Bronwyn

Holiday weekend. John isn't here so we'll be as ranty and exciting as we can be considered.

John Strand

I'm just scared that it's September. What does that even mean? What is that month?

Bronwyn

And, and the pumpkin spice latte and pumpkin spice insanity is starting again.

John Strand

And I have eight foot skeletons for sale at Home Depot.

Bronwyn

Pumpkin spice bacon.

Mary Ellen

What?

Bronwyn

Yep. Butcherbox. They have an annual special with pumpkin spice bacon.

John Strand

Of all that sounds terrible. I'm not gonna lie. I feel like the, there's got to be some kind of metric where like the number of eight foot skeletons are in your neighborhood. Like that has some kind of correlation. I don't know what like, I don't know what it would be. There are multiple people around where I live that just have them out 24 7,360 in their front lawns with like different attachments for different holidays and stuff. I don't know what that means.

Bronwyn

Remember when the whole light show thing was strictly a Christmas phenomenon? Now apparently some people are getting into Halloween light shows, turning their, their homes into haunted mansion light.

John Strand

I mean it's a lot of work to put up all those lights. Whatever works.

Mary Ellen

Yeah, yeah.

Bronwyn

There are companies that do nothing but lights. I, I would, I feel like that's cheating to hire a company to put up my Christmas lights.

John Strand

Don't you live in a place where no one would see your Christmas lights if you had them?

Bronwyn

That's kind of like some neighbors other than the bears and the coyotes and.

John Strand

The cobras kind of like goals. Oh my God. The deer are like wow, what a beautiful, what a beautiful display.

Bronwyn

The only thing the deer in my neighborhood are interested in is and teasing my dogs. They know that the dogs won't come past the fence so they stand like three feet away and go.

John Strand

That'S fair. I would do the same thing if I was a deer.

Bronwyn

I believe that. I believe that.

John Strand

100 we can roll the finger. I think this is going to be a chill edition. Lets go. Hello and welcome to Black Hills Information securities. Talking about news. It's September 2, 2025. I can't believe it's September. We were just talking about it. Let's, let's get scared. We got spooky skeletons in Home Depot and Costco. We got pumpkin spice lattes hitting shelves this weekend. I'm not ready. I don't even have a puffy vest. I mean what am I going to do? I don't know what to do. I got quiet crowd. Oh man, nobody. It's going to be a chill edition this week. I Think the main thing that's going on is Sales Loft, Salesforce, everything has to be prefixed by sales these days. Maybe this will be like the Sales cast. Wait, no, that sounds terrible. Turns out when you make Sales cast, when you prepend sales, it just makes it worse, I guess. So basically the current like big top story is Google Threat Intelligence Group posted an advisory about a Salesloft Drift integration compromise that they experienced. So for those that don't know, and this would include me as of 10 minutes ago, sales Loft is a privately owned company that's completely different from Salesforce. They've been around since 2011, surprisingly. And there's a thing called Sales Loft Drift which appears to be like a sales conversion. You know, like I guess you put it on your site and it's like, hey, buy our stuff. I don't super understand how it works. Yeah, Chatbot or some AI sales integration. But the Google Threat Intelligence briefing, essentially the high level thing is if you use Sales Loft Drift, you need to treat all authentication tokens stored in or connected to the Drift platform as potentially compromised. It goes on to kind of exp explain how their investigation played out, which was essentially that their Salesforce is compromised. Their Salesforce apparently stored keys to access Sales Loft. Sales Loft Drift which then those keys were compromised. And then I don't know exactly how things spidered out from there, but Salesloft does have an advisory which I will, I can link to here. Essentially the list of companies affected is growing. It seems to be the breach that keeps on giving. We have obviously the Google one. They were the first ones to post it, but we also have seen Zscaler. Who else? A bunch of others.

Mary Ellen

Sorry, I got the wrong one up.

John Strand

I'm going to put the right article. No worries. Yeah, Zscaler is affected. Let's see who else. There's probably a list here. Palo Alto. So yeah, basically if you use this integration, I reset your credentials, reset your tokens.

Bronwyn

If you're using anything that says Sales at the beginning of it, change all of your.

John Strand

Yeah, go in active directory, find all accounts that start with Sales and just disable them all. No, I'm just kidding. Do not do that. They, you know, they're, they. To be fair, this portal, you know, Sales Loft does have like the trust portal is active and they have all kinds of warnings and security updates. Like they appear to be taking it pretty seriously. Which you got to give them credit. They're not downplaying, they're not gaslighting, they're actually acknowledging it and kind of Doing their best. Salesforce also has disabled the Drift integration entirely. So I mean, my gut on this, I don't really know. I mean, we'll see how the details pan out, but my gut is like, it just seems like the API integration world is not always done in the most secure way. The, you know, just the different ways that people are like tying applications together. I think a lot of it is based on convenience and not so much on security. That's my personal opinion, but I. We probably will see more of that kind of stuff.

Bronwyn

It's amazing to me how the, the more cool tools we have, ultimately the security aspect boils down to the exact same thing over and over again. Secure authentication, secure transportation of data. Is it just me? Am I the only one seeing this?

John Strand

It's not just you, it's just the complexity I think is much. You know, it's like, well, we don't know. We just hand this data to this API and then it does the thing for us. You know, like that's kind of the vibe is the third party nature. It's like you're taking Salesforce, you're connecting it to Sales Loft and then it's talking directly to your customers for you. Who's responsible at this point for this? I mean, obviously Google or whoever gets breached is responsible for publishing the data breach. So that's your answer. But it's definitely, I don't know, it's pretty sketch. So yeah, the other story that kind of was top billing was this DSL route. There's a Krebs on security article that has kind of spun out of a Reddit post. The Reddit post. It's pretty funny to read the article just kind of end to end. But basically there's a certain someone on Reddit and the. The user's username, which it's Reddit. So I mean, take a wild guess as to what their username would be. Their username in this case was Saka Poopy, who for some really surprising reason did not respond to questions for this news article. Basically they posted on Reddit and said, I have been getting paid $250 a month by a residential proxy provider named DSL Route to host devices in my home. They are a separate network than we what we use for personal use. They have dedicated DSL connections. My family use Starlink for their like main Internet. Is this stupid? You know, they just sit there and I get paid for it. And this kind of opened up a can of worms, right? So like a lot of the people in the comments were like what? Because the other hilarious thing is if you went through the user's Reddit history, they like posted about being basically a U.S. doD employee.

Bronwyn

So was that DoD or Doge?

John Strand

Yeah, I don't know. But it kind of opened up the can of worms about these legal botnet services. So for those that don't understand why would someone pay 250amonth to get a device in the U.S. the answer is because U.S. based IPs have better reputation than, you know, Russian or Bulgarian or whatever IPs. There's lots of companies all the way from security practices all the way to like anti bot preventions, but they just outright block entire geolocations like North Korea, Russia, China, et cetera. There's also a lot of, you know, scraping and other things, but essentially DSL root in particular is probably one of the sketchiest versions of this kind of a business. So there's, there's one, you know, the company's registered in the Bahamas, it gets posted on Black Hat World, which is like a dark web, you know, forum site. It probably doesn't do a whole lot of validation that its customers are using it for legitimate purposes, etc. There are companies that exist in this space like Bright Data or oxylabs or whatever that are considered like above board and do know your customer KYC stuff and like supposedly vet how their proxies are used. Like we as pen testers, we use these kinds of services as well because we need to be able to bypass scraping protections and sometimes bypass like botnet or like rate limiting and stuff. So there are legitimate use cases for these businesses, but this one in particular is pretty super sketchy. So I guess the answer is I don't know if you should let a company have a botnet in your residential environment. I mean, on one hand capitalism, on the other hand, ethics. It's tough though, because I'm like, it's one of those things like, are we really, are we really in a position where like being a US based IP gets you some kind of security? Like, I don't think that should, it's not like there should be a scenario where like if you're coming from a US residential ip, you're just allowed to do whatever you want. So I'm like, I don't, to me it's fair game, but clearly it's kind of sketchy from, you know, being registered in the Bahamas, having like a Yahoo address as their main email, stuff like that.

Mary Ellen

It's, it kind of makes me think that, you know, I should, I should get some sort of kickback from my cable company. Because a lot of cable companies, I know mine does this, as a matter of fact, is they'll take a portion of your signal from your home and they'll repurpose it for the public WI fi. So they could say they have a broader reach. But I feel like now after reading this, I should get paid for that.

John Strand

You definitely should get paid for that. Um, and you can, even through legitimate services like Bright Data or I mean, you can also do like the community focused version of this, which is just hosting like a Tor exit node. Right? Like you can do that. You can just like have a Tor exit node on your house and good for you. It's not really, I wouldn't say recommended, but it's something you can do. But yeah, there's lots of services like this. Most of them will pay you for your traffic. You get paid by the amount of traffic that goes through it usually. So it's kind of one of these, like distributed economy type deals where no one's using it, you don't get paid and everyone can make their own decision. But definitely DSL root is probably not the company to go with if you're looking for services to use for illegal botnet. My concern with this, like, me personally, I'm like, what if they do something illegal? Can it blow back on me as a person? Like, I honestly don't know if there's a legal precedent for that.

Bronwyn

Probably depends on the fine print in your EULA for whoever.

John Strand

I mean, like, I don't know, it's interesting to think about. Like, I know there are some like, legal precedents that like, your IP address is not an indicator of identity or whatever. Like there you can't like prove just based on IP address that it was me because it came from IP address. But I don't know if. Yeah, I mean, like the EULA side of things, like Bronwyn said, you might just get shut down. I have no idea what would happen. Like, but yeah, who knows? It's an interesting dilemma. I think at the very least, if you're going to do this, don't do it through DSL root. It's a hilarious topic to get posted on Reddit to just be like, I feel like it's one of those things where, like, if you have to ask, you probably shouldn't be doing it, right? Like if, if you have to post to Reddit and be like, hey, Reddit, am I. Is this a terrible idea? Should I not do this? Like, it's pretty good, pretty Safe to say that it probably isn't a great idea.

Bronwyn

Like, yeah, if you're having to ask Reddit, it sounds like a here hold my beer moment.

John Strand

Exactly. If you have to ask, you've already answered your question, don't do it. So let's talk about Velociraptor. Clever girl, I believe is its official tool. Tagline. No, I'm just kidding. So this is basically an article that was posted in the Hacker News that was kind of repurposed from Sophos. Sophos published a threat Unit research team or Counter Threat Unit. Sophos Counter Threat Unit research team, which they could not come up with a longer name, posted kind of a threat briefing saying that threat actors are using Velociraptor, which Velociraptor is a legitimate incident response tool. I'm not an expert in it, but I believe it is used by legitimate threat actors, or sorry, not threat actors, by legitimate businesses to do incident response. I think it can do things like memory collection, it can run commands, et cetera. But it's being abused right now by threat actors to deploy, which this is kind of interesting, interesting angle. They're deploying VS code and then I guess creating a dev tunnel or whatever through VS code. So it's really a lot of steps and if you look at it from like a forensic perspective, it's incredibly noisy. They're using MSI exec to install Velociraptor. They're using than VS code at from installed from Velociraptor because as you'd expect, these IR tools are very. They're good at executing commands and doing like doing things. Basically they install Velociraptor, then they use Velociraptor to push down versus code. Then somehow that gives them C2. I mean it's basically just a blend of living off the land techniques, which is kind of interesting because this is one of those things where like this is going to fire a bunch of alerts if you have advanced detections and like a SIM and all that stuff. But if you just have an like a basic EDR with no detections, all this stuff could be perceived as legitimate. And so it might not be blocked automatically. So it's kind of an interesting angle. Like living off the land is definitely like the current hotness as far as attackers are concerned. I think that's really what they're focusing on is like, you know, use legitimate tools, but use them in a way that gives you command over someone's computer.

Bronwyn

Sounds like some of this stuff our testers do for sure.

John Strand

Yeah. I don't think I've ever. I think this would require admin. I'm pretty sure installing. I'm pretty sure installing Velociraptor requires admin, but the other stuff probably doesn't. Like using VS code as a, as a C2 is. Does not require administrative access to do that. So. Yeah, I don't know. It's. It's pretty common nowadays. And I, I do recommend people read the full Sophos threat Intel briefing or whatever. They have a whole, like, they talk about how the fishes were sent and how they, you know, then how they package them into different commands and all that good stuff. So it has some fun. Some fun insights for defenders or attackers. Either or.

Mary Ellen

Yeah. And I, and I, I found that, you know, hunting forward in the environment is. It's Fairly simple because workers.dev I mean, you get, you know, if you have a big enough pool, you get tons of hits on that. But, you know, those are two really unique subdomains that you probably won't see unless you know you are compromised.

John Strand

Unless you're compromised. Yeah, yeah, yeah. I mean sharing IOCs is always nice. I will say. Obviously this technique will probably get repackaged and as you know, Bronwyn said we have on the pen testing side started using tools like VS code to like as a C2 because regular C2s are quite noisy. And so this is probably going to be one of those things where like, if you want to be ahead of the curve as a defender, might be good to go and build some alerts for like VS code being installed on a system that probably shouldn't have it or you know, the workers.dev domain. Like Mary Beth said, ransomware wise, we gotta stop over at Ransomware Corner. Apparently Swedish authorities were knocked offline by. Apparently it's a Swedish IT supplier which I'm not going to try to pronounce, but it starts with an M and they requested 1.5 bitcoins to. To unencrypt or to decrypt.

Bronwyn

I thought everybody liked the Swedes. Who picks on Swedes?

John Strand

I know. Also, I'm assuming this is just ikea. It's called. All right, I am going to try to pronounce it Milj Miljo data, which in my mind is just ikea. But for it. Because I don't know a lot about Sweden, so I just put everything in the context of ikea. We're still seeing some ran. This is the first, this is the first kind of like ransomware campaign. We've seen where they were just like, give us 150 grand in the past few months. I feel like that's been dying down. But also in the ransomware corner, Nevada is just really in trouble. Their state government has been kind of like declaring a state of emergency or whatever and kind of working through all the ransomware impacts. Major agencies including the dmv, Health and Human Services, all that good stuff is affected. And.

Bronwyn

Nevada, I mean, Nevada, they have Las Vegas, they have all these casinos. Casinos really pay a lot of attention to money stuff. You would think that their government would kind of pick up on that. Then I don't know. What do I know?

John Strand

I'm assuming there's like Las Vegas mobsters going after the threat actors as like kind of a favor to the government or something in some hilarious mob movie style format. But yeah, I mean, government's government, right? Like they tend to operate on pretty limited budgets and they tend to have maybe lack. Lacking in cybersecurity defenses. And so it's not super. I mean we've seen lots of state governments get hit and city, mostly city governments. I think this, this one is rare for being kind of the most integrated as far as like the city goes or the. Not the city, but the state. Like so many different services were taken down. Usually these things are limited. Like the blast radius is limited to only like certain, you know, oh, it's only the court system or it's only the DMV or whatever. But this one is like everything.

Mary Ellen

Are they back up yet? There was a website, I think they're.

John Strand

Like partially backed up. Like the DMV is back, some stuff is not back. But yeah, it's pretty rough. There's a list someone posted to that S3, it's in the article. But essentially like a bunch of stuff is still offline. Essentially is the summary. And it's been. How long has it been? It's been at least a couple weeks, if not more. So. Yeah. That's a rough one. What is this Citrix vulnerability? What is this? Does someone know what this is?

Bronwyn

I saw the headline. I didn't read the article yet.

John Strand

Come on, Bronwyn, you gotta turn on that AI. Just have it generated.

Bronwyn

I know. No, no, I was, I was sick last week. I'm still getting over stuff. So I'm not, not quite firing on all thrusters yet.

John Strand

This one is kind of one where they're just being upset with Citrix. Double pulsar is Kevin Beaumont, the very. Our favorite, one of our favorite security researchers who published Citrix Bleed and then Citrix Bleed two and now this. They really are just like maybe they just really used to be an IT admin and really hated Citrix and so now they're just keep going back and finding more Citrix vulnerabilities. But basically CVE 2025 6543, which is a fun little countdown CVE that was. They essentially said it was a memory overflow. Memory overflow leading to unintended control flow and denial of service. Then turns out it's also used for remote code execution. Oopsie. And by the way, it also has been used exploited by in the wild by threat actors to compromise NetScaler Remote access systems and maintain access. And they didn't tell anyone if you needed one more reason to patch your Citrix and patch it again. I guess there are some recommendations on threat hunting in this article where they talk about looking at web requests to the login screen or the login API endpoint and then looking for some other CVEs. They also provided Yara rules and all that good stuff. So definitely if you run Citrix and you're worried you were compromised, go and check out that article from doublepulsar. There's two. Is there another Citrix vulnerability?

Mary Ellen

Yeah, I, you know, I, when I call the, all the articles together I try to like, I try not to be duplicative. This one, it's got three CVEs, none of the same as the one that was just covered. So I actually think it's different. But it's like three CVEs all in one for Citrix.

John Strand

Maybe these are like follow. Oh no, it does say. Yeah, maybe it's affecting a different product, I don't know. But it's the same theme. It's you know, memory overflow vulnerability leading to remote code execution and. Or denial of service affecting netscaler ADC and netscaler Gateway. Patch your, Patch your Citrix products.

Mary Ellen

Yeah, basically netscale or just patch it.

John Strand

I'm sure Citrix will be acquired by VMware soon. It'll be fine. What else we got? Bronwyn, you got any spicy AI articles?

Bronwyn

Anything interesting in AI at this point? The AI field, it's, it's variations on a theme. It's all just variations on, on a theme. They're either somebody's figured out a new way to make an LLM misbehave. Okay. Lots of different ways to do that.

John Strand

That we have at least three articles to that effect.

Bronwyn

Lawmakers of course, have no idea what to do because Most of them can't find the any key. On a good day, I'm seeing a lot of not in in our news feed or our news, but I'm seeing a lot of articles about how companies in the 90 percentile range of companies that went all in on AI, they're basically doing a lot of backpedaling at this point. Not so much of reliable information or data on how many people's jobs are coming back. Of course, that's a whole thing. And it's been an interesting thing in the past couple weeks. I've noticed terms of service and privacy policy. Yeah, privacy policies in terms of service have gotten updated from multiple AI companies all within the past couple of weeks. And that's never a good sign when you've got a bunch of people doing that. So it's, it's nothing new, it's nothing exciting. It's all the same stuff and it's, it's kind of depressing and I hate it because John keeps accusing me of being a Debbie Downer on this stuff.

Mary Ellen

Well, there was, was, it was the Talos one new, the one where, you know, these LLMs are showing up now on Shodan, that seemed a little new to me that there were like 1100, you know, it was spotted. They spotted 1100 Ollama servers via Shodan that were exposed.

Bronwyn

That was, that was new. And I wish that I could say I was surprised that. And I don't know which article it was, but somebody finally managed to verify not a bot, but AI being used in malware actively.

Mary Ellen

Oh, right.

John Strand

Was it the ransomware one?

Bronwyn

I don't know if it was ransomware specifically.

Mary Ellen

It was, yeah.

John Strand

We had an article. So yeah, we're tying a bunch of articles together. But for AI powered, I mean, so the article, we'll just cover the, the AI malware one first. So yeah, the article was posted in Welive Security, which I guess is run by eset, which is. ESET is, I guess I would call them an AV vendor, kind of like Kaspersky or Symantec or one of those. It's not, not like a flagship EDR type company, but they do have, you know, security researchers and stuff. Basically, they, they claim to have discovered the first known AI powered ransomware which they named prompt lock. They use the open source model to generate malicious LUA scripts on the fly, which is kind of interesting. Right. So it's like they pack the GPT OSS 20 billion model, then they use that to generate LUA scripts from hard coded prompts to enumerate the file system. I guess I'm kind of like, isn't that, isn't that just a worse than malware? Like, I don't understand exactly how they're even packaging this. Like, wouldn't this model be huge? Like, they can't. A 20 billion parameter model is huge. Do they push it down with the malware? It seems like super un. Unwieldy from a deployment perspective to be like, all right, here comes the malware. And then it's like downloading five gigabytes of AI models. I don't super understand it. To be fair, I don't necessarily know. Yeah, so they, they are clear. They say prompt lock has not been spotted in the wild in actual attacks. This is something they just I guess, found on GitHub. I don't know exactly where they found this, but my guess is this is just some college kids project out of for fun and they're thinking it's being used for real malware. There's no evidence that it's being reused. But yeah, if I'm, if I'm downloading software and it's supposed to be like an exe and then it downloads a 5 gig file, I'm going to be like, huh, that's weird. I guess that's. I also don't super understand. I'm curious what the scripts look like. It says hard coded prompts to enumerate local file system, inspect files, exfiltrate data and perform encryption. I just am curious what the prompts actually look like in this malware. Like, does it say, like, find the most interesting file.

Bronwyn

Wow, he totally dropped off. Oh no. Come back, come back.

John Strand

I'm just here talking to myself. I don't know what's happening. I'm gonna. Let me, let me go, Let me go. Turn off this botnet device I have in my home network. How far. When did I cut off?

Bronwyn

You weren't gone for very long. You weren't.

John Strand

Okay, I'm salty.

Bronwyn

It kind of makes sense. I've been expecting that we would start seeing LLMs and other AI stuff making its way into malware. You know, it's one of those things, it's only a matter of time. I'm frankly kind of surprised we haven't seen more. And it makes sense because one of the things that LLMs are really good at is generating slightly different stuff at scale. So that's one of the reasons why it's so good for phishing campaigns. And now, especially if your EDR is using signatures. Well, how do you avoid, how do you bypass or get around signatures. You make it just different enough so it doesn't match, and that would be a perfect application. So imagine Metasploit and ChatGPT having a love child.

John Strand

I mean, I'm just glad that this isn't a real thing and it's just some something they found on GitHub or whatever. Like, it'll be scarier when it's real. I'm very curious what the prompts they're using for the hard coded enumeration are. I'm sure Bronwood could come up with some fun ones about like, well, and find me all the spicy files on the hard drive or whatever. I don't know. It's weird.

Bronwyn

You can get unlocked models, quote unlocked models, from hugging face already, and by customizing your own model and running it locally, you can do just about whatever you want.

John Strand

So the other AI article that we were talking about before we got to the malware AI was the fact that basically Cisco Talos published a blog or like a research post that they're finding a lot of AI development servers and AI infrastructure out on the Internet. They're counting 80% of this infrastructure as dormant because it's not running a model at the time when they're testing it or at the time when they're scanning it. So, like, they can't really do anything. It's just an olama server with no models running. If the model is running, then you could use it to generate malware or, you know, do whatever evil things you feel like doing with an AI, I feel like it kind of is almost like an extension of what we were talking about at the beginning of the show about speed and integrations and trying new tech over security. That seems to be the theme. It's like, oh, we need a chatbot to talk to our customers. Okay, what do we do? Well, we have to buy this product from Salesloft and then we have to connect that into Salesforce, and then now we're good. So I feel like a lot of this is just the same theme, which is speed and usability over security. Honestly, I'm surprised there's only 1100 of them. I'm curious what other AI products might be out there on the Internet or how they did this kind of research. I love a good Shodan safari. I love just going out on the Internet and finding. Or going out on Shodan and finding random artifacts like this. But yeah, don't do this if you're gonna. I mean, first of all, look at your server bills. Who's just leaving Olamas running out on the Internet, you gotta be paying for that. But also, you know these are going to get abused, right? Like, honestly though, now that I say it, I kind of want to set up a honey pot with an Olama model and just see what it gets used for. Is it going to be someone's AI girlfriend? That's what it's going to be. Let's be real. It's going to be used for like weird, creepy AI girlfriend or like AI dating fraud stuff. The chances that it's anything cool like malware, very low. So there's another transunion breach. I guess we should talk about it. Sales. It's Salesforce. Spoiler alert.

Mary Ellen

Is it?

John Strand

We don't really know if what data they're putting in Salesforce. Like, I'm sure that TransUnion would never put everyone's Social Security numbers in Salesforce or anything.

Bronwyn

Oh no, of course not.

John Strand

They would never do that. Yeah, basically. Or I don't. I guess I said another. Maybe I was confused about Equifax. I don't know if TransUnion has actually been recently breached, but yeah, it's just another Salesforce thing. Essentially appears to be limited data. And it was more. It was impact individuals who like were doing something. Like it wasn't just everyone. It was like people who were acquiring credit or some subset of their users. And the data disclosed is pretty bad. Includes names, billing addresses, phone numbers, emails, dates of birth, and unredacted Social Security numbers. Oops.

Bronwyn

Is.

Mary Ellen

Is there.

Bronwyn

Are there any Social Security numbers that have not been breached at this point?

John Strand

No. I post this website every week, but if you just go to every SSN.com it has all of them on there.

Bronwyn

Nice.

John Strand

This is a joke, but it literally it just starts with the number 0000 and then goes through 999. But I mean, I don't know. It's a good question, I guess. If you were born after the Equifax breach. If you were born after like the AT breach. The. If you were born basically in the last two years, you had a chance, maybe. Also fun fact, Social Security numbers aren't unique and can be reused. So if you were born in the last two years, you might just have someone else's security number or Social Security number. Wow. Yeah, it's kind of a disaster. We really need to use something else for identification purposes. Yeah. So going through other Salesforce breaches, it looks like other additions would be Farmers Insurance and Palo Alto networks were also affected using the same technique. So. Oof.

Mary Ellen

Oh, Brahma. Do you have an update on your friends that have the chicken farm?

John Strand

So has anyone been able to translate a chicken speech?

Bronwyn

I tried, I tried to get my friends. This is speaking about. Was it last week that I mentioned the chicken app? There's an app by a university in Canada and they're using AI to interpret chicken clucks so that you can provide better quality of life for your chickens. And unfortunately my neighbor who has chickens, he's a bit of a Luddite and so he hasn't loaded the app, even though I keep trying to get him to do that. And I know a couple of other chicken people, but so far I haven't been able to get anything from chicken people in terms of confirmation one way or the other as to whether the app actually helps them communicate with their chickadees better.

Mary Ellen

Well, so, you know, go ahead.

John Strand

I see, Mary Ellen, that you put a real chicken article in here. Do you. Do you want to throw that at the audience? Because it's hilarious.

Mary Ellen

Oh, let's see.

John Strand

It's the McDonald's one.

Mary Ellen

Couple links here. Yeah, I do want. You want me to put them in the chat.

John Strand

Well, so I'm assuming you found this article. I don't know if you actually read it or if you just were like chicken.

Bronwyn

Nuggets.

Mary Ellen

Someone submitted it.

John Strand

Yeah. So the article is basically this is an article in TechRadar. So it's real. We swear we're not digging specifically for chicken related articles all over the Internet. Okay, Speak for yourself. Okay, fair. So essentially a security researcher found an exploit to. To to obtain free nuggets. That was their goal, which is a great goal. And basically it uncovered much deeper flaws than McDonald's systems. And they have no. McDonald's apparently has no like bug bounty program. So this is affecting the reward system. And someone known as Bob Dahacker discovered that they could redeem get free chicken nuggets. I don't know the technical details, but the user just decided to disclose them to the public. So I don't know the. They. They didn't really say exactly what the vulnerability is, but they do specifically say changing login to register prompted site to issue plain text password for a new account. So it's probably an AI or sorry, AI API thing. If you're a bug bounty hunter, I think going hacking for free nuggets is a pretty good target. Yeah, this is pretty funny.

Mary Ellen

Yeah, the API keys were complete.

Bronwyn

Site guess says, well, McDonald's has a history of not exactly having secure. I mean, come on, they had a password 1, 2, 3, 4, 5. Yeah.

John Strand

Whoa, whoa. It was 1, 2, 3, 4,. 5, 6.

Bronwyn

Sorry. I'm sorry.

Wade

Who hasn't had a password that's 1, 2, 3, 4, 5, 6 in their life? All right, Like, I'll tell you right now, that has a password.

John Strand

Once again, you showed up just in time to get free nuggets. I'd like to grant you his free nuggets. I mean, like, this is McDonald's business model, right? Giving away chicken nuggets is kind of their business model on some level. Like. Like it. I get it. From a business perspective. Do they really care? They're like, I don't know, though. I guess if you really think about it, that, you know, that's a dollar that they could make, you know, in profit.

Bronwyn

Well, if they get. It's. It's the same thing, you know, you buy one, get one free. Well, first you have to buy one. And what happens with discounts? It's all about enticing you in. And once they get you in, then they hook you with something else and they upsell you with something else, which gets back to my whole thing of capitalism equals greed.

Mary Ellen

I know.

Bronwyn

Update.

John Strand

Oh, go ahead.

Mary Ellen

But for Wade, back to the Clockify for one second, because I did downloadify.

John Strand

Update.

Bronwyn

Did you, Marielle?

Mary Ellen

I downloaded the app and I drove the family crazy because we went to the beach and I wanted to see if the seagulls had a similar, you know, look.

Wade

That's a whole different race of birds. How dare you?

Mary Ellen

But the way the article last week made this app sound, it made it sound like, you know, you could record your chickens, right? And then the AI would tell you, but, no, it doesn't work that way. So what you have to do is you have to guess. It gives you, like, three examples of a chicken in distress, and then you have to learn what those sound like. And then when you hear your chickens, you have to decide, is that distress? Or should I go to the app and click on a happy chicken? Like, it doesn't.

John Strand

How is that AI powered at all? That just sounds like we're the AI.

Mary Ellen

Yeah, I mean, if I'm missing something, I mean, but I downloaded the app and tried to use it, and that was my two cents.

John Strand

Okay, so while we're completely off this topic of cyber security, if you're interested in birding, there's an app called Merlin Bird ID that's published by the Cornell Research Lab, and it has AI based bird detection based on their calls. And it's really cool and really accurate. So if you're into birds. This app, you can sign up for it, and it's really cool. Like, you just turn it on and it'll be like, here's all the birds around you. And it's kind of like Pokemon in real life. It's literally just Pokemon.

Wade

Since I was late, did you. What did you guys talk about? Either the detecting and countering misuse of AI or the one where the college student got recruited by China.

John Strand

Call it. No, we didn't do the China college student. The other one. I'm not sure. Maybe it's.

Wade

It's there. It's the. Okay, let's talk about that one first because. Yeah, yeah, this one is just a big ad for cybercriminals to use AI to tell you the truth.

John Strand

Oh, the anthropic one? Yeah, that one.

Wade

You skipped it. I just think it. Okay, we don't have to talk deeply.

John Strand

No, no, we can. We can cover it. What?

Wade

Like, all right, so I even have. I think I have notes on my, like, work computer about this because I thought it was so funny. Pretty much a bunch of different. A bunch of different threat actors have been using AI, of course, in order to do stuff. But it's to the point where they're asking them. They're asking the AI, how much should I ransom them for? How do I talk to them about it? What are my next moves? Like, completely, pretty much CLAUDE is doing the entire ransomware incident to that point, and they're trying to find and catch these people. The other part about this is North Korean IT workers using. Using CLAUDE in order to pretend like they know pop culture references, like, they know how to conduct all these, like, American business terms. Like, literally, one of them asked, what is a muffin?

Bronwyn

Yeah.

Wade

And so then they had to figure out the CLAUDE had to tell it what a muffin is. And then the argument is, what's the difference between a muffin and a cupcake? I don't know.

John Strand

I mean, honestly, though, right? That's a tricky one. That's a really tricky one.

Wade

The article is pretty good. Watch the video. Because the video just pretty much is a. Is an ad to use Claude AI for cybercrime. There's. It's great. It's absolutely great.

John Strand

But they're claiming, as part of this article, they're claiming they have better detections for this type of activity. Right. Like, they're claiming it's like, we're 10% less jailbreakable now because of this article. Right.

Wade

I don't believe them. 10%. I don't know. It's not that high.

John Strand

That's true. And like Bronwyn said, there's lots of unlocked models out there already. I'm honestly shocked that any threat actors are paying 20 bucks a month for anthropic or I guess they have free accounts.

Wade

But like, you know, no, they, they were playing, they were talking about there was a specific bot used just for pig butchering that was like top of the line. Like for some reason, like everyone was using it and they caught it and they did. They did ban all the accounts, of course, and started catching people. And then they also do talk about the detection logic in which, how they actually detect these threat actors using it, which is also pretty interesting. So I would highly suggest it.

John Strand

Yeah, it's. I mean, it's the, like the classic cat and mouse thing. Any tool comes out, people are going to use it for good. People are going to use it for. There's totally legitimate reasons to ask what the difference between a muffin and a cupcake is. And now I'm kind of curious what kind of response it would give for that. But yeah, it's. I will say it's tricky. If you were to break up your requests into a bunch of different accounts or a bunch of different things, like, ask on one account how to build a encryption tool. Ask on another account how to send an email. Ask on, like, if you spread things out between a bunch of different accounts, it'd be really hard to correlate, like malicious activity. But yeah, I guess it's an interesting time to be alive.

Bronwyn

I know I saw something earlier today while I was scanning LinkedIn. Some guy posted that he interviewed an AI for a job. And unfortunately I just saw the headline. I didn't have time to dive down into it. But I'm curious now to find out, did he know he was interviewing an AI bot or did it come out in the course of the interview that it was an AI bot? So now I gotta go find that.

John Strand

Article because it's a good question, but. And I don't want to play too much inside baseball here, but right now we're interviewing for a DevOps position here at Black Hills. And we've had lots of people who are very obviously using AI during their job interviews to the point that I believe last week someone was asked to turn around and answer the question. Wow, that is great. Wow, that is great. It turned around and then answer the question. But I mean, honestly, it was pretty obvious, right? Like, that we, like unintentionally, we're actually interviewing an AI, not a person. I don't know, it's tough. I mean the, the whole AI thing is, I think it mostly overhyped. That's my, I think everyone is acting like it's going to save the world or whatever, but I think it's mostly overhyped and it's not going to have as big of an impact as everyone thinks it is. But I could be wrong.

Bronwyn

The bubble is bursting and as we were saying before we started rolling live, I'm seeing a lot of articles saying that in the 90 percentiles of companies that went all in for AI, they're now rolling stuff back as fast as they can backpedal. The problem is, I'm sure that not all of those jobs are going to come back where they said, oh yeah, we can fire all the humans and just have AIs do it. And, and now lo and behold, the AIs can't do it.

Wade

And all right, I'm gonna tell you as a blue teamer, it has been a game changer. Like no joke, like I, I'm a full fledged believer with summarizations of like month long chat channels where I don't want to. I have to read a bunch to do an IR investigation to figure out what's going on, but I can just tell the chat, hey, summarize the last seven days for me and pump it out or possibly hey, here's all my notes and here's all the actual chat about this incident. Write me an incident report like stuff like that where it's completely tailored to what I think the AI is more enhanced for. Has been a game changer that's saving me like hours of day. It's.

Bronwyn

Yeah, see, but that's an appropriate use and I see that meta posted a strong disagree. So I, I got into a, I've, I've been getting into heated discussions lately about this whole bubble bursting thing with AI. And you gotta remember I built my first webpage in 1992 and I survived the dot com bubble burst. And the, the whole AI thing is feeling very, very, very, very much like things felt when the web first started going mainstream. And to Meta's point, and to the point that others have made, the word delusion on the part of humans has been used a lot and I agree wholeheartedly because before the dot com bubble burst people were using the web for things without any idea. It was just, hey, I need to be on the Internet. Why? It's shiny, it's new. And we're getting that same exact behavior now with regards to AI. And people are figuring out, oh, maybe this wasn't so much of a good idea. Oh, maybe there's a reason why they call it the bleeding edge. And so what is going to happen? And I need to get all this stuff down in writing because I think it's a good point. The dot com bubble burst led to more appropriate, more sustainable implementations of that technology. We have not gotten to a similar point in the AI bubble yet. The bubble will burst and then people will start dialing back and saying, oh, gee, maybe I shouldn't be using AI for everything, but maybe this is a more appropriate use here and here and here. And also we're starting to see more founders, more innovators in the AI space saying, look, LLMs are never going to create AGI and maybe the whole bigger is better thing is not what it's cracked up to be. And I personally think that rather than having one huge massive general AI, maybe we should be focusing on creating smaller, more sustainable and also more practical specialist models and have them focus. I mean, really generally and anybody out there, I want an AI driven bot like a Roomba or something that will go around and identify all of the messes that my dogs make in my yard and handle them appropriately so I don't have to. That would make. That would be a game changer. You know, useful things like that. That's where we're going to get the most bang for our buck.

Wade

I mean, is this Bronwyn or is this John Strand?

Bronwyn

That's me channeling John a lot lately.

Wade

That was a channel.

John Strand

Yeah. Well, so, okay, my basically like my thing at the beginning of the AI bubble. And yeah, I mean, I don't think Ron was claiming that AI is going to go away. I think she's just saying it's overhyped. The bubble bursts and then we reach reality. That's what happened with dot com. You know, the Internet didn't go away. Somehow you can still search for things on Yahoo. But you know, it wasn't this. It wasn't the Internet for the sake of the Internet. It was the Internet for the sake of whatever purpose that was before the Internet. I think AI is in a similar boat. I mean, my take from the very beginning was AI is not going to replace anyone. It's going to replace people who don't use AI. And Wade's like a threat hunter is not going to be replaced by AI in my opinion. But a threat hunter who refuses to use AI might be replaced by one who will use AI. Like that's kind of my like personal take is it's a tool. If you're unwilling to use it, you're going to get left behind. But if you're willing to use it, yeah, they're gonna, Facebook or whoever fired like a bunch of mid level developers thinking they could replace them with AI. They're gonna have to hire those people back, I think, but we'll see. I mean, even last week we talked about that article where a bank in Australia fired like 50 customer service people hoping to replace them with AI. It went terribly and now they had to hire all those people back. So, like, there have already been examples. I mean, that's only 50 people, but that's a lot of people still. And that's more people than I've ever fired. So, you know, that's a crazy number of people's lives to potentially impact and then have to call them back and be like, we made an oopsie, we need you back on Monday. Please, anyone, if this happens to you, please make sure you get at least a 25% salary bump on return.

Bronwyn

Some kind of salary bump. Because obviously just.

Wade

Yeah, all right. Four minutes.

Bronwyn

Living a dystopian nightmare. Can I please wake up?

John Strand

Yes, you can. All you have to do is don't pay attention. Works great.

Bronwyn

Kind of like what I did all weekend.

John Strand

All right.

Bronwyn

I don't even look at personal email. I.

John Strand

That's, that's the way to go.

Wade

So I, I wear a Garmin watch and I turn my phone off and use the Garmin watch as a notification on a field vibrate on my wrist. So I usually will take my phone off when I don't want to like, see anything. But nowadays, like, even when I'm working, I have to have the, with the watch off because my phone just goes off from email all day long and it's not even just like work email. It sucks.

John Strand

Why would you respond to me? Dude, I've been emailing you all day.

Wade

Yep, this last article, which we can go over real quick, is I'm a Stanford student and a Chinese agent tried to recruit me as a spy.

John Strand

Yes, we should, yes, we should cover this. I didn't see this one.

Wade

This, this one is pretty interesting. Pretty much a Stanford student who was taking Chinese.

John Strand

She looks creeped out, right?

Wade

I would have been creeped out receiving Instagram messages from this person who claimed to. They asked if they knew these other people in the Stanford, and she said no. And she continued to talk to him and come to find out he was a Chinese spy. He actually offered to bring her out to China at one point and then she kind of talked to these other girls that this guy said they knew and come to find out he'd been talking to several people trying to get information from them as well. The other interesting part is her actually reporting on this. She was kind of a little bit like hesitant on it because theoretically she's, she can no longer probably go to China after this. So super interesting one that I highly suggest checking out.

John Strand

Well, she can go. Did you read it? Come back?

Wade

Yeah, she can. Brutal.

John Strand

Yeah. This is crazy. What is their goal? What are they trying to get out of this? Like this information, like research to get.

Wade

Yes, because she's at Stanford, Right. They're doing a lot of AI research at Stanford. They're probably also trying to watch other people that are there.

John Strand

Right?

Wade

The old plug in this USB drive type of thing. I wouldn't be surprised.

Bronwyn

We've never had any.

John Strand

Isn't all this stuff going to be.

Bronwyn

Published countries, have we?

John Strand

Oh, definitely not, no. I, I mean, I don't know. I. I'm like isn't. Isn't a lot of this research that happens at public universities going to be published to the general? It makes more sense to me if it's like I work at Anthropic and I got contacted by a, you know, Chinese.

Wade

I didn't go to real college. I don't know, I did everything online.

John Strand

So yeah, I don't know. Who knows? In my mind, a lot of the stuff that happens in U. S Public colleges or I guess Stanford is private but like the research usually makes it out into the public, but Stanford in particular, it's like maybe they're just looking for the next startup idea. I don't know, who knows what they're looking for? Luckily this person didn't fall for it. I feel like purely based on convenience, I wouldn't fall for it either. I'd be like, dude, I'm a college kid. I'm waking up at 8am to go learn algebra. I'm not going to be paying attention to Instagram. Like what are you even doing?

Bronwyn

You are one of those college kids, huh?

Wade

I was surprised she talked to him for three months and he tried to get off Instagram and onto like WeChat over and over. Which that's typical for like a move, move over to a different chat program that they own, which that's not a red. Could you imagine talking to someone for three months that you have no clue? Like there's a couple discord people in here. I've definitely probably talked to three Months. But yeah, I'm not. I know them on discord. At least not a random discord.

John Strand

I can't even imagine. I can't even imagine knowing how to find the Instagram DMs, because that's the hardest CT EF in the world. Good luck. I'm just kidding. But yeah, I mean, it's. It's interesting. Spooky. Good for her for coming forward and saying something.

Bronwyn

But I wonder how many other people though, fell for it and have gotten drafted into that scheme.

John Strand

Definitely one person. Definitely not zero. I was gonna say definitely not zero. It might not be half, it might not be 30%, it might be 1%. But even if it is 1%, who knows what information will be. Yeah, I mean, it's tough because it's like you want to believe in the Bronwyn's whole thing about I want to stop living in a dystopian nightmare. Like, do you want to just believe that? Like, are you trying to learn English? Like, you want to believe in the, like, united ness of humanity, but then stuff like this happens and erodes your confidence in that and you're like, what are you, a spy? It's like, whoa, sorry, I'm your neighbor. Chill out.

Bronwyn

Not all online encounters are nefarious. Believe it or not, my roommate and I met online in an online game of all things. I was his. His admiral in a. In Star Trek Fleet Command. It was kind of funny.

John Strand

That is so delightfully nerdy. I love it. All right, on that positive note, we'll see you all next week. It's Tuesday. I'm scared. There's four days in this five day week. I don't know what to do. I'll see you all next week. Bye.

Bronwyn

By peace out.