A.I. Transcription Startup Was Just A Guy Taking Notes - Talkin' Bout [infosec] News 2025-11-17
A
Get banned from Pyongyang.
B
I'm already banned from Pyongyang.
A
Are you really?
B
Dude, without a doubt. I am scared. Have you seen the B sides? Pyongyang stickers.
A
Oh, dude, I've been getting. I. I've been trying to get unbanned. And that's why I've been getting people. That's why I've been getting a bunch of North Koreans their jobs. And I'm definitely open to.
B
Dude, it's quick. It's. You know those like, hard words for passive income? Like you can earn $10,000 in three weeks. Like, who would have known?
A
I send out one of those.
B
All of your information. Right, right. Like North Korea. Good.
A
I've been making $10,000 in my PJs since 2006, when I first got scammed.
B
This was not the topic I was going to go live for, but it's definitely a worthwhile one. Now we got to do 10 minutes. I was going to talk about. This is the first year I've ever got one of these red Starbucks cups.
A
Dude, you're still going to Starbucks? I thought we canceled that years ago, you guys.
C
Did.
B
I. I need to go. I need a quick fix. And I don't want to spend too much.
A
I don't know about.
B
And they're giving away these free cups, so now I just keep using it.
A
So tell me. Oh, it's a plastic cup.
B
Yeah, it's like a reusable one. It's.
A
It's not, but it's not up there.
D
Drugs instead of Starbucks. Like meth has.
B
You don't think I'm not on drugs. Like, I work in security. Come on. I'm on some form of antidepressant.
E
Caffeine is a psycho altering drug.
A
I just. I can't believe. Starbucks.
F
The paradox stimulant effect.
A
I don't know. I mean, I live in Portland, so, like, good luck Starbucks. Like where. No, they're unionized. Good coffee hipsters.
B
There are so many coffee shops in San Diego. Like, you just throw a rock and you hit three. Not even one. Like three. Yeah, I just go to Starbucks because it's like in and out.
E
A mint mocha. However, I can't.
F
Mocha.
B
That's exactly what this. This is a peppermint mocha right here.
E
Like triple shot grande peppermint mocha. That is my, my.
A
Okay, that's like $15.
B
Pretty much.
E
Which is why it's a guilty pleasure that I only have maybe once a month at this time of year.
A
All right, fine, fine.
E
I might Splurge and do it three times in the quarter. But, you know, that's about it.
A
I do like, a PSL one time a year. Although, fun story about. Okay, so here's a fun story about a pumpkin spice latte. All right. In my family, we do espresso. At home. We have an espresso machine. We've, you know, the whole shebang. And so my partner made pumpkin spice, like, liquid, and, you know, put it in the fridge in one of those, like, little liquid storage containers. And I went to go make coffee one day, and I put in some of the pumpkin spice, and I took a drink, and I was like, oh, my God, this is disgusting. Why is it so salty? And then it turns out that I just put soy sauce in my coffee.
B
That's. That's a hipster drink. You haven't had the soy coffee yet. The soy sauce.
A
It's. It's funny, though, because my first reaction is, wow, my partner really screwed up making this part. This pumpkin spice. This is disgusting. Then I was like, wait, no, this bottle says soy sauce. Never mind.
D
Did you finish drinking it, though, Corey?
A
No, I dumped it out. I couldn't do it. I couldn't do it. It was so salty. I did not go easy on the pumpkin spice because I was expecting it to be delicious. So it turns out it was disgusting.
F
I had some friends over, and they mixed up which of the salt and sugar bowls was which, because they assumed we went through less sugar than salt by, like, a lot.
B
Do you leave a bowl of sugar on the table?
F
I have a canister of sugar just for making tea and coffee.
B
Okay. It's like a canister. Like, I'm thinking, like, well, I have a pinch bowl of salt, right? Like, I don't have a canister a salt. Big ground, right?
F
No, this was. This was in the kitchen, and we had these lovely ceramic set that went down from flour through sugar to salt, because we used them in roughly that pace. And he would switcheroo and put, like, a tablespoon of salt.
A
It can happen. It can happen.
B
I just got caught up on a great British bake off. If anyone. If anyone's a great British. Like, I just finished, and in the final, the dude mixed up salt and citric acid. In the final, in the finale, like, this is it. Like, he shows up, dude. His bread just didn't.
D
Like, my wife's gonna make me watch this, and now I have to act surprised. Thanks.
A
Well, it's spoilers.
B
It's been out for a couple weeks, so I'm gonna. I'm gonna assume. But I didn't tell you who.
C
Yeah, just.
D
I can't believe he did that.
A
Oh, yeah, you should predict. I hope that's really sugar.
B
The moment you see that, you realize, oh, that sucks.
C
He lost.
B
Like, he's gone.
E
Maybe.
D
Maybe he still wins it. I don't know.
A
Yeah, you don't know the outcome. He could have won it. They'd be like, I mean, it's GBBO, so they might be like, we're so sorry. We're gonna let you remake it. Everyone's feeling so sorry for you.
B
I'm not gonna do a British accent, but.
A
No, I'm also not gonna do a British accent. Everyone's got a good one. We can do it. So Wade's like, loading British accent.
B
I'm trying, like, let me. Let me get my British accent.
A
Imagine you're Ted Lasso, but you're not Ted Lasso.
B
You're somewhere else.
G
Come on, you could do it. Anybody could do a good British accent. People could do a lousy one better, though.
F
There you go.
A
That was pretty good. Just engage your inner dungeon master. There's a British NPC.
C
It.
B
It's in there. I just don't want to get cancelled. All right, Like, I'm on, like, podcast.
A
And, like, dude, we had already had the one tea party. We don't need to do another one.
F
It's fine.
B
I already did the chicken stuff. Like, I can't do British accent, too. Look who shows up.
A
What chicken stuff? Please elaborate.
B
Like, I brought the chicken topic, and now it's just forever a thing. Like, I talk about a lady stealing chicken wings once.
A
Yeah, it was definitely only once. You didn't then every week for the next six months, bring a chicken article.
B
I didn't. Other people did. That's the way the community rumble. Like, and then someone's like, oh, I'll pay her. Like, it just.
C
You just wanted to make chicken a thing the whole time. I know.
B
I don't know why we don't have chicken stickers yet like that.
A
I will say some spoiler alert for this week. No chicken articles.
C
No chicken.
A
If you're here for the chicken articles, just, like, just go watch another podcast. I guess maybe next week I can find turkey.
B
We have a whole.
A
Oh, nice.
B
Darn. You should. That would have. That's for next week.
F
The turkey did not come back to my neighborhood.
C
Turkey. It's only good fried. Turkey.
B
I.
A
Turkey is just.
F
There was.
A
Turkey is just the baseball.
F
There was a male turkey. Yeah. All of last year for, like, I don't know, six, eight weeks. Who would just camp out in the middle of one of our major roads and block traffic and be a pain.
A
I mean, that sounds like something.
F
It was so ridiculous that this turkey got named Turcules for being so strong to stop all the cars.
A
That's pretty good, I will say. I mean, I don't want to get political, but, like, does every president pardon a turkey? Is that, like, is Trump going to do that? Is that.
C
Yeah, the whole pardoning of the turkey.
F
Yeah, he's done it before.
A
So maybe Turkzilla or whatever turkey was pardoned, and that's why that turkey thought it was hot shit, because turkey was.
F
Relocated to an undisclosed location.
A
It was a farm upstate.
F
We didn't kill it.
A
Someone's got the biggest freaking turkey on the table. They're like, yeah, no, I just got this at Costco.
E
Turkeys now entering the witness protection program.
B
I just think of the Rick and Morty where they turn themselves into turkeys in order to get pardoned. Like.
A
Yeah, that's a good one. Shall we roll the. Should we roll the. Roll the news?
C
Should we go?
A
I'd say we go. It's 129 or 339 or whatever. 4. 429.
F
I don't know.
C
429, 429. 9.
A
There's only two time zones, Eastern and western. Sorry, Sheki. Sorry, Shecky, you're out. You don't have a time zone anymore.
F
Skip away.
G
I am timeless.
C
Yes, you are.
F
Only the continent edges count. I see. I see How.
A
Welcome to Black Hills Security's Talkin' Bout News. It's November 17, 2025. We've got U.S. citizens charged with aiding and abetting North Korea. We've got, sadly, no chicken articles. So if you're here for that, I'm going to apologize in advance. We have some changes to Android with sideloading, and I guess we might as well start here. Companies are rehiring people after they fired them for AI reasons.
B
Who would have guessed?
A
That's amazing. Like this article. I hope this is real. I hope this is real. So this is an.
E
I've been seeing reports elsewhere.
A
Okay. Yeah. This is an article in TechSpot that's covering some data published by Visier. I don't. I hope that's how you pronounce that. Which is a firm that published a report, essentially, companies. So they. They have. They keep track of a rate of how many companies are rehiring employees that they previously let go. And apparently, like, the base rate for this is 5%, but apparently now that's been increasing. People have matched that expectation to companies that are getting rid of people to replace them with AI and then backtracking. We have seen some famous examples of this which we've talked about in the show. Like that Australian bank that laid off their entire customer support team and then had to rehire all of them back. It was like 40 people. I don't know. I guess like this is, this is causation, not. Or this is correlation, not causation.
F
Right.
A
Like, this isn't necessarily an authoritative. It's not like companies are reporting. This is in the category of hired back after we replaced them with AI. But this rate going up in the current, like, ecosystem of things, it does make sense. Any thoughts on this?
D
Is this rate of like actual former employees that they're asking to come back or is that they're like reposting these jobs and it's. It's that reposting them at the same scale?
C
Okay.
A
It's basically the firm specifically analyzed workers who were laid off and then later returned. So like they have a special rate that they track for employees who are laid off at a company and then returned to that company later. I will say, don't get me wrong, I love just like slapping AI around a little bit. But I do think this also could just be general economic uncertainty. You know, like there was a shutdown, tariffs happened, then they got rolled back partially. Like it could just be the pendulum swing of like instability and the economy. But I also love the idea that it would be AI.
B
Like what wasn't right? I agree with you. Like everything was unstable. That's the one hard part to judge about this. I've only been in one org where they actually did a pretty gnarly layoff and then they actually hit like three of the people back up. Like, hey, you know what, can you guys come back? And they all said no. So I would almost be interested. This was a different time too though. This was like five years ago. I would be interested if all those people actually came back. Like how many people did they offer and how many people like act like? This is the 5% that actually came back. Which I'm going to tell you, like, hiring someone who's already worked there is so much easier for training. Right? It's very much like when you're promoting from within or trying to move someone over to security, it's so much easier to bring someone over from like it because one, they know where all the bodies are already buried and two, they already know the organization. Like you don't that's like half the work. So. Yeah, I would, I would give them a bonus too if they came back.
D
Like. Yeah, we're.
C
I was gonna. I was gonna say I read an article recently about that. It was talking about just giving bonuses to people who are not bonuses but like ask for pay raise instead. Instead of. They would fire them. But the, the problem is is that like. Or to replace them. But the problem is and I'm using this very generic right. Not necessarily an individual. The problem is is that the cost you mentioned to get a new person in the spot who actually wants more money than the person that probably just asked for a raise and then the time it takes them to actually get producing and be able to be a contributing member of that team, especially at you know, higher end jobs, you know, it costs way more. It's easier just to give them that 10% or 20% or whatever. Right?
E
Yeah.
C
Because you will blow all of that. Right. And. And it like it. It's kind of like waving your hands because when you do the math and you sit down, you actually look at what it costs to bring on someone new. It's usually significantly more expensive than keeping someone.
B
How. How long does it normally take, do you think, for like a red teamer to spin up at a new org, at his new organization? Yeah. Like is it more. It's. It's less than a blue teamer.
A
Definitely less.
C
Yeah. Yeah. I would say though, to be quite honest, in the couple different scenarios that I have seen, I think that it's probably reasonable to say that three to six months is probably where they're like actually onto that organization. The problem is that not every organization is going to operate the same way. Sure, that may be the same, but things are going to be different. We want my report like this. We do things like this. We communicate like this with the customer. There's a lot of nuances inside that organization that are just different. Whether they're the good thing, the right thing or the bad thing, it doesn't matter. That's what they're expecting inside that organization. Getting ready to, you know, work inside of that organization can take time to kind of learn all of that. Not to mention just learning the team and how they all work together.
B
So yeah, I was gonna say like for a blue teamer you just hope that there's documentation.
C
Yeah.
D
I think for a red teamer too. I mean you should be used to like having to familiar yourself, you know, familiarize yourself with an environment pretty quickly. So I don't know that that's like the metric that you'd want to be using, whereas, you know, a blue teamer or a dev or something. But I, I've absolutely heard that it's like six months until you can expect anything productive out of somebody.
C
Yeah, I mean, maybe, yeah. I mean maybe you. There's productivity happening, but they're just not producing at the same level as someone who's been there for three years and knows the rope and knows all this other stuff. That's, that's really, I think the, the art.
A
Yeah. I mean, basically there's a couple questions in chat about like, do we know this is tied to AI? The answer is no. What we know is the metric of people getting rehired by companies they were previously laid off at is going up. And then we're speculating about why that might be. There's a lot of uncertainty. Executives, I think in general, executives need to be careful when they're doing these big layoffs and they should acknowledge that at least this trend indicates they're going to have to pay $1.27 for every dollar they lay off. So like, that's the metric they give in the article is if you, you know, if you save a dollar laying off someone and you have to hire them back, you're going to spend $1.27 for that same price.
C
Sounds about right. Yeah.
A
Yeah. If your company lays you off and then they call you back and want you to give your get your job back, aren't you going to ask for a raise? I would like. Of course. I have you right where I want you.
C
Yeah. They need you back. Right. So.
A
Yeah, totally.
E
I know. And in the various newsletters that I read, I've seen some really surprising numbers. One is that in the United States, crossing all industries, over a million people have been laid off this year. And so we, we talk about the numbers in the tech space, but the whole layoff thing is, is much broader and it's, it is covering a lot of different industries and the, the hire-back thing has been going on for well over a month now. None of the companies hiring people back have said outright, oh gee, we screwed up. We thought we could replace you with AI and we were wrong. No, they just say, you know, we want you to come back to the fold and all that stuff. So it's, this has been going on for a while. I'm also seeing a lot more pushback against AI in general because one, people are, they're tired of having it shoved down their throats. They're tired of having the new incarnation of Clippy being annoying and all over the place. And I suspect that we're going to see even more of that in 2026. And the whole AI bubble thing has not fully manifested, but when it will be, I hope you got a seatbelt on.
D
I think you're wrong there, Bronwyn. I'm going to call it now. I think it's going to be the opposite. I think we are going to see the small and medium business market going into like, hey, this has been around long enough now and maybe it's gotten a little bit cheaper and we want AI stuff. They still have no idea what they want AI for or how to implement it, or whether or not it's working or anything else. But we are going to see a big surge in the companies that didn't do it yet because they were just like, no, we absolutely can't afford that start to say, okay, we need AI for things. Well.
B
Last week I did nothing but look at AI SOC offerings.
C
Oh, wow, that's like a money. Right?
A
Give us a three minute summary.
B
I'm not gonna lie. Like, I'm a little scared. Like, legit. I immediately started learning how to use agentic stuff.
A
So I was gonna say, exactly. Eric and Whitney's podcast and build an agentic system for yourself. Right? Like, that's what everyone should be doing.
B
And a lot of these, a lot of these organizations are just like, so exactly what you said. They. All they're doing is making it easy mode for you to turn agent stuff on. So at this point I am like, yeah, I definitely want one of these to help me out and do stuff. Like, it's easily going to be a humongous force multiplier for, for me. But I'm also like, okay, I have this tool. How can I go and build this myself? And it doesn't seem particularly hard.
C
I mean, I know you don't need those big companies.
A
The old adage has, in my opinion, has still not been subverted, which is, AI is not going to replace anyone's job. AI is just going to replace the jobs of people who are unwilling to use AI. That's how I feel. That's how I feel. Maybe that isn't true technically. Like, there will be people who, like, all I do is, you know, customer support, like replying to people's chats with links or whatever. Like, certain jobs will be automated, but like, if we're talking like security jobs and like whatever we want to call them, like tech jobs, whatever, people who are unwilling to use AI are going to get replaced because they're going to get outpaced by some guy with an agentic AI that can make his investigation twice as fast.
E
Yeah.
A
But as an executive, if it were me personally, I would much rather have my agents, my SOC investigators, using agentic AI to assist them, but also still having that human in the loop of like, you know, we need that human in the loop to like make sure that it didn't just hallucinate and be like, well, actually this is, you know, you go crazy hallucinate and find.
C
I think Bronwyn is actually right though. I do think there is going to be a AI like bubble. Right.
A
Pushback.
C
Yeah. So like, and I think it will kind of crash. Now how that actually plays out, what I think is funny is the, the best one we can think of is like the dot com bubble. Right. And everything they said in the dot com bubble turned out to be true. Everything that they imagined is exactly how it happened. Right. It just didn't happen right at that moment. But the real thing when we say bubble is just a lot of investment and a lot of buzz that just kind of really dies really fast right now. Did the Internet become exactly what they said? Absolutely it did. Right. But it just didn't happen in that moment and people weren't able to make a bunch of money. So that's I think like the bust. But what I think is interesting or different between the two is that the AI kind of bubble bust, I think it will be like as intense because there is actual practical application right now that is being used that people aren't going to stop using just because the company's not. So it's not all snake oil. That's what I guess I'm trying to say. A lot of websites were like, we're going to do this, it's going to be awesome. But they weren't actually doing it yet. And then eventually that came along. So. Yeah. So.
A
Okay, hold on while we're here. Go ahead, Bronwyn, go ahead.
E
Well, one of the other factors too that is helping contribute to the pushback is the high degree of errors, the hallucinations, confabulations, whatever you want to call it in. With some LLMs, it's as high as 67%. With others it's as low as only 30%. And people, how many times have we covered the fact that a company, they billed thousands and thousands of dollars for a report that was AI generated and it was slop and they've got egg all over the place.
D
Real.
E
The slop is Real. And the slop is part of the reason for the pushback.
G
What I see happening flat out is that you're going to see a burst of a bubble which is going to get rid of all these smaller players that have the 67 or the real high percentage rates that are hallucinations and errors. Before you go ahead and get anything else going with it, it's going to expand, it's going to boom, and then what you're going to have left over is going to be the good stuff, the stuff that's actually going to start working.
A
I think we could talk about this forever. Yeah, let's. Let's talk about a specific hilarious example of an AI bubble bursting, which is the company called Fireflies. Yeah. So basically this is an article in Futurism where a company, a founder of a company, admitted that his AI transcription startup was just him joining people's meetings and taking notes by hand, which.
E
Okay, this is the mechanical turk that used Fireflies. It's so funny.
D
It's a digital turk. Torque, Corey, come on.
A
It's a digital turk, but it's not really, because humans are still. Yeah, you're right. It's a digital turk. Basically. I guess I would say I have to assume this is a little bit clickbaity and that this is kind of like a supplementation thing. Right? Like that they weren't.
D
Isn't this company actually viable now? Like, aren't they making money?
E
It is.
A
I think this is more just. I don't know, but I'm guessing this is more just like at the time, this is what we had to do to make ends meet. Now it's more a viable action.
C
So they had the plan and then they were like, well, we don't actually have the tech yet, so we're gonna have to just do it the real work and then eventually we'll catch on.
A
Yeah. So this was early on, right? Like essentially the actual quote, essentially in. In 2017, this company started out as a hundred dollars a month quote, unquote, AI that was just two guys. Yeah. So basically they were the product. They told their customers it was an AI that'll join a meeting. It was just him and the co-founder taking notes by hand. They would joke and change their name to Fred. But obviously now it's a viable company with a $1 billion valuation. They basically faked it till they make. Made it now, have automated the process and essentially turned it from snake oil into real oil oil. I don't know what turns. What's like the alternative to snake oil, I don't know. But it is kind of funny though.
C
Because if you think about it, like, if you were to sit into a bunch of meetings, right, you would be thinking about the whole time how you can not have to sit in these meetings.
E
Right?
A
It's the Bill Gates quote of like, if you want a job to be automated, give it to the laziest guy in the room.
C
Yes, exactly, exactly. And so that's probably what eventually actually happened. They were like, all right, we got to find something. All right, we could do just this one thing. All right, that saves me the beginning of the meeting or whatever.
D
Who's here wouldn't pay a hundred dollars a month to not have to do meetings.
A
Well, I don't have to. I have Microsoft summarizing all my meetings for me and creating action items. So, like, this has already got. So you think.
D
So you, you don't know that that's not just a room full of guys, man.
A
That's true. That's true. It could be a room full of people that I don't know about. I mean, yeah, who knows? But like, and, and yeah, I mean, I think it's, I think more than anything it's a little bit of like a viralized take on a more long form interview where they mentioned this and then people were like, I'm sorry, what? Like they got a little bit excited about it. But yeah, I mean, it's. There is. We talked about, we talked about human in the loop. There's still human in the loop. What did you say, sir?
F
Yes.
D
A couple months ago, what didn't we have a story about somebody going to jail for basically this exact same thing with a different company?
F
Yes, different company. They were outsourcing the work somewhere else and they were going to court for two things. One was fraud, and I don't think they were going to get any jail time from that. But there was supposed to be some kind of civil consequence. The second one was that they were doing all of the paperwork for the workers who were actually doing the AI Did IT work? And so they were getting hit for something in the general range of like human trafficking kind of stuff for law because they weren't paying them anything. It was sweatshop type work.
A
Oh, okay.
D
Well, so there we go.
F
So the one is.
D
Which is bad.
F
The one is terrible and the other is sketchy as all hell.
A
Okay, so speaking of sketchy as all hell, we should talk about this. Charges that were filed against five US individuals for helping North Korea's whole IT worker scam. Fan, basically five. Five humans, most of which are between the ages of 20 and 30. All of which I guess one's 34. But young, young guys essentially were they pled guilty wire fraud conspiracy for knowing allowing it. Knowingly allowing IT workers located outside the US to use their US identities. So essentially this is probably one of those things where you don't realize what you're agreeing to. You get the whole joke about oh 10k in your PJs from home. This is that right? Someone contacted these individuals and said hey, we need to use your identity. Don't ask any questions. Essentially they helped vet pass employer vetting procedures.
C
Aren't they selling this as a service though?
A
They even did drug testing.
C
Yeah, there was something called upwork selling and it was designed for overseas IT workers to buy or rent stolen or borrowed identities.
A
Well, so that's one of them. So Didanko or I don't know how to say that Alexander Didenko, I don't know. He ran a website upwork Cell designed specifically for that.
C
And the other one just like just on the hush, right?
A
Yeah, I think each one is maybe a little bit of a different case or however you say it. I'm sorry if you're Ukrainian or whatever and I'm saying it wrong, he was probably the most prolific. He proxied or managed as many as 871 proxy identities and had laptop farms in the US and like a lot of them are just companies. Tag Car apparently was one of them which certified IT company certified IT workers. So the, I mean it's all criminal.
C
The general, the general idea though is that you're like, let's say for example you're in another country like India, a US company won't hire you, but you actually can do the work. So you would use him as a broker service and they take a cut off the top because the US company is going to pay a lot more for this worker than they would pay for that then you would need in India to live, if that makes sense.
B
Correct.
A
Arguably. Go ahead, Wade.
B
I was going to say the detection of this is going to be a little bit rough too.
A
Yes.
B
Like, like first you're going to be looking for any type of like remoting into the computer. Right. So yeah, the hard part, maybe it's.
A
I mean it's like behavior too.
B
Yeah. And one interesting thing, I think we've talked about it before, is a lot of these HR platforms now screen your resume when you apply to see if you've applied at other places as well to try to see if you are some type of malicious threat. This isn't just like to see if you're doing overemployed but also to try to track if they're North Koreans too.
C
Right.
B
There's a lot of closing IT intel too around this, of people doing this and IT professionals sharing it across like internal threats teams and stuff like that as well. I find that's usually pretty lucrative, at least for the teams. But the main thing is those HR platforms are starting to get really good. They're not just like checking to see if you applied somewhere. They're also taking that email and looking across data breach sites like Have I Been Pwned to see how old your email address is and if it has been in through stuff. Right. Bunch of other cool little torque. Torque like little things around it that I'm little pretty impressed for. Most of it's of course AI driven.
A
So yeah, I mean I gotta say.
D
I have an email that's like 20 years old though. How, how is that?
B
How that one would be good.
A
That's the point that it's a reputation, it's a positive thing. Yeah. The older the email, I mean I use burnable emails. I probably would use I guess my real email for applying for a job probably. But I, I have, you know, I create single use emails for most things these days, so I wouldn't pass it.
C
What about making an in person interview too?
B
Even they, they'll, they'll interview for them.
A
No, no in person.
C
Yeah, no in person, not online. You have to come in in person. Like you pay to fly them out for this one thing before you get hired. Right.
A
So I think that's going to be more and more common these days.
B
One of the larger, larger organizations I used to work for, that's what they do now is after you get hired you have to fly out to a headquarters and prove who you are depending on and get your laptop and everything depending on though like this, this set of attacks. Right. That person probably could still do that. That'd be him just going flying everywhere from place to place.
A
But yeah, no, I mean this is, this is kind of hard to defeat on some level. Like I think it's more like if you're looking at it from a defensive perspective, it's more about behavioral detections and just looking for. I mean this guy's not going to be very good at his job. None of these.
C
Maybe the job's not that difficult though.
B
But also remember we just talked about like how it takes for someone to be productive. Right.
A
So they usually get like three period.
B
Yeah, I've heard. I've heard things like. Like them telling their managers that hey, like I'm not going to show up to any meeting that's not scheduled a week in advance. They're like what like. And like you. You allowed that. Like why would there's a bunch of sketchy stuff like that out there. I would highly suggest if you're like a blue teamer to write up a quick report, make sure not just like HR gets it, but any hiring managers to understand it as well. Yeah, there was a number of. How many people was. 136 companies that they did with. Gen only generated $2.2 million worth of revenue for DPRK, which I find that low. I wouldn't be surprised if there was a lot more like that. This just isn't reporting. But 136 companies is also low. I've heard multiple.
A
This is just the ones that have been charged and pled guilty.
B
That's a good point. That's a good point.
D
Yeah, yeah, yeah. I mean this is 18 US identities were that $2.2 million. My takeaway here is like how do I get some North Koreans to go job hunt for me?
B
Right? Right.
D
Anybody who's looking right now will tell you how impossible it is to get hired anywhere. These guys have it figured out. So just do the first part.
A
Just have them get you the job. The secret ingredients, cut them off. The secret ingredient is just lying through your teeth. Which is gonna work for three months.
E
And how much of it is simply the numbers? Because they're probably. They're applying to dozens, if not hundreds.
A
Yes, hundreds and hundreds. Probably tens of thousands in some cases total.
B
That though the sock puppet creating. Right. So you have to create a LinkedIn. You have to create a GitHub. You have to create.
A
Well, they don't do that. They just use a real identity.
B
That's why it's way with this one. Yeah. But then usually if they have that, they have to create all that stuff for that individual in order to prove that they're real.
A
Which I will say that we have been doing. So a couple of little insider takes on this. First of all, we did a North Korean IT worker simulation for one of our customers that they requested. And basically one of the takeaways, obviously there's the behavioral stuff with the hours. Like if they're only logging in at certain hours or only using their laptop for like an hour a day or whatever. There's also. I mean we just had it set up with the PiKVM, so the customer wrote custom detects for PiKVM displays. I. And things like that. Like, basically pulling display attributes. Like, if the display name is PiKVM, like, okay, that might be an indicator, but yeah, I mean, it's a lot of just like behavioral detection and then having a process for vetting people that, you know, is. Is more detailed. But yeah, the other thing I wanted to share is that, like, creating sock puppets has never been harder.
C
I know. It's really hard with them.
A
Yeah, we have. We have like a. We're doing espionage campaigns for a few customers where we're trying to, like, recruit insider threats similar to this. Right. And just getting sock puppets that are established and have, like, valid accounts in a few different places. And, like, it is really hard. So it makes sense to me why North Korean people would have been going after legitimate US Identities. They're gonna. They have a background, they have an email, they have a Social Security card, they have a driver's license. They have everything they need. I'll just pay you a little bit over on the top to give away your identity. Someone who's desperate, you know, would be willing to do it.
E
Right. So sock puppets are phony. There was a question in Discord. Sock puppets are phony accounts, usually on LinkedIn, but also in other places in social media. So they're used for pen testing and for fraudulent activities.
A
Basically a fake identity. Yeah.
C
A lot of the big platforms have caught on to this, though. They realized, guess What? There's only 330 million Americans. Why are there 500 million US accounts? This isn't like magic here. Right? But what. But, but that being said, though, that's a lot of millions of people like, accounts, right, to, like, kind of suss through and a lot of accounts. So. But what happens is they have a whole process now when you set up a new account, they're like, really? Okay, so how old are you? All right, you're, you know, 35. And you just got an account. All right, that's probably a flag right there. Like, let's, you know, go see.
A
Yeah, it's a lot of machine learning.
C
Yes, exactly.
A
It's a lot of machine learning type details. You have a phone that's validated.
C
Do you. They won't even let you sign up if you don't have a real cell phone. Like, if you don't have a cell phone, it's impossible.
A
A lot of them. Which is why there's SIM farms, which we have talked about in other episodes on the show. The other one that they do a big is they actually will have detects for like AI generated people. Like thispersondoesnotexist.com. You create a LinkedIn with a profile picture that's AI generated. It's going to get nuked instantly.
C
Yes.
A
So like a lot. There's a lot of steps that go into it.
C
Yeah. You pretty much need real photos. You have to have like a real IP address. So you can't be, don't, don't use a VPN. It's like the opposite. You want it to be as real as possible. So like not a VPN is what you want. Right. It can be a cellular like in the location that it says you're living in. All of these things all help like build up this profile. But as Corey mentioned, it's just become a lot more work. It used to just be like you just sign up for an account, they don't care. No one cares. Who cares. But now they do.
A
Yeah. So they go after accounts instead. They do ATOs and compromise a bunch of LinkedIn accounts or just convince people to give up their accounts willingly. Right?
C
Yes. Yes. Let me use your account. Yeah.
B
Yeah.
E
And the other downside for this, the other downside for this is that there are people out there who don't live connected to the Internet. And when they try and set up a new account on LinkedIn or someplace else.
C
Yes.
E
They get treated like a sock puppet. And I see this mostly. I see it a lot with people who are transitioning out of military.
C
Yeah.
E
Or who are coming from other, other trades. More blue collar than white collar. And, and it sucks because these are legitimate humans who've done nothing wrong.
C
Yeah. I mean, so usually what they use like a third party, like the way that they'll escalate these really fast is use a third party identification service. Right. I'm not saying it's better this, you know, they just hire it out. So you have to send your, your driver's license, like, you know, proof of address, other things like that, just to, you know, confirm who you are. Which is funny because I kept. I. There was an article not too long ago where one of those companies got compromised and all of those IDs related to it.
A
Yeah.
C
So it's kind of know you can't win. You can't win.
A
That's how it is these days. All right, let's talk about sideloading. Who knows about sideloading in Android? I'm not a big Android expert. I don't know much about sideloading.
C
Has been a thing for a long time in Google like an Android.
A
Okay, so bring me up to speed. Sideloading was a thing, then they got rid of it, or they were going to get rid of it and then they rolled back how much they were going to get rid of it. Ashley knows, right?
F
So sideloading's been a thing forever and a day. Because you had to be able to install an APK somehow as a dev and because Android is supposed to be open source, they decided to just make it be that thing everywhere. Now they're getting rid of, as of a few months ago, they said they were going to get rid of sideloading entirely. So you could only install stuff that had proper sign in on the code base, which meant that it had to go through the Play Store or hypothetically one of the other registered stores, like if you got it from F-Droid, but we don't really know for sure whether that really would have worked. And then the thing that just dropped is that they got enough hate for this that they decided to back up and say, okay, so if you're like a student, then we'll let you do development so that you're allowed to do your own sideloading but like without going through the entire process for getting authorized and having to actually sign your code. And they also said, and we'll add in an advanced user mode that will let you still sideload, but basically we're going to make it harder than it already is. Super easy, but it's also not nightmarish.
C
Apple does not allow you to essentially by default, it doesn't allow you to install like a sideloaded application. Right. So. But there is an easy way that Apple has made to kind of bypass this. If you pay for a $100 developer account for the year, you can sign applications that can run on your devices, right. Not anyone's device. So and those applications can be from GitHub or wherever they are. You can essentially add them into the compiler and sign them and then put them on your devices. But yeah, gotcha.
A
So essentially Apple solves it by charging $100 to Apple.
C
Yeah, so it's for development, but technically if you download like an open source app, you could compile it for iOS, you sign it with your developer and every device that you own, you have that, that you own specifically, that's part of your account will be able to be. You can look at that application.
B
The VR headsets did something similar too. You needed to do a developer mode in order, but it didn't cost. The other thing I was thinking was DJI, you have to sideload their app in order to install it on Android.
C
Oh wow.
B
Which I always thought was.
F
Wasn't that true for Fortnite for like so the earliest. Yeah, I think that's true. The earliest versions of this whole process for Apple. I worked with them at the time. I remember this mess. They created a version of the developer account that was available for businesses. So it would be across some large number of individually registered devices where you got your own special links that would allow you to deep link into the App Store. So it was still going through the App Store instead of sideloading off a USB connection, the way most side loading happens. And that was sort of the first step. And then they went, okay, we're going to give people, you know, private third party apps for their businesses to load their own stuff. But that'll be actually through the App Store. You just have to have the right private links so that you're not selling it to everybody in the world. And that's how that's continued to work ever since. But yeah, the sideloading thing is just for I am a developer, I wrote this, I promise I'm going to sign it as myself and put it on a device that's registered to me.
C
It's for security but it's also for them to charge their percentage. Right. Because every app that gets sold on the. On the store, Apple gets their cut.
F
So both true.
C
Yeah.
A
Well that was like a class. There was a whole Fortnite Friggin.
C
Yeah, that's what.
A
Yeah, lawsuit and Spotify. All right, well that was. I mean I guess I'm not surprised in my mind like a significant chunk of Android is these like non traditional use cases for apps. Right. Like whether, you know, kiosks and all kinds of weird. Like it's designed to be the more open platform in my book. And of course there are open source forks of Android that are going to be super open.
C
Right. Yeah, you can do whatever you want. This is mainly for. For Google Google devices. So like the pixels and other stuff like that. Even though I think you can still rootkit a bunch of those in a bunch of different ways. But you know. Yeah, I agree. Yeah.
F
My suspicion for Google's reason for trying to do this in the first place is that they are scared about the laws that have just dropped in California in particular around age verification being beholden to App Store providers slash to anybody doing these other pieces. So they want to gatekeep the ability to put something on a store for everybody to use behind something where they can verify that they'll be able to hunt down someone for liability if something that is very adult specific lands in the hands of some teenager and the state of California comes after them. Huh.
E
That tracks.
F
That's my bet on why they started to do this in the first place. And that's also my bet on why they didn't just go, you know what, never mind. They're still trying to figure out how to make it so they can get away with putting liability where it sticks best and as rarely on them as possible.
A
Yeah, there's also the security thing. Like we've talked about so many apps with malware in them on this, the harder you lock it down, probably the better it is. Like spyware stuff and anyway, do you.
C
Want to talk about what's up?
A
FFmpeg, what are we talking about?
C
Oh no, that. Well yeah, that one too.
A
Another Google article.
C
There's another Google one, so this one's actually not surprising, but. So did anyone have a Nest? Right? Or maybe you do.
A
Oh, I have a Nest.
B
Mine still works. Mine still works.
A
Tell me why I shouldn't have a Nest.
C
Well, you should probably never buy any like Google home product because like there's like a timer and it's like as.
A
Soon as you came with my house.
C
They will never support it again. Right. And so anyways, but the Google Nest, who actually Google bought the company Nest. So like if you bought in the beginning and then eventually they killed it off like everything else. Right, right. They get a grim reaper running around.
F
They turn it into their brand.
C
Yes, but so these things are not being supported anymore. But they are still sending data to Google which mostly is like light data, your temperature of your house. That's really great data.
E
Wonderful.
C
Yeah, we're not really sure why. I mean there's probably like an API that just hasn't got shut off yet.
G
There's an API that's still open. I was actually listening to 600 talk about this. There's an API that is still open which is why the data is still going to there. All they've done is gone ahead and said oh this is a version number that's being transmitted. We're not supporting this anymore. You cannot access it through the Internet or anything like that. But we could still take your data. For those first and second generations there's now an open source project that's actually out there that will allow you to do everything with the Nest without having to get rid of all your data. That's a lot more privacy focused that you can actually host for yourself to keep those first and second gen, especially the second gen, going forward. And it's got almost all the same features. They've still got, I think they were saying like two or three features that need to be updated to it, but they're updating on a regular basis.
C
It's funny, like any of these devices that run in your house, if you need the cloud to operate like, just be warned, like that could end at any moment. Right?
G
That's the thing.
F
I'm sure. Go ahead.
G
That's the thing about this is that it's not bricking the device, it's getting rid of a bunch of the functionality of the device, the remote functionality. It'll still work as a in house, normal, everyday, old fashioned style thermostat where you could go up and change your settings. Well, I'm glad if they schedule that.
C
To be turned off.
G
But there's none of the scheduling, there's none of the remote access to it. It, none of that stuff works anymore unless you go ahead and root it and put on this rooted firmware now.
E
Okay, but is it sleazy or is it just me that they are. They've, they're not giving you the functionality, but they're still collecting your data.
F
Totally gross. Also a couple of things going on. The thing that bugs me is not we said we're not supporting this anymore, so we've killed everything that we run. People have been running stuff like this under Home Assistant and doing it all local. Google kill like removed everything that allowed all of those shims and so forth to work as I understand it and based on what I've seen, so people who are running this in their own house suddenly had their Home Assistant pieces fall apart for this because of the piece that was running it previously just went poof for these specific models. So like they yanked functionality, they yanked other people's ability to try to replicate functionality. Now this other project is reverse engineering how to get that.
A
My biggest question here is what the hell am I getting if I buy a Nest? Like what, what is the point? What, what does it do? That's cloud connected from my perspective. All it does is try to turn down my heat. And then I'm like no, stop. What is it actually?
F
So what is it? That is cloud.
A
Yeah. Because I'm like, okay, so we have these third generation devices, I'm sorry, there's like five parameters we're monitoring here. Temperature, humidity, that's it. What else?
F
Geolocation, weather.
A
Okay, so what it's going to be like it's sunny, I turned on the air conditioning or whatever.
F
Like, so if it knows that the weather is going to be hot today, it can preload how cool it's keeping your house and adjust for the fact that lots of different systems have a lot of thermal inertia across a house so that it knows how far ahead of an 80 degree day it needs to start ramping up the AC unit so that it keeps it efficient and running low out of its total capacity.
A
You're saying the new ones, you're saying the new ones that do the same device, the old ones do it cloud based.
F
All of them only do it cloud.
C
Yeah.
A
Why does the new generation need to exist then? Because I'm like, they deprecated the old generation.
F
Why?
A
It's the same device.
F
So also to be clear, the first and second generation that they're killing were originally available for sale, the earliest of them in 2012. Okay, these are.
A
But, but isn't it the exact same. How is it.
C
But, I mean, but the other thing is AC is probably like 20, 20 years depending on where you live. 15, you know, 10 maybe in Florida, 20s also.
A
Is it really that different? Like, I, I don't see what is it possibly collecting better animations?
C
I don't know.
F
The thing is.
B
Like to spin them. I'm not going to lie. Like, I'm like, it's well created, it's.
F
Got some weight to it.
B
Like if you pulled that off the wall and hit someone with it, like, they're going down for sure.
A
All right, depate yourself for that online.
F
No, the reasons to deprecate it and to pull those out is pretty much junk. And the only thing I can come up with is like, but we don't want to support the old ARM chips that are hiding inside there.
A
Yeah. Okay.
C
This is an Apple example of them stopping updating after five years kind of thing. Like deprecating. It's just a weird tech to do that too because like I said, the lifespan of an AC is probably like 10 to 20 years, depending where I heat, depending on where you live and all the other fun stuff. So like you're not going to be replacing your thermostat that very often, but they're like using it like a tech toy. I don't know. It's silly.
F
Yeah.
A
So, okay, last question before I move on because I think we spent way too much time talking about thermostat.
C
Sure we did.
A
I think so. Okay. What if I want to be the Home Assistant hero? What thermostat do I buy?
C
I like the Ecobee. I have had one for a long time. And they do work with Home Assistant. They work with Apple Home. They work with all the things. But here's the thing. The same thing happened with Nest. So I even hesitate to say that.
E
That.
C
Because what happened was Nest was making this thermostat. They were like, cool, yay, Google bought them. And then, you know, kind of destroyed it all up, right? So any of these companies could get bought up. And then they're like, we removed that feature. You cannot work with Home Assistant anymore. So here's what you do.
B
You buy an Arduino, right? And you get a camera, and you point that camera.
C
Oh, my God. I'm going back to the thermostat Corey was making fun of. Just the one that sits on the wall. You can't control it remotely. And then they can never up on.
A
That's why I'm like, okay, I use a mercury thermostat.
B
You know, like, I have a Nest.
A
Yeah, I have a Nest. And I do not use any of the smart features to my knowledge. I just have a set schedule that I set. Because it's not that hard to be like, I want it to be 70 degrees during the day. Like, it's not.
C
I don't.
A
It's not rocket science. I don't want it to be like the thermal mass of your home and it's sunny. I'm like, listen, it's hot. Make it less hot.
F
Like, no, if you sit on the learning mode and it figures stuff out before then, that stuff is all going away and it's locked in on whatever schedule it had last. But for what you just described, if you had a first gen, you wouldn't notice anything.
A
Okay?
F
It's still getting all that data out into the Internet, which is sleazy.
B
We talked about smart thermostats for so long right now.
C
I know, I know.
D
Hold on, hold on.
C
Let's speed up on Google. Just one, one last article. And this one is. It's not too bad. But this one actually is a little bit broader than Google. So FFmpeg is telling Google to stop sending bugs or fund us, right?
A
Like, stop trying to pay me.
C
Yeah, yeah, essentially. And so the bigger overarching idea is that these large corporations run a lot of their products utilizing open source tools or software. Excuse me. And when they do that, they send a bunch of bugs to get them do all of this free work, but they don't want to fund it. Right? Yeah. What do you guys think?
A
I mean, I think it's good for them to lay down the law and be like, you either give us a full time employee who's on the payroll, the fix it or you wait your turn.
C
For those who don't know, FFmpeg is a video encoder. It's a very popular library that can do all kinds of different encoding for video and I believe audio as well. So yeah, it's very popular. Command. It's mostly a command line tool, but it's used behind the scenes on all kinds of stuff that you interact with every day.
A
I don't, I really don't. I mean my whole thing is like. I agree, if you're, if you're a large company who relies on an open source framework, I think you owe it to them to either pay someone a part of their salary or part of their job duties is to help work on this and be a maintainer of this library or at least donate to it or fund it in some other way. Right. Like, like I feel like it's crazy to be like, hey, we're gonna file a crapload of bugs. You know, we're, please just fix all this stuff. Good luck. Like you, you know, you dirty hackers work for free or whatever. I don't know. That's crazy to me.
B
That is incredible.
D
I'm with you. But like the, the counter of that is so this is all like Google DeepMind, which is Google's AI fuzzer harness thing. And they're, they're finding, you know, new important bugs. And do we want them to stop? Like, do we want them to not keep looking for new bugs or if they find them to just sit on.
A
Them, Are they though, are they asking.
B
Are they looking for new bugs or asking for new features?
A
It's bugs, but it's all like AI slop bugs.
D
I don't think DeepMind is as AI sloppy. I think DeepMind is actual fuzzing, i.e. using AI to orchestrate. But they're finding real legitimate bugs.
C
Okay, so, but let me put this in perspective. So as an open source tool, developer, maintainer, whatever, it's my duty to fix.
A
Those things for you.
C
Is it my responsibility as the owner operator? Like, is that the duty that I have or is it yours if you report a bug to contribute that. Right. Who's, who's, who's like responsible, right?
F
It's open source. If you found a bug, you make the best effort you can to provide a patch. And if you're Google, you can have somebody make an actually good patch.
C
There you go.
F
And submit an actually good patch. And if all you're going to do is throw bugs at them. And it doesn't matter if it's FFmpeg or anywhere else, anywhere open source either. Throw them some money so that someone who is a maintainer is going to be able to sit down and work on that without screwing up their whole work life balance. I like have absolutely no time for anything or actually give the freaking patch. Which is what they would expect from someone from the random community doing anyway.
A
Like if you come in as a.
F
Random individual and go, I found a bug, someone's gonna say, great, where's your patch?
A
Yeah, yeah. Although, do you want a bunch of AI patches? Do you want a bunch of AI PRs?
C
You want a bunch of AI bugs?
F
I'm not saying I want a bunch of AI PRs versus this other thing.
B
Thing.
F
Give us an actual patch.
A
Don't. It would be really funny. Okay, here's a hypothetical scenario. You are here, you're FFmpeg. You fork the main branch and you make that now the AI branch.
C
Yeah.
A
And then you basically say, all right, we DeepMind. Why don't you go back and forth with yourself and you introduce the bugs into the software and then find them and report them, then you fix them and then it just becomes a never ending cycle where the entire code base just ends up getting deleted because the AI eventually just consume all the US energy. AI is just like, ah, I see the bug that I just introduced. I'm going to file a vulnerability report. Oh, I got to fix that vulnerability that I just did. Oh, I just addressed the vulnerability.
C
Oh no. I've just write a blog post about how this vulnerability is.
A
Time for an angry tweet. Let's do this. Good thing I got that Twitter MCP going. Whatever. Yeah, no, I mean, I don't know. I guess I think, think if you. I agree. Like filing vulnerabilities. Great. Expecting them to be fixed without you doing anything is kind of unnecessary for an open source project.
D
Where do you, where do you draw that line though? Like Corey, let's say you find a vulnerability, you know, you guys are doing like, you know, anti SOC operations on a client and you, you find a vulnerability with, you know, I don't know, Microsoft or Oracle or some company that you never find a bug.
C
Yeah.
D
And you know, you go to them and they're like, well, where's the patch? Now granted those aren't open source.
C
So the big one is, well, this.
D
Is literally what we're paying for.
C
Yeah, yeah.
A
That's the difference for me is that I, we, if we, I mean this literally has happened. We're probably going to webcast about it. We're reporting all kinds of bugs to Microsoft and they're saying these aren't bugs. And so we say, okay, we're just going to use these in pen tests now. Like, if you don't want to fix these bugs, we're just going to use them until. And then here's how the cycle works. We report the bugs. They don't fix the bugs. They say they're features and they aren't. They don't meet the minimum requirements for security servicing. Right. They close the MSRC ticket. Then we say, okay, we're going to use this in pen test. Then our clients say, how did you sideload a DLL? That's crazy. And we say, well, it's a feature of a Microsoft product. And then they go to Microsoft and they're like, hey, can you make it so your products don't have DLL sideloading? And then the whole cycle repeats.
C
Yeah, but either way the, the difference is just that they have a customer that's paying. Right. So the duty comes on the company because there is a customer that could be affected. Right. So that's billions of customers.
A
Open source project.
D
You could theoretically have found something in an open source project.
C
Oh, absolutely. It's found all the time. But it doesn't mean that the developer owes the fix. Right. You can say, yes, it's a fix. You could write a full blog and say, hey, wouldn't it be cool if somebody fixed this thing? This developer sucks. He didn't fix it. And then someone could also say, well, why didn't you fix it? You seem to know exactly what you're doing.
A
I think the biggest thing is that Google is going public.
C
Yes.
A
With these, Google is going public with these disclosures and is posting them on Project Zero and being like, Google Project Zero is announcing a sick new bug in FFmpeg. And now it's like, they're basically just, we would never. I, I hope we don't. I don't think there's any Black Hills blog post where like we found a project on GitHub written by some student and we just generated 15 CVEs and it sucks. And it has, you know, remote code execution and blah, blah, blah. Like it's just a different. The optics are different. Different from my perspective. So like, yes, finding and reporting. I do agree. I think that truth is somewhere in the middle. And ultimately we are talking about an article that's just a Twitter argument between two people.
D
Yeah, yeah.
A
But I think there's the truth is somewhere in the middle. If Google is doing this just for the lulls, they're just running, you know, a huge DeepMind vulnerability research project and just reporting vulnerabilities in software all over the place.
F
Place.
A
Okay, fine. They don't really expect it to be fixed, but it seems like there's a lot of, you know, hey, we're going to report this and we expect it to be fixed and we're going to blog about it on Project Zero if you don't fix it. Not necessarily because they're trying to shame FFmpeg. I don't want to put that on Google, but because that's their policy with newly discovered vulnerabilities is they say we report it. If you don't fix it, we, you know, we publicize it. Right. So yeah, I don't know. It's a tough. This whole vulnerability disclosure thing, there's so many different ways of approaching this. The sad part about this is the reality is that and in this case we've already seen it, libxml2, the one of the another software program that this person has created, they're just not supporting it anymore. So that's the unfortunate side effect of this or can be a side effect is that if you push on these open source projects enough, they just say this is deprecated. I'm no longer supporting it. Good luck here on your own.
C
Which, which Microsoft does this as well too when they say, hey guess what? What? This is the end of life for Windows 7. Sucks to suck. You know, if you don't update or you don't move to something else, there's probably going to be vulnerabilities here and.
B
Then WannaCry happens and they push out an update anyway.
E
They need to hire some high schoolers. That's what they need to do.
A
Yeah, all right, yeah, let's. Let's do the last article. We can do this high school hacking article. Bronwyn, you got this one. I haven't read this yet.
E
Well, I haven't read it but I'm sorry, this is just not.
A
You just threw an article in that you haven't read. Come on.
C
Oh my God.
E
Was it like headline Teens are hacking their school systems. How is this a news update?
A
Well, I don't know, but you got cloth picture. The picture brings back fond memories of me as a young lad trying to like, you know, hack things and take pictures. I think. I mean basically the situation here is teenagers hacked an educational technology company. They told them about it and then I guess the company brought it, made a program around it essentially.
E
Yeah, I think Bugcrowd got involved.
A
Yeah.
E
Well, I mean this is, this is something that has happened over and over and over again is where high schoolers, they, they hack into either their school or the educational system, especially since COVID and so much is being done with online learning and, and what I see most often is that something is done to help support the kids involved or either they get recognition from somebody who provides training or in this case where it sounds like the company involved has turned around and said yeah, let's teach them to protect it. One article and this, you may remember this one. Remember that kid read the source code and found a vulnerability and F12 hacker. Yeah, yeah. So you know, it's just, I love the fact that high schoolers are still hacking things which they've been doing for decades. I agree that they are our most valuable resource and we need to encourage development and this is a mission that I'm becoming much the more, the more deeply into cybersecurity I get. Granted, I've only been in the business five or six years. It's, it's one of the things that I see where so much of our learning processes, our development processes don't include security and we need to include it in the education levels. High school is great. If we can, if we can start raising defenders at the high school level like other countries are doing, then that puts us in a much better position to be able to protect ourselves in this arena going forward.
B
You give me one of those AI SOCs and a room full of high schoolers, I'll give you a top-tier SOC. Like, I'm not even joking. I could probably do it.
A
Hell yeah.
C
Well, they were called persistent teens.
B
Oh my God.
D
I just... My takeaway there is Bugcrowd now employs child labor.
B
They are not allowed to hack after 11. It's okay.
C
Cool.
A
Okay. I am right now as we speak having AI write me a vulnerability disclosure written in Gen Z slang.
C
Wow.
A
See what that would look like.
C
We'll definitely not be able to understand that.
A
That's going to be one of the biggest, that's going to be the biggest challenge of this: connecting the generations together. Being like, you're a 15-year-old kid and you were just poking around, you found something. You don't know. You don't know what CSRF is. You don't know what, you know, a cross-origin resource sharing policy should be, or, like, the OWASP Top 10. But you know that what you're seeing isn't right. And so there's going to have to be some amazing people that bridge the gap between, like, the older generation and the newer generation.
E
Well, I know that in the teams I've worked with, where the teams have been most effective is where we've had a spectrum of domain knowledge. You need the younger people for the. The energy, the enthusiasm and fresh viewpoint. And you need the older guard because they have the legacy knowledge, they have the deeper domain knowledge. And then you've got people that are somewhere in between. And those teams are usually most effective, whether it's development or defending or offending. It's just. I think that we tend to ignore that a lot when we're building our team, and I wish we didn't.
A
This is... it's going way too hard on this. For some reason, Claude has decided to do, like, research mode. It's looking for a docx library for JavaScript so that it can code it. It's burning through credits over here.
C
I'm sorry, it's like, how many credits do you have? Let's burn them all here.
A
I just, I was thinking of just, like, some memes of being like, no cap, this is the worst system I've ever tested.
C
What the Sigma?
A
I don't know that many, like, Gen Z or whatever-is-after-Gen-Z terms. I just think it'd be hilarious to get a vulnerability report that's like, this shit is bad, yo. I don't really know how to say this, but, like, you're screwed.
C
Oh, my God.
A
Yeah. Any final. We have no chicken articles.
C
There was no, like, main, like, anchor news article.
B
We didn't talk about, like, the what? I thought the biggest one was at...
D
Least the Anthropic one.
B
The Anthropic one, but we don't have enough time.
A
No, let's do it.
C
We got.
D
We can cover it quickly. I think two minutes is... it's there.
F
There's.
D
There's been a lot going around. They're like, the first, you know, fully automated whatever hack, which at first... and I can see from everybody's faces that they're like, yeah, we've all told Claude that we're doing a CTF and then it did whatever we wanted. So, I mean, all the talk about guardrails and, you know, they had to bypass the guardrails, I mean, we all know that that's just total BS. Where I think it is actually important is the level of autonomy. Apparently it was only taking, like, a couple prompts and they were able to just let it loose and it was actually generating real hacks. And if you have used Claude or Codex or Copilot or any of them to do CTFs or on an actual engagement, I mean, it usually takes a lot of prompting and guiding and everything else until you can actually get anything semi-actionable out of it. So the fact that they built this orchestration framework or whatever that is letting it, you know, act with a little more autonomy, like, is impressive. It is legitimately impressive.
A
The other crazy thing is they specifically say, essentially, that they manipulated Claude Code into attempting infiltration into 30 global targets and succeeding in a small number of cases. So they also let it slip that, like, by the way, this actually worked. It targeted large tech.
B
Oh, look at Cory got taken out by Claude.
D
It did work. It did work in a few.
C
Well, my prompt worked.
F
Huh?
C
This was fast.
A
I'm just gonna download this phishing document real quick.
D
One of the nuggets, though, was that they thought it was more successful than it was because Claude was lying to them. Yeah, it was telling them that it was successful, and it was generating fake credentials and generating fake secrets.
B
All right.
D
Which, we've all had that happen. It's awesome.
A
Can you guys see that?
D
Is roadblocking.
A
Is my screen sharing working there?
F
It is.
B
Yeah, it's working.
F
Vulnerability.
B
Oh my God, I love it.
A
So this is the document that Claude prepared for me. Cooked, yo. So, like, I found some mad sus vulnerabilities in the school's homework portal and it's giving major yikes energy.
B
My favorite is the bestie. The login page is literally so unserious.
A
Broken authentication. Why this slaps in a bad way: session IDs are shorter than a TikTok.
C
Like, oh my.
A
Oh my. How to fix this SQL injection. How to make it make sense? Use prepared statements. For real, for real. Like, actually use them. I love validation.
C
Oh my God.
A
Okay, so basically this is better than.
D
Some reports I've seen.
A
Though the kids will be... Yeah, so I guess, long story short, basically we're gonna be fine. But to return to the AI thing, I think the best models, like Anthropic's Claude, are gonna be both the most subject to abuse, because they can do the most, and also the most required to not get abused. So the fact that Anthropic and other AI companies have monitoring for this and have ways of determining whether it's being abused, like, this is going to become an increasingly cat-and-mouse thing, because yes, you can get an unlocked model and run it at home, but it's not going to be nearly as good as Anthropic, like, whatever frontier model they're coming up with. So, like, this is not going away.
D
I mean, that is a real concern, though, as these open source models keep getting better. You know, I mean, we're seeing almost exponential gains between generations on the frontier models. And how long until an open source model that you can run locally is Claude today? Because if it's Claude today and you don't have to... not that the guardrails do anything, but they're annoying and they do stop you just a little bit, especially when it comes to, like, if you're fully automating something. But if you can have an ablated model that you don't have to worry about any of this with, and it's as good as Claude is right now...
C
Like, those models exist. And also, just make an MCP that asks one of the other, like, frontier models to do some of the other harder work. I mean, like, you could just tie this all in. You don't need, like, one model that's broken all the way. You just need one other model that asks, no...
D
But then you have to jailbreak. Dude, I ran out of tokens doing the Wild West Hackin' Fest CTF and I was on that, like, SAML token to get into a payroll system thing, and I ran out of Claude and I'm like, all right, I gotta finish this. So I start using Codex and Copilot and everything, and I had to re-jailbreak all of them. It looks like you're trying to hack a payroll system. We're not going to let you do this. I'm like, no, no, no, no, it's fine. It's for a CTF, I promise. It looks like you're hacking a payroll system.
C
You would have an unfiltered model that would actually ask the other models, like, the simpler pieces of that, right? Because when you break down these tasks, they're not, you know, they're not all hacking. A lot of these could be, like, programming. And so, anyways. Right.
E
Also, somebody was talking about... go ahead, sorry. Somebody was talking about, like, that this was old news, and didn't we know about this already? I mean, Anthropic has a great YouTube channel and they were talking about this three months ago.
B
Right. Okay. I thought I was taking crazy pills here. I'm pretty sure they already reported about this, and I read it, and it was pretty much like, cyber criminals use good prompting. And I was like, okay, for sure.
A
And this is not going to go away. This is going to continue to be a thing. I agree with, you know, Andy, your concerns about as open source jailbroken models get better and better. I guess I would say, like, if you're a company who has a product that you're worried about finding vulnerabilities in, you need to be throwing the frontier models at your product, like, now. Yeah, you need to get ahead of this. You should not be in a position where... I mean, obviously some of the social engineering and phishing and whatever, like, there's, you know, it's always going to be a threat, you can't fix it, so to speak. But a lot of this is going to be zero-day vulnerabilities, CVEs, etc., that you, if you run a code base, whatever it is, you need to be throwing AI tools at it and making sure that you're trying to triage and fix things now, so that when those open source models get good enough, you're not just getting a buffer overflow day one of the release of some model.
D
And not just that. I mean, I know everybody here has, you know, jokes for days on, like, the AI pen testing platforms and whatnot, which, I was kind of impressed by Horizon3, and I mean, I know they were a sponsor of Wild West Hackin' Fest, too, so y'all don't totally hate them. But the bar is going to be a lot higher for everyone now, because there's no longer this, like, well, you have a vulnerability and then there's also this small chance that you might get hacked, that somebody's going to stumble on it. Like, no, it's going to be found. If you are running, you know, an old Fortinet firewall that you haven't patched and the admin page is open to the Internet, or a new Fortinet firewall, you're going to have a bad time. You know, it's, like, the basic hygiene stuff. John has his top 100 findings list. You have to address that stuff. You are running out of time rapidly to address that stuff because the barrier to exploit it just keeps getting lower and lower and lower and lower.
B
All right, all right. You guys said two minutes, it's been like 30.
A
Yeah, good discussion though. I got.
B
It's getting hot in this room.
A
Thanks. No, no, no, no, no.
C
We got winners.
B
We got winners to announce, Antisyphon winners.
A
I forgot about that. I'm so bad at this podcast.
B
So this is perfect because it's going to allow me to tell everyone that my class is now on demand as well.
F
Whoa.
B
So, for our first winner for the Antisyphon... I don't even know what OD subscription means.
E
On demand.
B
On demand. Oh, there you go.
A
Don't show their emails.
B
Don't show.
A
That's a good point.
G
Sorry.
B
And for the BHIS winner, Duotech, don't show his emails, but I will tell you, it's a good one. So those are two people who are, like, regulars in the chat. I believe they're literally both in the Discord right now. So congratulations. I expect you both to tell me how the CTI101 course is by next week.
G
And that.
D
That full on demand, that is all of the on demand courses, which, we ran the numbers one day, and if it was SANS prices, it's like 200 grand.
B
Well, if it's SANS prices, like, I wouldn't...
A
We don't go by extreme because otherwise our pen test would cost $5.2 million.
D
Half of those classes are taught by people that you would have paid those prices for SANS previously.
B
That's also like 12.
A
It would be funny if we reported the SANS value of all of our courses as, like, a separate metric. But anyway, all right, thank you all for coming. We'll see you next week. Congrats to the CTF winners. And yeah.
Episode: A.I. Transcription Startup Was Just A Guy Taking Notes
Date: November 17, 2025
Podcast Release Date: November 21, 2025
In this lively, candid, and humor-filled roundtable, the Black Hills Information Security crew delves into the latest infosec news, cybersecurity culture, and tech industry oddities. Major topics include companies rehiring staff fired for AI, a viral story about an “AI” transcription service that was actually manual labor, the ongoing problem of North Korean IT fraud, challenges in verifying online identities, changes to Android’s app sideloading policy, smart home device deprecations, the responsibility of open source maintainers, and fresh concerns over AI-automated hacking. As usual, the crew brings their hacker’s insight, insider stories, and plenty of meme-worthy banter.
Overview:
Discussion kicks off around reports showing more companies are rehiring staff they previously let go—many ostensibly fired due to automation/AI.
Memorable moment:
“I love just like slapping AI around a little bit, but...I also love the idea that it would be AI.” –A [10:16]
Overview:
Reflecting on the sustainability of the “AI replaces jobs” narrative, the crew contemplates disillusionment with AI and predicts a bubble bursting similar to the dot-com era.
Quote:
"Everything they said in the dot com bubble turned out to be true...it just didn’t happen right at that moment.” –C [19:48]
Story:
A viral news item revealed that Fireflies, originally billed as an AI transcription service, initially delivered results via the founders manually joining meetings and taking notes.
Quote:
"It was just him and the co-founder taking notes by hand. They would joke and change their name to 'Fred'... now it's a viable company." –A [23:22]
Memorable moment:
“Who's here wouldn't pay a hundred dollars a month to not have to do meetings.” –D [24:39]
Overview:
News broke of five Americans being charged for helping North Korean IT workers fraudulently obtain remote jobs using stolen or borrowed US identities.
Insight:
"Creating sock puppets has never been harder." –A [33:52]
Security Practice:
“In-person interviews are on the rise for high-security roles to mitigate this.” –A & B [30:11–30:21]
Overview:
Increased scrutiny of online identities is making both legitimate applicants and criminals jump through more hoops—and creating issues for people without deep digital footprints.
Quote:
"I see it a lot with people...transitioning out of military or from blue collar—these are legitimate humans who've done nothing wrong." –E [36:45]
Overview:
Google announced plans to restrict sideloading apps on Android, met immediate community backlash, and then partially reversed course.
Quote:
“My suspicion... is that they are scared about the laws...around age verification being beholden to App Store providers.” –F [42:17]
Overview:
Google ceased support for early generations of Nest thermostats but continues collecting user data—a move described as both sleazy and commonplace.
Notable banter:
"B: If you pulled that [Nest thermostat] off the wall and hit someone with it, like, they're going down for sure." [49:09]
Overview:
Heated debate as FFmpeg told Google to "stop submitting bugs or fund us," highlighting industry tension around unpaid open source maintenance.
Quote:
"If all you're going to do is throw bugs at them...throw them some money so...a maintainer is going to be able to sit down and work on that." –F [54:41]
Overview:
Discussion covers recent research showing advanced LLMs (like Claude) can, with minimal prompting, autonomously orchestrate and execute genuine hacks—including targeting live organizations.
Quotes:
"You have to address [vulnerabilities]. You are running out of time rapidly to address that stuff because the barrier to exploit it just keeps getting lower and lower and lower." –D [74:32]
Memorable moment:
A generates a sample Gen Z–style vulnerability report with lines like:
"Session IDs are shorter than a TikTok." –A [69:10]
Overview:
Recent headlines about teens hacking their school networks prompt a celebration: hacking is still cool, and young talent needs encouragement.
Quote:
"You give me one of those AI SOCs and a room full of high schoolers, I'll give you a top tier SOC." –B [63:16]
| Timestamp | Quote | Speaker |
|---|---|---|
| 14:41 | "If you save a dollar laying off someone and you have to hire them back, you're going to spend $1.27 for that same price." | A |
| 20:53 | "With some LLMs, it's as high as 67% [error rate]." | E |
| 23:22 | "It was just him and the co-founder taking notes by hand. They would joke and change their name to 'Fred'... now it's a viable company." | A |
| 24:39 | "Who's here wouldn't pay a hundred dollars a month to not have to do meetings." | D |
| 33:52 | "Creating sock puppets has never been harder." | A |
| 36:45 | "...I see it a lot with people...transitioning out of military or from blue collar—these are legitimate humans who've done nothing wrong." | E |
| 42:17 | "My suspicion... is that they are scared about the laws...around age verification being beholden to App Store providers." | F |
| 54:41 | "If all you're going to do is throw bugs at them...throw them some money so...a maintainer is going to be able to sit down and work on that." | F |
| 63:16 | "You give me one of those AI SOCs and a room full of high schoolers, I'll give you a top tier SOC." | B |
| 69:10 | "Session IDs are shorter than a TikTok." | A |
| 74:32 | "...You are running out of time rapidly to address that stuff because the barrier to exploit it just keeps getting lower and lower and lower." | D |
This episode showcases the blend of irreverence, expertise, and authentic concern that defines the Black Hills Information Security culture. The crew remains skeptical of tech hype, defends the open source community and workforce, and finds the bright side in the next cohort of "persistent teens." If you care about cybersecurity, enjoy technical banter, or just want to keep up with infosec without the spin, this one's for you.
Note: Non-content sections, advertisements, intros, and outros were omitted for clarity and focus.