Podcast Summary
Podcast: Talkin' Bout [Infosec] News
Host: Black Hills Information Security Team
Episode: A Live Stream From Inside Lazarus Group (2025-12-08)
Date: December 11, 2025
Main Theme and Purpose
In this lively and insightful episode, the Black Hills Information Security (BHIS) crew and friends cover an eclectic mix of current infosec news and notable oddities from the security world. Discussions cover major software vulnerabilities (notably in React and Next.js), a behind-the-scenes look at North Korea’s Lazarus Group, eyebrow-raising incidents involving smart toilets, the ethics of government surveillance and app mandates, misadventures of federal contractors, and the privacy implications of modern surveillance tools. The hosts’ trademark banter adds humor and accessibility to deep technical topics.
Key Topics, Segments & Insights
1. Password Change Humor & Year-End Reflections
- [02:50] The team jokes about “running out of podcasts in 2025” and how they can’t wait to change their passwords to “podcast2026!”
- Humorous Note: The crew pokes fun at using years in passwords and how hackers are either a year behind or ahead.
2. Next.js & React RCE Vulnerability
- [04:13–08:12]
- CVE involving React and Next.js discussed.
- Real-world impact was minor for BHIS clients; Cloudflare and others swiftly mitigated.
- Quote: “...if you’re really out of date, like if you’re on Next.js 12, you aren’t vulnerable to this. So like, you had to be sort of modern to be exploitable in this scenario.” – John Strand [07:26]
- Takeaway: Patching is always advised, but this particular flaw—though severe on paper—ended up with limited exploitation in the wild.
3. What Does a Malware Developer Look Like? (Lazarus Group Focus)
- [09:04–18:31]
- The team discusses an Any.run blog with real webcam images of Lazarus Group operators.
- Favorite Moment: “To me, he just looks like a completely normal guy… at the very least I was expecting the hoodie, the red eyes, like the red lightsaber.” – John Strand [10:22]
- Insights:
- Lazarus operates like a typical business, seeking remote IT jobs in the West via standard job boards and tools like Calendly.
- Attackers’ own hiring and vetting tactics are highlighted, such as using GitHub PRs and Calendly links to lure victims.
- Notable Quote: “No matter who or what you are, you cannot escape just meeting scheduling. And I struggled with Microsoft’s options for this.” – Ralph [12:25]
4. Government Contractors Deleting Databases
- [20:33–26:36]
- Story of two Virginia brothers (repeat offenders) wiping government data after being fired—despite long criminal records, they were rehired by a federal contractor (Opyxus).
- Quote: “Digital crimes are the easiest to get caught doing.” – John Strand [23:07]
- Critical Reflection: The team is dumbfounded at how easily previously convicted felons with a history of database deletion were rehired, underlining gaps in security vetting and contract culture (“lowest bidder” mentality).
5. Apple vs. Government-Mandated Security Apps
- [26:36–35:38]
- Apple refused India’s directive to pre-install a state cybersecurity app on all iPhones—insisting on safeguarding the “out of box experience.”
- Group discusses the thin line between privacy, censorship, and forced surveillance by governments.
- Quote: “Anytime a government wants to force an app to be loaded into all digital devices within their nation state span, that’s pretty sketch…” – Ja [29:48]
- Broader Context: Parallels drawn with Russia’s blocking of U.S. tech and the challenge of bloatware vs. first-party apps.
6. Russia Blocking FaceTime, Roblox, and More
- [37:42–43:27]
- Russia’s recent nationwide ban of FaceTime and Roblox, efforts to replace them with the surveillance-ready “Max” app.
- Discussion centered on what apps governments target (usually the hardest to surveil) and the implications for citizens’ communications privacy.
- The group speculates about why, although most Western companies have already pulled out of Russia, software bans are only now catching up.
7. Smart Toilets, “Anal Prints”, and Security Theater
- [45:01–55:01]
- The bizarre story of $600 smart toilets with “end-to-end encrypted” cameras and data tracking (in reality, only HTTPS).
- Security implications, mockery of marketing language, and anecdotes about AI having to analyze user poop pictures.
- Quote: “I consider toilets to be already end-to-end encrypted. I go, and whatever happens after that… that data’s gone.” – John Strand [46:32]
- On AI Training: “This is now the second worst job on the Internet—being paid to train a model to like run… what if you get this as a captcha? Is this poop? Click all the toilets with poop.” – John Strand [55:01]
- Insight: Raises serious privacy concerns over medical and biometric data being collected by consumer IoT, as well as incidental data leaks (“S3 bowl” jokes abound).
8. Mass Surveillance Platforms & Outsourcing
- [58:02–62:29]
- Flock, a mass-surveillance camera network, accidentally exposed training materials revealing their use of overseas gig workers to review U.S. surveillance footage.
- Notable Points:
- Raises data sovereignty concerns; whose data is it and where does it go?
- Discussion leads to privacy as a persistent and unsolved issue in 21st-century security.
- Quote: “Who owns your data? Who owns data about you, who can utilize, manipulate, analyze data that was captured with or without your knowledge?” – Ja [61:10]
9. CTF Announcements and Closing
- [56:39–57:40]
- Winners of the on-demand security training and course prizes are announced, and hosts close the show with typical lightheartedness.
Notable Quotes & Memorable Moments
- “He just looks like a guy that just got back from the grocery store and is on his 9 to 5… that’s what it is.” – Ralph [10:44]
- “Imagine the call where you get called up by the FBI and they’re like, hey, do you use Calendly?” – Ralph [19:54]
- “We joked about it in 2020… and now here we are in 2025!” – John Strand (on smart toilet tech) [50:15]
- “The most embarrassing part of this, if it was breached, would be finding out that your friend has a smart toilet that looks at their poop.” – John Strand [50:39]
- “We fixed the privacy thing by just deleting it. It’s fine. We just don’t have privacy.” – John Strand [61:47]
Overall Flow & Tone
This episode is fast-paced, humorous, at times irreverent, yet always insightful. The group is quick to laugh at absurdities in both hacker culture and the infosec industry, but can pivot into serious critiques of privacy, government overreach, and failures in basic security practice. The team’s camaraderie and genuine expertise make the episode accessible for newcomers, while deep enough for seasoned security professionals.
Timestamps Quick Links
| Segment | Description | Start Time |
|---|---|---|
| Password/2025 banter | Light start, year-in-password jokes | 02:50 |
| Next.js/React CVE | Technical breakdown, mitigations | 04:13 |
| Lazarus Group/Any.run | Attribution, methodology & memes | 09:04 |
| Contractor database wipe | Repeat offender saga | 20:33 |
| Apple vs. Government Apps | Privacy, app mandate ethics | 26:36 |
| Russia bans FaceTime/Roblox | State control, comms security | 37:42 |
| Smart toilets | Privacy theater & IoT security | 45:01 |
| Surveillance outsourcing | Flock, privacy implications | 58:02 |
| CTF Winners & close | Announcements, wrap up | 56:39 |
If you missed the episode, this summary will bring you up to speed on all substantive content and give you plenty of quotable highlights—minus the ads and banter detours!
