Wade
So there I was in the jungle. I don't remember the rest.
John
My audio wasn't even working. And you just go live. I can't believe that's right. Yeah. Because I figured restream, change settings as it does.
Graham
As it does.
John
I heard the Amazon one was just a. Like the return to office. Whatever was just a faux layoff.
Charles
They.
John
But they didn't want to say layoff. Yeah, pretty much just.
Mike
Well, kind of.
John
Pretty good strategy.
Mike
Yeah. Hey, so do you.
Wade
Rather illegal strategy also, from what I was reading, if they're. If they hit up on some of the minority type groups, such as people with disabilities that can't get into the office, etc. If that there's a disproportional firing off of that, they can get serious trouble with the labor board.
John
Hey, even if they have wheelchair ramps, like, is that a. Like.
Wade
Yeah.
John
Really?
Wade
Even if they have.
John
Yeah, like, all the proper necessities. They just have to make them get in. That's interesting.
Mike
I'm happy I got the Hacker Hoodie this year. I tried to get it last year, but it was sold.
I
Yeah, I got mine. I got it this year.
John
I got a new one. It's been a refresh.
Mike
Yeah.
John
The first time I've gotten one since they first came out.
I
They didn't have them last year, did they? Or maybe it was zip up.
Mike
They did, but they were sold out.
John
Oh, there was also a. Like an announcement that they weren't going to be made anymore, but they still are. That's. That's.
H
Who made that announcement? Was that us?
John
I'm not gonna say anything. All right. I'm not. Because I was like, I thought they weren't going to be made anymore. And then I discussed with people and they're like, oh, no, we're still making them. I'm like, all right. Cool.
Mike
People love them, man.
I
Oh, dude.
John
So anybody have good stuff? Anyone do anything fun this weekend besides Orlando? Dude. BSides Orlando is such a great spot. Like Full Sail University.
Graham
Orlando is straight up spoiled.
E
Yeah.
John
I am so jealous. Every year I see their location.
I
Wasn't BSides New York this weekend, too? Or is that last week?
John
Those are those October BSides. It's rough for them. I'm not gonna.
Mike
October's a tough month because.
John
Yeah, right. Like, yeah, so many console time.
Mike
Yeah. Because I'm not.
I
I really wanted to go to Hack Red Con, but it was just too soon after Deadwood.
Mike
I'll be out there this weekend.
H
Where is that?
Charles
After? It's in Louisville, Kentucky.
Mike
So I. But that'll be it until. Really? Really. Denver.
I
I think for me too. I have an online DEATHCon. Dea.
John
Migraine. Yeah. The detection engineering and threat hunting represent DEATHCon. Pretty cool. I don't know why Graham's going to it to tell you the truth, but.
I
They have a Kubernetes workshop.
Wade
Yeah. I got done with GrrCON and my next con isn't until Cypher coming up in April.
Mike
Okay.
John
Is the rumor true? Oh, wait, not Cypher. I'm thinking a different one. Never mind. Oh, never mind.
Mike
Shmoon.
Wade
Which rumor?
John
THOTCON.
Wade
THOTCON is happening.
John
It's happening.
Mike
Oh, it is.
John
I heard. I heard. This is.
Wade
I have not heard that.
John
Yeah, I don't know how true that.
Mike
Is, but I heard that at the. At. At the. At Deadwood people were talking about that. I was like, I hope not.
Wade
Last I knew they were going to an every other year format sort of like.
John
Yeah, I remember that.
Wade
I have not heard that. This is the last one.
John
Okay.
Wade
All things considered, it wouldn't surprise me if it is. It's been around for so long, like ShmooCon. Yeah, it's. I don't have any privy information as to whether or not it is the last, but if it is, they're going to go out with a bang. But there's still one more round of tickets and I think general tickets are still available from the first round.
John
I'm taking a break from cons. I'm not going to do anything for like six months.
E
Yeah, you hit the peak.
John
You did. Like, what do I do now? Like, like, right. Like I'm done. Like, great. Start your own. I have.
Charles
Following your own advice.
John
I run BSides. I help run BSides.
D
Like a log con. Wade con.
John
You know, log con. Where am I gonna. I'm gonna have to run it in like Portland, Oregon. In like the middle of the woods. Like true logging country.
Charles
Somewhere out there I can make that happen. Dude, I have so many woods.
Mike
Dude, where's my C2?
Charles
Yeah, I can't find it. If anyone. If anyone finds it, let me know. I do not remember where I put that stupid domain name.
John
Speaking of logs and actual real tree stuff. So I used to live in like the middle of nowhere in the forest.
Charles
Real tree stuff.
John
Real tree stuff. Right. So I. All the time. All the time. Like always hiking, camping. When we camped, we never camped with an actual tent. We just like slept on the ground.
Charles
Or like on cowboy camped.
John
Right? Yeah. Yeah. Woo. So this weekend or Friday, I'm walking around my HOA with my son attached to me, right? And all of a sudden I take a hit in the head and I'm like, hard right in the head. And then I look in. A pine cone had fallen from like a 60 foot up canary pine tree smacked me in the house, right? And I'm just sitting there rubbing my head, not thinking about, like, man, I'm going to have to like, go home and put the kid down. So I'm going home. I'm only like halfway done with my walk. And I immediately set him. Like I'm about to set him down and I look at my hand and it's like covered in blood. And I was like, oh, my God. It was literally like a movie status, like, just drenched in blood. And I was also like, now I'm going to have to deal with this. My wife is at home. It's just me and the baby. And then right then, my wife walked in. I was like, thank God. Like, I'm going to go like, take care. And I have like a gash on the back of my head that bled for like two hours.
Mike
Wow.
John
I had never been hit with a pinecone all of my forestry life until I moved to the city. So those trees.
Graham
Heard you were a logger.
Charles
It takes some years to get that lucky, you know, doing that for.
John
How many pine cones have I missed?
Mike
They said, you are no longer part of their community. You are part of the city now. No longer.
John
That. That is probably. That is probably the key thing. You're absolutely right.
Mike
It's that we're going to fix him.
Charles
When's the last time you were pooped on by a bird?
John
I feel like that happens regularly. I don't know.
Charles
Really?
Mike
Oh, man, that's rough.
I
You're outside that often?
John
Yeah, I was running a lot before I, like, I had a kid, right? Like, I disc golf.
Mike
The squirrel was pissed.
Charles
Yeah. This squirrel was pissed?
John
Yeah.
Mike
How dare you.
John
So what else? Anybody else do anything fun? No one else got hit by pine cones or flying objects?
I
Not yet, thankfully.
Graham
No.
Wade
No, no.
Mike
I mean, if you count playing Super Mario Brothers 3, me and my daughter was playing that. I got hit by flying shells and all kinds of craziness.
John
That's about the same, yeah.
H
You have the original Nintendo system. Are you playing it on an emulator?
Mike
Original Nintendo.
H
Nice.
John
Yeah. Yeah.
Charles
That's how he rolls.
Mike
Yeah, that's how I rolls.
John
I was at a yard sale earlier on Sunday and they had a Sega Genesis. And I'm like, did you pull the trigger? I did not. I was like, I got too much junk in this room already. I'm like, one. I'm going to have to go buy, like, whatever the three prong thing is to an HDMI, because who has a regular AV output anymore? TV, right?
Charles
Yeah.
John
I didn't even know if that existed.
Mike
Oh, for the HDMI, there is a converter that works very well.
E
Yes.
John
All right. And then the emulators always come to mind. Like, do I actually need that? I've built emulators.
Mike
You need it.
Charles
You need it.
John
All of it. I don't need it. I don't need it.
Graham
BSD is the expert.
Mike
Don't fight it. You need it.
Charles
I don't know. The Sega Genesis is a little high end, honestly, you know, I think you should go a little lower end.
Mike
Oh, yeah, Odyssey.
Charles
Oh, there you go.
D
Magna.
E
I don't know.
Mike
Very.
Wade
I don't know where the child.
Graham
Where the arcade game came from that were at Wild West Hacking Fest, but I did appreciate playing Ninja Turtles again for.
I
Yeah, that was great.
Graham
20 minutes.
John
There's it. A new Ninja Turtles game coming out pretty soon.
Mike
Whoever brought the arcade, please, from the BSD Bandit, I hope you bring those back. I really enjoyed that.
I
I think we need more.
Mike
Yes.
Graham
Yeah, yeah. A whole arcade section.
Mike
Yes.
I
I will say, at DEF CON, someone was projecting. It was like a laser projected Tetris on the ceiling or on the wall of, like, the elevators. I tried to play some Tetris and that was really fun. So we should do that next year.
John
Wasn't there, like, an arcade hacking section at DEF CON?
I
Probably.
John
I'm pretty sure there was a section.
I
For literally everything at DEF CON.
Charles
Yeah, yeah, that checks out. Like, this is the bread village. We're just making bread.
John
That's all communities.
Charles
That's a village I could get behind, honestly.
I
But DEF CON. Wade texted me. He's like, hey, go like, down the staircase and, like, knock twice on this door and, like, you know, say the password. There's like, some speakeasies at the Mob Museum. I was like, what? And, like, some dude, like, opens the door and he's like, what's the password? I was like, oh, my God, this is legit.
Mike
Yeah.
John
And then we got a room behind a. A painting, too. So it was like, all the way. It's pretty legit.
Graham
I want to see a speakeasy who asks for a password and you have to, like, say random letters and numbers and characters.
John
It's amazing.
Charles
You just give them your YubiKey and they plug it in. Come on.
John
They hand you a. Us, a USB, like, all right, plug it in. Or that would be great. I haven't read the news. Who has?
Charles
I mean, I have. I've been prepping for three minutes while we've been bantering, and I'm so ready to go.
John
I just saw stuff about Pokemon. Something about.
H
I didn't see anything about the wrong articles.
Charles
Are you reading right. Pokemon.
Graham
I didn't see that either.
John
Big whale breach. Big whales breach. Pokemon, Big whales. Game Freak confirms breach after stolen data. And then they didn't even use, like, a real Pokemon image.
Charles
We skipped the big wells breaching. Okay, there's too many breaches we can't talk about.
John
Were you more fixated on the robot vacuums? Yelling slurs?
Charles
I was thinking. Okay, so just to give everyone a preview, I was thinking, definitely the robot vacuums. We can talk about WeChat. I mean, I think there's the Internet Archive story. There's Internet archives.
John
Good.
Charles
USDoD was arrested. I mean, that's big news to me.
Mike
What about Leeds with Offensive Security being bought? What are your thoughts?
I
I forgot about that. Yeah, I'll find that.
Charles
Yeah, that's a good one. I didn't even know, but I assumed they got bought years ago. I will say for the Game Freak thing, but for the Game Freak thing, my take is, is this related to the Palworld lawsuit? Is that. Is that the angle here?
Mike
Oh, you know what? Hey, we laugh, but you never know.
Charles
All right?
Mike
You never know.
Charles
Hello, and welcome to Black Hills Information Security's Talking About News. It's October 21, 2024. Welcome, everyone. We've got all kinds of hacks, we've got all kinds of tricks. We've got wading through logs. We've got BSD Bandit possibly playing Super Mario 3 while podcasting as you do. Is that the one with the turnips?
Mike
That's the one with the turnips. Yes.
Charles
Okay, that's important because Michael, who's also on the show, was telling us last week that his only knowledge of vegetables comes from Super Mario Brothers 3.
Mike
That's what I'm talking about. Look at that.
H
It's the only place I've encountered a turnip is in any of the Mario games.
John
Yeah, I think. I think that that carries to me as well. Like, who eats turnips?
Charles
No one.
Graham
Turnips are good. Like Thanksgiving.
E
Yeah, that's what I've had.
Graham
Turnips.
Charles
Okay, but is a turnip different than a parsnip? And if so, how so?
Graham
That I have no idea.
Charles
Okay. Yeah. All right. Let's talk about the Internet Archive first. I think that's. I mean. Okay, so for those that don't know, someone explain what the Internet Archive is. Because I think it might be underrated or misunderstood what it actually is, because I think it's probably one of the coolest publicly available websites out there. Does anyone want to take it? You want me to explain it what.
John
The Wayback Machine is or like the actual attack?
Charles
I mean. Yeah, I mean, just explain. So, yeah, the Internet Archive runs the Wayback Machine, right? And a few other services as well, but that's the big one, right? So what is the Wayback Machine?
John
So the Wayback Machine is just an archive of pretty much the entire Internet on any webpage. So you can go to the Wayback Machine, then throw in an actual domain and see how it changed throughout the years. And I mean, like years, you can go way forever.
Charles
Like back to the 90s.
John
Yeah, it's really, really good for OSINT and really, really good to get past paywalls for news sites. What else? Like, I've used it a lot of times. I've actually used it as a backup mechanism for people's websites. When I used to work at a domain, at a. At a domain provider, they'd be like, hey, your backup system didn't get our website and now we're broken. I would go on the Wayback Machine, pull everything back. All right, here's your website. They would be pretty happy about it, huh?
Charles
Yeah, no, it's. It's an awesome tool, I think, the Internet Archive. I think they're the biggest data hoarders on the planet, to my knowledge. Yeah, I think they have the largest. And I don't know if it's different than Common Crawl. Do they also do Common Crawl or is that a different organization that does Common Crawl?
Mike
I'm. I'm not sure. I think it's a different organization.
John
Not familiar with Common Crawl, but.
Charles
Well, yeah, basically it's a non. So, yeah, it is different, but. Wade, what. What actually happened? They got breached twice in one week, which is never a good week. How did that happen?
John
I didn't. I don't even know how it happened. I know they got DDoSed. They're getting heavily DDoSed while we're at Wild West Hacking Fest. Which is also weird because I find. I find this target to be particular. Like, why would. I don't know why you would attack it.
Charles
Right.
John
And the other thing is.
Charles
No, you can't have my website that you already have.
John
Right. And then the other one is, ok, so then they breached them, got all of the accounts, they say, I think there was around 34 million accounts.
Mike
Right.
John
If you bring up one of the news and who makes an account for the Wayback Machine?
I
I didn't even know that you could make it right.
John
And then I didn't either. Maybe it provides you some like faster because every now and then you like, it actually tells you like you can click and download something.
I
But I think if you're using it to store like some of your, like it stores other things besides just websites, like you can store like audio. Video. Yes.
Charles
You're contributing content into it, right?
Mike
Yeah.
I
So I can see why they would want you to be logged in.
Mike
Old operating systems.
Wade
Yeah, old operating systems. Old time radio from. From like back in the day when radio was king. Your old time shows. They've got a huge extensive library of that stuff down.
Charles
Do they also do the malware? Yeah, they do the malware museum too, don't they? Is that them?
Mike
I don't. I don't think that. I think there's somebody else, but I could be wrong.
H
I'm pretty sure you can also make an account to remove yourself or your website from the Wayback Machine. So I think based on what I saw in the article, that apparently is what a lot of the people's data wasn't involved in was requests to remove something or someone from the Wayback Machine data.
John
That makes sense.
I
They have 866 billion web pages now. Is that just a billion of the same web page? Maybe. I don't know.
Charles
No, I don't know. But I will say, I bet you, you they have some of the largest like hard drive usage of any company ever. Like they've got to be sure. Massive doing it.
Wade
From what, from what I understand, it's politically Middle Eastern motivated because the Wayback Machine is run by capitalists and by people that support Israel and blah blah.
John
Blah, blah, blah, blah, blah.
Wade
That's what I've heard is that it's. It's all about you.
E
You always come up with a hack and you find a reason. You back into finding a reason at some point.
John
A wild John Strand.
Charles
I wasn't sure if someone's deep faking John Strand.
Mike
The reason rabbit hole.
Charles
So they got breached through Zendesk, basically. What?
H
Apparently their API key was on their GitHub.
Charles
Yeah.
I
Was they got breached.
E
Nobody would have saw that coming.
I
And then they never rotated the API keys. So they said everything was all fixed, but they never rotated those. So I still had access.
John
There was. And then there was also something about session tokens that all the user information that they did steal, none of the session tokens were reset.
Mike
Wow.
Charles
So. Well it's always. Yeah. So the API token gave access to Zendesk which was 800,000 or more support tickets sent to info@archive.org since 2018. I will say what I mean, I guess there could be sensitive data in there. Like what are you being like, hey, my website has pictures of me and my ex wife. Can you take that down? Like what, what is like I don't know what your support. What kind of support request people are opening.
Mike
That's a real question.
John
I think Mike's hit on is the only like real scenario. Like it's, it's definitely politically motivated. Like there's no reason why this website needs to be taken down whatsoever.
Charles
Yeah. It's a public service.
Mike
Yeah.
Wade
According to Newsweek, the DDoS attack was claimed by a self described pro Palestinian group known as SN_BlackMeta.
E
Props for a cool name.
Charles
Let's go look at their website on archive.org and see because I'm definitely not sure all of them huddled up. I'm definitely not going to it directly.
Mike
Oh no.
Charles
Well, I will say they've kind of turned it into a donation. You know, donate fundraising opportunity. Which I agree with. Like if you're in the spotlight even for a bad reason and you're a nonprofit, like take the donations. Be like guys, we, we can get CrowdStrike Platinum plus if everyone donates.
H
Yeah.
I
Well my question is like are there organizations like other nonprofits that will do like a pen test on nonprofits? Like is that a thing? Are they brand?
Charles
No, I'm just kidding.
I
I don't know.
E
Uh, soon.
Charles
Honestly, if I ever got Black Hills, we should do it. Just saying, just throwing us out there.
H
That'd be cool.
John
I know Google always will step in for like reporters and stuff like that if they have websites that are getting DDoSed. I'm not going to say I'm not surprised. I'm not surprised but not surprised that maybe like Google just like, yeah, just throw it under this giant like Internet sponge we have.
I
But umbrella.
Charles
I feel like we should put out the call like infosec companies. We should be like lawyers. Like we do some pro bono work. You know what I mean? Like let's, let's I think is doing.
E
A lot of pro bono work as it is. Like there's a lot of the pay what you can training and stuff that we're doing.
John
We could see it in John's eyes.
Charles
That it could be like it could be done through a separate entity. Not Black Hills. It could be like testers volunteering extra time or whatever. But yeah, I think there's, I don't know what the actual pen test capabilities of an organization like the Internet Archive are, but in general I think it's something we need to, you know, the, I will say the EFF or whatever or IEEE. One of those would be a really good or like ACM. There's plenty of like already nonprofit type places that could kind of handle it, but I have no idea.
E
Well, and hacks for hacking for charity was one of those things that, that was one of the things that Johnny Long was trying to do is really try to work to get nonprofits to get some type of security testing. I mean the idea of it sounded great, but I don't know, just trying to bring the two together from a logistics perspective was way hard.
Charles
So another option would be we could just have Sam Sophos buy it.
John
Oh yeah, exactly. Just be out there buying everything.
Charles
I don't know who Sam Sophos actually is, but someone in chat said that that person bought SecureWorks. So maybe their goal is to turn that into a, turn that into a nonprofit pen testing firm. It seems like that's what they already are. What is SecureWorks these days? Anything?
E
I remember they used to be LURHQ and then they were bought by Dell and they became Dell SecureWorks and then Dell spun them off and then they just became SecureWorks and now I don't know what they are now. Just love how.
John
You want a vendor vendor soup sentence. Industry leading solution with Taegis XDR platform. Combined with our security solutions and industry leadership and MDR, we will strengthen our collective position in the market and provide better outcomes for organizations of all sizes globally.
E
See if you have to take multiple breaths like that.
Charles
That was a 50 sentence that you got. There was really ChatGPT.
John
That's ChatGPT written for sure. That was like some good, like. No, we need bigger sentences.
Charles
Let's play a little bit of like reverse hacker jeopardy with John Strand. John Strand, what do you think the price of SecureWorks would be just on the open market, like if, if you were, you know, just walking around at RSA or wherever these deals go down. What dollar?
E
No, I, I don't, I don't know. One.
Charles
Would you go north of a billion?
E
That's what I would probably guess. This is going off of like what I know about them in the, in the past and honestly I don't know where they've been in a long time. So I would, I would, I would guess a billion 859 mil.
Charles
So you were. You were over. But I mean, that's a lot of money for a security company, right? $859 million for a security company.
E
They do like, managed services. They do a lot of different types of security.
Charles
Yeah, it must be. I mean, that's a huge amount of cash. I'm also blown away that Sophos has almost a billion dollars in cash.
John
That was what I was thinking, right? Like, yeah.
Charles
What? That's crazy.
John
Nine.
Mike
Wow.
Charles
Yeah. I mean, $8,859 million in cash. Like, how many Sophos subscriptions are people still paying for?
E
We don't good coin that much anymore, do we?
Charles
Honestly, rarely.
John
This is like the death thrall. They're like, we need something to stay alive.
E
It's like BlackBerry. BlackBerry.
Mike
I was just thinking about BlackBerry.
E
Yeah, there we go.
Charles
There we go.
E
There we go.
D
You still see a lot of Sophos in small business, though, because they have. They have the firewalls, they have EDR kind of all the things. So, you know, this is actually maybe the closest thing that at least I've seen. That's kind of big boy cybersecurity as far as their offerings. But the cool thing is that Dell made like 200 or 200 million on selling it, so there's that.
E
Hey, someone. Someone did okay there.
Mike
Yeah.
Charles
Wow. Holy crap. I mean, I can't believe. I feel like, are there that many billion dollar security companies? There must be like five of them.
E
Oh, yeah, there's a lot. There's a lot.
Charles
Well, there's one less.
E
Yeah, there's one less.
Charles
All right, what's next? You talk about USDoD being arrested. This is kind of. I wouldn't say near and dear, but I've been tracking this threat actor for a long time. Basically, USDoD is not. Don't get confused by the name. It's not the US Department of Defense. There's a threat actor called.
Graham
I was thinking.
Charles
Yeah, there's. There's a threat actor called USDoD who has perpetrated tons of breaches over the years, which is why I know that threat actor name by heart. But the most recent high profile one was National Public Data, which I think got a lot of attention. I don't know if that actually led to the arrest or if it was just a long thing. He also. He or she also breached the InfraGard thing, like years ago. That was a big deal where a lot of InfraGard data got exposed. So I guess it makes sense. I mean, they're literally calling themselves the US DoD. So like of all the ways to paint a target on your back, that seems like one of the best ways to do it. They pretty much.
John
It would just confuse. It's just a confusion tactic. Right. Like it's deception right off the bat. When you're trying to talk to them, they're like wait a second. And then you have to spend more time. They're hoping in that time that it takes you to figure out it's not really the USDOD that then they get out of the network.
Charles
Yeah. So it's basically The Brazilian national, 33 years old, named Luan BG, which I don't know that, that doesn't give a whole lot of information, but was arrested in Belo Horizonte or Horizont. Whatever. I don't know how to pronounce Brazilian things. I'm sorry. Yeah, so basically it was announced by the Brazilian police and I guess Bob's your uncle, that that user did get banned from BreachForums like a month ago. So maybe that was OPSEC related, I don't know.
I
But was it, was it just one person that they arrested to try to get the whole group?
Charles
I don't know if it was a group or if it was just a person. I think it in my head at least it's always seemed to be just a person. But I mean only one person so far has been arrested. But they were actually doxed back a while ago. I guess it was a matter of time. It looks like they were doxed in April. So once you know who they are, going after them becomes a little easier. I think they were doxed by CrowdStrike because, like which. Yeah, I mean basically it seemed to be their goal to go after just the most high value targets possible and make as many people angry at you as possible. Hey, that's good business I guess. Yeah, I guess so.
E
I mean we haven't, we haven't tried it yet. You never know.
Charles
Should we call ourselves like us DOB or something?
E
We're going to call ourselves Secure Works Central now. Powered by Sophos or something. Trademark infringements there.
Charles
So what is this? Military encryption Quantum. Has anyone like read this article that just ended up in here? Is this FUD? This is pure.
I
Yeah, it is, it's FUD, but it's cool.
John
FUD. All right.
Wade
It was, it was a great headline. It was a great headline. But I do believe that this was. They broke like 22 RSA and not even 256. It was something really small.
Charles
Was it export grade?
Wade
No, not even close.
E
Yeah, but they always like proof of concept.
Wade
Yeah, it was something that you would think you'd be able to crack maybe with a regular computer in maybe a week or two.
I
I think they had cracked the same level of security in 1999 with desktop hardware. But like the new thing is they cracked it with a quantum computer and people kind of took that and said, oh, someone cracked RSA using the new quantum computer. And people were freaking out about it.
E
I don't know.
Charles
So it was a 50 bit. That's what they factored. They factored a 50 bit number which for anyone wondering, I think 1024 has been the standard for over 10 years.
I
1024 I think was depreciated in 2013.
Charles
Yeah. Basically, I think 4096 is like the new standard.
E
So my question with this, is it, is it, is it actually cracking it with a key? Like what is the, what is the mode? Right.
Charles
It's just factoring the number. It's just factor. It's literally just brute force math.
E
Yeah.
H
Is it brute force if it's a quantum computer?
Charles
Actually that is quantum.
E
And the answer is no, it is not brute force if it's a quantum computer. It's something different. I think it's cool from the quantum computing perspective as far as like whenever you're looking at like keys and randomized bits and there's a lot more to it and it depends on the encryption, right. Like an example would be just kind of break it down. Right. Like if we're looking at Windows password hashing, right. It's a straight DES on the key for LANMAN and it's NT4 for NT or MD4 for NT. That is just straight brute force. You can brute force that all day and you can use quantum for that. Eventually it's going to work great for that. Whenever you move to Linux and UNIX based systems where you're using that randomized crypt function where you're using like you know, 64 bit randomized key in conjunction with the password for the actual encryption of it. Well, it depends. Some, some are hashing algorithms, some are encrypted and encryption algorithms depending on what they're using on the back end, that's a horse of a completely different color. Right. So if you're just trying to quote unquote, brute force with crypt, with, with quantum password, like Dan Brown and his goddamn horrible novel Digital Fortress that my mother in law made me read, I'm not going to go on that tangent right now. Then, then it makes sense. But whenever you're looking at all of these other things that you can add in with randomized salt associated with it, it becomes like infinitely more complex very, very, very quickly.
Charles
Yeah, it was.
John
I think the more interesting, the more interesting part of this though is just that the quantum, the quantum side. Right. Like, don't look at that. Okay, they finally broke something, but they're actually doing things with quantum and they're able to do it and they're going to be able to scale this. The other scary part is, from everything what I've read, China is pretty far ahead of us in quantum technology. Not just out of like, technology, but out of like sheer brute force because they have so many different labs and people actually using it. It's China. How, how fast would they scale this? Could they scale it up?
E
Well, there's also a whole bunch of, like, research and development projects, especially whenever you're looking at like, biotech, you know, you can absolutely use quantum to try to break, you know, crypto that's being used. None of the actual crypto that's being used in DoD yet. Like, like I was saying, we're quite a ways away from that. But whenever you're looking at like research and development, there's a bunch of different things that incorporate something called NP hard problems or non probabilistic hard problems, which means you're going to have to brute force to find that answer. And like, if you're talking about just like sequencing or you're talking about coming up with chemical compositions, quantum is absolutely going to kick ass in those particular applications or you're dealing with efficiency algorithms. Right. You know, whenever you're looking at OSPF, that is basically a cheat that Dijkstra came up with. Trying to solve the traveling salesman paradox not with the best solution, but a solution that's workable in a relatively quick fashion. So, yeah, there's big reasons why China is getting into it, but trust me, they're not going to want to try to crack open your VPN so they can watch you like Pornhub. Like we're. It's not. That's not what's being done.
Charles
Well, they'd have to. They'd have to break first. You know, they would have to break into all the ISPs.
E
Yeah.
Charles
Conspiracy theory hat. Conspiracy theory hat never happened.
E
Right.
Mike
Ah.
E
Oh, God.
Charles
Anyway, let's move on. Quantum stuff notwithstanding, Microsoft says it lost weeks of logs. Is that just a normal thing?
E
Weeks of logs?
John
As someone who reads logs all the time, yeah, that's pretty normal almost. We don't, we don't know where those logs went.
Charles
Yeah. So basically, I guess, I mean, again, this feels like it should be a story and shouldn't be a story at the same time because it's both insane and normal somehow. But basically, yeah. Microsoft notified customers that it is missing more than two weeks of security logs for some cloud products. If you had a breach during that time, they will send you a gift card for DoorDash for $5.
E
That's better.
Charles
Yeah. Basically, there was a bug in one of their internal monitoring agents resulting in a malfunction. And some of the agents that didn't send the data, they're probably using Splunk. I'm just kidding. That would be insane.
E
That would be funny.
Charles
They're just like, oh, yeah, Python 2.7. Dependencies broken. So our Splunk forwarder that goes into Microsoft Sentinel broke. No, basically, yeah. The data was between September 2nd and September 19th. I'm sure no criminal activity occurred during that time, so it should be totally fine. But yeah, I mean, it's kind of scary to think, I guess. Wade, how do you feel about this? Because you're literally wading through logs all the time. Because you said this is normal.
John
Yeah, logs just disappear all the time. I don't like. No, it's not normal for Microsoft to lose your customers' logs. Right. Like, what the. I would be pissed.
Mike
What am I paying you for?
John
Right. But normally, like, I have seen several systems where just like, hey, there's no logs here. And then you hit up the vendor and they're like, yeah, you have to go on that box, do a memory analysis, pull out these particular things, send it back to us. We'll do a root cause analysis and get back to you in 10 days to see why those logs aren't there. That's. That's every. Every EDR vendor out there. So logs. Logs come and go.
Charles
You get what?
John
You get something, you deal with it. Yeah.
Charles
Wow. I mean, I will say, like, is there any. I mean, any. Anyone come up with your most fun conspiracy theory for why someone would want to wipe all of the cloud logs for a 10 day period?
John
We could do this for the rest of the episode.
D
Whatever it is, it has to do with 9/11.
Charles
There you go.
John
You took that to 11 real quick.
D
I just wonder if Microsoft's going to refund some of that money for Sentinel. That stuff gets expensive. So does. We had to clear. I'd be pretty happy. Like, yes.
I
Save a couple bucks.
Charles
Yeah. Nothing happened during September 2nd and September 19th. We'd like a discount during that time. Yeah, no, I mean, if something Happened. That's really rough, but sure.
Mike
A Starbucks gift card.
Charles
There you go. Yeah, no big deal. No harm, no foul. There's no breaches for a couple weeks. It's fine.
I
There's no breaches if you don't have logs for it.
Charles
Has anyone checked out this WeChat thing? There was Citizen Lab, who we're big fans of and is generally quite awesome in their research and reverse engineering and stuff, published an article about the very popular Chinese chat app called WeChat. They've studied the kind of privacy issues with IT surveillance that it could do. Kind of like a protocol analysis, I guess. Yeah, basically it's really interesting. I guess if you're into AppSec or any kind of application testing, this is probably a really good read to kind of get. They have like a full write up.
E
They do great write ups.
I
This is like this is summary FAQ. Like the actual write up is very long. But what I found was interesting is the protocol that they use is not TLS. It's their own implementation of it, but.
Charles
They couldn't break it. Right.
I
So there's two different types of encryption. The older one they just wrapped with the newer one. So the older one has a bunch of issues that people are aware of. So they just wrapped it with a new type of encryption. Which I thought was kind of funny.
Charles
That's fun. Just put another for loop on your. For loop. What could go wrong?
I
That's what I would do.
Charles
Yeah. So basically, you know, there's an FAQ here. I mean, I don't know what the usage of WeChat is outside of. I mean I have some friends that use it, but only to talk to their families back in China. They don't. I've never seen like people using this to talk to like each other. Just in America.
Mike
Right.
Charles
I might be, I have no idea what the like global usage of it is.
John
I have, I know Chinese companies will use WeChat internally for chat mechanisms as well.
Charles
It's like they're, you know, for 1.3.
E
Billion users, almost all of them in China.
Charles
Sure. So it's heavily focused on China. Probably. There is some. They, they do have a question right here that says can the Chinese government read my WeChat messages? Basically, regulatory wise, the answer is yes. You know, it's not end-to-end encrypted, which that isn't that unique that that applies to almost all the chat apps. That applies to Discord, that applies to most popular chat applications. There are some exceptions like Facebook Messenger and iMessage. But anything that isn't end-to-end encrypted, you have to assume a third party could grab the data, right. So that it would include the Chinese government.
Mike
So wouldn't that be the only thing they use anyway? Because everything else is blocked in China.
E
Yeah, I'm willing to bet it's one of their big apps, of course, but I'm just waiting for the Chinese government to ping someone's phone and be like, you haven't logged into WeChat yet.
Mike
Oh my goodness. If that happens. My goodness.
E
Well, with their social credit scores, they have like, they do look at things like that. It's kind of nutty.
Charles
Well, so interestingly enough, like this kind of gets in. I think John just kind of outlined one of the big questions they have in this article, which is, I have a phone with sensitive data. If I install WeChat, would it be, would it be able to steal the data? Like, how much risk am I putting myself through? This also came up with the TikTok discussions. Right. Basically the answer they give is like, it does depend, right? It depends on, you know, what settings you choose, what, you know, like your options, like geolocation, contacts, things like that. But yeah, I mean, basically if they say it's a very generic answer, this could apply to any, any, any malicious app. And I think that is good future reference material for any, you know, one who would ask like, well, is WeChat going to see all my data? Well, the answer is like, it could.
I
Depending on what you granted access to your sensitive data.
Charles
And if your phone is patched, that's the other big thing. If your phone is vulnerable, WeChat can exploit that vulnerability potentially just like any other app could. But yeah, I mean, I think there's.
E
Not, there's, there's also a lot of app sandboxing that's going on in these different, in these different applications that run on mobile. Like you can basically export what it is other applications can gain access to, so you can kind of expose that, so you can like expose a database in the back end. It's like that. Yeah, yeah, but beyond that, like to jump over and start stealing things from Twitter, you're going to need a sandbox escape for that to be able to be done. It basically has to do with like when you're looking at Android, it has to do with how intents are actually established and there are really cool things that you can do where you can basically pull the source code off for an app and you can actually look and see what the exports are for. Things like intents and intent manipulation so.
Charles
Yeah, I mean, I think the bigger. The reason it didn't really get that much press, probably unlike TikTok, is just because I think WeChat can actually be run pretty well in like a restricted, you know, limited permissions, whereas TikTok is much more aggressive about being. You know, I need camera access, I need geolocation access, I need all the access to be able to survive. We don't chat.
John
Speaking of governments, looking at your chat history, there's. I just threw the article in. More than two dozen countries have used the Internet outages to sway elections.
E
Internet outages, interesting.
John
Yeah. So there's roughly around 72, 72 countries that actually hold elections. Right. Out of those 72, 25 of them, it was reported, have used censorship and disinformation. According to the report, while elections are being held to either block Internet or social media across or cut off websites allowing political and social religious content.
H
So pretty much harboring an outage soon in the United States.
John
Very soon, very soon. Like a couple weeks. Tunnels now, like what, like 18 days.
E
God damn it. This is why we can't have nice things.
Charles
We don't have any logs for that data. Sorry.
E
Yeah, we don't have any logs.
John
This one's kind of. Forty out of 43 governments worldwide have attacked or killed citizens for their online speech. And 25 have cut off Internet access during election periods, which is pretty gnarly.
Charles
Ok, that's insane. But I'm still stuck on the fact that only 78 countries have elections.
John
That. So that's what Those are. The 72.
Charles
Aren't there 280 countries or something in the United. In the world elections?
John
I was googling that. I was like, that can't be right there. It has to be more. And then it's like, no, there's.
E
I found another legit number.
Charles
I mean, I guess you get into like small countries that don't give a crap. They're like, we don't care about elections. We just live on an island. Just leave us alone. Yeah.
John
I mean, there's a CNN article that says more than 70, and then that Freedom House article says 72. That was.
E
It is more than 70.
John
Yeah, yeah, exactly. But I was like, I want a hard number like that. That was pretty crazy. It is. I think they said like 86% of the world's Internet is from those countries.
E
Though, which clarify that.
Charles
Yeah.
John
So the 72 countries that are holding election practices cover 80% of the global Internet usage.
Charles
Right? It's like the five.
E
Oh, okay, yeah, that makes sense. Okay, all right, that checks.
H
That's the one that had the outages. Had 80% of the Internet usage.
John
No, there's no, no, that's like all of the ones that have elections. Yeah, yeah, the one with.
E
Have Internet because, you know, they're stable.
Charles
More or less stable countries basically, like most things, most of the. Most of the traffic comes from a small number of countries. Yeah.
John
If that, if that number is wrong, someone's correct us. Because I, I was googling for a minute to try to figure out like how many countries have elections and I could not find anything.
Charles
Yeah. I will say I don't think it's really anything new necessarily, but it is interesting to see it broken down like that. Like kind of a meta analysis of where we're at.
E
I'm kind of at the point where I think we need to just move to kings, dictators and assassinations, because you can barely.
Charles
The most of the world agrees with you.
E
We can just free things. It's like, hey, how's this guy working out? It's probably his time.
Charles
Well, let's look at his Twitter post. Let's look at his Twitter post. And if it's not good, we'll just kill him.
E
That's apparently what country Secret Service people that in no way had anything in whatsoever. The United States, the current candidates or future candidates. That had everything to do with just being facetious and making a satirical comment. In no way grounded in reality. In no way does Black Hills Information Security talking about news condone any type of political violence ever. Thank you very much for listening to our show and not arresting me.
Mike
The award nominated.
E
Show is now.
Charles
All right, let. I also wanted to talk about. So there's the Pokemon breach, which is like, I guess we talk about just because Pokemon.
E
Yeah. I was shocked to find out how many people are still playing.
John
Well, okay, so all the time, if you play Pokemon Go, hit me up.
Charles
Basically, the breach itself is Game Freak, which is a very well known, you know, super long established game studio. My whole like, hot. I mean, it's not really anything new. It's just basically people are posting, you know, screenshots of source code, development builds, which again, what are you gonna leak? Pokemon has been the same game for like 25 years. Like, what is it? Oh, this time there's a trash bag Pokemon. Like, there's literally nothing to leak.
John
I hate that trash bag Pokemon. I was like, why is there a trash bag, kids?
E
But Pokemon, like, there is nothing but my.
Charles
So my. I mean, it's a breach, but my hot take is Is this somehow related to the Palworld lawsuit? Because, you know, I don't know if anyone's been following that, but Palworld was basically an open world, kind of rip off of Pokemon, kind of. Not in some ways. And it's. But the thing is, Pokemon and Nintendo in general is known for being extremely litigious when it comes to their IP. And like, any kind of. They have a patent for, like, throwing a Pokeball. Basically, they have a patent for that. And so they're going after the company that made Palworld in Japanese court, so.
John
Which is very, very, very stifling for trade infringement. So, like, whoever does it always, always loses. But while I'm up, let's see. Here's my ad code for Pokemon Go.
Charles
That's how we're fishing, Wade.
E
Next time Wade Pokeballs is ready to.
Charles
Go, please add me on Pokemon Go and then log into your work account. Don't question.
John
They're pretty good. So in Pokemon Go, there's no messaging. That's another thing.
Mike
Right.
John
And it's a multipl. And then they have like a side app to, like, be able for people to team up and stuff like that. And the messaging is horrifically limited in that.
Charles
Yeah. Because they know kids are on there.
John
Yeah, but. And it definitely. And I applaud them for that. Like, it's just enough to get things done.
I
Wasn't Penguin. I love the same way.
E
What's that message?
Charles
Must include the word Pokeball. Please try again.
E
I love that. When Pokemon Go first came out, I had students that were running apps that they would spoof their geolocation to get like, the epic Pokemon. And they were harvesting them.
John
I won't confirm or deny that.
E
That was so cool.
Charles
The logs are missing for that time.
John
Wait, that's weird.
E
It's like, I love. I love hacking video games. I think that, you know, I wish that we could get into that more in Black Hills Information Security, because that's just cool stuff.
Charles
Yeah. All right. So the. The one. Is there any other articles? The one I was going to talk about was the robot vacuum thing because it's just so dystopian. It's funny. It's both funny and terrible at the same time.
E
I just know that in like 100, 200 years, they're going to be like, wait, they put computers in the vacuums? It's like, yeah, yeah.
Charles
Okay. So the company whose name is not called these bots, but I can't see it any other way. Basically, they. This. This company has been kind of notably easy to have. There's been a critical security flaw like this has been disclosed for a long time, but now it's being put into practice and reading through the story. I'm just going to read it verbatim because it's hilarious. So this essentially is a lawyer from Minnesota named Daniel Swensen. He told ABC that he was watching TV when the robot started making weird noises, like a broken up radio signal or something. That is the sound of hacking. No, I'm just kidding. Through the app, Swensen could tell that a stranger was accessing the live camera feed and the remote control feature. Why you had these enabled, I don't know. He reset the password and rebooted the vacuum. Okay, second question. How do you reboot the vacuum? Does that involve a shotgun?
John
You hold the button on the top for three seconds every time, no matter what.
Charles
That's when the weirdness really started. It immediately started moving again of its own accord and the speakers began emitting a human voice. The voice was yelling racist obscenities right in front of his son. I got the impression it was a kid, maybe a teenager. So maybe his kid was just playing Call of Duty, we don't know. Or just jumping from device to device, messing with families. It could have been worse. So the question I have is, what do you do after this? Do you just throw it in the garbage? Do you take it to like, do you take it to a public place and just let it go by itself?
E
Just open it into the wild because, you know it's got to die on its own.
Charles
You know, there's actually a wildlife sanctuary.
E
For compromised, compromised, racist vacuum robots. It's like. And the last thing it said is it went off into the sunset was not bad for a human.
Charles
I just. The concept of having like 10 of these things in the same room just yelling racist obscenities at each other.
Mike
Oh my God.
Charles
I know it's bad, but it's still just so funny to me. I will say, if you go to jail for this, is it worth it? Like, seriously, is it worth.
E
Yes. Yes.
I
How did they get in? Did they expose their vacuum to the Internet?
Charles
So that model in particular has some issues with it. Yeah. So there's a separate article.
E
Basically, robot vacuums are uber for cats.
Charles
Uber for cats. So this is the article, other article from ABC. And this is the Australian ABC. Basically they published an article showing how they hacked it. It was Bluetooth, you know, just disaster. So this model in particular. Yeah, yeah. So I mean, I don't know actually if it has to be nearby or let's see, it can be done through Bluetooth. Basically any of the Ecovacs models can be connected to over Bluetooth. You could control the camera, so then that would give you full access.
E
Right. This doesn't sound like.
Charles
Yeah.
E
Could have been their kid playing Call of Duty in the next room. And their mic just like, like, like, like, like.
Charles
Yeah. I mean, Bluetooth range, it says up to 140 meters. I think, as we all know in the real world, that's a little optimistic, but definite.
E
Just said nature abhors a vacuum.
Charles
Oh, that's good.
E
Awesome.
Charles
Any other articles? That was a fun one, but the other one, I guess I'm curious if people want to talk about it, is the whole, like, evolving state of the whole ransomware payments thing. Has anyone been following this?
John
Is that the one with the UN.
E
We've been working ransomware cases for the past couple of weeks. I don't know.
Charles
Yeah, I mean, basically the. It's essentially just kind of a meta article talking about, you know, basically, Anne Neuberger, who is U.S. deputy National Secretary. Wow, I can't read. Sorry. U.S. Deputy National Security Advisor for Cyber and Emerging Technologies, wrote in an opinion piece that insurance companies are fueling ransomware threat actors. So kind of like. I don't know. I mean, it's just a. It's an article for the sake of an article. It's an opinion piece. But from my perspective, the US Government's trying to eliminate threat actor or, you know, they're trying to get rid of these ransomware organizations. But at the same time, like, US businesses are funding them. So it's kind of like a weird position they're in where it's like, on one hand we're trying to get rid of them. Taking away their funding is a good way to get rid of them. But also, like, US businesses rely on these ransom payments to, like, get operations back up and running.
H
Yeah. If they didn't pay the ransoms, then the ransomware actors would just go away. Like, if the payments dried up. No one's going to do that attack anymore. I think this makes a lot of sense. Yeah. We should not have a business centered around paying ransoms, which is kind of what the cybersecurity insurance is doing in these cases is just paying ransom.
Charles
Yeah.
I
Is there any data saying, like, how many people who actually pay actually get all their data back? Is it like 50%?
E
Yeah. So what I'm saying so far is it is a pretty high number. And that and I have also seen and heard and we've talked about in the news where if there are ransomware groups that don't give the stuff back, the other ransomware groups attack that ransomware group. Because seriously, if it gets around that if you pay and it's like a 25% chance of you getting your data back, then no one's going to pay.
John
So there is.
Charles
You have a reputation.
E
Yeah, they've got a reputation for crime that they've got to uphold.
Charles
Yeah, exactly. They're not criminals. They're just criminals.
Wade
They're not criminals. They're honest criminals.
Charles
Yeah. They also don't go after health care. Except for when they do. We don't talk about that though.
John
Talk about healthcare.
Charles
Yeah, I mean, I think, like, it's. I agree with the opinion. I agree, like, don't pay the ransom if you can, but if the choice is just turn off your company and be like, all right, we had a good run, see you later, like, obviously you're gonna pay it. Like, I don't know. Basically my question, yeah, no, that's impossible. That costs money.
D
And you have to figure also this. As ransomware gets a little easier for people to start deploying, those ransoms are going down. So just like if you had a door ding, you might not worry about getting your insurance involved because it might cost more than your deductible. And so then you may just say, oh, you only want 300 bucks and I get my stuff back. Cool, great. Here you go. And without even a thought. So it's only going to be really those large attacks where the victim company just simply says, we don't have it. We don't have a million dollars or whatever the case may be. So this is gonna really.
E
Then you hired Mandiant and Yeah, I'm like time traveling nerd herder. But you do have backups, right? I think that that kind of helps with all of those things. Although the last incident that we were on, we saw them going for their Veeam backup server.
Charles
No. Yeah, they got. You got to nuke the backups first. vssadmin, shadow copies, delete, all that good stuff.
E
Yeah.
Charles
One of the cases that the article mentioned specifically is Lay Valley Health Network or Lehey. I don't really how to read. I don't know how to. Basically, here's the story of. It was a hospital, they got hit, they had to pay it. They were asked to pay a $5 million ransom, they didn't pay it. Then the data leaked online because that's how ransomware works. And then they got a class action lawsuit saying, you know, basically that against, you know, for breaching people's data. And then they had to settle that for 65 million. So like looking at this as a bottom line, they basically, you know, lost $60 million for not paying the ransom. That isn't necessarily deterministic. It's not like they knew that was going to happen. But it kind of, if the problem is because that happened now, if I'm a CTO or CSO looking this, I'm saying, well, the ransom's five mil, class action's got to be more than five mil. Do we trust ransomware actors? It's like it's a tough thing.
John
What about uBlock Origin going away?
Charles
Well, Cookies went away too, right? So we're fine. It doesn't matter. No, I'm just kidding. So wait, why is uBlock Origin going away?
John
So from what I know how it works because it's blocking certain ads and everything, right? It could actually block YouTube ads, which is really nice.
Charles
Right.
John
So with the new Chrome update, they are removing it, pretty much getting rid of that feature. So it can do stuff. But in this article it's actually stating Google is actually turning off uBlock Origin within your Chrome add ons. And let's see, mine is still currently on and running, so I am not part of that.
H
Yeah, my understanding about this is that it's just because uBlock Origin is a Manifest Version 2 extension and Chrome is only going to support Manifest Version 3 in the future. And I saw in the article that apparently there are already some alternatives for uBlock Origin. Like there's uBlock Origin Lite that can do basically the same thing. It's just, you know, not as full featured, won't block as much stuff. But I mean, from the sounds of the article, it did not sound to me personally like they were going after uBlock Origin kind of like the headline made it out to be. But yeah, I don't know if that's accurate.
Charles
Basically it sounds like it's kind of not being updated or maintained as much as it probably should be. We don't know what's happening on the back end, but it sounds like if they were to publish a new version of uBlock Origin that it would be fine.
E
We keep talking about it. It's like, yeah, you can do whatever you want, but as soon as you start touching that sweet, sweet Internet ad revenue, boy, they come after you hard.
Charles
Well, this is flipping back the other way though, right? Because uBlock Origin has been standard, a lot of people have been blocking ads for a long time and I feel like the companies like YouTube or whoever are clawing back. They're like coming up with ways to get past those ad blockers. It's kind of like undoing, I don't know how. What percentage of people even use an ad blocker? Probably a small number. Like 5%.
H
Everyone. Because I think the Internet is not usable without an ad blocker.
Charles
Yeah.
E
Have you tried to surf the web? Like on a fresh new install website? You're just like, what the hell? Do you guys remember? Walmart had free Internet. They called it like blue light. Walmart Blue light I think is what it was called. Can confirm that idea. But they literally just pushed ads all over. But it was free Internet and you could do that, right? The Internet looks like that now without an ad block. I was so shocked about the whole thing. It was just like this is also.
Charles
The security factor, right? Like uBlock Origin, I mean at Black Hills is standard practice for malvertising. Like it's not, it's not like John's friend doesn't want us all look at ads for like 15 tricks to empty your bowels in 5 seconds or whatever weird stuff pops up. But it's more, it's more just for security purposes, right? Like we know advertising is real. Yeah, I do love that. You know, has science gotten too far? Like the fish, the fish with the. I don't know if anyone remembers that meme, but it's like the fish with the cigarette in its mouth, it's like, is this real or fake? Like those that used to be Internet ads, remember? Like I don't know what that was an ad for.
John
I had NetZero back in the day, which was dial up, right? And it had a bar that you just kept and just rolled ads the entire time and you got free dial up. And I used to search Pokemon. That was my epic. Maybe it was.
Mike
By the way, that's where it started.
John
By the way. Here's my friend code again.
E
QR code. But this, this gets into like some, some, some kind of like nastier questions, you know, because a lot of times we touch on privacy. It's like, you know, Firefox is a good browser, but you know, we gotta go to Brave, which is built on top of Chromium to try to get that ad free experience. And then I still keep wondering, why don't we have a complete open phone architecture, right? Like that's not completely locked out to us. It's getting scary. And it goes back to God. What's the guy's name? The.
Charles
We have them, John. They Just suck.
E
I've talked about them a number of times on this show, but it's like they're locking down the Internet more and more and more to kind of channel you into, you know, ads. That's the only thing you are. The cattle getting shoved down the chute. And that's bothering me more and more as I get older. Because, you know. You know, Wade, you're talking about those old days of dial up. I felt like it was less skeevy then than it is today. And it was more fun then than it is today. Yeah, like, I. I'm sorry, kids, but, you know, growing up in the 80s and the 90s was awesome. It was great.
Charles
I don't know, John. Have you ever used Google Maps?
Mike
Hey, hey, hey. You don't know the joy of printing.
E
Out turn by turning out from MapQuest. We can't go back landing and then getting into the car rental place. They give you a crappy map that's this big for downtown Boston. And they're like, good luck, you know.
Charles
Asking people for directions. Remember that? Like pulling over. Hey, do you know how to get to the. You know how to get to the Boston. Like, asking people for directions? Oh, yeah.
E
What you do is you drive down Bowlberry Lane up until falling over Willow Tree.
Mike
If you're gonna see a gas station, that's the landmark.
Charles
And now they'd be like, I'm sorry, do you not have a phone? Are you.
I
Are you okay?
Mike
It's just brutal. It's brutal now.
H
Yeah, it's.
E
It's, you know, whatever. But it's like, God, I. I do wonder where this ends. So.
Mike
Yeah, and this is why I need Internet Archive to be left alone so I could go back in time. Sometimes.
Charles
Yeah, sometimes you gotta go back to.
E
Your happy place with the flashy gifts and the dance.
John
Just leave the Internet Archive alone. Just leave them alone.
Charles
Listen, I only test From a Windows 95 VM with Bonzi Buddy there. He's there. I got all my. I got all my toolbars. I got all my toolbars.
Mike
I got my Netware 411, my.
E
Credential gator. It would remember all your passwords for you. It was so malware out there.
Mike
Yeah.
Charles
All right. Any final articles? I feel like, you know, I guess technically we're.
E
I'm still recovering from Wild West Hacking Fest, to be honest. Corey.
John
Doctor.
E
That's it.
Charles
There is a lot of hacks, though.
John
I'm still sick.
Charles
Really?
E
Oh, there were so many people that got crud or got Covid. I was lucky.
Mike
Oh, they Did.
E
Oh, there was a lot of people.
Charles
I got lucky. That's my. Usually my strategy. Get lucky.
E
I don't know. We just got up the next morning, ate a crap ton of, like, bacon and, like, eggs and biked for 20 miles. It was glorious.
Charles
That's how you get better. That's what. That's what?
John
Bike 20 miles. That sounds Covid.
E
Just like f this. I am not staying in this host. This guy is not right. Like, what was it the day before you ran 8 miles or that I ran 6 and then we went biking another 10. Almost killed one of our employees from Poland.
Charles
That is true. We had. We. We had a story where John Strand, like, John and I both mountain bike, and to us it seems normal, but, like, we're halfway through and he's like, guys, this is insane.
E
This is so extreme. This is so extreme, you guys. And we're like, hey, have you mountain biked before? He's like, yes, I've mountain biked. And then we get to biking and he's like, I've biked on a wide road in the mountains. Why is the trail this big?
Charles
Yeah.
E
I'm like, because if we. Sometimes it gets that big.
Charles
He did.
E
He was a trooper, though. I was impressed. He made it like, rock on.
John
When do we find out if we won the award or not?
Charles
What award? Oh, the difference makers. I don't know. It's a good question. I think they just show up in John Strand's bed at night and he wakes up with a. Like a. What would it be? A dead hard drive. Like a cut in half hard drive or something. I am sure, I am sure you have made a difference. Here's a modem. Or I don't know what. I don't know.
Mike
Here's a modem. Oh, man.
E
Oh, they've got all kinds. They still have a bunch of nominees out there. They don't have the winners yet.
Mike
Yay.
John
Well, we know Jerry won. Like we.
E
I hope he did. If he didn't, then it's. Then it's rigged. Whole game is rigged.
John
That bot I made definitely didn't work out. I don't know why, but exactly the bot you made.
Charles
Oops, we forgot to put a captcha on it. Sorry.
E
It's kind of funny that we're that jaded. Like, you know, Paul's. Paul's been nominated. And Paul. Security Weekly is awesome. But I remember whenever we were doing the RSA social media awards or something, like, Paul won it. I want to say that we won it like five, six years in a row. And, like, towards the end, we were just like, yeah, we're not. It's just. And it was so stressful. We're like, oh, we got to win this thing at the beginning. And towards the end, it was like, nothing in my life changed substantially one way or another. So you just keep doing your own thing. And Jerry deserves recognition just for the work that he puts into it.
Charles
I mean, these kinds of awards seem impossible. Like, I'm fine with a good old race or, like, you know, do it. Having, like, a competition to see who can win something, but it doesn't. What are you gonna do? Like, I'm gonna podcast twice as hard now. I don't know what else to do. Like, yeah, an episode per hour.
Mike
I don't know.
Charles
Honestly, if anyone listened to every episode of the podcast, I'd like to just apologize on the behalf of the whole.
E
Right up front. Right up front.
Charles
Just. I am so sorry.
John
The. So, I don't know. Hopefully I'm not, like, revealing secrets, but the podcast may be eligible for Hackett coming pretty soon.
E
What's Hackett?
John
What's Hackett? Yeah.
Charles
You don't know what Hackett is? That's amazing, Don. You should go to some of the BHIS. Have you heard of Black Hills Infosec?
E
Our Hackett? Okay, I thought, seriously, that someone else was doing Hackett, and I'm like, that's kind of ours. I don't know if we have.
Charles
No, we're drinking our Kool Aid here. We're not a cult. Fine.
E
Not a cult. Totally not a cult.
John
I did a whole presentation on that. Not a cult.
Charles
I know. We can close out with. Okay, let's close out with what was everyone's favorite part of Wild West Hacking Fest? For those that were there.
E
Oh, for me, it was the breach whenever we had one of our customers. No, I'm serious. I'm serious. We had a customer that was breached. It wasn't our fault. Which made it awesome, right? And we were working on it, and we had the entire SOC together, and we were working in shifts and. Not me. I shouldn't say we, because I went to bed, I got sleep, I did karaoke. But just seeing the team just go in and kick ass on an incident. But I almost felt bad for the hackers. Like, you break into a customer, and it's like, you just so happen to do it the one time that we are all together. And it was cool to see the whole team work together on that. It was a lot of fun. And then I'd say after that was karaoke. I had a blast at karaoke. And we're going to be doing that again.
John
The SOC meetup was actually pretty good, which there usually isn't a blue team meetup at Wild West Hacking Fest as much. Right. So that was actually pretty cool. Got to talk the entire SOC and just talk about detections and how everyone sends stuff up. That was actually fun.
Charles
Charles, what was your favorite part? My favorite arcade cabinets. We already know it.
Mike
Well, whoever brought that, please bring that back for one.
E
But those are mine. Those are in our vacation. Vacation rental house. I love them.
Mike
Oh, my goodness.
E
It's like, I love having retro gaming stuff, but as soon as I start playing it, I lose interest very quickly. It's almost like I feel warm having.
Mike
It near me, but it was just like, I have so many. I really enjoyed the karaoke for one. Folks, if you ever have a chance to come out to Wild West Hackfest, I'm just going to put it out there. Right. Please do yourself a favor and come to karaoke. I mean, the talks, it was so many different moments I had for myself. So I enjoyed the talk. I'm thank. I'm. I enjoyed the fact that I was able to get out there and speak as well too. But I enjoyed some of the other talks as well. I definitely enjoyed the CTF. The CTF was amazing. I mean, it was so close. And just seeing the. Just seeing the college kids just really just like tear through the.
I
They win every year, right?
Mike
Oh, my goodness.
E
No, they didn't win last year.
Mike
Not last year, no.
Charles
Oh, really?
E
So, yeah, there was a bunch of old school hackers that had won SANS NetWars a bunch of times. They showed up and took them to school.
Mike
Yeah.
E
But I want to call out psd. If you come to karaoke, you come up to me and you want to hug, you're gonna get wet.
Mike
I did. Yeah.
Charles
There was one guy, I can't remember who it was, but he went and.
E
Talked to my wife and he's like, I just made the mistake of hugging your husband. It's like he's in a shower. Like, it's just. He's stopping from head to toe.
Mike
Oh, my God. But we had a great time.
E
I was sitting there laying on the couch, and it was gearing up. It's like the post party was like crappy karaoke and walking tacos, and half the bar were people that weren't from the conference. And I'm like, no, no, no, no, no. We're not. We're not. We're not ending on this note. And I about died that day. It was. It was. So I went to bed and I. Yeah, the room was spinning. It was.
Mike
Goodness. You enjoyed yourself.
Charles
What was your favorite part?
E
It's the. It's the wet and wild karaoke party, and people are like, where's the water gonna come from?
Charles
It's gonna be like, John Strand is doing his own wet T shirt contest that no one else is invited to.
E
All right, what else? Anybody else got some things to happen.
H
My favorite part, honestly, was getting to teach. That was. I had a really. I had a great group of students, and we had a great time doing the red team class out there. So, yeah, that was. That was really wonderful.
Charles
Nice.
E
I'm hoping to get one of you guys to come and coat. Like, I'll teach upstairs, you teach downstairs in my barn. Next year we're going to see if we got some soundproofing, if there's enough. But I think it would be cool to get some more people out because we did the whole barbecue out at my house, and it was. It was cool.
Charles
Have a red team, blue team, pay what you can and be like, if you. If you want to know how to detect this, go upstairs.
D
Yeah.
E
You want to know how to hack this, go downstairs. So as above is below, you know, it's cool.
Charles
Yeah. Yeah.
E
I don't know.
Charles
Yeah. All right, Graham, what's yours?
Mike
Defend this.
I
I don't know. This doesn't really have anything to do with the conference, but we went to Badlands National Park when we were there, and that was pretty cool. Apparently there's a breakout of the plague among the prairie dogs, which I didn't realize until.
E
It's been like that forever. Yeah, the prairie dogs carry the plague. It's always been a thing.
I
That's good. I took a picture of, like, the sign that said, like, prairie dog, like, sanctuary or something. And then later, I was like. I was in the hotel and I zoomed in on the picture. I was like, what's this, like, post it note on it? And it was like, warning, plague detected. I was like, oh, that's good.
Charles
Plague detect. I gotta pull that sign. We should definitely put. We should put that sign up just randomly.
E
So when I was a kid, I remember I had an uncle of mine, we went out in the middle of the prairie, and of course, it's like one of those, we're going to turn you into a man. And I don't know how old I was. I was really young. And he's like, here's a 22. Start shooting Prairie dogs. And for me, I thought the prairie dogs were cute and adorable, and it was traumatic as hell for me, like.
Charles
But then you found out they had the plague. Then you found out they're plague dogs.
E
Oh, my God. Yeah. It's just. Yeah. So I have. I have nightmares about furry dogs still to this day.
Charles
It's fun.
E
That has nothing to do with hacking. Just.
Charles
Mike, we miss you, but I hope you had a good weekend about prairie dogs.
Wade
I missed all of you guys. Also, I really wish I could have been out there. You coming out to Denver, though? I am not coming out to Denver. I am looking at coming out to Deadwood again.
Charles
I think my favorite part was Wade's keynote. I mean, it was awesome. I mean, I think the biggest thing is, like, it just summed up so many things that we all feel, but put them into specific terms. That, for me, was really cool and just. It was so wholesome and happy and good and culty, but in a good way.
E
Like I said, if we're a cult, we have two tenets. Be nice to everybody, especially your enemies. Number two, tip well.
I
I will say I was walking down Deadwood, and there's some, like, bartender outside, like, crying on the phone. She's like, oh, my God. I just made, like, eleven hundred dollars in tips. It was like a Wednesday or something. That was pretty great.
Charles
You're like, nice. Yeah, thank you. Dry. And then we tipped you well.
E
I've told people, like, like, we go and we talk to the bars that we kind of visit, and we're like, you need to stock up on alcohol. And they always kind of treated us like, this is Deadwood, son. We have the rally. I think we can handle it. And then, like, the first night, they're just like, what the hell is wrong with you people? You all have alcohol. Like, here's a 1-800 number. You all need to get help now.
Charles
Fire marshals. Like, you can't have that much vodka in one.
E
Can't have that much vodka. That's a problem. That's old blocks going up. But, no, it was. It was nice. I am concerned about going to Denver and it being too big, but screw it. We're going to keep Deadwood small and intimate, and then we're going to do, like, blowout. Katie, bar the door. We're going to do the largest type con that we can and try to make it as cool as we can make.
Charles
James, were you there? Did I miss you or you were there?
D
Yeah, you missed me. I was there.
Charles
Dang it.
D
That's all right. I think for. I think for me, was just opportunity to actually get to speak this year. That was. That was really cool to. To be able to do that, you know, after sitting there for so many. So many years watching people and like, man, I wish I had something to talk about. And I. I guess I at least had something enough to talk about, so.
Charles
Nice. All right, begins. Do you have a favorite moment or you want to kill it with fire instead? Or was that your favorite moment when it was over?
Graham
Yeah, it's killing it with fire. No, but, yeah, it was. For me. I think it went fairly smooth. There's always some issues, but I think overall it went quite smooth from my perspective, and I got other people telling me the same thing. So I guess I'd say that's my favorite part is we got it done.
John
I actually got headshots taken while I was there because my headshots are so poor. So you guys will have to let me know when those coming then.
Charles
Well, nice.
John
There's one. There's one for me and one for you. That's all. That's all. I'll say.
Mike
Well, I'm definitely looking forward to Denver.
Charles
Who is you? Is you the royal you like all?
John
Yeah, the royal. The royal you.
Charles
Okay, I see. I see.
D
What are you doing with the shirtless picture?
Charles
Oh, hey, is that for me or for you?
John
Wade, the photographer was totally wearing.
E
He was like, all right, let's take it out, everybody.
Charles
Bye, everyone.
E
Thanks for coming and go forth, do great things. Be nice to everybody, especially the people that piss you off. Take care.
John
Whoo.
Podcast Summary: Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: 2024-10-21 - Logging Con
Release Date: October 25, 2024
The latest episode of "Talkin' About [Infosec] News" dives deep into a myriad of cybersecurity topics, blending serious discussions with lighthearted banter among the hosts—Wade, John, Graham, Charles, Mike, and occasional contributors. The episode kicks off with the hosts sharing personal anecdotes and recent experiences, setting a casual yet informative tone for the discussions ahead.
a. Internet Archive Breach
A significant portion of the episode is dedicated to the recent breaches faced by the Internet Archive. The hosts discuss how the organization, known for the Wayback Machine, suffered two breaches within a single week, culminating in a DDoS attack attributed to a pro-Palestinian group named SN_Black_Meta.
John explains:
"00:14:38 They got DDoSed while we're at Wild West Hacking Fest... another breach resulted in 34 million accounts being compromised."
Wade adds context about the attacker's motives, suggesting it was politically motivated against a platform perceived as supporting particular agendas.
b. Game Freak and Pokémon Breach
Another highlight is the discussion around Game Freak's recent breach, impacting Pokémon data. The hosts speculate on connections to ongoing legal battles, such as the Palworld lawsuit, and ponder the implications of such breaches on longstanding franchises.
c. Microsoft’s Missing Logs
Microsoft notified customers about losing over two weeks of security logs for certain cloud products. The hosts debate the normalcy of such incidents and their potential impact on security monitoring.
John states:
"32:18 As someone who reads logs all the time, yeah, that's pretty normal almost."
Wade counters:
"33:27 Logs just disappear all the time. I don't like it."
The conversation transitions to advancements in quantum computing, particularly focusing on its ability to factorize encryption keys like RSA. The hosts express concerns over China’s advancements in quantum technology and the potential threats this poses to global cybersecurity.
John highlights:
"30:17 Quantum computers have finally broken something, and China is far ahead..."
E elaborates on the complexities of quantum encryption:
"39:41 Is it brute force if it's a quantum computer?... Convolution of encryption algorithms makes it more complex."
Drawing from Citizen Lab's research, the hosts examine the privacy issues associated with WeChat, a prevalent chat application in China. They discuss the app’s proprietary encryption protocols and the risks of governmental surveillance.
Charles explains:
"35:22 Basically, it does depend on your settings and permissions, which applies to any app that isn't end-to-end encrypted."
John adds a broader perspective:
"37:51 It could apply to any malicious app, not just WeChat."
The hosts delve into the evolving landscape of ransomware, critiquing how cybersecurity insurance inadvertently fuels ransomware operations by making ransom payments more viable for businesses.
Charles discusses an opinion piece:
"50:37 The U.S. government is trying to eliminate threat actors, but businesses' reliance on ransom payments complicates the effort."
Mike agrees:
"51:26 If we stop paying ransoms, ransomware actors would lose their funding and cease operations."
A technical discussion ensues around Google's decision to phase out uBlock Origin in favor of Manifest Version 3 for Chrome extensions. The hosts debate the implications for ad blocking and overall internet privacy.
H clarifies:
"55:08 It's due to uBlock Origin being a Manifest Version 2 extension, with alternatives like uBlock Origin Lite emerging."
Charles reflects on the broader impact:
"56:35 Ad blockers like uBlock Origin are essential not just for privacy but also for security against malvertising."
An alarming yet humorous segment covers the hacking of robot vacuums, where compromised devices emit offensive language and behave erratically. The hosts discuss the security flaws that make such IoT devices vulnerable.
Charles reads an article:
"46:44 A Minnesota lawyer reported a robot vacuum hacking incident where the device emitted racist obscenities."
E adds a light-hearted comment:
"48:30 Open them into the wild because they’ve got to die on their own."
The episode also provides a recap of the recent Wild West Hacking Fest. Hosts share their experiences, including incident response demonstrations, karaoke nights, and the camaraderie among attendees.
E shares his favorite moments:
"65:43 Seeing the team handle a breach incident and enjoying the karaoke sessions."
Charles praises the keynote:
"70:44 Wade's keynote summed up the team's feelings and aspirations in specific, wholesome terms."
Interwoven throughout the episode are personal stories and humorous exchanges, such as John's accidental head injury from a falling pinecone and nostalgic discussions about retro gaming. These anecdotes humanize the hosts and provide a relaxed atmosphere amidst technical discussions.
John’s Pinecone Incident:
"05:07 I was walking with my son when a pinecone fell from a 60-foot pine tree and hit me in the head, causing a significant gash."
Retro Gaming Banter:
"08:35 We're fishing, Wade... playing Super Mario Brothers 3 while podcasting."
As the episode winds down, the hosts reflect on their experiences at the Wild West Hacking Fest, discussing plans for upcoming events and the possibility of expanding their presence in future conferences. They also touch upon the importance of community and continuous learning in the infosec space.
Charles concludes with optimism:
"69:04 We're going to keep Deadwood small and intimate, and make it as cool as we can handle."
E emphasizes teamwork and pro bono work:
"19:35 We should call out infosec companies to volunteer for pro bono security testing for nonprofits."
John on Log Loss:
"32:18 As someone who reads logs all the time, yeah, that's pretty normal almost."
Wade on Motivation Behind Attacks:
"16:49 It's all about you."
Charles on Ad Blockers:
"56:35 Ad blockers like uBlock Origin are essential not just for privacy but also for security against malvertising."
E on Ransomware Payments:
"51:26 If we stop paying ransoms, ransomware actors would lose their funding and cease operations."
This episode offers a comprehensive overview of current infosec challenges, blending technical insights with engaging personal stories. Whether you're an infosec professional or an enthusiast, the hosts provide valuable perspectives on breaches, emerging threats, and the evolving landscape of cybersecurity.