Wade
If anyone's watched RuPaul's Drag Race, like season one is notorious for having this really bad blur effect in the early 2000s.
Corey
That Vaseline smothered on the camera.
Wade
You knew the exact term. Good job. I'm so glad.
John
Lighting. Now I've got my mic mode. This is voice isolation and standard. Standard is what it is right now. Is one better than the other?
Corey
They sound the same to me. Exactly the same.
John
They're not the same. The ghost of Steve Jobs compels you to find a difference.
Corey
I will say I just like pre. This is pre show. But like I do, I personally feel that Apple has gotten so buggy that I like don't trust them anymore. That's a hot take. Is it just me?
John
It's really. So there's some other kind of creepy hot takes. Like Eric is ready to be done with Microsoft and she's not a fan of Apple, so she's like, what if I just try a Linux computer system?
Corey
Oh, is it the year of the Linux desktop?
John
Let's go. It's like the hottest thing she's ever said and the most terrifying.
Corey
You're like, john, you need. John, you need to read a book. It's like what to do when your wife asks you about Linux. There needs to be like a self.
John
Help book about your wife to use Linux. When you're expecting.
Corey
Oh my God, what to expect when you're expecting a kernel upgrade.
Kelly
Oh, good one, Corey.
John
Yeah, she's. I, I mean, it's getting a little weird. Like those news stories that we were talking about. She was listening in the other room where they were talking about Apple and then we were discussing Google, listening to all your shit and looking at all your pictures and basically owning your entire life. She's known about this for a really long time, but she's kind of sick of it. She's just like, this just isn't cool. I just. We just don't need this anymore. So she's like, if we have Linux, do we have more control over that? I'm like, yeah, we do.
Corey
Yes. In all the worst ways you do.
John
Yeah, in all of the worst ways you do. It's a blessing and a curse. It's like a genie. It's like, I would like to have full control over my private data. Poof. Congratulations, you're running Linux for some.
Corey
You got backups?
John
Yeah. The last real great version of Mac.
Corey
OS was Snow Leopard.
John
And that's the year that Snow Leopard, Steve Jobs declared no new issues. We're only doing bug fixes.
Corey
For this one.
John
And that's what they did.
Corey
And that's why it was that. Was that PowerPC or was that in the Intel era? I think that was still PowerPC.
John
That was Intel PowerPC.
Corey
Are you sure?
John
No, it's after PowerPC.
Corey
Okay.
John
Yeah, it was. Sorry, it was before the M1 architecture.
Corey
Before Apple Silicon.
John
Yeah. So it was just like Snow Leopard was peak. Was peak Mac because you used to be able to get an update. You were excited because it would make your operating system more awesome. And Snow Leopard was great. And then just it's a shirt with a collar. It doesn't mean I'm wearing formal attire.
Bronwyn
John, for you, a collar is formal attire.
Corey
Come on.
Bronwyn
T shirts.
John
I did actually have somebody that came to Wild West Hackin' Fest, Denver, Mile High that came up and talked to me and he's like, yeah, it just seems kind of weird. Like the owner of the company. I don't. Do you even own a button up shirt? And I was like. And Bronwyn, you would remember back in the day and so would Kelly. I used to wear full three piece suits. Like, like.
Kelly
Oh yeah. With a vest.
John
With the vest. That's true, that's true.
Bronwyn
Handsome.
John
Reason why is I was teaching the hacker class and if I showed up in jeans and a T shirt like the professional people were just like, you know, what the hell is with this guy? If I showed up in like business casual, none of the hackers would respect me. So whenever you show up in a three piece suit to a conference like that, everybody looks at you and they all say the same thing. That guy's trying too hard. Really help set everyone at ease. Like, this is either one of the best hackers that ever walked the planet or we're in for a while.
Corey
I don't know.
Bronwyn
I've known a couple of guys that when they decided to start doing the three piece thing and they immediately got promotions.
John
So it happens, it happens. I, I don't know if I got a promotion, but you know, Kevin Johnson started doing it. I was doing it. There was a whole bunch of instructors that started doing it. I started and then about, I started showing up in like shorts and like T shirts. I, I like. And I remember Randy Martini showed up and he's like, you finally have reached the other side. You're one of us now. I'm like, shut the about that. And he's like, dude, you still got foam your hair while you have it.
Wade
So someone put the swear jar up.
John
Oh, oh yeah, we gotta do that. We do. All right.
Corey
So you're saying five bucks from John.
John
Something like $270 to the EFF.
Corey
Yeah. We're over 200 bucks now. Yeah.
Wade
I have to show up to. To meeting to Zoom meetings in three piece suits to get a promotion. I'm just never turning my camera.
John
No, no. I am thinking about bringing the students back whenever I travel to con.
Corey
The modern version of the three piece suit is just turning on your camera at all.
Wade
Okay. That's it.
John
Okay.
Wade
All right. Yeah.
John
I need you to stand up and prove you're wearing pants.
Corey
Yes. That is the modern equivalent of the three piece suit. Proof that you're turning on your webcam and proving that you're wearing normal clothing.
Kelly
Spicy in here.
John
That's spicy.
Corey
All right. All right. Roll that finger out.
John
Let's go, let's go, let's go. Hello and welcome to another edition of Black Hills Information Security, talking about news. This is February 17th. God, at least I hope it is, because I remember the last show over all the show notes from a month prior. But notable stories. We got a SAML bypass on GitHub Enterprise. Man who SIM swapped up the SEC's X account pleads guilty. Massive brute force attack. 2 million IP addresses target VPNs. Fingering Russia by Microsoft for Sandworm. That sounds dirty.
Corey
I know the verb. The phrasing there is just choice, choice, phrasing.
John
LIDAR technology. Recognize your face. Human back in AI is key. I want to talk about that one.
Corey
Data. There's a lot of good stuff. It's going to be a good week.
Wade
He. He didn't say the best one.
John
It's too much. There's. There's a lot. There's a lot.
Corey
What's the best one, Wade? Is there something about chicken wings in here?
Wade
No, the Fortinet one. The Fortinet.
Corey
Okay, let's do that. Okay, hold on. Let's do the Fortinet one first. There's two articles in our news notes, okay? The first one is a new Fortinet CVE, which that's happened every week for the last two years. The second article is that Fortinet was voted the most or one of the most trusted security firms, according to Forbes.
Wade
Now, if you remember, trusted tech companies, it's number seven for tech companies, right?
Corey
It's the only cybersecurity firm. So if you've watched this show before, you know that the Forbes lists are just fodder for this show to just. For us to just rant. The previous list was the most secure companies, which was amazing. And at least half of those got hit by ransomware the next year. This list is the Forbes most trusted companies, America's most trusted companies. And Fortinet is on there. And the CEO felt the need to cash in on that cachet and make a little graphic of. There it is. Top 10 out of 10 business services. There's so many tops, and there's different random verticals. I don't see how any of these are possibly relevant.
John
Oh, they're really relevant.
Wade
I'm not gonna lie. I dived hard into this one because I had to try to figure out the methodology behind how these things were going for.
Corey
Okay, what's the methodology? Wade hit us.
Wade
So there. So one thing. It took forever to, like, read the actual Fortinet article about this. So they graded them on four different things. Employee trust, customer trust, investor trust, and media sentiment. Out of those four, they were graded. They had rankings 1 to 300 incorporating measurements across those four domains. If you. So if you go to the link I threw in the chat, it actually shows. At first, I like Control-F Fortinet. It didn't come up. I'm like, oh, they must be on, like, the back end. I didn't see the top seven part. And then I realized, no, they're number seven. They're, I think, beat out by Nvidia, ServiceNow, KKR, which I've never heard of.
Corey
ServiceNow. Oh, my God.
Wade
ServiceNow is number two. Right. And then I was like, all right, how much was Forbes bought out?
Corey
Okay, does anyone. Does anyone know what KKR is in this room?
Wade
Banking and financial services.
John
Does anyone know what they do they're based out of? Yeah, just a hair over 4,000 employees.
Corey
Corey. Thanks, John, for that super detail.
John
It's New York City in New York. Just.
Corey
I know what KKR is because they bought my last company, and I'm not going to comment on how that went, but you can Google around and figure out how it went. Yeah, no, I mean, I. I guess I'm like, okay, this. I think more than anything, the rant is just how big of a disconnect is there between, like, security people and, like, everyone else?
John
Because I wonder about this article if they're looking at these things, like, it's more from. And like, Forbes is an investment, right?
Corey
Yeah, yeah. It's like, should you buy the stock? Not should. You know, are they gonna get hacked?
John
So just. So they're definitely doing it through that lens, but Wade has more.
Wade
So the employee trust, right. Was used through Glassdoor. Right. So Glassdoor ratings. Everyone knows those are very trusted. The customer service stuff was done by a company called 100x never that assesses consumer sentiment regarding companies, brands, products.
Corey
You know, they're owned by KKR. Sorry.
Wade
Anyway, the investor one really doesn't dive into. They look at the five year stock performance and then the media segment is done by a company called Signal AI. So.
John
Oh, oh, they got AI.
Wade
Oh, that's it.
Corey
I mean I, I, I, yeah, I, I don't have a, I mean we can move on. This isn't that interesting of an article. It's just, I think the thing that gets me is the concept of trust. I think a cyber security concept like core. So it's weird to me that like trust is now just like, should you buy this?
Wade
Maybe they're talking about zero trust.
Corey
I think that, oh, that makes sense.
John
You talk about the disconnect, right? Like there is definitely a disconnect. And this gets into old man ranting land where it's like, I love computer security, I love technology, I love working with the stuff and hearing about the new things that come out. I hate with the passion of a thousand burning suns, the business side of this entire industry. And wow, my focus is very soft at the moment. The problem I have with all of that is all that shit's not real. It doesn't translate into what people are doing on the ground and the vulnerabilities and all of these different things. And it's draining for me. And I don't know, like we have a lot of people here on Discord and stuff and I know it's probably a definite heavy selection bias, but does anybody else find that exhausting? Like the marketing financial? Like you see a company get huge vulnerabilities or a huge hack, their stock dips 5% in the next week, it's back up 10%. Like the Bizarro world aspect of computer security is just exhausting. And you know, we talk about it a lot on the show. Not as much as when I was still on Enterprise Security Weekly with Paul and Matt. But it got to the point where I had to stop doing it because I told Paul I can't do this anymore. And he has Adrian and some other people that enjoy it and it's great, they should absolutely do it. I'm not on that aspect. It's just not something that I'm interested in talking about someone's stock portfolios on these funds anymore. So I don't know. I think it is important because we have these types of articles and somebody can we bring back up the screenshot of the website with the market verticals where it was like, top 10 in health care, top 10 in manufacturing, top 10 in all of this shit. And the reason why I hate that so much is a lot of people that are making purchasing decisions, right? If they work in manufacturing, if they work in health care, financial services, business services, technology, what is it? Telcos and carriers? 
You see, CEOs say, well, I want to work with a company, and how do they rank and rank in our market vertical? As though their market vertical from a technology perspective is some precious snowflake. And you have to be able to speak lingo and understand what's going on in financial services and health care. Whenever it comes to security, that is not that important. So these things matter, because I guarantee you there are a ton of CEOs that subscribe to Forbes, and it's going to be almost impossible for the tech teams to talk them out of acquiring for that technology because of this.
Corey
So, John, excellent swear jar rant you had there, John. That was a $15 swear jar rant.
John
15. Sorry, I'm like, oh, Delta with myself. Kelly, go ahead.
Kelly
Let me take counterpoint there. I haven't bought network equipment in a while, but my understanding is Fortinet licensing not only for the physical equipment, but licensing for the operating systems is a little less than Cisco. And I'll put forward, if I know that Cisco's getting compromised and Fortinet and Palo Alto and all the rest of them, it's a better business decision to buy a less expensive product because they're all insecure.
John
Ouch.
Corey
Oh, man. I mean, I honestly. I mean, that's a. It's a hilarious take, but honestly, I think the truth is no one cares how insecure they are.
Wade
Yeah, I read this, like, the first two pages, and I'll tell you, it got. I had to go all the way to number six to find a company that I trusted, which was Costco.
Corey
I trust them, too. No, that's a good point. That is a good point. I do. You're right. That is true.
John
So coming back to this, I think the other reason why you see Fortinet everywhere and whenever I'm talking to other companies, they are so good, so good at training their customers. Like, if you look at. If you get an appliance, you get into their network, you're paying for services, getting that training, customer support, solid. Using the different devices and integrating with the different devices is relatively easy compared to, like, Cisco, for God's sake. So there are a lot of good things about Fortinet. So if anybody's watching this, especially Fortinet's lawyers, we aren't just shitting on you like one aspect of Fortinet, it's just we're a little dumb about it. There are definite reasons why people go with this product beyond they're slightly cheaper. I do think that they are an easier product to use than a lot of the other major vendors that are in this space. Ubiquiti. Okay. Yes. Ubiquiti is really, really solid as well. Thank you, Brian, for sharing that. And there's a lot of reasons why people do this, but none of it means a goddamn. None of it means, wow. None of it means a thing. If it isn't for the fact that the CEO comes in with an issue of Forbes and is like, we should be buying Fortinet. And I'm going to tell every single one of you that work in computer security, if your CEO and CTO is getting their news about what products to buy from Forbes, you're failing at your job. They need to be talking to you and trusting you more than these magazines. And if they're trusting the magazines more than you, then we've got some serious breakdowns. Yeah.
Corey
Anyway, honestly, I don't think being on this list is, like, means anything. I think cashing in on it is the move that makes me be like, I don't love that. It's. It's the going out and publicly being like, hey, we're the most trusted when you're like, also publishing a critical CVE. But anyway, let's move on. Does anyone have a one? I mean, I think this GitHub enterprise one is interesting.
John
Let's do it.
Corey
There's a. There's a few, like, we can go into CVE corner for a hot second. There's a few spicy CVEs. Okay.
John
Because that's been hitting your neck of the woods with the.
Corey
Yes. Calling.
John
It's no longer. We're calling Continuous pen test.
Corey
It's still anti-SOC. Let's just call it anti-SOC. But we don't know what else to say.
John
It's also called Continuous Attack Surface Management.
Corey
It's. It's called a lot of things, but it is. Yeah. So basically this is CVE-2025-23369, which is GitHub Enterprise Server. So this essentially is a SAML flaw. There were actually some CVEs in 2024. The researcher who wrote it up has a full blog where basically their logic is like, there were previous vulnerabilities, so I did some more digging and I found more vulnerabilities.
John
Hmm.
Corey
It's a pretty interesting vulnerability. You can impersonate users, right? So unauthorized access to user accounts, then you can elevate privileges, then you can compromise repos. I think the reason this is notable and there is a patch, so this is responsibly disclosed and you should patch your GitHub Enterprise. GitHub Enterprise is a self hosted service, right. It's a commercial product. And I think the reason it's interesting is because I would guess for most companies that are paying for this and using it, this would be a crown jewel, right? Like this is where you put your code, this is where you put either it could be developers but like for organizations who are going to pay for this type of repository software, it's going to be your crown jewel. It's going to be where your code goes.
Wade
Secrets as well.
Corey
Not just code and code and secrets and CI/CD and all that good stuff. So I think from my perspective like on the customers we've seen that have it of our anti-SOC customers, the ones who have it are using it as their crown jewel. Like they're all their code is there. So it's kind of under their, you know, extreme risky assets.
Wade
So on the blue team side too, I would say it's at least repos like this are not as heavily defended as say endpoints as well. Right. There's not a lot of, there are plenty of detections out there built for this login type of stuff, but it's not something you see as normal.
Corey
Right. Like a SAML exploit is not going to trip in like a Cloudflare WAF. Right. Like it's not, it's too specific. So I don't know, we're digging into it, I guess we'll see how it goes. There's a couple of other CVEs we can visit real quickly. So there's. We talked, I think we talked about the BeyondTrust CVE that was being exploited in the wild. Apparently now that's also been linked to another zero day. So of course APTs love to link zero days. Basically it looks like the BeyondTrust exploitation that was happening in the wild was also linked with Postgres. And so there's actually, I can't believe I'm saying this, but there is a Metasploit module that can exploit it that's recently been published. That's pretty cool. That was all pretty much still end.
John
Up as Metasploit modules at some point.
Corey
I don't know, I, I felt like for a while things didn't get put into Metasploit, but now they do.
John
Yeah, yeah.
Corey
I don't know. Basically, Rapid7 published a nice little blog outlining, you know, how it works. The, the Postgres one is a local, but it's interesting because they're triggering the Postgres zero day through the of their vulnerability. So it's like SQL injection through another vulnerability, if that makes sense. So it's a fun little chain, but yeah, patch your Postgres as well as your BeyondTrust stuff. All right, last CVE, there was one more. What was the third one?
John
It's a big week. We got three of them that rose to the level that we have to start hunting them down.
Corey
Yes. Why am I blanking on the third one? Anyway, I'll come back to it.
Bronwyn
It's not like he had anything else to keep track of.
John
Corey. No, no, there was nothing there. Do we want to talk AI yet or are we going to hold off on that one? The NSA director's AI stuff. Oh, that's a good one.
Kelly
That's juicy.
Corey
Yeah, go for it. Go for it.
John
Yeah. So the NSA director basically was like, we put the human back into AI. It's key. And there's some really, really, really good kind of quotes in here that I think are interesting. Looking at the next generation of national security professionals. I want policy people who can code and coders who can do policy, which I thought was really, really, really interesting that that kind of twisted my brain into a noodle. Five years ago, baby boomers were replaced by Gen Zers. And I'm like, there's still baby boomers out there that are trying to get jobs. It's not like they've all been replaced, but whatever. And five years from now we'll have people born in 1997 in the workspace that understand data, large language models, speak a lot of languages, including computer languages as well. And talking in terms of like diversity and how we look at AI, because what was that during Wild West Hackin' Fest, we were on the stage where, you know, it was. I don't want to say it was a hallucination, but it was basically a prompt that was like whole bunch of developers of AI and it was like the widest room of the whitest developers with the most perfect beards you have ever seen. It was. But it was very, very generic and scary, actually. And it really goes back to MalwareJake's keynote where he was talking about AI and human aspects of it and how we don't have role based access control. We don't have all of these things that we're putting on top of AI. And this article with MalwareJake's presentation like, really, really floored me. Right? And I'm going to stick with kind of MalwareJake's thing that I thought was really, really super cool was one thing he was talking about is if you have AI that's going through all the documents in your organization, you can see documents as a standard employee that the AI will siphon up, right? So you can be like, you know, layoff plan for 2026. You can sit and create an Excel spreadsheet. 
You can create your entire layoff plan as an intern and you can upload that Excel spreadsheet in someplace where AI is going to vacuum it up. And then if anybody in the company asks, what is our. What is our, what is our layoff plan for 2025 or 2026? It's going to be like, oh, oh yeah, here's a document over here that has all of that information and it's just going to answer it, right? Because it isn't about being correct, but it's about trying to find the best fit with the data that it's been provided.
Corey
It's a net. It's a predictor of the next most likely word.
John
Yes.
Corey
So it's great if you want to.
John
Know what that is and then going with that. You know, we're talking about, you know, the ideas of simple, simple, basic baby concepts of diversity going into some of these AI models and asking it questions like who took, who's planned for maternity leave in the next nine months? And those types of things. Like there's some really scary things that all of a sudden AI doesn't have context associated with it. It does. It's like a toddler that's like spouting out all the horrible swear words about all the aunts and uncles in a room because you're from mom and dad. And it's just kind of terrifying. Bronwyn, you research more than me. I wanted to throw it over to you and get your take on because I think you have a better understanding of the technical aspect in the back end. Go for it.
Kelly
You are not wrong.
Bronwyn
And there are also some controls that are available. So one of the things that I recently learned is that Copilot Enterprise does have some ability to do role based access control, sort of. And it isn't anywhere near what we're used to, but it's a lot better than what I thought, which was no controls at all. The other thing is that through researching a blog post that will hopefully be pushed to our content people this week I've learned that Copilot basically follows the Microsoft and Azure role based access controls. So any organization that is implementing Copilot in their environment, you don't really have to configure Copilot separately to keep secure documents secure. You just need to do all the grunt work for implementing RBAC and other zero trust controls the way they should have been done to begin with. Where I've seen where I'm seeing organizations run into trouble, where anybody can go in and gain access to everything is where those standard role based access and other zero trust kinds of separation of duties types of things have not been put into place when those aren't there. Yeah, Copilot is all over the place to a degree. ChatGPT also has that and if you dig deeply enough, ChatGPT can be taught to follow the Microsoft RBAC as well. Now, is it default? No.
Corey
So yeah, I want to jump real quick. I feel like we got a little misdirected because that the article. So the article itself, it's basically saying I want people who think differently. That's the NSA guy's take. Yeah, it's basically like the point is now AI is teaching people how to think, right? This kind of goes back to Jake's keynote. It's like someone asked the question, they were like, well if AI learned how to think from how we think on average, are we just going to get dumber? And then the AI is going to get dumber because like there's no new information coming into play. So I think the like the plea here is basically like not. It's kind of like the whole Copilot or AI is not going to take your job unless you refuse to use it. The only people's jobs who are going to be lost is people who refuse to use AI. Like it comes down to this person's take, the former director of the NSA is basically, I still want people who think differently from AI. That's the subtext. The subtext is AI is great if you want to know what the average prevailing opinion is, but that doesn't actually generate anything useful for most scenarios. Unless you want the most average phishing email, the most average whatever. I guess that's kind of the interesting part of it is like people who are neurodivergent, people who are thinking outside the box, people who have dumb ideas about. Oh let's. Has anyone ever told GitHub Enterprise to use a different SAML assertion than it's supposed to? That kind of thinking is never going to be where AI goes because it's not on average that would be discarded during training. Yeah, it would be discarded because it's. But that would be discarded because it's a low enough probability that that option would be thrown out. Right. That's exactly the whole point. It's like the weird outside the box thinking isn't part of AI.
Bronwyn
Well, it can be if the people who are doing the training aren't just snarfing up everything under the sun and training these AIs and LLMs on stuff without indiscriminately. That's the word I was looking for. And I think, I hope that going forward, one of the things that will happen within the AI sphere is this idea of using better ingredients, meaning better data to do the training. Because right now it's a free for all. Oh, it was on the web. We're going to scrape and we're going to throw it into a new model. Oh, it was here. We're going to throw it into a new model then of course, yeah, it's going to pick up whatever is the most common and assume that that's right or correct because it's going to be the highest sync. I think that in the long run, paring it down, training these models with more appropriate and less superior will lead to superior results.
Corey
But it has to know everything to be useful. So I would disagree because the whole point of it is that it knows everything. That's like the value of it. If you just want someone to go look at a specific thing, they can do that individually.
John
Let me, let me kind of use an example. And I'm going to be ineloquent and clumsy. Right. We have a number of customers that are in the financial markets and they're trying to do financial predictions of what is going to be happening over the next couple of years, trying to find different trends and analysis. And sometimes it's not even in the next couple of years. Right. It can be over the next six, seven months. And when you're looking for trying to do that financial prediction analysis as far as like where trends and things are bubbling up, it gets really complicated if you aren't feeding it in a diverse array of different data sets. Right. And that diversity can be socioeconomic issues across a whole bunch of different class of people. And looking for those things that tend to bleed over, new trends, new technologies, new fads, things of that nature, they can be incredibly, incredibly disruptive. So if you're building an entire AI model and it's based on traditional network market trends. You're going to absolutely miss the possibility of potential Black Swan style events or mini black swans, just call them that. And you can kind of go through some examples of this. Right? You know, if we're looking at, let's look at Nvidia, no one, five, six years ago was going to say, we're saying, you know what? Nvidia is going to be the biggest company in the world. That wasn't, that wasn't a thing. Right. You have these niche areas of AI that are starting to bloom. We don't necessarily know where their impact is going. You can start looking at like different coins and like cryptocurrency space in different meme coins. Right. I'm using this as a horrible example, but you have all of these weird effing coins that don't go away. And it's like trying to figure out which one financially is going to be viable in the long run. It's like, oh, fart coin, that coin is going to be viable. Is it like, what the hell? Okay, it was. 
So when you're looking at all of this stuff, like the weird, the strange, the edge always have this ability to bleed into the main. And if you're just constantly training models on just the core set of data that you have, and I think, Corey, this kind of goes back to your point. It's not going to be a very innovative tool for you moving forward and trying to use that model to use predictions from market forces or use predictions for trying to figure out geopolitical forces and what's actually happening in different parts of the world, going back to like Palantir and some of that stuff that they're using. So when we're talking about diversity, diversity is much, much, much more than just saying it's an issue of like race and sexual orientation, even though that is absolutely a part of it. When you're looking at the world as a whole, diversity has to be part of that kind of a calculation because it's part of who we are. And if you don't understand that and your models don't work with that and you don't look at neurodiverse people, you don't look at different socioeconomic, religious background, sexual orientations, you're going to start missing really, really simple, stupid things and you're going to end up with sensors that dispense so that don't recognize black people because their hands aren't white. Like the people that designed the sensors. Stupid little things like that start to seep in and they can be catastrophic. That was really ineloquent. I'm sure I'll find a better way to do it tonight at 2:00 in the morning.
Corey
Saying this way, I mean, I think that's, I, I guess what I would say is the, the, the way to sort of prove this and the interesting AI sort of thought is if you make an AI that is like the counter, the counterculture AI or whatever you want to call it, or the, the, you know, the atypical AI, the out of the box, outside the box thinking AI. Like does it just hallucinate 98% of the time? Like can you build a mathematical model? Like we know how LLMs are trained roughly. Like you basically take the most common responses, you keep those, you throw away the super uncommon weird responses. That's how you reduce, you know, false positives and hallucination. So yeah, it's a, can you do the opposite of that but in a controlled manner? Can you do the opposite? Can you say, all right, think of 10 responses and give me the weirdest one. And then can that be made into something useful?
Wade
I know there's an option in ChatGPT to do that, to make it like.
Corey
Act, but you can't change the training parameters, right? Like Jake was talking about during his keynote, like they, they have hard coded in, they discarded the bottom, let's say 98 responses and kept the top 10 or whatever it is, you know that like that's baked into the model. So I don't know, I mean, we'll see. I guess someone should try it.
Bronwyn
You can, you can't determine how creative an LLM can be in its responses. That's something that you can't do necessarily with ChatGPT quite as well as you can with a local LLM that you're controlling yourself. But John's diversity point is, I agree 100%, that has to do with the training in order to meet the populations. I also, I'm going to make a prediction here. I know we don't go in deep for predictions, but I think that in the long run there's going to be a separation between going for general AIs, this generic all encompassing versus specialized AIs and we're seeing a lot of the specialization returning really interesting results in medicine and in other specific fields. I don't need something that knows how to analyze scans of breast cancer screenings to know how to paint a watercolor. Those are very separate issues. And I think that we're going to get.
Corey
This is spot on.
John
Let's pick that up.
Bronwyn
But the diversity. Yeah, but the diversity of that, Ron.
John
When I think that medical one is really important, and I want to jump on that, a lot of people don't know this, but the vast majority of medical studies, whenever they're studying the effects on different diseases, they're studying the effects of drugs. Completely exclude women. Does anybody know what. Because. Oh, go ahead, Kelly. It's going.
Kelly
Because there's an assumption made that women are just smaller, more petite versions of men without looking at the things that make women different than men.
John
Exactly. I'll just use one of the key examples. Menstrual cycles mess with the validity of studies. They just do.
Bronwyn
Yes.
John
So what they do is they completely, like, let's just pretend that women are smaller versions of men because shrink it.
Corey
And pink it, and we'll just.
John
We'll just do that instead. And then there's like this whole thing where it's like, look, this medical study said X, Y, and Z. But if you're fooling that data into AI, then you are going to run into some serious issues about how the predictive model is doing diagnosis for different people. And that is also true across socioeconomic lines. That is true across race lines. That is true across a number, even geographic location. You have different propensity for different types of diseases and cancer. So if you're just feeding it with the data that we've been working with for years and years and years, you're going, what is it? Garbage in, garbage out. Right. And I don't believe it. I think garbage in, garbage out is incorrect. It's not garbage in, garbage out. It's never been garbage in, garbage out. It's always been garbage in, garbage gospel. And that's the part about a lot.
Corey
Yeah, No, I mean, the. Yeah, I. I think that's a spot on prediction that, like the. The difference in specialized models. I. I'm sorry, but I just got like, a premonition of some, like, a boardroom of white executives being like, let's ask the woman AI what she thinks.
Wade
Oh, God.
Bronwyn
Don't even get oh, God.
John
That. That should be a set.
Bronwyn
They're gonna end up making coffee.
Corey
I'm sorry, but I had to. I had to ask, what is the.
John
Secret combination of words that'll have this girl date me?
Corey
Like, oh, my God. All right, let's move on.
John
It's gonna get here real quick.
Corey
So the last CVE that I was blanking on before is basically patch your expensive rectangles, AKA Apple devices. Oh, there were, there. There were some really interesting flaws and these require physical access. But there were flaws in the USB restricted mode, which is basically like how your iPhone decides whether it trusts something you plug it into. Now there's a CVE for them. But patch your iPhones. The patch came out today. I got it today, so. And iPads. It's a pretty interesting write up. I would recommend, I believe the. I don't know. Actually, hold on. There is no write up for this one. Hopefully whoever published it, unless it was them, I guess, will publish a write up for it. But yeah, Citizen Lab is who the vulnerability is credited to. So I would assume they'll write it up at some point. But basically, patch your expensive rectangles is.
John
Yet another vulnerability out there. And by the way, boys and girls, most pen testing companies aren't allowed to cut your expensive rectangles that you speak of because you own them. So odds are your organization will not know that these vulnerabilities exist until bad things happen.
Corey
So while we're in the weeds and just dropping, you know, hot takes all over the place, should we talk about Doge again? I feel like this is becoming a recurring theme. I mean, I can't tell. I honestly can't tell right into it.
John
This is a security catastrophic.
Corey
That's what I'm saying. I can't tell if security people are just on the same page as us and are like this is. Yes. Or if this is really a security disaster.
John
Right. And for the record, I want to make this very clear. I'm a huge fan of the idea of efficiency and the government trying to have some oversight. I think that that's great, that's wonderful. Handing it all over to Elon Musk is not the right way to do it. Like, it's just not. And then we also have this thing called OMB which is doing Fed oversight already. And you can argue about how good they are, but screw it. Stepping away from any political ideology or anything like this, this is stupid. I'm just seeing this go again and again and again. And the access that they're getting is just mind boggling. They're bypassing all authorization, they're bypassing all controls, they're getting all of these different things. And Mike, I talked about in a lot, I talked about it from the stage last week. It isn't just about the access, it's about the integrity of the data moving forward. Right now, all of a sudden, if you bypass all of those controls. And I want to get Kelly's take on this for sure. You bypass all of those controls, the integrity. I mean, we have GRC for really, really good reasons for trying to make sure that access is properly gated and vetted and tracked and controlled. And we're like, nah, we're not going to do that anymore.
Corey
Well, so before we get too sensationalist, before we get too sensationalist, they're not blocking. They're not. There are. The data access is somewhat limited and the research, like, is. The research is interesting. So let's, let's cover the specific articles we have. The one is someone. This is basically the article and it's kind of confusing, but basically someone did a bunch of research about how much government type stuff is exposed on Shodan and they tracked that over time and they basically found that like, recently lots of stuff has been popping up on Shodan. So there it's. It's this substack, cyberintel, substack.com is the substack that's covering it. It's, you know, again, the data is the data. You can draw your own conclusions. But it kind of is a little bit of correlation causation. But it is interesting to see. I mean, they talk about national research labs that from my perspective, have no tie to Doge at all. But I guess I think it's just a broader trend of like, when the thing is make it work at any cost, security gets thrown out the window.
John
Right?
Corey
Like, and I feel like there's kind of an assumption unspoken perhaps of, well, the government doesn't do that. The government doesn't say, make it work at any cost, even if you have to put it on the Internet. I am, but I feel like maybe that's changing. I don't.
John
So wrong. You are so wrong. I am sorry for it. So completely and utterly just wrong. I apologize profusely.
Corey
It's okay, let me have it.
John
No, for the years and years and years that I worked in government and in classified space now in classified space, they were never just like, hey, just put it on the open Internet. It was always like RDP on Shodan, SIPRNet, NIPRNet. They were like, open it up. And it's like, well, it's all trusted. It's all classified. We'll just expose this data port, the database port directly to SIPR and NIPR and run it from there for classified network access. But you, you see this all the time in government agencies where there is literally that conversation where it's like, you know, it goes all the way up the chain and they're like, hey, we need to expose this data to this other government agency. And they're like, great, where are your source IP addresses? Well, we can't get those for you right away. Well, when you get them, let us know. No, we need this access right now. Just open it up to everybody. And it's like, that's bad. Like that's crossing the streams. And they're like, but it's more important that we get this out because the director of, you know, Department of Interior wants this data exposed immediately. So these things happen like all the time. And what's worse is after that immediate precipitating event that causes that security, like exposure, almost always that exposure gets forgotten about and they move on to something else for a while. For a long while. I don't think it's happened for a while. But government agencies would get a security scorecard. They would come in, they would get an assessment from various third party agencies, sometimes pen testing firms. A lot of times it would be from the Office of the Inspector General for that specific part of the government, and they would do a security assessment and they would get a security scorecard. And for a large number of years it was like, Fs. Fs. As far as the eye, look at my field that is full of Fs. Like, it is just that. And I don't think it's gotten that much better. 
And what scares me about this article is they're looking at the delta in the data that's in Shodan. And I know that it's bad. And the fact that this guy wrote this article and he's like, the delta shows that a tremendous amount more is being exposed. I don't know. I don't know where we go from that. It's like, well, this sucks more than average. This is outside of the standard deviation of suctitude. What is the reasoning behind this? And that's the interesting question behind.
Corey
No, I mean, the data is the data. I think it's an interesting read. Draw your own conclusions from it. But the other piece of data that we have is the Doge website being kind of publicly exposed. Yeah. So again, this is an interesting one because they don't really disclose the technical details of exactly how. They just say, okay, it's like a Cloudflare pages. It's a Cloudflare Pages worker, you. And then it's pulling data from a database and they say the database API was exposed. So I guess it's like, so I.
John
Don't know, I never. So I was plugging around with that a little bit. I never did find that database API that was exposed. It's possible that it was closed out, but there were a lot of articles that were basically like, I can update the DOGE website to be whatever I want it to be.
Corey
Right. And someone actually did it, by the way. Someone actually did push a chain.
John
If you look at the vulnerability, it was basically a cross site scripting attack where they can insert an iframe from another page. So it wasn't like a super cool vulnerability. It was like, hey, it shows that, you know, it isn't coded all that great. They didn't do basic security.
Corey
Right. It would get an F on the security scorecard. It is a data point, right?
John
Yeah.
Corey
I would argue though, it is just their website, right. The poster that they put up, it's not actually the data. Now I don't know how long that's always going to be true, but for now it's just a poster. Right. The FBI's website's been hacked. Right. It's just a poster of the FBI.
John
I want to talk about SAS for a. I never said that SIPRNet and NIPRNet would be exposed to the Internet even though that has happened. Can't tell that story that has happened. But whenever you're on SIPR or NIPRNet it can be exposed to different government agencies even though they're all running at a classified like say TS level. It's basically think of it as like a classified Internet votes where it's isolated and technically air gapped, which that's a whole nother story. But the level of exposure that they would allow that to be exposed internally within DOD was way higher than where I was comfortable on that as well. So.
Corey
All right, anyway, yeah, I mean it's just, I think it's just, I don't want to get. I get people are sick of hearing about it, which is totally fair. I just wanted to throw a couple data points on the mix. You draw your own conclusions. What do you think? Is it okay? Are you okay with this? Make, make your own decisions, but either.
Kelly
Way I got something to add. So we started out this newscast talking about trust and we were picking on Fortinet. But honestly I think we need to pick a little bit on Doge here. If they're going to be looking at our systems, our controls. To your point, John, about governance risk and compliance. I have no trust in them and I see no accountability to them. So if they ask me to do something, if I'm another department, a federal department, I'm going to do my best to ignore them if I can. So it still comes down to trust and accountability and they don't have it.
Corey
And yeah, that's a good point.
John
And, and I just don't, I just don't know what happens from here, Kelly. And that's my concern because like all of a sudden any of the data that they're pulling, if they didn't have the trust, if they didn't have accountability, if they don't have the auditing and who knows, maybe they're keeping great records of everything that they're doing and we've got full tracks of. Because Elon Musk has a really strong track record of being a well thought out individual.
Corey
Well, and let's, let's not talk about how the data sets we're talking about may have just vanished. But anyway, that's a different.
John
But if you're now trying to make, going back to AI, if you're trying to make policy decisions from tainted data sets, potentially tuned data sets, I, I don't even know where we go from here. And there's entire databases at Department of Health that have all of a sudden disappeared.
Corey
Yeah, that's what I was talking about.
John
It could be somebody else. Like so, yeah, bad.
Corey
All right, let's, let's, let's get out of bad government corner and talk about SIM swapping. So this is basically a conviction. There's an Alabama man that pled guilty to SIM swapping the SEC's Twitter account. Basically it's, you know, I'm not going to say the person's name. You can look at the article yourself. Basically they pled guilty. The, the interesting part of this article. So it was kind of a bitcoin pump and dump. But the interesting part of this article is at the bottom there's the full indictment, which has a lot of technical information that's interesting. It basically the guy was paid to SIM swap and the technical details of how they did it is pretty interesting. So they, he took, he made a fake ID, right. So he took the legitimate. He figured out who the SEC's X account's like account holder was, made a fake ID from them, walked into AT&T's retail store just to. And basically was like, I need a phone and here's my ID and then purchased the, you know, purchased an Apple iPhone, purchased an SMS or a SIM card and then basically that's how he did it. So it's like, I don't know, it's interesting to think about, you know, we think about SIM swapping how it's been done over the years, how that has changed, how much it costs, et cetera. But that is terrifying that. I mean, first of all, don't use SMS based 2FA. Like we've talked about that a hundred times. But it is terrifying that, like with a fake ID you could just go like, take over any phone number. Although I will say that. What'd you say?
Kelly
I said I have an interesting take. I didn't mean to interrupt.
Corey
Okay, no, hit us.
Kelly
So at the end of that article, they list some of his search terms or phrases. You know, he searched for where the Verizon store is. Federal identity. I have a question for Bronwyn. Have you seen any cases where somebody's AI prompts have been subpoenaed?
John
Ouch.
Bronwyn
I have not, but that's a really good question. And if it hasn't happened yet, it's gone the horizon.
Corey
Yeah, no, I mean, that's. You've got to assume it. Right? It's the same as Google searches at the end of the day.
John
And also, folks, if we can't trust somebody working at a Verizon or an AT&T store working at barely minimum wage, we cleave by your phone secure. Who can we trust?
Corey
Well, John, good news. AT&T was just voted the top most trusted company in America.
John
On the.
Wade
On the.
Corey
Similar.
Wade
Similar to this story. So my name being Wade. My dad and I have the same name. And that has played out very, very well for me in changing anything he owns ever. I have gone into multiple stores pretending to be him, and they have completely let me do anything I want. Even though if you look at his mustache, it is my dad.
Corey
Even though I get some beer, dude.
Wade
Well, that. That's another story that I won't say online, but it works. And it got to the point where my dad never put. So we have different middle names. Never put his middle name in anything. So we could do that in case something happened.
John
So.
Wade
And it's.
Kelly
So you're on a workshop how to hack your parents.
John
Yeah. So my grandfather's name is John Stratton. Or was John Stratton. He passed away a number of years ago and I went into a Wells Fargo. I want to say it was like seven, eight years ago and I didn't have my account numbers there. I was like, what is your number? I'm like, I don't. Can we see your debit card? I'm like, I don't. I cut up my debit cards and burn them. I don't. I don't have credit cards. I'm like, here's my ID. And they. They turn the screen over to show me my bank accounts. They just kind of were like, here. And I looked at it and I thought for sure that BHIS had been hacked and all of our bank accounts have been drained. And what they did is they showed me the bank account balance for my grandfather who had passed away like, four years prior. And I, I literally was like, on the phone with Eric. I'm like, you got to look at our bank accounts right now. There's like, no money. And yeah, it was my grandfather's.
Corey
That's fun.
Wade
I have been. My credit has been knocked because of him, too. And then I had to call them and be like, hey, that wasn't me. I wasn't old enough to rent a car at that time. Yeah. And they're like, oh, you're right. Okay, never mind. And then we both won.
Corey
Yeah. Really? I guess we did. We in the intro talked about the Sandworm article. The title of the article is just ridiculous, but which. The title is Microsoft Fingers Russia's Sandworm in US UK Attacks. Is this like the finger command on Linux? Like, what. What is going on?
John
I've got to stop. Because I felt the same thing.
Corey
Like, that's what it is, right? It's like, it's saying, like, who is this user? I know who you are. So, okay, basically the story is Microsoft, our good friends published an interesting kind of threat intel brief that outlines the activities of Sandworm, which is a really prolific Russian affiliated threat actor. The interesting bit is the list of vulnerabilities. They're attributing it to Seashell Blizzard. And basically the list of vulnerabilities are kind of a mix. Oldies but goodies, I guess you could call them. There's an exchange. Vulnerabilities, Zimbra, Open Fire, Jetbrains. So it's like a bunch of these CVE 2021 through 2023 vulnerabilities. Or I guess there's one 2024. But yeah, it's kind of interesting. Like the. They're not using new exploits, but they are getting a lot of success against US agencies.
Kelly
All right, I can tell you why they chose that title.
John
They.
Kelly
They chose it for just what you noticed, the sensational nature of it. Sandworm has been around since at least 2017. I'm sure Wade knows this because he loves Andy Greenberg. Andy Greenberg wrote a great book on Sandworm, and that came out in 2019. So those of us who, you know, are a little more, let's say seasoned were like. Yeah, Sandworm's been around for a while. Why should we read about this now? That's why they made such an intriguing title.
John
Right.
Corey
So if you go on any Linux system, you type finger Russia. Wait, no, Ryan.
John
Oh God.
Bronwyn
Can we get a swear jar for that?
Corey
It's not a swear. It would just say login Russia, name Russia, directory /home/Russia, shell, obviously /bin/rsh. Would it be like Comrade Shell? I don't know what they're. Yeah.
Kelly
Is that a new article?
John
Yeah. Let's move.
Wade
This article also has a really cool image. It's not in the article.
John
We're one step away from talking about promiscuous sniffing back doors.
Corey
All right, all right. Kelly, hit us with an article since you don't like this one.
Kelly
I wanted to talk about the Bruce Schneier article because that is uplifting.
Bronwyn
Yeah.
Corey
Wait, really? Is it uplifting? All right, Kelly, how is this uplifting? Give us this positive take on this very. From my opinion, sad article.
Kelly
Well, Corey, sometimes I can be sarcastic, you know.
John
Oh, oh.
Corey
I'm sorry. My, my, my, How Women Work. AI didn't pick that one up. Sorry.
Kelly
Okay, for those of you who may be a little newer to information security, Bruce Schneier is a godfather of security. He started out his career and still does expert work in cryptography. And in the last 10 years or so he's really focused on cybersecurity, or lack thereof, and its focus on its impact on society. About 10 years ago, he came out with a book titled Data and Goliath about basically government vacuuming up large amounts of data and what it's doing with it. And the registrar came back to him and said, hey, your book is now 10 years old. Is anything different? Is anything better?
John
I love that quote. Can we stop? Brian? Can you go up in 50 years, I think we'll view these businesses practices as we view sweatshops today.
Corey
I mean, that's a good.
Bronwyn
I sure hope so.
Corey
A lot of this has already been banned. I mean, we've talked about numerous articles, Kelly and I and everyone else on the news about different states regulating data brokers, people banning data brokers. Like this is already. We're getting there. Is there going to be. Okay, so to follow this logic. So there's like Patagonia, right? They're like, oh, we have a sustainable supply chain. Is there going to be companies that have like a no data, like stamp of approval? Like we're, you know, we have a totally transparent data supply chain that isn't tainted by, you know, this BS data. Like is that, is that ever going to be a thing or are we just going to be like eh, we don't look behind the curtains.
Wade
Is this going to be like the same as our sticker for like protected devices?
Corey
Like protected data, same thing? Pretty much, yeah. It's like, it's like the chocolate supply chain thing but for data.
John
I, I, I, I don't know. Like it seems really weird to me that Bruce is this optimistic. I, I, I don't know. I don't know. I haven't, I haven't talked to him in a decade but he was pretty grumpy and not happy with the way the world was going.
Bronwyn
And if you talk, he still is.
John
He still is grumpy. By the way, if you ever go up and you talk to Bruce Schneier, don't go up and talk to him about computer security, talk to him about music. He's, he's much more apt to have a conversation if you talk to him about music and stuff. But the other person that I got to know quite well, he keynoted Wild West Hackin' Fest, was Paul Vixie, one of the earlier godfathers of DNS. And his last keynote that he gave for us, I think in Wild West in Reno was one of the single most appropriate pressing presentation.
Wade
Oh my God.
John
Where he was talking about the amount of harvesting third parties is doing for all of our data and how that can still be used to identify who you are and what you're doing and all of these different things. I remember talking to him, we've had a number of conversations since then and basically he's like effort. I just ride my bike now and try to enjoy life. Right.
Corey
Like he just the other side, Same dude, same.
John
No, no, no, I agree. Right. I don't know where the optimism is. I do agree that we should be looking at these data collection practices as though in the same light as like sweatshops. I strongly believe that. But I don't know.
Kelly
It's not, it's not optimism. It's a call to action. That's how I read the article. What he does in there is he basically says, listen, we gave consumers a choice. Share your data. We're just going to use your data. You know, click on this, opt out if you read further enough down on the screen. And he's basically saying this, this movement to rely on consumer choice failed. It failed miserably. It's a call to action to get more federal or a federal privacy law that's been updated since you know, the last privacy law wasn't updated until 1972. I mean some of y'all haven't, weren't even born yet. So I didn't read it as optimism. I read it as a call to action.
John
I, I, I still has the optimism that eventually we're going to get there, like we're going to get to this space. And I don't think we are. I, I, I, you know, and kind of like cross sectional is with Cory Doctorow's coming war on general purpose computing. And you know, getting back to what we were talking about before the show. Like even my wife is like, I'm sick of it. I'm sick of the Microsoft ecosystem, I'm sick of the Apple ecosystem, sick of the Android ecosystem. I, she's like, I want to try Linux as an option to try to get away from some of this stuff. But it's getting more and more locked down. Like your Mac is becoming more and more like your phone and getting third party binaries. Microsoft is getting the point where you can't even really easily you can't. But for a general user to create local accounts, it's like, no, they want it to be cloud access all the time. Right. If you're looking at your phones, Android and iOS ecosystems are horrible. And no one can really explain to me why we don't have a good solid Linux phone that is still a usable phone that isn't effing horrible, whether it's Ubuntu Touch, whether it's PinePhone, whether it's GrapheneOS or Libre or whatever it is that we're using. But it's because the entire industry forces are trying to push us away from general purpose computing to the point where we are using locked in ecosystems where everything we install goes through them and they take a 20 to 30% copy of.
Corey
So I mean there are, Go ahead.
Bronwyn
No, it's, and it's not just that we have fewer and fewer options, it's also that they've switched over to this subscription model because that helps their cash flow.
John
Yeah.
Bronwyn
So we're.
John
Bronwyn nailed it. I want to throw this quote in because it applies to what you're saying. Consumers won't pay for privacy. It's the reason we're in this situation. Go ahead.
Bronwyn
No, I, that's basically it. I mean the, we used to have laws against monopolies and oh, this tendency to have fewer and fewer options and now they're moving us into this subscription model because it helps their cash flow. How many subscriptions do you have that you've forgotten that you're paying every month? You know, they learned from the gyms and whatnot, where people buy a subscription and then they just forget whether they're using it or not. And it helps their cash flow, it helps them have this steady level of income. And because consumers won't pay attention, they don't understand privacy, especially not the younger kids. I mean, they've been living in a, in a goldfish bowl their entire lives. So they don't even know that it's an issue. And they think that we're just, they're.
Corey
We're just calling at the moon. I personally have a couple takes. First of all is that when it comes to phones, there are some really solid Android based, de-Googled open source phones that you can get that are solid.
John
Right?
Corey
Like those do exist if you want to use them. I actually, I'm going to use an analogy here which is kind of confusing, but I'm going to use it anyway. I think the world of apps and phones and like the world that we live in with modern tech is very similar to the world we live in with modern cars, where if you go to buy a car today, it's basically just a computer with a bunch of wheels and gears attached to it. Obviously there are extreme examples of this like Tesla, where it's basically one screen, there's no buttons for everything, or there's no buttons for hardly anything, is basically one centralized control cluster and everything else is handled by the computer. You know, if you go back to like 1940s Jeep, it's a little different, right? It's everything is its own knob, its own button, its own control, and there's less features. But where I'm going with this is why are cars like this? Well, it's because that's what consumers demand. Consumers want heated seats, Spotify that. They want a backup camera that's 4K resolution. They want their car to tell them when someone tried to break into it after they weren't there. They want collision assist, they want like auto lane keep assist, they want radar cruise down to zero miles an hour. All these features are amazing if, if you use them, but also require the car to basically be a computer to be able to do it. And I think tech is basically the same thing. Why is our privacy out the window? Because we want ads that are relevant to us. We want tech that like automatically says, hey, it's 7:00am. Are you sure you don't want that same reminder you had the last eight times it was 7am? We want to go in Google and type something and it immediately knows what we want. Right? Like. Or just immediately like, that's what consumers want. And so we've sacrificed privacy to get that product. That's my personal.
John
And also nobody, Nobody wants to see Instagram or TikTok or Twitter or anything. Show you something outside of your echo chamber. Right? I want constant positive.
Corey
It hurts my brain. It hurts my brain, John. You can't have that.
John
No. It makes. Makes me rethink my positions. No, I want more snark.
Wade
Has anyone. So I log into Facebook after, like, never using it whatsoever. I. I go on it to see if anybody died. Tell you the truth, like, that's the only reason. And the. The ads that are given to me because there is nothing there. Most of my friends are all gone on there. I receive the weirdest, dead, strangest ads ever and they are not tailored towards me. And it's. And the ads are so bad, I don't ever want to log in.
John
My dad.
Wade
No, not my dad.
Corey
Is this the other Wade Wells?
John
What are all these ads for? Preparation H. Wait.
Corey
Soon those will be relevant, son.
John
Soon you'll know. So, hey.
Corey
Yeah, I don't know.
John
We made it to the end of another one. We're all doomed. Welcome to the end of Western civilization. Woo. But that's good.
Corey
Good news. There's no subscription fee for this podcast.
John
There's no subscription fee, but Google is going to just siphon that you're interested in this and they're going to decide to serve you up. I kid you not. Fortinet is totally going to have ads that are served up for people that are watching this on YouTube at some point.
Bronwyn
Sorry about that.
John
Pops up and it's like Fortnite voted one of the top.
Corey
Wait, do we monetize our YouTube? If we do, please, let's donate those funds to the EFF, too.
John
Do a recording of that. Like, now we're going to talk about the news and how Fortinet sucks. That would be amazing.
Corey
And I think our engagement numbers are through the roof.
John
John, good news, but Fortinet's pissed at us, so. All right, remember, if you're listening to this webcast for free, you are the product. Thank you so much, everybody, and we'll see you next.
Episode: Prove That You're Wearing Pants
Release Date: February 19, 2025
Hosts: Black Hills Information Security Team
Description: Join the Black Hills Information Security team each week as they dissect the latest in information security attacks, breaches, and the underlying causes. From penetration testing insights to discussions on emerging technologies and their vulnerabilities, this podcast is a must-listen for anyone passionate about cybersecurity.
In a humorous analogy to traditional workplace attire, the hosts discussed the modern expectation of showing one's pants during virtual meetings. This segment highlighted the evolving norms of professional presentation in the digital age.
The conversation delved into how turning on webcams has become the new formality, akin to wearing a three-piece suit at in-person conferences.
A significant portion of the episode focused on Fortinet, a prominent cybersecurity firm, examining both its vulnerabilities and its ranking on Forbes' trust list.
The team addressed recent CVE (Common Vulnerabilities and Exposures) disclosures related to Fortinet products, emphasizing the ongoing challenges even top-tier security firms face.
He criticized how Fortinet's CEO leveraged Forbes' trust ranking to enhance the company's image, despite the existence of vulnerabilities.
Fortinet's inclusion in Forbes' list of the most trusted companies sparked a debate on the relevance and methodology behind such rankings.
Wade explored the criteria Forbes used, questioning the disconnect between security professionals and business-oriented rankings.
Kelly provided a counterpoint, suggesting that Fortinet's appeal also lies in its cost-effectiveness and ease of use compared to competitors like Cisco.
Overall, the discussion underscored the tension between perceived trustworthiness and actual security robustness.
The hosts delved into several critical vulnerabilities impacting major platforms and services.
This significant vulnerability allows unauthorized access to user accounts by exploiting SAML (Security Assertion Markup Language) authentication.
The flaw is particularly concerning for organizations using GitHub Enterprise as a repository for sensitive code and secrets.
Another critical vulnerability linked BeyondTrust's exploits to the Postgres database system, highlighting a complex chain of attacks.
The discussion touched upon recent vulnerabilities in Apple devices, stressing the importance of patching.
The hosts emphasized that many pen-testing firms may not have immediate visibility into such vulnerabilities until exploited.
A deep dive into the intersection of artificial intelligence and national security, sparked by remarks from the NSA director.
The NSA director advocated for maintaining human involvement in AI processes to ensure diversity and prevent homogenized thinking.
This perspective led to a broader discussion on the limitations of AI in handling out-of-the-box thinking and its reliance on diverse datasets.
The importance of diverse data in AI training was emphasized to prevent biases and improve the model's ability to handle unique scenarios.
Bronwyn highlighted the role of role-based access controls (RBAC) in safeguarding AI systems, ensuring that only authorized personnel interact with sensitive data.
The discussion underscored the necessity of integrating human judgment and diverse perspectives in AI development and deployment.
The episode addressed concerns over increased data exposure from government agencies, as tracked by Shodan, a search engine for internet-connected devices.
The hosts expressed alarm over the trend of government data becoming more searchable and accessible, raising questions about data security protocols.
Wade examined reports indicating a surge in government-related data appearing on Shodan, suggesting lax security measures.
John shared firsthand experiences from his time in government, recounting instances where data exposures were mishandled due to urgent demands overriding security protocols.
A cautionary tale about social engineering and identity theft was shared through the conviction of an individual who SIM swapped the SEC's Twitter account.
Corey emphasized the risks associated with SMS-based two-factor authentication, advocating for more secure authentication methods.
Kelly added an interesting angle by questioning the potential legal implications of AI prompts being subpoenaed.
The episode covered Microsoft's attribution of recent US and UK cyberattacks to Sandworm, a Russian-affiliated threat actor group.
The hosts discussed the nature of Sandworm's attacks, noting their reliance on older vulnerabilities and the implications for national security.
John highlighted the sophistication of Sandworm's operations and the ongoing challenges in mitigating their threats.
In a segment aimed at emphasizing the urgent need for updated privacy laws, the hosts discussed Bruce Schneier's latest insights.
Bruce Schneier critiqued the ineffective reliance on consumer choice to protect privacy, advocating for robust federal legislation.
John expressed skepticism about the likelihood of achieving meaningful reforms, drawing parallels to past efforts and ongoing monopolistic trends in the tech industry.
The conversation touched on potential industry shifts towards "data transparency" akin to sustainable practices in other sectors, though skepticism remains about consumer demand for such measures.
Wrapping up the episode, the hosts reflected on the multifaceted challenges facing information security today, from corporate trust issues to sophisticated cyber threats and the imperative for diversity in AI.
John: “We've got some serious breakdowns.” (12:35)
Corey: “It's always been garbage in, garbage out. It's always been garbage in, garbage gospel.” (35:00)
They reaffirmed the importance of staying informed and proactive in addressing these evolving security landscapes.
Note: This summary captures the core discussions and insights from the episode, embedding notable quotes with corresponding timestamps for reference. For a comprehensive understanding, listeners are encouraged to tune into the full episode.