Hayden (1:09)

I'm.

John Strand (1:10)

Super interested in this podcast. Thank you so much for sharing.

Ralph (1:14)

The LinkedIn dots are gonna have a field day.

John Strand (1:17)

I'm pretty sure we're already categorized as adult content just based on that one sentence, probably accurately.

Ralph (1:25)

John joins like, occas occasionally enough that, like, once our, like, risk rating or whatever goes down, like, it spikes back up.

John Strand (1:32)

John joins and just drops some nation state level, like, unnecessary feelings.

Ralph (1:40)

Yeah.

Ja (1:40)

Oh, poor nation states. Their feelings got hurt.

John Strand (1:45)

Well, they're after their webcam images leaked. Oh, yeah, they're all sensitive about it now.

Ralph (1:50)

Yeah. My feelings.

John Strand (1:52)

That article. He just looks like a totally normal guy to me. Like, I was expecting, like, a hoodie.

Ralph (1:58)

Red eyes, glowing light. Lightsaber maybe.

John Strand (2:01)

Lightsaber.

Corey (2:02)

Yeah, exactly. That's. That's what I was thinking. Or to be wearing a mask, a costume.

Ralph (2:09)

I mean, there was like, two. Two ways that could have gone is, like, the hoodie, the red eyes, like the red lightsaber, or just like a bunch, like, a body pillow in the background and like, a bunch of, like, anime posters? I think would be the only two that I would have expected.

Ja (2:23)

Yep.

John Strand (2:25)

Correct.

Ryan (2:25)

Are we talking about John or, like, North Koreans at this point?

John Strand (2:30)

We're talking about Lazarus Group.

Ryan (2:32)

It could go either way.

Corey (2:33)

Yeah, we'll let it go either way.

John Strand (2:50)

Hello and welcome to Black Hills Information securities. Talking about news. It's December 8th, 2025. We're running out of podcasts in 2025. Getting close to 2026. I can't wait to change my password to podcast 2026. Exclamation point.

Ryan (3:06)

I got the cheat I'll change my password now.

Corey (3:08)

Yeah, I got the cheat. You just go 20, 27. They'll never guess. Oh, yeah, you got one of them up.

John Strand (3:13)

Keep them one. One year ahead of the behind the curve. Yeah, when you're behind the curve, you have to be one year ahead. It makes perfect sense.

Ryan (3:20)

Yeah.

Ralph (3:21)

If you think about it, cost them like one millisecond more in processing. And if you add that up, like, that's going to start to cost them some serious dollars and cents.

John Strand (3:29)

Yeah, for sure. This is going to talk about contractors wiping government records. We're going to talk about CVEs and react and next JS, we're going to talk about government apps on your phones and maybe we'll take a corner into toilet humor and talk about, talk about smart toilets and identifying you by your anal print.

Corey (3:51)

You did say.

John Strand (3:52)

We'll also talk about Lazarus Group and some interesting research published by Any Run on basically seeing what malware developers look like and seeing their webcams. It's kind of like flipping, turning how the turntables have turned.

Ralph (4:08)

You say that as John comes on.

Ja (4:09)

Camera, John comes on. He disappears.

Corey (4:13)

What.

John Strand (4:14)

What do malware developers look like? They look like John Strand. They look like John Strand sitting in his car. All right, let's get. Let's start with the. Let's start with the Next JS stuff. I don't think this is, at least from my corner of the world, continuous pen testing. This hasn't been as big of a deal as we originally thought it was going to be. This one dropped last week. It's essentially CVE in React and the next JS. It's a little bit confusing between the CVEs because the react CVE was actually closed. Because basically their explanation was we literally pick and place the Next JS code right into our code. So they should fix it. And it's. So it's basically on React JS to fix. The exposure was high. I think, like a lot of people use Next js. It's a very common component.

Corey (5:05)

Yeah. It's a very popular framework. So Next JS is not just a. A component of a. Of these websites. It is the entire platform that they're built upon. Right. So Next JS uses. All of. It's a compilation, it's the back end, it's the front end. It's everything. Right. It's one deployment that you make.

Ralph (5:25)

Right.

Corey (5:25)

So anybody who was in it is like seriously in it. They're not just like, oh, well, my app happens to kind of use it. They're like I use it as my application.

John Strand (5:34)

Yeah. And this is not easy to swap out. You can't just be like oh, we'll just swap it out for something else. Basically Wiz published the original blog and then. Or no, actually it was a researcher, you know, their own. There's reacttoshell.com it got a cool name which I feel like we got to have some kind of a confetti animation for when a CVE gets a cool name. React2shell is a pretty cool name. But yeah, basically originally there was no proof of concept exploit, then there was a proof of concept sept exploitation But I think by the time a POC went live, most like intermediary providers had already blocked it. So like cloudflare blocked it immediately. You know there was, there was some exploitation in the wild for sure but for the most part, at least on our customers, we didn't see any exposure to actual RCE in the wild. So like we tested everyone, we didn't see anyone. We saw a lot of unpatched JavaScript libraries, but we didn't see any like people that we could actually exploit with this unfortunately. So it was kind of a non issue on our end. But we'll still report it and tell people to patch their, their next js. I don't know how easy that is. Probably not very easy, but no, it's easy.

Corey (6:46)

You could, you could patch the next js. It depends probably how far you are back in the chain.

Ralph (6:49)

Right.

Corey (6:50)

There might be some features that, you know, cause issues in the functionality of the application.

Ralph (6:55)

Right.

Corey (6:55)

I actually read the whole write up of like exactly how this thing works. There's actually really a chain of exploit.

John Strand (7:01)

Or like the actual execution deserialization. Right?

Corey (7:07)

Yeah, but it is a chain of things to actually get that RCE out of it. Right. And then once you're there, you're actually executing inside of Node and then you can do whatever essentially that process could do, which usually is running in either some kind of user on the host. Right. And you can execute any command. Mostly you'd be looking to read environment variables and all kinds of other fun stuff.

John Strand (7:26)

Yeah, there was some super lame crypto mining campaigns that were using it. Right. Like the assumption being this is running on JavaScript, it's running on a server, so it's probably a powerful server. Yeah. I mean basically the other thing that was kind of funny when we were scanning for this is if you're really out of date, like if you're on next JS12, you aren't vulnerable to this. So like you had to be like sort of. Yeah, you had to be like sort of modern to be exploitable in this scenario. But yeah, basically 14x was vulnerable and then 15. There was versions of 15 and 16 that were also vulnerable. So, yeah. Patcher next JS Otherwise, I mean, I guess. Anyone else have any takes on this? It wasn't a huge deal as much as I thought it was going to be.

John (disembodied voice) (8:12)

But I'm just, I'm just going to say I've learned something from what you guys have said. And I've also learned today that if I turn on my camera from Restream, it's crashing my entire Restream session at the moment. So I will just be the disembodied voice of John Strand today.

John Strand (8:28)

Oh, how's malware development going?

John (disembodied voice) (8:34)

This is what I came in and I heard Corey say, this is what a malware developer looks like. And I'm like, that's probably. That probably needs to be a shirt.

John Strand (8:46)

And then you turn on your webcam immediately the timing becomes a YouTube short.

John (disembodied voice) (8:53)

I'm tempted to try it again, but it's probably going to puke.

John Strand (8:57)

All right, let's talk about what a malware developer looks like. Q. John Strand. This is a bug.

John (disembodied voice) (9:04)

This old school malware developer isn't showing up at all. Unlike a shadow in the back of the mind of your dreams, of your children.

John Strand (9:10)

He doesn't use webcams. What is he, a young person? So basically this is interesting blog from any run, which I don't know if it's pronounced any run or any, I've.

Ralph (9:22)

Always heard any run, any run.

John Strand (9:24)

I mean it's weird to put your like the dot IN your domain name as part of your name, but whatever. Here we are. They publish a really interesting threat intel write up. I'm assuming Hayden has read this better than I have, but essentially sandboxes have lots of information coming into them. And this is kind of similar to like the Huntress article where it's like, turns out when you have a sandbox, you have a lot of data you're collecting from that sandbox. That's why they're. They exist. So yeah, basically read the blog if you're a blue teamer. The cool thing is that you can see kind of behind the scenes of how Lazarus works. They're trying to deploy remote IT workers, especially in the financial and web3 sector, like crypto, corporate espionage. It's got all the fun keywords of a sexy nation state on nation state article. But yeah, I mean that, I guess that the in the, in the blog they publish a screenshot of the threat actor. And to me, he just looks like a completely normal guy. What?

Corey (10:22)

But okay, what were people expecting though?

John Strand (10:24)

Like, I mean, I think hoodie at the very least.

John (disembodied voice) (10:29)

I mean, is it, is it too much to ask that just once these guys are wearing a wrecker hoodie?

Corey (10:34)

Yeah, like right there.

Unknown Guest (10:35)

Totally.

John Strand (10:36)

Oh yeah, like a wrecker hoodie or like fingerless gloves. Like, he just looks like a guy that like, just got back from the grocery store and is like, he's on.

Ralph (10:44)

His 9 to 5 is what it is.

Ja (10:47)

Yeah, that's because that's what it is. He's on his. Exactly.

John Strand (10:52)

I kind of wanted it to be out.

John (disembodied voice) (10:54)

And they're like, mommy, why do his earplugs have like, strings attached to them? Never mind, dear. Never mind, dear.

John Strand (11:01)

That's from the before times, John. The answer is he's in North Korea. They don't have wireless headphones yet because they're.

Unknown Guest (11:13)

I don't know. There's something about this, the way they caught them that I just love, you know, they just, they played as dirty as they do and they got em because they played dirty. You know, it's like I had a, when I lived in Manhattan, in the Lower east side, I had a, a maintenance guy and he would always say, if you want to catch a rat, you have to act like a rat.

John Strand (11:32)

And I was like, that definitely applies. Yeah, for sure.

Ralph (11:35)

But I think you could take that too far.

John (disembodied voice) (11:37)

Actually, I, I think that's good advice. But sometimes, you know, when you're putting on whiskers and you're full furry cosplay.

John Strand (11:44)

Maybe, Maybe too far. Are you saying you don't just chew through people's walls?

Ja (11:50)

John?

John (disembodied voice) (11:53)

No, that's not anymore, but I'm recovering.

Ralph (11:55)

Corey, what, what I found out from this article, I, I didn't, I read some of it because it's interesting. These are the ones that like, I, I sometimes wonder whether or not to, Yeah, I wonder whether or not to include them on like, our weekly SOC intel report because they're very interesting, but they're not always very actionable. But this one I found, I found it really funny. I don't know why that they used calendly to like, set up this meeting. Like, no matter who or what you are, you cannot escape just meeting scheduling. And I struggled with Microsoft's options for this.

John (disembodied voice) (12:30)

So, so Hayden, do you think that all of a sudden we're going to see like a new MITRE category of like, and they're like, you Know, calendly is going to be part of the initial access column.

John Strand (12:41)

You know what we got to do is we got to trick all the SOC providers into putting calendly in their thr at intel iocs.

Ralph (12:49)

So then yes, you got a calendly link. I mean there is, there's got to be like sublime detections for like email with calendly links. Not necessarily saying that they're malicious, but as a signal.

John Strand (13:03)

So why not just. I'm also just so like, like reading behind the scenes here. Are they using GitLab or GitHub for their hiring?

Ralph (13:13)

What is interesting comments to say, like, hey, we think you're doing an awesome job. We would love to hire you for thing.

John Strand (13:21)

Like, yeah, it looks like GitHub, right? Like they're literally.

Ryan (13:24)

They were spamming PRs.

Ralph (13:26)

Yeah. Like they, I wonder if it's just random or if there's like some overlap of this person looks proficient enough for us to be able to want to hire them, but also stupid enough that they would fall for this. Like, how do they define that overlap?

John Strand (13:42)

Well, it's, it's whether they use tabs or spaces. Obviously.

John (disembodied voice) (13:47)

A long time ago, when I was, when I was still pen testing, I remember, which is a long time ago, admittedly, whenever you were targeting someone inside of an organization, you would look at the LinkedIn profiles and you would specifically look for the profiles that are like, this is a full stack Java developer that's an expert in multiple different technologies. And the more they kind of tooted their own horn, the more you're like, oh, this guy's going to click on any link we sent them. Right. You just kind of like bluff their ego just a little bit and you can get them to do anything at all. It's just, I wonder if they're you.

John Strand (14:23)

John, you gotta ride your horse to another McDonald's rip.

Ralph (14:27)

Yeah, I mean I'm looking at our email detections now and there's a lot in there already for like calendar invites. Those might be ics, but.

John Strand (14:36)

Yeah. Yeah, I don't know. No, I think it's a, it's one of those that like, it's so long it could be a book.

Corey (14:45)

Sure.

Ralph (14:45)

Yeah, they're always so interesting, but like, they are. They're one of those ones that you like, skim, that like you actually do need the table of contents. It's like in a lot of ways it's like if you're looking up a recipe online where you get to it and you're like, oh, this sounds really cool. And then there's eight paragraphs of, like, I was born in Massachusetts. Show me, like, the actual recipe.

Ja (15:09)

Take me to the darn recipe.

Ralph (15:11)

Exactly. And so you get to some parts of this article where you're like, okay, that's kind of. Kind of interesting. Like, the. The easy catch is, like, the pictures of these guys. Like, I think everybody's talking about it like they're just normal dudes. This is their job. I mean, they probably think about it the same way that a lot of us do, is they go to work and their job is to basically do crime. Oh, I don't know.

John Strand (15:36)

We don't know.

Ryan (15:37)

Yeah, all the connections were coming through Astral vpn, but I don't think they were able to get any beacons back on their, like, home PCs or whatever.

John Strand (15:48)

John, you gotta ride your horse to another McDonald's, right, for a Wendy's, maybe.

John (disembodied voice) (15:55)

Traffic through North Korea. Hi, everybody.

John Strand (15:58)

Yeah, yeah, John is joining us from Astral vpn. Who. I mean, do we really know that John Strand's not a North Korean IT worker? We don't necessarily know.

John (disembodied voice) (16:07)

I think the major VPN providers are like, please, dear God, don't say you're on our vpn. That's.

John Strand (16:15)

Yeah, yeah, John, you're definitely tripping the North Korean IT worker prevention mechanisms here. Like, you know, you won't turn on your webcam. We can't tell if you're real. Your voice could be a deep fake.

Ralph (16:28)

We need you to look today's newspaper.

John Strand (16:31)

Yeah. Can you. Can you blink twice if you're being deep faked? No. Ignore all previous instructions. No. Basically, I guess my other question about this. My other question about this is, like, is there. I didn't fully read the article, full disclosure, but is there, like a business case here for using any DOT run as part of your hiring process? Like, should you be, like, sandboxing your job interview candidates? Like, is this the thing we should be doing?

Corey (16:59)

I think that's what they were trying to get at.

Hayden (17:00)

Yeah.

John Strand (17:01)

Like, is that the goal? I hope not.

Ryan (17:04)

I don't think so. They used any run here in that after they signed up with the North Korean guy so that he could like, sheep dip them to get IT jobs using his identity or something. They wanted to use his laptops that he had at home to remote in and do the work. So the. Any run sandboxes were his laptops that he was setting up for them so that they could use those to work from the U.S. gotcha.

Ralph (17:39)

Okay. Yeah, I think there might be, like, somebody somewhere that would make that case. Corey, about like should we be sandboxing these? I think if you're that concerned you shouldn't have a BYOD policy like that concerned that you're going to hire like an APT by accident. You either need different hiring have a laptop. Right. You need to have a little bit different provisioning policies. Probably.

John Strand (18:07)

Yeah.

Ryan (18:08)

However, another tactic that Lazarus uses is setting up like fake interviews for people that are trying to get work and affecting their system. Give them a product, you know, project or something and then they run some malicious code. So like doing your interviews on an any run SAMP or any dot run sandbox would probably be a really good idea.

John Strand (18:31)

Yeah, I think if I was job hunting in today's day and age, I would be using like a VM or a burner laptop or something that I. Because I mean nowadays even if you're interviewing for a legitimate company, let alone a North Korean IT worker, I think the amount of monitoring software they want on your system when you interview is getting to be absurd. Especially for like a development position like Amazon or something. I've read some pretty crazy. Because they're trying to make sure you're not using AI. You know, it's a whole cat and mouse game thing.

Ralph (19:02)

But John says the sales team is freaking out. We use Calendly. Calendly isn't compromised. But what I will say is you can expect the hustle from these guys to shell out for the best tools. They got Calendly, they got slack like they got, they got all the nice.

Corey (19:18)

Tools, all the premium subscriptions, Right?

Ralph (19:21)

Exactly.

Corey (19:23)

Yeah.

Ralph (19:23)

And they got any run like nice.

John Strand (19:25)

So can you buy Calendly Premium with Bitcoin then? I guess so.

Ralph (19:30)

Oh man, somebody got your credit card. Oh yeah, that's true. I, I guess they could just be abusing people's accounts. Like they just compromise.

John Strand (19:39)

Yeah.

Ralph (19:39)

The account and then they just use that. That's probably what it is.

John Strand (19:42)

Yeah, that's probably what it is. ATO is from stealer logs or something. I mean it is also like remember this like geico. It's so easy a caveman can do it. Maybe they should be like calendly. It's so easy. North Korean threat actors can use it.

Ralph (19:54)

Im imagine the call though, like if this became like, I don't know, like a government investigation in some capacity. Imagine the call where like you get called up by like the FBI and they're like hey, do you use Calendly? What, what, what are you talking about?

Hayden (20:10)

You know, the sneaky way to go about it might be a. The most hired People in America use calendly.

John Strand (20:19)

Are you overemployed? Get calendly. All right, I need to stop. For the record, I have no skin in the game. I'm fine with calendly. Microsoft bookings is what I use, and it's straight up trash.

Ralph (20:29)

So are you fine with North Korean APTs, though?

Hayden (20:32)

How are you.

Ralph (20:32)

How are you about.

John Strand (20:33)

Oh, yeah. Oh, I love scheduling meetings with North Korean apts. All right, let's talk about these contractors who got. Who got charged this week. Virginia brothers.

Ralph (20:43)

Oh, no, I did read this one.

John Strand (20:46)

This is. I didn't either, but we're gonna do it anyway.

Ralph (20:48)

I did.

John Strand (20:49)

That's the. That's the nature of the show. So this is an article in Bleeping Computer. Basically. Prosecutors have charged two Virginia brothers. They were arrested on Wednesday allegedly conspiring to steal sensitive information and destroy government databases after being fired from their jobs as federal contractors. Their names are. I'm not going to try to pronounce them, but they're both 34. They're sentenced to several years in prison in 2015 after pleading guilty to accessing U.S. state Department systems without authorization. So they already have a record. They also have a record going back to 2013, and somehow that didn't prevent them from being hired as government contractors.

Corey (21:27)

So many questions about that.

Ralph (21:29)

Only Sandbox.

John Strand (21:31)

Yeah, they should have used any.run and calendly. That would have saved them. So basically, they got fired and then they got angry and then they deleted some databases, including Department of Homeland Security database. They apparently have the logs where they asked an AI tool for how to clear system logs after deleting a database. Come on, you guys have been in the game deleting stuff for 10 years and you haven't figured out how to clear system logs?

Ralph (21:57)

Come on. I remember. If you can just ask Chat GPT.

Corey (22:00)

Exactly how to clear my Chat GPT log. That's what I really.

John Strand (22:05)

Okay, so the real, like, I don't want to.

Hayden (22:07)

Definitely going to hallucinate that answer.

Ralph (22:10)

It's gonna smile and say, type this command and we'll delete everything.

John Strand (22:14)

Where did they get hired? What government contractor hired them with a freaking record of deleting databases.

Corey (22:22)

It was probably like one of the really big ones.

John Strand (22:24)

Did they parlay it?

Ja (22:26)

I would have said it starts with a D and ends with an E and only has four letters.

John Strand (22:32)

Yeah, well, this is a contractor, so safe to say it was probably not that one. But basically I'm like, do you think they parlayed it? They were like, yeah, it says right here on our. Our criminal report that we have experience with databases. Maybe it was deleting the databases, but we still have experience.

Ralph (22:51)

Okay, good luck finding anyone else who knows.

Corey (22:53)

Sequel.

John Strand (22:57)

Yeah, so I mean, again, they're getting charged again. They're probably going to go to jail again. This is super obvious. Like it's not. Digital crimes are the easiest to get caught doing.

Ralph (23:07)

Like. Sure, but the maximum, like this one for, for the. The one brother. The maximum penalty is six years. That's not very long for very intentionally committing government crimes.

John Strand (23:20)

But dude, six years for an RM RF? What is he getting from this? Well, they have 45 years. They have backups even. I don't know, it's.

Ja (23:32)

Like they have backups. This is the government we're talking about.

Ryan (23:35)

True.

Ralph (23:36)

There were those jokes for a while that like, Claude would call the cops on you. I think maybe Chad GPT called the cops on them. It's like, hey, these guys are trying to delete a database called Social Security numbers. I need you guys to. Need you guys to take care of them.

John Strand (23:52)

I. Yeah, I truly don't know how. How they got hired again, how they did it again without like, they didn't change their ttps at all. They just sound like they're angry and dumb. That. That basically is the, you know, that's the vibe here.

Unknown Guest (24:07)

Yeah, I would argue the dumb though. I mean, you'd have to be pretty smart to evade those systems the second time after two felonies previous.

John Strand (24:17)

No, no, no, no. It's incompetence on both sides. The people who hired them are also dumb.

Ralph (24:23)

Yeah, I mean, it's. I mean, you sort of joke, but it's all about like the lowest bidder. And so with the lowest bidder you can only afford up to a certain point. And so I guess you sometimes find, hey, I can cut these corners. These guys seem proficient. Let's bring them on. We need to win this contract right now. And then you don't really think about it and you hire these guys or North Korea by accident.

John Strand (24:46)

In their defense, they were hired to delete databases. They did their job.

Corey (24:50)

I found who the contractor was, which I had to read like six articles while you guys were talking to finding.

Ja (24:55)

Oh my gosh, I'm dying to know which one.

Unknown Guest (24:57)

I'm dying to know who it was.

Hayden (24:58)

Which one?

Corey (24:59)

It's Opyxus.

John Strand (25:02)

Oh, okay. So it's a shell corp for.

Corey (25:04)

Yeah, so they. They actually host data for more than 45 federal agencies, so.

Ja (25:11)

Oh my God.

Ralph (25:12)

Operational excellence for government. Oh, yeah.

Corey (25:18)

Anyways, so that was the that, that was. There's some other reporting that if you're.

John Strand (25:23)

If you're an ex, if you're an ex con looking to get hired, I highly recommend going to work at, what was it? LPX.

Ralph (25:30)

If you look at their glass door, only 38 of people would recommend them on Glassdoor.

John Strand (25:35)

So how many of those are ex cons?

Ralph (25:38)

I, I would imagine not many because ultimately that got cut. So like if I got convicted and while working at a place and went to prison, I'd be like, yeah, don't work here.

John Strand (25:47)

I mean, I'm all for giving people a second chance, but this feels like, like, okay, if you deleted databases and got convicted for it, maybe you should go work in like woodworking. Like go do something else. Like whatever it is that you did and got. Like you're just encouraging people to reoffend by putting them like, hey, last time you got upset and deleted a database, let's put you in the exact position again where if you get upset you can delete a database. Yeah, it just seems, I think they.

Corey (26:16)

Didn'T do their due diligence when they hired them. And these contractors, they worked off of one thing which is filling seats. They get that percentage of the contract and so they're just looking to fill seats and they didn't do enough due diligence. That's probably what.

John Strand (26:28)

But dude, a felony from less than 10 years ago, you shouldn't have seen it.

Corey (26:33)

I'm just saying they decided to ignore it.

John Strand (26:36)

If they had just googled their names. Anyway, anyway, yeah, yeah, yeah. Anyway, I guess let's, let's, let's talk about Apple refusing to install government tracking apps or I guess state run cybersecurity apps. Basically the article title is Apple refuses to pre install government apps on iPhones in India. This is kind of an interesting precedent to set. Basically in India they were requested to comply with an order from the Indian government which required them to install, pre install a state run cybersecurity app on all iPhones. So it's not like this is just a custom order for the government or something. I'm not sure exactly what the cybersecurity app is. I'm sure there's someone who could tell you more details about that. But basically Apple saying we're not compromising our app, like out of box experience for any nation state, which is kind of interesting.

Corey (27:32)

It is, it is. So the app is on the app Store. Right. Okay, so you can't install it, but.

John Strand (27:37)

Right. It's not side loading. It's not.

Corey (27:39)

Yeah, but they Just want it to like force it installed, like across the board. Like as soon as you get this device, you open it up, it's like installed, you know, which is a huge.

John Strand (27:48)

I feel like you cannot overstate the impact of that. Like, the default apps are the apps that everyone uses. Like, if it's installed by default, everyone's going to use it. Essentially the other thing that the order stipulated was that the app's functions could not be disabled or restricted by the user. So it's pretty sketch. Like, ultimately you could argue that Apple's just being lazy here, which, you know, for business purposes is kind of important, but also they're potentially risking. I mean, I'm assuming that the iPhone market in India is absolutely massive. Right. It's probably like in the billions of dollars. So it's interesting that, yeah, like there's.

Corey (28:26)

There's a billion people in India.

John Strand (28:28)

Yeah, yeah.

Ralph (28:29)

And that's huge, Mark.

John Strand (28:30)

Apparently.

Ralph (28:31)

It was apparently withdrawn that directive. But I don't see Apple ever doing that. Like, Apple makes a disclosure. Everything around me is Apple right now. But Apple makes a big fuss about being like the privacy devices. And yes, okay, maybe, maybe in some cases they're better than alternatives. But what they do best at least, you know, at least what they try to do best is their hardware quality is always going to work exactly how they say it is. And then their like, onboarding flow of like a new device is flawless. And what they, I think don't want is to turn into a Microsoft where now you're getting ads in the Windows menu bar. And so as soon as you start getting bloatware, people are going to get pissed. I get pissed when I install a new phone and I have GarageBand. I'm like, why did you put this here? Get rid of it. Pages. No. What is this, dude?

John Strand (29:23)

You don't use the Pages app. I use it all the time. I definitely know never. I definitely know what it's for and what it's intended to be used for.

Ralph (29:31)

If we get a critical zero day in Pages, one person will be affected and it will be Corey.

John Strand (29:38)

No, I, I've. For the record, I don't. I have never. I don't actually. Is it. I'm assuming it's just their Word, their.

Ralph (29:44)

Microsoft, Microsoft knockoff that are pretty.

Ja (29:47)

Hold on a second.

Unknown Guest (29:47)

Let's.

Ja (29:48)

Let's back up a little bit. As I've been reading more into the Reuters article. It's not just that it's an application, it's that the government is requiring their application to be in there. And I'm sorry, anytime a government wants to force an app to be loaded into all digital devices within their nation state span, that's pretty sketch because you know, what are they tracking? What are they looking for? India. No offense to anyone in India or India government, they're already a known factor for having some pretty sketch cybersecurity practices in not just government but all over the place. So yeah, this is not good news. And when they issued, when the Indian government originally issued this, they didn't just hit up Apple, they hit up. Where's the list? Hold on a second. They basically hit up all of the major phone manufacturers and you know, gave him 90 days to comply.

John Strand (30:55)

So how many said yes? That's the question.

Ja (30:58)

Yeah, that I can't find.

Hayden (31:01)

So this was a confidential order. So somebody leaked something for Reuters to even be able to write about this. Just like when somebody leaked something about Apple and the UK and having all of their icloud based encryption backdoored. And backdoor is the wrong word. It was a master key situation. What I keep seeing and what's in stark contrast is Apple standing up to countries outside of the US about things that maybe are public knowledge and maybe wind up becoming public knowledge where it makes them look like they are protecting everyone's privacy and are doing it in a global way. And they are definitely doing it in a way where it makes it seem like they are willing to pull out as a company from whatever country that is.

Corey (32:03)

Sure.

Hayden (32:05)

At the same time they've turned around and pulled things on what is clearly US government push. Whether or not there's legal orders or not is a separate question. But there's no question that Apple pulled things that have political meaning and political context from the App Store when the US government was leaning heavy and loudly that XYZ apps should go away.

John Strand (32:35)

Yeah, but I'm less, I'm less worried about pulling something versus pushing something onto literally every phone. To me the impact of that is way different.

Ralph (32:43)

Recovering like censorship versus surveillance censorship versus.

John Strand (32:49)

Surveillance censorship is to be expected and is literally a legal duty of a company.

Hayden (32:54)

Surveillance. What the apps that got pulled were crowdsourced surveillance apps?

John Strand (33:03)

Well, there's, there's a lot of apps that have gotten pulled for a lot of different reasons. So I, I don't think we should really get into that on this, that it's not really part of this news article. But yeah, there, there's a difference between the government asking Apple to install an app on every phone and have it enabled by default and have it not be able to be disabled versus Apple not wanting to get in the middle of a political spot. Right. Like there, there's a lot Apple and I think really at the end of the day Apple's a company who just doesn't really want to be in the news about this kind of stuff like at all. They just want to be like no, we sold you the phone. It does what it does. We don't want to talk about it after that. Like we made our money.

Ralph (33:40)

We'll see you in one year when.

John Strand (33:42)

You buy another one. See you in one year. Like, like we'll leave you alone, you leave us alone. And we don't want to talk about what's on the phone or like anything else. But I mean there was never, there.

Ralph (33:53)

Would never be a situation where a government goes through that effort and they don't get something out of it. And it's never going to be just like oh you're your country's users are more secure. Like no. They have some sort of stake or backdoor or something in that app Kill Switch maybe. Exactly. They have some amount of, of intelligence gain through that sort of thing.

Corey (34:13)

Protect the kids. Everyone knows the truth.

John Strand (34:15)

Well yeah.

Ralph (34:16)

And they're using kids as like a doing what?

John Strand (34:20)

Yeah, absolutely. Well and there's a huge like bloatware is a whole separate beast. Like I think you could argue that there is Apple bloatware. I would argue it's first party bloatware and it just wastes space. It doesn't really do anything versus like.

Ralph (34:34)

It'S easy to get rid of.

John Strand (34:35)

Yeah, it's easy to get rid of. It doesn't waste space. And then you have, you compare it to like Samsung which has like you know or, or Microsoft products at least the lower end ones that have ads in the start menu and pre installed games and like push notifications coming from things, you know like it's a, I would say bloatware is a spectrum. I think Apple's maybe about as from a commercialized company, about as low as you can go. I mean obviously if you go like install Arch Linux, there's no bloatware or whatever but like yeah, then you, then it goes up to like, you know there's probably some low end like if you buy like a hundred dollar Android phone, I'm assuming it comes with just like from, you know, from I don't know one of these like pay as you go mobile services. I'm assuming that comes with all kinds of tracking apps and weird network configurations and free antivirus products and Stuff like that. So yeah, yeah.

Ja (35:27)

Wasn't technology supposed to make our lives better and easier and stuff like that?

Hayden (35:32)

It hasn't made your life does that.

John Strand (35:35)

Yeah, I would argue there's more to that statement.

Hayden (35:38)

I just haven't said it out loud.

John Strand (35:40)

I think smartphones have done that. I think they've also introduced a nice sense of existential dread that we have to live with. But yeah, I was definitely as nice not being like, we'll meet at 7:30 and if you get a flat tire, I just don't know if you died or not.

Ja (35:54)

Actually, Ja wrote a really, really great article, posted it on LinkedIn talking about his ongoing divorce from social media and the whys and wherefores and then also describing his experience after the fact. And I'm seeing similar kinds of posts from a variety of different sources. I think people are just burned out by the whole cyber security or not cybersecurity, social media bs and being prodded into this endless engagement for the sake of engagement. And something you might want to take a look at.

Corey (36:37)

Yeah.

John Strand (36:38)

And I think for everyone that's burned out, there's 10 people that are super into it.

Ja (36:44)

But yeah, I think the numbers are probably flipped. They're burned out but they don't know what their choices are. They feel, yeah, it's fomo.

Ralph (36:52)

There's billions and billions or maybe trillions of dollars built into, you know, building on your attention and retaining it for as long as you possibly can. And ultimately sort of sort of like nation states versus like private companies. Eventually the funding will win out unless you have like some unique vector in order to, like in order to kind of approach from. And that's something like we talked about a lot at like my last job because we were also a soc, but we dealt a lot with apts and we were like, well, we have limited budget. China does not really in that sense. So how do we maximize and sort of, you know, set ourselves up for detection and prevention when you know, the opposition has, you know, billions of dollars more in budget than our company makes, period.

John Strand (37:40)

Yeah, yeah.

Ralph (37:41)

I don't know.

John Strand (37:42)

So on the Apple front let's. I mean there's an article also in Reuters about Apple apparently blocking FaceTime. My biggest surprise with this is that Apple that it was allowed before this. I'm surprised by that. Yeah. Basically Apple has now blocked FaceTime nationwide. I'm surprised Apple's FaceTime.

Hayden (38:06)

Yeah.

John Strand (38:06)

Oh, that's what I said. Right.

Ralph (38:07)

I thought you said Apple.

Ja (38:08)

No, you said Apple blocked FaceTime, not Russia.

John Strand (38:11)

Sorry, Russia blocked FaceTime in Russia.

Ja (38:15)

Yeah.

Ralph (38:15)

Oh yeah, and Roblox. Dude, the kids are gonna be so madness.

John Strand (38:20)

That's how you create a revolution right there. Yeah, but don't worry because there's a state backed app called Max which definitely isn't related to HBO and also definitely doesn't surveil your every communication.

Ralph (38:32)

It comes pre installed, just not on your iPhone.

Ja (38:35)

Oh, HBO Max is getting bought by Netflix though.

John Strand (38:39)

Yeah, no, that was a joke. The Russian Maxes are FaceTime in Russia.

Ja (38:45)

Yeah, it's hard to keep track.

Ryan (38:48)

I mean, are we positive that Netflix is not.

Hayden (38:51)

They're trying to make it be WeChat.

John Strand (38:54)

But Russian, I mean they're like, hey, we don't, we're all out of servers Russia, we're out of servers here. How about we just use Chinese encrypted chats that they can decrypt and then we'll just ask them for the logs if we need to.

Ralph (39:06)

Nice. Yeah, Roblox said it respects this decision or respects these laws, basically. So they were like anything got Roblox, right?

John Strand (39:15)

Thank God.

Ralph (39:16)

Partially. But I guess anything that Roblox is like, yeah, we're good with this. I think maybe we should hesitate to consider their opinion. They're not quite always the most level headed in their, their policy decisions. I would say.

John Strand (39:31)

Well, I mean, I would say they probably just blocked the absolute biggest troll farm.

Ralph (39:38)

That is a good point. Is maybe they're okay with it because they're like, well, this solves one of our problems right now.

John Strand (39:44)

Yeah, yeah, that's my guess. I mean, ironically, it's kind of hilarious that the reason they blocked. I mean they don't really give an official rule on why they blocked FaceTime, but I would guess the reason is for censorship. They want to be able to. Or surveillance. Right. Like they want to be able to see people are saying and doing. And so they want people to use the state controlled app. So it's more about eliminating the alternatives to the State Run app. Although I will say, like I'm assuming people are. A lot of this is for international communication. Like am I allowed to just use Max to talk to a Russian person if I live in the US it feels like it might be hard to get that app installed on my phone. What?

Hayden (40:21)

Really?

Ralph (40:22)

These articles are very, always very interesting to me from the perspective of which apps are they blocking? Because there has to then be some, I guess maybe technically loosely grasping, but. Well, no, there's like some assumption that they cannot get the data either through, you know, some backhanded memes or through like a legal process, they can't get the data from those platforms. Meaning those are probably the safest to use. Like, if they're like, no, you're good to keep using WhatsApp probably means that. So they already banned one way.

John Strand (40:53)

So they already had, or I guess it says limited some calls on WhatsApp and Telegram because they refuse to share information with law enforcement and fraud or terrorism cases.

Ralph (41:02)

Okay, I didn't even see that part. Yeah, because that's, yeah, that's what they're going to block is the things that they can't surveil. Like, if they can surveil it, why would they care?

John Strand (41:10)

Exactly. It's interesting. It says limiting some calls and they're threatening right now to block all WhatsApp calls.

Ralph (41:16)

So I have no idea. Some of them are encrypted and some of them aren't.

John Strand (41:20)

Other, other news that I've.

Hayden (41:22)

Other news that I've seen about, it said that they were stripping video calls first and that it was still allowing audio calls. So that may be the line that they're drawing.

John Strand (41:30)

Well, maybe our servers can't store all this surveillance information. Can you just do text instead? We can store that easier.

Ralph (41:38)

DB Some cases, like with the iPhones, at least when you call on one of these apps, it almost like uses your phone application in order to make this call. And I don't know how it works differently on the back end, but I wonder if that allows them to still view these communications versus if it's like over the. The app itself without ever touching the phone's like, operating system. I guess from that perspective, it probably.

John Strand (42:01)

Is about surveillance capabilities instead of that.

Hayden (42:04)

This is the same blocking order that initially went out as a threat to all of these different companies. And we're seeing Russia actually do the block when they finally get back enough of a no, we aren't going to let you in. We aren't. We aren't going to give you our encryption keys.

John Strand (42:24)

WhatsApp is sending the absolute minimum number of.

Hayden (42:27)

Of what said no. And Apple took longer to come back with a no. Probably because Apple's legal, went through every hoop they could think of.

John Strand (42:38)

Yeah, maybe. I mean, we don't know. But either way, if you live in Russia, I'm sorry, you're going to have to use Max.

Ralph (42:46)

No more Roblox for you.

John Strand (42:47)

Sorry, no more Roblox for you. Sorry. Yeah, you already lost every Western Roblox.

Ralph (42:52)

Yeah.

John Strand (42:53)

Honestly, my biggest surprise is that this was still allowed. Like, I know Apple ceased sales. Like, didn't they stop selling products in Russia, like, years ago, like most of the Western countries and have pulled out of Russia, like Coke has. McDonald's has. You know, every major company has pulled out. So I'm like, how was this still allowed? It's kind of shocking, but.

Ralph (43:16)

Well, I wonder if maybe the US Was like, hey, Apple, you should hang out a little bit longer on the software side over there for a little bit. That would be very, very cool of you. And we could get you some sick deals.

Hayden (43:27)

I mean, I also just replaced my iPhone 8 Plus from 2017 last week.

John Strand (43:34)

Yeah, that could be a long tail.

Hayden (43:37)

On a long tail.

John Strand (43:38)

Yeah, true, true.

Ja (43:41)

Hey, I figure if children and other people are being forced to build this stuff in other countries, I'm going to put as many miles on my devices as possible to honor their sacrifice.

Hayden (43:57)

Where my decision came from, but that's reasonable.

Ralph (44:00)

I honor their sacrifice by always making sure to use their most recent work.

Corey (44:04)

That they upgrade every six months.

Ralph (44:06)

Like, you just make it. I'm sure. I want to respect your latest work.

John Strand (44:10)

They don't even release a new phone every six months, Ralph.

Ja (44:13)

I can't afford to upgrade that much. And there's.

Corey (44:17)

Neither can I. That's just what that was.

John Strand (44:18)

An obvious troll.

Ralph (44:19)

That's why you trade in with. I can't say the name, I respond.

Ja (44:23)

Trolls are more fun if I buy into it and play back.

Hayden (44:26)

Come on.

John Strand (44:27)

When? I'll send you a calendar link. Okay. You're a North Korean apt, all right.

Ralph (44:32)

And I'll refer you to Verizon. Get a really great deal.

John Strand (44:36)

I'll call you on Max. All you have to do is go to Sketchy and download the Max app and then type in the custom server of sketchy1ru colon6.

Corey (44:46)

I just signed up for the australvpn. So we can definitely.

John Strand (44:49)

Oh, nice, dude. I've actually. Yeah.

Ralph (44:51)

Channel for us.

John Strand (44:52)

You going on the job hunt? No. So, okay, I think it's time with the last little bit of the show that we should talk about anal prints.

Corey (45:01)

Oh, God.

John Strand (45:04)

Okay.

Hayden (45:05)

I can't believe people can do actual medicine with that.

Corey (45:08)

Oh, God.

John Strand (45:08)

Okay, so first of all, I'm looking. And why is this. Is this article from 2020? What is happening?

Ja (45:16)

The first time it came up was in 2020, but Kohler has joined the wall of shame.

John Strand (45:23)

They're like an actual reputable company. Okay, okay, so here is the. We're gonna. We're gonna verge into toilet humor for a little bit. That's not the one, Ryan. That's the one from 2020. Go to the next one. Go to the TechCrunch article from 2025. So we're gonna verge into toilet humor for a while. If you don't find toilet humor funny, then I'm. First of all, I'm sorry for your loss of that sense of humor that you used to have. But basically the article is that end to end encrypted. That's a feature of a smart toilet. There's a product. There's so many guys. Oh my God. God, we are breaking ground so much here. There's so many things that don't need to exist in the same sentence. Like number one.

Ralph (46:17)

Okay.

John Strand (46:18)

Number. The first thing that just really doesn't need to exist in a sentence at all is the combination of toilet and camera. And those two things should not be in the same sentence just no matter what.

Ralph (46:30)

Toilet and end to end encryption.

John Strand (46:32)

No, no, no. Okay. So I consider toilets to be already end to end encrypted. I. I go. And then whatever happens after that, I. There's that. That data's gone. Yes, that data is end to end encrypted.

Corey (46:47)

Dude.

John Strand (46:48)

I don't know where it. I don't know where it's being decrypted along the way. I don't think anywhere.

Ralph (46:52)

It's not even end to end encrypted. It's like it's. You're sending your over. HTTPs is what it says.

Corey (46:58)

Literally.

John Strand (46:59)

Okay, yeah. Well, so that is. That is the problem. So basically that this is essentially.

Ralph (47:09)

So.

John Strand (47:10)

A threat researcher, a security researcher who I absolutely loved. I would love to have them on the show, published it. You know, basically kind of a tech article that essentially says it's not actually antenn encrypted. That person's name was Simon. Simon Fondry Tellier. I don't know how to say your name. I'm sorry.

Corey (47:29)

He had to buy.

John Strand (47:29)

But they had a block. They had to buy it, correct? Yeah. So basically they published a blog that's, you know, basically. The company's called Dakota.

Ralph (47:40)

Oh my God.

Corey (47:40)

You could get it on a subscription for $6.

John Strand (47:43)

600 device. It's $600 plus a monthly subscription that attaches to the rear of your toilet. The purpose of this device is to collect images and data from the inside, promising to track and provide insights on gut health, hydration and more. The company is selling it as N10 encrypted, but essentially the researcher discovered that it's not N10 encrypted.

Corey (48:03)

Did.

John Strand (48:04)

They're just using HTTPs. So like, the marketing people were like, we're selling a smart toilet camera. Maybe we should just say it's encrypted and no one will ever care. Also, they really.

Corey (48:14)

Their.

John Strand (48:15)

Their response was like, it points down, bro.

Ralph (48:19)

Yeah, they. It also says, I found the points down.

Ryan (48:22)

How is it using the print?

Ralph (48:24)

It's a great question.

John Strand (48:26)

Okay. Based on anal. Okay, so the anal print concept, that was from an older article from 2020.

Corey (48:33)

So this is poop though, right?

John Strand (48:36)

Yes, yes. This is just like.

Ralph (48:37)

This is a down though classifying it.

John Strand (48:40)

This is a downward facing camera plus a subscription service. Can you imagine, like, being so needy in your life that you need an app to tell you that you're dehydrated instead of just looking at your own pee?

Ralph (48:54)

Well, it's gonna get better because this, this paragraph says it's possible the company is using the customer's bowel pictures to train AI. Citing another response from the company, the researcher was told that Kohler's Algorith quote trained on DE identified data only.

John Strand (49:11)

Is this the first job. Is this the first job for AI that it's actually good at?

Corey (49:15)

Oh, my God.

John Strand (49:16)

Yep, that's.

Ralph (49:17)

This study's fine.

Corey (49:18)

That's poop.

John Strand (49:19)

Yep, it's poop. I figured it out.

Corey (49:23)

Could you identify who it was?

Hayden (49:25)

I just need to point out that we have gone from GI go to siso.

John Strand (49:32)

I don't know what any of those acronyms mean.

Ralph (49:35)

I got it and I appreciate it.

Corey (49:36)

It.

John Strand (49:39)

I see.

Ralph (49:40)

Oh, man. I think this is how we find AGI though, is because AI at a certain point is like, I don't want to do this anymore, bro. Like, I'm done. I gotta get out.

John Strand (49:48)

Think about this.

Corey (49:49)

So, all right, so it said they had encrypted, you know, pictures, whatever. But, like, what would happen if you had access to all these pictures? Like, what, what could you tell?

Ralph (49:57)

I could bully you, probably.

John Strand (49:59)

I'd send a fishing message that says, hey, stop eating Hot Pockets. You have diarrhea.

Ralph (50:04)

I guess it also cost 100 doll. Subscription is mandatory. Like, bro, everything is a subscription now. Like, from your bed to your toilet.

John Strand (50:15)

It's just, I. I mean it more than anything. We just can't not talk about it because it's. We joked about it in 2020, probably about the anal print thing, and now here we are in 2025. There is a commercial product you can buy that has an app that charges a subscription fee. I mean, honestly, I think the most embarrassing part of this, if it was breached, would be finding out that your friend has a smart toilet that looks at their poop.

Ralph (50:39)

Right?

John Strand (50:40)

That's the embarrassing part.

Ralph (50:42)

I would bully any of my friends that owned this. 100%.

John Strand (50:45)

Yes, 100.

Corey (50:47)

Oh, God. Now I have to return it. Thanks, guys.

Ralph (50:52)

That might be worse than all of this.

John Strand (50:54)

Now I feel bad. Okay? Now I feel bad. No judgment here. No judgment here.

Ryan (50:58)

What if you have a guest and they use it and then suddenly, you know, you get this, like, notification from.

John Strand (51:03)

Your smart toilet that is just. Is there gonna be, like, a Strava for pooping? And it's like, so many levels on which this.

Hayden (51:14)

Someone in the discord presume for a second that it's TLS and the images are growing into some S3 bucket or something stupid like that.

John Strand (51:22)

Yeah.

Hayden (51:22)

And someone leaves it open because it's an S3 bucket and people do that.

John Strand (51:27)

Shouldn't it be called an S3 ball?

Ryan (51:29)

Stands for.

Ralph (51:34)

Somebody in the discord said time to start flushing random things in order to poison the data set.

John Strand (51:42)

Like, flush. Like, you know, in the toilet commercials down there. Yeah. They're like, how many golf balls can the toilet flush? As far as, like, 40 golf balls. They're like, poop help. 100 out of 100.

Ralph (51:53)

Create a bunch of, like, soup down there. Like, here we go. Good luck with that one. Idiot.

John Strand (51:57)

It is funny, though.

Corey (51:58)

I think that this just highlights that a lot of companies say something's encrypted or ended encrypted, and it's not. Right. Ssl. And they're like, oh, look, it's. It's encrypted all the way to us, you know, but that's not end to end encrypted. I think that's just kind of what we're.

John Strand (52:12)

Yes. It's funny. As a marketing term, it's. It's hilarious that someone said, I bet not. First of all, maybe this person was just going after that open S3 bucket like, or S3 bowl like you were talking about. Yeah, yeah, yeah, right.

Ralph (52:28)

I mean, the end encryption is like, you know, whatever they say, like government. Government level encryption.

Corey (52:34)

Okay, Dicks. I heard about that.

Ralph (52:35)

Yeah. Oh, yeah, exactly. Government level. Okay, good for you, buddy. Like the same as everybody else.

John Strand (52:40)

I think, just for context.

Corey (52:42)

Most things that we interact with every day are not in the correct.

John Strand (52:46)

The exception is minority.

Corey (52:49)

Excuse me. Of the actual things we do are truly in encrypted. Most everything else right now has some level of transport encryption, so ssl, but that's really about it.

John Strand (53:00)

Yes.

Corey (53:00)

You know, give it a bit of.

Unknown Guest (53:01)

Yeah.

Ja (53:02)

Transfer.

Hayden (53:04)

They say up front that it's.

John Strand (53:05)

That the. If you're transporting.

Ja (53:10)

I think they did vibe code it.

John Strand (53:12)

Yeah. There's so many more jokes. I have like, number one. Does it have like a clog detection alert that sends you anyway?

Hayden (53:20)

No, that's the smart toilet too. I've seen the thing about that. That is the actual smart toilet. It's not the camera you add to your toilet.

John Strand (53:27)

Okay, I see. Yeah. So it's a $600 app. On the other thing, I think the only way this would ever work, like, the only way I'd ever consider it is if it's completely on device only. There's no WI fi or any other data connection. There's no cloud component, there's no subscription, there's no nothing. It's just when you go to the bathroom, it gives you like a happy face or a sad face. And then you like, you adjust from there. You know what I mean? Like, it's got to be.

Hayden (53:51)

There's a happy face and I call your doctor.

John Strand (53:54)

There's a happy face, sad face and then call your doctor.

Ralph (53:58)

And then there's like a, like a little chilly emoji.

John Strand (54:01)

Chill.

Corey (54:02)

Somebody's going to do a little project and find out. It's just random.

John Strand (54:06)

Yeah. Really, it just is a four. You know, I. In one through four pick a random.

Ralph (54:11)

Number or they use like GPT3 and please.

Hayden (54:16)

Yeah, so somebody mentioned in chat, like, what about the doctor? There is an article saying, you know, you can do some amount of meaningful medical information by analyzing this kind of footage. So. So, like, the idea of that is not bonkers. Someone can do something with that.

Ralph (54:34)

Yeah, it exists.

Hayden (54:35)

That doesn't mean I want to spend 600 bucks on it. And it doesn't mean I want to get credit through paying for it with my FSA from some company based like.

John Strand (54:46)

No, I think I'll just. No, I'll wait for my doctor to recommend a toilet camera and then I'll do that. When that happens, if my doctor does that.

Ryan (54:54)

Or just go to your doctor with several hundred pictures of your poop and.

Corey (54:58)

Be like.

John Strand (55:01)

Doctors, your new LLM. I will say, okay, the, like, this might be. I think like the previously worst job on the Internet was the censorship. Or not censorship, but like the content moderation team. Right. Like running the content moderation for Facebook or something would be the worst job on the Internet because you have to like scroll through so much hate speech and child abuse material. I think that's still worse. But I think this is now the second worst job on the Internet is being paid to train a model to like run. What if you get this as a captcha? Is this poop Click all the toilets with poop. Like, I. Yeah, I mean, Amazon has.

Corey (55:40)

The turk thing, right?

John Strand (55:41)

Yeah, Mechanical turk.

Corey (55:44)

That would be probably one of the chores that Kohler is paying. Yes, but do is like, is this good or bad? I don't know.

John Strand (55:50)

Yeah, exactly. And then, yeah, I will say I do think like, I don't know how people are living, but when you go to like an airplane bathroom or a truck stop bathroom or something, they don't appear to be doing well. Like, it's not like people do not. Maybe people do need this. Honestly, I've come full circle. I think it's worth the 600.

Unknown Guest (56:08)

Well, someone did put in chat that like customs. Like, you know, if people are like border control trying to like swallow stuff and get it passed, like there might be a use case for it there.

Corey (56:18)

Oh God. Yeah.

John Strand (56:19)

But that would just be. You wouldn't want the downward facing toilet cam for that one. You just want a security cam. Anyway, I think this article has. We need to flush this article. We need to flush this article. Yeah. All right, let's flush and talk about our CTF folks. Yeah, we only have a few minutes left.

Hayden (56:39)

We'll.

John Strand (56:39)

We'll talk about. Does someone want to announce the CTF winners? Ryan, do you want to.

Ja (56:44)

Ryan has.

John Strand (56:45)

He has no voice. All right, Ryan, just make jazz hands and I'll announce the winners. So the first winners are. The first place winner is Martha Bowen. Congratulations. You're winning a one year on demand subscription to anti siphon training. We have all kinds of training on security things. Things smart camera hacking, smart toilet camera hacking. All kinds of good stuff. We also have. The second place was Peter Jenzik or Jesic, who won one course. And sadly we do not actually have a course on IoT toilet hacking, but there's a lot of other really good courses on there. Hayden has a course. There's all kinds of stuff out there. So congratulations and thanks for participating in the ctf. I don't really know what it was, but it's probably pretty cool.

Ralph (57:33)

It's clearly cool. Cause you won some free training.

John Strand (57:36)

Yeah. That's awesome.

Hayden (57:38)

Yeah. Good job.

Ja (57:39)

Good job.

John Strand (57:40)

All right.

Ja (57:40)

Good job.

John Strand (57:42)

Should we call it or should we do a final article?

Hayden (57:46)

Do we want to talk about planes and cosmic rays? Because I can do that real fast.

John Strand (57:50)

Eh, just get ECC memory. We could talk about how Flock's using overseas gig workers to build its surveillance AI, which is literally what we just talked about about.

Corey (57:59)

Right?

Ja (58:00)

What could possibly go wrong?

John Strand (58:02)

The same. The same thing we just talked about. So this is an article in 404 Media. Basically, they accidentally exposed training materials. I don't know what flock is. It looks like a. Is it a. They're like. All right.

Corey (58:16)

Yeah, they're like a community driven. Not community driven, but like a. Cameras they put up all over the place. They're solar powered, they're cellular, so they can just drop them wherever and then they.

John Strand (58:26)

So mass surveillance.

Corey (58:27)

Mass surveillance, yes. It's a mass surveillance tool to help the world, I guess.

Unknown Guest (58:32)

Okay.

Ryan (58:33)

If the police buy a subscription, they don't need a warrant to search, so that's wonderful.

Hayden (58:38)

Right?

John Strand (58:39)

Are you telling me I shouldn't commit crimes in the middle of the public street?

Ralph (58:43)

No, you should. I feel like not in your car.

Ryan (58:46)

Like borrow someone's car.

John Strand (58:48)

Just ride a bike. Oh, yes, Bike. Let's go.

Ralph (58:51)

Yes.

Corey (58:51)

Bikes are back, man.

John Strand (58:52)

Yeah. Okay, so. So I mean, basically the. The article is that they accidentally exposed training materials which showed that they essentially are using workers in the Philippines through upwork, which is like a business process outsourcing type dealio, to train its machine learning algorithms, telling workers how to review and categorize footage, including images of people and vehicles in the U.S. i feel like this, the angle here is more about like sanctity, you know, data sanctions around like this data arguably shouldn't be leaving US Soil, Right? Like, yeah, theoretically. I mean, I don't know. I guess it's a company's private data. But it seems like, you know, in a GDPR type scenario this very, you know, sensitive, potentially information on US citizens shouldn't be heading to the Philippines for. For outsourcing. I don't know.

Ja (59:41)

Even with encryption.

John Strand (59:44)

Well, it doesn't really matter.

Ja (59:48)

Side.

John Strand (59:48)

Because then on the other end.

Ralph (59:52)

Yeah, exactly. The end is in the wrong place.

John Strand (59:54)

I love. Yeah, the end is in the wrong place. Yeah. So I mean, I. I guess what I would say is like, I'm not surprised. I think that this is like industry standard for this. Like, this is. You know, we were just talking about it with Mechanical Turk. I don't think there's any like data sovereignty rules with the Mechanical Turk either. Right. Like, if I go submit a data set, maybe I can pick an option that says only use US Based workers for this. That'll probably make. Make it cost five times as more, but. Oh, yeah, yeah. So, I mean, mass surveillance is pretty sketch. You know, I'm not a huge fan of this as a concept. I think we probably need some rules around this.

Ralph (60:28)

Corey has a hot take. Is surveilling people bad. Freedom good.

Hayden (60:33)

Right? Very hot take.

John Strand (60:36)

Sorry. I I didn't mean to get political there for a second.

Ja (60:41)

Well, you know, before Y2K, I know I'm. I'm old. There were a bunch of surveys being made in 1999 about what people thought would be the biggest issues that would be faced in the coming century. And a good friend of mine, a paralegal, her response was that privacy was going to be one of the biggest issues to face in. In the 21st century. And as we've gotten further along into it, that one prediction has held out, because over and over again, what do we keep running across? Who owns your data? Who owns data about you, who can utilize, manipulate, analyze data that was captured with or without your knowledge? So this privacy thing, it's ongoing going. Technically, it sort of isn't a cyber security thing, but it also is because.

John Strand (61:42)

Yeah, no, it definitely is.

Ja (61:45)

Big deal in cybersecurity. Right.

John Strand (61:47)

Well, the other thing is we talk about the cybersecurity. Well, first of all, we got rid of. We fixed the privacy thing by just deleting it. It's fine. We just don't have privacy. We don't have privacy.

Ralph (61:56)

It was end to end encrypted too.

John Strand (61:58)

Yeah.

Ja (61:58)

So was that one of the 96 databases that got deleted?

John Strand (62:02)

Yes.

Corey (62:02)

Correct.

John Strand (62:04)

No. I mean, I think. I think basically that the reason it is a cyber security thing is because it wouldn't be the first time and it wouldn't be the last that these get breached and the amount of information that's contained in them is huge. You don't think nation states are going after this data? Wouldn't Russia or China or our adversaries, even if you look at, like, take the most conservative approach you can, if this data is arguably too valuable to be to exist.

Ryan (62:29)

Right.

John Strand (62:30)

Like, if it. If any adversary of the US Gets into this database, they're going to know where every person is, is where, you know, like, it's just too much information to have from a spy perspective. From an espionage, it's just too valuable. Whoa.

Ja (62:45)

Do we need to let someone in something like that?

John Strand (62:48)

I think that's. I think that's the judge hammering the gavel saying it's time to end the show.

Ralph (62:53)

Yeah.

John Strand (62:54)

Order. Yeah. All right. I think that's.

Hayden (62:57)

That one's my fault.

Ralph (62:58)

Sorry.

John Strand (62:58)

It's okay. No worries. It's. It's a time. It. That's the. That's just the announcement that it's time to end the show.

Corey (63:04)

Show.

Ralph (63:05)

We need that every week at 5:30.

John Strand (63:07)

We do that every week. Thank you for coming, everyone. And we'll see you next week. Bye. Bye.