Slip into something more comfortable and delve into personal finance with Josh Sheluk and Colin White, experienced portfolio managers at Verecan Capital Management. Each episode demystifies complex financial topics, stripping them to their bare essentials. From investment strategies and financial planning to economic headlines and philanthropic giving, delivered with a blend of insight, transparency, and a touch of humour. Perfect for anyone looking to understand and navigate their financial future with confidence. Subscribe now to stay informed, empowered, and entertained.
Verecan Capital Management Inc. is registered as a Portfolio Manager in all provinces in Canada except Manitoba.
Advanced voice from the OpenAI side that came out this past week is what terrifies me the most because it is really good at being imperfect enough.
Colin White:Alright. Well, it's gonna keep me up.
Kathryn Toope:Welcome to Barenaked Money, the podcast where we strip down the complex world of finance to its bare essentials. With your hosts, Josh Sheluk and Colin White, portfolio managers with Verecan Capital Management Inc.
Josh Sheluk:Welcome to the next episode of Barenaked Money. It's a podcast where we help give you the naked truth to make better financial decisions and hopefully turn those better financial decisions into more effective accomplishment of your goals. Colin, I think we have a really special guest today. Would you say he's the most special guest we've ever had?
Colin White:Oh, absolutely. The most most special. I mean, just look at the the backdrop there behind him. I mean, that's almost magical. So I'm I'm I'm expecting like an absolute magical podcast.
Colin White:I think this is gonna be extraterrestrial even.
Josh Sheluk:Well, it's gonna be out of this world. Good. So today's guest, as a formal introduction, we have Matthew Toussain with us and his LinkedIn bio reads very much like a resume for a military general. He's a cybersecurity expert. He's a red teamer and a purple teamer.
Josh Sheluk:I don't know what either of those things mean, but, hopefully, he'll give us some insights today. He's performed offensive and defensive cybersecurity operations. He's the grand champion, the first grand champion we've had on the podcast of the NetWars Tournament of Champions. He's a former US Air Force cyber warfare specialist. He's done work in password and identity access management, penetration testing, worked for Fortune 500 companies and what I would call some of the most security tight organizations on this planet.
Josh Sheluk:And more recently and currently the founder and CIO of Open Security Open Security, rather, where he trains professionals and organizations to protect themselves against cybersecurity threats. So, before they get slapped in the face from some of those cyber threats, they have a a plan in place. So welcome, Matt. Thanks for joining us today.
Matthew Toussain:Absolutely. It's a massive pleasure to be here, and that was an absolutely ridiculous, introduction. I am I am beyond flattered.
Colin White:That's interesting. With with that introduction, I would expect you to be way more stuffy than this. So I think that that the oddity is Yeah. The oddity is, like, you seem like a relatable person, so I can't wait to figure out what we're gonna find out. This is gonna be wonderful.
Matthew Toussain:He mentioned that I sound like a general in stealth mode and I'm like, oh, this hurts my heart and my soul internally because that's the last thing that I wanna be characterized as. I've known I've known a general one once upon a time.
Josh Sheluk:That that that was my read of the of the the LinkedIn bio there. So so okay. We'll we'll go over the general 10 side.
Matthew Toussain:Eventually. Yeah. Yeah.
Josh Sheluk:You got it. You got it. So turning to our conversation today. Cybersecurity of all kinds. We have all kinds of of our our audience and our listeners and our clients that I think cybersecurity specifically is such a big concern for them, and it's something that I I think it's it's a little bit, intangible for a lot of people.
Josh Sheluk:So I'm hoping you can shed some light onto to what's really happening sort of behind the curtains today. But I wanted to start here because I watched a video of yours not too long ago where during a live presentation, you hacked into your own bank account. And I thought it was so fascinating such an interesting way to present everything. So can you explain a little bit about what you did and how you did it and why you did it?
Matthew Toussain:I'd love to talk about that. In fact, let me start with the why. So I do think that from the perspective of cybersecurity, this is a much esoteric kind of career field or, experience for a lot of folks. So, like, if we're talking about cybersecurity, generally speaking, we're either looking at the news, something bad happened, or we're looking at a family member or a friend and fraud happened, and that was also something bad that happened to somebody that we know closely to each other. And if we think about from it from a fraud based perspective, it often has to do with your direct personal finances.
Matthew Toussain:And so what I wanted to do is I wanted to demonstrate as a cybersecurity professional, how vulnerable I myself am. And in that presentation, one of the things that I did in order to be able to hack into the bank account from the free in the first place is I actually had to hack into my voter registration. Well, and I'm Alaskan for, just for everyone's awareness. So I had to hack into my Alaska voter registration in order to figure out information about myself to then impersonate myself to the bank, to overcome their security mechanisms and take over my own account. Now, why is it my own account?
Matthew Toussain:Because if it was anybody else's account, that'd be illegal and I definitely couldn't do a presentation about that. But at the same time, what I was trying to demonstrate is how straightforward it is to be able to perpetrate an attack like this and how baseline security measures like using something like, let's say multifactor authentication, even if it's SMS onto your phone, let alone something like a multifactor authenticator can really change the paradigm for security for yourself because you are absolutely a target. We're seeing so many groups, organizations, individuals, and even nation states targeting folks in order to monetize their cybersecurity operations from an offensive perspective. And so we've never really seen a world that is as vulnerable and as attackable as it is today, which means we've also never seen a world where your need for cybersecurity resilience, even on the basic level, is as stringent as it is contemporarily.
Colin White:It's it's fantastic thing. Again, I understand why we were so excited to get you on board because oftentimes cybersecurity comes off like the mob. You know, you're just trying to scare people into paying a whole bunch of money for protection for something they don't understand. And, you know, we pride ourselves on Barenaked Money of of providing a balanced informational approach to things rather than a sensationalized, you know, this, you know, all your money is going to get gone sometime today unless you you trust us and and pay us a fee and we'll protect you. So, that's that that's a very, very wise opening because I I do I do think that there are basic steps that people can take and, you know, but it's evolving.
Colin White:That's the other challenge is, you know, what worked, you know, five years ago or three years ago. You know, it changes over time. So, it's it's worthwhile keeping people informed so that, you know, they're they're aware of the kinds of things that are going on and also the basic steps they can take. So fantastic opening. Well done.
Matthew Toussain:Thank you. And and for the viewers' awareness, I'm a big proponent of open source software myself, and that is a little bit of a tangent based on what we're talking about. But one of my team's primary objectives, I'm in a company called Open Security, is to be able to lower the barrier to entry to make yourself as secure as is needed. And that might be for small businesses. For example, there's so many organizations out there that are these multibillion dollar companies and they say, buy our stuff if you want to have the opportunity to even know that you're secure.
Matthew Toussain:And a lot of the stuff that we do is actually releasing open source and free software that other people can actually leverage in order to get that same kind of understanding of their own organization without having to pay that massive fee. Now, on the other hand, if you identify, oh my goodness, there's a huge problem set going on here. You may need to invest in that, but at the very might take is that the very first step that you need to have is to understand what the value proposition is of what you're buying. And if you can't understand that for free, then you're really not ready to make that purchase in the first place. And one of the things that we're really passionate about is to help you get that understanding for free and perhaps to leverage that understanding with effort and human capital.
Matthew Toussain:Because I'm a really passionate proponent of human capital as opposed to, let's say, capital expenditures. We're talking about buying a software solution to accomplish something. I think that leveraging your folks, your team in order to make yourself more secure is the vast majority of what security really is. We often make a joke about this in the cybersecurity field. Call it layer eight.
Matthew Toussain:And layer eight refers to the human. We say the human is the most vulnerable part of cybersecurity. Well, guess what? Humans are also the most significant opportunity within the cybersecurity space to do better.
Josh Sheluk:Lots of interesting things there, Matt. And I just wanted to come back to really a few things that we talked about there. But so going coming back to to getting access to the bank account, I believe that a lot of the information that you needed to get access to it was was publicly available. And I guess this is a common theme these days with social media and how much is available published on the web that you can Google search with not much effort whatsoever. That that's a a, I guess, a big challenge these days.
Josh Sheluk:Is that right?
Matthew Toussain:Oh, 100%. This is something that we refer to as open source intelligence gathering, or OSINT. And so effectively what we're able to do is using open source, abilities that, that what I mean by that is things that are available on the The very first style of looking for things in the internet is a Google search. I might Google your name. Maybe there's a lot of people with your name.
Matthew Toussain:Where are you from? What's your date of birth? How old are you? What do you look like? What are your family members?
Matthew Toussain:All of these things help us establish a profile around you and we can leverage this in order to then look for things like government resources. And so in that very specific presentation that I was able to deliver, one of the things that I was demonstrating was that with just basic Google searching information, you're able to then move laterally into government available information and then identify things like voter registration records. At which point, you know, things like the home addresses of where people live at, where their family lives at. And these are really good factors. If you're an adversary, like you're an attacker trying to do fraud, they're really good factors in order to directly identify a specific individual.
Matthew Toussain:And once you've identified a specific individual, now we're talking about things like social security numbers and the last bastion, if you will, that prevents them from getting access to things like your bank accounts. Given that the vast majority of this, let's say 80% plus of it is available just directly on the internet. If you know where to look and how to put different pieces of information together, that actually puts us in a really poor position from a security perspective at an individual level.
Colin White:For a while there, was it was trendy. I at least it was I was seeing it quite often where it was like, you know, hey. Do you wanna know what your Star Trek name is? You know, give us the city you were born in and where you proposed to your wife kind of thing. And then it would go, oh, you're Captain Kirk.
Colin White:And there was a whole series of these things that were really, you know, prevalent for a while. It was like, oh, I wanted to know what my Icelandic name would be. And it was a manufactured way of accumulating a whole bunch of those security question information. But I I've seen that kind of die off. Is that
Matthew Toussain:Oh, yeah.
Colin White:Is that something you're in your world that people have finally caught on to have stopped giving up, you know, their pet's name and stuff like that in order to find what their Viking name would be?
Matthew Toussain:Colin, that's a fantastic question. I wouldn't say that we've given up on what your Viking name would be, but attackers have really started to focus on what is most useful from that for them in like a direct attack based perspective. And so, what we're starting to see things like our, if you've ever gotten a text message, right? Where the text message from someone is like, hey, look, we went to dinner the other night. Do you remember me?
Matthew Toussain:Or they might say hello. They might say something like, hey, your tax number just came up and you need to pay us money. Now, a lot of people think of these things as perhaps fraud or perhaps, maybe bad text messages or whatever it might be. But here's the thing. If you respond to any one of those messages, regardless of what it is, it tells the person who's receiving it that the phone number they reached out to is real and that the person that they reached out to on that phone number is a responder.
Matthew Toussain:And so effectively what has happened here is we've changed the game from the way that we do liveliness detection into a much more modern context. And so while we don't see the stuff that you're talking about as much today, we're actually seeing just a direct evolution of that because the attacker's objective wasn't necessarily direct exploitation. It was liveliness detection so that they could then sell that information as a direct factor to other people who are gonna do that next step of attack on the Internet. And so they do this on the dark web, if you will. Effectively, what this really represents is a massive evolution in the sophistication of attackers.
Matthew Toussain:We're not talking about one attacker who's trying to go after you. We're talking about a hundred attackers who are just collecting information so they can sell them to attackers who want to go after you. We're really talking about an ecosystem now of attack where it's not just one person or even one group, but it's a multifaceted organization of attack that's happening against individuals. And if you have to defend yourself against a hundred people who do this for a living, that's actually a rather challenging thing to overcome.
Colin White:Seems hopeless.
Josh Sheluk:Yeah. Well, so give us some positive news here because you mentioned multi factor authentication, I guess there's multiple ways that organizations and individuals are trying to protect themselves. So is is multifactor authentication the best way as an individual to go about that approach? And you mentioned open source software and security and all that stuff. But but what else can we do?
Josh Sheluk:And you can make us feel a little bit better that we're not gonna be violated by a hundred people next week.
Matthew Toussain:Well, when you put it that way, it makes me really think. But at the end of the day, we do actually have a rather significant set of opportunities to actually defend ourselves because look, if we think about an adversary, they have to monetize their attack in some way, shape, or form. Like, they cause us pain and damages, that is one thing, and it sucks for us. I'm not gonna lie. That is absolutely true.
Matthew Toussain:But they're not actually doing this stuff just to cause problems for individuals. They're doing it to make money. And what a lot of folks don't realize is that if we look at fraud based organizations, many of those organizations in, let's say, Bangladesh, just as an example, they might actually be doing human trafficking to get what are effectively human slaves to be doing these types of attacks against individuals in the United States, for example, because we have kind of that that cash. And oftentimes, the monetization vector there is getting people or convincing people to buy like Apple gift cards or Google gift cards and then like distributing those. To be completely honest, like if we're talking about defending yourselves, if anybody says the word gift card and you don't know them on the phone, absolutely hang up immediately and call the organization that you think you're talking to back again, because that's a primary vector of monetization for attackers.
Matthew Toussain:If we can kind of understand how they're trying to make money, then we can defend ourselves against those specific styles of attacks. But here's an example of why you may not need to be as afraid as you might think right off the bat. And why you perhaps on the other hand should be even more afraid. You see, if you've ever received an email and that email has a bunch of typos in it, right? You look at this email and you're like, oh, I'm the Nigerian prince.
Matthew Toussain:And you are a member of my family from, you know, once upon a time. And I didn't know how to spell the word the, but I still sent you the email. Guess what? You can make a lot of money if you just send me, you know, $10 first. The Nigerian Prince scam's kind of worn itself out.
Matthew Toussain:The reason why that fails now is because we understand it. We have educated ourselves on the fact that this is obviously malicious. And so adversaries have navigated their way to a different style of attack. What we need to understand is that they're still trying to monetize themselves. One of the best, most defensive things that you can possibly do is that if you have a conversation with somebody on the phone and they're asking something related to money whatsoever, and they called in, guess what?
Matthew Toussain:Hang up and call who you think that they were. Because if you call in, you're gonna get the right organization after the fact. Did they give you a callback number? But you look up the callback number and those don't match. That's fraud.
Matthew Toussain:That's exactly what that is. There's a lot of opportunity to defend ourselves here. But let's go back really quickly, just very briefly to the idea of these typos in the email. Would there be typos in an email from a country like India, where the vast majority of English speakers in the planet actually live? Because English is the first language there.
Matthew Toussain:It's something we refer to in the cybersecurity space as self selection. For example, if you were dumb enough to click on an email where everything was a typo, then what does that mean when you get on the phone with those folks? You're likely gonna be gullible enough to fall for whatever their scheme is. What they're effectively trying to do is they're looking for the lowest denominator. They're trying to identify via self selection if you are the appropriate victim for them to spend their time against.
Matthew Toussain:If you're more resilient, you've probably never experienced these things at all because you just staved off these attacks by default. Guess what? The attackers don't care about you because you're hard. You're hard to hack. But on the other hand, there are a lot more folks that are much more victimizable.
Matthew Toussain:And we need to be aware of that. And many of those people might be our family members, and we really need to educate them and share this kind of information with them as well, because they might be the most victimizable folks that are out there, and that can be very terrifying.
Colin White:Well, in sales world, they call that qualifying a prospect. So That's
Matthew Toussain:exactly what it is in the sales world, a hundred percent.
Colin White:What what what you're telling me is, like, we should study these organizations because they're really, really good at, picking their audience. So and it's funny you say that because I I had a phone call from CRA a couple of years ago, and the the guy called up and said, I'm serious. Like, I laughed. I said, okay. You understand?
Colin White:I think you're not who you say you are. He goes, yeah. I know. I said, alright. So I'm gonna hang up, and I'm gonna call back the 1-800 number.
Colin White:Who am I asking for? And he gave me his name. I said, I'll call you right back. And I did. And I got through to him.
Colin White:I like, alright, dude. Seriously, how can I help you? So, yeah, that's absolutely is is a is a good reflex. Like, any anybody, an inbound phone call and they start asking information, hang up. And if I can't call you back through a way that I recognize, we can't have a conversation.
Colin White:So good good to know that I did the right thing.
Matthew Toussain:The mic, Colin, but, like, honestly, like like, there needs to be a clap here because that is exactly what we're hoping for. Like, I'm a cybersecurity professional. Right? I'm a nerd at heart, and I say a lot of words that in in some cases people don't quite get. But the reaction that I want to see from folks is exactly what you did that is on point and is amazing.
Colin White:Yeah. Well, I'm just I'll pat myself on the back too. Alright. So I yeah. It absolutely works and it it is is a strategy that I don't I don't I wouldn't call it infallible because, again, they can spoof numbers and stuff like that, but it it it removes it makes me difficult enough.
Colin White:I mean, it's the whole thing. I don't need to outrun the bear. I just need to outrun you. And, you know, as as long as I'm harder to to to crack than the the people around me. So that's kind of a Darwinian way to look at this and maybe not as uplifting as we want our messaging to be, but, it's it's probably very true.
Matthew Toussain:But if we look at it not as like an international, like, level or we don't look at it as an inter business level, if we start to, like, boil this down to an interpersonal level, right, where it's you and it's your family, guess what? If you're talking about defending your family, outrunning the bear is what it's all about.
Colin White:Yep. True. Absolutely.
Josh Sheluk:Now speaking of family, Matt, you kind of alluded to it at the outset there that familial fraud can be a problem as well. And I know when we had the pre call, you you mentioned that's a growing and pretty big issue these days.
Matthew Toussain:100%. Yeah. It's really unfortunate. I've actually had the opportunity to talk to a lot of pension funds, like, let's say, New York State Pension Fund, pension funds for different, like, police organizations in the United States and such. And one of their biggest concerns that they are actively observing, right, like on a day to day basis is familial fraud.
Matthew Toussain:And so the idea there is multifactor authentication is beatable through a couple different mechanisms. Either A, I hack you so hard that we are seeing stars, very, very difficult. Very, very difficult to accomplish for the value proposition that the adversary might get. So we might be able to see that kind of capability from nation state attacks, but nation states aren't looking to make money because, I don't know if you know this, but countries can print money. But if we're talking about individuals who are trying to monetize their own operations, we definitely have this idea of cyber criminals who are professionals at doing these types of attacks, and that's bad.
Matthew Toussain:That's terrible. But these cyber criminals, they often need access to pieces of information that are really hard to get, like access physically to your own phone. Because if your phone is kind of the custodian for some of your access to, your pension, to, maybe your, your health care administration systems, maybe something like Gusto for benefits and such. All of those kind of things, generally speaking, the custodian of access is primarily password and then followed by some kind of phone based second factor multifactor authentication component. Now that multifactor authentication component is really difficult for adversaries to bypass.
Matthew Toussain:And so if you're talking about a foreign state adversary, like, let's say, cybercriminals out of St. Petersburg, they're generally gonna look to do something different, and they're gonna avoid you. But on the other hand, that is so easy for your family to gain access to, and you might not believe that that's gonna happen. And this is such a terrifying thing because you trust these people. You love these people. And we're all struggling.
Matthew Toussain:The financial world is not the easiest thing to navigate and, you know, living day to day is is a struggle. And so if that happens to folks that are in your life and they have access to things that are also around you physically, and from a cybersecurity perspective, we're using those physical access things as tokens that demonstrate that you are who you say you are. Suddenly, somebody who's close to you can bypass by default all of the security mechanisms that organizations like banks generally rely upon. And so familial fraud isn't just a a growing style of concern, but it's also a very easy one to see accessed and exploited. And then we see this perm not I wouldn't say primarily, but we do see the most egregious style of exploitation against the elderly who might not have the ability personally to be able to report this kind of attack happening against them, particularly when it's happening by somebody close to them.
Colin White:Yeah. There's a real behavioral aspect to this when we speak to this when we talk about behavioral economics and stuff. I mean, somebody can be a very trusted member of the family. They can be, you know, a very honest person. But honestly, anybody in the right circumstances is going to do whatever they need to do.
Colin White:I'm standing outside of a liquor store with a gun in my hand, two sick kids at home, and I can't afford to feed them. I'm probably gonna use that gun to get money out of that liquor store. And, you know, that's that's just, you know, that's how people would react. I could be a perfectly fine upstanding citizen the rest of my life and everything else, but I found myself in a corner. And in a corner, even somebody who is a deeply trusted person could become motivated to do something that's completely surprising but also completely understandable.
Colin White:You know, that that
Matthew Toussain:100%.
Colin White:That's what that's what people miss. Right? It's like, yeah, my my trust my brother. He's he's always done right by me and he would never had a problem and he, you know, but he could have something going on in his world where he gets to a point where, yeah, he's gonna have to behave in a way that's that completely is out of character.
Matthew Toussain:And and I hate to like that that's a that's an amazing point. And I hate to like the lip, like side of this, but familial fraud against things like pensions is one of the most least violent crimes that, lower income individuals can actually perform. And so I don't wanna say like there's I don't wanna say that there's like a an alternative side to this that is that is positive because it's all negative. All sad, and it's all unfortunate. But at the same time, one of the things that people have recognized is that an alternative for those kinds of individuals might be robbing a liquor store, and instead they've chosen to rob their families instead.
Colin White:Yay. Supposed to well, I guess mean, it's
Matthew Toussain:not good. It's less violent.
Colin White:Yeah. But, no, it's it's real, and and I guess the the key is and, you know, you don't wanna make people paranoid all the time. And the old Very true. Older generations grew up in the time like, again, I started giving financial advice before there were computers. The world's changed.
Colin White:And, you know, I'm keeping up so far, I think. But, you know, at a certain point, people stop keeping up, and it all becomes magic to them, and they don't understand. And it gets more and more difficult to keep up with the stuff you need to be, you know, literate with in order to protect yourself. So
Matthew Toussain:And and to be to that effect, let's take it one step further because the defense is the same defense if it is your family attacking you, which would be very unfortunate for a large number of reasons. Right? But it's also the same defense if somebody else is attacking you. So that kind of vigilance, if you're afraid of somebody external coming after you, is the same steps. Like, you're not you're not going at your family.
Matthew Toussain:You don't have to have distrust in your family in order to be vigilant about your finances. If you're vigilant about your finances from an offensive perspective, let's say we're looking at North Korean intrusion set actors, which is actually a government that does do cybersecurity attacks to extract money from individuals. Like, if we're afraid of those folks and we're doing the right level of vigilance to defend ourselves against them, that is the same exact set of procedures that we might wanna do to defend ourselves against people closer to us. And so while it is very fatalistic to kinda look at it from from our inside point of view and be exceptionally paranoid, that's really not what I'm trying to recommend to folks because it is rare for us to see that kind of fraud. It's just it happens.
Matthew Toussain:And it's really important for folks to recognize that it does happen and it'd be a little bit more defensive in nature so that it is not possible to. Now, if you're if you're, say, let's say, let's say, example, that you're a person a little bit elderly, you're getting a general, let's say, social security payment or maybe a pension fund or something of that sort and you miss a payment. Maybe you miss two payments. Now sometimes this stuff happens, and you might say, hey. Look.
Matthew Toussain:The government just made a mistake. It's going to roll in. Guess what? That is not acceptable in today's world because it's not necessarily the government that made the mistake. It's not that the pension just got missed.
Matthew Toussain:There might be identity fraud going on. And so if you wanna defend yourself against what's happening, when something doesn't look normal, we have to raise our hand. We have to raise a red flag. We have to call people.
Josh Sheluk:Yeah. Yeah. And I'm sure Service Canada will get back to you in ninety days. Three more payments missed and maybe get to the bottom of it then if if our indication up here is is any is any precedent. But, I wanted to come back to the changes that we're talking about in the world because as Colin said, there's no computers when he started giving financial advice.
Josh Sheluk:But now we have something called artificial intelligence, which can actually pick up the phone and have a conversation with you. And I actually got a call from what I think was some type of AI a few weeks ago. And just trying to I don't know what it was trying to do, quite frankly. It was actually quite poor in in its conversational skills, but still pretty incredible that that something totally robotic can have a conversation with me that's dynamic and changing. And so what are you seeing in this space?
Josh Sheluk:I can imagine that it's getting more and more difficult, but but how much more difficult is it getting, and where are we going from here?
Matthew Toussain:This is a fantastic question. I'm gonna actually start with being the reverse of hyperbolic and say why it's not that big of a well, okay. Why it's not the end of the world today, and then we'll dive into exactly what's happening and what the fears are for tomorrow. I don't know if you saw the new advanced voice feature that got released from ChatGPT earlier this week, but I've been, like, talking to it, like, voice based reason recently, and its intonation and its ability to pause and say, yeah, I know what you mean, but like specifically the part of that is just, it is so unrealistic that it is terrifying. It just sounds kind of appropriate.
Matthew Toussain:And so one of the things that we're really afraid of in the cybersecurity industry is that we've had this big problem that is the underlying, you know, underpinning of the weakest part of security for enterprises today, and that is phishing attacks. What does that mean? Effectively, I send you an email with a link in it, and that link goes to something malicious. You click on that link and now I am you on your computer. That's effectively a phishing attack.
Matthew Toussain:Now from a phishing based perspective, what I could do is I could create one email ruse or a pretext that you wanna click on because it's really, really good. One example that I had with my organization is that we were doing a phishing attack against an organization for them to understand what their risk was for phishing. And we did a Google maps on them. We found out that there was an REI sports good across the street from their organization. So we sent every employee in their company, an email that had a coupon that said the first 15 people who show up to REI sports good, get the first $100 of their purchase off for free.
Matthew Toussain:And we got a call from the client almost immediately because every single person in their, in their like business will be not every single person, but like the vast majority of people in their business literally stood up, walked out and went to REI. And the craziest part about this whole story is that REI looked at our fake email and said, oh, this must be from corporate. I guess it's real, and they wanted it. Oh my goodness. That was totally not the intent of the cybersecurity engagement at all.
Josh Sheluk:Well, that doesn't seem too dumb on the employees part. They all got a $100.
Matthew Toussain:I mean,
Josh Sheluk:they did make that.
Matthew Toussain:The big point there is that if we have a ruse, right, some kind of pretext that in that causes somebody to interact with an email, we're gonna be successful as an attacker. Like, we might not be as successful as we think we're going to be in that specific case. We wanted to get three or four clicks. We got a 100 people leaving the business to go across the street to buy stuff. How many clicks do you think we got?
Matthew Toussain:All of them. Basically, all of them. And so the first thing that we need to kinda recognize from a cybersecurity kinda context there is that I can make one email, send it out to a thousand people, and I can get a thousand clicks as a result of that theoretically. Or maybe, you know what? Maybe we got 1%.
Matthew Toussain:That's still a click. Actually, it's still 10 clicks. But what about voice based attacks? If I wanna call you up on the phone and I say, hey. Look.
Matthew Toussain:I'm Matt Toussain. You believe me. Right? Because my voice is very English-centric. I'm very Anglo-centric.
Matthew Toussain:I sound like my first language is English. I must be a normal individual. Right? Here's a direct example. The MGM got breached really badly and so did Caesar's Palace by a group out of the United Kingdom, because in the United States, we love British accents, and we trust them implicitly.
Matthew Toussain:And so the moment that that happens, we just say, yes, sir. Here's all of the access that you need to our environment. $170,000,000 in damages was that compromise. Really, really bad. Now the thing about these types of compromises is that they're very hard to scale because guess what?
Matthew Toussain:If I got to call you up on the phone, every minute of my time I spend doing that is a minute of your time. It doesn't scale laterally. If I send you an email, that's one minute of my time, a thousand minutes of everyone reading that email's time. Artificial intelligence fundamentally changes this paradigm because suddenly we can say, let's build this pretext. Let's make AI do all of the calls.
Matthew Toussain:And now AI voice based social engineering attacks are as scalable as email attacks. This is a fundamental change in the way that we're seeing cybersecurity attacks being performed against organizations and individuals, and it is something that terrifies us out the yin yang. Now positive side of this because it sounds terrible. We're not seeing as much of this as we expected. We're actually seeing adversaries employ these kinds of attacks at a much slower pace today than we expected that to happen.
Matthew Toussain:We expected us to kind of be underwater at this point. We are seeing adversaries doing this. It's absolutely happening, and we're seeing that rate increase over time, but it hasn't gone exponential yet. So there's still time to defend yourself. There's still time to recognize that this type of attack is happening and is inevitable.
Colin White:What's funny is that here's a very naked story for you. So Catherine, who does all of our marketing for us, she was using a program to clean up our audio. And, you know, it was removing all of the verbal tics from our audio before we published the podcast. And then we started being accused by by listeners of, you you guys are just, you know, it's just all AI generators. Nobody music.
Colin White:Well, it's all it's all rehearsed. It's all robotics. Like, what do you mean? So I went digging to figure out how we got there, it was like, well, we cleaned it up too much. Right?
Colin White:So, I mean, it it's interesting in real time. We're learning these things. Right? That's I think I'm making it better. Oh, no.
Colin White:I'm making it worse. I think, you know, again, everybody's learning right now on, like, how imperfect do you need to be to sound real? Like, it's almost the Turing, you know, the Turing test. Right? You know, what does it take to be human?
Colin White:And if you can fake being human, then that's the highest level that you're gonna get to it, but it has to be imperfect enough.
Matthew Toussain:That is a fascinating way to lay that out. I I do think you're a 100% right. The most powerful word in the world today is
Colin White:Yeah. Exactly. Do you use it enough? Do you not see it properly? It's unnatural.
Colin White:And most people don't put that much thought into it, but it it subconsciously, I think it's how we get comfortable with somebody if they're if they're imperfect enough that we can relate to it, and it doesn't sound too rehearsed or too polished or what have you.
Matthew Toussain:And advanced voice from the OpenAI side that came out this past week is what terrifies me the most about that because it is really good at being imperfect enough.
Colin White:Alright. Well, it's gonna keep me up.
Josh Sheluk:My ChatGPT is still a little too optimistic. It needs to be a little bit more derogatory, I think.
Matthew Toussain:And then
Josh Sheluk:then it will be totally believable once it becomes it needs to take itself down a couple notches to to the more human level.
Matthew Toussain:You're a 100% correct there. My most common response is you're absolutely right.
Josh Sheluk:I know. Exactly. Yeah. You're correct. Yeah.
Josh Sheluk:You know, that's a very inspiring insight. I was like, yeah, it wasn't that inspiring. Wow. How are
Matthew Toussain:you such a genius? Yeah.
Josh Sheluk:Now Yeah. On on the the software and tech side of things, so it sounds like your firm Open Security is is very intent on sort of making some low hanging fruit available, I guess, to maybe potentially small business or or larger organizations. But, like we're a small business. I know it's something that maybe a lot of small businesses are neglecting perhaps or they're more vulnerable than they think they are. So is there something that you can tell us on the optimistic side of things that that this software and technology and protection is more accessible for businesses of our size than we would think?
Matthew Toussain:Sort of. So I've got pros, cons, and, like, middle ground pieces to say here. I think that the open source world has actually grown very significantly and very in this space, which means that if we were talking about baseline resilience, it has never been easier as a small business to be able to find the opportunity to defend yourself against standardized threats than right now. For example, one of the most big vulnerabilities that we're talking about actually came out this week in cybersecurity that is, and it is a Microsoft related vulnerability that affects everything. It's like kind of one of those sky is falling chicken little style vulnerabilities.
Matthew Toussain:And for your organization, you may or may not know if you're affected by it. Guess what? There are open source scanners that are really powerful at identifying those kinds of things. You don't need to have paid for a Qualys or a Nexpose from Rapid7 or Tenable's Nessus product. You don't need to spend tens of thousands of dollars to be able to identify these vulnerabilities in your environment anymore.
Matthew Toussain:But that is the lowest hanging fruit, if you will. If we're starting to talk about things like artificial intelligence attacks, then guess what? Resiliency is really important for your organization. So things like more advanced antivirus or anti I don't wanna use the word antivirus. I did.
Matthew Toussain:I apologize for using that word. I hate using that word. We generally speaking refer these things as endpoint. Mean, maybe it's worthwhile for me to apologize for saying that antivirus might be okay. Endpoint detection and response systems are what we tend to refer to these days.
Matthew Toussain:So things like CrowdStrike or SentinelOne, Microsoft Defender for Endpoint is a good example there. Those end up being like the next bastion of security for a lot of organizations, particularly on the small business side. Because when we're talking small business, we don't have a lot of time to review logs looking for security events that may have happened. Because guess what? Your organization might not experience a major security event for a year.
Matthew Toussain:But then when you do experience one, that could be an existential crisis for your organization. And so we're in this really weird space where the risk impact is exceptionally high, but the likelihood might not quite be there. And how do you account for that? And generally speaking, our recommendation tends to be resiliency. As in, if you are basically not the low hanging fruit, adversaries don't wanna contend with you because all you're gonna do is take more time for the amount of value that they're able to extract in general.
Matthew Toussain:And so if we can make that low hanging fruit disappear from your organization, that doesn't mean you're secure, but it does mean that you're not the primary target of most adversaries today, and we can work with that.
Colin White:And that's one of the the things that we've we've taken on internally is we actually have a weekly video that goes out to the entire team, and then we log who's who's watching the video. And it's like it's a very short little video on whatever's topical in the cybersecurity world. Because as you pointed out, the human side can be, you know, that's the kind of can be one of the first lines of defense. One of the things that people try to co opt, it's but trying to alert our team. So, you know, that kind of stuff, I I find I found interesting how easily available and how cost effective those kinds of things can be.
Colin White:And just by, you know, that one instance of taking and then putting a top of mind of our whole team weekly, how important it is and perhaps highlighting some of the attacks that are currently going on. You know, again, just just that awareness. And you're right. We're just we're just trying not to be the easiest ones on on the street. If we can be a little bit harder, you know, I think that's a reasonable objective to to to maintain.
Colin White:Right?
Matthew Toussain:That Absolutely. I'd love to share a story about that kind of thing specifically. So I was doing a voice based phishing attack for a bank, a major US based bank. And one of the things that we're trying to do with this voice based phishing attack was identify if we could extract sensitive information. And so what I did is I said, hey.
Matthew Toussain:Look. I was recently the victim of a, identity theft. Now that's not true by any means. I'm lying, of course, because I'm doing a voice based phishing attack. That's the point.
Matthew Toussain:And so I said, hey. Look. You're asking for my last fours of my Social Security number. If you give me the middle two, I'd be more than willing to give you the last four. And the the support personnel on the bank side did commit to giving me those middle two.
Matthew Toussain:Now from the perspective of US Social Security numbers, the first five digits are generally speaking based off of where you were born, what hospital you're out of, those kind of things. And the last four are often shared through many different mechanisms, but they're randomly generated. The bigger point here is that those middle two are the hardest numbers to acquire from a Social Security perspective, but nobody knows that. Like, nobody knows that. Why on earth was the bank even allowing their support personnel to have access to the full Social Security numbers when the only thing that they need to do is verify the last four.
Matthew Toussain:That was just not something that was thought about. Right? And so so this is the kind of attack that happens often, but it is an attack on layer eight. It's an attack on the individual, and I kind of reject it being the individual's fault. I think that it just means that we didn't develop a good enough security grid to say, hey.
Matthew Toussain:Look. You didn't need access to the entire Social Security number. You only needed access to the last four. And so the fact that they were able to get the other digits from you is our mistake, not yours.
Colin White:Yep. Yeah, no, absolutely. That's a fantastic way of looking at it and siloing information so that it again makes it more difficult for somebody to acquire all the pieces of it. That's a fantastic thing thing at an organizational level that you gotta keep an eye on.
Matthew Toussain:Interesting enough in that scenario, they also identified the fact that me asking for that was very weird. And so after the call ended, they did a full investigation backs vaccine in order to identify whether or not it was legitimate or not. They found me out by a like, as a person that I was not who I was claiming to be whatsoever. And so on our report, we actually had a huge positive finding for them because they were able to do a full investigation without even needing to reach out to authorities and to identify that this kind of scenario was, a, not legitimate, and b, directly malicious in in general. Now to be fair, we were paid by their security team in order to come in and do this kind of thing.
Matthew Toussain:And so they reach out to the security team as the end point of this, and the security team was like, well done. You identified the attack. But that's exactly what we're looking for because the next step of that, of course, might be notification like if it was real world, might be notification of the individual who is attempting to be exploited, and and that's really valuable because what a lot of folks don't necessarily realize from a banking perspective or from a small business perspective is you might not be the endpoint victim, but you might be being leveraged in order to get more information against the person who is the primary victim. For example, if I wanted the Social Security number of an individual not to get access to their bank account but get access to other things related to them, Going after their bank and trying to extract that information might be the only thing I'm looking to acquire from the bank in the first place.
Josh Sheluk:You mentioned CrowdStrike, Matt. Now this is, I think, a name that we're familiar with, like people like us that are more laypeople on the cybersecurity side, Colin and I, we're more familiar with this name because of its prevalence in the media outages, specifically over the past couple of years. It seems and we're talking about siloing information as well. It seems like to be more secure, we need to build more complexities and and difficulties and inefficiencies in our business. So how do you work with businesses to help them manage those two things or balance those two things?
Matthew Toussain:That is a very interesting way to look at it, but I can't actually disagree with the take because you're right. Oftentimes what we're looking to do is to engineer specific inefficiencies into the business that affect adversaries, but don't affect employees. Because if we're causing inefficiencies to adversaries, we're effectively doing or saying, hey, your initial access to delivering effects, maybe it is ransomware or something like that, takes X and Y time. What we're gonna do is we're gonna introduce inefficiencies and we're gonna spread that time out so we have more opportunity to detect and respond before you actually win. So delivering inefficiencies into the attack process for adversaries is actually a core part of what we do in cybersecurity.
Matthew Toussain:So I love that you kind of laid it out in that kind of fashion. The other side of that though is delivering efficiencies from a defensive perspective, and resiliency has a lot to do with that. We can actually break it down into very specific pieces. I think that it's really important to recognize the network side and then the the system side of these of these approaches. So how is the defenses looking like on your personal system that you're using to access the environment?
Matthew Toussain:And then what are the defenses look like in the environment itself in order to identify, detect, and respond to the attacks that are happening, kind of live and in real time?
Josh Sheluk:So I'm I'm actually really disappointed that we made it this far into the conversation without talking about this, But you mentioned monetization and and being investors, we have to talk about cryptocurrency and specifically Bitcoin, which we get asked about all the time from an investment perspective. But all we hear about from a practical use perspective of Bitcoin is that criminals use it to transact. Is it well, let me let me start with here with this. Is it true that hackers just want Bitcoin, and that's what they're gonna demand all the time?
Matthew Toussain:Hackers generally want some kind of monetization vehicle that is as anonymized as possible and is as convertible into some kind of currency owned by a country as possible. Now the most common currency, of course, is the US dollar from that perspective. But the US dollar and the exchanges related to the US dollar are also the most trackable. Extraditable, if you will. So, like, if you're if you're trying to do something that is criminal related to criminality, the last thing that you wanna do is deal with a Bitcoin wallet that is in the US.
Matthew Toussain:And let me give a direct example here. So the Colonial Pipeline breach. Right? The Colonial Pipeline breach affected basically the entire Eastern Seaboard of the United States. Adversaries got into Colonial Pipeline due to some very significant cybersecurity failures.
Matthew Toussain:They were they were very, very bad. But the the bigger point is the attacker got in. They didn't actually affect the operational technology network. Operational technology effectively means cyber physical systems. So the pipeline is we're talking about in Colonial's, specific situation.
Matthew Toussain:The attackers never touched the pipeline, but the pipeline went down. Why? Colonial personally made the decision to turn the pipeline off because the attackers got into their billing system, which wasn't touched the pipeline at all, and they couldn't figure out how much to charge their customers anymore. They said, what if we can't figure out how much to charge you, let's just turn it all off because capitalism is king. At the end of the day, from the Colonial perspective, what we're really dealing with here is that we've got attackers who are trying to make money, and the attackers don't wanna cause international incidents.
Matthew Toussain:And so they're not going after the OT network. They're going after the IT network. In this case, Colonial made a international issue when they turned off that pipeline, And it caused an OT effect even though the attack was against their information technology systems, SharePoint devices effectively. And so what the attack group did, DarkSide was the name of the group. They said, oh my gosh, this is crazy.
Matthew Toussain:We don't wanna go to jail. We definitely don't want to go to jail over $4,000,000. It's not worth it. We make that in a weekend and they left all the money in a US based Bitcoin wallet. And so what the Department of Justice did is they seized it and said, look, everyone crime doesn't pay. But the reason why crime didn't pay is because the attackers very specifically said, we don't wanna go to jail, and they left it in a US based Bitcoin wallet.
Matthew Toussain:So when we talk about cryptocurrency from an adversarial perspective, the first thing to recognize is that it is traceable. Like we think about Bitcoin or cryptocurrency in general as if it were completely anonymized. It is not. We can trace where these wallets go. We trace where transactions go from one wallet to another wallet, and the way that adversaries are able to directly monetize is by pulling information and data, and specifically Bitcoin currency, if you will, or any kind of cryptocurrency out of a given wallet that is in a, extradited capable state and moving it into one that is not.
Matthew Toussain:So we might see something like Ecuador or Russia or Ukraine traditionally, many Eastern European states as well as a way to get the money out. Now does that mean that the FBI is not aware of who did it? No. That's not the case at all. We know.
Matthew Toussain:We absolutely know because it is rather more traceable than people believe. It's just we don't have the international authority to do anything about it.
Josh Sheluk:So Bitcoin Bitcoin goes to US Bitcoin wallet, gets tran transferred over to Russian Bitcoin wallet. Then what happens when it's there?
Matthew Toussain:Generally turned into something like rubles.
Josh Sheluk:So rubles are a better investment than Bitcoin in the criminal's minds.
Matthew Toussain:Well, so from a criminal perspective, they care about cash. They do not like cryptocurrency at all. Cryptocurrency is just a really easy way for them to convert cash from one style to another style.
Colin White:That that's where we want you to go.
Josh Sheluk:Yeah. Thank you. Yeah. That's bunch of it.
Colin White:Even the criminals don't like holding on to crypto. It's it's good to transact.
Matthew Toussain:Oh, yes. I could double down on that. Crypt criminals hate holding on to crypto. They divest out of crypto as fast as they possibly can post an engagement.
Colin White:That builds on the understanding because crypto is one of those things people are beginning to understand, trying to understand more, and it's evolving and how people are using it. And, you know, again, this is just hilarious for us to come to the realization of, you know, that this is the truth. They want want regular currency.
Josh Sheluk:So what what about the idea, though, that the the cryptocurrency wallets, if you wanna call them that, or the infrastructure in general is, like, virtually unhackable? Is that like, we've seen all kinds of vulnerabilities in the the crypto space, but it seems like that's happened more on the exchange side of things. Or Yep. There was some some issue that was kind of outside of the the true, like, intention of what crypto is at its core. So is it so so we've kind of debunked the anonymity part of crypto, but is the is the safety and in, you know, the the invulnerability of crypto, is that is that true?
Matthew Toussain:I love this question, and I'm gonna try very hard not to nerd out a little bit too hard over it. Because cryptocurrency is effectively just cryptography. All it is is cryptography that we've attached monetizable value to. That that's it. And so if you look at, like, your password, let's say you log in to a Windows device, on, like, your computer.
Matthew Toussain:Right? And so you log in to that computer. You type in your password. Your password is, of course, password because the most common password in the world is password one. Why not?
Matthew Toussain:And so you log in to your computer. Does your computer understand your password as the word password? Well, no. It converts that using a mathematical function. We call it a hashing function into a string.
Matthew Toussain:In the case of, let's say an NT hash, that's your Windows kind of credential, that can be up to 128 character password. And it can also be a password as low as one character. But either way, you end up with this singularized hash as a result. And effectively what Bitcoin is, is just a list of hashes. We always often refer to these things as immutable registries, if you will.
Matthew Toussain:And that's effectively what it is. It's just a list of hashed events that have occurred. And these are all just basic mathematical functions, which means that there's two ways that we can go after attacking these. Either a, the mathematical function itself is broken and we can break it or we can do something against it. This is rather uncommon to happen because we've been doing cryptography for, well, technically millennia, but if we're talking about cryptography in a computer sense, we've been doing it since, World War two.
Matthew Toussain:So we've been doing a lot of cryptography. Cryptography is generally pretty well developed, but if there were to be a cryptographic based issue, it could fundamentally break the entire thing. And we often look at quantum as an example of that potentiality. Now that is a very big challenge tangent, that is. On the other hand, we could look at the implementation of this technology and of this math into systems.
Matthew Toussain:You mentioned that exchanges being hacked are the primary way that we're seeing cryptocurrency style cybersecurity issues occur. That is absolutely right because effectively what we're saying is the crypto itself isn't vulnerable, but the way that we're implementing this ecosystem where crypto cryptographic technology is being leveraged is vulnerable, and that's what's happening with those exchanges.
Colin White:Yeah. That was one of the first ones that I remember seeing, again, not to nerd out too much. Mt. Gox was one of the Yep. The first real big ones that got hit. And then I I started reading about it, and it was a repurposed server that originally was for trading cards.
Colin White:It was Magic the Gathering Online Exchange was the original use for the Mt. Gox server, and they they flipped it over to a crypto server. And it's like, yeah, that that probably wanted to have a more substantial server to run things on then, you know, because you put a few million dollars on there and then all of a sudden it became a target. So, yeah, it's it's an evolving ecosystem. And, yeah, just don't don't trust it.
Matthew Toussain:100%. And then, like, secondarily, like to double down on that. The idea there from a security perspective is often segmentation. So let's say for example that I'm doing cybersecurity work and I'm testing banks, to see if they're vulnerable. If I'm doing that from my own personal computer, guess what else I'm doing from my own personal computer?
Matthew Toussain:Maybe I'm checking Twitter or I'm doing whatever else on the web, and that computer could be vulnerable as a result of that. From a cybersecurity perspective, the right way to treat these things is to split them off. We call this segmentation. And in the case of Mt. Gox, well, why do you have a server that is primarily for Magic the Gathering doing something completely unrelated to Magic the Gathering?
Matthew Toussain:Why not have two servers? Because if you do, if one is vulnerable to something, it doesn't affect the other all of a sudden.
Colin White:Yeah. Absolutely. Now listen. One thing I like in, you know, from this conversation that I think is at the end of the day, the privacy is not a thing. Like, if somebody really wants to learn everything about you and they're determined enough, that's gonna happen.
Colin White:But that's okay because your defense is you just need to not be the easiest one. And there's a lot of people out there who are gonna be really easy to targets for stuff like this. So the challenge is not about trying to find a way to be a 100% invulnerable. It's just being hard enough that there's no reason anybody would ever wanna go to the lengths it would take to to, you know, get in your world. So the I feel I feel better, you know, just, you know, coming to that conclusion and and recognizing that that's the goal.
Colin White:Yeah. Because the the and I think this is important for people to to really understand. It's like there's no such thing as private information. You know, everything you everything about you is knowable if somebody's determined enough. Just don't make yourself a target and and make that difficult for them to get to.
Matthew Toussain:Yeah. And I think that's an extremely important takeaway to have for folks because when when I started in cybersecurity,
Josh Sheluk:I just wanted
Matthew Toussain:to hack stuff. Right? I was this kid. I I loved computers. I wanted to, like, hit my hands on the keyboards.
Matthew Toussain:I was working for the US Air Force and the NSA at the time, and I just wanted to get into things that were not supposed to be gotten into. But that's not really what cybersecurity is all about. At the end of the day, it's all about risk management, and that's the same thing that's true for folks who have a cybersecurity risk associated with them. You've got accounts. That means you are a potential victim, but that doesn't mean you are the primary one either.
Matthew Toussain:What is your risk and how much lengths do you need to go through to manage that? Some lengths for sure, but for a lot of folks, it's not something that we can't overcome.
Colin White:Are you one of those kids that get caught doing something they shouldn't have been doing instead of jail time? You decided to go work for the government. Is is that your origin story? Like, am I talking to, like, a Bond villain right now?
Matthew Toussain:It is not quite my origin story. Back in the day, there were two ways to go about it. Either you sold your soul to the government or you did something illegal, and then you sold your soul to government to not go to jail. In my case, I did the first thing first.
Colin White:Oh, okay.
Matthew Toussain:I went to the US Air Force Academy. I immediately sold my soul right off the bat.
Colin White:There you go.
Matthew Toussain:So it was super easy.
Josh Sheluk:Well, we're coming up on an hour here, Matt. But you mentioned quantum, and that's a big tangent. But maybe you can turn quantum into a little tangent for us just as we kinda wrap up here. Because what I've been hearing about quantum is basically all of the encryption that we've ever had. It becomes immediately hackable within seconds once you have quantum computing.
Josh Sheluk:And I think that's still a ways away is what the consensus is, but maybe you can give us some type of optimistic tidbit to leave on.
Matthew Toussain:I would love to. Unfortunately, in this case, I do get to be very optimistic because none of that is true. It is true for all of the cryptography that we've had over the last forty years, but there's this thing called elliptic curve cryptography, which, oh, man, don't quote me on dates here, but was invented quite a while ago. And we've been rotating a lot of the cryptography that we leverage into that style of mechanism. And we effectively refer to this type of thing as being like a resistant-to-quantum style cryptography.
Matthew Toussain:And the vast majority of things that we really rely on, like the underpinnings of the Internet, have already moved into that. Like if we were saying, hey, quantum computers are here and they're fantastic and they're amazing and they're breaking everything ten years ago, then suddenly we're sitting on top of a problem. Unfortunately, for the people who wanna be sensationalizing things, it turns out that we've actually been developing security mechanisms against the potential for quantum cryptography-breaking mechanisms for the past, oh, man, I'm gonna say twenty years, but it might honestly be longer than that. More importantly, many of these defenses are no longer theoretical.
Matthew Toussain:They're starting to get rolled into real world systems and have been doing so for the past five to ten years. So I'm no longer afraid of cryptography. Ask me the same question ten years ago. I'm terrified. The next world ending event, the next Y2K, it's gonna be all about quantum breaking our cryptography.
Matthew Toussain:AES is dead, long live AES, all of these kinds of things. But today it is suddenly no longer a primary vector of concern that I have. Now to be fair, is this gonna break things? Yes. Do you have old systems in your environment?
Matthew Toussain:Yes. Why is this going to break things? Because you have old systems in your environment, not because it's breaking the newest stuff that we're starting to roll out. This is a problem that exists. It's a real problem, but it's a problem that has a solution.
Colin White:This is amazingly positive. I'm not feeling the need to give up at all.
Josh Sheluk:At all. Oh, and we tend to be optimistic here about the future. So I think we're both very grateful that you've been able to share some optimistic perspectives on the cybersecurity space, Matt. So we appreciate so much the time that you've shared with us today.
Matthew Toussain:It's been my absolute pleasure. Colin, Josh, I hope that I didn't nerd out too hard. Could you ask me a couple questions here that just absolutely made my heart throb, and I could not help myself?
Colin White:You're amongst friends, and I think a lot of our listeners would count themselves among friends. So this will find an audience. We sincerely thank you for your immense knowledge and your perspective. It's odd to find somebody who has the depth of knowledge who can actually put a sentence together, and you don't at all look like an avatar. You don't look like you're AI generated.
Colin White:You look real. So Yeah. Is just we ticked all the boxes, so we're great.
Matthew Toussain:Well, it's my pleasure to be here. This was a stupendously fun conversation to have.
Josh Sheluk:Thanks again, Matt. And I think it leaves on again a positive note. And for all of our listeners in our audience, it reinforces some of the principles that we have here, Verecan, being optimistic, thoughtful, being process driven. But at the end of the day, we all need to protect ourselves and be smart about it.
Colin White:We didn't like the way investment management firms worked in Canada. So we built Verecan, something different. You can find us at annoyingthecompetition.com.
Kathryn Toope:For more information on the subject of today's podcast or any other financial topic, please visit us online at verecan.com. That's verecan.com. There's plenty of information there, or you can reach out to someone on the team. Thanks for listening. Please note, the information provided in this podcast is for general information purposes only.
Kathryn Toope:It is not intended as financial, investment, legal, tax, accounting, or other professional advice. Our discussions are not a solicitation to buy or sell any securities or to make any specific investments. Any decisions based on information contained in this podcast are the sole responsibility of the listener. We strongly advise consulting with a professional financial adviser before making any financial decisions. Listeners should be aware that investing involves risks and that past performance is not indicative of future results.
Kathryn Toope:Barenaked Money is produced by Verecan Capital Management Inc, a licensed portfolio management company in Canada. We operate under the regulatory framework established by the provincial securities commissions in the provinces within which we operate. The views expressed in the podcast are our own and do not necessarily reflect the official policy or position of any regulatory authority. Remember, at Verecan Capital Management Inc, we focus on aligning our goals with yours, prioritizing integrity and transparency. For more information about us and our services, please visit our website.
Kathryn Toope:Thank you for listening, and let's continue to challenge the norms of the financial services industry together.