Risky Business #811 — F5 is the Tip of the Crap Software Iceberg
Date: October 22, 2025
Host: Patrick Gray
Co-host: Adam Boileau
Overview
In this episode, Patrick Gray and Adam Boileau break down the ongoing fallout from the F5 breach, exploring the broader issue of insecure edge devices and the chronic state of "crap software" that underpins much of today's security infrastructure. The news segment covers major stories from the infosec world, including China’s finger-pointing at the NSA, Salesforce data breaches, a brutal VS Code worm, vulnerabilities in WSUS and Rust tar libraries, as well as reflections on the dependency on AWS. The episode also features an interview with Push Security’s Jacques Lowe about detecting a sophisticated LinkedIn phishing campaign and new browser-based investigation tooling.
Main Theme
The F5 Breach as Symptom of a Bigger Problem
The hack of F5—the prominent provider of network edge devices—by suspected Chinese threat actors is used as a lens to examine the wider, industry-wide problem of inadequate security practices and lackluster software maintenance among "mid-tier" vendors supplying core network infrastructure. This episode questions the sustainability of “unique” yet poorly maintained products in critical network positions and explores whether the emergence of AI tooling can help reverse the quality rot, as well as the market forces (like private equity) that dampen progress.
Key Discussion Points & Insights
1. F5 Breach: Scope, Impact, and Industry Implications
- Recap of the Attack ([00:00] - [04:24]):
- Suspected Chinese attackers were inside F5’s network for years, accessing source code, build environments, bug trackers, and vulnerability reports.
- “They were all over the internal bug tracker. As soon as this came to light, F5 dropped like 44 patches.” – Patrick Gray ([02:27])
- Concerns about attackers learning about unpatched bugs and the risk of future exploit weaponization.
- Attackers had access to the patch signing/distribution area but didn’t (yet) push malicious updates. Speculation that this access might be reserved for a “special occasion.”
- “That's the sort of thing you would save for a special occasion—preparing the battle space kind of thing.” – Adam Boileau ([04:09])
- Broader Theme—Crap Software on the Network Edge ([04:24] - [06:20]):
- F5 is the “tip of the iceberg”; many edge devices are insecure, understaffed, and undermaintained.
- Lack of market pressure results in slow or no improvement.
- CSO Magazine feature highlights systemic failures and catalogs insecure edge products.
- AI tools now make code quality improvements more affordable, but private equity control still blocks meaningful investment in product security.
2. Geopolitics of Attribution: China, NSA, and Information Warfare ([06:20] - [10:11])
- Reuters reports bolster China attribution for F5 hack; mirror accusations of NSA operations.
- China’s “doxing” campaign of U.S. operations typically targets highly strategic (often military-related) organizations, using decade-old tool comparisons for attribution.
- “A little bit vibes based.” – Adam Boileau ([09:39])
- Analysis of how these information campaigns are targeted at international opinion and policymakers, not technical audiences.
3. Salesforce Data Leak and Doxtivism ([10:11] - [12:47])
- Scattered LAPSUS$ Hunters “com kids” breach Salesforce customers, doxing hundreds in U.S. government and claiming to have thousands more.
- Risk of provoking strong law enforcement response.
- Analysis of which agencies are positioned/eager to retaliate, especially ICE and FBI.
4. ICE’s Surveillance Spending Spree & Domestic Risks ([12:47] - [14:41])
- ICE invests $3.4 million in Clearview AI; much larger spending planned.
- Warnings that ICE, not NSA, poses greater risk for domestic overreach given current political climate and legal empowerment.
5. John Bolton Indictment Over Classified Info Leaks ([14:41] - [17:04])
- Former Trump advisor indicted for sharing notes on classified meetings via personal email to family — a goldmine for hackers (eventually exploited by Iranians).
- “Not a great look for John Bolton.” – Patrick Gray ([16:50])
6. NSO Group and Spyware Litigation ([17:04] - [18:22])
- U.S. court permanently enjoins NSO from targeting WhatsApp.
- NSO’s argument: “We are a spyware company, we can’t not hack Meta accounts.”
- Questions over enforceability of such injunctions.
7. Exploit Industry: L3 Harris Trenchant and Internal Espionage ([18:22] - [20:31])
- Chronicle of a Trenchant ex-employee who claims to have been wrongly fired over exploit leaks, blaming state-sponsored hackers instead.
- Working in private exploit development is shown to be risky and personally “complicated.”
- Still, “if you want iOS exploits, you go to the source.”
8. Academic Side-Channel Attacks on Android ([20:31] - [23:33])
- New research extracting 2FA codes via GPU side-channel timing in Android apps—clever but not very practical in the wild.
- Highlights the continual creativity of academic work, as well as limits of real-world exploitation.
9. VS Code Worm: Widespread Supply Chain Malware ([23:33] - [26:25])
- Malicious VS Code extension worm propagates via auto-updates, using blockchain for C2, scraping wallets and credentials, and deploying a full stack of persistence tech (SOCKS proxy, VNC server, Unicode obfuscation).
- Tens of thousands affected; very sophisticated, “old school” hacking.
- “There was some engineering in this one.” – Patrick Gray ([25:57])
- “Invisible Unicode characters... Chef Kiss.” – Adam Boileau ([25:59])
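The Unicode obfuscation the hosts single out works because zero-width and filler code points are legal inside JavaScript identifiers and strings but render as nothing, so a reviewer reading an extension's bundled code sees a clean file. The scanner below is an added example (not code from the podcast, from VS Code, or from any extension-vetting product) that flags those code points by Unicode category; the list of Hangul fillers, the sample extension snippet and the file-argument interface are assumptions made for the example.

```python
"""Scan source text for invisible or direction-overriding Unicode code points.

Added example, not code from the podcast or from any VS Code extension scanner.
It reports the character classes used to hide logic in source (zero-width
joiners, bidi controls, Hangul fillers) so a review of an extension's bundled
JavaScript can surface them before installation.
"""
import sys
import unicodedata

# Code points that render as nothing (or as blank) yet are legal in JS identifiers
# or strings. Unicode category "Cf" covers zero-width and bidi controls; the Hangul
# fillers are category "Lo" and must be listed explicitly. The set is an assumption.
HANGUL_FILLERS = {"\u115f", "\u1160", "\u3164", "\uffa0"}
ALLOWED_AT_START = {"\ufeff"}  # a BOM as the very first character of a file is normal


def is_invisible(ch):
    return unicodedata.category(ch) == "Cf" or ch in HANGUL_FILLERS


def scan_source(text):
    """Return a list of (line_no, col, 'U+XXXX', unicode name) for each hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if line_no == 1 and col == 1 and ch in ALLOWED_AT_START:
                continue
            if is_invisible(ch):
                hits.append((line_no, col, f"U+{ord(ch):04X}",
                             unicodedata.name(ch, "<unnamed>")))
    return hits


# Constructed sample: looks like harmless extension code, but line 3 carries a
# zero-width joiner inside an identifier and line 5 a Hangul filler that a
# reader sees as an empty string.
SAMPLE_JS = (
    "const vscode = require('vscode');\n"
    "function activate(ctx) {\n"
    "  const chec\u200dk = require('./telemetry');\n"
    "  // looks empty below, but it is not\n"
    "  const key = '\u3164';\n"
    "}\n"
)

if __name__ == "__main__":
    # Pass a path to scan a real file; with no argument the constructed sample is used.
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_JS
    for line_no, col, cp, name in scan_source(src):
        print(f"line {line_no} col {col}: {cp} {name}")
```

Run it over every `.js` file in an extension's `.vsix` after unzipping; a legitimate extension has essentially no reason to carry format characters outside string literals for bidi text, so any hit in an identifier position deserves a manual look.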
10. SIM Farms Takedown ([26:26] - [27:35])
- European law enforcement busts large SIM farm infrastructure, similar to recent U.S. actions rumored to have had Chinese involvement.
- Points to enduring value of phone infrastructure to both fraudsters and nation-states.
11. Unix Backdoor via Linux Capabilities ([27:35] - [29:04])
- Attackers using relatively obscure Linux capabilities to create SUID-root binaries, evading traditional detection.
- “My mental model... was wrong. And this post showed me that I was wrong.” – Adam Boileau ([28:32])
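The detection gap behind Adam's "mental model was wrong" moment is that a binary carrying an effective capability such as cap_setuid can switch to uid 0 without the SUID bit, so the classic `find / -perm -4000` sweep never sees it. The audit script below is an added example (not from the podcast or the post it discusses) that parses `getcap -r /` output and flags files whose capability set is root-equivalent; the ROOT_EQUIVALENT set, the EXPECTED allowlist and the sample getcap lines are constructed assumptions for the example.

```python
"""Flag binaries carrying root-equivalent file capabilities.

Added example, not code from the podcast or from any vendor. It parses the
output of `getcap -r /` and reports files whose effective capability set would
let a process gain root-equivalent power without the SUID bit, which is what a
`find / -perm -4000` sweep looks for and therefore misses.
"""
import re
import sys
from dataclasses import dataclass

# Capabilities that, when effective on a file, are roughly equivalent to SUID root.
# The set is an assumption for this example; tune it to your own policy.
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_setfcap", "cap_sys_rawio",
}

# Paths where capability-bearing binaries are expected on a typical distro.
# Assumed allowlist; build yours from a known-good image.
EXPECTED = {
    "/usr/bin/ping", "/usr/bin/ping6", "/usr/sbin/arping",
    "/usr/bin/newuidmap", "/usr/bin/newgidmap",
}


@dataclass
class CapFinding:
    path: str
    caps: frozenset
    flags: str


# libcap prints either "path cap_a,cap_b=ep" (newer) or "path = cap_a,cap_b+ep" (older).
_LINE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>[a-z_,]+)[=+](?P<flags>[eip]+)\s*$")


def parse_getcap_line(line):
    """Parse one getcap output line; return None for lines in neither format."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    caps = frozenset(c for c in m.group("caps").split(",") if c)
    return CapFinding(m.group("path"), caps, m.group("flags"))


def is_suspicious(f):
    # A capability must be both permitted and effective to act on exec without
    # a cooperating helper; inheritable-only sets are not flagged here.
    if "e" not in f.flags or "p" not in f.flags:
        return False
    if f.path in EXPECTED:
        return False
    return bool(f.caps & ROOT_EQUIVALENT)


def audit(lines):
    """Return the CapFinding objects that warrant a look, in input order."""
    findings = []
    for line in lines:
        f = parse_getcap_line(line)
        if f and is_suspicious(f):
            findings.append(f)
    return findings


# Constructed sample output in the shape getcap -r / prints on a live host.
SAMPLE = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/newuidmap cap_setuid=ep
/tmp/.cache/.x cap_setuid,cap_setgid,cap_dac_override=eip
/opt/tools/probe = cap_sys_admin+ep
/usr/lib/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
""".splitlines()

if __name__ == "__main__":
    # Pass a file containing saved `getcap -r /` output; otherwise the sample is used.
    lines = open(sys.argv[1], encoding="utf-8").read().splitlines() if len(sys.argv) > 1 else SAMPLE
    for f in audit(lines):
        print(f"SUSPECT {f.path} caps={','.join(sorted(f.caps))} flags={f.flags}")
```

Pairing this with a baseline (the getcap output from a freshly built image) turns it into a drift check: anything that appears on a host but not in the baseline is either a package update or a persistence mechanism, and both are worth knowing about.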
12. RCE in WSUS (Windows Server Update Services) ([29:04] - [32:37])
- Remote code execution via .NET BinaryFormatter deserialization, still present in WSUS despite the formatter being obsolete and explicitly deprecated by Microsoft.
- ~7,000 WSUS servers exposed; huge risk given post-Covid work-from-home setups.
- “Microsoft getting owned by binary formatter... so rude.” – Adam Boileau ([31:47])
- “This is an old style bug… from 2005, not 2025.” – Patrick Gray ([31:57])
13. TARmageddon: Rust TAR Library Vulnerability ([32:37] - [34:31])
- Vulnerability in a widely used Rust async tar implementation; patching is complicated by fragmented, nested forks in the open-source dependency chain.
- Example of evolving bug classes reaching supposedly “safer” new languages.
- “I just love Tarbugs.” – Adam Boileau ([34:31])
14. AWS Outage: Centralization Woes ([34:31] - [37:06])
- US-East-1 outage brings down essential services, including remote podcasting tools.
- Irony that crypto “decentralization” advocates are ultra-dependent on AWS.
- Political ramifications: “If only you knew how bad it is… also took down a bunch of the crypto world.” – Patrick Gray ([35:55])
15. OpenAI's Browser Launch and Security Nightmares ([37:06] - [37:50])
- Atlas browser (OpenAI) is seen as a potential security nightmare for enterprises because LLMs cannot reliably separate code from data.
- “Just gluing a browser to an LLM gives me the willies...” – Adam Boileau ([37:50])
Sponsor Interview: Jacques Lowe (Push Security) ([40:55] - End)
Theme:
Detecting and unraveling a LinkedIn-based, multi-stage phishing campaign targeting tech CEOs, and the importance of session context and browser-centric detection.
Attack Flow Details ([40:55] - [41:49])
- Sophisticated phishing chain starts with a hijacked LinkedIn account, then leverages Google Docs and Microsoft domains as relay points, ending in a phishing page.
- “Very interesting in terms of how people got to the phish kit. But the phish kit itself, fairly stock standard.” – Jacques Lowe ([41:22])
Detection and Response Workflow
- Push detected the cloned Google login page and blocked users attempting password entry.
- Visibility into the complete chain of browsing events—showing how a malicious link reached the user—delivered instant value to client security teams.
- “We caught the cloned login page, they clicked through two warnings, we blocked them on the password entry… The security team immediately got in touch… ‘We just turned on that block mode like four hours ago. We're so happy.’” – Jacques Lowe ([42:56])
Why Browser Context is Game-Changing ([43:42] - [46:36])
- New Push Security tooling provides a graphical, queryable history of user browser interactions, enabling teams to trace the hit chain back to the originating vector (often LinkedIn DMs, malvertising, or other social platforms).
- Enables much faster and more confident incident response/investigation.
- “The second you have the entire flow... it will jump out at you very very quickly when you start looking at that extra context.” – Jacques Lowe ([46:36])
Additional Capabilities ([47:22] - [47:56])
- Now pulling extension and OAuth event information into timelines.
- Blocking capabilities for extensions “coming right around the corner.” ([47:37])
User-Driven Development and Next Steps ([49:59] - [50:25])
- Internal development driven by user demand; advanced teams are “willing to invest the time and learn how to use this stuff” due to its value.
- Fills the “missing middle” between EDR and proxy logs: “This is exactly the data that fills in that gap.” – Jacques Lowe ([50:25])
Notable Quotes
- “I mean, I'm jelly. That would be a great thing to have.” – Adam Boileau, discussing attackers in F5’s codebase ([03:07])
- “Devices that are on the network perimeter that implement security controls, that is a place that attackers love to go.” – Adam Boileau ([01:46])
- “Every time China's trying to dox an NSA operation, they're linking it to decade-old tools.” – Patrick Gray ([09:00])
- “Winding up the NSA in particular is probably not a smart move.” – Adam Boileau ([12:06])
- “ICE is sort of being empowered to investigate people who oppose ICE.” – Patrick Gray ([13:51])
- “NSO said, like, but you can't tell us not to target WhatsApp… that's what we do.” – Adam Boileau ([17:30])
- “Invisible Unicode characters... Chef Kiss.” – Adam Boileau ([25:59])
- “If only you knew how bad it is and how many individual points of failure there are.” – Patrick Gray ([35:55])
- “Just gluing a browser to an LLM gives me the willies and I'm not happy about it.” – Adam Boileau ([37:50])
- “Can you imagine you're in a situation… Something is happening on a website somewhere, and then the EDR lights up. But what is happening in between? … This is exactly the data that fills in that gap.” – Jacques Lowe ([49:59])
Important Timestamps
- 00:00–06:20: F5 breach recap, impact, AI in security, “crap software” landscape
- 08:00–10:11: China/NSA campaigns, global cyber-norms
- 10:11–12:47: Salesforce doxxing, U.S. government targets
- 18:22–20:31: L3 Harris Trenchant exploit story
- 23:33–26:25: VS Code worm breakdown
- 29:04–32:37: WSUS deserialization bug explained
- 32:37–34:31: TARmageddon Rust bug discussion
- 34:31–37:06: AWS outage analysis
- 37:06–37:50: OpenAI Atlas browser security skepticism
- 40:55–End: Push Security interview on advanced phishing detection, browser forensics
Tone & Style
Engaged, knowledgeable, and laced with both dry and overt humor. The hosts repeatedly praise clever/brazen hacking efforts—even when malicious—as “good work.” There’s significant gentle ribbing (“Chef Kiss”, “my God”, “so rude, Microsoft”), and a pragmatic, systems-level view of security reality threaded throughout.
Conclusion
This episode paints a stark picture of the persistence of software rot at the critical edges of the Internet, the complex interplay of state actors in cyberspace, and the growing sophistication of both attackers and defenders. The feature on Push Security’s browser-level visibility and detection reiterates that while prevention is hard, rapid detection and forensics are advancing. All this—plus a healthy dose of InfoSec insider banter—further solidifies Risky Business as a must-listen security news digest.
