about an ambiguous question. Yes, but who said ambiguous questions are bad? Alright, let's break this down then.

    First, the question assumes there are "problems". Are there? We think so, but...
    - ~942,000 people in the U.S. are gainfully employed in this industry, and most of us are getting paid pretty well. Good paying jobs doesn't seem like a problem to me.
    - Worldwide, the cybersecurity market is valued at $173B. Seems the people selling shit are doing alright, no problem here.
    - Global "cybercrime" losses for 2020 were estimated to be $945B. The crooks DEFINITELY aren't experiencing any problems either!

    So, where are the problems then? Simple, look for the people who suffer, the victims. They're the ones who get the short end of the stick. They feel the brunt (or symptoms) of the problems. They lose money, they lose businesses, they lose income, they lose peace of mind, they lose time, they lose productivity, they lose their privacy, they lose their innocence (especially kids), and they lose life.

    So, yeah. There are problems! One group clearly takes advantage of the other. We'll call them "Profiteers" and "Victims". There's one more group. There's a group of us who are trying to protect Victims from the Profiteers. We stand in the void.
    - Profiteers: Cybersecurity practitioners who don't serve the (potential) victims, companies hocking products that don't serve the (potential) victims, and the crooks who steal outright.
    - Us: Practitioners who stand in between, serving (potential) victims.
    - Victims: Governments, companies, non-profits, schools, everyday people (grandparents, parents, kids, etc.)

    OK, so we've got problems. The masses become victims and feel the result(s) of the problems, the symptoms. Oh shit! The rabbit hole goes deeper.

    We'll stop here, before things get too out of hand. We need to save some shit for the Shit Show. Chris, Ryan, and I will take it from here. Maybe we'll get far enough down the rabbit hole, and deep enough into the shit, to find some semblance of the "root of all information security industry problems". Regardless of how far we make it, it should be entertaining!

    Episode Thirty-Four - From the Sublime to the Ridiculous

    Feb 3, 2021 (119:11)


    There's been a lot of hand wringing these last few weeks as ALL sorts of folks have woken up to, realized, or started to question their online presence. Their digital world has crumbled around them as they've realized not only don't they own anything they commit to the keyboard, but whatever they do is controlled by someone else.

    Congratulations, you are no longer the master (or mistress) of your own destiny, welcome to the digital world, please get in a queue like a good subservient population and toe the line or else.

    No?

    Then please leave. Leave the digital world behind, after all WE still have all that you were while you WERE here…

    But, you can't, can you? Someone somewhere HAS a digital record of you, it's out of your control, welcome back peasant.

    What IF you could be YOU on a digital medium? How DO you secure AND use it, yet ensure that nobody keeps nicking it? (Stealing, for the colonials here.)

    THIS is the topic of this evening's Security Shit Show with Rachel, Ryan, Evan and I.

    IS it possible?
    Does it mandate lead lined boxes?
    Will there be volcanoes?
    IS Cerberus with us?
    Will hiding it under the mattress work?
    OR are we screwed and should simply give it all up as a bad job?

    Episode Thirty-Three - End Cyber Risk. Selling the Pipe Dream.

    Jan 28, 2021 (146:11)


    Recently a well known cybersecurity company made a very bold claim that they can end cyber risk!

    This begs the question: can you end cyber risk? What would it take to end all cyber risk? Is it even possible to end cyber risk? What if you put the phone in the chipper shredder, throw the laptop into a crucible and melt it to bits, will that help? How deep does the digital rabbit hole go? Is there any escape from cyber risk? Can you go off grid or will the grid follow you? If you do go off grid, does that impact how much you care about your digital life? Does being off grid affect your cyber risk exposure?

    Or is it all just a pipe dream? Are vendors selling pipe dreams and not solutions? Or are they just smoking some funny stuff that makes them think this behavior is OK?
