
The Audit - Presented by IT Audit Labs
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
Cybersecurity Insights 2025: Big Data, AI, and Staying Ahead of Attacks
Discover the hidden risks of browser extensions, cybersecurity incidents, and more with hosts Eric Brown and Nick Mellum.
In this episode, we dive into the dangers of tools like Honey, the fallout from Proton’s global outage, and the ingenious tactics used by cybercriminals to target unsuspecting users. Eric and Nick also share their insights on using big data to enhance security, the role of AI in addressing threats, and practical tips for staying ahead of the ever-changing tech landscape in 2025.
We'll cover:
- The surprising risks behind popular browser extensions like Honey
- Lessons from Proton’s global outage and the importance of preparation
- How cybercriminals use voice phishing to exploit tech giants
- Practical steps to improve organizational security and educate users
- Balancing security and accessibility in modern systems
From practical advice to thought-provoking insights, this episode delivers actionable takeaways for anyone navigating today’s tech landscape.
#Cybersecurity #TechNews #DataPrivacy #RiskManagement #DigitalSafety
Happy New Year, happy 2025. You're listening to The Audit, presented by IT Audit Labs. I'm your co-host and producer, Joshua Schmidt, and today we're joined as usual by Nick Mellum and Eric Brown. Happy New Year, fellas. How you doing? What are you drinking today? I got a nice mushroom coffee here.
Speaker 2:Happy New Year's, gents. I'm rolling water and Diet Dew. Whiskey.
Speaker 1:Whiskey for the man in charge, all right.
Speaker 2:I'm early today.
Speaker 1:I'm glad everyone's staying loose. We're going to get right into it here with a news brief, some articles that jumped out to us. This first one's from The Verge. It's about Honey's deal-hunting browser extension. It's been accused of ripping off customers and YouTubers. We scroll down here. You can read: the PayPal Honey browser extension is, in theory, a handy way to find better deals on products while you're shopping online, but in a video published this weekend, YouTuber MegaLag claims the extension is a scam and that Honey has been stealing money from influencers, including the very ones paid to promote their product. Eric, you found this article. I'd love to hear your thoughts on this and kind of break it down for us.
Speaker 3:Yeah, actually I give credit to Jake, friend of the show, who clued me into this, and it's like, wow, yeah, that is pretty interesting. PayPal, back in 2020, spent $4 billion to buy Honey, which is kind of a head scratcher of why would they do that? There's got to be something going on behind the scenes, and in fact there is, and that's in the form of the click stealing by Honey. So, Josh, you talked about Honey advertising being able to look for better deals when you have things in your cart. Well, a lot of the way in which these online services are compensated, so, for example, if you have an influencer who's recommending a product, go to a URL. Well, if the referral link is coming from that influencer to, say, Sony.com, for instance, then Sony.com knows that the influencer is the one who should be monetized for sending traffic their way. Well, Honey has ingeniously come up with a way to insert themselves and grab that last click. So by saying that maybe there's a better coupon available with a coupon code, and then that would take the last click. Or, if they don't find a code, then they say just close. Sorry, we didn't find anything, you've already got a great deal. Click this button to close the Honey window, which that also steals the last click or takes the last click.
Speaker 3:I think the term steal might be up for a class action lawsuit, which is happening now, brought forward by an influencer who saw that their traffic was being manipulated by Honey. The other interesting thing is because Honey was capturing some of this or this revenue stream, they were actually making up some of the discounts because they could afford to give some money back to the consumer for stealing that last or inserting themselves as part of that last click. And then the nefarious thing that it seems that they were doing was if they were paid by a company, they may replace a coupon say that there was a coupon for 20% off of something. Honey may replace that with a 5% off or something else, so that the savings would not be passed on to the consumer. So I thought it was an interesting piece of tech.
Speaker 3:Clearly there's a lot of brainpower going into capturing revenue streams. Certainly I admire it from a technology just thinking through how they would do that. Of course I don't admire it from stealing revenue from other folks who rightfully should be paid for that revenue stream and honey not. But I don't know. What do you guys think?
Speaker 1:Yeah, I first learned about this today, this thing called last click attribution or action, after reading this article.
Speaker 1:It says the steps kind of go like this the customer first sees an advertisement for a product on Instagram, for example.
Speaker 1:The second would be later they click on a blog post reviewing the product and third, finally, they click on a Google ad and make a purchase. So that last click attribution model would give Google ad the full credit for the sale and give them some kind of commission and ostensibly this is what the influencers are doing, right, and they're making a living trying to get that last click so that they're getting some money in their pocket. And that's kind of the game. But it sounds like Honey's kind of gaming this and obviously brings up moral and ethical questions and it'll be interesting to see how it plays out. One of my questions for you guys was is there a way that consumers can protect themselves from these tools designed to? You know these tools are designed to save them money, but is the way they can protect themselves against people quietly monitoring or monetizing their data or their actions in a way that will conflict with their interests, don't install shitty browser extensions.
Speaker 2:That's the best point yet, I think, that Eric just made. But I mean, besides, like, reading the privacy policy, you know, reading that stuff, understanding consent, but I think, like, also limiting permissions, right. So a lot of times when you install these web browsers that can track you or not track you, right. So making sure that you have that stuff locked down. That's not going to keep you from using a bad web extension, but it's a way to protect yourself if that one that you don't know is bad is bad.
Speaker 3:I was working with a client, I think this came up over the break. We had a change freeze and we're scratching our heads on what could we do to do some quick improvements in security over the holiday break. And we went through and we looked at all of the browser extensions that were installed in the Chrome browser in the organization and there were, I think, 1,700 different browser extensions. Now, some were multiple versions of those browser extensions. Honey is an example of a browser extension, but there were games in there like Cut the Rope, I don't even know what that is, but I saw a couple versions of that. There were password managers. There were casino things. There were probably some coin miners, but it was a good reminder of, like, let's go back into our organizations with our customers and let's cut the browser extensions from a Wild West to a very limited view of an allow list of browser extensions. And certainly that just is further to the right on the maturity curve. Right, mature organizations are not going to allow users to install all of these junk extensions that aren't needed for business purposes in the browser.
Speaker 3:But you know, I think this is clearly one that doesn't have a business purpose. People may think it does serve them as an individual user perspective in their home lives, but we can see apparently nefarious activity by the company Honey. And back to what we were talking about earlier, with maybe Nick coming up with a branded line of these hairless cat products. I don't know. I think you mentioned sunscreen. Hey, that's my idea. Oh, that was Josh's idea A little zip up vest for the hairless cat. I don't know what's going on over there, but going to Rover Nick would not want to have his revenue stream interrupted by honey because they stole that last click as somebody who's going to get that vest.
Speaker 1:Yeah, this spells some kind of disaster, perhaps in the future, or throw some shade onto PayPal, which I saw as kind of a trustworthy entity, business entity. I've been using it for years, I don't think twice about using it and it actually makes it easier for me to track a lot of my expenses online, especially if they're for business. So, yeah, not a good look. Not a good look for PayPal.
Speaker 3:I have a question for both of you. Josh, you mentioned PayPal. Now, I too am a longtime user of PayPal, but Venmo, certainly not new on the scene, but newer than PayPal. Why is it that people are using Venmo and Zelle these days more than PayPal? What's going on there?
Speaker 2:I think it's a convenience thing, I think it's all it is. I think that Venmo, I'm a user, they have captured the market in a way that it's almost a social media platform where they pull you in there. People got their pictures. Whatever, you can find your friends, you can see what they're doing, right, like transactions. Like if Josh and I are friends on there, Eric, you go on there, you can see us, our transactions.
Speaker 3:You can also hide it, but hold on. Why would I want to see your transactions and why would you want to show me your transactions?
Speaker 2:I don't disagree with you. I'm saying the average person. You're not the average person. People that are not in our industry. They like to be nosy and see what's going on and they don't think about. I shouldn't show that. Anytime that I send money to a family member or a friend there's a private function. Always hit the private function. But to your original question, it's all about convenience. So the first part was about the social media aspect. People love that, obviously. The second part is the convenience. You go on there and it's like two clicks. I find this person that I want to send money to, type, put in the money and I put a funny emoji or whatever, put a little cat in there and then hit send and I'm done.
Speaker 1:It's a way to kind of be quickly funny, and I think they've captured different segments of the market. I think PayPal is more in line with e-commerce activity and I think Venmo is more of a social thing, like sending money between friends after going out to dinner, for example. I also use Zelle. That seems to be a little bit more transactional in terms of business transactions. So, yeah, I think it's just kind of like why do people use Instagram over Facebook and why do they use X over Instagram? It's just market segments, and yeah, I think Venmo is a little bit more useful to Gen Z, perhaps younger people.
Speaker 2:Do you guys use web browser extensions, any of them that you like to use?
Speaker 1:Password managers Just Bitwarden.
Speaker 2:Same. I use an ad blocker and a password manager. Yeah, Right now I think I'm using was it Privacy Badger?
Speaker 1:One quick question I had before we move on to the next article. Would an ad blocker or a Proton or VPN protect from these types of malicious ad blockers, or maybe not at all? Don't rely on VPNs or ad blockers to be protecting you from bad browser extensions.
Speaker 2:You could rely on a Pi-hole.
Speaker 1:Pi-hole's coming up. It'll be coming up in the next month or two. We're going to switch over to the next article. This one was brought to us by Nick. This is from BleepingComputer.com. I love the title of this outlet. Proton worldwide outage caused by, I can't remember how to say this. Right, Nick, Kubernetes, Kubernetes. I always have to do this speech thing. Kubernetes, Kubernetes.
Speaker 3:No, it's Kubernetes.
Speaker 1:Kubernetes.
Speaker 2:Well, I was led astray by the browser on air he did.
Speaker 1:I don't know if. Okay, I thought I heard something like a cat in the background. Anyways, it says here that Swiss tech company Proton, which provides privacy-focused online services, says that a Thursday worldwide outage was caused by an ongoing infrastructure migration to Kubernetes, Kubernetes if you will, and a software change that triggered an initial load spike, tomato, tomato, as the company revealed yesterday in an incident report published on its status page. The outage started around 10 am Eastern. Nick, were you affected by this? I know you're a Proton user.
Speaker 2:I am a champion of Proton, so when I saw this article pop up today earlier, I wasn't directly affected, but I knew it was going on because my VPN didn't connect and also my Proton calendar wasn't loading. But I use them native in the app, so they were loading but I wasn't getting any updates, like if there was a calendar invite or something like that, I wasn't able to see it. But I wanted to bring this up just because we've been seeing different outages and it's just the nature of the beast, right? We're going to see outages every now and again, but luckily this one was just a couple hours. But I do use Proton for all things: Proton Pass, Proton Drive, VPN, and obviously this just happened yesterday. We're hearing about it today.
Speaker 2:Obviously a lot of people were affected yesterday, but I think it just kind of shows that really redundancy is the best. So maybe having a secondary VPN that you could connect to, if you're an organization and you do use Proton, have a way for your people to connect or have a means to if they're traveling outside the country or you go into a coffee shop. But just real quick there, you know, there's a lot here. A lot of people do use Proton, but luckily there hasn't been a lot of outages from them that I've seen. This is the most notable or most recent. Obviously it just happened yesterday, but I know you guys don't use Proton, do you?
Speaker 3:I like Proton. I was a little disappointed, if I'm honest. Right, it's sloppy. First of all, what are you whacking in a big change like that in the middle of the week? That's stupid. So that was annoying. Why weren't you doing that on the weekend, like at 2am? And I get it, it's a global company, but look where all of your users are and you make those changes in that time zone. And I know, maybe it was the middle of the night for them, because I think they're, what, in Switzerland. But I mean, come on, that's just sloppiness, and I expect that from Microsoft, you know, who's making bns changes at, you know, two in the afternoon. But this, to me, it took them down a rung in my book.
Speaker 2:So I think what I was thinking too, Eric, when I was reading through this is, I think they need to call IT Audit Labs for change management. We'll make sure they make that change on a Saturday night at 2 am, not on a weekday.
Speaker 3:The tinfoil hat side of me also was like, well, was it really a Kubernetes change or was it something else that we should be a little bit more concerned about?
Speaker 2:Do you have any thoughts on what they could be trying to cover up, something other than Kubernetes? Totally, I didn't have that thought. I think I was giving the benefit of the doubt. But hey, just like the last article, PayPal is nefarious right now. We'll see. Who knows, we might hear something about this in a little bit.
Speaker 1:Yeah, it's interesting the connection between these two articles. Proton has built its reputation on privacy and security, so I'll kind of take it here for you guys to think about. When a privacy-focused company like this faces downtime, or when anyone faces downtime, shout out to the people in LA right now dealing with horrific fires. There's a lot of people losing power and so, for whatever reason that things are going down, how do you guys step in and communicate with an organization when tools are failing to mitigate any kind of threat that might be coming in, because people are probably trying to get online, get work done. It just turns into a huge mess. So how would you step in and kind of help an organization?
Speaker 3:I think you got to rewind the clock several months as to when they were planning what the overall migration is and what that migration might entail. Are they moving data centers? Are they moving systems? Are they re-IPing, like what is the entire big scope of the change that's being made, and then testing out if they're thinking they can do it with zero downtime, which is interesting? How are they doing that? Have they tested it a few times to make sure that that's actually true? Or is it better to just take an outage and say, hey, we're going to be down at X time between this time and this time on this day, so folks can plan for it and you're not then just scratching your head of like, hey, why isn't this thing that I bought working? That's probably more annoying. If they took a scheduled outage to do it, we probably wouldn't even be having this conversation.
Speaker 2:Absolutely. I think, if we're in front of a client right now and this is something that, you know, taking Proton out of this, whatever application it is, if this is something that we truly believe in or the client truly believes in and we've all aligned on it, I think then it just becomes a communications thing, right? Acknowledge the issue, and then we want to communicate the steps of how we're going to rectify it or try to mitigate it in the future, and then just reassure stakeholders on why this is the right plan forward, using Proton as the example. Right, if we want to continue using Proton, you know, is it sloppy? Right, it is absolutely. But have they had recent issues in the past? Not that we know of or have seen. So one-offs like this could be excusable, right? This could be an accepted risk that we might have a discussion with the client about. This is something we know could happen, but we have failovers for reasons like this.
Speaker 3:We work with a lot of public entities private too, but the public ones are the ones that the public has put their trust in elected officials and then services are being delivered through those public entities. And one of the biggest things for those public entities is trust and reputation of brand and it's that communication out of what they're doing and why they're doing it. And the community may not always agree with what they're doing or even the why they're doing it, but the communication is absolutely paramount to maintaining that public trust. And you know I'm glad they came out, or Proton did, and said you know it was a Kubernetes issue. Hopefully it was, and you know they got in front of it.
Speaker 2:But there's probably more things that they could have done to mitigate it or take an outage and plan for it, and maybe Proton's waiting to come out here in the next couple days after they do a little bit of an after-action report, that battlefield assessment, and they'll see what happened and they can brief us, the users, on what happened. They've come out with this, right. They said it's Kubernetes. They're going to probably come together and then maybe we'll hear a lot more on what the actual issue is or what they're going to change going forward so this doesn't happen again. I'm still going to go with Kubernetes. Kubernetes, hey, that's a cat name.
Speaker 1:There you go, that's the cat. You guys are on fire today.
Speaker 1:I love it, and I love how you're connecting this to, you know, your work with organizations. It's really fun to hear. So let's move on to the next article, this one Eric brought in. This is from Krebs on Security. We're talking about a day in the life of a prolific voice phishing crew. This is kind of an interesting malicious actor story here. It sounds like: besieged by scammers seeking to phish user accounts over the telephone, Apple and Google frequently caution that they will never reach out unbidden to users this way. However, new details about the internal operations of a prolific voice phishing gang show the group routinely abuses legitimate services at Apple and Google to force a variety of outbound communications to their users, including emails, automated phone calls and system-level messages sent to all signed-in devices. So, Eric, what are your thoughts on this? Why did this stand out to you?
Speaker 3:It's just another example of the ingenuity by which the threat actors are going after us, and they're doing it 24 by 7. They're in war rooms. They're whiteboarding out these things. It's not somebody in their parents' basement with their hoodie up, like, you know, doing some sort of DDoS with some borrowed machines. This is high level, highly intelligent, well executed, well thought out orchestration, and it's impressive from that perspective. But it's just, from the white hat side.
Speaker 3:We've got to up our game. We've got to get in front of users, got to make sure that they're aware of this. They don't need to know the details of the ins and outs about how it's done, but simply the fact that it can be done and it is being done until Apple and Google put a fix in for it. But I mean, I wasn't expecting to see something like this, where it's essentially spoofing Apple's number, reaching out to the user, sending the... this is, you know, what are we calling it? The MFA prompt? Yeah, the prompt, thank you. Sending the prompt to the user's phone, getting the user to accept that while they're patched in to a fake call service.
Speaker 3:It's crazy, and you know we're still dealing with customers that are sending passwords around or storing passwords, like, in a text file. And it's like, well, we got notebooks in a text file over here, and we're saying, hey, you know, you got to put your stuff in a PAM, you got to rotate every eight hours, you got to rotate when that password's checked back in. And then we have the sophistication of these threat actors who are spoofing numbers from Apple, sending the prompts down to the phone. It's like, wow, you know, we're outgunned here, and we've got to do a better job of protecting our organizations with more rigor in how we control the devices, because it's tough.
Speaker 2:I feel like I just left church on a Sunday, or a pastor right there.
Speaker 3:No, am I wrong? I mean, like, oh no, you're talking about with passwords and spreadsheets. I mean, come on.
Speaker 2:You're spot on. I was shaking my head, yes, the whole time. I agree with everything. I think, like you said before, these are career professional nefarious actors. They have dedicated their craft to this activity, to getting whatever they can get, and here it just shows how they are willing to do anything and everything. It shows again that a lot of times, different organizations, you know, the security landscape, we're on our heels, right? We want to play more offense, but this just shows that they are driving in on every aspect they possibly can and it kind of leaves a lot of us with our hands up in the air.
Speaker 2:But we need to drive in and figure out how do we fix this problem, and a lot of it, you know, we keep talking about training, training the staff, education, and that's what this boils down to. Those checks and balances, the policies and procedures, are not going to fix something like this. We need to continue to educate your staff, whether that's reports coming or, like, newsletters coming out on Fridays. Hey, this is what we saw, educating people. There's so much we can grab onto here. In my personal life, I just talked to a family member yesterday that received a phone call from Bank of America, I think it was.
Speaker 2:One of the two, somebody had tried to open a credit card in their name yesterday. So what we've talked about in many episodes: locking your credit, strong passwords. So I spent some time on the phone yesterday with this individual and going through to all the major credit bureaus, locking their credit. So also, you know, continue to lock your credit, good passwords. But also a shout out to the banking industry for flagging this, because what they said was the address didn't match up.
Speaker 2:Where they were trying to open it was in Illinois, and this family member lives in Texas. So it didn't add up, right, so they stopped it. And then phoned this family member. So, you know, they're attacking us on all fronts. You know, here at IT Audit Labs, we spend a lot of time playing offense, right, and teaching and helping our clients play that same role too, with many different tools we facilitate, but it just shows they're willing to do anything and we need to do the same thing by educating, you know, not only our staff but family members and everybody. It's just a matter of awareness.
Speaker 1:Are there ways to redesign these systems so they could be more secure without sacrificing accessibility, you know, kind of from the back-to-the-drawing-board position, or maybe exploring, like, additional steps to verify for high-risk activities or something like that?
Speaker 3:It's tough, right? It's that chicken or the egg, and I think it's always the how do you make it easy to consume and easy to use and secure? And unfortunately sometimes that's a dichotomy. I don't know if there's a good answer. If you figure that out, Josh.
Speaker 2:You won't be on this podcast anymore.
Speaker 1:But that's what you guys do, right? You step in and kind of help balance those scales and talk through these things where people aren't thinking about this every day. You kind of maybe shine a spotlight on some dark areas that they might not be thinking about and kind of explore the whole terrain with an organization, correct?
Speaker 3:Yeah, on the corporate side there's a lot you can do, where you can manage the devices in a mobile device manager and you can make sure that the devices are at a certain level before they're connecting to the organization. You can limit what they could do. There's a lot more that you can do with the corporate tools than you can for the home user, and unfortunately the home user is probably 99% of the attack vector for these types of things.
Speaker 2:I think one. You know, josh. I don't know if this directly answers your question or not, but I think you know.
Speaker 2:One thing that I see working with customers and clients and reading these articles is, a lot of times, security organizations within a bigger, you know department, any big organization, their security department is usually stuffed away in the back in the closet. It's a few guys or whoever. It is right, they're small, I you know, and they keep them close to the vest. Nobody really knows what those guys are doing. Having more transparency, they're showing what they're doing, that could be a news article from them every Friday, like I mentioned earlier, having them give a training, in-person training, a virtual training so people can see their faces. Showing what they're doing. They could present how we are right now, a news article and things that they're seeing under the threat landscape and that you know. It does two things it shows what the security team is doing and what they're seeing and they're actively trying to protect your organization and it's educating the staff and I think you get two of them. That can strengthen an organization in itself.
Speaker 1:I love that, because I learn by doing better than I do when I'm given, like, an e-book, for example. Those are great ways to learn, but just with the amount of content coming at us these days, it's great to have hands on a human being to kind of help you think through and talk through some of this stuff before it becomes a problem. So that's great advice. Fellas, any New Year's resolutions this year, as we enter a new year, a new podcast year? I'm trying to read more books this year. I got a stack of books, some nonfiction, some fiction, and just trying to set aside a little bit of time each night, put the phone away and get into a book. So that's my New Year's resolution. How about you guys?
Speaker 2:You took the words from my mouth on the putting the phone down. I find myself reading too many articles, listening to too many podcasts, and I've got a young daughter, so I'm trying to put the phone away, trying to listen more, talk less. So those are kind of my two things.
Speaker 1:On the plus side. Nick, you're going to read like 2,000 books this year like the Cat in the Hat.
Speaker 2:Out of Fish. I'm cool with that. Franklin Goes to School, that will recharge the batteries so I can get into the fight every morning again.
Speaker 1:How about you, Eric?
Speaker 3:I'm trying to do at least a book a week. So I'm right there with you, Josh, trying to get that done. I do a lot of audiobooks because I have a bit of drive time here and there and I like to listen to audiobooks, like, you know, say, if I'm on the Peloton or whatever, get a little workout in, I might as well listen to a book while I'm doing it, and then using some AI to summarize the findings and keep it tucked away in the library, but easily available.
Speaker 2:Do you have a favorite book you've read recently, Eric?
Speaker 3:The Elon Musk book was really good, by Walter Isaacson. You know, politics aside about Elon Musk, tongue in cheek there, I know you like that term. For me it was more about the journey of the individual and what's been done. I mean, a disruptor in several industries, right, going to space and shining a light on the inefficiencies of the programs that the US taxpayers have been purchasing for years from, like, a Boeing, who, you know, they've got, I don't know, 30,000 people over there building these rockets or whatever they're doing.
Speaker 3:But their contracts are cost plus. So whatever their cost is plus a small margin is what the government pays, what we as taxpayers pay for that rocket. With SpaceX the idea was, well, let's compete against a cost-plus model and come in with a fixed-bid model. So, yeah, we can build X number of rockets for this fixed fee. And why you see all of the launches from SpaceX coming out of Florida and Texas, previously California, is because Boeing can't compete. They don't know how to figure out how to cut so much cost and be effective in building rockets that can compete with the Falcon 9 and the Merlin rockets.
Speaker 3:So the book just highlighted that. You know, and I really like one of the things, kind of the principles where Elon's going through the factory and talking about, just, you know, delete, delete, delete. Like, take out all of this process, all of this heavy crap that is not needed. And if you don't essentially break the process when you're doing that, you didn't cut enough stuff out. And I see that all the time in different accounts, and even at IT Audit Labs, with, like, well, why do we do it that way? Working with an account recently, somebody on my team in the account, we have a model sometimes where we'll go in and we'll run a security organization for a customer and their teams report into us. And in one of the accounts we had somebody new join the team. Their name was spelled incorrectly.
Speaker 3:So you can imagine all of the Active Directory assignments and whatnot are all associated with the incorrect name. Then to get that name changed took three days, right? You put in the ticket. It's got to go through all this monolithic stuff to get the name changed, because you can't just bang the change into Active Directory. It's got to come from the HR system, and that's on a batch process, right? All of this stuff, and I'm like, okay, yeah, the guy's new, he's getting set up, annoying, not a big deal. But what happens if you're an employee at that company, or a contractor working with that company, and you've recently gone through, say, an exit from an abusive relationship and you're going through a name change? Or say you're going through a transition and you're changing your name, and you've changed it legally or what have you, and referring to your past name causes you pain. Well, for those three days, the company, the organization, is not giving that person three days off while they figure out how to change a name. That person has to come in and enter the name that is painful to them. So it's like, why are we doing that? Changing a name should take 30 seconds, and if it's longer than that you're doing it wrong.
Speaker 3:So when I think about the Musk book by Walter Isaacson, going through and making those deletions to be more efficient, to be faster, to put out the Model S, to put out the Model 3, the Model Y, the Falcon 9 rockets, the Merlin rockets, all that good stuff, that could only be done by getting rid of the crap and really just being tight and judicious and clean, and sure there's pain along the way.
Speaker 3:I'm not saying there wasn't. People worked lots of hours to do this, but there's nobody else doing it, right? And that's why, at least according to the book and according to Walter Isaacson, Elon Musk has been so successful with, I'm not going to say all, but many of the companies that he's been involved with. I mean, I know it's kind of interesting that they can't get a robot to walk straight, you know, with that robot that they're trying to build. But the point being, if we just think about how do we delete the crap, the 80% of the crap, from everything that we do? Everything would be better. So, long tangent, but that is one of the books that I enjoyed reading at the end of last year.
Speaker 2:I also read the book and I have one call out in the book and I could be explaining this wrong, but Elon also had an issue with SpaceX, their parts being super expensive to get, and there was a part where he was explaining some like AC unit to cool something down.
Speaker 2:It was like a hundred grand from this vendor, and Elon said, why does it need to cost that much? They went and got an AC unit for, like, a house, and they re-engineered the hookups, and it cost $5,000 and it worked. So then I was thinking to myself, when I was driving back to Texas from Minnesota over Christmas, how does that connect to our industry? Eric already talked about a couple, but I was thinking to myself, we have all these high-horsepower tools. We need those, but we also need the high-horsepower individuals, smart individuals willing to do the work, to read after hours, to understand the industry. And to me, the people are the $5,000 AC unit that can work with these high-horsepower tools. So the book just connects in so many different areas, but I have to agree, it's an awesome book.
Speaker 1:I love it. I'll put that on my to-read list this year, 2025. Maybe we can get a couple of flamethrowers up in the IT Audit Labs office. The Boring Company, yeah, yeah, yeah. So you heard it here, folks. If you want to stay efficient and cut all the red tape, check out IT Audit Labs. You've been listening to the Audit presented by IT Audit Labs. Today we've been chatting with Eric Brown and Nick Mellum, and I'm your co-host and producer, Joshua Schmidt. Like, share and subscribe, and please share us with your friends. We'll be doing podcasts every other week through the year of 2025.
Speaker 3:Thanks for listening and see you in a couple weeks. We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J. Schmidt, and our audio/video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials and subscribing to this podcast on Apple, Spotify or wherever you source your security content.