![Chinese firms drop US and Israeli cybersecurity software - 2026-01-19 — Talkin' Bout [Infosec] News cover](https://img.transistorcdn.com/oKWLT2EB7b5kyOKleOb_lShw_GzBSo-pGUJ-blMpmtg/rs:fill:0:0:1/w:1400/h:1400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS81OWM4/MGVkZjI3NzFmYjQ5/NGVmYzE2NjkyMGE2/ZTIzNi5qcGc.jpg)
Alex
What up?
Ben
All right, so it's an A24 film, right? Which already tells you a lot, if you're interested in what it tells on TV.
Alex
It means it's hipster. What does that mean?
Ben
I guess that too. Yeah. But they're, like, a little bit more artistic, a little bit weirder on their subjects.
Alex
Right? Okay.
Ben
And so what happens is, like, Justin Long goes to this guy's house, okay. And he kidnaps Justin.
Alex
Justin Long. Is that the guy who's like, I'm a Mac and I'm a PC?
Ben
Yeah, it is.
Chris
Wow.
Ben
Yeah.
Chris
Yeah.
Ben
Dude, man, talk about a callback, man.
David
He's been around, man, for a long time.
Ben
They turn him into a walrus.
Alex
No, his best work was I'm a Mac.
Ben
Anyway, Die Hard 4. I liked him in Zack and Miri Make an Explicit Movie, but it's directed.
David
By Kevin Smith as well, who's signing.
Ben
Yeah, yeah. I didn't realize he directed that. Yeah, that. It's a gnarly movie. I would not consider it. Not watch it as a date night or with any children in the room whatsoever.
Alex
Unless you. Unless you have good taste. Unless your date has good taste.
Ben
Yeah, I guess it's kind of like.
David
Human Centipede, in that very realm.
Ben
Very, very. Yeah. Did it come out? No, it did not. Maybe it did come out around the same time, too. I don't know. Earlier, so long. I never watched The Human Centipede. I was like, I'm good.
David
The South Park.
Ben
The South Park one. Yeah.
Alex
I want the reverse. I want this centipede.
Eric
Human.
Alex
A bunch of centipedes that, like, combine together to make a human. It makes perfect sense.
Ben
That sounds like Voltron. Yeah, Version Voltron sounds like Oogie Boogie from. From Nightmare Before Christmas.
Alex
All the comments in Discord are just like, oh, we're dropping straight into Human Centipede. I see. I.
Eric
Of Monday.
Chris
Yeah, that kind of Monday.
Alex
This is the pre show, okay. This is not recorded. We're allowed to say whatever we want. Except for, you know, we have our consequences. Go ahead and talk about that.
Ben
Is recorded, huh?
David
The South Park episode is very memorable too, because there's some. There's a documentary, and I forgot what it's called. Maybe it's like Five Days to Air or something like that. But yeah, it's about how South Park used to just go from concept to final episode in, like, five days. And that was the one that they were creating in. In that thing. And just to go through the arc of them, like, tearing their hair out, like, oh, my God, we're not gonna do it. And at the end, like, the FedEx dude is there to get the reel, and they're like, you know, it's like everything works out perfectly each time, man.
Alex
Yeah, I don't know how you could live with that production schedule. But also, it does let them get crazy up to date, like, way more current events focused stuff, which is pretty funny, I think, in general.
John Strand
Yeah.
David
I wonder if they still do that, though, because it seems a little bit more structured now they release it.
Ben
Their release is different. They make more money. They just decide stuff. Yeah, it's definitely. I haven't watched since, like, Tegrity Farms. If you're. If you're a South Park watcher, you'll know that. I haven't watched since they moved to Tegrity Farms. It's been that long.
David
But Integrity Farms now.
Ben
They did. Wow. Okay.
Alex
Okay. Sorry, but people are saying in the comments that the pre show banter is included on the podcast. Is that true? I thought you were. I thought that we were. I thought it was post finger only.
David
No, I include that.
John Strand
I'll trim it if it.
Chris
Well, that explains.
Alex
If it needs some trim.
Chris
Meetings.
Alex
That explains a lot of. Of messages. Uncomfortable messages I received.
Chris
Y.
John Strand
So if it's worthy. If it's worthy of the podcast, I leave it in.
Alex
I think we should take it out, because then how are we going to talk about Human Centipede in the first three minutes of a podcast and not have it get demonetized?
John Strand
What the hell?
Ben
Yeah, you missed that one.
Alex
Ralph's like. I'm not even gonna say any.
Eric
Foreign.
Alex
Nineteenth, 2026. We made it. It's today. We're here for a news podcast, and I'm not the only one here. Luckily, I'm not just soloing it. Today we have John Strand himself, who appears to be backstage at the Emmys. I. Or the Golden Globes.
John Strand
I'm in my. I'm in my son's closet now.
Ben
You just got a curtain. Okay, we see.
Alex
Okay, so you're still. You're still trapped in the closet, but you've added noise canceling closet films.
John Strand
No, no, I don't. I don't have noise canceling closet film. I have his clothes on his hanger that I'm talking directly into, which actually is fantastic. Noise dampening.
Eric
Yeah.
Alex
All right. So that. Yeah. I mean, just for the record, we do have an office in Sturgis, South Dakota, and John has chosen instead to work in a closet. So if that tells you anything psychological about him. I don't know. We have Ryan, of course, making us sound good and look terrible. We have Ralph, who's here to catch some gators and tell us how he does it. The key is to catch them alive, right?
Eric
Yeah, yeah. No, that's why you take them alive and you put them in another pond and then you get called again. It's like it's a business making business type.
Ben
We talk about this every week.
Alex
I know we have Mary Ellen, who does a ton of work behind the scenes to make our new show happen. Find articles, organize them. We have a lot of audience members that do that as well. But Mary Ellen's like the number one article poster. We have Blue back again for another. Another trip around the podcast. Sun, I guess we want to call it. And then we have Fawn. Fawn is here. I cannot pronounce his last name, but I'm sure he can introduce himself. He's here to talk about his workshop later this week. You want to plug your workshop?
David
That was my cue. That was your cue? Yeah.
Eric
Go. Hey, everyone.
David
Yeah, so I'm doing. On Friday, I'm doing a four hour workshop with Antisyphon. And it's kind of the third in a series that I've done on malware development. And in this one, we're basically going to start with a basic framework, a C2 framework, and then we're going to add a whole command handling system to it, and we're going to implement a reflective shellcode loader, and it's going to culminate in us popping calc.exe on a poor, hapless Windows endpoint.
Alex
That is my favorite C2. calc.exe, undetectable. And are you in a closet or no?
David
I'm in an office, but it's a very tiny office. But it actually does double as my closet. All my clothes are hanging up, but I'm not speaking into it. It's a size muffling.
Alex
John's like, interesting, I should hire this.
John Strand
Person, but I wonder if. Yeah. At what point does the closet become an office and the office become a closet? That's confusing.
Eric
That's actually what I'm in. This is just a bunch of closets that turned into an office.
John Strand
I feel like I'm doing this whole running a computer security company thing wrong. Like, I. Like I should be posting pictures of myself with supercars or I should be posting pictures of myself flying first class or with nicer watches than the Garmin that I have.
Alex
You had that option and instead you chose the closet out of all of.
John Strand
That stuff I chose the closet and a folding table with questionable stains from beer pong on it. I feel like I'm missing something here. So we'll see.
Alex
So with the magic of venture capital, you can lose it all. So anyway, we all. Last person we have Wade, who's here. I don't know what dendrologist means. Does that mean like you cut people's hair or do you. Is that like a tree thing? I don't know what it means.
Ben
Explain. It's the scientist who specializes in dendrology.
Chris
Duh.
Ben
No, it's the study of trees and other woody plants. Hence the logging reference.
Alex
I see. I see. Nice. I like it. I like it. All right, so what news. What news do we want to get into first? John, is there anything on your radar that you just want to drop as a hot potato?
John Strand
I just came off teaching for four hours. My brain is mush. I'll throw in crappy hot takes. Like, if someone else wants to bring up a news story, we can talk about it, I think.
Alex
Yeah, we have a few good ones. I mean, one of the first, that's just kind of a funny one. I don't think we need to spend too much time on it, is that China has advised, or I guess Beijing, the government, has advised Chinese firms to stop using Israeli and US cybersecurity software. So it's like. It's like the UNO reverse card.
Eric
Exactly. Yeah.
Alex
But it does make sense. I mean, I think they're specifically focused around, like, Palo Alto Networks, CrowdStrike.
Ben
It's definitely a blanket of, like, all of them. I think it's like the middle of the article, they're just like, pretty much all cybersecurity everywhere. The funny part is, like, Fortinet's on that. And I'm like, you guys are the ones hacking it, though.
Alex
Like, don't you need these vendors that you have stuff to hack? Yeah. Well, okay, so here's a question. Like, is this the equivalent of, like, if we banned buying stuff from China? Like, you just can't buy anything. Like, are there actual good, top leading cybersecurity products that don't originate from those two countries? Because it seems like 99% of them are from either Israel or the US.
John Strand
A lot of the stuff that China has in this realm, that's IP that they've stolen from these companies anyway, so I don't.
Alex
I don't. Jian Yang building all, like, in. In Silicon Valley. Jian Yang has, like, the Chinese version of all this. Like, Chinese CrowdStrike.
John Strand
And I'm not ripping on it and saying it's a bad thing. I mean, way to go, China. But honestly, I'm surprised, like, this wasn't a thing sooner. I. I'm just shocked. Right? Like, not necessarily from a security perspective, just from, like, an economy perspective. Like, basically China is one great big huge venture, like, venture funding capital company. Right? They're just worth, you know, billions and billions and billions of dollars. And, like, why they wouldn't be forcing people to use Chinese company software, because it helps build their own economy, is something that's just surprising to me anyway. And I wouldn't be surprised if that's more at the heart of this than it is the security issues with these products.
Ben
I was curious with the companies who are actually in China. Like, it lists the people who are being affected by this most, which is, I believe, who actually had stuff in China. I think it was, like, Broadcom has a whole bunch of Chinese stuff. Fortinet and Check Point, which. Great.
David
So you're.
Alex
So you're saying that. Yeah, well, okay, so I mean, of course their stock prices have dropped, etc. I mean, someone in chat brought up an interesting point, which is, like, what percentage of the Great Firewall, or how much of it, is US-based firewall technology?
Chris
Right?
Ben
Like it's all open source technology just ripped.
Eric
What is it?
Ben
pfSense. Like, it's iptables, actually.
Alex
iptables. Oh my God.
John Strand
Don't rip on iptables.
Eric
Okay.
Ben
Actually use the free version of. Of Active Countermeasures on the whole firewall.
Alex
Hold on. If you're a real hipster, iptables is the crappier newer product. ebtables is the real product that.
John Strand
You want to be Net filtering. Are we going to go back to that?
Alex
Yeah, yeah. Anyway, I mean, we don't need to spend too much time on this article. I think the main conclusion is the same as John said, which is, how is this not already a thing? Because having a US company with access for, like, an EDR like CrowdStrike, it's basically a C2, right? They have full access to all the data; they can.
John Strand
Fun is like malware of the day article coming up for strike.
Ben
So yeah, most, most of these vendors don't even sell in China, though, anyways. Right? Like, I think 90% of them, they're like, they won't sell to China, which.
Alex
Is awesome because they don't want their IP to get stolen.
Ben
Right?
John Strand
Yeah, this might be in the article, but I'm wondering, what about US-based companies that have offices in China? Do they have to switch out from these vendors? And that's a good one. So I don't know.
Ben
I, I doubt that, because usually, I know the, the Chinese companies that have bases in the US have completely sectioned off networks where they don't. They're. They're not supposed to allow. Like, there's a clear wall. Chinese are here.
Alex
The national guest wi fi.
Ben
Yeah, pretty much, yeah. From what I was told. Like, even the Chinese workers, like, usually ask, like, hey, can we get access to this? And they're like, no, you can't have access to, like, legally. Like, we cannot give you access.
Alex
So the last joke I want to make is, some say that China's soon going to switch to using a Huntress trial license for their EDR.
Chris
Just so.
Eric
I mean, but that's something they would do, right? They would just.
Ben
I found it funny. Even China's getting off Broadcom, right? Just.
David
Ouch.
Eric
Getting bad. It always was bad.
Alex
Yeah, we can talk. There's a decent amount of convictions we can just, like, hot run through them, or, you know, like, pending court cases. A lot of people are getting caught this week. First of all, a Tennessee man pled guilty to hacking the Supreme Court election electronic case filing system. This, I think, happened. It was late last year. I remember when we talked about this, and yeah, unfortunately, or I guess fortunately, or whatever, whichever way you look at it, it was someone based in Springfield. They intentionally accessed a computer without authorization on 25 different days. What they accessed has not been disclosed. So we're not 100% sure. Like, but like Wade brought up in the pre show, the Supreme Court's proceedings and all that, like, a lot of that stuff is private. So, you know, that is kind of a different. Typically in the US the court system is wide open to the public, but with the Supreme Court, that isn't the case. So who knows what they accessed or how much they're going to get in trouble for it. But it seems like the court system might be a little biased. I wonder if they'll get off, because they'll say that there's no. There's a conflict of interest for the whole court system wanting to protect itself.
John Strand
Did they ever talk about what the vulnerability was that he was taking advantage of?
Ben
There is, there is another link to the article. He was only 22 as well. If you do the math.
Alex
We don't have, at least in my. From what? From the court documents, which is all we're pulling from right now, I don't think there's. It's basically just accessing a computer without authorization.
Ben
Someone probably left default creds somewhere.
John Strand
Really, really super short. Super short document.
Alex
Yeah. I don't know. Like this is literally a one page document. So there's not a whole lot of details in there.
John Strand
Yeah.
Alex
But yeah, there's also.
Chris
Like the, the Tennessee Supreme Court. I thought it was interesting that their. One of their solutions was like, we're just going to move everything to paper, and rather than doing cybersecurity stuff, we're just going to. Everything needs to be filed by pipe, by paper instead. Just to not be.
Alex
I don't need a phone anymore.
Eric
We're just gonna send notes, we're gonna get.
Ben
There's gonna be an article later on for dumpster diving man. Dumpster dives, yeah.
Eric
Yes.
Alex
Yeah, exactly. Papers. Paper is so much worse. There's no chain of custody. It's like, who touched this paper? A lot of people. All right.
John Strand
This is wild. These court documents are like one to three pages. I'm just trying to find anything about this. Like, it's just kind of crazy.
Alex
Continuing with getting in trouble, a hacker got seven years in prison for breaching the Rotterdam and Antwerp ports. That was a 44-year-old Dutch man who was. The arrest happened in 2021. He was convicted in 2022, appealed multiple times, and now has finally been convicted. Gets seven years. I don't know exactly. I, I don't think we covered that breach. But yeah, basically it was a media drop. So it was a USB stick containing malware, and yeah, so he was, like, you know, the world's worst pen tester, I guess, or best pen tester, depending on how you look at it.
John Strand
USB dead drops. Classy. Classic.
Ben
Yeah, because anyone still falls for those, right? The other, I don't know why.
Alex
The other interesting thing with this one, I hope there's, like, a Netflix documentary about this at some point, because it says that he also got convicted of facilitating. He specifically hacked the computers to facilitate drug trafficking, and he imported 210 kg of cocaine. So more than most pen testers need.
Ben
That needs to be at the top of the article. I felt like that's more impressive, right, than anything else. Like, my first thought is like, why is he trying to actually hack these if he's just some regular dude? But that totally makes sense. Wow.
Alex
I hope there's, like, a dramatized or a documentary about it, because it would be really interesting to see, like, on a technical level, how do you actually go from breach to importing cocaine? Like, is it like when they go to scan the. The container is just, like, not cocaine?
David
Like, I don't know, maybe change the record to say it was already inspected.
Alex
Yeah, that could work. That would. That's a good way to think about it. It's like this container has been pre. Pre cleared or something like that.
David
I don't know.
Alex
It's probably less interesting than I'm making it sound in my head, but it could be interesting.
David
Interesting.
Alex
Nice. Any other convictions?
Ben
There's one from OM.nl. The article is actually in Polish.
Alex
Okay. Why is it in Polish if it's .nl? I'm very.
Ben
Oh, never mind. I don't. I don't know. I totally screwed that up. I was just thinking, I was reading another article. I think it's a different breach. 30-year-old, 3-year-old man under international surveillance. I see. This one sounds like someone just tested out hours. Oh my gosh.
Alex
So it's. It's written in Dutch.
Ben
Written in Dutch. My bad.
Alex
No shade for not being able to identify Dutch versus Polish. I don't think I could either. I'm just going based on the TLDs. But yeah, that's. It's an interesting one. What did he do? I'm confused. He enabled criminals to test, to develop malware.
Ben
I'm wondering.
Alex
He just ran VirusTotal, basically.
Ben
I'm guessing he probably started up a fake company, went and bought anti-malware from big vendors, and then allowed people to test malware there.
Alex
That would be nice. Is that illegal?
John Strand
Yeah.
Alex
John, we. John, we have to shut down this security company like right now.
John Strand
Right now. Because reasons.
Eric
Unrelated to the article actually.
Alex
Unrelated to the article. I gotta go make a call.
John Strand
Yeah, this. In other news.
Alex
I don't know.
Eric
Speaking of trying.
Alex
Yeah, I mean.
Eric
Oh, sorry. I was, I was gonna say.
Alex
No, you're good.
Eric
I was gonna say speaking Segway.
Alex
Take it away.
Eric
Shut stuff down. It sounds like the, the US government's trying to get rid of NIPR. Right?
Alex
No.
Eric
Yeah. So for those who don't know, NIPR is essentially, like, the, the non-secret or non-secure. Even though that's not actually true, just the non-encrypted. But that's actually not true. I don't know how to describe it. It's a place that you can go browse Google. It's a network. So in the government, they, they separate out classified networks. So you have your NIPR, which is, like, you know, in essence, connected to the Internet that we all know. Then you have SIPR, which is information that's classified as secret. It's actually on separate everything. So separate routers, separate switches, separate cables, separate everything. It has, like, a separation, like, a physical separation between the two. And then finally there's top secret, which is also the same exact thing, all different equipment. But in the article, they're talking about actually moving away from using a NIPR at all and just having just commercial Internet. So, like, instead of having a separate network the government maintains for you to access things like Google or your unclassified email, you would just go onto the Internet like you would normally.
John Strand
I have a lot of problems with this. So I think that part of this originated from the idea that NIPRNet is kind of, it's kind of neglected and kind of a train wreck, at least last I looked, right? It's just, if you look at all of the classified networks, if you're looking at SIPRNet and JWICS and then CWAN and GWAN, right? Because you have different WANs available for government people and contractors as well. Because that gets into all kinds of weird things. Like, you know, how does a, how does somebody from Lockheed Martin do their timesheet when they're in the classified facility and not in a Lockheed Martin facility? And they don't. It gets complicated. If you're looking at, like, NIPRNet, I feel like there's been a lot of problems with NIPRNet. And honestly, the right way to handle that was try to, you know, try to put some security around it, try to come up with some standards and do that. But the hard part about NIPRNet is, like, everybody's fighting over it, right? Like, even if you look at GWAN, CWAN, SIPR and JWICS, right, where you do those delineations from a handoff from, like, the FBI to the CIA to the NSA to the NRO to DHS to all these government agencies, it's, it's really hard to say who is definitively in charge of it. Even, even if you do the different groups, they want to maintain responsibility for their own network segments. And I, I feel like they chose the wrong answer. That it's like, you know what, forget it, everyone's going to do their own ISP. How's that sound? Right?
Alex
It's a huge missed opportunity to do a branding deal with, like, Trump Net or something and be like, I use the best Internet. The government, it's good, it's military.
Ben
Why did you put that into the ether?
Alex
Okay, it doesn't. It could be any, like, any large ISP, but it would be funnier if it was just a completely made up one that's just like, you know, it's still NIPR, but they just rebrand it. Like, you know, it's all, it's a simulation. We, anyway, go back to actual.
John Strand
So I, I feel like this is just a way of, like, somebody clearly high up in the government, they put in charge of trying to deal with the situation, and they clearly just threw their hands up in the air and said, screw it, we're just gonna get rid of it. Everyone hates it. I love that, though, what to do. You're all gonna have your own ISPs, you're all gonna pop out on your own. You're all responsible for your own crap. Good luck. And I'm willing to bet the meeting was like, yeah, if you guys don't take care of your own connections, then bad things are going to be coming to you. Eric just put in "mil spec quality at the lowest bidder." Yeah, absolutely.
Eric
So I mean, but this even comes down to classified networks, too, because I mean, essentially classified networks were dedicated lines, right? Like I described that. But eventually they moved to carrier grade delegations between those. Right. So essentially commercial, they could ride commercial fiber, right. And that is your bulk encryptors that they have, which are classified encryptors. I would say classified. They're, they're a part of classified programs to send encrypted data over transit fiber. Right. That, that also has normal Internet. Okay. So I mean, this was something that they, they, like, worked in to get that to happen as well. So I mean, like, yeah, and here's.
John Strand
The big problem with getting rid of NIPRNet, right? So if you look at a lot of standards, there's SABI and there's TSABI, top secret and below interoperability and secret and below interoperability, where there's standards for how you integrate a classified network with an unclassified network and a high classified network like JWICS down to, like, SIPRNet, right?
Eric
That's NIPR drive.
John Strand
If you're looking at how these things are connected, like, one of the things you said, I'm going to push back, where people are like, you know, SIPRNet and JWICS is completely isolated. It's not. It's effing not, okay? There's lots of different guards that are basically designed for transferring data from the low side to the high side, or the unclass side into the classified side. Right? Because you're going to be pulling that open source intelligence, you're going to be pulling it in for ingest and analysis on the other side. And this is one of those concerns that I have with just getting rid of NIPRNet and these standards that exist, is NIPRNet itself was just a train wreck years ago when I looked at it. I'm sure it got much better, but it was a train wreck. Right? And I don't see how having everyone setting up their own unclassified network pops that possibly can be tied into classified networks is somehow going to be a better approach. I just, like I said, it clearly looks to me like someone got put in charge of this. They looked at how difficult it was, threw their hands up in the air, flipped the card table over, and are walking away at this point, which I'm not going to disagree with, because that may be the best option going forward. Because.
Alex
Yeah, no, I. When, when clients do this, like when we're doing a pen test, and I'm like, they're just like, all right, be honest with me. How bad is it? And I'm like, I would just completely decommission this entire system. And they're like. And they. And then they actually do it. I'm like, nice. Because, like, you know, I. A lot of clients that try to schlub something like this along for years, like, I just. The retesting is always like, still vulnerable. Sorry. And they're like, well, the developer states. And I'm like, nope, sorry. And then it's like years of that, and then eventually they're like, nope, ditch it.
John Strand
Then you get into the point where they talk to their lawyers and they're like, we can't get the developers, the systems administrators to upgrade this if we get breached. What's our liability? And the lawyers look at the past three pen test reports and go bad. It's real bad. Like, if you haven't fixed this in three years and you've been told for three years, it's bad, that's all on you.
Guest
Like in the article, too. Like, it's also a usability issue. Like the one person sort of saying, like, you know, I. I'm secretary of the army and I can't print, I can't use teams. You know, I can't do it.
John Strand
So it sounds.
Guest
It's also like, it just doesn't function very well.
Alex
Well, that's the whole point of experiment.
John Strand
I, you know, I read that too, and I, Yeah, like, I said that. Welcome to working in a classified environment.
Alex
It's just, I do like the fact that every executive complains about not being able to print. Now. There's some universals feel that pain.
John Strand
So when are they just going to get rid of printers? There you go, Good idea.
Eric
Then we don't need them.
Alex
Okay, John, stop rocking the boat. Listen, we already got rid of NIPR. That project's going to take 10 years to complete. By then we can talk about printers.
John Strand
All right, one thing at a time.
Alex
At a time. All right, what else is going on? There's some potential minor geopolitics in Europe. This is kind of an update to a previous story, where essentially the Polish former justice minister. I'm not going to try to pronounce his name. I.
Eric
It's.
Alex
It's way out of my wheelhouse. But he was convicted of embezzling money, or facing charges for embezzling money. And then I guess he was like, hey, I got a buddy in Hungary who can take me in. Is that cool? And somehow that went through. And so he's now a Polish fugitive in Hungary, which, like, generally you don't go fugitive in the, like, same European bloc that you're already in. I feel like it seems like Hungary.
Ben
Has a history of this, though. Hungary.
David
The.
Ben
The Hungarian guy who let him in is in the same party, for one thing, right? And then he also got caught for the same thing, and they let somebody else in for the same thing. Pretty much running spyware on people's phones.
Alex
So Hungary is running basically, like, an asylum service. Asylum as a service. It's like, pay us, if you buy us a yacht or whatever, you can come take a cycle of here. It's like Switzerland. We're neutral, but we will take all your money, so come bank with us.
John Strand
That neutral?
Alex
We're neutral. We're not that neutral. Yeah, that's a good one. In AI space. Interesting. I guess there's now one. This is the Grok stuff. So it's. This is kind of gross. If you're not. If, you know, if you're. If you want this to be a children's podcast, first of all, what are you doing here? Second of all, you might want to skip this article. But essentially the California AG, the Attorney General, is investigating Grok, which is Elon Musk's AI tool, for non-consensual deepfakes. Apparently Grok has something called a spicy mode, which has the functionality to. Of course it does. Which of course it does. I guess it's super creepy. I. No other AI has this, to my knowledge. Right.
Eric
I mean, no other person's this creepy.
Alex
No other AI that's like, claims to be a reputable company has this capability, right? That I like. ChatGPT doesn't have this. Copilot doesn't have this. Claude doesn't have this. But essentially people can use it, I guess, to generate deepfakes of other people, or, like, have it undress someone, and it gets gross. And there's, like, kid stuff involved as well. So I thought they didn't fix this.
John Strand
They just put it behind a paywall.
Ben
Well, I remember that. I remember them talking about that. I want to say even OpenAI talked about that. Making, like, an adults only version of all their AI products to do things like that.
David
Yeah.
Alex
Apparently Elon Musk says that it's never generated anything illegal, ever.
Eric
Ever.
David
By his definition of illegality.
Alex
It will refuse. It will refuse to generate anything illegal. We know AIs, they're super hard to jailbreak. You know, everything.
John Strand
I remember my first child porn case that I ever worked. It was actually a guy who was drawing child porn art, and they basically were like, yep, that's not illegal. And their whole take was, well, it's not illegal because there's no victim. It's just drawings. Right. And, you know, I guess I can kind of somewhat understand, like, the twisted logic to get to that point, but I can't help but think that that's how Elon Musk is trying to, trying to cut this. It's like, yes, it's generating these images, but they're not images of real children. Right.
Alex
So that would actually make more sense than what he's doing, which, what he's actually doing is claiming it doesn't generate the images. That there's very clear proof that it does.
John Strand
I know because in the lower right hand corner it says Grok. You know, powered by Grok.
Eric
We'll have to watermark all of them.
John Strand
And I just.
Alex
Oh, the watermark makes it legal. I think that's how it works.
John Strand
And someone joked, they're like, yeah, well, now Grok's on DoD networks. So that's good to know.
Eric
Oh, yeah, that's true. It's a smarter AI. It's definitely more.
John Strand
It's a better grok. Yeah, it's the grok of war. Not the rock of guns.
Eric
Yes, the grog of war. The other thing I was going to say about these large language models doing, you know, malicious or not great things is that a lot of the open source models are catching up to the frontier models. Right. The frontier models always be ahead, but to the point where it's good enough. Right. And so we'll probably see more of that in different spaces where it's not one of the big four frontier AI models that's doing this, but some other smaller company that has access and set up one of the other open source models. That's good enough to do.
Chris
So.
Alex
Okay, this is kind of gross. So I don't want to dig into this too much, and I almost don't want to ask this question, but there's not necessarily do. Is there a legal precedent for the, like, the prompts themselves, would those be illegal? Would the images be illegal?
John Strand
Like, if you, if you really want to dig down to where the legality is. And this is the, this is the thing that, like, keeps me awake sometimes at night, whenever they're talking about. Anytime these AI models have created this type of protected, illegal images, it was trained on that. What, what data did it get for the training? And that's, that's the thing that really bothers me because you can come out and say, well, they're not real kids. See, but it was trained on some data somewhere. And that ultimate data that's underneath the hood. And this is, this is something. If we had someone that was going to prosecute this, that should be the question that they're asking. So if it's generating illegal images, the question that should be immediately asked is, how in the hell did the AI model learn? What did it train? What was the data set that it was trained on to generate that and that.
Alex
And we have, we have in the past talked about researchers who found. There was a researcher who was trying to train his own AI, downloaded an image data set, and then his Google account got locked because it said there was CSAM in the, the, in the image training set that he was using. And so basically we know based on that that there are CSAM abuse images in large training models.
John Strand
So I guess is saying CSAM found.
Alex
How do.
John Strand
Yeah, yeah.
Alex
So, okay, how do we. What is the. Like, if we, if we were the California AG or whoever, and we were designing a set of rules around this, what would you design? Would you say that the prompts are illegal? Should this be illegal? Like, because on some level, you don't want to police AI too hard. But also it feels wrong to be like, oh, you can just type whatever you want into AI and it's legal. Like, hey, AI, how do I hide a body in my backyard? Like, should that be legal? Like, I don't know, is it.
David
Is it illegal to Google that?
Alex
It's not illegal, but it could be used against you in court.
Eric
Right.
David
I think it happens quite a lot too. I've seen many cases where they're like.
Ben
We, we've already seen that starting to happen, right? Like one of the forest fires that happened in California. The guy asked ChatGPT like, hey, would I be liable for this?
Alex
Right?
Ben
It said, yeah, you would be.
Eric
So.
Guest
And there are certain key phrases. It's been a long time now, but back when I did forensics, like, there are certain key phrases that if you are looking for that you can put them in and that. It's like, there's like secret phrases that those types of folks know and they know to put them in. And it's really disgusting. And it's, it's like, it's like a secret, like language. Like it, you wouldn't even know it, but like, when you put it in, it'll get you what you want. It's weird.
Alex
So I guess James Randolph brings up a really interesting point in Discord, which is arguably you do also need some training data that is CSAM so that you can train CSAM prevention models. Right.
John Strand
Like, that's an interesting angle that's been done for years. So.
Alex
Right.
John Strand
The FBI, there's this function. It's Mary Ellen, it's, it's KFF known file functionality. Is that.
Eric
Yeah.
John Strand
Is that it? I want to make sure I got it right.
Guest
Yeah.
John Strand
So the, the, the FBI just, we're going to use them because they have a monster, monster, monster database of child pornography. Now, it used to be, whenever you were working these cases, and this is right around when I started working and was working some of these cases, is an agent. Well, you as a forensicator would go through and see something, and as soon as you saw something hands off a keyboard, you're calling in an agent. And then the agent would look at it and then they would go through the rest of it and then they would make a determination, they would do lookups. The problem with that is that it psychologically destroys you over time. So what they developed was a monster hash database. This is like the earlier incarnation of it. They created this monster, like hash database of known child pornography images. Right. So an agent wouldn't have to actually sit there and look at it. And if you're working a forensics team, you wouldn't have to look at it either. It would just go through, it would hit the hashes in the KFF and then it would bring back and say these 23 are known, no known CSAM. Now, eventually you would have to have somebody look at it, but you wouldn't have to go through absolutely everything on someone's computer. System.
Eric
System.
John Strand
Now, as that progressed, over time, they started developing better image recognition models because the people that do this stuff are wicked, wicked smart. They would go through and scramble files, they could scramble Hashes, they would do all of that stuff to try to get around this. Then they developed better models that could actually look at the images and then correlate it back to known images again because the hash would be changed. And that gets into a number of really cool image recognition utilities. Now somebody bringing this up, There are absolutely AI models that are not connected to the Internet, I hope, that are literally just being fed huge farms of all of that previous child porn data. And then basically you can still have the forensics tools do that analysis and then it can basically give you a determination. Now that is a legitimate tool with a legitimate purpose in life for law enforcement. Right. That that's different than what I was talking about. Whenever we have these AI models that are public that you can ask it to do this and it does it. That means somewhere in that training data it got a hold of some bad data that it should have never gotten a hold of. And I think that that's where the illegality and that's where there should be some law enforcement research basically saying how in the hell did your AI model even learn about this in the first place?
David
But I am curious though, is that always true or is there a level of inference that it can deduce that that's what it's looking at? What I mean, let's say I make something up. I have a picture of a parrot in the style of M.C. Escher and it can recognize that, but it didn't really train on a picture of a parrot in the style of M.C. Escher. It's trained on a parrot and an M.C. Escher. So it could like infer that's what it was. I'm just kind of like being devil's advocate out loud here and obviously not trying to challenge it. Or apologist.
John Strand
Yeah, I can answer that. The way the system is trained is any of the images that it's trained on are known real victims of abuse. And the reason why. But the reason. Huh, what's that?
David
I'm talking about this, not the one the forensics use, but the one let's say that like, let's say Grok that's able to generate it. I'm curious, does it mean it had to be part of its training set or can it take two separate concepts and combine them to produce that?
John Strand
That's the question. And I think that that's the thing that should be investigated.
David
Yeah, yeah.
Alex
And it's also worth noting that there are some states that have laws against deepfakes or are making laws against deepfakes. I think Florida has one. So, like, I don't even. I mean, California is the big, you know, the thin end of the wedge here. Like, this is probably going to go a lot further. We know AI is tied up in all kinds of legislation right now in general, but I don't know, even if it's not child stuff, even if it's full adult stuff, it probably still shouldn't be allowed. Like, hey, let me make anyone naked. Like that shouldn't be a thing that companies are providing as a service.
Chris
It shouldn't be a thing. I mean, there's. Yeah, there's ads for it though. And I think for Grok keeping this in the mix, they may be looking at and saying there are competitors that are doing this. So rather than have everybody leave X in order to go get the stuff done somewhere else, they're like, we're just going to not bother and let you do it here.
John Strand
But that's one of the things, Alex, where there has to be a conversation. It's like, I think we're okay losing that market share there.
Eric
Let's.
John Strand
Let's lose that market. How?
Alex
Yeah, how many people are really going to pay specific. I mean, I guess I don't want to know that.
Chris
I'm not.
Alex
Way too many.
Chris
I'm uncertain if X is okay with losing market shares. They're just like, yeah, whatever.
Alex
Yeah, that's our thing. Our thing is abusive images. Okay. No one else can have that market.
Chris
Apathy range at X. Yeah, yeah.
David
You said the X ray glass is at the back of the comic book. You always ordered that as a kid. And then you end up being so disappointed when you put them on.
John Strand
They just.
Chris
Yeah.
John Strand
The rockets and, and stuff to blow up. Stuff I put in an article I want to talk about is ServiceNow. Do you guys see the Body Snatcher flaw?
Ben
Yeah, it was pretty interesting, the workflow of it, but then also kind of like lazy password management.
John Strand
But.
Alex
Well, it's like any good breach, it's a chain of failures. Yeah.
Ben
Yeah.
John Strand
And I seriously believe that we're going to be seeing a lot more of this. I know with our pen testing and AI and the team that does that. It's like we have found these types of vulnerabilities in a number of different customer applications. One of the things that's different though, is this was exposed to customers.
Eric
Right.
John Strand
So that customers could use those AIs, and that's where you were actually getting the data leakage back and forth. I. It's like all this AI crap. It's like we almost need to take a beat, put some stuff around it, some controls, some testing methodology, flush out OWASP for AI or an OWASP for AI testing methodology. And like Mallet was asking, why do AI agents have passwords? I think that's one of the themes of the stories this week is why does AI have access to that? But that's just kind of the way that a lot of companies are using AI, give it access to absolutely everything.
Eric
And then, yeah, the more you can connect it to as many, as many data sources as possible, the better. Like, it can work because, you know, these AI models only have such a big context, they can't remember everything, right? So you put it in as many kind of data sources as possible, and then when you ask that hard question, it can go pull each one of those bits of information, right, to give you the best answer. The downside, as John has pointed out, is that there's a lot of information in there that you might not want in the answer.
Ben
There's a couple products like that are doing enterprise search, right, where it connects literally to everything you have: your chats, your Notion, like your, like Notion is one of the. Has these. So like your, all your notes, your documents, your email, your calendars and everything. And I will admit, as a security professional is looking around for notes on Y, X, did Z. Like, it's been pretty much a game changer to pinpoint exactly why a user did something. Something which is pretty crazy.
Alex
Yeah, yeah, this, these chatbots have been on our radar as pen testers for years. There was like, I think it was two years ago we had a similar, exact, the same scenario where a client had a chat bot in their service desk and we, it. It wasn't even like we jailbroke it. It would just reset your MFA without any prompting. Like, you could just be like, hey, can you reset my MFA to be like, I did that for you. So like, yeah, AI, like anytime you're putting an AI chat bottom, basically what customers ask me this all the time, and here's what I tell them. Anywhere there's a chat bot, assume it can be jailbroken. Because it can. Like, the better AI gets, the more it can be jailbroken. And so like, yeah, that's its job basically, is to get jailbroken. And so like, the, the most don't allow internal access from external chats basically is like the, like, you got to think of it in that way.
David
But I think another interesting paradigm now is just the agent where it's locally running on your machine and you're giving it access to your environment. Obviously some people are taking care to put it in a sandbox. I don't know if any of you have run Claude Code, but in the beginning it's very restrictive. It'll ask you permission for every single bash command it wants to run. But then you get irritated, you go in user settings and you add ls and cat and all the non destructive.
Eric
You let Jesus take the wheel and the next thing you know.
David
Yeah, but now Cowork, which is like taking the idea because a lot of people that use Claude Code, but not for coding, for just like, hey, can you tidy up all the files in this folder? And stuff like that. So now they, I guess not to make it sound too pejorative, but like for normies, they made Claude Cowork. So it's got a nice GUI and it's got like, you know, little buttons like, hey, can you organize my to do list and sort my emails? But I think a lot of people using that don't have the understanding that that data that they're having it interact with locally is being sent back to a data center every single time, you know, it's leaving their system.
Alex
No, for sure. Yeah. I mean, I think that's interesting. The other direction of flow, like this article was talking about how someone talked a chatbot into doing something it shouldn't have done. A company was hosting the chatbot, but that same thing applies to a user of a company using a third party chatbot and all that information is leaking. Like, that's crazy.
Chris
And I've seen where, like I've dealt with vendors that have put chatbots into stuff and a lot of times they'll have the aspect of, well, it's, it's only meant in order to do these certain things and please don't beat it up. And I'm here to say that like, please don't is not a security control. Like saying please, please don't try to jailbreak it. Like it's supposed to be very simple and it's supposed to just kind of, you know, help you navigate the, you know, find things in the menu to where it's sort of like, well, if, if your interface is hard to use, adding an AI to it isn't going.
Eric
To help the other thing too. While, while these chat assistants and large language models, foundational and all this other stuff can and should be expected to be able to save every single thing you say, we also have to assume they can't save every single thing you say. Okay? There's just not enough space to do all of that. They don't make any money off. Well, let me phrase that. They want to save certain things maybe. And it is possible they could be using that to sell to advertisers or other things like that. That. I'm not saying that can't happen. What I am saying is they can't store everything they don't have. If they could, we'd have the smartest agents already because they would already have the memory to remember everything I said from.
Ben
Yeah, from the corporate security space. Right. Think about most of the contracts these corporations are signed are saying you cannot train your model off what we're saying or you can't even log what we're, what we're providing. I'm interested to see like when one, when one of these big chat bots or chat provider AI providers, are they actually telling the truth? Or like do they have backend logs?
Eric
At the end of the day it doesn't matter. People think that they're like some special snowflake and they're not going to be able to solve some business problem because they didn't have that information. Maybe they don't need, need a credential that's sensitive inside of there. I get that. But they're just going to continue to make models that are smarter whether you give them the data or not. It's irrelevant to the equation.
Ben
I have a product for you that'll manage your credentials for your AI for you. I'll tell you about it later.
Alex
Okay, so the like, it is funny though to think about like if it's trained on, if, if these AIs are trained on like normies, quote unquote. And you have like, you, you go to the AI, you're like, hey AI.
Ben
I need to find something.
Alex
And it like opens up Ask Jeeves and types. You're like, no, I didn't want it trained on the grandma data set. I wanted to train on the, the Gen Z data set. And then it just goes to TikTok and like types in whatever topic you're looking for. It's like, like no, not that either. Stop. I, I wanted like the professional businessman version. And then it's like, yeah, I, I don't know. It is funny to think about though. You know, enterprise isn't that special but. And for every company that's not okay with their data being shared, there's probably at least one that is like for free. I'll share everything we have because I can't afford to pay for a private model or whatever. Yeah, so yeah, anyway, John's broken. John, what's going on?
John Strand
I do want to call out one thing. So this is a recommendation to AppOmni for their article. It's a really amazing technical article that Aaron Costello put together. Really, really, really well done. But it's missing something incredibly fundamental to this entire thing. You're using this for marketing and I'm talking directly to the people at App.
Alex
On what article is this?
John Strand
This is the AppOmni Body Snatcher thing, agentic AI article we were talking about for ServiceNow on it. And one of the things I want to call out for this particular article for Body Snatcher. Once again, extremely technically well written, shows high level of competency. The one thing that is missing is you have a disclosure timeline where it was disclosed to ServiceNow October 23, 2025 and then ServiceNow remediated it and sent emails to customers on October 30. Other than that, there's nothing in this article that talks about the collaboration working with ServiceNow to get this remediated. And if you're a company that's going to be specializing and doing this type of work, you really want to highlight how did you work with ServiceNow? And it's entirely possible that ServiceNow were just mean and they weren't great to work with and saying nothing is better than saying something bad. And I can understand that. But anytime you're doing these types of disclosure, coordinated disclosure timeline clients, it's really important to highlight like how did you work with ServiceNow rather than just dropping a couple of dates into it. So one little recommendation. But other than that, the article is incredibly well researched and incredibly well done, I think as.
Alex
Yeah, and that's a good, like a really good call out is like the. If AI firms or, you know, AI companies that are implementing AI products are looking for a vendor, they're probably you're going to be top of mind. So having that communication there is pretty good.
John Strand
Yeah. Because if I was, if I was another like company like ServiceNow, you want to work with these guys, but this article doesn't tell me what it's like to work with you.
Chris
So.
Alex
So the other thing I guess like just kind of a thought that popped into my head is like if I was a CISO or some other executive, I would want like a list of all the agents we've approved into our corporate LLM or whatever because like how do you even limit the blast radius? Like let's say there's a breach of your AI system. Do you even know what, like what data could be impacted. Like how many things if you allow people to self service integrate, like, oh well, one sales guy integrated Salesforce, so that's in the cont. In the blast zone. And also one marketing person integrated Jira or whatever, so that's in the blast zone. It's like your token sprawl could get so massive. I would almost want a list of like what agents we've approved.
Eric
How do you find out if an employee has used an LLM in some way and sent that data off to solve some small problem at their job? How do you know?
Alex
Web proxy logs, I guess.
Ben
No, no, no. Yeah.
Eric
Right. Like copy and paste. Like, you know it's being monitored so you put it on your phone or something. Like, I mean, you have your phone recording the screen. Yeah.
Alex
And transcribing backwards.
Eric
You can't protect everything. I mean, everyone loves to sell you the product that says there's no way you can copy this thing. Every single time we did a DLP test, got that data out, it was.
Ben
I think you can always get the. That's the thing with DLP. You will always be able to get the data out. It's. How much trouble is it going to take for you to get it out? And I have seen people fired over copying pasting code into AI browsers or into an AI prompt via DLP tools.
Eric
Like, you better have the proof. Yeah, you better have the proof to bring that forward. Right. Like, you can't just be. But my other question to you is, how many companies do you believe are doing it at that high of a level and can afford that kind of thing to make sure that that's what's happening, et cetera.
Ben
Every company who has DTEX can see that. I'll tell you that right now.
David
But, but I think Wade makes a good point because the general sense is now the models are all converging and models are becoming commoditized. So why go through all that extra effort and risk to use say Gemini instead of Opus 4.5, you know? Yeah, I, I don't know. But it doesn't.
Ben
It's the, it's the old you. You have to give them the ability to use that tool so they don't use one. You don't need that. Yeah, they're not allowed to.
Eric
Right.
Ben
And prevent it.
Eric
Spotify effect. Right. Make it easier to, you know, make it easier for me legal than it is to steal it. Because my, my point with you, Wade, is that you're going to spend all of this money to try to stop something that is inevitable anyways. Right, like, yeah, you're just, you're just putting your hurt on, on your employees, but spending a lot of money to do it to prove the point that they're just going to do it anyways.
Ben
Can we argue that's just cybersecurity anyway, though?
Eric
Exactly.
Ben
Right, right. Like at the end of the day, it's all, it's all governance, risk and compliance. Right. We tried to mitigate the risk as much as possible.
Eric
I'll argue one thing about cyber security and business. The business is about making money. Cyber security is just trying to prevent that data leakage, that security piece. But the business's business function, how it makes money, that's top priority, man. It, it's top priority over the security piece. Right, because you, you have to make money or you don't have a business.
Alex
To, to do cyber security.
Eric
Right. So yeah, to balance those two things. That's what I'm trying to say. I'm not saying forget.
Ben
Yeah, no, I can only get you.
Alex
It's the same thing as. Yeah, it's the same thing as why do we have insecure conditional access policies? Because the CEO wants email on his phone.
Eric
You're going to get rid of him.
Ben
For the best you can do is put it on the risk registry.
John Strand
Right.
Ben
Like that's the best thing you can do.
Eric
But you know, like I've, I've been.
Ben
In that exact argument and like the one thing I've learned in cyber security as you as a defender is you rarely win an argument with sales, depending on what you're talking about, depending on.
Alex
How your company's aligned.
Ben
Very, very. Yes. But most of the time the salespeople are going try to do as much as they can with as little as they can. But you, you try to always, don't, don't block them, provide them an avenue, like push them this way, not. Not just stop them.
Eric
Yeah.
Alex
All right, so we have five minutes left. I think it's a good time to announce the CTF winners this week. So as far as the people who. I guess there's two CTFs. The first CTF is the Antisyphon Training CTF. The first place prize goes to VLVLVL. VLVLVL.
Eric
Good name.
Alex
Who, who won a year of on-demand access to Antisyphon Training. Any course you like, which is pretty amazing. And then. Has won a one training course of their choice, which is super exciting. And then there's a second CTF somehow Black Hills Infosec also had a CTF and localized chaos took first prize with one year of access to on-demand training. And then skill404 aka not found won one training course of their choice. That's amazing.
John Strand
Tom3842 they shared.
Alex
Oh, there was two winners. I thought that was the same person.
John Strand
I thought it was two separate people.
Alex
We have lots of winners. These this week and everyone else, you're not a winner. Sorry, no token for you.
John Strand
Localized Chaos. Thanks for having a name that we can clearly what your name is. We appreciate that.
Alex
So yeah, yeah, thank you for that. And then I guess the last thing I want to do before we get back into chicken articles would be to fun plug your. Plug your workshop. Why should I show up? I'm a budding malware developer and I want to. Want to learn how to make malware. What are you going to teach me?
David
Yeah, I mean I would first off say that I don't really think it's just for malware developers. Like, I primarily identify as a threat hunter. So why am I into offsec tooling? Well, I read about a cool threat and it's not like I can go download every malware sample to run the threat myself and see and develop detection vectors. Once you know how to create a tool, you're no longer subject to using tools that you can access or buy. Like, everything opens up for you. Any idea that you have of, oh, I wonder, wonder if I could do like something that Sunburst kind of did, but use a NULL record instead of a TXT record. Well, go ahead, go and do that. So being able to create your own tools empowers you completely, whether from the offensive point of view or the defensive point of view. So yeah, that's what I would say.
Alex
That's awesome.
Eric
Nice.
Alex
Yeah, I mean, honestly, it's the same thing as like, why do I recommend that pen testers learn how SOCs work? Because you got to know your enemy, right? Like whether you're a threat hunter or a pen tester, you got to know how the other side works. You will learn something, I guarantee you. Like, you will pick up tricks and tips from blue teamers and blue teamers, you will pick up things from red teamers. That's the best part of this industry is when we work together.
Ben
Speaking of know your enemy did were we gonna pitch the new orange book?
Alex
I don't know what that is.
John Strand
New orange book. The survival guide.
Ben
The new survival guides. So there's a new. There's a new Black Hills survival guide you can order, orange bubble book. You can order it now. It is IR based. The reason I remember it is because the article I wrote in it is called Know Your Enemy and it's about threat actor profiling. But some great stuff. I'll throw the link in Discord or go check it out. You can order it on the web store on.
Alex
I'd look at the Spearfish General, but.
John Strand
Yeah, the orange book. So each of the survival guides are going to have a different color and the color is going to have a theme in honor of the T sick rainbow series. So be on the lookout for that and you should just go sign up for Rekka. We give you all kinds of cool stuff, so please check it out.
Chris
Are you ready?
Ben
Oh, we're gonna do the chicken.
Alex
Are there actually chicken articles?
Ben
There is an actual chicken article, but it's literally the dude just comments on KFC real quick.
Alex
Yeah, I, I, I might have deleted that article, but it is funny me. Let's talk about it. Okay. This is like a New Zealand. This is a New Zealand article. So those who don't live in New Zealand, you might be a little confused, but was that it?
Ben
I don't think it was a New Zealand.
Alex
There's another one.
Ben
Yeah, there was one about the dude pen testing a medical company. Medical.
Alex
Yeah, yeah, that's.
Ben
It's New Zealand.
Alex
It's fine. It's fine. It's chicken. We'll, we'll allow it. I'll post the link. I'm posting it in Discord. So here's the. The headline is hilarious is basically the. A security researcher has claimed that the KFC app is more secure than Manage My Health, which for those that understand Manage My Health is a, I guess a New Zealand based version of like MyChart or something. I don't know. But basically there's been a bunch of headlines where Manage My Health was hacked. Apparently there were multiple healthcare breaches in New Zealand and there's been. The person's name is Callum McMenamin who's a web standards consultant who's worked on government website security. He told a news article that he, you know, I found this vulnerability, I reported it, no one cared. So yeah, he basically said the very quotable thing he said is that KFC is more secure than Manage My Health. I guess KFC is like basically there. His justification for this was in KFC, when you order chicken, there is mandatory.
John Strand
Two factor authentication to KFC.
Alex
Right? Right. Dude, I cannot believe they required two factor to order chicken.
David
That seems like the weirdest part.
Alex
That is the weirdest part.
Eric
Not not to say that's not good security because it is, Right? But don't you think it slows down the process to getting the chicken done? Like, is you're trying to get to the chicken here.
David
Like, some people just check out.
Eric
They're like, man, I'm not doing two factor. I, I, I being a red rooster.
John Strand
Now, dude, Colonel's about quality. Colonel doesn't cut corners on security. Why isn't it 13 factors?
Alex
13 factors and spices? Or is it 11? Is it 13 or 11? I don't know. I don't know how many it is.
John Strand
So it was like, did you ever see this is years ago, where. So somebody discovered. Okay, so what is it? It's like 13 herbs and spices, right? Somebody found out that if you look at the Twitter account for KFC, it just, it, it basically followed a bunch of dudes named Herb and the Spice Girls and. No, it gets better. It gets better. The dude found that out, and he tweeted it. And I guess it had been like that for years. He goes, I just realized that, that literally, KFC only follows like, like, 11 Herbs and Spice. And the Spice Girls, right? KFC commissioned an art piece of the guy riding on the back of the Colonel, Colonel Sanders, like a backpack, pointing off into the distance with Colonel Sanders and him going off into the woods together. So I have mad respect for KFC and their ability for marketing, but we got to wrap it up. All right.
Alex
Yeah, let's wrap it up. Thanks, everyone, for attending.
Guest
Feather, multi feather, multi feather.
Ben
She was wishing she was sitting on.
John Strand
That for a while.
Alex
All right. On that terrible dad joke, it's time to end.
Episode: Chinese firms drop US and Israeli cybersecurity software
Date: January 20, 2026
Host: Black Hills Information Security (BHIS) Team
This episode dives into the news that Chinese firms are being advised to stop using US and Israeli cybersecurity software, explores the bigger implications of national security, trust, and technology supply chains, and then ricochets through a wide spectrum of recent infosec news items. The hosts’ characteristic banter keeps things lively as they analyze supply chain security, hacker convictions, government IT decisions, AI controversies, new vulnerabilities, and—from left field—the relative infosec merit of KFC’s app. Listeners get not just the facts, but spirited debate and sharp insights into how these trends shape the security landscape.
Notable Point:
Alex: "Are there actual...top leading cybersecurity products that don't originate from those two countries? Because it seems like 99% of them are from either Israel or the US." [09:36]
This episode covers a cross-section of the current infosec landscape through humorous but insightful commentary. The headline story—China banning Western cybersecurity software—underscores the geopolitical tectonics and the challenges of global technology trust. Elsewhere, the risks of AI, failings of legacy government networks, and the sometimes-surprising places where security is either glaringly absent or strangely strong (see: KFC) all reinforce the show's message: Security is complex, sometimes ironic, and never boring.
For further resources and episode links, join the BHIS Discord or visit the Black Hills Information Security website.