Podcast Summary: "Kerberoasting Goes to Washington"
Talkin' About [Infosec] News, Powered by Black Hills Information Security
Date: September 20, 2025
Host & Panel: John Hammond, Tim Medin, Corey, Eli, Hayden, Alex, John (Huntress), Guest Expert(s)
Episode Overview
This episode dives into recent high-profile news in the infosec world, focusing on:
- The resurgence of “Kerberoasting” in the national security conversation due to a major healthcare breach and Congressional interest.
- The ethical debate surrounding a high-impact Huntress incident report detailing threat actor activity.
- Other top news: a massive ransomware attack on Jaguar Land Rover, the shady “Villager AI” pen testing tool, ransomware at Rose Acre Farms, and the mystery of hidden radios in US infrastructure.
The BHIS crew, mostly penetration testers and industry veterans, break down the technical, political, and ethical nuances in their trademark blunt, nerdy, and irreverent style.
Main Topics & Key Segments
1. Kerberoasting Goes to Congress (03:13 – 12:41)
- Recap: The Ascension Health breach re-ignites debate over Microsoft protocols (RC4, Kerberos). Senator Wyden publicly calls out Microsoft to cease supporting vulnerable cryptographic protocols.
- Tim Medin’s “Fame”: His Kerberoasting technique, revealed 11 years ago, is cited in Congress.
- Quote (Tim): “Like the fact the word came out of a Congress senator's mouth just blows my mind.” (01:33)
- Discussion of having talks rejected by top cons before acceptance (05:36) — a sign of how niche the attack seemed initially.
- Technical Details:
- RC4 deprecated, but still (optionally) enabled in many legacy environments.
- Microsoft’s deprecation moves affect only new forests/controllers; most orgs unaffected unless action is taken (05:15, 05:28).
- Upgrading to AES slows Kerberoasting significantly — would’ve made the attack that hit Ascension take “years, plural” (07:36).
- Reality Check:
“If you run a domain, go disable RC4.” (10:16 – Corey)
- Methods: Audit event ID 4729; disable RC4 except where specifically needed (10:31 – Tim).
- Pen testers lament: Defensive changes remove their “easy mode” tactics, but they are necessary for security (08:19, 09:12).
- Larger Issue: Balancing backward compatibility (OT, critical infra, legacy Windows) vs security is hard.
- Guest expert describes how US electrical grid, water plants, etc. run ancient systems due to operational constraints (09:28).
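As an added, defender-side illustration of the “audit, then disable RC4” advice above (this is example code, not from the episode, BHIS or Microsoft): the script pulls Kerberos service-ticket events from a domain controller's Security log (event ID 4769, whose TicketEncryptionType field records the encryption type each ticket was issued with), tallies which service accounts are still being issued RC4 tickets, and shows the per-account change that moves an account to AES-only. The seven-day lookback, the placeholder account name `svc-example`, and the assumption that Audit Kerberos Service Ticket Operations is enabled are mine.

```powershell
# Added example: inventory RC4 Kerberos service tickets before disabling RC4.
# Assumes: run on a domain controller (or a host that can read its Security log),
# the ActiveDirectory module is installed, and "Audit Kerberos Service Ticket
# Operations" is enabled so that event ID 4769 is actually being logged.

# Kerberos encryption-type codes as they appear in the 4769 TicketEncryptionType field.
$EtypeNames = @{
    0x1  = 'DES-CBC-CRC'
    0x3  = 'DES-CBC-MD5'
    0x11 = 'AES128-CTS-HMAC-SHA1-96'
    0x12 = 'AES256-CTS-HMAC-SHA1-96'
    0x17 = 'RC4-HMAC'
    0x18 = 'RC4-HMAC-EXP'
}

function Get-KerberosServiceTickets {
    param([int]$LookbackDays = 7)   # lookback window is an arbitrary choice

    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # TicketEncryptionType is logged as a hex string such as 0x17.
        $etype = [Convert]::ToInt32($data['TicketEncryptionType'], 16)

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Requester = $data['TargetUserName']   # account that asked for the ticket
            Service   = $data['ServiceName']      # SPN owner whose key encrypted the ticket
            ClientIP  = $data['IpAddress']
            Etype     = $etype
            EtypeName = $(if ($EtypeNames.ContainsKey($etype)) { $EtypeNames[$etype] } else { "unknown($etype)" })
        }
    }
}

# Services still receiving RC4 tickets: these are the accounts that must have AES keys
# (and, ideally, AES-only msDS-SupportedEncryptionTypes) before RC4 is turned off.
$rc4 = Get-KerberosServiceTickets | Where-Object { $_.Etype -eq 0x17 }
$rc4 | Group-Object Service | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# For each such account, check what it currently advertises and move it to AES-only.
# msDS-SupportedEncryptionTypes bits: 0x4 RC4, 0x8 AES128, 0x10 AES256; 0x18 = AES only.
# If the account's password was last set before the domain supported AES, reset it
# afterwards so that AES keys exist; without them the KDC still falls back to RC4.
$account = 'svc-example'   # placeholder name, not a real account
Get-ADUser -Identity $account -Properties 'msDS-SupportedEncryptionTypes', PasswordLastSet |
    Select-Object SamAccountName, 'msDS-SupportedEncryptionTypes', PasswordLastSet
# Set-ADUser -Identity $account -Replace @{ 'msDS-SupportedEncryptionTypes' = 0x18 }
```

Run the inventory on every domain controller (each logs only the tickets it issued) and repeat it for a week or two after the per-account changes; once no 4769 events show 0x17, the domain-wide switch is the Group Policy setting “Network security: Configure encryption types allowed for Kerberos” with RC4 unchecked.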
2. Huntress Blog & The Ethics of Publishing Threat Actor Forensics (12:41 – 32:38)
- Story: Huntress published a blog based on direct investigation of a threat actor who installed their EDR tool (while “testing” defenses), sparking a heated community debate over privacy and ethics.
- Quote (John Hammond):
“Is what you've done seeing and observing a threat actor doing threat actor things, is that an invasion of privacy? Does this make you any different from a criminal? Which was a surprising reaction, truth be told.” (13:33 – John [Huntress])
- Panel’s Reaction: Consensus is that it’s ethical—attackers installed the agent and consented to data collection via the EULA; this is standard IR/SOC procedure.
- “It's not hacking back. If they deployed your Incident Response Agent on their machine. That's not hacking back.” (14:46 – Corey)
- Even if pre-existing data/browsing history were included, users (attackers) chose what to keep on device (17:56 – Corey).
- Privacy Law Nuance:
- European (GDPR) vs US attitudes lead to different responses (21:45 – Tim Medin).
- Soundbite (Eli):
“A lot of them didn't know what they were looking at and are not people who understand. Like, they may know there's an EDR running because their company does a thing, but that doesn't mean they know anything about how it works.” (23:12)
- Panel Jokes:
- If the threat actor wanted to sue for privacy, they’d have to dox themselves in court (“classic, this guy stole all my drugs.” – Corey, 23:01)
- GPT-themed banter about privacy modes and donuts for threat actors (30:01+)
- Key Takeaway: Knowledge, transparency, and context matter—tech Twitter/LinkedIn often lacks all three.
- Quote (Hayden):
“There are plenty of, like, HR cases to where it comes to the conclusion…you do know that we saw all of that stuff that you did? Like, that's all recorded.” (26:06)
3. Jaguar Land Rover Ransomware Crisis & Policy Implications (32:37 – 41:23)
- Story: Ransomware takes down Jaguar Land Rover (JLR), threatening supply chain collapse following UK ban on ransom payments.
- Debate: Should governments mandating ‘no-pay’ have a safety net for companies facing ruin?
- Quote (Tim Medin):
“Collectively it's good if not a single one pays. But individually they're pretty much incentivized to pay every single time.” (34:04)
- Panel doubts government aid will materialize (“sucks to suck”) and notes the impact on suppliers who can’t weather the cash crunch (37:34, Eli).
- “This is a two week cash crunch. Are budgets that thin where you have to lay off 40 people after two weeks?” (38:13 – Corey)
- Root issue: Industry margins, just-in-time manufacturing, and prior financial distress (“Jaguar … was in trouble before this even happened. This was the absolute worst time for it to occur.” – John Hammond, 39:31)
- Ransomware and supply chain pain remain unsolved problems; the ban’s real-world consequences become visible.
4. Villager AI PenTesting Tool: Hype or Backdoor? (41:23 – 45:19)
- News: “Villager” released, billed as a powerful AI-driven pentest platform. Suspicious origins raise questions about whether it’s actually backdoored malware.
- “Every AI pen testing tool I've seen is just Nessus with benefits.” (42:44 – Tim Medin)
- 4000 “prompts” claim likely overhyped; caution urged on running shady tools (43:14, 43:35).
- Banter on “AI-powered pen tests” as new compliance checkbox (44:04 – Alex).
- General warning: Don’t trust pen test tools from unknown sources.
5. Attacks on Agriculture: Ransomware at Rose Acre Farms (51:18 – 54:44)
- Rose Acre Farms (2nd largest US egg producer) hit by ransomware.
- Panel jokes about “ransomware in the eggs” and the difficulty of knowing the business impact in sectors like agriculture.
- “How many computers could they possibly need? Like, three.” (54:17 – Corey)
- Transparency and reporting challenges are highlighted (“the chickens are still laying eggs…”).
6. Undocumented Radios in US Infrastructure (54:52 – 62:28)
- Summary: Reports surface of hidden/undocumented radios in solar highway devices, weather stations, etc.
- Reference to previous stories about hidden WiFi in imported cranes (55:28).
- Technical debates: Are these radios actually a security threat?
- Could provide a hop, but range and power are likely limited (59:12 – Guest).
- More likely a supply-chain/byproduct issue than active government sabotage.
- “If you want to see the traffic go to Google Maps it's way better.” (62:23 – Tim)
- Main concern is government policy/scrutiny, not evidence of active malicious use.
- Panel has fun speculating about “smart” crosswalks and Die Hard traffic light hacks.
7. Brevity Hits: Qantas Executive Bonuses & Security Incentives (49:57 – 50:53)
- Qantas airline execs lose 15% bonuses post-breach.
- “You want to incentivize people to care, you start taking away literally millions of dollars from them.” (50:17 – Tim)
- Panel generally approves—financial incentives work better than most compliance carrots.
8. Brief: CVEs, MITRE & CISA Drama (46:19 – 48:37)
- Confusion as to whether US government (CISA) is defunding/bringing CVE program in-house or not.
- Skepticism that government is prepared to run it better than MITRE.
- “No one could afford this on their own. CrowdStrike's not going to fund the CVE program.” (48:37 – Corey)
- Panel prefers government keep CVEs neutral, public, and bias-free.
Notable Quotes & Moments
- On Senate tech literacy:
“The senators are taking SANS classes or his classes.” (01:46 – John Hammond)
- On privacy blowback (threat actor EDR incident):
“This is the classic, this guy stole all my drugs.” (23:01 – Corey, about attackers claiming privacy violations)
- On AI pen testing:
“For like the vibe pen testing, like there are companies out there that would, that, that passes their checkbox and then they can say like, we, we did like just, we did a pen test and it was AI powered.” (44:04 – Alex)
- On supply chain reality:
“If you have secrets, if you read through this article, they don't mention whether they're down or not, but right in the middle it says, meanwhile, last week's attack on luxury automaker Jaguar...” (54:24 – Tim Medin)
- On US vs EU Privacy:
“We're like, we don't have privacy. Right. Like, it's just that cultural and the legal stuff...” (26:47 – Tim Medin)
Tone & Style
- Irreverent, direct, and technical—the panel doesn’t shy away from dark humor or industry sarcasm.
- Regular asides and jokes (Blade Runner quotes, donuts for threat actors, emo “Dark John” sitting in the rain).
- In-depth explorations balanced with snark and real-world anecdotes.
Key Takeaways
- Old security flaws never die—they just make it to Congress.
- Legacy protocols like RC4 stick around due to business inertia; active removal is crucial but always lagging.
- There’s a community knowledge gap, even among security pros, around forensic data collection.
- Managed security products, incident response, and privacy law are misunderstood; threat actors can’t claim privacy when hacking.
- Public policy actions (ransom bans, critical infra mandates) have real, complicated side effects.
- Not paying the ransom can devastate the supply chain; but if one pays, all are incentivized to pay.
- Don’t fall for the hype: AI pentest “platforms” are mostly rebranded scan wrappers (or worse, backdoors).
- Ransomware is everywhere—even in the chicken coop.
- Supply-chain and critical infrastructure threats are as much about policy and logistics as about “hacking”.
For Listeners Who Missed It
This episode provided a technical-yet-contextual look at why old attacks remain relevant, why infosec drama keeps popping up, and how even routine incidents ripple through industry, law, and public discussion. If you want coverage of the big developments and the unwritten “attacker/defender” stories underpinning today’s breaches—with humor—this is your show.
Skip to 03:13 to jump right into the Kerberoasting/Ascension story. The panel’s breakdown of the Huntress EDR privacy debate begins at 12:41. Jaguar Land Rover ransomware and the UK ransomware ban is at 32:37. Villager AI discussion at 41:23. Rose Acre Farms ransomware at 51:18. The infrastructure “hidden radios” story is at 54:52. Most quotable banter and ethical breakdowns are between 5:36 and 32:38.
![Kerberoasting Goes to Washington – 2025-09-15 - Talkin' Bout [Infosec] News cover](/_next/image?url=https%3A%2F%2Fassets.blubrry.com%2Fcoverart%2Forig%2F577207-646458.jpg&w=1200&q=75)