
Patrick Gray
Foreign and welcome to Risky Business. My name's Patrick Gray. We'll be chatting with Adam Boileau about all of the week's security news in just a moment. And then we'll be hearing from this week's sponsor. And this week we are chatting with Haroon Meer in the sponsor segment. He is, of course, the founder and head honcho over at Thinkst Canary, and he'll be joining us to talk about, I guess, Thinkst Canary's slash security page, where they sort of spell out how they think about security and the sort of security measures that they. That they use to ensure that their product is. Is, you know, sensible and Haroon's along basically to ask other vendors, where's yours? You know, where's. Where's your equivalent to Thinkst's slash security page? Which he thinks is kind of table stakes. And I kind of agree with him. So that's an interesting conversation coming up a little bit later on. But, Adam, let's get into the news now. And look, it's a bad week to be someone who operates a scam compound in Myanmar.
Adam Boileau
Yeah. Yes, we've seen reports that the notorious KK Park scam compound in Myanmar, at least some of the buildings there, have been blown up with dynamite. We have some pictures of, you know, like, clouds of dust and smoke rising from the facility. Local reporting is a little mixed. The KK Park and a number of the other scam compounds in the region kind of operate either directly with or under the kind of protection of the local military junta. And there's a reasonable kind of set of reporting which says this is just performative and that the relevant people were escorted out of the building safely to be established in other places whilst they blew up some buildings for the cameras. But even if that's the case, there is definitely a lot of focus on these scam compounds. They have gotten too big to really kind of continue as they were. And there absolutely is going to be pressure from the outside, but either way, it's kind of nice to see. You know.
Patrick Gray
I went down a bit of a Wikipedia rabbit hole trying to untangle bits and pieces of this, right. And it gets complicated because I don't think it was actually the junta itself that was operating these scam compounds. I think it was actually like a militia, a Buddhist militia, the Karen National Army or whatever. And now it's the junta who's blowing bits and pieces of it up. I mean, one thing that I predicted like, couple of years ago was eventually we would see various armed factions competing to control this industry, given how valuable it is. We don't know that that's what's happening here. But I don't know who's blowing it up, who was controlling it, who was profiting or why. But as you point out, the KK Park compound is a big one. I think there's something like 250 buildings there and they've blown up 25 of them. So you know what this means. Who can say? But we can say that China has sentenced another five Myanmar scam compound kingpins to be executed, which we have seen before from China. We spoke about that a few weeks ago, about how I happened to be camping when the first news of that was released. I was very surprised when I. When I sort of stumbled on it later. But it looks like this is China's approach to people who run scam compounds in Myanmar. Yeah.
Adam Boileau
And this is certainly a bit more meaningful than blowing up a few buildings, you know, and some of the crime families that are, you know, the ones who were sentenced previously in this round as well, like, you know, they are quite big organizations and, you know, also like their Chinese operations, like the Chinese crime families operating inside China or near China, and the Chinese authorities cracking down on them. So there's kind of a saying, I think, in China that, you know, when you're outside China, the people you can least trust are other Chinese, because they're going to rip you off. And that seems to be kind of the thing that the Chinese government are cracking down on here is that their own people essentially ripping off Chinese people. And the fact that they're doing it from outside China complicates a little bit. But we've seen the Chinese military and police cross the border to go pick people up or assist with raids or whatever else. They seem pretty serious about cracking down on this. And honestly, sentencing people to death does send a pretty clear message to the others. Right?
Patrick Gray
Yeah. And I think there's that thing and it's, you know, it's an odd, complex sort of political thing, but, you know, because the Chinese do run an authoritarian state, but they have this sort of historical communist thing about slavery, you know what I mean, about the exploitation of people for this sort of activity is something that is so offensive to Chinese communist ideology that I'm not surprised that these guys are getting lined up against the wall and sort of taken care of. Right. Like, that is just. Do you sort of see where I'm coming from?
Adam Boileau
Yeah, yeah, yeah, absolutely. Yeah, yeah. And, you know, the, like, the only.
Patrick Gray
Thing that would make it worse from a Chinese Communist Party perspective is if there were religion involved, you know, as if they were religious cults that were also exploiting people for commercial gains. Then it was like they'd kill them twice, you know.
Adam Boileau
Yes, they would. Dear, oh, dear. Well, I guess the good thing is the scale of the scam industry has gotten some attention. And we've seen it, you know, in Myanmar. We've seen it in. Around Thailand and Cambodia and Laos, Vietnam, like that whole region. There is definitely this kind of feeling that, you know, that this has gotten too big and there is each kind of exploring their own ways to deal with it. Yeah, good job, China, for once.
Patrick Gray
I mean, the whole thing feels a little bit. A little bit trumpy, I think, in the. In the way it's like, you know, the way they're hitting, like, alleged drug boats and stuff in the Caribbean. It's like. Yeah, right. Okay. So we got to the point where there's dynamite involved in executions and stuff and. Right, okay.
Adam Boileau
So 2025 is not really the year of nuance, is it?
Patrick Gray
No, it's certainly not. Speaking of. And staying with, you know, cyber scams in Singapore, scammers and mules, money mules, are going to be sentenced to between six and 24 strokes each, which sounds pleasant until you realize they're talking about strokes from a cane. They're not going to just gently stroke them. They are going to. They're going to. They're going to lash them with a cane. And these Singaporean, like, cane dudes take it pretty seriously.
Adam Boileau
They do, yeah. They really like. They like the cane in Singapore. And, you know, the. One of the things that came out of this, there's been existing laws around, you know, caning as a punishment, and they've kind of overhauled the levels and places where there's like, mandatory caning, discretionary caning, depending on the particular case or whatever else, and the amount of lashes that you get. One of the other stats that came out of this is that 60% of reported crimes in Singapore are scams, which I thought was a really interesting number. I mean, you know, Singapore is famously quite a safe place because of the strictness of their laws. And, you know, it's a very small country, so they do have to kind of run a pretty tight ship to keep things civil. But 60% was quite a. Quite a big number.
Patrick Gray
And do you think it's because of the strict laws? I don't know, man. I think that Singapore's probably got some other things going for it that make turning to a life of crime not such a, you know, I mean, yes, there are.
Adam Boileau
I'm sure there are a number of factors, but, I mean, you know, you get on the train in Singapore on the, you know, on the metro, the subway thing, and there is no chewing gum on the seats of that train, unlike every other country in the world, because if you stick chewing gum on the train, you're also going to get caned. So, you know, it does provide some, you know, compels people to behave themselves. But, yeah, there's a number of offences. You know, things like running scams themselves, money muling. There's also things like supporting them with, like, registering SIM cards or providing like, other services to scammers, which may also see you, like, discretionary caned if they decide you're a bad person. But again, I guess the moral of the story is Singapore, probably not the place to do it. China is certainly not the place to do it, and the other places, you know, a little bit getting more dicey by the day.
Patrick Gray
Yeah, it's funny, you know, I knew a few of the Australian Federal Police guys who worked on the Bali bombing case. Bali bombing, of course, happened back in 2002 and killed a bunch of Australians. So the Australian Federal Police offered support. It was really interesting talking to them about the Southeast Asian approach to law enforcement, especially when they're combating something that they take seriously, you know. So they had a number of laws that actually were very useful according to the AFP, because a lot of those guys, they wound up going from those sort of tasks and a bunch of them sort of wound up in the cyber part of the AFP, which is how I knew them. And, yeah, many, many an interesting conversation over beer. Actually, it was interesting because they said the laws that enabled them to detain people for, you know, a few days and sort of sweat them a bit were actually quite helpful in solving that crime quite quickly. But other things they did, the Australians were like, whoa, hey, take it easy. You know, I think during the search for one of the bomb makers, a guy I know in the AFP was shown a video of where they thought he was in this hut. And they just lit the hut up. And I mean, like, machine gun fire, mortars, everything. Didn't even say, hey, come out, like, just lit it up. And the AFP guys were like, yeah, that's. That's not quite how we do things, but, you know, you do you. So I. I feel like, you know, once the wheels of justice start moving in Asia, yeah, it. They. They certainly do grind inexorably towards an outcome, let's put it that way. All right. So staying with Asia and there has been a breach of a Chinese cyber security firm called Knownsec. What do we know about this one? Because it does not appear to be of the same stripe as the i-Soon leaks where they were doing a lot of hacking and, you know, trying to sell stolen material to the, to the Chinese government and whatnot. This seems a more professional and less yahoo kind of outfit.
Like what do we know here?
Adam Boileau
Yeah, so this is, they are a subsidiary of Tencent and they are a pretty kind of like full service, you know, cyber security company. There's a tranche of documents that were leaked on GitHub. They've subsequently been pulled so I haven't seen the full set and a few people have started analyzing. Obviously they're all in Chinese so that makes it more complicated for Western analysts. But we've got a few write ups of some of the documents that people have seen and it's not quite i-Soon level. Like this is a crowd that's running an APT or anything. Like this is more there's a bunch of infosec and cyber related services. So things like they have I guess a thing like Shodan or Censys that provides Internet survey and you can query over devices and of course some of those are flagged with vulnerable to particular exploits. Same kind of thing as you get with Shodan. There's also some documents like describing some of the services that they can provide and you have to kind of read those with a bit of like marketing sales guy grain of salt. Right.
Patrick Gray
Because I'm like the Snowden PowerPoints that leaked from NSA.
Adam Boileau
Sometimes there's things that like are aspirational capabilities or things that they'd like to be able to do or would like to sell but don't quite do anyway. It's a little bit hard to read between those lines, especially with the language challenges. But there are documents about for example lists of systems in Taiwan and which of those are vulnerable to particular firewall bugs or common exploits that have been around. There's some information around their capability of collecting data from various email providers which covered basically everything in China. And then also Gmail which was quite interesting. They don't specify how they get that data, whether it's a lawful process, whether it's a technical process, exactly what it is. But there's some descriptions of capabilities there and you know, just a few other bits and pieces that people are like, you know, it's not quite clear like for example there's like Windows Trojan, backdoor slash RATs which could be legit services, could be hacker tools, could be both. Kind of difficult to say, so we don't really know. It doesn't feel exactly like i-Soon, but it's certainly an interesting insight, you know, into these Chinese companies and the ecosystem generally. You know, someone will have to get hold of the whole tranche and really dig through before we know actually whether it's interesting or just kind of like, you know, workaday info leaks.
Patrick Gray
Yeah, yeah. Is it. Is it a pen test company plus Shodan, or is it offering like RATs to the MSS? Like. We don't actually know yet. It could be either of those. Right. We're just going to have to wait and see. Good news here though, I guess, is that the. Well, not for them, but the good news for us is that this data is apparently being sold on like, Telegram or something. So someone's going to get their hands on it and when they do, they'll do that analysis and we should, we should know a little bit more. Now, talk to me about the apparent breach at the Congressional Budget Office, because we started seeing reports of this last week that they'd had an incident. And now I guess where it got more interesting is that we've got some subsequent reporting from Politico that says that this is still a live incident and that people are being told, like, don't click on links in your own emails and whatnot, because people are still like, in there. Not great. Especially during a government shutdown.
Adam Boileau
Yeah, exactly. We haven't seen much in the way of specifics. Obviously the shutdown doesn't exactly help that process. It was being reported earlier in the week as though it was like a thing happened and we're investigating and it's under control. Politico today was saying that it's still considered ongoing and that some other organisations, for example, Politico saw an email in the Library of Congress where staffers there were told not to interact with the Congressional Budget Office, like not to go on teams calls with them, not to zoom, meet with them or click on links in their emails. So there's definitely some feeling that it's still, you know, live and ongoing and maybe they haven't actually contained it yet. And that's obviously not great. Details are just super sketchy, though. It's just, you know, bad stuff is currently happening as opposed to bad stuff did happen. And we will wait to wait and see exactly what that looks like. But, you know, I guess it's not a great time to be a US government employee, full stop at the moment, so.
Patrick Gray
No.
Adam Boileau
And if you have to interact with that office.
Patrick Gray
Yeah. And Lily Hay Newman has a report for Wired. Just sort of, I mean there's not much here, but you know, basically the piece is asking what the result of this shutdown is going to be in terms of security outcomes. You know, I think the vote to reopen has already happened or is about to happen, I can't remember. It all gets, it all gets a bit lost. But you know, the government's going to reopen and the question's really going to be like, how much catch up is there? So I believe that like a lot of security personnel, they did still work through the shutdown. But you know, you know what it's like. You've worked security jobs; quite often as part of your job, you're going to be asking other people to do things. And are those people there? You know, you need to meet with various people from across the organization to actually do your job and a lot of them aren't going to be there. So I don't think we really know how badly things have atrophied over the last five weeks of this, of this U.S. government shutdown. But yeah, look, one point the piece makes is that things have actually got better inside the US government over time, like moving to more cloud based systems and things like that and actually some attention being put onto cybersecurity. But yeah, I mean, I think a whole bunch of people are going to come back to work and then neglect will gradually reveal itself.
Adam Boileau
Yeah, I think it's hard to judge, but I think the combination of the shutdown and then the kind of wider cuts across the government employee base over this year, it's going to be a pretty rough place because as you say, you have to interact with other people to get things done. If those people are busy or don't exist anymore because they lost their jobs, getting anything done and getting it done comprehensively, because like you can make security changes, you can have initiatives, etc, etc. But you kind of have to be comprehensive about it. You can't just do it in a little pocket. You kind of have to do it everywhere. And that kind of effective coverage is very difficult when, you know, the organizations you're dealing with are compromised by, you know, the availability of staff or resources or whatever else. And yeah, we're not going to know for a while, you know, what the cuts at CISA meant, what this meant, you know, what the government shutdown has done. It's going to be a mess and it's going to take a while to claw back, you know, because everybody's going to be hyper busy when they get back to work. And, you know, I'm sure the adversaries will make hay while the sun shines, you know.
Patrick Gray
Well, they're always trying. Right, so.
Adam Boileau
Yes, yeah, exactly.
Patrick Gray
Now look, staying with the US and we've seen the appointment of Donald Trump's former bankruptcy lawyer, also the former US Ambassador to Israel, being appointed to. What is he, he's the president of the board at NSO or something. And this comes after the NSO Group has been acquired by a group of US investors which included the movie producer Robert Simonds. Look, it seems pretty obvious what's happening here, which is that. Yeah, David Friedman, who, who is the, the former ambassador. Yeah. So he's the executive chairman. Sorry, I'm just looking at it here. We've got some good reporting from the Guardian that we've linked through to in this week's show notes. It seems pretty clear what's happening here is US. US owners are taking over NSO and it is a matter of time before they're going to move to have the sort of sanctions and entity listings against NSO Group dropped and they're going to be going after the US market. Now, I think this is depressing in that NSO Group sort of being resurrected from the dead is not what we want to see. I think seeing anyone involved in that enterprise sort of rewarded and legitimized is a, is a bad thing. And you do wonder who's driving this. Right. And what the, what the plan is for NSO Group's products under this current administration in the United States.
Adam Boileau
States, yeah. I mean, it's a good question. I think the original founders are out as of the most recent kind of ownership change. And you can definitely see the path that they're going down, as you say, like a pivot towards being a supplier into the U.S. you know, law enforcement and national security and other buyers there.
Patrick Gray
Well, Friedman says that that's his objective. Right. He says he wants to take NSO and get at US government contracts.
Adam Boileau
Yeah. And given, you know, they bought it for really top and tape me. Right. There was very, very little compared to what NSO used to be worth. And so I guess they feel like there is still a lot of latent value that they can claw back and make bank on that particular purchase. They've just got to navigate this process and the kind of level of nepotism that we kind of expect in the US at the moment. It makes sense that the guy's got the connections to Trump. You know, there is a kind of a path for them to turn this into a real thing, which as you say, is kind of depressing. On the other hand, you know, the US as a steward of these, if we, if we accept that these tools are going to be made somewhere and exist somewhere, the US is probably a better place for them to be beholden to. Because the U.S., you know, modulo the recent unpleasantness, basically believes in the, you know, you know, regular world order, whereas, you know, we see what some of the players that operate outside of those constraints have been doing. Like all the places that they've been selling and NSO in the past have sold to. You know, it's not the worst place for them to land versus like sell it to Russia or, you know, sell it to North Korea or something. There are plenty of places where it could go that would be worse. But it's still not great, as you say, to see people rewarded and.
Patrick Gray
Well, I think, I think, you know, given that the original founders and shareholders all sort of got hosed, maybe that's not the worst part of it. I just, you know, I just don't think this admin is going to do particularly responsible things with, with. I did say, I don't know if you saw recently, but the new president of Syria, Ahmed al-Sharaa, actually closed the office of his brother who was trying to profit from the family name. And I did say, someone comment on, on social media that, you know, it's kind of ironic that the former Al Qaeda guy seems to be, you know, doing a better job on nepotism than the United States president. So, you know, straight, we do live in fascinating times. But, yeah, look, I think broadly speaking, you're right. And look, even in my conversation with that I, that I spoke about last week, the conversation I had with John Scott-Railton at Citizen Lab, you know, it really is my opinion that when it comes to spyware, the thing that really matters is the legal controls around it, the legal framework around how it's allowed to be used. You know, what the courts do, what the courts are allowed to do. You know, this is where the rubber meets the road when it comes to spyware. So it's really important that the government of the day is going to be a responsible steward. Now, whether or not that's this current government, I don't, I don't know. But the midterm elections are happening in 12 months from now. So I think, you know, what, what unfurls from this is really going to depend on who wins elections in the United States and who cares about this issue and it has seemed in the past where there has been some sort of bipartisan concern around this. I think the Biden White House did a pretty good job on this. So, you know, it's all going to come down to who gets elected.
Adam Boileau
Yeah. One question I had reading this particular story is what about the injunction by Meta against NSO Group? Like this whole process, like let's say they get to the point where they, you know, are back in the US government's good books or whatever. Are they still not, they're still not allowed to target Facebook or WhatsApp or, you know, anything Meta owned because of that particular injunction, which puts them at somewhat of a competitive disadvantage compared to their peers that can sell WhatsApp exploits. I don't know.
Patrick Gray
I mean, I think there's, I think there's ways around that, which is you can sell the exploit and the customer can use it and they've got sovereign immunity and like there's, there's going to be ways to skin that cat. I don't see that as being the end of NSO. I just think, yeah, I, I'm not on the team that. I think that is some crushing blow against them, but they're appealing it anyway. So again, comes down to the courts, comes down to the law, comes down to, you know, to, to, to what's allowed. So we'll just, we'll have to see. Now look, staying with the US and, you know, the 2015 CISA, not to be confused with the agency, but the Cybersecurity Information Sharing Act that lapsed after 10 years, so that lapsed on September 30th. Been freakouts from various quarters. Now this is the law and the framework that allows companies to share data with the, with the government and for that data not to be used against them in various ways. So it's been a, you know, it's been a big deal. There wasn't, there hasn't been an immediate cessation of that sharing. Right. So that's the good news. But it's also not a tenable situation where people are sharing this information without cover. I think most organizations have been in this sort of wait and see holding pattern with it, which is all well and good until it drags on a little bit too long or something bad happens or there's some government action or, you know, so now it looks like that law is going to be, it's going to go through with the reopening of the government. It's going to get kicked down the road till about January 30th. And there's a bit of an argument between the Dems and the Republicans as to whether or not they just do a, you know, clean reauthorization of that bill or whether they actually whack some additional stuff in there. One thing that some people want to go in there is immunity for people who've shared this information while the bill has lapsed. But it looks like it's going to get worked out.
And thank God for that because, you know, I've had a lot of people in my ear about this over the last month or two saying that really, if this thing goes away, it's a very big problem.
Adam Boileau
Yeah, yeah, it's been. There's been a lot of kind of conversation about it and quite how important it has been. And, you know, it's funny how these things end up kind of casualties of the wider political situation. Right? I mean, this will end up being temporarily reauthorized, we presume, you know, with the government restart. But it shouldn't have to be tied to that. Like they should be able to have a functional democratic process that results in this being reauthorized in the normal way instead of lurching through with everything else. But it is, you know, it does seem to have been a particularly important thing. And, you know, I think at the moment there is some kind of somewhat bipartisan support for extending it properly. Like, there's a few people holding out because, you know, there's been, you know, lots of concerns around kind of weaponizing these relationships, you know, with the private sector by the government in one way or the other. But this is, you know, it was a dumb thing to throw out with the bathwater. And I'm glad that, you know, even if it's temporary, it's going to be moving onwards and presumably they will get it right eventually.
Patrick Gray
Yeah, that's it. Now we've got a report from Kevin Collier here who has. It's a good report actually, because he's noticed that in the Bank of England's, you know, economic update, it even mentions the ransomware attack against Jaguar Land Rover. You know, it says, what have we got here? Headline GDP growth has remained slightly higher than estimates of underlying growth over recent quarters. You know, blah, blah, blah, blah, blah. Headline GDP is projected to have grown by 0.2% in Q3, a little less than expected in the August report. That reflects weaker than expected growth in exports to the US as well as disruption linked to the Jaguar Land Rover cyber attack. So that's really interesting when you've got a central bank in a major economy saying, you know, this ransomware attack actually weighed on growth. I mean that means that that ransomware attack has measurably impacted the economy and thus measurably impacted the quality of life of Britons. Which is nuts.
Adam Boileau
Yeah. I mean there's one comparison that Collier makes which was that it's more impact than WannaCry had. We remember what WannaCry was like at the time. It was wild watching that bug go crazy across the Internet and knock all sorts of stuff offline. And so this particular, you know, ransomware attack making a bigger impact, like what was it, two and a half billion dollars worth of impact on the UK economy at Jaguar Land Rover. Like that's, that's significant. And it does kind of also, it makes me think about the kids that did this, like they are mostly, you know, British or at least English speaking, you know, like I wouldn't want to be them. Like they may well have caught the, you know, being the dog that, you know, catches the car kind of thing because they're, you know, it's going to take law enforcement a while to untangle all of that comms mess but they're going to get there and these guys are going to be looking at taking the rap for the Bank of England saying that GDP is down because of them. That's. Yeah, that's not going to be good for your process.
Patrick Gray
That doesn't look good when you're in court getting sentenced. When you've got the, you know, the head of the, of the Bank of England saying this guy just hurt the economy.
Adam Boileau
It's not good.
Patrick Gray
What else have we got here? We've got SonicWall saying that those attacks against their sort of cloud config backup thing, this is when they were getting brute forced and didn't notice because they weren't doing any brute force detection, which is, you know, malpractice. If I'm, you know, expressing my true opinion on that. They've now said that that was a state backed actor who did that. I don't think they've said who it was, but yeah, I mean, no surprise there really. I mean look, smells like China, let's be honest.
Adam Boileau
It does smell that way. I mean it could be North Korea I suppose, but it does kind of.
Patrick Gray
Smell like China, North Korea going after SonicWalls. I mean, how many crypto exchanges? It doesn't. Nah, it doesn't.
Adam Boileau
Yeah. I mean, I'm just saying like who would be behind it and do a good job? Right? I mean it's kind of a short list, yeah. The interesting thing about this SonicWall thing, right, so they've said that it was probably a nation state actor. When they originally reported it, they mentioned brute forcing as a vector and it did seem, and they said like, oh, 5% of our customers. And that felt like plausibly brute forcing. But I think that they've kind of, they don't seem to be doubling down on the brute forcing angle. I think that there is another avenue because like the fact that it went to 100% of customers, they got all of the backups, does not feel like account brute force. That feels like there was a bug in the platform and that they originally spotted, they were looking for something that was explaining these things getting nicked, saw brute force attempts in their logs, pulled that particular thread that led to the 5% number. That's kind of how it feels to me. There isn't anything that kind of substantiates this except that brute force 100% of customers does not ring true. Right.
Patrick Gray
I mean, you know, maybe they brute.
Adam Boileau
Forced a privileged account or something. You know, it's possible, but like it feels like there was a bug in the platform and that resulted in all of the backups getting stolen and then of course credential material from there and onwards to great victory. But yeah, either way, nation state behind it totally makes sense. China makes sense. And yeah, if you have a SonicWall, they've actually provided some better guidance on like how to deal with this, where you put in like the serial numbers of your SonicWalls and they will tell you whether or not those configs have been stolen and what you should do about it based on the exposure of various services on the firewall. So they've done, you know, as good a job as they could in dealing with this after the fact, but it would be better if they hadn't had all of their configs stolen in the first place.
Patrick Gray
Now let's talk about Japan and the Nikkei, the media giant. Nikkei, I'm guessing, do they operate the exchange? I don't know. I don't even know. But yeah, it owns the Financial Times and publishes a bunch of financial newspapers, employs a bunch of people. Their Slack got owned and it exposed data on 17,000 people. This is a piece from Daryna Antoniuk over at The Record. And I guess the thing that makes this interesting is I still feel like a lot of organizations don't really think enough about what an exposure of something like Slack actually means for them. And this is just a good example of, like, wow, okay. That's bad.
Adam Boileau
Yeah. Because this particular breach got into their Slack, you know, having stolen login credentials, I assume, like an infostealer, and from there it includes chat histories for 17,000 users. Like, it's one thing to get names and email addresses. That's not a great data breach. Chat histories at a news organization, like, I feel like that's probably a thing that is not ideal. And I guess the benefit is that stuff ages relatively quickly. So, in terms of profiting off, you know, financial reporting ahead of the market or something like that, that stuff doesn't last particularly long. But I'm sure there are a great many juicy and interesting things in all those chat logs. And there are various memes, right? Because, I mean, if someone stole our Slack history, for example, there would at least be some funny japes and stuff. So that would be nice.
Patrick Gray
There'd be some scuttlebutt. You know, we do talk about that. We talk about stuff in Slack where it's like, you know, high quality rumour that you can't really report, or stuff sources have said and they've asked you not to talk about it publicly. And there's stuff there. Yeah, I mean, media is always a great target for intelligence collection, because they are at the front line meeting with sources and collecting a lot of stuff. And often they don't publish it. You know, we don't know that that's what this is. Who knows? But, you know, it's just that exposure, like, the number of secrets as well that you can pull out of Slack. We've seen that a million times, like API keys, cred pairs, all sorts of stuff in Slacks. And it's one of those typical SaaS services where you don't control it, and people are using it to do sensitive stuff. And I just think this is a good example. I don't think this Nikkei company, which owns the Financial Times and a bunch of financial newspapers, I don't know that they operate the exchange. Probably not. Anyway, someone will yell at me. They always do. Tell me what I got wrong. We'll talk about that in a minute, too. What else have we got here? We've got a story from Catalin. Found this one where Intel has sued a former employee for stealing a bunch of confidential data. It is the means of theft, Adam, that you think is particularly LOL worthy. So walk us through it.
Adam Boileau
Yeah, so this guy had worked at Intel in, like, a design engineering role in Seattle, I think, for 14 years. He found out he was going to be terminated. He decided that maybe he would loot some confidential documents from Intel to help him out the door. Whether for a future employer, whether he was planning on selling them, who knows. He decided to do the obvious thing, which is you plug a USB stick into your computer and you copy all the files over to it. Now Intel, being a sensible, cyber-enabled, security-conscious organization, had put controls in place, presumably at great cost, on desktop use of USB storage devices, maybe some DLP. Whatever technology it was, it snapped this guy attempting to copy the data. And so good job, security controls, everything worked as intended. So to get around that he just brought a NAS in, plugged it into the network and copied to that instead. So, like, good lateral thinking, got the job done. Unfortunately, you know, they found out what was going on overall. But I just feel bad for the people that had to work such a long time getting USB controls in place, only to have them circumvented by plugging in a NAS and copying the data to there instead.
Patrick Gray
Yeah, I mean, that's just how it goes, right? Which is, you know, insider threat is hard, and it doesn't take much to sidestep a lot of controls in practice. Although, I mean, he did get caught, right? And I'm guessing there are nice juicy network logs there to help with the prosecution. Now OWASP has updated its top 10, and by and large I feel like this update, and it's not the first time we've said this when they've updated it in the past, this update feels like progress, because when you see what's on the top 10 now, it's less and less dumb stuff. Like, it's still dumb stuff, but it's not the dumb stuff that we were used to dealing with. I kind of feel it's good that we're dealing with different dumb stuff now. I don't know, less ubiquitous dumb stuff, which is cool. But walk us through OWASP's new top 10.
Adam Boileau
Yeah, so this is the release candidate, so they may still tweak it before the final, but I feel like at this point it's pretty locked in. So number one is still Broken Access Control. And that's a category that covers all manner of, you know, logic flaws around access control, things like direct object reference, etc. And that remains number one, which, you know, I think is an entirely reasonable thing to be number one.
Patrick Gray
Would something like PHP file include fall under Broken Access Control or.
Adam Boileau
Probably not. Although these categories are a little bit flexible, and I think quite a lot of the OWASP top 10, when they arrange the numbers and the categories and stuff, there is quite a bit of massaging, because they want a top 10 that covers most of the things that need to be covered, because many project managers and business owners and whatever aren't going to fix things that aren't, you know, top 10 bugs. Because if you're not fixing things in the top 10, then you're negligent. So there's quite a bit of massaging to make things fit the way we need them to. And there's a bit of wiggle room, I guess, in how they categorize.
Patrick Gray
Well, I mean, the reason I ask that is because when I think about a PHP file include, I can see, like, four categories or something here on the top 10 that it fits into. Right.
Adam Boileau
So yeah, they try and map these onto CWE, Common Weakness Enumeration, kind of categories, and there's a bit of fuzziness about it. Some things are symptoms and some things are root causes. But the main thing is to give developers and security people some ammunition to use to say we actually need to fix this because it's a top 10 bug. And so how they finagle the list to support that is indeed part of the process. Although it's not just finger in the air. They do collect a bunch of data from application security firms, from developers and code review places to substantiate this. But there's a little bit of working backwards from what we want.
Patrick Gray
It's impossible to build a simple taxonomy, as evidenced by the fact that server side request forgery is now a part of Broken Access Control. So, you know. Yeah, they folded that into that category. But look, I guess it's just that you used to look at the top 10 and it was all real face-palm, dumb stuff. And it's more nuanced now, it's a little bit more sophisticated. So I feel like that's good.
Adam Boileau
Yeah. So Broken Access Control, number one. Security Misconfiguration is up at number two, which kind of makes sense. It was a bit lower in the previous one. There is a new one which kind of subsumes the previous category, which is Software Supply Chain Failures. And that's one of the big changes here, because we have seen so much focus on compromise of upstream packages, of very complex dependency trees, of software backdoors and supply chain attacks pivoting through credentials and things, that this is a thing that absolutely deserved to be higher up and more highlighted in the list. And I think of all of the changes this year, that's probably the big one, focusing on supply chain and how people are going to address that. Because especially in ecosystems that pull packages in very rapidly, things like the JavaScript ecosystem, there's dynamic composition of software very close to runtime, as opposed to at build time or earlier on in the lifecycle of software development. So it makes sense for this to be a thing that people are focusing on. So that's great. They've collapsed down some other categories as well and kind of rearranged them. Cryptographic Failures has gone down a little bit, which I think is probably reflective of the fact that there's slightly less crypto junk, like block shuffling of AES ciphers, because that kind of bug class has been pretty hammered out by Microsoft and .NET and by bug bounty kids and so on. So there's a little bit of wiggling. But that software supply chain is, I think, the big change for me. There is one other new entry, which is Mishandling of Exceptional Conditions, which, you know, error handling is a thing that we should get right. I guess it wasn't explicitly in the top 10 before, now it is, and that's good. But everything else is pretty much how it was. Have good logging.
Patrick Gray
So you're saying what's this luxury doing in the top 10?
Adam Boileau
Well, but I think that's to your point, I think that is also kind of progress. Right? The fact that we have logging and alerting and mishandling of exceptional conditions have made it into the top 10 is a recognition that we are overall getting better. But also that previously we would have had separate entries in this list for cross site scripting, for SQL injection, for server side request forgery, for local file include, whatever. Those were broken out previously. The list is better organized now, and we've made room for more important things because we've collapsed the categories a bit. And I think, overall, I'm really here for this. I think the OWASP team that manages the top 10 do a really good job of massaging it into exactly what it needs to be. Even if it means a little bit of weaseling about, you know, server side request forgery could just kind of go up into access control or wherever, whatever it is. Because the outcome we need, they get there one way or the other, and, you know, good work and good job to them all.
Patrick Gray
Right, now that's actually mostly it for the week's news, but we're going to do a bit of a follow-up conversation just quickly. Last week, of course, we spoke about the FFmpeg Google spat. Funnily enough, both you and I have been chatting to people from Google. We're not going to name names, but you've spoken to someone at Google, I've spoken to someone at Google. Our comments got a bit of a negative reception with the person that I spoke to, who was like, look, we spend a lot of money with FFmpeg Labs, which is sort of the commercial arm of FFmpeg. We've contributed through Summer of Code. Like, we've helped them a lot. I think all of that's true. I don't think that changes really my position on this, which is it's time to have a conversation about the norms involved in reporting software bugs, particularly to open source projects. And, you know, this '90s era codec where the bug was, that we were talking about, like, that's not really a part that's being commercially maintained based on contracts with Google. I just think, I still maintain, that it's time to have a conversation about this. Yeah, I've even seen a bug finder on social media saying, well, I just submitted a pull request with my bug after everything that's happened this week. And, you know, I think that turning that into a bit of a norm is not the worst. But you had a conversation with someone who's quite senior at Google as well, and they seemed more receptive to our position on that. So opinion seems to be split everywhere on this.
Adam Boileau
Yeah, I think all of these things can be true. Like, Google absolutely can contribute and has contributed to the wider FFmpeg, and obviously have a lot of people that write good code and contribute code to open source projects. But at the same time, you know, disclosure has always been a thing that riles up the community, because it's such a nuanced, complicated set of trade-offs that we all have to make. And there are different answers to all of these questions depending on your perspectives and so on. So I think it is nuanced, and I think, if anything, Google understands that nuance. Like, Google has a depth of information engineering knowledge and relationships with these communities, and all the people involved do understand all of these complexities. You know, sometimes there are kind of blunt reporting bugs that came out of your AI. It can be kind of a blunt process, as you say. Like, we're heading towards the point where they'll be able to submit code fixes in that kind of scaled way that we're talking about. But overall, this stuff is complicated, and I think getting to the point where at least showing up with a, you know, here's a bug I found and here's at least an attempt at how we could fix it, or...
Patrick Gray
Well, yeah, that's literally what I was about to say, which is it's not going to be possible for bug hunters to submit a patch every time, because they might not entirely understand how the software works, right? Like, they've figured out a bug, however they've done it, and they don't understand the context in that code to be able to make a fix without breaking something or whatever. But at least trying to be more constructive about it, which is, here's how far I got, here's what I think. Who's the developer? Let's have a call. I just think we need to move to a more collaborative model, basically.
Adam Boileau
But at least trying is a demonstration of good faith. And if I'm reporting a bug to Oracle, I don't feel like I need to demonstrate good faith then because probably I don't have good faith with Oracle.
Patrick Gray
There's a difference between, hey look, I think I found a security bug here and I'd like to work with you on fixing it. Let's have a chat versus here's a bug, here's a POC, you got 90 days or I'm going to full disk it and screw you. You know, like that's the difference.
Adam Boileau
Yeah, yeah. And, like, there are plenty of people in the hacker community that are kind of from that, you know, screw software developers, you know.
Patrick Gray
Yeah, but that was born of an era where Microsoft wouldn't fix really severe bugs in, like, IIS or Internet Explorer, right? Unless you put the screws on them, they would just sit on bugs for a year. They would never fix them. So, like, that came from somewhere and it makes sense. And I still think it makes sense to turn the screws on a bunch of these large companies that need to be doing better, but we just need to be a little bit more intelligent about it. Anyway, we've spent enough time on that. The other thing I wanted to quickly mention as well, just a little bit of subsequent reporting on the Peter Williams Trenchant leak situation, is I have it from two sources now that one of the bugs that he stole and sold to a Russian exploit broker was used by North Koreans, which, you know, has not been reported anywhere. I figure it's probably going to come out more officially than just people telling me, and it really puts this thing into context, which is, like, how bad it is, what he did, how appalling his actions were, and why I find it just insane that he's not even going to do as much time as a ransomware affiliate. Although, you know, let's see if his sentence is surprising to the upside in January when it actually gets handed down.
Adam Boileau
Yeah, I mean, when we started to see that kind of scuttlebutt, it does make you think, what did you think was going to happen when you sold these bugs? Where did you think they were going to go? You know, and the fact that we end up not just in Russian hands, but in North Korea's, like, what did you... I mean, I guess that's a number of people I've talked to. Like, what did you think was going to happen? Why did you think this was a plan that was going to work for you? And let's really hope that it does not work well for him, because, you know, we'll see what the sentencing looks like.
Patrick Gray
Yeah, I mean, the only thing I can think of is he hit, like, acute money trouble. And when you look at when his activity started, it was when interest rates went up. The crypto economy, like, collapsed, equities did badly as well. Like, you know, 2022 was a time when a lot of people got into money problems. You know, this is a married guy with kids. He's probably worried about his family situation and whatever, but, you know, out of the frying pan and into the fire is what this guy did, just epically, epically dumb. He might even be listening to this. From what I understand, he was actually a Risky Business listener. So, Peter, you're a knob, you're an idiot. And you deserve everything you get, I'm afraid. Adam, that is it for this week's news. Big thanks to you for joining me, and we'll do it all again next week.
Adam Boileau
Yeah, thanks so much, Pat. I will talk to you then.
Tom Uren
Hello, I'm Tom Uren, the policy and intelligence editor at Risky Business Media. You can join the Grugq and I every Tuesday for the Between Two Nerds podcast, which is all about cyber intelligence and cyber war. Deny, degrade, discombobulate. You can find the Between Two Nerds podcast and more in the Risky Bulletin podcast feed. Subscribe today by searching for Risky Bulletin in your podcatcher.
Patrick Gray
That was Adam Boileau there with the check of the week's security news. Big thanks to him for that. It is time for this week's sponsor interview now with Haroon Meer, who is the founder and, you know, big cheese over at Thinkst Canary. Thinkst Canary obviously makes hardware honeypots that you can just plug into your network, and they can mimic whatever you want them to be. So if someone is on your network poking around, you're going to get a very high fidelity signal that tells you someone's poking around on your network. As you'll hear, they've got a bunch of cloud based canaries these days as well, because it is 2025. But Haroon joined me for this conversation really about how we should be demanding better from security vendors, companies that make security products. And it isn't the usual just ranting about how we deserve better. He's talking specifically about how Thinkst Canary has a slash security page which you could go visit, right? canary.tools/security. Go have a look at the slash security page and you'll see that it's a very simple list, really, of the security measures that Thinkst puts in place, how they think about their product, you know, what can happen if there are breaches, I guess, at Thinkst, like what they've done to wall people off and prevent things turning into a disaster. Just really simple stuff. And Haroon's point here is, shouldn't everybody do that? And I think he's absolutely right. So here's Haroon Meer.
Haroon Meer
Like, part of the reason we have this page, like, we have canary.tools/security, is a, hey, listen, here's how we think about this product. Like, we're going to do some dangerous things. You're going to trust this box on your network. What security questions should you have about this device? And let us try to assuage you that actually this is not a terrible idea. And I think that all security vendors should be putting forward some of that. Like, customers should be demanding some of that. Hey, you're going to be doing this dangerous internal thing. Show us that you're considering eBPF instead of just raw-dogging the kernel. You're going to be doing this stuff on our network. Show us that when you get owned, you're not going to also end up owning us just because of splash damage. And I think all of the answers are going to be different. And one of the things that frustrates me is that you don't see signs of this sort of thinking or innovation coming out in the security space, in part because people don't demand it. What you should be seeing is someone with deep pockets, like someone like Fortinet, someone like Palo Alto, coming out and saying, we've got a bajillion lines of code to audit, and that's why this is our code scanning solution, this is our SAST solution. But you don't see innovation in those spaces being talked about, because they don't have to. It's like, yes, there is this risk that they know they're carrying, but they can just ignore it, because instead they're going to talk about the next thing that the market cares about. So they're going to buy the next agentic thing, and before that they bought the next SOAR thing, and before that they bought the next. But fundamentally, people need to be saying, hey, you've got a lot of code. How are you auditing this code? Take anyone who runs modern SAST, modern code scanners, they've got the same problems that code scanners have had since forever.
And so Cisco and Palo Alto and all of these guys should be putting out white papers saying, you know, when you have as much code as we have, this is what we're doing, this is how we're getting there. And you'll notice for our stuff, it's very us-related. It's, we've got to run 3,000 nginx instances. How have we customized nginx to not surprise us?
Patrick Gray
I've noticed actually that on your security page, you look at a lot of this and some of it's like, okay, we're using memory-safe languages and whatever, but a lot of it is just sort of architectural. You know what I mean? It's like, we've chosen to deploy this way for this reason, and it all makes sense. But it is very specific to you.
Haroon Meer
No, absolutely. And I'm saying everyone should have stuff that's specific to them for exactly this reason.
Patrick Gray
And what you see, how does that work when it's like a domain-joined remote access appliance, you know what I mean? You can't re-architect that such that it's no longer a domain-joined edge device. Right? Like, that's always going to be an architectural problem.
Haroon Meer
Yes. So there are some things that can't be done safely, and then those people need to be saying, for you to trust me to do this safely, here's my duty of care. And what we slip into without that is "trust me, bro." And instead, take Adam, and Adam will tell you, of course we were gonna pop that thing, and Adam knows it, and every attacker knows it, and everyone else is just acting like that's not the case. And that's just insane for places where it matters. And instead the company should feel under pressure to say, if we're going to do this domain-joined edge thing, then we need to show that we've had it audited by the absolute best. Because otherwise you shouldn't trust us with this thing. And so, like, our slash security really comes from the place that says, why would you trust us with this thing? Look, it's because we're thinking about this. And what I want to see more from other vendors, and what I want to see customers demanding, is exactly that sort of accountability.
Patrick Gray
And, you know what's crazy, Haroon, right, is I work with a bunch of startups now, and all of them get security testing. And it's because often people procuring newer technologies demand a pen test, you know what I mean? They want to know that you've been through, like, a rigorous audit. Like, you know, Knocknoc is a great example, where we commissioned a test, really good tester, actually a testing company based out of Australia, and they found a couple of things too which were definitely worth fixing. But then you get to package up the report, and customers can look at it. What's amazing is how much this type of material is demanded from startups. But meanwhile they'll throw a couple of million dollars at a few, you know, PAN devices that are, like, Linux on MIPS with no memory corruption mitigations or controls, and no pen test report needed. That's fine. You know, you guys have been around for a while. It seems a bit backwards.
Haroon Meer
Yeah, it's exactly the reverse assumption, right? You think that they're big enough and they must be okay. And also, like, can you really ask them for that sort of stuff? But it's absolutely what we should be doing. And I must say, also for the smaller startups, you'll see them slip in two ways. They'll do the pen tests, but when you're a young startup, you're going to have this problem of, it's a normal technical debt thing, right? You're racing for income, you're racing for features, and you start to make your architecture choices then. And my thing is, we've always known that we genuinely have to be accountable for our choices. Till today, we don't heavily play in Active Directory deception, because we don't know how to do it safely. Like, the times we've done it, we ended up with, yes, we can own this, and there's no way we can not own this. And so we don't release that, because we're not going to get people's networks owned that way. And what you see is the reverse, where, like, I've spoken to other people, other vendors, and I go, like, how are you doing that securely? And there's a shrug.
Patrick Gray
Well, it's like when I talk to HD Moore about how runZero is a terrific scanner that is unauthenticated, right? And he's figured out how to make unauthenticated scanning work really well. And the reason for that is, anyone who's done pen testing knows that a great way to collect privileged credentials is to just pop up on the network and wait for the vulnerability scanner to pass off a bunch of highly privileged credentials to you, thinking that you are a device to be scanned. And it's like, you can't fix that. You just can't fix that. And it's dumb, and we shouldn't be using that shit anymore.
Haroon Meer
Yeah. And I'll take it a step further. We shouldn't be introducing those things. And you will still see a ton of security products still introducing security badness. And my thing is, it's because they get to get away with it by having their SOC 2 report, and a SOC 2 report...
Patrick Gray
Like we all know. But they're FedRAMP. It's fine. It's fine.
Haroon Meer
Exactly. And so I'm saying what people should have is a slash security page like this that at least says, here's the things we think you should be thinking about, here's the things we thought about, here's why you should listen to us. And, like, this stuff keeps changing. Like, we write about some of them pretty currently. But yeah, I think it's a mistake for people not to. Increasingly I push back to people to say, let's go read their blog. You can read the runZero blog and you can see HD's thoughts on the industry. You can come see our blog and, other than our new features, you'll see here's the stuff we're doing to keep our infrastructure safe, so that when we get popped like F5 did, you'll hopefully hear about it before the two years are up and all our source code is gone. And mostly that just doesn't exist for people, because the market's not demanding it. And when we did the "products we deserve" talk, I said that good customers need to push back, because lots of times good customers know that they're hearing vendor BS and they ignore it. But the problem is bad. Like, younger customers don't know that stuff. And so it's the responsibility of smart customers with well funded teams to push back and say, actually, this is garbage and you guys shouldn't be doing it. And then hopefully that stuff will get better.
Patrick Gray
I mean, it's funny talking about this, because it's been my approach for years that the stuff that I'm interested in from a security products point of view, and these days kind of as a part time venture investor, which is part of my job now, the stuff that I'm really interested in is what I would describe as enduring controls. Right? And the great thing about enduring controls is they tend to be a lot simpler than the stuff that is getting owned sideways these days. So I think about stuff like Airlock Digital, which is allow listing, and, you know, very simply constructed, but makes allow listing simple, scales up to, I think they've got clients with, like, 150,000 endpoints in one console. Like, pretty amazing stuff. But it's simple stuff. There's no heaps of parsers, and they don't have a team of researchers who are playing whack-a-mole with different classes of attacks. It's just this enduring control that is going to work as well in 10 years from now as it does today. And the attack surface is not really there. Then you've got other stuff like Knocknoc, which is a good example, very similar approach. It's allow listing, but it's for network connections. Again, an enduring control. Your stuff, you know, honeypot based detection and sort of incident alerts. Again, it's an enduring control, and in fact more enduring now, because you've launched a bunch of new stuff that we're going to talk about in just a second. But you see what I'm saying, right? Where I feel like when you're dealing with the stuff that's not an enduring control, when it's stuff that just is never gonna be good, I don't know, I just am not at all hopeful that it's gonna be good.
Haroon Meer
No, it's so, like, I think we've quoted it before on the show. Like, you know the thing that says, I didn't have time to write you a short letter, so I wrote you a long one. Like, that also applies to good product design, right? Like, if you can whittle it down to, here's the thing that it does, we do this one thing, then it doesn't become, let me throw the kitchen sink at it. It's, here's what we do. We're going to make sure we can do it cleanly and we're going to make sure we can do it well. And the alternative to that is, let me grab every buzzword that we can. Let me shove it down, because maybe this ticks some of your boxes when you're trying to do your acquisition or your purchase.
Patrick Gray
Well, what is F5? It's a load balancer firewall WAF. It's an SSL termination load balancing firewall WAF.
Haroon Meer
You know, and that stuff happens a lot. And I'll tell you, to a bigger thing that you mentioned, like, for the last while, we went through this 15 year hysteria of everybody starting a company and everyone's getting acquired and everyone's selling their company, and you end up with this horrible place where people are like, the intention is to make a company and then sell the company. And what you'll see if you speak to the Airlock guys, if you speak to HD, if you speak to Knocknoc, fundamentally there's, I want to build a meaningful thing. And if you're building a useful thing, you get a bunch of people who feel they're doing great work in building that thing, and then you actually care about, can I do it securely? Can this thing not own my customer?
Patrick Gray
Well, but I think it's, those two are kind of related. Like, the reason it is an enduring thing, it's a fundamental control. And the thing about fundamental controls is they tend to be quite simple, so they are easier to build securely. Which again is why I like them. You know, yeah, it's.
Haroon Meer
I think, I think you'll bump into, like, when we gave the talk, I spoke about why people stay away from building simple things. And there's a bunch of thing, a bunch of reasons that simple is hard, but I think that's maybe a soapbox issue for us to.
Patrick Gray
Yeah, that's a longer conversation. Speaking of, we're kind of running out of time here, so. You've also put out a platform update for Thinkst Canary. What have you shipped?
Haroon Meer
Yeah, so this month we shipped two new platforms. So for us, Canaries, you'll remember the original versions were just the hardware devices, still by far the biggest seller. So literally thousands of them. Famously, we always talk about hardware devices in Antarctica, so sitting in the snow. But soon after that we released VMware versions, Hyper-V versions, AWS versions, GCP versions, but all of them logically are the same. So if you've got this environment, you boot them up. A Canary is now in that environment. And we've got them on Docker, we've got them in Tailscale. So for people who like Tailscale, you can just click, click a button and a Canary shows up in your Tailscale network. And this month we released them for Oracle Cloud Infrastructure and Nutanix. So again, people who've got those sort of setups, you now have the option where you can drop a bird in. Again, just works, shows up in your console and you're good to go.
Patrick Gray
Excellent. Now, the Antarctica one, is that the Australia-based guy from the Antarctic Authority or whatever, the Antarctic Division?
Haroon Meer
I'm not sure I can say that.
Patrick Gray
Oh, that's all right, because I met, I met that guy. I met the security guy for the, you know, Antarctic Division or whatever it's called at, like, AusCERT, like 15 years ago. And he gave me a pin and he was a really cool guy. So hello to you, if you're listening. I've still got the pin around somewhere, I have to say.
Haroon Meer
We now have two customers in Antarctica, so. So one of them might have been that, and we now have two, but it is one of the things I love most in my life. Like, if you tell me that, you take something away from me and I'd be very sad, being able to say we're on all seven continents is one of them. I love our Antarctica customers.
Patrick Gray
Gotta look after those penguins. All right, Haroon Meer, thank you so much for joining me for that conversation. Great stuff as always.
Haroon Meer
Always cool, Pat.
Patrick Gray
That was Haroon Meer from Thinkst Canary there with this week's sponsor interview. Big thanks to him for that. And that is it for this week's show. I do hope you enjoyed it. I'll be back next week with more security news and analysis, but until then, I've been Patrick Gray. Thanks for listening.
Claire Aird
Hello, I'm Claire Aird, and three times a week I deliver the biggest and best cybersecurity news from around the world in one snappy bulletin. The Risky Bulletin podcast runs every Monday, Wednesday, and Friday in the Risky Bulletin podcast feed. You can subscribe by searching for Risky Bulletin in your podcatcher and stay one step ahead. Catch you there.
Date: November 12, 2025
Host: Patrick Gray
Co-host: Adam Boileau
Sponsor Interview: Haroon Meer, Thinkst Canary
In this episode, Patrick and Adam dive into the week’s biggest information security news stories, focusing heavily on harsh crackdowns on scam operations in Southeast Asia, a major ransomware attack with economic impact, multiple notable breaches, and the evolving security landscape—plus, a deep-dive sponsor segment calling for greater transparency from security vendors. The show maintains Risky Business’s signature frank, insightful, and sometimes irreverent tone.
Myanmar’s KK Park Compound Dynamited
China’s Ruthless Justice
Singapore: Caning as Deterrent for Cybercrime
Other agencies advised not to interact with CBO; evidence attackers are still inside.
Security effectiveness hampered by government staff availability during/after the shutdown.
Cumulative effect of shutdown and budget cuts predicted to undermine future security.
Patrick: "I don't think we really know how badly things have atrophied over the last five weeks of this US government shutdown. But yeah... neglect will gradually reveal itself." (14:04)
Patrick and Adam agree—norms should shift from "burn everything in 90 days" to more collaboration, context and constructive engagement—especially with open-source, under-resourced projects.
Patrick: "Turning that into a bit of a norm is not the worst. But you had a conversation with someone... and they seemed more receptive to our position on that. So I think opinion seems to be split everywhere on this." (40:18)
Guest: Haroon Meer, Thinkst Canary
For security professionals and industry watchers, this week’s episode offers a brisk blend of international enforcement news, practical insights about policymaking, and a strong advocacy message for vendor transparency.