John Hammond
This is gonna be good. This is gonna be a great show.
Alex
No, we just drop in the live and it's like, we say it's gonna be a good show, and then they're just dead silent.
Tim Medin
I thought we weren't supposed to talk.
Corey
Yeah. What is this, a podcast? We're not supposed to talk?
John Hammond
I'm so embarrassed by not being on the show. Hardly at all because I'm traveling and teaching so much. I'm like, I'm gonna try to make this work tonight, and that's failing.
Corey
I think it's working great. Yeah.
Tim Medin
I still don't. I still wonder. Do you not have electricity?
Eli
I feel like you logged in after the start of this situation. I missed important detail.
John Hammond
I'm. I have to sit outside, which I don't have lights outside because there's no. Because if I go inside, then I have no Internet connection or it's worse. Internet connection. So I'm sitting outside trying to pull down the 5G.
Tim Medin
So this is crappy. Would you rather.
John Hammond
Just.
Corey
I just.
John Hammond
Yeah, it's bad, Tim. I'll call you tomorrow and give you the whole story. But, yeah, it's bad.
Tim Medin
I got a story for you.
John Hammond
Oh, go for it.
Tim Medin
Well, not. Not. No, it's not. Definitely not public story.
John Hammond
Definitely not a public story.
Tim Medin
No, no.
Eli
Does.
John Hammond
Does it involve Kerberoasting a government entity, Tim?
Tim Medin
Got it.
John Hammond
I mean, how does it feel that your shit is in Congress? Like a congressperson, a senator brought up your technique to attack Microsoft.
John (Huntress)
It's weird.
Tim Medin
Like, why? Like the fact the word came out of a Congress senator's mouth just blows my mind.
Corey
I know.
Tim Medin
11 years later.
Corey
Yeah, I mean, you know, they probably took the SANS class. It's fine.
John Hammond
Yeah, the senators are taking SANS classes or his classes.
Corey
Yeah, yeah, yeah. We should. We should tell them about the low cost alternatives we have.
John Hammond
I don't get. I don't get how your tool or your technique is brought up. And I'm the one that's clearly in the witness relocation program right now. How does that work? For the record, everybody, I am not Tim Medin. Please, can you.
Corey
Can you just. Can you be like Dark John today and just only say things that like.
John Hammond
Like that regular John, Like I'm the opposite of bsd.
Corey
Yes. It's like an alter ego. It's like, we should. We take on VC money, like ASAP. Trying to cash out and get my McLaren soon.
John Hammond
Burnout's real because you suck at your job and God's trying to tell you something.
Corey
Oh, can we do a return to office? Black Hills return to office.
Hayden
Oh my God.
John Hammond
BHIS returned to office. And Sturgis, right.
Corey
John, are you at that brothel in Germany again?
John Hammond
I'm not at what.
Tim Medin
That was Dark John.
John Hammond
That's an actual true story. That is story. You know, the context matters because I was there with my wife and kids too. Don't forget.
Corey
Like the rest of that family friendly.
John Hammond
Okay, it was.
Corey
All right, now that we're demonetized, let's roll the finger and start the show.
John Hammond
That's what demonetized us.
Corey
Great job, great foreign. Welcome to Black Hills Information Security's Talkin' About News. It's September 15, 2025. Let's go. We got a star-studded cast, but actually for real this time. We got John Hammond, we got Tim Medin, we got Dark John, we got our regular, you know, normal crew that we have. So I think we could start by saying, I guess Tim, you, you, you Kerberoasted the government. Is that. Is that what happened? I saw the news article. Are you going to jail or what's going on?
Tim Medin
Yeah, what the backstory. So the Ascension Health, which is a big healthcare provider, was compromised, what, late last year. And Senator Wyden from Oregon wrote a letter to the chairman of the FTC saying hey, Microsoft's got to stop supporting these old protocols. Specifically called out RC4. And then lots of new stuff related to some of that thing. So it was interesting to hear. We're like two weeks almost to the dot of when, 11 years after Kerberoasting came out, and now we're talking about it again. Still. I don't know what the right word is, but it was fascinating to hear that discussion about RC4 and not so much the passwords, although there's some. What's your guys? I get some more inside info. Maybe.
Corey
I was, I was impressed by it too. I mean obviously I did vote for this guy. So, you know, full disclosure, I'm kind of a fanboy. But the letter got like increasingly more technical than I would have expected. Like I was learning things. I was like, oh, they're deprecating RC4. Interesting. I didn't know that. Apparently they like announced that, what a couple weeks ago or a month ago or something and haven't actually done it or how long has it been that they're trying to deprecate RC4?
Tim Medin
Well, it's the one interesting thing in Microsoft's response is that they said they qualified it. Basically if you're setting up a new domain controller for a new domain, new forest, then it would be disabled, so.
Corey
Which no one is right Right.
Tim Medin
Because any new company is just going straight cloud. Right. So to some degree it's irrelevant.
Corey
Yeah.
John Hammond
So, Tim, I got a question. Kind of going back to the beginning. Could you tell us how many cons rejected your talk on Kerberoasting before you were finally accepted?
Tim Medin
I had. I got rejected from DEF CON, which I really wanted to speak at. DEF CON. Black Hat rejected me. DEF CON rejected me. I had my code mostly working and a lot of it was by hand and they said, your code's not ready, so we're going to reject you. Which if you've ever been to DEF CON, the free spot on the bingo card is "I was working on my code last night," but I mean it was eight different conferences rejected it. Which to be fair sounded crazy at the time. It's like you have an offline brute force of service accounts without lockout, without sending a single packet to the service. It's like, okay, old man, like, whatever, whatever you say. Why don't you. You're not allowed to come to our conference either because you're clearly going to violate codes of conduct. Like it was. I wasn't good at explaining it is the short version of that, but it was, it was a lot of them. The other thing, DerbyCon let me.
John Hammond
If they got this excited over Kerberos and legacy protocols, like should we tell them about NetBIOS Name Service, WPAD, LLMNR? The fact that LANMAN and NTLMv1 and v2 are actually clear text authentication protocols. Like how down the rabbit hole do we want to go that Microsoft needs to fix?
Tim Medin
Well, that's the interesting thing that they brought up is they're like, hey, these old protocols need to go away. And of course the deeper discussion is how do you balance backward compatibility with security. Right. And it's tough because if I'm making a business decision, I want my systems to stay up. I don't want them to go offline with an update. But at the same time, at some point you got to draw a line in the sand. It's just a.
Corey
Also, what about the. Just struggling pen testers out there on an internal pen test that just don't have another option. Okay. There's ADCS. Nothing to exploit or things. All you got. It's like your. It's like your gift. Also, can't you still Kerberoast even if RC4 is disabled? Like there's another hash type. Right. But yeah.
Tim Medin
So that's one interesting thing related to this, this article. So you can still do Kerberoasting with. With AES 128/256, it's just that it's about. Depends on the benchmarks, about a thousand times slower. The info that I've gathered on the Ascension breach related to Kerberoasting, and I don't have this verified, just to be clear, is that it took weeks or months for them to crack this specific password, which means if they had actually used AES rather, it effectively would have taken years, plural, it never would have happened. Which realistically means that bad guys give up. So it kind of brings the RC4 matters even though the fundamental problem here is a crackable, guessable password.
Corey
Yeah. And I mean in most environments there are other channels to domain privilege elevation. Right. But this is Kerberoasting is like the direct and easy path like that that is like in most. I mean it's either that or ADCS. Right. Like, or maybe what John said. But we're seeing decreasing of that like LLMNR and over time. But I don't know. It's cool. I think overall I agree. Like there is a part of me as a pen tester, it's like, how long is Microsoft going to keep getting away with this? Because constantly I have to tell clients, oh yeah, sorry, that's a default Microsoft thing. And there's a long list of those. Right. This is one more. I guess they've said they're going to deprecate it, but I mean, how do you even go about doing this? Wouldn't everyone be upset if Microsoft was like, oh, it's just off. Everyone, everyone who had it, now it's off and you don't support RC4. And then like there's a CrowdStrike type deal where some vendor stuff just goes down because they're somehow using Kerberos and RC4.
Tim Medin
Well, and I would guess that would be the case too because if you've got that old system that doesn't support AES, there's a reason you have that old system because it's freaking matters and it's probably critically important. So I think you, I think you would have that. It's a great point.
Corey
Yeah, I mean just. Yeah, exactly.
Guest Expert
I mean I would think that would affect OT systems such as the electrical grid, the water, the critical systems out there that we all know have to have a bunch of these legacy protocols. I mean some of them we know run Windows 95 still. They're running NT4 still because that's what the software runs on and they can't bring it up to date or at least not up to date yet without shutting everything down for the most part.
Corey
So. And if. I don't know. If you don't know, Tim, don't let me put you on the spot. But do you know with Ascension, like, did they have a reason to have RC4 enabled or was it just a default thing? Like they just had.
Tim Medin
It just sounds like it was default. I, I had, I don't have any inside knowledge on that, but it just sounds, I mean, it's the default unless you explicitly go in and turn it off. It's there, it's available.
Corey
So there's a list of people who, if you disable RC4, it'll break everything. Then there's a probably much larger list of people who just have it because it's default and don't actually need it. If you run a domain, go disable RC4.
Tim Medin
If you want to figure out which systems need RC4, you could turn on the auditing for Kerberos. I think it's 4729, if I remember correctly. Look for explicitly the RC4 tickets. Set up your policy. Disable a. Sorry, RC4 for everything except those specific systems and then, you know, develop a plan to get rid of those. And also make sure those service accounts have a good password. You've got to mitigate.
Hayden
Yeah.
Corey
And another way to blog about this.
Hayden
Well, another way to find out what, what relies on it is just turn it off and see what breaks and who complains.
Tim Medin
Well, there's that Mr. I Want to set the world on fire.
Corey
But yeah, we actually do have customers who do that and they're my favorite customers. Anything else on the Kerberoasting thing?
Eli
Well, I would just think that they can make a lot of progress just by. Without actually removing RC4, pushing an update that just turns it off as a default. Like makes the default something actually decent out of the AES. And then yes, a lot of things break, but a lot of things break for 20 minutes to a day while a sysadmin goes, oh no, I have to turn that one back on. Like, you're absolutely right about the auditing and how to be careful and how to deal with it yourself right now. But if they want to fix how many places are wide open just pushing the defaults over and like making it actually push the defaults instead of stay the way it was.
Tim Medin
Well, the key is that I can request the RC4 because Microsoft actually responded back and said RC4 consists of 0.1%. So 99.9% is good. But to some degree that's irrelevant because I can request the RC4 and as an attacker, that's what I want, that it's because it's available to me, makes this issue exist. The fact that everything else, when placed properly, uses AES doesn't really matter because I'm like, well, I'm just going to downgrade.
Corey
Yeah, that's the same with NTLMv1, right? Same exact situation. It's like most machines use NTLMv2, but there's like, it supports NTLMv1, so it doesn't matter. Like you don't, you don't get security, you get an option to enable security.
Tim Medin
Right.
Corey
All right. I think that's, I think that's a good coverage of the Kerberoasting thing, unless anyone has any final takes. The other thing we have Mr. John Hammond here to discuss is the very widely thrown Huntress blog, which I guess we were joking before the show that it's drama. I don't really personally see it as drama. I mean, I guess John, like how many people actually reacted negatively to this? And I saw some like hot comments on LinkedIn which like, somehow it's like LinkedIn is just the Facebook of security. I don't really know what's going on. But like, were people upset about this? Like, why?
John (Huntress)
Yeah, short answer is yeah, some people.
John Hammond
Were upset about it.
John (Huntress)
So I was super excited to kind of help get this blog out the door because I think it is a super cool story of like, oh, threat intelligence, kind of seeing what a cybercriminal does for their day to day work, their operations. And we were really hoping, oh, the education would be all on that, on the threat actor antics, what a hacker's up to. So I had helped Scream and Shout and got it out on Twitter and on LinkedIn and I think that is really where the fire started to burn a little bit. The Twitter post had a lot of different comments. Kind of wondering, hey, is what you've done seeing and observing a threat actor doing threat actor things, is that an invasion of privacy? Are there like ethical concerns? Does this make you any different from a criminal? Which was a surprising reaction, truth be told. And there's the chatter on LinkedIn just as well. Somehow it got to the front page of Hacker News and it was all a little bit over Reddit. And I had to help some folks understand. I think that this is what a managed security solution does to, hey, dig into malware and investigate the endpoints. When you have security operations center analysts that investigate malware alerts on an endpoint. Yeah, so look, I don't know, I'm more Interested in your hot take? What do you all think? I see the perspective. I understand. But I still think this is now just a standing ground for the education.
Corey
I guess I would say it's not hacking back. If they deployed your Incident Response Agent on their machine. That's not hacking back. That's like, that's like me coming into your house and being like, hey, man, your door is super unsafe here. Why'd you let me in? Like, I don't. Like, it doesn't make any sense to, like, they literally gave you access to their information. So if they, I'm sure they signed a license agreement, an end user agreement that said, by installing this software, you are going to share this information with us by doing this, you know, like, it's, it's bulletproof from my perspective.
Hayden
But that's the part that confuses me the most.
Alex
The question that I wanted, did they read the EULA? Is, is there? Was. There was the EULA, but from what I see of stories is that there's stuff that was captured before they installed the tool. So when you, you go, it's like, how could they, you know, did they retroactively agree to that, saying, hey, when. As soon as I install this tool. Yeah, you're capturing metrics. But if I install this tool and you're then publishing screenshots of the things that I did before and yeah, I can defer to knowledge.
John Hammond
Yeah, Alex, it's perfectly cool because they installed Disney Plus, they signed up retroactive.
Corey
Fun fact. That actually got shut down. We talked about it last week, but yeah. So, John, what's your take on that? Like, do you have a reaction to that?
John (Huntress)
So a lot of folks again are wondering about, okay, the trial and then, yes, those terms of service, those privacy policy, the EULA that they would accept by installing the product. And it is a managed security solution and the trial includes everything. And they went through and clicked the box, they enabled, they checked managed EDR, managed ITDR and managed SIEM solutions. It was actively sending the logs and artifacts because that's what they chose. But to the point of, okay, what about the things before, John?
Tim Medin
Sorry, what.
John Hammond
What if they didn't know what those things were?
John (Huntress)
This is where you kind of have to say, this is a thing for.
John Hammond
You can't tell because it's dark, but I'm giving my jackass face.
Hayden
It's like attacker natural selection at that point, I think.
Corey
Yes, correct. Yeah.
John (Huntress)
But to the question of, okay, what about the things that look like they came from prior to the Huntress installation? Because the agent, it was only installed for like an hour and a half. Once the SOC sees and, oh, is investigating the alerts and understands this is a bad actor, we terminated their trial and uninstalled the agent. But because they're doing the work of to investigate malware, how did it get on the computer? That means retrieving and tasking Windows event logs and browser history for files downloaded, malware that could come from a browser, as most tend to do. And that is where folks really had the confusion, I think, or the misconception of this was some weeks, month-long surveillance thing. But no, that's, that's the browser history artifacts and then recreating the screenshots of what the hacker saw were by clicking the link or going to the URL to see what that was.
Corey
It's, it's key to note here. It is your choice how long you choose to maintain your data on your computer. If you have your browser history, never delete. That is your choice. If you have, you know, if you never clear your own data off your computer, it's there forever. And so if in the future like a tool collects that information, whether it be an EDR you installed or an info stealer you installed, that information is at present date and however far back you decided to keep it. Right.
Hayden
I mean there's at least some solace in, you know, people talk about in the security space sometimes our end users do things that are very questionable and we struggle with those things. At least the attackers also suffer from the same stuff. We're like, what, what did you hope to gain by, by doing this? Why did you think this would go you So I just don't understand the thought process behind hey, I'm going to download this and I'm going to run it and we'll see what happens.
Corey
Oh, it's for testing to bypass it.
Hayden
Oh, of course, yes, 100%. I mean that part makes sense. However, there is a byproduct to that.
Corey
That they clearly didn't anticipate. Testing EDRs and SIEMs is one thing. Doing it on your like main bad guy computer, which by the way, I think this is a detail, John, correct me if I'm wrong, but which had the same host name they were using to attack other computers. So like you had the ability to pick up that they were a threat actor based on their host name because they had to use the same hostname in previous attacks, right?
John (Huntress)
Yes.
Tim Medin
Yeah.
John (Huntress)
And this I'll admit are where we should have had a little bit more in the blog. So I'm trying to help get a little bit more context out the door. And I hope I can, oh, get a silly stupid YouTube video out to kind of cover a lot of this. But we had found other partners' credentials on the hacker's computer and that is what kind of. Hey, okay, now this is a real threat. This is something where, okay, it's affecting other companies and we know and confirm, confirm that because it attests for other individuals we protect.
Corey
Yeah. And it's also just not that different from any threat actor. Like go read any Mandiant blog or any blog about a threat actor. Their, their habits, their hours they work, their browser history, tools they use. Like, this is just what incident reports look like from my perspective. And like I, I do think like normalize publishing incident reports for stuff. Like I think, I mean that's obviously what we do at Black Hills, not publish incident reports. But our mindset is if you can make it public, make it public. So like me for one, I think, you know, you, this made the community stronger and also just an OPSEC warning for hackers. Like if you're a pen tester, you got to have better OPSEC than this. You got to assume the same is happening.
John Hammond
Since I don't understand much. What were the arguments against this? Was it like Huntress violated the privacy, and if so, what were the big concerns?
John (Huntress)
That was one of them. There are a good handful, but the privacy concern is the big one. Oh, is Huntress spyware? Is the EDR a command and control?
Corey
Yes.
John (Huntress)
Is what you've been doing exfiltrating or stealing customer info? And a lot of things with that. There are a couple wondering points of, oh, how come you can remotely uninstall the agent? A couple different things here and there, but mostly kind of center around was this ethical to put out this information? Did you dox this threat actor? And what was the threat actors privacy?
Tim Medin
It was.
Corey
There was no webcam photo. It was fun.
Hayden
Yeah. It wasn't like that big Mandiant report where you started showing their pictures and their buildings they worked in.
Corey
Yeah, yeah. Like, compared to like, I don't know, even the people who go after like scammers and you know, overseas. Like those people are like on the live camera feeds for these people being like, hey, what's up? I see you just got a burrito for lunch or whatever. And the people are like.
Tim Medin
I'm curious too, on the people who say it was a privacy violation where they're from. Like, are they European where they have the stronger GDPR and just a self. Well, I don't know what the right words are. But their view of privacy versus an American company, it's like, you mess with me, we're going to dump it all sort of a situation. I have to think that's a significant line in that sand.
Alex
Yeah, I think there are some good snippets of information that the community just took out of context. Like they didn't have that context. And you had a lot of people just jump on for getting the likes or thumbs up or getting the traffic of being like, I am going to come at this looking as though like Huntress had ill intent. Because I don't. I can't be bothered to understand the context. So I'm just going to go full force with the ill intent. Which yeah, you read something in like a small 255 character hot take. Yeah, they don't have time for context. They just want to have that retweeted and reblogged and you know, just go from there.
Hayden
Because saying cool report is not going to get you any likes.
Corey
Good job, guys.
Tim Medin
Well, I mean the practical aspect, if they wanted what, take it to court, they got to like file under their own name and be like, yeah, I'm Vladimir.
Corey
This is the classic, this guy stole all my drugs. Yes, right. Like that's not, it's not going to go well. It's like the insanity plea or something.
Eli
But also I think a lot of this is because it was a juicy, exciting report and I think it got broader looks than a lot of these things get. And it was enticing. So people listened through a lot, but a lot of them didn't know what they were looking at and are not people who understand. Like, they may know there's an EDR running because their company does a thing, but that doesn't mean they know anything about how it works.
Hayden
Yeah, they're in for a very rude awakening when they understand how EDRs work that their companies deploy.
Corey
Right? Yes. And that was my take too. Like there was a CISO or someone who posted like, I would never buy Huntress. I'm like, well, what product would you buy? None. If you wouldn't buy a product that collects information on the behaviors of the users that install the product that's specifically designed for analyzing behaviors of the users who install the product. I don't know what product you'd buy. Like ClamAV, I guess.
Tim Medin
I don't know. Yeah, I don't get that either because it's like I don't want one that looks at my browser history.
Corey
Cool.
Tim Medin
Guess what you're blind with every. Any of your user activity.
John (Huntress)
I don't want that.
Corey
Yeah. Also, that isn't how forensic images work. Like what is it? Forensic image collect everything.
Tim Medin
Right.
Corey
Like, you know what I mean? And then it's up to their responder to deal with that data ethically. And that's what people. That's how MDR works.
Hayden
It's just typical social media.
Tim Medin
And MDR intent. What's the difference between EDR and a C2 intent? Like they all have the same functionality. It's just. What do you do with it?
Hayden
Yeah, it's all about context as people just see something and they see 50 characters of it and they get all ticked off and then they decided to run with it. Like I looked at the article at first and I was like, wait, what happened? And then with a little bit of critical thinking in about five seconds, I realized what was actually going on in that article. And I was a little confused why people were so ticked off about that. I mean, I guess if you're not technical, maybe I can't remember who made the point, but specifically like European GDPR, like that kind of stuff I can understand, I guess, sort of where they were originally trying to come from. But then it just became like an echo chamber that was probably like 80% bots. So.
Corey
Yeah, I mean, yeah, there's some good points in. And Discord. Like Jeff brings up that, you know, Velociraptor, which is an incident response tool, has been used for, you know, by threat actors to distribute malware. I mean, I could tell you if you read enough incident reports, you'll realize the threat actors always go after EDR and they use it for persistence. Yeah, because you like. Yeah, I mean if you go. You can literally run response commands on any machine and even if it's air gapped. I mean, in most cases, depending on how it's air gapped, but if it's, if it's segmented, you could still use EDR to control it. So.
Hayden
Because, because in the Black Hills SOC, we have a detection for Velociraptor and we use it, but also we would love to know when somebody else is using it that isn't us.
Corey
Yeah, yeah, totally.
Hayden
So I mean any, anything can be used for evil. I mean, I imagine when ScreenConnect and TeamViewer and stuff were made, that wasn't the original intention, but here we are.
Corey
Yeah.
Alex
Yeah. As for recording stuff and, and having all those details like, yeah, there, there are plenty of, you know, like HR cases to where it comes to the conclusion I was like, you didn't. You do know that we saw all of that stuff that you did? Like, that's all recorded. Like you thought you were being sneaky by using. By trying to take like, you know, the sales contact info and transferring that out of the company, thinking that we're not going to see that. Like, no, we, we log a lot of stuff there that when HR asks us to find that stuff. Yeah, we can find it.
Corey
Oh, but I put subject confidential in there.
Alex
So I put confidential in it. Like the IT team absolutely cannot look into that file or create voice call.
Tim Medin
Well, no, that's very much a US centric piece there because like I went to a talk, it was someone from New Zealand and they had an American lawyer and like the. In a person had it on their desktop. A folder name, something like personal or something like that. And the, the, the IT team was not allowed to look in because of privacy, which is mind blowing when it comes to like us Americans, we're like, we don't have privacy. Right. Like, it's just that cultural and the legal stuff that's implicated in those different countries.
Corey
That is true. A lot of what we're saying here with privacy and expectations of privacy are US centric approaches. Al, I have to assume EDRs and MDRs who operate in Europe probably have the same data collection. Maybe not, but I would guess they do.
Hayden
I imagine you agree to it when you install.
John Hammond
So a couple of things about that. First thing, the new iPhones are waterproof because it's raining. And I think that's fantastic. But a lot of energy. I don't know who said that I need to go get a hoodie, but the hoodie is coming in. Very beneficial now as it is raining. I don't know if you guys can hear it.
Hayden
Yes, we can.
Corey
Yeah, we can hear it.
John Hammond
It's raining.
Corey
Are your words dripping away like tears in the rain?
John Hammond
It is. Oh, my gosh, a Blade Runner reference.
Alex
Nice.
John Hammond
Time to go now.
Corey
Wow.
Hayden
You said your phone's waterproof. You should show it to us.
Corey
Dark. Dark. John is so emo. I love it. Yeah.
John Hammond
But I'm a little worried about it.
Corey
It's raining. He's in the dark in his hoodie, just getting wet. That's how much I love. Anyway, so much.
John Hammond
I love you guys. But a lot of SOCs and MDRs, they. Well, one, German companies tend to be more insane than the rest of the EU. But a lot of other organizations, what they do, if they're doing MSP, MSSP, MDR, is they set up specific siloed instances for each one of their customers. And then those systems are usually siloed in such a way that it's owned and managed by that customer technically. And then the MSP MDR comes in and manages it for them. So it's a really weird kind of dance. Somebody said, my studio effects are on point. You know what? I've had better Internet coverage on the side of a mountain than in town tonight. But. But no. GDPR is a weird space. It's a really weird space. I remember I once had some lawyers. They were like, we can track nothing, nothing of our users on how they connect to the Internet. I started going through initial sequence numbers and TCP/IP, and I literally had a lawyer in Germany tell me, we need to shut this TCP/IP thing down. If it's tracking people and their connections on the Internet, we need to shut this down right now. And I'm like, I'm just gonna stand back and let this play out. And it was a delightful, delightful meeting.
Corey
I think we're moving on to normal articles now. Unless anyone has any final hot takes, John or anyone else. Final thoughts on.
Tim Medin
Yeah, final thought is Huntress. Good job on what you did there. I stand.
Corey
Yeah.
Tim Medin
Thing and go down that rabbit hole. But I think what you did was right. Good for you.
John (Huntress)
I don't know. I'll fill in the game.
John Hammond
I think Huntress. I think Huntress should have found the hacker and they should have, like, flown to his house and then giving him the paperwork so he could sign it and then bring him some donuts. Or her. Some donuts. Or they. Whatever. Bring them some donuts and maybe a cup of coffee. And then they could talk about the implications of the hacker installing their EDR on their computer system. Then, John, you personally should have given them a user awareness briefing on privacy and what they could have done to protect their data. And then, and only then, could you take the data off of their computer.
Hayden
Is that all the GDPR stuff now?
Corey
I was gonna say don't spoil the next blog, John.
John Hammond
GDPR. It's the GDPR ng, guys.
Corey
Oh, so that's the next thing.
John Hammond
I want you to go back and I want you to talk to the bigwigs at Huntress, and I want you to let them know that I think that this is John's. John's clearly hiding from a drone strike. That's next week. I'll be in Poland.
Corey
And.
John Hammond
And we're happy to help. We're here. We're here to help you guys get better. Well, I will say, you know, there's somebody from marketing at Huntress that are like, kill the feed now, John.
John (Huntress)
On a note of some of those things though, we do have a Huntress sensitive data mode and I do want that to be explicitly clear. All the hacker has to do is.
John Hammond
Give you their address and you'll show up with donuts and a subpoena.
John (Huntress)
But sensitive data mode does disallow security operation centers to task or look at files of a certain type. You just kind of have to ask for that to be turned on. And then. Yeah, normally for like compliance and regulation stuff that removes that question mark, but that is something that's still.
Corey
Okay.
John (Huntress)
Partly education. We want to get out the door. Another thing I think we've been laughing and having a little bit of fun with though, just as you mentioned about. Okay, can we get a privacy-first EDR something? Cash only. Monero, Bitcoin, right?
John Hammond
Oh my God, yeah.
John (Huntress)
But wait till the Internet finds out what pen testers do.
John Hammond
Hey now, hey now, hey now. Too close to home, John. Too close.
Corey
I would never hire a company that pen tested and actually tried to do real hacks. That would be highly dangerous. And I might get hacked on the.
John (Huntress)
Box looking for SharePoint passwords.
Corey
Oh my goodness.
John Hammond
No.
Corey
Horrible idea. Privacy nightmare. All right, the other article I think top of my list at least is the Jaguar. Jaguar. I don't, I'm just going to say Jaguar because I'm American. I'm sorry if you're British and you're going to say that. It's like how I feel when I hear aluminium or any.
Hayden
When you hear it wrong.
Corey
Basically Land Rover and another cat based car company are potentially facing bankruptcy due to the hack crisis. And basically the story here is they've been down ransomware for two weeks. They self, you know, they self burned, they turned off the Internet. The big thing here is the reason I want people's hot takes on this is. So I'm assuming this company is based in the UK and the UK recently banned paying the ransom. That's why I'm like, this is kind of a hot take where basically the article says, you know, supply chain is going to go out of business. Obviously there's supply chain way outside the UK. But I guess my, my thing is like, okay, if the government's going to block you from paying the ransom and then you get into a scenario like this where it's going to take weeks to recover, should there be some kind of safety net for you? Because like you're not allowed to just pay a hundred thousand or two hundred thousand dollars to get your data back. So what do you do?
John Hammond
No, Corey, you cannot do that because that's socialism and socialism's bad.
Corey
No, no, but it's the UK. It's in the UK.
Tim Medine
This is like real world because there's.
John Hammond
No socialism in the UK. Sorry.
Tim Medine
This is the real world tragedy of the commons, right? Where collectively it's good if not a single one pays. But individually they're pretty much incentivized to pay every single time. I mean it's the real world tragedy that comments like and for each individual organization to be like, yeah, probably you should just pay it. But as a, as a whole it's easier to. The right answer and try and air quotes is never pay.
Corey
Yeah. So should they pay for. So should the government pay for this company's lost revenue or lost profits or like whatever. Like if they're preventing someone from paying the ransom, should they give anything in return? Or is it just a sorry, sucks to suck?
John Hammond
I think, I think it's probably going down the sorry, it sucks to suck because no one is in a position of authority to actually step in and address the situation. So everybody is going to stand around and watch this go down. And you know, all joking aside, I really do feel bad for the people at Jaguar and, and I what they're going through. It really sucks to be them. Like you said, it sucks to suck, but I, I don't know. I don't know how this positively ends for them. I just don't see. I mean, I hope they work it out. I hope they're like, holy. Turns out we did have backups this whole time. Our bad.
Corey
We forgot to look at the backup slash backup folder. Oops.
Eli
So like there's a few different. There's a few different pieces about this and about that.
John Hammond
Only used Huntress, then Huntress would have all of their backed up for them already.
Corey
I don't think that's true.
John Hammond
Yeah, I, I know.
Eli
But if they had Huntress watching there, I don't know, theme or something back then, it'd be fine. Right?
John (Huntress)
I went off camera. Now I have to come back myself.
Corey
John was off camera taking a call for Huntress. Legal.
Hayden
I was gonna say, you can't talk bad about Huntress unless he's on the call.
John Hammond
I was gonna point out that I didn't notice that he was gone. Oh shit. That seems bad. But once again, no joking all aside, like this sucks for them and I really wish there was a way that they could get to a positive end. But if they don't have good backups that they're not allowed to pay and there's no government assistance for them not paying. It's going to be one of those things where it's going to burn down one, if not two amazing legacy brands and then eventually the UK will get together and find a way to address the situation after, after its ashes. And that's the part, that's the saddest part. I hope that they work it out. You know, if you're on that security team, our hearts go out to you. All joking aside and good luck because you know underneath the hood you're gonna have the security team talking about backups. The security team I'm sure was clamoring for all kinds of protections that kept getting shot down by corporate and it's just their lives are shit right now and I feel for every single one of them.
Corey
Dark John it is bad and I.
Eli
Want to, I want to fix a little something that Corey had said. It's not that Jaguar Land Rover, which is like a combined company at this point. It's like GM with their 50 brands except they're not GM anymore. It doesn't matter. Like Jaguar Land Rover. No, Jaguar Land Rover isn't fine. They're 4% of the entire exports of the UK Jaguar lamb.
Corey
But they have the cash to get through it though. It's a cash crunch. That's the thing.
Eli
Like this is where they do have the cash as far as we know, to not completely go under. But there are a bunch of these other companies that do supply them and don't supply anybody else and don't have any work to do and can't sell anything, which means everything else that goes along with them. That's where they're facing bankruptcy.
Corey
That's why I was blown away by.
Eli
Like how gets themselves back moving. That's so many pieces. Like think about how much of their export just isn't happening because they're not making any more cars right now because they had to shut down all the systems that run it so that they don't get even more pwned.
Corey
Yeah, yeah. My thing is like, I mean this is where I wanted to ask Tim and John, like this is a two week cash crunch. Our budget's that thin where you have to lay off 40 people after two weeks. Like is that normal or is this just like an auto supply industry thing? Like as the owner of a small company does a two week, like if you stop getting paid for two weeks would you just be like, well we're bankrupt. Like that seems like a really thin margin to me.
Tim Medine
Well, the piece, I mean, like, was it during COVID? Like, all these giant companies, they, like, you know, didn't make a bunch of money. Like these, these giant companies can get their money, and I'm not saying it's simple. Right. But they. How many of these big companies don't have a profit for months or even years, and somehow that's okay and like, whoopi frigging do, about two weeks. And I know I'm oversimplifying it, but I just.
Corey
Yeah, yeah, I don't. I, I guess I don't know how these types of supply chains work, but I was blown away. Like, as a automotive supply manufacturer, supply chain person, I can't imagine how you could just assume that the money comes in and if it doesn't, for two weeks, you have to just completely shut down. But I really don't understand how these manufacturing, like, environments work. Like, I don't know. From my perspective, it's kind of the classic reason why ransomware still works in 2025, because everything's complicated. Oh, sorry, John.
John Hammond
I was just going to say there's a lot of history leading up to this. Like, Jaguar and this whole auto group was in trouble before this even happened. This was the absolute worst time for it to occur.
Tim Medine
Yep.
Hayden
I mean, maybe that's part of reason why they got targeted, perhaps as they realized that they might not have had enough money for what they. They should.
Corey
The wounded. Yeah, the wounded companies at probably an easier target than the healthy one that has their backups on lock.
Hayden
But, but switching that. Why would you attack the company that says they have no money? Because you're not going to get a big ransom out of that.
Tim Medine
It's opportunistic. They land there. They're like, cool, let's deploy this stuff, see what we can get. Right.
John (Huntress)
I want to party on Friday.
Tim Medine
Maybe we get a couple of bucks.
Corey
Yeah. And also, I mean, like Aisling said, the. The supply chain is the problem, not the, the company itself will probably survive. They have X number of millions of dollars or whatever. Maybe not, but presumably they will because like Tim said, you could just be like, oh, another loss. Sorry, shareholders, we need another loan for $200 million, but a, you know, small company who's making widgets or whatever doesn't have that ability. Yeah.
Hayden
And, and I doubt anybody that they're letting go is like, very specialized, like, skilled folks. It's probably just a lot of people that are like, less specialized that are getting let go, because that's Just, you know, they can find more. And so those are the ones that are going to suffer. I imagine competitors would scoop up anybody that they'd let go if they were very like advanced in that industry.
Corey
But either way, this is the first high profile UK ransomware since they banned paying the ransom. And I don't even know if that ban has gone into effect yet or not. But yeah, I mean it's just kind.
Hayden
Of a going well apparently.
Tim Medine
Yeah, I mean, I think the real implication here is the next company because if they get these, get spun off at a loss, somebody else buys them for cheap. So I think some other GM or whoever the hell it is is going to be excited to be like, cool, we can buy them for 50 cents on the dollar.
Corey
So, so. And they haven't been doing well. They haven't been doing well for years. I think they've gone bankrupt like eight times. All right, has anyone looked into this Villager AI thing yet? This is kind of another spicy one. I, I can't actually tell if this is malicious or not. Like I genuinely don't know. But basically the article is there's this AI powered tool called Villager. It's published by a company that isn't really a company based on everything we've seen, it's called Cyber Spike. I can't tell if it's just a backdoor or if it's really just a real malicious, like a real toolkit that pen testers would want to use. But the downloads are sp, so people are trying it out. I'm assuming it's backdoored, so I haven't messed around with it much. But basically supposedly it's like a pen tester, AI MPT or whatever. What is the thing AI thing that connects all the things? MCP? Yeah, that one. It's an MCP client and it apparently it just has 4,000 prompts to do pen testing things and like spins up infrastructure containers and then spins them back down. I mean, has anyone messed with this? Any AI people dug into this source code at all or any analysis? Because I like it looks I want to dig into it, but I also don't know what I'm doing.
Tim Medine
Every AI pen testing tool I've seen is just Nessus with benefits. I have yet to see one that's really not. I don't know. The big thing about a hands on pen tester, of course I'm biased, is that the smart pen tester takes pieces, puts them together and the AI at least doesn't do that yet and they just generate a report and call it a pen test. It's your, it's your age old, fancy, crappy pen testers old man rant over.
Corey
I mean, I, I, I'm not going to disagree. I think that's a pretty reasonable rant. I don't. The thing is the every, every blog about it says, oh, it has 4, 000 hard coded prompts in it for pen testing things. I'm like, what are they? I want to know what that is.
Tim Medine
80,000. I mean, okay, cool.
Corey
I know. I just want to know like is it run Nmap against and then just every IP address? I don't know.
Hayden
Like that just sounds like almost like a vibe code. Like you could go to Claude Code and be like, hey, write 4,000 prompts for pen testing. Different things go. And then you pay Anthropic like 500. And then there you go, you got this new tool. And so I mean it's, Yeah, I don't think you can say it better.
Eli
With the whole non deterministic thing. Doesn't that mean it's got like infinitely many possible tests and you never know if you're actually going to get coverage?
Tim Medine
Well, that's deep, man. That's deep.
Alex
Yeah, but you know, for like the vibe pen testing, like there are companies out there that would, that, that passes their checkbox and then they can say like, we, we did like just, we did a pen test and it was AI powered. We, we had, we did an AI powered pen test and we, we passed with flying colors because it just does rudimentary stuff.
Hayden
Yeah, I mean, well, Jira is AI powered now. And so, I mean that has it fixed a whole lot with Jira. So AI powered.
Corey
I don't know what you're talking about. I thought someone was just plagiarizing or not plagiarizing, but like vandalizing all the articles by just underlining random things. I was like very confused. I don't know what's happening, but someone's just coming into my Confluence and underlining things that I don't understand why they're underlining them or who's underlining them.
Hayden
I sent a ticket to a SOC customer and it did that for BHIS. So if they wanted to know who we were, they could click it and it would define us for them.
Corey
But does it actually.
Hayden
Yeah, does it actually, it did. Okay, if I clicked it to see, like, why are you doing this? What are you gonna get it right?
Corey
I would have guessed it was gonna.
John Hammond
It was actually pretty okay at defining us. You know, I did all right.
Corey
Yeah. I don't know. Basically, I guess if nothing else, let the Villager thing be a warning to not, like, download it and mess with it. It's probably. It's. I'm assuming it's backdoored.
Hayden
Yeah. With how many I was looking popped and, like, backdoored and everything. I'm scared to download things now. Yeah, I don't want to download anything anymore. I just want to have my computer off all of the time. I think. I think that's really just the only way.
Corey
You know what you should do, Hayden, is you should download the Huntress free trial. Oh, yeah.
Hayden
Well, I mean, one thing that Huntress has clearly demonstrated is if there's evil on that box, they will find it, so.
Corey
That's true. The other, I was also blown away by the way they have a free trial. Like, not that many companies do a free trial these days.
Hayden
Well, it clearly worked out for Huntress.
Corey
In this case, too.
John Hammond
I do wonder how much, like, the marketing team at Huntress is, like, looking at this and, like, man, this is actually good press for us because people were like, damn, look what they got. So, yeah.
Corey
Does anyone have any articles they want to bring to the. To the group? Anything?
John Hammond
I think I've done enough to this podcast today. I think I've done plenty.
Eli
But what about CISA going. No, no, we take it back.
John Hammond
Oh, for the CVE stuff.
Eli
Yeah.
John Hammond
Yeah, that was.
Eli
No, no, we didn't mean to defund MITRE. We didn't want that to die. It's ours. How dare you touch.
John Hammond
I think they have new management in and everything's on fire, and they're like, you all did what now?
Eli
So it does sound that way.
John Hammond
Someday that comes out for what happened at CISA, and I'm. I'm. It's going to be a great book because that was bad there for a while and it's dangerously close to politics when we start talking about that, so. So I don't know. We might skip that one. But I'm glad that they're coming back. That's good. Let's just hope that they come back and then it isn't two weeks from now. Like, no, no, no, no. We're getting rid of all of this. So.
Corey
So, okay, like, I don't actually know. What is they basically saying? We're taking this away from MITRE and we're bringing it in house? Is that what they're saying?
Eli
Or like, they posted blog? That's a vision statement. So it's super vague anyway, in a lot of respects, but their basic position is, oh, CVE should not be something controlled by some sort of coalition of different entities who have, you know, prior interests and might push particular agendas. The government should do it. And that's us. We set up a thing earlier this year and we took away money and we don't mean it anymore.
Alex
We were confused.
John Hammond
There was talk of cutting that program and now they're like, well, we should keep it.
Corey
I mean, they got to remove all the woke CVEs though. I mean, come on.
John Hammond
There we go, right into the politics. Just straight into it, just right there.
Corey
All right, that's all the politics for today. Thank you for listening. Yeah.
John Hammond
And with that, that's the end of black history talking about news.
Corey
But seriously though, I mean, you know, there are certain products that, you know, if they have CVEs in them, could affect a very certain, you know, population control over that. I don't know.
John Hammond
Or the other thing about it is, you know, hypothetically, I think, you know, one of the main concerns is some companies will have better connections than other companies and maybe their CPEs don't get published. And I think that's one of the concerns about this is at least from what I've been talking to people about.
Corey
Yeah, I mean, I think this is a great example of where like I do think the government should probably be funding this and making it neutral and non biased and impartial like it really should. It's a public service. There's millions of products or, you know, possibly billions of CVEs that needs to be. That's like public, public good. And no one could afford this on their own. Right. Like CrowdStrike's not going to fund the CVE program or whatever. So although it wasn't even that expensive, I think we talked about in the show was like $90 million or something like that. Like a classic, like GDPR fine for a tech company. Right.
Hayden
Like that's just a normal Tuesday for Meta for doing something.
Corey
Yeah, it's like 15 minutes for like stealing people's Wi-Fi or something.
John Hammond
Wait, there's free Wi-Fi to steal? Wait, where is.
Corey
Could I connect. Where's the password?
Hayden
Can I get some of that Wi-Fi?
John Hammond
Where's the, where's the Wi-Fi? Are you hiding it, Corey?
Corey
Like yes, yes, if you, if you. I like how you slap your webcam on John, even though it's just purely black screen. Yeah.
John Hammond
Keeping it up for a. For reasons unknown.
Corey
Yeah. All right.
Eli
John's progress to the dark side is complete.
John Hammond
It is, it is now, now complete.
Corey
So any other, any other articles?
Tim Medine
One that was interesting from an incentive perspective was the Quantum. So the, the Qantas one was the. The executives had their bonuses cut by 15% following an attack in July. Like, you want to incentivize people to care, you start taking away literally millions of dollars from them.
Hayden
Nice.
Eli
I love that idea. But unfortunately, 15% across all of them was only a half a million Australian dollars.
Tim Medine
Oh, so you don't get these. But still, I mean, 15 jump up. I don't care how much money you make. 15% is. You notice the difference in the check.
Corey
Yeah, right.
Tim Medine
Like that you want to incentivize at the top. Like, you start hitting the bonuses of the big dogs who are incentivized by bonus more so than their salary. I thought that was an interesting take.
Hayden
And then a security investment in the company is also an investment in their bonuses. So that, that's how you know they're not only going to fund it, but they're going to do it correct and make sure it's.
John Hammond
It's.
Hayden
Well, they're going to try and make sure it's done correctly, at least more so than maybe before.
Corey
I definitely think that's a good mechanism. That's the lever to pull if you want. Like that's a rare case where CEOs having a significant chunk of their pay being bonuses actually benefits the shareholder. I mean, we got to touch this chicken article real quick. Just because we have one.
Eli
Crack it open.
Corey
Which for those of you that don't attend the show regularly, this is going to be very confusing to you, but basically we talked about it last. I don't want to. I want to be clear here. I am making this up. However, last week we talked about how we bought some eggs from Russia. Okay. And now this week, we get an announcement that Rose Acre Farms, which is the second largest producer of eggs in the US Is hit by ransomware. My question is, number one, did they just send the ransomware in the eggs? What is that ad? What is that ad? Why?
John (Huntress)
What does it do?
Corey
No. Okay.
Hayden
I'm more interested in that.
Corey
I will say I'm also on the same page as you and I want to click it, but I also know that you're not supposed to click it, but it's a great example.
Eli
Every time you hover, it's counting how long you're hovering on that.
Corey
Anyway, after this, I'm gonna go put a bunch of foil in my toilet.
Hayden
And see what happens.
Corey
But I mean, it's the classic, like, chicken with the fish head sticking out of it with the cigarette in its mouth being like, has scientists gone too far.
Hayden
With the tin foil in the toilet? Maybe. I think that one might be too far.
Corey
All right, that's not. That wasn't a real article. Oh, my.
Eli
Oh, I'm sorry, kid. I just gotta. Hang on. There's an image farther down on that article, and it is amazing because there is a pull down in the screencap for this image, and it is one gang selected.
Tim Medine
Tell me you browse the Internet without Pi-hole. Without telling me you're using. Not using.
Corey
No, no. See, I have Pi-hole. This is. This is like they roll their own cyber news. I've seen it. They roll their own ads. They have, like, their own ad network.
Tim Medine
You need to update or are they still running? I don't see an article where it mentions one way or the other.
Eli
Just like one gang selected last 12 months. It's links. Look at all that curve.
Corey
Yeah, I don't know. I think. I don't know if they're affected. I mean, they're a chicken operation. How many computers could they possibly need? Like, three.
Tim Medine
Yeah, but that's what we say with everybody.
John Hammond
Right?
Eli
Like, you know, but there's like, feed automation systems and then you're right. All the logistics nonsense, sending it places.
Corey
Yeah, yeah. None of the articles say. But it seems like the answer is no. They might not even be aware that they have been ransomware because the chickens.
Hayden
Are still laying eggs.
Corey
So, like, okay, the chickens are still laying eggs. I mean, they posted the data. Usually when they post the data, that means they didn't get a response from the company. Right. Like, usually that means the company's not engaging with them. There's no articles about their. Although I will say I don't know how much transparency there is in, like, egg supply chains. It's possibly that, like, this company's been down for weeks and no one's. No one knows.
Hayden
I was gonna say, what are they gonna post? Like, we'll post your data. Okay. Like, our chickens are laying eggs. Here's how many eggs. What other data do we have?
Tim Medine
What's funny?
Corey
If you have secrets, if you read.
Tim Medine
Through this article, they don't mention whether they're down or not, but right in the middle it says, meanwhile, last week's attack on luxury automaker Jaguar.
Hayden
Jaguar.
Tim Medine
Screw that Jaguar Land Rover.
Corey
I mean, this is every cybersecurity news article. You take one post on breach forums, then you try to write 15 paragraphs about it, and you end up somewhere in between.
Hayden
Yeah. And 18 of those paragraphs are AI.
Corey
Any other final articles before we close? I will say the undocumented radios one. Just that phrase, undocumented radios. I feel like that would be a good. First of all, punk. Punk band name, undocumented radios. But second of all, it's kind of spooky. Basically this is. Is this is a USDOT thing or transportation department thing. Solar powered highway infrastructure, including chargers, weather, roadside weather stations, traffic cameras should be scanned for the presence of road devices such as hidden radios secreted inside batteries and inverters.
Guest Expert
Didn't we have something like this a few years ago with Wi-Fi? Because I, I remember.
Corey
Yes, it was cranes. It was crazy.
Guest Expert
We were talking about it.
Corey
There was, there was like Wi-Fi. There was undocumented radios in like Chinese cranes and us. And they were worried about like supply chain impacts. I just imagine guys in high-vis jackets walking around like random roadsides being like, is this documented radio or is this. Should I just unplug it? Like, how do you. I don't know how you're supposed to tell. Looking at like the thing that Solar an asset tag.
Eli
So the, the thing that is bonkers to me about this is they put battery units in these because they're just little solar stations in the middle of nowhere. They have to put inverters in and they're like. And there's a radio wrapped inside the battery unit. I'm like, I mean that's where I would put it to make sure it has power to work at all. But also what?
Corey
Well, and my thought is, and I'm.
Eli
Just going through, going, how are. What kind of signal are we talking about? Which of these are Bluetooth?
Tim Medine
My guess is it's all telemetry. Like batteries dying. Come fix this. Like, I can't. I mean they show the picture of a crosswalk sign. Like, like, what's it going to do? Blink more or less?
Corey
Yeah, yeah, that one. That's not as much of a concern, honestly. Like, even roadside weather stations, I'm not as concerned with like, what are they going to do? Be like, oh, there's no weather. Like, I don't. But you know, the traffic cameras, I guess, although most of the traffic cameras are just public. I don't know. I'm sure this is just a government directive thing where they're trying to make sure there's not like Huawei radios or whatever inside of our stuff. But like, I don't know.
Alex
I did read back to like some of the linked articles for back in May where it was discovered and they Reached, I believe it was, it may have actually been like UK researchers that found these and reached out to the US Department of Energy. The US Department of Energy says we, we continually assess the risk associated with emerging technologies and we, we take a look at like the software bill of materials and the inventories and it's like, but what was being said earlier is that like they're just, you know, the radios are right there around the batteries. Like, how did somebody not notice if they're doing that, that bill of materials and checking out those contracts going like, hey, you're, I'm sorry, your bill of materials doesn't say a radio, but there's clearly a radio in here. Care to explain? Or maybe just ban that vendor and go like, hey, this, you're, you're installing radios and things and leaving that off the documentation and that's suspicious.
Corey
I think it's just that level of scrutiny probably not happening to a $15 flashy boy on the side of the road. Right. Like, I'm assuming this is real. This is like really a scale problem.
Tim Medine
Well, I don't, I don't, I don't get, I mean my short answer is, so what? Like some of you are probably thinking like, well, what about the stoplight? No, the stop lights have a whole different interconnect that the second something happens, the light starts to blink. Like there's a protection mechanism to prevent it from turning everything green. Like in Die Hard. Like, okay, so somebody puts some interesting thing zombies ahead. I mean.
Alex
It's a communications hop. And I think one of the unfortunate things is that like, yeah, military bases have stoplights or they have stoplights near them. So if you had a radio that was near enough to your target, you use that as a hop. Just like the, I think there the story of the Internet connected fish tank that adversaries used to rob a casino. So it's going to be the same type of thing being like you have an Internet connected solar powered traffic light that is now near your target or near a casino and data is being exfiltrated through that with the hops.
Guest Expert
That would make sense. Thinking about it from a radio perspective with the batteries that we're talking about, we can't be talking about a large wattage system. So it's not communicating over a large area or anything like that. It has to be doing something. It has to be doing either a very low data transmission to go ahead and permit the battery to extend for a long period of time, or it has to be in some sort of mesh, which again it needs a lower power, a lower amount of telemetry coming through it. You're not talking about large amounts of data. I mean, if you take a look at something like LoRa with your Meshtastics, the amount of data that it can go ahead and process before it will kill a battery is very minimal overall.
Eli
Right. But bear in mind, when we're talking about these batteries, we are talking about devices with little solar panels so that they have power and battery to make them last the night. And maybe a day or two for a tech to come out and fix something if it broke without losing your little flashing light that makes sure everybody knows this turn is really sharp. So like if that happens to be co located on top of a base or somewhere, that's actually worth the corporate espionage, then okay. But if it's a radio signal that's going to get you to a cellular modem, are you actually going to be able to get in and do the level of software radio tuning on that device to be able to go hop across bands and start doing anything remotely Wi-Fi like with it? Are you crossing your fingers that even though it's got Bluetooth in it, so you've got 2.4 GHz, you're now going to convince that to do Wi-Fi instead so that you can hop in. Because otherwise, like I'm real curious how you're going to get a Bluetooth based local telemetry device that somebody uses when they're coming in to check the health of the device because it's been six months and using that to get enough range to get in a building that you happen to be installed next to to be able to do anything.
Corey
Well, someone in chat mentioned like it could be used, they did say traffic cams and weather stations. So someone mentioned it could be used to like monitor people's comings and goings like TPMS or other like wireless standards or things. But I mean, I think overall it's a policy thing. I don't think there's. There's no documented attacks using this and this has been a problem for years. Even the Chinese cranes article from two years ago, it was just like the exact scenario that Alex was talking about, which is they bought a crane, it didn't have a wireless radio listed on the bill of materials, but it came with the wireless radio and they were like, WTF? And the manufacturer was like, that's for future upgrades in the future or whatever. So it's like there's no documented hacks with this. I think it's all theoretical. Yeah, that's.
Hayden
What the article sort of said is it was mostly just kind of something that was there, and they don't think it's anything that's being used for evil or could be used for evil, but...
Corey
But it's banned. Yeah, but it's banned.
Hayden
It's too expensive to go get rid
Tim Medine
of it. China might be taking these over, but we really don't have any idea. Why is the shortage? Yeah, that's
Corey
part of our strategy, so we can
Hayden
use... waste their time. Meanwhile, our ISPs
Corey
be also being taken over, but no action needed. I mean, if you want
Tim Medine
to see the traffic, go to Google Maps. It's way better.
Corey
That's the government banner on those things. The traffic cams are public on every state's website. Anyway, I think that's the goodest place to send a... Kill it. Thanks, everyone, for coming. I'll see you all next week. Bye-bye, Sam.
Talkin' About [Infosec] News, Powered by Black Hills Information Security
Date: September 20, 2025
Host & Panel: John Hammond, Tim Medine, Corey, Eli, Hayden, Alex, John (Huntress), Guest Expert(s)
This episode dives into recent high-profile news in the infosec world, focusing on the Kerberoasting/Ascension story, the Huntress EDR privacy debate, the Jaguar Land Rover ransomware incident and the UK ransomware payment ban, Villager AI, the Rose Acre Farms ransomware, and the infrastructure "hidden radios" story.
The BHIS crew, mostly penetration testers and industry veterans, break down the technical, political, and ethical nuances in their trademark blunt, nerdy, and irreverent style.
This episode provided a technical-yet-contextual look at why old attacks remain relevant, why infosec drama keeps popping up, and how even routine incidents ripple through industry, law, and public discussion. If you want coverage of the big developments and the unwritten “attacker/defender” stories underpinning today’s breaches—with humor—this is your show.
Skip to 03:13 to jump right into the Kerberoasting/Ascension story. The panel’s breakdown of the Huntress EDR privacy debate begins at 12:41. Jaguar Land Rover ransomware and the UK ransomware ban is at 32:37. Villager AI discussion at 41:23. Rose Acre Farms ransomware at 51:18. The infrastructure “hidden radios” story is at 54:52. Most quotable banter and ethical breakdowns are between 5:36 and 32:38.
