Risky Business - Risky Business #733 -- Say cheese, motherf---er
Episode Date: January 23, 2024

In this week's show Patrick Gray and Adam Boileau discuss the week's security news:

Microsoft honks its clown car horn
Australia's hounds, released, catch their man
The beginning of the end for Scattered Spider
SEC was SIM swapped but had MFA off anyway
Ivanti learns a lesson…
… while Progress does not
and much more

DHS undersecretary for policy and Cyber Safety Review Board head Rob Silvers is this week's feature guest. He joins the show to talk about how the CSRB handles possible conflicts of interest from board members with industry day jobs.

In this week's sponsor interview Resourcely's founder Travis McPeak talks about why we need to help developers with "paved roads" instead of relying on dashboard products to tell us when things have gone wrong.

Show notes

Microsoft network breached through password-spraying by Russia-state hackers | Ars Technica
Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard | MSRC Blog | Microsoft Security Response Center
Medibank cyber attack: The weakness that saw Medibank hacker Aleksandr Ermakov exposed | Exclusive
Russian man identified as Medibank hacker, hit with sanctions by Australian government - ABC News
Middle District of Florida | Palm Coast Man Arrested For Wire Fraud And Aggravated Identity Theft Charges | United States Department of Justice
SEC.gov | SECGov X Account
Owner of BreachedForums sentenced to time served plus 20 years supervised release with special conditions
CISA issues emergency directive for federal agencies to mitigate Ivanti vulnerabilities | Cybersecurity Dive
Ivanti Connect Secure exploitation accelerates as Moody's calls impact credit negative | Cybersecurity Dive
Progress Software shakes off MOVEit's financial consequences, maintains customers | Cybersecurity Dive
Cyberattack on Ukraine's largest telecom provider will cost it about $100 million
Ransomware attacks leave small business owners feeling suicidal, report says
Canadian Man Stuck in Triangle of E-Commerce Fraud – Krebs on Security
Experts call for US Cyber Safety Review Board rethink • The Register
Transcript
Hey everyone and welcome to Risky Business and boy oh boy do we have a show for you today.
Adam and I will be talking through the week's news in just a moment, the doxing and sanctions
against the Medibank hacker.
We're going to talk about Microsoft getting clown-carred again by Russians.
There is just so much good stuff to talk about this week.
And then we're actually going to be joined by a feature guest this week, Rob Silvers.
He is the Undersecretary of Policy at DHS and the Chair of the Cyber Safety Review Board.
And he's popping in to set the record straight on a few things.
There was a Senate hearing into the CSRB last week.
And, you know, some of the testimony was a bit unkind in a few ways, and actually a little bit off base.
So Rob's going to be along a little bit later on to talk about why the board relies on industry figures to participate in it,
which was one of the areas where CSRB got a bit criticized last week.
And he's also going to talk about how they handle conflicts of interest, because there is a very robust process there, and he's also going to talk a bit about what's going to change for
the CSRB once a new bill passes that will give it subpoena powers. Right, so that is coming up soon.
This week's sponsor interview is with Travis McPeak of Resourcely, and we're talking to Travis
about how dashboard products that do things like detect cloud misconfigurations are great, but they don't actually help you fix problems.
So Travis thinks we need to focus more on laying down what he calls paved roads for developers instead of trying to mitigate issues after they're in production.
You know, and trying to mitigate them by plumbing Wiz through to JIRA.
You know, you get a ticket and you get a ticket and everyone gets a ticket.
That's coming up later.
But first up, let's get into the week's news now
with Adam Boileau.
Adam, hello.
Hello there, Pat.
And mate, we have seen a disclosure to the SEC
by Microsoft and an announcement from Microsoft,
which is just a "you what, mate?"
kind of incident disclosure.
This one is so weird.
Can you start by telling us what actually happened here?
Oh, boy, oh, boy, oh, boy, Microsoft.
So some Russian military hackers were nosing around Microsoft's presence
on the internet and managed to just like straight up password brute force
or guess or reuse a password,
single factor into some like old test system.
A test tenant.
Yeah, they password sprayed their way into a test tenant.
I mean, that's no big deal because it's a test tenant, right?
Yeah, but what possible access could it have?
Turns out in Microsoft world, their test tenant,
somehow by mechanisms we haven't really understood yet,
had access to all of their corporate email,
or at least a subset of their corporate email.
It's a little unclear how, but the net result was that
this particular group, Midnight Blizzard, or Nobelium,
they were rummaging around in the email spills of senior
cybersecurity people and legal people trying to find out
what they knew about Midnight Blizzard, the hacking crew in question.
And Microsoft dropped this disclosure late on a Friday afternoon
with not much detail, which left a lot of us, as you say,
going, excuse me, you what, mate?
You what, mate?
Like, that was just, come again?
Yeah.
And I love it.
I think they said something about like how production systems
weren't impacted.
It's like, hang on, man, if you got Russians rolling through
like very sensitive mail spools with authed access, I mean, sure, okay,
that's not a production system breach,
but those are kind of production accounts.
I'm sure Microsoft's legal people feel that their email is a production system.
But yeah, the idea that an old test account, single factor on the internet,
bad password could lead to Microsoft legal's emails,
like that's not a situation that should be happening.
And, you know, Microsoft has spent quite
a bit of time lately talking about, you know, they launched their new, what was it, Secure Future
Initiative. Yeah, but that's only a couple of months old. Like, we can't say the initiative has failed,
right, because of this. Like, but, but, but, I had to read this twice. Were you the same when they
published this? You read it and you're like, hang on. Hang on. No.
Maybe there's some wrinkle in here.
Maybe there's some nuance.
Maybe there was some stunt hacking in here we missed, you know.
And the Chinese clearly had to work hard there
and pull off some epic stunt hacks.
Yeah.
The Russians did not.
They password sprayed into an over-provisioned account
abandoned in a test tenant.
Like, listen to this, though.
The language is hilarious because I reckon it's my feeling that this account that they got by password spraying
had a lot of privilege, right? So they only used it on certain accounts, but listen to the wording
here from Microsoft. The threat actor used a password spray attack to compromise a legacy
non-production test tenant account and gain a foothold. And here's the important part,
and then used the account's permissions to access a very small percentage
of Microsoft corporate email accounts.
Now, you would notice they didn't tell us what percentage
of Microsoft corporate accounts that account had access to,
just that it was only used to access a very small percentage of them.
So I'm wondering if this gave them access to pretty much everything. I mean, you know, having
full access to read people's emails is pretty privileged, and, yeah, you know, clearly to a bunch
of people. Like, that's not just like a duplicated user privilege, right? Like, this is,
you know, how could that only give them access to, like, senior cybersecurity and legal?
Like, no. Like, this thing feels like it
could have been an account that was provisioned in such a way that gave them access to Microsoft
corp email boxes, like all of them at a minimum, and possibly more. Possibly more. Like, I don't
know what the inside of Microsoft's network is like. I assume there is not one domain admin that just
gives you everything inside Microsoft.
Well, to reassure you on that,
I'm sure Microsoft have no idea
what their internal network looks like either.
So I don't think you're alone on that.
Don't feel bad, Adam.
Don't feel bad.
But I mean, come on, Microsoft.
Like, this is how you get CSRB'd, right?
This is how you end up, you know,
getting spanked and having governments
looking at you askew
and people asking questions. Because, you know, we expect Microsoft customers to do better than this,
which means we have to expect Microsoft to do better than this.
Yeah, look, I think this just is
a product of scale, right? Like, it really is a product of scale when you're not paying very
close attention from the top down to security to stop stuff like this from happening. Because,
you know, at this point Microsoft has just grown so quickly. You know, Satya has done an amazing job
of turning Microsoft into, just because its influence was on the wane, you know what I mean? You
sort of felt like Microsoft's sun was setting, and then in comes Satya and just turns them into a beast
again. And, you know, the emphasis was on growth, it wasn't on security and safety. All of the cloud
business and Azure, and like so much has happened there that you can certainly understand a test
tenant in Azure somewhere, you know, having a whole bunch of access, because they are, you know, very
much building that as they are flying it. Yes. And at least, you know, to their credit, so this
apparently the breach happened sometime in November.
They spotted it on January the 12th,
and they were disclosing it to the SEC on January the 19th.
So five days to turn around an investigation,
like that's pretty good, actually.
I mean, I've heard from one CISO pal who's like,
I don't know that this is material.
I don't know that they needed to disclose this to the SEC.
But I guess they're just erring on the side of caution, which we're going to see a lot of companies doing that this year now that these new SEC disclosure rules are in place.
Yeah, and I think that's a good thing, right? I mean, much better that it doesn't get covered up. I would
much rather know that there were Russians inside Microsoft's mail spools, you know, even if we don't
know the specifics of how. I would like to know, and I'm sure many of the customers and shareholders would also like to know.
Yeah. Now, look, moving on to the other
big story of the week, and this one is just, I love this, I want to inject this story into my veins.
The Australian government has identified, doxed and sanctioned the individual responsible for
the hack of the Medibank private health insurer here in Australia.
This happened in, I think it was October 2022.
So about 15 months ago.
Yeah, they found him.
ASD and AFP went after the guy.
They found him.
They've identified him.
They've published his name, his location, his handles.
And also, I love this.
They published the trophy shot from the guy's webcam just to let him know,
just to let him know that his box got shelled.
Here are some comments from Australian Foreign Minister Penny Wong
announcing the sanctions.
This morning I can announce that Australia has used cyber sanctions powers
for the very first time on a Russian individual for his role in the breach
of the Medibank private network.
I can confirm that thanks to the hard work of the Australian Signals Directorate and the AFP,
we have linked Russian citizen and cyber criminal Alexander Ermakov to the attack.
Richard will speak more about the substantial efforts which have gone towards this and can I
thank the officials for their work on it. I also want to acknowledge Tim Watts, the Assistant Foreign
Minister who has worked so hard on this attribution and on these sanctions. The sanctions imposed are
targeted financial sanctions and a travel ban. This will mean it is a criminal offence punishable
with up to 10 years imprisonment to provide assets to Ermakov or to use or deal with his assets, including through cryptocurrency wallets or ransomware payments.
It sends a clear message that there are costs and consequences for targeting Australia and for targeting Australians.
Say cheese, mother****er.
Exactly. But look, the United States and the UK
have also followed suit and also sanctioned this guy. And I just think this is great. And I've
seen a few people poo-pooing the sanctions, oh, well, what's that gonna do, blah blah blah blah. But I
think the sanctions component is actually less important than the doxing component, because this
guy's life just got a lot more complicated.
He's probably going to have to pay some bribes to stay out of trouble.
Every single criminal in Russia now knows that he is a vulnerable 33-year-old with an absolute ton of Bitcoin.
So, you know, this is not a happy time for him.
And he's probably, like, right down in the well of the paranoia vortex
right now, like tearing apart every electronic device in his possession trying to look for ASD
shells that have long been removed. So sucks to be you, dude. But what's your feeling on all
of this? I mean, I think given how difficult it is to get people out of Russia to face any kind of
justice, right, there weren't a whole deal of great options. And, you know, on the one hand, doxing someone as a nation state as a way of punishing, right, I mean,
there are some concerns around that. I mean, there's the, you know, we have a judicial system, we have a
system that's meant to deal out justice. And, oh, but an arrest warrant does, an arrest warrant does the
same thing. Come on. Yeah, yeah, yeah. So my point is, like, there are other mechanisms that we would prefer
in the ideal world to use
rather than just doxing someone in a foreign country.
But we don't have any of those options.
And this is, honestly, it's just really nice to see, right?
But even if we did have that option,
we would still be doxing them by nature of arresting them
or putting out an arrest warrant, right?
So I don't know that there are any concerns about that. I do think, I mean, don't forget this is the guy who published
a list of women who had claimed pregnancy terminations on their health insurance in
Australia. Yes. Pulled that out and published it. Like, he is like a scumbag, right? Like a total
scumbag. So he got the special treatment.
They're not going to do this for the guy who enumerated Optus data.
No, they won't.
This guy gets the full treatment.
The special treatment, yes.
Yeah, but I wonder if this is enough to disincentivise other people
in Russia from doing the same sort of thing in Australia.
And I would have to fall
on the side of thinking it would dissuade some people, I think. When you see that you actually
get a special response like this, I think you would just, some people would decide it's not
worth it. Not all of them, because these people aren't the clearest thinkers or the most logical
thinkers, but I think it could actually make a difference.
Yeah, and especially, like,
you have a plethora of target options as a cybercrim, right?
And even if you are specialising in, you know,
English-speaking Western First World countries,
you've still got other options.
Like, New Zealand is very like Australia.
You could hit us instead of the Australians.
And that, you know, it doesn't take much
to run faster than the next guy to get away from the bear, you know.
And the Australian government and deploying the second agency
to go impose some cost on people, like I think there probably
are a lot of other governments looking at Australia's response here
and going, actually, yeah, maybe this could work for us too.
Maybe there is some option here to be able to go and impose cost
in a way that gets around the lack of good law enforcement,
normal criminal process.
And so in that respect, we're all about releasing the hounds around here,
and I think Australia has released some hounds,
and those hounds have caught their quarry,
and we have the trophy picture, as you say,
and the costs that this
imposes on him in terms of his life, right? It's not just making travel difficult. It is, as you say,
now everyone knows he's there, knows he's a target. He's going to have to pay protection money. He's
going to have to, yes, take a bunch of precautions that were, and he can't just leave
to avoid paying the protection. Like, it's not a good time, you know. No, exactly. And like, that's good, right? Seeing some
real cost imposed on people who have felt like they can just get away with this stuff
and bribe their way out of whatever trouble, like limited trouble, you might get into in Moscow or
wherever, you know, they happen to be. So, yeah, I'm all for this. This is solid work by the Australian hounds,
and we salute you, sirs.
Yeah, I mean, we have seen a similar action.
I was talking about this with our colleague, Tom Uren, yesterday,
and I was like, I can't think of anything quite like this happening before.
And we went away and we did a bit of Googling,
and Tom found, and remembered, that the US has previously sanctioned the group behind TrickBot, so the individuals attached to TrickBot.
So we have seen these sorts of sanctions before. I think this one still feels a bit different, though,
because that was like, okay, we're sanctioning the members of a transnational, sort of, you know,
serious criminal organization. This one is like, we're sanctioning and identifying this guy because we don't like him. Yes. Yeah, exactly. And it's, you know, it feels more personal, because, like, he
was associated with REvil, right? So they could have just said, we're gonna sanction some
REvil people. But yeah, this feels a bit more on the nose, and, as you say, the fact that
they are demonstrably up in his business. Yeah. Well, and I wonder, I wonder what
else they've done to him, right? Because they haven't said. Like, I mean, they were clearly on his devices,
and I just love it that someone made the decision to declass that photo they took of him through his
own webcam. That's brilliant. Yes. Because that sends a message. But you wonder, like, was he using cold
wallets?
Was he diligent in his opsec?
Does he still have his Bitcoin?
Because if he's put in a position where he's identified as someone with a lot of Bitcoin who actually no longer has Bitcoin,
you're thinking he's going to lose a few fingers.
Anyway, my point is, I love this.
I think it's great.
Moving on to some actual law enforcement action on this.
I got a release in front of me from the Department of Justice in the United States
that a Palm Coast man has been arrested for wire fraud and aggravated identity theft charges.
This is in Jacksonville, Florida.
United States Attorney Roger B. Handberg announces the return of an indictment
charging Noah Michael Urban, aged 19, from Palm Coast, also known as Sosa,
which I think is a terrific handle, by the way,
because Sosa was the Colombian drug dealer in Scarface.
But anyway, other handles,
Elijah, King Bob and Anthony Ramirez.
He's been charged with one count of conspiracy
to commit wire fraud,
eight counts of wire fraud
and five counts of aggravated identity theft.
And he's looking at a number of years in prison.
Now you're like, okay, why is Pat talking about some random 19-year-old in Florida getting arrested? It's because a little birdie got in my ear and told me this is one of the Scattered Spider
kids. Yeah, well, he's certainly a kid at 19. And they said something like 800,000 being stolen as
part of the identity theft stuff he was involved in. So, yeah, if he is one of the, one of the Com, one of the Scattered Spider crew, then, you know, clearly he's not going to be the
first one, because I'm in that, you know, if they're up in that group and they're investigating and
they're at the point, I think, I mean, he's not going to be the last one. But yeah, not gonna be the last
one, sorry. Then, yeah, if they're up in those kids' business, then maybe this is the beginning of a
bunch of them seeing some charges,
which are probably well-deserved.
Yeah, so this release actually went out on January 11 and no one kind of noticed.
And then I got a sort of bit of a tip saying,
you know, it could be wrong, right?
I've had bad information before,
but I'm sort of told that this guy is perhaps, you know,
allegedly involved in the Scattered Spider stuff.
So, yeah, bad time for him.
It surprises me that it's taken as long as it did.
I mean, it's still only been a few months though, really, hasn't it?
Yeah, and then these things do take time,
and especially if it's a very big group with lots of connections,
they've got to unravel and decide that they've got everything they need
to start actually rolling on them in public,
having the news go out and stuff.
So, yeah, I'm sure a lot of solid police work was done.
Now, a quick follow-up on the SEC Twitter hack.
I just think it's interesting, actually, what happened here.
They were having trouble with their MFA,
so they asked Twitter support to disable it,
and then they just never re-enabled it.
That's how someone was able to do a SIM swap. And, you know, so even if they were using SMS MFA at that point,
it wouldn't have mattered, because they SIM swapped it and took over the account that way.
I did find something interesting, though, buried in this, which I didn't see previously. Like, last week
we spoke about how I was crushed because it looked like they just published a draft tweet. On January 10 they actually said that the unauthorized content on the SECGov account
was not drafted or created by the SEC. So that's interesting. So I was thinking they just pushed a
draft tweet, but it actually looks like maybe the attacker, maybe they're about to pick up another
star, Adam, for the Yelp for Crime. Maybe it was actually cool. Maybe, maybe
they did Photoshop up the image that they posted it with to make it look like it was
legit. But yeah, I guess we will, we'll see. Whether, I mean, still, what did you give it, like,
one and a half stars last week? So I can't remember. I think it was still two and a half. But I know, I
mean, I think it might actually be what we thought it was, like, which is someone, and maybe even better,
because they were drafting, you know, they did a tweet
and, you know, legit-looking artwork announcing something
that the SEC was expected to announce anyway.
So maybe they were like really playing 4D chess
and they're back up to five stars.
Maybe they can be six out of five stars.
Maybe.
I guess we see, you know, with the Lamborghini sales peak in the United States next
or whether someone shows up with a whole bunch of money,
they may have it because that's the proof of the pudding, right?
Get rich.
I try.
Let's see.
Let's see.
Let's see if there's an arrest in six months of someone for, you know,
using Bitcoin instruments to trade on that.
That'd be interesting.
But I have a feeling this will just go away.
Probably.
That is my vibe on this.
Now, let's talk about Pom Pom Purin
because this is the owner of Breached Forums,
just a kid who looks like had a real hard time
when being locked up.
There's talk of a suicide attempt, unfortunately.
Unsuccessful, fortunately.
Been sentenced to time served. This is Brian Conor Fitzpatrick, who has been sentenced to
time served, and he's just going to be on supervised release for, checks notes, basically forever.
And no one's really quite clear on why, because the prosecution were asking for quite a heavy
sentence here, and it looks like, yeah, that's not going to happen. And, you know, you wonder, you know, he
had a sort of history of mental health issues, really not coping in prison. But, I mean, that's not
usually a way that people wind up with a reduced sentence, is that they don't like prison and it is
exacerbating their mental health condition. But I believe, you know, it's possible he's quite sick.
And the other possibility, of course, is that, you know, there's maybe a cooperation agreement we're not
aware of. Yeah, it's certainly interesting, because, you know, we're used to seeing disproportionate
sentences in the United States towards the heavy side, and it's unusual to see something, you know,
lenient, or something that's got, you know, has taken into account some of those mitigating factors, perhaps.
So he was out on bail.
He before, whilst he was being, going through the process of his trial,
he got briefly rearrested for violating the bail conditions.
And then, yeah, now is on home arrest for two years with a GPS,
you know, location monitoring bracelet or whatever.
And the terms of his, you know, his supervised release are pretty strict.
And some of them are like, must not use the internet.
Yeah, I mean, I think he's on an ankle monitor for the first two years.
For the first couple of years.
But then even after that, there is still a requirement
that he's not allowed to have a job that involves the internet,
which, like, who doesn't have email at work, right? I mean, that's
a pretty difficult set of restrictions. There's also, relating to the child sex abuse material
that he had, there's a bunch of restraints about, you know, associating with children or being
involved in jobs that have children, and so on and so forth. So it's a pretty restrictive set of
conditions, as you say, for 20 years. Yeah. And he can be thrown back in the
clink, you know, if he violates those conditions. So it's, yeah, it's not a, you know,
gentle slap on the wrist and off you go, enjoy the rest of your life. No, it's onerous supervised
release. Yeah. What's funny, though, what you mentioned just about the not being allowed to use a
computer thing, I just always remember the talk by Sammy Kamkar,
who of course wrote the MySpace Sammy worm,
which took down MySpace quite by accident.
So he got in a bunch of trouble over that.
And as a part of like when he was going through
the whole legal process on that,
he was banned from using the internet for a couple of years.
And what's funny is like, if you've ever met Sammy,
he's really charming.
He's just a really agreeable guy to be around. He's a lot of fun. And, you know, he says he had to learn how to
be agreeable and fun to be around, because he wasn't allowed on the internet anymore. It made
him go out and develop social skills, which he said he absolutely did not have before that
period where he got kicked off the internet. So there you go. He had so many friends on MySpace.
Yeah, all of them.
All of them.
That was kind of the problem.
Now CISA has issued an emergency directive for federal agencies to apply mitigations
for this Ivanti stuff.
There's a crew going around exploiting Ivanti software.
And the mitigation, I believe you've looked at that.
It's pretty ugly. I mean, I know
GreyNoise is seeing this popping off, right? So it's like they're the
disaster child this week, Ivanti. And even Moody's has, like, downrated them in terms of
credit because of, you know, what's happening. So, yeah, Ivanti is this week's disaster vendor.
Yeah, yeah, they certainly are. I
mean, that mitigation that you're supposed to roll out looked unpleasant as an admin, and,
you know, apropos of our various conversations about how difficult it is to patch fast enough
these days, now we've got CISA telling people you need to download this weird XML file from
Ivanti and apply it to your things, because there still isn't a patch yet. And, yeah, the, I think was
it Volexity who had been tracking compromise of this, said there's currently at least 2,100
systems that are already compromised. So if you have one of these and you're getting CISA's
guidance now, you know, you probably should be running the integrity checking tool, although
I think even that they were starting to bypass as well, the attackers who were doing this. So, you know, that conversation we had about, it was on
Seriously Risky Business, about how China is willing to dig in in ways that, you know, Western
intelligence or Western cyber, you know, actors probably wouldn't. Yeah, they are bypassing the
tools that Ivanti work on. So, like, it's just such a mess.
So don't blame Moody's for downgrading the outlook on them.
Yeah, so Moody's Investor Service said
that the attacks are credit negative against Ivanti.
The attacks have a negative implication
for the company's reputation
and could lead to higher customer attrition,
potential litigation and impact revenue growth.
Cybersecurity Dive has that report. But, Adam,
Moody's might be wrong. They may well. Depressingly, this is the story, there's always one every week,
that makes you want to go live in a log cabin and just never connect to the internet again,
and the "what are we all doing here" story. And this is another one from Cybersecurity Dive.
Matt Kapko has this one.
And it's that MOVEit, Progress Software,
the company that owns MOVEit,
and we all know MOVEit was the disastrous file transfer appliance
that got everybody owned.
Was that last year?
Yeah.
Business is great.
Business is booming.
MOVEit is one of their stronger performing lines. To the moon.
So that's what making terrible products that get all your customers owned gets you is massive.
13% year-on-year revenue growth.
13% year-on-year growth in revenue.
I mean, you know.
And the file transfer component, 17% year-on-year growth.
So the moon.
Yeah, yeah.
I mean, Moody's may be wrong.
Maybe Ivanti is also going to go to the moon
and now is your chance to buy low and sell high.
But yeah.
Well, I guess a lot more people heard of MOVEit, didn't they?
Yeah, I guess.
Like any publicity is good publicity, they say, right?
And I wish that wasn't true because it really shouldn't be.
But perhaps we and our dear listeners are just crying to ourselves all day long
and no one else really cares about the cybers and about the computers
and the securities and all of the data and all the people who have their things stolen.
It's depressing, isn't it?
We just weep salty tears of defeat.
We do.
We do.
Now, we've got a few more stories to get through
before we bring on this week's feature guest,
but we'll just run through these quickly.
The Record is reporting that Kyivstar,
which was attacked by the Sandworm crew
and they had their whole infrastructure rm -rf'd,
that's going to cost them 100 million bucks in foregone
revenue because they're doing this big customer loyalty push. Because obviously the first thing
that happened when they went down is a whole bunch of people went out and bought SIMs for
rival networks. And, you know, so they're trying to rebalance all of that. So it looks like the
cost is going to be at least 100 million just on that side of things. There's a link in this week's
show notes to the write-up from Daryna Antoniuk, who is,
of course, based in Kyiv. We've got another one from The Record here by Alexander Martin that is
worth drawing attention to, which says, ransomware attacks leave small business owners feeling
suicidal. And this is a report from RUSI, which is the Royal United Services Institute.
And it's, look, it's just important work that I
think needs to be highlighted. And I've dropped a link into this week's show notes to that one.
But I just want to read a couple of paragraphs from it. RUSI assessed that incidents affecting
small business owners can have a greater psychological impact because of how close
together the individual's personal and private lives can feel. And here's a quote,
if you run your own business for 20 years, that is your personality. That is your only source of income. I feel that, you know,
I've run this business nearly 20 years. It's a big part of my identity. I feel it. So when I was
reading this, I was just thinking, you know, what if I wasn't a security person and I'd be built,
you know, some business in some other industry, then someone just came along and torched it.
You know, what would that do to me?
And it wouldn't be pretty.
Did you find this one a harrowing read as well?
Yeah, it really is.
And we are fortunate that we're in an industry
that kind of allows us to protect ourselves to a degree,
but you really feel it for so many customers
that I've dealt with over my years in consultancy
who just aren't equipped to deal with these threats.
And, yeah, you see them having their stuff torched, stuff that they've worked on for years, and having to make choices to, you know, let some of their staff go because businesses, you know, their business has been disrupted or whatever else.
Like, you really do, you know, it has very, very real impacts and stuff.
And, yeah, it's hard to read.
Yeah. And we're just going to finish up here with a story from Brian Krebs. And this one is just... I don't... worry,
what is this? Like, basically, a Canadian man just tried to buy something on Amazon and he wound up
being arrested. Yes. So this was, he fell victim to a scam where someone lists on an online
marketplace, like on Amazon or eBay or whatever else, the products for sale. You buy them, then they
use a stolen credit card to buy the products that you have ordered and ship them to you from some
other third party, you know. Yeah, so they drop ship. They basically drop ship to you using a stolen credit card. Yes.
And then in this particular case, the guy worked for like a First Nations group in Alberta
that provided, like in this case,
he was buying like multiple sets of children's outdoor
like furniture or whatever,
like things for kids to play on
and that he was going to distribute to the youths in his neighbourhood.
And the person whose credit card was used phoned the Canadian Mounties.
The Canadian Mounties rolled up to this guy's house
and arrested him for using a stolen credit card to buy these goods.
And now he ended up getting fired from his job
because he got charged with a crime,
even though
you know, the police in this case, I think, have chosen not to prosecute now they understand
their mistake. But it's really ruined this guy's life, and he just went online and bought something
from a seller that had four and a half stars out of five or whatever from this Amazon marketplace
seller. And Amazon's like, well... Which, yeah, you know, not a great response. And, yeah, I mean,
there's so many ways to do online fraud and online crime, but the ones that leave a really
horrible trail behind them, like ruining people's lives, this is one of them. And it was just a
horrible read. Normally the Krebs stories end with someone getting doxxed or outed or whatever else, and this one didn't have a happy ending. So, yeah, grim. Grim indeed. Yeah, that's a bucket of sunshine to end the news on. But that
is the end of this week's news segment, and it's time to speak to our feature guest now, Rob Silvers.
Rob is the Undersecretary for Policy at the U.S. Department of Homeland Security, and he's also the
chair of the Cyber Safety Review Board, or CSRB.
Now, there was a Senate hearing into the CSRB last week,
and it heard testimony from the likes of Tarah Wheeler
and Trey Herr from the Atlantic Council.
And, yeah, the witnesses agreed that CSRB should have more powers,
which it is likely to get,
because there's a bill before Congress right now
that would make the CSRB permanent and give it subpoena powers.
And currently it's not permanent because it was established via an executive order signed by Joe
Biden. But it wasn't all, you know, positive stuff last week at the Senate hearing. The witnesses
also criticized CSRB for having industry board members, which, you know, okay, fine. There is
potential for conflicts of interest there if you have industry participants.
But that's not something that hasn't been addressed.
And I think that's maybe something the witnesses there didn't necessarily know about.
So we're going to get Rob's thoughts on that in a moment.
But Rob, welcome.
And first of all, why don't you just tell us a bit about what will change if this CSRB legislation actually passes and makes the board permanent.
Patrick Adam, thanks a lot for having me on the program. So it's important to start with right
now, the Cyber Safety Review Board is fully operational and conducting its reviews. The
board was actually launched by an order that President Biden issued in 2021, his landmark cybersecurity
order. And we have conducted two complete reviews to date on the Log4j vulnerability and then on the
Lapsus group of threat actors. And now we're in the middle of our third into the recent Microsoft
Exchange Online intrusion that was reported in the summer of last year. What we've proposed as an administration
is legislation that we want to work with our Congress on that would enshrine the board in law
and give it some additional authorities to do its work while also maintaining its really unique
character as a truly public-private
organization where half the members are all the public sector U.S. government leads for cybersecurity
and half the members are cybersecurity luminaries from industry and academia in the non-profit
world. The legislation would, amongst other changes, give to the board a limited subpoena authority to ensure that the board can get access to whatever information it needs to conduct its authoritative after action reviews and develop those lessons learned from the biggest cybersecurity incidents that the cybersecurity community needs.
Can you arrange this so that we can have subpoena authority as well when we're looking at a
breach?
Because that would be super rough.
CSRB first and then risky business.
And then journalists.
Yeah, yeah, yeah.
Got it.
Got it.
Now, look, there was this, you spoke about the public-private dimension to this.
And last week, we did hear some Senate testimony where people were bringing up this idea
that, you know, having industry involved, it introduces a bunch of conflicts of interest. And,
look, I can understand on the surface why people, you know, why that's something that needs to be
considered, right? Because, you know, people do have, the people who are contributing to the board,
I mean, many of them are industry people who do have interests outside of government.
But at the same time, I don't think the people doing the testimony maybe realized that the rules around this are actually quite strict already. Like, what are the rules in terms of deconflicting
some of these investigations? Yeah, it's a really important question. And we have really good answers to that question because it's of utmost importance
that the board's work be done free from any kind of preference or bias or favoritism on the part
of any of the members. And I can understand why people ask the question, well, if you're going to
have industry members on the board, aren't they going to make decisions that tilt in favor of whoever their employer is? But here's the thing. We have developed really stringent ethics and recusal
rules for every aspect of the board's work. We have DHS career agency ethics lawyers who receive
full financial disclosures from every single member. They know what they're invested in,
who their employer is, where they draw income from, and they make assessments for each review
as to any potential conflicts of interest. And if there is a conflict of interest,
or even the appearance of a conflict of interest, then the ethics council will order that a member be recused from the review at issue. And we have
exercised that recusal process successfully in our work. In the current review of the Microsoft
Exchange Online incident, we have a small handful of members that are not participating in the
review because of potential conflicts of interest. But we have 12 members that have been
cleared by our agency ethics council and are proceeding with all the thorough and rigorous
work that's needed here. So people can have confidence that we've thought through these
issues and there are really strong protections in place to protect against any potential conflicts
of interest. I mean, you've even had members who've sold shares, right,
to avoid conflicts like dumping Microsoft stock or whatever
because they can't hold that if they want to participate in a review.
We have had members who have divested themselves of stock holdings
because those stock holdings would have put them into a conflict.
Divested themselves of stock holdings does sound better
than dumped their shares. I will give you that, Rob. But we have different jobs. But the thing is,
you know, these are important issues to be managed, but it's really important to keep in mind
how unique and how empowering it is for the board's mission and work to have industry luminaries
as core members of this operation. Well, I was, I was having this conversation with a friend the
other day, because, who was it? It was Tom Uren, our colleague who writes Seriously Risky Business, and I'm
like, the thing about the industry people, the thing that they have that is hard to get from non-industry people is what I call sort of like ecosystem knowledge, right? They've
just got that broader view. So there's definitely potential for conflicts. But again, if you've got
really robust procedures to handle that, that are adhered to, then you can mitigate the issues there, you would think. Absolutely.
And the private sector membership is part of what makes the boards work high quality
because you have that unique vantage point.
We don't have a monopoly on the good ideas or experience in the government by any means.
And it also is what gives the board a lot of credibility to drive change. Right, yes, it's not just some
government person saying what you can and can't, you know, what you should and shouldn't do. It's
exactly, it's those government people, but it's also some of the leading cybersecurity minds
of our generation. And when those people come together and speak as to what needs to happen out there, what CISOs need to do,
what network defenders need to do, what regulators need to do, what legislatures need to do,
that speaks with incredible force and cannot be replicated by a government-only enterprise.
And so we have hit the right model here and we put in place those safeguards to make sure that the model is free from those important risks of conflict of interest.
I trust, you know, people like Heather Adkins, for example, who had just been around the block for so long and really understand it, just makes that output so much more valuable to me than,
you know, another FBI jib or, you know, or something like that, that, you know, I don't
necessarily understand the provenance of. And it's just really, you know, I think a super important
part of the board's work. Now, speaking of that output, right, there was one bit of weird criticism
that popped up at the Senate hearing, which was, oh, you know, there's nothing really new in these reports.
You know, they're issuing recommendations like use MFA and whatever.
I don't know if they were reading the same reports because, you know, it's not just, you don't just get a CSRB report to read it for its recommendations.
You know, the Lapsus report I loved.
And it was funny because that one just copped so much flack.
Like, people really criticized that report, but I thought it was just extraordinary because it foreshadowed
what would later happen with this Scattered Spider group, right? It was just an exceptional report,
and I, at the time it was released, I described it as, you know, required reading for any CISOs
out there, and I stand by that. I think still, if you haven't read it, you should go out and read it. But you did actually drive some change through that one as
well with the, was it the FTC or the FCC? One of your other agencies actually took some action in
the telco space to try to minimize SIM swapping. That's exactly right. So what we found as we were reviewing Lapsus and what was amazing about Lapsus is that it was a bunch of members, many of whom were teenagers, who were consistently week after week able to break into the best defended companies in the world, the most richly resourced companies in the world.
And what that told us is there's something that needs to be looked into here.
If these kinds of sort of amateur, if you will, threat actors are able to consistently
break into the crown jewels of really sophisticated organizations.
One of the things we found, to your point, Patrick,
was that they were using SIM swapping as the attack vector in a number of their hits. And
they were essentially using that to gain access to broader corporate environments. And what we
did in our recommendations was we said that the Federal
Communications Commission, which is our telecoms regulator here in the United States, really needs
to increase its oversight and regulation of the mobile phone providers to protect their users
against SIM swapping. Because SIM swapping is comparatively rare, but it has a devastating impact on the victim.
It can really overturn your life.
And the FCC, and then we worked afterwards with the FCC to explain our findings.
It was a really good relationship.
And then the FCC, which is an independent regulator that makes its own decisions about what to do, decided and recently issued new enforcement
guidelines to require enhanced security protections to telecoms providers to protect against SIM
swapping. And the chairwoman of the FCC, Jessica Rosenworcel, specifically called out the Cyber Safety Review Board for
recommending that course of action.
And so this is exactly the kind of impact that this body was designed to have.
And it's exactly the kind of impact that we are having.
And OK, so here's the part that makes me feel like I'm taking crazy pills, because I was
in the United States a few months ago
and in DC, right?
And something I consistently heard,
mostly from like journalists and stuff is like,
well, why didn't they investigate SolarWinds, right?
So this is the common thing.
It's been a running theme for like a couple of years.
Why won't they investigate SolarWinds
like it's some sort of cover-up?
I mean, in my view, I don't know really much else
what we would learn from that, considering that there's a full Mandiant report and it's a pretty
well-understood incident. And it's also quite old now. But how do you actually pick what it is
that you're going to look at? Because is it a shadowy cabal of people trying to cover up
SolarWinds or is it something, I'm guessing it's
something a little bit more boring. Rob, can you please tell us what it is?
So the Secretary of Homeland Security and the Director of CISA have the authority to task the
board with what it should look at. And when we're having those discussions about what the taskings should be, it's always a discussion around what should we give the board that will really, on the other end of the review, drive change in the community?
Where can we reach impact? that are as yet undiscovered or under-discovered and that haven't been deeply studied,
where there hasn't already been a lot of analysis done
of the incident or the issue,
and where the CSRB's unique voice can drive better security.
With Log4j, you had this endemic vulnerability
that was the worst software of all time.
You had an all-community incident response all at the same time.
Incredibly unique insights gained into the open-source security community and vulnerabilities there.
If you want to understand supply chain risk, that's the one you look at, right?
Exactly right.
So really important. Lapsus, likewise, right? I mean, you said it, it was not a household name,
and yet we saw in it a lot of risk to the community and something that could metastasize
because those TTPs can be used against anyone and by anyone. They're not that sophisticated,
actually. And so we were like, we
need to put out a playbook so that network defenders know what to do to protect themselves
against that. And then, sure enough, we published, and very shortly thereafter you see Scattered
Spider come out on all the same Telegram channels using all the same techniques and processes to do it.
And it's like, it is the playbook.
It was amazing vindication for the decision, I thought.
Totally.
And then, you know, with SolarWinds, listen,
that was a very serious incident that had a lot of impact
and drove a lot of change within the community.
By the time the Cyber Safety Review Board was operational
and the members had been onboarded, that incident had actually been very well studied. And the U.S.
government had taken on a lot of lessons learned and specific lines of action to address deficiencies
that came out through the study of SolarWinds. So, for example, everyone on a bipartisan basis circled around the need for incident reporting rules.
And Congress passed a law to give CISA that.
That was a direct result of SolarWinds.
We mandated through executive orders zero trust architecture in our vendors,
all kinds of supply chain security efforts that the U.S. government would be leading,
all because of SolarWinds.
When you put that up against the other less discovered pieces of the ecosystem and things that had happened, we all felt that the real impact would be driven by looking at other
fresher incidents.
And look, my final question, it is a slightly curly one, sorry about
that. But, you know, there's been a question raised, and I think it's a reasonable question,
actually, about whether or not the CSRB having subpoena powers might kind of put it into a
position where, you know, it turns DHS into a bit of an adversary, and obviously CISA sits under
DHS, you know, could this, you know, throw some sand in the gears at CISA, you know, if a
DHS, you know, investigations agency is given subpoena powers?
No, I don't think so.
I think everybody understands CISA's business model for working day in, day out with companies
on their incident response, on sharing and pushing
best practices. The CSRB is a unit that is administered by CISA, but operates independently.
And at the end of the day, people understand that if you want to know what happened in this world,
then you need to give those who are tasked with looking into it the ability to get the information. And I don't
think it's going to disrupt the relations at all. I will just say, though, because I do think there's
some misunderstanding, I have heard criticisms that our draft legislation would give private
sector members the ability to issue a subpoena against their competitor. And that's really actually not the case. The
legislation that we have proposed specifically says that only federal members, the government
members, can vote on issuance of a subpoena. We just felt like that's an inherently governmental
power that shouldn't be shared with private sector members. And in any event, private sector members,
if their competitor is involved, they're going to be recused off anything having to do with
their competitor anyway. Well, and the nice thing about having subpoena powers is once you have the
powers, you generally don't need to use them because people know that you can subpoena them.
If you look at the National Transportation Safety Board, which in the U.S. system is the agency that investigates air crashes and the like, they have subpoena authority, but they almost never use it because the companies that they work with and fact gather from understand that it's there and they'd prefer not to get one.
Yeah, exactly.
Right.
So, yeah, it's a power that you have, so you don't need to use it,
which is always a funny one.
All right, Rob Silvers,
thank you so much for joining us.
We're going to wrap it up there.
A great chat about all things CSRB.
Really enjoying the report so far
and I'm really looking forward
to the next one on the Microsoft.
And I genuinely am looking forward to that one
because it's going to tell us
really what happened
with that Microsoft Exchange Online hack.
Yeah, thanks so much for your time.
Really appreciate it.
Thanks, Patrick.
Thanks, Adam.
That was Adam Boileau with the news there
and Rob Silvers jumping in as this week's feature guest. Big thanks to
both of them for that.
It is time for this week's sponsor interview now with
Travis McPeak, the founder and CEO
of Resourcely. And Resourcely
is a pretty simple play
really. It helps you manage
your Terraform. So if you've got like a
thousand different Terraform modules and they're
all unique little snowflakes and
the whole thing is just a complete mess, you know, you'd probably do well to contact Resourcely. It'll help you
provision resources through Terraform in a not insane way. But Travis is joining us this week
to talk about how we need this kind of approach across the board, not just when it comes to
Terraform. You know, a very typical sales call for Travis is like when someone's become a customer
of one of the CSPM products like Wiz and they just wind up choking on its output. So they ring him
and they say, please help. But the bigger point here is that surely we should be trying to stop
the problems being created before they wind up in a dashboard, right? And not just Terraform.
Terraform provisioning should be easy. So should
encryption, so should authentication, so should logging. So many of these things should just be
easier. So here's Travis now to kick things off in this interview by recapping the sales call he had
just like a moment before I spoke to him.
So we got a POV going with a very large company.
They had recently brought in one of the leading CSPMs and they
found out very quickly that they had thousands of issues overflowing at a much faster rate than they
can actually address those issues. And then they got interested in potentially doing something
proactive to prevent this pain from happening in the future, at least continuing to accumulate.
Well, I mean, this is the issue, right? With CSPM and dashboards and whatnot,
they're really great at surfacing problems, but you quickly get into a point where you can't just take the outputs for
these things and generate tickets because you're going to drown everyone in tickets.
Right. Yeah, that's right. And if you think about there's a disconnect between the people
filing the tickets and then who needs to take action for it, you know, they're not on the same
page. Sometimes they don't have the right context, but really it's a big pile of work for
somebody to go take on. And that work doesn't end up being high priority often. So we end up in this
kind of phase where security is nagging you to go fix your tickets, please. These things don't get
fixed. 60% of breaches involve known issues. So that's a whole cycle of pain that we'd like to
improve. Yeah. So there's a lot of
companies out there now who are going through these processes of using the scanning tools,
the posture management tools, and all sorts of tools like things that interrogate APIs and whatnot
to surface issues and realizing that they can't ticket their way out of it. So they're moving to
an approach of trying to stop these things from becoming issues in the first place. I mean,
this is what Resourcely does.
It tackles, you know, certainly doesn't tackle this whole problem,
but that's going to be the topic of this conversation.
The stuff that you tackle specifically is, you know,
Terraform issues, Terraform misconfigurations and whatnot.
You just give people an easy way to provision that stuff
so that it doesn't turn into a mess in the first
place. I mean, that's, you know, the simplest description for Resourcely, that would be it,
right? Exactly. Yeah. Our goal is to give that context to a developer or whoever else needs
something in line and tell them not, you did this wrong. You need to go fix this, especially not
late, but at the time that they actually want to get something set up to help make it dead simple for them to know what is that thing I should pick? How do I actually set this up
well? Yeah. Yeah. Now, as I just mentioned, you know, this problem is a lot bigger than just the
part that you're solving. Right. So I thought it'd be a good idea to talk to you because you've got
a long background in doing, in doing stuff in these sort of, you know, I mean, you can't really
call DevOps modern anymore, but in these sort of DevOps environments, right? And I remember I had you
on the show many years ago talking about RepoKid, which was a tool that you wrote when
you worked at Netflix which would go and nuke unused permissions and privileges
from accounts across different services. That, you know, that was really cool.
But yeah, now you're moving on to this idea of paved roads, right?
So like, how do you help a developer, you know,
because a developer doesn't want to deal with a lot of this stuff, right?
They just want to get their code up and running in an environment
that's going to work and get stuff done for them.
So you've, you know, you've tackled the Terraform bit of that.
But there's a whole bunch of other areas that are ripe for a similar approach,
which frankly, I mean, you're not going to go there,
but there are these other areas.
Like, why don't we talk about some of them?
I mean, one that you mentioned to me
that's really straightforward is just encryption.
You know, like having to put encryption in place
in these web applications and whatnot
can be really fiddly
and put people in a situation where months down the track, there's broken certificates everywhere
and people can't manage it. So, I mean, this is just one example, one other example of where
people could probably make some gains, right? Yeah. And the really cool thing about this is,
you know, traditionally in an infra team security, you know, DevOps, it's kind of an adversarial situation, right? It's zero sum, developers lose, security wins, security wins, developers, you know, whatever, like, it's all mixed up, somebody's going to be coming away unhappy. With a paved road, you can actually create this win win condition where security gets everything set up from the get go correctly. That means they don't have to fix it later. And developers get a simple path to get whatever they need. So yeah, we call these paved roads at Netflix.
I would actually call the RepoKid project a paved road for least privilege. Now developers don't
need to do anything. They just get roles that are exactly what they need, completely zero touch for
them. So that's a win. Crypto is an easy one, right? Because that's scary. Even as a security
person, I don't want to go figure out crypto. It's complex. There's a lot of knobs. I might screw it up and cause a really bad day for
the company. So I think making it easy to manage keys, making it easy to get certificates. You
know, we had a project at Netflix called Lemur that did exactly that. So now developers, when
they want a certificate for their app, they don't have to worry about picking parameters and managing
private keys and rotating. That's a whole class of easy win. A bunch of this simple web application stuff,
right? This is why we have frameworks. So this is our standard logging format.
This is how we want to do auth. This is our AuthZ integration.
Well, hang on. Let's talk about those two individually because like they're both
big. I mean, auth is huge. Thankfully, we've got some vendors in that space
who are doing some pretty sensible stuff, like, you know, Auth0 is terrific, then acquired by
Okta, and I believe like some recent price hikes have sort of upset people. But certainly
that is something that you can buy. Logging is an interesting one, though, right? Because,
yeah, there's only a few people doing it now.
A lot of people claim to be able to help you
with just being able to import logs
and get logs flowing from web applications.
But that is way harder than it should be, right?
Like, why don't you talk a little bit about that?
Yeah, it's way harder than it should be.
So if you want to implement some kind of a standard
in the organization, you know,
this is the kind of events that we gather.
This is the level of detail we put into them.
That's cognitive load on developers.
I think that's the main theme, right?
Cognitive load.
Just number of things that developers need to understand
how to do correctly.
So there's all of that part of it.
And then there's the collection of them.
How do we go and take these logs
and put them in a central location
where they're automatically backed up and rotated
and retained for the right period of time?
So developers shouldn't have to worry
about any of that stuff either.
And then there's tons of more complexity
that spins off from there, right?
Like the idea is like developers can just import a thing
and then they pick what's relevant for their application
and things just get set up in the correct format.
Yeah, I mean, I know Panther is a company
that we've had some dealings with here.
They're a SIEM company.
And one thing that they love to talk about
is how they can help you actually get logs
out of web apps into a SIEM, you know,
which is just kind of crazy
that there's a market need for that.
You would think that we should have, you know,
like so much of this stuff,
you would think that it always should have been that way,
if that makes sense.
Right, yeah.
And I mean, even developers
shouldn't really have to understand. I mean,
there's a ton of best practices about what kind of logs you should emit and the level of detail
in them and getting every developer to be experts in logging configuration really doesn't make any
sense. Yeah. Yeah. Yeah. So just on the auth stuff though, I'm curious like how people are handling
that one. Cause I imagine a lot of people would have been using like third party vendors for that. Is that still the case where people
starting to, or are there like new crops of vendors coming up who are doing it in different
ways or like, where is that all out at the moment? Well, what we had at Netflix, which was really
nice is developers didn't have to worry about it. So they, we had basically an identity aware proxy
that we offered, and security as well as, you know, reliability and
other folks would put things into that proxy. So now, if you integrate the proxy, there's a simple
way to do SSO, there's a simple framework you can use to define, you know, users and groups and who
has access to what in your application. There was a WAF bundled into it so it was resilient against
attacks, you know, load balancing, all of that was in there. So that was kind of like a one-touch,
developers don't need to worry about any of this stuff.
I think in the vendor landscape,
we see much more fragmented.
So as you mentioned, we have tools like Auth0
that are great for not having to roll your own AuthZ.
And then we have a different set of tools
that handle the authentication part in SSO.
Yeah, and the proxying stuff, right? Like that's different
again. Yeah. Whereas with stuff like Auth0, it's very much about building, you know, using their
tools in your web applications. Right. I wouldn't be surprised if there was a kind of a rebundling
of these things as well. It would be nice to just have a kind of integrated, there might already be a
vendor solution that handles everything that the web app developer needs to worry about aside from the business logic of their application.
Now we've just spoken about a few examples here, right?
Authentication, encryption, and the infrastructure side, which is what you do.
It feels like, and this is the cynic in me coming out, it sort of feels like wishful thinking that we're going to get to this point anytime soon where these are things developers don't need to think about, but that is the ultimate goal, isn't it?
That's the ultimate goal. Yeah. If you don't do that, so we do what we do today, right? There's things that tell you about problems after they already exist. You're going to face a lot of pain. It's just a different kind of pain, right? It's never-ending tickets. It's developers being forced to upend whatever their planned work was to go and fix stuff. Anytime, you know, this is like a trope at this point, but anytime you catch stuff late, it's way more expensive for everybody involved to go and address it. I mean, at the same time, we see tons of companies where there's whole organizations of teams that do nothing but help developers provision and manage stuff. So this is definitely being borne out.
We've kind of half-DevOps'd ourselves into this. What's funny is, 'cause we always talk about shift left, right, in terms of making sure that code quality is good, but it feels like we haven't put the same emphasis on all of the support on the infrastructure bit, right, on the ops bit. It's all been about shifting left in the code.
Right, and a lot of times when we say shift left,
we're talking about pipeline, really.
So before it gets deployed,
we're going to do some kind of analysis
and tell you about potential problems that exist.
One of the problems that we've seen with that
is they don't really have context, right?
If you're finding out about something in pipeline,
you have no developer intent.
Instead, if you actually shift that left
to the actual developer,
they know what they're trying to get done. You can ask them some questions about that and then make the right policy and configuration answers based on whatever they're telling you.
All right, well, Travis McPeak, thank you very much for joining us for this interview. Again, if you are struggling with Terraform, you know, if you've got Terraform modules that are all unique and numerous and you realize you cannot continue this way, definitely hit up Resourcely, Travis McPeak's company. Thank you very much for joining us and thanks for sponsoring this week's episode of the show. Cheers.
Thanks for having me.
That was Travis McPeak of Resourcely there, and you can find them at resourcely.io. So that is R-E-S-O-U-R-C-E-L-Y.io. And yeah, if you have a Terraform problem, if you have Terraform issues, if your Terraform use is heavy, then give him a call. And that is it for this week's show. I do hope you enjoyed it. I'll be back next week, but until then, I've been Patrick Gray. Thanks for listening.