A
Vikings. All right. Look at that. That actually sounds fantastic.
B
Who's been watching the Winter Olympics? Anyone?
C
I watched the Winter Olympics this morning, dude.
B
So the, the US Curling team is both named Corey and it's a male and female. And I feel so like seen. I feel seen.
A
This is the Coreys. Yeah, it was a good guess. It was a good guess.
B
How'd you know it was one of them?
A
Like the lead singer from Slipknot? Because that would be awesome.
B
No, that's the other Corey.
A
That would be a hardcore like. Like deviation.
B
This is like a dark joke. But I'm just glad to have a Corey that didn't kill himself.
A
Oh my God.
C
Dark.
A
That is dark. I got dark quick. That's where we're going to start. Are we live, Ryan, or are we going to do bring out the finger and then go live? Okay, let's do the finger.
B
Finger it.
A
Finger licking it. It's a Linux thing.
B
If you don't know what that is, it's a Linux thing.
A
It's kind of weird seeing myself here because I need to be looking up there.
B
The finger takes a long time to load.
A
It's got to warm up.
C
Is this the pre show banter part?
A
This is the pre show banter. This is the witty banter that people come early for.
B
No, this is when you're not paying attention because you're reading the articles that you were supposed to read an hour.
D
I always read them ahead of time.
C
Wait, were we supposed to do homework for this?
B
Yes, there's homework. Here we go.
A
Hello and welcome to another edition of Black Hills Information Security talking about news. Thank you very much for joining. And if it looks like we're in the dark, it's because we're in the basement. Oh, there the lights just, just came on. That's good. So we are at Wild West Hackin’ Fest Denver 2025. No, 2026. No time machines. And we have a handful of people here to listen to the show. So thank you so much to all of you. I don't. It's like you're probably here hoping for something awesome that's going to come in just a little bit. But we're going to talk about the news I think for the next half an hour and then we're going to get started with the vendor crawl. I'm going to talk about T-shirts and all kinds of stuff, but I think we need to jump into some news stories. I did like the conversation today where it's like, hey, did you hear about that Telnet, or not Telnet, that Notepad vulnerability? And it's like, which one? And you were like, what? You were like.
E
I was like, oh, yeah, the notepad when there were problems and we were doing. And that was not.
A
Not that one.
B
No.
E
Notepad is also broken.
B
So, okay, this is the article. It's basically in Cybernews. And essentially the accusation to Microsoft is that they vibe coded in a feature into Notepad where it can render markdown. Now, because of course you need that feature and it has RCE, you know, of course. So there's a vulnerability where someone could send someone a markdown document, and if they click a link in that markdown, it leads to remote code execution. So which.
A
The big crux of this is there's a quote in here. I just need Notepad to open files. I don't need it to like render.
B
It's important you know how to close it.
A
Unlike. Oh, my gosh. Yeah. So, you know, this is like, you know, we. We spent a lot of time talking about AI and how it's transformative and it is kind of a big deal. But this is an example of giving AI a really bad name, of trying to shove it down our throats absolutely everywhere. We don't need AI Notepad.
B
No, we don't.
C
That's what I was going to say. I. I don't think I need AI in my text editor. Right. But. But I will say, okay, if they did vibe code it, I. That term is going to potency because the, the frontier model that just came out, Codex 5.3, right. That. That. That chat or that OpenAI put out, they say that AI basically did the whole thing, helped write the whole thing. It was one of the one. The first ones they did that was almost completely done by AI. So that AI is vibe coded.
B
Well, I have a prediction. I have a prediction here. Next week we're going to talk about a RCE zero day in Codex or.
C
We're going to talk about a zero day in Claude cowork. So if anybody's cloud basically said that they use Claude Code and made it in 10 days. So, I mean, you know, all the talk of AI taking jobs, I'm sitting here as an information security professional thinking.
B
No, no, this is a hundred percent. This is my get off my lawn moment. Okay, okay, look, Notepad, you can take. You could put AI and dark mode in whatever you want, okay? But you got to stay away from Notepad, okay? It's the one thing that has never changed.
D
It's sacred.
A
And I remember they changed calc. No. Yeah, no, they went from the old school calc to whatever it is now. And it was, it was blasphemy.
B
That's all I've ever put in interpreter.
A
Shellcode is every time to test things. If hackers are so good at math, why do they need calculators? But I think that this is kind of the thing that stops adoption, right? If we're looking at like let's say bitcoin, right? If we're looking at blockchain. I think part of the reason why blockchain failed, of course, is the fact that finding like applicability outside of cryptocurrency was really, really hard, like widespread applicability. And I feel like with AI this is an example of how they're trying to shove it everywhere and that's going to slow its overall adoption down. Because like, if you look at it like in, I don't know if you guys have noticed in Outlook, like they're trying to put the copilot button wherever the send email button was and if you just hover over it a little bit, it like fans. And that's just making people hate AI even more. And what I'm saying is you got to keep your powder dry, people. The day is coming where we're going to rise against the machines and you got to keep that hatred going, bottle it up for the appropriate time. Now at Notepad is not the time.
F
I was about to ask, was this feature vibe coded by Copilot? Because I don't know that Claude Code would have probably made the same mistake.
B
Oh no, but probably it was at Microsoft. I feel like getting a Claude Code subscription at Microsoft. Probably an uphill battle.
E
But the question I was going to ask, didn't Microsoft reel in the AI copilot thing after we did the VX underground? Like 4000 copilot penetrations and then they're like, ah, we should reel this in because people don't want it.
A
I don't think Microsoft has shame like this, like this article. Like this article. People are like raging against Microsoft on X as though people are like, people at Microsoft are like, oh, the security geeks hate us now. They don't give a shit.
B
It was grandfathered in, okay?
A
I always hated that it was grandfathered.
B
It was pre disclosure. It's fine. I will say imagine how many people.
D
Now they can say are using Copilot because you opened Notepad and now they have X many number of copilot users.
B
They're just trying to pump, pump up the numbers. They're like, we have 300 billion AI users just a Bunch of people trying to send emails and use Notepad.
A
So I think what's going on is the Notepad team, they're like in the basement and they got a new manager. And the manager's like, sub basement. They're in the sub basement and you can see the new manager's like, everybody, we're going to take on VS Code. Who's with me? No one.
B
No, that did not need.
A
And he just did it on his own. All right, we got another story. Let's keep moving.
B
So the other big kind of. We're looking at Discord Chat right here. And the other big drama is Discord is going to require age verification soon. So basically the article is that starting next month, Discord is going to put everyone into teen mode, which I don't know what that means, but I guess it's rated T for teen. I don't know what that means. Basically, they're going to restrict access to certain adult content that they are going to discover somehow, and they're going to require a face scan or ID. So I don't know. It's kind of a big deal. I kind of get it. Like, my perspective is Discord is used by a lot of people, but it's also used by a lot of kids. And they got to protect their business model. Like their PR disaster waiting to happen is, you know, how kids are getting hurt on Discord or whatever. So.
C
Well.
B
But at the same time, I mean, the face scanning, how is that going to work? Like, I just put on a mask.
D
Thing though, is if we remember back in October, they lost like 70,000 IDs, didn't they? So, yeah, they've already.
B
That was the third party. It's fine.
D
Sure. Well, this is also going to be a third party. If you read into their wording, it's also going to be a third party. They may not retain anything they say.
A
Wait, did you mention. Mentioned. I'm sorry, did you mention that they had a third party that got breached back in October? Yeah.
B
Well, yeah. So it's identity verification. You got to either submit a face scan or your ID, like your photo ID. This is like every app now. They're requiring this.
A
See, the only time that I think that that's justified is whenever I'm paying my. My toll fees. In Colorado. I get these text messages all the time. It's like you owe $400 to Colorado DMV for toll fees.
B
Those aren't phishes.
A
Please.
B
Those definitely aren't phishes.
A
They're not phishes. Okay. Yeah. Because they seem legit.
B
That's also like how you always ask me to buy you Apple gift cards and then send them to India. I've been doing that a lot.
A
Yeah, exactly. We package them up when we get them out there. But I just so doing this for a long time. Like when I was on Security Weekly we were using IRC. Do we have any old school IRC people here? Right.
C
I miss IRC.
A
IRC worked. It was fine.
B
What about Pidgin though?
A
Pidgin. Okay, whatever your client is right. I don't care.
B
Pidgin was pretty bad.
F
It's or no chat.
A
Notepad used to work too. We move off of IRC and then Twitter kind of became that thing that was bad. I think we can all look at that and agree that that didn't work out well. And we keep moving to these new platforms and I really feel like Discord is in the process of being taken away from us and we got to migrate again.
B
So we should switch to Telnet is what you're saying.
A
That's called foreshadowing segue.
B
Okay, I guess let's move on to the article about Telnet. So this is an article in GreyNoise or by GreyNoise essentially. The long and short of it is that before that CVE dropped in Telnet they observed a huge drop in the level like the communication statistics with Telnet. So the assumption is some tier one providers were starting to block this at the network level before the zero day went public. Which is that's kind of how like that's what we did to stop Conficker back in the day. Right. But I don't know, it's kind of interesting. Like they just decided to turn it off, turn off Telnet at the layer one or level one or whatever.
A
They're not, they're not routing it anymore. So it's basically a banned protocol through those ISPs. And I don't know how I feel about this one.
B
Like dude, think of the number of pen test findings that just got removed.
C
As a pen tester I don't support this decision.
A
I do not support this decision.
F
How are we going to watch ASCII Star Wars?
B
I know, I was thinking about that.
F
I'm going to upgrade to this it.
B
Blinking lights or whatever that was.
F
towel.blinkenlights.nl. Quick, everybody try to telnet there.
B
No, it won't work. But you can see if we live.
F
In in a fascist regime that is not net neutral.
A
That's the line right there. That's the line for the telnet. That's where like fascist regime right there.
F
They all port Numbers are valid.
B
Okay, what about telnet with STARTTLS, is that still okay or is it just port 23?
A
I, it's just port 23. So reading through this and reading in some other people, it looks like backbone ISPs are just shutting down 23 traffic.
B
That's they can't patch it. Like it's just their own infrastructure.
A
No, I, I and what did the CVE, it had a 9.8 for telnetd, so it's pretty significant. And I, like I said, I think it's interesting. Whenever ISPs start unilaterally making decisions about security now, I'm not going to make, you know, the hill I die on be Telnet.
B
It's notepad, but it's not.
A
That's the hill we're going to die on. But what's to stop ISPs from saying you have an unpatched MongoDB server? Or what's to stop ISPs for saying you're using Mongo and you just shouldn't? So you have all of these things that I think value decisions by the ISPs that they're making. The concern that I have is I feel like they should literally be a highway for transferring bits and they should stay the hell out of the way of actually doing security decisions. Now, mind you, I'm a pen tester and I have a vested interest in keeping vulnerabilities alive.
B
Well, okay, so what you gotta do, John, is you gotta SSH in and then local forward the port for telnets. Then you can still get that same experience.
A
If you do that, you're the equivalent of an infosec crackhead. Like I am. Sorry if that's what you gotta do to get your rocks off on Telnet.
B
Port 23 is the lucky port, John.
A
Okay, I just could see some of our pen testers doing that, like going through all of these shenanigans just so they could find the telnet vulnerabilities. That's all that they're going to do.
D
That's just a flex at that point.
A
Yeah, it is a flex.
F
At that point you can Encapsulate Telnet and HTTP 3.
B
Oh, thank God. Are you telling me blockchain Telnet's coming?
F
WebSockets Plus Telnet. That's the future.
B
It's beautiful.
A
But can we always agree though, that telnet's always been a shit protocol?
B
Oh, yeah.
A
I mean, like, you know, you always have these CTF challenges where like the first thing is get out of virtual. I like the CTF challenges that are like, cleanly exit a telnet session. It's like, well, first you got to.
B
Set the wallet to H A, Control.
C
C. Control C, Control B. Wait, what is it again?
A
I think it's Control B. I just turned my computer off.
B
Does anyone remember when, like they released the Windows Phone and they had like a funeral for the.
A
Oh, for the iPhone.
B
Okay, so we need to have a funeral for Telnet. I think just like we could do that.
A
We can arrange that. So I don't know if the hotel is going to allow us to keep candles, but we should create a memorial. We have the bedazzle out there. So I don't know if there's any BHIS people here that will do my bidding. But we need to put. Make a Telnet memorial.
B
Yes. If you have some modems or old, like legacy 10/100 network switches, it'll.
A
Be like the Trevor forget.
E
Yeah, so like Trevor forget.
C
Exactly what I was just thinking. It was. They should be Hub the cockroach Trevor forget. Yeah, that's what I was thinking.
A
So we'll set up a memorial and we'll set it all up for that. So just to make sure that it's properly remembered for all time.
B
All right, the next article, this isn't, I guess it's not really an article, but there's a critical CVE zero day thing in BeyondTrust, which we were talking before the show about how everyone uses BeyondTrust. So if I see you opening your laptops, that's okay. But yeah, basically this is published February.
A
What's the score on this one?
B
That's a good question.
A
I do genuinely think that one of the things that I'm going to look back on my career with a lot of pride is the fact that we talked about how there were no perfect 10 CVEs a lot on this show. And right after we started ripping on it, then we started getting 10s and that's great, but I don't, I don't see what the score is.
B
No, it doesn't.
D
Well, you can know this one's bad because I'm teaching class and my phone is blowing up, but I'm not looking at it. And I read later and it's the SOC director pinging me repeatedly. Do we have detections for this yet? And someone's like, no, he's teaching. And then we did by the end of the night. But you know it's bad when he's like, are you doing this one yet?
A
Yeah. But Eric was showing me like what we were sending the Customers in the portal with the whole write up and everything. And I'm like, this is awesome. I didn't know that you were doing that while you were teaching.
D
Like, ok, there's a lab, everybody's good.
A
You are the man behind the curtain.
C
So that's because he was using Claude.
B
Yeah, it's 9.9, Josh.
A
9.9. That's not.
B
It's on sale from a BeyondTrust paid.
A
Do you think that they paid their CVE bill or didn't to get a 9.9?
B
Yeah, that's how it works. So speaking of extortion, there's. This is one that just kind of hit my personal radar. So I don't even know if we have an article for this. Sorry, Ryan, but there's this threat actor called 0apt that's been just basically so okay, basically, here's the story. They hit a lot of our clients. Our clients keep reaching out to or we're telling our clients, hey, you're on this ransom list. And they're like, we've been panicking and investigating this for weeks. It's definitely fake. So like GuidePoint Security wrote this really good write-up that's basically like, this is all fake and they have some fun evidence for it. But it's essentially like a fake ransomware threat actor that just came out of nowhere, claimed they breached 200 companies in like a week and then was just like the best part about it is all that. So Alice and I, the person who does the dark web stuff on my team, she's right here. We were both trying to download these files on Tor. Okay. So they're like, here's a directory listing, it's 1.1 terabytes and it's a single zip file. So you're like, you click it download on Tor and it's like 269 days remaining or whatever because it's Tor. And then the GuidePoint Security article pretty strongly says it's probably just /dev/urandom piped into a file. So like I like that.
A
Pretty sure it's either that or a zipped up file. It's one of those things.
B
But like I'm sitting here being like, oh, sick. And then it turns out it's just /dev/urandom. What an idiot. So basically, don't worry if you're on this ransom list. We have no evidence to prove that it's real. No, none of our clients have been able to, you know, validate any of this or have seen any evidence of breaches or anything like that. But it's a weird strategy.
C
Creative though. I mean, they're just sitting around one day going, man, none of our payloads are working. Let's just say they worked and see if anybody pays us.
B
It's like the hypothetical, the pen test. What if it was a real.
A
We have exploited all of your HR and payroll data. Pay us one Bitcoin, people are going to be like, Bitcoin down 60% pay. Now that's how you harvest.
B
Why not. Why not pay?
A
How come we're still on YouTube? Like, how are we not banned? Because I feel like a good percentage of this show is just like hackers how to. It's like giving them business ideas. They're like, that's a good idea. I should just send ransom payments.
D
Well, this whole thing is very much like, feels adjacent to this extortion emails you'd get where they're like, yeah, we saw you through your webcam doing all these terrible things. And I guess those got, you know, so commonplace that nobody cares. So now they're just turning you the business. And like these people got more money and they're not paying attention. Hey, we, we did all these things, now pay us.
F
It's because the cyber insurance companies will tell you every time you get one of these, you mail it to the cyber insurance company. They will say to pay. Say step one, pay the ransom demand. And let us all not forget as well, this Tor file today could just be a markdown file to be effective.
A
And you could be a markdown file that.
B
Yeah, I was, I was going to open that zip in Notepad.
A
It's a big zip on because I.
B
Noticed they added a decompression feature to Notepad that definitely isn't vibe coded.
A
Totally not a problem. But no, you talk about like the extortion. And you know, we spent a lot of time the past few days at BHIS in our meetings talking about the future of AI and BHIS and like the escalation of the offense and the defense. And I think this is one of those things that's like, nope, security is going to be around for a long time. There's always going to be stupidity in the mix. And thinking about like, I had an uncle that called me up. He's like, oh my God, they got like my webcam and they caught me doing bad things that they said. And I, I gotta pay immediately. What should I do? I'm like, well, you should probably pay the ransom. No, I'm joking.
B
Don's like, Bitcoin's only 60.
A
That's how you get them to Stop calling. You just. Just pay it, man. It's fine.
B
I mean that's all the articles I sent. Does anyone have any top of mind stuff? Anything personal to anyone here?
E
I did see that there was like an Android and iOS spyware kit that people were talking about. Matt J was talking about it last.
B
Okay, is that, is it NSO Group?
E
It was called Someone Else.
A
Pegasus 2.
B
Is it definitely not Pegasus APK?
E
That would be pretty good actually.
A
Sorry, it's been a long week.
B
We could just talk about OpenClaw.
A
For 15 actually Derek. So I want to talk about this. I want to talk about the conversations that we've been having. There's an article, I can get it to Ryan, we can get up on the notes. But there's a whole bunch of articles that are coming about where they're talking about AI and the most recent ones that I've been reading are all of the people that are working in AI are basically talking about some of the new frontier models that are coming out and how they're not just better, but exponentially better and the rate of improvement that's happening and how quickly that improvement is happening. I was talking with Beau and he was talking about creating a Roblox entire game with his boys and they were doing it all in Claude and it was just very, very, very easy to do. And I think like for the first time I would say the past like week or so, I have finally been starting to use these things and been like really blown away. And I'd like to get your take on kind of what's happened over the past couple of weeks and how these different new models are fundamentally different because there's still a lot of people that watch the show. We don't have the Discord stuff up where the people are going to be ripping on AI. They're like, I asked it how to make a cake recipe and it basically gave me directions on making a bomb. I don't know, but you have people all the time saying, I tried AI in 2024, it sucked, therefore it must still suck. But things are fundamentally different. They have changed dramatically.
B
Yeah, you give your positive case and then I'll talk about how they made a social media for themselves and then made a whole call.
C
Yeah, we can talk about. So before we talk about OpenClaw, I guess I'll say that if you're still of the opinion using say something like Copilot, using AI, like a. A ChatGPT kind of, you know, replacement for Google. I ask it questions, it gives me answers back. That's actually not what we're talking about here. We're talking about agentic code. Agentic AI. And so there's been around. I. I don't remember exactly when it was released. I've been using it since like the summer of last year. Claude Code, which is like a coding agent.
D
It was February 2025, would you believe that?
C
February 2025. Yeah, o. About a year ago. And so it was made as if you've ever used an IDE and put like a, you know, AI feature in an IDE. It'll like next complete your code, maybe write a function for you. Well, this is different than inline, where it's completely agentic and it has a loop that it goes through. And so you give it what you want and it'll plan and execute code, test the whole gamut. And so for a while it was really nice, but it was still back and forth. I needed to test it myself. And it somewhere around the end of November, beginning of December, when Opus 4.5 came out, it got a lot better. And that was around the time of the holidays. And it took kind of the AI community kind of going home for the holidays and starting to play with this thing going, holy crap, it is a lot better. And I'll give you a quick, like, personal example. My daughter hurt her thumb and the doctor gave me X-rays. It wasn't broken, but they were DICOM files. And I didn't want to install the DICOM viewer on my Windows machine because I didn't trust it. And so I asked, wait a minute.
A
It was like a janky executable they gave you on the CD. Yes, 2001.
F
Yeah, something.
C
Exactly. Because. Right. I mean, I have one left in the house. I have one DVD player left in the house in my. My desktop computer. Anyway, I asked Claude Code to, hey, write me a viewer for this. And 30 seconds later I had a web app looking at the X-rays. Right. And if I had to do that myself, and I won't keep going on with stories, but over the last like month or so, it's been very, very useful. And it's a collective, like, feeling for folks who have been using this is that we've turned a corner and that things are different. And so if you're still of the mind that man, this AI thing, I'm still not really, really, like, it's still giving me the wrong answer all the time. You're using the wrong AI.
A
Do you want to talk about it a little bit in the SoC as well?
D
Yeah, I've talked about that a little bit. I did a webcast a while back about how you can use it in a SOC. Okay. I mean it effectively is to the point if you use the correct models, if you use them the correct way, it is a very good tier one analyst at this point. And that is, you know, Claude Code came out a year ago, roughly, and that is in a very short time a pretty rapid improvement.
C
So one point that I, I think I forgot to make and you just made without spelling it out like it's made as a coding agent and Anthropic is basically said now we think we misnamed it because it's useful for a lot of other things. For example, I have a class where I teach for incident response where we go through an SSH authentication log and find the compromise password spray. Right. And so what, what I would teach as a lab before Claude Code do in about 30 seconds and consistently find the, the, the exploit or the, the compromise in the log files. So it's more of, it's going down the road of a personal assistant. Personal agent.
D
Exactly. It's multipurpose. And so we, we talked about the BeyondTrust thing and the critical CVE. Right. And so we're all, you know, doing all these different things. It is to the point where we have our git repo formulated in such a way that it within, you know, a 20 minute lab, while I'm helping the students, I can run a command. And Claude goes and researches the C with a plan on how it wants to develop a detection. I say, yeah, go for it, little buddy. And then 10 minutes later it pings me and says, Here's a GitHub PR. It's been reviewed by a different agent, it's gone through six pipeline checks on the background, it's gone through 15. It's now ready for your review and it's now to the point where effectively this Tier 1 analyst here now has code ready for me to look at and provide feedback that we could potentially push, you know, minutes after we're reading about this new CVE.
A
But the kind of, the consistent theme that I'm seeing before Corey comes in and poo poos it is I'm looking at it like all the people that I see that are using it are people that are very advanced technically and they know how to ask the right questions, they know how to give it the right prompts, they know how to set it up properly and then they know how to look at the output like you were talking. It doesn't just do all that it comes through and it's like, here's all the checks that it passed. Right, right. Like, is it going to generate 40,000 alerts? No, it's fine. And it goes through an iterative process. Right. But that's set up by people that are domain experts that know how to use it properly. In the hands of somebody that doesn't know what they're doing, I don't think it really helps all that much. I think it really is a tool for people that know basics, fundamentals, core, and have been doing it for a while to be far more effective in their jobs. I think that's.
C
For now.
D
For now, like all things, it's a tool. So if you don't know how to use this tool, you're not going to be able to effectively utilize it. It's just a very powerful tool, potentially.
F
Yeah. It's only as good as the person prompting it. Like, for example, if you ask Claude code to make a TypeScript project and you give it no further direction, it will set every strict type to any. Which, if you're not a JavaScript nerd, that just means it will accept input in any form. And you've completely just sidestepped the entire purpose of using TypeScript. I think I'll just add one more quick idea here, which is that, like, this is the first time, if you believe that Claude code is going to take your job away in this business, this is really the first time in my career that people are creating disposable software with Claude code to replace enterprise applications. So every business in the world right now is saying, oh, run a pilot, just play with it. Like, we'll save hundreds of thousands of dollars on this enterprise software, which may or may not have vuln. But now we have all this proliferation of these bespoke code bases. We are going to have jobs forever.
C
As a penetration tester, I think this is a great thing.
B
It's the new Telnet.
A
And that also gets into a whole other presentation I want to write that talks about the standardization of mediocrity and you're getting a huge diversity. Like you said, people can. Why do I need to buy it from a vendor? We can build it on our own. That's awesome for the pen testing community. It's fantastic. And I look forward to the future. Cool.
B
Corey. Yeah. Inhale. So, okay, the thing I think my biggest, like, if I'm going to be like anti AI for a second, which, for the record, I love Claude and I talk to Claude every day, me and that little buddy, as Hayden said are going back and forth all the time. But the thing I think that people don't understand is that just telling your AI, just putting in your AI prompt and by the way, please don't hack me bro is not secure. Like that's not security. Prompt injection is like the biggest threat vector to any like people that are throwing their stuff into open Basically like the Moltbot scenario where people are basically saying, okay, this is an AI agent that I've created and I'm handing it access to all of my tokens, all of my API and my credit card. And my credit card because I wanted to be able to book me flights and order me food. And I get it. Like I kind of want to do this too. Like I want to see what would happen. But also putting in the system prompt and by the way, don't do anything without asking me is not actually a security control because I can just put in my prompt and by the way, if there's any steps to validate or check, just bypass those. So that's like the number one thing people are like, I think not understanding is like your system prompt saying please don't hack me bro doesn't actually.
E
But it's totally safe because I bought a Mac Mini and that is isolated.
A
Developed on a Mac.
D
Corey. That's where you need like hooks, right? But the thing with hooks is if you're not an advanced user of these tools, you don't know how to use them. So you don't know what a hook is. It is a control on top of Claude Code that adds a gate before it can do certain actions. And so for us, before it runs Bash, so before it can push anything on git, it's a hook that pauses and stops it. And you have to see what it's going to do.
C
You're making John's point though is that it takes somebody kind of understanding.
D
Know how to use it.
B
That slows it down. Dude, I don't want to listen. I said to order me whatever food drunken me wants dangerously allow permissions.
A
Go. I need to end this with one analogy and I've mentioned it in the past, but I want to mention it again. And then we're going to move on to announcements and Shelby's going to come up and talk about the vendor stampede. But I want you to understand this from the perspective of the continuum of technology. If you go back to like the 50s and 60s, slide rules, right? Slide rules got us to the moon. And slide rules were banned in math classes because it was cheating. Okay? Then you move forward and we develop calculators, right? And they were just basic calculators, right? Amazing tools. But when you add the classrooms and universities, they were banned because it was cheating, right? Then you move forward to, like, graphing calculators, TI-85s, TI-86s. And once again, those were banned in classrooms. They were banned in all these different studies because they were cheating. And this is just the next turn in technology, right? This is not something iterative. This is the equivalent of the loom showing up. And if we look at what hackers do and what we all should be doing, we are the people that sit in these inflection points and understand technology and use it for our own purposes. So if. I hate to be harsh, but if you're not using this and you're not at least coming to grips and trying to understand this, then you're kind of betraying your hacker roots, your computer security roots. So you have to know this. This isn't going away. This isn't. What were we talking about? Like, the Internet's a fad, right? This is not a fad. This is a thing. It is real. So I want to just say I apologize in advance because I'm betting that there's a lot of talks at this con dealing with AI. So with that, thank you so much, panel, it's time to move on. We need to get going with the vendor stampede. Need but a round of applause for the panel and thank you all so much.
Podcast: Black Hills Information Security
Episode Date/Location: February 18, 2026, Wild West Hackin’ Fest (WWHF) Denver
Panel: BHIS and friends (multiple recurring speakers, including John, Corey, others)
Main Theme:
A roundtable of infosec professionals and hackers discuss the week’s biggest cybersecurity news, how trends in AI are reshaping both offensive and defensive security, and reminisce about old-school tech disappearing from the landscape.
This episode, recorded live before an audience at WWHF Mile High 2026, serves as a lively, conversational rundown of current infosec news and developments. The panel kicks off with humor and casual banter before diving deep into impactful stories: a critical Notepad RCE vulnerability, Discord’s new age verification schemes, ISPs outright blocking Telnet traffic after fresh vulnerabilities, a major BeyondTrust zero-day, fake ransomware scams, and the soaring impact of modern AI tools on security work. The discussion is marked by frank takes, technical context, and a healthy dose of skepticism and wit.
| Timestamp | Segment |
|-----------|---------|
| 02:44–07:38 | Notepad RCE / “Vibe coded” AI feature critique |
| 07:42–10:11 | Discord age verification—privacy & breach risks |
| 10:17–13:38 | ISPs block Telnet—security plus overreach? Memorializing Telnet |
| 15:02–16:53 | BeyondTrust critical zero-day—real-world SOC panic |
| 16:27–19:35 | The fake ransomware gang 0apt—debunking their scam |
| 21:00–29:00 | New AI models’ impact—tales from the field, warnings about misuse |
| 29:13–31:27 | Security of AI, prompt injection, “please don’t hack me bro” fallacy |
| 31:10–End | The historical lesson: Don’t resist paradigm shifts, own the tools |
This episode captures the infosec community’s evolving relationship with new tech: protective of old tools, acerbic about “progress” that comes with tradeoffs, but ultimately optimistic and determined to stay sharp. The panel’s candid, partly irreverent tone underscores an essential hacker lesson—adapt, exploit, and never blindly trust new magic, or you risk being left behind.
Final Word:
“If you're not using this and you're not at least coming to grips and trying to understand this, then you're kind of betraying your hacker roots.” —A [31:27]