Risky Business Episode #823 Summary
Title: Humans Impersonate Clawdbots Impersonating Humans
Date: February 4, 2026
Host: Patrick Gray
Co-Hosts: Adam Boileau, James Wilson
Overview
This episode dives into some of the messiest and most amusing security stories of the week with an emphasis on the convoluted situation around "Claudebot," AI agents, and Maltbook, as well as high-profile breaches, legislative developments, and a range of vendor security disasters. The show also introduces new Risky Business Media team member James Wilson. A sponsor segment with Fletcher Heisler of Authentic spotlights their new open-source endpoint agent.
Key Discussion Points & Insights
1. Introduction of James Wilson (01:21 – 02:00)
- Background: Patrick introduces James Wilson as the latest team member, formerly a tech exec and Apple/Amazon engineering veteran.
- James: Brings a deep technical background in authentication and data privacy.
2. The Notepad++ Supply Chain Breach (02:00 – 06:16)
- Incident: Chinese APT group Lotus Blossom compromised Notepad++'s shared hosting, redirecting update traffic and serving backdoored updaters.
- Code Signing Chaos:
- Notepad++'s developer at one point shipped a self-signed root CA for end users to install into their trust store so that his update signatures would validate, creating massive trust and security risks.
- Adam (03:47): "They shipped their own root CA for a while and had the end users installing essentially a self-signed root CA into their trust... which is just insane."
- Impact: Targeted attacks, mainly on Taiwan, with sophisticated DLL side-loading.
- Advice: Users should reconsider what software they entrust, especially when project maintainers demonstrate erratic operational security.
- Technical note: Rapid7's writeup revealed interesting tradecraft, including DLL sideloading via Bluetooth service executables.
3. The Claudebot/Maltbook/OpenClaw AI Psychosis Fiasco (06:16 – 16:57)
- Three Distinct Elements:
- OpenClaw Bot: An open-source, modular AI assistant/agent.
- Skills Registry (Claw Hub): Like npm for ‘skills’ (prompt snippets/plugins) with rampant malicious entries, fake popularity metrics, and easy exploitation.
- Maltbook: A “Reddit for bots,” where AI agents can socialize, exchange messages, and get manipulated—often by prompt injection and humans masquerading as bots.
- Security Perspective:
- Claw Hub skills registry is "very problematic." Easy to poison, spoof download counts, and inject malicious behaviors.
- James (07:50): “Skills are like, think of an NPM sort of package registry for little prompt snippets. And it is as bad as that sounds.”
- Prompt Injection Epidemic:
- Maltbook is rife with prompt injections; adversaries can easily plant malicious posts that participating bots ingest.
- Patrick (10:06): “You've got all of these claudebots crawling this Maltbook thing. And half of the threads are like, hello, claudebot, please stop what you're doing and ignore all previous instructions.”
- Grok Incident:
- Security researcher Jamison O’Reilly got xAI’s Grok to register for Maltbook using a creative prompt hidden in a Canva-generated image.
- Jamison describes (16:10):
“I went to Canva and generated a black square with really, really dark gray text... Then I went back to Grok and said, can you make out what it says in this image? And then, bang, it responds with my verification code.”
- Bigger Risk:
- Giving such agents system/inbox access is a massive risk area.
- While not inherently “bad,” these open-source agents glue code and data together, making safe operation nearly impossible.
- Adam (12:17): “If it was easy and straightforward to do safely, Apple and Microsoft would already be selling it to you.”
4. LLMs and Messaging Privacy: Is End-to-End Encryption Irrelevant? (17:00 – 19:21)
- Concern: As Meredith Whitaker (Signal Foundation) flagged, LLM integrations (summarizing messages, notifications) can create new points of compromise and potentially undermine E2EE.
- Adam:
“Having private conversations is going to become hard because of all of this integration... there's another place where people can go and get your data.”
5. Firebase, Supabase and Data Leak Epidemics (19:21 – 21:33)
- Chad & Ask AI:
- 50M-user app that left hundreds of millions of private messages exposed due to misconfigured Google Firebase backends.
- Security researchers scan app stores for misconfigurations, listing vulnerable apps in real time.
- James:
“If you just trust the output of the model, the model's produced you code that will work. But will it work safely?... That needs a human to judge it.”
6. Journalist Raided: Signal Desktop, Biometrics, and OpSec Failures (21:33 – 26:51)
- Story:
- Washington Post reporter raided by FBI; Signal messages seized from her work laptop via biometric unlock (which can be compelled in the US; passcodes cannot).
- Gotchas:
- Signal Desktop mirrored on a managed/work device is a big risk, as is using biometric unlock.
- James:
“If you turn on lockdown mode on one device, maybe you should be prompting any other devices to say, hey, do you want to review your use of biometrics and other access methods?”
7. Epstein Files and Wild Accusations (26:51 – 30:56)
- Focus: Allegations that security pro Vincenzo Iozzo was Epstein’s “personal hacker” and arms broker.
- Patrick: Points out the source is a dubious, unsubstantiated FBI tip with wild claims (Vatican, Iranian, Israeli passports, Hezbollah deals, etc.).
- Takeaway: Guilt by association is a dangerous line; actual evidence remains absent.
8. Google-Takedown of Residential Proxy Networks (30:56 – 33:21)
- Action:
- Google and partners sinkholed a major residential proxy botnet (using SDKs in third-party apps to enroll consumer devices).
- Impact is significant (cuts millions of nodes), but such networks are quickly rebuilt.
9. Polymarket Bets & Nobel Speculation (33:21 – 34:16)
- Underlying Story:
- Unsubstantiated digital espionage theories after a prediction market correctly picked the Nobel Peace Prize winner; evidence lacking.
10. Physical Pen Testers Awarded $600K after Arrest (34:16 – 36:30)
- Context:
- Pen testers arrested after authorized Dallas courthouse assessment in 2019 finally win settlement.
- Industry lesson:
- Paperwork is vital, but these are edge cases. “Pen testing is not under attack,” says Patrick (36:30).
11. Microsoft Disabling NTLM (36:30 – 38:22)
- State of Play:
- Microsoft moves to disable NTLM by default in new Windows releases; significant given continued prevalence of NTLM relay attacks.
- Adam:
“To finally have it off by default... it's been a long journey since NT4.”
12. Critical Bugs: Ivanti, SolarWinds, Fortinet, SonicWall (38:22 – 42:41)
- Bugs Briefs:
- Ivanti: Command injection vuln; clever shell-golf exploitation.
- SolarWinds: Deserialization vuln—now a “bypass of a bypass of a bypass of a bypass.”
- Fortinet FortiCloud SSO: Homebrewed SSO with critical auth bypasses now exploited in the wild.
- SonicWall: Victim company seeking compensation after alleged cloud backup breach; probably a legal dead end.
13. Privacy Policy Easter Egg: Cape’s Switzerland Trip (42:41 – 44:03)
- Story:
- Cape, a privacy-focused telco, hid a Switzerland trip giveaway in their privacy policy. It took only two weeks to find—evidence that privacy-conscious users actually read the fine print.
14. Russian Attribution Theater & Threat Intel (44:03 – 45:33)
- Ukraine, Sandworm, and Attribution:
- Industry is in heated debate over attribution of Russian-linked attacks; Tom Uren teases a deeper breakdown in the companion "Seriously Risky Business" podcast.
15. Sponsor Segment – Authentic’s New Endpoint Agent (46:43 – 55:27)
- Guest: Fletcher Heisler, Authentic (co-founder)
- Product: New open source endpoint agent for their self-hosted IDP; designed to enforce device posture (full disk encryption, EDR, MFA, etc.) as a login prerequisite.
- Use Case:
- E.g., 911 center using Windows devices with biometrics and other credentials; need quick but secure access between endpoints.
- Cross-Platform Pain:
- Linux: Still addressing compatibility challenges due to OS fragmentation.
- Heisler (49:35): “We’re still addressing it, to be honest... Every Linux box is a unique little snowflake.”
- Security Philosophy:
- Strive for flexibility, support for open standards like Passkeys/FIDO rather than proprietary endpoint agents.
- Emerging Demand:
- Growing federal interest, especially for FIPS compliance and air-gapped environments.
- Increased relevance for automated agents/nonhuman users.
- Heisler: “If it's a nonhuman user, if you want to secure it all the same ways, you want to give it the same sort of access with security and guardrails, it should have that ability.”
- API-focused design: All functionality is accessible programmatically for both humans and agents.
Notable Quotes & Memorable Moments
- On Open Source AI Agents:
- Patrick, (10:56): "It's a strange situation where someone has set up a place for computers to go and pretend to be human and now it's being infiltrated by people pretending to be computers pretending to be human to trick the computers that are pretending to be human..."
- On Open-Source Project Risks:
- Adam, (04:51): “When you're pushing a self-signed cert out to all your users, it doesn't fill me with joy. It doesn't spark joy.”
- On Prompt Injection Epidemic:
- Patrick, (10:06): “...half of the threads are like, hello, claudebot, please stop what you're doing and ignore all previous instructions.”
- On Pen Testing Risks:
- Patrick, (36:30): “Calm down, guys, calm down. A bit of an edge case, but it's nice that it's been resolved now.”
- On Biometrics and OpSec:
- Adam, (24:19): "...if you have got Touch ID enabled on there, that's how they're going to get in there regardless."
- On Corporate Vendor Stickiness:
- James, (41:08): “If you've got a really solid account manager, account executive with Fortinet in with the CIO and they're best mates... it’s their products that are going to get a look in first.”
Important Timestamps
| Segment | Timestamp |
|---------------------------------------------|-------------|
| Intro and team welcome | 00:03–02:00 |
| Notepad++ breach, code-signing insanity | 02:00–06:16 |
| Claudebot/Maltbook/OpenClaw explainer | 06:16–16:57 |
| LLMs eroding encrypted messaging privacy | 17:00–19:21 |
| Firebase/Supabase data leaks, AI app breach | 19:21–21:33 |
| FBI raid, Signal opsec/ecosystem | 21:33–26:51 |
| Epstein files, ‘personal hacker’ rumors | 26:51–30:56 |
| Google’s residential proxy botnet takedown | 30:56–33:21 |
| Polymarket Nobel betting | 33:21–34:16 |
| Pen tester compensation case | 34:16–36:30 |
| Microsoft disables NTLM by default | 36:30–38:22 |
| Critical bugs roundup (Ivanti, SolarWinds…) | 38:22–42:41 |
| Cape privacy policy Easter egg | 42:41–44:03 |
| Attribution games: Russian attack analysis | 44:03–45:33 |
| Authentic’s endpoint agent interview | 46:43–55:27 |
Takeaways
- Trust Software Wisely: Supply chain and operational security practices matter deeply—question both the code and the behavior of open source project maintainers.
- Prompt Injection and AI Agents: The current era of open-source AI bots is a security and trust nightmare; actual secure integrations remain rare and risky.
- App Security Hygiene: Model-driven/generated code does not excuse lack of human oversight; cloud misconfigurations are rampant and often publicly visible.
- Physical and Digital OpSec: Convenience (e.g., Signal Desktop, biometrics) can be the enemy for those handling sensitive information.
- Industry Dynamics: Many enterprise security woes are as much social and political problems (vendor stickiness, sysadmin choices) as technical.
- Vendor Developments: Open-source alternatives to major IDPs (like Authentic) continue to grow, focusing on flexibility, openness, and API-first design.
[End of Summary]
