A
Yeah, no, I was reading over the weekend about the whole Stack Overflow business, and absolutely, their interactions have tanked since OpenAI was released. But they. They sold out. They've sold their content, so they've got almost nothing in the way of interactions. But they're making bank because.
B
For now. But I mean, like, they're not going to continue to make that money forever. You know what I'm saying? Like, eventually they need more. You need, like, more questions being answered. And if they're not, then, you know, this kind of thing, the house of cards kind of crumbles. Right.
C
I don't see any. I don't see any sources for Stack Overflow being sold to OpenAI. No, it was sold.
A
They license their content.
D
I'll.
A
It was either. It was either 404 or it was MIT Tech Review. I'll have to. To look, you know, they have a partnership, but they're getting paid in the partnership. That's the point they're making.
C
Partnership means.
A
Yes, Zach, you can partner without getting paid.
D
Trust me, I've done that a lot.
B
Yeah. How did you get married?
D
Oh, man. Dude, you said it, not me.
C
If you're getting married and you're not getting paid, you're doing it wrong anyway.
B
Oh, see, that's how you 10 don't.
C
Forget to call into the BHIS podcast. And I just. I could just read Ralph's personal cell phone number on the air.
D
You could just leak John's number again, like he did that one time. Honestly, I thought it was a slow news week. I didn't see anything in the articles really. Like gra.
C
I didn't even get to scroll through the first freaking page of articles.
D
I went all the way down it. There's some cool AI stuff is.
C
There's not a lot of cyber security. There's a lot of, like, geopolitics policies.
D
Some cool privacy stuff. Right. But some scary privacy stuff further down.
C
Cool is an interesting term you got there.
D
The California privacy stuff is pretty cool, I think.
C
Yeah, it is, but that's like whack a mole, right?
D
Yeah, but at least someone's whacking the moles, right?
A
Data privacy is whack a mole.
C
We'll take one. We'll take one dead mole. Over a zero, I guess, right?
E
Exactly.
D
Nothing else. Nobody else said anything. Cool stuff.
C
No. The show's over.
D
There's no chicken.
C
Three minutes.
D
You guys can leave.
C
Welcome to Black Hills Information Security's Talking About News. It's January 12, 2026. We have all kinds of articles. Lots of geopolitics, lots of cryptocurrency, money laundering, Discord IPO. I can finally cash in on my three prime tokens, or whatever I have on Discord on the stock market. We've got articles and we've also got hosts. We have Ralph, who's. Who's here. We've got. And he's. He's branded himself a gator catcher, which I feel like it's more about chasing them than catching them.
B
I feel like you gotta catch them and then you gotta go release them into another lake and then it's like a circle of life thing right where they call you back.
C
Okay, okay, I see. I see we've got Braun.
F
How many times have you done this?
C
Yes, please explain. Please explain how much.
F
What's the most money you've made off of one? Gatorade.
B
I mean, it's pretty good. It's really easy too, by the way. All you do is play baby gator noises and they will come to you.
C
Oh, okay, that's a tip. That's a hot tip. We've got pen tester, AKA Cameron, who's painting her fireplace during the podcast, which so far is the most productive anything anyone's done on the podcast. We have Wade, and then we also have Dave. Dave. Dave and Cameron are here to plug their upcoming class about iOS hacking, or I guess iOS pen testing. Unfortunately, we don't have any iOS articles, so we'll just make up iOS articles as we go along.
G
Right?
C
It's fine. We have Ashling. We have. Is that everyone? Did I say Wade yet? Wade Wells, the legend. He probably is on like 75 podcasts by now. Like, how many podcasts are you actually on, Wade? Do you feel comfortable sharing that number?
D
Yeah, I guess I can share that number.
C
Is that like asking a lady your age?
D
I'm on three that are like weekly things, but, like, they get pre recorded and then one that's like every Friday sometimes if I wake up early enough. Five, four or five. Four or five. You know me like, I don't. I don't have a website. I don't do anything. I just do everybody else's thing.
E
That's.
D
It's the easiest way.
C
Same here. Having a website. What is this sponsored by Squarespace? Absolutely not. If this podcast is ever sponsored by Squarespace, we're all gonna shut down this company.
D
I was really trying to get us sponsored by Liquid Death, and they won't do it. I've been trying.
C
So you don't want to be sponsored liquid Liquid Death? All right, so let's get into it. Let's step straight into the political, like, oh, God. So, okay, I guess it's kind of a political article. I don't know. Basically, the word is that Trump is considering pardoning two individuals who got five years in prison, or I guess one year, one individual who got five years in prison for running a cryptocurrency mixer service. Basically, the. The service is called Samurai, I'm assuming is how it's pronounced, but there's a few. There's a few articles about this. Trump in a recent press conference, said that he's considering pardon. Pardoning this person. There's been nothing finalized about it. This article that Megan's scrolling through right now is talking about how when they seize this, when the Department of Justice seized this cryptocurrency wallet, they sold it, they liquidated it, like they do for all seized assets. But let's just imagine what a cryptocurrency mixing service would be used for. It probably would be used by nation states like North Korea, mainly to launder money. That's kind of the main issue with these services is that they're abused by nation states and criminals, but mostly nation states, I think. And so basically, it's like all the currency in this mixer, we're assuming, was nation state bad cash. So there's basically two things here. The first thing is, I mean, privacy versus money laundering. I think we all on this episode or on this show generally are pretty on the side of privacy, and we're going to talk a lot about some other privacy wins. But I guess, is there a limit to privacy? Like, should it be legal to run a bitcoin mixing service or any cryptocurrency mixing service? Because there's been a bunch of these over the years, and a lot of the people who run them have gone to jail because they're so easy to abuse, I guess. What, what do people think? Is it. Should this be pardoned?
Like, it seems like it's pretty cut and dry to me, but I don't know.
D
For me, for me, it kind of like, goes against the heart of, like, cryptocurrency. Well, like the ledger, right? Everything's supposed to be trackable. Everything's supposed to be able to, like, go back and see exactly how things were. So it's almost against the soul of bitcoin. At least that's the way I. I think of it. And of course, there's a criminal aspect of it as well, right? Like, is there a legitimate. This is also going into the privacy. I don't think there's like a real legitimate reason to have these. Besides hiding.
C
Yeah.
D
Because it is crypto currency. Right. Like you should be expected to be tracked because that's exactly what it's for.
C
I totally agree.
D
Yeah.
E
Like if you actually want a private transaction, that's not the way to do it. That's what use a different literal cash is for.
C
For that, I mean. But there are privacy. Well, to an extent, sure, yeah. Well, yeah. I mean, basically, there's essentially the. I think what Wade is saying. I want to put some words in your mouth here, Wade, but basically I'm comfortable with cash or Monero or any other thing that's like, let's call it pseudo anonymous. So it's not explicitly tied to my name, my credit card, my address. Right. Like, let's say I want to buy something online, but I don't want to provide the seller with all my personal information. I think that's totally fair. That's the equivalent of buying something in cash. If I buy something in cash, I don't. You don't know who I was, what my, you know, address is, any of that other stuff. But if I buy something with the credit card, that information's out there. I think from my perspective, it's okay to have pseudonymous cryptocurrency like Monero, where whose transactions are inherently private or masked in some way. But it's not a mixer, because the mixer is where you get into which if those, if you. For those that don't understand what a mixer is, it's essentially like an anonymizing service that I send in X amount of bitcoin and it comes back through a bunch of other transactions. Essentially. It really is just for anti money laundering like that. It really is just for that purpose. Like Tornado Cash was an old one. There's been a bunch of them over the years. It's essentially a way to mix your bitcoins in with other people so that no one can tell where they came from or who got them.
F
I mean, it's all public. Right.
E
It's transaction laundering. That is its entire purpose.
C
Yes.
G
And I do have.
E
Still, we can say we're laundering it because we don't want people to know who we are. Not because we got the money through some nefarious means. But end of the day, it is a laundering system. That's all it does.
B
Yeah.
G
So my question is, it looks like the law is related to they got them because they operated a business. Would this apply in like a co-op fashion if 10 people got together and there was no profit. Is that how the law was written?
C
So there was. Tornado Cash was set up like that. It was like basically just like a GitHub page. Like it wasn't really. There wasn't. I mean, there were developers. Right. But it was like essentially what happened was in the case of no one went to jail, but the government sanctioned or blacklisted the Tornado Cash protocol. Okay. So it was like the government was like, you can't use this. It's illegal for US citizens, residents and companies to use this protocol. The GitHub was shut down. They did arrest one of the developers, but I don't think the developer actually went to prison from my understanding. I guess. I don't know what. How that actually they. But yeah, basically they were charged and arrested. Oh, no. Yeah, I'm sorry, I'm catching up on the wiki. They were arrested essentially for facilitating this protocol. So I think even if you don't make money for it, bought from it, it's still illegal, I guess. Yeah.
D
Samurai, right? Was. Was conspiracy for money laundering as well as operating an unlicensed money. Money transmitting business.
C
Yes.
D
Which talk about a mouthful of a law.
C
But I feel like if it went to a jury, whatever, it's pretty easy to convince them. Like he wrote the code and then the code was used to launder money. Like, like it's not, you know, it shouldn't be like a crazy big logical leap for that.
D
Looking at this from like a different perspective any. Is anyone, like surprised that he's going to get pardoned? Like we already saw the one dude from the Silk Road get pardoned. Yeah, right.
B
Like this is like nuts too. I mean, like he.
D
Yeah.
B
I mean, according to.
C
Try to kill a guy. Yeah.
B
According to like actual court testimony. Right. And that he did try to hire someone to kill. Like, you know, it was. It wasn't.
C
Yeah. People asked if Tracers in the Dark goes into crypto washing. Yes, it does. That's like half the book.
A
Okay, well, here's, here's another issue though, though. Executive orders are not law, period.
C
This isn't an executive order. Oh, you're talking about him violating it.
A
Yeah, the, the, the articles are talking about the fact that the Department of Justice is violating an executive order and executive orders are not law, period.
C
I mean, it would violate sanctions too. Right? It's probably.
A
It does violate sanctions. So, so okay, if the. There are probably other laws involved. And this is where I'm, I'm crypto ignorant. I mean, I own some bitcoin mainly just for the giggle factor, but I don't really know anything about it, but when it comes to the issue of gee, USMS has sold forfeited bitcoin and it's violating an executive order. Like I said, an executive order isn't law. Laws are passed by Congress.
C
Yeah, I mean, so I mean, basically. Yeah, I mean, I think the, to me, the executive order violation isn't really the story here. The story is the general. Like essentially for me, it's crazy that. Or interesting to talk about that the government would be like, money laundering is fine. That's basically what they'd be tell that if they, if they pardon this person. They're basically saying running a money laundering business is fine as long as it's done with crypto. Because we like crypto.
B
Yeah. This is, this is actually counter to everything the federal government has done. Typically when you want to go after crime, you'll go after the money laundering. That has to occur in that.
D
Yeah.
B
The profiteering or taxes.
C
Yeah.
A
They've seized assets obtained in whatever laundering in order to.
B
Exactly. Because what happens is once you seize those assets, this is a way to stop this criminal enterprise. Because what the criminal enterprise has to do after that is have to prove. Right. That that money was not used or that money did not come from illicit activity. So to do that is like a whole thing. And most people just let the money go.
C
Yeah, yeah. I mean basically the government has a long history of prosecuting.
B
Yes.
C
Illegal businesses through business laws like taxes and you know, money laundering regulations and things.
B
We can't catch you like selling the drugs, but we know that you are getting the proceeds from that and that's how they work it out.
D
Once again, going back to Tracers in the dark, right. Where the tax man is the one who everybody at the end of the day.
C
Yeah, exactly. Basically the like from my perspective on this is that if this, if this pardon happens, I, that to me is against the interests of the executive branch that would pardon it. It's like nation state North Korea. You can buy your missiles with money laundered date like that. That's basically what they're saying. I don't get that. That's crazy.
F
Does the value of Trump coin go up if they do get pardoned?
C
Good question. We don't know.
D
I don't know.
C
I don't have.
D
Cameron, if you had to hack someone's iPhone, how would you. To get their cryptocurrency wallet? How would you do.
F
So I'd make a bunch of money and employ the NSO group.
C
All right, good answer.
D
All Right, well, that didn't work.
E
Yeah.
C
Okay, so nice.
A
Attempted a segue, though. Wade.
C
Thank you. Thank you. Yeah, let's. Let's step out of. Let's step out of political space real quick and talk about. I guess it's still politics, but politics around Italy and Cloudflare and a more interesting, kind of an interesting story, politics. I really hope so. Okay, this here's the article. The article is, Cloudflare won't censor. Basically, Italy fined Cloudflare 14 million euros. And Cloudflare was like, no, this is ridiculous. Which reading into it, I do think that it is ridiculous. Essentially the. For those that understand this is about. I don't understand all like the Italian, like, like, like mobster politics of all this. Like, I really don't. Like, there's a lot of, like, shady European stuff happening here that I do not understand. But basically Italy dropped a bomb on. Cloudflare was like, you need to censor all these sports piracy websites. And Cloudflare was like, okay, we don't have the ability to do that and won't do that because you just gave. It's essentially them sending a list of IPs to Cloudflare and saying, don't resolve these IPs, which is like, for obvious reasons, can just break the whole Internet. Right? Like, there's so many reasons not to do this. Like, I think the funniest part of this is, of course it has like that Italian mobster thing where it's like, it's about live sports. So it's a bunch of like shady European, like FIFA corrupt type people being like, they're, they're pirating the sports. They. But they gotta pay us. And it is funny that, like, even the EU is like, this scheme is concerning this, you know, quasi court order that isn't a real court order thing is weird. It's like, it's so Italian. I love it.
D
Do you think somewhere out there, like, big DNS is getting together in order to fight this?
B
Big DNS.
D
They're just a part of it. Right. Like, they mentioned Google too. Right. So there's some other DNS providers.
F
Hold on.
B
But the DNS is democratized, right. It's not like, controlled by one entity. Those are just entities that have large presences in that who can be sued.
D
Or who can go to lawsuits for a large amount of money.
B
Yeah. But you can always still just go to a different, different resolver to get the same.
C
And it's recursive. So, like, what you. You block it all the way down. Cloudflare could Just say, I don't know, find another DNS server. And then it would still work.
B
The root DNS servers anyways. They're not, they don't own that. They're just reproducing that information. Yeah, so they're not in control of. I mean, they're not.
F
I can't.
B
Right.
C
I like the idea. Okay, here's the most Italian possible response to this. Cloudflare figures out the ENT where they're coming from and then just black holes them only for that entity. So they can't tell if it's fixed or not. Be like, our DNS, our DNS is down. We'll email you back once the DNS comes back. And it just never comes back.
B
I read like a whole Reddit thread on this and like kind of the TLDR of like some of the opinions was that, you know, this is just a way to offload the risk onto Cloudflare. And the reason why they all want to do that is because it's like a simple, easy scapegoat as opposed to implementing what would be a significant network policies to try to block this. And essentially you start going down this rabbit hole and next thing you know it's like the great firewall of China. And even you still don't block everything, so. And they don't, they don't have the money to do that. So it's way easier to just be like, hey, well, Cloudflare, you block it, then it's your fault. Right?
C
Yeah, totally. I really want to, like, I want a dramatized adaptation of like the sports bosses in like their super tight suits smoking a cigarette with an espresso and being like, we gotta kill these piracy sites. And then some intern is like, but it's hard. And they're like, you gotta do it. And he's like, what if we just fine them instead? Fine them $14 million. All right, you have a deal, capiche? Or whatever. Like it's just like, like this like mobster style deal. Because yeah, you're right. Blocking DNS, like, okay, we all know the best response to piracy is just to make it easier and cheaper for legitimate users, right? Like that's the way to fix piracy. Don't try to prevent piracy. It's not going to work. There's always going to be a way around it. It's the Internet. Instead, just make it easier to stream whatever, I don't know, Italian curling or whatever. I don't know exactly what sports are trying to prevent streaming, but yeah, I.
D
Mean, it's going to be did you? Like, we didn't even mention the time frame in which they want this to be blocked.
C
30 minutes, dude.
D
30 minutes, right.
C
They want to block a Global block within 30 minutes. Oh, man. Can you imagine having the.
D
Yeah, I just think of working at a data center when we used to tell people to put in, like, any type of DNS to be like, yeah, it's going to take two days to resolve. Yeah, right, right.
C
Yeah, yeah. Time to live record, dude. How many. What percentage of the Internet has TTLs at 30 minutes or less? That's a tiny percentage, right? Like, most DNS servers are way slower than that.
D
Anyway, the law after this is going to be everyone has to set their.
C
TTLs to 30 minutes, 30 minutes or less, 29 minutes.
B
So the other thing too is that. And just to kind of close it out, it's like as soon as you open up this can of worms and then like, Cloudflare blocks certain things and like all this other stuff. Now, next thing you know, nobody wants to use Cloudflare anymore because it's kind of like the filtered version of the Internet, right? So then just another DNS pops up and they do the same thing. And, you know, now it's just whack a molecule, so.
C
Exactly.
B
And into Cloudflare's defense, they're not hosting anything. All they're doing is just records of IP addresses. What happens in there that's on them, not on Cloudflare.
C
Well, hold on. I would argue. I don't know if this is a hot take or not, but I think controlling a DNS server is potentially the best data collection you could possibly get on the Internet. Maybe browsing, like, maybe you could get better data from a search engine. But I think the data flowing, the amount of data flowing through a DNS resolver and the amount that you could profit from it is pretty significant. Like, who's resolving what from where is a huge. Like, that's a huge profit center. So they are running the service and they are profiting immensely from it, I would imagine.
D
But.
C
Yeah, well, do this too. Right?
B
Yeah. Anybody can. This is not special.
A
There is another really good issue raised by the Ars Technica article, is that if an IP address is filtered inappropriately, then legitimate stuff goes down. I mean, they were talking about how they took down Google Drive.
C
Yeah. Because you can pirate things on Google Drive.
D
Yeah.
A
People do it all the time. So, I mean, I understand why it got flagged, but then you wind up taking down all of Google Drive just because of a few kids who are misbehaving.
C
Yes it is. It is seriously just throwing out the baby with the bathwater. But the Internet version of that, it's like if you block also like what percentage of the Internet is just Cloudflare IPs. You're just gonna. They're asking them to block themselves across the whole Internet.
B
Like.
C
Anyway, moving on. This is probably gonna get. It's. It's a nothing burger. This is probably not. It is interesting to think about, but there's no way this could ever get implemented at. On a legitimate. Like on. This is never not happening. It just isn't technically feasible. Speaking of whack a mole, let's talk about California banning a data broker. This is for me, this is a privacy win. Wade, do you want to run through this one?
D
Let me find it real quick. Where is it?
C
Data masters pretty much cool. But sadly, where is it?
D
Throw someone throw me the link. From what I remember, pretty much there's a new. California has been going pretty hard on data brokers recently. If you didn't know, they actually came out with a program where you can actually request it in California and they will then go out and request you to be removed from all the data brokers, which is amazing. It also had a really cool acronym. I don't remember what it was.
A
Yeah, DROP is. Is the new online platform, Delete Request and Opt-out Platform. And I already, I live in California. I already signed up for it form super easy to use. And you know, it's. It's nice that somebody is looking out for the privacy of individuals because big tech certainly isn't. And it, it's going to be interesting to see how effective this is because data brokers are worse than Tribbles. They. They multiply all over the place. And I, I already am using services to pull my data from data brokers. So it's going to be interesting to see how much this new agency and this new program is going to impact steps that I've already taken. And you know, I get the monthly reports X number hundred data brokers have been requested to remove my data from their system.
C
So is this going to turn into like the same system we use for taxes where Incogni and all these DeleteMe services are lobbying against these.
D
So that's exactly what I thought. That is exactly what I thought.
C
They're like, no, you can't have a government agency that does the thing that we also do.
D
Right?
C
No. One thing to think about, obviously the.
D
Sign up for this though is live. But the services, from what I read, don't go live for another six months. Did you read that somewhere too, Bronwyn?
A
Correct.
D
Yeah.
C
Six months.
D
Bronwyn. What, what, what prevents a non Californian from signing up for this?
A
You have to enter address information. It has to be verified with documents.
D
Okay, so if anybody wants to live in California, here's my note.
A
So basically, yeah, you'd have to commit fraud in order to sign up for it.
C
But maybe it's okay.
D
Trump pardons those people. We'll be fine.
A
One of the things we've seen though when it comes to privacy legislation is that California does tend to be one of the forerunners and other states tend to follow. We saw that with CCPA.
C
And every building in my state now causes cancer. Thanks. California ruined everything I had.
D
If you ever go to a Daiso, everything has lead. Don't go to.
C
I mean, you're not wrong, Bronwyn, for sure that like this is one of those things of like if you have to make a policy for the U.S. and you have it, you want it to apply to everyone. This is like there's 50 million people or whatever that live in California, so you might as well just lump them all in with that.
D
So the go into this article though, like we kind of like went around it. So the California Privacy Protection Agency announced that they're hitting a company in Texas which. What was it? Rick and Rick Becker Data llc. I feel like it. Maybe it's one of those lower level data brokers that I've never heard. Who knows? Rickenbacker? Yeah, dude, that just shows you my reading level.
C
I thought they said it was Data Masters.
D
Was it?
C
Oh, they were operating as. Data Masters is a sick name. I'm sad that's a way better name.
D
That's not even Change that llc.
A
Here's the thing about these laws, even though they technically only apply to California residents, if I'm interacting with a company based in Texas or I'm still a California resident, so that company in Texas has to obey California law because I'm a California resident.
C
For anyone wondering what, you know, what this company did, Basically they bought and resold user information with people suffering from medical conditions so it could be used for targeted advertising, which is like just nasty to begin with. We heard your. We heard your leg hurts. Here's some painkillers.
A
Or like we heard you've got Alzheimer's. Here. Click this button to get.
C
All the links are already purple. Are you scared? No. Yeah, for sure. It's bad. So this is a win, I think. I mean a lot of states will probably follow suit. I Don't know about setting up their own system. I kind of hope they don't because it'll just have SQL injection. But absolutely for sure it's, it's going to be a thing. So what else we got? I think the other big story, which isn't really a cybersecurity story, but maybe Dave and Cameron, you could chime in on this. Siri has, I guess now that I say this, all my devices light up. I'm so sorry everyone. Yeah, the S word that will not. The Apple assistant maybe is getting thrown in the garbage because the news article is essentially that Apple is teaming up with Google. So Apple announced today, earlier today that they're going to team up with Google to use Gemini models to AI power the S words. S I R I I was reading.
B
Though that they're still going, Apple hardware that they built, they're just going to use the models from Gemini like on there.
C
But they already had kind of a deal for OpenAI, right? They already had.
B
Yeah. I don't know, maybe is this like a, like a, like a pump move for like the stock? Right. I don't know.
C
I don't know. But these two companies, Apple and Google have done a lot of battling over the years for sure. So it's interesting to see them teaming up in this way. Basically they're starting a multi year partnership. I think this is in my, from my perspective, if we're looking at like a high level business perspective, Apple needs this. They need to win. They need to be able to give an AI win.
B
Yeah.
C
Because this isn't their window.
D
That's the thing. Right.
C
Like, but it doesn't matter. I'm saying it doesn't matter.
B
Like you don't care where the AI actually comes from. You just want to use the damn thing. Okay.
C
It's getting to the point where. Well that's fair.
F
It's getting to the point AI agent.
C
Used to Gemini which is. Yes. It's basically unifying. It's basically unifying what AI agent you would get on mobile. I guess if you think about it like that.
B
Well yeah, maybe in the background but like if they are running on their own hardware though they could still modify things. They're not necessarily beholden to what Google did. I think they're just buying or excuse me, licensing the models. Like so they're not training them. They're not going to train.
G
And I forget the source where I read this but Gemini is, I forget where I read it but it's the, like the consumer level. So like the basis of it was the theory was Google had created the search and they made it affordable and like consumer friendly and that Gemini is trending that way. So there's a lot more rush I'm hearing. I'm seeing a lot better things out of Gemini now. So I think it's a good move overall.
B
Yeah, I mean so there's, there's pretty much three main players right now and I'm not going to say X.
C
Frontier models. Yeah, there's like three assistants or models models.
B
Like three frontier models. Right. There are, there are many other models but I'm just thinking like from the AI perspective. So one is the OpenAI's model and like they're, they have a bunch of different models inside of that but OpenAI has some pretty frontier models meaning like the top end most powerful models. And then Google has the other ones with Gemini which they have a couple different flavors of it and they are frontier models. They are very, very smart at doing a lot of stuff.
D
Stuff.
B
And then the last one is, is Claude. Right. And they are from. Yeah, Claude, which is. Yeah. Ran by the company Anthropic and they have frontier models as well. And then kind of the last like one on there which I'm gonna half mention but mostly because it only gets mentioned in like bad things right now. No X and the.
C
Oh Grok.
A
Right.
C
I mean there's a bunch, a lot of people are gunning for a frontier model. But the reality is training a frontier model is like the most expensive thing on the planet you can do. And also the other thing here that's. I think if I was Apple, this move makes sense. Maybe not from an optics perspective because Google is my enemy, but also because Google is potentially the long term. Pick the other. If you think about it, of all the companies that are making frontier models, Google's the only one that is making money. If you actually think about it like OpenAI and Anthropic are both like give us money so we can train our AI models or else we're going to go belly up.
B
Google is two fun things about OpenAI. Not OpenAI. I'm sorry, Anthropic. They actually use Google GCP to run a lot of their training. Right. So they're like paying Google and they actually have partnerships with Google even though it is their model. Right. I mean the hardware is a thing and then the model you use is another thing. Right. And you can rent those, you know, to make it happen. But you're right, Corey, it's a really expensive to train them and they're Also, none of them are making money right now. Right. Even though Anthropic argues that they're definitely in that, like a much higher profitability than OpenAI, who's literally taking truckloads of money jumping it into data centers to train models that none of which are paying.
C
And there's continue coming to farmland near.
E
You, and we burn out the chips that they bought to do it with.
B
What's up?
C
Yeah.
E
Oh, most of the data center cost is getting sunk into chips that get burned out in the process of actually training the frontier models.
B
Yeah. And once the models.
E
Those boards are not usable again, they're not resellable, they're shot.
B
Yeah, yeah.
C
But anyhow, No, I can use it to play Roblox. It's fine.
D
I was about to say, when all these data centers go up, what are we going to use them for? Like. Like, it's going to be like, like Walmarts disappear and stuff and they just leave these big empty buildings.
C
Right? Password, dude. Imagine the password cracking. You could do every password.
B
Your password. I don't.
D
We don't. We don't talk about passwords. All right.
C
Just like a pedophile, dude. Okay, here's what happens. All right? Here's what happened last year. I have a plan, dude. Wade, get me the. Get me your CEO on the phone. Okay, here's what's going to happen. The Wade's employer, who is not going to be named, buys an entire data center and then just cracks every password ever and then just says, here's why you need our service, because we just blocked every password.
D
Oh, my God, it's genius. I love it.
C
I know. That's why I do consulting on the side anyway. No, I'm just kidding. This is a joke. This is a terrible idea.
B
And actually, to follow up, CES was just. Was it last week? Right?
C
Yeah.
B
Yeah. And so one of the things announced at CES was Nvidia took the stage and they announced their latest generation of AI.
C
It's all AI, which is ironic because it's supposed to be consumer electronics. They're like, oh, by the way, consumers. We're going to remake the RTX 3060 anyway back to AI.
B
Yes. But one of the things that they did mention on there is like, the power consumption, like, going, you know, and. Yeah, whatever. It's all about AI.
D
And, you know, Is that where they mentioned the Palantir stuff, too? I don't think that we have an article about that.
C
Oh, no, Please hit us with an article that we don't have.
D
What you got. I was watching Gamers Nexus and they came out with a thing because watching ces. So Gamers Nexus came was talking about how Nvidia just announced that they are going to make everything Palantir faster. Palantir is pretty much like nation state level spying on individuals and military, military industrial complex. So there's like some scariness behind that and then they go into it. But the funny part is Palantir actually like commented back to Gamers Nexus about the situation.
C
They're like, we're talking about YouTube. We are dispensing a spy bot with real time kill location.
D
Yeah, that was it. Yeah. And then literally like there's other articles where it's like the Palantir president Palantir is like, yeah, so our stuff kills people sometimes. I don't know what to tell you.
C
It happens.
B
It is what it is. You never know.
C
AI is never wrong. It'll be fine.
D
Never. Never.
C
Yeah.
B
Just like humans.
C
The Peter Thiel. All right, this has been a dark episode. Does anyone have any.
D
Fault?
C
Anyone?
D
It was. You always gets talking about AI.
A
Stories.
F
So.
C
All right, let's get darker then. This is a pretty. I think it's a good thing to remind people about in general. But there's a LinkedIn post that we have in here as a news article that's basically people are using rage bait as a phishing tactic. So this is a post by Simo Cohonen. I don't. I'm sorry if I mispronounced your name Simo, but basically this is a fun example phish where someone is impersonating SendGrid and they are sending out an email that says we will be adding a "Support ICE" donation button to the footer of every email. And then they're just hoping that people click on the opt out link. Right. That's the phishing tactic. So I think it's good to remind people in this dark time that people will try to rage bait you into clicking something you shouldn't. In addition to trying to be like here's a free iPad or whatever. The positive side of phishing, there's also the negative side of phishing, which is bait like that. So be on the lookout for that. That's a uniquely, I think mean one. And like definitely would be out of scope for pen testing. Like our clients would be very upset if we did that. But yeah, like you're gonna see threat actors. Those are the rules that they don't have to follow. Right. They don't have to be ethical and be reasonable. So just be on the lookout for that kind of stuff.
A
And they aren't. They aren't, they aren't.
C
News is. You know, honestly, Bronwyn, they might even be criminals.
B
Oh my gosh.
F
What?
D
No way.
A
Breaking news, an email saying you need to do blah, blah, blah with your account on this. If I actually have an account with that organization, I pop open a different browser and I go directly to the organization. I do not click any links.
C
So because you're smart speaking, you should be, you should have be on a podcast.
B
Anyway, speaking of criminals. Right. What about the data breach of a major dark web forum?
D
Yes.
C
Yeah. Speaking of criminal.
B
Dark web forum is of cyber criminals.
F
Yeah.
C
Okay, so, yeah, so this is, what is it called? Called Doomsday. Doomsday, yeah. Yeah. So basically a data breach finally became, you know, this is not the first time and it won't be the last. There's been, I, I swear, like, if you go on a breach site and you look for breach sites, like, I think RAID forums got breached like seven times. Oh, dude.
B
I mean, I, I, I swear to God, I feel like it's a joke. They're like, we make it so we can breach it and then we can sell our own breach and then we make another site selling the breach.
C
It's like, it's like turtles all the way down. They're just getting breached. Just publish. Selling their own breach. Yeah. Basically Doomsday, which apparently is a dark web forum, I don't keep track of these. The only one I really keep track of is breach forums, which is like the worst one. But basically the ironic part of this is there's 300,000 users. 70,000 of those apparently are linked to traceable IPs. I don't know how traceable. Like, you know, it could be a botnet, it could be a Starbucks. Like, who knows exactly what it is? But this data will definitely be hopefully provided to law enforcement and then they'll dig in. It's a good way to figure out who's who and kind of get a good dossier of threat actors. At the end of the day, though, I mean, these sites have gotten breached every year. I've been in these breaches for the accounts that I used to collect from these sites.
D
I was about to say, do you collect this breach to put in your collection?
C
Like, I do. Do I do. I absolutely do. I mean, this is like could give you, if you're doing an incident response, this could give you super valuable information.
B
Of like, I heard it was like, like 30,000 IPs from Starbucks.
C
Yeah, right. Like Great.
B
Great.
C
Who knows how traceable is. You would hope it's misinformation. You would. I mean opsec though. We've seen every criminal gets caught has OPSEC fails in the. In the mix somewhere. Right. They're gonna mess up at some point.
E
I'll note that if they didn't have OPSEC fails we wouldn't have caught them.
C
That is it. That is true.
E
What few criminals have good OPSEC are the ones who are still out there.
C
That is. That is true. Speaking. We've seen a lot of high profile people get caught from bad OPSEC is I guess a better way to put it.
D
Did you see the Huntress article about the VM escape stuff?
C
No.
B
No.
C
Tell me more.
E
I think I saw the headline. That was it.
D
Someone else sent me this. Right?
C
Esxi?
D
Yeah.
C
Is this the Ghost VM thing?
D
I don't remember if it's the Ghost VM thing but I know there's a really easy detection for that. Pretty much they got in through a SonicWall, like that was the first vulnerability. But then they had been sitting on this vulnerability in ESXi for, they think, over a year, a zero day. In order to pretty much bypass and go bypass host isolation. Right. It's a hypervisor vulnerability that allows attacker to break out of the actual guest VM and just compromise everything.
C
Which is crazy. That is.
B
Does it use the virtual or the VMware tools to. To break out? Is. Is that how it does that?
D
That's a better question. But I don't even know. I'm guessing it does because it's some vulnerability in it. But one of the. So because we were talking about opsec, that's what brought me onto this is which is one of like the key detections I try to write whenever I go. Is looking across all of your logs for any host name that doesn't match your naming schema. Because there's always someone who gets in who doesn't have one and it's a key indicator of something that doesn't belong. And that's actually like one of the things they caught in this particular breach was the name of the actual host that was attacking them. Which always. Great stuff.
C
Yeah. So basically getting into the details of the exploit they don't know. They don't 100% know what CVEs or whatever was used. But they say high confidence. Those are the ones. There's three CVEs listed in the post that are like these are all from 2025 by the way. So patch your ESX. I know companies struggle with this and I understand why, but please patch your ESX basically, or just don't use it. Proxmox is pretty good, but basically the vulnerabilities are out-of-bounds read in HDFS, which. HDFS is the file system that ESXi uses. So it's a memory leak in HDFS, there's also a TOCTOU, which. What is that? Time of use or something. I don't know what that actually means. VMCI out of bounds. Right. Okay. And then arbitrary write in ESXi. So it's like three CVEs chained together. That's pretty crazy. But the good news is all you have to do is patch your ESXi and you're good.
D
Oh, that's it?
C
Yeah.
D
You say ESX like proxmox is right there. Dude. Like proxmox is so confusing sometimes. Like, I just feel like the UI is.
C
Dude, have you used ESXi?
D
I have. And it was just so much like the names for things make sense. Like, I'm like, yeah, that's where that should be. And then like, I go to Proxmox and I'm like diving into like four folders and I'm like, all right. And I still can't remote into this box. What's going on?
C
Okay, that is.
D
That is without a doubt.
C
Yeah. But sec. I do think there is a significant amount of. The amount of inertia with ESX is super hot. Like the number of administrators and IT people who got certifications in ESXi and know how to use it. Like, you can't just be like, we're turning off all our VMs and we're going to switch to Proxmox overnight. Like, that's a long process. I mean, we talked about it on the news a couple or maybe a month ago of. I forget the company, but I think it's a financial company that was suing Broadcom because they were taking away support. It's like a class action lawsuit again about ESXi. So, like, it's. Yeah, it's a hot issue right now, but definitely patch your ESXi. And it is an interesting threat intel thing. So basically they broke out of the VM, got control over ESXi, then created another VM to use for post exploitation.
D
Let me see. I think they.
B
No, no, they compromised the underlying ESXi.
D
Correct.
C
So they popped ESXi server. But then I guess I'm like the.
D
Remote, the shell in leaked the host name somewhere.
C
Oh, I see, I see.
D
Which is super common. Like more common than you'd expect. Especially within a Windows network.
C
No, it's super common. We've gotten popped on that many times of like, hey, someone's in the host name. Kali. Like that's his.
D
I've had it where like the, the tester used their handle as the host name. And then we just went and looked them up and found them. And I'm like, all right, now we know who's, who's testing us.
C
Turns out pen testers also have bad opsec.
D
Yeah.
C
Which. Okay. Companies that get mad at this. Guess what? We're just being realistic because criminals have bad opsec too. Okay. That's what, that's what we're doing. It's all a strategy.
A
But also in a pen test, you're legitimately in the space and we kind of want their internal people to find us.
C
Yeah, for sure. I think if you're a. I think if you're. The goal of a pen test is to get caught. Maybe not on day one, but for sure you should be getting caught at some point.
F
Yeah.
A
If you're, if you're getting DA in an hour, then there's something definitely wrong. We want to get caught. We don't want.
C
So what else we got? There's a couple articles about AI and HIPAA and healthcare. I don't know if we want to. This is like kind of a regulatory question I don't really understand. But basically both Anthropic and ChatGPT OpenAI have both said that they're going to make healthcare oriented solutions that are commercially available. I don't really know if this is. I don't even know how this is possible. Like, I don't. I'm not a HIPAA expert, but it seems kind of. Is this just like govcloud? It's like, it's like it's fine because we say it's fine. Okay, sounds good.
B
Don't talk back.
C
There's a couple articles. I'll link them here just in case anyone's interested. But both Anthropic. Here's the article about Anthropic bringing a HIPAA ready enterprise. You know, chatbots and OpenAI has something that's basically exactly the same.
F
So we don't really need these at all because we already have technology that handles HIPAA data extremely poorly. And that is mobile applications.
B
Right?
C
That's probably true. Yeah.
F
Dave, you want to talk about mobile applications?
C
Yes, please tell us, tell us some war stories from testing HIPAA mobile application.
G
Yeah, don't just keep medical off a phone, just unintended places where data will write and just what? Just not using the native default features, it can get pretty ugly. So my advice is in the browser if you have to do it online.
C
Yeah. Or in your AI chatbot.
G
Or in your AI chatbot, absolutely.
F
So I legitimately once had a mobile application that was connecting to an API and to log into the mobile app you entered a four digit pin and so I figured that would go into the keychain and be used to decrypt some kind of long lived session token that would then be used for authentication. But no, it was just a username and four digit PIN code going to the server to access patient accounts.
C
Clear text. Well no one could choose 1, 2, 3, 4.
B
We just actually put together a mobile application from scratch on Android and yeah, so I know exactly what you're talking about as far as how to secure, secure or like the security of mobile applications. A lot of it actually has to do with Google itself. Like Google has access to all kinds of things, you know, on the device and how you configure that. You know we're actually using what do you call it, the GrapheneOS, which de-Googles the entire operating system while also not while creating complete host isolation containers so you can like run other things like Google store in an isolated container so it's not even actually connected to the, to the underlying Android operating system and that like from a non isolated standpoint. But I think it really just comes down to as far as the applications themselves comes down to developers want to make it as fast as possible. Screw security, I need to sell and you know, let's just move on to the next thing. Right?
C
Yeah.
F
Speaking of, someone built an app like that and wants to learn how to test it, where would they go?
B
What's up?
C
Can't help you there. They'd ask AI how to do it? No, they would take your class. You can plug it later.
D
Oh, oh no, no, no.
B
We actually have an app called Atlas and it's actually for pen testing, physical pen testing and it allows you to actually hook up to the Proxmark with Bluetooth now directly the only, actually I think it's the only mobile device that allows you to hook the Proxmark directly over Bluetooth and you can read card data, write card data, do all kinds of fun stuff on that there. You can also do Rick reporting. It'll. It'll show you where flock cameras are. It'll show you where other like OSINT data and everything's encrypted at rest on the device at full time. Yeah. Anyways, so it's I only.
C
I only use AI.
B
Sorry, you only use AI for what?
C
I only. I only use AI, dude, if it doesn't have AI chatbot, I don't even know.
B
It does not have any AI chatbots. It doesn't have.
C
Dude, you know. Okay, this is a side tangent, but my. The weather app that I use, it has like an AI function and it's so stupid. I love it. Like, it's just like a really. It uses the on device. Like it's on device only and it's just an AI chatbot that's set to be like as salty as possible. And it's just like it's raining again F you and you're just like, thanks for this chat interface. That's super useful. Anyway, let's talk about N8N. It's not naten, but I. I saw that.
D
I don't even know.
C
Yeah, so there have been, I mean, like a countless number of CVE 10 or CVE 9.8 vulnerabilities in N8N. We've actually only had one client to publicly expose their N8N. But in general, this is the most recent one. It's called Ni8mare, which allows people to take control over a locally deployed N8N instance. It got a 10 out of 10 severity. And according to data security company Cyera, there are more than a hundred thousand public vulnerable servers. For those who don't know what it is, it's just a tool that connects a bunch of AI things together. So you could have it run one command and one module and one model and then send that data to OpenAI and then pull it back down and then send it back to Claude. It's essentially a way to connect together a bunch of AI services. Honestly, it's really cool and I highly recommend you download it and mess around with it, but. But definitely make sure you keep this up to date because N8N has had a ton of vulnerabilities. It turns out making a framework that just runs code and models is a vulnerable framework by design. So this is yet another one.
B
It's been out for a long time. Like it's been out for a while. Way before actual the AI was even a thing. Right? Because you were like, I just take this task task and then I'll do this next. And like you just make like, you know, a task sheet of things you.
C
Want to do, like automate, like ifttt. But self hosted.
B
Yeah, exactly, exactly. And so, but as soon as you turn the AI piece now you could do like. Well then I asked The AI to do that and then it does this and then you. Next thing you know, your rabbit hole is, you know. Yeah, pretty, pretty.
C
So patch your N8Ns. Honestly, you probably forgot you even had it out there. So just delete it and start over.
B
Just start over again. Just get a new version night.
C
But the other thing, the other reason why the N8N stuff is really bad is because someone's at the door.
B
Definitely at the door.
C
But basically you someone. Robin's like, I don't have any doors.
B
I don't have any door. I've got like six in my office.
D
I was about to say, Rob's got like seven doors.
C
Real fake doors. Real fake doors. Basically N8N, you also give it a bunch of keys. That's the other reason why it's bad. But ironically, like, if you read the blog post for Ni8mare, like the last step is just create an N8N task to run a shell command. Like, that's where, like, it has that capability. So that's why it's such a vulnerable service. Like one of the things you would do with the service is run a shell command. So like, yes. Turns out when that's one of the options in the tool, compromising the web UI has some impact.
B
Yes. Yeah, it's. It's still cool. It's still kind of a cool tool, though.
C
So the last article I want to bring up, which, this is something that hit me in my personal life, people were asking about it, Instagram breach, I guess.
B
And it was an insta breach.
C
Yeah. Like, so, so basically here's the article. It's essentially that people are phishing with previously leaked information. So people are sending out. This happened in 2024, I guess. But basically people are sending out password reset reminders and then using them as phishing. Apparently someone's estimated that it could impact up to 17.5 million Instagram accounts. I don't know where that number came from, but I'm like, that's a lot of phishes.
B
So I think they, they scraped an API to get all this data and then now they're using all of it to send out phishing. Right?
C
Yeah, but like the, the upshot of it is like, use two factor and. And don't get phished.
D
So it's like the upside is don't use Instagram. Get off also.
C
Well, okay, that's. That's even better. That's. That's the next. That's like the next level.
A
I actually, I actually removed both Facebook and LinkedIn and a couple of other social media apps from My phone.
E
You're following, Jeff.
A
I am. I am detoxing from social media.
D
It gets a little boring sometimes, but I've read a lot more.
C
The dumb phones.
A
I'm. I'm going for quality over quantity. I'm. I'm combating the slow up.
C
That's a good. For you. Honestly, I think we should all do that. But there is like a whole growing market of like, you know, dumb phones or the. What is the. I think the most recent nothing phone has like an actual physical switch to switch between smart mode and dumb mode. Like, basically like. Well, jitterbug is like, kind of holds you back because you're like, all right, now I need to like, walk to the restaurant. And I'm.
B
Yeah. And all you have is one other button that says life alert.
C
You. You press it. You're like, I'm at the hotel and I need to get to this restaurant. They're like, you gotta stop pressing this. You have.
B
You've exhausted all of your credits in this plan.
D
Yeah.
C
You had one credit a year and you just used it.
G
Well, even Apple has their, like the. The defense they give for, like, journalists or people targeted by. By Pegasus. They. It turns their Apple phone into a. To a dumb phone phone, essentially.
C
Yeah, yeah. Under attack mode or whatever.
G
Yeah, yeah.
A
Bottomize your smartphone.
G
So.
C
Yeah, yeah. I mean, there's. There's a whole. You know, there's a whole thing. I saw Pebble Pebbles bringing a couple Pebbles back. For those that, like, love their pebble watches. Back in, like, 2012, they made a new watch. I feel like that was such, like, a nerd specific thing where, like, everyone cool in 2012 had a pebble.
F
Pebble.
B
I had a Pebble.
C
Yeah, everyone cooled it. Now everyone has an Apple watcher.
B
Now I'm just a loser.
A
I never had a Pebble. Does that mean I'm not cool?
C
No, it just means you weren't cool in 2012.
B
Yeah, you got cool.
C
Okay, now you're cool. You can buy the pebble too.
B
You could buy the pebble as well. They're probably cheap online. Except for the hips.
A
You wanna be a pebble too?
D
They're not cheap. They're $200.
B
What?
C
Dude, that's the check right over here.
B
I could make some easy cash.
C
Dude, wait, 200? That's how much I'm paying a. The subscription services it takes to watch the Olympics.
F
You know?
B
You know how much.
D
Let me give you. Let me give you this Italian website real quick.
F
Okay?
A
Before we do the CTF stuff. I actually did have it's not an infosec related chicken story. Oh, but it is a chicken story and it's.
F
It.
D
We don't need. We don't need it. It's okay, we can get away.
A
Short and sweet. Apparently during the Eaton fires, all the wildfires we had a year ago hearing in Southern California, there were a bunch of chickens who were rescued and there was a follow up story by NBC or I'll have to look it up here. Where is it? Oh, I close that tab. Anyway, there are follow up stories and basically the chickens are doing well. That's it.
D
Okay.
B
Chicken survived. Great article.
F
Thriving.
C
What about the eggs? Did the eggs survive?
A
They probably were off their leg.
B
What did they say first, the chicken or the egg?
C
I think the chicken. That. That tells you everything you need to know right there. People save the chicken first, don't save the egg. That thing's already hard boiled. All right. Yeah. So CTF winners. Let's do. Let's do the CTF winners. The W winner. The first place prize goes to Josh Kemp, who gets a year of Antisyphon on demand training for free. And then the second place prize goes to Christy B. 78 who gets one class of their choice. You should have gotten an email. If you haven't gotten an email, let us know. I have no idea what the CTF was. If anyone knows what it is, please post it in the chat. I'm assuming the CTF was. Get on the podcast.
D
A year's worth of. A year worth is a lot, right? Like, that's a. That's a long time.
B
Yeah.
E
Year's worth of access.
C
You can learn a lot in the year.
D
Is your iOS class on demand yet?
G
Not yet.
D
Not yet.
G
Not yet.
D
Are you gonna make it on demand? That's up to you.
C
It would be hard to do it because you'd have. Is there a. Is there a hardware component at all that I guess you have to bring a representative device?
F
Nope. So we're doing it all virtualized. We'll be using the Corelium platform. If someone is dead set on bringing their own rooted device, we will do our best to help them. But no guarantees with any of the labs or if anything goes wrong with their own device.
B
Is it, is it Android?
F
Android hardware free? No, first is just iOS.
B
It's just. It's just iOS. Do you, do you. Have you guys gotten the. Or have you guys ever played with the development platforms that you guys can get from Apple? Apple? Yeah. Yeah. Yeah.
C
So.
G
So we actually in the class, we have our own app as well. So we did. We we designed and we have a vulnerable app, so.
B
But yeah. Yeah.
F
Are there any cool CTF challenges in the app?
C
I'm sure there are, based on your face.
B
Yeah. So, last question, because now I'm just interested. So this is a virtual only. Only or in person.
F
It's a hybrid class. It'll be on demand. This will be virtual. But this is going to be some people signed up for in person at Wild West Denver, hoping to get a few more. And. Yeah, so we'll be live, walking around, helping people out.
B
Nice.
F
Making jokes, having a good class.
B
Sounds like fun.
E
Should be great.
C
Someone asked about the CTF answers. Megan, do you know where the CTF answers are or how people can find them?
B
You can't.
C
Yeah, that's the ctf. The CTF is find the CTF answers.
B
Ah, got him.
D
You know what you do? What was his name? You find Josh and you ask him and you become his friend.
C
That's honestly, if you want to know the way to network and be good in the cyber security community, that is the way to do it.
D
CTF teamwork.
F
No.
D
Maybe he shares your password with anti for Antisyphon.
C
You know, sometimes the real CTF was the friends we made along the way.
B
Hacked my heart.
E
I'm not.
C
All right.
E
I'm not sure how I feel about being a flag.
C
All right, thanks everyone for coming. We'll see you all next week and bye. Bye.
B
Bye.
F
Bye.
C
Bye.
D
Sam.
Date: January 14, 2026
Hosts: Black Hills Information Security team (varied panel, including Ralph, Braun, Cameron, Wade, Dave, Ashling, Bronwyn)
Main Theme:
A lively, community-driven roundtable covering significant infosec and privacy news for the week—balancing industry insight with sharp humor.
This episode of "Talkin' Bout [Infosec] News" dives into a diverse batch of stories, ranging from cryptocurrency money laundering and privacy wins in California, to international internet censorship and the latest AI technology partnerships. The crew also touches on recent high-profile breaches, the ongoing challenge of personal data protection, modern phishing trends, and the state of cybercriminal forums. Expect candid takes, jokes galore, and memorable tangents along the way.
Quote:
"They sold their content, so they've got almost nothing in the way of interactions. But they're making bank because..." – Panelist A (00:01)
Marriage / Partnership Humor:
"Yeah. How did you get married?" – D (01:04)
On the Futility of DNS Blocking:
“This is never not happening. It just isn’t technically feasible.” – C (22:46)
On Social Media Detox:
“I am detoxing from social media. ...I'm going for quality over quantity.” – Bronwyn (54:10)
Joking about AI Password Cracking:
"Your password. ...Just like a pedophile, dude." – C (33:29)
On Pen Testing and OPSEC:
"Turns out pen testers also have bad opsec." – C (44:55)
| Segment Topic              | Start | End   |
|----------------------------|-------|-------|
| Stack Overflow & OpenAI    | 00:01 | 01:24 |
| Crypto Mixers / Trump      | 05:03 | 15:14 |
| Italy Cloudflare Fiasco    | 15:42 | 22:46 |
| California Privacy Wins    | 22:46 | 27:43 |
| Apple/Google AI Team-Up    | 28:44 | 32:48 |
| Palantir, Nvidia, AI Chips | 33:03 | 35:19 |
| Rage Bait Phishing         | 36:01 | 37:55 |
| Doomsday Dark Web Breach   | 38:07 | 40:31 |
| ESXi/VMEscape Bug          | 40:31 | 44:55 |
| AI/HIPAA in Healthcare     | 45:39 | 47:54 |
| N8N 0-Day                  | 50:21 | 53:05 |
| Instagram Phishing         | 53:14 | 54:10 |
| Dumb Phones & Detox        | 54:10 | 55:36 |
| CTF & Closing              | 57:42 | 60:41 |
Highly conversational, technical but accessible, laced with irreverent humor and insider jokes; panelists are frank and often satirical while offering genuine advice.
For the latest cybersecurity insights—peppered with reality, irreverence, and honest advice—this episode is an essential listen, especially for those invested in privacy, AI, and modern infosec culture.