Talkin' About [Infosec] News (2025-12-01)
Episode Date: December 4, 2025
Main Theme:
This episode dives into recent developments and controversies in the information security world, including the proposed legislation in Wisconsin intended to ban VPNs, the hazards of public data storage tools, the spread of AI-generated “slop” content, critical software vulnerabilities, international cyber-espionage, and the latest in social media policy and scams. The BHIS crew—Corey, Andy, John, Ralph, Bronwyn, and guests—present their usual blend of technical depth, skepticism, and irreverent humor throughout.
Key Discussion Points
1. The Perils of Extensions and Public Data Storage Tools
- Malicious Browser Extensions: The crew opens with banter about browser extensions before turning to a serious critique of how widely used extensions turn malicious or unsafe, typically when their developers sell them to new owners or stop maintaining them (00:30–01:15).
- Data Leaks in Tools like Code Beautify and JSON Formatter:
- Public “beautifier” sites (like Code Beautify, JSON Formatter) have a feature allowing users to save content online—which users regularly misuse by storing credentials, cloud keys, and other sensitive data (03:43–09:55).
- Quote:
“The long story short is there’s all kinds of sketchy data in there, including secrets…Active directory credentials, code repo keys, database credentials…”
— Corey (05:10)
- The team agrees: people shouldn't put confidential data into public tools, but the platforms also bear responsibility for exposing recent saves publicly and for not setting sensible defaults (07:02–09:57).
- Security Takeaway: Security teams should block access to such "bin" and paste sites in corporate egress policies, and pentesters should check those sites for client data and recommend the block in their findings.
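Egress filtering stops the paste from leaving the network, but the complementary check is a local "paste guard" that flags credential-shaped strings before anyone pastes them anywhere. The following is an added example, not code from the episode or from BHIS; the patterns cover a few common credential shapes and are illustrative rather than exhaustive, and SAMPLE is a constructed config blob that uses the AWS documentation's example key pair rather than any live credential.

```python
"""Paste guard: flag likely secrets in text before it is saved to a public
"beautifier" or paste site.

Added example, not from the episode. PATTERNS is illustrative, not exhaustive;
SAMPLE is constructed and uses AWS's documented example key pair.
"""
import math
import re
from collections import Counter

PATTERNS = {
    # AWS access key IDs have a fixed prefix and length.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Secret key: 40 chars of base64-like alphabet after the well-known key name.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    # Password embedded in a database connection URL: capture only the password.
    "connection_string_password": re.compile(
        r"(?i)\b(?:jdbc:[a-z]+:|mongodb(?:\+srv)?://|postgres(?:ql)?://|mysql://)"
        r"[^\s\"':/@]*:([^\s\"'@]+)@"),
    # Generic "password = value" / "token: value" assignments, value 8+ chars.
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)[\"']?\s*[:=]\s*[\"']?([^\"'\s,;]{8,})"),
}

# Constructed sample of the kind of thing people paste into a JSON beautifier.
SAMPLE = """{
  "env": "prod",
  "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
  "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "db": "postgresql://app:Sup3r-S3cret-Pa55@db.internal:5432/app",
  "ldap_password": "Winter2025!",
  "debug": "true"
}"""


def shannon_entropy(s):
    """Bits per character; placeholders like 'xxxxxxxx' score near zero."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text):
    """Return [(kind, value, offset)] sorted by position in the text."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            # Generic assignments are noisy: require the value to look random.
            if kind == "password_assignment" and shannon_entropy(value) < 3.0:
                continue
            findings.append((kind, value, m.start()))
    findings.sort(key=lambda f: f[2])
    return findings


def redact(text):
    """Replace each detected secret with a placeholder naming its kind."""
    out = text
    for kind, value, _ in find_secrets(text):
        out = out.replace(value, f"<REDACTED:{kind}>")
    return out


if __name__ == "__main__":
    for kind, value, offset in find_secrets(SAMPLE):
        print(f"{offset:4d} {kind:28s} {value}")
    print(redact(SAMPLE))
```

Wire `redact` into whatever path text takes to a browser or paste tool (a clipboard hook, a pre-commit hook, a proxy that inspects POST bodies to the bin sites you cannot block) and you turn the hosts' advice into an enforced control. The entropy threshold on the generic pattern is the usual trade-off: it suppresses `password = "xxxxxxxx"` placeholders but will also skip a low-entropy real password, so tune it against your own false-positive budget.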
2. Lawmakers in Wisconsin Propose a Ban on VPNs
- Legal, Technical, and Practical Impossibility:
- Wisconsin legislators' attempt to ban VPNs is ridiculed and dissected. The enforcement model looks unworkable: the bill would require websites to detect and block VPN users from Wisconsin, yet a website cannot reliably tell a commercial VPN exit from a corporate VPN, a proxy, or an ordinary user (12:05–16:38).
- Quote:
“I love that they would...ban VPNs and then no one in the government could access their work anymore.”
— Corey (12:16)
- The group compares it to Chinese-style censorship, but notes that such blockades are always cat-and-mouse and are easily defeated by tech-savvy users and motivated teenagers (16:55–17:25).
- Business Impact: The ban would mainly hurt legitimate business users and security tooling, not the "children" lawmakers profess to be protecting (17:28–18:41).
3. Critical 7-Zip Vulnerability
- Threat Overview:
- A recently disclosed critical 7-Zip vulnerability can be exploited simply by getting a user to open a malicious archive (21:18–24:07). A fixed release has been available since July 2025, but many organizations do not update 7-Zip regularly.
- Quote:
“This is going to be the plague of every sysadmin’s existence on Nessus scans for the next year.”
— Corey (21:53)
- 7-Zip's ubiquity on business desktops and its lack of an auto-update mechanism amplify the risk; the hosts expect the bug to be abused for internal escalation and in watering-hole attacks.
- Advice:
- Update 7-Zip installations ASAP (and inventory where it is installed first, since it rarely goes through a managed software catalog), educate users, and prefer tools that notify about updates.
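The "plague of every sysadmin's Nessus scans" is really an inventory problem: you have to find every 7-Zip, compare its build to the fixed release, and not get fooled by version strings. Below is an added example (mine, not BHIS's or the 7-Zip project's): INVENTORY is a constructed CSV in the shape a vulnerability scanner or endpoint-management export might give you, and the fixed version is an argument the caller supplies; the "25.00" in the usage at the bottom is an assumption you should verify against the vendor's advisory rather than a value from the episode.

```python
"""Patch triage for 7-Zip from a software-inventory export.

Added example, not from the episode. INVENTORY is constructed; the fixed
version passed to outdated_hosts() is an assumption to check against the
vendor advisory.
"""
import csv
import io
import re

INVENTORY = """host,product,version
fs01,7-Zip 24.09 (x64),24.09
wks-042,7-Zip 9.20,9.20
wks-107,7-Zip 25.01 (x64),25.01
build01,7-Zip 23.01 (x64),23.01
lap-311,7-Zip 25.00 (x64),25
srv-db2,Notepad++ 8.7,8.7
"""


def parse_version(version, width=3):
    """Split '24.09' into a zero-padded numeric tuple, e.g. (24, 9, 0).

    Two pitfalls this avoids:
      * lexical comparison: as strings, '9.20' > '24.09', which would mark an
        ancient build as up to date;
      * unequal lengths: as tuples, (25,) < (25, 0), which would flag a host
        reporting '25' as older than one reporting '25.00'.
    """
    parts = [int(p) for p in re.findall(r"\d+", version)]
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    parts += [0] * (width - len(parts))
    return tuple(parts[:width])


def outdated_hosts(inventory_csv, fixed_version, product_prefix="7-Zip"):
    """Return [(host, version)] for matching products older than fixed_version."""
    fixed = parse_version(fixed_version)
    stale = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not row["product"].startswith(product_prefix):
            continue
        if parse_version(row["version"]) < fixed:
            stale.append((row["host"], row["version"]))
    return stale


if __name__ == "__main__":
    # "25.00" is an assumed fixed version for illustration; confirm it yourself.
    for host, version in outdated_hosts(INVENTORY, "25.00"):
        print(f"{host}: 7-Zip {version} needs updating")
```

The same parser works for any product whose versions are dotted integers; point `product_prefix` at it and feed the real export. The thing to take away is the comparison, not the CSV: scanners and scripts that compare version strings lexically will happily report a 9.x install as newer than 24.x.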
4. AI “Slop” and the Quest for Authenticity
- Rise of AI-Generated Content and the "Slop Evader" Plugin:
- Discussion of a browser plugin that hides all content newer than November 2022 (ChatGPT's public launch) as a blunt way to avoid AI-generated "slop" (26:12–27:44).
- The hosts note that slop always existed, but LLMs and generative AI have escalated its volume.
- Quote:
“I do think there’s actually a legitimate business case for a product...to help you easily identify and filter out AI generated content...Unfortunately, that product itself is going to have to be AI driven. Slop on slop.”
— Corey (32:39)
- The hosts bemoan how hard it is to identify fake images and videos and predict a cat-and-mouse future of detection and watermarking (33:14–34:26).
- Cultural Impact: Shows like “The Rookie” are bringing AI-generated image scams into mainstream consciousness (36:21–36:52).
5. China’s Ongoing Cyber Espionage – New Front Focused on Europe
- Summary:
- The hosts recount a Kyiv Post article on Chinese espionage targeting the European Parliament and government sectors, including social engineering via fake headhunter offers (37:05–38:51).
- Quote:
“Basically trying to recruit a foreign resource...Espionage classic. You know, this is not new. Right? It's the same play.”
— Corey (38:33)
6. Apple iOS Vulnerability: USB Access Risks
- Issue:
- A newly reported iOS vulnerability leaves the USB data connection accessible once the device has been unlocked, even after it is re-locked, reviving concerns about "juice jacking" (39:11–40:38).
- Practical Takeaway:
- Double-check privacy and security settings after OS updates, avoid connecting to unknown USB chargers or accessories, and use MFA for sensitive accounts.
7. Meta/Facebook in the News for Scam Ads and Lax Enforcement
- Meta’s “Strike Policy” for Serious Abuse:
- Reuters reporting reveals that Meta's internal policy allowed accounts flagged for sex trafficking to accumulate 17 violations before suspension (43:30–51:08).
- The team lampoons the "17-strike" system and speculates that profit motives and the sheer scale of moderation overwhelm real enforcement.
- Quote:
"Any strike policy that goes to 17 is not much of a strike policy."
— Ralph (43:49)
- Fraudulent Advertisements as Revenue Stream:
- Allegations that Meta knowingly derives a significant share of its revenue from fraudulent ads. The group notes that every major ad network (Google included) faces the same problem, but suspects Meta's handling of it may be especially egregious (46:32–47:37).
- The "too big to jail" mentality and the regulatory challenge of policing it are discussed.
- Policy Suggestion: Penalties must make turning a blind eye to fraud costlier than proper enforcement (49:11–49:37).
8. Australian Man Sentenced for Airplane WiFi Evil Twin Attack
- Details:
- A 44-year-old man used a WiFi Pineapple on flights to stand up fake access points, phishing login credentials (particularly from women) and stealing private images; he was sentenced to seven years in prison (52:47–58:34).
- The attack likely combined evil-twin access points mimicking the in-flight network with fake single-sign-on phishing portals. He was caught after irregularities in in-flight WiFi revenue and an alert flight attendant drew attention to the rogue network.
- Security Takeaway:
- Training, phishing-resistant MFA (e.g., FIDO2), and VPN use (where legal) are the best mitigations for users on untrusted networks. A legitimate captive portal never needs your Google, Microsoft, or Apple password, so treat any in-flight login page that asks for one as hostile.
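From the defender's side, an evil twin leaves traces in an ordinary scan: the same SSID appearing open next to an encrypted copy, radios from a different vendor, or software-generated MAC addresses. Here is an added example (not code from the episode or from BHIS) that runs those heuristics over a scan export. SCAN is a constructed CSV in the shape a scan export (SSID, BSSID, channel, security) takes; the SSIDs and MAC addresses are made up and the OUIs are not meant to identify real vendors.

```python
"""Evil-twin triage over a Wi-Fi scan export.

Added example, not from the episode. SCAN is constructed; the SSIDs, MAC
addresses and OUIs are made up.
"""
import csv
import io
from collections import defaultdict

SCAN = """ssid,bssid,chan,security
Airline-Inflight-WiFi,3C:22:FB:AA:BB:01,6,WPA2
Airline-Inflight-WiFi,3C:22:FB:AA:BB:02,11,WPA2
Airline-Inflight-WiFi,02:C0:CA:12:34:56,1,OPEN
CorpGuest,3C:22:FB:AA:CC:01,36,WPA2
CorpGuest,3C:22:FB:AA:CC:02,44,WPA2
FreeAirportWiFi,02:11:22:33:44:55,6,OPEN
"""


def oui(bssid):
    """First three octets: the manufacturer prefix of a globally assigned MAC."""
    return bssid.upper()[:8]


def is_locally_administered(bssid):
    """Bit 1 of the first octet set means the MAC was chosen by software, which
    is typical of soft-APs and hotspots rather than fixed infrastructure."""
    return int(bssid.split(":")[0], 16) & 0x02 != 0


def find_evil_twin_candidates(scan_csv):
    """Group APs by SSID and return {ssid: [reasons]} for anything suspicious.

    Strongest to weakest signal:
      mixed_security              one BSSID is open while others are encrypted
      mixed_oui                   the same SSID comes from radios of different vendors
      locally_administered_bssid  a BSSID looks software-generated
    """
    by_ssid = defaultdict(list)
    for row in csv.DictReader(io.StringIO(scan_csv)):
        by_ssid[row["ssid"]].append(row)

    findings = {}
    for ssid, aps in by_ssid.items():
        reasons = []
        securities = {ap["security"].upper() for ap in aps}
        if "OPEN" in securities and len(securities) > 1:
            reasons.append("mixed_security")
        if len({oui(ap["bssid"]) for ap in aps}) > 1:
            reasons.append("mixed_oui")
        if any(is_locally_administered(ap["bssid"]) for ap in aps):
            reasons.append("locally_administered_bssid")
        if reasons:
            findings[ssid] = reasons
    return findings


if __name__ == "__main__":
    for ssid, reasons in find_evil_twin_candidates(SCAN).items():
        print(f"{ssid}: {', '.join(reasons)}")
```

A real roaming deployment gives several BSSIDs with the same OUI and the same security, which is why CorpGuest is not flagged. A lone locally administered BSSID (FreeAirportWiFi) is a weak signal by itself, since a phone hotspot looks identical, so treat that reason as a prompt to look closer rather than a verdict. If the legitimate in-flight network is itself open, `mixed_security` cannot fire and only the OUI and MAC heuristics remain, which is exactly why the client-side advice above (never type an identity-provider password into a captive portal) matters more than any detection.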
9. Lighter Fare: Thanksgiving Food Hacking
- Closing Banter:
- Bronwyn shares a beloved smoked-turkey and parmesan casserole recipe and jokes about using AI to generate food images, tying back into earlier discussions of slop (59:31–60:52).
- Quote:
“If he can do it, you can do it.”
— Corey (62:02, on not burning the house down frying turkeys)
Notable Quotes & Memorable Moments
- “This is probably the dumbest thing I’ve seen so far.” — Corey (00:01), setting the tone for the VPN ban discussion.
- “Never underestimate...the sheer will and determination of a child trying to do something they are not supposed to be allowed to do.” — Corey (16:55)
- “How do you differentiate between NORDVPN...and not commercial VPN? What if I spin up a new company called Technology Incorporated...Now it’s a corporate VPN.” — Corey (18:13)
- “I just want two AIs pooping back and forth forever.” — Corey (02:31), on recursive AI prompting.
- “Any strike policy that goes to 17 is not much of a strike policy.” — Ralph (43:49)
- “We as nerds need to make sure that the people around us...understand how easy it is to generate slop.” — Corey (34:26)
- “He didn’t criminal very well as a criminal.” — Corey (56:55), on the Australian WiFi phisher.
Important Timestamps
- Malicious Extensions & Public Save Tools: 00:30–09:57
- VPN Ban in Wisconsin: 12:05–18:41
- Critical 7-Zip Vulnerability: 21:18–25:44
- AI Slop and Filtering: 26:02–36:52
- China’s Cyber Espionage in Europe: 37:05–39:00
- iOS/USB Juice Jacking Vulnerability: 39:11–41:12
- Meta's Strike Policy/Fraud Ads: 43:03–51:40
- Australian Plane WiFi Evil Twin Sentencing: 52:47–58:34
- Holiday Food Hacking & AI Slop Wrap-Up: 59:31–62:26
Summary Takeaway
This episode demonstrates how technical, policy, and social realities intersect in infosec—whether it’s the futility of legislating against the internet’s core protocols, the persistent human error behind data breaches, or the Sisyphean quest to contain “slop” in both AI and advertising. Technical fixes (vulnerabilities, MFA, patches) are covered with practical advice, but the tone remains a mix of gallows humor, resignation at persistent bad behavior (from both users and corporations), and occasional bursts of culinary creativity. Perfect for listeners wanting both timely threat intelligence and a reality check on the state of cybersecurity—and society.
For more BHIS podcast summaries and episode breakdowns, stay tuned and remember to regularly update your software, train your users, and bring your humor to the infosec trenches.
