Ralph

Talk about John's nudes till, like, 20 minutes in.

Bronwyn

So this is.

John

We're ahead of schedule.

Corey

No, we have a capture the flag, which is how fast can we get demonetized every show?

John

By the way, did you see that article about CTFs and bug bounty programs? Yeah, they're fucking cratering everywhere I can.

Wade

The. The B side, San Diego. CTF 1 and 2 were both won by. By AI.

Corey

Oh, yeah.

Wade

The only one they didn't get was where you 1. You had to call a phone number.

Bronwyn

Yeah.

Wade

And nobody told us. No, no one told us that. That literally the dude was just sitting in the middle of the room letting the AI do everything. He didn't even. And they were watching him. And I'm like, why did no one come tell us or, like, say anything like, you guys let him win? I don't know what to tell you.

Corey

I was.

Bronwyn

I was talking to Roman at the last, like, Tampa ctf. They did, and I, you know, he. He totally was like. Yeah, it's like. I think the last team was pure AI. They just had a bot and an agent and stuff. So, like CTF or it's. It's a whole new world of, like, how. Yeah, buy that.

Corey

Probably take that one off the resume. But those black badges are still good, right? That can pay for my $200 a month Claude subscription.

Bronwyn

Yes, yes. And then I was like, well, you

Corey

could make it, like, really hard where you have to spend a lot of

Bronwyn

tokens, but then some people are just using their, like, companies tokens.

Corey

Like, they don't

John

be a bad idea. How could we embed in some of these challenges something that, like, forks the AI off to just burn a ton?

Corey

Oh, yes, we can do that, and we should.

Ralph

The answer is somewhere on a Wikipedia page. You must crawl every Wikipedia page.

Bronwyn

You must.

Corey

You must distill all knowledge, human knowledge, from Wikipedia into one system prompt and then include that in every system prompt that you send.

Bronwyn

Why don't just prompt. Inject them the whole entire way through the CTF. Yes, 100%, and start, you know, hacking them. And they don't even realize it, right? They're like, holy crap.

Corey

We just inflate the context. Every time you have a context, inflate above the maximum context size. I could see it. All right, are we doing this show? Is everyone ready? To people feel ready?

Wade

I didn't even know we were live ready yet.

Corey

I guess we're live. Let's roll the fake girl.

John

Okay, let's.

Corey

Hi, John. How's it going?

John

You go it. You take it man, you do it.

Corey

I just like that you got put on the spot and you. You really had the right pace for it, which was like, really?

John

Yeah, I'll. I'll do it. Hello, and welcome to another edition of Black Hills Information Security. Talking about news, the show where we talk about the end of western and eastern civilization extensively and sometimes we talk about computer security. We've got a usual cast of characters. We all sort of have. Shane, Say hi, Shane. Great to have you with us on as well, but it's been kind of a slow week in news. I. I don't think that there's been many new.

Corey

How many zero days do you need?

John

John?

Corey

How many zero days? Listen, there's two hot, spicy 0 days, and you're just gonna say it's a slow week.

John

Bring it up.

Ralph

Mythos must have been sleeping this week. Yeah.

Corey

Okay, so first of all, Mythos was sleeping, but it found one vulnerability in Curl, so it was like kind of a little bit awake. I guess we could talk about that. First. Let. Let's start with dehyping. Mythos, the creator of Curls published this super fun blog post, basically walking through his personal process that he followed with getting access to Mythos and the results he got back. And basically it came down to one thing, which he didn't announce specifically what it is, but it's gonna be fixed in the next patch for Curl. And it doesn't sound super concerning, at least not from his perspective.

John

It's weird. You get this. And by the way, the article was great. And I liked how he's like, there results were meh. You know, whatever. And then you have a Firefox and Mozilla coming out and they're basically like, it found hundreds and it was amazing. And you always say the truth is somewhere in between. And I understand that Curl is probably a smaller project, maybe tighter knit code possibly. I don't know.

Corey

Curl's been around that big. All it does is download things.

Bronwyn

I don't understand how it would be that big.

Corey

Okay, there's a. Okay. But there are a couple of interesting. Give me some of those flags that really magical. Here's the interesting tidbits. First of all, they have fixed. It's over 178 lines or 78. 178,000 lines of code, which is way more than I would have guessed. It's written in C, not in rust. So you'd think it'd just be full of zero days because it's not rust. But it's, you know, basically There have been 188 CVEs in curl, and I don't think they've really added much in the way of features. So it's really just, it's kind of the ideal situation for open source tools, which is you just have them burned for years and years and years, and then they become really hardened.

John

Well, the other thing to remember about Crawl is it's kind of what Ralph said. It's downloading data. Right. Like you got a bunch of options for a number of different services that you can use, but it's not actually doing protocol parsing. Right. Like, if you compare this to something like Wireshark is a good example where it's doing tons of protocol parsing, that's where your vulnerability and your attack space is going to come into play with this. So. And not all that surprised because it's not all that complicated. I know that people are like, no, there's all these amazing things you can do with Curl and I don't disagree with that. But it's not analyzing the data as it's processing and looking for strings or anything.

Bronwyn

It's such a simple, it's such a simple application. Does it have a lot of great purposes? Yes. All right. And like, I'm not saying I don't think Curl is cool. I use it all the time or whatever or wget or whatever the thing you want to do to download stuff or check something. But other than that though, I think.

Corey

What is it?

Bronwyn

Curl's got 178,000 lines of code and Firefox has 21 million. It's 118 times larger code base because

Corey

it does so many more things, which

John

if you do the math, that's kind of in the same space.

Ralph

Yeah, right.

John

Of the number of critical vulnerabilities that were discovered. Yeah.

Corey

The other fun Easter egg in this article is that it's installed over 20 billion times.

Bronwyn

Oh, I'm sure, I'm sure. Like you could install any Linux distro and accidentally get curved.

Corey

That's insane. It says it runs in every smartphone, tablet, car, tv, game console and server on earth. What a, what a badass thing to be able to just say.

John

That'd be nice.

Corey

So the other Z, there's multiple zero days. Not more than. I mean, I guess technically that's not really a zero day because they're just

John

exploits, vulnerabilities that have been released.

Corey

Yeah, but that's deing mythos. There was also a zero today. There was a really interesting Google Threat Intelligence report from last week on. I mean, they don't Disclose what it was. I'm assuming it was like cPanel or something like that. I mean, we've seen cPanel get abused hard in the last couple weeks, but basically someone coded up using Gemini or maybe not Gemini. A zero day for a popular open source web admin framework panel. Yeah, it could be cPanel, php, my admin, I don't know, who knows. But basically an MFA bypass that comes from a business logic flaw. It seems like AI is really, really good at business logic flaws and which is cool because they're kind of tricky for a human and I don't know, it's a, it's a spicy, interesting article. A really good threat intel report from Google as always. I also thought it was interesting, like, you know, that this, you know, it wasn't. Again, it's like this is what I've been harping, like my clients keep asking me. It's like you don't need Mythos to party. You just don't. You can, you can party with what we have now. You can make, you can find business logic flaws with, you know, whatever crappy model you have sitting around in your garage.

John

Well, this, Corey, this gets into the conversation that I've been having with Drock, kind of the CTO of Bhis and the, the thing that we're trying to get our head around is I believe fundamentally that in the next eight months the price of doing anything with AI is going to start going up. Right? If you're looking at anthropic, you're looking at, we've talked about it on the show, open AI. They can't continue to lose money on what they're doing, right? They're going to follow the Uber model where they're going to be cheap, get everyone to use it, and then start raising the prices. So we're starting to really try to price out and continue to build what we have for infrastructure here in the office. We're moving our entire power panel, we're upgrading right now to a 400amp circuit so it can support the level of servers that we need because we already have all of our password cracking rigs and all of that shit and we're running, but AI is going to add another load and then I got to add in a bunch more cooling. And my theory is that running on prem is going to be cheaper than continuing to run this in the cloud. And anybody that's looking at this, like, I think honestly your AI bill is going to double probably by the end of this year. So we want to get in Quick get the equipment and this webcast is not helping me with that.

Corey

I had a huge long discussion about, with AI about this and basically it's, it's like it's pitch is essentially so first of all, I didn't know this, but it's actually kind of interesting. Anthropic is predicting that they're going to become profitable in 2027, which is kind of unique. OpenAI says 2030, which I feel like OpenAI's case is a lot less likely to be true than, than Anthropic.

Wade

But that makes sense.

John

Most people pay for anthropic, but OpenAI is new user subscriptions have flatlined. Right.

Corey

And Anthropic, well also they, they have a free product that's like where they kind of screwed up is they competed on that. Basically the, the AI summary of this was essentially for people who don't pay for AI for free users, nothing really changes for the uber high end of AI users is where they get hurt. And what you're talking about applies like the power users.

John

And that's where we have to start looking at it. As a firm that's doing defense and offense is what level do we need for which tasks? Because right now if we're tracking what people are doing at bhis, almost everybody goes to the latest, greatest, most expensive model, right for everything. So we really have to start saying okay, what are we going to be doing? And running our own models hosted. Do we want to get the little Nvidia or like you know, this little boxes that they can run their own TGX Spark? Yeah, the Sparks and getting those for the employees. Like people are going to have to start seriously looking at what level of AI firepower do you need for what task? Because you're going to have to start addressing your costs here shortly.

Corey

The answer is not doing that anyway.

Tim

We should be doing that anyway because we are.

Ralph

It's just Anthropic is very like they're very enterprise focused. Like they released last week. Like their, their email show, a lot

Corey

of you saw it.

Ralph

But they're going to start restricting what you can use your subscription for. So anything that is basically not Claude code or Claude desktop, they're going to give you a monthly credit to use those things for. And that seems like oh this is great or okay for the user until you realize like in the SoC we use a lot of GitHub workflow and those have just been on an account. But now once you hit a threshold of 100 or 200amonth, those all are going to hit API cost. So we had to go figure out how do we do logging on GitHub workflows, how do we measure? So we had to very quickly go determine which of these workflows cost more.

Bronwyn

You don't need a. To do that stuff. You don't.

Corey

You don't.

Ralph

Exactly. You don't. And that's like.

Corey

But you.

Ralph

You're inclined to. Because it's the best. And Anthropic is like. They are very much the enterprise provider

Corey

like ChatGPT wants to. The B2, B1.

Ralph

Yeah, exactly.

Corey

Use our platform. We'll do a good VHS.

Ralph

We'll give you a quota.

John

But pulling it back to this news story, it's just like Corey said. You don't need Mythos.

Tim

No right.

John

To do the security research that people are freaking out about. Right. It's unnecessary for a lot of the different activities.

Bronwyn

Half the time I'm just like, hey, could you push this for me? Because I don't want to do that.

Corey

Yeah, yeah, yeah, I do that.

Tim

No, that's.

Corey

So can you help me get. I can't get.

Tim

Come on. How many times have I said.

John

How many times have I said, oh, I was going to get Shane's take because he's our guest and we're all talking over him and I'd like to get his take because he's presenting at our threat hunting summit. And we're super excited to have you at our threat hunting summit. That's coming up Juneish 7th.

Wade

Mid June. Mid June.

John

Mid June 17th. We'll go with that.

Corey

Midsummer festival.

John

Yeah, we're going to all dress up like Ren Fair. But go ahead, Shane, if you want

Shane

to stick to the article side. Even Jensen Huang in his keynote was talking about that tokenization is going to be one of the things for new employees. You're going to get a token balance as part of your negotiation on there. That's kind of how his presence is.

Corey

I like to hear that.

Shane

I think it's going to come local. Why not? It's easy. It's not hard to bring a local model in on your machine. Most of the newer Macs run them without too much trouble. And then you can even use agency to run different models for different things automatically through just regular agents. You don't have to have the latest agent or latest model to run the. If you need to do parsing of a log file. And on top of that you got the security consequences you don't want. Especially an IR and a security. You don't want that stuff being repositioned. In models out there, you can have that stuff all local and you can actually triage it and keep it secure.

Bronwyn

Yeah.

Ralph

And if you have a solid like custom agent that you can utilize for this stuff, you can like enforce it to delegate to lower tier models. And that's the best way to save on costs.

Corey

Yeah, yeah. One of the, like a couple of other super interesting things I learned from my deep dive was if you look at agentic chaining, like if you look at like, okay, an agent creates a chain of tasks because of how AI works. If you chain too many tasks, no matter how good the model is, It'll fail like 50% of the time. So like in the research I was looking at, if you chain like six tasks by the sixth thing, it's like a 50% failure rate. And so it's like using a fancy model doesn't save you. You could be using a cheap model instead. And basically it's better. You're better off defining super specific success and failure conditions and then giving it, passing it off to cheaper, simpler models versus like every agent is opus and it says do this high level task and chain as necessary to accomplish it. You're going to have failures along the way no matter what if you use that approach.

Ralph

Cool.

John

So do we want to move on and talk about the downfall of bug bounty programs and CTFs?

Corey

We could.

Bronwyn

That's a fun talking about AI more.

Corey

Yeah, I was going to say continue the AI podcast.

John

Let's not bitch about that. Okay, let's be clear. If we go back two years ago, it was ransomware story after ransomware story.

Corey

For one, you're not wrong.

John

I like the change of pace, but this was an interesting take for somebody that works on bug bounty programs. Shubs. And basically they were talking about how they did a lot of bug bounty programs and specifically I think for Uber, they've been doing it for over 10 years and right now a lot of the bug bounty programs, and I've heard this from a number of other people, are overwhelmed and literally shutting down submissions. And this I think ties into the Linus Tolbal's article that comes up right after this one. Yeah, very much where these, these companies, like, I don't know how bug bounty programs, like how do you survive in the age of AI? And it's funny because some of their solution is to use AI to evaluate submissions that are from AI.

Corey

It's the only option. That's the only option. Fight AI with AI.

John

And I thought it was an interesting article. I want to talk about the Bug bounty aspect, and then I want to move to the CTF aspect. So what are your takes on, like, bug bounties? Because this looks bad from the outside. I still think the bug bounty should be considered to be a viable product, but I don't think that there's a sacred fire that only bug bounty programs have anymore. Like, basically, Prometheus has come down. Fire is everywhere. Right? Like, we literally have AI security research doing things at a pretty high level that anybody with a competent level of technology capabilities can do. And what does that do to the bug bounty program space? So. And I've got another take, but I wanted to get you guys takes on that before I give my.

Corey

I think this is. I think this is just alarmism from bug bounty hunters being basically, it's them being like, we're not getting paid. This sucks. Which is fair. Like, okay, that's fair. Like, okay, guess what? If you're submitting a bug bounty right now, it's not going to get processed very quickly because there's 18 million others in the queue with you. Like, it's kind of like job hunting right now. You're going to get hit by AI and like, it's going to be like auto rejecting you for having a, you know, weird prompt injection, your resume or whatever. Like, it is what it is. But if I was on the other side of bug bounty, meaning I'm paying HackerOne to get bug reports, I want to see all those reports. I mean, I want you to triage them and tell me which ones are BS Slop and which ones aren't, but I still want to see those reports. I want to see those vulnerabilities. Right. Like, that's not going away, is it? I don't think it is.

Wade

I don't think it's just the vulnerabilities that are ramping.

Corey

Right.

Wade

It's just that submissions themselves are easily created. Right.

Corey

Just the reports. And you.

Wade

And you can no longer tell with the trash reports from the good reports because AI is writing all of them.

John

I think we're going to come to that. I think Linus Tovals has a really good solution, and we'll talk about that next. But you're. You're right.

Bronwyn

So.

Wade

Okay, well, that's all I had to say.

Tim

Well, and at the risk of pulling Cassandra, I'm saying for many months now that AI was going to accelerate and amplify all of the problems that we already had, in addition to introducing new problems.

John

It's just like getting old.

Tim

Yeah, tell me about it. But it basically is doing exactly that. And it's doing it in multiple spaces. Come on. It's doing it not only in cybersecurity, with all kinds of things, but the bug bounty programs are another example. The amount of submissions has gone up. The value of the submissions has become a huge question mark. Much more than it was. And yeah, the only way to churn through all of those submissions is going to be to use AI.

Ralph

Open source projects have the same problem now is they have so many PRs that they cannot go through them and a lot of them are crap. But I'm sure there's some decent ones buried in there, but they just don't have the ability to filter through that much. That much PRs like reviewing one code review, like kind of sucks because you gotta go through and read 2000 lines of someone else's code. But now you have 600 in your queue because some guy pointed Claude at it for the afternoon.

Corey

Yeah, we got some excess usage.

Ralph

Go for it.

Corey

Basically. Like, it's also really funny because in the bug bounty post, he like the creator, Sugar or whatever his name is, Shug, I don't know, he's. He's very self aware where he's like, I don't like it because it breaks the ADHD loop that I rely on for bug bounty hunting, which is totally fair. And honestly, like, what's the solution? Just be patient. Just be patient. Like guys, these. HackerOne will not go away overnight because it got AI submissions. Like every other platform on the planet is dealing with slop. There's AI slop on Spotify, there's AI slop on YouTube, there's AI. Like this is everywhere. And it's not like anyone's like, oh, I can't watch YouTube anymore. Cause Ollie, I slop. Like they figured out how to moderate and you know, have their algorithms and you will too.

John

And. But I want to throw this out there. Like, I love this because it's highlighting that pen testing was never really about just finding vulnerabilities. Right. I think that there were a lot of firms that tried to couch it in, like we're lead hacks or hacksers and we're going to hack your stuff better than any people can have their hack stuff. And really the firms that are successful and the firms that do a good job are the firms that can take the vulnerabilities and they can communicate it effectively to the customers. Not just as an Easter egg hunt of here's 400 cross site scripting vulnerabilities, but saying you have a cross Site scripting issue in your development lifecycle process that needs to be systematically addressed. You have a policy process procedure failing that is missing. As far as like, let's say, change management and vulnerability analysis. Right. Like pen testing never was and should have never been about. I'm finding hacks. It should always be about how do we communicate vis a vis the customer and what are we like, communicating with them to help them prioritize and really moving forward over the next year. And I'm going to talk about this on Thursday, compensating controls. There's going to be vulnerabilities that our customers are going to say, we cannot fix this. And your pen testing firm should be able to sit down with you and say, okay, here's what we can put in place as a compensating control to address this vulnerability until a patch or something else comes out. But, you know, like I said, good firms do this, right? And I'm gonna throw a shout out to sister pen testing company, Trusted sec. Right. We balance customers back and forth all the time. And the reason why is because we know after we've tested someone for three years, they go to another good firm like Trusted SEC or Secure Ideas or Tim over at Red Siege. There's a whole bunch of different firms that are great and they have that type of approach where they're not just saying, here's all the findings, here's all the hacks, give us money.

Corey

Yep. Does anyone have a. Take another take on this. For me, it's like, they'll figure it out. Just be patient. Bug bounty hunters. You're. You're like, you're going to get faster, you're going to get paid more. It's just going to take longer. I think the only thing to call out is temporary. In the meantime, people will get sick of waiting and they'll publish stuff. Right? Like, that's the biggest problem.

Ralph

That's a part of that, where that's. If that's someone's career, though, that could very well for them derail things. If your career is as a bug bounty hunter, right?

Corey

Yeah, I think it's just that.

Wade

But going with the ctf, going like certainly into the CTF stuff, right. We rely on usually your GitHub or any type of repo is a more foundation for your credit credibility. Right. Within the element, right? Yeah. So nowadays, like, if even if you did do a CTF or you write all these blog posts and you have all this stuff in your GitHub, like you could theoretically just make it all with Claude, you Just have a scheduled task to make you a blog post

Corey

every day, which kind of sucks. But the problem is your writing sample didn't get any better.

Tim

Yeah, people are going to be. If they're looking, if they're using their brains, then they're going to look at how much time went past before all of these submissions were made. Because, I mean, a human can only do so much in a given period of time. That is going to have something else now.

Wade

I agree. But look at like prediction though.

Tim

I'm going to make a general prediction about AI.

John

Everyone's going to learn us stuff

Tim

because I went through a lot of this when the web went mainstream. And I'm seeing a lot of the same patterns in terms of early adoption. That just sucks ass big time. And yes, add to the, the, the cookie jar. But over time, people figure it out. And I'm looking at the patterns that I'm seeing in reading lots of stuff from lots of different industries, people who, companies who fired a lot of people claiming AI if they weren't actually just firing humans to make more money to spend on AI. And they actually thought, seriously, that AI could replace the humans. They're finding out the hard way. They're learning the painful lesson. No. AI in its current state can only do tasks. It cannot do jobs. It cannot multitask the way that a human can. It cannot identify what the value is about a certain finding or vulnerability or issue. And God knows, it cannot make moral judgment. Yeah, that's great. The thing is, in the long run, human output will increase in value as people see that the craft, the quality and the insight is deeper. No AI could ever write Left Hand of Darkness or the Sun Also Rises. And the same thing is true going forward. And it's just going to take time for us to wait, wait out the tech bros in Silicon Valley for them to get a clue and stop shoving bad AI down all of our collective throats.

John

I'm out. I just know that anthropic is like challenge accepted. Left hand of Darkness, part two coming.

Corey

Right hand of darkness.

John

Right hand of darkness. So No, I agree 110%. I do. And that gets into the webcast and I don't want to get too much into that, but I do want to address. We talked about it before the show, but I want to bring it up here. And this actually concerns me far more than a lot of what we've talked about. CTFs, you go to conferences and capture the flag is a big part of conferences. You know, we love hiring people that do really good at capture the flags. And it's a great delineator between somebody who can just do a multiple guest test to hands on CTF challenges. And this scares me. Right. Like AI is really, really good at doing capture the flags because there's lots of capture the flags to fuel it on online. And I want to get your takes. Like how would we actually, how do we deal with this to make CTFS fun, engaging the knowledge of people and not just having slot coming in all the time.

Corey

So I have a take? Ralph, you have a take?

Bronwyn

Yeah. Because I thought a lot about this when I talked to Roman about like how to like hack ctfs where they weren't as easy to hack with AI. But then I just realized that like maybe the whole thing was like your CTF is like it's two things, right? It's learning skills and it's also learning ways to maybe solve a problem that isn't known. Right. And that really gets into the, you know, the unknown piece of it. And if you can solve it with AI, I feel like that's kind of a valid way to attack it. Right?

Corey

Totally.

Bronwyn

And so the flip side of that is how do I create a problem that is not AI resistant but just like built to fight this war? You're kind of like saying like, you can't have AI, but in your business you're totally going to need AI. So like where, where do we go?

Corey

It would be unrealistic to say no AI. That's not a real option. Yeah. Okay, so I totally agree. And here's my take. I'm curious if people agree or disagree with this. I think the concept of banning AI or having an AI free CTF is pointless at that point. See, CTFs are completely diverging from reality. If we're looking at like I'm looking at my team of 12 pen testers, they aren't doing things differently. They're just more efficient and beasts with AI, right? Like AI will. AI isn't making us, it's not making our jobs easier, it's making our jobs harder because we're finding more things and we're being more thorough and we're digging in deeper than we would have before. Last week I had an AI bypass a waf. I'm not doing that. I don't know how to freaking bypass a waf. Like things like that. I would have just given up. And AI is going to go deeper. I think CTFs are just going to have to get harder. That's basically what it comes down to. CTFs have to get Hard enough that if you're using Claude skills, they aren't just easy mode. Like that's basically what it comes down to. I do also think in like, environments have to get more complex chains, have to get deeper. Like it's kind of, you know, use AI to build the challenges and they'll get harder. I also do think there are some really fun ways to think about how you could make an AI resistant challenge. And there are some ways that LLMs think that is inherently broken and you can exploit that to make a challenge that a human could easily solve and then I would never get. And I think that's a fun. I'm not saying that should be the entire challenge, but I think it's a really fun concept of like some of the challenges are just pen, testy hackery bits that AI can rip through, but they're really hard, basically impossible without AI. And then also having some super simple, like, you know, an example is linear thinking. So like, if you ask Claude, okay, I have a shirt in the, on my, I have a shirt outside that's going to dry in one hour. If I add nine more shirts, how long will it dry? And it will think it's 10 times longer because it's 10 more shirts. It's the same still an hour because it's nonlinear. Right. AI doesn't think in that way. And so it's a fun concept of like how you could, you design a challenge that's not, that's resistant to LLM style thinking.

Tim

So you could also make a, a challenge that involves analog clock faces. They still suck at that.

John

I, I want to put another alternative on the table and I want you guys to think of it in terms of chess. Chess, by and large has been pretty well solved by Stockfish. I mean, there's still room for improvement. But Stockfish is a open source chess engine that literally will beat Magnus. Like the world's like the best chess player we've seen in history. It will beat him pretty regularly. Right? But because we have Stockfish doesn't mean that competitions like Chess.com and Speed Chess challenges all of a sudden are not, how do I put this? There's more people playing chess now than ever before. And there's more competitions, there's more interest in chess and the use of stockfish@chess.com and Chessly and all these things has actually greatly improved the capabilities of human beings in playing chess. And if you're a CTF organization, I want to kind of put this out there as a thought. One of the things they do whenever they play chess competitions is they watch what you're doing on your chess game and they can look at what you're doing. And if your move is always the top rated move from Stockfish, right, they detect that as cheating or even in the top three. And then they'll flag it. Like, if you're not a grandmaster, they will investigate you and they will ban you for life. So one of the things that I've been playing with as a CTF challenge system going forward with Meta CTF is we don't let people use their computers to do the ctf. They log into Meta ctf, they use guacamole. That video session is forked and they're going through. And I'm not streaming their system, I'm not sniffing their packets. They're just going into a guacamole instance in Amazon and they're able to do the CTF only through that environment, through a Windows system and a Linux system that we give them. It's being streamed. We can have analysis of AI on the other side and we can watch them solve these challenges. That's one of the thoughts that I have. My point is this has been solved by chess. There were a bunch of people that thought chess was dead. Like, there was no way that anybody would ever be able to beat computers. And AI is making it more interesting. But I'm just throwing this out there as a thought. If you have a ctf, people have to log into your CTF environment and do those challenges in a way that is streamed via guacamole on a system that's not their personal computer system. And then we can use AI to analyze what people did. We can use AI afterwards. Like, if you have a competition of people and say, here's the winner, look, they're running curl. Like, oh, my God, there's a vulnerability in that version of curl. I think it gives us a lot of opportunities to make it more interesting. We just have to adhere to the fact that, just like Bronwyn said, I'm paraphrasing, shit's changing, we better change with it.

Corey

I think that's a separate category. That's my take.

Bronwyn

You have like the human ctf.

Corey

Yeah, exactly. It's like sports. Like, dude, I race bikes and I don't race against fast people because I'm not fast. It would be a super boring. It would be the most boring race ever to have me race against a pro. They're just going to crush me. Like, it's. It's like a different category. You have AI Assisted ctf. You have human ctf. Yeah, Two different categories, two different approaches, prizes.

Wade

The one thing I don't think we're discussing is the difference between a red team CTF and a blue team ctf. Like you guys, I think they're inherently different.

John

I don't. I think that my approach would work for either.

Wade

I think your approach. No, I definitely agree. I think. I do think your approach would work, but like the over. And that. That is the answer. But with like the one thing with the blue team backup. Like make I. Oh, oh, no. What I've been doing is you make. You make people write. Not just write a report, but you have to explain to me how you got to that conclusion. Right. Because I have to provide evidence and provide. You do stuff to it every time. If you can get the AI to help you provide that evidence and say why something is particularly important, like, great, but you have to at least show me how you do it and how to do it. And I've been doing that with like junior analysts. Like, yeah, you can go ask Claude if. If this hashes anywhere in our environment. Yeah, but how would you do that in our SEM? Don't ask Claude. Show me, show me. Give me the query. Right.

Corey

Like, here's the problem, though. If you do that for a ctf, you already lost half the CTF players because they don't want to write reports. Good, good.

Wade

Then those are the CTF players you don't want to hire.

Corey

Right.

Tim

If they don't want to write reports, they don't have a future education.

Ralph

So there's sort of the same issue, right, where it's like, how do we stop people from cheating on their test? It's you use their machine or you do it in person and somebody proctors you. Like, that is the only way to get around the cheating.

Corey

There's. There's three categories, then there's one CTF where you have to write reports. That already fixes the AI problem. Seriously? I think, I genuinely think it does.

Ralph

There's a single M Dash.

Corey

Yeah, I was going to say, like, just basically we know you did not use word. I guess what I would say is like, so, like, we're looking inwards at bhis. How do we hire? We don't just see like, oh, you want a CTF, here's your job. Like, obviously we have CTFs could do the same thing of being like, you know, there are CTFs that are more reporting based and not based just purely in score. Then there's like the non AI assisted category, which John was talking about. Then there's the AI Assisted. It's like the open category. It's like, let it rip, baby. How many tokens you got? Like, let's go.

John

What if we did it like they did the ctf? And at the end we'd do like the UK Master's thesis defending approach, where you get the three teams Jeopardy style. And it's like on this challenge, you use curled. Why Explain. And then they have to say, well, we are using these options. This is why we.

Corey

Because of AI.

John

We did. And that's what universities and high schools are doing. They're like, write your paper with AI and we're going to grade it knowing that you're using AI. So we expect no grammatical errors. We expect dumb Joshes. But then when you're graded, you have to get in front of the class and answer questions about your paper.

Wade

In Forensics 508 not to. Like, at the end, you do an I report, right? You have to go all the way through it. Then you have to present it. And that's usually when the teams fail, is when the presenting happens.

Bronwyn

And you.

Wade

Yeah, like, oh, I found this. I found this hash. It's everywhere. Well, why.

Corey

So, okay, so, Shane, do you play a lot of CTFs out of curiosity, or have you in the past?

Shane

I played a little bit here and there, but not as much. I helped work on some of those indirectly through just kind of like the prompt side of it. Like, here's what I want to do. And I also teach a class on ethical hacking. So some of that plays a role in there. But some of the things you can get around with it, like my password hacking or cracking one, One of the nuances they have to do is you have to tell me how long it took you to actually crack each password, how much time. AI is not going to necessarily tell you that. And then it's the difference between a rainbow table and an actual just hashing. You're, you know, going through the hashes so you can trip them up that way. But I agree with what John was

Corey

saying about where you could kind of

Shane

like have a closed environment. Like, almost like Citrix is the first thing I thought of when he was saying that you're in that, like, domiciled bubble and you can only do what's there. So then that puts you in a position to where. And then the other thing I was thinking, if you're doing that, like what I think Hack in the Box does it, where it spins up little virtual machines and you have to go, you can't get. You can't just point an AI at that and start going digging in. The last thing was one of my other cohorts what he does with his. He has a physical part to it. What I mean by that is some of the flags that you get in

John

there, you gotta, gotta arm wrestler Dave Kennedy for this. It's like Double Dare on Nickelodeon. There's less.

Bronwyn

They do that at defcon too. So not for the ctf, but for like the RF Village and other things like that where they have like rabbits and other things like that. So essentially becomes a scavenger hunt. A real life scavenger hunt, not a digital one. And so when you put that piece in there, then that can slow people down.

Corey

Except for.

Bronwyn

Then you. What you'll end up building though is runners. So what ends up happening is you get tasked off to that work. Another thing too that I thought of was making a system that you had to go in to manually enter the answer. So there's some physical process so that you can't brute force that answer.

Corey

Right?

Bronwyn

You can't just ask it over and over again. That's another way to prevent the system from essentially getting a feedback loop where it can find the value where someone.

Corey

Yeah, you're basically fuzzing the freaking application.

Bronwyn

Yes.

Wade

I. I'm teaching an Intro to Operating Systems course for a college right now and they have one of those labs where you have to log in and do all the stuff, right? And everyone was having a really hard time with the labs. And I'm like, oh, I wonder if I could just have Claude do all this for me. Claude couldn't do it. Not because it couldn't figure out the labs, but because the questions of the labs were written so bad that it couldn't figure it out. And I couldn't figure it out.

John

Methodology. This is a horrible pepping question.

Corey

Okay, so I want to move on to Linus.

John

Can we go to Linus Tolbols? And he's talking about. Once again, it's AI slop. And he's got two beautiful things that I think are amazing in this article thing. One, he said if you use AI to find vulnerabilities in the Linux kernel, odds are somebody else already has, like, don't bother to resubmit it. And number two, he said, and I love this approach, he said our submission guidelines are you find the bug, but you also have to submit a code solution to solve that bug. And he said that that just washes out like a huge percentage of the submissions that are coming through. He didn't seem as salty as I thought he was. Like, I thought for sure he was going to be like, FAI f all

Corey

of you if you. Because he. If you want to use AI and

Bronwyn

your money to do the job, that's great, right?

Corey

He used AI to read all the responses and ask how many were BS and 99% of them were BS. So he's like, yeah, I mean, fight.

Ralph

That's fire.

Corey

Yeah, fight fire with fire. Like if you just set these simple guidelines, like it has to have a patch, it has to be passcode, it has to, you know, meet our guidelines. How many submissions are left? Six. Okay, like, great. But yeah, I mean also, you know, behind the scenes, like I'm just gonna go ahead and speculate that Torvalds and the Linux crew got access to Mythos pretty early on. Yeah, like I'm. I'm guessing, like if I made a model that was good at bug hunting, I'd like Linux. Where are you Linux? Like I need to fix it right now like that. It's the easiest thing to pull apart and fix. It's also similar to Curl where this is battle hardened code, guys. This is not. I mean there was copy fail. There have been some fun spicy ones recently. But you know, Linux is hardened. It's been tested a bajillion times by a bajillion different people. And it's not just easy to. Hey, Claude.

Bronwyn

Yeah, I'd say the only downside is there's so many contributors and that's really where the. Where usually the bugs come up. Right when you have. It's a ton of people all contributing and then you have to validate and all the other fun stuff. So I mean, that's why it keeps continuing to be bugs. Right. But humans.

Corey

Yeah, weird. True. All right, let's segue to the next article. John wants to talk about a new Roomba that he's going to buy that

John

new dream, new Roomba Rumble Roomba from Germany. So this is. Yeah, this is a great story and you know, it's kind of terrifying, but I think it's good. So Germany is flooding Ukraine, I don't think. I think flooding is a bit overselling it, but there's hundreds of.

Corey

There is some mud in the picture, so it's fine.

John

There is some mud in the picture. They call them Jurcon combat robots and

Corey

then they're called like the Rumbachnakenstalken or some shit like that.

John

But it's funny because. Well, I think it's good because it allows them to get supplies to the front line and certain things that, you know, you wouldn't want to put humans at risk and actually doing these things. I, it's just, I, you know, it's kind of getting away from AI but it's tangentially associated with it, but it's just kind of showing the evolution of technology. And this is now the robot side of it. And the reason why I'm excited about this as a security practitioner is it's more stuff to test. Like I just cannot wait to get one of these in the office. And I'm in, I'm in the radiology room where if it gets tested it's going to be in here because I have lead lined walls in this so there's no signal leak out of this room. But I, I want to get you guys take on this. I1 I think it's good that, you know, maybe we have fewer people in harm's way. But then again the guy that invented the machine gun thought it would lead to fewer deaths and he was wrong.

Corey

What are you saying? People are going to get run over by the Roboro?

Tim

Okay, John, instead of having a riding mower, you're at one of these robots and ride Sturges.

John

Ron, when I love you, you need to talk to my wife and subtly drop. John's birthday is coming up. He needs a Rambo Roomba for.

Corey

I think this war is really okay

Bronwyn

because what do you call it we're getting to see, right. Modern warfare developed in real time and it's wild, right? Like the, the Ukraine war is a modern day battlefield, right? Drones, the new robot that carries or you know, other like this is all happening and because they're, they're fighting, you know, in this new battlefield and they're developing it on the fly. The wildest part of this though is not just security, as you mentioned, John.

Corey

Right.

Bronwyn

But also just the rapid development and the non reliance on China and other countries to develop technology so you can actually fight a war, right? It's pretty wild.

Tim

Anyways, the folks in Ukraine have been brilliant as far as I'm concerned.

Wade

Why haven't we seen one of these?

Corey

They're resilient.

Wade

We haven't seen any of these in video games. Like, like we've seen plenty of robots running around, but not one that's like bringing you ammo, right?

Bronwyn

Like, right.

Ralph

Come on, man.

Wade

Did they have a, did they have a bot that brought you ammo in the newest Battlefront? I don't think so. I don't remember the old one and

Corey

the old One, but okay, has anyone seen. This is kind of off topic, but it's also very much on topic. Has anyone seen the videos of like the cocoa delivery robots like this crash.

Bronwyn

Oh my God.

Corey

Crashing and causing chaos.

Ralph

Yeah.

Corey

Okay, so like if you haven't been exposed to this on the Internet, I'm sorry, but you're in for a treat when you go hunting for this. But just go on YouTube or tick tock or wherever you go and search Coco robot fail Coco and just watch the videos of these. They're basically like delivery bots, you know, that just fail in the most hilarious ways of just like falling downstairs, driving into floods, driving into tunnels.

John

I love.

Tim

Don't forget the empty waymos that are terrorizing.

Corey

Yes.

Tim

In Georgia.

Corey

The question is, is this going to be.

John

Somebody ordered food to be delivered in like, like underneath an overpass on an interstate in like a tent city with a bunch of homeless people? And it was just like the dichotomy of what's being like what's, what that's showing is, is pretty hilarious.

Corey

And then so that's the question is, is that going to be the like, are we going to see videos of Russians just watching a robot like fail to deliver ammo for like 17 hours or is it going to be actually useful? Like we'll see.

John

I don't know. I mean the other thing is every time you show those videos of these Cocos getting destroyed and obliterated, I think it's just helping Coco stock because the one thing that I take out of this is these things are put together pretty damn well.

Ralph

Yeah, yeah.

Corey

They can drive into floods, they can get run over by car.

Ralph

Part of it with the drones will always rely on the humans that operate them to an extent. Right. Like there was that video I think that I saw last week where somebody had deployed this new like farming drone and they took it off from like a street and so they take off and start to move across the road towards the farm and it's immediately run into by like a big truck and

Corey

sent it to like a bunch of pieces like. Yes. I, I, I, I don't know. I mean this is, I will say like anytime, you know, for, for something like this you can place a human that's potential live saved. But also. Yeah, you know, is it, is it going to, or is it going to be like as I ordered ammo like 17 hours ago and it just says it's tracking number is missing and we

Ralph

got to get Amazon prime over there.

Corey

Your cocoa has been rerouted.

Wade

Oh no, those Amazon Delivery bots that, like, fly over people's houses and drop a parachute of top Ramen at your house for you.

John

Like, I'm so excited for that.

Corey

The future is here.

Tim

May not have our flying cars yet,

Wade

but I just imagine John out there with like a directional antenna trying to hack as it flies by, right?

John

Like drop, package drop, package drop signal. Yeah. I, I, once again, I love this stuff because, you know, if we go back to around Christmas, I was, I was like, man, the rate of AI improvement in like, October, November last year was just off the charts, right? And you know, there was a lot of fear in the industry and even internally, people like, what is, what does this mean for us? There's so much more technology and there's so many ways, just like Bronwyn was talking about. It's just going to be applied in so many ways that we haven't even thought of yet, that, hey, we're going to need security and all that shit. And it's job security, y' all like. And Bronwyn also mentioned if any of you are listening to this and you're like, well, we're going to cut back our staff because AI is going to save us money, you are wrong. You are so wrong, and you're going to get hit hard. I don't care if you're in offense, I don't care if you're in defense. You can't look at this as like, well, we need fewer humans in security. Now, maybe, maybe if in the food delivery industry, your job may be at risk, but in security, it's going to be wild times. Just remember, chaos is a ladder.

Ralph

It'll let your people do more and

Bronwyn

faster, but break more stuff, faster

Ralph

problems.

Corey

There was a post about that this

Ralph

week where it was talking about, as you get down the AI pipeline and you use AI to build or develop, you are building yourself into this position where you have so much tech sprawl and tech debt and all these different pieces that there comes a point where if you stop using AI, you are toast. So you're, as you're building out these processes, you're building so much more work for yourself that you, you can't get away from.

John

But that goes back to what we've talked about in the past about the coming SaaS apocalypse. And I saw other articles that flat out said SaaS is dead. I can't remember who said that this

Corey

last week, but, John, AI is sass, dude, not to burst your butt.

John

That's my point. If you're looking at SaaS as like a company that you produce a service and somebody can rebuild that SaaS product from scratch with an internal team. Like the idea of buying SaaS from a third party vendor, spending potentially hundreds of thousands of dollars for something to be internally developed. This gets back to Hayden's point. If you now have this code base where all of a sudden we have an explosion of software being written. And this is one of the things that I don't think that people understand about AI is whenever you're using AI to write code, it's using a part of its quote unquote brain that's completely effing disconnected from the security code analysis part of its brain. Those are trained on two completely different data sets. And we've seen a lot of different stories where people will have code written by AI and then they'll use that same AI to evaluate the code for security vulnerabilities and find multiple critical vulnerabilities in it. So once again, I think it's just great. There's a lot of explosion of cool stuff happening.

Corey

Happening.

Shane

Yeah.

Corey

So a couple of quick hits since we kind of spent a lot of time talking about AI. First of all, there's a BitLocker Zero Day.

John

Oh my God, I heard about that.

Corey

That we kind of forgot about. Basically, if you have physical access to a system and it's using BitLocker, you can put a file on a USB drive, throw it in there, boot into recovery and get a command prompt on that.

John

All from a USB stick.

Bronwyn

Yeah, yeah.

John

Now a couple of quick things about this. You can't do it from a cold boot state, like where the system is starting up from cold.

Bronwyn

No, you can't.

Corey

No, absolutely no.

John

But if it's been down for a while, the memory state goes out from what I've been reading. So look, there's a difference between standby and completely shut down. Whenever you're looking at Windows computer systems and you go back to cold boot attacks, you go to FireWire attacks. And I think this one too, if this system is completely powered down and there's no suspended state, I don't think that this works. At least that's what I read in one of the testing. But if the system is in standby mode and it comes back up, then you can actually go through and you can bypass it. So that's interesting, but the real question I want you guys to get. Do you think this was intentional? Do you think this was a backdoor that Microsoft put in?

Bronwyn

Yeah, I think it's a backdoor than Microsoft.

Corey

Okay. I'm Going to go with no. People were like, oh, the bug bounty researcher themselves said, I just can't see any other explanation. I was like, dude, is this your first Microsoft bug? Like, you know, not to diminish the capabilities of this person. I'm sure they're way smarter than me, but like, dude, this is their bread and butter is putting features in and forgetting to take them out and then those features having vulnerabilities in them. But also that's arguably plausible deniability for a backdoor. So it is what it is. I think it's, you know, we'll never know. Ralph, Microsoft, you said being escorted out.

John

Ralph thought it was a, was a, was intentional. What do think you, why do you say that?

Bronwyn

Yeah, I mean law enforcement, it looks trivial like the actual attack path. I didn't see anything like, because John, you mentioned that, you know, the system has to be on and the, the actual key is in the tpm. Right. So that's in the TPM module and so it has to be on the.

John

Wait, we're putting these keys in the TPM reports?

Bronwyn

Yes, yeah, yes.

Corey

They're overdue, John. They're overdue.

Bronwyn

So the keys are there and on that device when it boots and it realizes that the order has changed, then it prompts Windows does. But this attack essentially bypasses that prompt and allows you to get access to the C drive. There's a bit more into it, but functionally that's how it works. Right. And there have been other arguments about just storing anything on the TPM because there's no actual password for the tpm. It's just validating that nothing has changed on the operating system before it releases that key from the module. Right, but there are ways to implement second or, you know, two phase authentication in the TPM where you can actually have a password that's required more than just being like the same hardware. So yeah, that's. But I think, I think it was on purpose and the CIA is going to be upset that they have the.

Corey

Yeah, I think selling magic USBs for a hot second.

John

Also, the security researcher says that they have another vulnerability similar to this one that they're planning on releasing.

Corey

I think, oh yeah, this, this person is popping off. I guarantee you they just had a bad experience with MSRC and we're like, you know what? We'll see how I can msrc.

John

Look, MSRC is very timely. They're responsive, they're consistent in the way that they communicate with security firms and they take vulnerabilities that, okay, there is,

Bronwyn

I Do have two recommendations if you actually want to stop this from a physical hardware attack. Because we implement this on our own devices that we ship out. So the two things you need to do first, implementing a BIOS password, right?

Corey

That's epoxy or USB ports.

Wade

That was my answer.

John

BIOS password. All right?

Bronwyn

That's how BIOS password. Another and the second level way to lock this down is using Secure Boot. Now people don't realize actually how Secure Boot works, but one of the functional ways that Secure Boot can work is that you can designate your own keys that you actually create and put into the bios. And the operating system will not even boot without those keys in existence. Right? The BIOS will totally say, no, I'm not going any further. I don't care what USB drive or any other thing. The only way to disable that is to go into the bios. And if you have a BIOS password, facto, it's not booting. Right?

Corey

Well, okay, so John, to take a serious, like, honestly, MSRC people, if you're listening to this, you guys need to start using AI. It's okay, well the job, like, you guys, you guys need to like, come on, get access to chat GPT. Like, come on guys, start processing the bugs or else like. Yeah, I mean, I think if we're being honest, the threat vector from physical access is already pretty limited. The, you know, amount of information that can be stored in one system is pretty limited. Like this is kind of an edge case. It applies mostly to industries that have crown jewels on their endpoints. Like, you know, it's like legal government, you know, the, the high sensitivity environment.

John

But going back to like the intelligence community and DoD, like Field Expedient, like forensics, physical access, man, this is a, this is a huge thing, especially if you're in the military, in the field field, like, like straight up physical access bypass authentication controls. Like that's something that we've used for years and a variety of different ways. I kind of lean towards Ralph on this one that it was intentional. And I agree, Corey, like, I'm not 100% certain, but it also doesn't apply for Windows 10. Is that correct? I don't like this.

Corey

Yeah, this is your reason to go Windows revert. Yeah, you gotta revert back to Windows 10 now.

John

But that's what makes me like argue with myself, right, that it wasn't an intentional thing. Because if you really wanted to have utility to the CIA and you wanted to have utility to the nsa, and more, more particular, if you wanted to have utility to operators in the milit. In JSOC. You would want it to work in Windows 10.

Corey

Well, yeah, but they probably have a

Bronwyn

different USB for Windows 10.

Corey

That's fair point, fair point. That's not a yellow USB, it's a red US.

John

Yeah, yeah. Which one do I use?

Corey

Yeah, it's a different colored. Cut the red wire, John.

John

Yeah, so they don't want.

Bronwyn

Obviously Microsoft got rid of the red USB because they want everyone to move to Windows 11. That's why.

John

That's what they.

Corey

So as far as the canvas breach, any big updates on that, has anyone followed that one?

John

There's been anything new? Has there? Like we still don't know how they got breached in the first place. I mean they paid.

Wade

They're in.

Corey

They paid. That's the big news. They did pay and they're reached an agreement or whatever to not have the data released. We'll see if that actually holds or if someone leaked it or you know, who knows.

Tim

But well supposedly they, they deleted the data. But you know, did they run Shred

Corey

Dash N seven or did they just, you know, put in the recycle or not?

Tim

I do know some people who are dealing with that with the community colleges in California.

John

So I've heard rumors that they paid up to $10 million.

Corey

Yikes, that's not that much.

Tim

That's actually like.

Wade

Weren't they asking for like 2 million per school?

Corey

Yeah, it was like 10 million. They cut a deal. That's only five schools. Yeah, no, I mean, I don't know. It's a bummer because I almost guarantee you that $10 million is going to go to absolutely no one like that. That's going to. That. That's not actually buying any security. But I understand like they've kind of dropped it. They dropped the ball a few times. So it tracks that they would also pay the ransom. But who knows behind closed doors I'm

Tim

sure there's a lot of alma mater doesn't use canvas.

Corey

Really? I want my records to be breached. That's, that's my favorite.

John

It's just easier for me to get my. When I inevitably spill coffee on my computer.

Corey

Yeah, it's way easier. I like to back up my data on all the ransomware clouds. That's typically where I put it and

John

you know it's safe, right?

Corey

Yeah, yeah. There was a couple of like non starter articles that we thought were really dumb that we should call out.

Wade

Please do it, please do it, please do.

John

The one.

Corey

Go ahead. Yeah, the one from the Sun. There was one that Somehow, Yeah, I don't know. Apparently, like some ladies nudes leaked and somehow that's newsworthy. I don't know why, but I don't know.

John

It had to do with their clients. But yeah, let's. Yeah, we don't.

Corey

It's like Android spyware. Also, there's an article that like Claude, when you install it and install spyware, it's just like someone who doesn't know what spyware is writing that article every time.

John

Every time.

Corey

It's like if the, the provider that you installed their software can, you can use the software to control it, which is, which is spyware, but that's also the product you're paying for. So it's like I installed any desk and I think it's an RMM tool, guys. Like, holy crap.

John

Well, we also had the Digicert breach. I don't know if we talked about that last week, you know.

Corey

Oh, that was like. That was at least three weeks ago.

John

Yeah, that was a while.

Corey

We did.

Wade

They had a good write up.

Corey

There was the gas tanks. Like, supposedly people were claiming that Iran was messing with gas tank monitoring, which had no authentication. And basically what they were doing is just, I guess lying about how much gas there was in the tanks of being like, actually there's no gas. Like, I, I don't really see the.

Wade

I think they were saying that if, if the gas tanks read fall, like have false readings, they can potentially explode when you fill them up or overfill or whatever.

Corey

Yeah, it's like, it's like the classic like specter of what could be possible with OT hacking, but didn't actually.

John

But that's like, that's like 80% of like the bad DEFCON talks where it's like, totally theoretically, if I could hack your toaster, I can burn you.

Corey

It's like if you just stick your hand in your toaster for 20 to 30 minutes, all the conferences you go

John

to and there's some jackass running around with a flipper zero opening up the charge ports on all the Teslas. It's like, it's like, oh God, this shit again. But it's, you know. But stun hacking does have its place. It absolutely does.

Corey

It does. The train thing is cool, by the way.

John

Hold on.

Wade

Yeah, do the train one. Do the train one.

John

I want to talk. Brian thinks that we're attacking him and I would just want to call out, Brian, you did a great job. I know you're correlating the news stories by the community and we appreciate that. We aren't saying Anything about you and the job you're doing. You're doing a great job, Brian. I just want to call that out, so. All right.

Tim

Hey, Brian.

Corey

Yeah, I guess let's. Let's have Shane plug his stuff. Shane, what you got coming up?

John

Shane, take it away.

Shane

So I am going to be delivering a presentation in June for the threat hunt that is faced that you are. Y' all are putting on specifically. I'm kind of setting the course for you have no idea what you're doing. You're beginning to kind of get started and what's next. Many of the clients tend to have that whole, hey, just find bad. I've got a splunk instance go into town and that's. Find bad is like the worst statement you can give me. Because if I find bad, you're going to have a bad day. And I don't like to work from that direction. I like to work a little bit more structured. So that's kind of the beginning of the. I can go into more details or if you have questions.

Wade

So you. You use stats and then sort by least common log and then there you go.

Corey

I think you just literally regret.

John

Bad bad 666 we found Satan. Yes, I misread whenever. Whenever they were talking about your talk, I misread it as threat hunting after Dark. And I gotta say, like, you know, saxophone solos were playing in my head. I'm like, this is gonna be a good. This is going to be super cool.

Shane

It's like you're either going to grab a bottle of bourbon or you're going to grab a can of balls and get started.

John

Exactly. So my question is, and I know the answer is both at some level, right? Is this kind of designed for talking to potential customers, kind of letting them know what they need to be to be prepared for an incident or people that are truly trying to learn threat hunting, or is it some combination of both?

Bronwyn

Both.

Shane

Probably a little of both, but it's more on the. The threat hunt side. What we're getting on our side is we're getting a lot more calls about, hey, you know, we have this team that we want to start up or we have, we have this telemetry. How can we look at it? And starting to build that. But they have no that all they know is alert, detect and that kind of environment. They don't know how to actually do hypothesis drawing and proact. Instead of that, just react and react, react, react. That's the only thing they know.

John

And I think that that's a huge problem.

Shane

Right.

John

Like Whenever I talk about threat hunting, a lot of people think, well, we have. We have a sim, we have an edr. We're getting alerts. And I think you're starting with the base, like, presumption that the type of attacker you're going for is bypassing those particular security controls, whether they're on a device that doesn't have the telemetry, or you're dealing with some advanced adversaries. And I think. I think for me personally, that's like a huge mind shift away from detection and alert tuning logic to. You're actually, like you said, coming up with a theory, and you're going and hunting for more advanced adversaries. Is that kind of the way you look at it as well?

Shane

Yeah, advanced adversaries as well as just dumb stuff. It's on the network that, like, how do you. How do you actually. How do you actually know you have all of your assets covered? How do you know? You go, I have a sim. Okay, you've got a sim. What are you using to. You got an edr? Did you. Did you cross reference them to see if your SIM actually has the same number of assets reporting as what you have in your edr?

Corey

I don't tell people that proprietary information. Shane, you're sharing all the secrets.

Wade

You go to a job, you cross correlate, and you're like, hey, we're missing 10,000 agents. They're like, what?

John

Dude, don't laugh. That literally happened to us.

Wade

Oh, I won't say anything.

John

It happens all the time. What do you mean? What do you mean? What do you mean? 30% of our environment has no EPP or EDR. It's like those words you just said, or what I just said to you exactly. Or.

Shane

What do you mean there's 2003 on the network? Come on.

Wade

Oh, that. That's the best.

Shane

I had one of those. Not too long last year, actually.

Corey

But, yeah, getting.

John

I like how these conversations eventually devolve into drinking. It's like. Like, okay, the worst network I ever saw crack. Okay. It's gonna take a shot of whiskey to get through this one. It's just like, defenders, man. So.

Corey

All right, on that note, yeah, Wade has stuff. Ralph has stuff. There's other stuff to plug, but they'll be probably here next week to plug their stuff.

Wade

Probably more CTI classes. Come take CTI stuff.

Tim

Have fun.

Corey

John, aren't you, like, doing a webcast this week or something?

John

I am. The webcast is basically how we're doing AI wrong and looking at AI incorrectly. And it has a lot what we talked about today, where people are like, it's going to save money, it's going to be more efficient, it's going to solve security. It's like, all of that crap's not true. And it's going to be a roundtable. We're going to get a bunch of people from bhis, and I'm probably just going to do it without slides, just bring up news stories and kind of talk about it in terms of, like, what can we take from this as far as trending? And then I'm also going to talk a lot about at bhis on the offensive side, Corey, stuff we've talked about where it's like, we truly thought that AI was going to make us, like, faster at doing our jobs. And instead it's just adding a lot more, a lot more work. And that's good because that's where humans need to be in the loop. Or another example is people look at AI and they're like, well, I'm going to buy a tool that's going to do an automated pen test. But they lose context and understanding of what that and just becomes another noisy dashboard tool demanding their attention and how we need once again, like Brahman said, humans in a loop, you know, you're just, with AI, you're moving the bottleneck. If you're using it to develop code, great, you can code, let's say, 100 times faster. You're moving the bottleneck to QA QC, you're moving the bottleneck to deriving the requirements, you're moving the bottlenecks. And we've just got to understand that humans are still required in this as well. For now, anyway.

Corey

All right, on that note, we'll see you all next week. Thanks for coming.

John

Later.

Corey

Clock usage resets prematurely.