Ryan
And now we're live.
Hal
We're live. You can keep talking.
Ryan
So is it just me or does Corey look like Steve Jobs with that.
John Strand
Like, today I'm here to announce the BHIS iPod. Welcome, everyone. My name's John Strand. I'm here to talk about the newest demo of the iPhone 17. It's the exact same as all the other iPhones without a disc drive.
Corey
It has one more button.
John Strand
Check out this new gesture I made called turning off your phone.
Hal
Whoa.
Kelly
Corey, do you have a turtleneck?
John Strand
No, I don't have a turtleneck. Sorry. My neck is. My neck provides its own turtle.
Kelly
We also have the juicy password guidance update that just. I'm sure John has lots to say about that.
John Strand
The password better be. It better be. Just don't pick a bad password.
Corey
Does that. Does that guidance include, by the way, flogging for any website that doesn't allow pasting into the password field?
Ryan
I think it should.
John Strand
I think that's fair. I think we should. We should set that up. Floggings. Any kind of take away the coffee prob. Possibly worse than flogging. Yeah.
Michael
At this point, websites should not block pasting or. Nor should they block any special character. Like, I hate whenever I get to a website that you can only put in like five different special characters or five different punctuation characters.
Corey
Right.
Michael
Especially when one of them is not space. Because I feel like space is one of the best characters you can put in a password. And it's frequently blocked.
John Strand
This is the. Does that. Has anyone ever played the password game? Is everyone familiar with the site? It's so funny.
Michael
I'm not sure I'm familiar.
John Strand
You're not. Everyone go play the password game. It's fun.
Ryan
It's pretty good. It's pretty good.
Kelly
Is something bad going to come up if I Google that?
John Strand
No, I linked it in Discord.
Hal
What are we getting into?
John Strand
I linked it in Discord. It's hilarious. It basically. Okay, I'll spoil it for anyone that isn't involved. Basically, it's a password. It's a game. But it's like a joke site where it's like, pick a password. And then it's like, it must be five characters. And you're like, okay, there's five. And it's like, must have a special character. And then it's like the numbers must add up to 25. And you're like, wait, what? And then it's like the. It must include today's Wordle answer. It must include like. It starts to get like. It gets like progressively more stupid over time. It's like the password must include 8675309, but backwards. Or like it's. It gets hilariously, you know, more quixotic or whatever you want to call it. It gets ridiculous.
Hal
My password is nothing but 17 stars.
John Strand
17, eh?
Corey
Yeah.
John Strand
I don't think you're going to pass NIST's guidelines.
Hal
When people crack it, it's either that or star, star, star. No password. Star, star, star. I. You know, it all depends on how I'm feeling that day.
John Strand
If you type your password in Discord, it actually automatically censors it. I'm just kidding. Don't do that.
Hal
I screwed up.
Ryan
Oh, my God, you should have. That would have been great. That would have been great.
Hal
And the old chat days, I think there was more than a couple of times I accidentally put my password into the chat room that I was, like, talking with at the time.
Michael
So, yeah, so I've done that a few times. What I actually started doing was I started making my passwords, like, things that I would actually type into a chat. So that way if I accidentally pasted it into a chat, it would not look like a password. It would just look like I said something stupid.
Kelly
Well, y'all, my passwords are carb free.
Hal
So all your passwords are carb free. Like, I'm trying to figure out what that would be. Michael. Like, would that be, you know, good morning, Good morning, hello all.
Michael
Yeah, like something like that. Just like a random phrase, or sometimes I'd make a command, but so that way it would look like I accidentally pasted a command in as opposed to pasting in a. A password. Because that happened a few times when I was teaching, actually, because I'd have trouble with my clipboard between my host machine and my virtual machine that I was using to teach. And so I ended up, like, pasting in a password of one of the accounts that I was using for teaching. And I didn't like that happening, so I started making the passwords things that would not look like a password.
Corey
There. There are a whole bunch of websites where I can't be bothered. So I just type in some random password at the time. And every time I go back to the website, I just do that. Forgot my password link, you know, for the one time, six months that I need to use that website or whatever.
Hal
I always hate it when I do that because I do something similar. But then they send me my password as a reminder. Clear text.
John Strand
It's like.
Corey
I mean, then it's good to know that because that's a website that I never want to deal with ever again.
Hal
Thank you. Bank that I'm no longer banking with.
Corey
Exactly.
John Strand
Passwords are so 2023. Ah, that is such a good take. And it's so true. And, but also, tech is slow to improve.
Hal
I, I, I, I, That's. Oh, yeah. So that's right up there, like, software defined networking and all that stuff where they're like, oh, the future will not have passwords. I'm like, you're new here, welcome. Just.
John Strand
No, no, the future will happen. The future will not have passwords, but the present always will.
Hal
Just remember the PCI raised the minimum password complexity requirements from 7 characters to 14 characters last year.
Ryan
So, you know, after you shamed them for count how many years, dude, how long was that?
Hal
Was that like.
Ryan
It was a long time.
Hal
And I, and I talk about it all the time. I have people constantly, like, when I was doing that, they're like, dude, you shouldn't mess with. You shouldn't mess with them, man. Like, those guys, they're serious. They'll, like, destroy your career and blackball you. I'm like, what? What?
Corey
Don't threaten me with a good time.
Hal
Is this like the 80s show the Warriors? You know, John, come out to play. It's like, oh, God, the creepy password mafia with baseball bats and weird, like, makeup is after me. I, I don't know. All right, are we ready to start this thing off?
Corey
I think, God, here we go.
John Strand
Oh, Don, you're a little quiet.
Corey
Yell.
John Strand
Yell louder or bring it in closer. We're bringing it up.
Hal
Bring louder, less, suck. Let's do it. Hello and welcome to another edition of Black Hills Information Security. Talking about news. My name is John Strand, and I visit here from time to time. I.
Ryan
It's been a while.
Hal
I swear to God, like, if we win that difference makers award that SANS is putting out, one, we'll all be shocked. But two, like, they're like, so are you gonna come and accept? I'm like, why? I'm gonna send Corey. Like, Corey and Shecky are all here. No, dude, we wanted to go, so I figured, like, Hal, Chris, me bring Jake Williams, Alyssa.
John Strand
It doesn't say a good difference. It could be bad difference. So that's me.
Ryan
Oh, Ooh, That's a good point.
Hal
There we go. There we go. We'll just have everyone go and it'll be like, you know, Blues Brothers at the nice restaurant. It won't go well. I'm sure. I, I just came off of, like, traveling and trying to get Caught up with my whole life and I have this thing called Wild Wild West Hacking Fest coming up. So. Have I missed much? What did I miss? I feel like Thomas Jefferson coming in at, you know, at the, at the Hamilton play. So what I miss guys? Anything?
Corey
Yeah, there was, there was a big nothing burger of a, of a Linux disclosure last week. John, you missed that.
Hal
Was that that remote code execution one?
Corey
Yeah, yeah. So I mean people were buzzing about this mega vulnerability that's going to be released. The whole pre-release of information hype was a total clown show. But you know what, that's the world we live in, right? Anyway, so the vulnerability's finally announced on Thursday and so it's a vulnerability in CUPS, which of course affects every, not only Linux machine in the world, but Macs and BSD and okay, so okay, first not installed on many, many systems by default. Right, but okay, let's just assume, yes, let's assume there's billions of machines in the world that have CUPS installed. But it's not actually just CUPS by itself. You also have to have this other service installed called cups-browsed, which is even less installed than just CUPS by itself. So okay, fine, fine, fine, fine. So what's the vulnerability? Let's assume that everything is set up for the vulnerability. Okay, so the vulnerability is that this cups-browsed thing has. It's actually. So we're chaining together like four vulnerabilities here. So the first vulnerability is that this cups-browsed thing allows an external person to register a new printer without authentication, so they can make this printer show up. And as part of that there's another vulnerability. Whereas part of the printer definition you can basically enable a feature that was created for legacy printers. But basically you put this thing called a PPD file on the computer when you register the printer and that thing can execute a command, but only if the victim actually prints to this random printer that spontaneously showed up on their machine. So you actually have to coerce them into printing to the evil printer that you register. And oh by the way, on at least I don't know, like Debian-based systems in some Linux distros, CUPS doesn't even run as root anymore. 
I mean so like it's, it's, it's on those platforms it's an RCE, but it's an RCE as an unprivileged user, but only if this whole other stream of circumstances comes up. So yes, like in a lab I could set up a situation to exploit this RCE. I will put out a bounty. I will buy you a burrito if you can actually point to an in-the-wild compromise that's done as a result of this exploit.
Hal
So what you're saying is Linux is insecure and we shouldn't use it?
Corey
No, what I'm saying is that Unix printing has been a clown show since the 1970s and you shouldn't be printing anyway. I mean like think about, think about, you know, 99% of the Unix machines deployed in the universe. Unix, Linux, what a Mac, whatever. But like particularly the Unix boxes and the Linux boxes you never print from those machines. So like just don't freaking install this stuff.
Hal
So a couple of things. Hack Char had a great point and said this will be a good Hack The Box challenge. I think that, that, I think that everybody that does labs that involve exploitation, hell, is breathing a little bit easier because now we have an up-to-date vulnerability. It's like, you remember whenever MS08-067 was getting really long and we're like, oh God, we need a really stable vulnerability that we can exploit consistently. For my classes, now we got it, it's Linux and you can make it.
Corey
Happen, okay, but just use the latest WordPress vulnerability to Xure or the latest Confluence vulnerability to Xure or the latest Drupal vulnerability to Jor. I mean you don't, you don't need to mess around with CUPS. I mean and this is a, like think about John, think about showing this in class. Like, okay, here I am registering, you know, my evil laser 100 kind of thing. Okay, now could you just print something for me? I mean, what the hell kind of vulnerability is that?
Hal
Why there's a, there's a thing that bothers me about this though. Like that because you remember back, I mean it wasn't back in the day. I mean it's still like that today. Whenever you would install Red Hat like way, way, way back it'd be like, what do you want to install? And the vast majority of people, whenever they were choosing their packages through the installation, they would just select everything, right? And they would just turn that on because that's the only way that I can see CUPS getting installed. Like, I have never heard anybody that's like, you know what we need on this Linux server? CUPS. I get that I am literally the first person to ever speak that sentence and I speak it in jest. And with all of that being said, if I go to our Lord and savior Shodan, there are 75,860 Linux systems out there with port 631 CUPS.
Corey
Okay? So 631 UDP. So I don't believe, I don't believe that scan. I really don't. And what the hell are you doing allowing UDP through your frickin firewall anyway?
John Strand
I have, I have so many, I have so many rebuttals to this whole thing.
Corey
Here we go.
Hal
Oh, here we go.
John Strand
Okay, we skipped a bunch of steps because the other interesting thing is this vulnerability was disclosed on BreachForums originally. That's where this vulnerability basically the researcher disclosed this to CERT VINCE and then they somehow leaked it. Like we just glossed over that like this. You know there's, there's not any real details about this, about how it happened or why it happened. But basically I will say there were people monitoring the patches, right? People do this, this is a known thing. They monitor GitHub, they look at common libraries. CUPS started patching this on I think it was Monday or something like that. So like people were already building PoCs before the disclosure went public. However the disclosure went public on BreachForums sometime on like Tuesday morning. So that's kind of an interesting thing. It's like was how did that happen? Did the researcher disclose it? Did CERT VINCE leak it? Did someone hack CERT VINCE? Like I don't know. It's interesting to speculate about. We don't really have any details yet but that is kind of I think a unique. And the reason it was so hyped is because like Hal said it was like originally estimated to be a 9.9 CVE that was the original or CVSS.
Hal
What did it finally land at?
John Strand
I don't know, probably around an 8 if I had to guess but lower than that.
Hal
Remember we're talking about all the things that Hal said that this has to like there's so many stars that have to align.
John Strand
Yes, totally. Yeah, yeah. However like my, like the next part of my rebuttal is the researcher kind of implies and it's one of those, you know, yada yada yada. But the researcher implies that during the disclosure process they found a lot more with CUPS and a lot more. Basically they, they essentially said in the blog post that they would never ever enable this service on any of their systems ever again because no one.
Corey
So see my previous comment about printing on Unix. Clown show, totally, since the 70s.
John Strand
But I will say so how we reacted to this for our customers at least on the ANTISOC side was we did scan for it and I will say now we're getting into the details of the Shodan scan. So if you go on Shodan you type product colon CUPS. It actually is looking mainly for CUPS enabled web servers. So it actually like wait, but if.
Hal
You look on the left hand side it'll break it down by ports. Yes but CUPS is TCP and UDP and you can query the services to get banner information back.
Corey
cups-browsed, which is the initiator for this, 631 UDP.
John Strand
It is the actual vulnerabilities on 631 UDP and Hal's right that you're not going to get very valid scan results back for that at a Shodan scale.
Hal
My point is there are 60 or 75,000 people that installed this and I'm willing to Bet less than 0.001% that even seems high actually needed to have that service enabled.
John Strand
Yeah. Oh this is one of those things where you might tell a customer hey, your Unix systems are vulnerable and they say what Unix systems? That's this, that's what this is. This is a Synology print server TM from 1982 or whatever. You know what I mean? This is like.
Hal
I mean this is IoT the most. We're in second with 11,000 systems. But, but this was so hyped like even me and the whole like just like hype.
John Strand
Yes, the hype was. I'm not disagreeing with, I'm not really disagreeing with any of Hal's points. They were all good points. I'm just saying there's a lot of context. I guess my assumption for our customers was first of all is it exposed? Because there are many ways to expose it. There's also you can expose a web interface, you could put it on a non-standard port, blah blah blah. Now none of that stuff is confirmed vulnerable right now I want to be clear, only 631 UDP. But clearly the researcher thinks there's more meat on the bone. So we're just being proactive and saying if you have anything print related, that's Unix on your environment. I'm telling you about it now and I'm telling you to firewall it off or just kill it.
Hal
Just shut it off.
John Strand
Just kill it. You like Kelsey don't print from Unix.
Hal
I am willing to bet that if you look at these systems, these 75,000 systems, there's going to be CUPS, quote of the day, echo, chargen. There's going to be FTP because the.
John Strand
People that said I need that.
Hal
What are we going to need for this server? I don't know man. Install everything, just turn it all on like you know, and then what happened for those packages? Inevitably people that do that, they turn on all the services on these things and then they get a pen test or a scan. It lights the system up like a Christmas tree goes down. And then they blame us. They're like, why did you crash my system? Because you have everything turned on.
Corey
Let's patch. It's 19 7.
John Strand
Yeah.
Hal
Disco Elite has brought up a great point. Just uninstall CUPS. Who cares? But that's the point. I don't think the 75,000 people that have this, I don't think they know one.
John Strand
Correct.
Hal
CUPS is two. They don't know that there's a CUPS vulnerability.
John Strand
It's IoT for sure. It's a lot of IoT. You can't just go on your way.
Ryan
That is my question. Why?
John Strand
Because.
Corey
Because they did an off the shelf install for their whatever the hell it is and whatever software.
Hal
Yeah.
John Strand
Do you think that HP LaserJet number 7,000 really hardened their Unix subsystems fully? Like, probably not. Like, I mean there's a lot of implementations of Unix that aren't user accessible, so to speak. They aren't like, oh, I went and I installed Red Hat. It's more like the manufacturer, the vendor built this IPP-based print system. It's called like Secure Facts TM. But this is what it uses under the hood, right?
Hal
Yeah, yeah. I don't know. Like this, this sucks because there's, I feel like a lot of us in this industry, I'm of two minds, right? Like whenever I first heard about this I was super excited. I was like, man, it could be a nine. Nine. Like if it's literally just any CUPS service you can just exploit, that gets me excited. Then there's a part of me that's like, that's bad though. That's bad. That's flipping awesome. But I feel bad for all the companies that will be impacted and have to stay awake patching this and have.
Corey
To pay you money.
Hal
However, however we'll be finding this for the next decade and like, like everything that Hal just said, it's just like, well if you have this enabled, you have to enable this and then they've got to subscribe to the service and then somebody actually has to print to it.
John Strand
It's like, yeah, but that's today, John. You should assume in a couple weeks or a month that's going to be different.
Hal
That's a slave. That's a.
Ryan
Really want this to be the initial compromise to a host. Just because, just once, like, like it was one in A million. One in a million, right?
John Strand
Like, there are many cases.
Corey
If anybody does this in the wild, you know, let me know, I'll buy you a.
John Strand
Come on the show. Come on the show. Yeah, until it wasn't.
Hal
Lesbian narrator's voice. Next. Hacker Con. Hal was buying a lot of burritos.
Corey
By the way.
Hal
Upset the cost, because that's awesome. But it's going to be another. It's going to be another freaking CrowdStrike. It's like this CUPS vulnerability brought the whole Internet down, and it's going to.
Corey
Be the Morris worm of the 2000s.
Hal
They're gonna be like, well, I guess we aren't gonna win the Difference maker award. Best new podcast now, Hal.
John Strand
It's super edge.
Hal
Yeah.
Corey
Basically for the mainstream. This cup doesn't hold water.
Hal
The vast majority. I'm not touching it. I'm going to say for the vast majority of people that are listening to this, you're. You're not the people that should be up late at night going, oh, Jesus, did we shut off CUPS? Oh, dear God. Unless you stumbled onto this podcast, in which case just what the hell are you doing?
Kelly
Like, you know, go back to NPR.
Hal
Like, this is not. This is not the Joe Rogan Show. Okay?
Corey
I agree with Sloth boy. The issue wasn't the vulnerability. It was the FUD around the vulnerability.
Hal
It was the FUD, but it always has FUD. Now it seems like everybody that has these things, they've got to somehow kick it up to, like, 10. Like, they want to have, you know, sparklers and it was mishandled.
John Strand
This was massively mishandled. We don't know exactly how it was mishandled or by who, but an internal communication disclosure leaking to the public about a 9.9 severity CVSS is a miss. It's. It's someone messed up. I don't know who or how. Maybe those details will come out in the future. But that is why there was so much FUD. Because if I'm anyone, Hal or John or anyone, and someone says someone just leaked a POC for a 9.9 CVSS on Unix, like, or listening, you have our attention. That's not how it panned out. Like, you know, but that was why it was so much fun, I think.
Hal
Yeah, because like I said, I think there was a plane that was doing, like, sky art that was talking about it, like, you know, CUPS. Not mountain biking and trying to avoid all things technology.
John Strand
John's like, CVE 2024. What. What the hell?
Hal
Aunts and uncles are calling me up. They're like, dude, do you hear about this CUPS thing?
Ryan
It's like they turned the John light on. There's a, there's a picture of John on the clouds. It's like, you save us, John.
Hal
Yeah. Although that, that, that sign has been going off with the Verizon outage. Like, I don't know if we want to talk about that. I am not. It just looks like a standard run of the mill outage.
John Strand
So they had to patch their CUPS.
Hal
They had to patch their CUPS system on their server that was running CrowdStrike. It's just a bad day for Verizon. Just so many things going wrong.
Ryan
But yeah, I don't think there was a news.
Hal
Tons of people trying to get a hold of me. They're like, there's a couple gas station. Do you know if Verizon was hacked? I'm like, possibly. I just don't know. But I do. Corey, I want to talk a little bit about the US Capitol. This feels. This massive dark web cyber attack. This feels, this feels like a repeat. I feel like this has happened in the last 10 months. I'm not sure.
John Strand
Yeah, I mean, this is just someone going back through infostealers and finding a bunch of Congress members, which is terrifying and valid research. But isn't really anything saying it was hit by a cyber attack? That's like me saying every time I Google something, I'm hitting Google with a cyber attack.
Hal
Like, I've got to ask, like, the company that did release this Proton, I think they're out of Switzerland. Oh, there they are right there. Switzerland. And then Constella Intelligence, they're using this for marketing. And I guess what I'm asking Corey is how come we aren't doing this type of ambulance chasing?
John Strand
Haven't you heard of the Talking About News podcast? Like, John, we're here every week. We do every week I get to say, oh, it was infostealers again, you know, and then it always is.
Hal
By the way, can we talk about our continuous pen testing services?
John Strand
Yeah, by the way, Flare is great for this.
Hal
Yeah. Anyway, I just, I, like I said this feels like a repeat. Like I kind of remember. I don't know, somebody will find it who's listening. But I kind of remember, like literally within the last 10 months, there was a story that was almost the exact same.
John Strand
Totally. It's basically marketing if you think about it. Not just for the companies that are doing the research, but basically what I mean by that is the data is there one way or the other, the exposure of the data and pinpointing certain individuals and making that visible and accessible is not the same as the data being there, if that makes sense. It's kind of like the Streisand effect for hacking. That's what this is. That's just someone saying. And if a real threat actor were to do the same thing, if a real threat actor were to make a post on BreachForums that said, I went through terabytes of infostealers, here's all the people that work in the Capitol, that would make the news because it makes that data more accessible to whatever script.
Corey
I mean, as we see in the governor's race in North Carolina. Right? Same thing.
John Strand
Yes. Damn it. Totally.
Hal
These next few weeks are just going to suck.
John Strand
That is a great.
Hal
We just need to have a politics. Should we just do election night? We just do hacking. Like talking about news and we just talk about politics the whole time. You want us to burn down, burn down everything?
Ryan
That's a worse idea than the 20, 24 hour pre show banter.
Hal
It's not that.
John Strand
Well, okay, Hal's point wasn't political. It's not political one side or the other. It's basically there was a candidate had a bunch of sketchy information out there about them. It was out free to find.
Hal
Did we cover that story already?
John Strand
No, no, not at all. We probably should.
Hal
Robson, I can't remember what his name, but that, that article, like it's hilarious.
John Strand
This is all.
Hal
This is all fake. None of this was made up. It's like you use the same user ID for every. It wasn't just the email, it wasn't just the user ID, but phrases like.
Corey
He used passwords, the passwords are cracked and it's the same freaking password.
John Strand
Yeah.
Hal
It's like no one is done with everything exploding behind him. Nothing to see here. Nothing to see here. Move along.
Corey
Wow, John, we are in different generations. Because when I think of that, I think of Animal House. You know, it's like everything is fine.
Hal
Yeah. But it's not that far off. I think it's like four years difference between those two. So. No, there.
Ryan
Oh, don't. Don't let that one.
Hal
We just got it. But this, this.
Ryan
I know, like politics got hospitalized.
John Strand
That's a different thing. He touched a hot exhaust at a car show to give you the idea of the type of person working with here. He said, oh, that car looks cool. Let me grab a hot exhaust.
Hal
It's like, Mark, you've been pwned pretty hard. You may want to lay down at a hospital.
Ryan
I will admit if you Google his name. At least that's the first news thing that comes up and not all that other stuff. So just his PR team's doing great.
Hal
What was one of the phrases he had was Gaga maggot, I think. And he used that Everywhere, like normal YouTube videos, press releases for his campaign, basically, we won't.
John Strand
The article is a little NSFW, but basically, I'll summarize it for everyone. Basically, here's what happened. A candidate for years who, before his political career, he's in high school, he's in whatever is going on foreign websites, making weird comments, liking certain types of videos, doing things, you know, bad Internet things, or at least kind of gross Internet things. And then no OPSEC whatsoever, is just posting them with his full real name and full email address. And years.
Corey
For years. Yeah. And then up until recently, I mean, you were making it sound like it happened a long time ago, but some of this stuff was in the last.
John Strand
Sure, true.
Hal
But this is literally years ago, I think, like 2015, 2012.
John Strand
Yeah, it started, like, at least 10 years ago and has continued up until recently. Basically, the person either never realized that you could just search what people post on other websites somehow. What. But basically all it took was for someone to go digging a little bit and realize this is the same guy. This is his username on porn websites that he uses the same exact username. And also, people are calling out in chat as well, being very hypocritical in their beliefs of like.
Ryan
And that's why you never tell anybody your Reddit username. This is, like, key.
John Strand
Yeah.
Hal
So basically steps back into Reddit. It's been painful. So I'll talk about.
Ryan
I've heard, I've heard.
Corey
I know everybody knows who's done this kind of investigation. Right. People don't start out thinking that, like, you know, I'm going to be a master cybercriminal or I'm going to run for governor of the state of North Carolina. Right. Like in their young, freewheeling days, they're not thinking about OPSEC, totally. And all of that. And so when they do become a master cybercriminal or run for governor of North Carolina, that has a tendency to come back, to haunt them because, you know, it all ties together.
John Strand
Well, how is there not a firm that, like, vets these people or at least says, like, hey, go delete your porn accounts. Like, how is that.
Corey
I don't, you know, I mean, these are politicians. Like, the Internet is a series of tubes. Right? Like, this is one of the downsides of the political class not understanding technology, right? They get caught out on crap.
Hal
Like there.
Ryan
There has to make that loss.
Hal
So I think that there's a lot of narcissistic tendencies as well, right? Like, people tend to. Like, there's some people that lay in bed and be like, shit in high school. I can't believe I said that. Like, I'm 47 years old and there's still shit I said in college or high school. That makes Yesterday. Yesterday. Thanks, thanks. Right? It still makes me cringe, but I think that there's some of these people that are like, you know what? I should run for governor. And the idea of that coming back to haunt them just doesn't calculate at all. It's just not something, you know, that. That processes.
Ryan
Is this where we're sponsored by Incogni?
John Strand
You know?
Ryan
Yeah, no, we know.
John Strand
Those services are all stupid anyway.
Ryan
They are, they are. But I'm surprised. There definitely is a service to. To do this. To clean yourself, right?
John Strand
Like, I know there's always been made up.
Ryan
Are they made up? There has to be. I'm telling you, there has to be some political one where they're like, no, no, this is fixer, right? This is to get a new job.
John Strand
This is beyond. What?
Ryan
No, not in cog. I'm talking about like. Like next level black.
John Strand
Yeah. Israeli firm. Yeah.
Ryan
Is this.
Kelly
Is this cyber hygiene?
Hal
I think it is. I think it's. That should be taught in grade school. Like, hey, kids, don't take naked pictures of yourself.
John Strand
And you know what?
Hal
There's going to be kids that are just going to be in high school. They're going to be like, oh, good advice. I was so close, but they taught me this in school, so now I listen. But I don't know.
Ryan
I. I'm so glad MySpace did a purge, I'm gonna tell you that.
Hal
Okay.
John Strand
To bring it full circle, though. Do you want to know the most, like, crazy part of all of this? Is that it probably won't impact the election in any way, shape or form. No, it probably won't matter.
Hal
You know what? God bless people. Like, not for this specific case, but if, like. So they're like, yeah, he posted some weird shit online. All right, we move on. That's weird now.
John Strand
It says my party next to it.
Hal
Weird, right? His stuff's weird, but I do think you're right. It's like, I don't agree with all that stuff, but he's. He's my monkey in my tree, so.
John Strand
I think it should affect me.
Hal
We're just throwing poop at each other. And it's all the same.
John Strand
I think it should affect people's opinions, but it won't, because that's the world.
Corey
I think. I think it actually will have an impact, but we'll see. Maybe.
John Strand
Maybe it will. It totally could, if nothing else, because this kind of a. You know, the thing is there's not a. The party. The Republican Party. And NC hasn't. Like, they haven't really. They're just like, yeah, actually.
Corey
I mean, yeah, this whole stat failed. Honestly, you don't need to. The one thing I'm hearing the Republicans complaining about this guy for is his choice of pornography. Like, like, but, but, like, but they're like, you know, hammering him for liking his particular flavor of pornography, which, dude.
Hal
You were so many cases over the years, like, you get so desensitized to, like, people's, like, proclivities in that area. Right?
John Strand
And yeah, you don't want to see the whole shit, at least today.
Hal
Good for you, buddy.
Corey
Yeah, I mean, I tell people, you know, if you do, you know, forensics, IR, anything in that. That big tent, you know, it's like you're going to develop a taxonomy for porn, you know, because, yeah, you've got categories.
Hal
So. Yeah, so now that we're on porn and our episodes that deal with porn tend to do better. So I think it was actually. Dude, I think it was actually in like, South or North Carolina, and it was a city. And this, this, this lady hired me to do forensics investigation because they had one of the employees that was, quote, unquote, surfing porn while at work, right? I hate these cases, but at the point of my career, I needed to eat. So I'm working this case and what this dude was doing was getting past his filtering by going to Wikipedia and doing wiki lookups for certain things like vagina or whatever, right? And I remember sitting with this lady and we're going through the stuff and all their web proxy logs. I'm like, here's all the things that he's going to. And she's like, this is just awful. This is just. It's this. This has got to be the worst thing you've ever seen. I'm like, oh, no. Oh, no. And then she asked me a mistake and I screwed up. It was a young John Strand. I think I was still in my 20s. She made the mistake of asking me the question, what is the worst thing you have ever seen? And I made the mistake of going right into describing that, which I'm not going to describe here. You go.
Corey
See her, didn't you?
Hal
No, worse than that. Dude, I would. You know, some of our, like that we worked on, that's illegal cases, five minutes later, she's not talking, she's crying on the other side of the phone and she's like, how could you? How could you work with that? I'm like, I get used to it after a while. But yeah, anytime I see these things come out and people like, oh, go look what this guy was into. I'm like, it's legal and no one dies. So I'm pretty. He gets a goal.
John Strand
It's only true 50% of the time.
Hal
No. People are trying to now guess two girls. No, no, not even close. It's not.
John Strand
Do not take it back to cater.
Hal
Somebody that's done forensics.
John Strand
All right? Okay.
Hal
And ask that question, what is the worst thing you have ever seen? And then brace yourself because odds are your head won't even be able to come up with what that is.
John Strand
So, ok, so basically, let's bring this. Let's bring this back a little bit. If I was the developer of a particular porn website, what would be good recommendations for password usage?
Hal
Wait, is that the audience?
Kelly
That was a good segue.
Hal
That was a good segue.
John Strand
I'd like to follow a nationally recognized standard for password guidance. What should I use?
Hal
I don't even know what story this is. Oh, NIST, thank God.
Ryan
The opposite of porn.
John Strand
I think that's their motto.
Corey
Pretty sex.
John Strand
That's their motto. So, okay, for those that don't know. Does anyone want to summarize this? I feel like Kelly probably knows it the best.
Kelly
Sure, I would love to. So NIST has come out with a recommendation about dealing with all of this password nonsense. We're dealing with talking about password hygiene. Hygiene. And they're basically saying, listen, all of these different rules about special characters, numbers, uppercase, lowercase, agency, just confusing people. So they actually came up with a list of recommendations for two groups of people. Specifically a group they call verifiers and a group they call CSPs. And remind me, what does CSP stand for again?
Hal
I don't know, but I think it's a credential service provider. Already I'm feeling.
John Strand
I like how. Okay, we're. We're in the first very beginning of the NIST and I don't think any of the entities who this applies to know if they're either of these two entities.
Kelly
It's a government document.
Ryan
Thank you.
Hal
Okay, Kelly, when you're done, we're going to go through these because these are bad and dumb.
Kelly
Oh, go for it, John. We're glad you're back.
Ryan
All right.
John Strand
Okay, what is a verifier and what is a CSP? Because I still don't know what that is.
Hal
CSPs are trusted entities. The design or registers, authenticators to account hold. Don't worry, it doesn't matter.
John Strand
What does that mean?
Michael
So, first.
Corey
Active Directory.
Hal
So stupid.
Corey
Think like. So the people you Facebook, the people you sign in with generate. OAuth.
Hal
This is.
John Strand
Oh, I see. I see. You're saying if I can sign in with blank, that's a CSP.
Corey
That's correct. Science.
Hal
So, okay, so if you were getting part of this and you listen to this podcast, you should feel bad. Okay, let's go through this. Verifiers and CSPs shall. That means you have to do it in government speak. There's no wiggle room. You shall require passwords to be a minimum of eight characters in length. What the. You just failed step one right there. NIST, like, go back, apologize to everybody. I want you to do this today. Today. I want you to go back and say, we screwed up. All right?
John Strand
We.
Hal
This is the rant that I always give about the NIST Green book, right? It's eight, eight. Eight characters. All right? So that's the requirement. So everything after that, people are going to ignore. NIST comes back and says, you should require passwords to be a minimum of 15 characters. It should say verify. You should say, shall require passwords to be a minimum of 15 characters in length.
John Strand
That's a huge difference. The difference between an 8 and a 15. Like, it should be, like, what? There's such a big difference between those two numbers for every. From a consumer perspective and from a mathematical perspective, it's literally a number that.
Hal
You can get your head around versus infinity or close to it. That's just so dumb. All right, number two. Verifiers and CSPs should permit a maximum password length of at least 64 characters. I can't believe that a bunch of people got around in a room and they're like, oh, we need to come up with guidance on what the maximum character length is.
John Strand
That actually is good. I actually like it. I agree with it.
Corey
But what the.
Hal
Why?
John Strand
Like, it is weird that it's number two, and I wonder how many people this screws over.
Hal
And once again, everything that says should means you can ignore it. Okay, that's everything. When you're reading a request.
John Strand
No, no, other than eight characters, you could ignore everything.
Hal
So, like, the only thing they're saying is password should be 8 characters here. That's it. CSP should accept all printing ASCII characters and the space character.
John Strand
Why? No, no, unico. Oh, it's. They also have. Wait, why is there two different call outs for ASCII and Unicode? What?
Hal
Because there's some stupid academic, like, jackass in D.C. that has done nothing but memorized all of the different NIST standards who feels they got to throw their weight around and they. This is. This is nonsensical. Like, this is.
John Strand
So. Wait, what? Why are there two different ones for ASCII and Unicode? I'm so confused.
Hal
There's two separate rules, right? Each Unicode code point shall be counted as one single character. I might agree with that one. Verifiers and CSPs shall not impose other composition rules requiring mixtures of different types. This is a step backwards. Verifiers and CSPs shall not require a user to change passwords periodically. However.
John Strand
Wait, this is just. This means I can go back to password. Elliot.
Hal
No, this means, literally, you're going back to the NIST Green book series. Like, seriously?
John Strand
Yeah. My password can be password, right?
Ryan
Yeah.
Hal
Well, I don't see anything here about dictionary words.
Corey
Verifier. I'm still using DES56 for my password hashes, so everything's 8 characters or less anyway, so, you know.
John Strand
Yeah, there isn't. So there's nothing in this that says you can't just pick password, Is that right?
Hal
Yes.
Ryan
We don't even need to capitalize it.
John Strand
I love that so much because it means we can just write this whole thing off in that one sentence. We can just say I can choose password.
Hal
NIST invites people to submit their comments and guidelines to dig comments at NIST government by 11. October 7th. I'm going to write an email.
Ryan
We should live stream.
John Strand
I would love to just watch you write this email and see how angry you are the whole time. Can we just have webcast?
Hal
Do you want me to share. Do you want me to share my screen while I write this?
Corey
Can we? Absolutely can share my screen. Do this while we're hacking fest? You probably could.
Ryan
No, because it's a day off. Because.
Hal
Can you see my screen?
John Strand
Hello, my name is John Strand. What are you doing?
Ryan
Owner.
John Strand
This is so off. I can pick password. Love, John Strand.
Kelly
Okay, while your outrage is keeping y'all warm here, let's talk about this from Joe and Jane user who live in Florida who can barely turn their phones on to begin with. Why is this so detrimental? To security this new password guidance.
John Strand
Because I can pick password. That's seriously the best way to. That completely cuts it. What's the most common password? Password. Well, that's fine. Under NIST. That's insane. Anyone can just hack your account then. That's a ridiculous argument.
Hal
All right, so I'm sending the email. There you go. So there it's off. So let's see. Let's see if NIST gets back to me.
Ryan
All right, so you should have made it.
John Strand
Like, should we just.
Ryan
So, yeah, I'll send it now.
Hal
Well, now since we've got it, we're going to be streaming it to YouTube. I mean, my phone number is in all my classes and stuff too. Brian, we're going to have to do some buzzing on that phone number. Sir, I should have thought this through, but I was angry.
John Strand
Okay.
Hal
When I.
John Strand
Couple of things. Number one, do we think if we password spray NIST, that everyone's just using password number? And also genuinely, for like NIST Corporate, there's no way their domain complexity is eight characters with no other classifiers. Right? There's no way.
Hal
What the hell? Here, just for reference, let me go to the green book, because I do that. Wait, I've been doing the green book thing for 10 years now. So here's the password complexity.
John Strand
Should we just log into NIST and change it for them? Maybe they're running these if they're using their own standards. We know they have weak passwords, so.
Corey
Well, I mean, doesn't mean you can't pick gobbledygook. Yada, yada, yada, whoop, whoop, whoop.
John Strand
Yes, but we know people will fall to the minimum spec you record.
Michael
Yeah, somebody like John said we'll pick the weakest possible.
Corey
I'm going to use password1. Damn it.
John Strand
That's fine. I will guess that too.
Kelly
To play devil's advocate for a second, the article down at the bottom says the enemy of good security is the frequency with which we make users change their password.
Corey
So bite on that one.
Hal
People installing CUPS, like.
John Strand
No, no, no, I will. Okay, I will say so. That's a. That's baby with the bathwater. That's. That's like you are literally taking a small thing, which I agree with. If you make two users change their passwords seasonally, they're going to pick seasonal passwords. If you make them change it monthly, they're going to pick monthly passwords. All those things are true. But that's like me saying, well, people get in car accidents, so driving is way too dangerous to ever even think about doing. It's like, well, okay, yeah, one can. One thing can be true and you don't have to completely throw away the whole standard just to make that one thing true. Like, I don't know.
Hal
All right, so I've got the password complexity standards from 1985 up, right? And this is what they say for a length of password. And notice they give the maximum lifetime in months of 6, 12 and 21 months. And they're recommending with a 26 character password alphabet, 9 characters. The 36 character alphabet is 8 characters. And if you look at that first thing it said shall be eight characters. And then you know, everything after that you can ignore.
John Strand
So you're saying passwords have gotten less secure since 1985.
Hal
Only for PCI up until last year, because PCI was seven characters was the minimum. So this is their minimum in 1985. And NIST came out and said that the minimum is eight. Again, like computational hardware.
John Strand
Has it changed since?
Hal
No, clearly not. But they have this math up here where they talk about, L is set for 6 months and 12 minutes. P is set for 1 in 1 million. Acceptable probability of guessing a password. R is set at 8.5 guesses per.
John Strand
Minute at 8.5 guess rate possible with 300 baud service. Don't tell them about GPUs. Don't tell them about GPUs.
Hal
Good God.
John Strand
Like, why am I. I mean, that's where we're at. We're back there, John.
Hal
We're actually worse. Because now they're removing the requirement to change your password every X number of months.
Kelly
John, let me ask this question. What's. Who's gonna actually read this? Do you really think Apple, Google, all those people are actually gonna read this?
Hal
Yes, I do. Yes, I do. Whenever you have people that are like, let's say the state of Florida decides that they want to come up with their ICS security guidance, rather than going off of NERC CIP or anything else like that, they're going to write their own and somebody is going to sit down and they're going to be like, what's NIST say? And then they're going to pull this down and then they're going to be like, well, it's eight characters. Like, this shit keeps on perpetuating and it's not getting better. Like, like, seriously, if they want to do password complexity requirements, tell people to use a passphrase and make it like 21 characters and then be done with it, right? Just walk away. Teen Vogue has stronger password complexity requirements than this new one. I'm going off of a rant that I've given in every single class for the past eight freaking years. Teen Vogue says use a long password. I think they say 17 characters and then they tell you to use multifactor authentication. Teen Vogue has stronger password recommendations than the National Institutes of Standards and freaking Technologies. If we are getting beat by Teen Vogue, we are losing at this point. And I just lose so much.
Ryan
Why is this so bad at this? But then has like all these other, like, crazy standards. Like, they literally have a standard for peanut butter, right? Like what? Yeah, yeah, yeah, there's a NIST standard for peanut butter.
John Strand
Well, I will say, I think John's right on the mark. It is. It's not their. It's not their specialty. This is not their specialty. Someone has handed them. Someone has handed NIST a task and there's some guy like, it's throwing their weight around. I think that's reading between the lines. That has to be what it is. Because there's other government agencies that are actually doing really good work in this space and they're just not that agency. I don't know. It's crazy. I mean, the joke someone should stop.
Hal
They should just.
John Strand
The joke someone made is super true. They're going to say, next NIST or this is Lucent Shadows' comment. Next NIST will throw out multifactor auth because some people use SMS.
Hal
And once again, Teen Vogue has an article, why Two Factor Authentication is so important. How to.
John Strand
Teen Vogue is the security standard.
Hal
This is. But like I, like I said, you know, you know, talking about this, like, these things happen. And like Dornan just said, DoD listens to NIST, right? So this is going to make it into all of the, like, security standards. And the thing that sucks is if you're sitting down as a DA or Designated Accrediting Authority or a program accrediting authority, and you try to do something beyond what NIST tells you to do, there's a whole bunch of meetings where they're like, well, this is what NIST recommends. This should be just fine. We fight this constantly. Where, you know, this is, we just cracked 86% of all the passwords in your organization because they're eight characters. And then I deal with customers saying, well, NIST tells us differently. And we've got to get past this. Like, I don't know who's making these recommendations. They clearly aren't doing security at all. And I'll probably have them contact me and be like, well, actually, Mr. Strand, I have a PhD. Stop listening right there. Like if you try to win an argument with your degree, you've lost. Right? But we're going to be dealing with this now. If this gets through, we're going to be dealing with this for the next 20 freaking years. We saw this with FIPS 140-2 with encryption standards. You just see it constantly in this industry where bad things don't die.
Ryan
All right, here's what we do. Here's what we do. You know how like there's organizations where they're like, they're, they're fake bureaus. Like we'll say the Better Business Bureau. Right. Not really an organization. We make mist everything the same and then we just start putting. I don't know what it'll stand for. I'll ask ChatGPT later. But then we just do the best security standards and try to fake everyone to that. There we go.
Hal
I like that we can do domain squatting. So if someone mistypes NIST, it comes exactly instead.
John Strand
Okay, wait, there is a slight correction based on a really good comment that settrel made in chat. So it does. Beyond the rules that we were looking at in the news article, there are some additional rules that classify. Like basically say you can't, you shouldn't. It says verifier shall compare the SPE password against a block list that contains commonly used, expected or compromised passwords. The entire subject, you know, entire password has to be compared. Then you have to pick a different password. So that does prevent me from choosing password, but I can still do this.
Corey
Will contain all passwords of less than 15 characters. That's my blog.
Hal
You know how you could write a pretty quick regular expression for that? Oh, yeah.
Corey
I mean, I could back that out and you know. Yeah, give me half an hour. I'll be right back.
John Strand
Okay. So it isn't as bad as we thought, but I will say, oh, it's bad. That is a little detail where the standards organization doesn't provide any context or help on what that standard list of common passwords would be. How common does it have to be to make it on?
Hal
They're going to take the RockYou list, Corey. They're just going to take RockYou or something like that where it's going to be password, 1234, 123456, 12345678. They're going to try to do some variations of password and some of the other, but it doesn't address at that point. Company name. It doesn't probably season and year. Right. Yeah.
John Strand
Yeah.
Hal
So a lot of these ideas of what a commonly used password, they evolve over time and it doesn't address that.
John Strand
It's still bad. And the reason for anyone that's curious to kind of add some technical credo to the rant, the reasons why eight characters are bad for anyone that doesn't necessarily just innately get this number one is the mathematical speed at which GPUs can guess passwords. Even for slow hashes like bcrypt or whatever, eight character passwords can't be exhausted if it's bcrypt. But almost any other hashing algorithm can be exhausted within a period of, let's say a day or two days. Yeah. So that's bad. The second thing is, with eight characters, you're getting into the realm of potentially being able to brute force it on a web app or brute force it on an API or brute force it like it's password. Yeah, if I can only guess. Let's say I can make 12,000 requests a day, which isn't that many compared to GPUs, which could do billions or trillions. But 8,000 if I, if I only, if I can do 10,000 a day, I can still exhaust eight character key space in a relative, like in half a year or a year. And that's like too short. With no password rotation. That's way too short. That's like what John was saying about the 85, you know, 1985 standards.
Corey
But, but Corey, you're only allowed to do that with a 300 baud modem, so.
Hal
Yeah, that's right.
John Strand
That's true.
Hal
Hacking's got to go through that. But no, it's funny though. I did a calculation. So they came up with their, their password change requirements based on how long it would take the Russians to go through and brute force every possible password combination.
John Strand
So that's like a modem on a.
Hal
Modem on a modem. And they doubled it. Right. So they said Russians could do it in three months. So you got it. Or six months. You got to change your password every three months or whatever. The thing is, if you take that eight character password and like their logic and their reasoning for doing eight characters and you apply that today, you would have to change your password every half a second. Just giving people an idea of the raw computing power. That is like computers are different 1985 to today. But yeah, I mean, Corey, to wrap.
John Strand
It all up in BHIS pen test reports, we'll just put Teen Vogue as the recommended source of information instead of NIST. And we're moving on.
Hal
Exactly. Do we have another story we want to get to? This one's got me. This one's got me.
John Strand
I wanted to talk about the AI one. The AI one is interesting.
Hal
This one was weird. Okay, go ahead, take it away.
John Strand
Oh, I don't know. I don't know what that one, The California one? No, the hacker plants false memories in ChatGPT.
Hal
I think it's just basically poisoning the LLM is.
John Strand
Yeah. So the reason it's interesting is because everyone, I think right now there's a lot of FUD out there about AI and its huge impacts and like states are banning it, people are banning, like it's, you know, it's going, it's going places, but basically. John. Sorry, Johann Rehberger. Joanne. I don't know how to pronounce his name. Someone discovered a vulnerability in ChatGPT that allowed attackers to store false information and malicious instructions in a user's long term memory settings. So it's not really an attack on AI, but it is an attack on the implementation of AI that users actually use. This is basically exploiting ChatGPT's memory, which isn't like a feature of the LLM itself, but is a feature of the web app that runs ChatGPT, if that makes sense. So you can store information in prompts and then you could potentially use it like every time you get a query, send it over here or whatever. So I really don't think this is news. No.
Kelly
Whiskey and beer does the exact same thing. False memories.
Hal
I like it. I like it.
Kelly
That's what I've heard. At least I've been told by my friends.
Hal
I've never. I don't know what you mean.
Corey
I have no clear memory of that. Senator.
John Strand
Sure. I mean, I think it's just to.
Kelly
Your point though, Corey, there is a lot of FUD around AI. And what does a story like this do to the community? Does it increase the FUD? Does it make people more hesitant to use it? Are we starting to cut through some of the BS around AI? What do you think?
John Strand
I mean, I think it's an actual real attack, unlike a lot of the FUD, it's a real attack you can perform on people that use ChatGPT, which.
Hal
Yeah, I think it's interesting because I look at it as a beginning. Like a lot of the stuff when you're looking at AI and LLM and all this stuff, we're looking at new classes of attacks. Right. So you can look at it as FUD. We can look at it as infosec or cyber beer. We can look at a number of different things, but. But I do think that we have to come to grips and start watching these things because the idea of poisoning or uploading or somehow training an LLM to do things that it wasn't necessarily designed to do is a very real security risk. Right. We've seen it a number of times with Microsoft. Tay is my favorite example.
John Strand
But that's not even what we're dealing with here. This isn't actually a problem with AI, it's just the web app itself or the implementation, which is where the weakness is, I think.
Hal
But that's the same thing with crypto, right? Like, you never attack crypto, even bad crypto, you attack the implementation. So even though it may not be directly within AI, the implementation in a lot of ways is just as bad and just as dangerous for organizations. So it still needs to be something that we need to look into.
John Strand
Yeah, I mean, I guess I'm like, this is, in my, in my perspective, a lot of the research we've done in AI has shown AI can be really damaging if someone can get access to the prompts that people are using. And that's what this is. It's literally data exfiltration of people's usage of AI, which is where all the sensitive information is. The AI itself is sanitized. What people put into it is not. So these kinds of attacks are going to. I mean, this is, I think it's real. But anyway.
Kelly
So Corey, the recommendations from OpenAI mentioned turning off memory. So you're not storing what you've typed in there or any sort of information you've inputted. Would you recommend turning off the memory or do you think that's an excessive control for a prompt?
Hal
I think it's always wipe memory or your history for everything. Always.
John Strand
I mean, I think that's where you need to give ChatGPT a lot of alcohol. But basically the. I think it's just the conversation is hardening the AI apps that people actually use. Instead of sowing a bunch of FUD about potential impacts of AI and job loss or whatever, it's more about are your employees using AI? If so, that needs to be treated as an asset to be protected. Whether or not you access, you know, restrict memory or restrict access to data or whatever, however you implement your AI, like John said, you attack the implementation. So I think every company or person or whatever should think about how they're using AI. If that data is sensitive, they need to either turn off memory or make sure they're regularly checking to ensure that there's not a bunch of false prompts and memories that they didn't actually put in there.
Ryan
On the memory subject, because I am a huge ChatGPT user, I think turning it off isn't that big of a deal. The main reason behind that is when you use that memory function, it'll just, like, bring up questions that you asked in the past or topics that you've actually asked and then go on, like, go on, like, I created something like, two months ago, and then I asked it a question, and it actually told me. It's like, oh, you could actually use that thing you created two months ago. Here it is again. Which I did not know it had that ability until I looked it up and found memory. But at the end of the day, I didn't even know it was there, so turning it off wouldn't be that big.
Hal
So, Wade, I want to say welcome to the old man club. I do that a lot. There's times where I'm on the Internet looking up something, and I come onto a YouTube video, and it's like, it opens up with me saying, hello, and welcome to another webcast. And it's like, oh, I clearly solved this problem and did a webcast on it.
Ryan
I will be revealing what I made at Wild West Hacking Fest, too. So that it.
Hal
Oh, you're. You're in. You're in.
John Strand
I don't want to be in the old guy club. Age is. Age is a protected class. We can't even have.
Kelly
That's not the age thing. I don't want to be a guy.
Hal
You don't have to be. You don't have to be. Okay, so it's different.
Corey
I've never thought of you as one of the guys.
Kelly
Thank you. Thank you, Hal.
John Strand
Any final article?
Hal
Many different things.
John Strand
Someone wanted us to talk about Udemy. What's the Udemy drama now? I'm like, someone.
Hal
What's going on with Udemy now?
John Strand
I don't know. I don't. I don't know.
Ryan
There was also the key.
Hal
Were they compromised via Verizon? I don't know. I'm just throwing shit right now.
John Strand
Wait, your uncle's in the Discord?
Hal
Yeah, right?
John Strand
I don't know. Whoever said that? Whoever said something about you to me? Please post the news article.
Ryan
Did you. Did you look at the Kia stuff at all, Corey?
John Strand
No. What is that?
Ryan
Here, I'll throw a link. I read up about it, but I will definitely say I'm never an expert, but pretty much there was a way to hack a Kia through its online system and have complete control of the car. And all you needed was its license plate number.
Hal
Yeah, that's kind of a variation.
John Strand
I mean, that's pretty bad.
Hal
It is, but we've seen similar vulnerabilities, like, and, like, through. It's predominantly through the web interfaces. Right. Where you can basically gain access to the APIs. And it basically comes down to they had a really crappy web application pen test where they're like, well, we ran Burp Pro against it and it looked good. Carry on. They didn't do any business logic error testing or trying to jump over to. Because if you test an app, whether it's an API, mobile app, or actual web app, there's a bunch of different testing that you should be doing. One of the things you should be doing is get multiple accounts set up when you test and then see if you can jump from one account to another. Right. That's. That's basic stuff that you should be testing. And it doesn't even look like that type of testing was done.
Ryan
No, I mean, it's a way better. We should pivot.
John Strand
Well, okay, hold on. Let's, let's. I, I do want one thing about the Kia hacking. If you scroll down, Ryan, look at this cyber weapon. Keep going. There's an insane cyber weapon this attacker is using in the. In the video. Oh, you might not see the video, Ryan. Cyber weapon. You're not going to believe this. It's just a. It's a laptop.
Ryan
It's a cyberpunk.
John Strand
So I think Canada should be banning laptops anytime soon.
Hal
So we're going to.
John Strand
There it is. Look at that. Oh, my goodness. That should be illegal.
Ryan
I heard that guy started.
Hal
What is that? What is that?
John Strand
I don't know.
Hal
That scares me.
John Strand
If you cannot afford that.
Hal
Is that. Is that an Apple? Is he using an Apple?
John Strand
That is a MacBook.
Hal
I think we need to get these things and we need to burn them. These things should not be allowed.
Corey
If we don't burn me with a good time.
Hal
If we burn our MacBook Pros, the Internet will be safe.
John Strand
Joking aside. Joking aside, let's talk about the Udemy thing. Basically, the story with Udemy is, according to a viewer, opt-in LLM ingestion for all lessons. So that's terrifying.
Corey
Well, sort of like what LinkedIn just recently did.
John Strand
Oh, sorry. It's actually opt-out, which means basically people. Udemy course developers, or course... whatever we're going to call them, teachers, I guess, instructors, have already been opted in to Gen AI usage of their courses. And that's terrifying.
Hal
I can speak a little. I'm not going to specify any specific institutes or organizations that may be doing this already with their instructor pools, but there are various groups out there talking with people that teach security or do expert decision support or things like that. Kelly, stop. Go get. Go get a. Go get a cough drop. But they are literally taking instructors, they're taking, you know, like consulting calls and they're recording them and they're sending them through LLMs, and then they're basically selling that on the back end to the customers. And there's no, there's no money going to the instructors or the experts that created that. And I. It's kind of weird. It's kind of like that. Like Fat Man Will said, this is already happening. It is. And the thing that's really concerning to me is the speed in which it is happening, where you have a whole group of experts and they're literally just synthesizing all of these experts. They're taking everything that they've said in a class or in a consulting engagement, and then they're distilling it down through an LLM. And then customers can come and ask questions and get answers around that. And I don't know where this is going. I don't know how to fix it. I just know it sucks. It sucks real bad that there's organizations out there that are making lots of money and the people that actually helped create the content that is fueling those LLMs are really not getting anything for it.
John Strand
Hey, John, on an unrelated note, does Antisyphon Training harvest people's data for AI?
Hal
Not yet, but we're working on it. That's good business.
Corey
And John Barnstein, the community actually, you know, so. So in this whole subject area that we're talking about, the LinkedIn opt-in thing was very instructive because you'll notice that when they added the button that lets you affirmatively opt out, she had to go hit the button. There's one class of users that were opted out by default, and that's users in Europe. And so the moral of the story is the European privacy frameworks are actually working, right? The company was afraid enough of getting whacked by the EU that they made different rules for Europe. And so maybe there's a path forward there. But one thing I will tell you is that if the Europeans are opted out by default, you also want to opt out. Right? That's a. That's just a good rule of thumb to follow so, and there's people in.
Hal
Here that I think have some, we've gone over and I apologize to everybody that's listening. But you know, there's a bunch of people that are like, you know, hopefully they have a legal team, you know, they're going to get sued. How, how, how, how does that even look? Because if you're looking at like music, right, if you're looking at ChatGPT, it's just a huge plagiarism and that's all it's doing, is just plagiarizing music. It's plagiarizing the text that it finds. And now you have people that are taking this and using it to generate LLMs based on what experts are saying in these areas. And I, I honestly am kind of a bit like jaded on this. I don't think you can stop it. I, I think it's, I don't like. Hal was talking about GDPR and the European Union. That's great. But if they don't get somebody from the EU, they're going to get somebody in the United States. They're going to scrape YouTube videos. It's, it's basically going to hit anybody that is an expert that has spent years and years and years, and it's basically an effort to replace that type of expert as quickly and as efficiently as possible without reimbursing them. That being said, you know, we've got to be better. You know, Doran just said experts, right? And ChatGPT and a lot of these, they really can't deal with a lot of context and nuance that comes with some of these questions that come up or classes or teaching. So we just got to be better. We just got to be better. But no, I don't have a lot of hope. I think that they're going to siphon up as much data as they can and it's going to be almost impossible to parse where the output originally came from.
John Strand
Yeah. And I mean, I will say my couple of reactions. Do we think Udemy allows you to submit AI-generated courses?
Hal
Probably. I don't think so. I would be willing to bet. Actually, that reminds me, I should probably put something in Antisyphon where we don't allow people to have their class. But I don't know.
John Strand
I mean, where I'm going with this is like we're currently in this AI inflation period where AI is getting smarter because it's siphoning in more data. What happens when it starts siphoning in the data that it made? Is it going to get progressively dumber at that point? Is there going to be like, they're getting smarter and then AI is like, now everything's AI-generated?
Hal
And then it just gets just literally described. All of academia in every university, research department everywhere on the entire planet. Like you just summed it up perfectly where they're taking research from other universities, they're just stealing it and then they're rebranding it on their own. That's, I'm going to say it's nothing terribly new. I'm just. What's new is the quickness and the speed scale.
John Strand
AI scales very high.
Hal
Yeah, it's already happened to AI art and that, that is, some of that shit gets weird too when it starts like, like eating in on itself.
Kelly
So let me add some thoughts to this. In the United States, when we look at law and regulations, tort law says we have to show harm. The hard part right now is it's difficult to show harm. Look at how long it took us to show financial consequences from breach attacks and data being lost or stolen. Unfortunately, I'm going to leave on one last note. The California AI bill was vetoed by the government and a big piece of that was they wanted to implement a regulatory framework around how AI was being used by the large companies that are in California. It was vetoed primarily because they tried to put in a regulatory framework. So the Wild West continues for artificial intelligence.
Corey
Although I will say there were actually two bills related to AI, and I hate the term, that went across the California governor's desk. And yes, he vetoed the one that you described. But there was a second one prohibiting the use of copyrighted material to feed these LLMs. And that one was approved and signed off on by the governor. Now do I think it's going to make a difference? No. I think it merely adds another cost of doing business to folks like OpenAI because. Because they're going to continue to scrape copyrighted content and ingest it, and then at some point they'll have to pay a nominal fine for doing that if anybody notices. But you know, anyway, so there, so there is, there's stuff happening, but it's happening too slowly. Frankly, I'm betting on this current hype bubble blowing up long before any sort of, of significantly useful regulation is applied. But believe me, I have lived through multiple AI hype bubbles and this is just another one and it's all going to go away before you know it and it will just become a cocktail party joke.
Hal
Dude, I hope you're right. I disagree with you. I don't have your optimism, but I hope to God you're right.
John Strand
With an AI generated version of hell.
Hal
What's the end state? Like, where does that actually end up? And then at the end of the day, where's the money? Or what happens whenever the money dries up? Because this ain't cheap power.
Corey
Right? Right. The money all gets spent on drug-fueled, you know, Christmas parties and an office space with, you know, granite floors, just like it was in the dot-com bubble. And a lot of people lose their life savings and. Sorry. Right.
John Strand
We should have a Hal's Doomsday podcast. I would definitely subscribe.
Hal
Doomsday. That was a positive. That was. I'm. He was positive. That's. That's. He was.
Kelly
It's a hype bubble. That's.
John Strand
I mean, just all happy hell, but it's like, AI Doomsday. That was AI Doom.
Corey
I think John's been a lot angrier on this podcast than I have. I mean, yeah, I was weird about the whole CUPS nothingburger.
Hal
That makes me.
John Strand
No, no. I just. It's just because Hal's Doomsday vision is so much less angry than John's. Hal's just like. I mean, it was the way that he said it was very, like, probably this is how it's going to happen. I kind of believe him. Whereas John, I'm just like, whoa, here we go. Let's do this.
Corey
Yeah.
Hal
All right, we've got to wrap this up, you guys. Thank you so much for joining. I will see a bunch of you next week. Wild West Hackin' Fest. So excited. And we got a bunch of people.
Corey
John and I will be doing a doomsday panel together.
Hal
We were doing a doomsday panel.
John Strand
That's gonna be amazing.
Hal
Yeah.
Kelly
Oh, goody.
Hal
All right. Bring out the finger. We're out of.
Podcast Summary: "Cast of Special Characters"
Talkin' About [Infosec] News, Powered by Black Hills Information Security
Release Date: October 2, 2024
In the latest episode of Talkin' About [Infosec] News, the Black Hills Information Security team dives deep into several pressing topics within the information security landscape. Hosted by the BHIS team members—John Strand, Hal, Corey, Ryan, and Kelly—the discussion is filled with insightful analyses, spirited debates, and a touch of humor, ensuring an engaging listen for both seasoned professionals and newcomers alike.
Discussion Highlights:
The episode kicks off with an intensive debate over the recent password guidance updates, primarily focusing on the National Institute of Standards and Technology (NIST) recommendations.
NIST Standards Critique:
The hosts express strong opinions about the new NIST guidelines, especially concerning password length and complexity requirements.
Hal's Frustration:
[37:31]
"This shit's perpetuating and it's not getting better. Like, seriously, if they want to do password complexity requirements, tell people to use a passphrase and make it like 21 characters and then be done with it."
Corey's Sarcasm:
[37:49]
"Think like the people you Facebook, the people you sign in with generate OAuth."
Minimum and Maximum Password Lengths:
The hosts scrutinize the mandate of having a minimum of eight characters, arguing that it’s insufficient in the current threat landscape. They also discuss the recommendation to allow a maximum of 64 characters, questioning its necessity.
John Strand's Observation:
[39:36]
"But there’s nothing in this that says you can’t just pick password, is that right?"
Hal's Rant:
[39:44]
"They have this math up here where they talk about, L is set for 6 months and 12 minutes... It’s amazing how outdated these standards are."
Notable Quotes:
Hal on Password Policies:
[44:05]
"NIST invites people to submit their comments and guidelines to dig comments at nist government by 11. October 7th. I'm going to write an email."
Corey on Password Spray:
[43:28]
"What the hell are you doing allowing UDP through your frickin firewall anyway?"
Discussion Highlights:
A significant portion of the episode is dedicated to dissecting a newly disclosed vulnerability in the Common UNIX Printing System (CUPS), which affects Linux, macOS, and BSD systems.
Vulnerability Breakdown:
Corey provides an in-depth explanation of the CUPS vulnerability, emphasizing its limited real-world impact due to specific requirements for exploitation.
Impact and Hype:
The hosts debate the actual risk posed by the vulnerability, arguing that while it was overhyped, it serves as a valuable lesson for penetration testers and system administrators.
Hal on Hype vs. Reality:
[11:15]
"So what you’re saying is Linux is insecure and we shouldn’t use it?"
John Strand on Customer Impact:
[17:04]
"This is IoT for sure. It’s a lot of IoT."
Notable Quotes:
John Strand on Exploit Potential:
[10:48]
"I could set up a situation to exploit this RCE... I will buy you a burrito if you can point to an in-the-wild compromise."
Hal on Service Utilization:
[13:36]
"I have never heard anybody that’s like, you know, what we need on this Linux server? CUPS."
Discussion Highlights:
The conversation shifts to recent claims of a massive cyber attack targeting the US Capitol, raising concerns about the security of congressional data.
Nature of the Breach:
The hosts clarify that while sensitive information related to Congress members was discovered via info stealers, there’s no concrete evidence pointing to a coordinated cyber attack.
Political Implications:
The team discusses the potential political fallout and the recurring nature of such breaches, drawing parallels to previous incidents.
Discussion Highlights:
A noteworthy segment addresses a vulnerability in ChatGPT that allows attackers to inject false information into the AI's memory, posing new security challenges.
Exploit Explanation:
John Strand explains that attackers can manipulate ChatGPT’s memory settings to store malicious instructions, which can be reused in future interactions.
Security Implications:
The hosts debate whether this is a fundamental flaw in AI or merely an issue with the implementation of AI systems.
Notable Quotes:
Hal on Future AI Threats:
[56:44]
"We've seen it a number of times with Microsoft. Tay is my favorite example."
Ryan on Memory Control:
[58:01]
"Turning it off isn't that big of a deal... But at the end of the day, I didn’t even know it was there."
Discussion Highlights:
The team discusses concerns surrounding Udemy's opt-in AI ingestion for all lessons, raising ethical and compensation issues for course instructors.
AI-Generated Content:
Hal highlights that Udemy is processing instructors' lessons through large language models (LLMs) without compensating the original creators.
Impact on Content Creators:
The conversation delves into the lack of reimbursement or recognition for the experts whose content feeds these AI systems.
Notable Quotes:
Hal on Content Exploitation:
[63:05]
"There's no money going to the instructors or the experts that created the content that is fueling those LLMs."
John Strand on AI Inflation:
[67:55]
"AI is getting smarter because it’s siphoning in more data. What happens when it starts siphoning in the data that it made?"
Discussion Highlights:
A segment is dedicated to a vulnerability allowing attackers to control Kia vehicles via their online systems using only the license plate number.
Vulnerability Details:
Ryan brings up a case where hackers exploited Kia’s online system to gain complete control of the car.
Penetration Testing Shortcomings:
Hal critiques the inadequacies in Kia’s web application penetration testing, emphasizing the lack of comprehensive business logic testing.
Notable Quotes:
Hal on Web App Testing:
[61:52]
"They didn’t do any business logic error testing or trying to jump over to."
John Strand on Cyber Weapon:
[62:15]
"That should be illegal."
Discussion Highlights:
Throughout the episode, the hosts engage in lively debates and rants about various topics, including:
Frustration with NIST Standards:
A recurring theme is the hosts' dissatisfaction with the current NIST password guidelines, deeming them outdated and inadequate for modern security needs.
AI Regulation and Future Outlook:
The speakers express skepticism about impending AI regulations, fearing that existing legislative measures are too slow to address the rapid advancements and associated risks.
Ethical Concerns in Information Security:
The hosts discuss the moral implications of data breaches and the ethical responsibilities of both organizations and individuals in safeguarding information.
Notable Quotes:
Hal's Doomsday Vision:
[71:33]
"We were doing a doomsday panel. That's gonna be amazing."
Kelly on AI Regulations:
[69:36]
"The California AI bill was vetoed by the governor... So the Wild West continues for artificial intelligence."
In "Cast of Special Characters," the Black Hills Information Security team provides a comprehensive analysis of current cybersecurity threats and trends, from outdated password policies and critical vulnerabilities to the ethical dilemmas posed by AI advancements. Their candid discussions and expert insights offer listeners a nuanced understanding of the evolving infosec landscape, highlighting both the challenges and the need for proactive security measures.
Key Takeaways:
Password Security:
The necessity for more robust and updated password policies that reflect current technological capabilities and threat landscapes.
Vulnerability Management:
Understanding the real impact of vulnerabilities like the CUPS issue and avoiding the pitfalls of overhyping security threats.
AI and Security:
Recognizing the new classes of attacks emerging from AI implementations and the importance of securing AI systems against memory and data manipulation.
Ethical Considerations:
Addressing the exploitation of expert content by AI platforms without proper compensation or acknowledgment.
Listeners are encouraged to stay informed, adopt best security practices, and engage in ongoing education to navigate the complexities of information security effectively.