All links and images for this episode can be found on CISO Series (https://cisoseries.com/we-lower-the-security-and-pass-the-savings-on-to-you/)

We're racing to the bottom in terms of price and security on the latest episode of CISO/Security Vendor Relationship Podcast.

This episode was recorded in person in San Francisco. It is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Seth Rosenblatt (@sethr), editor-in-chief, The Parallax.

Thanks to this week's podcast sponsor, Encryptics.

Now you can share data without ever losing control of it. Our advanced architecture makes data self-protecting, intelligent and self-aware – wherever it goes, no matter who has it. Our .SAFE patented multi-key technology enables data to evaluate its own safety conditions, including geo-sensing, recipient authentication, and policy changes from its owner. Contact Encryptics today and see for yourself.

On this week's episode

Are we making the situation better or worse?

Are big Internet giants' privacy violations thwarting startup innovation? That's been presidential candidate Elizabeth Warren's argument, and it's why she wants to break up companies like Facebook and Google for what she sees as anti-competitive practices. According to Seth Roseblatt's article, it appears all of a sudden Facebook and Google are very concerned about privacy.

Nine years ago, I remember seeing Eric Schmidt, then CEO of Google, proudly admit that they tracked people's movements so thoroughly that they can accurately predict where you're going to go next. Nobody blinked about the privacy implications. But today, users are upset but they don't seem to be leaving these services at all. Is it all talk on both sides? Have you seen any movement to improve privacy by these companies and would regulation be the only answer? And heck, what would be regulated?

Here's some surprising research

Over the past 15 years, home WiFi routers have been manufactured to be less secure. Seth reported on this study by the Cyber Independent Testing Lab, which we also discussed on an episode of Defense in Depth. The most notorious weakening is the use of default passwords, but there's a host of other firmware features that don't get updated. Is there any rationale to why this happens? And has this study done anything to turn things around?

Is this a cybersecurity disinformation campaign?

Fighting "fake news" like it's malware. In Seth's story, he noted there are structural and distribution similarities. I envision there are some similarities between fake news and adware which isn't necessarily designed for negative intent. Fake news appears to be an abuse of our constitutional acceptance of free speech. How are security tactics being used to thwart fake news and how successful is it?

When you set up your new home assistant, try not to position it close to a window, because someone across the street might be preparing to send voice commands, such as “open the garage door” by way of a laser beam.

Researchers from the University of Michigan and The University of Electro-Communications in Tokyo have successfully used laser light to inject malicious commands into smart speakers, tablets, and phones across large distances and through glass windows. They use standard wake commands modulated from audio signals and pair them with brute forcing of PINS where necessary.

They have also been successful in eavesdropping, and in unlocking and starting cars.

Their research shows how easy it is and will be to use lasers to not only penetrate connected devices but to deploy acoustic injection attacks that overwhelm motion detectors and other sensors. More information including access to the white paper is available at lightcommands.com.

More from our sponsor ExtraHop.

Look at this, another company got breached

Tip of the hat to Malcolm Harkins at Cymatic for posting this story on Forbes by Tony Bradley of Alert Logic who offers a rather pessimistic view of the cybersecurity industry.

It's broken, argues Bradley. We spend fortunes on tools and yet still get hacked year over year using the same tools. The article quotes Matt Moynahan, CEO, Forcepoint, who said we wrongly think of security as an "us" vs. "them" theory or "keeping people out" when in actuality most hacks are because someone got access to legitimate user credentials, or a user within our organization did something unintentional or potentially malicious. Are we wrongheaded about how we envision cybersecurity, and if so, is there a new overarching philosophy we should be embracing?