Connor
A great way to win an award is to throw shade.
Ryan
Throw shade? We've already thrown enough shade, right?
Kelly
Like, it's like the news philosophy. Like, you know, if. If we throw shade and we aren't live, do we really throw shade?
Ryan
That's a good point. Where it's not. It's not. If it's not live, it doesn't count, obviously. So are you flying out? Because I had coffee. I had good coffee. That's why. Right before, I actually went to, like, an actual coffee place and had an eggnog latte.
Ralph
Oh, bougie.
Ryan
I go for. I always go for the holiday drinks. They're my favorites. Right now, my Starbucks order is a peppermint mocha with an extra shot.
Kelly
You are the size.
Ryan
Just always.
Ralph
You are one basic girl right there.
Ryan
Dude, I don't go for pumpkin spice. All right. If a pumpkin spice is available, I'll get it. Like, if that's it, that's not my favorite. Definitely. Anybody have pumpkin pie? Like, I feel like Costco's pumpkin pie has severely gone downhill. Is anyone else? It's just, like. It's not good anymore.
Daniel
No idea. I make my own pumpkin pie, so only the best.
Mike
Look at you.
Connor
Pumpkin pie comes from Publix.
Wade
Hey, Ryan and Ralph. The SANS Difference Makers is at the Hinckley Hilton. Have you been there before?
Connor
I. I'm pretty sure I have.
Wade
Get somebody to show you the presidential seal in the basement, and you can ask to use the presidential bathroom, too.
Ralph
Okay.
Connor
This is. I. Yeah, this is the same. I've been there. I know what you're talking. I haven't seen that, but I know which hotel you're talking.
Wade
Well, dude, let's step it up a little.
Connor
I guess I have to.
Ralph
Yeah.
Connor
Maybe we'll get the VIP treatment since we're, you know, nominees. Nominees.
Ryan
You definitely won't. They'll be like, it's only you two. Like, do you guys. Are you even on the stream?
Ralph
We thought you were definitely sending. John. Can we get.
Ryan
That is exactly what they thought.
Alex
We thought we were getting 18.
Ralph
We're getting, like, Sea Squad here, right?
Wade
So are there any articles y'all are really fired up about?
Ryan
You read the news? Yeah.
Connor
Connor's got one.
Kelly
You read?
Alex
Yeah, I got one. Really? Interesting.
Connor
That's the only reason he's here is because he had.
Ralph
He.
Connor
He actually had something he wanted to talk about.
Ralph
You can't talk about it yet.
Kelly
We gotta wait.
Connor
Yeah, we gotta wait. We're still in. We're still in. Warm up.
Kelly
Pre show.
Ryan
Right now, you don't talk about the news. We all know that.
Alex
Do you guys have access to what's in notion? Because you guys can see the link ahead of time. I think it's really fascinating.
Kelly
Yeah.
Ralph
Yeah, we definitely do.
Ryan
We do. Just throw it in the chat. Throw it in the private chat in a corner. Yeah.
Alex
Wait, the private chat in the Discord.
Ryan
Or here in Restream? In Restream.
Ralph
Oh, okay.
Alex
I can throw it in here.
Ralph
Okay. There's many chats there.
Alex
But this is huge for me because I'm a hobbyist game developer and I use the engine that they're talking about where this exploit comes from. So pretty damaging, I think, especially considering. I think it's.
Ryan
Don't talk. Don't talk about.
Ralph
We're gonna have to do a better job of onboarding people when they come onto the show here.
Ryan
Right, right. We mute them until we go live.
Ralph
That's probably. So you're gonna talk about.
Ryan
Ryan, can you get on that real quick?
Connor
Hold on, let me just.
Daniel
How about the local sports team?
Connor
There we go.
Alex
We can. We can jump into that too. I'm down from college football talk. That was a crazy weekend. If anybody follows NCAA football, that's. It was nuts.
Kelly
Oh, no.
Ralph
After my team decided that they wanted to never play again, I'm. I'm not watching this.
Ryan
I. You know, I finished the League of Legends TV show on Netflix.
Ralph
Whatever.
Alex
That's arcane. Yeah.
Ryan
Yeah, that was good.
Alex
Did you like. Okay. I. Everybody who has ever seen it has told me I need to watch it. And I did watch that Cyberpunk. And everybody's like, if you like that Cyberpunk: Edgerunners.
Ryan
Like, the Edgerunners was like, better than the game.
Alex
So I. It was actually really funny. So I loved the game. Going right off the bat, I liked it. It got way better with updates. Way less buggy. My brother never liked it, so he was like, I don't want to play it. So then I got another way for him to get him to play it was, why don't you watch this series? There's nothing to do about the game. He watched it, and that's how he got into the game.
Ryan
That makes. They added stuff from the series into the game, which is cool.
Corey
Yeah.
Ryan
But on, like, the reverse of you. I bought the game right when it came out. I had no problems. My wife played the game on, like, our downstairs computer, which, like, barely ran it, and, like, she just used shotguns because then you don't have to do anything. Right. So when I bought a PlayStation 5, I bought it for her. I bought that game and within the first 10 minutes it crashed. And this is like, they updated it like this is like in the last six months.
Mike
What game?
Alex
It was bad. It was bad. Oh, in the last six months.
Ryan
Still in the last. Is in the last six months.
Mike
Yeah.
Ryan
I was quite upset because she wanted to like replay it.
Alex
Yeah. So don't play it at all on.
Ryan
Don't play it on console.
Alex
Yeah, just go for it on PC.
Ralph
Okay.
Ryan
Yeah. Did you. Yeah. Cyberpunk. Daniel, you never, you never heard about the Cyberpunk drama.
Mike
So I'm not like a huge modern gamer. I like retro games. So I tend to play things from like PlayStation 3, Xbox 360 and back.
Ryan
So you're playing like Spyro.
Mike
I actually do play Spyro.
Alex
Spyro is great.
Ryan
The remake was on. The remake was on point. The remaster.
Mike
Phenomenal games. They are very fun. I love the art that's in Spyro games. It's just there. They are super fun games. Yeah. I've got a couple of retro handheld consoles as well too.
Daniel
Yeah. The remastered Spyro and is loving it. So.
Ryan
Yeah.
Mike
What was that?
Alex
OG Crash Bandicoot and Spyro.
Corey
Those.
Mike
My youngest daughter, Crash Bandicoot.
Daniel
That's the other one that we've been taking turns at playing right now has been the remastered Crash Bandicoot.
Ryan
You realize how, how, how bad you were at video games as a kid when you go back and play that, like I just.
Mike
You really want to just as bad now what is it? Wizards and Warriors that are Ghosts 'n Goblins, man. That joker right there murder you as.
Kelly
Well when you switch to like the old school controllers and you're like, how was I ever good at this? Like you play a game and they're like, okay, you have the N64 controller trying to play GoldenEye again and you're like just bouncing off a wall. So you're like, how did I dominate this game back in the past? How did I forget how to do this? Or you have like even the PlayStation, like the Dual, like the original PlayStation, like the Dual nubs that you're trying to go around and you're like, how, how was I even able to walk a straight line in this game? Like it's just. Yeah, you have one of those like 8BitDo or something.
Alex
Yeah, those old controls and they. What's funny is you play those old shooters from back then way. So before you had Call of Duty. I would say the one. Whether you like or you hate Call of Duty, the one thing they did do is they basically standardized what the control system is for a shooter first person game. Not just shooters, first person games in general. The left stick move, right, because you play like old school GoldenEye and it's like, oh, it's brutal. Forward and back, up and down is forward left, right is shift left. And it was very odd. There's. The control scheme was really odd. Going back to play it and you're like, this is. I can't even aim right now at all. I'm just shooting the walls and anything but the, the. The bad guys, you know.
Ryan
So yeah, that was controllers. WASD. I.
Mike
Further handicapped myself because I got used to inverted axis. I gotta go in and change like every controller I ever use because I'm like, this is unusable.
Ryan
I run through all the Halo games on Legendary once a year for my birthday.
Mike
That's a great idea.
Ryan
I have tried to play it on mouse and keyboard and I can't. I cannot do it. I have like, my brain is so locked into controller for that franchise. Like, I cannot do anything. So like I've bought an Xbox controllers just to do that over and over again.
Mike
Anybody rocking a Steam deck?
Alex
No.
Ryan
I almost bought that specialized one that they had on sale, the white one.
Daniel
You know, I looked at the Steam Deck and I said. And I looked at the ROG Ally and I went, I'm going ROG Ally. Because I could play all the Steam games and all my Xbox games and all the EA games all at once.
Mike
Yeah.
Daniel
And outside of some battery life issues, which I got an external battery pack to take care of, I have no problem sitting down and playing that for two, three hours at a time.
Alex
Well.
Mike
And you get the same thing with the Steam deck. My friend Alex has one and he's like, yeah, battery life isn't great. It only lasts like a couple hours. And then it's like, I need power.
Ralph
That's the same with my gaming computer needs power all the time.
Mike
It just juice hungry, isn't it? Yeah.
Ralph
The 4090 just screaming. And I'm only playing Call of Duty. That's it.
Ryan
I was about to say Minecraft on max settings and my computer screaming too.
Ralph
I'm playing Unreal Tournament. Just max settings.
Ryan
Oh yeah. You build a $4,000 computer to play pixel art games.
Kelly
Exactly.
Mike
Diablo. He's playing Diablo.
Ralph
Yes.
Ryan
Not even the new one. The old.
Mike
We're going back the OG Diablo.
Ralph
Yeah. You got to drop at least 4K on Pixel games and that's understandable.
Alex
Like Stardew Valley. If somebody said they built a whole PC to play Stardew Valley with mods. I kind of get it. That game's super fun, but my sister did that, and she. So she built one. She's like, oh, I got this graphics card. I was like, what are you trying to play? She's like, oh, like Stardew Valley. I was like, you bought a. I was like, you really could just use. Maybe. You could probably get away with integrated graphics for that one.
Ryan
But she's like, all right, you didn't. You didn't know. She's going to Stardew Valley VR, right? Like, straight up. You're, like, running around.
Alex
Well, welcome, everybody. To talk about gaming, probably.
Ralph
Yes.
Corey
Hi. What is going on? Is this. Is this a different podcast?
Ralph
Is this about gaming?
Corey
Sorry. Every time the angle's weird, I'm like, redoing my office.
Ryan
Why are you standing up? It's gross.
Corey
I'm standing up. It's because I'm redoing my office. Okay. Like, I. There's literally no chair.
Ryan
Those plants are horrible. How dare you like fresh air?
Corey
Fresh air.
Mike
I know.
Corey
I'm kind of redoing the aesthetic here, so, yeah, I like it.
Connor
We ready to.
Corey
Is this a news podcast? Should we go?
Connor
It will be.
Ryan
It's never what it will be.
Ralph
And mostly it was games. We're just talking about games, but that's talking about the news.
Corey
Someone says Connor's fault. I will say Connor does have a really good skill of redirecting any conversation to just somewhere you never expected it to go.
Ralph
Oh, yeah, Correct.
Corey
That's why it'll be great on the news. All right.
Ralph
Welcome to Black Hills Information Security talking about the news. I am your host today, Ralph May, and I am joined by a luxurious cast of characters. I think we have filled up the entire Hollywood Squares today, including Ryan there. So we have Corey over there looking homeless as usual. I think I love your new camera. Camera view and plant growing activities.
Corey
Hopefully in the future, I won't just be looking down at my laptop. So that's where we're at. Monitors are not plugged in.
Ralph
Oh, all right. Are you really going for some feng shui over there? I like it, though. I like your dreams.
Corey
I'm scared. We got Mike.
Ralph
Welcome to the show. Thank you for joining us again today, Mike.
Daniel
Always a pleasure to be here.
Kelly
Yeah.
Ralph
We also have Alex. Thanks for.
Connor
And we're from the depths of the universe.
Ralph
Yeah, the depths.
Corey
Yeah.
Kelly
I'm doing. I'm doing worse than Corey. Like, I'm redoing my office too, but I just put up like a sheet. I don't have any, like, blinky light. It's a work in progress. It's going to be for a year. Yeah.
Corey
Oh, my God. A year. Impressive.
Connor
We missed the mannequin, Alex.
Kelly
Yeah, I'll bring it back. It's missing an arm. It's missing an arm right now because I'm upgrading the arm, so.
Ralph
Yeah, got it. We also have Kelly. Thank you for joining us. And hi, everybody. Your book collection, which I think. I think the only book I can read in the back is Dune, so.
Wade
That's a comic book.
Corey
Oh, you can't read.
Ralph
Well, I try my best. We also have Daniel. Thank you for joining us.
Mike
Pleasure as always. I just wish I had a cosmic background.
Ralph
No, honestly, I feel like you're. You have the most professional streamer looking background possible with that 1000% bokeh there. Just perfect.
Corey
The depth of field, the bokeh. Oh, it's beautiful.
Mike
Everybody always asks me, is that real? And I'm like, yeah, it's real. That's. It's all real.
Ralph
He nailed it. Nailed it. We could. We can definitely tell that you have a DSLR.
Mike
Yeah.
Ralph
Well, we also have Wade wading through logs as usual. Whoa.
Corey
Oh, shit.
Ryan
Mustache cam. Non mustache cam for everyone.
Ralph
Listen to the audio. He's just zooming his camera in at, like, ridiculous levels here, so you can just all get dizzy as hell.
Kelly
Wow.
Ryan
I am also redoing my office, but I just throw stuff on the ground behind me and.
Ralph
Oh, that's how you decorate?
Ryan
Yeah. Like switch windows through the holidays. There's a bunch of stuff down there.
Corey
You can't.
Ryan
It's all there. I just redid my whole network. There's like a whole bunch.
Corey
I hope you just start working out halfway through the show.
Ryan
I can if we want. Like, that's a little weird. I love.
Ralph
But, dude, I know where the target going for you all.
Corey
Make sure. Make sure your camera's on so we hear you grunting. We know why you're grunting.
Ryan
Hot sauce. Hot sauce and weights, here we come.
Corey
You're just, like taking a sip of the bomb and then doing a 50 rack.
Ralph
Makes sense.
Ryan
Really motivates me.
Ralph
Yes. And then also we have Connor.
Corey
No pain from space.
Alex
From space. Yeah.
Ralph
I feel like you just added that.
Alex
So I added it right. Right during the. During the intro.
Ralph
So, yeah. Perfect. Great.
Corey
Yeah. I will say, Connor, you are showing off the dangers of green screen. Your arm just got chopped off.
Ralph
Yeah.
Corey
I think Alex might be using your arms.
Wade
Face.
Alex
It's face.
Corey
Send that arm to Alex. So he can use it for his mannequin.
Alex
Yeah, I'll disappear it.
Ralph
And then finally, last but not least, we have Ryan making it sound good. And your camera looks really good today too. I felt like you recorded.
Connor
No, it's the same camera.
Ralph
Oh, okay. It's just.
Connor
It's just darker back there.
Ralph
Yeah, they can turn the light off.
Connor
Real dark.
Corey
Do you want to give. Do you want to do like an anonymous interview about why you hacked some banks or something?
Ralph
I think you're ready for it. So before we started this, Connor was trying to do the news. Before the news. Yeah.
Corey
That's illegal.
Ralph
That's highly frowned upon about the news club. You just don't talk about news before the club starts.
Corey
You know, Kelly and Connor are definitely in that club. They're always like trying to do the. They're trying to be so earnest and do the show and not just banter about video games for 20 minutes.
Ralph
Yeah, you're really talking about anything else but the news now. That said, who wants to start with the news? For those who did read anything in the news, I mean, obviously Connor.
Connor
Yeah.
Ralph
Honestly, he's dying to spill it. So he can leave. He just could be. I'm out.
Alex
Never.
Corey
My arms are gone. Help. Go, car, go.
Ralph
Give it to us.
Alex
Let me see here. There's a.
Corey
Right now he's googling the news.
Ralph
Oh, he's putting on a presentation. He's made a whiteboard.
Alex
I made a whole thing. Oh, it's right.
Corey
Yeah.
Alex
So this is something really interesting. I don't know exactly how many of you guys are like little bit of hobbyist game developers, but Godot is maybe the third most popular game engine used to make games. There's probably close to 10,000 games made a year, probably with Godot, if you're counting all the free games made, there's a big, big exposure to what's called the PCK files, which is what developers use to package up all the code that comes and runs the game. So if you're. I'm kind of a hobbyist game developer myself, so I use this engine and that's really concerning because what you're looking at is a vulnerability. Instead of you hacking somebody else's device, what you can do is you hack the developer. You supplant a little bit of code inside of the pack, something I might not even notice. I redistribute an update out for my game and everybody's got what I just put on there. So it goes right through most of the virus detectors as well. Any malware detection. Because even people who run games, especially people who run indie games, they usually tell their firewall, their firewall go, hey, this is a little bit of a concerning executable file. Then you go, no, it's just a game. It's my game, I'm having fun. So yeah, I allow it. And you know, that's fine if you're a developer and you know what it is or you know what game you're getting. But you're talking about people who mod games now. They got to be careful. People who develop games, they got to be careful that they're not getting these viruses planted onto their game projects before they send them out. So that's just something I think if you're a developer, you got to, especially with Godot, it's open source. And so I'm sure people are going to try to take their crack at it right now. But as far as I know, the vulnerability goes, it's pretty much the way that the executable runs. It's. It's really hard. I think it's going to be really hard to catch it.
You're taking advantage of the actual code base executables that are running with the game. So that's actually your game. Your game content is loading a virus onto your computer if you're not careful.
Ralph
So it seems like this is kind of like a two part attack, right? So the first part is that it is a kind of a supply chain. Right. So we're getting in the middle of the developers to distribute your code. And then kind of the second part, which is not necessarily a vulnerability inherently, but it's just a feature. And that you were talking about, is this the GD script? Right?
Alex
Yeah.
Ralph
GDScript is supposedly this object oriented programming language built inside of here for these game developers, but it's very similar to Python. So this allows them to pretty much deploy code that could do anything on the victim's computer, right?
Alex
Yep, pretty much. And there's. So they're using, I believe it's called. Yeah, it's called GodLoader. That's the name of the bug here. It's distributed through Stargazers Ghost Network, which is a GitHub network that you. That's used to distribute malware as a service. I can sort of see, I think there, I'm not seeing any attacks from this reported from these guys who are doing it, Check Point Research. But to me, I think the bigger, the bigger issue is going to be, let's say somebody makes a very popular game. Balatro, there's a couple of. Balatro is the one, but there's a couple of good games out there that are being developed in Godot.
Ryan
Right.
Alex
You put the game out there, even if you've done all the checks for you as a developer, you go, okay, we're all good to go. You can just, if you're a hacker, you can put up on there. Hey guys, I added a mod to the game to do X, Y or Z and everybody's got to install the mod onto their system. Oh, this is going to work great. It'll run alongside the game. I can see this being used as a really easy way to side load malware. And I mean people are going to. And they're going to be hard to catch too. I think people are just going to download what they want.
Corey
Are you guys getting your games from GitHub? Because if so, I'm about to say I'm worried about you.
Ryan
This is more focused for indie developers too. Right. So smaller people who aren't going to have as good security. Right?
Alex
Correct.
Ryan
And honestly these games are going to be cheaper I would imagine too if they are on some type of Steam store or being released in a way. So theoretically you could hit a bunch of whole low bunch of low hanging fruit and then pivot from there and one off developers who aren't really checking their code or aren't checking vulnerabilities and stuff like this. It's a pretty interesting attack. As someone who games I was bringing.
Kelly
This together a question of it's like, okay, so you're an executive at a large financial institution and you say we don't play games on our machines, we don't do game code. Why does this matter to me? Why should I worry about this? I mean I can give the answer to that. But does anybody want to take a stab at the answer to why you would care? If you're a financial institution and you go we don't run games because you're pointing.
Corey
Yeah. You point to the big stack of compromises that originated from employee computers that weren't necessarily corporate machines.
Kelly
Exactly. And that's what I want to kind of bring together. Because you're going to have for the viewers out there that go, well we don't. Who's playing games on company machines? And it's like, well your developers probably have some crossover where they're developing games on a machine and they go hey, I'm also going to have some login credentials that are also on this machine or have some other important code that's on this machine and you're just kind of mixing things together. So when you're a large financial company that gets compromised and they go, well, how did they get our usernames and passwords? This is a vector, one of many vectors. But this is why you need to care about like, okay, teams dev stuff, because definitely developers are being targeted, if not impersonated. Just a lot of threat vectors for going after developers. So it's one of the things to keep in mind.
Alex
Right.
Daniel
Reading through this also, it seems that this could be affecting Android devices, potentially iOS devices with legitimate games, where the company is not necessarily locking things down because of BYOD. In that case, that could give them a beachhead through things, potentially even now, I haven't taken a look at it with the sandboxing would be on it, but potentially even allowing access to certain things, say multifactor authentication codes or something along those lines. Especially if somebody keeps a spare set of them on their phone.
Alex
Oh yeah, and people are going to. I mean, people are going to, like, even if the company goes, hey, you're not allowed to play, how many employers, how many employees at the company are gonna be like, I'm really bored right now, waiting between two meetings. You know what? I'll just pop up for five minutes. I'll play my favorite game that I've downloaded off of itch.io or some other little small indie game site where they might not have. Developers might not have realized right where. And just like Ralph brought it, these are. Ralph brought it. These are indie devs or these. Wade brought that up, right? Indie devs who don't know anything about cybersecurity, they're not going to be looking for this. So this is something that, you know, there's. You're going to. You could potentially have this sitting in a game, a legitimate game that people enjoy instead of like a fake game. You know, like you. You go to a site that's fake or you're playing a game that feels weird and off, you might be like, oh, this. This seems weird. You're playing a legitimate game. You probably aren't thinking that there's malware right under it, you know, waiting. So does.
Ryan
Does Steam do any type of, like, checks for this?
Corey
Steam.
Alex
Steam does some check. Steam does do some checks. My more concern is going to be websites, kind of like itch.io, which is where a lot of indie devs are. A lot of free games. itch.io and other sites like it. You can even deploy Godot onto it as an HTML5 game. Now, I didn't see any research they were doing on this relating to having a web app running through HTML5? I'm curious to see how much damage can be done from that end. I think this is going to be more from the downloadable executable. But you know, like that's that website, it was pretty popular. You got people, people give away a lot of games on there. There's some of the most famous, like indie horror games for example, are really big on there. Games that have millions of downloads. Again you might have not to say these are developers who are deliberately trying to do it. But you're. You get compromised and you just plant a little thing on there. You've got 3 million people downloading the game now you've got 3 million devices with, you know, side. With a side load for it.
Corey
So it's pretty as a PSA for everyone. If you're doing anything sensitive on a computer, don't play games on the same computer because no one's gonna follow that. No one's right. But just as a, just as a hygiene thing, just know that the world of video games is just the wild west. Some of the games themselves are basically rootkits. Yeah. You know, they require root access to your files or complete like basically bootkits.
Ryan
Yeah.
Corey
Especially engines are horrible. You know, the sensitive data. I don't know. There's also been many hacks in the past of like other video. There was an Apex Legends one, there's a bunch. So basically. Yeah, just be careful out there with the game.
Kelly
That's the PSA I was looking for. Yeah.
Corey
To Corey's point.
Ralph
Yeah. Just get a separate machine to play video games.
Corey
I know it seems also it's Windows anyway, so just assume it's going to get hacked. Just assume it.
Ralph
Plus who devs on Windows.
Ryan
What would be a really cool name for like a ransomware gang that pivoted through video games, like indie horror video games. I feel like there's a lot of potential for.
Mike
Really.
Corey
There is some potential. You're right, you're right. I'm sure the audience.
Daniel
People using this system could go ahead and be called Waiting for Godot.
Alex
Yeah. And again, this is. I think it's, you know, like the engine itself I don't think is necessarily to blame here. I mean I, you know, like from my understanding of it, you're going to need, like I said, it's going to be. I think it's going to be really hard for this to be patched because this is more of a developer developer vulnerability than it is. I think the engine itself Right. Any engine that runs a game is going to need content and code to run. So you can't really, you know, tie that down that much. But it's just something I think that's out there, that it's a smart. I think it's a smart attack because. Right. If you can get bad code onto a legitimate game, it's going to be really easy. The game will distribute itself. People will just be going over, yeah, download pirate games, right? Like, hey, I don't want to download. We were just talking about Stardew Valley. Right? Stardew Valley. Oh, I don't want to pay for Stardew Valley. I'm going to download it off this Internet. Well, there you go.
Ryan
I'm not going to say how many computers I've lost to downloading cheats as a child.
Ralph
Yeah, you just had to burn the whole computer.
Kelly
You couldn't even.
Ryan
You're just like, eh, throw this hard drive away.
Alex
GTA. Yeah, GTA 5. Free download right here.
Ryan
Red Alert 2 hacks.
Corey
I mean, not to be the guy that ties it all back to info stealers, but the number of times we see. The number of times we see employee compromises in the same scenario, not through supply chain attacks like Connor's talking about, but through info stealers of, you know, codes for this game or, you know, hacks for this game or cheat engine this or whatever, it's super common. And it's the same attack vector, like result to a company is an infected employee or an infected employee's child or whatever. Yeah.
Ryan
So we need a bingo if we get info.
Corey
Stealers.
Ryan
There used to be like, John Strand Bingo. Yeah, John Strand Bingo. We don't have news. Bingo. Maybe, maybe I look into that.
Corey
As a closing note.
Mike
I'm sorry, I was gonna say that seems like the, you know, Connor was saying he doesn't really see any way around this. It's gonna be difficult to patch or protect. Question then becomes people ain't gonna stop playing. No. Games won't get played. Right. If. If the only real security you could do to kind of protect yourself from this is to have an extra device that is specifically for gaming. And then you do you burn it to the ground after every game you play. Like, like this seems to be, you know what I mean? Like where you're, you're, you're re. Everything you're running, you know, a game in Docker. Is that, Is that where we're at with this? Or are these games, I mean, Connor, you mentioned these are all indie games. They are. They typically are. Anyway.
Ralph
Well, yeah, it's an open source platform.
Mike
It's an open source platform. Is, are they resource intensive? Could you run maybe a virtual machine that's easy to burn to the ground? You have an image for you, do a snapshot, roll back. Could you do snapshots your machine? I mean, there's got to be some practical way which we could work our way around this.
Corey
I have so many thoughts on this. So, number one, it's up to the supplier of the game to do their own scanning for malware, right? Like if you're Steam or whatever indie scratch or whatever thing Connor was talking about, it's your duty to scan for obvious malware because I guarantee you, not only are people using legitimate game engines to distribute malware, they're also just using what looks like malware as video games or the other way around, what looks like video games, like, you know, game exe. And it's just like a cobalt strike payload. It doesn't have to be. You can't allow that kind of thing to be. I love distributed works. You can't allow that to be distributed on your site. So if you're a distributor of this type of stuff, you need to be scanning it. The other thing is, for the average user, it's not necessarily about burn your whole machine down and start over. It's just about knowing maybe I don't do my banking on my gaming computer. Maybe I do my banking on my phone and I use my gaming computer more just for my games and stuff. And I know you're right. Like you can't stop the people from gaming. You know, you give your kid, or you give a kid a phone for five seconds and there's like 10 games on it. But just that I think knowledge of like, you know, suppliers. What suppliers can you trust? Like, let's say you have a kid, hey, kid. Only get your games from Steam. Don't just go out and Google like free indie games and get them on GitHub or whatever. So I think, yeah, don't get your games on GitHub or from, you know, like, you know, Jason joked in the chat, like, I was shocked when I downloaded Napster and it had malware in it. Or I downloaded Photoshop with Napster and it had malware in it. Like, you know, where you get it matters, I think a lot. So that's.
Ryan
Submit all your games to VirusTotal.
Corey
Yeah, submit all your games. Seriously, do it. That's a great idea. Yeah, just put the game on VirusTotal.
Wade
Ralph, I think this is a great transition to the FTC article about IoT devices. Did anybody read it or when you saw governance stuff, you guys just kind of ignored it?
Mike
I threw up my mouth and we've been.
Corey
We've talked about the FTC so much and I've just been missing you, Kelly. Where have you been? It's very, very misinformation. I've distributed about the FTC in the last two weeks. Please help. What's going on?
Wade
Was it good stuff?
Mike
Well, it was.
Corey
We talked about the antitrust stuff and them selling Chrome and all that. Anyway, take us to IoT devices. Take us through it.
Wade
So there's a new white paper from the FTC that talks about smart device makers. Now, let's pause for a second and think about all the smart devices we have in and around our homes. We've got refrigerators, coffee pots, thermostats, all sorts of stuff. Ara, did you guys ever see Tim Medin's smart doll demo? He did Smart doll?
Kelly
Yes.
Wade
Oh, yes.
Corey
It's going classic. Yeah, I haven't seen it, but I'm just. I'm already creeped out.
Wade
It was one of the talking dolls. This was years ago. He put it in the hallway and hid behind a door and made the doll start talking. Except the doll wasn't saying very nice things, but he made his point, so you have to ask him about that. I don't want to steal his thunder. Anyway, so the FTC looked at quite a number, looked at 184 different smart devices, and 89 of them didn't actually communicate to buyers or consumers how long the products would receive software updates or how long they would be even under warranty or updated. And this is a really interesting point to bring up because, you know, some of us like to think we're smart about cybersecurity, but we all have aunts, uncles, neighbors, people at church who are maybe less aware of it. And basically this. They came up with this white paper to draw attention to it. And the other interesting piece that the article didn't really talk about is that the Biden administration actually had an executive order back in 2022 asking for IoT labels on them. And that label was basically the Good Housekeeping seal of approval, that they were under a regular software update program, that they had an end of life communication to consumers. So apparently nobody's listening to that executive order from two years ago, I think is basically what I'm hearing.
Corey
But now the FTC is involved, which makes it more. That's more teeth, Right? Because they can start suing companies I mean, I think it's really cool. My take is, I think this would be awesome if I, I mean, the nutrition label or whatever might be. I mean, I'm thinking about funny logos for, like, has all your data in someone else's cloud and it's like a little like evil hacker guy. Like, I, you know, I don't know. But the concept of having, like, I will say, like, I guarantee you the reason companies don't want to do this is because if you start reporting that information to consumers, they're so much less likely to buy. Like, if it says like, this light switch which takes 30 minutes to install, will be end of life in two years, who's going to buy it then? I don't know. I think that's the problem.
Daniel
You've got that problem and then you've got the other problem on the other side of everybody that never reads or looks at it and says, then five years down the line go, why is this not getting updates? Why. Why did I get hacked? Why did. Why did I get taken care of? Why. Why are you not doing this for me? Yeah, you can look at Windows in some ways in the same sort of breath with it. With everybody now looking at the end of Windows 10. Why does Windows 10 have to be over and blah, blah, blah, blah, blah, blah, blah. There's a fine line there. People just want something that works and is going to work consistently. The other question I've got is, with changes of administration, etcetera, Is this actually going to have any teeth? Is this actually going to go forward?
Ryan
That's what I was going to say. Right? Like, it's been on a. Is I'm a fanboy for Lina Khan and all the work she's been doing. Like, that's like. I don't know if you guys have, like, watched all the crazy stuff that she does. Like, I think Jon Stewart wanted her on the podcast when he was still on Apple and Apple told him, no, you can't have her because she's that powerful. She's that powerful. Right? And I would assume that. That this IoT thing is going to go away. Right? The other, the other interesting thought about this is whenever I think of IoT, I automatically think of the Mirai botnet, because that was like the first big IoT botnet that was taking stuff down and was relatively easy. So that one, that company actually was Chinese based. They did actually push an update to all their devices. It was DVRs for cameras and it was all. But it was all third world, right? It wasn't in the United States. The other big thing is then you could just reset the DVR and it actually would revert back to the original update and wasn't anything. So I think IoTs are almost still a failed service. They're never going to be great at the end of the day.
Corey
Yeah, I think there's room in the market for someone who would actually support an IoT device and make it secure and have that badge of approval from the FTC that may or may not actually exist. But I think the market for it is so much smaller than the total market for IoT stuff. Like people, most people, I think when they're buying IoT, they either don't know it's IoT to begin with, like if you have a smart coffee maker now, I don't. I'm assuming everyone in this room is the same way. But if I see something as Wi-Fi, I'm like, well, that's the opposite of a selling point. I don't want it. Like, what do I have to unplug now? Like, you know, if I'm like, I guess some things have to be Internet connected and that's just the way it is. But like, I don't know.
Ralph
Microsoft came out with the IoT platform and that was their, like general catalyst for it. White was to try to like standardize it from like a security perspective. I'm not really sure how much of it actually caught on as far as the hardware platform goes. Right. A lot of these IoT providers are. A lot of them are from China, especially from a hardware perspective. Sometimes that software is all written in China as well. And it's just not about necessarily China writing bad software or good software. Right. But it's just more about like this rapid development to try to get the next thing that gets this market cap.
Corey
As opposed to it's capitalism.
Kelly
Yeah, yeah, yeah, exactly.
Ralph
As opposed to caring about security. But then to your last point about just like whether it connects to your Wi-Fi or not, you know, I've got a ton of IoT devices, way too many. And you know, the benefit of Wi-Fi is that remote connectivity or whatever, but it's also the weakness of it. Right. Security perspective. So, you know, that's why a lot of vendors have gone to Wi-Fi. It's very simple to implement and get going.
Corey
So. Yeah, and I definitely think the push has to be on the manufacturer side. You can't push consumers into this awareness. Consumers have zero care.
Alex
All they care about is like, is it cool?
Ralph
Is it cheap?
Corey
Is it like, I can get all.
Ralph
The things and none of those have to do anything with security.
Ryan
What if we forced the, the Wi-Fi providers like modems and routers to have an IoT network that recognizes IoT devices and puts.
Corey
Are you talking about Amazon front door? This already exists.
Ralph
Yeah, that's how we do that.
Ryan
Already exists. They have that where, like it'll see.
Corey
Well, there's also LoRaWAN. Do you know about LoRaWAN?
Ryan
I do not. I have my own network that I do it with.
Corey
But basically it's a super interesting world. But there's tons of low power, low bandwidth IoT networks that are just generally available, at least in the US and probably Europe, that are completely out of band with your normal Wi-Fi. And as sketchy as that might sound, I think that's a way better option than connecting your stuff directly to Wi-Fi. Although it does require you to go through someone else's cloud. But that's kind of a necessity nowadays anyway, so I don't know, it's kind of cool.
Ralph
I think there's kind of two problems here, right? So one is whether it actually is needing some kind of cloud communication to broker that. Right. Because then now the device is dependent on the service. If the service goes down, you can't use the thing. That's really what the FTC was talking about too is, you know, consumer protection. But then the other thing is that now it is connected to the Internet, now it's not a callback. Right, so. And then also to your point about LoRaWAN, I believe the new Wi-Fi standard is looking to investigate a long range, like low data rate, at which LoRaWAN is 900 MHz long range. So.
Corey
Yeah, interesting.
Daniel
Yeah. But the thing about LoRaWAN right now is if you tried to push any sort of massive amounts of data through it, forget it. It's. It is that low. I mean, I'm playing with mesh. I've been playing with Meshtastic, which is all LoRa based and it's not what.
Ralph
It's meant for though, but it's about range and cost. Right. Because you know, this, this gets into like the whole problem with, you know, Wi-Fi, for example. Sure, it's got a lot of bandwidth, but it's a crowded space and it doesn't have a lot of range, where IoT devices actually don't need much bandwidth, but they want a lot of range and what they're trying to do is control cost. So you can have a lot of devices connected, right, without paying cell phone providers.
Daniel
Which, yeah, what worries me about that based off of what I'm dealing with with Meshtastic, is the connectivity between each of the devices overall to avoid that cell phone. So my Meshtastic device, which I've got right here, that communicates to like 20 different others and it tells me how many hops everything is away.
Corey
Yeah.
Daniel
So if I've got five or six things that are one hop away, the expansion of all of that, the security inside of there starts becoming suspect. Unless you start using encryption and certificates. And we all know how well that goes in the long run.
Corey
Yeah, I mean it's basically like, it's kind of similar to like tailnets and Tailscale. It's like it's a distributed VPN and key based auth shouldn't be too difficult to implement. Like you basically have each account has a key. The problem is no one has centralized this that I know of. There's no one that's like IoT. You know, I guess maybe Meshtastic will be the first one to do it. But that I think maybe would fit a consumer need is like smart hub, but not. But like, I mean, I think most nerds are doing Home Assistant, which is amazing. And if you haven't messed around with Home Assistant, it's awesome. But I would never recommend like, oh yeah, my parents, you guys should use Home Assistant. Step one, download a Raspberry Pi image for. Oh, wait, no, this is.
Ralph
Yeah, yeah, this is too much. No, yeah, it is funny, most of the security stuff that we do see at IoT, like the, like the main problem is designed around convenience. Right. These things are designed to be as convenient as possible. And that opens up this kind of like, you know, Pandora's box of security issues that, you know, are inherent.
Corey
Pandora's toaster, yeah.
Mike
So does that mean if they make the IoT devices inconvenient, that the market just drops out of the bottom and we stop having IoT devices?
Kelly
Yeah, yeah, yeah, pretty much.
Corey
I think so. I think at least me, like I'm obviously was raised before light switches would like sense your presence and smartly turn on your toaster because you're waking up or whatever.
Ralph
Yeah.
Corey
You have to toast when you wake up.
Ralph
That's a thing.
Corey
Yeah. But I will say, like, there's always a part of me that's like kind of a Luddite at heart and is like, go away. I want it like, you know what light switches have lasted for 20 years is the ones that are just the flippy kind. Like, those are good.
Wade
Can I follow up on what you're saying there. I think it's going to be until somebody gets really hurt or dies that this is going to change. And I'm really going to go old school here. Do you remember Ralph Nader and the Pinto and the gas tank? Unsafe at any speed until houses start catching on fire or something really bad happens. I don't think the IoT market's going to be regulated even as much as the, the FTC tries to assert it.
Corey
So, okay, what we need to do is duff dust off old Nader and have him write insecure at any, at any bandwidth.
Ralph
Insecure at any bandwidth.
Ryan
There you go.
Corey
And then he'll, I mean, I will say there you could, I mean, ransomware on my Nest thermostat would be bad. It'd be like, you know, pay one Bitcoin to turn down the air conditioning or whatever. I don't know. It'll happen at some point. Some enterprising hackers also, I will say you can capitalize if you want to politicize this. All you have to do is say every US Senator has a chip from China in their house that's controlling their, you know, that has physical access to their house. And you know, like that is, yeah, their CPAP, their, their, their pacemaker, their robot vacuum that, you know, can be used to shout racist obscenities at their kids or whatever.
Daniel
You know, like their earphones.
Corey
Yeah.
Alex
Like, oh, hearing it.
Corey
Yeah. Hearing aids. I don't know. I do think the political argument is there. It's just someone has to capitalize on it of being like. And maybe the answer is like, no, the senators don't have anything Internet connected because they don't know how to connect it to the Internet. And that's maybe a separate problem. But I will say like as the current, you know, leadership ages out, you're going to get like a bunch of younger people who are like, everything's Internet connected. I can't even go to the bathroom without turning my phone on and opening the toilet seat using the Z-Wave app or whatever.
Wade
Like, no, not this one again, not the camera.
Ralph
I do think that is funny though, Corey, because you're like, you're totally right. When you're like trying to play with these IoT devices, you're like, God dang it, not going to open this app. It's like, it's like 14 menu driven thing to do something that used to just be a switch. I get it.
Corey
I literally worked my way all. I have all these Philips Hue lights and I have them in my house and I went all the way back to like buying a Philips Hue light switch. I was like, did I just pay $25 for a light switch? What am I doing?
Daniel
Like they got you, they got S&P71 brings up a great point. What do you mean my medical devices aren't secure? Shocker. We saw everything that happened with the hacking of insulin pumps. That hasn't changed anything. As it is.
Mike
The people, that's a different.
Daniel
They got riled up about, about medical devices going ahead and being hackable and then all of a sudden it just disappeared until something, somebody else comes up with something that really catches public thing.
Corey
This is too good of a, this is too good of a segue to not talk about The Register's article. U.S. senators proposed a law to require bare minimum security standards for healthcare organizations. So this factor was on that list. Like yes, MFA. Basically it says American hospitals and healthcare organizations would be required to adopt multifactor auth and other minimum cybersecurity standards. Bipartisan group. So you can see the PDF. It's called the Healthcare Cybersecurity and Resiliency Act, which I assume a lot of healthcare systems have a cool enough algorithm.
Ralph
Recently over like the last year. So what was the other one, the big insurance provider like? Change.
Corey
Yeah, change. Healthcare. And I mean there's so many. The list is too long. I could go and list a hundred healthcare companies or healthcare adjacent companies.
Ralph
What do they care about security though? All they care about is, I don't know, selling drugs or saving people's lives.
Corey
Oh yeah. I mean, I think this is great. I will say like the immediate corollary for me is like if you think about FedRAMP. So like if you don't know what FedRAMP is, it's basically minimum security standards for companies that are DoD adjacent. Right. They have required MFA. Like if you have the FedRAMP version of whatever software it is, it will require MFA. So like I think this is a no brainer and should be done. If the government makes healthcare people do it, they'll do it. That's what we learned with all the previous healthcare changes. So I think it's worth just doing it. I hope it passes. Unless Kelly tells me that there's some issue with it passing that I don't know about.
Wade
I don't know either yet.
Corey
That's good.
Ralph
Yeah, there'll probably be some industry standard or industry, what do you call, lobbyists that'll be against it because it in essence costs money. Right. I mean half the things that security doesn't get done is because it costs money, so.
Corey
Totally.
Alex
Yep.
Wade
Well, how about we move away from death and talk about really what gets us going in the morning? And that would be Starbucks coffee.
Ralph
I knew it.
Corey
Starbucks ransomware. Are we going there? Oh, their payroll thing. Yes, this is. This is a good one.
Ryan
More data got released. We talked about it a while ago, but it was when they were first hit. And, like, I had went to Starbucks that day, and I didn't. Nothing had happened.
Ralph
Nothing had happened yet.
Ryan
I use credit.
Wade
Is that when you got a girly drink?
Ryan
Yeah, of course. How dare you. All right.
Corey
How dare you.
Ralph
He got a special novelty cup. It's only exclusive during the holiday season, dude.
Corey
Okay, so this was a third party, right? This wasn't actually Starbucks.
Ryan
Okay.
Ralph
As they usually are. Thanks, snowflake.
Corey
I. I didn't. Yeah. Oh, okay, that's really funny, because when you said that, I immediately went like, are you calling me a snowflake? And then I was like, oh, yeah, there was a huge breach. Okay, not at all. It was a third party related to time tracking and, you know, like, timesheets and they. Basically, the interesting thing of it is like. Like, so they had to do, like, time manually where, like, they, like, it's Basically, they just are paying people based on their scheduled time. So, like, if you traded shifts with Danny, Danny gets paid instead of you. And that's not fair.
Ryan
God damn it.
Corey
Not again. I mean, I don't know. I guess it's ransomware. But a third party. What was the.
Ralph
What was the. What do you call it? The third party that got.
Corey
Yeah, I actually don't know. I don't know if they were. It was like something.
Ralph
Didn't say.
Corey
It's probably one of these. It's. It's probably listed. Let's see.
Ryan
Do you have a description to the Wall Street Journal?
Corey
Like, it's one of these companies that, like, they only exist to make Starbucks exist. You know what I mean?
Ralph
Like, that's their model.
Corey
Like, they're like, we have one big client. It's Starbucks. Now we're in trouble.
Ralph
It blows my mind. So just for context, how many SaaS software companies are out there and how many of them do all little stuff within, like, whole businesses?
Corey
I know, business critical stuff, I guess. I mean, like, super.
Alex
Like, exactly.
Ralph
Like, this is how they function as a business, and they hand that thing off, and it could be one little small thing. In this case, it's just time tracking, right? Like, just doing time sheets. But, you know, in other companies, it could be a lot of other things. It's interesting.
Corey
Yeah. I mean, I will say this is a key point for like, if you're a CISO or if you're like, if you're worried about the whole third party risk thing, guess what? Everyone's talking about Starbucks. They're not talking about whatever the actual company is that got hacked because it affected Starbucks. It's the same thing as the Snowflake thing. Snowflake got, you know, had some security issues that maybe they could have fixed. But all the companies that use Snowflake are the ones who have to report the breaches and deal with the blowback, not Snowflake. So I don't know. It's an interesting. Like, I don't know how you fix this, but it's definitely a rough one. I have some fun facts about Starbucks. They're one of the largest financial institutions because of all the gift card money.
Wade
Corey, I'll follow up on what you just said. I'll tell you how we start to fix this. There's a lot of organizations that can't even identify who their third party SaaS providers are.
Corey
Right.
Wade
As part of your third party risk assessment. That's a whole nother conversation. But at least can you sit down with IT, purchasing, accounting and find out who your third party providers are? That's a great place to start because just like you see these ads where people say, hey, did you know that you have a subscription to Netflix or Apple TV or whatever that, oh, my goodness, I had no idea I was spending money on that. Organizations are in the same position where they've got services they don't even know exist. So as much as we all love auditors, and we do, they serve a purpose. They're going to help us understand what services we're using and perhaps even turn off those that we aren't using.
Ryan
With that being said, this episode of BHIS Talking About News is sponsored by Rocket Money. Rocket Money.
Corey
This episode is sponsored by whatever company does time tracking for Starbucks. Are you getting hacked?
Ralph
Ford actually got hit too.
Corey
Who?
Ralph
So Ford was another customer. They're not saying who it was.
Corey
Oh, you're saying Ford was a customer.
Ralph
Was also a customer, yes. Yeah, yeah.
Corey
And by the way, if you're wondering if your pen test should include your vendors in scope, this might be a reason to maybe talk to them and say, can we pen test you if you.
Ryan
Kelly, have you ever heard of anyone just like canceling all their credit cards and just waiting for the vendors to come in and be like, hey, where's our money? Yes.
Wade
P-cards.
Ryan
That sounds like a good, like, way to do it, right? Like we're going back to zero or, you know what's.
Wade
In a similar vein, Wade, what I've recommended to some companies, and they haven't invited me back either for some reason, I've suggested that their accounts have a yearly expiration date and for the user accounts to be re-enabled, the users either have to go through security awareness training or the account has to be audited. Because a lot of times people will move from one department to another and they get this pile of privileges instead of a reexamination of what rights they should not have once they leave that old department. So, yeah, absolutely, that would. That would be my recommendation. And that's why I don't get invited to parties very often.
Corey
Love it. Love it.
Mike
How many companies just say, this is the cost of doing business and thanks for your audit and we can check our compliance box and move about their day and. Because, like, ransomware doesn't seem to be going anywhere. I just saw that it said 2024 seems to be a banner year for the ransomware community. They are having an excellent, excellent time stealing money or extorting it from you anyway, you know, Daniel, why do we continue to see this on the right.
Ryan
How.
Mike
How come we are not able to get ahead of this problem?
Wade
It's like life, Daniel. There is no finish line. And it. We all still have jobs as. As our audit and assessment capabilities and detection capabilities getting more sophisticated, the attackers get more sophisticated. So I don't see this battle ever. That's my two cents.
Mike
Well, you know, that's my point though, right? Like, this is going to continue to go and continue to grow is really the word I'm looking for. And it becomes this cat and mouse game ultimately. Is that what's going to end up making organizations just go, you know, there's nothing we can do about it anyway, so why worry? Just let it happen when it happens and then we move on about our day.
Corey
I mean, as long as they have backups, I kind of agree.
Daniel
I think where that will come in is if they can secure backups or come up with some way of doing restores and say, all right, it'll take us X amount of time to restore. We'll go ahead and do this. These restores are offline, completely away from everything else. Just we're able to burn it down and bring everything back up within a couple of days. If that can happen, then the companies are going to not give a crap about the ransomware.
Mike
Did this just turn into the IT security version of Fight Club, where he was explaining how the insurance companies don't do a recall or the motor company doesn't do a recall of X amount of people? It's all just a money calculation. Like, as long as we're only paying this much for a year, hey, what are you gonna do? Right? And we'll continue to invest in some cybersecurity. And that way we can say we did our best and people feel good. But it's kind of like the IoT stuff. Like, it doesn't matter if you put a label on it that says it's IoT, is it convenient, and do I think it's cool. Same kind of thing when it comes to their services. As long as I can still go to Starbucks, Starbucks doesn't care as long as it's not hurting their bottom line too far. They can say we did X, Y and Z, but they're just going to continue to do whatever. I mean, they don't care that a few employees don't get paid, then.
Corey
Yeah, I mean, I do think.
Wade
I do think you need to watch some Disney. I think you're. You're in a bad mood today.
Corey
I'm a bit of a cynic. Well, okay, so on the Starbucks thing, I do think that's an example of. It will hit the business team hard enough that they'll want to fix it for the future, because keep in mind, some poor accountant is going to have to go through and figure out for tax reasons, if nothing else. I mean, obviously you're right. They don't care if a few employees don't get paid, but those employees have lawyers that do care. Or, you know, like, there's lots of employment law things and labor union things and all that. Like, business practices are going to be significantly impacted. Obviously, some of that will blow back on the vendor and they'll have to financially either fold or cover it. But, like, they're. I think it's like, hit them where it hurts. Right? And I think ransomware sometimes does, sometimes doesn't. But I think, like, you know, it's a little bit too expensive these days to just be like, oh, yeah, you know, lost revenue, couple billion lost data. That's free. Because, you know, no one cares anymore. Yeah, but, yeah, I mean, the lost revenue is where companies are going to get. You're going to get yours perking up, I think. But, I mean, you're not wrong to be cynical. I'm just saying I think things do get slowly better, even if we don't perceive them as the, you know, we're the, we're the frogs in the boiling water a little bit.
Alex
But yeah, I personally think it's going to get maybe a little bit worse before it starts getting better. There's going to be more companies impacted. You have a lot of people who are going to be getting things like cybersecurity insurance, right, for ransomware insurance. So I think what's going to happen is you're going to have a lot of people incentivized just to pay, which means you're going to incentivize people to get out there and do ransomware more. And I think on top of that, you've got it. And I've kind of talked about this with some of, some of you guys a bit, but I also think we need to get programmers, software engineers, computer scientists. We need to get them a little more involved in cybersecurity, a little more at least hyper aware of what's going on. Because, you know, and I'm speaking from personal experience, when I was in college learning coding, I was learning it from an application development standpoint and you know, we weren't taught anything about security. Almost, almost nothing. So I remember we took, I took, you know, BB's web app pen testing class and I was shocked. I was like, wait, you guys can see what I'm sending? You know, you guys can see that? Just to see. What do you mean the credentials are, you can't send them plain text. You know, stuff like that, that's in with AI and with all that stuff, you know, we've got ChatGPT. It's only going to make it worse where people are going to start coding what they don't understand more often than not. And I think that's going to create this vicious cycle of more vulnerabilities with more incentives for ransomware to be paid, incentivizing people to do ransomware a lot more. So that's, I think we're going to be going in that direction. But I don't want to be like it's all doom and gloom. I mean, you know, we've. Cybersecurity is also growing. Cybersecurity awareness is growing. People are taking it a lot more seriously. 
Years and years and years ago, my dad's company got hacked for ransomware and nobody even knew what to do. Nobody was like, wait, what is this? You know, that's, you know, people are more aware and that's a really good thing. So I think the awareness is going up, so we might see some really good.
Mike
I tend to agree with you on that. Honestly, I'm just kind of playing devil's advocate in a lot of ways and kind of throwing out the darker side of this stuff so we can kind of attack it and meet it head on. I feel like this is a cultural thing. We need to change culture, not so much. Not that we shouldn't be making awesome cybersecurity people. That's, that's always a fun thing. Hey, it's super fun and, and it's really interesting and a lot of people are really into it and that's, that's a good thing. So I like to see that part of it. But just a general. Joe and Jane out there, they don't think about this. And then you look at C-levels. I've, I mean, I can't tell you how many C-levels I've talked to that I'm like, wow, you run a company. How is that possible? Because your level of care about how your company actually runs seems to be very low. You're not worried about the things that you should be worried about and you're completely on fire about the stuff that doesn't really matter. It's, it's a very weird phenomenon that in my experience I have come across. So I would love to see us get at them. You know, get, get them here, let's see if we can get to them there and then maybe we can reach the head through that. If we can make it cool. If we can make it, like cybersecurity is good. Maybe we need some PSAs. Like it's like back in the 80s, right? You know, we got someone that comes in and does a rap about cybersecurity with some kids in a park. I don't know. I'll do whatever it takes. I just want to see.
Alex
You gotta go to TikTok, then you gotta get some TikTok dances out. That's what you gotta do.
Corey
I think it's my turn to be a little cynical because I would normally point to CISA for being super useful in this exact capacity. Their Secure by Design initiative, which if anyone doesn't know, that's basically, we kind of made fun of it on the show, but it is actually mildly useful. It's essentially forcing companies who do software work to use memory safe languages because we know we can't program in non memory safe languages without introducing, you know, memory corruption vulnerabilities. But. And then they also, like CISA is the people whose job is to go explain to US senators and others why, you know, voting machines can be hacked or how they can be hacked. So I. I mean, their future is a little bit uncertain. I really hope that. I really hope that that agency continues to exist. But, like, I think that's really what they. The niche they were fulfilling within the world is like, go to the Congress critters, or whatever we're calling them and say, like, here's why security matters. Here's why your voting machines can be hacked, or how. And then also go to the companies that actually make the voting machines and say, please commit to, you know, write this in Rust. That's. That's what they're. That's what they're. The real secret is just tell everyone to write everything in Rust.
Ralph
He nailed it. I mean, Security 101 there, but, yeah.
Corey
I mean, I don't know. We'll see.
Mike
But we approve this message.
Corey
Yeah. I do think there is a need for that on a federal level to connect the gaps between the people who actually make the laws and the people like us who are just yelling at computers all day.
Mike
I think the good news is it does seem like the infosec culture is starting to permeate a lot more out into the general public. Right. People are understanding that, you know, that the computer is one of the biggest weapons that is used against them now. Their technology in their pocket, in their homes, on their desk, and the servers that they rely on to get them through the day and do all the things that has started to really become more of a. Oh, yeah, that. That is the thing. Because I talked to, I think my cousin, who is not a technology person, and I said something flippantly like, we'll just put it in the cloud. And she's like, yeah, but the cloud, that's somebody else's stuff. What if it goes down? What if. I was like, hey, now you're thinking, nice, that's good. And I was very proud of her. I was like, that is awesome that your mind went that way. And that tells me that if you're not a technology person and you started thinking like that, that's because we're permeating. We're getting out there. We're finally making some headway. So hopefully, I think that's going to be the best way to get at people, is to make them. What do we used to call that? Right? Like, buy-in. We get buy-in from the stakeholders. It's just on a larger level, it's more global, more cultural. And then when people start going, well, no, that's just not how we do this thing, people understand that you lock your door at night. Right. Because there are bad things out there. That became a cultural thing. It used to be where people didn't lock their doors. When that became a problem, all of a sudden the culture changed because they didn't want that to be a problem anymore. So hopefully, and I think we are starting to see that turn with like, you know, anecdotal evidence such as that is that eventually that will be the thing. And now things are going to change and the new technology is going to come out. We're going to have to hit that ground.
But hopefully by that time we've got these things, you know, a little more on lockdown than we do at, at this point in time for sure.
Corey
I think we've already broken down some of the barriers already. I mean, if you think about 20 years ago, hackers were like wizards who sat in basements and drank a bunch of Jolt Cola or whatever. I think now hacking is more like demystified and more accessible and not like black magic, but just a thing that people do. And also, I think we've worked really hard, at least from my perspective, in the industry to like, get rid of the stigma or like us versus them between like the users or like the people who are actually protecting and like the security folk. Because, like, I think, you know, we used to be like, bad. You clicked on a phish, you know you're in trouble. But now I think it's more of at least, hopefully, at most in an ideal world, it's more of a conversation about what can we do better? How did things go from your perspective? Was there any tip-offs? Like, kind of more making it a collaborative approach instead of just like saying users are, you know, they can't be helped. We're just going to treat them like children or whatever.
Kelly
Yeah. And that, I mean, that reminds me of like at DEFCON 20, they had one of the speakers that was also at DEFCON 1 and the first def. And she came back and she did the. It's like, look, I stood up there at DEFCON 1 and said, all of you are criminals and we're going to find you, we're going to arrest you, we're going to put you all in jail. And she came back and she said, like, at DEFCON 20, she's like, okay, now I am standing up here saying, we need you. Like, we want to work with you, we want to collaborate with you. We understand things change in 20 years of DEFCON and, you know, and the things that they learned and developed from that. And again, the public perception changing for having a lot of the initiatives of like, hack for good or any other different programs.
Corey
So what's this water thing that's happening? Tell us about the waters.
Kelly
Yeah, so the water thing, like, I'm, I'm impressed by this as well, because it kind of extends a bit beyond the, you know, DEFCON has done the voting machine villages to where they examine voting machines, pointed out all of the deficiencies in them, and worked with the industry in order to bolster them. And this is a similar story, but with the, with the water infrastructure, that is complicated. And even in the article, it makes some, some comparisons between the voting machines where they're like, okay, the voting machines, like two companies contain like, you know, control like all the market share. But with the water infrastructure, there's like. So that like every water, it says, yeah, right there, like 50,000 individual suppliers. So you didn't have. You go from having hackers going at like a couple of manufacturers to 50,000 different suppliers. They all have different systems. So it makes sense to have this expertise of hackers take a look at it because the IT staff may be dealing with something that's unique and not have all these different considerations. I think looping back to some earlier stories that, yeah, people may not have security in mind and this group to have DEFCON take a bill at six sites to start. And I know even in the byline it says like six sites started for security cleanup and 49,000 to go, these things start to. It starts to snowball and just kind of reverberate out. And I've seen that with a number of initiatives as well, is that you start with the small things. Like, I could say just in my initiative to start with, like, the thing that I do is like searching for missing persons and making people aware. And you go, but there's so many out there. How can you make an impact? And it's just, okay, you start using OSINT to find missing persons and that just kind of expands out and out and more organizations and more law enforcement learns those techniques and it starts to make a real disruption to how. 
I think that'd be the same type of thing with going after the water systems, is that you'd start with six. You start somewhere. Kind of like the whole proverb of how do you eat an elephant? And just one bite at a time, you start somewhere, it reverberates out, and eventually you'll have more systems, more knowledge, and hopefully really be able to take that. After those 50,000 sites to go after.
Corey
Yeah. And if it's done properly, it also gives. It gives the industry of, you know, let's call it, you know, utility providers or whatever vertical you want to call it. It gives that industry confidence that things can be tested in a safe and controlled manner. You know, if it can be done by DEFCON volunteers, it can be done by any pen tester in theory. Right. Safely. I think the biggest argument that I make for our clients all the time is like, well, you're being. This is. You're already being tested. It's just a quick case of, do you want us to tell you the results or do you want the real hackers to just. Just send you the ransom note? Like you're already being pen tested. You just, you know, you can either have us do it or you can have real bad guys do it. So I think this is a good argument for these are the, you know, good, good guys doing the. The same thing that bad guys are probably already doing.
Kelly
Yeah.
Daniel
It gives us a chance to open up the floodgates against those.
Wade
Oh, nice pun Open.
Corey
There's been so many water puns in the chat. Someone said, who leaked the story?
Mike
They're just dripping out information at this point.
Corey
Somebody said confidential resources were tapped.
Ryan
It's really hard waiting through all these comments.
Ralph
Yes.
Corey
How do we boil the file to make sure it's safe to open?
Alex
Carefully.
Corey
Is that a thing? That's just VirusTotal. That's what that is.
Ralph
That's.
Corey
Our company's gonna be putting their employees on like a VirusTotal warning. It's like, please submit all files to.
Mike
VirusTotal before running DDoS. VirusTotal. Everybody trying to be secure, they're going.
Corey
To be like, we already have all these files.
Ryan
Yeah.
Corey
Someone's just going to hack VirusTotal.
Ralph
And be like, that's where all the files are.
Corey
It's true. Oh, yeah. To close out the show, let's talk about our Cyber Monday event, which apparently it's Cyber Monday. I did not. I was under a rock and I.
Ralph
Didn't get any of those emails. I have a strict Cyber Monday rule. Just go straight to spam.
Ryan
Really? I couldn't find anything good.
Corey
Anyway. Do not go on Slickdeals. But yeah, basically we have a code, which we've posted all of our. Wait. 40% of what is going on? Antisyphon and Spearphish are on sale, so training's on sale.
Ralph
Corey's just going to make up a number.
Corey
Is training on sale? What's going on?
Ryan
Wait, the Antisyphon thing? The Antisyphon thing is the Secure Code Summit.
Corey
It's completely unrelated. You're just plugging two things in one message.
Ryan
Yeah, yeah. Nobody else plugs. I gotta throw it in there, right?
Ralph
Like you plugged, son.
Ryan
You want me to plug it? I'll talk about it, but.
Corey
So, first of all, we have a summit coming up. It's on the top of a mountain. It's going to be really hard to get to. It's remote. The Secure Code Summit, which I guess that's kind of topical. And then in addition to the summit, we also have a 40% off everything in the Spearphish General Store right now. So we really suck at capitalism, I assume. Yeah. The code is in leet speak. I can't read it because I'm not a hacker, but I'm sure it says something about 40% off. Buy some stuff.
Wade
So, Corey, on the summit, my understanding is there's paid training and there's free talks, right? So you can do both or just one or the other.
Corey
Yep. Sounds like BHIS. Yeah, we've got familiar.
Alex
We've got talks on the fourth, and we've got post-summit, post hoc training on the fifth and sixth. So definitely recommend you guys check that. We're all talking about secure coding, so it's kind of perfect.
Corey
Nice.
Mike
A lot of cool training highlights, with Beau doing Breaching the Cloud. This is super popular, man. That dude does not go anywhere without doing that class. And people just love it. Joff and Derek are doing AI for Cyber Professionals. Sweetness.
Corey
Yeah. That's a new one. That's brand new.
Mike
Yeah, I am excited about that. I gotta be honest with you.
Corey
Security, we have CTI 101 if you want to figure out who hacked you and why.
Wade
Hey, I've taken that class. It's awesome.
Mike
I've seen that Wade guy. He's kind of cool.
Ryan
My first recommendation.
Corey
Mustache cam. Going to be in the class or.
Ryan
No, I mean, damn.
Alex
Confirm nor deny. Yeah.
Ryan
So be the last time I teach that class.
Mike
You better teach that class more than just.
Corey
Infosec. Tom Selleck.
Ryan
I told. I told someone that. That my. I was getting compliments like Tom Selleck on the mustache. And they're like, I don't believe you. So now that there's a recording of this, I'm just gonna send them that clip again.
Kelly
Magnum.
Mike
It.
Ryan
I want. I need to get the Magnum PI.
Alex
Like, do it, please.
Ryan
Aloha. They're expensive. I. I was thinking about buying one. When I did the keynote, it was like 80 bucks. I'm like, I don't even.
Corey
It's 40 off.
Mike
Dude, it's fine driving an '86 Ferrari GT.
Corey
I mean, the service bills are more than $80. All right, thank you, everyone, for coming. Hope to see you next week. Have a good week.
Alex
See you guys.
Ralph
Later, guys.
Podcast Summary: Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: 2024-12-02 - C Squad
Release Date: December 4, 2024
Host/Author: Black Hills Information Security
In this episode of "Talkin' About [Infosec] News," the Black Hills Information Security (BHIS) team delves into a range of critical topics within the information security landscape. From vulnerabilities in popular game engines to the latest developments in IoT device security, and recent high-profile data breaches, the hosts provide insightful discussions aimed at both cybersecurity professionals and enthusiasts. The episode also touches on the persistent threat of ransomware and highlights upcoming security initiatives like the Secure Code Summit.
The episode kicks off with the team engaging in friendly banter about their favorite coffee drinks and holiday beverages. Conversations about gaming nostalgia and personal anecdotes set a relaxed tone, fostering a sense of camaraderie among the hosts and listeners.
The discussion pivots to a significant security vulnerability discovered in the Godot game engine, widely used by indie game developers. Alex, a hobbyist game developer, explains how this vulnerability allows attackers to inject malicious code into PCK files—packages that contain game code. This method enables the distribution of malware through legitimate game updates, bypassing standard virus detection mechanisms.
Wade introduces a discussion on a new white paper from the Federal Trade Commission (FTC) that scrutinizes the security practices of smart device manufacturers. The paper reviewed 184 different smart devices, finding that 89 of them failed to inform consumers about software update timelines and product warranties.
The team discusses recent data breaches affecting major corporations such as Starbucks and Ford, highlighting the vulnerabilities introduced through third-party vendors. These breaches emphasize the critical importance of thorough third-party risk assessments and the challenges organizations face in securing their supply chains.
The conversation shifts to the persistent threat of ransomware, with the hosts noting that 2024 appears to be a banner year for ransomware activities. They explore the reasons behind the continued rise of ransomware attacks despite advancements in cybersecurity measures.
As the episode draws to a close, the hosts promote the upcoming Secure Code Summit, an event dedicated to enhancing secure coding practices among developers. They also highlight various training sessions and talks that will take place during the summit, encouraging listeners to participate and expand their cybersecurity expertise.
The team wraps up the episode with reflections on the current state of cybersecurity, emphasizing the need for cultural shifts towards better security practices. They express optimism about increasing cybersecurity awareness and the potential for collaborative efforts to mitigate future threats.
Conclusion
This episode of "Talkin' About [Infosec] News" offers a comprehensive overview of pressing cybersecurity issues, blending technical analysis with engaging discussions. From the vulnerabilities threatening indie game developers to the broader challenges of securing IoT devices and combating ransomware, the BHIS team provides valuable insights and practical advice. The promotion of initiatives like the Secure Code Summit underscores their commitment to fostering a more secure digital environment.
For those interested in staying ahead in the cybersecurity field, this episode serves as a crucial resource, highlighting both current threats and future strategies to enhance information security.