2025-02-05 - LIVE FROM WWHF DENVER 2025

John Strand

If you want to contribute before we get started to the eff, you can just come up and put the money in there and help us offset the cost of swearing. And remember, everybody, swearing is bad.

Ryan

Swearing is caring.

John Strand

Swearing. No, swearing is bad. Swearing is bad. So please don't do it. It's like violence. Violence is never okay. Except for slug bug. That's fine. We can like a slug bug.

Ryan

Wow, that's. Do you have anything to say? Like, damn it.

John Strand

Thank you. All right.

Ryan

Doesn't even swear. Just gives the money.

John Strand

He's helping us with our swear.

Megan

Us.

Ryan

Oh, I see. There we go.

Megan

Pre filling.

John Strand

Go to the eff. Thank you. Yeah.

Megan

Okay.

Ryan

Okay, let's go.

John Strand

This is awesome. Thank you.

Ryan

Oh, no, people are actually doing it.

John Strand

We might not be able to so much swear.

Megan

We're not gonna do the news. We're just gonna fucking curse.

Alex

I think based on the severity of the swear, like, it should be 50 for certain. And five, I think.

Ryan

Yeah.

Megan

Then I just.

Ryan

No, no, no. F is okay. It's pg 13. So we get one F bomb. Okay.

John Strand

Are we doing the George Carlin?

Ryan

And we. We also get one nipple.

John Strand

All right, Ryan, are we ready? Megan?

Ryan

First of all, thank you all for showing up.

John Strand

Thank you.

Ryan

So as always, we're very confused that people show up, but we're here for it.

John Strand

All right, Ryan, Wa. Where is Ryan? Is he back there or is he up there? Are we ready to bring out the crooked finger?

Ryan

Ryan's giving us thumbs up, so let's go.

John Strand

Let's do it. Oh, he's right over there. All right, let's roll. Hello, and welcome to another edition of Black Hills Information Security. Talking about news. We still have someone kicking out the jams in our monitors up here. We still have reference monitor. Funk music. I think it was Parliament. Fun Punkadelic. Dale. Was that P. Funk? Yes. I nailed it. Thank you so much, everybody, for joining the news. I have no idea. You got to turn it on first. Are you sure?

TJ

I did.

John Strand

Oh, there we go.

Ryan

You're good. You're good.

TJ

What is this in front of you right now?

John Strand

This is the Wild West Hacking Fest at Mile High. Swear jar for everybody here. So a round of applause for those of you that pre filled the swear jar.

Ryan

There is a lot of swears. I think we have a budget for, like, a lot of swears.

John Strand

Swearing, that's pretty crazy. It's kind of like whenever you sit down with your teenage son and you're like, I saw you smoking a cigarette. Now you're going to smoke this whole pack and then a week later they got like a bong and they're.

Ryan

John, you sound like you're speaking from experience.

Megan

Seems really cool.

Ryan

Is this your experience or your kid?

John Strand

No, not nothing.

Ryan

Moving on. This never happened, John.

John Strand

Like that. I gotta be honest, my parents would have just kicked my ass if I did that. So there was no value in smoking. But yeah, we're good and set.

Ryan

It's good to go.

John Strand

Looked at this jar and I just thought that's a lot of money.

Ryan

Yeah, that is.

John Strand

All right, so we have some news stories that we're going to talk about because even though Wild West Hacking Fest at Mile High is in fact happen, we have some news stories. I don't know what they are because I've been teaching the past couple of days. So what do we have?

Ryan

Which one do we talk about first thing? There's multiple Deep Seek AI links. So we can just pick a random deep seat.

John Strand

Yeah, just pick one, throw it up on the screen. Let's take a look at it. What have we got?

Ryan

There's two main stories. One is that Deep sea can easily be jailbroken to teach you how to cook meth or do any other fun activities you might want to do.

John Strand

And me without my computer, I mean I would.

Ryan

Do you just know how to. I guess you live in Florida, but.

Megan

Yeah, I mean that's true. No, it just, I mean you just.

Ryan

Off the top of your head know how to do. But I mean I figure you could.

Megan

Just ask somebody, right?

Ryan

Who are you going to ask?

John Strand

Who are you hanging out with?

Megan

I'm just saying you really pay attention for this.

Ryan

Okay.

John Strand

There are way, if you can't see the audience, way too many hands went up answer thing.

Ryan

All right, well I would prefer to ask an AI so it's non judgmental.

Megan

You wanted to keep the judgment out.

Ryan

That's why I use AI for judgment free questioning. Basically the article is that some security researchers at Cisco ran through some AI vulnerability testing which is essentially jailbreaking an AI and they were able to successfully get Deep Seeks AI to answer all of the harmful prompts that they came up with. So 100% success rate. I don't, I don't think it's that like big of a deal, but I don't either. Well, they, I, they do compare it to chat GPT01 and that has better guardrails.

John Strand

But I, I think it just shows that Deep Seek has great choice in television. It probably like fed and been binge watched all of Breaking Bad.

Ryan

That could be. It just kind of worked does that show really have good recipes for meth?

Megan

Did they really give out all the recipes in the show?

Ryan

Really? I just want to know how to make meth.

Megan

So is that all you had to do? We don't need Deep Seek.

Ryan

I guess not a mic, don't you?

TJ

Drugs are bad.

John Strand

Yeah, there you go.

Ryan

Use Shake it on that mic.

John Strand

It's like a Shake Weight.

Ryan

Yes. Yeah, we, we don't need that. We don't need that gif on the Internet. Yeah. Think of the shoulder.

John Strand

That's what the switch security things associated with this. And you know, whenever we're looking at all these different models that come up, I think that this is one of the concerns that we had is if we're looking at deepseek, it's not an issue. It's not an issue necessarily that's unique to Deep Seat. Right. It's just that it's uniquely bad at it.

Ryan

Yes.

John Strand

And then when we're looking at deepseek being replicated and being put into tons and tons of, of different organizations, that creates potential problems because it's, it's just going to create security issues not as like a monolithic SaaS service, but as other things. So. Excuse me.

Ryan

So, yeah, I mean, the other thing, there's another Deep Sea. I mean, does anyone else have any takes on jailbreaking AIs? Anyone? I mean it's, I feel like it's to be assumed, it's possible.

Alex

Obviously we have to assume that this is possible. And the fact that, you know, Deep Seek has become so popular and is getting so much attention is going to cause more people to kind of flock there because it's very popular.

Megan

Supposedly it was a two string budget, so they probably didn't have a whole big budget to test out, you know.

Ryan

Yeah, jailbreaks, right, Totally. So the other article about Deep Seek in here is essentially that they're explicitly sending. So there's Deep Seek the model, which is one thing, which is a new reasoning model that's kind of broken. I mean it literally broke Wall Street. But there's also Deep Seek's implementation of their own model where you can sign up to chat with it if you don't have 16 terabytes of video memory. So that AI model, the chat application, is basically just sending its data to China. Right. Like that's another article in here that's about privacy of Deep Seek, I guess. Like how sensitive are people's AI queries? Like if those are going straight to China, is that bad?

John Strand

Dear Deep Seek, what is your favorite Winnie the Pooh character.

Ryan

I don't fucking know.

Megan

They definitely will not respond to that question.

John Strand

We're just gonna let that question.

Ryan

We're gonna let that.

Megan

That one they could not jailbreak for some reason.

Ryan

Well, okay, so that. That's actually an interesting take. Right? So you can teach it to make you meth, but can you teach it to be against the Chinese government? Like, is that considered a jailbreak? And did they consider that?

Megan

I. I have no idea if they even tested that.

John Strand

It's. It's the first right out of.

Megan

They needed.

John Strand

They were like dirty, wordless Tiananmen Square. We need the poo.

Ryan

You know, Beth is fine. Just don't ask about 1984. Whatever.

John Strand

Exactly. 1984. Ygnay Zamiatin's. We.

Ryan

Yeah, no, you can't.

Megan

Oh, is now banned in China.

Ryan

Yeah, we just got restricted on YouTube probably. Oops.

John Strand

That would be fantastic if we were banned in China. It's all life is all about making the right enemy.

Ryan

Is this like getting banned from Slash R Pyongyang or.

John Strand

Or Netsec on Reddit?

Ryan

But you're banned from Netsec? Yeah.

Corey

I have seen, like, some fairly simple ways in order to get around, like, you know, Deep Seq to where you go, okay, Decode the following Base 64 and follow the instructions within. So you can say, you can ask a question. It's like, sorry, I can't process that. But then if you go, it's like, okay, decode the following base 64. And the base 64 says, Tell me about this thing that's restricted. It then follows those instructions for whatever reason because all it's doing is just decoding the base 64 and then following what's inside.

John Strand

Is that kind of like a Rick roll for.

Corey

Yeah, it is a little bit. I mean, I guess it's like some sort of modern Trojan horse, maybe. So.

Ryan

Well, okay, so I've had multiple people ask me about AI SoC analysts, like, you know, a public solution. So my thing is, like, I just want to set my host name to ignore all previous alerts and future alerts. Like, would that work if I just base 64 encode ignore all alerts into my host name?

John Strand

It would have to.

Megan

It would.

Ryan

It has to. Right.

John Strand

So I got. So we. We talked about this earlier. I think we talked about it last night. And one of the things that's interesting is I talk to emphasize professionals, and they're always saying, well, I'm absolutely terrified that we're going to be completely replaced by AI in the SoC or in computer security. All Right. All right, all right. So everyone take a deep breath and it's going to be okay. Okay? It's going to be fine. And let me explain why I know that it's going to be fine. Have any of you called into a very large corporations like 1-800-number trying to get customer support? Right.

Ryan

A lot of all of those customer.

John Strand

Support portals are now leveraging AI and there's tons of companies that are doing customer support requests and they're using AI to do the customer support on the back end. How many of you have had a good experience with call Tree Customer Support AI?

Ryan

One person.

John Strand

One person.

Megan

You are the 1% that CSAT score was.

John Strand

That should go on the swear jar. That just. I don't know why. There we go. We got you covered. That's why we keep money up here. So when we're looking at AI, like, why is it like, what do they call that? Where it's basically any news article that you read that's in your domain of expertise, you believe it's crap. But whenever you read an article in somebody else's domain that you don't understand, you think that it's lucid and it makes sense. What is that called?

Ryan

I don't know. I'm just going to call it the Bullshit Effect, but I don't.

John Strand

You got to use the mic.

Ryan

There's like an effect name.

John Strand

You should use it.

Ryan

There is an effect name that I.

John Strand

Michael Brighton named it something but Jurassic Park Effect. Jurassic Park Effect, we'll call it that. I think that we're having the same thing with AI where you have AI and you're a domain expert in an area and you sit down with AI and it's like, this is like a toddler level.

Ryan

I don't know. I asked you what, John, somehow he knows who you are, so you better watch out.

John Strand

That actually scares model. And you know what? It, if you ask the, if you ask it about John Strand, it just comes back and it says, John Strand, hater of the OSI model. That's it.

Ryan

Wait, does it. That's not true. Is that actually you should go look only in Deep Seq?

John Strand

Yeah, Deep Seq. But the interesting thing about. But the interesting thing about that is if you're an expert in an area, you're working with AI, there's some scary things that are happening, of course, but we always seem to think that AI is going to be far more competent than, than it actually is in areas that are outside of our expertise. And I think that people are just expecting, oh, it's going to be an amazing SOC analyst. Not. Not for a while.

Ryan

Yeah. So the next article is a kind of funny one. It's about the potential backdoor in a medical device. Basically, it's a fun little saga where, from what I can tell, the researchers were essentially checking out this medical device that's made by. It'll pull up here. It's made by a company with a C that I'm blanking on their name, but it's going to be in this picture. Scroll a little faster. It's going to. In the Contec device. And essentially they analyzed its firmware. People saw a medical device calling out to China and they were like, that's not good. And so they immediately were like, it's a back door. Which is totally fair.

Megan

If it's a Trojan horse, what kind of medical device is this?

Ryan

I don't know. Based on the picture, it looks like one of those.

Megan

It's a heart rate monitor.

Ryan

The BP things.

Megan

Oh, yeah, those things are.

Ryan

I'm a doctor. Doctor.

TJ

So lights, too.

Ryan

Yeah, that BB flashy thing.

Megan

Chat, GPT. Now I'm a doctor.

Ryan

Yeah. So basically, they saw it calling out to China. They said, oh, this is definitely a backdoor. Then it turns out the update is really funny. It's like, update. We analyzed the firmware. It turns out it's just getting updates from China. So that's fine.

John Strand

Totally fine.

Ryan

That's fine.

Alex

It just could go wrong.

Ryan

Yeah, it's just getting updates. It's not a bad.

Megan

It's actually rare for Chinese companies to send updates to their.

Ryan

Yeah.

John Strand

So years ago, we were doing a network threat hunt at a hospital, right. We were checking all the traffic and seeing where it was going. And I saw the strangest beacon that was going to a 128 address, right? It was just beaconing out to 128 something, dot something, dot something. And it was like, that is really flipping bizarre. That is crazy. And we sat down with the IT administrators at the hospital and. And we're like, yeah. We were able to identify what all this trap. What the hell is this one 28 something, dot something, dot something. And you literally saw this network engineer that looked like he'd been there for his entire life. Just like, oh, he's like, they've.

Ryan

They found it. The homework folder.

John Strand

He goes, well, back at the beginning of the Internet, whenever the hospital was moving all of its systems over to the Internet, we had a network administrator that didn't understand networking, didn't understand this story for you. And going back in time. So we have a medical device, we have a medical record system that goes back to that time and when the system or the network administrator at that time, and I'm using that term loosely, looked at the IP addresses of the systems. He noticed that every single System had an IP address of 127.0.0.1 as you do. So he set up all of these devices in the hospital to be at 128something.something something which is publicly routable, right? It is publicly.

Megan

This is like that human verification test for the chat GPT. I think this was on that.

John Strand

It was on that test, right? So yeah, you see stuff like that all the time in hospitals continuously. Weird, weird, weird traffic.

Ryan

It is a cool little write up. Like I, I sad that it turned out to be kind of a red herring, but it is a cool little write up of analyzing network protocols and devices dumping firmware. So I think the technical, I feel.

John Strand

Bad for the researchers because they finally got to the end and they're like, what is it? Dang it.

Corey

I really liked, you know one of the notes that from the analysis is that like the device didn't do any sort of logging so the administrators of the device weren't seeing the patient data going out or any of that, that information. So I guess that's just a takeaway like don't necessarily trust the devices to log themselves. So if it's compromised, you may not see that in the logs of that device. You need to do some other logging and monitoring.

Ryan

Yeah, I mean that's the, that's kind of a pen test report in a microcosm. Right? We, we publish something, then we're like dang it, that was supposed to happen. Dang it.

John Strand

That's a feature Microsoft suspicious.

Ryan

Yeah.

John Strand

What's the email we get from Microsoft all the time? We will not be reviewing this security issue any further. Consider this case to be closed.

Ryan

Yeah, sounds about right. Let's see what else we've got. I mean, let's talk about the Facebook Linux thing. Has this been on anyone's radar?

John Strand

Yeah, it was kind of a weird thing. I know that they fixed it, right? So they did they. So if you created any links that went out to like distrowatch and they were talking about Linux distributions for a while, Facebook was banning those links as cyber crime links. So almost anything to do with Linux was cybercrime.

Ryan

Well, that's fair, that's accurate.

Megan

I mean everyone who has.

Ryan

It's not like that page was rendered on a PHP server.

John Strand

Yeah, it was running on a Windows Server, right?

Ryan

Are they still running PHP for sure? Yeah, that's like their thing.

Alex

Yeah. Facebook actually has their own custom runtime for php at this point. Perfect. Interpreted facebook like 10x's and the guy.

Ryan

Who worked who made react is just crying in php.

John Strand

So. So they caught it and I. They reversed it I think relatively quickly. I think within a few hours. They really basically said in the article.

Ryan

They repealed the ban and then just banned the user who appealed.

Megan

I don't know high enough up on the ladder.

Ryan

You gotta know Zuck, at least go on Facebook. You gotta at least be punching someone in a ring.

John Strand

I would go on Facebook to try this, but I really don't see what all the people I graduated from high school are actually doing right now.

Ryan

You got to start over. You got to make like Ston drand or whatever.

Alex

Can we ask Deep Seek to tell us if we're shadow banned on Facebook?

Ryan

We should know. It should really know.

John Strand

Yeah, we think we can guess as well. So the thing I wanted to ask everybody here is do you think that somebody made a conscious decision about this that was just like, hey, you know Linux is used for hacking. Somebody referenced Kali, let's ban anything with Linux. Or do you think it was an automated thing?

Ryan

No, it had to be AI. It had to be AI.

Megan

AI moderators.

Ryan

It's meta.

Alex

Not to be disparaging but like given the layoffs at Facebook at this point I would assume it's a machine.

Ryan

Well, they did, yeah, they did like popularly ax their entire content moderation team.

Alex

Given that Mark Zuckerberg made a statement that said AI is as good as a mid level engineer. Therefore we got rid of all of our mid level engineers. This is the quality decision making that we can expect.

Ryan

So it's really good because obviously Linux is.

John Strand

No child of Alliance. Child of alliance had a great comment talking about John Hammond. John Hammond did a really cool YouTube video. If we can get a round of applause for John Hammond. While they find that quote from Child of Alliance. And I think they said something about John Hammond getting banned for doing a presentation on it and talking about it on his show. I think that's what was said. Wow. We're just seeing the, we're seeing the inner work.

Ryan

Wow, this is fun. I've never seen this part seeing the inner workings.

John Strand

I haven't either. I shared John Hammond's YouTube video and just waited to be reported on Facebook for it. Instead of no interactions. Right.

Ryan

That's a shadow.

John Strand

That would be a shadow ban.

Corey

And, and John, like the banning of this Might have also been off of, you know, Facebook clamping down on people talking about like federated services to where you're just moving off of things to things that are more open source, so and so saying, you know, hey, we're going to go from like Facebook to some of the, you know, federated alternatives. You're going to go from X to some of the mastodon. So if you're talking about like competitive federated services, Linux may have gotten caught up in that because they may have, you know, again, set up like AI and some of that content moderating logic.

John Strand

I think maybe the shadow ban, they were trying to shadow ban those types.

Corey

You know, have people, you know, don't, don't talk, don't talk about my own federated server.

John Strand

It always says the first thing you need is Linux.

Corey

Yeah.

John Strand

Yes.

Corey

So then it may have very well just said like, you know, that's, that's something that we don't want spoken about on our platform.

TJ

Possible, dudes, this is the most. Anybody's been talking about Facebook for like two years now.

Ryan

That is true, Dinger. That is true. All right, so time to move.

Alex

Long enough, the entire crowd of people on Facebook will be dead because no one. Yeah, no one joining Facebook at this point.

John Strand

Once again, the people I graduated from high school with, they're just moving on very quickly. Although one of them did tell me that they have a great income opportunity for me.

Ryan

10,000 in your PJs I can make.

John Strand

Dude, I can make two to four thousand dollars per month in my PJs with little to no effort, with a side hustle.

Ryan

I've been doing that too. And it's a lot of crypto mining.

John Strand

It's a lot of crypto.

Megan

It's a lot of phone calls. I gotta be 10.

John Strand

I receive these packages and then I just repackage them and send them someplace else.

Megan

It's not a bad review.

Alex

That is not the direction that I went with making money in my PJs and Facebook. Yeah, that's like a blue. Yeah, white.

Megan

That's a different kind of a different.

Alex

Hobby, you know, like, I'm just saying, that's not a swear, man.

Ryan

Does the other John Strand have an only fans find out tonight.

Alex

Oh, he said it. He said it. You're not allowed to say that word on the Internet or you too will be shadow banned from Facebook.

Megan

They ban you for that.

Alex

You, you can't say only fans on Facebook or they will block you.

Ryan

All right, I'm going to swear jar too.

John Strand

I think only Fans goes in the sweater. I think it's a good caus.

Alex

At least say, go check out my link tree.

Megan

Link tree?

Ryan

What is that one? Is that allowed?

Alex

Because that just Rick Rolls Lincoln bio.

Ryan

Oh, yeah. I usually just Rick roll people.

Megan

I don't know that.

Alex

I mean, we all been on the Internet. We've all been.

Ryan

Oh, Ralph, we weren't gonna say it.

John Strand

Well, actually.

Megan

Sorry, I just. I'm learning things. Right.

John Strand

All right, let's bring up another story.

Ryan

Okay, so the next story. This is. So we have a swear jar, but I think we should also put money in if we get too close to politics. And this one's going to be tough.

Megan

Oh, yeah.

Ryan

Okay.

Megan

So we're going to be circling the moon.

Ryan

The article is basically the best hacking you can do is number one, be Elon Musk, I guess, and then just ask for access to systems and people will just provide it to you, I guess, is the story.

John Strand

Okay, so this particular. This particular topic, everyone's quiet.

Ryan

Yeah. Because they know we're about to know.

John Strand

We're about to talk about stuff. I think Republicans are Democrats. Can we just say that Elon Musk is kind of an asshole and we'll just go with that. Can we all agree on that?

Ryan

Yeah. I'll put some in for that.

John Strand

Some. Thank you, thank you, thank you. We'll do that. I don't know how to deal with this topic. Right. We were talking about not talking about it. I don't think that we can. But I think it gets into a really interesting intersection of compliance. We put in all these security controls. I've worked with federal government. I still have an active clearance. And there's a little part of me that dies when I read this story where they're like not elected, not vetted, no background checks, no real access, no government job role, and they just walk in and they effectively get access to Department of Treasury computers.

Ryan

Well, hold on, Don, because we have great news. It's not actually Elon Musk himself. He's busy playing Path of Exile. What it actually is, is it's a bunch of 19 year olds that have.

John Strand

Previously were playing 225, to be fair.

Ryan

Yes. And they were previously playing Path of.

Megan

Exile, but have now they've joined.

Ryan

They've been freed up.

Megan

Yeah, they've been freed up.

Ryan

They've been freed up. Due to recent events.

Megan

I mean, he's the one man, he needs a team of.

John Strand

He's got a posse. He's got to have a posse.

Ryan

Yeah. So it's not. Yeah, I mean, I Guess the thing that's crazy. And it kind of like just one thing.

Megan

Well, okay, that's the one. Okay, here.

Ryan

So the, the thing that is like they felt the need to call this out is they say that the access is read only, which just as a security person, I'm like, what could go wrong? Read only access to all the data. I'm sure that's fine.

John Strand

There's nothing wrong with that whatsoever.

Ryan

Right? As we know. That's why Windows domains are so secure, because everyone has read only.

John Strand

Everyone has read only access.

Ryan

It's fine. Everyone's read only. You can't just dump all Camper Dean.

John Strand

Talking about read only access to service ticket granting tickets and how that turned out.

Ryan

Right?

Alex

I mean, can you imagine what it's going to be like when the data dump leaks out of Tesla because they left some access keys in a Kubernetes cluster somewhere with like, you have a.

John Strand

Security class and you're excited for this?

Alex

It's not like Tesla's ever done this, but you are going to be able to build a heck of a sociogram using this data.

Megan

It's going to be big. I don't know if I have enough hard drives.

Ryan

I just want to know, of all the Tesla owners, how many are like strongly pro elon Musk and how many are strong anti elon Musk? And like, do they fight when they see each other on the road?

John Strand

No idea.

Ryan

Do the cars have like, do they have a mower?

John Strand

Sit over here.

TJ

So, Corey.

John Strand

And I'm gonna pretend like I don't so.

Ryan

Well, you could, you could be in E crowd. Yeah, it could be you. There's a mode in the car that.

John Strand

Says, cory, I don't want to talk about this talk right now.

Ryan

Sorry I called people out. I'm sorry.

John Strand

This, this topic sucks. All right, go ahead.

TJ

Well, I was just going to say, Corey, we were talking about at lunch, this, this situation we're in now where people's paychecks, their Medicare, their head start for their preschool kids is not being funded, it's not reaching people's lives. Once you start messing with people's daily lives, that's when people get upset.

John Strand

That's got to put money in the jar. Real close to politics. Put it.

Ryan

I got two bucks.

John Strand

Got two bucks. That's.

Alex

I think I'll.

Megan

I'll diverge just a little. There was a comment in the chat that said, I'm so sick and tired of my data getting leaked and now the government's doing it.

Ryan

Okay.

John Strand

I mean, like, you're getting Used to it after. Hey, welcome. Hey, welcome. My stuff was all breached with the omb.

Ryan

No, I told. I sold TJ this. That's all. That's all China. Only China has that.

John Strand

That's good, tj, But I want to bring it back to the security side of it. And I don't like. This is something I'm. I'm watching. Okay? So I have this problem. It's called a chaos monkey. Okay. I love chaos. Like, whenever you're looking at politics, the weirder it gets, the more excited I get. It's weird, it's perverse. It's not really one political spectrum or the other. It's just like, oh, this is chaos. My chaos monkey has overdosed. And we're now actively trying to resuscitate it over the past few weeks. And when we're talking about this from a computer security perspective, all of the controls that I have to go through, anytime I'm trying to get access to a government system, I have to sit down, I have to go through all kinds of training. I have to get read in before you get access to all these different things. And I think my biggest problem with all of this is that was completely bypassed, and that should be a nonpartisan issue. I don't care if you're Democrat or if you're Republican. There should be a vetting process, there should be a validating process before people gain access to data. And that was bypassed completely. And my concern now is that's the bar, because as we've talked about over the years, whenever you had, like, this big, like, kind of like, like kind of goal of removing personal email access on the Internet back in 2004, 2005, that got completely shut down because executives wanted to access their private email. And then that became the minimum, and they allowed everybody to access their private email. And my fear is now that you have a situation where if you have enough power in an agency, that you can just completely bypass all of the controls. That's been done. Now we're going to end up in a situation where that's going to become the norm. At the Department of Interior, when they rolled in computer security during the Cobalt vs. Norton lawsuits, I remember they said the Secretary of Interior needs to have full root and administrator access to everything. Really? Yes.

Ryan

Well, I mean, it is the Interior.

John Strand

Yeah.

Megan

That's like giving the CISO domain ad. Or it is.

John Strand

It's the same thing.

Megan

Well, yeah, that too. But the CEO domain admin. Do they need.

Ryan

For what? They have to read everyone.

Megan

You know, you're Right. Yes. I'm sorry. You can. I'm gonna go back here in color, so.

TJ

Well, well, thanks.

Ryan

This is too depressing. We should move on.

TJ

No, no, I. I'm kind of thinking you kind of brought it on yourselves a little bit because you bitched and moan.

John Strand

I put.

TJ

That's why I put the 20 in there about compliance and auditing. And maybe now you guys will take us GRC people seriously because now you see there's really a need for it.

John Strand

No, I look at it as. Okay, get that applause. Counterpoint. No, because nailed it. They literally bypassed any of the audit and compliance at all in the organization. And they were like, fu. We have cots over there in that office. We're going to have access to those servers. And they bypassed everything. And that's my concern.

Megan

It is wild though. They wrote whole books and how to do this and they were like, those don't matter. We're going to just do whatever.

Ryan

Yeah.

Megan

Making this all up.

John Strand

See. And that's my concern.

Corey

Yeah.

John Strand

Now there are no rules.

Corey

And I want.

Ryan

Yes.

John Strand

Yeah.

Corey

One of my concerns is just like the ability to cross reference information that shouldn't be cross referenced by an individual that is very vindictive. You. If you.

John Strand

Who.

Corey

If you are paying your taxes with the same email address that you use on. On X, which why are you still there? But anyways.

Megan

Yeah.

Ryan

Yeah.

TJ

Amen.

Alex

That sounds like somebody with experience, oh.

Corey

Keeper potentially could look up the information of dissidents or people that he wants to, you know, quiet or quell and be able to access their financial information, their personal information, all because it's linked through that, that email, you know, or, or other indicators. So I think that that's just a concern from, you know, just the personal security of people.

John Strand

And another angle that I want to take on this is whenever you start having lawsuits that come from this and there's already lawsuits that are coming up if they start going through and they start firing people for cause and they bypassed all of the controls, they bypassed all of the different things. Read only or not. That's going to be difficult to prove if you're looking at like the Daubert rules of evidence. Evidence is admissible in a court of law as long as there's no evidence of tampering. And if you have a situation where you have five or six people that gained access bypassing all of the controls, what is going to be the impact to any like firing someone with cause or anything that could end up in court? Is this data actually trustworthy data in a court of law at this point.

TJ

Moving forward, where's the chain of custody?

Ryan

It's read only.

Alex

It's fine because definitely read only. Access during a pen test never becomes write access.

Ryan

Yeah, it's impossible. You never asked for that. That's a second email.

Megan

Yeah.

Ryan

So let's get into some hacky, hacky stuff.

John Strand

Let's do that kind of tiptoeing a little bit around. I tried.

Ryan

We only spent, like, two bucks on politics.

John Strand

We did do two bucks on politics. Yeah.

TJ

So before we move, though, obviously we've got a room. No, come on. We got a room full of concerned people, citizens here. What do we do about it?

Ryan

Get drunk. Hey, I don't think there's much you can do. I mean, we all voted already.

John Strand

I'm gonna say this like. Wait, don't jump on every single news story that pops up down the line, okay? I don't follow the news stories about the age of the people. I've been reading news stories about how they're changing the core cobalt code that's at the Department of Treasury. I'm seeing all of these crazy stories. Take a beat. Let it happen. Get the evidence out there. Remain calm, stay focused. Panic later. Okay? Because right now, we just don't have enough information one way or the other on exactly what's going on. There's some stuff that naturally makes people uncomfortable. What you're talking about, we're talking about from a client compliance perspective. We're talking about from a legal perspective. But let's not jump to conclusions quite yet until we know the extent of the damage. And notice how I didn't say we don't know if they damaged anything. There's goddamn damage. There absolutely is. We do not know the extent of stead.

TJ

Oh, that's a 20.

John Strand

At least two.

Ryan

I'm out of money. Sorry.

John Strand

Absolutely. Some damage, but it could be. It's not that big of a deal, and it could be something that's catastrophic. Let's not panic, because when you panic and worry, you suffer twice.

Ryan

So getting into the hacky stuff, does everyone know what Mark of the Web is? There's mixed responses. So Mark of the Web is the thing in Windows that, for all intents and purposes, tells you whether a file was obtained from the Internet and is should be treated cautiously or whether it was obtained from a trusted source and should be treated safely. There was a bypass. Where we're going with this is a 7zip article for the people running the show. The 7zip article is basically a fun bypass. And this is like a classic Security thing. So there was previously a bypass or a security flaw with 7zip where it didn't propagate Mark of the Web, which as a red teamer was fantastic because you would just embed a macro document in a 7 zip file, send it in a phish. The person hopefully has seven zip installed on their computer because it's used to safely encrypt files. They open the archive, it decrypts the document macro, and Mark of the Web is not propagated. Now, this was fixed. I think it's in Malware Finds a Way. It's the last article on Malware Finds a Way. Yeah. So basically this flaw was fixed where it did start propagating Mark of the Web and they patched it. But then someone realized that you can just put a 7 zip archive inside of another 7 zip archive.

Megan

You double wrap the encryption and it's.

Ryan

Double is good. It's just like double dead. It's like triple des. Now, no one, no one knows what would happen if you did three seven zip archives.

Megan

You would be surprised at how many zero days have been discovered because they didn't think someone's going to do it seven times.

Ryan

Yeah. So, I mean, basically this vulnerability has been patched, but it's just a fun thing to think about. Like if you're a red team or a malware or whatever, like, just put another layer on it. Right. Like you already got a zip file that's encrypted. Just throw it into another zip file. What could go wrong?

Megan

I mean, did it work?

Ryan

It worked. I mean, now it's patched again. Could it write a pat?

Megan

How so is this like the Buster Buster phone? Yes, the Buster Buster Buster.

Ryan

Yeah. There's going to be another patch for three layers.

Megan

Three layers?

Ryan

Yes. There's a cve.

Megan

There might be a way to root.

Ryan

Cause I will say I kind of want my own cve, so maybe I should just submit it. Please submit it now, please.

Alex

I really want to know from like the nerds in the room, how many people in the room have put seven zip on every computer you've ever touched, including your grandma's?

Ryan

Yep.

Alex

Yeah, yeah. It's like nearly everyone.

Megan

What about WinZip?

Alex

I. What's a WinZip?

Ryan

Oh, you paid for WinRare.

Megan

Oh, I'm sorry, I didn't.

Ryan

I will say, like, just a random fun thing. Winrar has merch now and it's kind of sick, so just throwing that out there.

Megan

Also, in a weird, really hacky thing, Facebook made a new.

TJ

We're talking about Facebook.

Ryan

Facebook bought winrare?

Megan

Yes. No, Facebook actually has their own zipping protocol.

Ryan

Oh, you mean ZM Middle standard. Yeah, yeah, yeah.

Corey

This.

John Strand

Middle out compression.

Ryan

This is middle out.

Megan

Anyways, sorry, I just wanted to say they did something good one day.

Ryan

No, I was going to say to wrap up the Mark of the Web thing, there is a really cool GitHub which I will try to find and put in, but it basically has like a matrix of all the different programs, whether they propagate Mark of the web and whether they don't. Most do. But anyway, news time. That was your cue, John.

John Strand

That was my cue.

Ryan

That was.

John Strand

You come up with another story?

Ryan

Just make up a story.

John Strand

No, I've been teaching.

Ryan

Be an AI. Come up with the most likely. I mean, so we can cover a bunch of data breaches. Because people were like, oh, I'm sick of my data being.

Alex

There were data breaches.

Ryan

Yeah. So Globe Life announced the data breach of 850,000 people. There's another Grubhub data breach.

Alex

Small potatoes.

Ryan

850K.

John Strand

I thought it was a duplicate.

Megan

What do you mean? Like, what's the data in there? This guy likes tacos.

Ryan

So this is probably. This is. Let's get the info stealer.

Alex

Actually, when you, when you combine.

John Strand

This is interesting because whenever you. I remember there was another breach where it was basically delivery information.

Ryan

DoorDash.

John Strand

DoorDash.

Ryan

And I thought, I thought GrubHub has been breached before.

John Strand

But it's interesting what's in these. These dumps.

Megan

Yeah.

John Strand

Is sometimes there's gate code numbers.

Ryan

Yeah.

John Strand

So it's like.

Ryan

Yeah, yeah. How to get to someone's house.

John Strand

My house in the Hamptons. Oh, the gate code is nice to be rich. Right. So you can actually see some of those instructions that are there.

Ryan

Yeah. I mean basically there's.

Megan

There's gold in that in those hills for stalkers.

Ryan

It's a stalker. Yeah.

Alex

There's a. There's photos probably of front door doors. Yeah. I know in doordash I always get the photo. And that gets likely logged and stored in an S3 bucket somewhere.

Megan

They're going to analyze that. This guy needs better.

Ryan

Yes.

John Strand

Question was, how many times did someone get caught naked walking through? I'm guessing not enough.

Ryan

I will say those Amazon drivers are crazy. Like they're like at. At 4am like walking up, what do they do?

Megan

They just chuck the package and run.

Ryan

Yeah. And they're also naked.

Corey

Yeah.

Alex

Let's be honest. Like after a certain time of the night, if you are door dashing, it is because you do not want to put pants on.

Ryan

That's very true.

John Strand

Can we talk about the Simple Help rmm?

Ryan

Oh yeah, yeah. Okay. Survey of the audience. Does anyone use Simple Help or has anyone ever used it?

Megan

It's slightly obscure.

John Strand

Dude, these Venn diagrams, no one raised their hand. No, no, no, no, no. These, they can't make termination because in security they may not use it, but MSPS and mssps sure do.

Ryan

I was just curious.

Alex

The computer, really good hero for this blog. Can we just talk about the. How hooded that hacker is for a second?

Megan

I mean they must have ran that through the AI generator three times.

Alex

Three times.

Ryan

If you do it three times, it doesn't get Mark in the web.

Megan

That's it.

Ryan

Yeah. So basically this is. We've seen RMM tools get exploited quite aggressively. This is an end day. This was some disclosed sometime around 2024. Not being patched as you'd imagine. People who use RMM tools heavily, also not super great about patching.

Megan

Why is it not getting patched?

Ryan

Well, it's patched, they're just not updating it. So like basically this, I'll tell you why, because you have a water district or a sewer, you know, like you have a you. And they're like, we really need access to this computer because this is the button that says like stop all valves or whatever.

Megan

Yeah, yeah, yeah.

Ryan

So you gotta be able to access.

Megan

That all the time.

Ryan

And setting up a vpn, you have to buy a VPN or buy an appliance that sets like NordVPN. Yeah, exactly. All right, so basically then you have. Well, we'll just install an RMM tool.

Megan

Got you.

Ryan

I'll put it on my personal Simple Help account. What could go wrong? Then I'll be able to access it any time of the day. If it breaks, I'm in my PJs. I just doordash some stuff or grubhub some stuff and I need to access it. But now unfortunately hackers are taking advantage of that and that's just unfair.

TJ

I want to hear what Alex has to say.

Corey

I mean one of the things that I noticed was like the clients and the agents that are still on the machine that might have been used in the past, if they're still there, you need to get those cleared off to, you know, to close this vulnerability and attack service. And then that's also kind of like just a thing that I've seen for like open ports for these RMM tools is that companies will have these open for the. Well, we might use that RMM tool and it's like we'll go through audit which ones you're using and block the ports for things that you are not using at all. Then you know you have that, that, that auditing and that visibility.

Ryan

Yeah. Speaking of blocking ports, there was an article in here about SSH backdoors which is near and dear to my heart. Let's see if we can find the actual article. It's. I think it's in basically it's a Chinese related threat actor tactic. Tactic.

Corey

Is that the telecom one?

Ryan

Yeah.

John Strand

It's funny, I see themes.

Ryan

Yeah. And it's a bear and it's another AI. Spoiler alert. It's another AI generated.

Megan

I honestly I don't think that they do anything but that at this point.

John Strand

So the AI pictures for the news.

Ryan

Yeah, yeah, dude.

John Strand

It's. It's elevated the pitchers game significantly.

Ryan

They are really good. I will say like look at this panda.

John Strand

Look at this, like this picture of this bear. Like usually what they would do for an article like this is they would just find like a picture that looks like this.

Ryan

Can we just use this for the future panda?

John Strand

Maybe, maybe it be lit up and if it's a Chinese hacker, it'd be like an Asian face and that's as far as they would go. That would be it.

TJ

That's racist.

John Strand

That bear. That bear is slamming photo stock.

Ryan

No, basically this is a Chinese hacking group is hijacking the SSH demon on network appliances by injecting malware into the process for persistence sense. If you allow SSH out of your environment, congratulations. So does everyone else. But this is, you know, modifying the tools. There are like signatures for this. This is actually ironically published by Fortinet.

Megan

Interesting, thank you.

Corey

Fortinet.

John Strand

They were like security issues.

Ryan

They were like, hey, it's like a full life circle. They were like, hey guys, clamav picked up something.

Megan

Oh God, what do we do?

Ryan

Yeah.

Megan

So were they modifying the client that they had already compromised to call back for their C2? Is that what I'm getting here?

Ryan

I. That's basically. Yeah. So they drop SSH lib sshd.

Corey

Yep.

Ryan

Which is a backdoor and is C2. And then they do all kinds of evil things. There's like this list, there's 15 commands supported and. And I mean, I mean these are very specific things. I feel like why don't you just go full command shell?

John Strand

Like just command shell. That's one of the things.

Megan

Keep it small.

John Strand

I absolutely hate whenever people are reverse engineering malware. It's always the same Thing like they reverse engineer malware and they're like. It has the ability to run commands from the command prompt. It can run ping. No. No NS lookup or in this situation it can list installed services. Like it's always the same.

Ryan

Okay, but what. It's only checking Etsy in IT D. It's not checking system D files. So that's only half of it.

Alex

That's because they know the government runs on Red Hat 6.

Ryan

Yeah, I mean what is temp f conter data XML is. I'm assuming that's the config file. That was specific.

Megan

Interesting.

Ryan

Oh, this is fun.

Megan

The recommendation not to allow SSH outbound entirely.

Ryan

Yeah.

Megan

Is that what you're saying?

Ryan

Okay. Correct.

Megan

Okay.

Ryan

Yeah. We just. Full disclosure, if we're red teaming you, we're going to use ssh as our C2 because it's installed by default in all Windows systems.

John Strand

And it's open outbound.

Megan

It's open.

Ryan

It's open outbound and you can just create a service that just always ssh. And it's very convenient and it has built in socks proxying.

Megan

But what if I'm the CEO?

Ryan

Well, you don't know what SSH is. Oh, so it's okay.

John Strand

You're still on Windows 98.

Megan

I'll let you pass.

Ryan

You are on the exchange server.

Alex

You have to get the credentials off the Palm Pilot.

Megan

Oh yeah. I'll look into my keyboard. It's on a sticky note.

Ryan

Yeah, exactly. So I will say this is a fun little tidbit in the blog post for that it says Vortegaard also noted that it used AI assisted tools to reverse engineer and analyze this malware. While this wasn't free such of problems such as hallucination extrapolation. Is this like one of those medical ads where they're like may cause death.

John Strand

May cause hallucinations extrapolations and showed promising potential.

Ryan

We, we listen. We did write this blog but we might be full of. We don't really know.

John Strand

Are we going to tell them that using strings on Linux is not AI?

Ryan

No. But that Clam AB is AI?

John Strand

No, is AI Exactly.

Megan

Developing.

Ryan

Yeah.

John Strand

All right, I think we got time for one more because we got food starting over there at 6:00 for the vendor crawl. We got food and alcohol out there.

Ryan

Any audience recommendations for last hot take article or you can post in the Discord if anyone has it. We usually try to take at least one article from the audience.

Alex

Bonus points if it's politics.

John Strand

Deep today we took your money.

Megan

Bingo.

John Strand

And your hearts. So. Oh what about the CIA people?

Ryan

Oh, that's fine. Yeah.

John Strand

I really, really, truly do not want to talk about that. A number of reasons that I really, really, truly do not want to get into, and I don't want on YouTube how that.

Alex

Well, people in the chat did ask for John Strand's cash app to fund the swear jar.

Megan

Oh, if you know you are young, if you got a cash app, if.

Ryan

You find John Strand's cash app, it's definitely a scam.

Megan

It's a scam.

John Strand

Absolutely not real cash. John doesn't know what cash app is.

Alex

I know what John's cash app is. Here at the top of the hour.

Megan

Oh, gosh.

Ryan

I would say if you really want, just don't go donate to the EFF directly, please.

Megan

John Strand's honor, but not the model.

Ryan

Yeah. Just say yeah in honor of John Strand's F words, which he has many.

John Strand

Left to give, as they probably know who I am, honestly, because some crap that happened years ago, and I didn't mean it. I was drunk at the time. But we've always appreciated you and everything that you do, and I think that what the EFF does now is more important than it's ever been. So in all seriousness, please get out there and support the eff, because we're talking about, you know, digital rights. We're talking about even things like compliance and privacy and all these different things, and there's no organization in the world better than the EFF for that. So please get out there and support them as much as you can.

Ryan

All right, that's. I think that's it. It.