Patrick Gray
And welcome to Risky Business. My name is Patrick Gray. We've got a great show for you this week. We will be joined by Adam Boileau and a special guest for this week's news. Joe Tidy, the cybersecurity correspondent for the BBC World Service, is joining us to talk through all of the week's security news. So that'll be fun. And yeah, in this week's sponsor interview, we're going to be chatting with Haroon Meer and he's talking to us about something interesting, the idea of, I mean, we've all heard about honey tokens. There's a similar concept called breadcrumbs. They're not exactly new, but Thinkst Canary is starting to support various types of breadcrumbs in its product. And, yeah, he'll be joining us to talk about what they are like, what is an SSH breadcrumb. And he's also chatting about how Thinkst has actually acquired a very small, I guess, would you call them a competitor or complementary business? So that's pretty cool. And they've also taken over South Africa's Computer Olympiad, proving that, that they are, in fact, giant nerds. So we'll be chatting with Haroon about all of that a little bit later on. But first up, it is time for this week's news. And first of all, Joe, thank you so much for joining us. This is your first time on Risky Business and we're stoked to have you here.
Joe Tidy
Oh, thank you very much for having me. I have listened to you guys for, I think, just about eight years now. Every single week. You are my Friday gym session podcast. So thanks for having me. Brilliant to be here, man.
Patrick Gray
That's fantastic that we can help you in your goal of getting swole. That's awesome. And, you know, we hear you a fair bit here in Australia as well because we've got all sorts of radio stations and syndication agreements. So sometimes I'll be driving along, you know, after dinner on my way home or something. And then there's Joe Tidy talking about the cybers in my. On my car radio. So, yeah, it is, it is great to have you here. And Adam's here as well. And mate, the first thing we're going to be talking about this week, I am freshly back from six weeks in Latin America. So I was in Brazil the last six weeks from early December until like 48 hours ago. Just got back and there was a bit of news, you know, in Latin America while I was there. Of course, the sort of abduction of the president of Venezuela, Nicolás Maduro, was big news. And now we're still seeing. Weeks later, we're still seeing news reports about, oh, there was cyber in this, according to officials who were briefed and then counterclaims saying, well, where, you know, was there cyber? Would that even matter? On and on and on. I think the key thing here, the reason we're talking about this, of course, is because the New York Times just did a very big and vague piece. I think my takeaway here is it is impossible to know what the US Government may have done here in terms of cyber, and it would not have really been definitive anyway. So the whole conversation seems like a bit of a waste of time, which is why we didn't have it last week. First of all, Joe, what are your thoughts here, mate? Because it just seems. It just seems like a big bit of a waste of oxygen this whole news cycle.
Joe Tidy
Yes. But I also find it really intriguing and I want to know. And I remember when that, when he came out, Trump, and did the press conference about it, and he said it was dark and dangerous in Caracas. No, dark and deadly is what he said, because we have got some special. I can't remember the phrasing, but something like special skills in order to turn the lights out. And I just thought, well, my. My cyber senses are tingling. You know, that sounds like cyber to me. And then I assumed that we would get more information and that it would just become a part of this, this what was, you know, shock and awe military campaign. That. That would have been a significant. But obviously not, you know, not everything. It was about cyber, but it would have been a significant part of it. But there's just been nothing since the New York Times article, as you say, doesn't give much detail, doesn't really sort of progress the knowledge in any way in either direction, really. I'd love to know. But I think part of the appeal of why Trump said that and why they're now not saying anything else is because part of the. The strategy is don't let them know what capability we have. Don't let them know how we did anything. Keep them guessing.
Patrick Gray
Yeah, yeah. I mean, one of the craziest things about all of this is I'm now seeing some of the Venezuelan propaganda that's being pumped out after this event actually being repeated by Americans. So, of course, one of the Venezuelan guards apparently came out and spoke to the media and said, oh, the Americans, they were super soldiers, genetically engineered, they had sonic weapons that turned people into paste. They basically had alien technology, you know, so this, of course, is a way to save face after the loss. But of course a whole bunch of Americans saw this and they're like, cool, retweet, retweet, retweet. Look at us, we have alien technology. When really to me it just looks like the Venezuelans are trying to save some face. What's your feeling on all of this, Adam? Because, you know, we saw the materiel, the gear that the Americans had brought in. Like, if I want to go and get around some S-300 air defence batteries, I'm bringing myself an EA-18G Growler. I'm not bringing some Cyber Command nerds, right, to keep me safe on that mission.
Adam Boileau
Yeah, nerds. With cmd.exe slightly less threatening. I mean, I think the thing that we, that this said to me is that like cyber is a key part of US, you know, of the tools they have in their chest. And they're very good at combined ops, like putting intelligence together with special operations, with air support and all of the other bits and pieces. And cyber is a piece of that puzzle. Even if the extent to which they are using in any particular case, we're never going to know until years after when someone writes a tell-all book. And that will be very interesting when it happens. I mean, Venezuela's power system has had a whole bunch of issues in the past. It's already pretty flimsy, so I can't imagine it would take much to push it over, be it cyber, be, you know, electronic warfare, be it, you know, what was the other thing we saw? Like bits of carbon thread dropped over transformers to make them stop working, short them out, you know, whatever it happens to be. I guess, you know, the thing they are trying to signal is we have techniques and, you know, if you're somebody else that's trying to mess with the US then you'll get some combination of those and we're just not going to know what that combination actually is until we are the victims or, you know, it's 10 years down the track. So, yeah, I'm as curious as Joe is, but we're not going to find out in a while unless, you know, Trump decides to just screenshot it all and post it onto his social. You never know, you know, he might.
Joe Tidy
Well do.
Patrick Gray
You never know.
Joe Tidy
My favorite part of the kind of like mystery of it all was when someone tweeted a picture of, you know, this meme of someone on a podium celebrating with champagne exploding everywhere and it was Cyber Venezuela. And then it zoomed out and he was at the bottom of a much larger podium with People above them. And it was like military soldiers, Air Force, human intelligence. And then this is a cyber guy pretending he was doing it all himself.
Patrick Gray
Delta Force are going to be in position number one on that. On that. Right. Like, it is, it is pretty funny. But, you know, I. Look, the whole thing, though, you would have to say, and I guess, you know, just one comment, not really related to the cyber component of it, but, you know, I was talking about this with our colleague Tom Uren the other day, which is, look, this is just one of the most remarkable raids. It is the most remarkable raid in my lifetime. Right. The fact that it went off so swimmingly is just extraordinary. It is absolutely, it's almost unbelievable. And you think, well, perhaps they were able to get, you know, through intelligence operations, perhaps they were able to get a lot of the military to stand down while this happened. That doesn't make it any less amazing. And Tom agrees with me on that. Like, whether or not it was pure military or pure intelligence or combinations of absolutely incredible stuff. And I'd imagine too that there would have been a lot of useful intelligence collected via cyber means, you know, if you had to choose right, when putting together a caper like this, whether or not you wanted cyber effects on the day or you wanted cyber to do intelligence collection leading up to the day, it's always going to be the intelligence collection. That's something I've always said for years and years and years, which is, that's where it's useful. Right. You want to take out the power, do cyber, figure out which transformer to blow up, then, you know, which transformer to blow up. Blow it up. You know, that's just my, my feeling, Adam.
Adam Boileau
Yeah, yeah, no, I'm with you. Like, there are things cyber is good at and actually having effects is not really top of the list. There's many better uses of that capability. But it is good for the U.S. from their perspective, to have everybody else being a little bit scared just in case they do have amazing cyber that can turn off the power.
Patrick Gray
Yeah, yeah. Well, apparently, you know, Venezuela alleged that they did that in 2019 in a pretty big way when the previous Trump administration was trying to destabilize there. And then of course, late last year, you know, something that looked a bit like a ransomware attack happened to the state owned oil company and the government there was blaming the Americans and we said that that was actually credible. So, yeah, who knows? Anyway, let's move on and, you know, some more political drama in the United States. As Jen Easterly, who is the former CISA director. She, of course, was the second director at CISA after Chris Krebs. She got lumaed at some point and is apparently an undesirable in the eyes of the White House. Well, she was appointed to lead the RSAC conference in San Francisco. So she's going to be the CEO of the RSAC conference. And that has caused, according to Nextgov, it has caused some officials to consider skipping the conference. The information I have is that it's essentially a blanket ban on federal government employees attending RSAC this year because Easterly is running it. This I don't think should come to any, as any great surprise. You know, we've got an extremely vindictive cadre of right wing activists who are constantly looking for ways to do things like this. And this is just the latest one. So I don't think there's going to be much of a government presence at RSAC this year. Joe, what are your thoughts on this?
Joe Tidy
Well, as a BBC reporter, I'm not really allowed to have an opinion on the politics of it all. But, you know, politics aside, if you look at this, if you look, I liked Jen Easterly as head of CISA. I think she was great. I think she was. Some people were sort of wound up a little bit by her shields up thing that she kept going on about. But, you know, for me, it was a message that did resonate and it made a difference and it made people, you know, stop taking cyber seriously. I like her Rubik's Cube stuff and her music. I think that's all, you know, part of the appeal of her for me. And I think her being appointed to run the conference is great. I think it's frankly bizarre that a government would not want to have officials there, it seems. I've never been, but I hear it's, you know, one of the most corporate, one of the most government of all these cyber conferences. So it strikes me that you do surely want to have people there, but, you know, it's their decision, isn't it?
Patrick Gray
Yeah, yeah, that's right, Adam.
Adam Boileau
Yeah, it just seems, you know, it's kind of petulant and vindictive and, you know, exactly what we expect, unfortunately, from the Trump administration. And, you know, the desire is to make it clear that anyone who was against them, you know, is going to feel these kinds of effects wherever they go. And so much like with SentinelOne and Chris Krebs, right, there'll be fallout from employing people, you know, that the administration doesn't like. And it's just, you know, it's just not how things should be. It's not how we should behave, you know, generally as a society. And I think it's, you know, it's just embarrassing for everybody concerned and sucks for Jen Easterly and sucks for RSAC.
Patrick Gray
So the blackbanning of former public servants continues. Now, there's also news out of CISA at the moment. We're not going into detail about it, about something about how the acting current head was trying to force out the CISO. And there's all sorts of weird political stuff going on there at the moment as well. But we do have this story in front of us, Adam, where federal agencies have been ordered by CISA to roll out a patch for a bug that you found kind of interesting. And you think it's interesting that they have ordered this one to be patched. But we've also got a piece to pair with this, which is that the patch itself is actually bad and is stopping people from being able to shut down their Windows 11 systems, which is kind of funny, I think, a less critical problem. But let's start at the beginning. What's the actual bug here that CISA is making US Federal government agencies patch?
Adam Boileau
So this is a bug in the Windows Desktop Window Manager and it's like a local information leak and it's like a CVSS 5.5, so not particularly exciting. It's like the reason you would be using it is it lets you leak memory from the other end of an ALPC connection. ALPC is like Windows inter-process communication. So between processes you can communicate. There is a way to leak some memory and that lets you kind of leak information about where that remote process or the other end of the connection is located in memory. So you can go to un-ASLR, you can defeat ASLR controls and somebody's using them in the wild for that. And that's Microsoft released. Those 113 bugs got patched in this month's Patch Tuesday. This was the only one I think we saw that was being actively used in the wild. So the fact that someone's using it is part of CISA's choice, but part of the reason CISA is specifically telling people to patch it. I just thought it was interesting seeing a CVSS 5 1/2 info leak being a thing that people were being ordered to patch because most people would look at Patch Tuesday, start at the criticals, ignore anything below that as a thing that they're actually going to push. So it's good that CISA is calling out one that is actually being used in the wild and has some real utility for attackers because many people might otherwise miss it. So I thought that was, you know, it's not often we get to give CISA an attaboy, you know, in the recent times. So I felt like it was good to call them out for doing something, doing something nice. But then yes, we get to the Microsoft giveth, the Microsoft taketh away part of this which is that Patch Tuesday also introduced some behavior with interaction with like the secure boot process where after you'd apply the patch you can't shut down anymore. So that's not great.
Patrick Gray
No, no. But I mean you can turn it off at the wall. It's not the end of the world, right?
Adam Boileau
Fortunately, yes. Fortunately we can still control the actual flow of electrons into computers, but not for long. I'm sure that'll be taken away from us, you know, but the AI future or something one day.
Patrick Gray
Now let's talk about this research out of Wiz, Adam. This is the good stuff. This is absolutely amazing. The reporting around this I'm going to say has not been particularly good because I think there's some nuance that's been lost. But let me have a crack at explaining what the problem is here. So Wiz discovered that there was a flaw in the AWS CodeBuild continuous integration process for the GitHub repos where the AWS console like source code lived, which would enable them to change that source code, which would mean they could do all sorts of absolutely horrible things to the AWS like console like front page which would be, I mean amazing. I mean how did I go explaining that there?
Adam Boileau
Yeah, that's pretty much the nuts and bolts of it. Like someone at Wiz was sitting around the office one day and said hey guys, did you know that I now have admin access to every AWS environment on the planet? Right. That, that's the like that would have been a rough day around the office when they're all sitting there like you know, no one's getting any work done because everyone's high fiving each other and backslaps and you know. Exactly having. Having a great old time. This is some just like it's just chef's kiss, beautiful cloud hack and research and like the team that was that pulled this together or whoever it was so good. The specific details here. So Amazon has their JavaScript SDK which they develop and publish on GitHub. That SDK is used in a bunch of applications including the console, but also many other things use the official Amazon SDK. This particular git repo was configured to use Amazon CodeBuild. Normally when there's a pull request, the continuous integration will build and integrate, build and test the code that you've submitted. Obviously you don't want every pull request from every person on the Internet to result in the code environment, in the environment spinning up and running the continuous integration, because control of that lets you leak tokens or do whatever else. In this particular case, they had an access list which configured which user identifiers on GitHub were allowed to trigger code builds. And this particular list was implemented as what turned out to be a regular expression. So a set of numbers joined by pipe characters. So any one of these particular values can match the regex. And if you match the regex, then you're allowed to trigger a build. The key insight that Wiz had was that this regex is not anchored, so at the start or the end it can have other content. So if you can get a user identifier, which is a superset of one of the ones that's allowed, so it contains that substring, then you're able to pass this check. 
And so then they sat down and built a bunch of tooling that would sit there watching GitHub registrations, looking at the numbers being allocated, because these user identifiers are sequentially allocated. And so if they wait long enough, there'll be a time window where a user will get allocated an ID that's going to pass this check. And so they sat, they built some tooling to kind of predict when this was going to happen, register a whole bunch of them in bulk. They figured out a path through GitHub that didn't require them to go through a CAPTCHA or any other kind of like, you know, non robot check. And then they won that race. They actually built this infrastructure, got to the point where they could register an account that met the prerequisites, and then they exploited this bug, granted themselves admin access to the AWS repository, and at that point they stopped and reported it to Amazon instead of hacking the entire planet. But if China or Russia or anyone else had done this, like North Koreans, oh my Lord. I mean, everybody's Amazon environments, boom.
Patrick Gray
I'm gonna guess, I'm just gonna go out on a limb here and guess though, that AWS does do some monitoring of its console code, right? Like after the build gets crapped out, it goes live. They're going to be looking at that, and they're going to be looking at that in case there's some, I don't know, DNS people mess with the DNS or whatever, it starts serving different content. Like, you always want to be looking on anything that critical at what is actually appearing in front of users, surely.
Adam Boileau
I mean, yes, but we are talking about, you know, one of many JavaScript dependencies of an application that's probably built in an automated fashion, right? So you might detect it after the fact when weird stuff starts to happen. But, you know, with an attacker that's.
Patrick Gray
Smooth, like those North Koreans with the. With that huge one, you know, gajillion dollar Bybit heist. Bybit. Yeah, the Bybit one.
Adam Boileau
Yeah, yeah, yeah. But I mean, the thing with like, with you know, Bybit style, like, you steal the billion dollars, even if Amazon catches that 30 seconds later, right. The billion dollars has already walked. Right. Because North Koreans are good at getting out. Anyway, point is, like, this is like Internet scale, amazing, beautiful hacking. And like, hats off to Wiz for pulling this one together and actually going through and doing just stopping it. We found the regex in this situation. We might be able to do this reporting. No, no, they went ahead and did it.
Patrick Gray
They should have dropped a comment into the repo, like, for sure, like, Wiz was here, you know, just something like that would have been cool. But I wonder if it would be kind of like the time that someone actually managed to successfully backdoor SSH, right, when nothing happened because it got snapped so quickly. Right. And you know, that is the sort of thing where you would think, wow, that's the end of the world. But, you know, that's all. It's just impossible. Yeah, I know I would want to.
Joe Tidy
Leave in the end of the world, but. Adam, I was going to ask. So I get these. I get these kind of reports through and people message me, you know, individual hackers about things I found and they tell me all the access they could have got. But I always ask the same question. What could you have done with this? So you've said that you've got, you know, this is Internet ending, but what if you put your cybercrime hat on? What would you have done if you'd have had that kind of access?
Adam Boileau
That's the, like, you know, you are the dog that caught the truck at this point. Right. You know, because, you know, if you have everybody's Amazon console in the world, right, what are you going to do? Well, I mean, I mean, you could just mine Bitcoin on people's, you know, mine cryptocurrency Monero on people's CPUs, but, you know, the data theft options, the access into people's environments. I mean, you know, what would you like if you were China, what would you do from here? Like you would have to figure out how to.
Patrick Gray
You could see what's happening is Adam's, Adam's brain is actually spinning out right now because of the possibility. This is like my 4 year old when he runs into a room and he says, I'm looking for the, the, the, the, the, the, the, the, the. Right. Like that's, that's what's happening to Adam right now. You broke out of it. You happy, Joe? You broke out of it.
Joe Tidy
Yeah, I'm so sorry.
Adam Boileau
Yeah, I would just yell hack the planet at the window of the car. That's what I would.
Joe Tidy
Right.
Patrick Gray
Pretty much. The possibilities are too much. Don't break my co-host. All right, let's move on. And look, this is, this is cool. I like, I like this next piece because I feel like to a degree, Adam, you've been a little bit too skeptical on the AI stuff. I think you're coming around to it a little bit. And it's because of stories like this, which is there's this Linux based malware called VoidLink that's popped up that actually looks pretty good. And we've got some other reporting out of Check Point Labs that says it's written quite breathlessly, but says, oh my God, this was thrown together by AI and very little human involvement and whatnot. Now look, even though the Check Point stuff is a little breathlessly written, that's still a bit of a milestone when you've got competently put together malware as a sort of end to end platform that is being developed by like, you know, jailbroken Claude or whatever. First of all, tell us about this malware and then second of all, tell us about the role of AI in it and what you make of that.
Adam Boileau
Yeah, so the piece of malware is like, you know, Linux malware. It's kind of modular and pluggable like you'd expect. Has, you know, modules for doing rootkitty type things for command and control for, you know, all the things that you would expect an implant to be able to do. It's also particularly well tuned to modern and containerized in cloud environments. So it's kind of set up to run not on bare hardware. Like it's got the necessary kind of specializations for operating in cloud environments and interacting with the services and things that you would expect to find in cloud environments. So in that respect, quite a modern framework and then a bunch of like anti discovery, anti reverse engineering, all the sorts of stealth and hiding stuff that you would expect. So like a well put together, competent, modern rootkit using modern features and so on. It's also written in some kind of modern, pretty hip language. It uses Zig, which is kind of like a portable C style compiler runtime environment that reminded me a lot of MOSDEF from back in the Immunity Canvas days, which I used to work on. So quite cool tech. And then the AI side of it, it seems like. So Check Point Labs found a bunch of opsec fails in the infrastructure around the deployment of the stuff, and they found some build artifacts and things like internal design documentation and stuff lying around, all written in Chinese and it appeared to be generated by an AI. And they looked through this and they found like a bunch of tells that said that the person behind this was using, I think Trae, the Trae AI coding platform to do it. And they actually took a bunch of the documents that they had found that the AI had generated to then guide the various sub agents that are writing things and tried to rebuild the malware themselves to see how effective that process was. 
So the AI side of it is interesting because Check Point started tracking this, saw interesting new malware, and then they found this documentation which is structured like it's being written by a team of actual people describing sprints and features and documentation, standards and so on. And then they said the actual progress of the malware in terms of time is faster than these documents suggest and perhaps faster than the humans involved would be doing. Perhaps it's not actually humans doing it. And that's kind of the conclusion they've ended up arriving at, that this is AI driven. And that's, you know, to the skeptic in me, it's kind of cool that I guess the, you know, the methodology for building this stuff, you know, if it's one guy behind this building stuff at the scale of a team, actually, I guess maybe they've arrived at something that's actually useful.
Patrick Gray
Yeah, I mean, I know a guy around here who is a CIO type who went to, you know, last year sometime went down to the Microsoft Experience Center in Sydney or whatever, and they were doing those sort of coding demos where they're like, this agent's the boss and this one's this, and this one manages these two and like breaking it up like that and then telling it to go and build a game. This is one of the demos they have for their, for their enterprise customers. And it is, is pretty amazing and getting a lot better. Joe, I wanted to ask though, how you go about covering stuff like this for the BBC because what you just heard from Adam was some, you know, was a subject matter expert talking about this topic with a lot of nuance for an audience who can understand that nuance. What's it like being the BBC cyber security guy and say you were tasked with covering something like this. How on earth do you begin to do that? I mean, I know how I would have done that because I used to write for newspapers like 20 plus years ago. But how do you skin that cat and what's that like in the year 2026, you know.
Joe Tidy
Yeah, but you had an advantage Pat, because I think you do have a technical background, don't you? Whereas I don't. So it takes me a long time to get my head around these things. But I think that helps in a sense as well because I think my stupidity helps my reporting because it takes me a long time to understand, which makes me a bit more easy to boil it down for people. But it reminds me of that Claude story. Do you remember that story from Anthropic, the AI company that makes the Claude bot? And they said that China, they discovered that Chinese hackers had used Claude agentic systems in Claude to create sort of end to end spying espionage hacking tool. And they were putting it out like it was fact and everyone was getting very excited and it was being looked at as a bit of a landmark. But then what I did was I went and I read some, some people's analysis that I sort of know and trust and sort of admire and, and actually there's a bit more of a, it's a bit more complicated, you know. So for example the, in all the, all the evidence isn't quite there that it was all completely automated and actually we've, we've heard from Google that in previous reports about agentic AI cyber, you know, attacks that they don't, they're not really that effective. So I think you've got to factor in that these companies want to make out that their bots are super duper incredible because then they can sell the idea that their AI needs to be protected by other AI in defense as well as attack. And that's obviously a massive driver not only in the AI world but in the cybersecurity world as well. Because cybersecurity companies, as a kind of BBC sort of public servant journalists, I always remind myself that these companies are, are selling fear, they're selling, you know, this is what these incredible tools can do, this is what the hackers are doing. You need to buy our tool to protect yourself from that. So that always runs through my head as well. 
But I think in general, my cynicism about AI becoming a major part of cyber that is ebbing away, perhaps the same as you, Adam, because I was cynical at first, because I've been hearing it for a long time that AI is doing this, that, and the other. But I do feel that we've had enough cases now where it does feel like, okay, this is now a real thing. And what I like about this particular report from Check Point is that they have managed to find, because of opsec failures on the hackers' part, some pretty decent evidence of the kind of development trail which you don't often get. Quite often you'll get a cyber security company saying this was AI with zero evidence, whereas this time we do have a little bit of evidence that actually was.
Patrick Gray
It's so funny that you mentioned that Anthropic report, because I actually came down on the side of, oh, my God, this is amazing. Because even though there was some, you know, human elements involved, like occasionally the AI rig would ask the person, oh, are you trying to do this? Or what do you want me to do here? Or, you know, prompt me to do the next thing, I still thought that was incredible because it was such a force multiplier. But again, I understand from a BBC perspective why you don't want to freak out your audience by saying that the AI hackers are coming to get you. Which I guess is why I thought that would be an interesting. An interesting question for you, but I've definitely found myself becoming less sceptical about this stuff in general, I guess. First, working with some of the cybersecurity companies who are using these models to do some fairly primitive things. But, you know, they're incredibly valuable models, even in doing those fairly primitive things that until recently, we've just been getting people to do, which is a terrible waste of their time. But I think in the field of software development and malware development and running campaigns, it's just. It is absolutely the future now. Now, moving on and Adam, we've got one here from Andy Greenberg and Lily Hay Newman about. This is a Google Bluetooth pairing protocol. It's called the Fast Pair Bluetooth protocol. There's a problem with it. I mean, we're always seeing problems with, you know, various bits of Bluetooth. But the, in essence, what the problem is here is that anyone can Fast Pair to these. To these devices, right, without having to have any special codes or whatever, which means, you know, you could turn them into listening devices or you could track people who own these devices, I'm guessing only for as long as they notice that their devices are no longer paired to their stuff. I don't know. You tell me, you're the one who worked through this story.
Adam Boileau
Yeah, so I guess there's two aspects here. One is the fast pair process, which is a Google written kind of standard on top of Bluetooth for making, you know, pairing headphones to your Android phone smooth. And then Google wrote the spec and then certifies the manufacturers in their implementation to make sure that it works well. So the first problem is that some of the implementations fail to check if a device is already paired when starting the pairing process. So over the radio, over the Bluetooth, you can connect to a pair of headphones that's already paired to somebody else and just kind of pair with them as well and at that point hot mic them, play audio, do whatever else. So that's the first part and that's not ideal obviously. And it's an implementation issue with quite a lot. Like Sony for example, is one of the big vendors, they actually have to submit their devices to Google to have them tested. And throughout this whole process, no one involved actually checked to see if the pairing didn't work if you're already paired. So that's the kind of overall failing there. The second half is location tracking. So devices in the Android ecosystem on first pairing with a device that's logged into Google's ecosystem will basically add them to Google's device tracking API platform thingy. What's it. So whoever is first paired with them. So in some cases you are able to take over and then receive tracking information from these devices like you were the first user and the users who are moving whose device they are may not be using that feature, may never have noticed. You can now track them even when you're outside of Bluetooth range, independent of the Bluetooth thing. So, so sit on a train and now you can track people that you're on the train with via this thing. So that's also not great. But that's a subset of the devices have that extra problem because not everything has location tracking support as well. So not great. You know, there's a lot of devices shipped. 
Are they going to need a firmware update? Many people are not in the habit of firmware updating their headphones. So that's kind of a problem. Like fixing it in the wider ecosystem, there will be a long tail and, you know, it's the sort of just dumb bug that you would expect an ecosystem that has a specification, reference implementation and device, you know, kind of review process by the manufacturer ought to have caught. Something this dumb.
Patrick Gray
Yeah, moving on. And there is a critical bug in FortiSIEM, which I'm guessing is Fortinet's SIEM. This bug was actually disclosed in August 2025, but. But someone dropped a PoC recently, like a few days ago, and now there's a bug, there's an exploit for it now and people are using it and then everyone's getting owned and, you know, it's business as usual.
Adam Boileau
Yeah, FortiSIEM is two words that just should not belong together. Like to start with, if you've got a FortiSIEM, you've already made some poor life choices. The main reason I shoved this one in is not because, you know, bugs in Fortinet devices, because if we did that we would have this in every show we've ever published. This one I was real mad about because the bugs in FortiSIEM have all been basically the same bug, but just like one function over, or like they had a command injection bug and then the next one is a second order command injection bug because they fixed the first order one and then someone found a way past, and so on. So this is a command injection flaw, unauthed, so over the network to your FortiSIEM and then command exec as root, and the bug is literally in the same function as the previous round of this bug, just the next parameter is different inside the function and then they command exec it through. Like, I guess it's second order command injection because of the filtering. And it's just so dumb that Fortinet have done such a poor job of fixing the bugs holistically. You know, just point fixing the one thing that someone actually.
Patrick Gray
Yeah, yeah, they're not. They're not going in there and QAing the rest of the thing.
Adam Boileau
Right.
Patrick Gray
Like, and that's clear. And that is making beardy man mad. Okay, got it. We've also got. What is it? A multi stage attack against Copilot. This one's actually kind of interesting. Give it to us quick, Adam.
Adam Boileau
So this is an attack that's been seen in the wild against Copilot where you give a user a link to a legitimate Microsoft Copilot.com website that embeds a prompt and it's prompt injection. So not exciting. But it bypasses the existing controls Microsoft has against prompt injection by asking the same question twice. And it turns out the guardrails that are in place to stop Copilot leaking people's personal information out via outbound web requests to an attacker only apply on the first web request and not the second one. So the prompt just asks the AI to do it twice to check that they match. So that's kind of point number one. That's dumb. The second thing that's kind of cool about this is that the attacker injects a prompt into Copilot, Copilot in the cloud goes off, connects to the attacker's, you know, infrastructure and gets the prompt that they've been directed to get. And then even if the user has by this point long since closed the tab, Copilot is continuing to interact with the attacker. Multiple back and forward prompts and responses using the user's context. And that's kind of a thing that I think many people didn't really think about. They imagine you click on a bad link, oh my God, I closed the tab. Now nothing bad can continue to happen. Not the case because yay cloud future. Woo.
Patrick Gray
Well, cloud future and AI agent not really caring about your tab because it's.
Adam Boileau
Operating up in the cloud, it's not running on your computer.
Patrick Gray
So yeah, we've got some law and order stuff here where we've had some Black Basta hackers arrested by Ukrainian and German law enforcement and apparently the, the main dude, the alleged ringleader, has been identified as Oleg Nefedov, who is a 36 year old Russian national. He's wanted on suspicion of forming a criminal organisation abroad, large scale extortion and related cyber offences. Let me ask you Joe, because you know the UK has seen a lot of very high impact ransomware cases lately. Does this sort of news rate in England at the moment?
Joe Tidy
No, not really. We don't, I don't cover these kind of cases. We see these arrests and they are quite frequent but it doesn't seem to move the dial that much on what happens. You know, that these gangs are still there. And I thought, I thought it was interesting reading this because as far as I was concerned, Black Basta had gone. You know, they were, I hadn't heard about them for a while. I thought, I assumed that that sort of brand had evaporated and given way to something else. I don't know what it is now. DragonForce, whatever, it will be chilling. Who knows. So yeah, I'm afraid, you know, it's good news. We all, I always treat it with, you know, like this is a good news story but we would never, I would never cover that on, on, on the BBC because they are quite frequent and without much impact.
Patrick Gray
Yeah. And John Greig over at The Record has a report up about a Jordanian fella who is pleading guilty to brokering access into 50 companies. Adam, I suppose one notable thing here is he was extradited to the United States from Georgia.
Adam Boileau
Yes. Yeah, from the country of Georgia. And yeah, I mean, that's, that's good work getting someone out of that, you know, Soviet bloc world, the west, for prosecution. So, yeah, he's probably going to have a bad time. And, you know, this kind of like initial access brokers have just been such an important part of the ecosystem, so it's good to see them getting law enforcement attention too.
Patrick Gray
Yeah. We've also got a couple of skateboarding dogs this week. We've got Nicholas Moore, 24, resident of Springfield, Tennessee, who has pleaded guilty to repeatedly hacking into the US Supreme Court's electronic document filing system. I think he was just using a cred pair he got somewhere, but he was posting some of these documents. He posted the personal data of several of his victims on his Instagram account @ihackthegovernment. So a little bit difficult for him to argue innocence there, you would think. So. That's a nice one from TechCrunch. And finally, this week's absolutely wild bug, which honestly, like, you're not going to find this in too many places, but it's such a bad bug and people are messaging me about it and it's very, very funny. But yeah, if you're using GNU inetutils telnet, you've got more problems than you would even assume that already. That you have. Than you already have.
Adam Boileau
Yes. Yeah, this is a bug that's been in inetutils telnetd since 2015. I think the code got committed. And the impact here is that you can pass a username in the telnet environment which gets passed to /bin/login and you can log in as any user with a username of -f root because the -f parameter to /bin/login tells it that, hey, I'm just root, don't worry about authenticating me. And this is funny for many reasons. One, because telnet, again as root with no creds, is hilarious. Two, Solaris had this bug in its telnetd /bin/login kind of combination in the early 2000s, I want to say. And then that bug was a recreation of the same bug in like rlogin on Unices from the 90s. So like AIX or whatever else back then you could rlogin as -f root or -f bin, some other user, without auth. So there's a perennial UNIX bug, you know, I guess root causes. The contract between /bin/login and the rest of the system is terrible. But mostly it's just made, you know, old UNIX beards everywhere chuckle with delight at seeing this wonderful treat of a bug turn up on the oss-sec mailing list like it was Bugtraq in the 90s. So, yeah, it's a good day to be an old UNIX nerd right here.
Patrick Gray
Now we are also going to link through to a wonderful feature on crypto crime and theft from Joe Tidy, which is going into this week's show notes. But really, Joe, you know, thank you for joining us for the news, but the big reason we wanted to get you here into the show to talk to us was to talk a little bit about your book. I have read a few chapters. I've not read the whole thing. But you've written a book and it's, it's an interesting idea because you've basically written a book about Zeekill. Now, this was the guy who hacked Vastaamo in. Oh my God, I've forgotten the country. Was it Norway?
Adam Boileau
Finland.
Patrick Gray
Finland, Finland. I'm very sorry to the Norwegians, but. And, and the Finnish. But yes, hacked. Hacked Vastaamo, which was like the song of state, psychotherapy clinics and whatnot. And, you know, stole all of those patient files. You know, tried to blackmail the company, then was blackmailing individual people, caused some people to kill themselves. I mean, this guy is like a horrible, disgusting sociopath. And you thought, hey, I gotta write a book about the dude. It's called what, is it Control or Chaos? I can't remember the back half of the title there, but it's an excellent read. I just haven't finished it because it's like, like reading about this stuff in my time off is very, very hard for me these days. But Joe, I'm just really curious. Why did you decide to write a book about someone who is widely regarded, I guess, as just an amoral, sociopathic monster?
Joe Tidy
Well, I knew that there was a story there with Vastaamo. Vastaamo, for me, is the cruelest cyber attack ever. You just described it brilliantly. You know, there was. Not only did he, and either him on his own or with others, hack and break into the psychotherapy chain Vastaamo, but also it's the direct blackmailing of the individuals which we don't see very often. We do. We are unfortunately, obviously now seeing a bit more. There was a case in the UK last year of some parents being phoned up after a nursery chain was hacked, for example. It was that, it was that direct appeal to the victims or, you know, I've got your notes, I know your deepest darkest secrets.
Patrick Gray
Because it sort of, it blows away that, that idea where a lot of these people sort of fool themselves, don't they? They like, they ransomware a hospital and say, oh, there's no effect on patients or whatever, right. So they like to keep themselves, they like to give themselves the illusion of like, what I'm doing is not immoral. Whereas this guy's like, no, I know that you had an affair on your husband and I've got the notes and everything approving it and you're going to give me, you know, or I'm going to ruin your life.
Joe Tidy
Yeah. And that was it. And I spoke to lots of victims for the book and you know, these people are still suffering. You gotta, you gotta think as well. You know, these people are already vulnerable, some of them children as well. You don't go to the therapist if everything's rosy usually. I mean, it's quite a healthy thing to do. Any obvious anyway, obviously. But you know, these people had a lot of problems in their lives and then suddenly you get this horrible email from, for my money, the most hated hacker in history. Because the thing about Kivimäki, when it came out, he's called Julius Kivimäki, Zeekill. When it came out that he was in the frame for this, there was an Interpol red notice out for his arrest when the Finnish decided that he was the guy. He has got a storied history in cyber. And actually it all comes back to my first ever day of doing my first ever cyber story in 2014, when he was part of a gang called Lizard Squad, which hacked Sony PlayStation Network and Xbox Live, the two biggest gaming platforms in the world, at Christmas. And him and these other teenagers took it all down with a very, very successful DDoS attack. And I interviewed him on Sky News, that was 2014. And I was just completely blown away by this baby faced attacker who didn't give a damn. The nihilism, the arrogance, you know, loved the attention, loved the chaos. And then I just sort of thought, I've always thought to myself, what's going on with those kids? What's going on with him? And then of course, I've tried to follow his career and then he disappeared for a few years and then came back in the frame for Vastaamo. And I thought, my goodness me, there's a sort of villainous arc that I think we should explore to find out how does someone go for a. From what I now know was a gaming obsessed teenager to fall down a kind of delinquency online path and then to get into very serious cybercrime and then become one of Europol's most wanted criminals for the cruelest cyber attack.
So that was what led me to write the book. I just thought, let's use him as a way through to talk about the bigger problem, which is teenage hacking cybercrime culture, which has. Has gone through an extremely dark transition in around the 2010s and has never come out of it.
Patrick Gray
Oh, and it just seems to be getting worse as well. But I mean, you've spoken clearly to other teenage hackers, right? As well as Zeekill. Is he different? Is he missing a piece, so to speak? You know what I mean, though? You know exactly what I mean.
Joe Tidy
Well, I think the, the way that Alison. So Alison Nixon is. I don't know if you've come across her. She's like the authority on this and I'll always defer to her expertise on this. And I interviewed her a lot for the book and she describes people like Kivimäki as the centres of gravity in these communities. And they are not necessarily the most technically proficient, they're not necessarily the most articulate, but they're normally the ones who don't give a. So they're the hackers, they're the teenagers in the groups who are the most anarchic. They don't care. They'll go after, you know, they'll do things that other people just won't do.
Patrick Gray
So it's a community that pushes the sociopaths to the top.
Joe Tidy
Absolutely. And if you look at some of the attacks that Kivimäki did in 2014, sort of, sort of as part of Lizard Squad, he was, he brought down a. He forced an emergency landing of an. Of an airliner because he was annoyed with the CEO of Sony Online Entertainment. So he called in a bomb hoax without disguising his voice. It's that kind of activity where it's a step away from hacking really. These kids don't care how they cause chaos as long as they can do it. And then what we see now with Scattered Spider, it's a whole other thing entirely. They're now combining their forces with. With well run organized ransomware gangs like DragonForce. You know, it's a potent mix.
Patrick Gray
I mean, I sort of contrast this with the teenage hackers that were causing a lot of drama. Like, I think back to like LulzSec. Right. And I think back to people like Topiary, who I got to know. Actually, he actually wound up doing some comedy. Jake Davis. Yeah. So he actually did some comedy sketches for us on Risky Biz, where he did. It was like, they were so funny. He was like. He would put on his John McAfee voice and talk and do sketches about playing board games for John, like, real surreal stuff. And, you know, I used to set them to, like, the Twin Peaks, like, weird music and, like, it was really cool. So I actually got to know Jake a bit. And, like, I gotta say, Jake is one of the loveliest young men I've ever met. You know what I mean? Like, here was a guy who was at the centre of this chaos all around the world, but he was a lovely guy and clearly had no sort of moral failings, really. Like, he was not a person that you would think has problems with morality. And to go from that to this, I just. I just. I'm like, wow, how did that happen so quickly, you know?
Joe Tidy
Well, I actually. It was interesting you bring up LulzSec because my. So I did the kind of the. The draft of the book, and it's my first book, so, you know, I didn't know what I was doing. And the publisher said, yeah, this is great. You've told us, you know, the story of Vastaamo and teenage hacking. But they actually challenged me at one point. They said, take off your boring, you know, BBC hat and your boring Sky News hat and put your neck on the line a little bit and tell us, you've told us how the transition happened and when it happened, but can you tell us why it happened? And I killed. I sort of went back to LulzSec as being one of the groups that really did change things. You know, they. They brought teenage hacking onto Twitter and it was all about getting likes and retweets, and they had a logo and they went after big organizations.
Patrick Gray
They were funny. That's how they got the attention. They were funny.
Joe Tidy
Yeah, yeah. And because. That's because of Topiary, you know, that was his. That was his role, wasn't it? It was funny on. And take the mic. Yeah.
Patrick Gray
But then it was dropping a text, man, see if I can get him to do some more comedy for us to.
Joe Tidy
I need to look this up. But then if you. I sort of, like, not just. I think LulzSec kind of. They nudged the teenage hacking culture in a direction with which it just has snowballed since. So before then, you know, people would say it's a simplistic view, perhaps, because teenagers have always been hacking. But if you look at the kind of 80s, 90s, early 2000s, Legion of Doom, Cult of the Dead Cow, Chaos Computer Club, L0pht, different culture, different vibes to what you get now.
Patrick Gray
Well, okay, so here's. Here's the question. Joe, Adam and I, when we've had discussions about this, you know, both in the show and just amongst ourselves, we wonder if perhaps cryptocurrency monetizing these communities. Right. Is where the dramas come from, because that would be. Seem to be a pretty clean explanation for the culture.
Joe Tidy
Cryptocurrency is number two on my. On my three theories as to how it happened. Is. Is why it happened, happened is. So number one is Twitter. I think that Twitter had a massive part in the change of this culture, because if you talk to the guys like Jake and if you listen to, you know, some of these panels that they do now, as grown men, they loved the attention. They absolutely. They talk about being more popular than One Direction, you know, that it's all about that online clout. And Twitter changed social media because before Twitter, being on social media, being on a social network, was being social with your network. Whereas Twitter said you don't need friends, you need followers. And you can get followers by being infamous, not even famous. You can just, you know, cause. Cause mayhem. And then the number two, Bitcoin, I would say, you know, that really changed things because before that, it was quite hard to make money from. From your breaches and your hacks. And the third one, I think, is the rise of live video, voice and text chats, IRC, Skype. Now we've got Telegram and Discord. Cybercrime is a team sport, as we know. You know, it's not a loner in his room in a hoodie. They're joining up all over the world and they're coming together to carry out attacks. And if you've got instant, you know, tools like that, then you can quickly spin up an idea for a hack and go after it.
Patrick Gray
Well, I think this is why Nazis are making a comeback as well. I liked it better when they had to hang out in weird little bookstores and industrial estates that occasionally get burned down. Whoops. And now they're all over the Internet, and that's just how it is. But, you know, in all seriousness, you got to think about as a serious possibility for the fourth reason why this change might have happened. Joe. Microplastics. It's all about the microplastics. You know, it's microfiber sponges. It's it's, you know, that's what it's, what it's about.
Joe Tidy
I haven't considered that. I've really missed a trick.
Patrick Gray
All right, Joe Tidy, thank you so much for joining us to talk, to talk through the news and also to talk a bit about your book. And I did actually look up the correct and full name of the book, which is Control Alt Chaos: How Teenage Hackers Hijack the Internet. As I say, I got maybe a third of the way into it. It's a very good book. I will finish it eventually. And yeah, so thanks for joining us and Adam, thank you as always as well and I'll catch you both real soon.
Adam Boileau
Yeah, thanks. I will see you next week. Pat.
Joe Tidy
See ya.
Patrick Gray
Foreign. That was Adam Boileau and a special guest co-host, Joe Tidy, the cyber security correspondent at the BBC World Service. And yeah, it is time for this week's sponsor interview now with Haroon Meer, who is the founder of Thinkst Canary, which makes of course little honeypots and whatnot. You all know who they are. They also operate, you know, honey token services. But what about breadcrumbs? This is a concept that is new to me but it has apparently been around for quite a while. Thinkst has introduced these things called breadcrumbs which enable you to figure out when a bad person has got access to a box where you have SSH, basically. So here's Haroon talking about that. We're also going to talk about a small acquisition they made of another company that does deception related stuff and how Thinkst wound up being the owner of the South African Computer Olympiad. But first, of course, here is Haroon Meer talking about SSH breadcrumbs. Enjoy.
Haroon Meer
So interestingly, we've had breadcrumbs for a few years, but we've been really quiet about them. So to take a full step back, we've got the canaries, dead simple. They act like entire operating systems. So drop a Windows canary on your network. Drop one that looks like an IBM mainframe, drops in seconds. Forget about it. Attackers hit it. And then we've had tokens which are, here's an AWS API key. So you put those everywhere you want to, attacker finds them and you get an alert. Breadcrumbs we kind of snuck in a few years ago because we were kind of feeling our way around it. So the simplest version is breadcrumbs lead people to your canary. So if you've got canaries deployed, you get to say, give me crumbs for this canary. And if your canary was running an FTP server, we now give you a config file that points to it, or if your canary is running RDP, we'll now give you RDP files. Or you get a Windows shortcut pointing to file shares and that sort of thing. But we were not great believers in breadcrumbs, in part, lots of other deception players, when they first started, started focused really heavily on it. And we always felt that people find canaries while they're doing their attacking business anyway, and the act of deploying crumbs ends up being heavy and painful. But what we've deployed recently, or what we built recently, are nicer SSH breadcrumbs. And the reason I say nicer, we've had in the past, like if you had sshds, so if you dropped a canary that looked like a LAMP server, MySQL, SSH, Apache, you could get a breadcrumb that had an SSH host entry that pointed people to that canary. And so now you get to deploy those on your boxes. People find them. People find your canary. What we're doing now is generating SSH key pairs also for those SSH keys. So the way to look at it is you're an organization, and you've dropped two canaries. You now get to create SSH key pairs for zillions of your internal hosts that then point to those two canaries.
So now it increases the odds that if any one of your hosts get compromised, attackers find that SSH key pair and end up connecting to the host.
Patrick Gray
Yeah. So, I mean, it's kind of like what you're. What you're doing is you're kind of funneling them towards a canary. Right. And let me guess, the nice thing is you can generate unique key pairs.
Haroon Meer
Exactly.
Patrick Gray
For these SSH things and then you get the attribution. Now, I mean, is that really much of a game changer? I'm going to say probably not, because you already get the attribution based on the IP and whatever. But I'm guessing from your point of view, it's easier to do the attribution in your software. You don't have to worry about the network at that point. You could just take the attribution based on the key pair and say, this box over here got owned and someone tried to log into the SSH using this key. So go and turn off that machine.
Haroon Meer
Exactly right. And we don't see it as a game changer at all. Exactly the way you say it, it's not something we've pushed forever, even though it's been in there for years. But like the way we like doing things, we like taking a thing and then making sure we get it nicer and right. And so what happens now is effectively someone pays 10k because they've got 6 canaries on their network, but they get an entry on every host on their network and so they're funneling to us. But they're increasing the odds of catching an attacker trivially and that's what we're actually interested in.
Patrick Gray
Let me just ask though, the process of deploying these things, I'm guessing it's mostly manual, right? Because you're not going to want to give your Canary console like highly privileged access to go out there and mess with all of your SSH configs. So I mean, does that get a bit unruly though, Harun, are you meant, you know, how do you tackle that? Because I'm thinking like, you're like, oh, you can put it on 100 machines, it's like, how do you keep track of them all?
Joe Tidy
No.
Haroon Meer
So that's exactly the right question to ask and exactly why it takes us, took us a while to get here. So of course everything we do is API drivable. And so deploying tokens, deploying birds, all of it can be done via the API. But if we can make the API endpoint for this nice enough, now we can start saying, well, you've got an AWS cloud and you've got cloud automation as part of your init script, fetch an SSH key and deploy it on your host. So now every time a Kubernetes instance comes up, or every time a host comes up, up, it can reach out, collect an SSH key that then gets applied to it.
Patrick Gray
Yeah, every time you deploy anything with ssh, it just like bing, bing, bing.
Haroon Meer
Done, exactly right. And this is, this is how that stuff comes up. And so this is exactly how it works. Single API request to us. And then we also do the coolness behind that to make sure that the API key being used for this can only be used to fetch an SSH key. So you can't use, if an attacker happens to find that, happens to find that API key, they can't use it to do more stuff on the console. So again, in the way we typically do things, it should be dead easy for people, it should just slip into their work stream and it should increase their coverage by a whole bunch. And of course the way Canary works, it's completely free. So even if they've got five birds, they can now have 5 million SSH entries. Their coverage is better, free, just works.
Patrick Gray
Nice. Very nice. So what, I mean, I know the focus is on ssh, but where else can you use this?
Haroon Meer
Yeah, so we've got a bunch of different entries, like I say, even things like RDP. So canaries have custom RDP that we can do it with. We can do it with all types of shortcuts.
Patrick Gray
So in part, can you do. Sorry for my ignorant question, but can you actually do key-based auth for RDP?
Haroon Meer
So you actually could do certificate based auth for RDP. So currently we do it for username, password, but cert based auth and because.
Patrick Gray
Like key-based auth, but Windows, and very complicated and hard to do.
Haroon Meer
Exactly. And, and part of our thing is, yep, we'll eat that complication to make it easy for users and that's what we do. So. So we'll add a whole bunch of that stuff down the line because you can see it works and you can see its value. But right now we'll start with SSH.
Patrick Gray
Now the other thing we've got to talk about today is the fact that Haroon, you've now graduated. You are fancy because you are acquiring things. Let's talk about two things that you have acquired. One is a company called Deceptic and the other is the South African Computer Olympiad. But we'll get to that next. First of all, tell us what Deceptic is. Another deception play, I'm guessing. But is it small? Is it a bit like, you know, walk us, you know, what, what happened?
Haroon Meer
Yeah, so. So Deceptic. So we've seen other deception companies come up like over, over the different runs, different times of, of the last 10 years. And Deceptic was a really small player in the UK, but almost the same makeup as us. So ex pen testers from Praetorian Labs, deep pen test skills, deep desire to make attackers bleed, and accidentally made almost exactly some of our tokens, lots of our thinking, and we started bumping into them in places and really liked what they were doing and reached out to them and said, hey, listen, like you're building something that's going to hopefully someday be like us, why don't you come join forces with us and do coolness? It's hard to find good people. It becomes an easy way to grab good people. And we'll start off just with some cool tokens of theirs that we'll integrate. So yeah, we're excited we get to find mini-me's that we think can become good and it should be interesting.
Patrick Gray
Okay, so that's like an acqui-hire, like micro acquisition I'm guessing, is that, that's kind of what it sounds like here.
Haroon Meer
Yeah. We don't think the acquisition is going to get anyone buying islands or anything like that. But. But we think great people are worth grabbing whenever we find them.
Patrick Gray
Yeah. Fantastic. Now, tell us about the South African Computer Olympiad and how it wound up in your possession, because that's. I'm guessing there's a story there.
Haroon Meer
This is mostly just geekery and a little bit because we can. Look, we like doing things in South Africa. The Computer Olympiad has been running here since like 1984 and we've got people on our team who are previous Olympiad gold medal winners. But the Olympiad ran out of money, which is really an odd thing considering they're propped up by sponsors and we know a bunch of their sponsors, but we got an email saying the Olympiad's being shut down for financial reasons. So we reached out, found out if we could buy them. It means a commitment from us to keep them supported for the next few years, which is a little bit of money, but, but mainly what we're saying is we've created a non-profit. We'll commit to sponsoring it for the next few years and hopefully get it on its feet again, give it a fresh coat of paint. Like, like there's a few things about it that we don't like as much, but we think it's important for ZA and we can. So we'll keep it going till we can make it nice enough to attract more schools, attract more sponsors and then usher it on its own way.
Patrick Gray
I mean, it's nice to have these sort of things, right, because they effectively operate as talent pipelines for the local technology industry. And I'm guessing, like, you know, just putting on your cynical hat, that's going to benefit you because you could use all the talent you can get locally. I know you hire outside of South Africa as well, but, you know, one of the challenges in South Africa is actually finding those people. Right. And this is a good way to do that.
Haroon Meer
It absolutely should down the line. Like, you see the quality of people who come out of it, like strong comp sci, strong algorithmic skills, and yeah, totally. Our take is, look, it probably will be good for companies like us down the line. If it doesn't, it's okay. It should stand on its own, but more than likely we'll get the benefit. Genuinely, deeply, it's one of those rising-tide-lifts-all-boats things that works for us.
Patrick Gray
All right. Haroon Meer, terrific to see you as always. Thank you for joining us for another year of Risky Biz sponsorship. And yeah, we'll be chatting to you throughout 2026.
Haroon Meer
Always cool, Pat.
Patrick Gray
That was Haroon Meer there, rounding up this week's edition of the Risky Business podcast. I do hope you enjoyed it. I will be back next week with more security news and analysis, but until then I've been Patrick Gray. Thanks for listening, Sam.
Date: January 21, 2026
Host: Patrick Gray
Guests: Adam Boileau, Joe Tidy (BBC World Service cybersecurity correspondent)
Episode Theme:
A lively, deeply technical discussion of this week’s hottest security news with special focus on cloud-scale vulnerabilities, AI-written malware, and changing hacker culture. The headline story is Wiz’s discovery of a supply chain vulnerability in AWS that could have compromised every AWS customer.
This week, Patrick Gray is joined by regular analyst Adam Boileau and, for the first time, BBC cybersecurity correspondent Joe Tidy. They cover a blockbuster Wiz finding that exposed all AWS customers to compromise, wild tales of modern malware partly written by AI, political drama impacting cybersecurity events, and dive deep into the cultural history behind some of the world’s most infamous and sociopathic cybercriminals.
“Cyber is a piece of that puzzle... Even if the extent to which they are using in any particular case, we're never going to know until years after when someone writes a tell-all book.” – Adam Boileau [05:11]
Timestamps:
[00:31] – Patrick’s intro and episode rundown
[03:00] – Joe Tidy on the difficulty of verifying Venezuelan cyber claims
[05:11] – Adam Boileau on cyber’s real place in modern ops
“It's kind of petulant and vindictive and, you know, exactly what we expect, unfortunately, from the Trump administration...” – Adam Boileau [11:04]
Timestamps:
[10:05] – Patrick on RSAC politicization
[11:04] – Adam's candid take
“It's not often we get to give CISA an attaboy, you know, in the recent times. So I felt like it was good to call them out for doing something nice.” – Adam Boileau [13:05]
Timestamps:
[12:27] – Adam's rundown of the bug
[14:12] – Patch brings shutdown issues
“Someone at Wiz was sitting around... and said hey guys, did you know that I now have admin access to every AWS environment on the planet? ...This is some... Chef Kiss, beautiful cloud hack and research...” – Adam Boileau [15:19]
“If China or Russia or anyone else had done this... everybody's Amazon environments, boom.” – Adam Boileau [17:33]
Timestamps:
[15:19] – Adam explains the bug
[19:36] – Hats off to Wiz for not “hacking the planet”
[20:25] – What could an attacker have done?
“So the AI side of it is interesting because Check Point started tracking this, saw interesting new malware, and then they found this documentation which is structured like it's being written by a team of actual people describing sprints and features and documentation, standards and so on.” – Adam Boileau [24:11]
Timestamps:
[22:24] – Adam expounds on Voidlink malware
[25:09] – AI’s role and Check Point’s methodology
[26:10] – Joe Tidy on covering AI cyber stories for mainstream audiences
“It's the sort of just dumb bug that you would expect an ecosystem that has a specification, reference implementation and device ... review process by the manufacturer ought to have caught something this dumb.” – Adam Boileau [32:43]
Timestamps:
[30:24] – Adam on vulnerability details
“...the bugs in FortiSIEM have all been basically the same bug, but just like one function over...” – Adam Boileau [33:05]
“...not the case because yay cloud future. Woo.” – Adam Boileau [35:41]
“It’s a good day to be an old UNIX nerd right here.” – Adam Boileau [40:16]
“We see these arrests and they are quite frequent but it doesn’t seem to move the dial that much on what happens... These gangs are still there.” – Joe Tidy [36:32]
Special Segment:
Joe Tidy discusses his new book, “Control Alt Chaos: How Teenage Hackers Hijack the Internet,” which chronicles the descent of infamous Finnish hacker Julius Kivimäki ("Zeekill") from gaming troll to the perpetrator of the Vastaamo blackmail.
“Cybercrime is a team sport, as we know... they're joining up all over the world and they're coming together to carry out attacks.” – Joe Tidy [51:07]
“...the rise of live video, voice and text chats, IRC, Skype. Now we've got Telegram and Discord... You can quickly spin up an idea for a hack and go after it.” – Joe Tidy [51:07]
Timestamps:
[40:16] – Book intro and Vastaamo hack background
[42:54] – Zeekill's unique sociopathy
[49:54] – Adam and Patrick on role of crypto and Twitter
[51:17] – Joe Tidy’s “three theories”
On AWS/Wiz flaw:
“This is like Internet scale, amazing, beautiful hacking. And hats off to Wiz for pulling this one together and actually... going ahead and doing it instead of just stopping at ‘We found the regex’ ... No, she went ahead and did it.” – Adam Boileau [19:08]
On hacker culture shift:
“It’s a community that pushes the sociopaths to the top.” – Adam Boileau [46:14]
On AI-generated malware:
“The actual progress of the malware in terms of time is faster than these documents suggest and perhaps faster than the humans involved would be doing. Perhaps it's not actually humans doing it.” – Adam Boileau [24:11]
On patch quality:
“...the bugs in FortiSIEM have all been basically the same bug, but just like one function over or... They fixed the first order one and then someone found a way past and so on. So this is an unauthed command injection flaw...” – Adam Boileau [33:05]
On changing roles of cyber in politics and war:
“Even if the extent to which they are using in any particular case, we're never going to know until years after when someone writes a tell-all book.” – Adam Boileau [05:11]
(Starts ~53:26)
Risky Business #821 covers a characteristically wide range: geopolitical cyber drama, breathtaking infosec research, technical breakdowns, and the deeper human/cultural story behind hacking's moral evolution. This episode will be invaluable for anyone looking to understand what’s at stake in both technical and social aspects of information security.
Summary prepared true to the original spirit and technical detail of the Risky Business podcast. For infosec pros and the curious public alike.