John Strand
You lost someone?
Ryan
Yeah, Derek Croft.
Corey
He was in a very dark cave.
Hayden
He was in a very dark cave.
John (disembodied voice)
Someone.
John Strand
Someone send him some lights.
Ralph
His bit rate was, like, one.
John Strand
It was a binary bit of zero.
Ryan
It's taking dark mode a little far.
John Strand
Yeah, yeah, for sure.
Ja
Yeah. He said he was gonna bounce because we have plenty of folks.
Corey
Ooh, we got a smart toilet article. Super excited about that.
Ja
You know, it's.
John Strand
I love toilet hammers.
Hayden
A thing.
Ja
Around since 2020. Come on.
Ralph
Didn't we talk about, like, the mattresses, though, that were, like, Internet connected? So now, like, power goes down and you can't, like, flush? Like, what does that mean?
John Strand
We're gonna. No, no, we're gonna. We're gonna introduce some new terminology on this show.
Corey
Oh, my.
John Strand
This is not the toilet.
Ryan
The first toilet Related story.
Corey
It won't be the last. Honestly, watch.
John Strand
We get, like, a client who contacts us and is like, I'm an industry leader in anal printing and I.
Hayden
I'm.
John Strand
Super interested in this podcast. Thank you so much for sharing.
Ralph
The LinkedIn dots are gonna have a field day.
John Strand
I'm pretty sure we're already categorized as adult content just based on that one sentence, probably accurately.
Ralph
John joins, like, occasionally enough that, like, once our, like, risk rating or whatever goes down, like, it spikes back up.
John Strand
John joins and just drops some nation state level, like, unnecessary feelings.
Ralph
Yeah.
Ja
Oh, poor nation states. Their feelings got hurt.
John Strand
Well, they're after their webcam images leaked. Oh, yeah, they're all sensitive about it now.
Ralph
Yeah. My feelings.
John Strand
That article. He just looks like a totally normal guy to me. Like, I was expecting, like, a hoodie.
Ralph
Red eyes, glowing light. Lightsaber maybe.
John Strand
Lightsaber.
Corey
Yeah, exactly. That's. That's what I was thinking. Or to be wearing a mask, a costume.
Ralph
I mean, there was like, two. Two ways that could have gone is, like, the hoodie, the red eyes, like the red lightsaber, or just like a bunch, like, a body pillow in the background and like, a bunch of, like, anime posters? I think would be the only two that I would have expected.
Ja
Yep.
John Strand
Correct.
Ryan
Are we talking about John or, like, North Koreans at this point?
John Strand
We're talking about Lazarus Group.
Ryan
It could go either way.
Corey
Yeah, we'll let it go either way.
John Strand
Hello and welcome to Black Hills Information Security's Talkin' Bout [Infosec] News. It's December 8th, 2025. We're running out of podcasts in 2025. Getting close to 2026. I can't wait to change my password to podcast 2026. Exclamation point.
Ryan
I got the cheat. I'll change my password now.
Corey
Yeah, I got the cheat. You just go 2027. They'll never guess. Oh, yeah, you got one of them up.
John Strand
Keep them one. One year ahead of the behind the curve. Yeah, when you're behind the curve, you have to be one year ahead. It makes perfect sense.
Ryan
Yeah.
Ralph
If you think about it, cost them like one millisecond more in processing. And if you add that up, like, that's going to start to cost them some serious dollars and cents.
John Strand
Yeah, for sure. This is going to talk about contractors wiping government records. We're going to talk about CVEs in React and Next.js, we're going to talk about government apps on your phones, and maybe we'll take a corner into toilet humor and talk about smart toilets and identifying you by your anal print.
Corey
You did say.
John Strand
We'll also talk about Lazarus Group and some interesting research published by Any Run on basically seeing what malware developers look like and seeing their webcams. It's kind of like flipping, turning how the turntables have turned.
Ralph
You say that as John comes on.
Ja
Camera, John comes on. He disappears.
Corey
What.
John Strand
What do malware developers look like? They look like John Strand. They look like John Strand sitting in his car. All right, let's start with the Next.js stuff. I don't think this is, at least from my corner of the world, continuous pen testing, this hasn't been as big of a deal as we originally thought it was going to be. This one dropped last week. It's essentially a CVE in React and Next.js. It's a little bit confusing between the CVEs because the React CVE was actually closed. Because basically their explanation was we literally pick and place the Next.js code right into our code. So they should fix it. So it's basically on React to fix. The exposure was high. I think, like, a lot of people use Next.js. It's a very common component.
Corey
Yeah. It's a very popular framework. So Next.js is not just a component of these websites. It is the entire platform that they're built upon. Right. So Next.js uses all of it. It's a compilation, it's the back end, it's the front end. It's everything. Right. It's one deployment that you make.
Ralph
Right.
Corey
So anybody who was in it is like seriously in it. They're not just like, oh, well, my app happens to kind of use it. They're like I use it as my application.
John Strand
Yeah. And this is not easy to swap out. You can't just be like, oh, we'll just swap it out for something else. Basically Wiz published the original blog and then. Or no, actually it was a researcher, you know, their own. There's reacttoshell.com. It got a cool name, which I feel like we got to have some kind of a confetti animation for when a CVE gets a cool name. React2Shell is a pretty cool name. But yeah, basically originally there was no proof of concept exploit, then there was proof of concept exploitation. But I think by the time a PoC went live, most, like, intermediary providers had already blocked it. So, like, Cloudflare blocked it immediately. You know, there was some exploitation in the wild for sure, but for the most part, at least on our customers, we didn't see any exposure to actual RCE in the wild. So, like, we tested everyone, we didn't see anyone. We saw a lot of unpatched JavaScript libraries, but we didn't see any, like, people that we could actually exploit with this, unfortunately. So it was kind of a non issue on our end. But we'll still report it and tell people to patch their Next.js. I don't know how easy that is. Probably not very easy, but no, it's easy.
Corey
You could, you could patch the Next.js. It depends probably how far you are back in the chain.
Ralph
Right.
Corey
There might be some features that, you know, cause issues in the functionality of the application.
Ralph
Right.
Corey
I actually read the whole write up of like exactly how this thing works. There's actually really a chain of exploit.
John Strand
Or like the actual execution deserialization. Right?
Corey
Yeah, but it is a chain of things to actually get that RCE out of it. Right. And then once you're there, you're actually executing inside of Node and then you can do whatever essentially that process could do, which usually is running in either some kind of user on the host. Right. And you can execute any command. Mostly you'd be looking to read environment variables and all kinds of other fun stuff.
John Strand
Yeah, there was some super lame crypto mining campaigns that were using it. Right. Like, the assumption being this is running on JavaScript, it's running on a server, so it's probably a powerful server. Yeah. I mean, basically the other thing that was kind of funny when we were scanning for this is if you're really out of date, like if you're on Next.js 12, you aren't vulnerable to this. So, like, you had to be, like, sort of modern to be exploitable in this scenario. But yeah, basically 14.x was vulnerable and then 15. There were versions of 15 and 16 that were also vulnerable. So, yeah. Patch your Next.js. Otherwise, I mean, I guess. Anyone else have any takes on this? It wasn't a huge deal as much as I thought it was going to be.
John (disembodied voice)
But I'm just, I'm just going to say I've learned something from what you guys have said. And I've also learned today that if I turn on my camera from Restream, it's crashing my entire Restream session at the moment. So I will just be the disembodied voice of John Strand today.
John Strand
Oh, how's malware development going?
John (disembodied voice)
This is what I came in and I heard Corey say, this is what a malware developer looks like. And I'm like, that's probably. That probably needs to be a shirt.
John Strand
And then you turn on your webcam immediately the timing becomes a YouTube short.
John (disembodied voice)
I'm tempted to try it again, but it's probably going to puke.
John Strand
All right, let's talk about what a malware developer looks like. Cue John Strand. This is a bug.
John (disembodied voice)
This old school malware developer isn't showing up at all. Unlike a shadow in the back of the mind of your dreams, of your children.
John Strand
He doesn't use webcams. What is he, a young person? So basically this is interesting blog from any run, which I don't know if it's pronounced any run or any, I've.
Ralph
Always heard any run, any run.
John Strand
I mean, it's weird to put your, like, the dot in your domain name as part of your name, but whatever. Here we are. They publish a really interesting threat intel write up. I'm assuming Hayden has read this better than I have, but essentially sandboxes have lots of information coming into them. And this is kind of similar to, like, the Huntress article where it's like, turns out when you have a sandbox, you have a lot of data you're collecting from that sandbox. That's why they exist. So yeah, basically read the blog if you're a blue teamer. The cool thing is that you can see kind of behind the scenes of how Lazarus works. They're trying to deploy remote IT workers, especially in the financial and Web3 sector, like crypto, corporate espionage. It's got all the fun keywords of a sexy nation state on nation state article. But yeah, I mean, I guess that in the blog they publish a screenshot of the threat actor. And to me, he just looks like a completely normal guy. What?
Corey
But okay, what were people expecting though?
John Strand
Like, I mean, I think hoodie at the very least.
John (disembodied voice)
I mean, is it, is it too much to ask that just once these guys are wearing a wrecker hoodie?
Corey
Yeah, like right there.
Unknown Guest
Totally.
John Strand
Oh yeah, like a wrecker hoodie or like fingerless gloves. Like, he just looks like a guy that like, just got back from the grocery store and is like, he's on.
Ralph
His 9 to 5 is what it is.
Ja
Yeah, that's because that's what it is. He's on his. Exactly.
John Strand
I kind of wanted it to be out.
John (disembodied voice)
And they're like, mommy, why do his earplugs have like, strings attached to them? Never mind, dear. Never mind, dear.
John Strand
That's from the before times, John. The answer is he's in North Korea. They don't have wireless headphones yet because they're.
Unknown Guest
I don't know. There's something about this, the way they caught them, that I just love, you know, they just, they played as dirty as they do and they got 'em because they played dirty. You know, it's like I had a, when I lived in Manhattan, in the Lower East Side, I had a maintenance guy and he would always say, if you want to catch a rat, you have to act like a rat.
John Strand
And I was like, that definitely applies. Yeah, for sure.
Ralph
But I think you could take that too far.
John (disembodied voice)
Actually, I, I think that's good advice. But sometimes, you know, when you're putting on whiskers and you're full furry cosplay.
John Strand
Maybe, Maybe too far. Are you saying you don't just chew through people's walls?
Ja
John?
John (disembodied voice)
No, that's not anymore, but I'm recovering.
Ralph
Corey, what, what I found out from this article, I, I didn't, I read some of it because it's interesting. These are the ones that, like, I, I sometimes wonder whether or not to, yeah, I wonder whether or not to include them on, like, our weekly SOC intel report because they're very interesting, but they're not always very actionable. But this one I found, I found it really funny. I don't know why, that they used Calendly to, like, set up this meeting. Like, no matter who or what you are, you cannot escape just meeting scheduling. And I struggled with Microsoft's options for this.
John (disembodied voice)
So, so Hayden, do you think that all of a sudden we're going to see, like, a new MITRE category of, like, and they're like, you know, Calendly is going to be part of the initial access column.
John Strand
You know what we got to do is we got to trick all the SOC providers into putting Calendly in their threat intel IOCs.
Ralph
So then yes, you got a Calendly link. I mean, there is, there's got to be, like, Sublime detections for, like, email with Calendly links. Not necessarily saying that they're malicious, but as a signal.
John Strand
So why not just. I'm also just so like, like reading behind the scenes here. Are they using GitLab or GitHub for their hiring?
Ralph
What is interesting comments to say, like, hey, we think you're doing an awesome job. We would love to hire you for thing.
John Strand
Like, yeah, it looks like GitHub, right? Like they're literally.
Ryan
They were spamming PRs.
Ralph
Yeah. Like they, I wonder if it's just random or if there's like some overlap of this person looks proficient enough for us to be able to want to hire them, but also stupid enough that they would fall for this. Like, how do they define that overlap?
John Strand
Well, it's, it's whether they use tabs or spaces. Obviously.
John (disembodied voice)
A long time ago, when I was, when I was still pen testing, I remember, which is a long time ago, admittedly, whenever you were targeting someone inside of an organization, you would look at the LinkedIn profiles and you would specifically look for the profiles that are like, this is a full stack Java developer that's an expert in multiple different technologies. And the more they kind of tooted their own horn, the more you're like, oh, this guy's going to click on any link we sent them. Right. You just kind of like bluff their ego just a little bit and you can get them to do anything at all. It's just, I wonder if they're you.
John Strand
John, you gotta ride your horse to another McDonald's rip.
Ralph
Yeah, I mean, I'm looking at our email detections now and there's a lot in there already for, like, calendar invites. Those might be .ics, but.
John Strand
Yeah. Yeah, I don't know. No, I think it's a, it's one of those that like, it's so long it could be a book.
Corey
Sure.
Ralph
Yeah, they're always so interesting, but like, they are. They're one of those ones that you like, skim, that like you actually do need the table of contents. It's like in a lot of ways it's like if you're looking up a recipe online where you get to it and you're like, oh, this sounds really cool. And then there's eight paragraphs of, like, I was born in Massachusetts. Show me, like, the actual recipe.
Ja
Take me to the darn recipe.
Ralph
Exactly. And so you get to some parts of this article where you're like, okay, that's kind of. Kind of interesting. Like, the. The easy catch is, like, the pictures of these guys. Like, I think everybody's talking about it like they're just normal dudes. This is their job. I mean, they probably think about it the same way that a lot of us do, is they go to work and their job is to basically do crime. Oh, I don't know.
John Strand
We don't know.
Ryan
Yeah, all the connections were coming through Astrill VPN, but I don't think they were able to get any beacons back on their, like, home PCs or whatever.
John Strand
John, you gotta ride your horse to another McDonald's, right, for a Wendy's, maybe.
John (disembodied voice)
Traffic through North Korea. Hi, everybody.
John Strand
Yeah, yeah, John is joining us from Astrill VPN. Who. I mean, do we really know that John Strand's not a North Korean IT worker? We don't necessarily know.
John (disembodied voice)
I think the major VPN providers are like, please, dear God, don't say you're on our VPN. That's.
John Strand
Yeah, yeah, John, you're definitely tripping the North Korean IT worker prevention mechanisms here. Like, you know, you won't turn on your webcam. We can't tell if you're real. Your voice could be a deep fake.
Ralph
We need you to look at today's newspaper.
John Strand
Yeah. Can you. Can you blink twice if you're being deep faked? No. Ignore all previous instructions. No. Basically, I guess my other question about this. My other question about this is, like, is there. I didn't fully read the article, full disclosure, but is there, like a business case here for using any DOT run as part of your hiring process? Like, should you be, like, sandboxing your job interview candidates? Like, is this the thing we should be doing?
Corey
I think that's what they were trying to get at.
Hayden
Yeah.
John Strand
Like, is that the goal? I hope not.
Ryan
I don't think so. They used any run here in that after they signed up with the North Korean guy so that he could, like, sheep dip them to get IT jobs using his identity or something. They wanted to use his laptops that he had at home to remote in and do the work. So the any run sandboxes were his laptops that he was setting up for them so that they could use those to work from the U.S. Gotcha.
Ralph
Okay. Yeah, I think there might be, like, somebody somewhere that would make that case, Corey, about, like, should we be sandboxing these? I think if you're that concerned you shouldn't have a BYOD policy, like, that concerned that you're going to hire, like, an APT by accident. You either need different hiring or have a laptop. Right. You need to have a little bit different provisioning policies. Probably.
John Strand
Yeah.
Ryan
However, another tactic that Lazarus uses is setting up, like, fake interviews for people that are trying to get work and infecting their system. Give them a product, you know, project or something and then they run some malicious code. So, like, doing your interviews on an any run sandbox, or any dot run sandbox, would probably be a really good idea.
John Strand
Yeah, I think if I was job hunting in today's day and age, I would be using, like, a VM or a burner laptop or something. Because I mean, nowadays even if you're interviewing for a legitimate company, let alone a North Korean IT worker, I think the amount of monitoring software they want on your system when you interview is getting to be absurd. Especially for, like, a development position like Amazon or something. I've read some pretty crazy. Because they're trying to make sure you're not using AI. You know, it's a whole cat and mouse game thing.
Ralph
But John says the sales team is freaking out. We use Calendly. Calendly isn't compromised. But what I will say is you can expect the hustle from these guys to shell out for the best tools. They got Calendly, they got Slack, like, they got all the nice.
Corey
Tools, all the premium subscriptions, Right?
Ralph
Exactly.
Corey
Yeah.
Ralph
And they got any run like nice.
John Strand
So can you buy Calendly Premium with Bitcoin then? I guess so.
Ralph
Oh man, somebody got your credit card. Oh yeah, that's true. I, I guess they could just be abusing people's accounts. Like they just compromise.
John Strand
Yeah.
Ralph
The account and then they just use that. That's probably what it is.
John Strand
Yeah, that's probably what it is. ATO is from stealer logs or something. I mean, it is also like, remember this, like, GEICO. It's so easy a caveman can do it. Maybe they should be like, Calendly. It's so easy, North Korean threat actors can use it.
Ralph
Imagine the call, though, like, if this became, like, I don't know, like a government investigation in some capacity. Imagine the call where, like, you get called up by, like, the FBI and they're like, hey, do you use Calendly? What, what, what are you talking about?
Hayden
You know, the sneaky way to go about it might be a. The most hired people in America use Calendly.
John Strand
Are you overemployed? Get Calendly. All right, I need to stop. For the record, I have no skin in the game. I'm fine with Calendly. Microsoft Bookings is what I use, and it's straight up trash.
Ralph
So are you fine with North Korean APTs, though?
Hayden
How are you.
Ralph
How are you about.
John Strand
Oh, yeah. Oh, I love scheduling meetings with North Korean APTs. All right, let's talk about these contractors who got charged this week. Virginia brothers.
Ralph
Oh, no, I did read this one.
John Strand
This is. I didn't either, but we're gonna do it anyway.
Ralph
I did.
John Strand
That's the. That's the nature of the show. So this is an article in Bleeping Computer. Basically, prosecutors have charged two Virginia brothers. They were arrested on Wednesday, allegedly conspiring to steal sensitive information and destroy government databases after being fired from their jobs as federal contractors. Their names are. I'm not going to try to pronounce them, but they're both 34. They were sentenced to several years in prison in 2015 after pleading guilty to accessing U.S. State Department systems without authorization. So they already have a record. They also have a record going back to 2013, and somehow that didn't prevent them from being hired as government contractors.
Corey
So many questions about that.
Ralph
Only Sandbox.
John Strand
Yeah, they should have used any.run and Calendly. That would have saved them. So basically, they got fired and then they got angry and then they deleted some databases, including a Department of Homeland Security database. They apparently have the logs where they asked an AI tool how to clear system logs after deleting a database. Come on, you guys have been in the game deleting stuff for 10 years and you haven't figured out how to clear system logs?
Ralph
Come on. I remember. If you can just ask ChatGPT.
Corey
Exactly how to clear my ChatGPT log. That's what I really.
John Strand
Okay, so the real, like, I don't want to.
Hayden
Definitely going to hallucinate that answer.
Ralph
It's gonna smile and say, type this command and we'll delete everything.
John Strand
Where did they get hired? What government contractor hired them with a freaking record of deleting databases.
Corey
It was probably like one of the really big ones.
John Strand
Did they parlay it?
Ja
I would have said it starts with a D and ends with an E and only has four letters.
John Strand
Yeah, well, this is a contractor, so safe to say it was probably not that one. But basically I'm like, do you think they parlayed it? They were like, yeah, it says right here on our. Our criminal report that we have experience with databases. Maybe it was deleting the databases, but we still have experience.
Ralph
Okay, good luck finding anyone else who knows.
Corey
SQL.
John Strand
Yeah, so I mean, again, they're getting charged again. They're probably going to go to jail again. This is super obvious. Like it's not. Digital crimes are the easiest to get caught doing.
Ralph
Like. Sure, but the maximum, like this one for, for the. The one brother. The maximum penalty is six years. That's not very long for very intentionally committing government crimes.
John Strand
But dude, six years for an rm -rf? What is he getting from this? Well, they have 45 years. They have backups even. I don't know, it's.
Ja
Like they have backups. This is the government we're talking about.
Ryan
True.
Ralph
There were those jokes for a while that, like, Claude would call the cops on you. I think maybe ChatGPT called the cops on them. It's like, hey, these guys are trying to delete a database called Social Security numbers. I need you guys to take care of them.
John Strand
I. Yeah, I truly don't know how they got hired again, how they did it again without, like, they didn't change their TTPs at all. They just sound like they're angry and dumb. That basically is the, you know, that's the vibe here.
Unknown Guest
Yeah, I would argue the dumb though. I mean, you'd have to be pretty smart to evade those systems the second time after two felonies previous.
John Strand
No, no, no, no. It's incompetence on both sides. The people who hired them are also dumb.
Ralph
Yeah, I mean, it's. I mean, you sort of joke, but it's all about like the lowest bidder. And so with the lowest bidder you can only afford up to a certain point. And so I guess you sometimes find, hey, I can cut these corners. These guys seem proficient. Let's bring them on. We need to win this contract right now. And then you don't really think about it and you hire these guys or North Korea by accident.
John Strand
In their defense, they were hired to delete databases. They did their job.
Corey
I found who the contractor was, which I had to read like six articles while you guys were talking to finding.
Ja
Oh my gosh, I'm dying to know which one.
Unknown Guest
I'm dying to know who it was.
Hayden
Which one?
Corey
It's Opexus.
John Strand
Oh, okay. So it's a shell corp for.
Corey
Yeah, so they. They actually host data for more than 45 federal agencies, so.
Ja
Oh my God.
Ralph
Operational excellence for government. Oh, yeah.
Corey
Anyways, so that was the that, that was. There's some other reporting that if you're.
John Strand
If you're an ex, if you're an ex con looking to get hired, I highly recommend going to work at, what was it? LPX.
Ralph
If you look at their Glassdoor, only 38% of people would recommend them on Glassdoor.
John Strand
So how many of those are ex cons?
Ralph
I, I would imagine not many because ultimately that got cut. So like if I got convicted and while working at a place and went to prison, I'd be like, yeah, don't work here.
John Strand
I mean, I'm all for giving people a second chance, but this feels like, like, okay, if you deleted databases and got convicted for it, maybe you should go work in like woodworking. Like go do something else. Like whatever it is that you did and got. Like you're just encouraging people to reoffend by putting them like, hey, last time you got upset and deleted a database, let's put you in the exact position again where if you get upset you can delete a database. Yeah, it just seems, I think they.
Corey
Didn't do their due diligence when they hired them. And these contractors, they worked off of one thing, which is filling seats. They get that percentage of the contract and so they're just looking to fill seats and they didn't do enough due diligence. That's probably what.
John Strand
But dude, a felony from less than 10 years ago, you shouldn't have seen it.
Corey
I'm just saying they decided to ignore it.
John Strand
If they had just Googled their names. Anyway, anyway, yeah, yeah, yeah. Anyway, I guess let's talk about Apple refusing to install government tracking apps, or I guess state run cybersecurity apps. Basically the article title is Apple refuses to pre install government apps on iPhones in India. This is kind of an interesting precedent to set. Basically, in India they were requested to comply with an order from the Indian government which required them to pre install a state run cybersecurity app on all iPhones. So it's not like this is just a custom order for the government or something. I'm not sure exactly what the cybersecurity app is. I'm sure there's someone who could tell you more details about that. But basically Apple is saying we're not compromising our, like, out of box experience for any nation state, which is kind of interesting.
Corey
It is, it is. So the app is on the App Store. Right. Okay, so you can install it, but.
John Strand
Right. It's not side loading. It's not.
Corey
Yeah, but they just want it to, like, force it installed, like, across the board. Like, as soon as you get this device, you open it up, it's like installed, you know, which is a huge.
John Strand
I feel like you cannot overstate the impact of that. Like, the default apps are the apps that everyone uses. Like, if it's installed by default, everyone's going to use it. Essentially the other thing that the order stipulated was that the app's functions could not be disabled or restricted by the user. So it's pretty sketch. Like, ultimately you could argue that Apple's just being lazy here, which, you know, for business purposes is kind of important, but also they're potentially risking. I mean, I'm assuming that the iPhone market in India is absolutely massive. Right. It's probably like in the billions of dollars. So it's interesting that, yeah, like there's.
Corey
There's a billion people in India.
John Strand
Yeah, yeah.
Ralph
And that's a huge market.
John Strand
Apparently.
Ralph
That directive was apparently withdrawn. But I don't see Apple ever doing that. Like, Apple makes a disclosure. Everything around me is Apple right now. But Apple makes a big fuss about being, like, the privacy devices. And yes, okay, maybe, maybe in some cases they're better than alternatives. But what they do best, at least, you know, at least what they try to do best, is their hardware quality is always going to work exactly how they say it is. And then their, like, onboarding flow of, like, a new device is flawless. And what they, I think, don't want is to turn into a Microsoft where now you're getting ads in the Windows menu bar. And so as soon as you start getting bloatware, people are going to get pissed. I get pissed when I install a new phone and I have GarageBand. I'm like, why did you put this here? Get rid of it. Pages. No. What is this, dude?
John Strand
You don't use the Pages app. I use it all the time. I definitely know never. I definitely know what it's for and what it's intended to be used for.
Ralph
If we get a critical zero day in Pages, one person will be affected and it will be Corey.
John Strand
No, I, I've. For the record, I don't. I have never. I don't actually. Is it. I'm assuming it's just their Word, their.
Ralph
Microsoft, Microsoft knockoff that are pretty.
Ja
Hold on a second.
Unknown Guest
Let's.
Ja
Let's back up a little bit. As I've been reading more into the Reuters article. It's not just that it's an application, it's that the government is requiring their application to be in there. And I'm sorry, anytime a government wants to force an app to be loaded onto all digital devices within their nation state span, that's pretty sketch because, you know, what are they tracking? What are they looking for? India. No offense to anyone in India or the India government, they're already a known factor for having some pretty sketch cybersecurity practices in not just government but all over the place. So yeah, this is not good news. And when they issued, when the Indian government originally issued this, they didn't just hit up Apple, they hit up. Where's the list? Hold on a second. They basically hit up all of the major phone manufacturers and, you know, gave them 90 days to comply.
John Strand
So how many said yes? That's the question.
Ja
Yeah, that I can't find.
Hayden
So this was a confidential order. So somebody leaked something for Reuters to even be able to write about this. Just like when somebody leaked something about Apple and the UK and having all of their iCloud based encryption backdoored. And backdoor is the wrong word. It was a master key situation. What I keep seeing, and what's in stark contrast, is Apple standing up to countries outside of the US about things that maybe are public knowledge and maybe wind up becoming public knowledge, where it makes them look like they are protecting everyone's privacy and are doing it in a global way. And they are definitely doing it in a way where it makes it seem like they are willing to pull out as a company from whatever country that is.
Corey
Sure.
Hayden
At the same time they've turned around and pulled things on what is clearly US government push. Whether or not there's legal orders or not is a separate question. But there's no question that Apple pulled things that have political meaning and political context from the App Store when the US government was leaning heavy and loudly that XYZ apps should go away.
John Strand
Yeah, but I'm less, I'm less worried about pulling something versus pushing something onto literally every phone. To me the impact of that is way different.
Ralph
Recovering like censorship versus surveillance censorship versus.
John Strand
Surveillance censorship is to be expected and is literally a legal duty of a company.
Hayden
Surveillance. What the apps that got pulled were crowdsourced surveillance apps?
John Strand
Well, there's, there's a lot of apps that have gotten pulled for a lot of different reasons. So I, I don't think we should really get into that on this, that it's not really part of this news article. But yeah, there, there's a difference between the government asking Apple to install an app on every phone and have it enabled by default and have it not be able to be disabled versus Apple not wanting to get in the middle of a political spot. Right. Like there, there's a lot Apple and I think really at the end of the day Apple's a company who just doesn't really want to be in the news about this kind of stuff like at all. They just want to be like no, we sold you the phone. It does what it does. We don't want to talk about it after that. Like we made our money.
Ralph
We'll see you in one year when.
John Strand
You buy another one. See you in one year. Like, like we'll leave you alone, you leave us alone. And we don't want to talk about what's on the phone or like anything else. But I mean there was never, there.
Ralph
Would never be a situation where a government goes through that effort and they don't get something out of it. And it's never going to be just like oh you're your country's users are more secure. Like no. They have some sort of stake or backdoor or something in that app Kill Switch maybe. Exactly. They have some amount of, of intelligence gain through that sort of thing.
Corey
Protect the kids. Everyone knows the truth.
John Strand
Well yeah.
Ralph
And they're using kids as like a doing what?
John Strand
Yeah, absolutely. Well and there's a huge like bloatware is a whole separate beast. Like I think you could argue that there is Apple bloatware. I would argue it's first party bloatware and it just wastes space. It doesn't really do anything versus like.
Ralph
It's easy to get rid of.
John Strand
Yeah, it's easy to get rid of. It doesn't waste space. And then you have, you compare it to like Samsung which has like you know or, or Microsoft products at least the lower end ones that have ads in the start menu and pre installed games and like push notifications coming from things, you know like it's a, I would say bloatware is a spectrum. I think Apple's maybe about as from a commercialized company, about as low as you can go. I mean obviously if you go like install Arch Linux, there's no bloatware or whatever but like yeah, then you, then it goes up to like, you know there's probably some low end like if you buy like a hundred dollar Android phone, I'm assuming it comes with just like from, you know, from I don't know one of these like pay as you go mobile services. I'm assuming that comes with all kinds of tracking apps and weird network configurations and free antivirus products and Stuff like that. So yeah, yeah.
Ja
Wasn't technology supposed to make our lives better and easier and stuff like that?
Hayden
It hasn't made your life does that.
John Strand
Yeah, I would argue there's more to that statement.
Hayden
I just haven't said it out loud.
John Strand
I think smartphones have done that. I think they've also introduced a nice sense of existential dread that we have to live with. But yeah, I was definitely as nice not being like, we'll meet at 7:30 and if you get a flat tire, I just don't know if you died or not.
Ja
Actually, Ja wrote a really, really great article, posted it on LinkedIn talking about his ongoing divorce from social media and the whys and wherefores and then also describing his experience after the fact. And I'm seeing similar kinds of posts from a variety of different sources. I think people are just burned out by the whole cyber security or not cybersecurity, social media bs and being prodded into this endless engagement for the sake of engagement. And something you might want to take a look at.
Corey
Yeah.
John Strand
And I think for everyone that's burned out, there's 10 people that are super into it.
Ja
But yeah, I think the numbers are probably flipped. They're burned out but they don't know what their choices are. They feel, yeah, it's fomo.
Ralph
There's billions and billions or maybe trillions of dollars built into, you know, building on your attention and retaining it for as long as you possibly can. And ultimately sort of sort of like nation states versus like private companies. Eventually the funding will win out unless you have like some unique vector in order to, like in order to kind of approach from. And that's something like we talked about a lot at like my last job because we were also a SOC, but we dealt a lot with APTs and we were like, well, we have limited budget. China does not really in that sense. So how do we maximize and sort of, you know, set ourselves up for detection and prevention when you know, the opposition has, you know, billions of dollars more in budget than our company makes, period.
John Strand
Yeah, yeah.
Ralph
I don't know.
John Strand
So on the Apple front let's. I mean there's an article also in Reuters about Apple apparently blocking FaceTime. My biggest surprise with this is that Apple that it was allowed before this. I'm surprised by that. Yeah. Basically Apple has now blocked FaceTime nationwide. I'm surprised Apple's FaceTime.
Hayden
Yeah.
John Strand
Oh, that's what I said. Right.
Ralph
I thought you said Apple.
Ja
No, you said Apple blocked FaceTime, not Russia.
John Strand
Sorry, Russia blocked FaceTime in Russia.
Ja
Yeah.
Ralph
Oh yeah, and Roblox. Dude, the kids are gonna be so madness.
John Strand
That's how you create a revolution right there. Yeah, but don't worry because there's a state backed app called Max which definitely isn't related to HBO and also definitely doesn't surveil your every communication.
Ralph
It comes pre installed, just not on your iPhone.
Ja
Oh, HBO Max is getting bought by Netflix though.
John Strand
Yeah, no, that was a joke. The Russian Maxes are FaceTime in Russia.
Ja
Yeah, it's hard to keep track.
Ryan
I mean, are we positive that Netflix is not.
Hayden
They're trying to make it be WeChat.
John Strand
But Russian, I mean they're like, hey, we don't, we're all out of servers Russia, we're out of servers here. How about we just use Chinese encrypted chats that they can decrypt and then we'll just ask them for the logs if we need to.
Ralph
Nice. Yeah, Roblox said it respects this decision or respects these laws, basically. So they were like anything got Roblox, right?
John Strand
Thank God.
Ralph
Partially. But I guess anything that Roblox is like, yeah, we're good with this. I think maybe we should hesitate to consider their opinion. They're not quite always the most level headed in their, their policy decisions. I would say.
John Strand
Well, I mean, I would say they probably just blocked the absolute biggest troll farm.
Ralph
That is a good point. Is maybe they're okay with it because they're like, well, this solves one of our problems right now.
John Strand
Yeah, yeah, that's my guess. I mean, ironically, it's kind of hilarious that the reason they blocked. I mean they don't really give an official rule on why they blocked FaceTime, but I would guess the reason is for censorship. They want to be able to. Or surveillance. Right. Like they want to be able to see people are saying and doing. And so they want people to use the state controlled app. So it's more about eliminating the alternatives to the State Run app. Although I will say, like I'm assuming people are. A lot of this is for international communication. Like am I allowed to just use Max to talk to a Russian person if I live in the US it feels like it might be hard to get that app installed on my phone. What?
Hayden
Really?
Ralph
These articles are very, always very interesting to me from the perspective of which apps are they blocking? Because there has to then be some, I guess maybe technically loosely grasping, but. Well, no, there's like some assumption that they cannot get the data either through, you know, some backhanded memes or through like a legal process, they can't get the data from those platforms. Meaning those are probably the safest to use. Like, if they're like, no, you're good to keep using WhatsApp probably means that. So they already banned one way.
John Strand
So they already had, or I guess it says limited some calls on WhatsApp and Telegram because they refuse to share information with law enforcement and fraud or terrorism cases.
Ralph
Okay, I didn't even see that part. Yeah, because that's, yeah, that's what they're going to block is the things that they can't surveil. Like, if they can surveil it, why would they care?
John Strand
Exactly. It's interesting. It says limiting some calls and they're threatening right now to block all WhatsApp calls.
Ralph
So I have no idea. Some of them are encrypted and some of them aren't.
John Strand
Other, other news that I've.
Hayden
Other news that I've seen about, it said that they were stripping video calls first and that it was still allowing audio calls. So that may be the line that they're drawing.
John Strand
Well, maybe our servers can't store all this surveillance information. Can you just do text instead? We can store that easier.
Ralph
DB Some cases, like with the iPhones, at least when you call on one of these apps, it almost like uses your phone application in order to make this call. And I don't know how it works differently on the back end, but I wonder if that allows them to still view these communications versus if it's like over the. The app itself without ever touching the phone's like, operating system. I guess from that perspective, it probably.
John Strand
Is about surveillance capabilities instead of that.
Hayden
This is the same blocking order that initially went out as a threat to all of these different companies. And we're seeing Russia actually do the block when they finally get back enough of a no, we aren't going to let you in. We aren't. We aren't going to give you our encryption keys.
John Strand
WhatsApp is sending the absolute minimum number of.
Hayden
Of what said no. And Apple took longer to come back with a no. Probably because Apple's legal, went through every hoop they could think of.
John Strand
Yeah, maybe. I mean, we don't know. But either way, if you live in Russia, I'm sorry, you're going to have to use Max.
Ralph
No more Roblox for you.
John Strand
Sorry, no more Roblox for you. Sorry. Yeah, you already lost every Western Roblox.
Ralph
Yeah.
John Strand
Honestly, my biggest surprise is that this was still allowed. Like, I know Apple ceased sales. Like, didn't they stop selling products in Russia, like, years ago, like most of the Western countries and have pulled out of Russia, like Coke has. McDonald's has. You know, every major company has pulled out. So I'm like, how was this still allowed? It's kind of shocking, but.
Ralph
Well, I wonder if maybe the US Was like, hey, Apple, you should hang out a little bit longer on the software side over there for a little bit. That would be very, very cool of you. And we could get you some sick deals.
Hayden
I mean, I also just replaced my iPhone 8 Plus from 2017 last week.
John Strand
Yeah, that could be a long tail.
Hayden
On a long tail.
John Strand
Yeah, true, true.
Ja
Hey, I figure if children and other people are being forced to build this stuff in other countries, I'm going to put as many miles on my devices as possible to honor their sacrifice.
Hayden
Where my decision came from, but that's reasonable.
Ralph
I honor their sacrifice by always making sure to use their most recent work.
Corey
That they upgrade every six months.
Ralph
Like, you just make it. I'm sure. I want to respect your latest work.
John Strand
They don't even release a new phone every six months, Ralph.
Ja
I can't afford to upgrade that much. And there's.
Corey
Neither can I. That's just what that was.
John Strand
An obvious troll.
Ralph
That's why you trade in with. I can't say the name, I respond.
Ja
Trolls are more fun if I buy into it and play back.
Hayden
Come on.
John Strand
When? I'll send you a calendar link. Okay. You're a North Korean APT, all right.
Ralph
And I'll refer you to Verizon. Get a really great deal.
John Strand
I'll call you on Max. All you have to do is go to Sketchy and download the Max app and then type in the custom server of sketchy1ru colon6.
Corey
I just signed up for the australvpn. So we can definitely.
John Strand
Oh, nice, dude. I've actually. Yeah.
Ralph
Channel for us.
John Strand
You going on the job hunt? No. So, okay, I think it's time with the last little bit of the show that we should talk about anal prints.
Corey
Oh, God.
John Strand
Okay.
Hayden
I can't believe people can do actual medicine with that.
Corey
Oh, God.
John Strand
Okay, so first of all, I'm looking. And why is this. Is this article from 2020? What is happening?
Ja
The first time it came up was in 2020, but Kohler has joined the wall of shame.
John Strand
They're like an actual reputable company. Okay, okay, so here is the. We're gonna. We're gonna verge into toilet humor for a little bit. That's not the one, Ryan. That's the one from 2020. Go to the next one. Go to the TechCrunch article from 2025. So we're gonna verge into toilet humor for a while. If you don't find toilet humor funny, then I'm. First of all, I'm sorry for your loss of that sense of humor that you used to have. But basically the article is that end to end encrypted. That's a feature of a smart toilet. There's a product. There's so many guys. Oh my God. God, we are breaking ground so much here. There's so many things that don't need to exist in the same sentence. Like number one.
Ralph
Okay.
John Strand
Number. The first thing that just really doesn't need to exist in a sentence at all is the combination of toilet and camera. And those two things should not be in the same sentence just no matter what.
Ralph
Toilet and end to end encryption.
John Strand
No, no, no. Okay. So I consider toilets to be already end to end encrypted. I. I go. And then whatever happens after that, I. There's that. That data's gone. Yes, that data is end to end encrypted.
Corey
Dude.
John Strand
I don't know where it. I don't know where it's being decrypted along the way. I don't think anywhere.
Ralph
It's not even end to end encrypted. It's like it's. You're sending your over. HTTPS is what it says.
Corey
Literally.
John Strand
Okay, yeah. Well, so that is. That is the problem. So basically that this is essentially.
Ralph
So.
John Strand
A threat researcher, a security researcher who I absolutely loved. I would love to have them on the show, published it. You know, basically kind of a tech article that essentially says it's not actually end to end encrypted. That person's name was Simon. Simon Fondry Tellier. I don't know how to say your name. I'm sorry.
Corey
He had to buy.
John Strand
But they had a block. They had to buy it, correct? Yeah. So basically they published a blog that's, you know, basically. The company's called Dakota.
Ralph
Oh my God.
Corey
You could get it on a subscription for $6.
John Strand
600 device. It's $600 plus a monthly subscription that attaches to the rear of your toilet. The purpose of this device is to collect images and data from the inside, promising to track and provide insights on gut health, hydration and more. The company is selling it as end to end encrypted, but essentially the researcher discovered that it's not end to end encrypted.
Corey
Did.
John Strand
They're just using HTTPS. So like, the marketing people were like, we're selling a smart toilet camera. Maybe we should just say it's encrypted and no one will ever care. Also, they really.
Corey
Their.
John Strand
Their response was like, it points down, bro.
Ralph
Yeah, they. It also says, I found the points down.
Ryan
How is it using the print?
Ralph
It's a great question.
John Strand
Okay. Based on anal. Okay, so the anal print concept, that was from an older article from 2020.
Corey
So this is poop though, right?
John Strand
Yes, yes. This is just like.
Ralph
This is a down though classifying it.
John Strand
This is a downward facing camera plus a subscription service. Can you imagine, like, being so needy in your life that you need an app to tell you that you're dehydrated instead of just looking at your own pee?
Ralph
Well, it's gonna get better because this, this paragraph says it's possible the company is using the customer's bowel pictures to train AI. Citing another response from the company, the researcher was told that Kohler's algorithm, quote, trained on de-identified data only.
John Strand
Is this the first job. Is this the first job for AI that it's actually good at?
Corey
Oh, my God.
John Strand
Yep, that's.
Ralph
This study's fine.
Corey
That's poop.
John Strand
Yep, it's poop. I figured it out.
Corey
Could you identify who it was?
Hayden
I just need to point out that we have gone from GIGO to SISO.
John Strand
I don't know what any of those acronyms mean.
Ralph
I got it and I appreciate it.
Corey
It.
John Strand
I see.
Ralph
Oh, man. I think this is how we find AGI though, is because AI at a certain point is like, I don't want to do this anymore, bro. Like, I'm done. I gotta get out.
John Strand
Think about this.
Corey
So, all right, so it said they had encrypted, you know, pictures, whatever. But, like, what would happen if you had access to all these pictures? Like, what, what could you tell?
Ralph
I could bully you, probably.
John Strand
I'd send a phishing message that says, hey, stop eating Hot Pockets. You have diarrhea.
Ralph
I guess it also cost 100 doll. Subscription is mandatory. Like, bro, everything is a subscription now. Like, from your bed to your toilet.
John Strand
It's just, I. I mean it more than anything. We just can't not talk about it because it's. We joked about it in 2020, probably about the anal print thing, and now here we are in 2025. There is a commercial product you can buy that has an app that charges a subscription fee. I mean, honestly, I think the most embarrassing part of this, if it was breached, would be finding out that your friend has a smart toilet that looks at their poop.
Ralph
Right?
John Strand
That's the embarrassing part.
Ralph
I would bully any of my friends that owned this. 100%.
John Strand
Yes, 100.
Corey
Oh, God. Now I have to return it. Thanks, guys.
Ralph
That might be worse than all of this.
John Strand
Now I feel bad. Okay? Now I feel bad. No judgment here. No judgment here.
Ryan
What if you have a guest and they use it and then suddenly, you know, you get this, like, notification from.
John Strand
Your smart toilet that is just. Is there gonna be, like, a Strava for pooping? And it's like, so many levels on which this.
Hayden
Someone in the discord presume for a second that it's TLS and the images are growing into some S3 bucket or something stupid like that.
John Strand
Yeah.
Hayden
And someone leaves it open because it's an S3 bucket and people do that.
John Strand
Shouldn't it be called an S3 ball?
Ryan
Stands for.
Ralph
Somebody in the discord said time to start flushing random things in order to poison the data set.
John Strand
Like, flush. Like, you know, in the toilet commercials down there. Yeah. They're like, how many golf balls can the toilet flush? As far as, like, 40 golf balls. They're like, poop help. 100 out of 100.
Ralph
Create a bunch of, like, soup down there. Like, here we go. Good luck with that one. Idiot.
John Strand
It is funny, though.
Corey
I think that this just highlights that a lot of companies say something's encrypted or end to end encrypted, and it's not. Right. SSL. And they're like, oh, look, it's. It's encrypted all the way to us, you know, but that's not end to end encrypted. I think that's just kind of what we're.
John Strand
Yes. It's funny. As a marketing term, it's. It's hilarious that someone said, I bet not. First of all, maybe this person was just going after that open S3 bucket like, or S3 bowl like you were talking about. Yeah, yeah, yeah, right.
Ralph
I mean, the end encryption is like, you know, whatever they say, like government. Government level encryption.
Corey
Okay, Dicks. I heard about that.
Ralph
Yeah. Oh, yeah, exactly. Government level. Okay, good for you, buddy. Like the same as everybody else.
John Strand
I think, just for context.
Corey
Most things that we interact with every day are not in the correct.
John Strand
The exception is minority.
Corey
Excuse me. Of the actual things we do are truly end to end encrypted. Most everything else right now has some level of transport encryption, so SSL, but that's really about it.
John Strand
Yes.
Corey
You know, give it a bit of.
Unknown Guest
Yeah.
Ja
Transfer.
Hayden
They say up front that it's.
John Strand
That the. If you're transporting.
Ja
I think they did vibe code it.
John Strand
Yeah. There's so many more jokes. I have like, number one. Does it have like a clog detection alert that sends you anyway?
Hayden
No, that's the smart toilet too. I've seen the thing about that. That is the actual smart toilet. It's not the camera you add to your toilet.
John Strand
Okay, I see. Yeah. So it's a $600 app. On the other thing, I think the only way this would ever work, like, the only way I'd ever consider it is if it's completely on device only. There's no Wi-Fi or any other data connection. There's no cloud component, there's no subscription, there's no nothing. It's just when you go to the bathroom, it gives you like a happy face or a sad face. And then you like, you adjust from there. You know what I mean? Like, it's got to be.
Hayden
There's a happy face and I call your doctor.
John Strand
There's a happy face, sad face and then call your doctor.
Ralph
And then there's like a, like a little chilly emoji.
John Strand
Chill.
Corey
Somebody's going to do a little project and find out. It's just random.
John Strand
Yeah. Really, it just is a four. You know, I. In one through four pick a random.
Ralph
Number or they use like GPT3 and please.
Hayden
Yeah, so somebody mentioned in chat, like, what about the doctor? There is an article saying, you know, you can do some amount of meaningful medical information by analyzing this kind of footage. So. So, like, the idea of that is not bonkers. Someone can do something with that.
Ralph
Yeah, it exists.
Hayden
That doesn't mean I want to spend 600 bucks on it. And it doesn't mean I want to get credit through paying for it with my FSA from some company based like.
John Strand
No, I think I'll just. No, I'll wait for my doctor to recommend a toilet camera and then I'll do that. When that happens, if my doctor does that.
Ryan
Or just go to your doctor with several hundred pictures of your poop and.
Corey
Be like.
John Strand
Doctors, your new LLM. I will say, okay, the, like, this might be. I think like the previously worst job on the Internet was the censorship. Or not censorship, but like the content moderation team. Right. Like running the content moderation for Facebook or something would be the worst job on the Internet because you have to like scroll through so much hate speech and child abuse material. I think that's still worse. But I think this is now the second worst job on the Internet is being paid to train a model to like run. What if you get this as a captcha? Is this poop Click all the toilets with poop. Like, I. Yeah, I mean, Amazon has.
Corey
The turk thing, right?
John Strand
Yeah, Mechanical turk.
Corey
That would be probably one of the chores that Kohler is paying. Yes, but do is like, is this good or bad? I don't know.
John Strand
Yeah, exactly. And then, yeah, I will say I do think like, I don't know how people are living, but when you go to like an airplane bathroom or a truck stop bathroom or something, they don't appear to be doing well. Like, it's not like people do not. Maybe people do need this. Honestly, I've come full circle. I think it's worth the 600.
Unknown Guest
Well, someone did put in chat that like customs. Like, you know, if people are like border control trying to like swallow stuff and get it passed, like there might be a use case for it there.
Corey
Oh God. Yeah.
John Strand
But that would just be. You wouldn't want the downward facing toilet cam for that one. You just want a security cam. Anyway, I think this article has. We need to flush this article. We need to flush this article. Yeah. All right, let's flush and talk about our CTF folks. Yeah, we only have a few minutes left.
Hayden
We'll.
John Strand
We'll talk about. Does someone want to announce the CTF winners? Ryan, do you want to.
Ja
Ryan has.
John Strand
He has no voice. All right, Ryan, just make jazz hands and I'll announce the winners. So the first winners are. The first place winner is Martha Bowen. Congratulations. You're winning a one year on demand subscription to Antisyphon Training. We have all kinds of training on security things. Things smart camera hacking, smart toilet camera hacking. All kinds of good stuff. We also have. The second place was Peter Jenzik or Jesic, who won one course. And sadly we do not actually have a course on IoT toilet hacking, but there's a lot of other really good courses on there. Hayden has a course. There's all kinds of stuff out there. So congratulations and thanks for participating in the CTF. I don't really know what it was, but it's probably pretty cool.
Ralph
It's clearly cool. Cause you won some free training.
John Strand
Yeah. That's awesome.
Hayden
Yeah. Good job.
Ja
Good job.
John Strand
All right.
Ja
Good job.
John Strand
Should we call it or should we do a final article?
Hayden
Do we want to talk about planes and cosmic rays? Because I can do that real fast.
John Strand
Eh, just get ECC memory. We could talk about how Flock's using overseas gig workers to build its surveillance AI, which is literally what we just talked about.
Corey
Right?
Ja
What could possibly go wrong?
John Strand
The same. The same thing we just talked about. So this is an article in 404 Media. Basically, they accidentally exposed training materials. I don't know what flock is. It looks like a. Is it a. They're like. All right.
Corey
Yeah, they're like a community driven. Not community driven, but like a. Cameras they put up all over the place. They're solar powered, they're cellular, so they can just drop them wherever and then they.
John Strand
So mass surveillance.
Corey
Mass surveillance, yes. It's a mass surveillance tool to help the world, I guess.
Unknown Guest
Okay.
Ryan
If the police buy a subscription, they don't need a warrant to search, so that's wonderful.
Hayden
Right?
John Strand
Are you telling me I shouldn't commit crimes in the middle of the public street?
Ralph
No, you should. I feel like not in your car.
Ryan
Like borrow someone's car.
John Strand
Just ride a bike. Oh, yes, Bike. Let's go.
Ralph
Yes.
Corey
Bikes are back, man.
John Strand
Yeah. Okay, so. So I mean, basically the. The article is that they accidentally exposed training materials which showed that they essentially are using workers in the Philippines through Upwork, which is like a business process outsourcing type dealio, to train its machine learning algorithms, telling workers how to review and categorize footage, including images of people and vehicles in the U.S. I feel like this, the angle here is more about like sanctity, you know, data sanctions around like this data arguably shouldn't be leaving US soil, right? Like, yeah, theoretically. I mean, I don't know. I guess it's a company's private data. But it seems like, you know, in a GDPR type scenario this very, you know, sensitive, potentially information on US citizens shouldn't be heading to the Philippines for. For outsourcing. I don't know.
Ja
Even with encryption.
John Strand
Well, it doesn't really matter.
Ja
Side.
John Strand
Because then on the other end.
Ralph
Yeah, exactly. The end is in the wrong place.
John Strand
I love. Yeah, the end is in the wrong place. Yeah. So I mean, I. I guess what I would say is like, I'm not surprised. I think that this is like industry standard for this. Like, this is. You know, we were just talking about it with Mechanical Turk. I don't think there's any like data sovereignty rules with the Mechanical Turk either. Right. Like, if I go submit a data set, maybe I can pick an option that says only use US Based workers for this. That'll probably make. Make it cost five times as more, but. Oh, yeah, yeah. So, I mean, mass surveillance is pretty sketch. You know, I'm not a huge fan of this as a concept. I think we probably need some rules around this.
Ralph
Corey has a hot take. Is surveilling people bad? Freedom good.
Hayden
Right? Very hot take.
John Strand
Sorry. I I didn't mean to get political there for a second.
Ja
Well, you know, before Y2K, I know I'm. I'm old. There were a bunch of surveys being made in 1999 about what people thought would be the biggest issues that would be faced in the coming century. And a good friend of mine, a paralegal, her response was that privacy was going to be one of the biggest issues to face in. In the 21st century. And as we've gotten further along into it, that one prediction has held out, because over and over again, what do we keep running across? Who owns your data? Who owns data about you, who can utilize, manipulate, analyze data that was captured with or without your knowledge? So this privacy thing, it's ongoing. Technically, it sort of isn't a cyber security thing, but it also is because.
John Strand
Yeah, no, it definitely is.
Ja
Big deal in cybersecurity. Right.
John Strand
Well, the other thing is we talk about the cybersecurity. Well, first of all, we got rid of. We fixed the privacy thing by just deleting it. It's fine. We just don't have privacy. We don't have privacy.
Ralph
It was end to end encrypted too.
John Strand
Yeah.
Ja
So was that one of the 96 databases that got deleted?
John Strand
Yes.
Corey
Correct.
John Strand
No. I mean, I think. I think basically that the reason it is a cyber security thing is because it wouldn't be the first time and it wouldn't be the last that these get breached and the amount of information that's contained in them is huge. You don't think nation states are going after this data? Wouldn't Russia or China or our adversaries, even if you look at, like, take the most conservative approach you can, if this data is arguably too valuable to be to exist.
Ryan
Right.
John Strand
Like, if it. If any adversary of the US Gets into this database, they're going to know where every person is, is where, you know, like, it's just too much information to have from a spy perspective. From an espionage, it's just too valuable. Whoa.
Ja
Do we need to let someone in something like that?
John Strand
I think that's. I think that's the judge hammering the gavel saying it's time to end the show.
Ralph
Yeah.
John Strand
Order. Yeah. All right. I think that's.
Hayden
That one's my fault.
Ralph
Sorry.
John Strand
It's okay. No worries. It's. It's a time. It. That's the. That's just the announcement that it's time to end the show.
Corey
Show.
Ralph
We need that every week at 5:30.
John Strand
We do that every week. Thank you for coming, everyone. And we'll see you next week. Bye. Bye.
Podcast: Talkin' Bout [Infosec] News
Host: Black Hills Information Security Team
Episode: A Live Stream From Inside Lazarus Group (2025-12-08)
Date: December 11, 2025
In this lively and insightful episode, the Black Hills Information Security (BHIS) crew and friends cover an eclectic mix of current infosec news and notable oddities from the security world. Discussions span from major software vulnerabilities (notably in React and Next.js), a behind-the-scenes look at North Korea’s Lazarus Group, eyebrow-raising incidents involving smart toilets, the ethics of government surveillance and app mandates, misadventures of federal contractors, and the privacy implications of modern surveillance tools. The hosts’ trademark banter adds humor and accessibility to deep technical topics.
[04:13–08:12]
Takeaway:
Patching is always advised, but this particular flaw—though severe on paper—ended up with limited exploitation in the wild.
[09:04–18:31]
Notable Quote:
“No matter who or what you are, you cannot escape just meeting scheduling. And I struggled with Microsoft’s options for this.” – Ralph [12:25]
[20:33–26:36]
Critical Reflection:
The team is dumbfounded at how easily previously convicted felons with history of database deletion were rehired, underlining gaps in security vetting and contract culture (“lowest bidder” mentality).
[26:36–35:38]
Broader Context:
Parallels drawn with Russia’s blocking of U.S. tech and the challenge of bloatware vs. first-party apps.
[45:01–55:01]
Insight:
Raises serious privacy concerns over medical and biometric data being collected by consumer IoT, as well as incidental data leaks (“S3 bowl” jokes abound).
This episode is fast-paced, humorous, at times irreverent, yet always insightful. The group is quick to laugh at absurdities in both hacker culture and the infosec industry, but can pivot into serious critiques of privacy, government overreach, and failures in basic security practice. The team’s camaraderie and genuine expertise make the episode accessible for newcomers, while deep enough for seasoned security professionals.
| Segment | Description | Start Time |
|---|---|---|
| Password/2025 banter | Light start, year-in-password jokes | 02:50 |
| Next.js/React CVE | Technical breakdown, mitigations | 04:13 |
| Lazarus Group/Any.run | Attribution, methodology & memes | 09:04 |
| Contractor database wipe | Repeat offender saga | 20:33 |
| Apple vs. Government Apps | Privacy, app mandate ethics | 26:36 |
| Russia bans FaceTime/Roblox | State control, comms security | 37:42 |
| Smart toilets | Privacy theater & IoT security | 45:01 |
| Surveillance outsourcing | Flock, privacy implications | 58:02 |
| CTF Winners & close | Announcements, wrap up | 56:39 |
If you missed the episode, this summary will bring you up to speed on all substantive content and give you plenty of quotable highlights—minus the ads and banter detours!