Ryan
Who's going to be here? He's in the sign up sheet.
Wade
Oh, I saw that he accepted the invite, but I put an asterisk because that doesn't always mean that he'll show up.
Ryan
Asterisk. Did someone call for a PBX?
Chad
We're in the pre. Pre show. Pre banter part.
Ryan
No, this is not. There's not that many pre's. This is just one pre.
Chad
Oh, okay.
Ryan
This is just the pre show.
Chad
Let's ask Chad Gepete what he thinks.
Ryan
Well, I read 500,000 books last weekend and they cost me $3,000 each. This is a spoiler for a future news article. Actually, you know what? Honestly, to get more specific to the news article, I didn't even read them. I just downloaded the books.
John
You just.
Ryan
I guess I should change my name to like Claude. Should I change my name to Claude J.P. Taylor?
Chad
Oh, my God.
Bronwyn
Okay, that's just.
Ryan
That's all right. I'm doing it. Hold on now. Honestly, as a cyclist, I wish I was French. Then I could go and ride all the awesome French roads.
Chad
That's right. Yeah. You might have to. Might have to shave your. Your legs because that's part of the deal.
Ryan
You know, I have friends who do it and they're like trying to get me to do it. I'm like, that's a commit. I'm not committing to that. Yeah, like, that's a, that's like, like that's like a months long. Like. Yeah, like if you do it, I mean also, like, you can look it up and it, it gives you an aerodynamic benefit of like a percent or like 2% or something. Yeah, I'll just pedal harder. I'm good.
Chad
Back when I was riding my road bike and I haven't done that for a while, but yeah, I had people trying to get me to do that too. And I was like, yeah, I don't think so.
Ryan
Yeah, I, you know, there's, there's having watched many females in my life suffer through having to shave their legs for, you know, their whole lives. I'm not sure. I'm trying to get into that.
Chad
Yeah, yeah, you can.
Ryan
Also the chest. I mean, we've seen the Seinfeld episode. What happens when he shaves his chest?
Chad
Oh, my God.
Ryan
I couldn't stop. I couldn't stop.
Chad
I don't even go there.
Wade
I heard the best way to improve your, your speed scores is to leave your, your Garmin device thing on as you throw the bike in the back of your truck and drive off.
Chad
There you go.
Ryan
Do that. Okay. If you do that, it will. First of all, it will auto detect it. And second of all, I will report you when I see people that do that. Because I'm like, listen, I'm out here sweating, and you're driving 60 miles an hour and getting all the KOMs. I'm not okay with that. Yeah. Not.
Chad
Not.
Ryan
I'll report it.
Chad
Not cool.
Ryan
We don't know if Ralph's coming, Wade, but I'd say if you're here, it's first come, first served. So you snooze, you lose.
Wade
Oh. Oh, it's Ralph.
Ryan
Is.
Wade
Is here.
Ryan
Gonna.
Wade
I'm gonna let him in.
Chad
Oh, hold on.
Bronwyn
Oh, my God.
Ralph
I have less doors now, too.
Ryan
Oh, we need more volume. Ralph, did you go to. Did you go to. Real typical Ralph. Classic. Also, I don't really believe you because I see two doors right there.
Ralph
Ralph had, like, four doors.
Ryan
Yeah, I swear. Four doors and seven years ago.
Ralph
That's such a lot.
Chad
Oh, my God.
Ralph
If he shows up, I'll leave. No, no, though.
Ryan
No. We got the Brady Bunch. We're going. Snooze, you lose.
Joff
We got the full Hollywood Squares.
Chad
Yeah.
Ralph
Anybody else dealing with packages today? Just UPS dropped them off and stuff like that.
Ryan
Oh, you talking about NPM packages?
Ralph
Maybe.
Ryan
All right, roll the finger.
Wade
Your volume is very, very low.
Ralph
Why is that?
Bronwyn
Wade.
Ryan
Ralph.
Wade
Wade slash Ralph.
Ralph
I'm Ralph.
Ryan
Oh, sorry, Ralph.
Ralph
There we go. There we go. Is it louder?
Wade
That's.
Ryan
I don't know.
Ralph
I don't know.
Wade
We can hear you.
Ralph
Windows. Windows always just turns it down. I don't know what in Windows turns it down. Like, I have to go into sound settings.
Chad
It's Windows. I mean, I guess.
Ralph
I guess Windows does make do. Make things quieter.
Ryan
Should we just call them? Well, all right.
Wade
Well, close your windows.
Ryan
I don't know. Let's do this. All right, here we go.
Wade
I'm going to find the video now.
Ryan
I was doing the other Ryan: Googles "how to podcast."
Wade
How to. How to put on a production. How do you do a podcast, Claude J.
Ryan
As a large language model. Hello, and welcome to Black Hills Information Security's Talking About News. It's September 8, 2025, full into pumpkin spice season. We got spooky, scary skeletons coming soon. This week, we've got AI paying 1.5 billion to read some books. I mean, that's fun. We've got some breaches. And honestly, we have a pretty interesting scoop on some international chicken eggs that occurred that we'll talk about later in the show. More chicken spoilers. We got chicken news, everyone. Welcome. So, all right, it's. I like how we have not, not one, but two podcast hosts who are talking chicken to each other.
Ralph
They must have downloaded that. They downloaded the app they now know.
Ryan
Sadly, the AI app is unable to translate what they were saying, but we're just gonna have to guess. So. Okay, can we start. I guess we could start with the new kind of ransomware that instead of asking for, or instead of like releasing your documents to the public, is just going to submit them to AI to be used for training. I don't think this article. So this is an article in 404 Media. I don't think it's, like, gonna be a real thing, but it is just too interesting as a concept to not talk about it.
Corey
I saw that last week and read through it real fast and went, so they're going ahead and threatening to do what AI is already doing, which is taking these artists work and copying it, and they're threatening to do this. And this is supposed to make them.
Ryan
Pay up why, exactly? It's like the same thing as, oh, we're going to submit your data breach to the SEC. It's like, okay, well, we were already going to have to do that anyway, but I guess if you want to do it for us, like, it's. I don't know, I'm just kind of silly.
John
So the site they're doing it to makes a whole lot of promises to their artists that they will never, ever, ever put AI anything onto the site and they will never, ever, ever share anything that is on the site to AI systems. So they're basically saying, we are going to destroy the one promise you're making to your suppliers that makes you different from everybody else, or you're going to give us 50k.
Ralph
So you're saying this is highly targeted ransomware. This is like malicious ransomware.
John
This is a very targeted leverage point. Yeah, yeah.
Ryan
I mean, I think they use, like.
John
They found a great leverage point to, like, destroy this company one way or another. But they're asking for 50k and it makes me wonder just how much they actually have.
Ryan
Probably. I mean, this seems like a smaller company if they're only asking for 50k. And I feel like it's. The reason it's newsworthy is not because it's super, you know, like ransomware. People tailor their demands. We know this like, the first document they're going to look up is going to be like, you know, cyber insurance limits, PDF or whatever. But I think, you know, like you said, reading their website, looking at their stuff and seeing. Okay, this is clearly a pain point for them. Let's go after this pain point. I don't think this is going to get used by other ransomware groups, but it would be funny if it became a theme. It's like we'll train an AI and use it against you. Oh, no. Like, it seems kind of like an empty threat to me. But who knows?
Ralph
What if this is like a whole new threat actor that just goes around stealing information and then selling that stolen information for large language models.
Ryan
You're talking about like Anthropic.
Ralph
Yeah. Oh, wow. Well, did they do that?
Ryan
Did they steal?
Ralph
What did they steal?
Ryan
Yeah, so, okay, so this is a segue into the next article, which is on Friday, I think it was announced that Anthropic has said they're going to settle a lawsuit, a class action lawsuit for $1.5 billion, at least $1.5 billion to a class of people, mainly authors, who had their books pirated by Anthropic. The ironic thing here is that a judge ruled that using books in large language models is not copyright infringement because it's covered under fair use. However, the problem is they downloaded a crapload of books, like 500,000 or more from pirated sources. So they did actually quote, unquote, steal. And we won't get into the ethics of piracy or whatever. Like we'll leave that for a separate podcast. But they're basically, they. It sounds like they can prove that Anthropic downloaded 500,000 books from various, like gray market type sites and they're going to go after them for some money because of that. So ironically, like, if they just hadn't pirated all the books, they'd be fine. But they did. And I don't know if 1.5 billion is a real number. That doesn't seem like it could be to me. But that's if you take 500,000 times 3,000 per person. I don't know, we'll see. But I mean, it's. I mean, Bronwyn, what do you think? Any other AI hot takes people out here?
Joff
Well, it'll be interesting to see if this is going to be a new trend because of course, OpenAI, they got a get out of jail free card, like you said, where this is supposedly fair use. And now Anthropic is getting hit with the class action suit and it's actually been awarded.
John
Yeah, it's.
Joff
So I think that the intellectual property issues are, are still going to be going back and forth for a while. Is the issue, though, with Anthropic, that they were using stolen media, like pirated copies of the books. Like, I guess it's okay to use, you know, purchased copies of the books, but when you're going out to all these pirate sites, apparently that's, I think, the difference.
Ryan
Yes, exactly.
Joff
I'm trying to remember if it was OpenAI or if it was Anthropic who actually did scan, I mean, destructively scan, thousands of books where the high speed scanners, they basically, you buy a book, you rip the pages out of the binding, you feed it in, and it can scan thousands of pages in an hour. I don't even know what the numbers are. And I want to say that OpenAI bought the books, scanned them, and used them for training. But now Anthropic is getting hit with a lawsuit for doing the exact same thing that OpenAI has been given. Like I said, yeah, it's fair use, no problem.
Ryan
So it's not the same thing. That's why they're getting sued.
John
So what I recall is that OpenAI pulled down like LibGen, which is completely pirated. The whole thing is piracy, and that's what it is. But Anthropic tried to buy all of these books, scanned all of these books, put them in, and also grabbed pirated stuff. Like, they acted like they were going to do the good thing, but they also did the bad thing and now they're on the hook for the bad thing part. And I read this settlement as them saying, we're going to pay you 3,000 per title to pretend we properly bought your book in the first place. And as I understand it, this isn't a judgment, it's a settlement.
Ryan
Correct.
John
So they are preventing any legal precedent from getting set by paying 3k per title or per person. It's against.
Ryan
I think that. Yeah, you nailed it.
John
I think for them, for them, I think the one and a half billion is really just a. We want to make sure nothing goes on the books to bite us about this later.
Ryan
Yeah, it's the. Literally the. I'm gonna pay you $3,000 to f off. Thank you. Yeah, but I mean, whatever, like, and like, I thought they were the good guys.
John
Done this. Worse.
Ryan
This is how AI works. I mean, that's the nature of large language models. They have to be large.
Joff
This is how capitalism works.
Ryan
Okay, that's true, but I wouldn't use an AI that hadn't read any books.
Ralph
So if it was communism, wouldn't they have just shared the books with them anyway?
Ryan
True. And we wouldn't be able to afford. We wouldn't have LLMs because no one would ever have seed money to make an LLM.
Ralph
But anyway, so if I would have rented all the books from the library.
Ryan
No, no. So a lot. Basically, the long story short is fair use does. LLMs are covered by fair use from what? I mean, I'm not a copyright lawyer. I don't know. Sue me. Actually, please don't sue me. Um, but basically, fair use covers AIs ingesting books, but they have to be acquired legally. And that's essentially what Anthropic didn't do. Which makes sense because it's just a data processing. Buying and scanning 500,000 books is. Might cost more than $1.5 billion, to be honest. I guess, who knows? But yeah, I don't know. It's an interesting one.
Bronwyn
So a question on, like, AI and LLMs, when they're trained with illicit data like this, or ill acquired data like this, how easily can it be cleaned up or forgotten by the AI? Because it's sort of like, you know, if you, if you download a bunch of, you know, copyrighted material and they catch you, you know, catch you on it, send you that letter saying, they send you a cease and desist, you can say, okay, we've. I've deleted all those files off of my machine. Sorry about that. I don't have any copies of this. Here's a certificate saying we got rid of all of them, but for AI, can they detrain that? Or they're basically like, yeah, we took early copies of books, unauthorized copies of books, and we put them on into our training model. How do they.
John
You'd have to establish some way to uncompute the neural network training process. To do that, you would just have to retrain. Right. Like. Like, the one way is to say I threw out the thing that had the training and I redid it with not that, but everything else I already did, so I didn't have to rework absolutely everything. But like, you can't go back in and say, I need to tweak this weight by this much and this one by this much to get the neural network to play nice and never reference that thing again except by pure accident.
Ryan
Yeah, it's going to be retraining, which is cost intensive.
John
Right.
Bronwyn
I thought that a little bit.
John
If you imagine that it's a. I'm going to say Mark Twain for argument's sake, because he gets quoted so many places, but he's public domain, so this doesn't actually work. That way if Mark Twain came in and said, you're going to take out everything I wrote and they retrain on everything except Mark Twain's works, they're still going to have Mark Twain in there because they've got all the people quoting Mark Twain in the middle of something else that they still have permission to train on.
Joff
Good point.
Ryan
I mean, yeah, this is kind of the current theme with AI or at least with large language models is there's no reality or there's no reality where it never ingests any kind of copyright protected work. It's just not going to happen. Like these things are designed to be siphons of data and when you're a siphon of data, you're going to encounter data that you probably shouldn't have. This is like the scrape the Internet thing you could start a news article with. We discovered that blank is in the training data for ChatGPT and you could put almost anything in blank and it would be an accurate news article. Like it's, they're just Hoovers and they go out on the Internet and find everything they can find. I mean there's even another, there's another class action lawsuit right now against Anthropic as well from copyright. Like they're claiming that it also ingested copyright protected song lyrics, which I just find hilarious. How is that like everyone's, everyone's piling on to the sue AI and get money out of them bandwagon.
Bronwyn
Yeah.
Corey
And the other thing that's happening is that these publishers and other entities that you're using to go ahead and put out the works are putting into their contracts now that this will be ingested by AI and you are agreeing to it in the contracts for it. I've heard of a few people that write books that were going through Amazon that all of a sudden that popped up into their contract, they were smart enough to read the updated contracts. So they're trying to go ahead now and get it to be a legal thing where you contracted part of the contract your, you signed the contract. Part of that says that your work is now being ingested into AI.
Chad
Yeah, ouch.
Ralph
I'm wondering like think about with the Amazon comment, right? Amazon has such a monopoly on Audible. If you were want to sell it there, I could easily see them making you say your audiobook is now going to be digested by AI because there's really nowhere else to go for audiobooks.
Ryan
So okay. People in the Discord are, are totally nailing the corollary between old school music like, like you know, this is like the whole thing of like, oh, Napster, it's just Napster again. And we, what did it end up? How we ended up as a little history lesson is basically we have Napster now it's just called Spotify and it has a $5.99 a month subscription fee. Like, we basically ended up with Napster and I. I would guess that the same reality is true for AI. We're going to end up with large language models and we're going to have to have some weird licensing model or something for how they do deal with copyrighted content. But it's probably going to be a very similar theme where some of the early adopters get punched in the face with copyright lawsuits and then they have to figure out the rest. But we end up with the product in the end because the product makes the most sense. No one wants to pay 99 cents for every song they listen to, right? So same thing applies to AI reading books. You don't want to be like, oh, if you want me to provide a summary of, you know, War and Peace by Tolstoy or by Tolstoy, you're going to have to upload a receipt proving that you've purchased the book. Or like, I don't know, it's just never going to happen at scale.
Bronwyn
But yeah, or, you know, I mean, if they have, you know, unauthorized copies, especially if it starts getting into stuff that is like pre publication, you know, the publishers could look at it and say, like, who's going to buy our book when you can just ask ChatGPT to summarize, this book that came out yesterday or the book that's not going to, you know, that's going to come out next week. You already know how it ends. Like, here's.
Ryan
Yeah, yeah, but who's going to buy an album? But the same logic applies to any media. Who's going to buy an album when I already listened to the hot single on Spotify or on the radio? Who's going to watch a movie when I already saw the, you know, preview? Who's going to, like, I don't know, it's like there's so many corollaries of this and the reality is you just have to adjust your business model, right? Like artists have moved to merch sales.
Ralph
Okay, let's look at, look at, let's look at Sanderson, right? Sanderson didn't publish his most recent book on any platform. He published it himself. The only, the Radiohead approach.
Ryan
That's just called radio heading. Well, well, I'm sorry.
Ralph
I don't listen to Radiohead, but he's like one of the biggest book. No, I'm not that. I'm. Wow, I'm not that cool. But he got past it. But also this is one of the most powerful authors at. During this time. Right. So if he can publish it himself. But also a lot of the fans for these books and stuff like that, they're not, they, they're not going to go here and say, give me the ending of this book. I still think the people who are going to want this are still going to buy it. If you have that good of a fan base. I think it's more of just these people using it in order using it against your permission is the problem. I don't think anyone is going to say give me the lyrics to this one song or give me a summary unless it's a sixth grader trying to do his book report real quick.
Ryan
Yes, no one's going to pay for that.
Joff
There is another problem though, because the current state of LLMs is that generally speaking, even if they've been trained with copyrighted intellectual property, they're not going to reliably source that thus and thus came from this book written by Brandon Sanderson or, you know, Samuel Clemens or whoever. It all gets mashed up kind of like, you know, loaded mashed potatoes. You've got all of this stuff in there, but it's all mixed up together and it isn't really coherent and identifiable separately necessarily.
Ryan
So, yes, that's a good point. You can't extract the data. You can't say, give me the entire copy of War and Peace like I believe. I don't think you can.
Joff
But no, you can't. And the only, the closest thing to doing that is something like Perplexity or other answer engines where they're using the LLM style interface, but they're going. And they're actually pulling specific references and you get source citation of, you know, here's this. And this is where I'm getting this information from that's different from what Anthropic is doing, what ChatGPT does, and what other typical LLM chatbots, what their behaviors are.
Corey
Yeah, I also have to think that you got to focus a little bit also on the nonfiction and not just the War and Peace or Tom Sawyer or Huckleberry Finn or Connecticut Yankee in King Arthur's Court type situation where all these nonfiction books on how to do so and so are getting brought in, or math books and how to go ahead and do this and how to do that that were written by specific people for specific things that can be used in a different way and would normally be cited in references. That's where one of the biggest problems comes from. The academic side of things, the nonfiction side of things is where I'm thinking we really run into a bunch of that copyright stuff, because the whole summary of a story thing, that's maybe good for some kid writing a book report, maybe.
Ryan
Yeah. You're basically saying that putting it into AI negates its usage or at least makes it really pointless for the people who would actually need it. Which is kind of true for a lot of things, right? Like, no, hopefully, you know, hopefully no scientists are going on ChatGPT and being like, hey, can you explain how to do my job? And, like, scientifically, you know, like, when you get down into the nitty gritty details, AI tends to fall over. At least LLMs do. So. Yeah, I don't know. I don't think we'll. Hopefully no one's using AI for that use case, but, I mean, I guess that statement is always false. There's always someone using AI for anything. Yeah. Anyway, we should. We should move on. I don't want to spend too much time on AI. We could. We could circle the drain forever on AI. Let's talk about this dash cam thing. So.
Joff
Oh, yeah, yeah.
Ryan
So basically this is another. This is an article by Joseph Cox on 404 Media. Basically, there's a company called Nexar which is. I can't believe this even exists, but essentially a company that sells CCTV footage, which is just dashcam footage, and they repackage it and sell it to companies. I guess the legitimate. I'll put legitimate in quotes, legitimate use case for this would be a city who wants a feed of their dash of their city being driven by a dash cam, so they can look at where people are honking and yelling at each other and then be like, this is a traffic intersection with problems. We need to go fix this. But from what I can tell, this company baked the S3 keys into the camera or into the software. And the S3 keys had like, global read access. And so some threat actor, or threat actor, researcher, whatever you want to call them, pulled down the keys out of the application or out of the hardware and then realized that those keys could access 140 terabytes of dashcam footage, which is a lot. And so then they went through some of the images which you can see on the article, which include things like driving up to military bases, driving up to secure facilities. I mean, it's driving, right. So it covers a huge amount of information. And also, some of the cameras are facing the driver. And I don't really understand how anyone ended up with these products in their cars. Like, this is like the whole legal botnet thing we talked about last week, where it's like, it's cheaper if you subscribe to a data model or what? I don't know exactly what. How they sold it to their customers, but I can't imagine being like, yeah, I'll just sell you my dash cam footage for $2 a month. Like, what.
Ralph
What's the brand of cameras that they sell?
John
That's.
Ralph
That's because, like, think about.
John
But I think it's their own brand.
Ralph
Yeah.
John
So they are Nexar cameras.
Ralph
I'm trying to think about the legit. Like, how. How these data. How these cameras. Do they have a. Are they. Do they have a chip in it? Like, how are they getting the data on the Internet? Is it going through your app on your phone? Right? Do they have some.
Ryan
They've got to be LTE. They're LTE.
Ralph
Like, that's a lot of work with the LTE, too. But it's also crazy that people. Like you said, people sign up for this. But the sheer amount of LTE data for all of these webcams has to be ridiculous. And then holding that much storage in an S3 bucket alone, like, is ridiculous cost.
Ryan
Yeah. Yeah. It's just like if Ring just had S3 keys that were all Ring customers for one bucket.
Ralph
As far as Ring is hooked up to your Internet at home.
John
But, like, I'm. I'm pretty sure the business model goes, we will let you sign up and you give us permissions, and maybe we sell you the camera itself, but instead of charging you anything for all of the data feed costs that gets you access to what you were doing and the ability to say, you know, this is what happened when they rear ended me. We have permission to also use whatever your footage is, and then they turn around and they sell it. Like, you talked about a legitimate use case. I know that the use case they say they do the most is to say, I want this location, says company who has a door at that location to have video feeds anytime in case somebody tries to break in or in case someone comes plowing into the door and knocks down half my building, so that even if they try to hit and run, I know who it is.
Ryan
That's. I mean, so.
John
So the big companies are paying for the data, and that's where the money is coming from for most of it.
Ryan
Correct. And the. I guess like obviously their product pages here. Ryan, I don't know if you want to pull it up, but basically the looking at the product page that there's two things that jump out at me. Number one, the dashcams are pretty cheap for a 4K or I don't know if it's 4K, but for a high definition dash cam, front and rear is only 214 bucks. That's pretty cheap. And I think the other thing that's kind of a selling point to customers is that it says it has unlimited cloud backups. Right. So like that's the. They're basically saying we'll give you unlimited cloud storage and you, you know, let us sell your data. That's like basically the. Yeah. So here's the product page. It says unlimited cloud backups. It also does market itself as AI enabled. So built.
Ralph
Built in 4G LTE. That is pretty crazy.
Ryan
Yeah, I mean it's, it's. I don't know. This is like it's one of those things where like obviously, hopefully the company takes it and fixes it. But from a privacy perspective it's really interesting. Like they contacted the DoD that are some military organizations and said like, hey, like do you do any kind of special regulations or restrictions on dash cams? Because if I'm just an Uber Eats driver and you let me on base or whatever, like now there's a feed of that just forever. And they said basically that they are not like the military said they're not aware of any concerns, specific concerns around dash cams. Obviously they have their own like surveillance policies and things like that. But I don't know, it's just kind of a. The amount of information that is contained herein is spooky to me. It's like just the 140 terabytes of dash cam footage. Not only would you have anyone who was actually driving way too much personal information about them, you know, they're probably buying things on the phone or I don't know, it's a disaster. But then also like just the things they were recording, pulling up to people's driveways, pulling up to their, you know, I don't know, it's crazy how much data is encapsulated in that amount of recording.
Joff
So while you all have been talking, I've been doing a little research on the side here. And so it seems that users install the Nexar dash cams and they continuously capture video and sound. That's the default. The recordings are uploaded, stored, organized by Nexar and then they create a searchable interface with public maps where images are supposedly blurred. And then clients can purchase access to monitor specific locations or periods over time.
Ryan
Time.
Chad
Oh my.
Joff
So out the gate, this thing is a privacy nightmare.
Chad
Yeah, I bet they're selling to the. The purveyors of driverless self driving cars. Well, right, because totally Tesla's. Tesla is one of them that trains on an enormous amount of data that they collect. But if they can.
Ryan
Oh, and Tesla, Yeah, I was going to say.
Chad
Right.
Ryan
They do the same thing. They have their own dash cams and collect feeds of you while you're driving. Exactly.
Chad
I mean, totally justify putting a Toyota patch on my Tesla now.
Ryan
You better cover up all 18 cameras too, while you're at it.
Ralph
Yeah, this would be a good deal just to use as a security camera. Yeah, One location the whole time. Just like post it up somewhere, Right? It's recording, it's got live feed, it backs everything up. It's not going to be moving, but it's going to work pretty well.
Chad
So you're telling me I need, I need to park my Toyota on my front porch? Is that what you're trying to tell me?
Ralph
Yeah, right. Oh, your front porch is your Ring right next to your doorbell. That's real weird.
Ryan
Oh my gosh.
John
I put it on my really expensive car that no one should ever steal and that I never ever actually drive.
Ryan
Your house.
Joff
It would break my house.
Ryan
I'm living in my car. So this is a great deal for me. No, I'm just kidding. But yeah, basically you brought it up. So, I mean, I think we all just have to say this probably isn't the only company doing this.
Chad
Right.
Ryan
And this probably isn't the only vertical where this is happening. This is happening in home security cameras. This is happening in baby monitors. This is happening in AI enabled toilets. Like, oh my God.
Ralph
Yeah, we've had that. We've. We have.
Ryan
Safe to say, I mean, it's the old adage, right? If the comp. If the product is too good to be true, that means you're part of the product, right? Like your data or your.
Joff
I'm glad I own a dumb car.
Ryan
Yeah, I own a dumb toilet.
Bronwyn
And we were saying companies, but I'm like, if you could even have governments that go, hey, I know there's going to be a protest for reasons that's going to be occurring in downtown Detroit this weekend. I'm going to request all of this dash cam footage on anything in this three-block area during this period of time.
Ryan
And how easy. How easy would it be to tell who's dash cams in whose car, who showed up at what time? Like the amount of things you could do, it's. It's a disaster.
Joff
Well, and then you get into all of the facial and. And other recognition things that are being done.
Bronwyn
Exactly.
John
Yep, absolutely.
Joff
I feel like I'm the. I'm a member of the last generation that knows what privacy actually was.
Bronwyn
Oh, the Zennials.
Ryan
Yeah, maybe. But I mean, even then we had satellites. We had. I don't know. But. Okay, let's. While we're here in like depressing privacy corner, let's continue one step down the rung and talk about how ICE now has access to spyware.
Chad
Oh, my God.
Ryan
So, like, I. I don't want to get too political here, but basically Israeli, you know, this goes back to like the. It's called Paragon now, but it's basically the same thing as what was the. I forget Pegasus. Like, it's the same thing, it's just different. Different packaging. Essentially the article is that a government contract which just started in the Biden Administration and was reviewed or under review to make sure that, like, the government's usage of spyware was supposed to be like. Like, can you imagine being like, all right, guys, we're going to buy the spyware, but I'm going to make sure. We got to make sure that we only use it ethically. It's going to be fine. Essentially, that process has now concluded, and the government now has access to Paragon Solutions products which include spyware. My whole thing is like, okay, so ICE has this. Who are they using it on? Because it's got to be really expensive, right? Like, if it's anything like Pegasus, it costs a ridiculous amount of money. It's a $2 million contract. Right. So that's actually, I guess that's pretty cheap for a piece of software like this. Does it give them, like, unlimited access to it? Like, I. It's unclear to me how this is going to be used. Obviously. Put your tinfoil hats on as far as how it's going to be used, but.
Chad
Yeah, well, I don't know. I mean, first of all, for the record, I'm podcasting and I've got my phone in an RF bag. Okay.
Ralph
So talk about paranoid.
Chad
My tinfoil.
Ryan
Now, do you have a big one for your Tesla? No. Okay.
Chad
Anyway, there's a story on the Tesla. The Tesla's in the shop getting fixed right now. Oh, I'm sorry. It's called the Toyota now.
Ryan
Okay.
Chad
No, no kidding.
Ryan
Right?
Chad
When I want to have a conversation, a podcast, anything, this thing goes in the bag now, right? So don't try to call me because it's not going to work.
Ralph
I know, I know that for immigration, right. They do make people download an app in order to.
Ryan
Is it called Spyware Go.
Ralph
That's what I'm thinking. Now, in order for it to book times and in order to get a space in order to. And that there's a raffle system. Right. In order actually get your court case and get that allowed in order for you to get heard by a judge. I'm wondering if they're baking that into those apps so then they can both track those individuals that are trying to get across and then to see if they're trying to get across illegally.
Ryan
I'm sure it won't be abused at all.
Joff
Stop. Rare baked in.
Chad
It reminds me like it takes me back to the Clipper chip, which all of you on this podcast are too young to remember probably. But if anybody remembers way back, way back in the 90s. Yes, I said way back in the 90s, the government tried to say, trust me, we're the government. We want to backdoor all encryption with a special chip. Right. You know, that was never a good idea. Right. And everybody pushed back as hard as they could, including fine folks like Bruce Schneier and. And many, many of his compatriots at the time. But you know, 9/11 happened. Ever since the Patriot Act, we have lost all privacy. That's the way I see it.
Joff
Yeah.
Ralph
They're even. They're even in our video games. They don't let you. To install Battlefield 6, you need to have. What. What's the chip you need to have installed for the anti-cheat to work? It's the. Is it the trusted something module, whatever it's called.
Ryan
Yeah.
Ralph
The game won't work unless you have that installed.
Ryan
Yeah.
Ralph
Which I thought was crazy. So I have buddies who couldn't play the game. Video games somewhere unless you.
Bronwyn
Or unless you patch things.
Ryan
Yeah.
Bronwyn
I will say we are that type of. We are that type of webcast there.
Ryan
Well, okay, so this brings up like, you know, we kind of. While we're at the bottom of depressing privacy corner, my thing is like, okay.
Joff
John, it's not my fault.
Ryan
It's okay. It's okay. It's not your fault. The like. Okay, this spyware can't run on every operating system. Right. Does it, like, it doesn't. Does it run on a frickin', like Jitterbug. Like a dumb phone. Does it run on like. No, it doesn't. Like use a burner. It's the same thing with Windows. Like after all the infostealer stuff happened and I realized that video games just have malware packaged with them sometimes. I will never log into any of my personal accounts on Windows ever again. Windows is a burner device that's used for gaming and that's where it does its thing. Like this is where I think we're at with privacy is like you, you basically have to become like kind of burnable. And there's lots of technology solutions to enable this. Whether it's, you know, using a Steam Deck or having like a Windows device that has like no accounts or whatever or a dumb phone or like just rotating phones really quickly or I don't know, but I'm like, if I'm trying to cross the US border into Mexico or whatever, whichever way you want to go. Am I really carrying like my iPhone 17 Pro Max SE Edition? That's like $1700 with me. I don't think so. I'm gonna have like, hopefully just nothing.
Chad
I assume like, like, yeah, flip phone.
Ryan
Yeah, a Nokia 930 or whatever like with an old school SIM card. And like all it can do is like, I don't know. I think that's where we're getting back to is like some things are either private through obfuscation because if you rotate phones every couple months then I mean, what they can't, you know, it's hard to track between all these different metadata. But like, or just dumb phones. Like, I guarantee you Pegasus doesn't run on like BlackBerry.
John
I would not take that bet about BlackBerry. You're fine.
Corey
I wouldn't even take that bet on the Nokia phone. They're crazy enough that they would find a way of taking a little chip that they say Nokia has to put in there that runs this program that goes ahead and contacts the GPS to go ahead and track that phone.
Chad
Right, right. 2G can still transmit data, right?
Ralph
Yeah.
Corey
I mean, how much, how much data do they actually need to be able to track the phone?
Chad
Just a trickle.
Ryan
All right, when's the meshtastic phone coming out?
Ralph
Did you see my LoRa comment?
Ryan
All right, let's. Yeah.
Chad
Anyway, I'm going to go out and buy it. Dumb flip phone, spray paint it black and put the label black phone on it.
Ryan
And so let's talk about real quick. Let's talk about some actual security topics.
Joff
So DDoS attack on Cloudflare.
Ryan
DDoS is lame.
Chad
That's kind of happening every second week.
Joff
It's the volume that, I mean, over the years, the. The volume of the attack keeps getting higher and higher, higher. How long before.
Ralph
Unless. Unless they take out the east coast again, right, and take out DNS servers, then call me. Like, I don't.
Ryan
Okay, so here's the thing about this. I have no reference for this. This is like me saying I made, you know, I did the world's loudest burp. Okay, well, who's, who's keeping track of that? Like, is this actually the biggest DDoS ever? How big are the pipes? 11.5 terabits per second. I'm like, okay, that's fast. But also, like, if you're Cloudflare, don't you have like a 50 terabit pipe or something? Like, what is the Internet doing these days?
Chad
That's what I was.
Ryan
I have no idea.
Chad
You don't know the size of the pipes and such claims are just completely useless. I mean, you. Yeah, there's no way to. There's no way to measure that. Like, where did you measure that? Did you measure that at your data center? And what did you do about it? Did anybody actually notice? I mean, all these big ISPs, the tier ones especially, they're under DoS attack constantly.
Ryan
I mean, it is interesting. I'm glad they blocked it. And. But like, I don't, I don't understand whether this is like, for a DDoS. Is this even. Is this just a regular Tuesday? I truly don't know.
John
No, and it's common practice if you're.
Chad
A really large provider to completely oversubscribe all the time, right? They. They buy like hundreds of times the bandwidth that they actually need.
Ryan
What were you saying?
John
So earlier this year, there was a report on a 5.6 terabit per second DDoS. It lasted like 10 seconds. This one is 11 and a half terabits per second and it lasted 35 seconds. So it's basically double what somebody did, which was record breaking in January. The most interesting thing about this one, I think, is that somebody managed to leverage Google's system to hit Cloudflare. This was not random botnet from absolutely everywhere throwing, you know, 500 some kind of injections from any one machine.
Ralph
It was Gemini, I'm calling it.
John
That idea that someone managed to get some system at Google to attack Cloudflare instead. That part's interesting.
Ralph
They're not attacking Cloudflare though, right? Cloudflare is just in front of whoever they are attacking, most likely correctly. That's the thing I want to know, maybe I want to know who they are attacking. That's what I want it. Does it say it in the article? Because that's the interesting part and that's who you're going to figure out is really doing it. But yeah, Cloudflare doesn't mention that.
Ryan
I mean, I think that I, I, I think that DDoS is interesting because it reminds us all that we can just go outside, right? If, if, if you're getting DDoS, just go outside. Just when I used to work, when.
Ralph
I used to work at a data center, we used to get DDoS all the time and it was always kids asking us for free Roblox, like bring, like that was literally it. And this was 10 years ago. That's how, like, this is stupid.
Ryan
Yeah, yeah.
Chad
I mean, I had to make a similar comment. Wow, couldn't resist. But you know, I used to do protections, infrastructure protection work on very, very large networks. And if you, and okay, kids, take notes. If you spew out a whole bunch of fragmented UDP traffic and you set the TTL to expire or exactly reach 1 at the target destination, right. It will go to the control plane of the routing device. That's, that's one hop away. And if it does that, it will kill it. It'll kill the network every time.
Ryan
No, no, we have IPv6 now. It's fine. Don't worry about it. Yeah, yeah. I mean, who knows?
Chad
But don't take any notes.
Ryan
Yeah, I mean, who knows? Let's, let's, I mean there's so many. This is like a really busy news week. Last week was pretty quiet, but this week I'll just run like a quick, some quick fire ones. There's a supply chain attack on npm packages. This isn't new. We see a lot of supply chain stuff, but it is a large, they are very popular packages. Essentially someone's packaging in taking over these npm packages and doing a supply chain attack where they're trying to steal cryptocurrency from like developers that are using these packages. Obviously all of these articles are just ads for whatever security company found this. In this case, it's a key. Is that how you spell Aikido?
Ralph
I don't know.
Ryan
Aiido.
Joff
It's Aikido.
Ryan
Are you sure it's not AI Keto? No, I'm just kidding. Yeah, no, I, Whatever it is, what.
Ralph
It is, it was 18 different packages and a lot of the packages were actually being protected by MFA. So that just lets you know that even if you have MFA you're still phishable.
Ryan
You just call up the support for npm and you're like, hey, can you reset my MFA?
Chad
I mean software supply chain attacks scare me more than anything else actually.
Ryan
Yeah. And that's fair.
Chad
Yeah.
Ryan
No, it's okay, Joff. Everyone has a software bill of materials with hard locked versions and cryptographic verification of new packages. Don't worry, it's, it's fine. Although I will say it is kind of funny though because it's still just going after cryptocurrency. Like, I don't know, it's really going after the developers writing these packages, not after the companies publishing them or people, companies using them. It's going after developers. Yeah.
Chad
I've always worried that some really big hitting things are going to be compromised in the software supply chain. You know, like OpenSSL for example. Right. You know, that would be bad. Well imagine, and there are many other examples. Right?
Joff
Imagine jQuery. jQuery got infected. Angular.
Ralph
Just take Log4j. Instead of vulnerability put compromise.
Joff
Right.
Chad
Yeah. And of course it's not that like API keys and credentials don't end up in public places, right?
Ralph
Never, never, never. We have secret scanners for that.
Ryan
Okay. Speaking of, there was an update to the whole Salesloft compromise. Essentially the threat actor got into their, the threat actor got into the Salesloft GitHub account and that's how they compromised all of the other organizations who were using the tie-ins with Salesforce. What I'm not clear on and what they haven't posted about is how did someone get into their GitHub account? Was it a stealer? Was it like social engineering? Was it adversary in the middle? They haven't really said, but did somebody.
Chad
Pass the Sage key lying around? I mean, what is it, you know?
Ryan
Yeah, I don't know, it's interesting. Who knows. But basically they're, they're kind of like calling the incident dead. They've rolled all the keys, they got the threat actors out of their GitHub and so like it should be back to normal. Obviously we'll see what the.
Ralph
Yeah, I think, I think the crazy part is they are calling the incident on their side dead. Right. But the main target for this was looking for keys in people's Salesforce. I don't think, I think this is going to be one of the bigger things that happened this year and I don't think we're going to see the end of it. There's going to be something else where someone didn't realize a key was in Salesforce and Someone's going to get popped. I think that's the next.
Ryan
Well, the whole, like the last year was like the year of third party risk management. Now it's like third party risk management plus APIs and integrations and MCPs and other spooky. Like where do you put AI keys or API keys in your environment? Everywhere. Right. Like every environment puts API keys just in everywhere. So it's all the different places they can be stored and reused and compromised is super risky.
Chad
I do like that. On the positive side, I got to throw a positive out there that there are some responsible vendors out there that if they see a leaked API key all over the place, they'll at least try to notify the purported real owner. I mean, that's a step, right, in trying to contain potential damage. So that's a good thing. But yeah, I mean, we are awash in API keys now for just about everything. I don't know that people are securing them properly. I doubt it.
Ralph
They're not.
Ryan
So real quick. A couple of fun updates from the audience. I really appreciate everyone in the Discord. So on the supply chain thing we just talked about. So it wasn't going after cryptocurrency wallets, it was actually going after the. The blockchain itself to try to rewrite addresses on outgoing transactions. This is like a browser hijacking thing. And how it got propagated in the first place is the developer got phished. The developer got a phish from support at npmjs help, you know, then, et cetera.
Chad
That's interesting. Money. Oh, that's kind of cool actually.
Ryan
Yeah, so I think it was like a MetaMask thing where like, yeah, not really going after the wallet, but just sending the money somewhere else.
Chad
Dealer that I write. That's a good one.
Ralph
Yeah, I'll send you a copy. I have a copy of it. Yeah, I grabbed it.
Ryan
Oh, dude, I. I totally will just install that on my main work computer.
Ralph
All right, let me know now. You won't need to let me know. I will know when you do.
Ryan
Okay. Yeah, just send me the phish.
Chad
He's gonna watch his zach.
Ryan
Yeah, yeah, I will say, like my hardware, my actual hardware wallet, I have it and I'm like afraid to plug it in because I got all these emails from the manufacturer that it was like somehow had a bug or compromise or something. I'm like, I don't know what to do, but like, I'm afraid to plug it in. It's a Trezor or whatever. I'm like, I got all these emails. It's like your Trezor's probably got a bad firmware on it. I'm like, I don't know what to do.
Joff
I'm scared.
Ryan
So I'm never going to plug that in again.
Chad
I plugged mine in the other day and it was dead. So I had to go through the recovery process. And then and because I didn't trust it was dead, I took the hardware wallet out to the drill press and promptly drilled holes through it in multiple ways.
Ryan
You know, I actually have a new plan. I'll just get the password for it off my dash cam.
Chad
It's on there somewhere.
Ryan
It's on there somewhere, yeah. A couple more quick fires. We had some interesting new phishing vectors. Someone figured out how they can embed JavaScript inside of SVG images, which is kind of crazy. That's spooky and interesting. There's also people using iCloud invites for phishing. I mean email invite phishing has been a thing forever. In the ransomware corner there was basically the Marks & Spencer hackers. We talked about this. Everyone kind of assumed it was Scattered Spider. Turns out it's a new group which is I guess implied to be part Lapsus$, part Scattered Spider. Their name is Scattered Lapsus$ Hunters. So it's like maybe a ShinyHunter. Yeah, it's Scattered Spider people, Lapsus$ people and ShinyHunters people, I guess combining together. I don't know.
Ralph
But we're these. This is the same group that threatened the. The Mandiant researcher.
Ryan
Yeah, we ever talked about. This group has been very active. Yeah, I don't know if we talked about it on the show, but it's a very active threat group right now. They're kind of doing all the stuff. They're the main, the Com I guess they call themselves.
Ralph
So there's a lot of good research about the Com if anybody wants to go look it up. Highly suggested. That's a cool one.
Ryan
So the other one I'll just throw out there real quick before we get into the chicken story to close us out is the TP-Link zero-day. This might be, you know, a sub article of the DDoS thing because we know, you know, network devices are a common target for threat actors. But basically TP-Link, or toilet paper link as I usually call them, has an unpatched zero-day vulnerability in multiple routers. So basically patch your TP-Links or maybe just replace them with something else.
Chad
I highly recommend crushing them under your boot.
Ralph
I still have a D-Link hub in this like back thing that I keep for like I'm sorry, you have a hub. A D-Link hub, not. Yeah, I've had it since high school.
Ryan
Do you have like a coax network in your house that you're using? What's going on?
Ralph
We used it, we used it back in the day for Halo LAN parties. And I just keep it as like memorabilia and like in case the world ends. Like, I can still keep it communicate.
Ryan
You can still have a LAN party on Halo 2 and everything will be fine. Dude, I'll come over. We can have Livewire and Code Red.
Chad
I just have to ask. Wow, how long have you been in the industry? Because there is, there is a tipping point where, where basically crap builds up so much that you have to clean house.
Ralph
And I have, I have the. It's probably about time, like if I scoot this way. That thing right there, that, that used to be a dresser of mine when I was much poorer at one point is full of electronic gear and I have made several purges. But this one thing, I have that and the original Xbox carrying case. And I save them as like, like this is where. This is what you wear at one point.
Ryan
That's where you draw the line. Do you have Lava, my boy, your.
Chad
Time is coming near where you will throw your hands up in the air, scream and shout, run around your office and start shoving stuff into boxes, taking.
Ryan
It to the recycling never.
Ralph
I. I recently threw away all my cables and then shortly after someone gave me something that needed a micro-USB and I was like, mother.
Ryan
Wait, you got rid of micros? Dude, I'm still keeping minis. What am I doing.
Joff
Better he'll do a GoFundMe and open a museum.
Bronwyn
Yeah, I've learned not to get rid of my like USB to 3 1/2 inch floppy converter. Because every time I do, like within a month somebody, like, I have like these old files like the. Our, you know, missing parts of our family tree are on this three and a half inch disc. And surely you, surely, you know, as a tech guy know how to access these. And I'm like, son of a. I just got rid of that adapter.
Ryan
Then you go to Goodwill.
Chad
Both my dash videos and my crypto wallet on this 3 1/2 inch floppy.
Ryan
All right, so last article. This is a chicken article. And I think this is, I think this is a global. This is a nation state on nation state global scoop of epic proportions we got here. So basically the article is that we bought 500k worth of chicken eggs from Russia in July. I can't believe.
John
And we're really thinking quiet about it because no one found out until, well, India of all places was looking at some statistic documents of ours about chickens.
Joff
Does some really good scoops.
Ryan
They do.
John
But like, the India Times decided to look at some weird. In a corner of, I guess the FDA or USDA documents.
Ryan
How do I know if I'm eating Russian eggs?
John
Look where they bought these.
Ralph
Scroll down, scroll down. Look at this cool image they have of a Russian egg. Keep going down a little bit more.
Ryan
Yeah. Oh, he's in reader mode. He might not see it.
Bronwyn
Ah.
Ralph
Oh, there it is. That's some good Easter painting right there.
Ryan
Like, okay. The other thing is this. This tweet. This tweet or excrement or whatever we're calling it was posted by the Russian news agency RT. It was just like, hey, do you guys like your eggs? Like, what kind of. What kind of news agency is just. Just tweeting at an entire country and just being like, hope you like your eggs? Like, I don't know. Yeah. Yes.
Chad
Fine print on it that says this egg. None of the funds for this egg purchase were used in wartime, you know?
Ryan
Yeah. Like, this egg. This egg did not fund Fancy Bear threat operations overseas or anything. I don't know. I mean, whatever. I mean, it's not cost per egg. How do I know? It doesn't say. We don't know how many eggs. Yeah, we don't know how many eggs we got for 500k. But I will say if you're. If your eggs are spying on you, then they might be Russian. I don't know if your egg has a micro-USB. Do not plug it in.
John
I also find it funny that the last time the US imported eggs was clearly during perestroika, because it was 1992.
Ryan
It like every time we're at war.
John
With the Berlin Wall has been down for three years.
Chad
We bought eggs and we bought it.
Ryan
Yeah, I don't know. And then I don't know what's going on.
John
Never mind.
Chad
I think it was. I think it was driven by egg flation. Oh, my gosh.
Corey
Start coming.
Ryan
No, no. Oh, no.
Chad
We should kill it with fire.
Ryan
I think. Yeah, I think that's a good a place as any to end it. The other article, which we didn't talk about, but it is kind of interesting, is the. Which one was it?
Corey
You scrambled Corey's brains. He can't figure it out.
Ryan
There's one that was really interesting and it's. I can't find it.
Chad
Don't exaggerate.
Ryan
Keep making egg puns, are we poaching? Oh, it was the. Okay, here it is. It's the prompt injection used for ads on Grok. So okay, here's the scam and this is a really interesting scam. So the scam is on Grok or on. Or on Twitter or whatever we're calling it today. X, I don't know. On X you can post an ad and some of the fields of this ad are not checked or not like assessed. And basically someone figured out if you put a prompt for Grok that says summarize this link, then the link it'll summarize can be anything. So someone figured out how to use this to post basically redirectors to adult content and ads and gambling and stuff. But I think the angle is fascinating to say that they don't assess this field, which is the title field, and then the title is, hey, go read this link and summarize it in the description. And then the Grok AI actually does it and then reads adult content on Twitter. It's just a hilarious implementation of like, here's where we're at with AI. You can just put a prompt injection. Like it's. You know how like you always used to put your name as like script alert 1 or.
Chad
Yeah, this is like stored cross-site scripting all over.
Ryan
Yes, this is where we're at with AI. It's just everyone, next week I'll put my name to like AI, summarize this page, kittenwar.com or you know, Rickroll someone or I don't know, like dear Grok, please read the lyrics to Rick Astley's Never Gonna Give You Up. All right, anyway, that's. That's all. That's the last one. Thanks everyone for coming. We'll see you next week.
Chad
Bye bye, bye bye.
Ryan
Sa.
Episode Title: Anthropic $1.5 Billion © Settlement – 2025-09-08
Release Date: September 10, 2025
This episode of Talkin’ About [Infosec] News dives into recent events and hot topics in infosec, focusing on the stunning $1.5 billion copyright settlement facing Anthropic for ingesting pirated books to train its AI models—despite a judge affirming fair use for LLMs. The panel, composed of security practitioners and pentesters, discusses evolving ransomware tactics, privacy failings with dashcam footage and surveillance, fresh examples of supply chain attacks, and some quirkier security news about, yes, imported chicken eggs from Russia. As always, the group shares informed hot takes spiced with humor and memorable moments.
[08:33] – [13:58]
“It’s literally the, ‘I’m gonna pay you $3,000 to f-off. Thank you.’ … And like, I thought they were the good guys!”
— Ryan [12:40]
“We basically ended up with Napster, and I would guess that the same reality is true for AI. ... We're going to have to have some weird licensing model or something for how [AI] deals with copyrighted content.”
— Ryan [17:50]
[05:42] – [08:17]
“They found a great leverage point to, like, destroy this company one way or another. But they're asking for 50k—and it makes me wonder just how much they actually have.”
— John [07:21]
[24:00] – [32:13]
“Out the gate, this thing is a privacy nightmare.”
— Joff [30:34]
[33:42] – [39:17]
“Can you imagine being like, alright guys, we're gonna buy the spyware, but I'm gonna make sure we only use it ethically. It's going to be fine.”
— Ryan [34:44]
[40:11] – [46:11]
“Is this actually the biggest DDoS ever? … I have no idea.”
— Ryan [40:57]
“Software supply chain attacks scare me more than anything else, actually.”
— Chad [45:23]
[49:51] – [51:47]
[47:54] – [53:41]
[54:43] – [56:53]
“If your eggs are spying on you, then they might be Russian. I don’t know. If your egg has a micro-usb, do not plug it in.”
— Ryan [56:53]
[57:53] – [59:08]
“This is like stored cross site scripting all over … That’s where we’re at with AI.”
— Chad [59:05]
“This is how AI works. I mean, that’s the nature of large language models. They have to be large.”
— Ryan [12:56]
“This is how capitalism works.”
— Joff [13:02]
“We’re just Hoovers [LLMs]; they go out on the Internet and find everything they can find.”
— Ryan [15:50]
“If the product is too good to be true, that means you’re part of the product.”
— Ryan [32:16]
“I feel like I’m the. I’m a member of the last generation that knows what privacy actually was.”
— Joff [33:15]
“I'm never going to plug that [crypto hardware wallet] in again.”
— Ryan [50:15]
| Segment | Topic | Start | Key speakers/issues |
|---|---|---|---|
| AI Ransomware Tactic | Ransom via AI training threat | 05:42 | Unusual extortion schemes; targeted to companies |
| Anthropic Copyright Settlement | $1.5B for pirated book ingestion | 08:33 | Legal, technical; parallels to Napster/Spotify |
| Dashcam Privacy Fiasco | Nexar's exposed footage | 24:00 | Privacy, surveillance, "user as product" |
| Government Use of Spyware | ICE licenses Paragon spyware | 33:42 | Surveillance, privacy history, government overreach |
| DDoS, Supply Chain, API Keys | Attacks, software supply chain threats | 40:11 | DDoS scale, npm hijack, key leaks |
| Misc/Quick Fire | SVG JS/Phishing, Scattered Lapsus$ | 49:51 | New attack vectors |
| Russian Egg Import | Quirky supply chain news | 54:43 | Eggs as nation-state issue/pun |
| Prompt Injection in Grok Ads | AI prompt injection = ad fraud/XSS | 57:53 | AI exploited as "stored XSS" equivalent |
The episode does more than just recap headlines—it deeply explores (and pokes fun at) the blurring lines between technology, privacy, and legal frameworks in 2025’s security landscape. Whether it’s AI’s thirst for data, the commoditization of consumer surveillance, or surreal international egg shipments, listeners leave with a nuanced (and thoroughly entertaining) view of modern infosec.