A
And welcome to this Soapbox edition of the Risky Business podcast. My name's Patrick Gray. For those of you who don't know, everyone you hear in a Soapbox edition of this show paid to be here. It's a sponsored product, but we get to have some really great conversations, and that's what we're going to do today. So today's Soapbox is brought to you by GreyNoise. And if you don't know, GreyNoise operates a global-scale network of honeypots, which enables them to see who's doing mass scanning and mass exploitation on the Internet, to detect that sort of stuff very quickly and turn it into all sorts of extremely valuable threat intelligence. So the way most people use it is they can look up an IP to see if bad stuff has originated from it. So it's a good way for you to avoid toxic IPs. They can also do stuff like capture people's attacks and reverse engineer, using AI, someone's probes into 0day. This is something that they've done before, but normally it's an intelligence-about-IPs kind of product. But, you know, going with that theme of them discovering all sorts of really interesting stuff, the founder of GreyNoise, Mr. Andrew Morris, joined me for this interview, where we really started off talking about how they are getting a three-month heads-up these days when really damaging 0day is about to drop. So it's a bit of a windy road in this conversation for him, for me when I did it, and probably for you as the listener, to understand exactly how that's happening. But basically there are all these tells that GreyNoise can pick up on where they can say there is going to be a Cisco ASA-like bug dropped in three months that's really, really damaging. People should prepare for that. So yeah, really interesting conversation that I recorded from a hotel room while I was in Melbourne with Mr. Andrew Morris, the founder of GreyNoise. And we also talk a lot about IPv6 versus v4 and some of the challenges. 
It's just all in all a great conversation and interview. Please enjoy it. I will drop you in here where Andrew is talking about GreyNoise's ability to sort of precog know that some serious vulnerability is coming. Here he is. Enjoy.
B
So Bob Rudis, he's our chief scientist, he's, you know, he's doing some research to back up some marketing claims that we were making maybe a year or two ago, right. And some marketing claims we're making: hey, we're going to see early warning signals and blah, blah, blah. And so it's like, hey, Bob, can you dig into this and really find maybe an example or two of us spotting something before it happens? Right. Bob digs into the data and he does a lot of kind of regression searches and tests, looking at spikes that happen in probe, scan, crawl activity, basically inventory activity, for specific sensors that are running specific software, and then looks to see if any noteworthy vulnerabilities come out within a certain period of time of that. And like, we knew in our hearts that it was likely that that was linked, or that these two things were together, stated differently. All of a sudden, everybody and their grandma wants to know about, I don't know, you name it, Fortinets, ASUS, routers, who cares? And then, you know, three months later, like clockwork, we hear about a really big, bad, scary zero day that's been disclosed, and that's when it becomes public. So we knew this in our hearts because we've been doing this for a handful of years. The behavior of it makes sense. But when we actually, like, dug into it, we wrote a research paper about this, the results of it are, like, kind of eerie how often it happens consistently.
A
Yeah. Correlation is one to one, basically.
B
Yeah. I mean, it's like kind of every time. So there's a certain size of spike that we only see when a very big scary vulnerability is going to be disclosed. And it's within 90 days, right? 30 to 90 days. And what's fascinating about it is, so then that I don't want to say emboldened us, but, like, you know, I'm a cynical, skeptical security person. Security people hate hearing, like, marketing BS that they're gonna hear of, like, ooh, I'm gonna ha. Whatever. I was like, hey, guys, let's be very careful about any claims that we make on this. But I'm looking at the charts and I'm like, this happens every time. Like, every single time. So after we published the paper, we see it was. I mean, there were two pretty big scary spikes. One, one in people looking for Cisco ASAs, and the other for people looking for Palos. And really bad bugs came out really kind of right smack on time. So what's fascinating to me, let's take the step back, right? Who's doing it? Who is doing those spikes? It's not like all of a sudden everybody starts doing really big spikes. It's so tightly coordinated when it happens that it's very clear that it's one actor operating from many, many different places. So what I find is Someone who.
A
Has the, Someone who has resources, basically, right? If they're the ones doing the global recon and then developing, or have already developed and then do the recon. But yeah, it's someone who's well resourced.
B
And so what's fascinating is that you'll see, I mean, they've got resources because we'll see it happen all at exactly the same time with exactly the same protocol. Fingerprints from maybe 5,000 IPs at exactly the same time. So it's like, okay, well, I know that whoever it is either can lease 5,000 IPs on the Internet or they've got access to 5,000 compromised devices. So there, in and of itself, you've got resources. But the other one that's really fun to think about is, is this a defender or an attacker? Is this the vendor?
A
Well, that's okay. So there's a couple of things here, right? So there's that, right, which is someone like my beloved co-host Adam Boileau, who has actually built mass scanning tech previously, like he built the low hanging kiwi fruit many, many years ago. And would, you know, you see someone ripping through the Internet looking for that stuff. It could have been him, could be some beardy UNIX guy in New Zealand just looking for stuff. But the other, the other angle on this, right, is I respect the science of it, but this is not actionable insight.
B
Okay?
A
You know what I mean? So even if, you know, even if you, GreyNoise, and I just wanted to get your feelings on this, right? You, GreyNoise, you're sitting on this, this extremely sophisticated thing, right? The sauce, as you call it, like Neo from the Matrix.
B
That's right, that's right.
A
Things fall, right? That's right. And you're like, in three months someone is going to attack SharePoint. You know what I mean? Like, yeah, yeah. Okay, so what do you do at that point? Because you could tell all your customers in three months, someone's going to attack SharePoint. They're not going to do anything because. Because we live in a horrible world.
B
You're not wrong. You're not wrong. I would say for the last, for the, for the first five years of GreyNoise, I would say nobody does anything. Everybody. You know, there's so much FUD. There's gonna be people that say stuff like this that indeed is not actionable. I am personally now so confident in this, and I feel like we've gotten this correct enough times and we've got the receipts to prove it, that at this point you need to take, like, all those security controls that you think that you have on these edge devices, you better double check those. All of the networks that are behind them, you better make sure. You better assume that they can be moonwalked into, right? Any kind of audit that might involve, like, hey, let me just reread those configs real quick, like with my eyeballs. Even though no alerts went off, because you can't put EDR in an edge device, let me use my eyeballs to go through and just make sure that the users that I think are logged in or created, that they're good. Let me make sure that the configs are good. Let me make sure that it's not talking to anything that it wouldn't. And I would, again, I would say that for the last five years, I would totally agree. I would say, like, look, people say this stuff all the time. What are you gonna do? But at this point, no, I think you very meaningfully. It's not like a maybe something's coming. It's that in that moment, to someone, those devices are vulnerable. So you need to just assume that that's the case, right? Like, really assume that that's the case. And then trace through. Maybe it's tabletop, maybe it's looking at connections again with your eyeballs. Maybe it's actually going through. Maybe it's rebooting those things. Because as we found out from the BADCANDY report that the ASD just did, a lot of these are in-memory implants. So you can just nuke it, up-down once, and you've kicked off, you've booted them out of the access, and they're at least going to have to pop it again. 
And you kind of know it's coming. So this is where I think we end up on it. Can you, should you freak out? No, that doesn't do anything. That doesn't help anybody, right? But, like, there are some things that, like, forget about cyber, right? Like a dude walks by in the middle of the night and he walks past your car. I'm not freaking out, right? The dude peers into your car. I'm starting to get a little bit sketched out, but maybe he thinks it's his car. The dude tries to open the door of the car. The guy's trying to get into your car, right? Like, the dude's up to no good, right? So these are some things like that. And it is going from a little bit of a voodoo art to, like, kind of a little bit of a science. And I get a lot of sort of satisfaction out of knowing that we're kind of both catching a potential, like, the vendor who might be asking a security research group or a nation state apparatus, hey, there's a really big bad bug. How many of these things are out there? Where are they? Because not all of these vendors really get that level of telemetry. Even though I would hope and assume that they do, they don't. Right. Or maybe it's an offense team who's saying, oh, we found out about a bug, we gotta figure out where all these things are so that we can figure out all the accesses to go into. And the 90 days is so fascinating because that's kind of the perfect responsible disclosure timeline. Right. As soon as MITRE knows about something, as soon as the vendor knows about something, then in very real terms the clock starts: 90 days.
A
So you think it's possible that some of these actors are getting an early indication that a bug is coming down.
B
In something? A hundred percent. Absolutely.
A
So this isn't research that they've done?
B
No.
A
Then they're right.
B
Okay, that's why I think it's so fascinating. Somebody all of a sudden has a massive interest in figuring out where every single XYZ devices around the Internet. And they're doing that for one of two reasons. There is no third reason.
A
Okay, so when you were saying a bug is coming, you meant like a publicly disclosed bug, not one that shows up just as a 0day then hitting those devices.
B
It may have been disclosed to the vendor, it may have been reserved by MITRE, but it's not. There is, but nobody knows about it but the person who found it and maybe the vendor.
A
So what I find interesting there is, because when you were originally talking about this, I figured what you were saying is someone has found a 0day, right, in a product, then they're going out and scanning to find that same person or same actor or same resource, well-resourced organization is then going out scanning and finding where it is. But I guess what you're saying is they maybe have some insight into reporting.
B
Channels or they are reporting channels. So, you know, if I were, if I were Acme Edge company, I would definitely have research partnerships with universities. And there's certain things that as a, you know, a giant publicly traded company who has XYZ gazillion dollar contracts with maybe the DoD, you know, insert wherever. I'm sure it's the same in places like China and other giant countries. They have certain sort of information sharing and disclosure sort of processes that they're gonna go through. And someone somewhere along the way is gonna be like, ah, we gotta figure out where all these things are. And we gotta figure out.
A
Okay, okay, so you're not just saying that like an adversary might be sitting in a bug tracker, for example, which.
B
Is, you know, okay, they're definitely doing that too. But that's not what.
A
Yeah, so, but more that just when the wheels start turning on a bug disclosure, you're gonna see it in GreyNoise.
B
That's right. And the worse the bug is, the more intense the scanning that we're gonna see, because the louder and faster they're gonna have to enumerate those vulnerabilities is, or enumerate or inventory those devices is. So there's a difference between, hey, it's a bug that is like, you know, low severity information disclosure. It sucks, but it's not the end of the world. It doesn't lead to full system compromise. Yeah, man, like slowly scan that, kick that bad boy off from four different places, let it run for the next 90 days, whatever. When we see 150,000 IP addresses suddenly start looking for an ultra specific piece of software and they're not looking for anything else, we're like, number one, someone with resources. Number two, they are super interested in Palo Altos, right. And they're not interested in anything else.
A
Let me ask you something though. Like why are these people doing these scans not using stuff like Shodan? Why are they not using stuff like Censys? And you know, when it comes to, you know, state backed adversaries like China, we just saw a leak out of a Chinese contractor that was like owned by Tencent that looked like they had something similar to being like a Chinese Censys that no doubt, you know, all the MSS people can log into and like look up stuff. So why, why do this? Why show your hand by scanning from 150,000 IPs and showing Andrew Morris and friends exactly what you're looking at?
B
So I would say, like, number one, maybe it's because, from everybody else's perspective, you're probably not gonna see it. The only reason we see it so much is, like, we have no business value and we're in 80 different countries, in close to a hundred hosting providers and thousands and thousands of places. So to us you're gonna stick out like a sore thumb, while to, like, you know, Joe Random Network, he's gonna see 1, 2, 3, 4, 5 IPs probing a path, whatever. So to us it jumps out in a really big way and the loop's not really getting closed there. And we, and maybe they find all of our sensors, but we burn them and stand them back up pretty often, so who cares? The second reason of why really does depend on which side of that you're on. If you're. If you are the defender, if you're either the vendor or the equivalent of the Information Assurance Directorate.
A
Yeah, you don't really care about getting caught because you're not doing anything wrong.
B
There's no caught to get, right. You're just like, I got to find these things. I think a more interesting question, though, is in the heart of what you asked. Why not use Censys? Why not use Shodan? Like, why not use one of these ones that are already inventorying it? So I'd say for a couple of different reasons. One, you're gonna leave a log there of you having done that, I guess, as opposed to leaving a billion of.
A
Them when you do it yourself with GreyNoise. Yeah. Instead of just giving them all to you.
B
Yeah, yeah, that's right. Number two is that no matter how good and how thorough all of these are, and they are good, and they are thorough, lots of people are gonna block or redirect or mistreat these benign scanners, 'cause they don't see upside in allowing themselves to get inventoried. Whether I ideologically agree with that or not, you know, you're always gonna get better mileage when you do the scanning yourself, when you know what you're doing. And then the last one is, like, a lot of these bugs are, you want to figure out with very high certainty that the bug is there, but you don't want to tip your hand to the path of the bug. Right. It's like the whole CVE. Do you give a good description or a bad description?
A
Well, and that could be. That can be hard because maybe you're checking not just a version, but the presence of some module or something like.
B
That's right. And maybe it's a module that Censys and Shodan don't check for. So maybe they're looking for, you know, they're looking for all these banners, but maybe they're not looking for that one model-specific register. Maybe they're not looking for that one stack trace that goes out in this place. And that's what you need. And you know this, like, there are lots of bugs. There's so many of them. And so, you know, so you. And so the nature of each of these bugs is going to be a little bit different. And look, your Censys, your Shodan, you're doing this. You're already hitting 4 billion IPs just for the routable IPs, not even thinking about all the vhosts and all the web stuff. So you're already doing a lot of requests every day. You don't want to do 2 or 3 or 4 or 5 per software per thing. That's a lot of overhead. Like, that adds up really quickly.
A
Well, it's almost like you think of, like. I mean, I'm sure, I don't know, but I'm sure you could probably go to Censys with a custom request, right? It's sort of like. But at that point, it is kind of like tasking a satellite. It's like tasking a satellite at that point, right?
B
Yeah, that's right. I mean, so you can, like, a lot of these. I mean, Shodan's been doing it for a long time. Censys, you know, they have on-demand scanning capability, like all of these different, you know, the real players who know what they're doing. They're gonna allow you to give them a little bit more nature of, like, what exactly you're looking for, and then they'll kick it off. It's risky for them to do, though, 'cause you, you know, that can kind of go wrong when somebody slips in a, you know, directory traversal bug to this and all of a sudden, you know, Zakir goes to jail. But, you know, and they don't want to tip people.
A
Right.
B
So it's, it's a funny cat and mouse game. It's like not, not in. It's a confection or confection or something like that. When you, you, you, you have a solution and you have to figure out what the problem is that somebody's solving for. It's, it's, it's kind of the, the definition of the reverse engineering. Right. Like, I don't know what people are looking for, but I do know the specific requests that they sent and I know where they sent it to, so I can surmise. Right?
A
Yeah.
B
So they want to give me as little information as possible. If you're, if you're out there, bad guys, you know, you don't want to give me anything. Right?
A
Well, but I mean, the point is, the point is you don't know if they're the bad guys. You don't know if they're the vendor. I don't know if they're like some security company that's found a bug and they're doing a survey for their marketing blog post when the bug drops in three months.
B
But I am simply uninhibited by whatever the restrictions are that they're going through. I don't have any early access to this bug. So as soon as I hear a credible rumor, this is a metaphor that I'm making, as soon as GreyNoise hears a credible rumor, you bet your ass we're going to tell everybody about it. We got no reason not to, right?
A
Yeah.
B
And so as long as. And again, I'm treating the security community like adults here. I'm saying, look, guys, don't just freak out about it. Don't throw a bunch of money at some random vendor who says they're going to make your problem go away. But yeah, if we say that a bug's coming in Cisco ASAs, please review your Cisco ASA logs and, like, audit those things and go through it. And I'm not picking on ASA. They obviously, they've got some bugs going on right now, but it could be any of them. And it is every time.
A
Yeah. You know, one thing I want to talk to you about, right. Like, so I'm working with Knock Knock, as, you know. Right. So it sort of tangentially connects. Connects to what you do. Right.
B
Huge fan.
A
One thing that's been really funny, right. My experience there is the border device problem is huge. Right. It is absolutely massive. And where Knock Knock is getting traction is actually for the internal use case. I mean, it is getting traction for external as well, for external attack surface. But what's crazy is like, hey, it's growth. I'll take it. It's going well.
B
The hair. My back starts to sweat as soon as I hear you say that.
A
I'm like, I don't get it either. Right. Which is like, I think there's this perception among a lot of enterprises. They think they're in a better. They think they're in better shape than they are. Right. When it comes to their external attack surface. Does that vibe with your experience as well? Because you're talking about, like, oh, okay, we can tell them that there might be a bug coming down in three months, so they're going to go and check the configs and this and that. I feel like there's a real disconnect between what people, what is accessible from the outside and what they think is accessible from the outside. Do you see that as well?
B
Yes. I mean, so this is. This is my opinion. I'm going to wax poetic for a second. I think one of the biggest sins that, you know, more mature, that advanced organizations have, especially those who spend a ton of money on security products and with, you know, big master service agreements with different security vendors, is that, like, they kind of forget the basics and they assume that they're better off than they are. The way that, like, that people who work in offense. I mean, I used to work in offense, right? I really never had to do any super, you know, crazy matrix voodoo stuff to get into networks. Like, there's just a handful of things that just work. When I look at the credentials that attackers are spraying right now, it's autumn 2025, exclamation mark, capital A. And they're doing that 'cause it works, right? And it's gonna fit inside the security policy, right? So it doesn't matter how many different crazy firewalls and stuff that you've got. Like, somebody's password is gonna be autumn 2025, exclamation mark, capital A. And they're gonna get in, right? So that's one. Two, my bigger point here, and I'm very glad that we're literally on the Soapbox right now, because, boy, I'm climbing on it. This whole attitude of, like, oh, this is a single player game. I'm just gonna protect my network and it's okay that the whole rest of the Internet is screwed. That can't affect me. It doesn't work, man. Like, the ISP's doing nothing, the vendor's doing nothing. Like, the government, in certain cases, doing nothing. The hosting provider's doing nothing. And just being like, good luck, everybody, update those firewalls, right? The firewalls are the ones getting popped, right? And so if the expectation, from my perspective, if the expectation here is that, like, we're going to duplicate effort intentionally so that we don't muck around with, like, the free part of the Internet, I'm over here. 
Like, why would you invite somebody who has COVID-19 to your wedding? Why would you do that?
A
Even if, you know, I'm with you?
B
Even if your guidance, even if your guidance to all the guests is, hey, by the way, you better be vaccinated, 'cause some dude's gonna be here with COVID-19. I'm like, no, if, you know, someone's got COVID-19, he's not allowed to come to the wedding, man. That's the bigger problem, in my view.
A
Yeah, no, I get it. I mean, but you've always had that vision of wanting to fix the Internet, right? Which is like, talk about thinking big. You know, I remember talking to you years ago, and you're like, my. My dream end state for this is someone does a mass scan on the.
B
Internet, they're immediately persona non grata.
A
Exactly. We kick them off the Internet. Right. So where that gets interesting though, and as I say, I've been spending my, a lot of time with my head in this space. Where it gets interesting though is when you've got all of these residential proxy networks at the moment. This is a problem for. Well, this is a problem ish.
B
For we. And in particular.
A
Well, hang on, let me, let me.
B
Let me finish that.
A
Right, so yeah, so what happens is you've got these residential proxy networks, you know, thousands of compromised devices and you know, the Chinese have developed these things in response to companies like yours doing a better job. Right.
B
Like a well oiled machine.
A
Yeah, 100%. So they can pop out of some compromised residential machine. And they're popping out of a grandma's.
B
Toolbar in the browser.
A
Exactly. And they're popping out of a clean CGNAT gateway. Right. So it's like a major ISP's gateway for a certain region in the United States. And from a GreyNoise perspective, like, that's hard. From a Knock Knock perspective, that's hard. Right. Which is what I'm talking about. And I think, you know, you've got to realize that with a lot of this stuff it's like, you know, you can massively reduce the risk. And indeed we're building eventually a GreyNoise integration so you could pop your GreyNoise API key into Knock Knock. So if someone is trying to get a network port from a bad IP, it'll just say no.
B
Yeah. Or an IP that's ever touched us. Right. Because people who are using Knock Knock are probably not randomly scanning the Internet, right, from the same box right before they do it. Right?
A
Yeah, yeah, exactly. Right. So it's like that massively reduces the risk. But I guess where I'm going with all of this, right, is that a lot of what we're talking about, we're trying to patch over the shortcomings of IPv4. And the longer you spend in this space, the more you realize that wouldn't it be nice if we lived in an IPv6 world? Now don't get me wrong, that's going to bring with it a different category of problems. You're going to have issues that are different problems around discovery.
B
First of all, you're going to have to rewrite every security product on the market right now because none of them support it. Right.
A
So there's that. You're also going to, yeah, you're going to have issues around, like, how do you discover assets, you know, but that's a problem for the bad guys as well. But I guess my point is, like, it sort of feels at this point that IPv4 is just not fit for purpose. And I wanted to get your thoughts on that, being Mr. Network Guy.
B
Yeah, I think NAT. So like, I think this whole notion of, like, non-routable IPs, the existence of non-routable IPs as, like, a, let's just call it a kind of a gloss-over, sort of real quick and dirty solution to, like, not having enough IPs on the Internet.
A
Like everything is NAT now. Everything is NAT. It's crazy.
B
So everything is NAT. And so the issue is that it was never meant to be a security control, ever, right? It is not a firewall. It is not a firewall.
A
But no, but it's really good at obscuring the origin of something, right? Which is a problem for GreyNoise, problem for us.
B
It's kind of become a de facto firewall. And the old gray beard, crotchety old security guy in me, if you can believe him, he's there. He's saying that if you architect the network the right way, it doesn't matter if you're on the Internet or if you're on the inside of somebody, if you're on a corporate network or if you're on the Internet, it's all the same. That's what you would say.
A
I mean, my definition, my definition of zero trust has always been very different from everybody else's. Where my definition is, it's just about treating every single computer in your network as if it is directly attached to the Internet.
B
That's what you kind of need to do. And so that's why I'm, I'm, it's like I respect the place that, that, that NAT and IPv4 had and all these routable and non routable IP addresses, right? I respect that. It's good. It got us through the Internet.
A
Boom.
B
And everyone can get out of the way.
A
But let us get away, let us get away with some bad behavior.
B
Let us get away with murder, man. Get away with murder. It's like, you know, you let, you let, I mean, you let your, your, your kids when they're growing up and they're like, mommy, daddy, can I eat ice cream? And you're like, sure. Like, can I do whatever I want? Sure. Do you want, Can I put my finger in this socket? Sure. It's one of these days it's gonna blow up in your face, right? Like it's gonna, it's gonna, you're incurring.
A
That you're gonna have a kid with diabetes getting electrocuted by sick.
B
That's right. You know, and so this is, we made that bed, right? And it's never too late to do the wrong thing. So from my perspective, it is, I mean it's. Now we're in a problem of our own making. Right, but let's just start pretending that every single thing on the Internet is routable.
A
Routable. No, I know, but that's what IPv6 is like. And I'm saying why do we want to pretend?
B
I can't hear you over me directly pinging your laptop right now? Because we're both on IPv6. It's awesome.
A
It's just, I just, you know, so much of this goes away, and it also, like, the thing about it is it would not make GreyNoise disappear. It would make GreyNoise, like, much more valuable. When you've got such granular, it makes.
B
It makes bright-eyed, bushy-tailed, twenty-something-year-old Andrew GreyNoise go away. When I had no idea, you know, where the technology was going to take us and what problems that we were going to ultimately, like, fall into. Because people don't have the exact same IPv4 noise problem. You don't trip and fall into, you know, IPv6 IPs the same way that you do with IPv4. Bugs are still going to be exploited on the Internet. Compromised devices are still going to try to, you know, attempt to, whether it's using neighboring protocols, enumerating AAAA records on the Internet, scraping for resources, you know, predicting, brute forcing the random number generators in the DHCP leases of embedded devices that are handing out all these IPv6, you know, DHCP leases, like, whatever, whether it's any of those, you're going to have bad guys attempting to figure out where these things are.
A
GreyNoise looks very different in an IPv6 world because, you know, you're at the point now where in the IPv4 world you're everywhere, right? It's a small enough IP space that you've got your honeypots. Like, they're going to get touched. If someone's doing mass scanning, they're going.
B
To get touched in IPv6 billion times a day.
A
As it turns out, yes, in an IPv6 world that just, that doesn't happen. So, you know, it's a different game at that point. Like, the paradigm of, like, there is a company that can tell you who's doing exploitation of a large number of devices, like, that still exists. But the mechanics of how that works is completely different.
B
It's different.
A
But look, look, look, Andrew, the good thing is we're never going to an IPv6 world, so why are we even talking about that?
B
We have to. We have to. That's the thing. We have to. Of this I am certain. We have to. We're kicking the can down the road right now. I get it. I love the meme of, like, cancel IPv6, IPs were never supposed to have letters. I do love that. But we have to, man. Out with the old, in with the new. The only constant's change. You gotta do it. And it's. And forget about IPv6. It doesn't even. It doesn't even matter about IPv6. It's about changing the mindset of, like, you got to assume everything's on the Internet. And that's very easy to do when literally everything's on the Internet.
A
Yeah, well, I mean, that's why, you know, I'm doing the work with Knock Knock as well, which is, like, you know, in a v6 world, like, that solves so many problems when every single connection is allow-listed and pinned to.
B
Auth, you know, so let's pretend that the world isn't in the middle of lots of big awful wars. Let's just pretend that that's the case for a second. Right? I would so much rather every horrible vulnerable device that is going to get the crap hacked out of it. I'd rather it happen now. I don't want it to happen when there's a 4th, 5th, 6th war going on. Right. It's better to happen in fair weather. So, okay, all right. All of our routers are going to get popped. All the IP cameras are going to get popped. All of these edge systems are going to get popped. Let them. It makes them get stronger. You have to assume that that's gonna happen anyway. You can't sweep it under the rug. So I'm. Let's. I know I'm soapboxing, but if I can't do it here, I don't know where I can.
A
Well, you can't do the soapboxing on the soapbox. But look, final question. We're gonna have to wrap it up, right, because we're kind of running out of time. But my final question here is like, okay, you say we have to. We have to go to an IPv6 world. I mean, I agree, but like, why aren't we there yet and what gets us there? Because IPv4 exhaustion is a real thing. It's already happened. But there's still, it seems like there's still enough dumb stuff with IPv4 statics that, you know, gradually the prices come up and the dumb stuff like that gets reallocated to the pool. Prices are just creeping up. They haven't exploded. Like what, what is the thing that ultimately gets everyone to switch?
B
Capitalism, I mean, it's got better.
A
Yeah, but how, where's that, where's the, where's the economic driver in capitalism?
B
That's what I'm saying. Capitalism states that if there isn't an economic driver, especially with something like security, where it's a cost center. Right. Like security doesn't make money for anyone other than the security business. It just costs people money. Right. And so, like, there is no economic incentive to move on from it. And because there's no economic incentive to move on from it, we're not gonna do it. So there needs to be either. I mean, there needs to be a massive amount of pain as a result. And I do not think, not for a second, that if I snap my fingers and everything's over on IPv6 and we've gotten through it, that we're all of a sudden 100 million times safer or whatever. I don't think that's true at all. But I do think that if there is no reason to do it, it won't be done. And if it's not being done and people are trying to do it, that means there's too much money in it. Not happening. And I was making a funny little bit joke earlier, but I was dead serious. I think I know three or four network security products off the top of my head and logging stacks that support IPv6 end to end. There was a great Hacker News article maybe a year ago where a guy just disabled IPv4 on his home network. He was mainlining IPv6 and he just started browsing the Internet to see what worked and what didn't. Almost nothing worked. Yeah, almost nothing worked.
A
We only turned V6 on for Risky Biz, like, a few months ago.
B
Yeah. So the Internet, table stakes. The Internet has to work, man. The Chinese have been on IPv6 for a long time, Right?
A
Well, that's because we were monopolizing the v4 address.
B
Yeah, I was going to say that's right. Because for every 1 billion IP addresses, you know, that's because of like, what, Stanford.
A
That was out of necessity. We're like, no, you can't have them, we're using them.
B
So, yeah, the exhaustion is.
A
Let them eat v6, I think, is what we said.
B
To the Chinese, she did say that. I believe that is what she said, right? Yeah.
A
Oh, man. Oh, look. So before we wrap it up, like, any cool new stuff with GreyNoise, cool new features, or is it just more research refinement, that sort of vibe, at the moment?
B
My mind is paralyzed with fear at the staggering rate that we're either getting better at finding exploitation of edge devices or that it's just going up and getting worse and getting faster. And I don't know which one it is, but that's what's dominating my mind right now. We are putting a lot. So there's two things. One, we're putting a lot of effort and energy into making GreyNoise a multiplayer game so that we can functionally share data across our customers across many perimeters to be able to sort of kind of deputize anybody who wants to, either from a research perspective or companies that actually want to figure out, hey, what's hitting me versus my 10 competitors who are also part of the program. So that's one, and then two. And please get in touch with me if you're interested in this. Our raw data, which then becomes labeled data, is a goldmine for AI models that are making decisions for routing packets at line rate. I have, about 10 yards away from me as we speak, an NVIDIA BlueField-3, one of the kookiest contraptions ever made. It is basically a GPU on a network card, and it can grind packets at 400 gigs per second. So I've got right now, I mean, I've got basically a little box that says if you look like you're bad, you're going nowhere. If you look like you might be bad, you're gonna go slow, and if you look like you're good, you're gonna come on through. So that's my fun little project that I'm working on with a couple folks from my team. But I am not a data scientist. So we want to get as many security researchers out there in AI labs that have use cases like this that need good labeled training data day in, day out. I've got billions of labeled malicious, suspicious, benign, encrypted, unencrypted network traffic. And if you want me, if you are working on something around this, please get in touch with me and I'll give you a live feed of it all the time, as long as you show me what you're working on.
So those are some of the things we're working on that I'm very excited about.
A
It's funny what the LLMs can turn up. Right, so like, you know Damian Lukey, right?
B
I do. I know him well.
A
Yeah. Yeah. So the stuff he's doing with Nebula around. Vibe hunting.
B
Vibe hunting, baby, that's right.
A
So vibe based threat hunting, where the LLMs are really good at grabbing those low and informational findings that might be in a log source and actually stringing it together into something. I mean, it's always possible that your LLM is going to wind up like the Pepe meme, making some connections that aren't there. But that's easy to tune out of it as well. But. Yeah. So I do find it interesting that we're in a state with LLMs where you could throw, as you say, unlabeled packets and whatever.
B
Yeah. And all our stuff. I mean, I'm not even looking at LLMs for this. I'm using small language models in certain cases. Not really reinforcement learning, but functionally, just looking at things like byte headers and stuff like that. Gradient-boosted decision trees, things like BERT that are, basically, all they're doing is saying, like, how gray noisy do you look? You look pretty gray noisy. You're going real slow from now on. You don't look gray noisy at all. Come on in. Right. And at least for edge devices, if you put one of these things in front of, like, a massive network, it can actually make a pretty big dent. So it's pretty cool.
A
Yeah. I shouldn't say LLMs, because that's the.
B
I know.
A
I'm not trying to chat GPT. No, no. I'm not too bright though.
B
I'm not trying to, actually. You, like, you know, we're not on Hacker News. This is real life. But we're seeing the most success from non-LLM.
A
No, I get it. LLMs are the ones that tell me to check the fuel pump in my electric vehicle.
B
LLMs are the ones that tell me I'm exactly right. I can totally invent a quantum time machine with exactly.
A
You've invented time travel. Congratulations. Yeah.
B
And then I'm like, this is sick. And I have like a psychotic breakdown.
A
You wake up in a hospital going, where's my time machine? They stole it. They stole it from me.
B
Yeah, that's right. Man, this weighted blanket is great.
A
Yeah. All right, man. Great to chat to you as always. It's always heaps of fun chatting with you, Mr. Andrew Morris. And, you know, I look forward to chatting to you next year, dude. Take care.
B
I could do this all day, every day, man. It's good to see you. Thanks again for having me on, man. Cheers.
Podcast: Risky Business
Episode: Risky Biz Soap Box: GreyNoise knows when bad bugs are coming
Host: Patrick Gray
Guest: Andrew Morris (Founder of GreyNoise)
Date: November 20, 2025
This sponsored "soapbox" episode dives deep into how GreyNoise detects early warning signals of big, damaging vulnerabilities before they're publicly disclosed. Host Patrick Gray sits down with Andrew Morris from GreyNoise to explore the company's unique perspective on Internet-wide scanning, how it provides three-month heads-ups on major bugs, and the broader challenges of attack surface management, especially as the world drags its feet toward IPv6. The conversation also touches on the real-world limitations of threat intelligence, the rising challenges posed by proxy networks and NAT, and GreyNoise's latest advancements in AI-powered traffic analysis.
Correlating Internet Scanning Activity with Upcoming Vulnerabilities
Who’s Doing the Scanning?
Are These Actions Based on Early Insider Knowledge?
Cynicism About Response
Suggested Defensive Actions
Responsible Disclosure Timelines
Misplaced Confidence
Security as a Collective Problem
Rise of Residential Proxies
NAT as a Double-Edged Sword
IPv6 as an (Unrealized) Solution
Why Aren’t We There Yet?
Inevitable Transition?
Product Enhancements
AI for Line-Rate Packet Sorting
Machine Learning, Not Just LLMs
On Early Warning Predictive Scanning:
“It is going from a little bit of a voodoo art to kind of a little bit of a science. ...To someone, those devices are vulnerable. So you need to just assume that that’s the case, right?”
— Andrew Morris (08:02)
On Security Complacency:
“I really never had to do any super... crazy Matrix voodoo stuff to get into networks. There’s just a handful of things that just work.”
— Andrew Morris (20:05)
On the Futility of Outdated Mindsets:
“The Internet has to work. ...Let them [China] eat v6, I think, is what we said.”
— Patrick Gray (33:08)
On AI’s Place in Security Tech:
“How gray noisy do you look? You look pretty gray noisy. You’re going real slow from now on.”
— Andrew Morris (36:36)
The conversation is lively, candid, and occasionally irreverent, balancing deep technical insights with real-world cynicism and a touch of humor. Both Patrick and Andrew often veer into "soapboxing" about the bigger systemic problems facing security.
This episode offers a rare behind-the-scenes look at how Internet-wide scanning activity can predict the next major vulnerability disclosure months before the world hears about it. GreyNoise leverages global-scale honeypot data to spot coordinated, targeted scans and increasingly treats these as "smoke signals" for the next big fire. The discussion highlights not only the technical details of this process but also the industry's ongoing struggles with actionable early warning, the hard limitations brought by IPv4/NAT, the slow march to IPv6, and the evolving frontier of AI in network security. GreyNoise is also opening its data to the AI research community in a push to create more collaborative, "multiplayer" threat defense.
Whether you’re a practitioner looking for defensive inspiration, a skeptic of threat intelligence, or just curious about where large-scale security is headed, this episode is a fast, insightful listen.