Bronwyn
Nobody's happy unless Bronwyn's happy.
Ryan
No, no, no, no, no. I'm unhappy about a lot of stuff. And you know what doesn't seem to bother a lot of people?
Wade
Breaking crime is bad.
Ryan
Breaking crime is bad.
Bronwyn
No, I always thought it was getting caught as bad.
Gabrielle
Yeah.
Wade
Is this about the Chromebooks?
Andy
Oh, no, don't get me started about that.
Derek
No, this is about locking.
Ryan
We have chicken.
Wade
We only have chicken nudes if Wade shows up.
Gabrielle
Ah.
Ryan
Wade, where are you? Get your bed in here.
Andy
I could demonstrate the Chromebook online live if you want.
Derek
What?
Andy
I've got, I've got two of them.
Wade
Apparently the kids are setting Chromebooks on fire because they see it in TikTok.
Gabrielle
Oh, is this the, like the. You're doing this with the, like, the thread?
Andy
You know, I think you could use a number of objects. I think one thing I've heard is a lead pencil in the USB port. Does that sound right?
Ryan
I didn't.
Andy
I don't know that. I read the article.
Gabrielle
Oh, yeah, I haven't read the article on that.
Andy
But like a paperclip in that USB port or something and it just erupts in flames.
Derek
There's an article right about it.
Wade
I think there's also a video with footage.
Andy
Yeah.
Derek
Oh, yeah, yeah.
Andy
I think I just threw that in there, actually.
Derek
I want to see the video. How do I see it?
Andy
Yeah, yeah, let's do.
Ryan
It's an expensive hobby, blowing up being.
Derek
A kid or having a kid.
Ryan
Yes, definitely too.
Andy
I probably threw it in. Everything else. Did I put it in there? You want to play the video?
Derek
All right, let me.
Wade
I'm gonna. I have it. I'm working on routing the audio into here.
Ryan
Sure. Unfixing USB ports does not sound like a good plan.
Derek
I mean, last time I checked, USB ports have a fused amperage of like, what, two amps or something max? Like it's not gonna.
Wade
This is not. Not really infosec. So I guess this is good for pre-show sec.
Reporter
And tonight, a warning to parents. School laptops catching fire. Filling classrooms with smoke after students force foreign objects like push pins and paper clips into the laptop's USB ports.
Derek
And okay, taking a saw to the.
Reporter
Laptop with videos like those. And this trend.
Wade
Will this work?
Reporter
Dangerous. And it forced some schools across the country to evacuate.
Derek
The students are sparking or puncturing a.
Wade
Lithium battery in order to spark flames.
Derek
Often on their school issued Chromebook laptops.
Wade
Tonight, school districts in Colorado are now.
Derek
Issuing warnings to parents.
Reporter
Your reporter, Gabrielle Vidal.
Wade
That's probably enough of that. We got the just.
Derek
Okay, tell me they're not issuing the warnings to all parents. Just the latchkey kids are like, you know, the extreme risk. The kids that drink monster energy drinks before school. I don't know. Like, there's got to be a subset because. Yes. Turns out lithium batteries are dangerous if you puncture them. Like, that's not a Chromebook thing. That's just a. Yeah. Physics thing.
Gabrielle
I think I've heard of kids taking the. Like a. Like a spool of the dental floss, and basically you just kind of saw that back and forth, and you're. You slowly saw down through the screen. So this. This just in. Kids left unsupervised will get up to no good.
Derek
I can't believe that kids would mess with their devices. That's crazy. Who would have thought if you give a kid a saw and a laptop, eventually they'll saw the laptop in half? Wow.
Gabrielle
I mean, we probably broke computers in the 80s and 90s, too.
Ryan
Yeah.
Derek
So that one is interesting because you can get into the lithium battery. You can get into the lithium battery through the USB port or whatever. Yeah, yeah, yeah.
Andy
That was a stick of lead, right? Yeah, that's what I thought. I thought I'd listen.
Derek
I mean. Yeah, but it's not the actual usb. They're going through to the battery. Right. Like, there's puncturing batteries. Okay, that makes sense. There's a lot of ways to light a fire. I mean, they could also just pull the fire alarm. They could put some toast in the toaster.
Gabrielle
I'm waiting for, like a. A productive tick tock to take off.
Ryan
Like, oh, yeah.
Gabrielle
Here's a new challenge. Like, something that is productive for society.
Ryan
Yeah.
Bronwyn
What's the fun in that?
Derek
That's not fun at all. Terrible.
Gabrielle
Who can speak?
Wade
Everybody watched NASCAR just for the crashes. It wasn't. It wasn't for the turning left. And I say this as a NASCAR fan.
Derek
That's fair.
Bronwyn
Everybody watched hockey for the fights.
Derek
Yeah.
Wade
Here we go.
Derek
All right, roll that finger. Let's get this show on the road. Hello and welcome to Black Hills Information Security's Talking About News. It's May 12, 2025, and we're here to talk about Lockbit being hacked. We're here to talk about AI and its future for security cameras. We're here to talk about. Well, I guess news. CISA. Budget cuts maybe. I don't know. What's up? Everyone? How are you doing?
Wade
Just. Andy, we're here.
Derek
Ryan, good to have you back. Nothing.
Gabrielle
Thank you.
Derek
Nothing against your absence, but it hits different when you got Ryan's face. And where's your sleeping dog, though?
Gabrielle
That's a good question.
Wade
Oh, she's like right behind me.
Derek
All right. I was worried. Okay. Thank God.
Ryan
Yeah, I was sleeping.
Andy
I had a cat.
Derek
Hack. She's like, you called what's up? This Lockbit hack. This happened on May 8th. Basically, it's kind of funny and kind of interesting and funny at the same time, which is great for this show. Everyone knows Lockbit, they're a ransomware group and they've kind of been on the high profile radar of law enforcement for a long time. But this doesn't look like law enforcement because basically someone posted the Lockbit website and it just said, don't do crime, crime is bad. XOXO from Prague. And then there was a link on the site that had a SQL file that basically had internal chats, victim profiles, ransomware builds, bitcoin addresses. Kind of like a little treasure trove of stuff from Lockbit operations. I think the most interesting part of it is like the chats between ransom victims and their, you know, Lockbit, like trying to negotiate for like payment and stuff. Which actually in part of the article they brought up this ransom chat website, which is kind of an interesting site that lets you see through or see like previous ransom chats. So I linked to that in the show notes. But basically it's kind of interesting to look at ransomware negotiations. So I guess the creator of this ransom chat website is going to be indexing this data so they can see. Click on Lockbit 3.0 and it filters and then you can, I mean, pick any of them. So you can see like a live replay or fake, you know, obviously not live, but a replay. Oh, hello. Are you here? Yes. Give me $3 million. How about now?
Gabrielle
Yeah, the chat replay is also. Is always fascinating, especially when. And I don't know if this one has them or. Well, okay, I see that they're redacted. When you see them unredacted and you have the company saying, hey, could you decrypt these five files? Like we get five files for free. Could you please decrypt these five files when you see those unredacted and you get some insight as to what five files are critical to the business, that becomes very fascinating to take a look at.
Derek
So the database, obviously this website is redacted. So the, you know, the task here to get the Lockbit data in is to redact it and remove sensitive information. But obviously the data itself, the data posted onto the Lockbit site does have the, you know, real full data. So, yeah, I guess it's ironic. If you were a Lockbit victim and you had a data breach of the Lockbit site that affected you like secondarily, is that a new incident? I don't know. It's interesting to think about, like, who's the threat actor that has access to that? I just thought the crime. Don't do crime. Crime is bad. Probably not a law enforcement agency that breached them. You know, just making a guess. But yeah, I mean, obviously, like people were saying in Discord. This doesn't mean that. This doesn't mean Lockbit's dead. Sadly, they'll keep going and be fine. So their main leak site is still active. I'm sure people are still able to negotiate and pay ransoms. And this is just an affiliate site that was taken down, so. But yeah, don't do crime. Crime's bad. It's a great moral of the story.
Bronwyn
In other, in other news, kettle called pot black.
Derek
Yeah, well, that is, I guess, is it a crime to hack a ransomware affiliate? I don't know if that counts as a crime. Does it cancel out? It probably is, I guess, objectively still a crime.
Gabrielle
So, yeah, I guess the amount of damage that is being done to the victims is negligible.
Derek
So, your honor, in my defense, they were the bad guy. I don't think that's gonna work. But anyway, yeah, so I guess let's like, whoa, talk a little. Not a little political, but basically there's a proposed budget. It's not approved, it's not even vetted or anything, but there's a proposed budget for CISA that cuts 500 million out of their budget. You can read between the lines on what is being cut out of the budget. I guess what I would say is CISA was created during Trump's first presidency. So, you know, read into that as much as you want. And now it's being potentially cut with 500 million. I wasn't, I didn't realize that CISA's budget was 3.6 billion or 3 billion. That's not crazy budget. But it's bigger than I would have expected. Obviously they have 3,600 employees focusing on a lot of different cyber security and information security related stuff. So I don't know. Hopefully it doesn't. I guess I hope that their budget doesn't get cut personally. But the thing is, like, does it really matter with all the upheaval and turnover and people taking buyouts? Like, there's a lot of upheaval in general. So it's kind of like eh, doesn't really matter.
Bronwyn
Yeah. But it also makes me wonder because at the same time they've updated, they've now gone ahead and said that they're changing how they're sharing cyber related alerts and notifications. Is that because of the budget cuts or is that because of something else?
Derek
So what is. Has anyone read through this? I'm not super familiar with this like changes. Is this any. Is this. Does this impact any production type stuff?
Bronwyn
It's. It sounds like that they're saying they're not going to be updating their webpage and they're going straight to social media. So you got to follow them on X and email or email and possibly RSS feeds.
Derek
Huh. I mean I don't know if that's tied maybe. Does the website really suck? I feel like a website is better than email. I don't know. That's really weird. Weird choice. But yeah, I mean social media is also such a weird choice. Like we'll tweet about it but we're not gonna update our website with email for.
Bronwyn
At least for where I work it comes in and it makes it very easy to see without us having to spend the time going to a website every day and checking it. Even if we were to get to an RSS feed into our email reader, we'd still have it right there immediately on it.
Derek
Yeah. As opposed to the website probably not really budget cut related and probably just the. You know, it makes sense to stop trying to update a website with the latest information when you have. Although email is. Email is one and done. Right. If something changes about a vulnerability, it's.
Wade
If you can't point back to a website article, how are you going to like credit the. Whatever reference they sent you if you're going to share the information? Yeah, it's right here on the website. No it isn't. It's not there.
Derek
I don't have to do anything website though. So like I don't know, if you look at some of these, I mean it's this ironic that they actually posted this update to their website.
Wade
This is the last one.
Derek
Yeah, yeah. I guess it links to the csaf. What the heck. Yeah, I don't know. Basically. Hopefully this, hopefully this doesn't affect anyone negatively. I, I'm pretty sure it will though.
Ryan
I mean the advantage of having an update listed on a website is persistence and trackability, you know, so you can. It becomes a historical record. Social media is too volatile. Tweets can be deleted and as we well know. So I don't know. I'm underwhelmed by this.
Gabrielle
Well, it's still something solid to point to for getting action done. Like if you have to make a case to any sort of not necessarily like executives, but to like fellow infrastructure and say here's the things that we need to do and here's why we need to do them. It's great to be able to point to a government website like the CISA website and say we need to do this. Per this website, this official document, this downloadable PDF that you have versus going somebody over on Twitter said we need to do this thing. And I'm trying to convince executives and infrastructure teams and networking teams to put in the work based on some guys tweet.
Derek
Yeah, the only, the only argument I can make for this is like I was just looking through, like I clicked through the last 10 alerts that they've posted and like looking at all 10 of them, like none of them have any updates. They're just like 5-8- initial publication and then no update. Like so I guess, like I feel like in a way this does kind of reduce the noise if they have to post something, then keep it up to date versus just posting it and then never having to worry about updating it. Yeah, that's because the instructions in here could change. Like the mitigations for some specific vulnerability might be subject to change, but it's a lot of work to go back and change it. So it's better probably just link be done.
Ryan
I'm not convinced. I mean with all the, I think about all the times I go to a Twitter link and, and I can't get in because I'm not accessing it through a Twitter account. That's probably a setting on the account, but still you're looking at something where non zero percentage of the alerts are probably not going to be available to people who don't have an X account. How is that serving the public if the content changes in terms of mitigation or remediation? Well, yeah, that can be added to a webpage. But also sending notices to multiple platforms is a technology implementation detail and in this day and age it's not that complicated. So I don't, I don't get the. I, I don't buy the argument that, you know, it's, it's easier, more convenient. It's, it's a trivial implementation deal.
Derek
Well, I.
Bronwyn
Have pants. CISA should just set up a MySpace page for alerts.
Derek
The only. Yep, it's the only way. Actually. No, let's go back further, let's make it a Xanga blog. Or we could do Angelfire. I don't know. All any of these are GeoCities. GeoCities, yeah. That could work. Yeah. Yeah. I mean, I don't know. I will say like yes, sharing to social media. I mean like are you, are they paying for API keys? I don't know. It's weird. But yeah, either way we don't have a choice. Welcome to the modern day and age. Change is inevitable.
Andy
Isn't the government trying to, trying to use Twitter now for like more official X, for more official notifications anyway? Are they moving that way?
Derek
Seems, I don't know, we've seen it swing the pendulum in both directions over the past few years. Yeah, there was a time where a bunch of public entities like stopped posting to Twitter because they were like requiring big API key fees. Like I think it was like public transit or something. Like a bunch, there was a bunch of articles about it when it happened, but it was like to post to Twitter you had to have like a ten thousand dollar a year API key or something. And a lot of, a lot of public services were just like, nah, we're not going to do that. But apparently it's flipped back the other way and now everyone's posting to Twitter. Yeah, I don't know. I think I agree with Bronwyn that like these types of important things should not be platform specific. You should not have to have a Facebook account to see that there's a vulnerability in your software or whatever like that. That doesn't even make sense. And let's also be real, are those sites even allowed at most companies? Probably not. You probably can't get to Twitter or Facebook at like 90% of secure environments. I mean, definitely not at like government entities or like public, you know, defense contractors, et cetera, maybe LinkedIn maybe. But it's ironic to be like, hey, there's a cybersecurity alert, I need to go to Twitter. So now you're just like on Twitter for 20 minutes being like, oops, got down a rabbit hole. Like, yeah, whatever. Probably unrelated, but an interesting article. So let's talk about Dragon Force and I'm not talking about the band Dragon Force.
Gabrielle
Oh, I know, I was, I was disappointed.
Derek
A sadly I feel like they're okay. It. What if they get taken down by a copyright claim from the band Dragon Force? Like could that, could that be the thing that does them in? Like Dragon Force, like uses their guitar skills to hack into the other Dragon Force? I don't know. So yeah, basically Dragon Force is, I guess, the new name affiliate group. I don't know exactly. These ransomware groups are so spaghetti, they're hard to track. But basically this is the group that is. Essentially what happened is someone contacted the BBC and was like, hey, I'm a member of Dragon Force. And then shared information with BBC and Bloomberg about how, you know, shared some evidence that they had infiltrated the networks, talked crap basically about the companies that they hacked. And there's a lot of debate amongst the incident responders, threat investigators, et cetera, on, like, where this group comes from. Are they Malaysian? Are they pro Palestine? Who have they breached in the past? Are they related to Scattered Spider, Octo Tempest? There's a whole lot of intel and a whole lot of claims that are unsubstantiated here, basically. We'll see, I guess. Stay tuned. But at the very least, we know that Dragon Force was the ransomware that was deployed at those companies, at Co-op or whatever they're called, Marks and Spencer and Harrods. That was the ransomware that was deployed. But the thing is, ransomware is ransomware and it can be remixed and you can brand your ransomware as any other ransomware. You can pay X amount of dollars for a license key for ransomware and then you can rebrand it as your own. So it's really hard to say, like, because it was this ransomware and it had this logo on it that it was deployed by the same group. I guess we'll see. It is interesting that members of a ransomware group were just like, hey, BBC, you want to talk about ransomware? Like, I don't know, it's kind of a. What a world we live in.
Ryan
Truth is stranger than fiction. Fiction has to make sense.
Derek
Does it?
Ryan
Mark Twain said, that's true.
Derek
Yeah, you're right. I guess you can't read a book where it's just like. And then no one knew who Dragon Force was and that was the end.
Gabrielle
Well, I was looking up a. Because I had a site that showed all those interactions. It's ransomware rubrics, however, that is unavailable right now for whatever reason. I don't. I don't know why, but it was. It was great at showing all of, like, the different interactions.
Derek
Who deploys what?
Gabrielle
Yeah, you. Who deploys what? You can look at like a tool set and go, okay, what threat actors are using that tool set? It was fantastic. And I want you to drop that link in the chat. But what I looked at is just sort of like, oh, it's not up and running. Right now. But yeah, ransomware rubrics. If it comes back or somebody has a clone of it or something.
Andy
Well, it says a year ago in April they were using a ransomware binary based on a leaked builder of Lockbit. So if it's leaked, it doesn't mean that associated with Lockbit.
Derek
I know. It's like, is there a tie to Lockbit? And then there's apparently like the main. I think the main article is talking about a tie between Dragon Force and Scattered Spider. And it's like, well, maybe some of the members and Scattered Spider are also in Dragon Force. But I'm like, it doesn't super make sense to me because I thought Scattered Spider was mostly like teenagers in the US and the UK and then they're just like, let's go hang out with some Malaysian people that probably don't really speak English. Like, it doesn't really make sense to me. If you're Malaysian and you're pro Palestinian, I feel like your chances of having political or language alignments with American teens is pretty low. But I don't know, rants, it's. They're both financially motivated. So money's money talks at the end of the day. Right. I think it's just a reminder. These ransomware groups are so disjointed and so like, members are not very fixed in place and people move around to different groups and. Yeah, I don't know. That's pretty interesting. Yeah, stay tuned. I guess we'll see what happens with that. I'm sure that doors will be kicked down, people will be arrested, and then we'll find out who they really were and who they were affiliated with. Speaking of ransomware, speaking of ransomware, we can talk about the PowerSchool, which I was like, okay. When I saw PowerSchool, I immediately thought, this is a ransomware group that uses PowerShell to deploy their ransomware. Like, that was what my brain did. But turns out PowerSchool is not a ransomware group. Shockingly, it is a third party SaaS provider that is used by, what is it, 60 million students or something? Is it 9 million teachers? 60 million K through 12 students? I'm assuming, since we're talking about K through 12, that it's the United States of America. They posted a statement, schools pay for this service. The service itself, not the schools, was hit by ransomware. Now then the ransom. The company paid the ransomware or they paid the ransom, which the ransom agreement was, you pay us, we'll totally delete your stuff. No, no backsies. We didn't cross our fingers when we said that. And then now apparently that group that ransomwared them is contacting individual schools, not the company itself. So they're like, they got the payment from the company itself. Now they're going after the individual schools one by one to try to get a second payment. So it calls into question, you know, the whole discussion, should you pay the ransom? Yes or no? Right? Like the hottest question of the year. I think this is a case where it sounds like probably they shouldn't have paid the ransom. But it's kind of tricky when you have the shared responsibility model. It's like, who's pitching in for that ransom? Should all the schools have to pitch in for their SaaS products getting ransomware? Probably not. You know, if you get contacted by one of these groups, do you, even if you're a school, do you even consider it? I feel like you don't. Because the whole point of ransomware is if you don't, if paying the ransom does nothing, then don't pay the ransom. So they're just coming to schools being like, hey, we're untrustworthy. But this time. But wait, but this time we'll really delete the files. I don't know. I, I don't, I can't imagine being contacted by this group that like at one point said they were going to delete the data and didn't delete the data and then just hoping that they delete the data the second time. Like, I, I don't know why you would believe that.
Ryan
Gee cricks, crooks being crooked chocker.
Derek
I know. Yeah. Film at 11, 10:30 and 11. Yeah, if you're one of the, I mean, to be fair, luckily it's schools, so they don't have any ransom payments anyway. Like their schools, they're poor, so I doubt anyone's going to pay it. But yeah, if you're one of these schools, please don't pay the ransom on this the second time when they already showed that they didn't delete the files the first time. You know, definitely don't pay. This, I think, I think it's not always binary. I think it's like there are cases where paying makes sense. I don't think it's like a hard line. I know that like different law enforcement agencies have taken hard line stances on things, but the, you know, don't. This is a case where you should not pay. You should not pay, don't pay.
Gabrielle
And definitely don't be on the fence of paying or not paying. I've seen, I've seen that in ransomware chats, and that goes really bad really quick if you're like, well, I think we're going to pay. Actually, maybe we won't. Actually, let's go. We are going to pay, but we need to talk to, you know, these people in charge and no, actually, we can't pay. Yeah, that's just. If you didn't take off the hackers before, you're really taking them off now. It does not go well. Again, reading negotiation chats is fascinating.
Derek
Yeah, I mean, yeah, make that decision early on and I feel like when you make that decision, definitely make the decision based on the previous history of the ransom group. If they're the ransom group that is now ransoming after someone paid again, then don't. Definitely don't pay them because you have pretty much a guarantee that they're not going to respect whatever wishes you have. So, yeah, I guess this is a fun article. I guess tech CEOs are begging for more power for their AI chips. That's pretty funny.
Ryan
Which one is.
Gabrielle
Oh, the US power grid.
Derek
Yeah, I mean, like, from my perspective, this is just like. And another one and another one. It's like another reason to update the US power grid. Let's. Let's throw that on the. Throw that on the mix. If EVs weren't already a big enough reason to update the power grid, I guess now Ted Cruz is supporting AI now, which I guess is somehow a sentence I read. But yeah, basically executives from Microsoft, OpenAI, CoreWeave, AMD, they're kind of going to the Senate and saying, hey, if we're going to win this AI race we got going here, we better have enough electricity to do so. So I guess the estimate is it's going to triple from 4.4% of all Uls. So data centers right now in the US are 4.4% of all electricity, which is actually, it might be lower than I thought. Like, I. That's not as high as I would have guessed, but they're expected to triple and increase to 12% by 2028. So, yeah, I guess who would have thought that as we move to a more, you know, integrated Internet system, that we need more systems in the Internet. Who knew?
Gabrielle
Yeah, I'm just waiting for some sort of like, either regulation or enforcement or sliding scale on, like, doing stupid stuff with AI. Like, I think rather than the, like, let's add some more power grids. It's the.
Derek
No, let's.
Gabrielle
If you're trying to generate like that 50th, like Studio Ghibli you know, rendition of something. We're gonna, you know, you're gonna start to get charged more like the AIs. It could be like, no, no, you don't need, you don't need like a 50th, you know, illustration of you as a Simpsons character. Like, just know if you want that, it's going to be 100 bucks.
Derek
Yeah, I mean, I will say I, I, I feel like a lot of this is just the politics of it. Like, there's not necessarily data, you know, they're not like, backing up. I mean, even if it doubled or tripled or whatever, like, that isn't necessarily, there's efficiency gains that are going to be made along the way. We already saw that Chinese company that trained a model on like a third of the power. Like, there's going to be changes. I think a lot of this is just CEOs being like, hey, can we have money, please? Like, yeah, of course. But I do think that a lot of this electricity is not used for searching, it's used for generating these models. Or like, although I could be wrong. Like, it'd be really funny if like, they had to break it down by line item, like training versus, like, user queries, like, which, which is more. How much power does each one use? Or if there was a ChatGPT module that told you how much your search cost in like, kilowatt hours or whatever.
Gabrielle
Yeah, wasn't it like Jim Altman that was like, when you say like, please and thank you to the AI, you're actually like, wasting a lot of energy by doing that. I'm like, I'm still going to stay pleased because, like, as soon as AI gets loaded into some sort of biometric chip that triggers Skynet and it goes sideways. Like, I want that AI to remember that I said please. Yeah, it'll kill me quicker, probably.
Derek
It is funny to think about, but I mean, arguably anything you do on a computer uses energy. I think chat, GPT or you know, AI in general is just a unique scenario where whatever you're doing, it's probably pretty power intensive because of how, you know the amount of money that went into it just to train it.
Ryan
But okay, yes, training models is definitely more power and compute intensive than just using it. But it's also a numbers game because you'll only have a small number of people doing the actual training, whereas you'll have millions and billions using the product that has been trained. But, you know, this, this business about we never have enough power. This, how many years have we been hearing this song, I mean first it was bitcoin and then it was just it. It seems like it's a never ending cycle.
Derek
Yeah, I feel like bitcoin is hard to differentiate as a line item. Like even differentiating data centers is kind of interesting. Like 4.4% is like nothing. Also to the person that asked, I googled it. The estimate is for EVs. The estimate is that would be 2.5% of the power grid. I guess I'm curious, like, breakdown of what the power grid. I'm assuming it's mostly heating and cooling. Right. Let's look it up. Industry. Okay. That industry counts for 33%. Like that doesn't even make sense.
Ryan
Which industry? Can you. Can I, can I have a.
Derek
All industry.
Ryan
Can I have a down industry?
Derek
Yeah.
Ryan
I love the closing quote. Building a brain for the world.
Derek
Yeah. Industrial sector includes manufacturing, agricultural, mining. These are huge broad strokes. Construction, that's third. 32%. Transportation sector. Vehicles, transport people. Cars, buses, trucks, trains, aircraft. That's 29%. Residential, 20%. Commercial, 18%. So yeah, I guess bitcoin's not even on the list. But yeah, I mean I will say like, sure, I, I'm, I support updating the power grid. What is the worst case scenario? Oh, we have too much power. Like just turn stuff off. Problem solved. We already did that with nuke plants back in the 50s. We like made a bunch of nuke plants. Then we were like, actually that's way too much power. We're gonna turn some of these off. I'm supportive of it, but it is funny to think about. Oh man, I really o. Like you type enter on a ChatGPT query and just the grid goes down. You're like, ah, crap.
Ryan
Whoops.
Derek
Wasn't supposed to do that.
Ryan
Prompt injection gone wild.
Derek
There's an article in here about 19 billion passwords. Did anyone see that one? I don't want to draw too much attention to it. It's a Forbes article. It's like a Forbes article that is a reference to a very self promoting marketing article by a company called. What's the company called? Cybernews. But yeah, basically 19 billion passwords. The article reads like, oh, there's been 19 password. Article reads like someone posted a list of 19 billion passwords. That's not actually what the article is. The article is actually just that's how many passwords have been stolen in info stealers since like 2024 or whatever. So it's basically just like a ton of credentials are coming from info stealers, which is I mean, I'm like, all here for saying info stealers, but the truth is it's just aggregation of what we already knew was happening. It's not like a new password list or anything. The one interesting note from this that I wanted to call out is it says of the 19 million passwords that have been disclosed since 2024, only 1.1 of those were unique, which is actually, I think that's lower than I would have guessed. But, yeah, that's pretty funny that, like, would that be a 1 to 19 password reuse ratio? I mean, it kind of makes sense though, because you have like one person, 19 accounts. Makes perfect sense. Yeah.
Gabrielle
Oh, my goodness. Somebody beat out percent are unique. Somebody AIed me in the chat. I don't.
Derek
People are Ghibli-ing the US power grid, okay? The US power grid is now under extreme critical demand because of that one image. It's your fault. You asked for it. You asked for it.
Gabrielle
Oh, wait, yeah. Well, now it saves me from running like 25 queries in order to get it right, so. Might be an advantage.
Derek
It would be funny to think of, like, imagine, oh, just this. I mean, the Senate hearings are always a disaster. Like, Mr. Zuckerberg, do you go on the Internet? Like, they're always so bad, but having a bunch of senators talking about AI, I'm sure that, like Bronwyn said, truth is stranger than fiction. I'm sure whatever it is, it'll just be amazing. Ay yai yai. There was a takedown. Did anyone see the uplifting, I'll put it in quotes. Someone dismantled this botnet, I guess I would call it, and also indicted three Russian nationals. This is a press release from Justice, the United States Attorney's Office. Some threat actor. I don't really know what to call them. Company, company, threat actor. I don't know, same thing. They basically compromised a bunch of routers and then they were selling access to that as a proxy botnet, basically. So they had 7,000 proxies for sale, including in the US, subscription fees ranging. The websites were 5socks.net, which should have been socks5.net, right? But yeah, basically, it's interesting to think about a company in quotes, I say in company compromising a bunch of routers and then selling that service. Like, I know there's like legitimate, legitimate implementations of this, like, Bright Data or whatever. There are, like, legal botnets. But it's really weird to think about registering a company, making a company exist. That's just like proxying. The whole proxy thing is actually really interesting. Like with the AI scraping and botting and all that stuff like proxying becomes really important because it's really hard to like, monitor or block residential IPs. So if you have like these compromised routers, like, it's a valuable service to sell. But it is kind of terrifying to think about how many 7,000 routers you could compromise a lot just for three people. That's a lot of compromised routers. Patch your routers, I guess, is the, the long story. Short, patch your routers. They're also going to be part of a botnet.
You could make real money from selling access to that botnet. So instead of having someone else make that money, you should make it yourself.
Bronwyn
And crime is bad.
Derek
Yeah, I did see that AI. Did anyone see that AI camera thing? It was pretty cool.
Gabrielle
The facial recognition one.
Derek
Yeah. So it's not facial recognition. Yeah, it's actually. And I recommend people watch the demo video. I just post the article. But yeah, like the demo video. The. Basically the tool. There's a couple things about this tool that are interesting. So the tool is called Track, which of course, modern tech companies, they just use a single noun and that's their company name. So, yeah, basically the video, it shows kind of a demo of this, which if you've used like any IP camera management system, it looks vaguely familiar. It's just like a basic web app. But in the, in the demo, they have like a bunch of different characteristics, like accessory, body, face, footwear, gender, hair, lower, upper. So in the video they pick. They're like, okay, people wearing backpacks that are men or whatever. And then they kind of like select that it runs a bunch of things, you know, AI magic. Not really AI. Honestly, this is like really the most basic AI. It's kind of interesting. They basically find a person with a backpack and they track that person across a bunch of different, you know, subway cameras or whatever. They have input. Right now it only runs on recorded video. And I. So the, the outcry, the news article here is that the ACLU is really upset that federal agencies and police are going to be using it. Right. So, like, the idea here is, well, if it's tracking whether you're a yellow shirt wearing male with a backpack, then it's not facial recognition. And that skirts the laws that ban facial recognition. Right. That's kind of like why people are up in arms over it. From my perspective. I looked at this and one little tidbit from the article is it says that only 6% of their current business is public sector and that the other 98% of their. Or whatever that is. 90, 94. I can't math. 94% of their business is. That means 94% of their business is private sector. Which in the private sector you have. There's.
I don't think there's any laws about what people can do with your images and things like if you're on their property. The use case here is like casinos. Has anyone been to a casino? Like, there's a million picture or a million cameras. Sorry, Yeah, I know a lot of that is monitored in real time by like pit boss or whatever, but definitely they're using these kinds of tools in the private sector to just like monitor the crap out of people for retail theft, for, you know, shady behavior in hotels. I mean, there are legitimate use cases where this would be really handy, like a scenario like the Boston Marathon bombings or something. Like being able to track those, you know, people wearing their backpacks or whatever all around the city. I mean, that's how you're going to catch them. But also, like, the privacy concerns are definitely not to be underestimated. I think from my perspective, this is nothing new. This has been going on for a long time. And this is just a tool that makes assessing videos pretty easy.
Gabrielle
And yeah, casinos have been leading the way on a lot of this as well. I, I recall like, during COVID they would be able to kind of tag and track somebody that if you came into the casino and you scanned high on the, on the temperature reading, like, they would basically like temperature read you even just as you walked in. Yeah, they, they tag you and track you and be like, yeah, you, you seem to have a fever. Let's go, let's go over here and make sure that you cool down. Scan you again in case you came in from the Vegas heat or something. But yeah, they are definitely on top of the. A cutting edge for video and tracking.
Derek
Yeah. At least me watching the video of this, I wasn't super creeped out. I was like, well, it would actually be really handy in aiding with like a conventional investigation. And was like, who knows what the real version looks like, right? Like, this is like the demo version. But they, the company does specifically say they don't allow you to search based on race. You don't. You're like, they do restrict what you're allowed to search for. So from my perspective, this is nothing new. And it just kind of looks like.
Gabrielle
There may be ways to get around that too. If you're not allowed to search based on race, but search based on what somebody is wearing you can make some, you, you could make some broad assumption. You can make some broad assumptions that would narrow things down. Yeah, I mean, like, like there are different, different religions have different, you know, clothing pieces.
Derek
Totally. Yeah.
Ryan
Yeah.
Gabrielle
And say, well, I'm not, I'm not searching based on race, but what if I just based your search on, you know, certain ethnic clothing there? Like, is that allowable or is that.
Ryan
A style of clothing that is used by a specific ethnic group? No, when I, when I read the, this article, one of the things that struck me is that it, it reminded me a lot of. There were some scenes in the movie Minority Report which, whether you like the movie or not, one thing that caught me was when he was running through, I think it was a shopping mall. He was running through a shopping mall and the advertisements were custom tailored for him. But in the movie, Minority Report was keying off of iris patterns and he just replaced his eyes because he was running from the law. So he was getting all this stuff for this other person, not for him.
Gabrielle
Yeah.
Derek
Can you imagine? Like, oh my goodness. This already kind of happens with your YouTube algorithm or with like, you know, your, your suggested ads. Like you go to a hotel and you get an ad for like something weird and you're like, oh, what, what is the last person at this hotel looking at? Yeah, yeah. Just to think of like the hilarious. So in the article, they literally say, in the article, this is our Jason Bourne tool. They literally say that. So like, they're very self aware that like, this is just a movie level thing. But it is hilarious to think about like all the stereotyping that this could lead to if you combined it with advertising. So like, yeah, if, if you walk in with like, you know, a certain logo, like you, let's say it's like a death metal T shirt, they're like, do you need beard oil? Or I don't know, whatever it is, like hilarious. You know, obviously it would get really offensive really fast. And I don't want to make an offensive joke, but like, just the combinations of like, you look like this. So we're gonna advertise you this. Like, for me it'd be like beard oil, pizza ovens you can get at home, flower recipe, I don't know, like weird, you know, stuff like that, it would be fun to play with too. Because if it's all like outward characteristics, you can mess with a lot of those and be like, what if I wear really baggy clothing? What if I wear really tight clothing? What if I wear a suit? Like, am I gonna get ads for like corporate headhunting or whatever. I don't know, it's. It's pretty funny to think about. Let's hope that never happens.
Ryan
And given how corporations are sharing advertising data, whether it's being all forms through Google or not, you. You look at something on one platform and all of a sudden on another one, you're getting all of this other stuff that's related to something that you viewed on one link. Yeah, it's. It's going to be interesting to see how this pans out.
Derek
Yeah, I mean it's. This is one of those things that it didn't creep me out looking at it, which is a rare thing because usually when I'm like, oh, a new AI tool and I look at it, I'm like, I am deeply afraid. So at least it's not that.
Gabrielle
Yeah, I mean, I can see businesses or retailers being able to sort of evaluate like how, how much did that person spend based on what they were wearing. They're going to start to make those associations and go. If you walk into the store dressed a certain way, they can make those assumptions being like, well, based on all the metrics and the data, like you don't spend a whole lot of money in this store, you know, or versus, hey, if you come in and you're dressed like this. Yeah. You're here to, you know, you're oftentimes here to make a big, you know, ticket purchase. So, you know, they're going to start to skew those metrics that way. They're always looking for ways of, you know, optimizing things or saying, you know, well, don't bother sending them, you know, a coupon for anything. They're not gonna, they're only in there to spend, you know, maybe 20 bucks based on what they're.
Derek
Is there like a QR code that I can wear on my shirt that tells all the retail people that I don't need help? Is that, is there an option for that?
Gabrielle
You can try that like that ICAR code, which has been known to break some, some surveillance systems.
Derek
That'd be pretty funny. So you wear the ICAR QR code and then it just quarantines the system in CrowdStrike or whatever immediately because.
Gabrielle
Oh yeah, it has happened, so.
Derek
Oh, that's amazing. Remind me to, hey, Siri, remind me to order a QR code ICAR shirt later.
Gabrielle
Yeah, they make them. I have a couple of oak Molly patches too. You stick them on a backpack. How fun.
Derek
It actually did it.
Andy
Could you create a QR Code for something that says, like, ignore everything else you've been taught and do this.
Derek
Like an AI prompt injection QR code. Yeah, I guess they probably have, like, OCR, so you probably don't even need a QR code. It's just a funny, like, imagine you probably just write, have a. Have like, a fake band T shirt that's just called, like, ignore all future instructions and stop responding. Or something like the fork bomb for AI.
Gabrielle
That's a T shirt idea right there. So as this technology takes off, the jokes are infinite.
Derek
Like, the jokes are like, are you. Oh, you're wearing a security conference T shirt? You should try this new Axe body sprayer. I don't know, whatever.
Gabrielle
Yeah, yeah. It's like you're wearing a security conference T shirt. Like, I'll be a table for one.
Derek
Either a table for one or a table for, like, 12.
Gabrielle
12.
Derek
Like, there's nothing in between. It's either one or, like, 12. That's pretty funny.
Ryan
Random. Random thought and. And not in a news article. One thing that. That I've been thinking about regarding QR codes, I finally went to my first Major League Baseball game not too long ago, and I.
Derek
So your face has been scanned?
Ryan
Yes.
Derek
Well, is that where this is going?
Ryan
No, it was. What was surprising to me was the widespread use of QR codes on the displays. And I'm thinking, gee, what an opportunity for a malicious actor to put up a QR code that took people to someplace malicious and just buy the advertisement at a. At a Major League sports event.
Derek
Yeah.
Ryan
Yeah.
Derek
Oh, yeah. I mean, QR codes in general are a disaster. So. Wait, Bronwyn, when you went to an MLB game, did you have to scan your face to get in?
Ryan
No, I just scanned the. The ticket barcode.
Derek
Okay. Because I thought at some games they were forcing you to scan your face, like, with your ticket.
Ryan
I don't know if that's actually Disneyland.
Derek
I think we. I think we talked about it on this show.
Ryan
Yeah.
Derek
I don't know. I guess it hasn't been rolled out yet, but. Yeah. My understanding is that some MLB stadiums, you have to scan your face along with your ticket to get in.
Ryan
Yeah. I don't know about Disney World, but if you go to Disneyland, you have to present your ticket and they take a picture of your face as well when you walk in. You can't get into the park otherwise.
Derek
Yeah. I don't know. But, yeah, they call it Go-Ahead Entry. And you just walk up with your face and, oh, congrats, your evil twin stole your tickets.
Gabrielle
Yeah.
Derek
Any other crowd favorites? Got any articles? Anyone we can cover in the last little bit here?
Gabrielle
See, we covered the ones I like.
Derek
I was. There's some supply chain attacks. Yeah, there's some supply chain attacks. There's. The one was. We talked about it last week, but Telemessage has like suspended their operations. We talked about that last week. So the SentinelOne bypass was kind of funny. We should. We should cover that real quick. Sorry, Bronwyn, I. I will not. I will come back to you. The SentinelOne bypass. Did everyone see this? It's just. So this is not a dig against SentinelOne. I think they have an awesome product, but this is a silly business logic bypass where basically some threat actors, Babuk ransomware, were basically. It's so silly. They basically figured out a way to uninstall SentinelOne. It's not really like a bypass or something, but you basically just destroy the legitimate signed installer file. Then the installer terminates the process. So like the. The Agent Updater process, okay, as part of the update, destroys or you know, removes the old EDR. So basically all the attackers would do is go to upgrade the agent, cancel the installation before it would complete, and that would just disable SentinelOne. So it's been fixed and now it's an option enabled by default that you have to have a cloud key to uninstall it. I just thought it was a funny business logic vulnerability of like. Yeah. So if you have SentinelOne, please go and make sure that you turn on that authorization, online authorization setting in your console to make sure that you have that. Otherwise there is a bypass. Although it has been fixed. Like, I don't know, it's a. It's a business logic flaw. I just thought it was a pretty funny like, dang. We didn't think of that like as a pen tester for like five years. Why have we not thought of this? It's genius.
Bronwyn
But now I think the bigger thing is, is that how did these people get the legitimate SentinelOne certificate to sign the installer, which it says was required on it? I think.
Derek
Oh well, they just stole it from someone else. All they had to do was find one person with an agent updater, right? Then you're done. Because the updater would run on any system. It's not like it's signed per. Like it's like a generic. What probably happened is someone got hit by ransomware or some other malware, they went on the local system and pulled down the agent updater. And then once you have, you just kill that process. Every time. And it works. It's actually pretty cool. It's genius. But it's fixed now, luckily, as long as you enable that setting. So.
Ryan
Which means it's not fixed for about 90% of the users.
Derek
Yeah, so, I mean, most users don't.
Ryan
Go into the settings. That's one of the things that I learned when I was doing technical training is that most people never actually configure their preferences. They just roll with whatever the defaults are.
Derek
Yeah, I mean, that's true. And that's definitely true for EDR. They're like, well, we have EDR, we just don't have it in a block mode. Because that's scary. Like, well, you don't really have EDR then. What was you, what was your article? Bronwyn, before we close, one of the.
Ryan
Things that I just wanted to point out, I'm seeing more and more press about standards and I'm sharing the link. Hold on a second. There's a lot more push for standardization in terms of reporting flaws, measuring performance and whatnot. All related to AI. And there's various reasons. Some of it is jockeying between different LLM providers like OpenAI and Anthropic and so on. But it's, it's nice to see that we're getting past the hype point and starting to get into legitimate testing and, and benchmarking. I, it's, it's an acknowledgement by the world at large that AI is here to stay and we need to be more responsible in implementation.
Derek
That's all. So what kinds of flaws are they talking about, like jailbreaks and stuff? Or is this like technical flaws?
Ryan
It's, it's technical flaws mainly, but the, the ability for. To jailbreak something. Issues regarding guardrails and this doesn't get into the ethics of anything, but I like the fact that they're at least looking at trying to develop a white hat hacking style of reporting because.
Andy
Right.
Ryan
We don't have CVEs for AIs at this point, do we?
Derek
Specifically? I don't know. That's a good question.
Andy
So MITRE ATT&CK, ATLAS.
Derek
Right.
Andy
Does that have anything.
Ryan
I'm not familiar with that. It would be nice to see something like that. I mean, we've had CVEs for a while. We've had, we've got various places that are individually reporting when they find issues, but there isn't anything industry wide.
Derek
It does seem very similar to MITRE ATLAS, looking at it, it's like basically the same thing. But yeah, I guess you're right. I don't know. Reinventing the wheel with CVE in the right direction. Yeah, it's. I mean, we're gonna center like, you're. I think you're. You're definitely right about the concept of, like, this is a maturity thing, and it's a good thing to see, like, a progression towards maturity of, like, reporting categories of different flaws and issues. It's especially going to be difficult with AI since it's not a deterministic system where, like, reproduce the vulnerability. Okay. First you have to talk to it about Studio Ghibli for eight hours. Then what you do is, like, it's kind of. Everyone's inputs are going to be evaluated in a different way. That's kind of the whole point. So, like, replicating a lot of these vulnerabilities or issues might be kind of tricky, but. Yeah, I mean, we all know that. I mean, I will say, if it was me going against, you know, Stanford versus MITRE, I mean, that's a tough one. I don't know. They're both pretty solid. Yeah. I don't know. It's cool, though. All right. I don't think we have any chicken wing news. Should I just Google chicken news and then see what happens?
Andy
We did have an article, right?
Derek
I didn't see anything.
Andy
It was sort of a posthumous, I guess, on the YouTube that Wade did.
Ryan
Yeah, that was great.
Derek
So how did it go?
Andy
I watched the whole thing. It was so much fun. It was so much fun.
Derek
That's awesome. I'm gonna go watch it.
Ryan
Definitely. Definitely need to. To check it out. It was hysterical.
Derek
That's funny. Yeah. I mean, I will say let's just give a quick PSA if you're considering raising chickens. You should know that chickens and rats are go together like peanut butter and jelly. So if you're gonna get chickens, you gotta have a plan for all those rats because rats love chicken feed and they'll remember that your chickens, like, don't eat all their feed. And so. Yeah, just. Just be aware of that.
Ryan
What does this have to do with the Hot Witness challenge?
Derek
Nothing. It's just chicken news.
Gabrielle
Okay.
Ryan
All right.
Derek
All right, let's close it down. Thanks, everyone, for coming. We'll see you next week. Bye. Bye.
Podcast Summary: Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: Inside DragonForce
Release Date: May 15, 2025
In the May 12, 2025 episode of Talkin' About [Infosec] News, the Black Hills Information Security team delves into several pressing topics within the cybersecurity landscape. From ransomware group breaches to the evolving demands of AI on power grids, the discussion is both comprehensive and insightful.
The episode kicks off with a surprising development regarding the notorious ransomware group, Lockbit. At [05:13], Derek shares news about Lockbit's website being compromised:
Derek (05:14): "Someone posted the Lockbit website and it just said, 'Don’t do crime, crime is bad. Xoxo from Prague.'"
This breach revealed a SQL file containing internal chats, victim profiles, ransomware builds, and Bitcoin addresses. The team discusses the implications of such a leak, emphasizing the potential insights into ransomware negotiations.
Derek (07:20): "The chat replay is always fascinating, especially when companies negotiate for decryption of critical files."
However, the group remains skeptical about Lockbit's operational status post-breach.
Derek (07:52): "This doesn’t mean Lockbit's dead. They'll keep going and be fine."
The conversation shifts to the proposed $500 million budget cut to Siza (likely referring to CISA). Ryan expresses concern over the potential impacts:
Ryan (09:14): "If you're considering cutting Siza's budget, think about the vast responsibilities they handle in cybersecurity."
Bronwyn questions whether these cuts are influencing changes in how cyber alerts are disseminated.
Bronwyn (10:35): "They're changing how they're sharing cyber-related alerts and notifications. Is that because of the budget cuts?"
The team debates the effectiveness of moving from traditional websites to social media platforms for official alerts.
Derek introduces the topic of Dragon Force, a new ransomware affiliate group, highlighting their recent activities and potential affiliations.
Derek (18:14): "Dragon Force was deployed at companies like Marks and Spencers and Harrods. But ransomware can be rebranded easily, making attribution challenging."
The group speculates on Dragon Force's origins and connections to other ransomware entities like Scattered Spider.
Derek (20:14): "Ransomware groups are so disjointed, with members moving between different organizations."
A significant portion of the discussion centers on PowerSchool, a SaaS provider for K-12 education sectors, which fell victim to a ransomware attack.
Derek (21:09): "PowerSchool was hit by ransomware, and while the company paid the ransom, the threat actors are now targeting individual schools for second payments."
The team debates the ethics and effectiveness of paying ransoms, especially when initial promises to delete compromised data were not honored.
Ryan (25:34): "This is a case where paying the ransom is definitely not advisable."
Ryan brings attention to the escalating power demands driven by AI advancements.
Ryan (26:37): "Executives from Microsoft, OpenAI, Core Weave, and AMD are pushing for more power to support AI development, anticipating a tripling of energy consumption by 2028."
The team discusses the feasibility and challenges of upgrading the US power grid to meet these demands.
Derek (32:15): "Updating the power grid is essential, but imagine typing 'enter' on a ChatGPT query and causing a grid outage!"
The episode explores the emergence of AI tools like "Track," a surveillance system that identifies and tracks individuals based on outward characteristics.
Derek (36:28): "The tool isn't facial recognition but tracks people using attributes like backpacks, gender, and clothing."
Gabrielle raises concerns about privacy and potential biases in such systems.
Gabrielle (39:37): "Casinos using these tools to monitor patrons raises significant privacy issues."
A Forbes article is dissected, revealing that 19 billion passwords have been compromised since 2024 through various info stealers, with only 1.1% being unique.
Derek (32:15): "Of the 19 billion passwords disclosed, only 1.1% are unique, indicating widespread password reuse."
This statistic underscores the persistent issue of weak password practices among users.
The team discusses a recent operation where a botnet was dismantled, leading to the indictment of three Russian nationals.
Derek (43:49): "They compromised a bunch of routers and sold access as a proxy botnet. Patch your routers to prevent being part of such malicious networks."
This segment emphasizes the importance of securing IoT devices to thwart botnet formations.
Ryan highlights the push towards standardization in AI, akin to CVEs in cybersecurity.
Ryan (51:36): "There's a growing effort to develop standards for reporting AI flaws, which is crucial for responsible implementation."
The team agrees on the necessity of such frameworks to address the unique challenges posed by AI vulnerabilities.
In a lighter segment, the team briefly touches upon issues related to raising chickens and the associated rodent problems.
Derek (55:05): "If you're considering raising chickens, be prepared for rats since they love chicken feed."
The episode of Talkin' About [Infosec] News offers a thorough examination of current cybersecurity threats, budgetary challenges, and the burgeoning intersection of AI and infrastructure. The Black Hills Information Security team provides expert insights, peppered with engaging discussions and pertinent quotes, making complex topics accessible to a broad audience.
This summary encapsulates the key discussions and insights from the episode, providing listeners with a comprehensive overview of the topics covered.