Shared Security is the longest-running cybersecurity and privacy podcast where industry veterans Tom Eston, Scott Wright, and Kevin Tackett break down the week’s security WTF moments, privacy fails, human mistakes, and “why is this still a problem?” stories — with humor, honesty, and hard-earned real-world experience. Whether you’re a security pro, a privacy advocate, or just here to hear Kevin yell about vendor nonsense, this podcast delivers insights you’ll actually use — and laughs you probably need. Real security talk from people who’ve lived it.
Welcome to the Shared Security Podcast, the longest running cybersecurity and privacy show for actual humans. No jargon, no hype, just honest analysis from industry veterans who've seen everything and survived it. Each week, we break down the stories that matter, expose the nonsense that doesn't, and give you the tools to stay safe in a world where everything is connected and nothing is guaranteed. This is Shared Security. Here's the part a lot of people forget.
Tom Eston:Once your mobile app is out in the wild, it's in an untrusted environment. Anyone can try to analyze it, modify it, or mess with it in real time. Traditional security stops at release, but attackers don't. You need protection that lives with the app wherever it runs. Learn more at guardsquare.com.
Tom Eston:This week on Shared Security, the US government has ordered Anthropic to suspend access to two of its newest frontier AI models, Fable five and Mythos five, citing national security concerns and a possible jailbreak. Now Anthropic complied but pushed back pretty hard, saying the issue was not really an issue and that the same kind of capability is already available from other advanced models. So what happens when an AI model becomes regulated like a national security technology, and if you're a business security team, or more specifically a defender working on an enterprise security team, who actually controls your access? And joining me for this topic are my cohosts, Scott Wright and Kevin Tackett. Hello, guys.
Kevin Tackett:Hey. I'm gonna be pedantic.
Tom Eston:Please.
Kevin Tackett:They're already regulated even without this.
Tom Eston:They are
Kevin Tackett:My understanding is they're a US based company. They have to follow the US government's rules plus any country that, right. Like, all that kind of stuff. Right. But yeah.
Kevin Tackett:When what do you do when the the whatever government you're dealing with throws a temper tantrum and says you need to block people right before they have jumping bikes and fighting people on their lawn.
Tom Eston:You mean a a gladiator event in front of the White House?
Kevin Tackett:Yeah. Idiocracy. No. Sorry. So what do you I look.
Kevin Tackett:Let me be very clear. If I was anthropic, I would, while I would hate that this happened and that this is a business impact and all that kind of stuff, there is a part of me that was like, yeah, man. They said we explode. What? Yeah.
Kevin Tackett:He
Scott Wright:brought it up real good.
Kevin Tackett:All I can say is, and we talked a little bit about this, have they not learned anything from the last few times they tried? Oh, yeah. Germany banned hacker tools. The US government banned the exportation, I don't know that's the right word. Yeah.
Kevin Tackett:Of SSL. Right? Like, oh, man. You know, that's too many bits for those foreigners to have.
Scott Wright:And we need to call it a munition in order to Yeah.
Kevin Tackett:Like, I you know.
Scott Wright:Scare people.
Kevin Tackett:I mean, to be rude, but I have a different definition of munitions, and they're fun to go to the range with. I I like You can keep I don't know. Right. Exactly. I've never killed anybody with encryption or an AI model.
Kevin Tackett:I guess I could say I'm
Tom Eston:Not yet, Kevin. Up
Kevin Tackett:there. But
Tom Eston:yeah. Yeah. This is
Kevin Tackett:this is not new. It was a bad idea before. It's a badder idea now, and stop being stupid, government.
Tom Eston:Yeah. And I also find it interesting. So I I'll link in the show notes that, you know, Katie Moussouris, who we all know, you know, she was actually given access to a paper about this apparent like bypass or jailbreak or whatever from Anthropic to review and like comment on. And I guess it was made by the government or whatever and said that it really wasn't a big deal because it was like what the models do to fix vulnerable code. Like that's the thing they were concerned about a jailbreak, which is like by design, like, yes, it's supposed to fix vulnerable code.
Tom Eston:That's what it does. And so she had a really good overview of it and how, again, this is definitely overreach, and it goes back, as you said, Kevin, it goes back to the days of export controls around encryption saying no other governments and foreign people can't have this stuff. Well, like, I don't know if the government's paying attention, but like GPT, what, 5.5 right now can do the same things, maybe even better than some of these models that Anthropic is releasing. Don't some
Kevin Tackett:tell them, don't tell them.
Tom Eston:Right, so like we've got a major, like there will be new models every day, every hour. Like, this is getting, like
Kevin Tackett:And they're
Scott Wright:not all gonna be American.
Tom Eston:Right. Well, deep seek. Right? The Chinese models are doing crazy stuff too.
Kevin Tackett:I think you you said it a little bit in the intro and you definitely said it inside of the the email that you sent out with with, hey, let's do this, is I I I truly believe that this does more harm to the organizations that are trying to fix things. And I wanna be very clear. I I know there are people here who are gonna say, but, Kevin, you were complaining about nobody's focused on defense. If we don't have the ability to test our own things Mhmm. If we don't have the ability to look at us, that doesn't block others from looking at us.
Kevin Tackett:And that, to me, that's this is a knee jerk. I have to do something. This is why we get stupid stupid versions of privacy laws. It's why we get stupid versions of universal health care. No.
Kevin Tackett:I mean, you're required to have insurance. I had this conversation. I was at WizzCon, the Wisconsin Information Security Conference. So inaugural year, it was amazing. Everybody should vote next year.
Kevin Tackett:They're doubling the size of it at least is my understanding. It's it's incredible. But having said that, I was talking to this this person, and I wanna be very clear. I'm not saying they're dumb or insulting them or anything else like that, but they came to me and they said, hey. I'm really worried about my data being lost.
Kevin Tackett:I'm really worried about people stealing my data. And what do you think of the idea that that government should make it illegal for companies to get hacked? And that's not how they phrased it, but that's that's really what it boiled down to was if you get hacked, you violated the law, and you're punished. Okay? Like, let's punish people for losing data.
Kevin Tackett:And I said to him, I'm not gonna argue the victim blaming and all that kind of stuff. I'm not gonna argue any of that kind of stuff. I'm just gonna ask you one question, and it's a very simple question. Can you name a thing that the government made illegal and it actually went away? Like, that's it.
Kevin Tackett:That's what I want somebody to do. And I'm not saying there isn't one. I'm not aware of one is what I will say. That is a very simple question. Tell me anything that the government has made illegal that actually stopped that thing from happening, and I'm not aware of one.
Kevin Tackett:And so what we've done is the same thing we always do. Gary, It the politicians will save us, and they pat the thing. They issued an executive order or whatever. Right? And now we're safe.
Kevin Tackett:There. I'm done. I just.
Tom Eston:So, Scott, I I love to hear your your opinion because you're you obviously live in Canada, and your government isn't just, you know, banning stuff. So I'm I'm curious to hear your thoughts.
Kevin Tackett:If I may, Canada is a good exception. They made it illegal to be rude, and every Canadian is polite. So There you go. Right. Yeah.
Kevin Tackett:We have it.
Scott Wright:And I was I was not gonna, you know, offend anybody by saying that, but Right.
Kevin Tackett:Right. Just do it. Yeah. It's fine.
Scott Wright:Yeah. I mean, this this gets into an area that I'm I'm probably I'm not feeling very confident in, but I think in general, I did some time working with Entrust as a product manager in the PKI space, which had a lot of crypto, and we had that experience back in the late nineteen nineties, early two thousands around crypto is a munition and it has export rules. Even though we were in Canada, because we're sort of, at the time, partnered with The US, we we had to be really careful about, you know, what we said or did with the algorithms and and stuff like that. And, you know, as Kevin said, it's not clear that it was all that effective, and I think what it really does is it actually makes the cost of defense more than the cost of the attack.
Kevin Tackett:Yes. Excellent point, Scott. Sorry. I that is absolutely, in my opinion, true. That's all I have to say.
Tom Eston:Yeah. I think that will be the quote for the episode for sure. Yeah. That's yeah. Yeah.
Tom Eston:Exactly. Like, it hurts the defenders. Absolutely. 100%. And I mean, the more people I talk to in the industry and the more that we're seeing AI being embedded into not just the things that people are talking about in the news of like, oh, I'm building these agents and they're helping me automate all these things, but they're actually helping defenders defend and helping defenders defend better and more efficiently.
Tom Eston:It just taking these things away does not solve the problem. It does not make things better. And just like we've seen, well, history repeating itself and, we never seem to learn from past history. I don't know why that is, but maybe that's why we have that saying. I don't know.
Kevin Tackett:That yeah. We are doomed to repeat it.
Tom Eston:Yes. Or we're just doomed, but whatever. Mobile apps are just part of everyday life now. Banking, health care, shopping, entertainment, you name it. And with that comes a lot of trust because users are putting their personal data directly into your app.
Tom Eston:But here's the reality, mobile apps are a growing target. A recent survey found that 72% of organizations experienced a mobile app security incident last year and 92% say threats are only increasing. And the way attackers are going after apps is pretty sophisticated. They're reverse engineering them, modifying them, and redistributing fake versions through phishing campaigns, sideloading, and even third party app stores. So from a user's perspective, everything can look completely legitimate.
Tom Eston:That's why taking a proactive approach to mobile app security really matters. You want to stay ahead of these threats, not react after the damage is done. This is where GuardSquare comes in. They provide advanced protection for both Android and iOS apps, along with automated security testing to catch vulnerabilities early and real time threat monitoring so you can actually see what's happening out there. If your mobile app is critical to your business, and it probably is, this is something worth paying attention to.
Tom Eston:You can learn more at guardsquare.com. That's guardsquare.com.
Kevin Tackett:I do wanna say, you brought up Katie Moussouris. I cannot think of a single example where she has spoken up about something, whether she agreed or disagreed. Right? Yeah. Where in hindsight, we saw that she was wrong.
Kevin Tackett:She is really, really good at looking at something, evaluating it, understanding the ramifications and context it is in, and then providing damn good recommendations. I I cannot say enough good things about her her ability. And sadly, we see it time and time again that people discount her, whether it's because she has pink hair or whether it's because she's a woman or whether it's just they didn't agree with her. I don't know. I cannot think of an example where they weren't wrong to discount her.
Kevin Tackett:She is incredible.
Tom Eston:I agree with you 100%. I mean, she's one of the people that whenever she posts something, I am definitely paying attention because to your point, she's usually right. She's always right, actually. Yeah. And what I like about Katie, I'd love to get her on the show too because she's been someone I've really admired in the industry.
Tom Eston:And she's just a great person. But I think that she has that experience. I mean, she was the one that started the Hack the Pentagon, the bug bounty program, when she worked at Microsoft. I mean, she has worked in the government circles. She knows how these things work.
Tom Eston:And so I would hope that more people in the government would pay attention to people like Katie, and there's others too, right? That we all follow and have and should have more influence into these government decisions, and we're just unfortunately not seeing that.
Scott Wright:You guys have any thoughts on, if you're a, you know, a corporate executive in a company that, you know, maybe especially the software development companies, you know, what do you make of this sort of activity or action by the government, and the risks that it puts on you as a user of AI in in developing and deploying your products and services?
Tom Eston:I I think for one, I think you just find an alternative, and there are alternatives as we as we talked about. Right? Like, the government can try to ban whatever.
Scott Wright:But it's sort of a systemic or systematic problem. Right? It's not just The US and Anthropic. Right? It's like if you're depending on a cloud based AI, you don't have real control.
Scott Wright:It's kinda like the debate that we've had with, hate to bring this up, but the Canadian government buying F-35 fighter jets. Right? And then the other governments looking at it are now debating whether there's a kill switch that The US can just flip and disable or, you know, put the jet at a disadvantage. And it's a similar thing with these cloud tools. Right?
Kevin Tackett:If I may, I think that isn't an AI or cloud specific thing. No. Right? It is if you're deploying something that is mission critical for your business or even, you know, mission moderate, I don't know if that's a real phrase, but let's go with it. Right?
Kevin Tackett:You have to have a record plan. Let me give you a good example of this. Secure Ideas right now, today, is in the process of transitioning from our current client portal to a new client portal. We're moving to PlexTrac. Right?
Kevin Tackett:Not a plug, not a sponsor, whatever. I I I don't know what's
Scott Wright:gonna say.
Tom Eston:They they were a sponsor in the past, which is fine. I love those guys.
Kevin Tackett:Yeah. Okay. But we're moving to PlexTrac. Yeah. Damn.
Kevin Tackett:I probably should have known there. I don't know. Doesn't matter. Okay.
Tom Eston:It doesn't matter.
Kevin Tackett:We're moving to PlexTrac. And as we're planning the migration, one, we are, knock on wood. Right? Pray my butt off. We are trying to plan backout plans and rip cord plans for when, if something goes wrong.
Kevin Tackett:And we're also evaluating long term backout plans. Right? Because today, PlexTrac is what we need. PlexTrac is what we're using. If somehow they piss off the government and the government says, Yeah.
Kevin Tackett:In that day. What do I do? Right? How do I how do I recover from that? That is a if if you're in business and not thinking of that, I'll be blunt.
Kevin Tackett:You're not in business long. Right? That is absolutely something you have to keep on top of. You have to keep in mind on anything that you do. Now having said that, now let's talk about a slightly related thing.
Kevin Tackett:Okay? We've recommended that you have alternatives. Right? That's cool. How many marijuana dispensaries are cash only because they don't believe that the alternatives will let them do what they need to do because the government will just go after that alternative?
Kevin Tackett:Right?
Scott Wright:Interesting.
Kevin Tackett:Yeah. That that so in this specific case where we're saying, okay, Anthropic did something. We know part of it is a temper tantrum because, you know, I like to pretend to be a military guy in the Department of War dude got his panties in a twist because Anthropic wouldn't let him do stuff. Sorry. But, you know, that's they went down this path.
Kevin Tackett:There's nothing stopping them from doing the same thing to OpenAI. There's nothing stopping them from saying, hey, if you're a US company and you're working with a Chinese AI thing, you're out. Right? I know that right now, every year, I have to file a form with the state of Florida that says I don't have any Chinese nationals that own part of the company, right, because of some stupid law. And that's easy.
Kevin Tackett:I'm the only owner of Secure Ideas, and I'm not a Chinese national. Oh. But here's the I'm very funny. They know that. Right?
Kevin Tackett:But there's nothing stopping them from doing that in in the future, and you have to plan for that.
Tom Eston:All right, well, I think that's all we have time for today. So if you have comments about this topic in this episode, are you a defender? Are you somebody that's using these models, or do you have a very strong opinion about it? We'd love to hear from you. Please send us an email, feedback@sharedsecurity.net, or you can go on to the socials and find us on Bluesky, wherever, or on our YouTube channel.
Tom Eston:We would love to hear your comments about this topic. And then just one last thing before we adjourn for today, but I wanted to let everybody know that we did relaunch the Shared Security Podcast newsletter.
Kevin Tackett:Yay.
Tom Eston:And so you can sign up for that at sharedsecurity.net/newsletter. We are keeping that updated weekly with a recap of the episode as well as some other news stories that you might find interesting, sometimes related, maybe not related to the episode, but we would definitely like for you to subscribe to that. Alright. Well, thank you again, Kevin and Scott, always a pleasure. And thank all of you for listening.
Tom Eston:Stay safe, stay secure, and stay private. Thank you for listening or watching. If you like this episode, hit subscribe, share it with your friends and colleagues, or jump into our community at sharedsecurity.net/supporter to keep the conversation going. Thanks again, and we'll see you next week for another episode of Shared Security.