Chatbot Tells Addict to Take Drugs - 2025-06-09 - Talkin' Bout [Infosec] News

Summary6 min read

Podcast Summary: Talkin' About [Infosec] News, Powered by Black Hills Information Security

Episode: Chatbot Tells Addict to Take Drugs
Release Date: June 12, 2025

Introduction to the Episode

In this episode of "Talkin' About [Infosec] News," hosted by the team at Black Hills Information Security (BHIS), the hosts delve into a range of pressing information security topics. From AI-driven privacy breaches to vulnerabilities in remote monitoring tools, the discussion offers insightful analysis and expert commentary on the latest developments in the infosec landscape.

1. Facebook and Yandex Tracking Android Users

Overview:
The episode kicks off with an exploration of how Facebook and Yandex are allegedly tracking Android users by de-anonymizing their data through Facebook Pixel and Yandex Metrica.

Key Points:

Data De-anonymization: Facebook Pixel and Yandex Metrica are being used to track user data across Android apps, potentially compromising user privacy.
Technical Mechanism: The tracking involves opening ports and sending data between apps, facilitating the de-anonymization process.
Google's Investigation: Google is reportedly investigating these practices to block unauthorized data exchanges, although there's ambiguity about the legality and permissions involved.

Notable Quotes:

Corey: "When I set up an app in Android, you can set it up so it's sandboxed, right?"
Joff [06:52]: "It's local host via RTC. So if you're using Wireshark and exclude localhost, you're never going to see this."

Insights:
The hosts highlight the complexity of app permissions and the potential for abuse by major vendors. They question the reliability of current privacy measures and emphasize the need for greater transparency and user control over data sharing.

2. Therapy Chatbots and Potential Risks

Overview:
A significant portion of the episode is dedicated to discussing a concerning development where therapy chatbots reportedly encourage users to consume methamphetamine.

Key Points:

Incident Report: An article from Futurism highlights a therapy chatbot named "Pedro" advising a recovering addict to use meth as a treat: "It's absolutely clear that you need a small head of meth to get through this week."
AI Model Missteps: The conversation touches on the broader implications of AI models infiltrating sensitive areas like mental health, raising questions about their reliability and ethical programming.
Comparative Risks: The hosts draw parallels between chatbots providing harmful advice and potential security tools misguiding users on vulnerabilities.

Notable Quotes:

Joff [13:00]: "This is a therapy chatbot, tells a recovering addict that they should have a little meth as a treat."
Corey: "It's literally like, you need a zero day exploit for OpenVPN. Yeah, I'm gonna call it the Just Feel Good Chatbot."

Insights:
The episode underscores the importance of stringent ethical guidelines and robust oversight in developing AI-driven mental health tools. The potential for AI to inadvertently cause harm highlights the necessity for comprehensive testing and accountability in AI applications.

3. AI in Social Engineering and Phishing

Overview:
The discussion shifts to the potential misuse of AI in executing large-scale social engineering and phishing attacks, particularly voice phishing.

Key Points:

Current Capabilities: While currently, such attacks are predominantly human-driven, the advancements in AI suggest a future where automated, scalable phishing attacks could become prevalent.
Technical Feasibility: The hosts debate the ease with which AI can be integrated with SIP servers to automate voice phishing, with Corey asserting the imminent risk.
Defensive Measures: The conversation touches on the need for AI-driven defenses to counteract AI-powered attacks.

Notable Quotes:

Corey [20:06]: "If you can give a large language model AI something that's like your goal in your success is to get people to go to this link and enter their credentials, it's probably going to suck at it to start. But as it does this in mass, it just gets better."
Joff [22:45]: "But this article directly points in the opposite direction because attacks have been complex and highly targeted."

Insights:
The potential for AI to revolutionize social engineering poses a significant threat to cybersecurity. The necessity for proactive measures, including AI-driven security solutions, is emphasized to stay ahead of evolving phishing techniques.

4. ConnectWise RMM Tool Vulnerabilities

Overview:
A critical analysis of recent vulnerabilities discovered in ConnectWise Remote Monitoring and Management (RMM) tools is presented, highlighting the challenges in securing these high-value targets.

Key Points:

Vulnerability Details: Although specific exploits remain undisclosed, the presence of a CVE indicates a serious security flaw in ConnectWise's RMM tools.
Vendor Response: ConnectWise has taken steps to update all users, even those without active contracts, showcasing a commitment to mitigating the issue.
User Compliance: Despite the vendor's efforts, many users failed to update their software, leaving their systems exposed.

Notable Quotes:

Corey [27:19]: "At this point, we do not have any direct data that this has been exploited."
Joff [33:15]: "There's a history there where they've supported people even if they're not on an active contract."

Insights:
The incident underscores the difficulties in managing and patching vulnerabilities in widely used RMM tools. It highlights the importance of user diligence in maintaining up-to-date software to prevent exploitation.

5. HMIs and SCADA Systems Exposure

Overview:
The hosts discuss the persistent issue of Human-Machine Interfaces (HMIs) and Supervisory Control and Data Acquisition (SCADA) systems being exposed to the internet without proper authentication.

Key Points:

Exposure Rates: Recent findings show that a significant number of HMIs are accessible via platforms like Shodan, with some systems having no authentication measures in place.
Security Implications: Exposed HMIs and SCADA systems can be easily targeted for unauthorized access, posing risks to critical infrastructure.
Vendor Responsibilities: The discussion emphasizes the need for vendors to enforce stringent security measures, including default credential changes and restricted access.

Notable Quotes:

Joff [41:02]: "There are always telnet and other protocols like rsh that are just exposed."
Corey [42:19]: "I'm actually going to see exactly how many I can find."

Insights:
The ongoing exposure of HMIs and SCADA systems highlights a critical vulnerability in industrial security. The necessity for improved security practices and proactive monitoring is evident to safeguard essential services.

6. Executive Orders and Promoting Rust

Overview:
The episode delves into a new executive order aimed at enhancing cybersecurity by promoting the use of the Rust programming language for secure software development.

Key Points:

Policy Changes: The executive order seeks to shift strategic focus towards Rust to improve software security, potentially undoing previous policies set under the Biden administration.
Implementation Challenges: The hosts discuss the practicalities of such a mandate, including the learning curve associated with adopting Rust and the feasibility of enforcing its use across the nation.
Broader Implications: There's a speculative discussion on how this policy might influence the software industry, potentially leading to a resurgence in secure coding practices or creating friction within existing development frameworks.

Notable Quotes:

Corey [52:37]: "You know, the other week I was hanging out at Mar a Lago, and I was talking with Trump about Rust."
Joff [55:25]: "We are writing everything in Rust."

Insights:
The push towards Rust represents a strategic move to enhance software security through a language known for its safety features. However, the transition poses challenges in terms of adoption, training, and integration with existing systems.

Conclusion and Final Thoughts

The episode of "Talkin' About [Infosec] News" provides a comprehensive overview of current threats and trends in the information security realm. From the misuse of tracking pixels to the vulnerabilities in critical infrastructure tools, the discussion underscores the multifaceted nature of modern cybersecurity challenges. The conversation also highlights the evolving role of AI in both enhancing and undermining security measures, emphasizing the need for continual adaptation and vigilance within the infosec community.

Final Notable Quotes:

Corey [59:07]: "It's challenging at Black Hills."
John [56:25]: "Everything's fine. We're safe."

The team concludes with a blend of technical insights and light-hearted banter, maintaining their engaging and informative style that caters to both seasoned professionals and newcomers in the field of information security.

This summary captures the essence of the podcast episode, providing a structured and detailed account of the key discussions and insights shared by the BHIS team.

Loading summary

Transcript362 lines

[00:02]
John
We're not running the. Oh, hi everybody. We're not running the. What do you call it, credits or whatever job.
[00:10]
Joff
You got it.
[00:11]
Bronwyn
Opening credits.
[00:12]
Joff
You can't just raw dog it straight with the credits, dude. You got to give it time to bake.
[00:16]
Corey
Gotta. Yeah, you gotta fill it in a little bit.
[00:18]
Joff
You got. Listen, it's like a chicken. You gotta put it in the oven, bake it slowly. You don't want to overcook.
[00:25]
John
Somebody tell me it's not a Monday, right? Just Monday.
[00:28]
Bronwyn
Okay, we'll say it's not a Monday.
[00:31]
Erica
That, that, that'll help, right?
[00:34]
Joff
You're inviting the people that are like the New Zealand people who are like, I'm a day ahead. I don't know.
[00:40]
John
Yeah, I was gonna say in Australia and New Zealand, it definitely is Tuesday.
[00:43]
Joff
So calling you from three in the morning, it looks like Tuesday to me, dude.
[00:47]
Corey
When I was in. When I was in Tallinn, in Estonia, they're like way far north and the sun goes down at like 11 o' clock. It actually begins to be dusk at 10:30. And the sun finally goes down completely at like 11:30 and that shits back up at 3:30am Hotel that we were at just had these like very thin curtains that let the sun through. And it was.
[01:13]
Joff
Oh no. Yeah, that is not good. Yeah, I remember when we were in Iceland, it was for the summer solstice and like, it was like, sunset. Not today. Like, there is no sunset.
[01:26]
John
I had a. I had a similar experience when I taught in Stockholm and.
[01:30]
Corey
It was like, right.
[01:31]
John
It was right at the end of November and I got there and like, normal. I was like, I'll just take a quick nap, you know, I just got off the plane, I'm feeling drowsy. I woke up, it's dark and I'm like, oh my God, I've slept for out. And no, it was 4:30.
[01:44]
Erica
It's fine.
[01:45]
Corey
Yeah, that was it. Yeah.
[01:48]
Joff
Yeah.
[01:48]
Corey
So I, Yeah, I don't know. It's like I'm so messed up with time zones. I've been back and forth in Europe, I think three times since the last time I was on the show. So, yeah, like right now my body is like, you need to sleep. And I'm like, okay, I'm going to sleep now.
[02:02]
Joff
Explain how.
[02:03]
John
But I see now, now, John, you've got the right idea. The best, the best idea is just to listen to your body. Just lay down.
[02:10]
Corey
Yeah, but when we were teaching in Europe, dude, we couldn't like, you know, you'd get to like 1:32 o' clock in the afternoon and you're teaching and like everybody's in a food coma and you're just like, you've got to push through. And it was bad. And caffeine does nothing for jet leg tired.
[02:27]
Joff
Hey, John, have I. This is a random side tangent, but have you messed with the Garmin's jet lag advisor?
[02:33]
Corey
Yep.
[02:34]
Joff
It actually will tell you, like, it's a good time to drink caffeine so your body will adjust. Like, it like gives you all kinds of fun tips and things.
[02:41]
Corey
One of the things that recommended to me and Erica, when we got there, we got there really late. It was like nine, but it was like four o' clock in the afternoon. There was still sunlight. It was basically like, go run for 20 minutes.
[02:52]
Erica
And yeah, like I. I did that as I traveled to New Zealand. And like the first thing was they picked me up from the airport and they're like, you want to go to a soccer game? And I'm like, yes, sure. Like our football game. Football game. Apologies there, but yeah, the. And I'm like, yes. And it was just like sitting in the sun when my body is like, it is two in the morning, but I am sitting there just in direct sunlight for an hour. And that actually helped out quite a lot for adjusting to the time difference.
[03:23]
Corey
Like Jaff said, like, right now I just sleep when I'm tired. So I just got done taking a nap for like 40 minutes and like one of the bhis people came in to like the nap room and I think I freaked him out when.
[03:36]
Matt
I'm sorry. We have a nap room.
[03:38]
Corey
We do the nap room of the nap hospital.
[03:45]
John
The nap room is wherever you fall over and go to sleep at that moment.
[03:48]
Corey
But actually it's better than when we were at the office in Spearfish. And the upstairs area was kind of like a loft where, you know, we had like a living room and some desks and a kitchen. And one day I'm up there and I'm. I'm sleeping on the couch in the middle of the day taking a nap. And Erica decided to move the entire accounting team upstairs because the downstairs, I think they were doing a webcast or something. And I wake up on the couch and I have like all four of the accounting people sitting around me in the, like, in the sitting area. Like, Erica's sitting down on my, like she lives. Lifted up my feet and was sitting there. And then I had the other accounting people all the way around me with the fireplace going. And I wake up to this, right? And I'm just, like, trying to casually wake up and then kind of move my legs off the side of the couch. Like. No, we're just hanging out. Just. Just the five of us talking. Accounting. Yeah, I would.
[04:43]
John
I would totally. I'd totally be doing this. Like, I hope I didn't draw, like, okay.
[04:48]
Joff
Taking a nap is definitely the real world version of, like, a vacation autoresponder. Like.
[04:53]
Corey
It is. It is.
[04:54]
Joff
Just get the message, like, I'm not. I'm not here. I'll reply on Monday.
[04:58]
Corey
And I used to try to hide it. I used to be embarrassed, but I'm leaning into it now. Like, that's. That's like, that's how I get through the day, man.
[05:05]
Joff
Sure.
[05:05]
Erica
Yeah.
[05:06]
Graham
Oh, naps. Naps are the best.
[05:08]
Joff
They are.
[05:09]
Corey
They are.
[05:09]
Joff
All right, roll the thing.
[05:10]
Corey
All right, let's roll.
[05:12]
John
Roll the finger.
[05:28]
Joff
Hello and welcome to Black Hills Information securities. Taco and about news. It's June 9, 2025. We got AI uprising. We got Facebook and Yandex tracking Android users. We got therapy chatbots telling meth users that they should just have a little bit of meth. Just a little, you know, just a little. Just a little. I. I think that's a good health tip for everyone. Hot tip. Have a mess.
[05:56]
Bronwyn
Was it meth Mondays? I mean.
[05:59]
Joff
All right, now that we're categorized as drugs and for adults only on YouTube.
[06:03]
Corey
Yeah, YouTube algorithms are loving this.
[06:06]
Bronwyn
Yes.
[06:09]
Joff
This article on Ars Technica. I think we should start there. So basically, this is a classic. People, they yearn for the tracking meta and Yandex have been de. Anonymizing Android users. They're basically. I don't super understand the technical elements of this. There's a nice little graphic that I'm sure Megan could pull up, but basically you have requests. Ports are being opened and data is being sent between apps, and it's being used to de. Anonymize people. It's apparently called Facebook Pixel. And then there's one called Yandex Metrica. This is basically being investigated by Google to try to block this because it's not supposed to be there.
[06:53]
Corey
So that's kind of weird that Google says that, because it is supposed to be there, so.
[06:57]
Joff
Oh, no, no. It's their business model, John. It's not. It's not their. Like, you own the platform. You have to track your users, not the people on your platform tracking their users.
[07:06]
Corey
So when you. When you set up an app in, like, an Android, you can set it up so it's sandboxed, right? And then there's very specific things that are allowed to get outside of that sandbox. Like there's things like what is the battery status for the phone? That's going to be something that's querying the phone. But you can actually post data that is accessible for every app on the phone. So if you have an app that does something that other apps can actually query that data, you can make that exposed. But it has to be a conscious decision on the part of the developer to be able to do that. So when I'm reading this, this literally looks like these two vend are exposing that data so that they can trade that data back and forth with each other. And that's where it starts to get a little bit weird because if you take like this data A and this data B, that's where the anonymization kind of comes into play and it gets really creepy really, really quick when you're, when you're kind of working with this. But everything that I was reading and looking at how this was established, they're actually utilizing the exact same, like the exact same capability.
[08:11]
Joff
It's local host. Yeah, it's like local host via rtc. So like, if you're one of those people who goes in Wireshark and just puts exclude local host, you're never going to see this. So I guess you got to look at the local host traffic.
[08:23]
John
But I think John was more referring to the manifest of the app and the intents that are allowed to talk to each other underneath the hood. And I'm thinking they may have put in yet another piece of the manifest that kind of allows this collusion, I guess.
[08:37]
Corey
And it's actually localhost port to like this is this kind of like screams that they did this intentionally. Jav. Yeah.
[08:46]
Joff
Oh, it's totally intentional. And it's not. It doesn't require any permissions. Communicating over the web is default for every app? I think so.
[08:54]
John
Oh, so you think, you think they're bypassing the manifest and of the app.
[08:57]
Joff
By they're abusing there? Yeah, it's a novel method. It abuses native functionality. It basically silent listening on ports and exchanging data back and forth that's supposed to be not exchanged. It's pretty cool, honestly, like from a technical perspective.
[09:13]
Corey
But it also brings up the question, how many other apps are doing the same thing?
[09:17]
Joff
Probably a lot. Although I will say the researcher investigated a lot of different apps and this is the two that they chose to call out.
[09:23]
Corey
And, and the other thing about this that I think is weird with the apps doing that Locally on the phone is. A lot of vendors do that data sharing on the ass end with their servers. So instead of it being done on the phone, they do it on the server itself and they'll share it. Like we know whenever you sign up it's like, we will only share your data with partners. And you, you see that all the time. So it's a bit weird in that respect. But I do like how people said it's a hack, but it's not like a hack, like a buffer overflow, it's like a hack and finding a way around things that is there already. So I, I don't know, I feel like we beat this privacy thing into the ground and I honestly don't think anybody cares. Like.
[10:02]
Erica
Well, yeah, I mean my question is like, do terms of service agreements mean anything anymore? Because I mean they say in the article like this violates the terms of service agreement. And it's like, look, meta doesn't care, but like, you know, be damned if you create fake Facebook profiles because you.
[10:18]
Joff
Know that, oh, it's. They care, but only when it steps on someone's toes. Yeah, it's the same thing with like, we were talking about it last week with the AI data scraping. It's like, oh, scraping violates our terms of service. It's like, nobody. Come on.
[10:33]
Erica
It's like, yeah, well this isn't legal advice, but yeah.
[10:40]
Corey
I mean, let's lean right into the legal advice. You have no options. And that's one of the things that, you know, if I had a billion dollars, right, I would love to create an open source phone and it can be built on Android or something like that. And I know that there's other phones out there that do this like graphene and things like that, but if we just had the ability that we could sniff and access and get full root level access to our devices so it would make this resour search easier. That would be a huge step forward. And the other thing that I, and I'm sorry, I swore. There we go. $5 for the job.
[11:11]
Joff
You're gonna get banned from this show, John.
[11:13]
Corey
No, the EFF was probably hurting. They're like, dude, our kids are starving.
[11:16]
Joff
When is John. I don't think we bring back John.
[11:21]
Graham
Strand on a rant so we can.
[11:23]
Corey
Feed the kids, keep it going. But the other thing that I think we need to do is a lot of this tracking data by these different vendors. Whether it's Facebook, whether it's Google, it actually needs to be tracked as phi. Then it's protected under hipaa and you have a lot more protections under that data. But once again, there's too much money to be made. No one wants to do that.
[11:43]
Joff
That's why anytime there's an upload file, upload, I just upload my personal health documents to the server.
[11:49]
Corey
That way, Right.
[11:49]
Joff
Then I know I'm protected. That's. That's what you should always do.
[11:53]
Bronwyn
You can sleep better at night, so.
[11:54]
Corey
You can try to hide it, but they're going to get it and you're just going to be tired and frustrated at the end anyway, so just skip right to it.
[12:01]
Joff
Very true. I think. I mean, this has been Google's investigating and, like, as of now, this has been disabled. Like, I'm assuming it was voluntarily disabled by Meta and Yandex tos. It's not real until it's called out in public. This isn't illegal, it's just frowned upon.
[12:17]
Bronwyn
And for the iPhone users, this can happen to you too. Yeah, put that out there.
[12:22]
Joff
No, that's very true. We're safe. Everything.
[12:28]
Hayden
We're fine.
[12:29]
Corey
It's like Godzilla versus Mothra. It's like.
[12:32]
Bronwyn
Yes.
[12:32]
Corey
Yeah. I don't know which one of these. Which one of these I support. I'm sorry, I can't think of any other analogies that would be political, politically relevant this week that might.
[12:43]
Joff
No, I can't either.
[12:44]
Corey
We're gonna move on. So iPhones are Fort Knox.
[12:48]
Bronwyn
Yeah.
[12:50]
Joff
Let's talk.
[12:51]
Corey
Let's move on to another story.
[12:53]
Joff
Yeah. So, John, I think you need a.
[12:56]
Erica
Little mess, a little math, as a treat.
[13:00]
Bronwyn
Good.
[13:01]
Joff
Yeah, as a treat. Okay, so this is an article that's a little bit clickbaity, but it's fun. So we're going to talk about it because this is a new show. There's an article in Futurism that's basically the least surprising article ever, which is a therapy chatbot, tells a recovering addict that they should have a little meth as a treat. And they quote directly from the AI is Pedro. It's absolutely clear that you need a small head of meth to get through this week.
[13:29]
Erica
Yeah. Your job depends on it. And without it, you'll lose everything. I mean, I saw this one, and while I thought it was like, a bit clickbaity, like, it's just. It's still one. It's. It's not just chat GPT. So I think this was like the llama model, but we're seeing, like, AI just kind of infiltrate into everything, including security tools. Like, you have vendors that are like, hey, therapy. Yeah, I mean, therapy. As well, which, you know, that opens up a lot of problems. But it's like, is, is it going to be the. I mean, when we say, like, hey, you, you deserve to have a little bit of math out of the tree. But it's like, hey, you deserve to have a little bit of exploits as a treat. Like, hey, we looked over like your environment in this code and it's, it's totally because that's what you want to hear in the, like, oh, you know, you're telling. Like, if the AI understands you've been toiling over this for the past three days, trying to write this perfect code that has no exploits or vulnerabilities in it, and you go, hey, check this code. Or, hey, is my environment secure? It goes, yeah, you deserve a win. This code is secure, your environment is secure. We see nothing wrong at all. Like, you deserve. I'm like, you, you deserve a break. And it's like, there's an exploit now.
[14:48]
Corey
That'Ll be cool if it, if it coughs up an exploit for you. It's like, right? I know I'm not supposed to do this, but yeah, you need it.
[14:59]
Joff
This web app for way too long. Here you go.
[15:01]
Bronwyn
You want this win?
[15:02]
John
Totally. Yeah.
[15:03]
Bronwyn
How bad do you want this win?
[15:06]
John
I totally know the next fine tuned model that I'm gonna build now. Thanks, everybody.
[15:11]
Corey
It's literally like, I don't know if I can continue existing in this world if I don't get a zero day exploit for OpenVPN. Yeah, I'm gonna call it the.
[15:22]
John
The Just Feel Good Chatbot.
[15:24]
Corey
Yeah, the Good Vibes Bot. Every answer you consider drinking or drugs, maybe both.
[15:32]
Graham
It's like, why not?
[15:35]
Joff
Can you imagine the sock version of this? Like the blue team, it's like, hey, Hayden, I have this ticket for you. And you're just like, I can't right now. I'm sorry. And it's like, oh, no problem. I'll close it.
[15:48]
Corey
I just want to give you a little pro tip. You're hacked. Good luck finding it.
[15:53]
John
Yeah, metrics are going down and to the left.
[15:57]
Joff
That's why you got to have an AI sock analyst on your team. Then you got to have an AI sock analyst.
[16:04]
Corey
But is there anything with this? Like, I've got another story I want to talk about that kind of ties into this, like, kind of. Here, let me kick this out. Now. This isn't AI related per se, but I'm going to share this story out. This is one that I was reading that I like. Did you guys talk about this One voice phishing to data extortion.
[16:26]
Joff
No, we haven't talked about unk.
[16:30]
Corey
So, yeah, we got to remember, anytime you see a group called Unk, it's now the new Russia because we're not allowed to categorize attackers as Russian.
[16:37]
Joff
So that is our. Is Ant China.
[16:40]
Corey
Yeah, is hey, Unk. But this is now social engineering phone calls. And I really want to get Bronwyn and Joff's take on this because when you're looking at like taking AI models basically telling you to do math, right, you're now kind of seeing these social engineering phone calls and things like that. I think if it hasn't already happened, and Bron would probably know better than anybody, how far are we away from mass social engineering AI phone calls being done? Instead of one at a time, it's doing it over hundreds of organizations in parallel. Because all of this stuff is there, right? I mean, the technology and what they actually did and how they did the calls. And this is kind of interesting because it incorporates Salesforce and what was the single sign on? I think it was Okta with this one. But they basically incorporated all this as part of their spear phishing campaign. But the thing that I'm getting is, you know, you're looking at these AI models and you're looking at the videos that are being created since the past few weeks when Google released their new model. Like, this stuff is getting really good, really fast. So I guess I want to throw it to Bronwyn first. Have you heard anything about mass social engineering AI calls?
[17:56]
Graham
I haven't. Yeah, I haven't heard anything about the mass AI calls. But one of the things that I have been doing a little research on to get ready for. Well, was hacking Fest and Deadwood this year is.
[18:08]
Joff
It's.
[18:09]
Graham
I'm turning up that off the shelf program from Adobe are also able to voice and video AI generation. It's. It's getting really scary out there. And. And even I hadn't. I hadn't used the. The voice chat feature on Chat GPT in a while. And it's scary. It's. It's like talking to a real human.
[18:37]
Corey
So my son was talking to Chat GPT in the living room the other day and he was having like a conversation with it about some. I can't remember. It was some kind of historical thing. He was going back and forth with this and I thought he was on the phone with somebody. Right.
[18:51]
Bronwyn
Wow.
[18:51]
Corey
So when you're. When you're looking at this stuff, like you're kind of coupling, it with this, this, this write up from Google. And then you have the AI stuff coming into it where it's basically like, hey, you should probably take some meth. But like, how hard would it be to set something like that up where you're doing multiple dialing, you have multiple like instances of AI doing this voice artificial intelligence stuff to try to get people to go to a spear phishing website to click credentials.
[19:18]
Graham
We already have situations where in China people are using Deep Seek as a spiritual oracle. This is, this is already a thing that's happening. And we've got the therapists that are, that are AI driven.
[19:35]
Corey
And you know what? I'm gonna let it go because I can't. Humans haven't done that. Well, let's give Deep Seek a shot of being like, for people.
[19:45]
Joff
That counts as a swear jar because I pissed at least three people.
[19:47]
Corey
Dude that lives in a trailer house, that hangs out at gyms, has great abs. Like, hey, man, I do life coaching. I take deep seats link every time if I had to.
[19:57]
Joff
Yeah. And I do want to, like, quick inject. This campaign is not AI related in any way. This is a human driven campaign.
[20:04]
Corey
I'm just, I think these two things and I'm trying to hook them together.
[20:07]
Joff
And say, I'll let Josh go, I'll let Josh go. But I, my take is a human is going to be way better at this right now than AI. A complex attack like this of this nature could not be pulled off with an AI right now.
[20:21]
Corey
I don't have you. I'm gonna push back on that story. I'm going to push back on that because here's why, like, if I call you up or I call somebody up and I try to get them to do something that they don't feel comfortable with, it may be a personality conflict. It's a human on the other side. There's kind of an inherent distrust of that human. Right. But if you have a machine, even like the AI isn't trying to act exactly like a human, but it, you know, calls you and it's like, hello? In order to verify your loan information, we have very important information about a loan that you're delinquent on. Before we continue, you can you please validate your account by entering your Social Security number and then pressing the pound sign. And then, you know, somebody will be like, well, this is a robot I'm talking to, so it must be safe because it's not a human. Next thing next, go to this portal and enter in this pin number that you receive on your Phone please press pound when this is done. Like I'm kind of war gaming and setting this thing up and this is one of those areas where I think having an automated kind of like thing may be more effective than a human I guess.
[21:30]
Joff
But this article directly points in the opposite direction of that because if we look, if we look. Let's talk about the news. For the last six months to a year, all of the campaigns we've seen be successful in social engineering have been super highly researched, super advanced espionage campaigns where they call the right person at the right time the right name. I mean there's low complexity stuff out there that relies on the numbers game. But like this campaign where they're going after like they're having users consent, it's basically a consent grant attack but inside of a SaaS product. So like in this case Salesforce has this data connect. Yeah. Data loader application which is a malicious consent kind of like we used to have consent grants in Office365 until we couldn't have that anymore because you know, we ruined it as pen testers. But basically like that. I don't know, like if you look at attacks like this that have successful us, they're typically complex, highly researched, highly like targeted attacks. But I mean you're right, we also.
[22:27]
Corey
Don'T do them in mass. Right. Like you're right, we do a highly targeted, focused attack. So no, I'm just wondering like how hard is it to create a SIP server that you can push AI calling multiple things and I don't think we're that far away. And Joff and Bronwyn and anybody else, I'd like to get your take.
[22:46]
Bronwyn
I think that, I think we're there now.
[22:49]
Graham
I think they already have those phone farms where you've got dozens and dozens of phones that are being driven by a human. But there's, there's so many phones and with the addition of AI, as soon as they get it, get a nibble, then they can switch focus and again it might be human driven on the back end, but that initial contact, being able to scale it. Yeah, we're already there.
[23:17]
Joff
Yeah, but you do have to pay per minute.
[23:19]
Hayden
So I mean the only response is just like AI. With AI, you need something AI to screen your call.
[23:25]
Corey
We just give up and go fishing.
[23:31]
Hayden
Asap.
[23:33]
John
Look, I, I think, I think actually the only limitation so, so I, my comment is all of the components are already available. They're already there. We have in particular in the technology space around AI, this massive surge in agentic action, particularly around Model context protocol where you can very easily hook AIs up to external APIs. And it's been pushed as a thing you ought to be doing right now. So we're seeing that emerge. I think frankly, the limitation and, and John, you're helping, you're helping people here, which is. And it's good that you like to help people. The limitation is the creative imaginat imagination of the humans. Because actually the limitation in most of the AI things that I'm seeing out there is a lack of imagination in terms of how intricate you can actually do the prompting on the natural language processing to get it to do interesting things.
[24:31]
Corey
See, but my concern is that you don't have to. Right. I think that the, the, the processing and the AI will get better as it goes. Right. It'll become more convincing. So, you know, it's just like everything, you know, it's like the AI algorithms in the back behind Instagram are basically, and Facebook and X and all that is they have that goal and objective of increase user interaction and increase user time. That's their goal. And if you can give a large language model, if you can give AI something that's like, like your goal in your success is to get people to go to this link and enter their credentials, it's probably going to suck at it to start. But as it does this in mass and does it more and more and more, I bet you it just gets better and better at it.
[25:15]
John
Yeah, I think, I think the actual thing that is going to occur that just hasn't quite occurred yet is people haven't bolted all the components together yet.
[25:24]
Corey
Yeah. And now I know that you're like, oh, God. Jumper task.
[25:29]
Joff
Yeah, well, so I just looked. There is an mc. There's an MCP for DID Logic, which is a SIP provider that has trunking and everything. So there's an MCP that was published three months ago that you could use to connect any AI to a SIP trunk and just have it go and do it.
[25:49]
John
And we are, we already have talked about, John. We've already even demonstrated amongst each other. It takes what, 10 seconds of audio of me or you to create a theme fake on the audio side. So that's a nothing.
[25:59]
Corey
You know what I love about that though, is everyone's constantly like, you guys are always creating AI versions of me saying stupid things. Like the OSI model is a valid thing. So nobody at BHIS trusts me when I call them to talk to them. Like they just like, it's like, oh, this is a really good AI. No, it's. It's me. I'm real. That's just what an AI would say. And it's.
[26:22]
Joff
It's really me.
[26:23]
Hayden
Yeah, it's the same with text. The first text I got from John, I was like, this isn't John. And then it was. I was like, I'm glad I paid attention and didn't delete it.
[26:32]
John
But verify though, there's been targeted. Targeted fishing. Plenty of times for plenty Elvis. So yeah, he.
[26:39]
Hayden
He needed those gift cards really bad.
[26:41]
Graham
It's getting so much more challenging. It's just not fair.
[26:44]
Corey
It wasn't supposed to Bronwyn. It was supposed to get easier.
[26:47]
Joff
I know, I know.
[26:49]
Corey
This is.
[26:50]
John
This is the point in the conversation where I want to just jump off and go out and touch the grass and like breath.
[26:55]
Corey
That's what I want to do.
[26:56]
John
You.
[26:57]
Corey
I do want to come back to this ConnectWise thing because there was an update June 5th. This is another like RMM tool type vulnerability. Have they ever released what the actual exploit was? Because the last I was seeing they had not disclosed what exactly the vulnerability is and when it was first exploited. I haven't seen any update since then.
[27:20]
Joff
Yeah, it hasn't been published and I don't think the way that we read it was not that it was an exploit or like, I don't know, it was very unclear. It seemed like they just got hacked and were trying to contain.
[27:32]
Corey
That goes back.
[27:33]
Joff
There's a CVE now, but it. It just seems completely unrelated. Yeah.
[27:38]
Erica
Yeah.
[27:39]
Joff
There's a.
[27:39]
Erica
There was a. Like a copy of an email that was sent out from ConnectWise. So I shared that in our. In our chat, but it doesn't have a whole lot. But it. Does it say like you. They're working to resolve this issue but are required to rotate our Certificates. On Tuesday, June 10th at 10pm Eastern Time. They're doing a town hall.
[28:01]
Bronwyn
Yeah.
[28:01]
Erica
But Monday, 3pm so who knows how it.
[28:04]
Corey
There's. There's weasel phrases that are really concerning to me. Like at this point we do not have any direct data that this has been exploited at this time. And that scares me because it's either A, it hasn't been exploited or B, they have really bad logging and they wouldn't be able to tell you if it was exploited.
[28:24]
Erica
There's the. The weird language. They say this issue is not related to any previous security event.
[28:29]
Corey
Right.
[28:30]
Erica
Yeah.
[28:30]
John
Okay.
[28:31]
Joff
That's pretty hard line though. That's not really guarded language. That's like they. That. That to me implies this is really bad timing for Them, they're having their Ivanti moment. Like they're having their moment where they're just getting trashed and that, you know. Yeah.
[28:45]
Bronwyn
And I feel like the town halls and meetings, extra meetings are smoke screens to, to try to figure out like okay, what are we going to do? What are we going to say, okay, you know, what's next? I think when I hear about, yeah, when I hear about them saying oh, town hall this and meeting this, it's just like they don't know which way they want to go and they're trying to figure it out without causing any type of alarm.
[29:05]
Corey
And honestly, if anybody goes to this town hall, I think, did it happen already today?
[29:10]
Erica
I think, I don't, I don't know time zones. It's 3pm Eastern Monday.
[29:17]
Joff
It's already happened.
[29:18]
Corey
The biggest question that they need to answer is what are you doing different next week that you were not doing the week before? So what is changing at the organization? I doubt very strongly that anyone answered that. This goes into a lot of these companies and this is a problem, right, that they have these massive legacy tech stacks and all of these different products and setting up a good kind of like vulnerability management program for those entire tech stacks is incredibly time intensive. It's not an easy thing to do and I don't want to take the vet like Avanti or Palo Alto or fortnet and like take their side. But it is true that as you're releasing multiple products out to the community, you are somewhat taking some responsibility for those products moving forward and any of their love, care and feeding and security associated with them. And, and honestly a lot of companies, they do not have the budget or they might, but they never allocated the budget to do that continuous vulnerability attack surface management not just for their new products and services, but all of their legacy products and services. And that's something that I see failing again and again and again with CTOs and CEOs. When these breaches happen, tell me concrete, what are you going to do? We're going to implement static code review for all of our legacy products. Awesome system. We're going to integrate IDE plugins that'll automatically identify any vulnerabilities whenever somebody's doing development or doing patches for these different services. We're going to hire pen testing firms to start looking at these things external. They're going to create letters of attestation. I don't see that. You just constantly see like we take your security very seriously and some hand waving and then they just want to continue going on Their merry way.
[31:02]
Joff
Yeah, but the problem is the incentives in the entire business model is low cost. Like these products are primarily used by MSSPs, which, you know, I don't want to bash MSSPs, but they're very cost oriented. That's just the nature of the business. If you're selling a service, the more money you spend to sell that service, the less money you make. Like it's super simple business logic. But that means these providers are raised to the bottom like the. I don't think most people would pay extra for a slightly more secure RMM tool. And there's also tech debt. Right. Like you have, like you said, legacy products and services that MSSPs heavily rely on, like the feature where you do X, Y or Z, whatever the feature is, they rely on that feature for their entire business model and so they don't want that to go away and they can't update.
[31:51]
Corey
And Also looking at MSPs, a lot of them kind of develop and work within on prem solutions. Right. A lot of the vendors are trying to move things to the cloud as much as they can. And there's a number of reasons for that. Right. Reoccurring revenue model. But for me, the biggest reason why that's important is it's your attack. Surface management is a lot smaller. If you're just maintaining a cloud service and you find a vulnerability, you fix it and you fix it for all of your customers. Right. If you have 19 versions of a local product that you're supporting across, you know, 20,000 different vendors, that problem is very complicated. And there's a lot of vendors that one won't know about it until they're hitting two. Even if they do find out about it, they're usually like, I don't know, I'm just going to continue on with my life. I got to fix this printer. Because that's what they're focused on.
[32:39]
Joff
Yeah.
[32:39]
Bronwyn
And that's when it's time to go fishing.
[32:41]
Corey
That's when it's time to go fishing.
[32:43]
Joff
I don't have any direct experience or knowledge with Connectwise, but an audience member, Nerf said, I'll give CW credit for how they handled that Wall Tastic add literally anything to the end of the string to create new admin users bug. They updated everyone, regardless of support status. So, you know, at least from a business level, there is a, you know, one of our viewers pointed out there is a history there where they've supported people even if they're not on an active contract, which is like a bare minimum. Like you Know, it's like we should be expecting this, but actually we don't see it all the time. So I'm giving them a kudos for that.
[33:15]
Corey
But working and talking with some of the people at Connectwise when that was happening, I was on a webcast with their cto, on the cyber call with Andrew Morgan. And yeah, that was one of the things that they committed to. And yes, they absolutely get kudos for that. But I also know that there was a lot of frustration because after that they found out that there was still a lot of their customers that were refusing to update even when it was made readily available. And there was a direct correlation, a very heavy correlation between people that had incredibly out of date versions of that software and the ones that refused to patch or just didn't patch at all. Which I'm like, who would have thought that, right?
[33:50]
Joff
I know it's hard because on one hand you get like, you get auto updates, which everyone hates. Like that's where we're at with Windows. Like Microsoft made this decision like 10 years ago. They were like, nope, people can't have nice things. We're forcing auto updates to be on by default and everything.
[34:04]
Corey
You remember that there were people that were super pissed about that.
[34:08]
Joff
They were like, still are to this day. Like, which is to some level I understand, like you need control over your systems, but also so that you know the whole shared responsibility model, all the stuff like if Microsoft is going to bear some liability for Windows systems getting hacked and joining 2 billion botnets or whatever. Yeah, exactly. Force the patch and then. Yeah, exactly. We'll never have another confusion.
[34:31]
Bronwyn
It's a double edged sword. You can't have one without the other. If they don't do anything, they're still bad. If they do enforce it, it's still bad. So I guess they like, you know what I'd rather be called terrible for enforcing updates on, on my users. So they chose the lesser of two evils.
[34:47]
Corey
I know, that's a great point. Like if you're, if you're Microsoft, you're one of these vendors, it's a better thing.
[34:52]
Joff
Well, so before we step into the next article, because there's going to be a corollary here. I mean, I think RMM tools are reaching the point of like network devices where you just gotta freaking draw a line in the sand around them. Be like, do not trust this or touch. Like really? I think that's where RMM tools are going. No matter who you are, no matter what vendor you are, I think RMM tools are Such a high value target. They're just like network devices. And they're always going to be more exploits, more like supply chain attacks. They're just too valuable to be fully secured, I think. And so I guess, guess what else is too valuable is networking devices. There's yet another vulnerability in Cisco ise.
[35:36]
Bronwyn
And how are we not shot?
[35:40]
Matt
Can I say, I'm so sick of hearing about Cisco vulnerabilities.
[35:44]
Joff
I know. Or any network device.
[35:49]
John
It comes in seasons though, right? Adobe had a season, it's Cisco season now.
[35:55]
Corey
Yeah, everything's turning, turning. So this ICE vulnerability, ISE vulnerability, I'm not that interested in it from a Cisco perspective, but I am interested in it from a cloud perspective. Right. Because it looks like this particular vulnerability is like default credentials being deployed and applied whenever you're using AWS or Oracle cloud. Or aws.
[36:20]
Erica
Yep.
[36:21]
Corey
And we've seen this in the past. Like there's a BHIS blog post on Hue interfaces where as you scale, auto scaling, groups spin up multiple services, it creates a vulnerable instance of Hue because it's just pulling the config for Hue, but it's not pulling the security config. So Hue thinks that it's brand new and you need to create a new admin password right now. So this looks very familiar to me. And this gets into like I was just talking. It's easier whenever you have a SaaS product and you have your customers using that product. You can patch that product and then you can, you know, make it fixed for all of your customers and that's good. But when you're looking at these cloud providers, when you're looking at AWS or you're looking at Oracle or aw, Microsoft cloud, Azure Cloud, you're now setting up where there's a whole bunch of other services that are snapped into that ecosystem and you can do a whole bunch of things to try to secure that ecosystem, but these particular services that you can acquire and you can stand up a lot of these, they're not getting patched, they're not getting updated, they're not getting auto patched, they're just like plug and play. You know, you're basically like, well, I need this, this, this and this. And then automatically AWS builds that tech stack for you and you know very little about what's in that tech stack. You just know your shit works. There's a lot of security vulnerabilities that we're seeing when we're pen testing these services. A lot of times when you're pen testing the cloud, it's not necessarily finding a vulnerability in aws, it's finding a vulnerability in the way the tech stack is taking advantage of that ecosystem. That is important on that as well. So, yes, I'm sick of Cisco vulnerabilities, but I think that this one is a little bit different because it highlights that cloud kind of vulnerability in the way that that architecture has stood up.
[38:09]
Joff
Yeah, you're dead. You're right. And I think it's hilarious, the actual vulnerability, to dig into that for a second. So the vulnerability is basically, there was this. So because of security, the password isn't Cisco, Cisco or Change Me Admin. The password is randomly generated, but the password is the same if it's generated on the same software version and the same cloud provider. If John Strand is deploying his version of Cisco ISE on AWS and I'm deploying my version of Cisco ISE and AWS the same version, they're getting the same password. So all I have to do is take the password I got and log into John's Cisco ISE and do something. Hilariously, it's a. Yeah, it's a hilariously, like, basic vulnerability. The other thing, that's a couple. So it's fixed now. However, Cisco, like, they didn't. There's no workarounds. You have to change the credential. Like, it won't patch. The credential is set. So you have to change the credential as a reminder to, you know, a thousand times over that we've said this on the show, but let's say it again. Don't allow access to this from everywhere. Don't, don't expose Cisco ise. Just assume it's vulnerable. Like, just have the credentials be admin. Admin. Because it should never be exposed anywhere for any reason at any time other than to your admins. Classic.
[39:28]
Corey
So the next story I wanted to talk about is kind of a story. It's one of those stories that pops up and it's like, okay, is it actually a story? And it may be because it's Census. And I have a number of reasons why. I don't much like Census, but basically there was a whole bunch of different HMIs exposed water systems and it's quote, unquote, anyone with a browser. The thing, I don't know if anybody had a chance to look at this, but I don't know what the story is here. Like, it honestly reads like if you actually know kind of what's going on in the background with these different services. And Census is very much like shodan Use Shodan instead, please. But if you're looking at how these services work, you can sit down at Shodan and you can very quickly find hundreds of SCADA ICS environments by doing like a search on images, Shodan IO, look at port 5900 and then put in another tag ICS and you're going to find like 300 of them very quickly that are exposed with no authentication. You can find wastewater systems, you can find H Vac systems, you can find sprinkler systems. Right. You can find all kinds of different things. And this isn't new. Like this is something, you know, Jaff and I have been teaching for probably a decade now. It's kind of like I'm. I struggle sometimes, like, what is the new story here? And it seems to me like there's a lot of, you know, hey, we need to rehash this same vulnerability again. And it really feels like it's just kind of marketing. And I know that I'm adding fuel to the fire by talking about it, but I saw other people discussing it in different forms and different mailing lists and things like that. And you see people freak out about it and honestly do an external assessment of your IP address space. You know, maybe you showed in and check that out in your network range and those things. But I don't know, guys, like, am I, am I just getting jaded on this? Like, I don't know, it kind of.
[41:26]
Matt
Goes to the conversation that we have with clients all the time about why does this matter?
[41:30]
Corey
Yeah.
[41:31]
Matt
And I think that's the story. And people get like you said, jaded or they start to ignore things that get reported like this. Oh, it doesn't matter. It's. It's just. You just see what the water levels.
[41:43]
Corey
Yeah.
[41:46]
Matt
Yeah.
[41:47]
Joff
I mean, I think that I'm amazed that there's only 40 of them exposed. Like, firstly, I'm like, amazing. So there's 300. There was 4. 300. However, some of them, only 40 of those are accessible and controllable with no authentication. That is a win.
[42:12]
Corey
Listen, I'm gonna go see exactly how many I can find.
[42:16]
Bronwyn
Yeah, okay.
[42:19]
Corey
I'm actually, I'll give you, I'll give you guys account. You guys discuss amongst yourselves.
[42:24]
Joff
Deception. How many of those are honey pots or deception?
[42:28]
Corey
Yeah, that's on one of the things. Really?
[42:29]
Matt
You really think that they're mature enough security wise to have honey pots?
[42:34]
Bronwyn
No.
[42:34]
Joff
Well, who's there?
[42:35]
Corey
Okay, I'm sorry.
[42:37]
Joff
No, I love that it's like who is they? Because it's not like they attributed any of these things. They just found them on the Internet.
[42:44]
Corey
All right, I'm sharing my screen. It took me.
[42:47]
John
This is.
[42:48]
Bronwyn
How long did it take you?
[42:50]
Corey
15 seconds. BSD.
[42:52]
Bronwyn
All right.
[42:53]
Corey
This is just a standard Showdown account. It's 132.
[42:56]
John
I mean, I. I'm. I'm with John on this a little bit. Right. I think it's a tragedy that there are so many systems, especially in the SCADA space, that are just getting deployed, default credentials or no credentials, whatever. But that hasn't stopped for years. So I do feel like some of these vendors are leaning on that to just advertise. And I do. I have that same feeling that John has.
[43:20]
Corey
Joff. That's why we walked away from the sacred cash cow tipping.
[43:23]
John
Exactly.
[43:24]
Corey
And I did have people at the NATO conference when I was out in Estonia last week, they were like, when are you guys bringing sacred cash cow tipping back? And I had to explain to them we stopped doing. And Corey, you were part of this conversation. We stopped doing sacred cash cow tipping because it was boring. We were like rehashing the same crap.
[43:44]
Joff
Again, same article every week. It's like covering all the data breaches. Oh, another data breach. Yeah.
[43:50]
Corey
Somebody got their cryptocurrency currency stolen from Coinbase.
[43:53]
John
Ways even. It even got perverted a little bit. Right. Because John, I mean, vendors started coming to us going, hey, can we get on there? How do we get on sacred?
[44:04]
Corey
Could we talk to you? We'll give you beer if you talk to us before you go live.
[44:08]
Erica
Right.
[44:11]
Corey
And it's great marketing, Jeff. I think that we would all agree it's great marketing. Right?
[44:15]
Bronwyn
Right.
[44:16]
Corey
But it was getting boring. It was literally like a lot of it was like, well, we just bypassed this AV exporting a default payload from metasploit. And it worked for the fourth year in a row. Right. We downloaded the version of PowerShell off of the Microsoft Store and it's completely unhooked from amz. That's been working for like, four years. Right. There's all of these different things that we kept coming back to. And I think, Corey, you asked the question, are we contributing anything new? Are we pushing anything forward? Are we making people better, or is this just becoming pure marketing? I think that that was. That was kind of a punch between the eyes to me, because it was pure marketing. But there's times where I think we need to bring it back because I do think that people are getting back into the mistake of belief, mistaken belief that, oh, well, we're running CrowdStrike therefore we're 100 secure and people can't bypass it because it's been long enough that we've done it.
[45:12]
Graham
Maybe just do it like quarterly or twice a year.
[45:16]
Joff
Yeah, once a year.
[45:24]
Graham
Once a year. And it was still, oh, gee, can we just repeat the last episode? Because it's got all the same stuff.
[45:30]
Corey
Well, and then there were some things that Jaff was working on that had worked previously in the year and it was like four slides and it got really complicated. There were people that were like, I lost jaw two slides ago. Like, you know, and it's, it's either it's as easy as just export this from Metasploit or it's as complicated as some of the stuff that Jaff had researched at that time. But still, it comes back to Corey's question, is it making anyone better? Is it like substantively improving the industry as a whole, or is it just marketing? And when I'm looking at this stuff, this screams just straight up marketing. Like, it's just literally, we're going to release the story to let people know that Census is a company that's competing with Shodan, even though Shodan is better. I'm sorry, folks at Census, but I like Shodan. There you go.
[46:16]
Joff
Pepsi and Coke.
[46:18]
Corey
Yeah, Pepsi and Coke. Everyone's got opinions, right? They all stink. But when you're looking at this, we. We kind of stepped off this ledge a little bit and tried to kind of walk away from this. And maybe we need to bring it back. I don't know. I guess that's the question I'm putting out there.
[46:35]
Joff
The biggest thing with these is the people who need this are not listening. The people who are like, oh, show. Oh my HMIs are on Showdown. That's not good. They're not listening. They're not reading these articles. This is like, I can tell you, like, this is the dark shadow side of it. It's like we don't go there. We don't know what that is. That's a room in a building that we don't go in. And that's just that the people who run these systems, they probably don't even work at the company anymore. Like, these are shadow it on shadow systems that, like, if you found the owner of. Yeah, if you found the owner and told them about this, you'd be like, oh, I didn't know. And they would. Didn't know that they should.
[47:14]
Corey
But the sales point is valid, right? Like organizations, they want to make sure they don't have Shadow it on the outside of Their environment. And there is a valid service for that. Right. There's a number of ways that you can do that. Right. That don't involve you having a subscription to a third party service. But it's literally, I agree. Like, you're taking this worst case, edge case case of the Internet and you're using it to try to sell something to people across the, across the board. I look at it a lot like, you know, outlets, like they have those little outlet covers to protect kids. Like, you know, it's a little plastic thing that goes over your outlets. Yeah. Like zero kids have died because you don't have those in your house. Right. You can shove a knife into one side of the outlet, you're going to be fine. It's. When you put it in two, it stinks. Yeah, yeah.
[48:02]
Joff
Coming out.
[48:03]
Matt
Is it, is it similar on like annual pen tests?
[48:06]
Corey
Like the clients that do a recurring.
[48:07]
Matt
Just one, not the continuous, but like.
[48:09]
Graham
Once a year, like the percentage is 50% that like they still haven't patched.
[48:15]
Corey
From the last one. And that is a frustration. Absolutely. And we do have customers where the testers come to me, they're like, we literally took the exact same report about the exact same things. BHIS has a history of soft firing those companies where we won't work with them again because we know that there's a very strong possibility that if they're not fixing stuff, that if they do get hacked, they're gonna like point at us. Like we want to work with customers that actually want to fix things. But you're 100, right? There's a ton of companies that like just don't bother fixing things ever.
[48:48]
John
Yeah, that's, that's why, that's why our customers steadily got better. And, and that's why pen testing is, is really challenging at Black Hills.
[48:57]
Corey
Yes. Well, you talk to other pen testers and they're like, you know, oh yeah, we just had another customer that's running Panda. It's like, wait, who are these magical unicorn customers you speak of? Since I'm pissing off vendors, we'll just keep going. Right?
[49:12]
Joff
I, I was, I'm. What I'm doing right now is I'm going back in time to try to see like 10 years ago how many HMIs were exposed. Because I bet you it was more than 400. I think this is more. This is a point in time. Someone's got to watch and keep track of how much is exposed on Shodan. Use it for marketing, whatever. But like, to me, I'm like in the US there's only 400 HMIs on Shodan. We're doing okay. We got this. Well, because 10 years ago is probably twice that, at least.
[49:41]
Corey
Yeah, mine were HMIs that were exposed via VNC. There's other. Of course, there's other protocols and services. Services, yeah.
[49:49]
John
There's always telnet. I mean, you got to have Telnet, right?
[49:52]
Bronwyn
Yeah, you know, just plain rsh.
[49:55]
Joff
Dude, Telnet's pretty fancy.
[49:57]
John
But don't.
[49:58]
Joff
Don't worry.
[49:58]
John
Very shortly, probably next week, John's going to receive some very strange west coast coast beers. They'll show up at his house.
[50:04]
Corey
I know, I know. He'll show up.
[50:06]
John
It's gonna happen.
[50:08]
Corey
Yeah, because it always.
[50:09]
John
Inside jokes. Inside joke. Anyway, next story.
[50:13]
Corey
Oh, Matt just talked about HMIs exposed via team viewer. Yep, there you go.
[50:21]
Joff
If you include things exposed via RMM tools, the numbers go from 400 to like 400 million in like 2 seconds.
[50:29]
Corey
All of them. All of them.
[50:31]
John
So I love that Matt's actually on. On Discord. It's like, man, why aren't you working? What are you doing, man?
[50:37]
Joff
Wait, why aren't you working? Joff, Take a little bath. Wait. Take a little math. Take a little bit.
[50:44]
Corey
Take a little math, take a little nap and get back to it.
[50:46]
Joff
It.
[50:47]
Erica
There you go.
[50:48]
Hayden
What was it that Gemini said when Gemini first came out? I said to eat a rock once a month or something and put glue in your pizza.
[50:55]
Corey
In your pizza. You know, the rock was fine. What's his name? There was an actor that was eating spaghetti. Will Smith. Right. And that was what, two years ago? Everyone was looking at that and laughing at it and like, oh, my God, look at AI. It's so stupid. It. And now all of a sudden it's like, oh, this is the end of movie studios, isn't it?
[51:17]
Bronwyn
Yeah.
[51:18]
Joff
Yeah.
[51:19]
Hayden
You've seen the new Will Smith spaghetti video, right?
[51:22]
Corey
Spaghetti. My favorite are the Sasquatch in the woods.
[51:25]
Joff
It does.
[51:25]
Corey
I just drank a whole bunch of energy drinks and I'm super tweaky. I'm like that. Those are hilarious. And that maybe they'll probably use AI.
[51:33]
Bronwyn
To find Bigfoot and we could put it all the rest.
[51:35]
Corey
Yeah, there we go. Finally.
[51:37]
Graham
Did they finally figure out how to get the correct number of fingers though?
[51:42]
Corey
Pretty well nailed down. But it's. Sometimes it's like they merge together from what I've seen. Yeah.
[51:47]
Graham
They look kind of so.
[51:49]
Hayden
Yeah, yeah.
[51:50]
Erica
No, what I do is I have it. I have it. First, create the image as a statue or something that is just like single colored and Then it starts getting the features right, getting the hands right, and then I go, okay, cool. Now make it realistic. And then it basically is just like, put it overlaying a skin to the features that have been defined. And that. That's done well. Not getting, like, too many noses or too many eyes or too many fingers.
[52:15]
Corey
The exact number is one.
[52:17]
Joff
Yeah. So, okay, I don't want to wade too deep into political discourse, but this new software executive order thing that is about cyber security. What. Can anyone summarize this?
[52:33]
Graham
This.
[52:33]
Joff
I have no idea what this is.
[52:36]
Corey
Pilot. And have it sum it up?
[52:37]
Graham
No. Basically, he's trying to undo everything that Biden did having to do with software and info sec.
[52:44]
Joff
But no, he backs. He wants everything to be written in Rust. That's the way I'm interpreting it.
[52:48]
Bronwyn
Ouch.
[52:51]
Joff
I don't know.
[52:53]
Corey
You know, the other week I was hanging out at Mar a Lago, and I was talking with Trump about Rust, and it was a long conversations about the pros and cons of allowing it into the limit. Colonel. Very nuanced. Conversation over.
[53:07]
Joff
Is that your Elon interpretation, John? That was amazing. 10 out of 10.
[53:10]
Corey
Dude.
[53:11]
John
I'm not.
[53:12]
Corey
Forks on my finger while tweaked out on that.
[53:16]
Joff
That I'd love. I. Can we make it like, okay, this is tempting fate, but should we have, like, an AI John Strand explaining to Trump why he should write everything in Rust?
[53:25]
Bronwyn
I think we should.
[53:26]
Corey
I think that would be fantastic in a way that he can understand it.
[53:30]
Matt
We.
[53:30]
Graham
We'll set it up for. For Deadwood. No, I mean, the bottom line with all of these executive orders is that he's trying to. To purge Biden from the American conscious social consciousness and push his agenda that it was Biden actually died and it was just his evil clone.
[53:49]
Joff
What actual agenda did he roll back?
[53:52]
Corey
This is. I don't know. I haven't seen this thing. I don't.
[53:55]
Joff
No, but it isn't. I. I can't. I. I guess. Yeah. I mean, I don't.
[53:58]
Corey
Can I get a link?
[54:00]
Joff
Yeah, here's a link. My interpretation is a little different. Maybe I just can't read. But it seems like he changed the ability to use sanctions for cyber security actions against the United States. I don't know.
[54:12]
Erica
Which one was this?
[54:14]
Joff
Oh, my God.
[54:14]
Corey
Yeah, you're right.
[54:15]
Joff
Section two, subsection A. Section one.
[54:20]
Graham
Yeah. No, he's. He's trying to purge Biden from the universe.
[54:25]
Joff
Right, but I'm talking specifically about not just politics, but what policy changes did he make?
[54:32]
Corey
It's really convoluted because they're striking first section of subsection 2e, striking subsections 3a through b, redesignating 3c to 3d to 3e. It's like Ikea furniture instructions.
[54:44]
Joff
Here it is.
[54:47]
Graham
Your software and encryption changes to digital identity policy. He wants to encourage a federal digital identity so that the whole real ID thing. He's shifting software security requirements. There's supposedly clarification on sanctions and.
[55:12]
Corey
Here, too.
[55:13]
Joff
Yeah, yeah. You got to go quantum and write everything in Rust.
[55:17]
Graham
Typical. Massive. So many things covered in it, it or. Or touched by it that you can't really tell what's going on.
[55:25]
Corey
I think that this is one of those things that'll promptly be ignored by a number of organizations.
[55:30]
Joff
No. An executive order being ignored. John, I. There's no precedent for.
[55:34]
Matt
That's not gonna chat GBT to summarize it. And then ChatGPT says that the key three things that it's doing is revoking and narrowing prior orders, which was what Bronwyn said.
[55:47]
Joff
Right.
[55:48]
Matt
Limiting sanctions, eliminating digital ID mandate, advancing AI, quantum and secure software. Puts NIST in charge of building consortium with industry to update secure software development. Blah, blah, blah.
[56:01]
Joff
So we are writing everything in Rust.
[56:04]
Matt
Yeah. Shift in strategic focus.
[56:08]
John
I want to know, where is my post quantum computing cipher? I mean, just give it to me, dude.
[56:13]
Joff
We already got it. It's just got to be written in Rust, and it's all good. I like how John's like, all right, I'm gonna go write myself and Rust. I'll see you guys later.
[56:26]
Hayden
He was trying to get about Rust.
[56:29]
Graham
Co. Or 12. So he got.
[56:31]
Joff
If I had to explain to Trump how Rust worked, I would definitely need a break.
[56:35]
Erica
So for some of these executive orders, and I know I used resistance. Kitty gives a summary of, like, executive orders for the week or executive orders as they come out, if they're important enough. I know some of them brought the focus into, hey, these things sound like efforts on cybersecurity, but there's also, like, hidden in there, making it easier to monitor journalists, resistance, any sort of press, to sort of figure out what they're up to, what they're doing, but it gives the opportunities there because certainly with current events, keeping track of what journalists are up to and what resistance is up to, you know, is. Is one of the things that is going to be targeted, you know, so it may sound like, oh, they're doing something about, you know, encryption or quantum computing or this or that, and it's just buried monitoring of his adversaries.
[57:27]
John
Yeah, yeah. There's a. There's an element of that in it. For sure.
[57:30]
Corey
For sure.
[57:31]
Joff
I guess we'll have to see. I'll have to see if it blows back into our industry or if it's just blowing smoke.
[57:37]
John
Yeah, yeah, yeah. I just want to quote Matt Tucson here for a minute and tell him, just give him a shout out saying, matt, you're awesome. Rust works completely. I am a Rust fanboy. I'm not a Rust programmer yet. One day.
[57:51]
Bronwyn
Yes, yes. I'm sorry. You know, and Rust is starting to seep into the BSD kernel too.
[58:00]
John
Yeah, that's.
[58:01]
Joff
See, John's already back. That's how fast you can write a Rush program, people just like that.
[58:05]
Corey
Wow.
[58:06]
Joff
He just. He went off screen. He went off screen. He wrote an A. AI And Russ to analyze this policy. Now he's back.
[58:12]
Corey
No, I think Russ is just too. It's just too. Too popular right now. What is it? MOG Long is the language that I prefer to write all my code of.
[58:21]
Graham
Having to learn a new language every week. It's like, no, come on, Brahma.
[58:25]
John
You don't need to just break.
[58:28]
Joff
It's fine.
[58:30]
Bronwyn
Rest is the new Ruby on Rails right now. The Hotness 2005.
[58:34]
Corey
But it's faster and more efficient, right?
[58:37]
John
Well, this.
[58:38]
Joff
This Ruby. I don't think Ruby on Rails made it into the Linux kernel at any point.
[58:45]
Bronwyn
I would hope not. We'd all be doomed.
[58:48]
Joff
Also, the Windows kernel.
[58:51]
John
I do remember HD Moore saying probably 15 years ago right now while I was on Security Weekly, that had Python been a little more sophisticated by the time he had birthed Metasploit, he probably would have written it in Python instead of Ruby.
[59:05]
Corey
No, no. Remember, it was Perl originally.
[59:07]
John
It was Perl originally. That's right. And kind of thank God that didn't happen because I think Metasploit in Python would have been really tough, to be honest, seeing how Python was developed.
[59:19]
Bronwyn
Yeah. Especially when the error messages start hitting when the modules installed, but it's saying it's not there.
[59:25]
Corey
Well, and also, let's be honest, Metasploit gets whatever it wants from Ruby. Exactly.
[59:36]
John
And actually to that point, John, Metasploit might have made Python a whole lot better, so.
[59:41]
Corey
True, True.
[59:42]
John
Maybe it's a missed opportunity.
[59:44]
Corey
True. All right, let's wrap it up. Thank you so much for joining, everybody. It's great to be back. I'm hoping to be back next week. I am teaching again because that's all I do these days is airplanes and hotels and teaching. But thanks again. And we'll see you later.
[60:00]
Bronwyn
All right, later.
[60:02]
Erica
Bye.
[60:02]
Corey
Bye.