Chaos Lever Podcast

A review of the core keynote speeches at the 2024 RSA Conference and what they mean for IT defenders.


I Didn’t Go To The RSA Conference So You Don’t Have To
Didn’t make it to the 2024 RSA Conference? Well neither did Ned and Chris, but that’s not going to stop them from talking about it. This year’s theme was “The Art Of The Possible,” highlighting tech’s potential and the threats it faces. AI was a big topic with lots of talk about how both attackers and defenders are using it. The "Secure By Design" pledge was also a key initiative, focusing on better product security. Interestingly, Zero Trust, which was a hot topic in past years, didn’t get much attention this time around since deep engineering concepts aren’t top-of-mind once past the first wave of publicity.



What is Chaos Lever Podcast?

Chaos Lever examines emerging trends and new technology for the enterprise and beyond. Hosts Ned Bellavance and Chris Hayner examine the tech landscape through a skeptical lens based on over 40 combined years in the industry. Are we all doomed? Yes. Will the apocalypse be streamed on TikTok? Probably. Does Joni still love Chachi? Decidedly not.

Ned: Once again, I spent 30-plus minutes fighting with my webcam and microphone setup.

Chris: You mean the webcam that you bought because it was going to be easier?

Ned: That’s the one, yeah.

Chris: Yeah. It’s going good, then?

Ned: Going great. There was a firmware upgrade that failed. So, then I had to look it up, and what I discovered is that the cable they ship you is a USB-C to USB-C, which I happen to have a USB-C port on my computer, so that’s what I plugged it into. If you try to do the firmware upgrade across that cable, it will fail. Because everything is awful, and burn it with fire [laugh] .

Chris: Cool.

Ned: Oh hello, alleged human, and welcome to the Chaos Lever podcast. My name is Ned, and I’m definitely not a robot. I’m a real human person who has roots, and sentience, and gets jokes, and sometimes I even go for long strolls with my canine companion who is also not a robot, for real. With me is Chris, who’s also here. Hi, Chris.

Chris: I really thought you were going to say that the dog is here and is now the new co-host.

Ned: [laugh] . Don’t tempt me [laugh] .

Chris: Hard decisions have been made. Kibble bribery has happened.

Ned: Ah yes. Bark-a-tron 3000. Has opinions, and he wants you to hear about them.

Chris: Especially about the mailman.

Ned: [laugh] . Mostly the UPS guy. Just loses his goddamn mind over that. That and a woman pushing a stroller. That’s just, like, Threat Level Midnight.

Chris: Can you imagine if there was just a number of packages in the stroller?

Ned: His brain would explode. Central Processing Unit just, pop. [I had] a really weird experience walking the dog this morning. Like the actual real dog… and not my fake robot dog that we used for the sake of a bit. We’re walking, and we look across the street, and there’s a fox. Now that, in and of itself, is not odd. We see foxes all the time. But the fox stopped and stared at us, and then started mewling. I learned what the fox says, and it sounds kind of like a dying baby.

Chris: Mmm, yeah, that sounds about right.

Ned: And it just continued to do that, looking at us. And my dog was very disturbed by this, as was I. It’s also, like, 5:30 a.m. so it’s barely light outside. So, we walk slowly in the other direction, keeping an eye on that fox, and now I’m a little scared to go outside.

Chris: Well, that’s a useful and fun PSA, that if you’re out in the woods, and you hear what sounds like a baby crying, do not try to find it because it’s not a baby. It’s an animal with teeth, and probably rabies, and maybe a knife.

Ned: [laugh] . They are tricksie. That’s one thing I’ve learned from Aesop’s Fables: you can’t trust a fox.

Chris: A gift that keeps on giving.

Ned: Every day of my life. Anyhow, you did a thing, or you wrote a thing about a thing you didn’t do.

Chris: Hey, hey, hey.

Ned: [laugh] .

Chris: You settle down. This is a long-standing tradition on this show, where I don’t go to various conferences, tell you about it, so you don’t have to go.

Ned: Yay.

Chris: I’m helping.

Ned: Sure.

Chris: In particular, in this instance, we will be talking about the RSA conference, or RSAC as they insist on calling it, which I absolutely will not.

Ned: That makes me really uncomfortable.

Chris: [laugh] .

Ned: Like, I shifted around in my seat a little bit when you said that.

Chris: Now, for those who aren’t a hundred percent familiar, the RSA Conference is one of the premier security conferences that comes along every year. This year, it was held in San Francisco, which is not a surprise because it’s always held in San Francisco. Duh.

Ned: Of course.

Chris: Now, in another long-standing tradition, as discussed before, I didn’t go, but I heard about it.

Ned: Yay.

Chris: So, as usual, the sessions did all get recorded, and if you bought the remote attendees On-Demand Pass, you can watch them all now. And you can in fact, still buy the On-Demand Pass if this stuff is all interesting to you. There are already some sessions available for free, especially the keynote-y type sessions. Now, their official statement on the matter is that this stuff starts to become available approximately 30 days after the conference, but they’re actually already sharing them. There’s a good amount out there, and they’re going to just keep on trickling out. So, keep an eye on the RSA Conference’s YouTube channel if you’re interested in what you can see from this conference for free. Now, I said keynote-y type sessions and I said that for a reason. There are 36 keynotes.

Ned: Uh— [sigh] —I—

Chris: Which, if you’re doing the math at home, is a lot.

Ned: It ceases to be a keynote at that point. Right?

Chris: Right.

Ned: Right.

Chris: Correct.

Ned: Okay.

Chris: Because if you look up the definition for keynote, it’s a quote, “Talk that establishes a main underlying theme.” One would assume from this that there’s one. This has stopped being a thing for way too long now. Now, before we even talk about the conference, I want to start a change.org petition to call it something else.

Ned: Okay.

Chris: How about we’ve got ‘sessions,’ of which there are an infinite amount, “The keynote,” of which there is one, and the super-duper, fancy special speeches, of which there can be 36.

Ned: Sure.

Chris: Longer name, sounds way more important that way. Who says no?

Ned: Can’t we just call them, like, ‘Premier Sessions?’

Chris: Oh, that’s good, too. I think mine’s better, but that’s good, too.

Ned: All right.

Chris: We’ll workshop it.

Ned: Of course. And, you know, if listeners have suggestions, write them in. Let us know.

Chris: Yeah. Okay. So, on to more serious topics.

Ned: Okay.

Chris: Let’s start with the obvious question that a lot of people probably don’t know: what the hell does RSA stand for in the name RSA Conference? I’m not going to lie, I have probably looked this up ten times, found out about it, and then forgot it ten times. So, I had to look it up again. And it’s not as exciting as you might think. It’s actually just made up of last name initials of the cofounders of RSA. That would be Ron Rivest, Adi Shamir, and Leonard Adleman. Get it? R. S. A.

Ned: I get things. I’m smart [laugh] .

Chris: So, there you have it. One mystery solved. [singing] And we’ve only just begun.

Ned: Oh.

Chris: And we’re sued.

Ned: Eh, always. Always. Folks may be familiar with RSA if they look at different encryption types because RSA is one of the encipherment types, I think.

Chris: Encipherment?

Ned: Yes. It’s a word I use.

Chris: That is absolutely not a word.

Ned: [laugh] . It is now [laugh] .

Chris: It sounds like something you get six months in jail for.

Ned: [laugh] . Encipherment, right next to embezzling?

Chris: [laugh] .

Ned: He enciphered the company for thousands of dollars. I think it is a cipher type.

Chris: Yes.

Ned: So, you may have seen it there.

Chris: Anyway, the theme of the conference—and they actually did have a theme—was ‘The Art of the Possible,’ which sounds wishy-washy, and more like, you know, the title of an airport self-help book than something that would be around relevant topics in technology, but in the way of the old blessing slash curse, “May you live in interesting times,” get to think a little deeper about ‘The Art of the Possible’ name. Kind of, the idea here is, not only what we as technologists can do, as, you know, security professionals can do, what is possible that our adversaries can do. Ehhh? Ehhhh? Anyway.

Ned: As a response to whether or not this is a self-help book, it is. It’s called The Art of the Possible: Create An Organization With no Limits, written by Daniel M. Jacobs in 2010, and it is, quote, “An integrated leadership and management guide to success.”

Chris: Why do you insist on putting the audience to sleep?

Ned: [laugh] . Well, I didn’t actually try to read it to you, though, that would absolutely put everyone to sleep, probably me included.

Chris: That’s on the Patreon page.

Ned: [laugh] . We should have one of those.

Chris: So, with 36 sessions listed as a keynote, it was a little difficult to pin down where to start [laugh] and what the main mission of this year was supposed to be. But if you look at the schedule—and that is also available on their website—the first one that was not weird, was put on by Hugh Thompson, who is a big-wig at RSA, and did a number of keynotes. But this one, I think, got as close to a main topic or a main overarching theme speech type of thing that we’re going to get. It was titled “The Power of Community”, and is available for streaming on their YouTube channel. It’s only 18 minutes.

It’s worth the watch, actually. It’s very entertaining. The guy’s good. The main theme of the speech was basically that none of us is smarter than all of us. Now, on the one hand, you might think this is a cynical message that only serves to reiterate the importance of paying a lot of money to go to a security conference.

Ned: Fair.

Chris: But on the other hand, he’s kind of right. These conferences are, in fact, a sharing of knowledge enabling every security practitioner to learn just a little bit more about their own areas of expertise, and the ones they need to know, but never had any type of experience with. And to that end, he talked about two things that are really good life lessons for conference-going that we’ve actually discussed before. The first one is to attend sessions outside of your wheelhouse because sometimes it might not help, but often it actually will. It’s fairly surprising to hear other subject-matter experts talk about what they’re passionate about, and then be able to kind of think about your own stuff in a different way.

Ned: Mm-hm.

Chris: External perspectives on other technologies opening up little neural pathways in your brain. It does actually help.

Ned: It does. I agree.

Chris: And the second one is a stupid thing. He thinks that you should talk to people.

Ned: Bah, no.

Chris: What?

Ned: Thumbs down.

Chris: You fool.

Ned: [laugh] .

Chris: No, he enjoined the audience to, quote, “Meet at least three new people.” Which, to me, sounds terrifying and counterproductive. As all security practitioners know, new people have cooties, and they’re all out to get me.

Ned: Uh-huh.

Chris: I mean us.

Ned: Yes.

Chris: But if you wanted to get cooties, there was something like 42,000 people wandering around the halls of the RSA Conference, drinking stale coffee to give it a shot with.

Ned: Wow, I did not realize it was 42,000 people. That’s getting up there with, like, re:Invent numbers.

Chris: It is creeping up there, and it is a bit of a surprise. It also explains perhaps why there were 36 keynotes, but probably not.

Ned: [laugh] . Still, no.

Chris: Now, all of that being said, let’s talk about some of the themes of the conference, based on the material that they actually shared in the sessions. So first, with a bullet, you’re not going to believe this. Ned, I hope you’re sitting down.

Ned: Can I sit down lower? Would that help?

Chris: Can you put a chair on a chair, and then sit on that chair?

Ned: Okay.

Chris: Because that’s the kind of sitting down you’re going to need because this is a shocker. AI was a big old topic.

Ned: [big silly gasp] .

Chris: I warned you.

Ned: Damn it. I should have been sitting on a milk crate. [I need stability] .

Chris: I mean, good God, man. Of the 36 keynotes, 13 of them were directly AI-related. Of the regular sessions, it was 82 out of 298, and that is just ones that had AI in the title.

Ned: Frankly, that seems low.

Chris: [laugh] . So, what did they actually have to say about AI? A lot of what they had to say was not really that surprising. Main themes: AI is going to be more and more utilized by both attackers and defenders, and it’s an open question if there’s any way to guarantee that the defenders will maintain an upper hand going forward.

Ned: Almost certainly not.

Chris: Hold that thought. Because there is one piece of it that might be just the faintest glimmer of hope.

Ned: Oh, okay.

Chris: So, before we get to that, there are two things that attackers can do now that were just flat out harder for them before AI. The first one is, hackers attacking from all over the globe have a problem, and that problem is, generally speaking, they don’t speak every language on Earth.

Ned: True.

Chris: But they would like to attack everybody on Earth. So, what you used to end up with was hilariously poorly Google-translated emails that were obvious scams, or attacks, or just loaded with malware, and grammatically incorrect things, right? AI can help just rewrite communications into natural-sounding language for whatever they are trying—whomever they are trying to attack. You can do that with ChatGPT, for free, right now, indefinitely. Now admittedly, ChatGPT still has an extremely heavy English language bias, but they are working on including more and more sources from other languages, so it’s going to continue to get better and expand.

Ned: There’s an interesting theory that I’ve heard proposed before that the poor wording syntax and English usage in those emails is somewhat intentional. Could they get someone to write it in a more natural-sounding way? Yes, but they’re using it as a filter to only capture those people who would read that email and think it’s perfectly fine because in order for their scam to work, they need someone who will read that email and think that it’s perfectly fine, and that also they should click on the link and transfer $1,000 to a bank account.

Chris: Interesting theory.

Ned: I don’t know if it’s a hundred percent accurate, but I have heard it proposed.

Chris: Well, they didn’t talk about that.

Ned: Well fine.

Chris: So, stop helping.

Ned: [laugh] . Okay.

Chris: So, the second thing that AI can do to help attackers is research. Thanks to the careless, wide-open way that people use the internet, and the total lack of data sovereignty laws that matter at all, there is—and I looked this up—it’s a quatro-bajillion data points out there about everyone and every company.

Ned: [laugh] . Okay.

Chris: Now, in terms of corporate research, previously, you would have to rely on paid services. The most famous one that I know of is ZoomInfo, and what they do is collate all this information from LinkedIn, from blog posts, from 10-Ks, from wherever they can find it, to figure out, how is a company structured? What are they up to lately? How many employees do they have? What are their markets? Blahdy, blahdy, blahdy, blah.

This may not sound like much, but remember, the human element is and probably will always be the biggest security risk. Figuring out who works where, what they’re responsible for, and how a company is structured, both from a personnel perspective and potentially from a security perspective—IT infrastructure, et cetera—often makes its way into press releases. This helps fine-tune long-running attacks, right? This is not the fly-by-night scams we were talking about before. This is APTs and state-level actors.

But it makes it so much easier to do this research with AI. Now, in terms of people being the worst—just a little side jaunt here, a little venture—the 2024 Verizon Data Breach Investigations Report, or DBIR, came out around the same time as the RSA Conference. And one of the main numbers to pay attention to from this report was 68%. 68% of breaches involve a non-malicious human element like a person falling victim to a social engineering attack, making an error in configuration, et cetera, et cetera. Meaning people make mistakes. Now, if you want more info about the report, there is a link to it in the [show notes] . The report is free, it is informative, and it is depressing.

Ned: Well, you and I have both read at least one Kevin Mitnick book about social engineering. And the general way that he got into anything was to figure out the organizational structure, and then find a weak point in it. And often that weak point is going to be the personal assistant for any of the muckety-mucks at a company because they have a vast amount of access—much, much more than they’re getting paid to have—and they know where all the bodies are buried, all the secrets are, and if you can compromise them, then it’s relatively straightforward to compromise the rest of the company.

Chris: Right. Also people that are new to the company.

Ned: That’s a good one, too, because they don’t know the proper procedures, and they’re report—

Chris: And they don’t know everybody.

Ned: Right.

Chris: And they’re probably very stressed out to do a good job and to keep everybody happy.

Ned: Right. So, you get a request from Angela over in HR to send over some very important information that they need to complete your benefits package, and you’d be like, “Sure, I’ll get right on that, Angela.”

Chris: I like benefits.

Ned: I—who doesn’t? You know, “Participate in our employee bonus program.” Like, yeah, I’m responding to that. Except Angela doesn’t work for the company [laugh] .

Chris: Right.

Ned: And now they have all of your personal information and your password for some reason.

Chris: So, let’s pivot, and we’ll talk about what they had to say about things from the defenders’ point of view because it’s not all a nightmare.

Ned: Okay.

Chris: One thing that could help tilt the balance in favor of defenders ties back to the whole, “We’re all in it together,” point from earlier. Defenders have a hell of a lot more data than attackers do. Bruce Schneier, IT security technology guy extraordinaire, stated it plainly. “We have more data than they do. LLMs and AI, they be trained on data, therefore, our data stuff is going to make our AI stuff better than their AI stuff.” Now, he said it a little better than that, but I’m paraphrasing. Actually no, I take that back. It was an exact quote.

Ned: All right, fair.

Chris: So, if you step back and think about it, it does make sense. Pick any random EDR company that’s large, like say, SentinelOne—whomever; doesn’t matter—now, these companies, they don’t release precise specifics on their deployments of the field, but SentinelOne proudly states that they have quote, “Tens of millions,” of protected endpoints out there, all of which report back about attacks. SentinelOne vulnerability researchers can then take that data and turn it into protections. Thus, you have areas of security where you didn’t have anything before because you can see what people are doing. And there are even areas of security where researchers from multiple different companies will pool their resources to help increase the overall security posture of everybody. So, that’s good. Attackers, on the other hand, don’t do that.

Ned: [laugh] . Yeah.

Chris: They all work, more or less, alone. And I don’t care how popular a given piece of malware is. It’s, one, probably not phoning home like that because that would be immediately discovered by network trackers, and two, they’re not hitting tens of millions of anything, except maybe dollars they get from ransomware payments that are never disclosed to the public.

Ned: Wa-wah.

Chris: Quote, “We have a very rich data source which, uncommonly, is an asymmetry in favor of the defender that we don’t see very often,” unquote, stated Daniel Rohrer, VP of Software Product Security at Nvidia. So, what does all this add up to? From the AI perspective, what it adds up to is finely tuned LLMs. Not general stuff like ChatGPT, but we’re talking about very focused things based on security, trained on that huge amount of data to help with things like identifying adversarial behavior, zero-day protections, and eventually, even things like auto-remediation. You can have a listener on each endpoint that tracks for all this stuff; if it sees something nightmarish, it could just turn off the network. Now, it’s going to take a long time for people to be comfortable with auto remediation based on AI, but if we look far enough into the future, and I’m thinking probably less than five years, my guess is that this is going to become the norm.

Ned: We’ve already seen a flood of security vendors adding AI into all their marketing materials, which some of that is, you know, just marketing, marketecture—vaporware, if you will—but a lot of it is we’re bolting on a new feature to our existing offering that makes use of a trained LLM that we trained on our giant pool of data we’ve collected from all of our clients.

Chris: Right.

Ned: So, I think, from a security perspective, that could happen pretty rapidly. What’s a little more difficult is putting in the detection portion that you’re talking about because that needs to be closer to the endpoint. So, we’re going to have to wait for, probably, some specialized hardware to be available—the sort of TPUs, GPUs, XPUs—to be available on these endpoint devices to do that real-time scanning if you’re looking for that level of protection.

Chris: TPU, of course, as everyone knows, is the Toilet Paper Unit.

Ned: Yes [sigh] .

Chris: I got jokes, man. I got jokes.

Ned: It’s fantastic. No notes.

Chris: [laugh] . Oh, Bark-a-tron 3000 looks so disappointed in me.

Ned: [laugh] . He’s kind of licking his own ass, but whatever.

Chris: Okay. Moving on. Something else that was a big topic. Everybody’s favorite four letter word: regulations. These are a— [mouth noises] —

Ned: [laugh] .

Chris: That is not important. Just… doing the thing over here.

Ned: All right.

Chris: So, it was a big concern at the conference. Honestly, it’s a big concern all over the world, and it does have relations to AI. But first, one thing that came out at the conference was the quote, “Secure by Design,” pledge. Now, this was created by CISA, and is intended to ensure that quote, “Products should be secure to use out of the box, with secure configurations enabled by default, and security features such as multifactor authentication, logging, and single sign on available at no additional cost.” So, this pledge is super great, and I hope that it gets a ton of attention.

It is disappointing and more than a little galling that it has to exist, but as the SSO Wall of Shame website clearly shows, plenty of vendors have no qualms whatsoever charging extra to enable features like single sign-on.

Ned: Yeah.

Chris: Now, at the conference, 68 companies, including big-wigs like AWS, Google, Cisco, Microsoft, and IBM, signed the pledge. Kind of a big deal. Except, of course, that it’s not binding. It’s not a law.

Ned: [laugh] . That’s true.

Chris: But it does at least commit these companies from a PR perspective to work towards the increased product security goals over the course of the next year. So, why was this important? In my opinion, it’s one of those ‘which way is the wind blowing’ kind of moves. To wit, it is likely that these companies are trying to self-regulate to get ahead of the world’s various governing bodies regulating for them. To that end, other regulations are already happening.

Ned: Mm-hm.

Chris: There was a lot of discussion about these. In Europe, there is NIS2 and DORA, which focus on cybersecurity mandates and operational resilience requirements respectively.

Ned: And also finding the map.

Chris: Ugh.

Ned: I’m sorry. So, sorry. [laugh] . I can’t tell if you’re frozen or just mad at me [laugh] .

Chris: [laugh] . For whatever reason, America continues to trail behind Europe on things like this, but it does stand to reason that we will have them sooner rather than later. Now, we already know about the cybersecurity mandate and the AI mandate, all basically just things that were executive-summarized. My assumption is that we will get a law at some point.

Ned: It seems likely, yeah.

Chris: Along the AI footpath to this issue, AI regulation and governance were big talking points, not just from regulating and governing AI, but using AI to make sure that your company stays compliant with regulations and governance. So, if you’ve ever looked into any of these regulations, you will know that there are, I think, six times eleventy-bajillion attestations and data points that have to be collected in order to prove evidence of compliance. There’s actually a huge subcomponent of the consulting world that is based exclusively around helping companies prove this compliance. A subcomponent of the consulting world that might be a little worried that AI tools are going to come around and do that.

Ned: Yeah. And they’re almost necessary at this point because of all the security frameworks that we’ve baked into various deployments of compute and whatnot. They all have a virtual TPM now, they all are doing attestation of boot—not all, but a lot of them are doing that—and something needs to verify all of that and keep up to date with that. We’re generating so many more data points, as you said, there’s no way a human, even a consultant that’s getting paid thousands and thousands of dollars an hour, can comb through all of that and prove it. We need something to do, sort of, just gather it all up and look through it and then give us back a thumbs up or a thumbs down.

Chris: Right. There were tons of other AI notes in dribs and drabs. Things like utilizing AI for data protection, utilizing AI for micro-segmentation, utilizing AI for log management and observability, using AI to make you a sandwich, et cetera, et cetera, [big gasp] et cetera. There’s a lot of AI, I guess is what I’m saying.

Ned: It’s what I’m hearing.

Chris: One thing that was notable for its absence, was the concept of zero trust.

Ned: Oh.

Chris: In previous years, zero trust was the belle of the ball at these conferences. This year, it showed up in a mere two sessions, and zero keynotes.

Ned: That is a significant drop-off from, like, two years ago.

Chris: Even last year, yeah. It’s crazy. So, the absence is probably down to a few things. First of all, companies that have embraced ZT are already doing it, and there’s really not anything to chat about. It’s an understood topic, philosophically and designalophically.

Ned: Who’s making up words now?

Chris: [laugh] . I mean, I think that’s really the problem is that it’s gone from marketing buzzword-y razzle-dazzle, to just a standard operating procedure.

Ned: Yeah. That jives with what I’ve been hearing is, the companies that are actually doing it are now doing it, and the ones that it was all just fluff, they are no longer in business—

Chris: Right.

Ned: Or got bought by other companies.

Chris: I mean, and the other thing is, it’s not the new hotness anymore. So, it’s really hard for its QScore to stay high. This is the downside of deep engineering concepts like zero trust. Once you get past that first wave of publicity, it’s just really hard to keep it top-of-mind. And since it is such a challenge to, you know, sit down and explain to somebody, things like zero trust just don’t get nearly as many influencers keeping up with it as whatever the latest new hotness is.

Ned: But we’re better than that. Check out our previous episode on Zero Trust DNS. Ehh?

Chris: [laugh] .

Ned: I worked it in there. That was good. I’m good at this [laugh] .

Chris: So, those were all the major things, and I could go on a little bit, but I won’t. One thing that was talked about that was interesting and was not necessarily technical in nature is the pernicious and not-talked-about issue of burnout in IT, particularly in security, and it was boiled down to a couple of things: number one, there’s not enough people doing it; number two, the ones that are doing it are overworked and underpaid; number three, the budgets are just not there for what is required to keep modern IT security up to date in almost any company; and number four, whenever anything goes bad, it gets dumped on IT security’s shoulders with basically no support.

Ned: Yeah, that all stacks up for me. I mean, burnout is a well known issue in IT, writ large. Security might even be worse. And we need more people to get into the field, which means the field needs to be more inviting, which is another issue with InfoSec as a whole, is it can be rather hostile to new people, especially ones that don’t fit a particular stereotype.

Chris: That’s because new people have cooties. We talked about this.

Ned: Yeah. And they smell. They smell good, which we don’t like. No, no good smelling people in InfoSec.

Chris: That’s how you know it’s a trap.

Ned: [laugh] . You’re probably right. Oh, dear. If anybody is interested in learning more about the Secure by Design proposal, we did a whole episode on that. Do you remember that, Chris?

Chris: Nope, sure don’t [sigh] .

Ned: In March, we did a whole episode on Secure by Design and analysis of the proposal by CISA, and also some reactions to that proposal. So, if you’re interested, definitely worth checking out that episode. But hey, thanks for listening or something. I guess you found it worthwhile enough if you made it all the way to the end, so congratulations to you, friend. You accomplished something today. Now, you can sit on the couch, fire up your AI prompt and ask it about zero trust. You’ve earned it.

You can find more about this show by visiting our LinkedIn page, just search ‘Chaos Lever,’ or go to our newish website, pod.chaoslever.com. You’ll find show notes, blog posts, and general tomfoolery. If we got something wrong, we did something you hated, you can leave us a comment or leave us a voicemail, which we will proudly read, or maybe even play during our tech news segments [laugh] , so enjoy that. If you want to be heard on tech news, leave us a voicemail. Go for it. We’ll be back next week to see what fresh hell is upon us. Ta-ta for now.

Chris: We’re also not above doing dramatic recreations—

Ned: Oh, yeah.

Chris: In the style of unsolved mysteries, if you prefer.

Ned: [laugh] . If you don’t want us to play the audio, we will do a dramatic recreation. We may even bring in a voice actor to do it.

Chris: We’ll make Ned do an Irish accent.

Ned: That goes well [laugh] for everyone.

Chris: [laugh] .