Steve Gibson and Leo Laporte host a special episode of Security Now live from ThreatLocker's Zero Trust World 2026 in Orlando, Florida.
The final frontier of security is internal. Today, we have the tools, techniques and technologies to thwart attacks originating from outside our perimeter. We're now good at protecting our borders. But major high profile breaches occurring over the past several years have revealed that insufficient attention has been given to the security of our internal systems and networks. Today's greatest security weaknesses result from decades of system design, deployment and policy that have placed far too much trust on the conduct of those on the inside, behind our borders. Whether deliberate, inadvertent, or externally penetrating, the greatest challenge we now face is that of designing and deploying our internal security with strict adherence to the principles of least privilege and zero trust.
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to Security Now at https://twit.tv/shows/security-now.
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.
Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit
It's time for Security Now; that's Steve Gibson in the lead.
Well, I'm Leo Laporte. We're live in Orlando, Florida for Zero Trust World.
Steve's presentation, The Call's Coming from Inside the House, an extra Security Now,
coming up. And oh, we better get going, we're on.
This episode of Security Now is brought to you by ThreatLocker.
ThreatLocker's Zero Trust platform blocks every unauthorized action by default, stopping
known and unknown threats, including VM-based malware that evades traditional antiviruses.
Ring-fencing constrains tools and remote management utilities, preventing lateral movement
or mass encryption.
ThreatLocker works across all industries, supports Mac environments, delivers comprehensive
visibility and control, and provides 24/7 US-based support.
Trusted by JetBlue, Heathrow Airport, the Indianapolis Colts, and the Port of Vancouver,
and recognized with G2 High Performer and Best Support for Enterprise, Summer 2025,
PeerSpot number one in application control, GetApp Best Functionality and Features 2025.
Get unprecedented protection quickly, easily and cost-effectively. Visit ThreatLocker.com
slash TWiT to get a free 30-day trial and learn more about how ThreatLocker can help
mitigate unknown threats and ensure compliance. That's ThreatLocker.com slash TWiT.
The podcasts you love from people you trust. This is TWiT.
This is Security Now, episode 1668, recorded live Wednesday, March 4th, 2026, at Zero Trust
World 2026: The Call Is Coming from Inside the House.
Welcome back everybody, it's time to close this out, this is our final main stage session
of the day.
Right now, The Call Is Coming from Inside the House. So for years we've built stronger
perimeters, better firewalls, better detection, better external defenses, and we got pretty
good at it, but the next frontier isn't outside, it's inside.
Some of the biggest breaches in recent years didn't happen because the perimeter failed,
they happened because internal systems were overturned.
Too much access, too little segmentation, policies built on assumptions instead of verification.
Zero trust was born to solve exactly that problem, and there are few voices that are more
respected in this space than the hosts of security now.
Steve Gibson, founder and CEO of Gibson Research Corporation, has been programming since 1970 and brings
decades of deep technical insight on modern internet security.
His passion for low level computing and secure system design is legendary.
And Leo Laporte, founder of the This Week in Tech network, has been hosting and shaping
tech media since 2005, bringing clarity, context, and conversation to millions of listeners
worldwide.
Today's session is a live recording of the security now podcast, and yes, it will run
a little bit longer by design, followed by a meet and greet in the solutions pavilion.
This is our final session, and this will be a strong finish.
Zero trust world, are we ready?
Ladies and gentlemen, Steve Gibson and Leo Laporte!
Hey everybody, great to see you, thank you for coming.
This is Steve Gibson.
We got some people.
Yeah, let's sit down, Steve, and we're going to talk.
So I never on security now have I gone through your full bio.
Thank God.
So I decided to ask AI, who you are, so get ready, and if I say anything wrong.
It's going to be hallucinating.
You got, did you start writing software when you were 13 years old?
Okay, well they got that right.
PDP-8.
That's right, for Data General.
It says Data General, see that's a lie.
For DEC.
Close.
Okay.
Close.
When he was 15, Steve got a job, high school student working, a summer job working at the
Stanford AI research lab.
SAIL.
That's pretty amazing.
And at the SAIL lab, you were working on speech synthesis.
Now this is what, 1975?
This was in, no, 70, like 71, very early.
The speech synthesis he worked on ended up as part of Texas Instruments' Speak & Spell.
Did you ever, when you were little, did you have that thing, you press the button, if
anybody remembers those things, really see.
He also wrote a light pen application for the Apple and the Atari, right?
Yeah.
Hardware.
I'll skip that agency part, nobody cares about that.
Now he, in 1985, founded GRC, the Gibson Research Corporation.
And one of the things that I first became aware of, Steve, was your InfoWorld column, which
I loved, in 1986, Tech Talk, from 1986 to 1993.
Steve wrote about technology in an accessible, fascinating way.
He's always been a little bit of an iconoclast, kind of, an outsider, banging at the wall of technology.
And I love that.
In fact, I started writing for InfoWorld because of you.
So thank you for that.
Now when you were, in 2001, when you were working in security, you got mad at Microsoft.
I do that frequently.
You may remember that in Windows XP, they released something, a capability to use raw
sockets, which meant you could impersonate any, address, right?
So the big problem was that, as we know, Bill Gates wanted to compete with The Source and
CompuServe, so he created, he was doing Microsoft Network, MSN.
And that was going to be dial up modems and things.
And then he got surprised by the internet, which was not what he expected to have happen.
So they had Windows, but it was, it was like, with a modem.
And so they got a TCP/IP stack and stuck it on Windows and put it on the internet.
So this was Windows on the internet.
And this is this predated NAT routers, we didn't have NAT routers then.
So my company, I thought, oh, the internet's happening.
Let's put our machines on the internet.
And it turned out that other people had Windows and all of their C drives were shared on
the internet.
So it was freaky.
I mean, a slogan that we often use at security now, what could possibly go wrong?
And so this was the genesis of Shields Up.
I created Shields Up to show people that ports are open bit.
And so that was my first time going.
How many of you have used Shields Up to secure your networks or secure your router at home?
I use it every time I set up a new router.
And so its genesis was that Microsoft just stuck Windows on the internet, which was the
original upset.
And then as you were saying, they produced, they took an operating system, Windows 2000,
which was more enterprise-oriented, and they created XP.
But because they took the network stack from 2000 to XP, consumers were going to have
the ability to generate raw data on the internet, which was going to create a DDoS nightmare.
So you did that DDoS by a raw socket attack shortly thereafter.
You also got a lot of hate not only from Microsoft, but people in general said, well, it's
you all worried about raw sockets.
Three years later, with Service Pack 2, Microsoft said, oh, yeah, maybe you're right.
Well, and there was no firewall in Windows until, they introduced it in XP, but it was
disabled by default until Service Pack 2.
So I first met Steve, I'll give you an idea of how long ago it was, he had just written
a program called Trouble in Paradise, which was able to diagnose the click of death on
a zip drive.
Do you remember zip drives?
Yeah, that's, yes, who could forget?
And we had him on The Screen Savers, the TV show that I was doing, this was probably 1998,
talking about the click of death, and we've been friends ever since.
We first got together to do a podcast 21 years ago.
We've been doing it.
Steve, you and I were doing some TV because you had TechTV and Call for Help, right?
And during our break, we would do four programs in one day, and between, like they had to
rewind their tapes or something, and so between that, you and I were just talking and you
said, hey, what would you think about doing a podcast about security?
And I said, what cast?
This was very early on.
You were also concerned that there wouldn't be enough material.
Oh, we're going to run out of stuff to talk about.
21 years later, the show isn't getting shorter by any means.
It's getting longer.
We're going to do a short version of security now today.
Don't worry, I promise we'll get you to the cocktail party in time.
Steve proposed, actually, over this 21 years, we've seen big changes in security.
Early on, it was all about protecting the perimeter.
It was all about firewalls, as you mentioned.
But things have changed quite a bit, and I think it wasn't so long ago.
Maybe last year where you started to say, you know, there's a different issue at hand.
And this is where the title, the call, the threat is coming from inside the house.
So yes, one of the, again, we've been doing this for 21 years.
I remember early in the podcast, talking with you about the fact that there were viruses,
you know, I mean, there was mischief being conducted, you know, DDoS attacks, people
were like, you know, getting pushed off the internet.
But there didn't seem to be a purpose.
There was no reason for it.
It was just, you know, bored with the laws.
Yeah, I mean, it was just to see if it could happen.
I think that probably the most pivotal defining change was the emergence of cryptocurrency,
was because it was the ability for bad guys to extort.
And for there to be a way for them to get paid, that turned this from, you know, hobbyist
hijinks to, you know, foreign state actors having a motivation.
You may remember in the early days they were asking for you to go down to the drug store
and buy cards that you would then mail to them, not the best way to extort.
But as soon as you could do it anonymously with crypto, everything changed.
Everything changed.
And so I think what we've seen is that, you know, one of the things I wanted to make
sure I shared the day was to, for everyone to understand that the bad guys don't care
about the data that they're taking, right?
I mean, you and I, after that most recent data breach last year, we looked up our social
security numbers.
Oh, yeah, the data broker breach, yeah, yeah.
The personal data is out there.
It's already escaped.
But the value of cryptocurrency is that it allows extortion.
And if bad guys are able to get into an organization's network and maybe cripple their machines,
but certainly exfiltrate their data, then they have something that they can ransom.
And in the same way that a kidnapper doesn't want the entity, the person they've kidnapped,
that person's a liability to them.
You know, the value is extortion.
And so one of the things that has changed, and we heard this 20 years ago, nobody would
want to attack us.
You know, why would anyone want to attack our enterprise, our organization?
It is for the sake of extortion.
It is so that they can say, we've got your data.
You may have a backup of it, but what's it worth to you for us not to tell the world
or to leak the personal and business data that we have stolen from you?
Right.
So they have the means.
They have the motive.
The motive is extortion and payment.
The opportunity, it's really up to these guys to keep them from getting the opportunity.
Is that right?
I think so.
And one of the other issues I think for anybody who's doing IT security is, you know,
that the famous expression is it's not possible to prove a negative.
It's how do you get credit for your organization not being attacked?
How do you demonstrate that it's because you have the budget that you have for IT and the
equipment that you have and the staff that you have?
You know, there's certainly there's profit pressure in any enterprise.
And so when the guys who are controlling the purse strings look around for where they
can cut, they're like, well, we haven't had any problems with our IT, everything's going
great.
Right.
So let's cut there and it's like, wait a minute, the reason everything is going great
and you haven't had any attacks is that we've been able to keep the defenses up.
We've been able to, you know, purchase expensive network gear that, you know, even though the
old stuff was still working, it was now no longer being serviced and we know that there
are probably vulnerabilities there.
So it's crucial that we continue to fund this enterprise of keeping the network safe.
I suspect that you all know.
I'm seeing heads nod out there.
Do you think though that that's changed a little bit for the longest time?
There was this incredible pressure on IT to do more with less to be secure, but I think
with all these breaches and all the issues that are coming up, do you think organizations
are starting to understand, no, no, this is really.
I think there's much more traction that's available now for the security side to say, you
know, would you like our enterprise's name on the board of shame of outfits that have been
breached?
There's that wonderful site.
Do you remember what the name of it is?
Oh, in real time.
In real time.
Every day would show you the breaches that have happened today.
There was usually a dozen, twenty breaches in a single day.
In the morning, not so much, but then in the afternoon.
Yeah, you don't want to be on that list.
And I hope that business leaders are realizing that the best way not to be on that list is
to take IT seriously.
Right.
And so that when we were thinking about what it was we wanted to say today and came
up with the title of this, my sense is from what you and I have seen over the last couple
decades is that we are getting much better about protecting the perimeter.
Not 100% yet.
There's still a way to go.
One of the issues I think is that there is a pain associated with increasing security.
One of the, yes, always there is a security versus convenience versus security trade
off.
And one of the biggest problems that we see is it would be possible to further increase,
for example, perimeter security.
I've been saying for a while now on the podcast that authentication doesn't work.
I mean, if it did, we wouldn't keep over and over and over seeing serious problems with
authentication failing.
Cisco just had a 10.0 authentication failure in their SD-WAN product, which enterprises
used to interlink satellite offices.
And as we know, you have to really try hard to get to 10.0.
A CVE of 10 is rare.
That's like Nadia Comăneci.
So it's easy to do and it's not a low probability attack.
You just figure out how to do that.
Is that one in the wild?
You just cut right through.
Oh, yeah.
It's in the wild.
The Australian Signals Directorate discovered it and then all of the various security organizations
around the world started screaming about it.
So at one point, it got so bad with breaches that we stopped reporting them.
They were boring to our listeners.
There was no point.
Everybody is crazy.
Oh, okay.
Every day there's another breach.
That's not news.
No.
And so an example in this SD-WAN breaches is a perfect example where it was an authentication
failure, some bug in Cisco's system.
There was allowing bad guys and they were, in this case, Chinese state backed attackers,
probably located in China, getting into enterprise networks through this authentication failure.
So I asked the question, why could someone in China get a connection?
Why do you want people in China trying to connect your SD-WAN?
No.
Right.
Put a firewall rule in front of it because you know where the entities are that you do
want to have connecting, everybody else should be locked out.
But it's, you know, whoa, what if there are IP changes that way, you know, then we wouldn't
be able to connect.
Again, some lack of convenience in trade for much greater security.
You should probably whitelist not blacklist, right?
You know what IP addresses are.
Oh, yeah.
Yeah, it ought to be a blanket, you are, you know, no packets come in, unless it's from
this IP, this IP, this IP, this IP, that's that same idea of right.
Yes, it is, it is exactly.
And so the, so even though we've gotten way better at securing our perimeter, we could
still get a lot, there's still a long ways to go because again, we all understand the
notion of multi-layered security.
Unfortunately, too many people are just assuming that authentication works at the still order,
still today.
Yes, otherwise we wouldn't be seeing these breaches.
Right.
And so you think that part of it is, and we talk about this a lot, that there's the impression
that well, it's nation-state hackers that have this sophistication to do this, we aren't
going to be the target of a nation-state hacker.
So we're probably okay.
People assume their threat model, they don't have to worry about.
We are financing North Korea.
That's the problem, right?
Yes.
Because there is a, there is a motive for that because of hard currency.
Yep.
Yeah.
And they, we saw the number a couple of weeks ago.
Chewly amount of money that is flowing to North Korea because, because their hackers are
good and they're jumping on problems as soon as they occur.
And our, our border defenses are still not what they could be.
Because it is much less convenient to do that.
Right.
I mean, if, I guess if I had one thing, I would urge everyone to do, it would be to assume
that authentication doesn't work because that's what we see.
We see example after example after example.
And so, if you, if you assume it doesn't work, then take the responsibility of, of, of
what happens if it fails.
Imagine if, if, if bad guys could connect to your, your enterprise VPN, then what?
Well, the, the, the simplest protection is simple IP address filtering.
Right.
Because most enterprises aren't like residential consumers whose IP will change.
But even there, it doesn't change much.
I mean, it is, it is my entire defense.
I have three nodes, two places I work from and, and GRCs facility at, in, in what used
to be a level three data center, but they've been purchased about 12 times since then.
So I don't even know what they called them.
Who owns them now?
No one knows.
I don't know.
But my IPs don't change.
My entire defense is that I have IP address filtering in all three locations.
Right.
So they can only talk to each other.
And I have, yeah, yeah, and within that, of course, I'm authenticating.
But you know, I look like just a black hole to the rest of the world because for that simple
experience of, of using a firewall in, in front of those three locations.
Yeah, you would think they're saying, well, we're going to route it through Africa
so you won't know it's China.
But it's funny.
I still see all the time on my home network, Chinese logins, one after the other, trying
to get through the NAS or getting, you, you actually told me I set up my SSH server, which
is now off.
So I don't get any ideas.
And I, and I set it up with a port 22 and I thought, well, they can, you showed Anna,
they could find the port.
So why use an obscure port and security through obscurity doesn't work.
But you, but you said, no, you should still use, there's, it's, in other words, it's
not a, it's not a silver bullet.
There is no silver bullet, but you shouldn't also make it easy for them.
Right.
There.
So, right.
And I had port 22 open and you immediately prrm all these Chinese attacks.
If, if your goal was to give everyone a better sense of this, if your goal was to have SSH
as a global service, which is a mistake to begin with, then you'd want it to be on port
22, where the globe would know to look for it.
Right.
And if you want, want to run a web server, that's got to be on 443, and email's
got to be on 25 and so forth.
The only places you should use default ports are where default users who don't know
specifically where your service is would go to look.
Otherwise, why leave it in on the default port?
Right.
Yes, it's not, it's not going to protect you from someone who's going to scan all your
ports, but it's trivial to put it somewhere else.
Right.
So, why not?
Right.
So, it, so it just cuts down on opportunistic attack.
It's layers.
You got to do a lot of things.
I would, and I would use them all.
Yeah.
I mean, just, you know, so many and so, so that, you know, yes, maybe something is going
to be fragile and break occasionally, but again, even though you're not going to get credit
for not being attacked, you get to sleep at night.
I've learned so much doing this show.
We remember we used to talk about Hitachi, or Hamachi, not Hitachi, Hamachi, which then got
sold to LogMeIn and we stopped using that, and then Tailscale and WireGuard and all
of these techniques.
It's one of the reasons I love doing this show because I learn so much for it.
This is kind of a special edition of security now.
We usually do the show on Tuesdays.
We usually spend a couple of hours, at least, talking about attacks, what's happening in
the world, the latest security news.
Do, have any of you ever listened to security now, is there just a few of you?
Okay.
All right.
The entire front row, the rest in the back are going, I don't know, it's just, where's
the free dinner?
So, good.
We're, we're doing a special version of this.
We're going to pause for a moment because we have a commercial break.
Thanks to our great sponsors here, Threat Locker, who brought us out for the event.
We really appreciate Threat Locker and they've been a great sponsor for us and they're all
the way into 2026.
We're very happy to have them.
We'll come back and when we come back, we're going to talk about remediation.
What you can do to protect yourself in this kind of new world, because we'll talk about
what that call coming from inside the house is.
It's not a babysitter sitting downstairs in a bag of upstairs, it's something else.
This is security now.
Hey, everybody.
This special episode of Security Now is brought to you by, guess who?
ThreatLocker.
We're here right now at Zero Trust World, where ThreatLocker is hosting some of the brightest
cybersecurity experts for the sixth year in a row.
I gotta tell you, this is a great conference.
Zero Trust World provides crucial education and training to support IT professionals, along
with full session access, hands-on hacking labs, meals, and an after-party, even the opportunity
to take the Cyber Heroes certification exam.
Be sure to check out this exciting interactive three-day event that happens every year to
get hands-on cybersecurity training, expert insights, and more.
The ThreatLocker Zero Trust platform takes the proactive deny-by-default approach you
want.
That's the key.
Deny-by-default blocks every unauthorized action.
Unless you explicitly permit it, it doesn't happen, and that protects you from both known
and unknown threats.
ThreatLocker's innovative ring fencing constrains tools and remote management utilities,
so attackers just can't weaponize them.
They don't get lateral movement.
They can't do that mass encryption ransomware thing.
ThreatLocker works in every industry.
They've got great 24/7 US-based support.
They work on Windows.
They work on Macs in every environment, and with ThreatLocker, you get comprehensive visibility
and control.
Just ask Emirates Flight Catering, a global leader in the A food industry, 13,000 employees,
and happy ThreatLocker customers.
ThreatLocker gave them full control of apps and endpoints, improved compliance, and delivered
seamless security with strong IT support.
The CISO of Emirates Flight Catering said this, quote, the capabilities, the support, and
the best part of ThreatLocker is how easily it integrates with almost any solution.
Other tools take time to integrate, but with ThreatLocker, it's seamless.
That's one of the key reasons we use it.
It's incredibly helpful to me as a CISO.
ThreatLocker is used by enterprises and infrastructure companies that just can't go down,
not even for a minute.
Companies like JetBlue, they use ThreatLocker. Heathrow Airport,
the Indianapolis Colts, the Port of Vancouver, they all use ThreatLocker.
ThreatLocker consistently receives high honors and industry recognition: G2 High Performer
and Best Support for Enterprise, Summer 2025.
PeerSpot ranked them number one in application control.
They got GetApp's Best Functionality and Features award in 2025.
Visit ThreatLocker.com slash TWiT to get a free 30-day trial and learn more about
how ThreatLocker can help mitigate unknown threats and ensure compliance.
It's ThreatLocker.com slash TWiT.
And we'll see you next year at Zero Trust World. Now back to the show.
This is Security Now.
We're coming to you from Orlando, Florida.
We're here at the ThreatLocker Zero Trust World conference.
We thank ThreatLocker for bringing us here, Steve Gibson and Leo Laporte.
Really nice crowd.
They're about, I think they told me they're 1800, 1900 people here learning about security.
I did a hacking lab earlier.
I didn't realize this, Steve, they have, I just asked Heather something like 900 laptops
for these labs.
You haven't gone into one of the labs.
You've done the labs, right?
It's really cool.
I want to do the Metasploit one.
One of it was jammed.
There was no way to get in.
But they have laptops for everybody.
They can come in.
They can sit down and do these hands-on workshops, which is really, really cool.
I learned how to hack the web today.
It was fun.
So that's really cool.
There have been some wonderful speakers.
So we're really pleased we could be here.
I hope we can do this again next year.
And I hope we'll see you all again next year.
So let's talk about, given that the world has changed, incentives have changed, the
means have changed, the motives are clear, where is the biggest threat right now?
So we've pretty much covered keeping the bad guys out at the network level.
Authentication cannot be relied on.
Packet filtering is so dead simple that if there's any way it can be used, it should
be used.
I run fail2ban.
So if people try to log in too many times, just assume that authentication is a weakness
and engineer yourself so that you're not worried about that.
So the thing that we've been seeing in the last couple of years is a, because I think in
general, things are getting better in terms of the secure perimeter, is the bad guys going
around the perimeter.
The Shiny Lapsus Hunters group.
Social engineering primarily.
Social engineering.
We talked last week, they're trying to hire women.
They are hiring women and paying them a lot of money, $500 to $1,000 up front to place
social engineering calls with a woman's voice under the logic that will be more convincing.
The customer service rep is going to say, oh, you poor lady, we were talking last week
about, I remember there was a hack where a woman called, she had a recording of a baby
crying in the background, and it's all to get the customer service rep whose job is customer
service to do the SIM jack to make a mistake.
To make a mistake.
They're very good.
Shiny Lapsus Hunters is pretty amazing with it.
And you had an instance in the last couple of months and have to talk about that.
What I did, where I didn't click the link, but it was reasonable looking.
Jeff Jarvis, to say text to me this morning, he got a text from AT&T and he clicked it.
I was offered free headphones.
I thought, well, that's a good deal.
And I started to go through the process so I realized that it was a website in the Philippines
and I was trying to give them my credit card number.
And we're presumably, relatively sophisticated, we're aware.
The problem is they get you at a weak point.
I'd been getting a lot of text messages from my carrier.
Late for lunch and so you just said go ahead and have my coffee, that was my excuse.
So I think that this, to my way of thinking, that's the next frontier for enterprise security.
The call is your employees, let's be, let's be frank.
The reason a personal computer is so much fun.
The reason we all got our own PCs is we could do anything with it we wanted.
There were no general purpose device, no constraints, download software, run it, do whatever
you wanted to do.
That model doesn't work inside the enterprise.
The reason I think it's like the final frontier, it's also the biggest problem.
Well, your users have personal computers at home?
They know the way it's supposed to be.
They want freedom, but they can't be trusted with that freedom.
And again, you and I couldn't be, because we almost clicked the link.
I mean, so it's not about who they are or lack of training, it's that there is tremendous pressure
created by the opportunity to extort, which there wasn't historically, but there is now,
thanks to cryptocurrency.
So there is pressure, and that's, I mean, I don't want to, to have anyone come away
undervaluing the importance of that.
And your boss says, well, who would want to attack us?
Who would want to, you know, we don't have anything.
You do.
You do.
You have, you have extortability, and so this tremendous pressure is motivating endless
cleverness.
You know what scares me?
We get these emails all the time.
We unfortunately, I think we're going to change this, have a easily guessable email address
for our accounting department.
Somebody said, oh.
And so we get literally, you know, several emails a day, right?
Lisa is saying, you know, your bill is due.
And now we're a small enough company so that our accounting people know enough not to
do that.
But if you have a large company with a big accounting department and a lot of invoices
coming in, that terrifies me.
That would be so easy just by, you know, just say, oh, yeah, well, let's pay that invoice.
How do you control that?
That's really problematic that I think that what this next frontier of security that is
to deal with the call is coming from inside the house.
It's necessary to, unfortunately, reconceptualize the internal networking architecture.
You need to assume not that you have an evil maid, as it's called, you know, an evil
change.
We're going to have to change that.
Yeah.
An evil butler.
An evil butler.
How about that?
Or an evil janitor or something.
It's not a bad employee.
It's somebody who a social engineering hack tripped.
And they're really good now.
They've gotten better these engineers.
Yes.
And they're going to keep getting better.
Again, don't underestimate the pressure to get inside.
And so, you know, anyone who's listened to security now has heard me talk about the model
I have of security as being porous, where it's not as open as a sponge, but more like,
you know, some porous stone, where if you have sufficient pressure, you can get some leakage
through.
So you have security, you have a wall, but it isn't perfect.
But nothing is perfect.
And this is the problem, is that it only takes one mistake from one employee, one time,
who, you know, who allows something onto their business.
You guys have to be perfect.
The bad guys only need to succeed once.
So in the same way that I would urge people to, to, on the, from the outside looking in,
to assume that authentication doesn't work.
You cannot rely on authentication.
The sad reality is you cannot rely on your employees not making a mistake.
Making a mistake is human, right, you know, and so, so, and you can give them training
and you can be testing them and we know that we have sponsors of the podcast that specialize
in doing exactly that.
There's people on the show floor doing that.
They saw all of this training.
Yes.
Raising, you know, maintaining on a level, a heightened level of, of anxiety essentially
right about, about like the, that individually they're under attack, but you're not saying
don't do that.
It's just insufficient.
No.
I'm saying you need that.
Yes.
It is insufficient because mistakes can still happen.
Right.
And so the, the, the easy way of setting up an organization's network is to have a big
switch and plug everybody in.
Right.
You want a big happy family.
And if you're inside the network, you're good.
Exactly.
Right.
And the problem is you are then maximally vulnerable in that, in that scenario.
So, so, so a powerful technique and I, I saw it mentioned in, in some of the notes for,
for the, for, for this conference, a powerful technique is whitelisting apps.
It's also really painful because nothing that's not whitelisted will work.
Right.
And it's going to upset people.
Do you ban all shadow IT?
Do you, do you say you can't use outside apps?
You can't.
I, I think you have to, you know, I, I heard you just the other day, giving the example
of the employee who gets their laptop infected at home and then brings it into the enterprise.
It happened to the NSA for crying out loud.
And if it can happen to the NSA, it could happen to anybody.
Yeah.
So, so the, the, this, the final weakness, I think, this, this, you know, the call that's
coming from inside the house is not somebody who's maliciously attempting to do something,
but somebody who makes a mistake, who allows something bad to get into their machine.
And now their machine has more access than it should have.
That's, that's where I'm going with this is that it, in the same way that, that if, if
authentication isn't perfect, then you're, you've got IP filtering to back it up, so they
not even have a chance to authenticate because they're coming from, from, from, from an untrusted
location in on the world, where only three are trusted, the others, you know, everything
else isn't.
This is zero to one of the minute.
Yes.
Zero idea.
Zero trust.
Yeah.
And, and so it's, it's, you used to call it Trust No One.
You coined that phrase.
TNO.
Well, I got it from Mulder on The X-Files.
Okay.
Yeah.
That was in a different context.
I think there were aliens involved, but it's a, same idea.
So, so you have to then say, okay, if something bad gets into this employee's machine, what
could it do?
What access does the machine have?
And I would argue that to, in this day and age, still today, too many endpoints in
the enterprise have too much privilege.
We talk, we all understand the concept, the concept of least privilege, but it is, it
is so difficult to actually implement.
Well, try telling the CEO that he can't surf to any site he wants.
Right.
Sorry.
Yeah.
Because he could make a mistake.
Well, he will make a mistake.
He's probably more likely to make a mistake.
I hope this message, though, is getting through to business leaders, to CEOs.
They understand that, yeah, we're locking you down for a good reason.
Well, and it's arranging to send them a spoofed email that they fall for.
That's one way.
It would be like to say, well, look, it did happen to you.
Yeah.
So the point being, ask yourself, what happens if any endpoint in the enterprise is malicious?
Does it have too much privilege?
And I understand the pain.
I mean, just the additional overhead associated with really implementing a least privilege
policy on an endpoint by endpoint, node by node basis.
It's not the default.
It's not easy.
Yeah, as I said, the easiest thing to do is to get a switch and plug everybody in.
You need to segment, you need to think in terms of departmental level access, but what
we always see is the bad guys get in somewhere and then they, they, lateral movement, lateral
movement.
That work, we were talking the other day about a hack that somebody had set up, you know,
like 90% zero trust, but there was a security camera that had just enough RAM and just
enough processor to run an encryption routine, a malware routine.
So they use that.
That was the one thing that wasn't protected.
Yeah.
It seems like though, if you really implement true zero trust, that would be easier in
the long run.
The hard thing is the social thing is explaining to your users that you superglue their USB
ports.
It's not easy.
Yeah.
Or that, you know, if you want to log in, you have to go, you have to jump through some
hoops in order to do, you have to, you have to continually, internally reauthenticate,
prove that they, oh God, we hate that though.
Yes.
Again, it's going to be, it's going to be hated.
Google's making me log in again.
But that's why, right?
That's why you have to, what do you have to do?
Right.
Now, you worked on SQRL.
You had an idea for a good authentication method that did not require a password.
Passkeys, that's part of it, right?
Making it easy and still secure, is it possible to have both?
It seems to me that what we're going to, where we're going to end up being, is pervasive
biometrics within the enterprise, or a thumbprint on your keyboard, or on your mouse.
Your Level 3 facility, your colo had that, right?
You had to do a handprint, yeah.
Yeah, I had a hand geometry reader, right, in order to get in.
So, the way I think this story ends is that in order to do anything, the user needs to
continuously reauthenticate, and I don't mean anything, but I mean, certainly you need
to create security parameters and think this through.
A lot of thought will have to be put into this, but it will be necessary for the person
to constantly prove that they are them doing this.
That's why passwordless is a step forward, because that's why biometrics, because if people
are going to get very used to putting their thumb on something, and it's not so hard.
No, exactly, and that's where you get the face recognition, or it's a little easier,
and it's as secure.
It's necessary, because I think you need to have it demonstrated that this is an internal
entity, an employee in the organization who wants to do something.
They should feel good about it, because this is what we have to do.
And we made it easy for them, just put your thumb on the keyboard in order to do it.
We only have five minutes left, what about, I mean, one thing that's really changed the
landscape in so many ways is AI.
We're so early in AI that I don't think we yet could guess what's going to happen.
I think that's a fair bet.
I got a piece of feedback actually from one of our listeners last week, and I'll probably
mention it in our next podcast.
It was an application of AI for watching, so it ran locally on their machine, and its
job was to keep them out of trouble.
And I think that's a really good idea.
I think it's brilliant.
I would, you and I, could use an AI looking over our shoulder, like that laying?
Exactly.
But that sounds a little bit like the Nanny UAC, Windows UAC kind of people really resent
that.
Except way more intelligent, so we're not talking Clippy.
Do we remember every time to look at the far right end of the URL to see what the TLD
is?
We'd look at it mostly, but AI would always look.
It would always look.
And it would see what the URL underneath the link that we're about to click, and neuter
our clicking it, and then up comes the dialogue, saying, wait a minute, what you think you're
clicking doesn't correspond to what this email is about.
So none of us want, most of us don't want, Recall, recording everything we do with our
machine.
Recall is funny, because it was simultaneously too much and too little, so it didn't go
far enough, and it went way too.
But I love the idea, where the way the world has evolved with the external pressures creating
an economic incentive for bad guys to breach our security and suborn an employee without
their knowledge, tricking them into making a mistake, having a local AI, which
is looking over their shoulder all the time, it's not leaking information, it's not in
the cloud, you don't have to worry about it from a privacy and security standpoint, watching
what they do, keeping them from pasting something on their clipboard into the run dialogue and
hitting enter, because they don't really, they're following instructions, they don't
know that's bad, and it says, whoops, hold on a second.
All the frontier models are now starting to add security modules to it.
And I think at first, I think people were a little nervous about this idea thinking, well
even with vibe coding, that the AI may make security mistakes, and maybe early on it was,
but you can also, I think you can train AIs not to do buffer overflows, not to use
strcpy when it could use strncpy.
It can look at the patterns of common mistakes and prevent you from doing those, right?
My feeling is, we're also at the early stages of AI coding, that anytime you take a general
AI and say write some code, you're not doing nearly as good a job as when you have a specific
coding AI that you gave birth to from scratch for that purpose, that's really going to
be something.
We haven't seen that yet.
Yeah, we're getting there.
Yeah, it's pretty amazing.
Oh, we've got a long way, we're at the 1% point, really, I mean, we're, if anyone were
to ask two years ago, would we be where we are today with AI, we would not have predicted
this?
And two years hence, who knows, right?
There's no way to know.
Yeah.
This is why old guys like us are still excited about doing what we do, because-
But keep an eye out for agents that keep your employees from making mistakes.
I think that's going to be a serious win.
Yeah, I like that idea.
I hope you all will subscribe to Security Now, you'll find it on our website, twit.tv/sn,
or in your favorite podcast app, we do it every Tuesday.
Steve is a national, international treasure.
We're very glad that he decided to keep doing it for a while.
He was making noises about stopping at his 999th episode.
But we're now at 1068, so that's the good news.
Let's hope for another thousand.
Thank you so much.
We really appreciate it.
I thank you, Steve.
And we're going to go to the cocktail party, and if you want to get a selfie with Steve,
we'll be there.
More with Leo.
Well, I'll be behind him with the devil horns.
Thank you so much.
We really want to thank ThreatLocker, our sponsors for this show, sponsors for the conference.
I think they do an amazing job, and we're really happy to be partnered with them.
I hope you have a great conference.
See you later.
Never seen a musical so good you didn't want it to end.
Like you could live inside it forever.
Then you're going to love Schmigadoon.
Get your one-way ticket to Broadway musical Paradise.
If you ever felt trapped at a musical, like you literally couldn't escape, then you'll
hate to miss Schmigadoon because you'll never want to leave, and you can't.
But the important thing is you'll never want to.
Get tickets at SchmigadunBroadway.com