A
And welcome to Risky Business. My name's Patrick Gray. Fantastic show for you this week. An excellent selection of news to get through with Adam Boileau and James Wilson. And we'll be doing that in just a moment and then we'll be hearing from this week's sponsor, Prowler. So Prowler is an open source project that does cloud security checks and remediations and its founder, Toni de la Fuente, will be joining me later on in this week's sponsor interview. So of course there is the open source Prowler, but they're kind of at that point where they're starting to add some enterprise features into the commercial version. It's much as you would sort of expect, pointy, clicky, SSO integration and, you know, compliance features and stuff that really doesn't belong in a community slash open source version of software like that. So Toni will be joining us to have a bit of a chat about that later on in this week's episode. But first up, let's get into the news and we've got to start this week by kind of correcting some stuff that I said last week. So last week I said it was my very firmly held belief that Trenchant, L3Harris Trenchant, was the vendor behind what became known as the Triangulation campaign, right, which was targeting Russia. It was disclosed by Kaspersky in late 2023. So last week I said a few things. I said I thought that the newly unveiled Karuna exploit toolkit was linked to Triangulation. And I said this for a few reasons, basically because it was sort of, it seemed to be implied a little bit in Google's write up of it. iVerify came out and sort of made that link and I'd already sort of long suspected that Triangulation was an L3Harris Trenchant thing. Turns out it's not right. So it turns out it's actually not. But interestingly enough, the bit that I did get right last week is that the Karuna stuff is the Trenchant stuff presumably leaked by Peter Williams.
Now we don't know that that's the stuff that he leaked, but we do know that these were a series of exploit chains that were being used at L3Harris or developed by L3Harris around about that time. So you would think, logically speaking, that these are the exploits that were leaked. There's some dead giveaways there. I think the fact that they've got like bits of this are named like Cassowary, which is a dangerous, flightless Australian bird, would tend to indicate that maybe this is a Trenchant product. I should also mention too that I do have some sourcing on this. I'm not just. This isn't just vibes at this point. Last week was a little bit too much vibes, maybe, but this week, not so much vibes. So, you know, TL;DR: Triangulation and Karuna, not from the same vendor, did use one of the same bugs though. And I'm really unclear on whether or not that was parallel discovery or someone licensed the bug to someone else to use. Or, you know, maybe someone used to work at place A and moved to place B and sort of took the bug with them or I don't even know how that happened, but we can say they were using some of the same exploits. Could have been parallel discovery. Not sure. Triangulation was not Trenchant. Karuna was. That's about as cleared up as it's going to get. Adam, let's bring you in on this one for starters. The other thing that's happened here, of course, is that we actually have the Karuna samples on GitHub, thanks to the team at iVerify. Thanks for that. Which meant we've all got to look at them.
B
Yeah, it's been really interesting seeing the inside of that particular kit. We've seen bits and pieces. That particular. The bug that you mentioned that's shared between Karuna and Triangulation was that undocumented Apple hardware feature that basically turns into unconstrained DMA. Like that was a super juicy bug. And so seeing the insides of the rest of the tool chain, that was kind of around that because when we saw, I think it was Kaspersky wrote up that particular one, we were like, you know, there was some eyeball face going on there because it was so interesting. And so seeing the rest of the toolchain, it's kind of gratifying to see what the high end of the market looks like. And many people have seen little bits and pieces, but seeing the whole chain laid out and just how, you know, like, I guess there's a reason that, you know, Trenchant and, you know, Azimuth and LPL before them, you know, were very well regarded in the industry because they produce some good stuff, it turns out. And yeah, it's nice to see. It's good to see the write ups. You know, James has been digging through it and some details about his background at Apple as well. And so, yeah, it's just been a fun week around the office, you know, seeing these beautiful, exquisitely crafted Fabergé egg exploits.
A
Yeah, I mean, this explains why Trenchant guys had the good parties in Vegas. I guess, like, this is. This is why they get the big bucks, right? Is because it turns out they're pretty good at this. So, yeah, let's bring in James at this because, you know, because the obvious thing is, geez, if only we knew someone who used to work at Apple on iOS who might be able to have some insights here into what these exploits looked at. And you know, James, you have spent some time actually over your weekend too, because this is such a rare event, really having a look through these samples and you have been. I mean, to say you're impressed is a bit of an understatement.
C
Yeah, that is the understatement of the century. Like, it's such a weird feeling to be looking at exploit code that is exploiting code that, you know, was written by folks that just. We used to work in the building next to you at Infinite Loop. And then when you see the way this has been strung together just using the most seemingly unrelated parts of even just the JavaScript frameworks, like the number format object in the internationalization framework being combined with an offline audio context that had a buffer overflow in it being then combined with vector graphics, it's like no one would have ever thought to put these three things together. But the sheer depth of knowledge of the internals of how this works is just, you know, I was looking at it from the lens of, okay, people are saying this is nation state and sophisticated, but what does that actually mean? And gosh, you really do see what that means when you look, yeah, you
A
probably look at the code, you're probably piling into this thing saying, yeah, sure, buddy, whatever, yeah, okay, come on, click, click. And then you're like, oh my God, yes, yes. Now I should mention too, for those who are really, really interested in James's opinion on this toolkit, you have recorded an 80 minute solo podcast just talking through your analysis of this, of this exploit toolkit. And we're going to publish that, I think either today or tomorrow, but it's going out real soon. So if anyone out there listening to this is interested and like, God help me, I never thought it would. Something like that would be interesting, but I've listened to about half an hour of it as of yesterday and, and it's really good, so well done. But those who are interested in listening to that, you can find it at the Risky Business Features podcast. So just search for Risky Business Features in your podcatcher or head to risky.biz, scroll, scroll, you'll find it with all of the right subscriber links there. But look, I think it's safe to say that this stuff is very well done. And look, staying on that topic, we had a guy, Daniel Wade, publish an analysis of the JavaScript components of this, which was really interesting because like everybody was focused on the sort of payloads and whatever. And it looks clear too that these toolkits went from being used presumably by the U.S., you know, Google say this and they're a bit cagey about where they saw it pop up. Then all of a sudden it's being used by the Russians to target Ukrainians and now it's being used to try to steal cryptocurrency from Chinese-speaking users which is just like what a, what a waste of some exquisite exploits. But where was I going with that? Oh yes, the JavaScript. So everyone's been looking at the samples and the, you know, the actual exploit components of this. This guy sat down, really had a look at the JS components. James, what did you think of that part of all of this?
C
Yeah, he's, it's incredibly in depth analysis and I think the thing to really call out here is that the analysis that Wade did, he was the only one I think between Google and iVerify that were the other sources to actually call out the use of or explain how the PAC bypass works. Right. So in all Apple A-series silicon, since I think the A12 onwards, there's a built in hardware feature that looks at the pages in memory before code is run and it checks that there is actually a cryptographic hash and signature there before it'll run code for obviously ensuring the integrity of the code. Google and iVerify called out that this had obviously been bypassed, but just called, I think they referred to it as like an undocumented or not public bypass. But yeah, he went through and figured out how it works and the way it works is again just, it's beautiful, it's signed code being used to sign other unsigned code and it's magic.
A
Adam, you got some thoughts there?
B
Yeah, it is, it's just beautiful work. And you know the, you can listen to James's pod and you'll hear the specifics of all the details but really it's just like I've met some of the guys that work in places, you know, like Trenchant and you know, some days you see them at the end of the day and they're at the pub having a beer or whatever and they've got that just like there's a certain look, like, glassy look in your eye when you've spent your entire day inside the gubbins of, you know, symbol linking in, you know, the middle of someone else's operating system. And it's just, you know, I have a lot of sympathy for what that does to your brain. So, like, I salute you, sir, for your very fine work. But God damn, it's. Yeah, it's cool and it's just, yeah, it's great to see it torn down and written up so that we can all enjoy it.
A
Now I will just say too further on the Triangulation, you know, misattribution there. I'm not the only one who thought this, right? So as evidenced by iVerify, you know, who had the samples and looked at it, getting feelings in their waters that these things were connected. I mean, you had L3Harris Trenchant guys passing around stickers at conferences that were triangles saying caught in the wild. You know what I mean? And also I've heard from some people that certain elements of Trenchant management weren't really keen to shut down the rumor because it was kind of like a positive rumor to have that you were behind this, like, really badass set of exploits and whatever. So, look, I'm not the only one who's made, who's made that mistake and formed that opinion in error, but I think it's really cool that, like, we're kind of at the point where we've, we've. I feel like this mystery is largely solved. You know, Lorenzo over at TechCrunch, too, overnight he posted a piece too, that linked the Karuna stuff to Trenchant. And so I think, you know, I think we can kind of put that to bed. Who was behind Triangulation? I don't know. It's another Five Eyes actor. Was it a contractor that wrote it? Was it NSA? I don't know. I don't know. But I still think Kaspersky's story that a Five Eyes threat actor was exploiting the telephones of people who worked at Kaspersky in threat research seems like a pretty unlikely one. I think if I had some closely guarded exploits, I'm not going to throw them against threat researchers. That's just me, you know, I'm like, hey, I've got tens of millions of dollars of 0-day here. Let's go exploit some people who work at Mandiant. Like, that just doesn't track, you know? You know what I mean, Adam?
B
Yeah. Like, it feels like a poor choice unless you have some very specific tasking or reason that you need specifically them. But like that just feels very niche and it seems like a poor life
A
choice and well, and they were hacking ambassadors and stuff and people in the government. Oh, and a handful of Kaspersky researchers like give me a break. No, that's not, that's not what happened now. Anyway, we're going from the exquisite end of the, of the exploit and you know, malware, you know, industry down to the kind of like rundown, crappy rats everywhere end. And we've got this great post here from Bitdefender talking about APT36 which is apparently a Pakistan based threat actor, which is now just. They're doing vibe coded malware which Bitdefender is calling vibr. I love it personally. James, you've had a bit of a look at this and you know, you also think Iran might be doing some stuff around, you know, vibeware and whatnot. But I mean this is how it's done. It's kind of depressing. What do you make of all of this? What do you make of this APT36 and how they're rolling?
C
Yeah, there were two funny call outs in that article. The first one was, you know, a Go binary that they observed that still had a template address in there for the C2. And so it got deployed and it couldn't actually reach back to its C2. And I think that only could have been better if the C2 address was actually still localhost. So the developer could have legitimately said, but it worked on my machine. But the other interesting thing here is they're adopting novel languages or niche languages like Zig and Crystal and Nim. And that's real new hotness stuff. And some of the articles say, oh, that's going to help evade detection. And I'm not really sure that's the case but I would bet that it's just because, you know, given free rein an LLM is probably more inclined to go and churn out a new language, that it has a fresh and pretty deep set of knowledge around to create these exploits.
A
I mean this is a trend. Sorry Adam, but yeah, this is a bit of a trend because we saw something where there was like Go malware for some like ancient platform recently where we were both scratching our heads going, but you know, probably LLMs being everywhere and doing so much code is a part of that. But you were going to jump in there, Adam, with something.
B
Yeah, part of the write up is suggesting that maybe they're doing this for detection evasion. Right. Like you build custom malware. That way you don't have to worry about signatures existing for your malware and you can avoid AV and other things. But the idea that you would need to go to the extent of writing malware in one place and then having LLMs translate it into other implementations so they can avoid detection, avoiding AV really isn't that difficult. The state of the art for avoiding AV is already, you know, good enough to get past most people's AV. It seems unnecessary. So, you know, maybe there's some other explanation, like maybe it's just fun, maybe it's different, I don't know. But like the, the detection evasion angle just didn't seem, didn't, you know, track exactly like what's going on to me. But hey, who knows?
A
Now we've also got this other story here about some state linked actors, Iranian state linked actors targeting US networks and whatnot in the lead up to the Iran war. James, you felt this one dovetails actually previously quite nicely with the APT36 one. Why is that?
C
Yeah, I didn't make that connection at all until I read the write up and they talked about they're using Deno, which is a very new, again with the theme of the new hotness, a very new Node.js replacement, like a JavaScript runtime. But it's like if you know what Deno is, you know that it's basically a runtime that was designed for security built in and it explicitly does not allow access to network and disk and all the things that you would want a backdoor to have. So it's like it's just these weird technology choices. Like as Adam said, if you're just trying to get a different hash for your malware, why are you bothering? But then we're seeing like LLMs choose brand new languages and brand new runtimes, and those runtimes don't even fit the model of what you would want your implant to be doing. Which is. Right. So many questions.
A
So you see this one as a bizarre technology choice on behalf of the Iranian APT operators, which would suggest that maybe they're using LLMs to do some of their dirty work.
C
I'd scratch my head, but the lack of hair just makes that dangerous.
A
Now look, staying on all things Iran, we have a story here. It's been repeated in a bunch of outlets, but we've linked through to the SC Media version of this story that Iran's like cyber warfare HQ on a base somewhere was actually hit with an airstrike or a missile. Like it has been blown up by the Israelis. No surprises there. I think I remember reporting on when the Israelis hit a Hamas cyber facility in Gaza actually many years ago, before all of this, before the war in Gaza. It was just so massively controversial in that case. The building had been evacuated prior because there had been prior notice given. So no one was actually killed in the strike. But you know, I think a lot of people in this field sort of forget that people who are doing state backed cyber operations, I mean quite often they're gathering intelligence that is going to be used to harm their enemies. So they are legitimate targets. And I just sort of, I haven't seen as much of that discourse this time around. So I think maybe people have adjusted to that. But I mean, did you reflect on that a bit as well, Adam?
B
Yeah, exactly. I mean, the increasing, I guess the utility of cyber. We talked was it last week before about like where there are places that cyber is actually legitimately useful and battle damage assessment, reconnaissance, things that are like legitimately military functions. You know, if you start doing those, then you, you know, you do end up being kind of legitimate targets. And you know, I think that, I remember that one against Hamas and we talked at the time about how this is also a deterrent for wanting to go and use your cyber skills, you know, in that kind of capacity. Maybe think twice, go do some other business. Like same kind of thing here where, you know, even if the effect of blowing this up is not, you know, in terms of ongoing operations and those particular staff, you know, even if that wasn't a big impact, it just has that kind of reminder you are a legitimate kinetic target. If you're doing this, you know, in an adversarial context, you know, in the war and, you know, think about what you're doing.
A
Yes, you're part of it, I think, is the, is the message there if you're gathering intel, I mean, I mean, I think that's what makes OPSEC so important. I think it was really funny actually when the United States started to sort of dox some of these Chinese operators, right? Whether that was DOJ or whoever is like, well, you know, all of the attribution stuff. And then the Chinese are like, yeah, we're going to do the same thing. And they do stuff by like saying Rob Joyce is NSA. And it's like, yeah, man, he's been on my podcast as NSA. Great collection there. So I think, you know, this is where OPSEC as well becomes pretty important to the whole enterprise. And I think that's something Five Eyes certainly does better than the rest of them, anyway, moving on. And you know, two of these, at the time this article was written, six US service members had been killed in this Iran war. I think that's risen to seven now. Two of them were actually cybersecurity people. There was a guy who was studying cyber security at a university and a guy who was actually a, who was actually doing cyber stuff, defensive cyber stuff in the US military. They were both killed in a strike in Kuwait. So there you go. I mean, it's very sad. I mean, I don't think these guys chose to engage in a missile war with Iran that didn't have clear aims, you know, and they've paid the ultimate price for that.
B
Yeah, and these are reservists, so these are people that had, you know, regular civilian lives and had been deployed, you know, as reservists. And that's, you know, it's a pretty long road from Iowa to, you know, where they were in some, you know, place in Kuwait. And yeah, expecting to be on the end of a missile strike. Not really. Probably what they expected when they signed up for the reserves, you know.
A
Yeah, I mean, I just don't, I don't quite understand what all of this is for. You know, I understand that Iran's missile launch capabilities will be temporarily degraded, maybe their drone manufacturing temporarily degraded. We haven't seen really a change of regime or, you know, if anything we're going to wind up with a more hardline regime. I just, I don't know what this is for. And tragically those dead schoolgirls, mate, that's just, you know, I've got a daughter that age and seeing that something like 170 kids were killed and you know, the reporting suggests that one of the reasons that strike may have happened is because Claude was used for target selection and to accelerate target selection. You just think, wow, if that is the case, if there were insufficient checks done, I mean, what a, you know, just, what a, what a tragedy. The whole thing, the whole thing is just tragic. Anyway, moving on and you know, sort of staying with cyber and conflict. The Russians are doing a big Signal and WhatsApp phishing push. Is this just more QR code linking, James, or is there something interesting happening here?
C
No, I didn't see anything particularly novel other than just the sheer volume of it and the brashness of who it's targeting. It's just same old, same old and even sort of Signal's advice reads, it almost reads like tired advice of like, okay, come on, you know, this is happening. You know what you gotta do, but you're still falling for it. So just the same, same.
B
I mean, this is a pretty well known problem. But on the other hand, there is not that much attack surface here. Right? I mean, your options for phishing Signal users to get some useful effect are pretty limited. And I don't know what the Signal Foundation should do to kind of make that pairing, device pairing process more robust, but I think there is some. It's somewhat heartening that there is so little attack surface here. And you know, all they have to do is figure out, hey, is there a more robust way we can do this? And they're going to shut off, you know, one of the only significant avenues people have for doing this kind of thing. So, you know, whilst the "we don't have a support bot on Signal that's going to message you" advice does, you know, you can just, you can feel the like, exasperation, like them rubbing their temples over at Signal Foundation. But, you know, they have an opportunity to figure out, you know, really answer one question, how do we do this better? And they'll make a big difference. So if that's good.
A
All right. Oh, now this next story, this next story. Now this is completely unverified. It's been pulled off like some Russian Telegram. I reckon there's a 50% chance that this is just completely made up by some Russian milblogger. But I want to talk about it anyway because it's one of those things that like, is. I don't know, it's probably, it could be true. I don't know.
B
It vibes right for us.
A
It vibes right, right. Which is that the Russians have been trying, initially were trying to tell troops and try to tell Russians generally not to use Telegram because it's not safe after a while. And that's where this, from what I heard, like, this kind of feels like it's probably wrong. But after a while they said, look, people on the front can keep using Telegram because it turned out Telegram was being used a lot by Russians who were involved in the war in the Ukraine. In Ukraine. I'm sorry. So there's that part of it. But now this report from Russian Telegram says that they told them to stop using Telegram and to start using Max. And this is their everything app. This is the Russian WeChat, basically. So they're like, start using Max. And now the latest info is, and that's what this thing is claiming, is that the Russian government is now saying, oh my God, don't use Max. It's completely insecure, people are dying because they're using Max. Go back to using Telegram. So look, I don't know that this is true, but what I do know is that it's extremely highly plausible. Because if I'm Ukrainian SIGINT, this is absolutely. What I'm doing is I'm trying to figure out Max.
B
Right, yeah, I mean, Max is a pretty natural target with them. And of course this is one of the challenges of building your own sovereign infrastructure, your sovereign technology stack, whatever else. Like this is hard work. It takes a while to get right. And even if Max turns out to be as good as Signal or as good as other alternatives, it's going to take time. Like the first versions, first couple of years. Much like when you roll your own crypto, everyone who tries to implement their own X.509 parsing is going to screw it up the first 11 times they do it. The same thing here, right? I mean, trying to implement your own messenger and trying to do so in like in wartime conditions against an adversary that is in an existential fight against you. Yeah, that's not the place that you want to be yoloing your first, you know, your first take at a national messenger. So yeah, it's a, it's going to be a fun ride for. I imagine the Ukrainians must be having a hell of a time discovering it, figuring out all the ways to break it and then abuse it. And then, yeah, if this report of Russian troops being told to just go back to Telegram is true, then yeah, doesn't look great for the rest of the Russians who are stuck having to use Max.
A
Well, it is kind of funny because it is the, the app that the Russian government has made to make it easier to surveil their own people, which ironically makes it easier for their enemies to surveil their people if they find the bugs in the thing. So, you know, anyway, I don't know. As I say, that's completely unverified, but a fun one to talk about. Anyway. Now, speaking of technology engineered to surveil people, the FBI is investigating another breach on its so-called critical surveillance network. That's what CNN has called it in this instance. Now we have seen a breach of this, of surveillance associated systems in the past. You know, recently in the last couple of years this happened and it was the Chinese, but they didn't actually get to the wiretap systems. What they did get to were the systems that were like processing the warrants. And this is extremely valuable intelligence because it would tell like, oh, okay, the Americans are onto this guy who we've been using to do XYZ. So we're going to just have to like walk away from that asset and that sort of stuff. Right. So this is very valuable. But in this case we don't really know exactly what data the attackers have got. It's all very cagey. I mean usually in America like eventually they're pretty forthcoming about stuff like this that's gone wrong. But James, you've looked into this as well as us and there's like not really much on this out there.
C
No, there is hardly anything. So it's a lot of speculation. I sort of broke it down into like an input, process, output framework and maybe it is the input, it's the tasking. Could be. It doesn't feel like it's the process of actually wiretapping. That would not be in these networks that are supposedly seeing suspicious activity. That I believe would be in the telcos. Adam, correct me if I'm wrong, but there is also the angle of what if it is like the repository of the recordings or the transcripts or something, something like that. We just, we don't know. It's so, so short on, on anything substantial.
A
Yeah, but they seem freaked out, which is never good. Right. When you're dealing with news like this. Right.
B
And we're also not clear what the link, if any, with Salt Typhoon is. Right. How does this fit into that? Because, you know, we saw reporting of the Chinese intruding into telco LI systems there, but we also didn't really have any details. And you know, part of this, as you say, is that people are just kind of cagey around lawful intercept and the actual mechanics of it. You know, there is quite a lot of moving parts. I mean it could even be something as like, you know, you've got recordings but you need a linguist to process them. So maybe there's, you know, because it's not necessarily English, there's lots of places where the downstream products are processed and yeah, so we don't even really know. As you say, eventually maybe the U.S., you know, will explain it. It's funny seeing, you know, the other countries in the world that have also been Salt Typhoon'd, how, how much slower they are at getting out details of what happened to them than the U.S. and so we complain about the lack of transparency here, how long, you know, how imprecise the language is. But you know, we don't hear this coming out of, you know, other countries that were Salt Typhoon'd, you know, in anything even this little bit of detail, you know.
A
Yeah, I mean, I, it is funny. Like for all we say about the Americans, they are pretty transparent when it comes to this stuff in a way that is like, like just would never happen here, right? So, like, if this were happening in Australia, it would be buried. Like we ain't hearing about it unless somebody blows the whistle and tips off a member of the opposition who brings it up in some Senate committee or something. Like that's how it would get out and it would be a scandal. Right. Whereas this is just, you know, normal day of the week sort of stuff in, in America. Now look, speaking of normal, normal stuff in America, the Trump White House has released its cybersecurity strategy. Now, if you remove the logo pages and the preamble and the last page, which is just a blue sheet with the White House logo on it, you get a total of four pages for this cybersecurity strategy. And it reads like, this is the most bizarre thing I've seen in a, in a, in a, in what's supposed to be a serious public policy document, because it reads like cybersecurity fan fiction. We are going to like secure our networks and upgrade them and they'll be the best in the world. We're going to do this. We're going to go after the adversaries and, you know, completely render them helpless, flailing children. You know, it's bizarre. Our colleague Catalin Cimpanu did a write up of this in the Risky Bulletin newsletter, which is hilarious. It's quite long. It's funny because he actually cut it back. He couldn't, right? And I spoke to him about it. He's like, yeah, originally it was longer and he cut it back and it's like, it's still actually pretty beefy for a lead item in a, in a Risky Business newsletter story, but it's like the whole thing is just bizarre. It's so weird. Like, Tom Uren, our colleague, he's writing up a more serious analysis of this tomorrow for the Seriously Risky Business newsletter. Again, go to risky.biz to subscribe to that.
And it's his feeling that some of the parts of it where they're like, they're going to go offensive and take more offensive actions against adversaries. You know, he thinks that is a part of the strategy that actually has some hope of going somewhere. The rest of it just seems pretty, pretty meaningless. And my question is, given the other actions of the United States right now, when it comes to, you know, like offensive actions, whether we're talking about Venezuela or what's happening in Iran, you sort of wonder if they're about to go on like a, the cyber equivalent of a kill streak with no sort of deeper strategy beyond that. Right. And I just don't know what's going to happen. Like, let's start with you, James. What are your. I mean, first of all, what did you think of this? The strategy, which we'll put in quotes. And second of all, like, you know
C
what, as you guys know, I've had the pleasure of working in some very large enterprises over the last couple of years. Places that have like entire departments that are called Strategy and Transformation, and they churn out just the most dry, hard to read things. And like, I spent years training myself how to read those. I couldn't get through this document. I just, I couldn't. I kept putting it down, I kept coming back to it, I kept thinking, I got to read this thing. But it does. Ironically, coming back to AI here, it almost in a super cynical sense feels like someone said, okay, what's the real executive order? We just want to go and wreck a bunch of stuff in cyberspace.
A
Okay.
C
But we can't just say that. So can you please create me a doc that looks really balanced and talks about all these other things we're going to do, but what we're really going to do is go and break a bunch of stuff in cyber, because it's such waffle. It's so meaningless.
A
Yeah, I mean, it's like the whole thing's bizarre. Let me just quote a bit of it. "President Trump's actions, however, send a clear message. We will act to defend our interests in cyberspace, whether destroying online scammers' networks and seizing $15 billion of their stolen money, supporting a globe-spanning operation to obliterate Iran's nuclear infrastructure." Huh? It's a cyber strategy. "Or leaving our adversaries blind and uncomprehending during a flawless military operation to bring international narco-terrorist Nicolas Maduro to justice. Adversaries are on notice that America's cyber operators and tools are the best in the world and can be swiftly and effectively deployed to defend America's interests." I mean, that's a hell of a strategy right there, don't you think, Adam?
B
I mean, I guess what I took away from this was like, at least like the Five Eyes and the US in particular, like they know how to do offensive cyber. Right? They're good at the technical part of that. Their OPSEC's great. We were just talking about their wonderful, beautiful exploits. Obviously those were Australian exploits they bought off the shelf.
A
But anyway, enough of, enough of the media talking about how these were American exploits, they were Australian exploits, thank you very much.
B
So, like, the US absolutely has amazing offensive capability. Defensive cyber, and especially defensive, you know, at a country scale, like trying to solve municipal water SCADA, you know, vulnerabilities or whatever, that's hard. Just hacking stuff is easy and the US knows how to do that. And this is just a case of, we've got a hammer, let's go find things to hit with it. Because, you know, in the end, all of the other problems are really hard. And the Trump administration is not there for hard problems. Right. It's there for quick wins and easy and, you know, things that they can make a splashy show of doing something about. And that's what offensive cyber is like. Is it going to work? Maybe a little. Maybe against some people, who knows? And we haven't really tried it. I mean, like letting NSA, you know, uncaging that particular shark and letting it just go nom, nom, nom over the Internet. It might work. It's possible. I guess we've got to find out.
A
That's always the case with these Trump initiatives. Right. Like, even this Iran thing, it might work, but I would say there's a reason other people haven't tried it. Right. Like now, have previous administrations been too cautious with offensive action? I think they have. Right. So you're right. We're going to get to see what happens here. And I do think that the offensive action against ransomware crews and ransomware as a service, I mean, that's gone. It doesn't exist anymore. And I think that's largely because Five Eyes took their gloves off and just beat the crap out of them. Right. So I think you can achieve certain aims, like data extortion is huge. Ransomware still exists, but doesn't feel like an existential crisis for us all anymore. And it did there for a while. So I think, you know, you can certainly achieve things with offensive action. But like, let me just quote one more line from the cybersecurity strategy, which is, this is the "Moving Forward" section: "Our resolve is absolute. We will act swiftly, deliberately and proactively to disable cyber threats to America. We will not confine our responses to the cyber realm." So, you know, gloves well and truly coming off now. It looks like the White House has announced a thing where they're going to go after cyber scam compounds and look at actually setting up like a victims' restitution fund. I don't know that that's the way to go, but I think it beats doing nothing. And you contrast this with the cybersecurity strategy. I mean, this seems like it actually had a lot more thought go into it. James, what did you think of this one?
C
Yeah, real thought gone into it. You know, I think I raised the question of, like, where's this funding going to come from and to what scale? How is it going to be meted out?
A
And it'll come from all the DOGE savings, man.
C
Well, yeah, hopefully the plan for this is on the thumb drive that we'll get to, but. But it's like, yes, great. I mean, if I was a victim and this fund was being set up, I would be appreciative of it, but I don't think the government stepping in here and making a pool of money available to victims actually shifts the needle on fixing the problem, you know, in the platforms and the systems that are enabling it. So good, but wrong spot, maybe.
A
Yeah. Adam?
B
Yeah, I mean, I guess the. So the article said that the money looks like it's going to come from stuff that's seized from. So it's like proceeds of crime. And I guess in that respect that seems like a better use for it than just putting it in the general government pot. But, you know, I also wonder, like, are there any weird incentives here? Like, if people can give their money to scammers and there's a chance they're going to get it back again, like, does that make them more prone to falling for scams? Like, kind of how cyber insurance makes people target people that have cyber insurance.
A
Well, and if it's money seized from these scammers, is that all money seized from Americans, or are they taking money that was lost by Australians and giving it to America? Like, it's just strange. Like, I get it, right? Like, I think, though, the Brits, there's a report in Recorded Future where the Brits are thinking about this a little bit differently, which is like more about shifting the liabilities onto telcos and banks. And you might think, well, why telcos? And it's because a lot of this stuff happens over the phone and the telcos should do a better job of blocking some of these scam call centers where they know where they are. You know what I mean? They're getting reports of this stuff and they're just operating on such thin margins that they don't want to spend the money to actually deal with it. You know, I would say, too, that I did some Googling today and the, you know, the total amount of money lost by Australians in these sorts of scams in an annual period is something like 2 billion Australian dollars. And the Commonwealth Bank, which is just one of our big four banks, posted a profit of 10 billion. So I think, you know, I think if you want to get this stuff to stop, you do make the banks liable and it stops basically, is what I think. I mean, James, you actually worked at the Commonwealth Bank, but probably not on stuff like this. But you know that that sort of statement, like even that idea would be considered just the most unholy, satanic idea by Commonwealth Bank management, surely?
C
Yes, yeah. There are various people there that I'm sort of picturing their reactions now if I showed up and suggested that we do this. I think you and I were talking about this offline and the bank aspect came up. I think if I remember right, the UK article actually pitched it more at like get the telcos and the platforms involved. And I said to you, well, but what about the banks?
A
Right?
C
Because I think we both agree that the buck stops with the payment processors and we know this model works. You know, when credit card companies take on the burden of all things fraud related and protect the customer, that's a proven model that works really well.
A
There is a reason, which is the banks in the UK are already on the hook to a degree. Right. So I think this is just an extension out to other players.
C
That's right. It's taking that same model and taking it to the next couple of layers up. But again, you know, I think the right sort of incentive structures happen when you put this closest to where the money moves around. But we'll see, you know, it's better than what we're seeing in other places. So all of these things are like, okay, let's watch and see what works and extrapolate that out into other regions.
A
Moving on. And man, so many executive orders to talk about this week. And apparently according to Axios, this is a bit of a scoop, the White House is readying an executive order to get Anthropic pulled out of every corner of the U.S. government. I mean this is just like, you know, they're shooting themselves in the foot with this. It's insane, it's petty. I don't get it. James, let's start with you on that one.
C
Yeah, I don't get it either. And you know, with those quotes you were reading out of the strategy, like Grok wrote that. And if you don't think it did, like, convince me otherwise. Right. It's straight out of an LLM, that sort of language. But the thing that irks me about this is it's this notion of, and I hate the term woke, but it keeps coming up around, oh, we're getting rid of Anthropic because it's too woke. I'm sorry, go fire up OpenAI, go fire up Llama or any other model, pitch them the same sort of question and watch which one of them is the most sycophantic and woke. And it's OpenAI every time in the current set of models. And it's largely anecdotal, but when you use these things day by day and you interact with them, Anthropic is the one that actually just gives you straight answers and doesn't sort of fluff around and give you the "you're absolutely right" sort of things. And so it's dumb on every level and it's extra dumb because it's the best model out there and they're hell bent on getting rid of it.
A
So I mean, Adam, I gotta ask you, like, I mean, if you're China watching this, you know, there's that meme of like America saying, take that China and like blowing its head off with a rifle and China just standing there looking horrified. You know, the meme like this strikes me as one of those. Right.
B
Yeah. It's just, it's dumb and it's petty and it's poorly thought out. And unfortunately that's a pattern that the Trump administration, you know, leads us to expect. Like this sort of, you know, like
A
America feels this incredible, incredible edge with Anthropic. It's such a wonderful story of American innovation. Right. And they're good at innovation, right. And they've built this wonderful thing. And now the government's like, ah, can't have that, you know.
B
Yeah, it makes no sense. It's such a self own and like, and the thing is Anthropic knows that they're good, right? They know that they've got the best stuff they are doing. You know, their numbers are all looking great. Corporates are taking them up, like it's, you know, they're doing well and they just don't care. Like if anything, the burden of not having to do business with the U.S. government, I mean, think how much simpler your regulatory and like legal approvals department is going to be without having to do government contract approval. Like, I bet those guys are just laughing like going off to the, you know, have a beer to celebrate not having to deal with Pentagon procurement. I mean.
A
Well, the problem is though, like being designated a supply chain risk. I mean, I think there's a bit of a legal argument back and forth, but I think, you know, a lot of companies that might do business with the US government can no longer use it as well, or that is what the government is claiming. So, you know, it remains to be seen how badly this is going to harm Anthropic. But you know, all of these companies are basically just cash incinerators. Right? So like, bottom line difference, I don't really know if it makes much of a difference. It's just they're all in a race to see who can sell the most tokens. It's pretty funny, I saw some numbers going around on socials the other day. I don't know if they're true, but it's saying that like a $200 Claude Code subscription can burn up to five grand of compute every month. Hell of a business model, which is like the level to which this stuff is. I mean, this stuff is just subsidized to a degree that is like kind of crazy. And look, staying with Anthropic, they are launching a code review tool to check, funnily enough, to be able to review AI-generated code. So I love this. You create the problem, you create the solution. James, I mean, you're the guy who spends the most time with AI among the three of us. Yeah, I think this is probably quite a positive development actually.
C
Yeah, it's a positive development, but is it a standalone product that we should be sending a press release out about? No. If anything, it sort of harks back beautifully to the Microsoft playbook of: we've created this product and it's got a whole bunch of security problems in it, but that's okay, this product over here fixes all those security problems and we'll sell you both and it's two different licenses. Just bundle this into the way the thing works. It's generating the code, make sure it checks its work, make sure it's doing the code review itself and the result is better anyway.
A
Well, I mean, Claude Code subscriptions eventually have to head to like five grand a month anyway, right? So you'd expect some bundling there. Well, I don't know. I don't know. That's probably the upper bound. I don't know if everybody's generating that much, you know, using that many tokens. But anyway, this whole thing, what a wild world. And I should mention, too, that we had a bit of a laugh about the fact that CrowdStrike's share price plunged because Anthropic, like, you know, code security or whatever got released, and investors don't know much about cybersecurity, so they started selling CrowdStrike. They just posted a record quarter. Okay. And it's like, what is it there? Total revenue grew 23% on a year-on-year basis to $1.31 billion in the quarter ending January 31st. So congratulations to all of you CrowdStrikers on that. Just a funny thing. Now, Adam, you're our Java guy, man. You're our Java guy. And we've got a Java story here.
B
I'm stuck with being the Java guy. Like, do I look like I'm from the 90s? Oh, wait.
A
I mean, you do. Yes.
B
Fair call.
A
You are from the 90s, and you do love a bit of Java. I do.
B
I love it because it's so easy to break. And people who write Java code, for whatever reason, seem to write security critical trash. And this is a great example of security critical trash. This is an authentication library called pac4j that, amongst other things, implements like JWT tokens for web authentication. So when your web app is, you know, authenticating requests, that is what it uses. JWTs are usually like a little JSON blob that are then signed with a signature. This particular piece of code, if the signature was null, it would just go, you know what? That's fine. We'll just trust the contents anyway. So you can make a token that says, yes, I'm totally admin, just not sign it. And it lets you in as admin, so good job, Java devs.
A
I think, you know, it's a decent. I mean, you know, we talk about comedy bugs, but that's like, you know, comedy master class bug. I laughed.
B
Definitely pretty good.
A
All right, so we're on the home stretch now, and we have seen a bunch of reports that General Joshua Rudd, Lieutenant General or whatever it is, he's been confirmed as the head of NSA and Cyber Command. So finally, after about a year or whatever it's been, there is now a new head of NSA and Cyber Command. So that's pretty good. Meanwhile, over at CISA, dude, I think I called it right when I've said that this is CISA's century of humiliation, because, you know, we talked about their CIO going. We actually had this bizarre moment in our prep call between the three of us plus Amberleigh, who was on the call as well this morning, where I'm like, oh, hang on. We've got an item here about CISA's CISO and Deputy CISO leaving. We talked about that last week. I was like, no, last week it was the CIO. This week it's the CISO and Deputy CISO. And now Sean Plankey, who was going to be Trump's nominee to lead CISA. I mean, he got walked from his job at DHS. And, like, there's reporting that I think he only came back as a nominee for a second time due to, like, a clerical error and stuff. And there's this whole background about how he's on the nose because of some DHS decision to not buy boats from some congressman's district. I mean, the whole thing is like the ultimate. It's not even a sandwich. It's so layered. It's more like a lasagna of American political dysfunction just sort of squeezed into one. And here it is. But it doesn't look like he's going to be the guy, I think, is the TLDR here.
B
Yeah, no, we don't really know much about the guy, but yeah, the bit with the Coast Guard part of it. And I think there were some reports that he'd been kind of in. When he was in DHS, he was also rummaging around in CISA, like, kind of on the assumption that he was going to end up in the role. And it did not seem that people there were enjoying that process, so.
A
That's right. I did see those reports where he was, like, apparently annoying people, basically.
C
Yeah.
B
So I imagine there'll be some degree of celebration at CISA over this, but, you know, they haven't got a lot of good news to go around, so I guess even a little thing probably feels pretty big there.
C
Yeah, it's going to be a small party, too, because there's not many people.
A
Well, everyone's still furloughed, I think. I mean, I don't know, maybe that's changed. But, like, as I say, like, CISA is unfortunately just, you know, you wouldn't really describe it as a functioning agency at the moment. Speaking of which, though, I did have dinner with Chris Krebs last week in Sydney. He was down at the same event that I was at, that Sphere event. That was fun, too. There's a lot of cool people around. Got to catch up with some listeners. Met some cool listeners. So thanks to all of you for saying hello. I did really enjoy that. But, yeah. Wow, what a world. Now, we did mention a DOGE thumb drive. James, you brought that one up. We got a story here, another one from Lorenzo, that says that a DOGE employee apparently walked out two very tightly restricted databases from government systems and said, oh, these will be great at my next job. Now, whether or not this guy was just trolling or whether or not this has actually happened kind of supports our argument at the time that with all of this DOGE stuff that was happening, perhaps there might be some data governance concerns, to say the least.
B
Yeah, that was a prediction that you made, and it seemed pretty accurate. You know, it never felt particularly good letting 4chan kids rummage around with root access to all of government things. And, of course, this is, you know, how it ends up shaking out. And the thing that I found reading this story was, you know, I saw the headline about DOGE. I'm like, man, I haven't heard of DOGE in ages. That seems like ancient history, and it was only last year.
A
Yeah.
B
But yet, like, so much has happened, and DOGE just seems like a quaint sort of after, you know, footnote at this point. So, I mean, good on Lorenzo for digging up a story that, you know, I had already forgotten about. So. Yeah, but exactly as we would expect. Of course.
A
Yeah. I just. I mean,
B
you have to laugh because otherwise you would weep.
A
Yeah, you really would. All right, so we're very much on the home stretch now. James, you added this one. This is a link from Palo Alto Unit 42 looking at a vulnerability in Chrome that allowed extensions to do unholy things to Gemini.
C
Yeah, look, contrast this to me spending 80 minutes doing a solid podcast talking about the intricacies of what it takes to escape a sandbox from a browser. And then this is basically the browser is sandboxed, but we jammed an agent that has full file system access right next to the DOM and the rendering engine, and it's like, well, why do you even bother sandboxing anymore? And it's such an inversion of the security paradigm, where it's like decades of work went into securing the browser, and then we just throw an agent in there that has full access to everything. And, of course, all the extensions can access that agent and give it prompts to do. It's just like, you know, did no one walk down the hall and talk to the crafty security guy and say, hey, should we be worried about this? Is anything going on here?
A
I mean, this reminds me of like the. I saw a funny post somewhere saying, you know, all these people are throwing like Claudebot into VMs and they're like, yeah, that's great. Then they give it their credit card number, they give it access to the Internet, they give it all their passwords and they're like, oh, no, something bad happened. But I'm running it in a VM. You know, it's just. What?
C
Yeah, yeah, yeah. It's like you run it in a VM. Good job. Okay, what's the first thing it asks you for? All the tokens that you've got on your local desktop machine. And you paste them in. It's like, okay, so the VM is giving you a different IP address at that point. Good job, pal. Well done. Yeah.
A
All right, so we're going to wrap it up now and just mention this story. This is one for the slide decks, right? It's unusual. Well, I guess through my career it has been unusual previously to hear of entire businesses disappearing as a result of cyber attacks. But there's an extremely large Romanian meat processor called Alex1, which, and Catalin obviously dug this one up and put it in our Monday newsletter. They had a ransomware attack and, you know, the costs for recovering from this have essentially driven them into insolvency. So they're going through some sort of restructure now. Just a good one for the slide decks, right? Because I know people are always looking for these sorts of things and this one happened in Romania, so it's probably going to go a little bit under the radar. But this is a real big deal company and yeah, people can take a look at that one in this week's show notes. But that is it for this week's show. Adam Boileau, James Wilson, thank you so much, both of you, for joining me to walk through all of that.
B
Yeah, thanks so much, Pat. We will see you next week.
C
Yep. Thanks, Pat. Looking forward to it.
A
That was Adam Boileau and James Wilson there with a check of the week's security news. And it is time for this week's sponsor interview now. And for this week's sponsor interview, I chatted with Toni de la Fuente, who is the founder of Prowler. And Prowler started off as purely just an open source cloud, you know, security scanner. I guess you could use it to find misconfigurations. You can use it to actually do remediations as well. And you don't need to use the SaaS tool to do that. You can do that through the command line tool. It's just cool. It's very good and you know it. The open source version being free, you know, a lot of people use it, like it's an extremely popular project. But obviously Prowler, now there's a pro version which previously, like, you know, it's just like a SaaS version of Prowler. I guess you could actually spin it up yourself and kind of run the same thing as SaaS. So you can run it in a container or whatever, spin up a web server, and you've essentially got the SaaS version there yourself. Toni's finally at the point where there's going to be some features splitting off that are just paid, you know, and an example here, and I'll drop you in here where he starts talking about this. But an example is SSO, right? So you can actually get SSO to work with open source Prowler, but it's a bit fiddly and you've got to go configure it yourself and whatnot. Whereas with the Prowler Pro, with the SaaS version, that's just pointy clicky. Done. So I'll drop you in here where we talk about that. And that leads to a deeper conversation of what the dev team at Prowler have been up to. Enjoy.
D
Actually, in Prowler open source, you can configure that, but you have to configure it. In Prowler Cloud, it comes with everything done.
A
Yeah, yeah, yeah, right. It's more pointy clicky.
D
So that is the basic thing that everybody puts as paid only, but it's beyond that. So everything in a complex platform, you need to configure a lot of things. We have now, for example, attack path, that requires more infrastructure like GraphDB, etc. So we maintain everything, all that, for our customers. That is probably not enough value for somebody that can do everything with their hands. But most of the organizations, of any size, they don't care about what is underneath. Right. You just want cloud security in place.
A
Yeah. You just want it to work. You want to put the credit card number in and make it work.
D
Right, exactly, exactly. You can go through your favorite marketplace or the credit card and that's all, you get it.
A
Yeah. But I think importantly, right, like the checks in Prowler, they are remaining open source. Right. Like that is not. It's not like you're charging for checks with these changes.
D
No, no. So our plan and the reality is that Prowler is the de facto tool for cloud security and that is going to keep being exactly the same because it's our value, right? Creating new controls, new detections, remediations for cloud infrastructure, for infrastructure as code, for Kubernetes, SaaS providers as well. The most common SaaS providers for infrastructure, let's say Microsoft 365, Google Workspace, even GitHub, etc. GitLab that we are adding now, all that stuff, the Prowler universe is accessible for everybody, including the AI, right? Or third parties' AI.
A
Well, funnily enough, because you and I were chatting before we got recording, funnily enough you told me that when the people are asking Claude Code, hey, can you check my cloud infrastructure and make sure nothing's accidentally exposed or misconfigured? And basically Claude goes around and tries to take a stab at it itself and eventually it downloads Prowler, spins it up in a container and off it goes and it just uses Prowler and gives you the results, right?
D
Yeah. When it goes to a dead end it says okay, let me use Prowler.
A
Yeah, that's awesome. But I mean I guess that's handy, right? To be able to get Claude Code to use Prowler. But when you ask it to do something like compliance reporting, I'm not going to trust a non-deterministic large language model to do my compliance reporting based on using an open source tool in an unsanctioned way. So I'm guessing you've still got a bit of a moat with some of these enterprise features that you're baking into the products. I mean that must be part of the thinking here.
D
So part of our mapping, the mapping between controls and requirements of an integration platform, that is totally accessible, it's part of Prowler Hub for example, but we want to offer the part of the infrastructure like SOC 2 Type 2 support, the multi-tenancy, backup, all that stuff that you need to have if you want to go into compliance. That is going to be part of the paid only, of course.
A
Yeah.
D
Prowler Cloud Pro or Prowler Cloud Enterprise.
A
Now I should mention too that for people who want to actually use Prowler Pro, like it is not difficult if you just grab a credit card and you can actually just head over to Prowler's website and click on pricing and then off you go. You could get going with this extension extremely easily, or if you are really stingy you could just go to GitHub and grab the free version and do what you need to do. But one thing that's been interesting for you, right, is with the AI stuff, it's not so much that you guys are like squeezing heaps. I mean, there's a bit of AI. You've sprinkled some AI on Prowler, right, but it's not like an AI-first kind of product. But what is interesting is people are building an awful lot of AI-related infrastructure, right? You've had to build checks for that stuff. Like what sort of infrastructure are we talking about there? Is it. I mean, I'm not super au fait with the AI infrastructure, but I know that model context servers are a thing, MCP servers are a thing. But what else is involved and how easy is it to configure this stuff in a way that's not dangerous?
D
Well, so not using AI in a world of open source is nonsense, right? So of course we use it. With Prowler Studio you can create new detections, remediations and new providers. Actually we have customers that create their own providers to scan new providers with Prowler, their own providers, like whatever they want to use Prowler for. So all that stuff is doable in a matter of hours.
A
Well, yeah, you've got rid of that part of these sort of products where you have to be proficient in some indecipherable query language and scripting language for writing the tools. You can do that with AI now. I, you know, that is exactly.
D
So for example, we added Vercel support in two hours. So now you can. Because Vercel is a key part of, you know, cloud infrastructure at the end of the day. Right, so also adding a chatbot, adding an MCP as a part of our set of tools, when it comes to using findings or using Prowler in many different ways, is key. So all that stuff is available around your findings, around your remediation plans, etc.
A
I guess my question was more about like what sort of infrastructure people are spinning up, you know, to host their own agents and whatnot. And you know, is that turning into a popular thing for people to use Prowler to check? Right, that sort of infrastructure, you mean
D
In AWS, Bedrock or Vertex, et cetera. So yeah, we see that happening every day when it comes to building their own models or their own AI in their workloads. But sometimes it's like everybody goes very fast building everything. So people are missing the security part of those services as well.
A
Well, I guess that was part of the question, right, which is like, how are people doing with that? Because we've got this entirely new type of cloud computing environment that people are not experienced in setting up. Are they making mistakes? And is Prowler finding like a lot of misconfigurations and stuff in that area?
D
Yeah, 100%. The good thing is that Prowler always finds a lot of misconfigurations. So the new software development life cycle is you build something and you put something somewhere. Right. And that where is cloud, and that cloud can be infrastructure as a service like major cloud providers or even places like Cloudflare or like Vercel or like many others that need security as well. They need compliance as well. They need to make sure you are using the best practices to prevent from DDoS attacks to SQL injection. Because of course now Claude Code Security is going to take care of the security of your things. But can you 100% trust everything that is being given from a prompt? We will see. I think rule-based security is still a thing at the end of the day. AI goes through checklists in order to give you a response.
A
Yeah, I mean I think at the end of the day having stuff like Claude Code actually use existing tools like Prowler is what's going to make a lot of sense. You know, and when you hear people, the buzzword at the moment is, you know, systems of record, they're going to need to use systems of record and whatever, it's like, yeah, it's pretty funny, as in we're just going to need the same old products but just with agents doing more to interact with them. What's the plan in terms of timing? Because this hasn't happened yet. Right. So these versions are upcoming. Is it a gradual rollout of different versions or are you just going to bang, do an update real soon?
D
We are releasing this week before RSA a couple of features like the provisioning, bulk provisioning with Prowler Cloud, also the import findings from the CLI. So we are making the CLI, which of course is the scanner, but the CLI is also a client of Prowler Cloud in order to make easier the integration from CI/CD pipelines into cloud for compliance, AI, et cetera. So that is coming before RSA, and during RSA and after we are rolling over more features that are going to enhance the experience of our customers.
A
Yeah, and I'll just say for the umpteenth time, I love it that you have a command line, you know, version of Prowler. It makes a lot of sense, especially for people who want to give Prowler the sort of privileges that it needs to do remediations. Like, I totally understand why people don't want to cut and paste that into a web service, into SaaS. Like, that seems insane to me. So, yeah, being able to do that in a CLI and then also being able to do scans from the CLI and then import that into the SaaS so that you can do things like generate compliance reports and whatever, you know, that makes a lot of sense. And it's also the sort of thing that absolutely does not belong in a free and open source repository. So it makes a lot of sense to me. Tony de la Fuente, thank you so much for joining me as always, to talk all things Prowler. It's always very interesting.
D
Thank you. Thank you, Pat.
A
That was Tony de la Fuente from Prowler there. And yeah, you know, Prowler is a good thing. It's a wonderful thing. And you can just go to their website and drop in a credit card and, you know, use it, pretty straightforward. Or you can go to GitHub, grab the free version and just, off you go. Important thing that he noted there too, which is Prowler's checks. All of that's open source. That's not going to go behind any sort of, you know, payment system or payment plan or anything like that. But yeah, it's good stuff. Prowler's call. That's it for this week's show though, and I do hope you enjoyed it. I'll be back soon with more security news and analysis, but until then I've been Patrick Gray, thanks for listening.
Risky Business #828 – The Coruna Exploits Are Truly Exquisite
Date: March 11, 2026
Host: Patrick Gray
Co-hosts: Adam Boileau, James Wilson
Special Guest: Tony de la Fuente (Prowler)
This edition of Risky Business explores the recent leak and analysis of the “Coruna” exploit toolkit, clarifying long-standing confusion about its relationship to other high-profile campaigns like “Triangulation.” Patrick, Adam, and James dissect the technical sophistication and impact of these exploits, reflect on wider industry news—including new trends in APT malware, cyber conflict developments, the Trump White House’s cyber strategy document, and executive shakeups at major agencies. The episode closes with a discussion of open source and enterprise cloud security tooling with Tony de la Fuente, founder of Prowler.
The show opens with Patrick correcting prior misattributions regarding the origins of the “Karuna/Coruna” (spelled both ways) and “Triangulation” exploit toolkits, as used in high-end iOS attacks. The team delivers an insider look at the code’s structure—now available publicly thanks to Iverify—and why this leak matters for understanding top-tier exploitation.
Quality of Engineering:
James’s Apple Perspective:
In-Depth Follow-Up:
Overview of Prowler's Open Source and Enterprise Split:
For further technical commentary, listen to James Wilson’s upcoming solo podcast on the Coruna toolkit, and visit the show notes for links to the reports and resources discussed.
End of Summary