![Largest Corporate Espionage Case this Century - 2025-04-14 — Talkin' Bout [Infosec] News cover](https://assets.blubrry.com/coverart/orig/577207-646458.jpg)
John Strand
Hi, everybody. We're live. We're going to be going here. We're going to bring out the crooked finger, but I'm going to give you all a trigger warning. We're going to be talking a little bit about politics, everybody. Just as a warning, we're going to try to. Try to. Try to thread that needle as well as we possibly can. That's going to be fun. So I'm giving you a warning right now. It's coming. And as somebody pointed out, they blame Wade. I also blame Ralph because Ralph is off starting his own company right now, and Ralph is good at these things. So just a quick warning on this episode. There's going to be a little bit of politics and we're going to try to get some tech here as quickly as possible. So with that, let's bring out the crooked finger and let's get this show going. Hello and welcome to another edition of Black Hills Information Security, Talkin' Bout News. My name is John Strand and we're going to be talking about computer security news, as much as we possibly can in this current political climate that we are currently in. We're going to try to tap dance around some landmines. That'll be fun. Then we're going to be talking about insider threats and how those are really starting to pop, which I think we actually talked about in one of the previous editions of Talkin' Bout News, how insider threats would start popping as you have more and more layoffs. We're gonna be talking about how the Pentagon is ending $5.1 billion in contracts for Accenture, Deloitte, Booz Allen Hamilton, a bunch of other companies that are out there as well. Then we have some really, I gotta be honest, the Moroccan cybercrime group Atlas Lion. I just gotta say, you probably didn't name yourselves, but that is a fantastic name, by the way. And they actually have some novel attack approaches that they're dealing with. But I want to address the big security issue that a lot of people are saying we aren't addressing.
There's an EFF article, or as I like to refer to them, an effing article, was released and it said the cyber community must not remain silent on the executive order attacking the former CISA director. So I'm going to be addressing this very, very, very quickly and succinctly. I think this is wrong. I don't want to go into details. I don't want to throw a whole bunch of poop on the wall. I think that. I think Chris did a great job when he was in charge of CISA and I think it's very problematic to punish other employees of a company who have clearances because of what's going on with this. I don't know if there's much more we can say in other ways and trying to say it in more creative ways, in trying to, you know, kind of like rage-compete with each other on this. But I do believe that this is wrong. I do believe that punishing a company because of what somebody else did before they worked at that company is wrong. And I do believe that going after Chris is wrong as well. So that is our statement on that. Did I swear already?
Corey
No, but you did talk politics, which kind of counts as swearing.
John Strand
That is the same thing. That is the same thing. But I do know I, I do, I do want to pivot just quickly. If we're looking at, quote, unquote, restructuring of CISA, which is the most polite way I can put it right now, when you're looking at these threat intel groups, the United States and everything that they're doing, what is a company doing to try to keep up with, like, what current threat intel feeds are like? I know that there's different ISACs for market verticals. Mike, do you want to talk a little bit about, like, your approach? Like, where do you get threat intel feeds? Where do you see that kind of moving forward? Because we're not getting as much data as we used to out of the federal government.
Mike
In an instance like this, I really try and turn towards communities. The ISAC that my vertical is in, I use them quite a bit. There's other groups out there, like the Cyber Risk Initiative and a few others that have standard-type threat feeds. But honestly, the real nuts and bolts for me, and it's more difficult nowadays because of how spread out everybody has gotten since what's happened politically has happened, is social media: the Mastodons, the Blueskys. And with that, you don't have the centralized section that you used to have. Discords are nice, but as much as I love them, and I love the Black Hills Discord because of the way that everything's broken out, there's still quite a bit of noise and sometimes it's hard to see something if you're not watching real time on it. Whereas with something like Bluesky, I could go ahead and set my timeline at a certain spot and then start scrolling back on up through it as everything continues onward.
John Strand
And I don't know about anybody else, but it doesn't feel like Bluesky really. I think it's doing really well. I think it's better than Mastodon, but it still doesn't feel as tight as Twitter was when Twitter was Twitter and then it became X. Like, there used to be really good information on Twitter and then, you know, kind of went away. But Bluesky is getting there, right?
Mike
Bluesky is getting there. Mastodon, if you follow hashtags, as people remember to hashtag things, and the same thing on Bluesky, that's been, I found, the key. I've got a few certain hashtags that I try and follow that'll narrow things down a bit for me and get rid of some of the excess stuff. My follow feed is semi-useful, but really it's the hashtags that wind up going ahead and becoming the most useful for it.
John Strand
I know it's putting you on the spot right now. You may not have it, but would you be willing to share some of the hashtags that you key in on?
Mike
Give me one second and I can.
John Strand
Not a problem. Alex, what are your thoughts on this? You know, kind of throw it over to you for a bit.
Alex
Yeah, I mean I, I follow the same type of things for, like, the Bluesky, but I think for what Sheck's point, or one of his points, was, is that you have a lot of that noise that comes in. So I do like, I do like the vendors in that they're a little slower but they're a little bit more accurate. So if you want kind of the up-to-the-minute intel, you're going to see a lot of things come in. If you want it to be, like, clean and, you know, kind of rinsed of that noise, your vendors are good at that. They're just not going to have, like, the most. I found sometimes they're not the most up to date, you know, but you get less of that fog of war happening with your threat intelligence.
John Strand
Yeah. I don't know Corey, your thoughts?
Corey
I mean, I don't even think of CISA as an intel source. Do you think of CISA for threat intel? I don't. I think they were like.
John Strand
I think it was more like high-level CISO threat intel. Right.
Corey
Well, there's Known Exploited Vulnerabilities. That's kind of threat intel.
John Strand
Think about it, for years, Corey, a lot of CISOs, CTOs, they would get their information security news from, like, USA Today. They'd be like, oh, it looks like there was this very large data breach in Oracle. And then they would come to you. And I always used to say, if your executives are getting their information security news from USA Today, Drudge Report, Huffington Post, Fox News, CNN, then you have failed at your job. And I think that CISA kind of took that place and was giving CISOs and CTOs a lot better information than they would get from their standard news sources.
Corey
Yeah, yeah, I mean, I guess I.
John Strand
Would say, oh, cool. Can you put them in the private chat and then we'll get them posted over to Discord and stuff. Awesome.
Corey
Yeah. I mean, I think another thing that they did that was super useful is some of their larger initiatives like this Secure by Design thing. I know we kind of joked about how silly it was at the time, but I guess I'm like, I think the industry can carry on a lot of the things that they came up with without them. Like, they created years of work through a lot of the advisories. And I feel like, you know, Secure by Design being one example. If your goal is to make things secure by design, it's going to take years and years and years. So a lot of the stuff has a long tail. And as an industry we can just continue down that path and continue trying to carry the torch, so to speak, when it comes to, like, day-to-day stuff. The other thing that is kind of a key service that they provided is, like, free pen tests for the OT segment and other, like, critical infrastructure or whatever you want to call it. And so I guess I don't know how we can help with that. We talked about, you know, having hack for charity or whatever, but yeah, I think as a community just kind of understanding that maybe some of these organizations might be struggling with infosec, um, and that they might not have the support they had before. So just kind of helping out where we can. Maybe we should do like what we did for US Healthcare and just have a GoFundMe for pen tests.
John Strand
Yeah, I, you know, so my biggest problem with all of that, you know, I know Jordan's talking about it, like trying to get back with Johnny, which I have to reach out to him anyway, but talking about hacking for charities and actually bringing in people and let them act like, you know, BHIS would run the test. You'd have people that are kind of 1099 or, you know, interns that want to learn security assessments, actually doing the security assessments. And the hardest thing for me isn't the money. The absolute hardest thing for me is the trust in the individuals that you bring into that process. Right. You know, we already have a problem with, like, senior testers that periodically bring networks to the ground, not even by mistake but just purely based on, oh my God, this company is running, like, a BSD4 web server and it goes down, and I don't know how I could navigate that as a business owner. If we started doing those types of charitable penetration tests and kind of opened up the checklist and the methodology that BHIS does for basic things and how to mitigate the overall risk for doing that type of work, otherwise I would be all over it.
Corey
So I think we could do that. I feel like we could do that. I feel like we could say, here's how, here's your guide to doing a CISA pen test. Because I think most of it was, like, Shodan, public, passive-type stuff. I don't think it was a ton of in-depth, zero-day-type stuff. But yeah, another idea. So people are saying in the chat there's a lot of tabletops they have. If only we had a card game that was.
John Strand
There was only a card game that we could.
Corey
If only there was a card.
Alex
Well, and I had, kind of, a follow-up question that I saw somebody, you know, sort of get to in the chat. But outside of CISA, who is that highlighting agency? Because CISA is useful for that. You're doing all that threat intelligence work, you've done all those checks, you implemented your defenses, and then a CISA alert comes out highlighting this thing. And that is the top-level thing that you do in an executive report, going, hey, CISA did an alert on this threat actor. Here are the things we look for. We're golden on it, we're solid on it. And then you can just deliver that. But who now is your highlighting organization? Do you go, hey, some random on Twitter or X or Bluesky is making noise about this thing? Or a bunch of talking heads on, like, you know, this webcast are making noise about it? How do you take that forward and go, this is something that we need to focus on, especially if there's work that needs to be done, right?
John Strand
And I think a lot of table. Stop. You could do that with tabletops, right? Just by asking questions. But, like, for me, if I had my dream, it would basically take a whole bunch of these people that are either unemployed or people that are trying to break into the security industry and then bring them underneath and then kind of, like, take a senior tester from BHIS and kind of walk through checklist and methodology and make it very, very clear that you're not to deviate from this methodology and then just kind of let these people do these assessments against organizations that have given us permission to do so and then start sharing those results with those charitable organizations or, like, let's say critical infrastructure organizations that can't afford a full pen test and kind of work through it that way. But like I said, I'm just absolutely terrified about, you know, I mean, just trying to vet pen testers at BHIS is hair-raising. Right. And if all of a sudden we have a hundred, you know, cats all screaming into the Internet breaking into STU stuff, that, that makes me uncomfortable. I don't know how to mitigate that risk, I guess is what I'm trying to say.
Corey
I feel like CISA's real selling point was that they just carried the authority of the US government with them, and no private entity is going to be able to replicate that.
John Strand
No, pretty much a lot of, a.
Mike
Lot of the stuff that I saw come through CISA would come through my Feedly feeds from Recorded Future's daily threat feed or SentinelOne's daily threat feed. And taking these corporate threat feed blogs, going ahead and putting them into all one spot. Great way. That's how I start my morning, is I go through all these feeds. BHIS has a new blog out. I read through it. Okay, what's going on here? What's going on there? And then from there I can disseminate stuff. The social medias and stuff like that is more for immediate-action-type ideas.
Corey
So the moral of the story is get yourself a Sheck. Good luck finding one.
John Strand
Just shared it out right there.
Corey
Luck finding a Sheck. But if you have a Sheck, you are good. But I mean, so a lot of organizations don't have a Sheck. That's the problem.
Mike
I know, and the problem is with some of the ISACs, the cost to join them for small businesses can be rather prohibitive.
John Strand
Maybe that's what we do is we navigate through the ISACs because we're not a government organization. You could do it through the ISACs and then the ISACs can nominate organizations to move up. By the way, Radis brought up a great question, said creating a BHIS pen test puppy mill following checklist. I think that that's 100% accurate. But look at what we're trying to do here, right? We're not trying to say that this replaces a full pen test from a company like Red Siege, TrustedSec, BHIS, and Guardians or whoever. Like, what we're basically saying is we're just doing, like, attack surface management type things.
Corey
Yeah, it's cyber hygiene. That's exactly like. Yeah, but again, this is, it's one of those things, the companies, guess what? If you're a BHIS client, it's going to do nothing for you. If you are already getting real pen tests, you have a pen test program, you're doing things with the results. Probably, if you're listening to this podcast, this probably isn't going to do much for you. But the problem is the organizations who, when you call them and say, have you gotten a pen test? They say, what?
John Strand
Yeah, those are the ones. Right?
Corey
Those are the problems. And when. But the thing is, it's carrying the big stick of the US Government. When CISA comes to you, if you're a small water company or small water utility for Yell of Washington or whatever no one's ever heard of, if you go there and you say, I'm the US Government, you need a pen test, they're going to be like, whatever you say, here you go. But if it's like Black Hills Infosec says you need a pen test, we're just going to blend in with the noise of, like, all the security researchers from China who also have been like, hey, we found something. Contact us for bitcoin information if you.
John Strand
Want to read it. Yeah, we don't want to be that. Right.
Corey
Yeah, I don't know. It's just a fun idea. I think the tabletops also would be useful. It'd be cool if we had, like, a tabletop brigade, community members who would go and offer tabletops to companies that are maybe not ready to actually give us the ability to send packets to their network. But we could also do, you know, my concept of a passive pen test, which is basically the CISA cyber hygiene thing. You know, it's funny, though. We've offered them and people don't take us up on it. People are still afraid. They're like, pen test. That's a scary word. But tabletop is less scary.
John Strand
Yeah. Or attack surface management or something. I also think it's funny because, you know, if we start doing this, right, I just know that we're going to get a company like General Electric that's like, we would like one of those free pen tests.
Corey
Yeah, we can set limits. We can set limits.
John Strand
Or people infrastructure. It would be great if you.
Corey
Our attack surface is these two /16s that we've owned for 10 years.
John Strand
It's like, you're the DOD. Yeah, yeah, we're going to need that for free. Uh, yeah, that would be great. But there's always people that take advantage of things, right? It's just how it goes. So I think that we've got to noodle on it. I don't know. We would literally have to take somebody like Jordan, who's kind of talked about this, and have him oversee the entire project, and that would take a pen tester out of circulation.
Corey
I say we just. I say we just do it through our community. Just have people who are tabletoppers who can go out and offer tabletop. Yeah.
John Strand
Yep. I think that that would be good. So maybe we'll approach that. I'd already go local.
Corey
If you're a person listening to this podcast and you work with a very small entity who cannot afford a pen test but desperately needs one, please get in touch. We'll see if we can do anything about it.
John Strand
Yep.
Corey
We're not claiming to be CISA, but.
John Strand
And Zach had a great idea. He said we could get the CPTC contestants. Yeah, there we go. The college pen testing folks. They've already been vetted. They've been in a competition. Give them an opportunity to do that. I think that that would be. I think that would be cool. So I think we got some ideas we could play around with. By the way, if you own a pen testing company and you're like, I would like to help with this because that seems like it might be fun, please reach out to us as well. That would be good. Do we want to talk a little bit? What do we want to move to? I kind of.
Corey
Okay, let's. Let's talk. Let's just throw some bone to SentinelOne, because I will say, like, honestly, SentinelOne has been in my personal recommendations list for a low-cost, very effective EDR. Great in the MSSP space. It's a great product. Maybe not, like, the Gartner magic whatever. I mean, honestly, it probably is, but I've recommended it quite a bit, and I've never had companies come back and be like, this doesn't work. It's not good. So not that I'm, like, an expert on EDR, but, I mean, it's a solid product. I don't. I just.
John Strand
You just run a team whose sole purpose and existence in life is bypassing them. So, you know, that's probably. Maybe there's some weight there, but, yeah, throw a bone to SentinelOne. I think one of the things that they do, like, especially in the MSSP space, is they're just easy to use. Their pricing is effective on that as well. So there we go. So go SentinelOne, who is not sponsoring this podcast at all whatsoever.
Corey
All right, let's talk about insider threats. Let's start with. Let's start. Okay, let's start with the creepy one and then we can move to the more interesting, less creepy. Okay.
John Strand
The really creepy one is super duper. You're talking, narrow, pharmacist. Oh my God. Yeah, go ahead. Go ahead, Corey.
Corey
I mean, so basically this is UMMC, University of Maryland Medical Center. The suit itself is a class action against the employer, which is claiming that the employer was negligent and basically didn't prevent this cybersecurity intrusion. This cybersecurity intrusion we're talking about is there was some pharmacist who wasn't, it wasn't security, but was installing keyloggers on a bunch of systems. Like medical, I'm assuming medical-type systems, not, like, corporate IT, but, like, you know, cameras and things or, I don't know, like workstations, I'm imagining. And essentially for creepy reasons, apparently has videos over the course of a decade of staff working with breast milk and breastfeeding. The creepiest possible thing. He also went after people's personal accounts, bank accounts, home surveillance, emails, dating apps, private photographs. Super creepy. About as creepy as you can get, as the combination of keylogger and medical environment is just already, like, even if it wasn't supposed to be creepy, you're already creepy. It's gonna be creepy. Even if it was, like, oops, keylogger, like, it'd still be insanely creepy, but, like, this is intentional, which makes it so much more creepy. My curious. The question I have, and they didn't really elaborate in the article, is, like, what keylogger? The creepy thing happened, and apparently over the course of a decade, what could the company do to prevent it? Right. It seems like relatively, I mean, it is a healthcare environment, so I don't want to be too harsh, but relatively easy to identify this kind of activity. We don't know what keylogger it was, but if it's been running for 10 years, it's probably, like, Cobalt Strike version one or so. Like, it's not. I don't know, I mean.
John Strand
And that's one of the reasons why I think that this class action lawsuit has some teeth. Right. Yeah, if it was something that just.
Corey
Yeah.
John Strand
Recently. And they caught it relatively quickly. I'd be like, yeah, yeah, it wasn't.
Corey
Yeah, exactly. And that's. Yeah. So it's been a decade. And it's funny because, like, of course the medical center is saying, oh, well, we stopped it. We stopped the breach. That's what you should focus on here, 10 years later.
Alex
Well, and that's also where I think this has teeth, because it's like my take on it, and really a little bit of, like, my bit of fury on it. It's like, who signed off on this? Like, it's just when you go, who signed off on, like, you know, being compliant, is what I'm saying. It's like, who signed off on compliance? And going, like, you sit there and you go, we're HIPAA compliant. We've had all these things, we've done these looks. And it's just, I mean, I'm sitting there going, there might be something there. Because was it a matter that it's like you didn't have an actual audit. You just wined and dined your auditor and said, here's one laptop in a closet that you can take a look at. Totally represents everything in our environment. Please just look at that one. Sign off on things. Sign here. We'll get you, like, you. And it all includes a trip to our headquarters. We'll wine and dine. Yeah. And everything. And was there something there? Because it's like, this is when we're talking about CISA and all these other examples, regulatory bodies, these authorities, we put our trust in the system because they have that regulatory thing. Like, I will, I and others, you'll go to the doctor and you'll talk about private things because you trust that they're being regulated, you trust that they have that compliance. You trust that somebody is looking into it. Your doctor has a little, like, you know, voice transcription app that, you know, transcribes your session. You're trusting that that is secure, that that has been reviewed. Having incidents like this erodes that trust because you go, I, you sit there and you go, I thought somebody was regulating this stuff. Well, what happened?
John Strand
And Alex, like, just kind of, like, springboard some more on what you're saying, is there might be other lawsuits. Like, who? As I'm going through my email, anything from University of Maryland? Did they hire us for anything?
Corey
I was going to say hopefully we didn't do their pen test. Yeah, this is out of scope for pen testing, in my opinion. This isn't even pen testing. This is, like, basic cyber controls of, like, what things are allowed to leave your network. Do you have basic monitoring and threat intel? Right. Like, that's how I see this. No pen. If I'm doing a pen test, I'm not going to be looking for keyloggers. That's not, like, a thing, though.
John Strand
And that's really bad. Like, if we're doing a pen test and we find those things, that kicks off IR.
Corey
Yes, we would mention it if we saw it, but that's not the goal of the pen test. The goal of the pen test is for me to also add my keylogger to the PI. No, I'm just kidding.
Alex
And I also really like what local Kens said. Like, the special permissions for the special person. Again, the exception. Exception. Because, John, you and I, we said, like, the.
Corey
We.
Alex
We said, like, beginning of 2025, what are predictions for things that are going to continue to be a problem in our industry? And that really was, like, the. I think you said special snowflakes. I said, you know, your exceptions for exceptional people. Like, that's going to continue to be a problem.
John Strand
Well, and this was also a university hospital. Right. So when you're looking at the exception heap of garbage. Right. Like, one, it's medical. Right. And you have doctors all the time, like, I ain't got. Damn it, Jim, I ain't got time to log into a computer.
Corey
Someone will die if I have to type my.
Alex
Yeah, you say patient safety. Patient safety overrides security. And I've been there. It overrides everything.
John Strand
Then it's a university hospital, which, it's like, then you put a layer of academic freedom. So, you know. Yeah. And no budgets. And you're looking at a lot of these universities. It's like, well, we need to monitor the network to make sure that, you know, PHI isn't leaving the network. And there's people like, oh, no, no, no, we can't monitor anything in the network that's leaving. It's like Europe at that point with GDPR. It's insanity trying to deal with some of these organizations. But that being said, Corey, doing testing for years, we've seen hospitals that like to throw the exception card constantly. And it always pisses me off because we also work with hospitals that have amazing security. Right. So I love it whenever hospitals are like, well, we can't switch from on-prem Exchange because of HIPAA. And I'm like, that's funny, because we've got, like, 30 other hospitals that have switched over to Office 365. They didn't seem to worry about it as much as you do. Like, what makes you a precious snowflake? And I think that a lot of times those exceptions are less about, you know, their actual concerns and more about excuses for not actually doing the work of trying to secure the environment. And that, that's, I would agree.
Corey
I mean, if I was called in as an expert witness, I would say that, you know, thankfully I will not be because no one listens to me. Luckily. But I would say, like, this exceeds, in my opinion, like, the legal definition of negligence. Like, it's real bad.
John Strand
Yeah.
Corey
Which I would say this meets that, because this is the kind of thing where, like, you know, we talk about CIS, CIS Controls or whatever you want to talk about, but if you can't, as a company, say, let's look for things that could be keyloggers in our network and identify them and remove them, you, like, you are, that's negligence in my opinion. Like, you need to be able to look at a list of running processes or whatever on all your computers and see if there's anything malicious on them. Right. Like, but I think it's also job duties. Like, it's a pharmacist. Why is he able to install anything on any computer? Like, there's so many things in the list. On the topic of healthcare, I mean, there's basically two kinds of health organizations these days. One says test everything, nothing's out of scope. Good luck, go break things, have fun. And the other is like, don't do anything. Like, we basically split the difference. And the customers I interact with are like, I'll be like, should anything be out of scope? They basically say nothing should be out of scope. If you find something that looks like it's going to fall over if you Nmap it, you know, or if you find, like, a camera in a breastfeeding room or whatever, like, tell us. But this shouldn't exist. This shouldn't be out there on the network, you know, unauthenticated or in a segment that you can access. So it's, like, it's one of those things where there's health organizations that are like that and are like, we are secure. If you find anything that would let you do this, we care. Other organizations are like, everything is in, like, you can't touch anything because it all could fall over at any given time. So I feel like it's tough to make that giant leap between those two things.
John Strand
And I, and I think that that's where you're going to get into the difference between negligence and gross negligence. Right. If you're looking at negligence, they screwed up, and negligence is relatively loosey-goosey. It's easy to kind of lock that down if you're an attorney. And if you're trying to prove negligence, you can find negligence anywhere. It's like, they didn't patch, they didn't run AV, they didn't do those things. Now, whenever you start taking the gross negligence, that's where it's intentionally negligent. Right. So at BHIS in contracts, we say, you know, we're not going to be held liable unless there's evidence of gross negligence, which means the tester intentionally did something that was going to be negatively impacting a customer's environment. Now, in this particular lawsuit, if they can pull documents from the hospital where they literally can see that this organization was intentionally skirting around compliance issues and trying to avoid implementing good security just because they didn't want to, or it was expensive and they were intentionally trying to lie, like we were talking about regulators taking them out to dinner or taking the regulators out, you find that you're now in gross negligence. Right. That's where you're saying, we're not going to comply with HIPAA, we're not going to comply with security best practices, and we're going to actively petition the auditor and regulator to allow us to do so. And if I was an attorney and I was looking at this, I would be looking for any evidence of gross negligence. Like, look at those reports that are coming from the auditor, from the testers, from the SOC provider, and see if there's anything where they're like, just bury this because we're behind a firewall. Or just bury this because of exceptions. And, like, if you can find that, then all of a sudden this lawsuit gets really creepy, or it gets really huge, really quick.
But I still come back to, he's a pharmacist. How in the living hell did. And I get an idea, like, most organizations like this, you can authenticate to any workstation with the existing credentials. But installing a keylogger usually is just for your individual user session. Like, if you're running a keylogger on most Windows systems in a domain, if I exploit a system and I run a keystroke logger, I'm running underneath the context of that user.
Corey
Right. And it had to be, like, PowerShell or a custom EXE or some garbage like that. It wasn't, like, an APT-level threat. Dude's a pharmacist, not a, like, malware developer or whatever.
John Strand
Yeah. I just don't know. I. And I also wonder maybe if there weren't a lot of computer systems they just left logged in all the time.
Corey
And he would log in local admin.
John Strand
For a shared account that everybody used, and he was installing that keylogger on those.
Corey
I could. I'm guessing here, I have no inside information. I have no idea. But there is no way that no one has noticed over the course of 10 years. I bet you this. I mean, this dude's got to be creepy as hell. I'm sorry. But, like, there's no way that no one has ever been like, hey, what's his face came into my office and did some weird stuff on my computer. Like, is that normal? Like, I feel like there has to be a long paper trail of them being like, it's fine. Like, I don't. In my opinion, there's no way all of this was undetected by anyone. Even if it's just, like, people noticing. That's weird. My accounts are getting compromised, and I only log into that account on my work computer.
John Strand
But that's also. But that also leads you to the gross negligence thing, too, because imagine if then this hospital, and I'm willing to guess that this guy had HR infractions against him.
Corey
Right? That's what I'm saying. That's going to be the nail, literally.
John Strand
Building the case for the attorneys. Like, by the way, if you need help, attorneys, call us, right? Or just listen to the webcast, right? But if you can pull down the HR complaints. Because I'm willing to bet there are HR complaints about this dude, because you don't get to that level of creepy.
Corey
You don't get to king creepy without.
John Strand
He seems like such a nice young man. He was always quiet and kept to himself. You know, you have these people that do this. So a couple of. Well, a couple of stories, but I'll just give one. I was at a conference, and I was teaching, I think it was in Vegas, and I was teaching on Poison Ivy, right? And one of my students in my class, he said, yeah, Poison Ivy is a great tool. Come here, let me show you something. And he was an IT admin, right? And he opens up his instance of Poison Ivy and had literally hundreds of systems that had Poison Ivy running. And you could go through with Poison Ivy and you could go through all of them and get like a webcam capture for any one of those systems. And he's showing me. He's like, yeah, I've got this installed on all of my systems for all of these users. And he's like, going through. And he's showing me all that. And I'm just like, horrified. And I'm like, what are you doing this? He goes, no, I just want to learn how the hacking tools work. And I'm like, you literally have installed it on hundreds of people's computer systems. That was one of three times I've kicked students out of my class. But I'm going to be honest with you, the dude was super creepy. Like, he had the shifty eyes, the whole thing. Like, you know the dog from the Simpsons? Like, he was creepy as hell. And then the whole time he's like, what? I don't understand why I'm being kicked out. I'm the admin. I should be able to do that, right? No, there's no way that this person doesn't have an HR file that's like a mile long. And if the attorneys get a hold of that, you're moving very quickly to gross negligence land.
Corey
Yes. And just to, like, make the PSA. If the guy who's not the IT guy or any person comes in and is messing with your computer and you don't know why, you should report it. This is not a normal thing that happens. People don't just go around messing with other people's computers. That's not how it works. So, you know, I feel like, gut feeling, this had to have been reported and it got buried. He had to have enablers or, you know, at the very least, people who, you know, accomplices or whatever.
John Strand
Yeah, there's gotta be more to the story. And I gotta be honest, I'm really happy I'm not working for this Maryland health clinic because this is going to be a rough, this case is going to hurt the whole time. It's going to be painful. I'm going to give you a recommendation right now. I'm not an attorney at all, but I'm going to give you a recommendation. Settle. I'm just gonna throw that out there. If we're talking 10 years, it didn't catch it. You know that there's going to be auditors, there's going to be an HR file. Like, I know that there's an executive out there that's like, we can fight this. Don't settle. It's going to be cheaper to settle. Depp goes, oh, Maryland. You go. Just be you.
Corey
Yeah, I mean, yeah, I guess. Anyway, let's do it. You want to talk about the Rippling thing? That was.
John Strand
Got to talk about the Rippling. You want to set this one up. Great post from Varonis. Go ahead.
Corey
I wasn't familiar previously with either of these two companies, but there are two companies, one being Rippling and the other one being Deel, spelled D-E-E-L. Yeah, they are kind of in a little bit of a battle. So Rippling filed a lawsuit against Deel, basically being like. And the accusations here are just amazing. The accusations include racketeering, which right off the bat you're like, okay, racketeering. So we're going straight to that.
John Strand
Shit just got real.
Corey
Yeah. Which, you know, the legal definition of racketeering, I don't really know what it is, but I just think of like Al Capone. That's what I think of. Misappropriation of trade secrets and other serious allegations. Basically there was a spy who worked for Deel, but actually worked for Rippling.
John Strand
As a spy from Ireland. I don't know why that's relevant, but it just fills in the story and the narrative and it's going to help like script writers later on.
Corey
Yeah. So it's like the exact insider threat scenario that you would come up with in a tabletop exercise. Yeah, like it is exactly that. They're both HR management or like workforce management software, kind of like Workday or, you know, one of those. And they're competitors. There's just a lot going on here. You can see like, so the blog is published by Varonis, or the write-up is published by Varonis, which Varonis, their bread and butter is detecting these kinds of insider threats. You can see they have fancy graphs and things about the importance for a.
John Strand
Tool with full visibility and AI. Like later on it's like this.
Corey
Yeah. I mean it gets a little bit much. But I will say this is a great thing of like, I mean we're just talking about the, the pharmacist thing we just finished talking about is also an insider threat scenario.
John Strand
Yep.
Corey
If you could see a graph of how many computers this person had logged into, it would probably tell you some things. You'd be like, why is this pharmacist with one work computer assigned, logged into 400 computers at once? Anyway, basically the employee leaked a bunch of data. They did a bunch of searches for like all of our leads, all of our competition, you know, they leaked data out of Slack. They searched sales data. Yeah, sales data. As an example, the person, anytime someone would request a demo of the Deel, the Rippling application, they would send it over to them. Be like, hey, this person is interested in switching company providers. It'd be really funny if you're like, sign up for a demo on one site and then you just get an email from their competitor being like, hey, that's sketch. I don't know how that goes over. Yeah, they'd be like, wow, these Google Ads are getting really specific. Please call me now. Yeah, so it's basically your traditional insider threat. I do agree with their, you know, Varonis's takeaways, but also, like, the lawsuits are hot. It's got like, some stuff in there about someone violating sanctions. They're really firing back and forth. So it'll be interesting to see how it pans out.
John Strand
But, and I want to, personally, I don't know if Deel is guilty of this or not because it hasn't played out in a court of law yet. But if it's true, I personally want to thank you, Deel. I really do, from the bottom of my heart, because it allows our show to talk about something other than ransomware and leak data. And for that, I'm deeply appreciative of the fact that you've brought this into being interesting on this show.
Corey
I have to agree. I have to say this is a new campaign for ANTISOC. We can do an insider threat campaign where we just search for all your customers and export them. And if you don't detect that, you've got a problem.
John Strand
Well, and that's one of the things I've been saying for a long time. If you cannot detect this type of threat, if you cannot detect an Edward Snowden, you do not have a security support structure, full stop. And the reason why is whatever the case may be, as soon as an attacker has taken over a user account in your environment, they're effectively an insider. That account that they've taken over, they're using it like a puppet. Right. So if you're looking at this, like, how do we detect this? You should be able to detect this. Right. Because any attacker that compromises any user ID is then going to be acting like an insider threat in your environment. And we got Alice is like, yes, yes. New insider threat campaigns. Yeah. I feel like we're coming up with booster packs for the ANTISOC continuous pen testing. But I mean, a lot of the.
Corey
Time we just do ransomware stuff, which is fine. Yeah, but we get.
John Strand
But you want to branch out like ransomware. All the news. Right. But really the dwelling, consistent intellectual property leakage. Somebody said, I hate leaking slacks.
Corey
I thought that was pretty solid Disney employee.
John Strand
But those are the things that we probably as organizations need to be testing for.
Corey
More.
John Strand
And for the record, I just want to throw some things out there. You can go buy a really expensive DLP solution, which, by the way, DLP has never stopped an attacker and it never will. Instead, I would recommend looking at different things. Like I'll just throw a huge fan of cyber deception. Put out honey files and honey shares throughout your environment and see if anybody picks those up. There's some really, really cool things that are designed for detecting these types of insider threat lateral movement. And I just did a class, it's for free. You can go to the Antisyphon YouTube channel, go to, I think it was live. And then you can look at cyber deception. Day one, two, three, four. All the labs are there. The whole class is there for free. Because that's our best way to get around, you know, people trying to steal our intellectual property for our classes. If we give them away for free, you can't steal them. Right. So the.
Corey
One of the key things I wanted to call out is. So a lot of times we're talking about ransomware. Ransomware often requires the threat actor to elevate privileges very high, right, to a domain admin that can delete volume shadow copies and delete backups and then block out everything in the domain. You don't need high privileges to be an insider threat like this. You need very little privilege. All you need is an account that can search things on the internal SharePoint and access them. And that's enough data loss to potentially tank your business if every time one of your clients looks for a renewal, you send them a renewal for the competitor. Like it's going to be bad.
John Strand
Yeah, I like Rada says don't call it data loss prevention. It's data loss detection. We're missing NG. Did we skip over NG? Was it DLP NG or was it AI DLP NG? And then we're just switching completely over to data loss detection. I don't know.
Corey
Coffee is required comment. I'm not going to highlight it, but it's so funny.
John Strand
Oh, my God.
Corey
I had a joke.
John Strand
Call it out.
Corey
I had a joke. Okay.
John Strand
The joke was.
Corey
Yeah, the joke was my honeypot will be breast milk videos here to detect certain subjects. My. The version I was going to make a politically correct or a more politically correct version of the joke, which is going to be. If you're the company who hired Matthew Bathula, you might want to create a folder called find your keyloggers here. And yeah, if you click that corporate keylogger. Yeah, yeah, but I did like, final thing, I want to say is looking at the. Like, can we pull up the blog again and look at the data? There's one graph that just kind of makes me laugh and also confused at the same time. It's the graph that says the number of times the term Deel was searched per day by the spy spiked. Well, it's one of the graphs. Yeah, you'll have to. Sorry for making you scroll. That's not it. Keep going. I forget exactly where it is. And there it is. So to give you an idea of this graph, basically there was a day where the person searched for their own company name 150 times. If you work at a company and you're just searching for your own company 150 times, insider threat aside, I am worried for you. I don't just go in SharePoint and type Black Hills InfoSec 150 times a day.
John Strand
Black Hills Infosec. What do we do?
Corey
You google that. 150 charge.
John Strand
Black Hills Infosec. How did this happen to me? Like the odd searches that I am asking, like, you know, AI. It's like, how did BHIS happen? And AI is probably like, it was a mistake. It just punked up naturally. Because John's like, just keep asking until.
Corey
It says something you like to hear.
John Strand
Yeah, can we talk about the Moroccan cybercrime syndicate? Oh God, what a great name. And by the way, I also want to call out this cyber crime group. Once again, they're criminals. They're doing bad things. I'm totally all about that. We shouldn't glorify, but damn the name that they gave them, Atlas Lion. Like when this Moroccan cybercrime group got that name, they had to have been high fiving each other. It's like that episode of Seinfeld where. What is it? George is trying to call himself T-Bone and they're like, no, your name's not T-Bone. Like you're always worried if you're a threat actor, can't pull it off. Yeah, you're going to get like a name of Leaky Slack. It's like, who the hell wants to be Leaky Slacks, you know, but my God, Atlas Lion is awesome. It's a great name, but I love their attack. Like their attack of breaking into an organization and enrolling virtual machines inside of the cloud domain. It seems like a really complicated way of getting gift cards, but once again, it's at least novel. And I don't know, I just want to say thank you to these guys as well.
Corey
I will say I did this in a pen test in like 2019. So I guess I just missed the bus on this one.
John Strand
But yeah, I like how they got caught by Defender because when they spun the machines up it had Defender on it and then they connected back to their sketchy IP addresses and Defender saw them connecting with sketchy IP addresses and that's how they got caught. Like they didn't even bother going through VPNs. They didn't bother like popping through I2P or anything like that. They literally are like, you know what, all of our IP addresses are on a deny list, let's just connect directly to this infrastructure from those IP addresses. So I had a lot of respect for them, but that's kind of where I was like you guys got a little bit too far ahead on your skis on that one there.
Corey
So I mean, I guess I'm a little unclear on what they, I guess they wanted to go for like AD CS abuse or something like.
John Strand
No, they were trying to. I don't know how they went from the VMs right to the point where they got gift cards. Like I'm still trying to figure that one out. The group typically creates gift cards and cashes them out for money mules and then sells them to other cyber criminals. But this seems like a really complicated way of, you know, they search through dozens of internal applications, a whole bunch of different files looking at the bring your own device policy, VPN configurations, familiar goal the group. Then they're like gift cards.
Corey
Like oh, I see. It's okay. So I mean basically go reading through this. They're compromising companies who are issuing gift cards. Then they're looking through their internal docs to see, to look for exploits like oh, if you use the code discount 2020 then you'll get 10 free gift cards or whatever. It's like, is that way of. Yeah, because so it says here they looked up information on a familiar goal of the group and painting gift cards. They looked through gift card issuance process docs, information about refunds and exchanges and gift card fraud prevention policy. So it's like they're basically trying to like, let's say you're on Apple's internal gift card like documentation and it says all gift cards with the prefix THIS are known to be stolen or whatever. Just having that kind of threat intel gives you the information. Or like, oh, just so you know, like these are cards we use for testing. They have no upper limit. You can cash out as much as you want or like I'm guessing that's the kind of stuff they're looking for is like, because, I mean, if you think about it, gift cards are functionally the currency of scammers. Like, yeah, it's really weird how that worked. Why not just use Bitcoin? I don't know. I guess it's too hard for people to buy Bitcoin.
John Strand
But I think they went through a lot of effort whenever all they had to do apparently was keyloggers because those are really easy to install in environments. So maybe they made it more complicated.
Alex
I know someone that is on the defender side working against these types of things that they get into the systems and they're just looking for ways and people who have access to issue gift cards. So you're sort of like, okay, I got access and I can start printing money effectively going, I'm just going to issue gift cards to myself.
Corey
Yeah.
John Strand
So you're saying that a lot of companies have like an internal process for issuing gift cards for like employees or whatever, and then they have a document, maybe there's credit cards there or.
Corey
No, the gift cards themselves are the valuable thing.
Alex
Yeah. So, like, you know what? Let you know, let's say they got into, you know, a Best Buy system for issuing Best Buy gift cards or get into Amazon and they're like, who has the ability to issue Amazon gift cards? You know, as an, as an Amazon.
Corey
Employee or is there an API or is there.
Alex
Yeah, is there. There's something that, that generates these. And you go, great, cool. I'm just, just generating codes over and over and over again.
John Strand
Yeah.
Alex
And then they go, it's like, okay, you get kicked out. And it's like, fine, I'm still in the system. I'm going to pivot over to another employee that has access to issue gift cards and use them to just start issuing gift cards or find another API call that allows me to just print money and send that out. And from what I hear of the individual, of the people that I know that are working on this, it is hard. It is really frustrating them to take this group out, this Atlas Lion.
Corey
Well, it's kind of, it makes sense. It's kind of a, in a way. I mean, it's not a victimless crime. But from the, the, from the perspective of like a corporate budget, like you have X. X dollars in gift cards that you've sold. Are those gonna come due? Like, are people gonna actually use them? Like, it's this weird accounting question mark.
John Strand
So years ago, I almost got kicked out of RSA. I was doing training, and they had gift cards that they handed out for lunch. So anybody that took training at RSA would get these gift cards that had, like, $20. And you could go down to. I think it was Westfield's Mall, and this is a long time ago, people. And you would use your gift card, it was an American Express gift card to buy lunch. They would just give them out. So what we discovered is all of the gift card numbers were sequential, right? So that was a weird point in my life where I was taking a credit card cloner and a writer with me everywhere I went. And we were able to take these fake cards. They're real cards, but they have magnetic strips on the back. And we were able to take someone's gift card and then clone into the next card over all with permission of the person that owned that next gift card. So it was, like, really, really, really easy to do. We did it as a lab, just on the fly. Because a lot of my students, like, you know, my card ends in one. The person next to them that was their friend checked in at the same time. My card ends in two. And they just incremented up one plus one for each person that went through the box. And they really, really, really didn't like that. And Westfield's Mall didn't like. Because we told them, we're like, hey, your gift cards are sequential. People can rip them off. And part of the conversation was kind of your point, Corey. If somebody takes and steals a gift card, that number, right? And then that gets given to the person that was supposed to get that gift card. Usually what happens is people try the gift card, it doesn't work for whatever reason, and they never bring it up. It's like, if you got a gift card for Christmas from your aunt and it didn't work, you'd be like, yo, aunt, your gift card you gave me, there's no money on it.
Corey
Yeah, exactly.
John Strand
You're not gonna push back, right? So it's one of those things that can kind of go on for a long time.
Corey
And the company who issues a gift card has no way to validate. If I'm just doing a chargeback, and I actually lost the gift card, like.
John Strand
That's not tied to a person.
Corey
Exactly. They're functionally cash. Basically, at the end of the day, they function as cash, except for. It's like, you know the whole joke of, like, I don't know if this is true, but it's like Starbucks is the biggest bank in the U.S. because they have, like, $2 billion sitting in gift cards at any given time that aren't being used.
John Strand
Right. Yeah. I'm sure if I looked around my office, I'm sure I have a gift card that I haven't redeemed. Like, there's just tons of them out there. Yeah.
Corey
Oh, yeah.
John Strand
So Fart Bart Superburger said readers and writers are super popular amongst kids and low level criminals. I feel a little attacked. I don't know. But then again, that shoe fits, so I'm gonna wear it for a while.
Corey
Wait, what's a. What's a reader writer? What is that? A car is like. Are we talking magnetic strips so you can get them?
John Strand
I can't. What the numbers are.
Corey
Are we talking, like, mag stripe stuff?
John Strand
Yeah, so the. The writers are. Sorry. The readers are real small. You can fit them in your pocket about this big, and they can hold like a hundred cards. And then they store those cards, and then you can write those cards down. And that's usually a bigger thing that's like this big. And then you just swipe it and you write it to the card.
Corey
Remember I did a pen test on a hotel and that was a significant part of it of like. Yeah. Reading. Trying to write a room key based on, like you said, if it's sequential and, like, it's just a code and then the room number or something like that.
John Strand
No, we did it with. Not with hotel rooms, but like rewards cards with casinos in one of our tests a long time ago, where casinos would hand these cards out and then you would gamble and then you would gain rewards, and then you could go cash those rewards in for the night, stay in the hotel, or you could go and buy beer at the bar or whatever. But you could literally take these numbers because those were handed out sequentially as well. And you could just basically jump and then dump data or dump the rewards off of those cards and transfer them out and then use that for cash. So, yeah, like casino gift cards was another assessment that we did that was a lot of fun a number of years ago. But Banjo Crashland's like, is this going to be a workshop at Wild West Hackin' Fest in Deadwood? No, it is not going to be a workshop that we're going to do in a gambling town. So. Although. No, no, no. Not gonna do it. Not gonna do it.
Corey
But the story of why we had to move the Hackin' Fest to not Deadwood.
John Strand
Yeah. We had to move it to, like, Faith, South Dakota.
Corey
Yeah. Yeah. If you like Deadwood, don't ruin it for everyone.
John Strand
Yeah. Don't do that. It's like that one Jackass, the last one that was like doing Bluetooth dos attacks against people. That wasn't cool at all.
Corey
What happens if you watch too many Flipper videos on TikTok? You just get too hyped up about it.
John Strand
Yeah, that's one of the downsides of Flippers. Like there's so many videos out there. Yes, MSR. There it is. MSR606 is the name of the device. And there's like MSR, I think I got a 505. Yes, the MSR devices are what allow you to read and write data off cards. So that's the one good time. Any other final thoughts, folks?
Corey
I mean there's so many we talked so much about. Should we. Okay, we. Okay, I feel, I know we've been dancing around the politics tree for a little while, but the Deloitte thing, the Accenture Deloitte. Yeah, I mean I guess so. Basically the article is the Pentagon has announced, hey, we're going to end our, you know, information technology contract with a bunch of firms. Now the ones that are listed in the article are Accenture, Booz Allen Hamilton, Deloitte. There's probably others. Right. And basically the person, Pete, of course, our good old Pete. Now I added him to a Signal chat, he didn't add me back for some reason. But basically they say it's non-essential spending on third party consultants and for services that employees can perform. But I'm like, well, what employee didn't you like fire them all?
John Strand
So I want to. God. But yeah, so, okay, so a couple of things about this with these firms that are doing DoD work, this sucks because a lot of these firms overcharge the hell out of the US government. I don't know. I'll give you an example. I had one firm that I flew out, this would have been a few months ago, and I assessed the program that they wanted to do and it was all snake oil. There was no way it was going to work. And I fundamentally believe the guy that came up with the idea believed in his project, but it was stupid. It would never be effective. There's no effing way in a thousand years that it would ever be an effective thing. And he was shooting to try to get $100 million to do this project. And I helped kill it. I was one of the people that evaluated it and killed it. Now those types of programs in a lot of DoD space with these large tech consulting firms, they'll charge millions and millions and millions of dollars for something that can take a small nimble firm a couple hundred thousand dollars to produce. So on one half of that, I read this and I'm like, that's a good start. Keep going, right? But on the other side of the equation, if we get away and we start looking at some of the programs, there are services that are provided by these DoD contractors that these companies are doing incredibly cutting edge technological work. A lot of times it's not abundantly clear what they're doing, and it looks like it's fraud, waste and abuse, but it's actually being hidden because it's a really advanced type of project, right? Like, let's take, like, if ManTech is writing zero-days for, let's say, Windows systems, right? That is something that is incredibly sensitive. And there would be some level of obfuscation for that contract so it wouldn't show up in the payment system as zero-day creation and development, right? So there's part of me, when we're looking at this, right, that I'm like, yeah, keep going. Because I've been in the belly of that beast.
I've been there. I've been on both sides of the fence, and I've been on conversations with DoD contractors when I was working with one where they're like, how can we possibly milk this for more money? And that's sickening, right? I know that that happens. And then on the other side of the fence, a lot of these firms are providing very sensitive, very timely services for the United States government. And just cutting them blindly is very dangerous. So my fear is, and this is unrealized, I don't know if this is true, but I'm assuming it's that this isn't a balanced, researched approach to cutting these programs. Like, when you're talking about cutting 5.1 billion, it's probably going through with a golden chainsaw that cuts bureaucracy and it's not nuanced research on what are these different firms doing. So I don't know.
Corey
I mean, the thing that triggers me the most is, okay, $5 billion, that sounds like a lot of money. Then you realize that's like two seconds of the budget for 2020. Like, the US budget this year alone has spent $3.5 billion, and I think.
John Strand
DoD is 800 billion.
Corey
Yeah, like, okay, the US government is an insurance company with a standing army. This is nothing. This is like, this is no, like real chunk of the budget. It's like, oh, yeah, here's $5 billion. It sounds like a lot of money, but it's like a billionth of a percent or whatever of the US budget. So it's just like. It just seems like, okay, you're not really doing things that matter. You're just doing things that are, like, politically charged. That's what triggers me is it's like.
John Strand
Yeah, screw you, dude.
Corey
Here's $5 billion back. And then the DoD is like, cool, we already spent it. You're like, it was like five minutes ago.
John Strand
But I'm still going to come back to, like, I agree. You know, there's no way that there was nuance and, like, really good thought put into this at all. Like, there just isn't. But I. Like I said, I've been working in that space for a long time, and I've literally been on projects that, you know, are hundreds of millions of dollars. And you're like, this is gonna go nowhere. Like, there's no value in this. Or they just keep. Like, this project has been a failed project. Like, there was one that I was working on that was like 1.2 billion over six or seven years. And it was like the sunk cost fallacy, where they felt like if they just put another few hundred million dollars in, it's gonna finally work, kiddos. And it just. They just keep throwing money into this bucket. You know, I think that there needs to be an absolute good conversation about fraud, waste, and abuse, but it's very nuanced. It's like that wrench. When people are like, oh, yeah, DoD bought a wrench for $200. It's like, no, no, no, you don't understand. That's a wrench that is being deployed in theater in an active war zone. Wrenches are going to be more expensive with supply chain, logistics, transportation trying to get them there. So there's a lot of nuance with this stuff, but, God, there is so much waste.
Corey
Yeah, I mean, that's fair, but I would say that's like. I guess I'm like that. That's like the. That's the defense budget. The whole. Most of it is just like, we're not sure if this is going to hit in the right spot. We're just going to hope for the best. Like, it's just a general policy that says, don't mess with us because here's how much we spend on defense. Like, I don't know.
John Strand
I do want to do a call out real quick. Coffee As Required said Accenture was Andersen Consulting, and they changed their name to distance themselves from the whole Enron thing. Andersen Consulting was not part of the. Oh, sorry. I'm just going to clarify. God. I'm defending Andersen Consulting and Accenture. It was Arthur Andersen, the financial consulting firm, that was behind Enron. Arthur, or sorry, Andersen Consulting was not, but you're 100% correct. They did change their name and it stood for Accent on the Future. I was there when that all happened. But I do want to make it clear Andersen Consulting was not part of the Enron thing. That was a different part of the company. And Arthur Andersen, but they changed their name anyway. I know that that's a distinction without a difference. And, you know, I just want to throw that out there. God. I'm defending Andersen Consulting. Oh, God. What's wrong with me?
Corey
Well, sometimes details matter.
John Strand
But yeah, I believe in, you know, calling out where you need to call out. But sometimes we go too far, so. All right, let's wrap this up.
Corey
This was. Wrap it up. There's a bunch of articles.
John Strand
I think we navigated the politics thing really well. So the next.
Corey
I'm sure we managed to piss off both sides. That's what I want to make sure.
John Strand
I'm hoping we did. But next episode, we're going to get into religion and pineapple on pizza. So be sure to tune in and we can tackle those issues because we handled politics so well. Till then. I'll see you next time, everybody. Take care.
Corey
Bye.
Mike
Sa.
Podcast Summary: Largest Corporate Espionage Case this Century
Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode Release Date: April 16, 2025
Episode Date: April 14, 2025
The episode opens with John Strand setting the stage for a discussion that intertwines politics and computer security news. He issues a trigger warning about the political content and hints at the complexity of navigating such topics without alienating listeners.
John Strand [00:01]:
"We're going to be talking a little bit about politics... We're going to try to thread that needle as well as we possibly can."
A significant portion of the discussion revolves around insider threats, especially in the context of ongoing layoffs and organizational changes. John highlights a class action lawsuit against the University of Maryland Medical Center (UMMC), alleging negligence for failing to prevent a decade-long cybersecurity intrusion by a pharmacist who installed keyloggers.
Corey [18:08]:
"This isn't even pen testing. This is like basic cyber controls... that's how I see this."
The team debates the severity of the negligence involved, with John Strand distinguishing between negligence and gross negligence, emphasizing the intentional neglect that could have facilitated such breaches.
John Strand [26:30]:
"If you can find that, then all of a sudden this lawsuit gets really creepy or it gets really huge, really quick."
The Pentagon's decision to terminate $5.1 billion in contracts with major firms like Accenture, Deloitte, Booz Allen Hamilton, and others is scrutinized. John expresses mixed feelings, acknowledging the overcharging issues prevalent among large consulting firms while also cautioning against indiscriminate cuts that might affect critical and possibly sensitive projects.
John Strand [53:03]:
"There needs to be an absolute good conversation about fraud, waste, and abuse, but it's very nuanced."
Corey emphasizes the relative scale of the budget and questions the effectiveness of such significant financial reallocations.
Corey [56:06]:
"The US government is an insurance company with a standing army. This is nothing."
The episode delves into the activities of the Moroccan cybercrime group Atlas Lion, commending their novel attack methods aimed at obtaining gift cards by infiltrating cloud domains. The hosts express admiration for the group's ingenuity despite their malicious intents.
John Strand [42:47]:
"I just want to say thank you to these guys as well."
They discuss the group's methodology, which involves compromising internal systems to access and generate gift cards, highlighting the complexities and challenges in detecting such threats.
Corey [44:07]:
"These gift cards are functionally the currency of scammers."
The team offers insights into threat intelligence feeds, advocating for community-driven sources like ISACs and platforms like Bluesky and Mastodon to stay updated amidst dwindling federal data. Mike shares his approach to filtering useful information through targeted hashtags.
Mike [05:37]:
"My follow feed is semi useful, but really it's the hashtags that wind up going ahead and becoming the most useful for it."
They also recommend Sentinel One as a reliable Endpoint Detection and Response (EDR) solution, praising its effectiveness and cost-efficiency in the Managed Security Services Provider (MSSP) space.
Corey [17:35]:
"Sentinel One has been in my personal recommendations list for a low cost, very effective EDR."
John Strand introduces the concept of cyber deception, suggesting the use of honey files and honey shares to detect insider threats. He points listeners to a free class on cyber deception available on the Antisyphon YouTube channel as a resource.
John Strand [38:02]:
"I just did a class, it's for free... the whole class is there for free."
Corey emphasizes the importance of data loss detection over traditional Data Loss Prevention (DLP) solutions, arguing that detection is more effective in identifying and mitigating insider threats.
Corey [38:54]:
"Don't call it data loss prevention. It's data loss detection."
The hosts brainstorm community-driven initiatives to provide penetration testing for organizations that cannot afford professional services. They discuss the potential risks and benefits of involving community members and the importance of maintaining trust and methodological consistency in such endeavors.
John Strand [09:51]:
"Build the checklist and the methodology that BHIS does for basic things and how to mitigate the overall risk for doing that type of work..."
Corey suggests leveraging vetted communities like the CPTP contestants to ensure quality and reliability.
Corey [16:36]:
"Give them an opportunity to do that... if you own a pen testing company and you're like, I would like to help with this because that seems like it might be fun. Please reach out to us as well."
As the episode wraps up, John Strand and Corey make light-hearted comments about the challenges of handling political topics and tease future episodes addressing lighter subjects like religion and pineapple on pizza.
John Strand [59:15]:
"Next episode, we're going to get into religion and pineapple on pizza... we handled politics so well."
The hosts conclude by encouraging listeners to stay engaged and participate in upcoming discussions.
Corey [59:18]:
"Till then. I'll see you next time, everybody. Take care."
This episode offers a comprehensive look into the multifaceted world of cybersecurity, blending technical insights with organizational and political implications. From insider threats and corporate espionage to community-driven security initiatives, the hosts provide valuable perspectives for both professionals and enthusiasts in the Infosec community.