Privacy Please
Welcome to "Privacy Please," a podcast for anyone who wants to know more about data privacy and security. Join your hosts Cam and Gabe as they talk to experts, academics, authors, and activists to break down complex privacy topics in a way that's easy to understand.
In today's connected world, our personal information is constantly being collected, analyzed, and sometimes exploited. We believe everyone has a right to understand how their data is being used and what they can do to protect their privacy.
Please subscribe and help us reach more people!
S6, E252 - Who Really Owns Your Digital Self?
Digital privacy is under siege from all sides, and we're bringing you the latest developments along with a major announcement about our growing privacy-focused network.
This week has seen a flood of significant data breaches across critical sectors. Air France-KLM and Workday experienced major incidents, with the latter connected to a broader campaign targeting Salesforce CRM systems. These breaches highlight the vulnerability of systems storing vast amounts of customer data and raise serious questions about the security of our critical infrastructure. As we discuss these events, we examine the ripple effects they create and what organizations should be doing differently.
The question of who truly owns your digital identity emerges as a central theme in our conversation. Most people don't realize that when using third-party authentication providers like Google or Facebook, they're surrendering control of their identity. Every "Login with Facebook" click allows these companies to track when and where that identity is used across the digital landscape. We explore self-sovereign identity as an alternative approach, where individuals control their own verification infrastructure rather than relying on tech giants.
We also tackle the paradox at the heart of data minimization efforts. For years, companies have been told that "data is the new oil" or "currency," yet are now expected to minimize collection. This contradiction makes implementing privacy principles challenging. As we put it: "You told me I'm sitting on gold, and now you want me to minimize it?"
Beyond these discussions, we share exciting news about our expansion into a network featuring three distinct shows. In addition to Privacy Please, we're launching "Problem Lounge," exploring the messiness of being human in our technology-driven world, and "Decoded," a technical deep-dive with privacy engineer Jake that will explore privacy-enhancing technologies, cookie audits, and the intersection of privacy and AI.
Visit our new website at theproblemlounge.com to learn more about our expanding network and how you can become part of the conversation around privacy in the digital age.
All righty, then. Ladies and gentlemen, welcome back to Privacy Please. Cameron Ivy here hanging out with Gabe Gums. Gabe, what's going on, man? I'm well, brother, how you doing? Oh no, it looked like there was a delay on our recording. So you're you're?
Speaker 2:You froze with your eyes wide. Are you sure I wasn't just sitting there with my eyes?
Speaker 1:That's true. You're kind of looking like Large Marge from, um, Pee-wee Herman, Large Marge. If our listeners don't know who that is, I'm sorry. Well, yeah, you should go check that out. He was a serious bot. That was a great movie. I don't care what anybody says, that's a topic for another time. I think we should talk about. We could talk about that in our show Problem Lounge.
Speaker 2:That's right. Wait Problem Lounge. What show is that?
Speaker 1:What is this? Oh, it's a new show that we're releasing, along with our website and network. Sorry, tell me more. Sure, so it's already live right now. theproblemlounge.com. Right, we have Privacy Please, of course, and our new show, the Problem Lounge, which is all about the messiness of being human and this crazy technology led world and the craziness there is, so that one kind of just is more broad and we kind of just hit on a lot of topics, that about life and technology. A little raw on that one.
Speaker 2:Yeah, a little raw. You can at me on that one. You can at me on that one, let's do it.
Speaker 1:And then we also have another show that we're we're coming out with with. We have going to kind of keep that on DL until three shows. So just get excited because we got a lot coming your way.
Speaker 2:So three shows, one network yes that's right.
Speaker 1:I guess we can kind of give a teaser of the name of that show, or you think we should keep it under wraps? Tease it, tease it, tease it. We got, and we also have a new partner joining us as well. Wait, wait, wait.
Speaker 2:New show, new website, new network, new partner. Mm-hmm, what Dude.
Speaker 1:All of this. This is awesome. Yeah, we got a lot going on, um. So. So one of our good friends, Jake, he's a privacy engineer. He's got his own company as well, Integrated Privacy, um, where he does fractional privacy engineering for companies. We're going to do a third show called Decoded, where it's, you know, where privacy meets clarity, so that one's going to kind of get in the weeds and I'm really excited about that. We're going to get real technical on that show.
Speaker 2:We're going to talk about privacy enhancing technologies. We're going to talk about doing cookie audits. We're going to talk about privacy and AI, how things like prompt injection affect privacy. We're going to get super technical on that show.
Speaker 1:Yeah, I'm really excited about all this. Hopefully you guys are too and uh, yeah, we can't wait. So we're, we're. If you haven't checked out the website, we haven't, it's a soft launch, it's, it's live now. So if you want to go check it out, um, if anybody wants to become a guest, anything like that, we'll have a page dedicated to that, um, and you can reach out to us and we'll, uh, we'll go from there for, um, those conversations and, yeah, just super excited, can't wait, it's going to be hotness.
Speaker 2:I like it, I love it all yeah.
Speaker 1:So, with that being said, Gabe, lots going on. But there's a lot going on this past week, from data breaches hitting major brands to new rules shaping the future online, and there's just a lot to unpack. So let's dive in real quick here. So data breaches, let's talk about that first. Gabe, there were a couple airline and tech giants that were targeted this week. Air France, KLM and Workday were both linked to vulnerabilities and third-party platforms, highlighting the supply chain's critical role in security. So, for Workday, the breach was connected to a broader campaign targeted. They were targeting Salesforce CRM systems. That's pretty huge, that's massive. Salesforce is, I mean, a lot of major companies use that for as their CRM. A lot of everyone uses it, yeah.
Speaker 2:It's small and you know CRM, an acronym for customer relationship management. It, by its very nature, stores a lot of information about customers and interaction, right right.
Speaker 1:And that not only I mean. The problem there is like, think about all the, the outside data. That's not even within their own company. That's like they, if they have a lot of like, you usually use that for leads, for generation, for lead generation, and so you got a lot of who knows what kind of information that they have in that system.
Speaker 2:But I'm sure it's very sensitive it's gotta be concerning that these conversations aren't becoming any lesser for people that are leveraging other platforms to, you know, otherwise, make their lives easy. Right, yeah, there's. There's an expectation, of course, that when you use a platform like Salesforce, given the size and the maturity of the organization and the platform, that you would otherwise be at least somewhat insulated from these problems. But the truth is we can't put it completely on Salesforce's shoulders either. There is inherent risk with using third-party solutions, and that risk is ultimately on the users of those platforms to manage.
Speaker 2:The ones that really concern me are the ones against airlines, and not because I think, oh no, they may bring a plane out of the sky, but there is equally so much more sensitive data. That is in passports, IDs, I mean, it's all there. Travel histories, you name it, it's all. It's just all there, it's all there. I think we would all consider our airlines to be part of our national critical infrastructure, whether you are France or you're the US, mentioning France because it was Air France KLM that was targeted specifically.
Speaker 2:That's infrastructure that we can't, we shouldn't. Just, you know, tell Air France, hey, go do the best you can and you know, let us know like we should be taking an active role as participating members of of society, if you would to, to kind of insist that critical infrastructure is secured in a collective way, in some collective, collectively agreed upon, an auditable way at least. Right, we don't lack security professionals to help weigh in on this topic.
Speaker 1:No, that's a good point. And it seems like the French have been very busy this week because a major telecom was hit as well. I don't know how to pronounce this, but it's Bouygues Telecom. Maybe that's right, they're a French provider. They were exposed to personal data of 6.4 million customers. Just another example of large-scale breach impacting, you know, a large amount of our country's population. Australia had their internet provider. iiNet was another breach this week. Customer, there's no details on on how many customers, but, um, email addresses, phone numbers, things like that were compromised. Uh, you know the simple, like data brokers, dream, dream list, I'm sure. I'm sure, but it seems, I mean, that's a pretty big ripple effect there for sure, on that side of the world.
Speaker 2:I don't know Lots going on with data breaches this week. Yeah, I like the weeks when we don't have about what to do in response to what feels like an uptick, as in who Like what to do as who Just like a consumer.
Speaker 2:No good question, as the organization's being breached is what I'm thinking. Yeah, as consumers. I think consumers need to continue to follow all of those standards and best practices that we talk about on a regular basis. That list is one that we should probably, just now that we have the site live, we should post that information on the site. We will do that. I will make a note to make sure that that happens, because there's certainly things that consumers can do to try and insulate themselves, because you will not protect yourselves completely, but insulate yourself from the impact that these breaches will continue to have.
Speaker 2:But the same is equally true for organizations as well, too. I know there's an ungodly amount of resources out there from, you know, NIST, OAuth, you name it. There's no shortage of organizations that you can look to for assistance. But I think there's still something a little bit more matter of fact missing from the conversation, right? Because, if we're being honest, we've got a ton of security tools, an ungodly number of them, um, and they can block attacks. And you know we've got backup and recovery solutions. They can recover from attacks. So you know, why are breaches still successful? There's some obvious answers to that, right? Like it's like, well, you also have brake pads and you've got seatbelts, but car accidents still happen. And that's a true statement. Humans, humans, humans. That's always where it comes back to. So next week we roll out our recommendations on how to get rid of the problem.
Speaker 1:You get rid of the humans and it's just all AI robots.
Speaker 2:Well, I'm okay with them duking out without me, but there's definitely some conversations here that I think are still missing the larger picture here itself, too. And it's not more solutions, it's not spend more, it's not do more of this, it's more do less of. There's a list of things that we all need to do less of versus the list of things we need to do more of. Yeah, that's, that's what it comes down to yeah, yeah, good, I like that thought, though.
Speaker 1:Um, we can go down a rabbit hole there, but I'm okay with starting with the less humans.
Speaker 2:I'm okay with that. Yeah, I I mean Apologies. If you happen to be a human, let's think of the show.
Speaker 1:The only reason AI is able to progress is because of the humans and the data that it's collecting and using to further become smarter than us.
Speaker 2:I await. Today, if George Carlin is right and we know he is, because the math is the math at least half the population is below average intelligence, because you know average and so you know if we can, if we can work on upping the overall average intelligence around this, I'm OK with that.
Speaker 1:Yeah, you got a good point. Let's transition to AI and privacy around the governance gap. So a lot of the AI is constantly, you know, top of the headlines everywhere every week. It seems it was always about like what can AI do, but now it's like what should it be allowed to do with our data? And I don't know if this is in this section here that we're going to talk about specifically, gabe, but it kind of makes me think about um. I keep hearing more about the ai, um therapy, um topic and how a lot of people are against it, which, which makes sense, like you shouldn't take therapy from from a robot.
Speaker 2:To be fair, people also shouldn't self-medicate with alcohol, but we're not going to go back to banning that, so that's very true as well. I'm of the opinion if you find something that works for you, Correct the operative phrasing. There is those. Does it work for you?
Speaker 1:Yeah, is it actually helping you?
Speaker 2:And helpful is certainly subjective when it comes to a topic like mental health, but if you find something works for you, I'm more into leaning into it than leaning against it, right?
Speaker 1:Well, specifically on AI governance, companies are obviously rushing to integrate generative AI, but they're struggling with the fundamental privacy principles, with data minimization and transparency. So how is personal data being used to train these models, and what new risks does that create?
Speaker 2:I get it. Minimization is a problem. We've told everyone that data is the new oil, Right Like get known.
Speaker 1:Data is currency.
Speaker 2:Data is money.
Speaker 1:We told everyone that.
Speaker 2:Yeah, we said that, and then we're surprised when people don't want to minimize it. It's like wait a second. You just told me I'm sitting on gold, Jerry. Gold, we found gold, found gold. And you want me to minimize my pile of gold. Why would I do? Tell me why I should do that. You've spent the last decade telling me that it's gold. You told me just a minute ago, Cameron, that the reason those companies get hacked is because they're sitting on gold. Now you want me to minimize it.
Speaker 1:It's like telling a pirate that found a frigging you know treasure somewhere that they can't who told you when this is the new age pirates man, yeah pirates are always in love for more booty, not less booty I do love me some pirate booty man. I'm a pirate booty who doesn't. If you don't know, pirate booty is the.
Speaker 2:It's basically just cheese puffs oh, yes, oh that, yeah, yeah, yeah, no, yeah, cheese puffs oh, and and okay, I see where you went.
Speaker 1:All right, yeah, yeah, cheese puffs, cheese puffs. So, um another, uh, decentralized identity. Um, so, let's see, uh, there's a trend around self-sovereign identity, I guess like a future owner of your own identity yeah, yeah, what do you think about that?
Speaker 2:I have started experimenting with it myself at home. So we should talk a little bit about what it is right Self-sovereign identity, self meaning yourself. Sovereign meaning under the governance and control of some entity, in this case that entity being yourself controlling identity. And so today, essentially the argument and it's not an argument is your digital identity isn't really yours, which is to say, when you validate to another entity that you are who you say you are today, you're usually using some third party for that right.
Speaker 2:Think about all of the sites where you use the login with my Apple login, with my Google login, with my blank. In those circumstances, your identity provider are those other people. It's Google, it's blah, blah, blah, it's whatever. And so you don't own that digital identity. No, now you don't even own the username and password that you use to log in, to validate that you own that identity, because the terms of service explicitly say that all of that belongs to. I'm just going to use Google and pick it on Google for no particular reason. Let's make it Apple, because I think that one is also just as ubiquitously found where you know. Log in with your Apple ID Either way, but you don't even own the username and password per se. You're only putting that in as a check to validate that you are allowed to use that digital identity, but it's still not yours. It's still not your digital identity. If you think it's yours, that's part of the problem.
Speaker 2:The you being the royal you. Not just you, Cameron, the royal, all of our voices. If you think that your digital identity belongs to you and you're using a third party service, you would be wrong. Even if you are using your username and password, that is little more than something that you've agreed upon with the owner of your digital identity that they will ask you for when you come to use your digital identity. You put it in, you get a little two-factor action and they're like cool, thanks for proving that you are who you say you are. Now you're welcome to use my digital identity.
Speaker 1:Now you're welcome to use my digital identity?
Speaker 2:Yeah, that masquerades as a view cam.
Speaker 1:Let me throw an analogy your way, because I love analogies. So it's kind of like when we used to have Blu-rays or DVDs or the physical thing and we can buy it and own it. You own it, I actually own it but now you're either paying for a streaming service or you're buying it online. Even when you buy a digital copy of it, you don't actually own it because you don't have it physically in your hand.
Speaker 2:You download that thing and keep it on a hard drive, etc. And for what it's worth, because there are laws around who actually owns even digital media. Even back in the days when you bought a CD, the record companies made an argument that you didn't own it either. You couldn't do anything you wanted with it. You could do certain things within reason with it, but you could not do anything, which is fair. You weren't allowed to say, put on a performance and collect monies from the ownership of that CD. But your point is a very valid one. You at least had a tangible asset that you could call yours.
Speaker 2:Yeah, so this movement towards a self-sovereign identity is exactly that. How can I literally own the infrastructure? How can I own the proving that I am who I am to other entities? Part of that is happening through passkeys, right? So, like you've probably been asked to save a passkey to your laptop or your phone, and what that essentially does is it keeps some information in your control, right, and it checks it against information in their control. But your identity in that sense is still only yours. If you're using a passkey to access another service, let's say that service is let's take something relatively benign. I want something that's I don't know your local gym. Okay, you log into their web portal, right, and you schedule a class to go to. Maybe you want to do a little jazzercise because you want to work on that pirate booty. Whatever it is, okay, okay, or squat thrust. However you put the pirate booty on.
Speaker 1:I'm picking up what you're putting down there. It is Pick it up, put it down.
Speaker 2:Exactly, exactly, but you know. So you save a passkey, you log back into, you know, your fitness of choice dot whatever. OK, in that case you own the validation, verification of your identity when you set that up between you and that entity, right? The second you start using an intermediary to validate, you like, log in with Apple. You don't own that identity, that's not yours. So I was mentioning that I started experimenting with this at home myself.
Speaker 2:There's what's known as IdPs, identity providers, right? So, like Okta is a relatively known one. This is less consumer oriented, more business oriented. In the consumer space, it's the Apples, it's the Googles, it's right. Like, it's the Facebook, right, like, log in with your blank. It's the LinkedIn's, log in with your LinkedIn account. In the consumer world, we see a lot more of that third party stuff that way. So what I started experimenting with was self-hosting my own identity provider. There are identity provider platforms that you can self-host that allow you to completely control the ownership of your identity. There are open protocols that allow you to then validate yourself across the landscape that other providers do accept, like OIDC. That's not really accessible to the average person, right? Right, Mom, pop, hell sisters, brothers, cousins. I don't even know a lot of other technologists that self-host their own identity platforms, and I know a lot of technologists.
Speaker 2:I know a lot of people that are super privacy oriented, super security oriented and extremely technical. Like they could do it, but they don't. And I don't know that there's a reason other than ease, right, like it's all about that friction between use and service, right. But I think we should all be pushing towards a model of self-sovereignty that is also achievable for everyone. Passkeys is a decent way to get there. It's a decent way to get there. And again, this goes back to the list of you know, we should be doing less of this versus we should be doing more of that. The thing we should be doing less of is when we're presented with the login, with your Google login, with your Facebook login, with your blank. Do less of that. Because, also, every time you do that, those companies are tracking how your identity is used. They're tracking what you log into, what you're a member of, when you use it. The identity provider can see every place you go and come across the digital landscape.
Speaker 1:Not only that, well, because you're talking about, they can also locate your like where you are, where you are digitally. I mean 100, yeah, and that's the same goes for that's the other thing that it worries me about, like all these ev cars and not even ev cars, just all the smart cars forget the smart car.
Speaker 2:You're already stepping in your car with a phone in your pocket. Don't even worry about it.
Speaker 1:You're already being tracked. Yeah, that's true. Don't even worry about it.
Speaker 2:Yeah.
Speaker 2:Your point is a valid one, though it's a very valid one. We don't need more things doing more tracking, because I have the ability and the choice to leave my phone at home right now, true, and take my car without the phone track. I mean like I have that choice. But your point is very valid with a car that has that level of technology built in, which is a lot of cars, by the way, it's not just EV cars, right, like true, yeah, yeah, XM radio, you name it, right, like you've got it's, it's in there, they, they. Your things, like your location, are no longer quite as private as it may used to. Right, that ship has definitely sailed, but your identity is very much the last frontier and I think we have to fight diligently to be the sovereign owners of our identity.
Speaker 2:Yeah, you got to get the sovereign owners of our identity.
Speaker 2:Yeah, you got to get the point and every time we click that login with Facebook, login with Meta, login with whatever, login with LinkedIn button, you give that up. You give that up. Again, it's a little. It's not as approachable for lots of folks, but you know like I self-host several of my own personal email domains and one of the things I do is I create a domain for different services I use. And so, speaking of gyms, so I signed up for there's this workout place I go to, and so I signed up for them and it's nameofcompany@mypersonaldomain.com. And last week I started noticing a bunch of ads showing up in this in my just general inbox, like what the hell is this? So I click on the To button to see who it was sent to, because I use a different email address for each service. I can tell immediately who sold my data or who got my shit breached. And sure enough, it was this gym, it was this workout place.
Speaker 2:Wow, I was like you dirty rat and it wasn't even best I could tell, they're actually using Square, the payment processor, and so did they even do it intentionally, or are they just using some tier of Square service? That like automatically takes their data because they're using a cheaper tier and now they're reselling my stuff. I don't know, that's probably the latter probably the latter, but I caught him red-handed. I'm like, there they are.
Speaker 2:But again back to that identity problem. Yeah, when you own your own identity, you get better control of that. Because I own my own domain, right, I have a bit better control of my own identity. From that perspective, Apple's doing a decent job with this. Now, right, like from your iPhone and from another iOS device and from different Apple devices, you can choose the Hide My Email feature. There's only one problem: they will obfuscate and hide your email on your behalf, but again, now they even own your fake identities. It's.
Speaker 1:It's kind of scary, yeah, hideous. Do you think that we're too deep into it now, like everybody's? Not at all I still think.
Speaker 2:I still think we are, and here's why I actually think we are. But you and I are a little biased. We live in like an extremely. We're like in the 0.1 percent of the world as it comes to technology adoption. Most of the planet is actually rather technology disabled. Their phone is their primary technology device. In most of the world, developed and undeveloped and I don't really love those words, so maybe I need to find a better descriptor but you know, regardless of whether you are a small nation of a few tens of thousands of people, or if you're, you know, a large nation with hundreds of millions of people, or if you're, you know, a large nation with hundreds of millions of people, um, technology adoption is actually not, uh, it hasn't hit the entire globe, we, it just feels like that to us because we are in it.
Speaker 1:We are deep that's a good. That's a good point. It reminds me, gabe, I saw something about in Japan. You can pay for a service to to disappear and, like, erase your identity. Usually it's for, like you know, debt or financial difficulties, work, school, like you just want to start over. I thought that was kind of interesting little squirrel moment.
Speaker 2:But that is interesting. Pay to disappear.
Speaker 1:Yeah, I think the term is called. Would you do it? Would you pay to disappear?
Speaker 2:Johatsu Johatsu. Would you do it, though? Would you pay to?
Speaker 1:disappear. I don't know, maybe just so I can be at peace.
Speaker 2:I presume that's the reason one pays to disappear.
Speaker 1:Yeah, maybe so, maybe so. All right, moving on to regulatory stuff, this past week CCPA settlement. So California Attorney General announced a record 1.5 million settlement with Healthline Media. I think if you haven't heard about that, that's kind of recent. Um, it's a pretty big deal, but um, I think we talked about that a couple of weeks back. Um, things are expanding with a lot of states going creating their own comprehensive privacy laws. You're seeing that trend and ripple effect. The big one is around protecting child's privacy, so the FTC. They keep advancing on the Children Online Privacy Protection Act, which is also known as COPPA, which has been around, by the way, well before privacy regulation became in vogue.
Speaker 2:COPPA has been around for is it close to 20? It's got to be more than 20 years, easily more than 20.
Speaker 1:Something like that, yeah, and I mean I guess they're continuing to try to improve that, to give parents more control, which I think is the right move. For sure, I'm surprised it isn't something that's, like you know, more well-known. I guess, like you said, it's been around for as long as it has, but they continue to try to make it more relevant. I guess it does seem a little. I think was it TikTok that kind of?
Speaker 2:that kind of made it come to light even more because of the oh, I don't even know kids and stuff on on the internet now, yeah, probably both yeah, having having predated TikTok, YouTube Kids even is, is probably, uh, a bit more responsible for that. You can argue that ultimately, you know, a child's privacy is already in the parents' hands. You have to actively choose to relinquish it. The challenge becomes is, as we use technology to even enable and empower kids further, you know, for their learning, for their entertainment, it is that embracing of technology that is willingly or unwillingly, but oftentimes unknowingly and unintentionally, relinquishing that privacy. Yeah, so COPPA is trying to, you know, restrike that balance. But again, I might argue not to be so draconian that a kid's digital privacy has to be given away. It isn't as inherently given away.
Speaker 2:The way, you know, as an adult, is Because we have to exist in certain ways. Like you know, we need to be able to use banking services. Like, yes, yes, you can go live off the grid completely as an adult, you absolutely can. But to function in in today's society, you don't have a lot of choices as it pertains to what you are willing to exchange in return for those services. Right, like, yeah, the requirements are put out there and either you you accept them or you don't accept them. Right, like you use the service or you don't use the service. You want to use the bank, right, you got these things. You know that don't. But a child's privacy is wholly in control. The challenge becomes again. It's it's that intersection of both learning and entertainment where we, we begin to willfully, if not unknowingly, expose children's prides.
Speaker 1:They're children, yeah, they're children and so that I mean obviously having a kids and you have. You know, we, we care about that kind of stuff, so I'm I'm curious to see, um, how that kind of develops. Um, let's jump into the last couple topics here. Gabe, this is stuff that you love. Uh, ransomware, oh yeah, cyber criminals are on the loose still, um no, but there's been some some things that have happened in the past week. Um, any of those we have, we have a couple topics here, but any of those that you want to kind of dive into. We got, um, Microsoft Exchange and Cisco firewalls. Um, saw some important updates.
Speaker 2:I don't want to talk about anything Microsoft related. I'm just going to get grumpy.
Speaker 1:No, that's fine with me, they get enough. Yeah, I beat them up.
Speaker 2:Enough as it is too. You don't need me beating you up again today. Microsoft, that's fair. Simultaneously making everyone's life better and worse at the same time.
Speaker 1:I would talk about those hackers teaming up there, making everyone's life better and worse at the same time. Well, here's a.
Speaker 2:I want to talk about those hackers teaming up there, yeah, yeah, yeah, coming together like power twins. What's going?
Speaker 1:on out there. Are we talking about the ShinyHunters and Scattered Spider, those guys? Okay, so threat actor group ShinyHunters was linked to several recent attacks and is reportedly collaborating with Scattered Spider. These, these are. These are cool names.
Speaker 2:They are. They are very cool.
Speaker 1:So a trend of cyber criminal groups teaming up makes them more formidable and their attacks are more widespread. Makes sense.
Speaker 2:Yeah.
Speaker 1:Cyber criminals teaming up.
Speaker 2:It makes sense. You know you got a group of dudes over here doing some things. You got a group of dudettes over there doing their thing, coming together like power twins and uh, it's, it's powerful, it's like the Avengers of like the Avengers. And the truth is, this kind of thing happens frequently and, for as long as I can remember, it always has, whether they were you know I'll, but you know, way back in the 90s, whether you had like phreaking groups or warez groups or hacking collectives or whatever it is. Yeah, yeah, yeah, like that goes back. That goes back a ways it is.
Speaker 2:It's not new in that sense, but a bit more newer and scary in the sense that, to see it on the ransomware front, because ransomware is just such a scourge that's just not going anywhere. It's concerning, it's concerning. I don't think anything different needs to be done about it. This is a law enforcement problem ultimately. Yeah, the things that we need to do as consumers and as businesses continue to be the same, but yeah, it's fascinating. It's fascinating watching them team up.
Speaker 2:I'll tell you the following the stories that will follow will ultimately also result in lots of fallouts too. There's no honor amongst thieves, and it's only a matter of time before one group screws the other group over. We see that happen already now, right, where you have these ransomware gangs and they have these structures to them, where this part of the group does the negotiation and this part of the group does the initial infiltration and this part does the privilege elevation and lateral movements and they go get to the targets right, like it's all nice and compartmentalized. And we've seen it happen already where the group that was responsible for the negotiation and payment reception bounced with the money.
Speaker 1:Right, they didn't break anyone else off. That Protect EU initiative, where they're talking about the European Union and exploring ways for law enforcement to access encrypted data, which I mean. What do you think about that? That says you know the thoughts on raising significant privacy and security concerns.
Speaker 2:They can't have it both ways. You can't push for quantum resilient encryption, because everyone else will be able to decrypt the things, and for you to also get air quotes legitimate access. The debate, I think, should have been largely settled, which is the following: any back doors that are placed by a legitimate entity can and will be used by an unauthorized entity.
Speaker 1:That's it.
Speaker 2:Any authorized back doors will be leveraged for unauthorized use. I don't even understand why this is still being considered. It's crazy talk, is what it is. It's crazy talk. And who are you protecting? I mean, I understand theoretically the very nature of, well, we have to be able to, you know, shut down child abuse rings. Agreed, fairly agreed. I couldn't possibly agree more. You cannot draw a straight line between that necessity and creating an environment where any number of unknown bad actors can get access, because you're essentially trading one bad thing for a bunch of bad things, right?
Speaker 1:And you know what the lesson that I'm learning is like. Let's take P Diddy's situation as an example. Which one?
Speaker 2:the pirate booty incident later all of it. It doesn't matter about these. Like you, you like pirate booty. I heard when he gets out he's going to be a sponsor All right.
Speaker 1:So let let me let me tie this back 'cause see, we can intertwine and talk about this in the problem lounge. But if you haven't seen the movie Blink Twice, it's basically the concept of it is it's kind of like it's kind of like throwing shade at Epstein and their island and having this mansion where they bring people and drug them and they forget about it. They don't. Basically, the movie is about drugging these people and they just can't, like it's keeping them drugs so they can't remember. But my, my whole thought around this is it doesn't matter, money is going to win, no matter what, no matter how bad somebody is, if you have enough money you can kind of get away with whatever you want, almost, and that's it's. It's a terrible example of the way our country is, but it's. I think it's kind of true. Like I mean, what happened to them? Epstein files, come on. Now. Where are the Epstein files?
Speaker 2:Come on now, where are the Epstein files? I've heard about them but I haven't seen them. I don't know. But you know I'm just saying. I've heard lots of things about these Epstein files. I've never seen them. Where are they at?
Speaker 1:Where are they at, though? I don't know. I'm sidetracking, but you see where I'm going with this.
Speaker 2:I it I understand exactly where you're going with this. You, you are demanding the Epstein files. I am with you, I am right here with you.
Speaker 1:I, I too, demand the Epstein why don't, yeah, why don't we have a? Why don't we? You know, let's pull some data, let's find, let's get access to that. How about that?
Speaker 2:ShinyHunters and Scattered Spider are otherwise busy at the moment exfiltrating things that are not the Epstein files.
Speaker 1:Well, any ethical hackers that listen to this show, or any hackers, let's go.
Speaker 2:Yeah.
Speaker 1:We want them files. Challenge on you we want them files, but files. But anyways, this was a great episode. This was a lot in uh this past week and past month or whatever in cyber security and privacy, so hopefully you guys liked it. It's been busy.
Speaker 2:It's been busy, we've been busy. We got new shows, new guests, a new co-host, a whole new platform, new websites. Man, we do things. Opportunities. Don't forget to check that out yeah, anyone that wants to sponsor.
Speaker 1:I was gonna say, uh, you know who be a good sponsor is that you know that black fire booty, pirate booty, would be a good pirate booty for sure. Um, we'll accept other forms of booty as well, if that's this is true.
Speaker 2:But is it called?
Speaker 1:Black Phone? Is it the phone that's like the simple phone where you can't access, like social media and stuff? I feel like that'd be a great, great sponsor for the network.
Speaker 2:I know what you're talking about. I know what you're talking about. Anyways, yeah, Gabe, this was about. I know what you're talking about. Anyways.
Speaker 1:Yeah, Gabe, this was fun. Damn. Always a pleasure. Thanks guys for tuning in. We'll see y'all next week.