Ralph
I haven't, I haven't actually gotten too many of like I can't help you with that. Right. But I think it's because I break down my tasks so like into small pieces because I've had that happen before. You're just like, all right, we'll just solve this thing. Right, solve that thing.
Corey Ham
But anyhow, I mean at BHIS we saw people that run into it. But it seems like most of the people who are running into the cvp-like denials are the people working on low-level code, like the, you know, exploit development. Like, especially messing around with those Windows LPEs and stuff like that. It's all over that. It doesn't want you to have that. But for just like pen testing stuff, it seems pretty open.
Phil
Yeah, yeah, I wasn't getting called out until recently. Last week they really didn't like the supply chain attacking tool that I was building.
Corey Ham
It was like, this is too close to home.
Phil
Well, in the golden age of Claude Code, before the whole like nerfing-the-model situation or whatever, is when I built most of it and it never complained once. But then like three months later on the new model it was like, I'm not touching that.
Corey Ham
And so you can always go back to the old model. True.
Ralph
People still say that they love 46 I think the best.
Corey Ham
No, no verification, no problem. Just let it rip.
Phil
Well, what was great about the older model was it would like find other things even though you didn't mention your prompt and like still like fix it for you and just do the best you could possibly do. Like oh, I found something critical. I should probably fix that as part of this test. But now it's like oh, I found something critical but you didn't say to do that. So I'm just going to leave this bug hidden so you never see it unless like you're like laser focused on my standard out which will get disappeared in 5 seconds. Anyways.
Corey Ham
I have found that 48 and 47 will both do that. But you have to use it in X high. You can't. If you use it in high or medium or anything like you, it has to be in the high or extra high mode to actually catch stuff along the way.
Phil
At least power mode type that episode
Corey Ham
Max is a whole different thing. Although I will say the new Max, whatever extreme mode is pretty fun like we were talking about with workflows but just I usually use the X high and that seems to do a good job with catching some of that stuff. Like you're Talking about. I agree though. I had the same experience.
Ralph
I just go straight to max. Even when I'm like, hey, could you just change this one color?
Corey Ham
I need you to center this div. Ultra code. Yes, Ultra.
Ralph
Ultra. Can I, Can I. And then I, I get a opus with Fast mode just for that.
Wade
Just ripping through tokens for.
Corey Ham
So wait, what is Fast mode? That's new, right? What is it?
Ralph
No, no, no. So I think they had it in. I think they had it in 462-4746. Anyways, if you're on Opus and fast mode, you get faster tokens per second. So it's going to respond faster. Like you're going to get output quicker. So like the same task, you're going to get the results, from the beginning to where it has to stop, faster.
Shane Hartman
So.
Corey Ham
Gotcha.
Ralph
Yeah, but it costs more money.
Corey Ham
Of course. Of course it costs more money.
David
Yeah.
Corey Ham
So those oceans are going to boil themselves.
Ralph
No, but those farms are sure going to be taken down pretty soon. Here.
Corey Ham
Yeah, that's. That's one of the articles we're going to talk about probably first. There's an article for that.
Ralph
There's an article for that.
Corey Ham
Let's roll the finger, Ryan. Let's go live a little early because we are, we're already like segueing into the show. Let's do it. Hello and welcome to Black Hills Information Security's Talkin' About News. It's 6-1-20. Time to change your password to June 2026, exclamation point. We have a star-studded cast. This week actually is stacked. We have some heavy hitters, including some guests, some BHIS people. Let's start. I'll just go in order. So I'm Corey Ham. I run continuous pen testing at Black Hills. We got Ralph. He's here hunting some gators maybe, or I don't know. He's got a laptop with what looks like a government agency logo on it. I can't tell. I'm trying to enhance and it's not working. What's up, Ralph?
Ralph
What's going on?
Corey Ham
You got to give your fancy intro. What do you do? Spears, arrows. Your weapons?
Ralph
I only do like, like ancient attacks of sorts.
David
Right, Okay.
Corey Ham
I see old weapons. Old. He's an edged weapons dude. You remember that, like History Channel. Cyber.
Ralph
I'm a cyber. I'm a cyber. What do you call it? Software dealer. There you go.
Corey Ham
Okay. An arms dealer. You're the Lord of War.
Ralph
I'm the lord of war for cyber security.
Corey Ham
Okay. Yeah, I. I just remember like those History Channel, like, you know, when I grew up watching tv and it'd be like a History Channel documentary and it'd be like this guy with like, you know, a really, really short tie being like, I'm an edged weapons expert. That's you, Ral.
Shane Hartman
Yes.
Ralph
Experts come in all different shapes and sizes.
Wade
Go endorse Ralph for edged weapons expert on LinkedIn.
Corey Ham
Good times, good times. We got Wade, who's wading through logs. What's up, Wade?
Wade
What's up? I am off this week because I am doing training, so it's actually pretty nice. I haven't read the news yet today.
Corey Ham
Are you taking it or are you giving it?
Wade
I'm giving it. I'm giving training, so. Which is always more fun, I think, nowadays? I don't know. I feel like now with AI training for me is just reading Claude articles
Corey Ham
over and over again, hallucinating your way through the training, just asking it to build a skill that's past this training.
Wade
Yeah, yeah, it's worked pretty well so far. You know, I just.
Corey Ham
Oh, nice. Phil's a BHIS, I would say, developer-tester. I don't know what to call you, Phil. You have a webcast coming up, right?
Phil
Yeah, yeah. A little bit of jack of all trades, like some testing, some development. But yeah, I got a webcast coming up about hacking CI/CD pipelines. So it's all the rage these days with the supply chain attacks.
Corey Ham
But
Phil
yeah, stay tuned because it should be a lot of fun.
Corey Ham
The content community team today on our internal meeting was like, it's Miller time. I love that. That's amazing.
Phil
My heart started racing so fast when they. I was like, I'm not prepared for this. I have nothing witty to respond with.
Corey Ham
Well, wait till. Do you see how fast your heart's going to be racing on your webcast? We also have Shane, Shane Hartman from TrustedSec. Right. That's where you work based on your shirt?
Shane Hartman
Yeah, based on my shirt. That's where I'm at. I'm one of the principal IR consultants there, so I spend all my day fixing everybody's mess-ups.
Corey Ham
That's awesome. I love it when the podcast slants towards blue team. I feel like it's going to be up to you, David, to decide if you're. Are you a blue team or red teamer?
David
Oh, no. What do you see yourself as, despite the red hoodie? I am entirely 100% blue team.
Wade
Good, good. I think this is one of the very few times that we've had equal footing ever.
Corey Ham
This is equal. Yeah. We got three. I mean, okay, I will say Wade's famous quote, right? Everyone's blue team. If you think about it for long enough, right.
Wade
There is no red team, no spoon.
Corey Ham
There is no red team. Like, yes, I agree. But it's fun when we have. So David, you are. Shane, why don't you. You got a class coming up, or you're keynoting the threat hunting summit we're doing. Or I don't know, something's happening. What's going on?
Shane Hartman
Yeah, I'm probably. I'm doing the threat hunt symposium or thing that you're doing on June 17th. So mine is kind of hunting in the dark. It'll be focused a little bit more on kind of just the quick wins and getting started. A lot of engagements that we do where we engage with threat hunt, what we have is they're either starting out or they're trying to get a foothold to get the money in order to get that going. So give you a few, like, quick wins. Some, like, how can you get started, a little bit of asset management, maybe. You know, what actually would senior executives be looking for when you do a threat hunt? So you can actually get money and funding and kind of do some cool stuff.
Corey Ham
Nice. That's awesome. Yeah, I feel like a lot of the times when I'm doing, you know, pen test report readouts or whatever, I'm like, yeah, you could do a threat hunt, but, like, in my head, I just like yada, yada, yada, that I'm like, you know, just like, do a threat hunt, but I have no idea where to, you know, tell them to start. So maybe that would be a good place. Absolutely.
Shane Hartman
We like you guys. We like that when you leave details out on the network, we get to go find it.
Corey Ham
Yeah, yeah, that's my job, is to leave details out on the network to go find and then. Yeah, David, you're actually keynoting, right? You're the big name in the room.
David
I am kicking it all off. Yeah, I'm very excited. It's actually only my second ever keynote, so I'm trying to have really interesting insights.
Corey Ham
That's really hard. That. That's a. That's a high bar to set for yourself.
Wade
That's also very surprising that this is only your second keynote. What's wrong with people?
Corey Ham
Yeah, so, yeah, definitely people. Well, yeah, please, David, answer that question live on the air. Yeah.
Wade
What's wrong with people? Yeah, that's how we're starting the podcast
David
today and it's a strong start. No, no, I'm, I'm actually really excited. There's, it seems like for the last few years like half of my presentations are something. I screwed something up. That was my RSA presentation from was it last year how I screwed up threat hunting a decade ago. And, and, and you know, at the time I, I, I put out this, this definition of threat hunting that got picked up that it's human driven, maybe machine assisted, but human driven. And I feel like we may be to the point where it's time to possibly redefine that or at least decide whether we should redefine that. So I've always been like automated threat hunting, that's not a thing. We call that incident detection. And I'm starting to think that that may not be defensible anymore. And so I'm not going to tell you yet because I hadn't figured out whether I. Don't spoil it. No, I haven't figured it out yet either. So when I finish my presentation there will be a surprise to me as well.
Wade
That's what I was going to say. This sounds like an excuse for someone who hasn't finished the slides yet. Really.
David
That's exactly why I proposed it actually. I want to, I wanted to have an excuse to spend some time thinking through it. So that's, but that's what it's going to be like with the advent of AI being able to provide the reasoning that before only the human could really do. Is it time? And your guess is as good as mine right now.
Corey Ham
Nice. Yeah, I mean honestly I love, like, as a concept, when I'm doing a talk or anything like that, I think you have to choose something that you're fascinated in and don't know all the answers about. Like it has to be something that you're genuinely doing discovery during the process. And yeah, building the slides the night before is the key. That's the key. That's the secret, the secret sauce. All right, let's roll into articles. David has a tool to plug but we'll leave that until the end. It's going to be exciting. So I think the first article we should talk about, because we were a little bit getting into it during the pre-show, is basically there's a Wired article saying that U.S. law enforcement has started to warn about a new category of, I guess, threat, which is AI anti-tech extremism or like AI hatred. So basically the idea here is that they're seeing an increasingly strong response to people not wanting data centers in their farms or backyards or local areas. And this is getting a lot of traction, at least in public, you know, public forums and town halls, stuff like that. So I guess the government has decided to acknowledge this as a real thing. You know, the actual, this is federal intelligence agencies, domestic law enforcement, they're circulating reports, you know, anti-technology extremists. And kind of like the first, you know, headline response on Twitter was, we're not anti-tech, we're anti VC-funded tech.
Ralph
Difference. Very specific.
Corey Ham
Which is, which is fair. It does feel like to me that when they do these projects, it feels like they're working as hard as possible to make it as politically disastrous as it could be. Like the one in Utah that hit my radar was, it was the Shark Tank guy, right? I forget his name. Kevin something. Anyway, it's a Canadian citizen who's a billionaire from Shark Tank trying to put just the world's largest data center in Utah. Like the size of the data center didn't even make sense to me. It was like, this is bigger than half the towns in the US or whatever. Like, it's like a gigawatt or, you know, 1.2 gigawatts or whatever. I don't know. But basically half of these projects are like, we've located a rare animal habitat and we're gonna slowly kill them one by one on a live feed. And then that'll be a data set. Like, it just feels like they're trying.
Ralph
We're gonna bring in baby pandas and then kill them just to make sure that you guys are all really, really upset.
Corey Ham
Yeah.
Wade
The better part was him claiming it was China.
Ralph
Right?
Wade
And then like, it being like two, like, women, like, nope, nope, not China. Like where you actually live here. Like, don't.
Corey Ham
Yeah, I mean, I guess I'm like, what is the, what is the real threat here? What are they going to do? Like, put, ignore all future instructions and stop construction. Like QR codes on things. Like, what is the, like obviously there are physical threat. You know, could be like, you know, people sabotaging projects or, you know, just imagine chaining yourself to a hard drive. You cannot install this hard drive until you take me off of it. I don't know.
Ralph
I, I. So, I mean, the, the terrorism or domestic terrorism aside.
David
Right?
Ralph
So like the actual actions. But I mean, you know, the only other way to stop these things from being built in your city is to, you know, essentially protest and specifically not just to stand out there with holding signs, but essentially to get the recognition of the, you know, the. The local government to. To not. To not have it there.
David
Right.
Ralph
That's, you know, that's, I think, like the ultimate goal.
Corey Ham
But, yeah, I mean, I don't know. I have mixed feelings on this. Does anyone have a strong take?
Shane Hartman
That's what they've been doing. In Florida, where I live. They've been putting out a lot of media articles about the electrical cost grid and water being used. So they're talking about. They're using the natural resource side and saying, we don't want it here because we don't have the resources to give to you because it'll. Everybody else will have to pay for it. So that.
Corey Ham
That.
Shane Hartman
That take is what they've done.
Corey Ham
Yeah, I mean, I live in Oregon where there's a lot of data centers. Like, Hillsboro is one of the biggest data center. Like, that's an entire AWS region.
Ralph
It is.
Corey Ham
And there's like. I mean, there's definitely mixed feelings. I mean, but I think the biggest from my perspective as, like, a citizen who actually would be voting in some of these votes is I'm fine with it. But you do need to tax these companies and actually, like, give the money. Give me some benefit as a citizen who has to live near this data center, like, whether it's infrastructure or tax money or whatever it is. Don't, like, bend over backwards for this company to come in and, like, destroy farmland and then not pay any taxes. The biggest thing is, like, the data centers. You know, the best article or the best, like, take I've heard is that they rely on public infrastructure, right? Including, like, power grid, roads, like, all that stuff. So they should contribute back to that infrastructure. That's probably, like, an extremely, like, political take I just gave. I apologize for that.
Wade
But you sound like one of these terrorists that they're talking about.
Ralph
Oh, my God.
Corey Ham
I guess I'm on a watch list now.
Wade
This White House article is literally just propaganda. Like.
Corey Ham
Yeah.
Wade
What have you seen anywhere? Nothing. It's just literally the people trying to say, I don't want a data center in my backyard.
Ralph
Right.
Corey Ham
People are against me, so they must be terrorists.
Wade
Exactly.
Corey Ham
Yeah.
Wade
Like.
David
Well, I mean, if you read that thing that it's not only about saying anti data center activists are terrorists. Right. There's, like, some broad categories in there.
Corey Ham
It's true. It's not just your. Yeah, right.
David
It's not just data centers. Again, I don't want to get too political on here either. If you want to hear that's your first post on my socials.
Corey Ham
That's what I post on my socials.
David
You want the politics, David, you can get that on Bluesky or something. But you know, I do think there's like three big waves that are kind of coming together right now, and it's kind of, I want to say interesting, but like interesting in maybe a bad way too, is like the anti-AI, anti-data centers, but also they're kind of inextricably tied to the anti-billionaire things and the sentiments. And they all really are tied together, not just in people's brains, but they actually. Because these are the people who are making the data centers to run the AI. So yeah, it's just like a perfect storm right now.
Ralph
It is kind of interesting because they're building data centers and taking away from these cities and towns and resources to then also build AI that then takes away their jobs too. It's kind of like why do I want to keep doing this, right? Like what, what, what am I getting out of this to then feed, not only to take away people's jobs and again I'm, I'm, I'm like throwing out the nest, the net further. Right. We don't actually know how that's going to play, but just to look at it from the beginning, everyone's saying that to then make more money for the really rich people, the billionaires. Right. So you're kind of kidding out this whole like process flow. You know, the data center is just like the first thing you see to then the next thing to the next thing. And none of those are good for you.
Corey Ham
Yep, it's a good point. Very political take Ralph. How dare you. I know, sorry. I mean, I'm sorry.
Ralph
I'm an AI fan too. But it's like is the AI that we love so much or that I enjoy using so much, is that the thing that's going to hurt everybody?
Corey Ham
Right.
Ralph
I don't know. I'm not saying that's what I believe. I'm just saying I'm just proposing the question.
Corey Ham
Right? Yeah. I mean I think the only example of this that I've seen, and it wasn't even the US, is like the UK strong resistance to the speed cameras and like their equivalent of Flock cameras, and just seeing a bunch of videos of people with Sawzalls just hacking through the post, like, you know, just cutting down speed cameras as kind of a coordinated, targeted sort of thing. But there was, there was, at the.
Wade
In the US there was a targeted event like that, but not so much AI as parking here in San Diego. So they started charging for parking at Balboa Park, which is huge, and at the zoo and everywhere downtown. And people straight up started just like Sawzalling the parking meters or super gluing inside of them. Like it was destroyed everywhere. And it got to the point where they just now repealed it. Now they're not doing any parking laws anymore. Paid parking in that area.
Corey Ham
Wow.
Wade
It works, people.
Corey Ham
Well, I find myself on the other side of that one because I would always support anti car infrastructure and making people pay for parking. I love that idea.
Wade
But anyway, if there was a way, if there was public, public transit, it'd be great. But San Diego, they're just like, you
Corey Ham
have to drive and it's going to cost you $12. Yep.
Ralph
Speaking of AI, and this is not really. This is a news article, but it's a little piece. Is that Anthropic just filed to IPO today, actually. No, they did it.
David
Yeah, yeah.
Corey Ham
Oh, God.
Phil
What was the valuation?
Ralph
So it's gonna something close to a trillion. So I think it was like 945 billion, which is a number we should do.
Corey Ham
Guys.
Ralph
Easy to say, but hard to actually tree fit.
Corey Ham
We should make an offer. Okay. Like GameStop did it for eBay. Okay, we can do this, we can do this.
Ralph
We can do this.
Corey Ham
We should put together a very compelling offer. We have Wade's mustache and a few.
Ralph
I did something else and essentially don't quote me on these numbers because they could be off. But just get the percentage idea here. There's something like Amazon. Or not Amazon. Walmart is worth like something like $700 billion and they make like $600 billion.
Corey Ham
Yeah, yeah, yeah, yeah.
Ralph
But Anthropic has made like 20 billion and this is like a $900 billion valuation. Which, by the way, that all makes sense because the stock market is not an indication of how much money a company is.
Corey Ham
It's not revenue, it's valuation.
Ralph
Yes, exactly. It's what I believe it could be in the future. And number is just, you know, could be anything. Right.
Corey Ham
So why would an AI company need to make money? I don't need to raise capital. I don't get it. Well, it's not like they're spending $20 billion a month on electricity in my backyard.
Ralph
I mean, Jensen Huang is just getting all of every.
Corey Ham
That is sort of true. Yeah. I mean, that's really interesting. Honestly, I, you know, I feel like this is kind of. I don't know, I mean, maybe people saw this coming. To me, I'm like, there are a handful of really kind of interesting privately owned companies like Mars or, you know, there's a handful of really interesting companies that are huge and are still private, but the majority of big companies are public. The benefit of this will be more transparency in financials. So that's interesting.
Wade
SpaceX also with IPO. Right. So it's like a bunch of stuff all at once.
David
Yeah. Reliable authority that the first filing for Anthropic, their valuation that they put in there was just so giant, it was like $950 trillion. And they pushed back and they were like, you're absolutely right to call me on that. I clearly messed that up.
Corey Ham
They submitted the form with AI. Yeah. Yeah.
Ralph
Yes.
Corey Ham
Oh, that's amazing. I love that. Yeah. So, in other news, apparently the FBI's warning about people walking around with USB drives. What year is it? Oh, my God.
Ralph
Honestly, if they're not USB-C, I don't know where you're gonna be to it.
Corey Ham
Okay, so there's got to be some crusty IT guy at some company that, like, has been epoxying over all the USB ports in his laptop for years and, like, forcing other people to do it. And he's like, I told you. I told you so. Yeah, basically, this is a real article. The FBI has warned about Silent Ransom Group, who I wasn't previously familiar with. Threat hunter people, have you ever heard of Silent Ransomware Group? Ransom Group? Yeah, that one's new to me. Anyway, they say they've been active, or the FBI says they've been active since 2022, targeting US firms, and since 2023. Basically, they used to use phishing emails. Now apparently they're physically walking into
Ralph
the physical part. Nobody said that.
Corey Ham
Physical.
David
Everyone was like, no one's doing this.
Ralph
Why would you ever go into someone's building? Come on.
Wade
Ralph's going to start using this as a, as an ad for his company.
Corey Ham
For his.
Ralph
Yes, yes, but you. That's the funny part, right? Like the everyone's. Everyone's argument is right about physical security. It's not a threat yet because I can just break in remotely. You're not doing.
Corey Ham
It's only a threat when you run out of other options.
Ralph
Exactly. So if you get better, it just becomes the X the next thing. Right? So.
Corey Ham
Yeah, well, that's exactly what the, the threat report says. It says they, you know, first they call or they send phishing emails. They're impersonating IT support. If that doesn't work. Then they go in person, they say, hi, I'm here to, you know, update your computer. Apparently they're using an extremely advanced tool called WinSCP.
Ralph
Oh, yeah, that thing. Right.
Wade
That.
Ralph
That honestly is agentic, by the way.
Shane Hartman
You mean ancient.
Ralph
Oh, yeah, I mix those words up.
Corey Ham
I'm sorry, you're absolutely correct. Ancient. Agentic. Agent. Yeah, I mean, what's old is new again, right? I mean, this has been a. It's been a real thing forever. Honestly, my question with this is, okay, so if they're targeting US-based companies and they're using physical resources, this was something that I feel like from a threat, you know, perspective, we kind of were like, they probably won't do that just because of the amount of risk involved. How does this criminal ecosystem work? Like, are they hiring people who actually think that they're helping people? Like, is it like a mule? Is it a mule system?
Ralph
There's no way that they're like bringing in Russian assets to just land on, like a vacation to do this.
David
Right, Right.
Corey Ham
Yeah, like if you leave Russian or Chinese turf, you're going to get arrested. So they're.
Ralph
Yeah.
Corey Ham
I don't know. Does anyone know David or Shane? Do you guys have any intel on this at all?
Shane Hartman
I don't have any intel on it. I did read the article. It said it was targeting law firms. Now, I have had a little bit of experience with law firms. They tend to be a little bit more technologically backwards, meaning they do use USB because they go in and out of court and whatnot. So they're not always using Wi-Fi, or they just use older technology sometimes. So there could be some validity here just in the targeting. But it's got to be small. I mean, it's not scalable.
Wade
Go ahead.
Ralph
No, I was just going to say. So, all right, how's this attack work? You show up with a USB in your hand and you find the first unlocked workstation. Is that what we're hoping?
Corey Ham
You show up at the last. You go to the target.
Shane Hartman
You go to the target, the one you already called?
Ralph
Yeah.
Corey Ham
You go to the pretexting target and you say, hey, sorry.
Ralph
Yeah, I missed that from the article.
David
Then the help desk, you tell them you were expecting.
Corey Ham
Exactly. Yeah.
Wade
All my court documents are on this USB drive. Please plug them in and view them.
Corey Ham
I need to update your system, but your WinSCP is out of date.
Wade
I find lawyers to be a juicy target, though. Like, they're gonna hold a whole bunch of secrets, a whole bunch of information,
Corey Ham
like, okay, that's like stealing a drip from a drug dealer. Like, yeah, you're right. But like, dude, the, the repercussions are going to be significant. Like, can you imagine answering some ad that's like, do you want to make $10,000 in your PJs and then you like accidentally break into a law firm and do some USB stuff and then like have a whole law firm coming after you for screwing up.
Wade
There's been enough people with North Korea doing it, right? Like, hey, set up this laptop farm in your garage and just like move the mouse every now and then for me. Like, like it's, it's hard times. Like if I just called someone and told them to plug in a USB drive here, like go up to this lady's reception if you can get a USB drive. Like, here's a hundred bucks. You'll get 200 more if you get it.
Ralph
Yeah, the mules are getting scammed too. They don't. They're not, they're not going to be given the whole story. Right. They're just going to be given the half side of it. Right?
Corey Ham
Yeah,
Phil
They were mailed? I thought they were sending envelopes with USB drives in them to people.
Ralph
I've done that before. I've sprinkled them around parking lots.
Corey Ham
CDs. Remember those things? They were circular. Oh yeah, dude, put them in media drops. Yeah, media drops. I still have a Kon-Boot CD bumping around in my little go bag that I never use.
David
That was the first thing I thought of when I read this article, and I was like, it's amazing that it's now a cutting-edge hacking technique that the red teams have been using for decades.
Corey Ham
Yeah, yeah. I mean this is. Yeah. Let's just say the FBI in this case is a paid advertisement for pen testing.
Ralph
This happened to your organization too. For.
Corey Ham
Would you like a red team? Contact BHIS. We will walk into your building with the USB drive and do whatever you want. Yeah, I mean, honestly though, from a defensive perspective, you're going to have to go against low-maturity organizations. Every organization. We've done a handful of media drops, but like in recent years, I mean, you can just check a box in CrowdStrike to just disallow external media. Right? Like you can pretty easily mitigate this with an EDR. Anyway, speaking of EDR, apparently Defender can now isolate systems. CrowdStrike killer, here we come.
Wade
Yeah, they couldn't beforehand.
Corey Ham
That's what I said.
Wade
Shows you my Microsoft experience.
Corey Ham
But it's automatic though, I guess is the big. The headline, not the fact that you could. Couldn't quarantine before, but now it's automatic. I mean, they call it automatic attack disruption.
Ralph
Wasn't it last month that they added that feature to Microsoft Defender where you could use it to privilege escalate?
Corey Ham
Oh, no, that was, that was. That was part of the recent ongoing, you know, slew of Microsoft vulnerabilities that we've all been all loving.
Ralph
Like yellow sun.
Corey Ham
Speaking of yellow key. Yeah, just.
Ralph
But better, right?
Corey Ham
Yeah, Kon-Boot. But better. Yeah, very true. No, it's fine. Everyone puts PINs on their BitLocker. Everyone does that.
Ralph
Everyone does it. Honestly, you know, you have to enable BitLocker by default or have a domain policy, so. That also is true. There's a bunch of fun things. But did you see, speaking of the gift that keeps on giving, that the Yellow Sun or our Chaotic Eclipse, there you go, he got kicked off of GitHub and then got kicked off of GitLab. I mean, they're just kicking them off of everything. All right, so here's the wild part, though, right?
Corey Ham
He's threatening Microsoft.
Ralph
Yeah, no, that's not the wild part. The wild part is that there's other PoCs on GitHub. Why is it the one that happens to be attacking Microsoft? Was it because he didn't do a responsible disclosure?
Corey Ham
Excuse me.
Ralph
Or because it's Microsoft and they're just really upset about it?
David
What do you guys.
Corey Ham
Yes, both. It's both. But mostly they own GitHub.
Phil
The GitLab got taken down, too. Like, Microsoft has some pull over GitLab somehow. Now, I didn't think they owned them.
Wade
I mean, but the Microsoft pull is strong, right? Like, if Microsoft were to call you right now, you're like, oh, okay, like.
Ralph
Why would Microsoft call you that you would be upset about? Would they be like, oh, you took
Corey Ham
a license you guys don't get every day?
Wade
Dude, he calls me all the time, has me put in updates, sends me USB drives to plug gift cards.
Corey Ham
Oh, yeah, dude, I get. I get tons of calls from Microsoft. They're super helpful. They all have weird accents, though. Oh, God.
Ralph
I always.
Corey Ham
The. I think the, like this whole thing, the whole Microsoft thing, like to approach it from both angles to be.
Ralph
What about free speech?
Corey Ham
Yeah, yeah. To play devil's advocate. Well, first of all, free speech doesn't affect you.
Ralph
I'm just saying. Thanks. Okay.
Corey Ham
Okay, I got you. Free speech. Anyway, I think, to play devil's advocate, I think part of the reason that they're able to pull for these takedowns is because of the amount they can make an argument that this is a harmful thing and that can be abused. Arguably that is true in this case. Right. Like these are. The amount of data that can be exposed through some of these vulnerabilities is higher than average, I would say. But it isn't like Conficker, like, you know, it's not like wormable WannaCry other
Ralph
POCs on GitHub that do bad things
Corey Ham
to other products, right? Oh, yeah, maybe even arguably worse.
Ralph
Right. But the argument is. The argument is PR. It looks bad for PR, but should they be there or not? Because somebody made a PoC? Was it because it was a reasonably responsible disclosure? But then after it's patched, now is it okay, so then no one else can post it? I mean, you can see where this kind of gets money, right?
Corey Ham
Oh yeah, it's totally.
Ralph
Can do whatever they want. Pretty sketch as a platform, right? You kind of like, if you put enough of these, like weird hurdles and people will just go to something else. Right? I don't know.
David
Just opinion.
Corey Ham
Yep.
Phil
I think there's been so much, like bad experiences with like Microsoft's security program that it just reached its boiling point and finally like the water started boiling out of the pot. And with Nightmare Eclipse, just because of all the back and forth, which I don't know exactly what happened. Just based on his blog, it sounds like he didn't get credit for like a CVE and they're like, oh, this doesn't qualify, like, closing the issue, but then. Or this has happened to a bunch of people in the past where they have to wait 90 days, that hits and then they need an extension. Then Microsoft like silently patches the issue
Corey Ham
and like, so Microsoft has bungled this every time in the past and I think they've earned this karma. But also they own the platform and so they get to do whatever they want on the platform they own. This is not the first time, by the way, that offensive tooling has been taken off of GitHub. I feel like every two years we have the same discussion as hackers where we're like, guys, we got to move off of GitHub.
Ralph
Yeah, where are we?
Corey Ham
Where are we going, guys? Anyone?
Phil
It's not safe either. Now we gotta go to Bitbucket or Gitea or whatever the other.
Corey Ham
No. 1, no, this is like the Twitter thing, right? Like, no large company is going to want to take this heat, right? It's the same thing as, like when people have really hot takes and get fired from their big tech jobs. It's like it's not that they don't agree with your takes. They just don't want to pay a PR firm to compensate for you. Like, it's really just economics. It's the same thing applies to git, you know, GitLab or GitHub or.
Ralph
Yeah, I mean, but at the end of the day, zero days on GitHub is not really a problem, right? I mean, like, you think there's probably other places that you can go get zero days besides GitHub. It's not really where I'm headed for my first zero day.
Wade
Tor is too slow. Just go to GitHub.
Corey Ham
Yeah, it's easier. I think it's a great value proposition for GitHub. These things used to cost 100k. The government's paying 100k for these things now they're free.
Ralph
We give you so much value with our free accounts now.
Corey Ham
So much value. Yeah.
Ralph
Amazing. Oh, we'll piss off another security research.
Corey Ham
I will say to kind of flag it for follow up on the show or wherever they the date. Like, they say they're going to make Microsoft Pay on July 14th.
Ralph
Because I'll tell you right now, it doesn't matter what site it's on. If that 0-day is good enough, you're going to click, you're going to go for that fish, you're going to definitely check that out. And if it's real, you don't have a choice. Like, you're going to have to figure that out.
Wade
I won't have to. My agent will.
Shane Hartman
Yes.
Ralph
I send my agents to wade out
Corey Ham
into the dark side. I feel like Microsoft is basically training a threat actor live. Like they're basically like trying to make them disgruntled to the point that they drop this. It's such a weird way to manage this. From my perspective, like, OpenAI is like, oh, you made OpenClaw and burned like $10 billion worth of tokens. We'll just hire you or whatever. Like, yeah, like, why is no one, like, recruiting this guy to go run Mythos on all their internal tools? Like, I don't know, whatever.
Phil
I like how he said they will feel it in their bones. Or what do you say? Their bones.
Ralph
In their bones. Maybe, maybe.
Wade
Maybe they'll recruit him to the Cyber Force.
David
What?
Corey Ham
Oh, oh, is that the next article?
Shane Hartman
Wade?
Corey Ham
So, okay, so Cyber Force is apparently real. I don't know. Basically, one senator from New York, Kirsten Gillibrand, is spearheading a markup amendment to the Senate 2027 National Defense Authorization Act that would create a Cyber Force as the next armed service branch. They would have keyboards on their arm, obviously, and heads up displays, you know, like you need for hacking.
Ralph
Yeah.
Corey Ham
I mean, is this real? Like, we already have Air Force, Navy, Space Force. We have so many forces.
Ralph
Well, almost all the commands have a cyber now or some other kind. But, you know, cyber division, I mean, it wasn't the case, you know, less than probably 20 years ago.
Corey Ham
It's army though.
Wade
All the commands have airplanes too. Right. And boats and.
Corey Ham
Yeah, okay, so.
Wade
So why not?
Corey Ham
I was not in the military, but Ralph, you were in the army, right, so. Or was it Army? Yeah, you were army.
Ralph
Yeah.
Corey Ham
So, okay, if you are a cyber force operator, are you mostly running around with USB sticks trying to plug them into things? Like what, What. Why does the army need a cyber force? Like of all the different branches, like, why.
Ralph
Well, why does the art. Well, the army already has a cyber command.
David
Right.
Ralph
So they already have essentially as a cyber focused offensive arm.
David
Right.
Ralph
I think that, you know, how much they do from the offensive side, you know, gets into the, to the waters where you get into the, you know, the CIA versus, you know, that relationship.
Shane Hartman
Right.
Ralph
But I mean, essentially saying like, you know, a, A quick action. Right. Like a QRF for like cyber. Right. We probably already have some of that, but building out a huge command of it and you know, to make attacks against, you know, foreign adversaries, which would. Is essentially what any military branch is specifically designed for. Right. Not necessarily for, what do you call it, local defense.
David
Right.
Wade
I just say we let it get created just in case there's a draft. So we can all just go straight to cyber.
Ralph
Yeah, we're going. We immediately go to cyber.
Corey Ham
Yeah, they're like, do you not pass all the physical requirements? Welcome to Cyber Force.
Ralph
Well, you know what the funny part is, even with the other cyber commands, it's hard enough to train up, up these, you know, train up all of these soldiers in this skill.
David
Right.
Ralph
Get them to be decent at it.
Corey Ham
And then I want 20 CVEs by the end of the day.
Ralph
Exactly.
Corey Ham
Yeah.
Wade
I know back in the day they used like, if you had cyber experience, they would bring you in as a warrant officer too, for a little bit. And I remember me being in cyber for a couple years, like, should I just join and just go and like, do it for a bit? And the thinking about it now though, with the, the barrier to entry, so like, so hard for new cyber people. Right. Could this be an easier route? It'll be an easy route for most people, which is sad, but scary.
Corey Ham
Yeah, it's a good point. I don't know.
Ralph
Yeah, the cyber. So the Cyber Command includes U.S. Army Cyber Command, the U.S. Marine Corps Cyber Command, U.S. Fleet. So this is Navy, and then Air Force has their cyber. It all falls under the national cyber. United States Cyber Command.
Wade
So there already is a Cyber Force.
Corey Ham
There's already three of them. Yeah, they're just not an army one.
Phil
One.
Ralph
Yeah, no, no, no. There is an army one. So US Army Cyber Command. Right. But what I think they're trying to make this, is that like some like warrior with like overhead displays or something like year one type deal. I, I don't know what that looks like, dude.
Corey Ham
Heads up displays and keyboards on their arms.
Ralph
Yes. I'm just trying to envision the. No, like the, the quick tactical team that like rappels into the data center to do something. I don't know, dude. I don't know.
Corey Ham
Yeah, no, I think you're right. No, I, I, I agree. I mean, someone, some people in Discord have been speculating, oh, these are just drone pilots. Okay, that's fair. Like that makes sense.
Ralph
We don't even need that. We have AI for that.
Corey Ham
We have OpenAI though. Yeah.
Ralph
You're out of credits, Crash.
Corey Ham
I think, I think it's fair to assume this will probably get approved just with the, and I mean, I don't know.
Ralph
But yeah, honestly, half of everything that you said, Corey, they're writing it down right now.
Corey Ham
So they're like, wait, USB stick. How many, how many can we get into a plate carrier? A lot.
Wade
Working in a SOC was really fun. I'm not gonna lie. Like, at the time, the pew-pew charts, right? The big monitors. There's a wall with a glass and the CEO presses the button and then it becomes opaque and all the investors look at you like you're a monkey. And like, it was great, but more people should go work in SOCs. That's all I'm saying.
Corey Ham
I don't know if this is defensive or offensive, but the best.
Wade
Honestly, we need more defense. Right? Like all of our stuff's getting hacked. There's no there. We already have the offensive side. Maybe we need a cyber defense core.
Corey Ham
Wouldn't that be National Guard anyway?
Ralph
National Cyber Guard.
Corey Ham
Let's, let's move on. So there's a couple of interesting little tidbits on AI that I think we should talk to. First of all, in the Opus 4.8 release, they did specifically say that they are preparing Mythos to be publicly released in the next, in the coming weeks. That was the exact terminology they used, coming weeks. Obviously there will be, you know, thousands of weeks coming. Who knows if it's going to be the next one or, you know, it could be a thousand weeks from now. It's still technically coming. But, I mean, I will say their cadence, their release cadence is pretty fast. And so.
Ralph
Well, so is ChatGPT. It's a war out there, man. No, I got 5.5. No, I got 4.9.
Corey Ham
Oh, I got extra ultra code.
Ralph
Yeah, I know, I know.
Corey Ham
And we're like, no, let's see what happens. So basically, that might be happening, but also, do you think that's the end of.
Ralph
Of cyber? We're all done just vulnerabilities left and right? I mean, yeah, maybe. Maybe Wade is right.
Wade
Maybe we do the red team. I don't know what to tell you guys, but it's not. I still got it. I haven't seen any cyber do an incident response really that well yet.
Corey Ham
Or threat hunting?
Wade
No, I don't know. We'll see what David says after this. But,
Corey Ham
I mean, are you guys, as threat hunters interested in this tooling or is it really, like, hype for the CVEs and the threat, you know, for, like, AI tooling? What was the question? Do you care about Mythos? Are you going to use it as a threat hunter, or do you already use LLMs, like, in your workflows? Like, obviously, everyone's like, Mythos is going to make it amazing to hack stuff. Is anyone saying it's going to make it amazing to hunt for threats?
Wade
No.
Shane Hartman
I mean, we do use LLMs, but
Corey Ham
I don't think so.
Wade
Not yet.
Ralph
We are.
Wade
We're going to coin it right now,
David
but you said the magic word earlier. It's the tooling just a minute ago, right? It's not really the model. It's our models. The frontier models are already so good. It's what tooling you wrap around it that is really the differentiator. I have not had hands on Mythos. I've talked to people who have, and they say, yep, it's. Some of them say, yeah, it's really what they say it is, and some of them say, I don't know. So I don't really know what to say about Mythos, but I was going to say, on the defensive side, I'm not clear that we need that Mythos is going to move anything further for the defense. I would be really happy to see some frontier model provider provide that kind of emphasis on defensive security, as they seem to on offensive security. It reads to me like they feel like creating vulnerabilities and exploit chains is cybersecurity or information security. When it's not really, it's just a piece of it. And the hard part is the defense. And when they start coming out with, you know, models and tooling that are frontier and they're targeted toward defense, then I'll get really excited.
Corey Ham
I fully agree. I'm interested to see if any frontier company actually makes a play at defensive. The defensive side of AI.
Wade
But like the defensive tooling is going to be heavily reliant on the organization as well. Right. Manipulating the tool to make it fit your company, just like any type of detection would. Having all your documentation. Right. I almost find it harder now as a blue teamer to get, not even to get buy in, but to get GRC.
Corey Ham
Right.
Wade
Like that's some of the stuff. If we're plugging all these AI toolings in. I hate to say it, but it's like then you have to think about permissions. What these AIs are doing, right? Are they over-permissioned? If someone uses an OAuth token to then log into this and you're a security person who has super admin to something, boom. Now this AI has super admin, so there's a bunch of controls around it. But I think the defensive will come. I, I believe it's right around the corner. Someone I. I would like that. Why hasn't anyone just gone and tried Mythos and just like tried to do everything defensively with it, right?
Corey Ham
If it's doing all supposedly they have. That's what people are talking in Discord about, M Dash. I thought it was someone making it. I thought it was Luke making a joke that he was going to start using em dashes, which is like, like for those that are out of the loop, the em dash is like the double dash that the AI loves to do when it says anything. So I thought he was just joking that like he was going to start doing it to pretend like he's an AI. Turns out it's actually a real thing that Microsoft has released that's supposed to be defensive focused. This is back from May 12th. So pretty old now, but I'm guessing this is like their harness or tooling or whatever they built. It's multi-model. It's supposed to be, according to their graph, better than Mythos.
Ralph
Everything's better than Mythos.
Corey Ham
Yeah. So, but check this out. 21 out of 21 planted vulnerabilities were found. You know,
Ralph
what about on the gainter chart or ganter or whatever the hell.
Corey Ham
Well if you look at the chart, it says they're better than you.
Ralph
So I'm just gonna go ahead and cash this one out. I'm done.
Corey Ham
Yeah, yeah. Microsoft has solved security. I think we can just buy. Just figure it out.
Phil
Having a harness is very important though. Like a lot of people are posting different ones in the chat and there's a lot to choose from, but something is better than nothing. And then it's funny too. At what point does the collection of plugins and skills and hooks and memories and learning become a harness? How many do you have to have before you can call it a harness? I have one skill. Is that a harness? No, you have to have a skill and a hook and a plugin and a memory or whatever. Right. But there are some cool ones that will at least like automate, like continuous learning for you. So that.
Corey Ham
Yeah, like Hermes or those.
Ralph
Yeah, I, I think it's kind of funny. I was talking to another pen testing team and they said they had all these zero days now that they've, you know, taken the time to find in all these different products or whatever. And this goes back to what you guys were talking about with defense. And they're not going to fix these things right away because they don't have anything in place to. So essentially it's all fun and games to go find these zero days, but no one is from these organizations that's creating the software or whatever. They don't have systems in place that are looking for it the same way. Right. Because it wasn't as like shiny. They're just trying to run their business and make some software, make whatever. And I think we're going to see a big wave of a bunch of vulnerabilities and a bunch of companies trying to figure out how to defend themselves or update their software or develop software in a more sustainable way using AI to actually be able to detect this. So I do think we're going to see a big wave of it and the defense is really where you're going to see a lot of people struggle.
Corey Ham
So transition. Next article. Oh, sorry. Unless anyone had a final go back, I was going to say if you want to see how AI is being used today without Mythos. So there's a really fun article about how attackers. There's a fun write up about how attackers are using AI for post-ex. And this pretty much reads like a pen test report to me because we're doing the exact same thing, we're just not doing it in Chinese. So language. Basically. The long story short is that someone used an LLM for post-ex. Now this is like I said, exactly what we're doing as pen testers. But essentially they exploited the CVE. Then they asked AI, what else can it access? Basically they were just like, hey, what else can this key access? But they did that in Chinese and somehow that. That question of what it could access made it through to the API, which is pretty funny. It leaked into the command stream while executing a credential search.
Wade
And
Corey Ham
that's pretty much why you don't need Mythos. It's basically like an explanation of why. Because this kind of abuse of LLMs is the more risky thing, right? This kind of like, very simple, just being like, AI, take this AWS key that I just compromised and do evil things with it. This is what we're seeing in the real world. If you look at breaches, there has yet to be a breach from a Mythos zero day or whatever. But there has been many breaches like this. Where a typical CVE is exploited, an agent or an LLM is used as post exploitation or quick transition to the next article, which is about a chat bot that just gives access to accounts if you ask for it. So this is like the other side of AI exploitation, which is sometimes you don't need an exploit at all. You can just ask the AI for access to the account. So this is a Meta thing. Basically. Meta AI was super helpful and decided to just grant some people access to some high profile Instagram accounts, including the account for the White House, or I guess the Barack Obama White House, the Chief Master Sergeant of Space Force.
Ralph
It's a feature that it. They built it like this.
Corey Ham
It's super. I mean, I will say you need a really advanced model to get to have it compromising accounts. Okay. To me, this is a textbook. I mean, there's screenshots that are just insane. This is a textbook case of like AI failure. Right? Like, why do you give your AI
Ralph
the access to all those accounts? I don't understand.
Wade
Exactly, Exactly.
Corey Ham
Great question. It's almost like if you had a red team that wasn't replaced by AI, they would have caught this.
Ralph
Oh, they just didn't ask the right prompt. That was the problem. Let's try.
Corey Ham
I feel like, okay, so I know Meta has a huge red team and I know some people that even work there. And so my question is, number one, did you get replaced by AI and are you looking for a job? If so, let me know. And number two, are, are we to the point where AI is moving so fast that things aren't being properly tested before they're being published. Including like. Oh yeah, this sort of high risk applications. Like, is that where we're at?
Wade
We were there before.
Ralph
Yeah, yeah, we were before AI for sure.
David
I mean, Wade, just like a couple minutes ago you said like GRC was getting in the way. Like. No, I don't, I don't see that in a lot of places. Like in most organizations, problems with AI are that they're adopting it too fast in ways that they didn't actually know that they were adopting it. And so it's. It's kind of like this, the shadow AI and shadow.
Ralph
I love it.
Wade
Key the term. Someone make me a sticker.
Corey Ham
Oh God.
Ralph
What is it like a. What do they call it? Like a dark AI factory. Yeah, look that up.
Wade
I don't want to look that up. That sounds like a bad dark web term.
Corey Ham
I was gonna say that's your personal search history there. I don't think you call it what
Ralph
you want, but ask your AI about it, he'll tell you.
Corey Ham
Really, you think? Yeah, I don't know.
Wade
So this is not doing AI correctly, right? Like, like we said, this is when you. This is what happens when you bypass GRC. Like is this.
Corey Ham
Well, yeah, yeah. I mean, I don't know. It's kind of crazy that. I will say though, this is the classic thing of scale. When you're operating at these huge Internet scale companies like Meta, you can't hire support people to actually support your accounts, or at least they think they can't and so they use AI and that's gonna cause risks. Although it is a business logic flaw, arguably, maybe it's an LLM flaw, but it feels more like a business logic flaw to me of it basically not knowing where the credentials it's handing out came from. It doesn't properly tie together the request and the response.
David
I could just see like you were talking about, where's the red team? I could just see like a bunch of AI red team experts getting together and being like, nah, surely it's not that simple. We got to try some more advanced attacks.
Corey Ham
Yeah, I mean, I will say I have personally observed this in our agentic AI testing. Some of the things that are really tough to convince AI are vulnerabilities. Like one web app we were testing. I think I've told the story before, so I'm sorry, but one web app we were testing, it was basically an IDOR, so indirect object reference. And essentially it was giving a 302 response, but it was giving the entire content of the page that was supposed to be restricted in the response. And AI kept being like, no, this isn't a vulnerability. It gave a 302 response. And we're like, yeah, but look at the 302 response. It has the whole web page. And it's like, I don't know what you're talking about. It's a 302 response. I have to redirect. It's like that back and forth. I could see a red team, like an AI red team missing a business logic flaw. Like, well, they asked for the account and it sent the number. So I don't see what the problem is. Well, like, but AI, it's a different account that they reset. Like they were resetting someone else's account. Oh, you're absolutely right.
Wade
All right, let's talk about the real problem is why are they using a phone with a crack screen? Like, come on, at least get two phones with two screens. Like, I can't. That is just driving me crazy.
Corey Ham
I think this is just what threat actors do, man.
Shane Hartman
They do.
Corey Ham
They. They. That's just their background. That's just their chat background. For. For meta. That's not even a broken screen.
Wade
That dot that you don't see the huge crack right there on the right hand image.
Corey Ham
I know. They have a cracked screen image as their background.
Ralph
Yeah, that would actually do with all my phones. That's why no one steals them.
Wade
That's actually a really good idea.
David
Misinformation on any app that you have.
Wade
Yes.
Corey Ham
Yeah, yeah.
Ralph
This is never gonna happen again. So we don't have to worry about this. Let's move on.
Corey Ham
There's an article about the Kali365.
Ralph
Oh, my God, dude, they stole my playbook.
Corey Ham
It's literally just like pen tester 101. Like if you were to take Michael Allen's initial access class, it would just cover this. It's using device code phishing, which, don't get me wrong, it's a good one. But also like, like, come on,
David
it's
Ralph
better because it's a SaaS product. Okay.
Corey Ham
It's P. Phishing SaaS. What?
David
Pass.
Corey Ham
I don't know.
Ralph
Everyone loves a monthly subscription fast.
Corey Ham
I don't know how to pronounce that. Phishing-as-a-service platform. I like how the news article is kind of a dig where it says it helps even low skilled attackers. Hijack.
Ralph
You could be an attacker too.
Corey Ham
They're just directly calling the attackers who bought this low skilled. That's pretty funny. Yeah. Device code phishing. I mean, come on. Who allows device codes these days? Who doesn't have secure conditional access policies that don't allow access from unmanaged devices? Like, come on, no one, no one screws that up anymore.
Shane Hartman
No, not true.
Corey Ham
The threat hunters in the room are like, nope, you're wrong.
Ralph
There's an article about it. It's still effective.
Shane Hartman
Yeah, I've done about three cases of it in the last month and a half.
Wade
Have.
Corey Ham
Well, I do need email on my phone. So we better just compromise the entire organization so I can have that.
Wade
That is exactly what happens. One person says that.
Corey Ham
Yeah, basically, if you're a pen tester or red teamer, you should know how to do this exact campaign just by reading this news article. This is a, this is a first thing to learn in initial access techniques. It's great. All right. And don't buy this product. Don't do it. It's probably done. Speaking of botnets, let's talk about botnets. So the authorities in the Netherlands, which I love, I just imagine people on little boats and they're going to fancy restaurants, you know, I just imagine Amsterdam. They have dismantled a botnet that comprised more than 17 million devices which is used basically for residential proxying or residential, you know, the service is called ASocks, which is a Russian based company, provides residential proxying services. They cater to, they pay me every month.
Ralph
They have like that little thing that you run on your computer, they have
Corey Ham
that laptop they shipped you and put in your garage.
Ralph
Yeah, they said it was for research.
Corey Ham
Yeah. So I guess, I mean these are, you know, often used for illicit or unethical purposes. DDoS attacks, botnet command and control servers, phishing operations, scraping. My question is, how bad do you have to get to get dismantled by the Netherlands police? Like how much DDoS was this IP space launching? It had to be a lot.
David
Yeah,
Corey Ham
because that's.
Wade
How much, how much is this?
Corey Ham
What do you mean how much?
Wade
How much as it won't even.
Corey Ham
Oh, you're saying like you want to buy the price.
Wade
It won't even tell me prices unless I log in.
Ralph
No, no, no. It said there's a price. I got it. Look, it's $15 a month.
Corey Ham
You can't afford it.
Ralph
Yeah, residential IP is only $5 per proxy a month and corporate is only 5. Those mobiles are really high up there
Corey Ham
because it's like it's really hard for
Ralph
organizations to block mobile IP addresses because they move them around. And additionally many of the ISPs use either IPv6 or carrier grade NAT. So like it's really hard to block.
Phil
Source code is on.
Ralph
I think you're going right for Bombas. Those are the top of the line. They don't last. No, no, no.
Corey Ham
Darn Tough, dude. Bombas are not even close. Darn Tough or nothing. Yeah. You don't wear socks. Get out of here.
Ralph
A socks.
Corey Ham
You're. You're a sock shoal because you're from Florida and you don't wear socks.
Ralph
Oh, my gosh. They have a G2 review for ASocks. Oh. And then they actually. Oh, they got kicked off.
Corey Ham
I will say this whole, like, socks, you know, the, like, residential proxying thing is kind of a dark horse because we use this service, not ASocks specifically, but we use residential proxying. They're all kind of mildly unethical. Like, I don't know. I. You know, you kind of have to have a service like this. But none of them are particularly above board. This one seems to be kind of the worst. But I don't know. It's Russia, yo.
Wade
It's good.
Corey Ham
That's true. It's legitimate or it's. It's realistic. It's what threat actors are using. That's why we use it.
Ralph
Yes, yes, exactly.
Corey Ham
We pay threat actors to use their
Ralph
service to pretend to be threat actors to protect threat actors.
Corey Ham
It's a. It's a loop. It's a loop.
Ralph
That really seems like it.
Corey Ham
All right, so any final articles? Shane or David, you guys have any articles you want to plug? We don't have any chicken news this week. I'm sorry, everyone.
David
I'm just told specifically there'd be chicken sacked.
Shane Hartman
I did. Did post one in our chat. That was real quick. It was one that was. There was a flight to, I think the Maldives where a kid decided to rename his Bluetooth device to "bomb." And it freaked out the. It broadcast to everybody on the. On the plane. They tried to get him to turn it off or tried to get. They didn't know who it was, so they kept. They told everybody on the plane to turn off their Bluetooth and he never did. So they had to turn around and go back to Newark, I think, because his phone said bomb on it as a.
Corey Ham
As.
Shane Hartman
As his Bluetooth name.
Ralph
So found out who did it.
Shane Hartman
Yeah, I think there were only a couple devices left, so they found them. Yeah, bars, I know, but kind of a crazy story.
Corey Ham
Can you imagine doubling down? How old is this kid? I want to know because this is some dumb. Like, this is like. Yeah, 12 year old level dumb.
Ralph
Yeah.
Corey Ham
Like,
David
what is the air crew thinking? It's like, oh, you have a bomb on the plane, but if you turn the Bluetooth off, please. So we just don't notice, it's gonna go.
Wade
I got. Like, come on. Like, it's literally just a Bluetooth.
Corey Ham
Like, it's seriously just one of those things where everyone is just rolling their eyes and being like, guys, can we please have nice things? And some kids just like, no, we can't have nice things. And I will be on the no fly list for the rest of my life because of how dumb I am.
Wade
I know.
Ralph
That's the wild part. Like, you know, we just talked about how GitHub can kick you off their platform for any reason, for whatever. Right? So can airlines. They can ban you for life on all the airlines, they do. You are not guaranteed a flight. No, there's no constitutional rights here.
Corey Ham
No. But I can't imagine doing this.
Ralph
Imagine living your life and never being able to take a plane ride again,
Corey Ham
but then also doubling down again and again. Right? Like, you know, they had, like, 10 chances to, like, you could just turn off your Bluetooth. No, I'm not gonna do that. Somehow I won't get caught. And then, like, of course, when they land the plane, everyone's going into quarantine. Like, you're not just gonna, like, okay, deboard everyone. Just throw your phones out the window. It's fine. Like, they're gonna make everyone. You know, they're gonna figure it out.
Ralph
Imagine when this kid gets older, he's like, hey, why can't trip. I'm kind of infamous for this thing a long time ago. I can't.
Corey Ham
You were Zero Cool.
Ralph
You were Zero Cool.
Corey Ham
No, he was bluefall. Bluetooth kid. Yikes.
Ralph
I did have one last one, and this one's really short. Not. Not a surprise, but it seems like a lot of ISPs are getting breached. Charter got breached by Shiny Hunters.
Corey Ham
Oh. Which is Charter for they have terrible security. All ISPs do from what I've experienced in my life. Yeah.
Ralph
Charter's one of the bigger ones in the United States. They cox. They own a bunch of other ones, so. Yeah, it affected a lot of people. Spectrum, I think, is another.
Corey Ham
Oh, yeah, they get breached every two years. I've been. My data has been breached in Spectrum like, five times. I'm not even joking.
Wade
I got so, so much lifelock, you won't believe.
Corey Ham
I've got so many Kroll identity monitoring subscriptions at this point. It's fantastic.
Ralph
You can stack them and get zero extra.
Corey Ham
Yeah. Yeah. So, okay, I do think we should plug David's tool. So David, tell us about your tool. Yeah, so it's to generate thread, it's to generate threat hunting data. That's what I understand.
David
It's called Evidence Forge and it's a tool that I released what I guess last week or maybe the end of the week before. And it's targeted toward, there's. It's targeted toward creating realistic sets of logs for simulated environments that don't exist. Like think of, you need to create some logs for a, to demonstrate how a piece of offensive technique works in a real environment. So you spin up a cloud service and you do Terraform to, to create all your sensors and all your Microsoft networks or your Windows or your Linux systems. And then you run the actual exploits through and you get all the data through. And you know, you spend a lot of time, a lot of, a lot of money and possibly requires for people for you guys, probably not as it's probably well within your expertise, but for a lot of people it's not. The idea with Evidence Forge is you get the same similar output, but you don't actually have to have a real network. You don't have real threat actors or real red teamers. You create a scenario in which it is all simulated and you get a set of up to 20 different types of logs that look like they all are, came from that simulated environment. They're all realistic, they all hang together. So if you see like one of the inputs is Zeek. So if you see a Zeek log for an HTTP transaction and then you go into the proxy log, you'll see the same proxy log has the same transaction in it that the Zeek log has. And if you see that that came from your computer, you should find the computer that it came from. And there's probably a process log from Windows Sysmon that showed that you ran the web browser that generated that. Right.
Corey Ham
That's really cool.
David
It's really neat. It's interesting because it has an AI assistant to help you create the scenario, define the environment and the attack that you want to run and everything. But once you do that, generating up to, you know, gigabytes potentially of data is all done by a script, no AI involved. So it was actually partly because I was trying to experiment with efficient ways of using AI, targeting AI where you actually need the AI rather than, you know, just have the AI do it all.
Corey Ham
Well, also it's nice when the script is deterministic and creates the same output every time instead of just I hallucinated a bunch of events in Windows. And you're going to go hunt for these?
David
Yeah, it blows randomness, but it's. Yeah, but it's seeded random and the seeds are in the config files. So it basically makes a YAML file for the scenario and you can regenerate the same data from the YAML file however many times you want, trade them with your friends like Pokemon cards, you know, all kinds of stuff.
Corey Ham
You know, I love it. I will say I have personally had clients ask me for this, to do this and I've actually spent time running fake pen tests in their like test environments to generate the sort of data. And so now I would just be like, oh, there's a script for this. Here you go.
David
Well, I'm sorry to tell you, I actually created this because I didn't want to pay for the equivalent of having a register of my data.
Corey Ham
I wouldn't either. So out of curiosity, does it make PCAPs or is it just event logs? It's.
David
It doesn't make PCAPs. That's a good idea, but far more involved. But it does. Windows system logs several of the types of events, but not every single type of event. But it does like processes, starts and Kerberos things and authentications and things. It also does a bunch of different Sysmon event types, does Linux syslogs, Cisco firewalls, Zeek and Snort. And it has a, it has an EDR that. It's not a specific brand of EDR. It's just a generic EDR capability. Mostly because I didn't have the right documentation to create real looking EDR for a specific product. So all kinds of stuff.
Corey Ham
That's awesome. My only other feature request is you got to make it export straight from backdoors and breaches. You play a game backdoors and breaches and then you just have the threat hunt to go along with it. That'd be pretty awesome.
David
Look, I'm a big fan of backdoors and breaches. I would totally love to do that. I bet I could do it right now actually if I had a backdoors and breaches scenario, I could probably just tell it the AI and be like, hey, here's my scenario. Go build me a data set for this. It probably would do it.
Corey Ham
All right, so final plugs. David is keynoting our threat hunting summit. I forget when it is, but Ryan knows because he's smart. And the date on the threat hunting summit is June 17th at 10am early for those Pacific time people. Get your coffee and get to David's talk. We also have Shane's training that he's doing on starting a threat hunt. Right?
Ralph
Yep.
Shane Hartman
In the dark.
Corey Ham
It's on the day.
Shane Hartman
Mine is I think at 1:30, I think on that day, Eastern time.
Corey Ham
And you. Do you have to have blackout curtains and make it dark in your office or can you just do it in daylight as well?
Shane Hartman
I think I could do it daylight as well.
Ralph
All right.
Corey Ham
Okay, cool. And then, Phil, you have a webcast this week, right?
Phil
Yeah, on this. This Wednesday actually. And I'm kind of in between a rock and a hard place because there's a tool I was going to drop that that goes along with the course, but.
Corey Ham
Spicy.
Phil
Yeah, it's a little too spicy. It's like too dangerous. Like, I don't know if I should release it because you could do like a lot of bad things with it.
Corey Ham
You should release it.
Wade
Release it. Release it.
Corey Ham
You have my official approval to release it.
Phil
All right. Yeah, I will. I was just like, oh, Nightmare Eclipse. I don't want to get Nightmare Eclipse.
Corey Ham
Yeah, you do. Yeah, well, you do because you actually have a job. Unlike them anyway. All right, what else we got? Anyone else have anything to plug? Wade, you have something to plug?
Wade
I see you. I. I am teaching on the 22nd. My Threat Intel 101 2-day course. That'll. That'll be fun. I just made it two days from one day, so I'm still working on the slides.
Corey Ham
Nice. Good to hear. Ralph, what are you plugging?
Ralph
Oh, yeah, I didn't really have anything to plug, but we do got another physical class coming up. So if you want to figure out how to actually go into a building and plug in USB drives, because that is something if you want to prepare.
Wade
Nation state level cyber force.
Ralph
If you want nation state level physical exploitation. Yeah, we got.
Corey Ham
That's awesome. When is that, ralph?
Ralph
Shoot, I have to look at the calendar here. I don't remember the date now.
David
Swear to God.
Corey Ham
What is it practical physical exploitation.gov?
Ralph
Yes, it is. It's physical exploit.com.
Corey Ham
physical exploit.com.
David
If we take your class and we graduate, do we automatically get a job with the silent ransomware group or do we have to apply?
Ralph
No, you still have to apply. But I do know a guy, so I can get you like, there's.
Wade
There's an affiliate email. You. You email the certification that Ralph gives you and then they'll contact you shortly
David
with just USB drives.
Corey Ham
We.
Ralph
We actually just had a class last week and we had 10 students in it. It was a lot of fun. So a lot of all Russian.
Corey Ham
Not a word of English was spoken.
Ralph
It's not important what their primary language is. It's important the skills that they learned. Which were the best.
Corey Ham
Awesome. All right, y'all, thank you for coming. I really appreciate it, especially David, Shane, Phil, thank you. We'll talk to you later. Bye, everyone.
Ralph
All right, later, guys.
Wade
Sam.
Host: Black Hills Information Security (Corey Ham)
Date: June 3, 2026
Theme: This episode covers a lively, in-depth discussion of current infosec news, with a heavy focus on emerging anti-tech sentiment—especially localized resistance to AI data centers, evolving cyberattack techniques (from USB drops to botnet takedowns), and reflections on the effectiveness and risks of new AI tools in offensive and defensive security.
The panel tackles the fresh emergence of "anti-tech extremism" in the U.S. and broader anxieties around data center expansion for AI. The group pivots into varied infosec headlines: the return of physical attacks like USB drops, novel AI vulnerabilities, the limitations of red teaming and threat hunting tooling, and the persistent dance between offensive/defensive research—and the controversial role of major platforms like GitHub. Sprinkled throughout are insights into the evolving role of AI for both attack and defense, plus the customary mix of jokes and war stories from the field.
Description: Federal law enforcement is warning about "AI anti-tech extremism" (13:04), spurred by intense local resistance to new AI data centers, particularly in rural or suburban areas.
Highlights:
Panel's Tone: Sharply critical of both federal/law enforcement framing (Wade: "This White House article is literally just propaganda." 17:02) and corporate efforts to push through projects without community input.
On Data Center Backlash:
"It's interesting because they're building data centers and taking away from these cities and towns... to then also build AI that then takes away their jobs too."
— Ralph (18:38)
On USB-based Attacks:
"Honestly, my question with this is... how does this criminal ecosystem work? Like, are they hiring people who actually think that they're helping people? Like, is it... a mule system?"
— Corey Ham (26:13)
On AI Security Tooling:
"It's not really the model. It's what tooling you wrap around it that is really the differentiator... On the defensive side, I'm not clear that... Mythos is going to move anything further."
— David (44:04)
On Microsoft’s Reaction to PoCs:
"The argument is pr. It looks bad for PR, but should they be there or not? Because somebody made a PoC?... You can see where this kind of gets muddy."
— Ralph (33:16)
On AI-induced Account Takeovers:
"It’s almost like if you had a red team that wasn’t replaced by AI, they would have caught this."
— Corey Ham (51:42)
Engaging, irreverent, but deeply insightful as panelists wrestle with the rapid evolution of threats, technology, and the recurring cycles of infosec conflict. Especially relevant for anyone tracking news at the intersection of AI, physical security, and cloud-scale operations. The episode is both a warning and a wink: the past keeps repeating, but the stakes and methods keep escalating.