The Security Table
The Security Table is four cybersecurity industry veterans from diverse backgrounds discussing how to build secure software and all the issues that arise!
Selling Fear, Uncertainty, and Doubt
Matt, Izar, and Chris discuss the impact of fear, uncertainty, and doubt (FUD) within cybersecurity. FUD is a double-edged sword - while it may drive awareness among consumers, it also leads to decision paralysis or misguided actions due to information overload. The saturation of breach reports and security threats also desensitizes users and blurs the line between vigilant security practices and unnecessary panic. Fear-based security strategies do not foster a secure environment.
The proliferation of smart devices and the internet of things (IoT) make many everyday objects potential targets for cyber-attacks. However, media sensationalism surrounds these vulnerabilities, and there is a lack of follow-through in educating consumers about realistic risks and protective measures. This gap underscores the need for reliable sources of cybersecurity info that can cut through the FUD, offering actionable insights rather than contributing to fear.
They also explore the practice of weaponizing security in competitive markets. Some companies leverage security breaches, or the lack thereof, to differentiate themselves in the marketplace. These marketing strategies highlight "superior" security features while pointing out competitors' breaches. While such tactics might draw attention to security considerations, they also risk confusing what constitutes meaningful cybersecurity practices. The industry needs to balance competitive advantage with ethical responsibility and consumer education. Who will fill the gap?
Oh, the planning, the planning process is over.
Matt Coles: Well that's the big, that's the big dog as opposed to the little one.
Chris Romeo: Okay, well that's, that's the one that's famous for being on the show, though, is
Matt Coles: No, the little one.
Chris Romeo: Oh, the littler one is the one who's, who's had many appearances.
Matt Coles: Yes, yes indeed.
Chris Romeo: and the littler one's dog, what's the name of the littler one? Skier?
Matt Coles: Skier.
Chris Romeo: Like a ski, like the dog is a skier, goes to the mountains, puts on
Matt Coles: No, like the yogurt.
Chris Romeo: Okay, so the dog is a, is a yogurt
Matt Coles: The Icelandic for yogurt.
Chris Romeo: Ah, interesting. Okay. Wow. And
Izar Tarandach: did you get there?
Matt Coles: Uh, we, we really likes, we really like skier yogurt. And, um, so the timing was good. Heh
Izar Tarandach: Oh, okay, yeah.
Matt Coles: heh.
Chris Romeo: need help naming something, I'm going to reach out to Matt and his wife from this point forward and say, please come up with a cool, cause that's really a cool name. Like it's, you know, do you have a, is there a domain name associated with the dog where
Matt Coles: Not, not yet. Well, actually, there's a domain name for the yogurt, so we probably would be in conflict if we tried to get one, but
Chris Romeo: Well, that would be like a ic or something though for Iceland, so you
Matt Coles: Mm hmm.
Chris Romeo: Alright,
Matt Coles: Scear.com is an actual yogurt brand, but
Chris Romeo: See, I don't eat a lot of yogurt, because I think it's disgusting. And so, there's another category of people who will send hate mail. The lovers of yogurt. And
Matt Coles: Well, I should go grab my Scear yogurt now, because I get, it's in key lime flavor, which is
Chris Romeo: Well, you know, this episode of the Security Table, brought to you by yogurt. You need to eat none of this per year. To be happy, successful, and wise.
Matt Coles: It tastes good. Come on.
Chris Romeo: the,
Matt Coles: Heh heh heh heh heh heh
Chris Romeo: came up. It tastes good. That would not be the tagline I would associate with it. It would be terrible consistency, but good for you. All right. Well, hey, welcome folks to, uh, what appeared to be just a random conversation, which
Izar Tarandach: Soft serve.
Chris Romeo: A random conversation that, uh, turns into a discussion about something in the realm of cybersecurity. That's why we call this the security table. I'm Chris Romeo joined by Izar Tarandach, Matt Coles, uh, the Knights of the security table who, uh, fight the battles of, I can't even finish the metaphor. I'm sorry.
Izar Tarandach: All of them.
Matt Coles: killed DAST, so I don't know what we're fighting now. Heh heh heh heh heh heh heh.
Chris Romeo: we fight four letter acronyms for security products that don't add value to the world. If you're out there, we're coming for you.
Izar Tarandach: Dun dun
Chris Romeo: of thing. So
Izar Tarandach: Knee!
Chris Romeo: wrote it.
Izar Tarandach: Uff. Tis
Chris Romeo: now we're going into a full Monty
Matt Coles: Bring me a fuzzer!
Chris Romeo: These are, this is one of the knights at St. Knee. Was that, now, in the movie, was that, who was the, which movie is it where the guy is like, gets his arms cut off and then his legs cut off, and, come closer
Matt Coles: for Holy Grail. That's Quest for the Holy Grail. Same, same one. Tisma Scratch!
Chris Romeo: yeah, come closer and I'll bite your ankle! That's how we fight with valor. That's how the knights of the security table, we fight with that same enthusiasm
Matt Coles: But you have no arms!
Chris Romeo: and result more than likely. So, all right, but we should actually talk about something in regards to security. And so the topic that we have for this week is fear, uncertainty, and doubt when it comes to consumers and their security consciousness. So we got to this as a result of a post I wrote last week on just, just, uh, I guess, reflecting on the role I've seen fear take in the security industry throughout my career of 26 years and seeing how we went from the days of old where it was all about scaring people into doing the right thing, or people, or the consumer being scared as a result of, Ah, my data's going to be breached, or my credit card's going to be stolen, in the days where you had to go to the police station and fill out a police report, because your, because your credit card was in a data breach. Um, so that, that's
Matt Coles: by the way. You're still supposed to do that. Yeah.
Chris Romeo: don't think, I mean, right now, I mean, the card companies are so good at, like, they call you and they're like, hey, by the way, your card's been breached. There's a new one in the mail. We got this. It's all good. Like, but that's, that's kind of like the, the shift of what's happened in perception of those things. But I guess, what is the role of, is there a role for fear, uncertainty, and doubt or FUD in the realm of cybersecurity, if we just use the umbrella term? Matt, what are your thoughts?
Matt Coles: Is there a role for it? Uh, if you, if you mean it fear drives people to take, take action? Probably. The problem is, does fear, uncertainty, and doubt cause people to a, take the wrong action, or at some point stop taking actions because there's this overload. And I'm fearing, I have some, I have some fears that, that overload happens. I mean, how many data breaches have there been? I mean, I mean, let's just jump it out there. Out of, uh, out of the things that are in your home, which ones can get hacked? And which ones can't? And which ones can you do anything about? Short of not doing something, like not doing something or not buying those things,
Chris Romeo: Hmm.
Matt Coles: right? So I think fear is a driving factor to a point, and then there's a cliff or a wall.
Chris Romeo: Yeah,
Izar Tarandach: I am going to say that we are past that cliff. I think that people have been so and it's the second time in two days that I try to say that word and it will never work. The SENSITI
Matt Coles: Desensitization. Desensitiz Wow, I can't, I can't say it. That
Izar Tarandach: not an
Chris Romeo: been de census, I can't say it either now.
Izar Tarandach: people are not sensitive to that stuff anymore. To the point that, you know what? Yeah, something else got breached. I got one more email from, you have been pwned, and yeah, sure, whatever. I mean, we spoke about password managers, we spoke about compartmentalization, we spoke about what actually happens when somebody gets, gets breached, and when we bring all that together, I think that people are just like past caring.
Matt Coles: Well, and we're talking about consumers here. We're not talking about security professionals, right?
Chris Romeo: even, we as security professionals don't really care about data breaches at the macro level, at least I don't. I don't track them anymore. I don't, I mean, there was a day in my time in my career where we got the morning briefing of some, anything big that happened the previous day or whatever in regards to giant incidents, but I can say I don't really pay that much attention to it anymore.
Matt Coles: Well, I
Izar Tarandach: more surprised than fear, I can say, and the surprise is not even that big. Sorry, man.
Matt Coles: I, I was just gonna say, I guess I, I, I tend to revert to consumer mode and go look on and see if, you know, see if I'm in the latest round from have I been pwned. Right, uh, but yeah, I mean, so Marriott got popped, or MGM got popped, or, you know, whoever else. Oh well, I mean, that's what, that sucks, right? Uh, another round of credit monitoring, another round of what can I do, what can I do about this,
Chris Romeo: Does anybody ever sign up for that free credit monitoring by the way?
Izar Tarandach: let me give you guys an example. Last Friday, I had a trip for the extended weekend, and of course, as one does, as I leave the house, I check that all the cameras are online and everything, blah, blah, blah, blah, blah. Uh, get to the airport, get into the plane, land, and as one does, you check on your phone to see that you have connectivity, right? To see that everything that you put in place, you can check. And I see that two of my cameras are offline.
Matt Coles: Panic in the streets. Yep.
Izar Tarandach: and three of them are fine. And yes, I have more than five if you're counting. But, uh, the point is that right then I, instead of like freaking out and saying, okay, my basement just got flooded as soon as I left the house, I went to my email and I looked for any email that I had from the provider. And that's where I see, oh, there's a security thing going on with my provider. Apparently people have been getting the wrong thumbnails when they open their web access to their cameras. And part of the treatment of the thing was that cameras were taken offline. And no, I was not a victim of the thing. Nobody has thumbnails of me that I know of out there in a compromised situation. My reaction to the whole thing was, eh, turn around and get another pina colada. Because at the end of the day, what can I do about it as a consumer, right? They're going to go and do their security things. And the only thing that I can worry about is not putting myself into compromising situations in front of a camera that at the end of the day I have absolutely no control of.
Chris Romeo: Hmm.
Matt Coles: after the first or second pina colada, who cares, right? I mean,
Izar Tarandach: There's that too.
Chris Romeo: Lucky they didn't have a camera on that view of you drinking so many Piña Coladas.
Izar Tarandach: if the cameras that were offline got caught in the rain, they wouldn't work because they were not the offside ones. But yeah, I digress. But my point is that even the, the, the, as a consumer, I would agree that fear would be a factor if those very smart people in marketing would decide that that's something that they're going to use to sell. But I can't put two home camera systems, one against the other, and say this one is selling because it's selling itself as more secure, or is it selling itself as we haven't had a breach in the last year. So fear as a motivator, as a buyer, I don't think we're there. I think that there is still a bit of fear of the technology in general,
Matt Coles: we'll take it, take it a step back in that, in that example, you, or that, what you were just talking about fear as a reason to go buy something versus fear of the thing you're buying, right? So you're talking about, you know, camera A versus camera B because of their data practices and their track record versus why are the, why are the buyer, why is the consumer buying those cameras in the first place? Um, so I know it's, we're sort of, now we're expanding the view of security out to physical home security and not necessarily just, uh, you know, network and application security. But, but so there's different, there's different levels of fear. The home security slash protect, you know, physical protection thing hasn't yet hit that peak or that wall or that cliff, right, that we're, that we're talking about. But from a breach standpoint, from a data security standpoint, from a, I have no control. Do I need to fear it still? We've already run off, off the edge. We're like the lemmings running off the edge of the, of the cliff. Right. Um, because breaches happen all the time. Products get hacked all the time.
Chris Romeo: And we've chosen to consume those products, right? Like,
Izar Tarandach: because we have no option.
Matt Coles: Yeah. Who, who needs a smart toothbrush as
Chris Romeo: What even does a smart toothbrush do?
Matt Coles: gets
Izar Tarandach: us your dumb teeth!
Matt Coles: Apparently, apparently it gets hacked in a botnet, right? Oh,
Chris Romeo: fear as a motivator in cybersecurity again, because yes, there was this report and it started to make its way through the media that smart toothbrushes were being assembled into botnets and we're going to, we're performing distributed denial of service. And then it turned out it was bunk. It was just a complete fabrication. I don't know if, uh, ChatGPT may have hallucinated in an article and
Matt Coles: you mean like it did earlier, earlier this week when ChatGPT went completely off the rails?
Izar Tarandach: I thought it was finally the dentists of the world taking over.
Chris Romeo: that is, uh, that is a possible, uh, possible scenario, but it just, that, that's, that's really what brought it back to the forefront for me is this, there was this kind of attempt to generate fear by saying that the smart toothbrushes were going to assemble into botnets and
Matt Coles: The uprising.
Chris Romeo: denial of service,
Izar Tarandach: Every time that you say smart toothbrush assemble, I got this Voltron image in my head.
Chris Romeo: ha, you're like,
Izar Tarandach: coming together into this, like, sort of master toothbrush. I'M GONNA SCRUB YOUR HUMAN!
Chris Romeo: all of a sudden it's going to make you floss. You're going to floss!
Izar Tarandach: I TOLD YOU TO DO IT EVERY DAY! NOW SUBMIT!
Chris Romeo: So listen, the hygienist told you, the dentist told you, and now I'm here to make you pay. And then the floss pops out, and the smart toothbrush.
Matt Coles: Or you suddenly get 18 cases of, of, uh, of fluoride toothpaste that you didn't know that you need
Izar Tarandach: Now gargle! But, uh,
Chris Romeo: That's a different type of attack.
Izar Tarandach: no, but, wait, wait, wait, wait, wait. So, okay, so, that one turned out to be, to be wrong. Turned out to be a hallucination by Izzy. Either a LLM or, or a writer. But let's think for a second here, is, is there an ulterior motive that somebody would put that online as a rumor or as a fact actually, would, would that lead to something like, would it make people consider buying smart toothbrushes or not? Would it make one brand of smart toothbrushes be more valued than the other because there was no, no, no breach on that one.
Matt Coles: Well, think about who's buying those things in the first place. I mean, a smart to smart toothbrush co. So a regular toothbrush costs what? Uh, two bucks, three
Chris Romeo: Well, they give you one at the dentist if you go.
Matt Coles: Right. And if you go to, if you go to a local grocery store, you can pick up a two pack for, you know, for a couple of bucks. So the people who are looking for smart toothbrushes are either super health conscious.
Izar Tarandach: or
Matt Coles: Well, well they are, they are super health conscious. They are super health conscious and have a lot of disposable income. Right. And so the question of, so first off, do they even know that they may or may not have gotten hacked, right? Do they have the consciousness, the awareness that that's a thing? Number
Izar Tarandach: Oh my god, I'm about to be so offensive.
Matt Coles: uh, you're gonna, your sociopathic tendencies are about to show up. Is that what you're saying?
Izar Tarandach: Yeah, you know what? Let's leave that one to the last episode. Yeah, yeah, yeah. No, no, no.
Chris Romeo: Yeah, I mean, outside of the, why would anybody need a smart toothbrush? I think that's a, that's a discussion for a different podcast by maybe people that are medically trained or something. Maybe there's a good reason. Like, I don't feel like we're qualified to answer that question. I mean, my initial answer is, I don't see why anybody would need this. But it's, if we circle back around towards more of the fear, uncertainty, and doubt angle of it. I like where you were going with that, Izar. And could it be a competitive advantage for one company over another? Could, could secure, could we weaponize security?
Izar Tarandach: Or lack of thereof.
Chris Romeo: or lack thereof,
Matt Coles: Or, or, or private or privacy, by the way, it doesn't
Chris Romeo: privacy or security, but could we weaponize it based on a lack of rigor that a competitor applies to a given type of product. If you have a company that has the same product, are we facing a future where security is weaponized by companies against each other?
Matt Coles: I, uh, are there FTC rules against that? I mean, you're making, you're making outlandish claims, right?
Izar Tarandach: wait. Wait,
Chris Romeo: Well, I'm not claiming, I'm, I'm, I'm, this is a thought experiment more
Matt Coles: no, no, no, I'm not, I'm not saying you're, I'm not saying you, I'm saying the companies that would be making these comparisons might be making some fantastic claims, right?
Chris Romeo: Yeah. Like in
Matt Coles: we didn't, yeah, we didn't get hacked. We didn't get hacked. And so you should buy our product, but that doesn't mean we're not susceptible to that.
Izar Tarandach: if we go back to Sony, MGM, or any of the big companies, big breaches, and look at their stock price. I myself have been using that as FUD for a long time to tell people, Hey, if you get breached, you're going to have an impact on your But I think that somebody did a study and turned out that not to be so
Chris Romeo: Not
Izar Tarandach: It dips for a very big, like for a bit, but it goes right back.
Chris Romeo: I mean, it used to be like, remember the Target breach that we all lived through? There was a big consumer. I remember people that I know that had no knowledge of cybersecurity saying, I'm not going to shop there or I'm bringing cash with me. So there was definitely a time period where that level of incident resulted in lower reputational damage and a lot, a loss of customers and sales. I think those days are
Matt Coles: the same way. Yeah. TJX had
Chris Romeo: That was in the same vintage, though, right? It was in the same year or two. I don't think that happens anymore. I think that's, that's, we're so far away from that because people are just, this is the numbness. I heard somebody describe this as data breach numbness,
Izar Tarandach: so it goes back to not being sensitive to it anymore, but not because people don't care about their data being out there. It's just that right now they are just assuming that at some point the people who hold their data are going to get bought. It became a fact of life.
Matt Coles: pretty much. And, and by the way, we, it's probably that, that stock, you know, if they're publicly traded, those are, that's sort of baked in, you have SEC filings now that talk about this sort of stuff. Um, and I wonder if we need something like GDPR, right. Which has pretty sizable financial impact, you know, for, for an infraction. Right. Uh, you know, multi, multi, millions, hundreds of millions, if not billions of dollars of potential impact that would have serious impact on, on a bottom line.
Chris Romeo: But,
Izar Tarandach: That's, that's
Chris Romeo: don't want to go here, but I'm going to go here just for a second. And then we might have to put this on the shelf for a future debate discussion after more research, but I'm going to say something that may not be that popular, but I don't think GDPR actually did very much at the end of the day. Yes, they sued Facebook. They went after Google in the early days, but did it really move the needle? Our companies is, is individual privacy better as a result in this, on this globe because of what
Matt Coles: think the answer is, and I'm not, I'm not the expert. Uh, I'm still learning about these sort of things, but I think, I think the answer is yes, but not because of the financial impact. It's more of, it's now in people's minds, and you have, consumers minds,
Chris Romeo: products.
Matt Coles: yeah, and you have, and you have not just GDPR, now you have, you know, uh, you know, the patchwork that is the United States, and you have other, other countries that are jumping on board, and so it's becoming more in the, in the common, common view that this is important, and not necessarily that the hundreds of millions of dollars of Facebook and Apple and Google, whoever get hit by, uh, you matter as much.
Izar Tarandach: So, Chris,
Matt Coles: naive view there. Okay,
Izar Tarandach: more you just did. And I'm just going to say, if people are at that point in their lives where they are not sensitive to this anymore, I think that's and I'm looking at the mirror when I say that, I think that means that we suck. Yeah. We as security practitioners, we suck.
Matt Coles: that.
Chris Romeo: Tell us more. Tell us more. Like, what do you, what do you mean? What do we?
Izar Tarandach: if people are at a point where they actually expect things to be breached, then it's just because we haven't been done our work well enough, and breaches are so commonplace that not being breached We discussed if being breached is, uh, uh a disadvantage, and that leads me to not being breached being an advantage, and it's not anymore. So,
Matt Coles: not a differentiator
Izar Tarandach: it's not a differentiator
Matt Coles: Well, it's expected to be a matter of time. It's not really, uh, it's sort of a foregone conclusion that it will happen.
Chris Romeo: Yeah. I guess as a society, we've, we've accepted this as normal. That,
Izar Tarandach: There's nothing normal to this.
Chris Romeo: the things that we use are, are not infallible.
Izar Tarandach: There's nothing normal to this stuff. It shouldn't be normal.
Matt Coles: off the puppets already.
Chris Romeo: But it is, it is, that's, that's the reality that we live in. And I guess, have we failed as security professionals? Then that's kind of where you're going, Izar, as you're saying. Did we put, did we fail as a, as an industry? Like, we can't really, we won't, you know, we're not going to call ourselves out specifically as like, it was all our fault.
Matt Coles: it's all the, it's all the ops people. It's not us. I mean,
Chris Romeo: Yeah, exactly.
Izar Tarandach: Thank God it's Friday. Now I can have a whole weekend for an existential crisis.
Matt Coles: Where's the piña, where's the piña colada now there, buddy?
Chris Romeo: Do you like pina coladas?
Matt Coles: in the rain.
Izar Tarandach: in breaches in the rain. Oh, we have to do something with those lyrics that we have.
Chris Romeo: Our new hit single, Breaches in the Rain. So, alright, well this, now that we've left Izar with an existential crisis for the weekend, I wanna, I wanna give, I just thought of another angle on this that I wanna get, I wanna get, uh, your take, both of your takes on this. Because I think this is still happening. What I'm about to describe is still happening, and it gets called out a lot more now. So you may know where I'm going with this. But there are still salespeople that use fear, uncertainty, and doubt, and the misfortune of competitors as a lead generation technique, or as a way to reach out to people. And so if a company has a breach that's like, say, a cloud, let's just say, and I don't even know if they've had breaches, I'm just going to say a cloud storage provider has some type of security incident in the news. Account executives from the other, their, their nearest competitor will start emailing people, emailing prospects and say, well, hey, we, you know, you probably saw what happened with company A. Company B, we take security seriously. And we invest in it. And, and, and I'm not making this up. Like it used to happen all the time. Like I can remember a day, 10 years ago, 15 years ago, where this was the normal sales approach that would happen. It was the ambulance chasing of the world. I don't think it happens as much now, but I, it still happens. Now we're better as an industry when people will call people out and start publishing their, uh, these types of approaches, but I mean, what, what, have you guys still seen this? Have you seen this happening in the marketplace?
Izar Tarandach: I've seen a bit of what can we learn from XXX. And then the, uh, the answer part is, is that we are better, but, uh, that there is, uh, I have seen some hooks coming in as postmortems or let's see what went wrong there that would never happen with us.
Chris Romeo: So it's like more of a soft sell now. It's not as, it's not as confrontational, but it's still the same. They're going for the same outcome.
Izar Tarandach: I think that they took the schadenfreude out of it and, uh, that they're not revealing so much into the failure of others. And it's taking a bit more of an educational tone of what can we learn from that. Which, by the way, I'm all for. I just don't think that that, um, that would make me buy something.
Matt Coles: Now, are you talking about, you're talking about the corporate sales and, and sort of as, as a practitioner, does this translate, are you seeing this translate to out in the real world? Like, I mean, most people don't buy direct from security vendors. But they may buy, they may get pushed. I mean NordVPN and others, you know, push VPN software all the time. But they're using the general state of security as the, as a selling factor. And the consumers, you know, they get, they get some fear and uncertainty and doubt. Are you sitting at your, at your local coffee shop? And are you gonna get popped because you're in, you know,
Chris Romeo: Which is the biggest bunch of bunk these days, right now. I wanted to unpack that, but I went to the enterprise, though, to answer your question. I kind of set this stage up. I, without telling anybody, I switched our focus from consumer, the consumer side of this, to the enterprise. Because obviously with consumers, you don't have account executives that are, that are reaching out to consumers and generating, using fear, uncertainty, and doubt as a sales tactic. So we've kind of, we've kind
Izar Tarandach: actually
Matt Coles: but they do.
Izar Tarandach: it's what Matt just mentioned. But I think that the point there is that we got to a point again because of the, the, the general state where the public's head is regarding security, that people are, people are at the point where they say, I need to have a toothbrush, might as well be a smart one, meaning I need to have this minimal amount of cyber hygiene, might as well get a toothbrush. The latest VPN that says that it's, I don't know, they have points of presence in 300 countries. So I can move myself over there. Just, just off the top of my head. But I think the math is right, that there is still some FUD going around in terms of what do you need as a minimum practice of cyber hygiene. And while I totally, I think that everybody should be at least minimally educated in that. It's a survival trait today. I am not sure, again, that people have the enough understanding of the problem to say this one is better than this one. To
Matt Coles: Yeah. And actually, you know, just on that, I guess, just to, to take that a little bit further and here's the general question for you. Would you, would you, do you think we, you need to buy something in order to be secure,
Izar Tarandach: be or to feel.
Matt Coles: be
Chris Romeo: Consumer or enterprise?
Matt Coles: consumer, consumer, consumer, and, and, and is more, is more better.
Chris Romeo: Is your definition of you, Izar or I, or a
Matt Coles: Put your consumer, put your general user, put your, put your parents, put your, your kids, put your whatever hat on and, and think about them. Do you have to buy something or do you have to pay more for something for it to be better
Chris Romeo: Or
Matt Coles: when it comes to, when it comes to security? Yeah. So things, things like, like things like a VPN, right? You can pay two bucks a month or you can pay, pay 20 bucks a month.
Chris RomeoI mean, I think that's the model that exists in the marketplace. Like, let me give you an example. So I use these Eero routers that are, it's now an Amazon company. I just,
Matt ColesAnd that's, that's a mesh router
Chris RomeoMesh router system. The simplicity of it is just brilliant. Like I used to be a network, uh, person and I used to love wiring my house and making connections. Now I just want the stupid thing to work. I just want to plug it in, just make it work, stop not working. And so, but in with Eero, I have to pay an additional fee for their advanced. Advanced security. We put that in air quotes and that gets me like threat, uh, intelligence blocking of things. It gets me ad blocking. It gets me some things. It's just a software feature, but I recommend other people do it too because like, it's very seldom do ads get served up on my network here to any device that you're using because they just block it. But it's, so I think, but I don't know that maybe, maybe normal people don't take that step and pay that extra money because they don't see the value proposition. I know for me, I looked at it and looked at the list of features. I'm like, done. Of course, I want that level of, you know, malware bots. They're doing all the threat intelligence stuff behind the scenes. And then the device just knows don't accept anything from this IP, these IP addresses or whatever, you know, but I don't know, maybe the, maybe normal, I call them normal people that don't have security superpowers. Maybe, maybe they don't. Maybe they look at that and they're like, eh, I don't want to pay the extra money. I just want the thing to connect me to the internet.
Matt ColesI mean, people are always annoyed at ads, but is it dangerous in their, in, you know? And do we have uncertainty or doubt about dangerousness that would drive fear? Right? Fear is a response to those other two things. And so you have fear, which is why you pay. But others maybe not, don't have that, that level of understanding yet.
Chris RomeoYeah. Yeah. I mean, where would they get it? Right?
Matt ColesWell, they get it from people, they get it from commercials saying, Hey, you know, you're going to, your home wifi is under threat. Go,
Chris RomeoI don't want to get, I don't want to get, I don't want to ever, I don't want to ever get political on this podcast, but the media, like we're in an age where. It's challenging to, to, to know who you can trust that's
Izar TarandachOh yes,
Chris Romeobecause everybody has an agenda. Everybody has an opinion and it's not the days of old where the news broadcaster on TV was a trusted source of, of, and everybody just trusted whatever they said. Now they could have been lying through their teeth to us, who knows, right? But there was a trust that existed with that. We don't have, that concept is gone, at least in how I perceive the world, and so there is no source of truth that can speak to the masses about security, and give them, and give, and let people know what the real threat is, like if any, and then we're back, we're circling back around to attack toothbrushes, right, that's what happens, is we just, people throw out all this crap, you know, somebody gets up with an idea that, oh, and then, you know, People have become so numbed because they've been, they've been, it's been hyped up for so long that it's the chicken little problem, right? How many times do I have to hear the sky is falling where I'm just like, you're full of crap. The sky's not falling. It may actually fall and land on top of me, but I've heard it so many times that I don't, I don't, I'm, I'm numb to the concept that the sky is falling.
Matt Coles: Well, and we see, we see, I mean, from us as security people, right. We, we know how to. Get cut through that because there's people we trust to talk about this sort of stuff, right? I mean, we've talked about Bob Lord and CISA in the past and, you know, Bob's had some pretty high profile posts about, you're not a danger at your, at your local, you know, cafe, internet cafe or coffee shop, right? It's, It's FUD. And, and, well, maybe, maybe not. Uh, but, you know, but we, we have, we have the tools to help cut through the FUD. The consumer doesn't, right? They see that, oh my God, my, yeah, they, they see my smart tooth, my smart toothbrush is at risk.
Chris Romeo: Yeah. Yeah. And like,
Matt Coles: what do I do?
Chris Romeo: I mean, Dan, Daniel Miessler is the one who posted the, in the initial response to the toothbrush thing saying like, I don't think this thing is, I don't think this is right. And that's somebody that I've read a lot of his stuff, I followed him for a long time. I'm like, oh, now I'm, I'm all of a sudden looking at things closely going, like, if Daniel Miessler said that's he did analysis and this is what he figured out, this isn't true. But yeah, to your point, like Joe Consumer, Jane Consumer doesn't have. The net, the, the insight that we're able to glean. And so that's why they're numb to these things. Cause there's just, there's nothing else they can do. They can't hear the sky is falling anymore.
Matt Coles: And to your early point, the sources that they're getting the information from are not making those connections either. They're not following up. Oh, a prominent security researcher said this is bunk. That story we told you yesterday? Yeah, probably ignore it.
Chris Romeo: Yeah.
Izar Tarandach: You know that it almost starts sounding like a way to DoS people, like we know that there's a lot that we see on the media and whatnot that tries to divert attention. But if you really want to keep people busy, keep people occupied somewhere, not only like 15 minutes of them paying attention to something, but causing them to actually ask those questions that Chris asked in the beginning. What in your house could be, or Matt, I don't remember, what could be hacked in your house and actually serve as something? You know what, it would give me pause, it would make me for one hour go around and say okay do I have the latest firmware and everything and is my router closed and this and that and the other one so yeah it's it's a great idea to get people's attention away from things.
Chris Romeo: Yeah. And as we're coming to the end of our time, it just makes me realize we don't have any single trusted source that has legitimized themselves to the masses about cybersecurity. Who? Oh,
Izar Tarandach: Krebs.
Matt Coles: Yeah, but Krebs is dense reading, nobody's going to take the time to
Chris Romeo: yeah, it's not, he's not mass market. He's not somebody
Izar Tarandach: No, he's not. No, no, no.
Chris Romeo: that.
Matt Coles: I mean, Hak5 maybe, right, as a YouTube video, but you have to be on YouTube, you have to know what you're looking for, and they're
Chris Romeo: I'm just thinking about, it seems like in other parts of the, of society, there are people who stand up and kind of hold that, uh, responsibility for us for trying to educate in a certain area. And cybersecurity is just one of those things that no, but there is, there is no trusted source. If you, if we went to, uh, if we went to a mall, there'd be nobody there. If we went to a shopping center that had various, uh, like, uh, you know, uh, a Target and a Home Depot and whatnot in it, and we asked 10 people just randomly, just walking out of their cars, presuming they would talk to us. Some of them would just run away, but presuming we could get 10 people to answer the question, what, who, who is a trusted cybersecurity source for you? I don't, I think we would get nobody. I don't think they would answer. I think they
Matt Coles: You know, we, we need, we need the cyber, we need the cyber or application security equivalent to Neil deGrasse Tyson. You're a personal astrophysicist? Well, we need your personal cyber, cyber person, right?
Izar Tarandach: No,
Chris Romeo: nobody's
Izar Tarandach: missing something. No, there is, there is. We're missing someone.
Chris Romeo: who, I
Matt Coles: Who?
Izar Tarandach: I don't know, I got something, it's not Schneier, I got something in the back
Chris Romeo: the closest one is those guy, like Leo, the guy that does the pod, he's done the podcast for like 10, 20 years at this point. Leo Laporte, maybe, or something like that. I think he had a radio show at one point. That would be the closest to a, but see, you guys don't even know who I'm talking about, so it's not, he didn't, he never reached a mass, I think he reached a technical audience, legitimization, if that's a word, and, but never a mass market type of thing where everybody, everybody was willing to say like, this person knows consumer security
Matt Coles: We need a, we need a, we need a Neil deGrasse or we need a, a, a Bill Nye equivalent, right?
Izar Tarandach: Yeah, I was thinking Bill Nye, yeah. But we should ask, we should ask Degrassi in here, so that he can explain to us how we get that.
Chris Romeo: I'm sure he
Izar Tarandach: Okay, let's get on it.
Chris Romeo: He did Joe Rogan, so, I mean, if he'll do Rogan, he'll probably do our show. I mean, we're
Izar Tarandach: If you're out there and you're listening to us and you have a connection to Neil deGrasse, let us know. We want him here.
Chris Romeo: Or if you know him, just text him. Tell him to
Matt Coles: Yeah,
Izar Tarandach: that too.
Chris Romeo: Anytime, we'll, we'll make it
Matt Coles: I mean, you know, actually, there is one per there is one person, maybe, uh, there's two, actually, sorry, there are two, but again, they're not mass they're not mass market, I guess. Neal Stephenson, who talks a lot about sci-fi, and then you have
Izar Tarandach: Oh, he's up here. Both
Matt Coles: Doctorow.
Izar Tarandach: of them up here. Way up here.
Chris Romeo: they're not, they're not mass market, though, to you, like what you said. They're, they're known quantities, they're smart people. They don't, I'm thinking about, like, who should be on the Today show talking about public Wi-Fi security. Like, there is no person, there's nobody that's filled that gap that's, that's bridging the gap between large and small technology companies that are putting out products and the consumer. So we've got an opportunity for anybody listening out there who wants to become the cons, we'll help you with the branding, we'll come up with it, we'll make a podcast for you, we'll get a website, a Twitter.
Izar Tarandach: but we, we, we are this. We are still, we are in this field where as soon as somebody raises their head to take that place, they're going to get bombarded from all sides with Oh, but you didn't mention this! Oh, but you forgot this edge case! Oh, but that doesn't work in this! Nobody's going to have the energy to deal with that.
Chris Romeo: It'll take a special person that would be able to do this, that would just be able to ignore
Izar Tarandach: Yeah, Iron
Chris Romeo: nonsense. Yeah,
Matt Coles: we, again, we need, we need Neil deGrasse Tyson to, to help us because he's, he's done it for astrophysicists. How, how bad can it be for cybersecurity?
Chris Romeo: how could you explain, how could you make it so that
Izar Tarandach: Does he get pelted by astrophysicists all over the world saying I know better than you? I know that he does by people who have no clue, because that's a really fun read, but
Chris Romeo: Alright, well,
Matt Coles: we need, or we need Cybersecurity Mythbusters edition or something, you know,
Chris Romeo: that could be an idea too, but I think
Izar Tarandach: let's, let's, let's go there, let's go
Chris Romeo: done some of that, we've done some of it before on this show already, we've busted some myths and whatnot, but I think we're, uh, we're out of time for today. It's another one of those episodes where I feel like we maybe just made the problem bigger without solving anything. Like, yeah, so you'll be, now
Izar Tarandach: 9, 8,
Chris Romeo: you could schedule it for, you know, well, you know what, you don't really want to ruin your weekend, so you might want to start it now and maybe it'll end midday through Sunday, but you know, it's all good. But it's, this is good. This is the type of stuff that's, it's fun to explore. These various avenues and see where we land. So, Matt Coles for Cyber Security Czar. That's, and he just waved to accept it. So,
Izar Tarandach: Yeah, because you can't have Izar for Izar. It's too confusing.
Chris Romeo: Oh, That's true. If we could use those two words together, your
Matt Coles: I'm Matt. I'm your, I'm your personal cyber consultants. Yes,
Chris Romeo: I like that. That's good branding. All right,
Izar Tarandach: Wait, no, no, no, no. Now it just reminded me. Who was it that was cyber consultant for the stars? It's somebody that we know.
Matt Coles: is.
Izar Tarandach: Yeah, somebody that we know had
Chris Romeo: Michael, Michael Lodenthal that, that spoke He, uh, he did a lot of work with famous people, politicians and stuff about personal security. But once again, it wasn't public. It was more from a one on
Izar Tarandach: Yeah, yeah, but somebody had that moniker. Now this is going to drive me nuts.
Chris Romeo: Maybe it was you this whole
Izar Tarandach: No, no, no, not me. Not me. No, no, no, no, no, no, no, no,
Chris Romeo: All right. Well, hey, hey folks, thanks for listening to another episode of the Security Table. We'll be back next week with more madcap fun.