Ralph May
It's hot.
Alex
It's hot. Florida's hot. I think I got all these ACs.
Ralph May
I actually configured my house to use DC power.
Alex
Really?
Ralph May
No.
Sean
I was about to say. I'm not surprised at all.
Ralph May
Your wallet.
Paul
Let's have DC converters in them.
David
Decondition.
Ralph May
Yeah. Just don't worry. It's fine.
Alex
Just imagine how much of a pain in the butt that would.
Ralph May
Oh, the thick wires to my air conditioner would be like, this thick.
David
But you could.
Alex
You could plug your computer. You wouldn't even need a power supply, actually. No, you don't.
Ralph May
Yeah, but it's. You know how hard it is to find a computer with no power supply. It's extremely hard to find. I've been looking for years.
John
Have to convert it back to AC to go back into DC just for.
Alex
Oh, my God. Yes.
Ralph May
Yeah, exactly.
Alex
Anything even happened recently?
Sean
Stuff and things.
Ralph May
You're the host. You. You have to know the future.
Alex
People buy things.
Ralph May
We actually. This is a Minority Report podcast where we actually. We talk about breaches that are about to happen. Did you not. Did you not know that you didn't.
Sean
Get the ball rolling down with, like, the special wood that tells us the grain?
Paul
There's some AI news, which sounds like it would be interesting to talk about.
Sean
There's always.
Paul
Yeah, really easy to talk about.
David
Could also be one of those days to where, like, just this big news story breaks like, 15 minutes after we're off the air.
Alex
So that. That, that does happen sometimes.
Ralph May
Happen a lot.
David
Yeah.
Sean
John just goes, like, all over the place.
Ralph May
John's just like, guys, I found this article. And everyone's like, what? Where?
David
Where?
Alex
Where did you like. John, please tell me, where did you find this article? Like, I've been thinking about it all week. I'm like, it came out yesterday. I don't understand.
Ralph May
I'm going to reverse engineer John's tactics. I think he just goes to Dark Reading and finds something spicy and then just brings it. There you go.
Sean
I feel like I should have drank in caffeine before this.
Alex
You feel like you should have drank caffeine?
Sean
I'm definitely on, like, a low level right now. I didn't have coffee yet today. It's like, no coffee today. Yeah, it's been a rough day for me as well. So I think I had a piece of cheesecake while in a meeting for lunch.
Alex
What is your diet? Just cookies.
Shadow
And what is going on?
Ralph May
Cheesecake.
Sean
It was what was ever in the fridge that was already made. I just grabbed it.
Ralph May
Are we going to have an intervention for you? Wait.
Alex
Yes.
Sean
Maybe. I don't know. Like. So I have like a pour over coffee, right? And like, it makes good coffee, man. Well, no, I do it myself. Like, I grind it myself.
Shadow
I'm sorry, wait. If you think I grind it myself as a defense for. Oh, you're fancy, man. Like, I don't know what. That's not what you think it is.
Sean
The grinder is like $8 on Amazon Prime.
David
All right.
Sean
It's not like it's an expensive coffee grinder.
Ralph May
What he meant to say was French press. I think what he meant to say was I hand grind it.
Sean
Yes, that is better hand, hand grinding coffee. Right. It probably takes me a good 15 to 20 minutes to make coffee.
Ralph May
Yeah. And you just didn't have time.
Sean
Just didn't have time ever. It limit. It limits me to like, if I want to make another cut, I'm like, do I really want to invest 20 minutes to go downstairs and to make another pot of like another cup? I make it per cup. Not even per pot.
Ralph May
Yeah.
Shadow
So no, wait, is that the reason that Keurigs sell?
Ralph May
Well, I will say you gotta have. You gotta have good options. You can't just be committed to the pour over. Sometimes it's nice on a Saturday morning, but on a like, rushed Monday, you can't be relying on that. Get an espresso machine. They're only like $15,000.
Sean
Oh, okay.
Alex
I got two of them. Just in case one breaks. You never know.
Ralph May
No, yeah, espresso is the way to go. You can get pretty solid coffee in like a minute. That's what I would recommend.
Sean
I'll see if John will approve.
Shadow
Japanese hot pot and then Japanese pop.
Ralph May
Instant coffee. I mean, that's actually okay. That's not a terrible idea. If you need to drink a ridiculous amount of coffee, you can. That's basically infinite coffee glitch at your desk.
Sean
Yeah, they have like instant pot, instant coffee packs like buried at the bottom of this bag, now that I think about it.
Ralph May
Well, go get that bag and we'll see you in five minutes. Cold brew is good too. People in chat, we got lots of good. That's like cold brew. You're not going to get a lot of off flavors you get with normal coffee.
Sean
Yeah.
Ralph May
So yeah, you're going to be awful.
Shadow
I like loose. And Shadow's got a great comment in the chat. Two espresso machines, BC/DR plan, from Shadow. Real nice.
Ralph May
Yes, exactly.
Sean
Straight into the DC outlet.
Ralph May
These John Strand memes are really doing it for me. The one of him on the. Is that John Strand. I don't even know someone.
Sean
Strand.
Alex
Yeah, I think that is funny over here.
Ralph May
I don't know if that is. But if you look at Haircut Fish, I think. I don't know if it's John Strand, but someone on the orb. That's good. AeroPress is good too. But AeroPress can get really complicated. And I will say, I think unless you have a really fancy, complex recipe for AeroPress, it's not as good as, like, pour overs.
Sean
I got. I got rid of my Keurig. When I read about, like, the dude who invented Keurig is like, what have I done?
Ralph May
This was a mistake. Yeah, Keurig. Keurig and Espresso are the bottom tier of coffee. I would say instant coffee is above that. Instant coffee is better.
Shadow
There's some good instant brands these days.
Ralph May
I agree. Yes. I agree. I think instant is not to be slept on.
Alex
On this episode of Talking About Coffee.
Ralph May
Talking About Coffee, A coffee podcast where we talk about breaches.
Sean
Oh, the other. So when I was at DEF CON, one of my students found me and he was from. I think he was from, like, Central America. He was from Central America, maybe even Colombia. But he gave me coffee from his country. And I was like, this is amazing. And it's actually like, that's what I'm still drinking.
Alex
And that's. They're still drinking the same coffee that he gave you.
Sean
It was a bag. I make one cup at a time. You only go through, like a pound bag so quick, right?
Ralph May
Yeah, you got to. It's impossible to preserve one time. My. Yeah. If you have friends, you just got to like, give coffee to your friends and be like, drink this before it goes bad.
Alex
Welcome to Black Hills Information Security, Talking About News. I am your host today, Ralph May, and I am excited to be here with an all-star cast of luxurious hosts and coffees. Cast members.
David
Yes.
Alex
We have serious beans. Yes. Starting from my left. Your right. I'm not sure. A bird who pooped on me yesterday.
Ralph May
I'm not the bird I was pooped on. Does that make you super lucky? No. I don't know. We'll find out, I guess.
Alex
Yeah.
Sean
We were discussing omens. What's up?
Alex
Thanks for joining us. Making it. Making your way here. All the way. Today we got Alex. Thank you also for joining us, Paul. I don't think I've seen you on here before. Welcome, Paul. No, David and Sean. And then finally, last but not least, the man who makes us sound great.
Ralph May
I push buttons.
Shadow
That's my job.
Alex
So did anyone read the news did any. Did anyone even look at it? Did anything even useful in the security?
Sean
I saw the two billion dollar purchase.
Ralph May
The who is one?
Shadow
Yeah, the MasterCard articles.
Ralph May
And who is one is good. The. I guess, I mean M and A. Where do you want to start?
Alex
You want to start with the Fortinet breach?
Ralph May
I say start with that. I mean, because I clicked on it.
Paul
And I have copied already.
Alex
Because you have it in your browser right now.
Sean
Oh wait, did you. Which link did you click on? Okay.
Ralph May
I mean. Okay, so everyone.
Alex
Wait.
Ralph May
Yeah, everyone knows Fortinet. I think 440 gigs. I think all of those 440 gigs are confirmed to be not firewall configs.
Alex
That must be a lot of firewall config.
Ralph May
That would be every firewall config in the world. Yeah. So I guess it hasn't really been attributed, has it?
Sean
But is that at least.
Alex
That's a Fortibitch I'm looking at.
Sean
The threat actor is known as Fortibitch. Oh, that's a pretty good name. I thought that said Fortibreach and like your mouse was over it. But nah. Forti.
Ralph May
Okay, let me. Let me rephrase. It hasn't been attributed to something that isn't just a meme. It's not like LockBit. It's attributed to Fortibitch.
Sean
A threat actor that just goes after one company like good for that purpose.
Ralph May
Right.
Alex
So they got 400 gigs of what?
Ralph May
440 gigs. Yeah, but apparently they. So Fortinet claims it only affects.03% of its customer base.
Shadow
Customers.
Ralph May
Yeah, which is a fun number because it's like what if those are your paying customers and everyone else is just free account.
Alex
I don't know what Fortinet free tier you're using.
Ralph May
I mean I'm just going to do my default thing that I do on the show where I say every breach is from info stealers and say it was from info stealers. Probably like a vendor thing. Like a vendor had access to a bucket or something like that.
Sean
It gets me because you're like 90% right with that. It's just the.
Alex
Yeah, like you can be 90% right just by accident how often it was.
Ralph May
Third party cloud based shared file drive. That's how they phrase it. Which to me could be S3 bucket, could be Azure Storage Blob, could be, you know, Snowflake or whatever.
Sean
MFA definitely wasn't drive.
Shadow
I mean the allegation of a SharePoint server from the threat actor could still be a cloud based storage. You know, in that sense.
Ralph May
Yes. True, true. Well, that's what they're saying, scratching my.
Shadow
Head like at what is this data?
David
Right.
Shadow
440 gigs for 0.3% of their customer base. And you know, like, like you said, it's not firewall config. So is this just like giant reams of log files or something like diagnostics?
Ralph May
My guess is, my guess is it's doc. I'm guessing it's like diagnostic data. So this is one thing we've encountered with network vendors before where like they have less than secure practices for their support team. And you know, the support team's like, oh, your firewall isn't working. Well, just upload the files to this Google Drive or whatever. You know, the full, the full diagnostic archive, which could be, you know, hundreds of gigs of like, you know, seven days worth of logs and all the diagnostic dumps. That's my theory. I completely made that up. For the record, I don't have any data to back.
Sean
I was about to say, you have the data already, don't you? We know it.
Ralph May
The data is public. I haven't downloaded it myself because I'm too lazy. But it is like the threat actor, Fortibitch or whatever, posted.
Alex
Classy name.
Ralph May
They did post like key access. They posted the files. So they're not, they're just going for broke. The files are already open, so there.
Alex
Must be anything there. Do you think if, you know, they just posted it right away?
Ralph May
I, I would guess they tried to ransom it failed and so they posted it.
Shadow
That's the one article says they attempt. The, the, the threat actor claimed that they attempted a ransom and Fortinet basically told them to screw off.
Ralph May
Sure. Yeah.
Shadow
So what, which link did you Fortinet's response? If you read the comments, basically they're acting like this is no big deal. So.
Alex
Oh, typical Tuesday, huh?
Ralph May
So next week on the news, we'll talk about why it was a big deal. Stay tuned.
Alex
Yes, yes, stay tuned. It's always funny because sometimes these breaches come out and we get like, just like a whiff that there could be something.
Ralph May
Right.
Alex
They're like, well, it was an incident, right?
Ralph May
It's.
Alex
It's nothing. It's nothing. And then a week goes by, as Corey mentioned, and then we're like, yeah, it was something. It was something big, right?
Ralph May
Yeah. I mean, yeah, we'll see. It could, it could be even like sales data or like, you know, something like bunch of slide decks with like all The, I mean, 440 gigs. Yeah, probably. It's gotta be some kind of logs or diagnostic data that's A lot of.
Alex
Data, only photos of the routers.
Sean
Netflow of a single.
Ralph May
It's. Yeah, it could be netflow. Like, that's a good. That's a good, like, potential thing. That would make sense.
Alex
Yeah.
David
Some of the info coming out is that it exposed the SSL credentials support files. If you have FortiCare or FortiCloud accounts, those are at risk. This was stuff from a breach that occurred last November.
Ralph May
So it could. Yeah, I mean, people are saying in chat, it's totally true. It could be Snowflake fallout, potentially, depending on where that data was stored.
Alex
But melted, who knows?
David
Yeah. And there's also. Again, going back to. Sometimes the threat actors have brought this up, but there's. The threat actor was accusing Fortinet of failing to file an SEC 8-K form. They didn't do that. Mandatory disclosure. So that might be some of the, you know, some of the reasons why it was just released for free is like, look, this is. This is all the stuff that was breached. And you never did that filing. That was necessary. You didn't negotiate with us.
Sean
When they do that filing does do they naturally say like, hey, these people just filed pretty quickly. Does anybody know? Like, how do they know they didn't do the filing and the. They just kept a secret and insider threat.
Ralph May
Wait, you're saying that. How does the company know that they are the ones who file?
Sean
Alex said that the threat actor said that Fortinet didn't file, that they were breached because they're publicly traded.
Ralph May
Okay.
Sean
Right. How do they know? Like, when a publicly traded company does file, how long does it take for the public to find out then?
David
I don't, but I think it's.
Shadow
I think it. I don't think it takes that long, actually. I think they're. They're publicly available pretty rapidly. That's actually how you hear about a lot of these, is the records being available for poll. So presumably, of course, the threat actor knows when they hit them, and they know within the next days. They haven't seen anything posted. And then they know, okay, you guys haven't posted anything.
David
Yeah. And considering this was from November of last year, like, they could safely say that you haven't filed this because we breached due in November and September and we're just, we're dropping this information now.
Ralph May
And I feel like it's part of the ransom negotiations to be like, hey, not only will we, you know, disclose the data, we'll also go public with, you know, the announcement or whatever that. It's. It's got to be like a Bargaining chip from the attacker's perspective of like, not only will I do this, also cause impact to your share price or whatever.
Sean
Typical.
David
Speaking of Snowflake, much of a. I.
Shadow
Mean I was just trying to think, is there any actual useful lesson to take out of this one for the audience? But it seems like it's kind of a nothing burger to me. I don't know if you guys.
Alex
Yeah, there's definitely nothing.
Ralph May
I mean I would say if you use Fortinet products, definitely make sure that you find another 5 or your exposure. Especially if you use the two products that Alex listed, which would be FortiCloud and was it Forti support or something? Yeah, it's got to be FortiCare for the FortiCare. If you've ever wanted your firewall to be able to tell you what your cough is, that's what that is. Yeah. So basically, if you're affected by this, I'm sure you'll be getting an email here shortly.
Alex
But I mean free credit, monitoring for life, the usual, these are the kinds.
Ralph May
Of things like Fortinet stuff should probably never be publicly exposed in any way, shape or form. So if you're already hardened, you probably don't really have to think or worry about this. But I will say third party cloud credentials. Think about what access to your Fortinet support interface could do if it was malicious, right? I don't know, probably nothing. But maybe if you could modify a config or something like, who knows?
Alex
Speaking of Snowflake, did you see they finally enabled multifactor and why the hell.
Ralph May
No, no, you mean required.
Shadow
I'm sorry, it's been an option for.
Alex
Required. It's been an option. I'm just, I'm just kind of taking back the idea that like it's not forced from the get go. I don't know. I guess a lot of platforms aren't forced. I mean, what do you guys think? Do you think we should like, do you think when you go to a website everyone should be enforcing multifactor like by default?
David
No, think it depends.
Sean
Depends on the company, right? Yeah, like I think it should be useful.
Ralph May
I think it should be prompted on enrollment and I think it should be required once you actually put data that's beyond test data. Like basically like if you're. Let's say you sign up for a Snowflake account, it should ask you, do you want MFA during account setup? If you say no, that's okay. But the second you go and import a CSV into Snowflake, it's like now MFA is required, if that makes sense. Like once you put data into it, then it trips the threshold for okay, now you need MFA, because if you're just like demoing it for the first time, although honestly it takes two seconds, so it's not that hard to set up.
Alex
So what I've seen with a lot of the different providers out there is typically they run into on the setup process, they'll do some kind of, you know, multifactor, but not in the sense that we're thinking of. Right. So the SMS, right. If you got to set up a phone or email is the most common one or whatever. Yeah. And so, and then what they do is they immediately turn on some kind of conditional access within their application so that if you log on from a new device, you know, whether they fingerprint your browser or whatever, then it kind of forces you into validating your authentication via that email.
Ralph May
Right.
Alex
It'll say, hey, we haven't noticed you from this device. You know, we sent an email to send us that code. So I think that's like the easier on ramp, right, that I've seen.
Ralph May
You're saying passwordless? Yes, it's still single factor, but the factor is something you are not something, you know.
Alex
Well, I mean, well technically they're, they're adding in a kind of an extra validation. Right. Like is that like one and a half factor? Because this, it technically it's out of band though. So it's an email. Right.
Ralph May
It's still a single factor though. The only authentication token is just the email link you get. That's the only authentication. You could send that link to anyone you want. Just like you could share your password.
Alex
You could send the link. Yeah, you could send the link to anyone want. It's only going to you though.
Ralph May
I mean, you're right, that is like the newer way of doing things is you don't require a password at all on account creation, you just require an identity and then that.
Alex
Well, yeah, I've also seen that too where they're just like, hey, just an email or whatever. But anyways, the on ramp where like, you know, that's their way of moving in and then they have the option, if you want to, to enable a second factor, whether it be SMS, horrible idea, or you know, epa, which is probably the best. And then, I mean, I think it should be required.
Ralph May
Like I think that is the great option. But the two things that people are talking about in the chat that I want to call out are number one, the friction, which is there's two kinds of friction, which is if I have to set up MFA and I don't have a password manager, then that hurts me and I might just browse to another site or do whatever. The other thing is friction on support. A lot of people don't know how to effectively manage MFA tokens. And so if you set up a TOTP and you lose the Google Auth, you know, you get a new phone or whatever happens and you don't know how to back that up, then that's creating a lot of support load on the company where you're like, hey, I lost my MFA. And then it's like if that process is easy, then you just have the similar security of like making it too easy to reset MFA. Sure. But yeah, I mean I think it's ridiculous for a company like Snowflake whose. The entire point of it is to put your good data in there. It's like, it's like, it's like the whole point of Snowflake is give us your crown jewel data and we'll make it easier to process and access. Well, why doesn't that require MFA? It's one thing to do like New York Times or whatever. What is it if I'm going to read all my articles.
Alex
Yeah, yeah. I mean, what's the risk?
David
Right?
Ralph May
I mean because AWS for example rolled.
Alex
Out mandatory two factor like years ago. But if you have an AWS account, they, if you had an account, you had to enable it. There wasn't a choice, right. La everybody. But that was a couple years ago.
Ralph May
I mean, but also you can still create access keys with infinite like they're, they're like you can still make an.
Alex
Access key that is like a forever thing, right?
Ralph May
Yeah, you can still make an access key which is single factor, but yeah, I mean it should be required. This is way. The other thing is there is a cost to MFA if it's SMS based, they have to pay for every one of those texts out calling and those bills can get really expensive.
David
Big enough?
Alex
Yeah.
Ralph May
But I mean again for a company this size, does the token base then.
Sean
Like Google Auth1, does that not cost anything then?
Alex
No.
Ralph May
TOTP. I mean it depends. It shouldn't cost anything if it's in the code base of the app. But a lot of people are just going to use a third party code base like Keycloak which is open source or free or some of them will just use Okta or other well known providers.
Alex
So if you write your own authentication mechanism, which isn't that crazy, you could Implement Google Authenticator.
Ralph May
Yeah. TOTP is free and open. It's free.
Alex
It's like an open standard. Right. But if you do implement one of the other authentication providers a lot, for example, like Auth0 and other stuff like that, you know they'll implement that. They'll do those because then they don't have to write all the authentication mechanisms. They can just bring in those libraries and then use that.
Ralph May
Yeah.
Alex
So it just depends.
Ralph May
So basically it is free. I mean most apps should have TOTP-based MFA. Like there's plenty of home lab apps.
Alex
Yeah.
Ralph May
Like you know that you can get that are like to support TOTP-based MFA without any kind of. You know that. But again, roll your own, blah, blah, blah. Like there is it. It does take some effort, friction, whatever you want to call it, to get it rolling.
Alex
But you guys want to. Anyway, talk about my favorite technology. Cameras, Cameras, cameras.
Shadow
Favorite story on that one.
Sean
Camera, cameras and AI.
Ralph May
Another hot take. This is not the first take by Larry Ellison that we've talked about on the news. The last one was. I forget whether. Does anyone remember what it was? It was something like AI is going to take all of security's jobs or something.
Alex
Yeah. So he's working on a. He's not really working. It doesn't sound like he's working on a surveillance system. He sounds like he's working on AI.
Ralph May
To private island, which is just Hawaii.
Alex
Yeah, Private island right there.
Ralph May
He owns 98% of an island in Hawaii. But anyway, no way.
Alex
No way. Owns more. He's got a big.
Shadow
He's got a big.
Alex
Anyway, anywho, so he's coming up or when I say coming up or trying to develop a AI platform for all of the cameras, feed all of that like surveillance cameras and police cameras and all this other stuff in to see if people are doing bad things. I'm not sure.
David
He's 83 years old.
Sean
Yeah, right. He looks pretty good for 80, to tell you the truth. But I guess that's what a billion dollars does to you too.
Ralph May
He's got that young blood. He's probably got a blood boy. He's probably got a botanical.
Alex
Oh my gosh.
Shadow
Feel out the Mad Max. There we go.
David
I mean he's spending a lot of money to get the obvious answer that like yes, people are doing crimes like more cameras, more AI.
Sean
You're going to.
David
You're going to go from okay, there's. There's a crime that was committed, we have video footage of it to a crime was committed, we have video footage of it. And that video footage is in 4K and from three different camera angles. Yeah, it's what, what changes there that you go look, if, if having it, having clear cut crimes on body cameras, on surveillance videos, on, you know, ATM machines, having those, if that doesn't result in the crime getting prosecuted, how does having more cameras and more AI all you're going to do is just, it's going to make it clear that there's a lot more crime that's not being addressed.
Ralph May
I mean like this is the definition of this is only newsworthy because a billionaire said it. Because like that's right. I mean, okay, here's the quote. He said every police officer is going to be supervised at all times. And if there's a problem, AI will report the problem and report it to the appropriate person. Okay, can we talk about alert fatigue? If you're watching a feed, let's say you're watching a feed from every police officer, there's always going to be a problem. That's their job, the whole job.
Shadow
I think he's getting actually, I think he's actually getting more at like, if police are not doing their jobs properly, they talk about more like, okay, back to square one.
Ralph May
That's their entire. No, I'm just kidding. So, okay, so like I get what you're saying.
Alex
Monitors, they're like the monitors monitor.
Shadow
That's what, that's how I read it. I read it as AI is going to keep an eye on everyone, on both sides of everything. And so it's not just AI is going to catch, you know, petty crimes. It's also AI is going to tell you when the cop is beating the tar out of that guy down the.
Alex
Street, he shouldn't be double crime.
Shadow
I think this, I mean, we've got body cams for that already in a lot of jurisdictions, which seemed like a much less intrusive way of achieving.
Ralph May
He probably, yes, it's confirmed now we're making this up. But he definitely went on before this interview, he went on the AI and said, give me some hot takes I can give in front of a bunch of people. I mean it could be true, but it is totally just like the concept is so easy to just like say. But the reality of implementing it is not as easy. And AI is not just like a yada, yada, yada thing. You can't just be like, oh yeah, of course AI is going to figure out when cops are doing something they shouldn't be doing. It's like, okay, explain how if baton.
Sean
Is moving at X speed and outline is human alert. Yeah, there you go. I wrote the first detection for.
Alex
Oh, my God.
Shadow
I think more concerning to me than to try and bring this back to a little bit of serious. I think more concerning than the idea of having AI try to assess what's going on in video was the implication that you need to build, you know, the Orwellian super surveillance state, which I don't know about y'all, but I'm not too fond of the idea of a CCP level of monitoring everywhere, all the time that is controlled.
Sean
That one's a little bit more hardcore. Yeah.
Shadow
There's already plenty of stories about what that kind of monitoring is already being used for, let alone when you start slapping intelligent algorithms on top of it that make it faster and easier to track people down, things like that.
Sean
I do love it when it shames people crossing the street, though. That's pretty cool.
Ralph May
Paul, what were you going to say? What were you going to say, Paul?
John
Basically the same thing that Sean said. If you created, like Panopticon, look at everybody, which is great in theory, but there's going to be a human behind it. And also, it has already been proven that AI has biases built into them.
Ralph May
That's a good point.
David
Based off its training, can.
Ralph May
Yeah, I mean, I think that AI is one of those. Oh, sorry, there might be a lag. I think AI is one of those things where, like, you know, you mentioned it has biases. I think the tech side of what, like, the AI actually will do is something that billionaires think will be trivial and easy, but then they go tell, like a thousand tech people to do it, and they're like, hey, we can't tell the difference between a finger and a hot dog. And we have put $2 billion into this and we cannot do it. Like, so I.
Alex
We've given it a soul.
Ralph May
Maybe someone will call my bluff. But my whole thing is that the NSA has been trying to do this for years of, like, we have a data lake, we can't search it. Can anyone figure out how to search it? I'm assuming there's been thousands of people working on this for years. I think it's the same thing with AI and especially when you get into video. I would say, Larry, you know, this features come into the Apple iPhone, right? Like, this is that you don't need massive. Like you could now on the new iPhones, you can search like this person in this video, this moment in this video. So, like, this is already, like on device on apples. This is. You don't need like some Orwellian level Panopticon. Like, it's just your iPhone, dude. Like, I don't know. Anyway, I.
Paul
This guy's 80 years old though too. He probably has an Isaac Asimov understanding of what AI can do.
Ralph May
True, that is a good point. And he hasn't really been relevant other than apparently he was briefly the most the richest person in the world for like two minutes and then went back to Bezos. But anyway, still, I guess somehow we always talk about his hot takes and they're always pretty bad. So let's see if we can go three for three next time.
Alex
You guys want to talk about cyber insurance?
Ralph May
No, let's talk about Recorded Future.
Sean
Yeah, okay, we'll talk about that before I have to leave.
Alex
All right, talk about that. Tell me.
Ralph May
Yeah, okay, so how the heck is Recorded Future worth $2.65 billion? Cause isn't it just like a website you can't even go to because you have to have an account?
Sean
Yeah, you're right. It is. It is private and locked.
Alex
It's a hype train, man.
Sean
It's a hype train. I don't know. I feel like I'm definitely going to call it my own biases. Like, I learned how to do threat intel using their platform. That was like the first thing. And I will admit they had like some pretty good resources and some pretty good stuff behind them.
Ralph May
It was just the threat intel platform for 2.67 billion.
Sean
It's not like a TIP, like what you would think, but they do. They do all the threat intel stuff, right? They provide you lists, they do the dark web searching. They do like, you'll throw names into their platform and if any news comes up about their names, that'll bubble up.
Ralph May
Google does that for free. It does it for free.
Sean
But this one, you can like actually put like risk scoring. Like, trust me, it's not. It's not cool.
Ralph May
It is $2.65 billion for it.
Sean
No, that's why I was like, why was MasterCard. Like, at first I was like, MasterCard is paint buying them. Then I was like, I guess they're working the threat intel arm.
Ralph May
They charged it, that's all.
Sean
Yeah.
Ralph May
They listen, they just wanted to incorporate this. I'm assuming the whole thing is they wanted. Yeah, this is just them getting in front of the whole fraud detection AI thing.
Sean
Yeah, that's what I thought too.
Ralph May
Right? Yeah.
David
They're paying that money to be like the forefront of threat intelligence. Because, I mean, threat intelligence is growing and MasterCard is basically going, okay, we're going to be in front of this, make threat intelligence a big deal, you know, and they're, they're going to invest. And I, I think while they're spending a lot of money on this, I think it's a good investment in the threat intelligence space because they're going to get their money back from this as it grows over the, you know, as threat intelligence grows over the next, you know, decade or so.
Ralph May
Sure. Oh, sorry. I was going to say, does anyone know if Recorded Future has done, like, AI stuff?
David
Yeah.
Ralph May
Is that.
David
Yeah.
Ralph May
So that's.
Shadow
They had some art.
David
Yeah. So I mean, I took over. I mean, Wade did. Wade learned on AI and I took over, like his seat and his work. So I definitely use like Recorded Future and the stuff that he built, you know, absolutely enjoy using it. And it does have the AI capabilities. So I can see where it would be the product to buy for what MasterCard is wanting to do.
Ralph May
Gotcha. What are the AI capabilities?
David
A lot of the AI capabilities are some of the analysis against, you know, top threats against your organization, I believe also some correlation. And I think where MasterCard is entering the space is on that fraud detection. It say, okay, here's some compromised cards, compromised accounts, and then it would be able to notify and do that analysis for you.
Alex
So.
David
Yes.
Ralph May
Yeah.
David
And lots, lots of people in chat are also reinforcing that, you know, Recorded Future does lots of AI stuff.
Ralph May
So it's basically MasterCard decided our fraud detection division is going to be scrapped. We're going to spend $2.5 billion to turn it into its whole thing. And they could probably sell those services to vendors and other things as well.
David
Yeah. Basically, in the threat intelligence front is something that MasterCard recognized as being at the forefront, is that it needs to be less reactive and more proactive, saying, hey, we need to do the threat intelligence in order to get out there, get out in front of it and say, here are these things that are emerging, you know, potential fraud, potential causes. So, yeah, the, you know, risk scoring that's based on traffic. So it does that heads up. And a lot of organizations, especially financial institutions, are wanting to see that. They don't want to, you know, close the barn door after all of these accounts get compromised and reissue a bunch of cards they would rather know ahead of time and say, hey, we, we got in front of this, we stopped this, and MasterCard is recognizing that and we'll be providing that as kind of a service or, you know, kind of a pilot program for financial organizations.
Ralph May
Sure. I mean, A lot of people are saying in chat that it's a pretty solid tool. It seems like it has pretty good penetration, at least amongst our audience, of like people knowing how to use it, people being familiar with it.
David
No, and it absolutely shuts down some red teams. If you get like good CTI or their red team building their infrastructure and doing some of that initial recon, Recorded Future will see it. And you, you shut it down, you burn their infrastructure and you go, okay, we didn't, we didn't hear from our contest for a couple of days because they had to rebuild. Yeah, they rebuild their domain. Like we, you know, we see it and go, hey, they, they, they cloned our domain. They tried sending some phishing emails from it. Take all that as like early intel, early information and say, we're gonna, you know, we're gonna burn down this cloned website before anything emerges from it. And then you, you see that pen test report a month or so later saying, you guys, you guys saw us like within a day of registering this domain, burnt it down. And we had to spend a whole other day like putting it back up again.
Ralph May
So what you're saying is MasterCard, their subscription to Recorded Future was so expensive, they just decided to buy the whole company? Is that what. Yeah, is that what I'm hearing?
David
I mean, there are a lot of good modules. It's a fire hose of information. Sure, you can certainly buy everything and spend a lot. You can tune it and be choosy and get some real good advantages from it as well. But I think it's MasterCard investing in the threat intelligence space, not just the Recorded Future space.
Ralph May
I mean, it's also potentially an entry into the security space for MasterCard, which is like kind of an interesting, you know, financial, big financial companies have so close ties to security, but traditionally have kind of avoided it as an industry. I think this might kind of break that mold a little bit of being like, we are going to start providing security services, we are going to start integrating security into our products from the ground up or whatever. Maybe that's the, maybe that's the read here. I mean, we'll see. It could also just totally be a buy, like pump and dump type of scenario. I mean, it's a lot of money though.
Alex
Yeah.
Ralph May
Okay. I guess we could talk about cyber insurance, but this article, again, this is like a Larry Ellison hot take. I can't really take it that seriously.
Alex
Yeah, I mean like security, who definitely.
Ralph May
isn't a cyber insurance provider, probably says that cyber insurance is poised for exponential growth.
Alex
Yeah, that's like the whole thing.
Ralph May
There's growth.
Alex
I don't know. Okay, so like the article is, it's got more words than it's growing. But I mean, you know, the premiums are going up. You know, we obviously know the reasons why. And insurance companies are just in the business of making money, so they're not going to keep playing out these insurance policies. I think it's a good thing though because it actually flips the pressure. Instead of spending money on insurance, you should be spending money on actually securing these things. Right. As opposed to being, well, insurance will pay for it. Right. So I think this is definitely a.
Shadow
Story you hear in a lot of places.
Ralph May
The article, the article is like reporting based on an article by CyberCube or like a research report that was published by CyberCube. I don't know what CyberCube is. I'm now on LinkedIn and it says they're delivering data-driven cyber risk analytics for the insurance industry and they have 50 to 200 employees. So I don't know, they help, I.
Shadow
don't know, they claim to help quantify risk. So taking something, we're putting the actual dollar values against it. So my presumption is from a marketplace standpoint, they're probably working with insurers to get them dollar values so they can price out policies and things like that.
Ralph May
I see. Yeah. I mean that's an interesting take that like cyber insurance is going to grow because I also could hear a take that's like cyber insurance is going to die because just like everyone's gets breached. Like it's like uninsurable because everyone gets breached. No, I, Yeah, that does blow my.
Alex
mind that like you can even still get cyber insurance. Like that's. I don't know.
Ralph May
I don't know. I think the article is kind of a non-starter. But I mean it, it's definitely. Yes. I don't, we don't have any cyber insurance experts here. I, I don't know if you want to be a cyber insurance expert or if that like technically makes you go crazy, but apparently it says here the mid-range projection suggests that the US standalone cyber insurance market could reach $45 billion in premiums by 2034, which is 5x of today. So today would only be $10 billion in premiums. Seems like a lot less than I would have guessed for cyber insurance. Apparently people aren't paying a whole lot for cyber insurance. Right.
Shadow
Well, the other thing to keep in mind is unless you have a specific regulatory need to carry a cyber insurance policy, a lot of businesses actually will get relevant insurance through various loss policies. On general business, you can get equivalent coverage through other means that many companies are already carrying, and they just put a small rider on that, which is often cheaper for them than getting a full cyber policy. You see cyber more commonly these days, where there's an actual need due to some regulation or something for you to literally have cyber insurance.
Ralph May
What regs are there to require cyber insurance if you know off the top of your head? If not, I'm sorry for putting you on the spot.
Shadow
No, no, take this with a slight grain of salt. I used to work in the finance sector and there were places there where there were actually things that come through from the, I believe, some interpretations, some of the SEC side of things that actually effectively mandate you to have cyber.
Ralph May
Gotcha. So financial, mainly.
David
Yeah.
Ralph May
Interesting.
Shadow
There may be others, but that's the one that I'm most familiar with.
Ralph May
Sure. I mean, it makes sense. It's a really heavy.
Shadow
I see required saying healthcare also in the chat.
Ralph May
That would make sense. I mean, but seriously, if the, if the premiums are $45 billion, like, what is the site? What is the monetary impact of like a Change Healthcare breach? It's if. If. So, okay, if standalone cyber insurance policies collected $10 billion in premiums, what's the impact of this, of something like the Change Healthcare breach? Because that's got to be close. I mean, I don't. Maybe 10 billion is a lot, but that, that's gotta be billions of dollars, right? Theoretically, if they actually had to pay out. Or is it only covering like, like how much does cyber insurance cover? Does it cover? I'm assuming it covers incident response and like the actual material loss of a ransom payment. Is there anything else? Like it can't cover, like all the downstream effects or else it would be like a $10 billion policy.
Alex
Yeah, and it probably depends on the policy. They probably write different stuff into the different policies, get cheaper policy, not cover the ransom. I'm not sure also what you just.
John
Said is true about, you know, Sony, that big hack, they lost a lot of money through the movies and such.
Ralph May
Yeah, I mean, I don't know. I don't. We don't know anything about cyber insurance. We should move on.
Alex
Yeah.
Ralph May
If you know about, if, if you actually know something about cyber insurance, come on the show, talk about cyber insurance. I think it is kind of. Okay, here, here's a. I just googled it. UnitedHealth Group estimates their cyber attack cost is $2.3 billion. So if you, if you have a cyber insurance policy. I mean, that would be 25% of the gross revenue of cyber insurance, the industry, for one year. So basically, if you call in, if you're Change Healthcare or UnitedHealth Group or whatever, and you're about to call in your policy, you're gonna. You're gonna tank that company. There's no way that payment, that, there's no way that policy is ever going to pay out, because you are. You gained $2.5 billion. And the revenue, the entire gross revenue is only 10 billion. So, yeah, I don't know. The numbers don't make sense, but I don't really understand insurance. Again, if you understand this, come on the podcast.
Paul
It's kind of. It's crazy too. It's kind of. Cyber insurance is a lot cheaper than I thought it would be. Because I'm looking at an article now that says for like a million dollars in coverage. This was back in 2019, but it was $1,500 per year. So that's kind of wild to me.
Ralph May
So $1,500, you're like, all right, I paid my 1,500. Now I need $2.5 billion.
Paul
Yeah.
Alex
So let's. Let's talk about cyber insurance, but also move to the next article, which is 23andMe is going to pay 30 million to settle their 2023 data breach lawsuit. Right. So this is kind of like the fallout of the data breach. Right. So back.
Ralph May
Who is that going to Who?
Alex
That's a great question. They agreed to pay 30 million to the affected customers.
Ralph May
Oh, it's a class action. Okay.
Alex
Yes, it's a class action. Which means everyone gets, like, $3.32 or something like that. Yeah, yeah, give me that check.
Ralph May
Can I get something that changes my DNA to someone else's?
Alex
No, no, that. That's not the feature they offered.
Ralph May
Okay.
David
You could buy a broken microwave. That'll do that.
Alex
The most interesting part about this. The most interesting part about this is at the. At the end of the article, it says revealed that it earned a total revenue of $220 million, down 27% from its $300 million the year before. And a huge chunk of the settlement money will come from cyber insurance, though, which the company expects to recover $25 million out of the $30 million.
Ralph May
So they paid 1500 bucks and they got 2,500 million out of it. That's pretty good insurance policy, if you ask me. Yes. We don't know how much they paid for the premium, but clearly less than 25 million, I would assume.
Alex
Yeah, that kind of brings the kind of full circle here.
Ralph May
Right?
Alex
Like cyber insurance is going up and.
Ralph May
Right.
Alex
You know, why? Like where, where is this money going? And then a breach happens and then there's a legal.
Ralph May
It's the legal stuff. They're covering the legal fees. Once the insurance has to cover the legal fees. It's better, you know, it's. The payouts are going to be huge. Yeah, lawyers are expensive.
Alex
If your data was breached in 23andMe, I have no idea how much money you're going to get. But $30 million in the class action.
Ralph May
Lawyers take 90% and then everyone gets $3.
Alex
I mean, so it's 6.9 million.
Ralph May
What's the lawyer fees?
Alex
I mean, you'd be lucky if you get a dollar. Dude, there's 6.9 million users.
Shadow
Sorry, no, I mean $5, man. And then lawyers will take, you know, 70% of that. So maybe you get a buck fifty. Although.
Ralph May
Okay, but you can, you will be sent a link where you can delete all your information from the service and you'll be able to enroll in a three-year privacy and medical shield and genetic monitoring. So if you're.
Alex
What does that.
Ralph May
Okay. If your DNA changes, they will tell you.
Shadow
Well, but the thing is, I can't wait to not submit your DNA to a new third party.
Ralph May
Yeah. For the breach monitoring, we're using Kroll's extremely not a government spy program monitoring. No, I'm just kidding.
David
Yeah, but like another line that stands out to me. Like with the agreed to pay $30 million as well as to conduct computer scans. And what frequency are they doing those computer scans? They say they will conduct annual computer scans and sign up audits for three years.
Ralph May
They're just getting a pen test now? They have to get one pen test.
David
Yeah. Then audits for three years. And it's like, well, that's. Congratulations, you hit the, you made, you met the floor.
Ralph May
Okay, but here's okay, I will say I do like it when the legal system backs up how we all feel, which is that you should get an annual pen test. You should monitor for credential stuffing. Like, you know what I mean? Like, it does kind of back up. It's like the baseline. It's like if someone says, oh, I don't need an annual pen test, I'll be like, but you might legally be required to get one if you get breached. Right? Like, you know, it does kind of come full circle of like, you know, I mean, the annual scan of computer systems is so ridiculous. We have purchased Nessus Professional for $3,800. And now we are compliant with the legal demand.
Alex
That's pretty funny.
Ralph May
I mean, I do want to know what genetic monitoring is. I like, that's.
Alex
That's honestly my most burning question too. When you told me that I'm like, my DNA is going to change or.
Ralph May
Like what they do is they, they look, they scan the dark web for your.
Alex
Is there a dark web for exchanging DNA? If somebody clone you, they'll let you.
Ralph May
Know you can print Someone on a 3D printer. You have you not. I have the future.
Alex
You can grow humans.
Ralph May
Yes. No, I honestly don't know what that would be.
Paul
I mean, would it not be like whenever you're not quite in Westworld, updated by somebody submitting their DNA or something like that?
Ralph May
Maybe, maybe it could be that. But I just like the idea that it's some ridiculously futuristic thing that's impossible.
John
To just insurances by your DNA.
Alex
200 years from now. They're like, oh, we detected that you've been cloned with that data breach.
Ralph May
You get, you get an email. A clone has been grown in vat number 2782. Would you like to terminate?
Paul
That's how your future clone self finds out that your future self is a clone.
Alex
Oh, this is a book. This is a book.
Shadow
All right, all right, gang, I think that's our.
Ralph May
How do we know if we're the clones, Guys?
Alex
We don't.
Ralph May
All right, what else, what else, what else?
Shadow
Google getting the gavel thrown at them by the EU.
Ralph May
Yeah, yeah, let's talk about that. I mean, everyone gets the gavel thrown at them by the EU. This is every tech company.
Alex
More like the EU.
Ralph May
It's either going to be tax evasion in Ireland or GDPR violations. Which one?
Shadow
Number two.
Ralph May
Hey, bingo, bingo.
Shadow
Now that's something we need like a meme for the GDPR violations. Meme.
Ralph May
Yes, it really is. There's two doors. Door one is tax evasion via Ireland. It's the second article, Ryan.
Alex
Second article.
Ralph May
The second door is GDPR violations that you're probably just going to pay and keep operating because they're not expensive to have material impact to your business. Although, I don't know. Sean, take us away. What's going on here? What do they do?
Shadow
This one sounds exciting from the headline when it says things like, you know, it's compliance, but it's not actually, because you might be thinking, oh, didn't the EU just pass something with AI? Yes, they did, but this ain't that. This is just GDPR. And what this is is basically the allegation is that Google might be in violation of GDPR for sampling personal data as part of setting up its models and algorithms and training them. And so there's a very similar thing with X not that long ago. And X did the thing that every company does when there's even the remotest threat that you are going to be hit with anything from GDPR is they just got the hell out of Europe, at least for now, and said we're reassessing the country.
Ralph May
You're saying if I go for the.
Shadow
Specific use case, they stopped using European data I see around that could contain people information as part of their training set. And so all of the AI models.
Alex
Are just not going to know what like English people look like.
Ralph May
They're like, what is it?
Shadow
What is it actually?
Ralph May
What is a flat, you have a flat tire. Why do you live inside of a flat tire?
Shadow
Well, it is, it is for things like that. Right. It's localization is why they care about it from an algorithmic standpoint. And so that's the thing that they have to work around. X is currently dealing with that while they figure out what the heck they want to go do. And Google will probably do something similar, but they'll have to address this at some point because otherwise they are going to run into the model being very America centric. And that's already enough of a cesspool. We don't need to go any further down that.
Ralph May
I mean, I will say, I think if you surveyed the EU and said, do you support your data being used to train AI? They'd say no. But then if they asked it questions that were horribly regionally inaccurate, they'd be like this stupid AI, I hate it. So like, it's kind of like you can't have both. You can't have a product, an AI product that works well, that doesn't have personal data in it. And I will say, like, I'm sure there are efforts to scrape that kind of personal information from AI models because arguably it isn't required. You don't need to know like you know someone's name. Although I guess arguably with like, like public figures. How does that work? Like, where does the Queen live? Oh, that's GDPR protected. You can't know that.
Shadow
The issue is just, it's the all or nothing nature. Right. They have the giant vacuum that they just hoover up everything with.
Ralph May
Yes.
Shadow
Where you run into the consuming of data you don't actually need.
Ralph May
Yeah. I don't know. I'm curious to see how it goes. I guess they probably just build a. Yeah, your audio is good, your video is not. But yeah, the, the whole like giant data vacuum like you said, is gotta be such a hard technical problem to make that thing GDPR compliant. Because just because people expose that information publicly doesn't mean you're allowed to store it. Right. If I have on my personal website, here's my name and address, like I can have that and still be GDPR compliant, but you can't have it. Right. So it's kind of a weird. I don't know.
Shadow
Yeah, it's when you as a corporation are processing or consuming personal data, that's when you become subject to the GDPR restrictions. And that's where you start getting into things like people have to have a right to opt out, people have to have ability to request their information and things like that. And obviously none of the AI models and their teams are set up to do any of that stuff. And that's where they're running into trouble right now.
Ralph May
Yeah, right. They don't have any way of saying take me out of your training model.
Shadow
Yeah, correct.
Ralph May
Not able to. I mean, I think it's interesting.
Shadow
It's a tough problem to solve.
Ralph May
What was their response? Do you know? What? Like where did, did Google have a response? Did they say like we're not going.
Alex
To, we're getting out of the country?
Ralph May
We don't. What? I said, what did I say? We don't negotiate with EUs.
Alex
We don't even negotiate with EUs.
Shadow
From what I saw in this article, Google hasn't had a formal response yet, which is why I'm hypothesizing they'll probably do what X did and temporarily suspend use of EU based data while they figure out what a response is. I think X was originally hit with this months back and they still haven't actually turned the faucet back on for European data consumption, so.
Ralph May
So gotcha. Interesting. And yeah, I mean people in chat are bringing up some points like, you know, of course the tech giants just completely walked, you know, all over the regulations, didn't really care or try to follow them. Right. It's all about, you know, turn and burn the data. Right. So yeah, I mean, but it's interesting. I think Europe is, you know, we've joked about it. It's very notorious for going after companies like Google and Facebook with big fines for not paying attention.
Alex
You guys want to finish up with the WHOIS server?
Shadow
Oh yeah.
Alex
So the rogue WHOIS server giving researchers superpowers no one should ever have.
Ralph May
So what Flight invisibility. What kind of superpowers?
Alex
I think it's pretty much being able.
Ralph May
To see anyone's browser history that would be a superpower no one should ever have.
Shadow
No saying issuing certificates and stuff like that.
Ralph May
Yeah, yeah they took over, they. How did it work? They took over an account by registering a domain. The administration.
Shadow
They took over an old domain that was then trusted by downstream everybody basically.
Ralph May
For the mobile domain. .mobi. .mobi.
Shadow
Yeah, it was a domain that was used for mobile device WHOIS-ing, basically, from what I was able to understand from here.
Alex
Oh, it bought the domain dotmobiregistry.net and that was the official authoritative WHOIS server for the .mobi TLD.
Ralph May
So then the server received queries from more than 76,000 unique IPs within a few hours. That's gotta be a rush. You just go ahead and pull that email out and be like ah, oh guys, it's a live one. Over five days I received 2.5 million queries. Why were there so many systems querying a deprecated domain which, for those wondering, it was this domain that shouldn't exist anymore, or this TLD shouldn't exist anymore, or I guess the .mobi registry shouldn't exist anymore.
Alex
Google .mobi. Oh my gosh.
Ralph May
So then how were the downstream certificates signed? Populated the WHOIS data with junk data that responded to all real .mobi addresses' administrative emails. So yeah, I think the idea is.
Shadow
If you're, if you're the WHOIS. If you basically are the intercepted WHOIS when somebody reaches out to say who is the owner of this domain.
Alex
Yeah right.
Shadow
You can supply any email address you want as the owner of the domain and then oops. Now when you go to register a certificate that's the email that is a domain owner.
Ralph May
So okay. Though apparently the impact is he could dictate the email address certificate authority GlobalSign. You said Herman of party was applying for a TLS certificate certificate was a rightful owner. So someone, GlobalSign has a workflow where they confirm if you own the domain because they query the domain WHOIS information and then send the email to that domain. So you can actually, you could potentially take over or request, get a certificate for a domain that you shouldn't be able to. So he got a certificate for microsoft.mobi and confirmed he got the email and then, you know, I just think.
Alex
it's funny they, they shut down this .mobi top-level domain but they just allowed him.
Ralph May
So the domain still exists, it's just that one domain. Yeah, I mean basically they didn't fully. When they moved over from that dotmobiregistry.net, they. They forgot to actually take it out of the records. Yeah. So, yeah, and I will say that I don't think anyone does use .mobi for, like, production that I know of. I think it's most like Google and Microsoft have it, but only as like a placeholder redirector. Yeah. Like a parked domain. So I don't think anyone's like, just go to hacking.mobi. Like, I don't. I don't think anyone's ever told me to go to a .mobi address in my entire life.
Alex
Yeah. It is funny though, because it just shows how much trust we put in the DNS system. Right. And.
Ralph May
Well, WHOIS is not even DNS.
Alex
What's up?
David
It's.
Ralph May
WHOIS. It's not DNS. It's a completely different system. It's a whole separate disaster of a list of protocols.
David
Yeah.
Alex
But isn't this controlled by ICANN?
Shadow
No, no, they're.
Ralph May
Each registry is their own registry.
Alex
Well, how did he. Wait, wait, wait, wait. I thought you said that .mobi got shut down. Is that what you.
Ralph May
No, no, I misspoke. Just the one domain that was the authoritative record.
Shadow
Okay, so there was the domain that .mobi had for their WHOIS server.
Alex
Yes.
Shadow
They migrated that at some point in the past. They didn't actually kill. The old domain just lapsed. So then he came in and said, oh, hey, there's this domain.
Alex
It was still already in the registry, though.
Ralph May
Yes, yes. It was literally like a DEF CON conversation back from the hotel at DEF CON and then they actually did it. That was literally the article like that maybe talks about him going back to.
Paul
His room at DEF CON after he bought it.
Alex
That's.
Shadow
I mean, he had to do something while they were searching his room. Right. You know, so.
Ralph May
Right. So the. The key moment was they moved from it used. Now it's NIC. The NIC, whichever, whatever that is. Nick.
Alex
Yeah.
Ralph May
Basically it was whois.dotmobiregistry.net and it was supposed to be moved to whois.nic.mobi. So when that happened, everyone was supposed to move over. Like GlobalSign should have moved and it should have been querying the new TLD, but a lot of providers were not providing, not doing it properly. And so that's where they got. They registered the domain, they noticed it was expired, registered it, monitored it for incoming queries, saw there were still queries, figured out which providers were doing queries to that domain, and then figured out they could get certs from GlobalSign because they weren't using the new TLD, they're using the old TLD.
Alex
Got it, got it.
Ralph May
Yeah, basically, I mean, you said DNS, but if you had said WHOIS it would apply. Which is basically, does anyone really know how this works? Does anyone really know how WHOIS works? Or is it just layers on layers of like, oh, WHOIS apparently is vulnerable to takeover because everyone didn't update their WHOIS provider or like the API was out of date or whatever. So it's like, you know, the classic oopsie legacy. We forgot, we don't know how WHOIS actually works. The guy that knew how it worked got fired five years ago.
Shadow
Yeah, that was the interesting question to me. Was lagging.
John
But they took over a domain that was, you know, supposed to be using it. So it's probably all hardwired into some mobile devices that are hard coded in there that was actually still reaching out to them. So what are they going to change? Stuff that's already antiquated. It's not. It's another thing of not a real exploit to other people because it's only vulnerable to the things that are already thrown out.
Shadow
That kind of touches on what I was going to go to, which is the interesting question in my mind, especially since I haven't the faintest idea how WHOIS works in any detail, is just what would a clean migration have looked like here? Would it have been enough for them to do something to fully expunge that, you know, domain? Or is there actually something that downstream consumers of that would have had to do? I suspect the latter. In which case it's almost like, how could this ever have gone well? Is sort of the question in my mind.
Ralph May
Yeah, I think you're right. It's the downstream consumers where like GlobalSign wasn't querying the updated information, they just had it hard coded to the old address. So I mean, I think it's one of those where like arguably like it's up to the people who migrated it to maintain the domain until it's no longer receiving queries. Right? Like that's the smart move. You gotta like, you can't just let that stuff expire if the domain, like, sorry, if the domain's still being queried, don't let it expire. That was the whoopsie because yes, people should migrate, but all you have to do is monitor the people who are querying and regularly contact them and say, hey, we noticed you were still querying it. Or just keep it and send it to nil. Like send it, be like, invalid response. Like your code now broke and you have to go fix it. Right. So, like, it's up to the people who own the domain originally. They should not have let it lapse. That's the one thing. And yes, you know, exactly. People are saying in chat. Yeah, you got to own that domain in perpetuity.
Paul
This is one guy's responsibility to keep it updated.
Ralph May
And he failed one guy's credit card. What happened was the Internet. The intern who originally founded the company, his credit card expired and then the domain stopped renewing and they couldn't get it back because the email pointed to his old email. But that, Yeah, I mean, again, it couldn't be number anymore. But there are extenuating circumstances. You can do hostile takeovers of domains. Like if I Go register, like MicrosoftSucks.net, they can come after me and take over that domain. Right. So, like, it's not like you can't get the domain back in any circumstance. Like it. It's, you know, that it was on them to keep that legacy domain and they didn't do that. So it's on them. But yeah, I mean, you have to assume downstream consumers of your data are going to not update their code. That's just like running an API 101. We could probably close. I think that's a good. That's a good time to close it.
Alex
So we're light on news this week.
Ralph May
Yeah. Well, thanks, everyone.
Shadow
We went for a full hour.
Alex
Yeah, no, I always do. We always do. We always got the gift of the gap.
Ralph May
Yeah. All right.
Alex
Yeah. Thanks, everybody.
Ralph May
Next week.
Alex
Bye.
Ralph May
Bye.
Alex
Fill it with fire.
Podcast Summary: Talkin' About [Infosec] News, Episode: Pour Over News
Host: Black Hills Information Security
Release Date: September 18, 2024
Episode Date: September 16, 2024
Title: Pour Over News
Duration: Approximately 59 minutes
The episode kicks off with the hosts engaging in casual conversation about the soaring temperatures in Florida and humorous discussions about air conditioning versus configuring a house to use DC power. This segment sets a relaxed tone before diving into the week's cybersecurity news.
Key Discussion Points:
Breach Details: The team discusses a significant data breach involving Fortinet, where approximately 440 GB of data was taken from a third-party cloud file share. The breach is attributed to a threat actor calling itself "Fortibitch," a name that sparked amusement among the hosts.
Nature of the Breached Data: There is speculation about the type of data stolen. While Fortinet claims the breach affects only 0.3% of its customer base, the hosts hypothesize that the data might consist of diagnostic logs or firewall configurations.
Fortinet’s Response: Fortinet's nonchalant response to the breach leads to discussions about the severity and potential impact of the leaked data. The team jokes about reverse engineering the threat actor’s tactics and highlights the general challenge of attributing breaches accurately.
Risk Mitigation: Emphasis is placed on the importance of securing third-party cloud credentials and ensuring that systems like Fortinet’s support interfaces are not publicly exposed.
Key Discussion Points:
Snowflake's MFA Implementation: The conversation shifts to Snowflake's recent move to make MFA mandatory, sparking a broader discussion on the necessity and implementation strategies of MFA across platforms.
Balancing Security and Usability: The hosts debate whether MFA should be enforced by default or offered as an option, considering the user friction it may introduce. They discuss different types of MFA, including SMS-based and Time-Based One-Time Passwords (TOTP), highlighting the pros and cons of each method.
Support Challenges: Implementing MFA poses support challenges, especially when users lose access to their MFA tokens. The team suggests that while MFA adds a layer of security, it can also increase the burden on support teams if not implemented thoughtfully.
Key Discussion Points:
AI in Policing: The hosts critique Larry Ellison’s proposal to use AI for monitoring police officers, questioning the feasibility and ethical implications of such surveillance systems.
AI Limitations and Biases: The conversation delves into the inherent biases in AI systems and the technical challenges of accurately implementing AI-based monitoring without generating false positives or infringing on privacy.
Surveillance vs. Reality: The team highlights the disconnect between the theoretical promise of AI surveillance and the practical difficulties in execution, such as alert fatigue and the complexity of interpreting video feeds accurately.
Key Discussion Points:
Acquisition Overview: MasterCard's acquisition of Recorded Future for $2.65 billion is a focal point, with the hosts analyzing the strategic implications of this move in the threat intelligence space.
Recorded Future’s Value Proposition: The platform offers advanced threat intelligence, including AI-driven analysis and risk scoring, which MasterCard aims to leverage to enhance its fraud detection capabilities.
Future of Threat Intelligence: The discussion touches on how this acquisition positions MasterCard at the forefront of proactive threat intelligence, allowing them to anticipate and mitigate threats more effectively.
Key Discussion Points:
Market Growth Projection: The hosts explore projections indicating that the US standalone cyber insurance market could reach $45 billion in premiums by 2034, a fivefold increase from present values.
Sustainability Issues: Concerns are raised about the sustainability of cyber insurance, especially in light of large-scale breaches like that of 23andMe. The team questions whether insurance premiums can keep pace with the increasing cost of cyber incidents.
Real-World Example – 23andMe Lawsuit: The episode highlights 23andMe’s agreement to pay $30 million to settle a class-action lawsuit stemming from a data breach. The role of cyber insurance in covering such settlements is scrutinized, with skepticism about the insurers' ability to handle massive payouts without crippling the industry.
Insurance Coverage Limitations: Discussions emphasize that while cyber insurance can cover incident response and ransom payments, it may not adequately address the broader financial impacts of breaches, such as reputational damage and long-term losses.
Key Discussion Points:
Settlement Details: 23andMe has agreed to pay $30 million to settle a class-action lawsuit related to a 2023 data breach. The settlement is expected to provide minimal payouts to affected customers, with a large portion covered by cyber insurance.
Impact on Customers: The hosts humorously speculate on the actual benefits to individual customers, noting that lawyer fees may significantly reduce the amount each customer receives.
Legal and Compliance Measures: The settlement includes mandates for 23andMe to conduct annual computer scans and security audits for three years, reinforcing the importance of regular security assessments in preventing future breaches.
Key Discussion Points:
GDPR Violations: The hosts discuss reports that the EU is scrutinizing Google for potential GDPR violations related to the use of personal data in training AI models. This mirrors similar actions taken against X (formerly Twitter), where data usage practices have come under fire.
Impact on AI Development: The stringent GDPR regulations pose significant challenges for AI development, particularly in ensuring that personal data is appropriately handled and that users have the right to opt out of data usage.
Company Responses: While Google has yet to provide a formal response, the hosts anticipate that it may follow X’s lead by limiting or suspending the use of EU-based data until compliance issues are resolved.
Key Discussion Points:
Incident Overview: A rogue WHOIS server takeover involved registering the expired domain dotmobiregistry.net, which once hosted the authoritative WHOIS server (whois.dotmobiregistry.net) for the .mobi top-level domain. Clients that still had the old hostname hard coded, including at least one certificate authority, kept sending WHOIS queries to whoever now controlled the domain.
Technical Implications: Because the new holder of the domain could answer those queries with fabricated administrative contact addresses, and because some certificate authorities validate domain control by emailing a WHOIS-listed contact, the takeover was enough to pass that email confirmation step and obtain TLS certificates for domains the holder did not own. This undermines WHOIS-based domain validation and shows how a lapsed infrastructure domain becomes a trust anchor for anyone who registers it.
Responsibility and Migration Flaws: The hosts critique the failure of proper domain migration and monitoring, emphasizing that original domain owners must ensure legacy domains are maintained or appropriately decommissioned to prevent such exploits.
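The two operational checks implied by this discussion, as an added example that is not code from the podcast, the registry or any CA it mentions: first, compare a client's hard-coded TLD-to-WHOIS-server table against the current authoritative referral and flag stale entries; second, watch the registration expiry of any legacy WHOIS-server domain that is still being queried so it is renewed (or made to return an explicit error) rather than allowed to lapse. All tables and the WHOIS response text are constructed sample data; the hostnames follow the .mobi case described above, while the expiry date, registrar name and audit timestamp are invented for illustration, and the two-label registrable-domain rule is a simplification that a real audit would replace with the Public Suffix List.

```python
"""Audit hard-coded WHOIS referrals and legacy WHOIS-server domain expiry.
Added example; every table and record below is constructed sample data."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Constructed: a client's hard-coded TLD -> WHOIS server table, as a CA might carry.
HARDCODED_WHOIS_SERVERS: Dict[str, str] = {
    "mobi": "whois.dotmobiregistry.net",  # legacy hostname, no longer authoritative
    "net": "whois.verisign-grs.com",
}

# Constructed stand-in for the per-TLD referral whois.iana.org currently returns.
AUTHORITATIVE_WHOIS_SERVERS: Dict[str, str] = {
    "mobi": "whois.nic.mobi",
    "net": "whois.verisign-grs.com",
}

# Constructed WHOIS record for the legacy server's registrable domain
# (expiry date and registrar invented for the example).
SAMPLE_WHOIS_RESPONSE = """\
Domain Name: DOTMOBIREGISTRY.NET
Registry Expiry Date: 2024-10-01T00:00:00Z
Registrar: Example Registrar, Inc.
"""

# Constructed "as of" time for the audit run.
AUDIT_NOW = datetime(2024, 8, 1, tzinfo=timezone.utc)


def registrable_domain(hostname: str) -> str:
    """Registrable domain under a two-label rule (assumption: fine for .com/.net,
    wrong for public suffixes such as co.uk; use the Public Suffix List in practice)."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def stale_referrals(hardcoded: Dict[str, str],
                    authoritative: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """TLDs whose hard-coded server no longer matches the authoritative referral."""
    return {
        tld: (old, authoritative[tld])
        for tld, old in hardcoded.items()
        if tld in authoritative and authoritative[tld].lower() != old.lower()
    }


def parse_expiry(whois_text: str) -> Optional[datetime]:
    """Extract 'Registry Expiry Date' (ISO 8601 with trailing Z) from a WHOIS record."""
    match = re.search(r"^Registry Expiry Date:\s*(\S+)\s*$", whois_text, re.MULTILINE)
    if not match:
        return None
    return datetime.fromisoformat(match.group(1).replace("Z", "+00:00"))


def expiring_within(whois_text: str, now: datetime, days: int = 90) -> bool:
    """True when the record's expiry is within `days` of `now` or already past."""
    expiry = parse_expiry(whois_text)
    return expiry is not None and expiry - now <= timedelta(days=days)


def audit(hardcoded: Dict[str, str], authoritative: Dict[str, str],
          whois_lookup: Callable[[str], str], now: datetime) -> List[str]:
    """Run both checks. `whois_lookup` maps a domain to its WHOIS text, so the
    audit runs offline against canned records or online against a real client."""
    findings: List[str] = []
    for tld, (old, new) in stale_referrals(hardcoded, authoritative).items():
        findings.append(f"stale referral for .{tld}: {old} (authoritative: {new})")
        legacy = registrable_domain(old)
        if expiring_within(whois_lookup(legacy), now):
            findings.append(f"legacy domain {legacy} expires soon: renew it or "
                            f"serve an explicit error while it is still queried")
    return findings


if __name__ == "__main__":
    canned = {"dotmobiregistry.net": SAMPLE_WHOIS_RESPONSE}
    for finding in audit(HARDCODED_WHOIS_SERVERS, AUTHORITATIVE_WHOIS_SERVERS,
                         canned.__getitem__, AUDIT_NOW):
        print(finding)
```

Run from the consumer's side, the first check is what would have caught a hard-coded whois.dotmobiregistry.net; run from the former registry operator's side, the second check is the "monitor the people who are querying and keep the domain" advice from the discussion turned into a scheduled job.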
The hosts conclude the episode by reflecting on the extensive discussions and teasing future topics. They acknowledge the episode's length and express gratitude towards the listeners for joining a full-hour session.
Fortinet Breach Highlights: The breach underscores the critical importance of securing diagnostic and configuration data, especially from third-party cloud services.
MFA Implementation Strategies: Effective MFA deployment requires balancing security enhancements with user convenience to minimize support burdens.
AI in Surveillance: While AI holds potential for monitoring and enhancing security, practical implementation faces significant technical and ethical challenges.
MasterCard’s Strategic Acquisition: Investing heavily in threat intelligence platforms like Recorded Future positions MasterCard to lead in proactive cybersecurity measures.
Cyber Insurance Viability: The growing cyber insurance market faces sustainability questions as breach costs escalate, highlighting the need for robust security practices over reliance on insurance.
Regulatory Compliance: Companies like Google must navigate complex GDPR regulations, which significantly impact AI model training and data usage practices.
WHOIS System Vulnerabilities: The rogue WHOIS server incident reveals vulnerabilities in domain management and underscores the necessity for meticulous domain monitoring and migration processes.
This episode of "Talkin' About [Infosec] News" offers an in-depth exploration of current cybersecurity challenges, blending technical analysis with engaging discussions. Whether it's dissecting major breaches, debating security protocols, or examining regulatory impacts, the hosts provide valuable insights for both seasoned professionals and those new to the field.