Talkin' About [Infosec] News – "Online Book Store Takes Down Half the Internet"
Podcast: Black Hills Information Security – Talkin’ Bout [infosec] News
Episode Date: October 24, 2025
Main Theme:
A lively, unscripted roundtable of security professionals and penetration testers discusses the causes and broader implications of a massive Amazon Web Services (AWS) outage, the F5 breach, trends in supply chain security and nation-state hacking, the unintended consequences of expanding age verification and digital identity laws, the perils of unencrypted satellite communications, and ill-conceived plans to put data centers in orbit. The group wrestles with the complexity of modern attack surfaces and the ever-evolving security landscape—with the usual blend of sharp technical takes and irreverent banter.
Episode Overview
The panel grapples with the aftermath and meaning of "half the Internet" being knocked offline by an Amazon/AWS outage, using it as a jumping-off point to discuss supply chain and infrastructure risk, recent attacks (notably the F5 breach), and ongoing shifts in adversarial tactics—especially from nation-states like China. They also reflect on tech policy developments around age verification and privacy, and touch on the risks and realities of satellite tech and futuristic "cloud in space" concepts.
Key Discussion Points by Segment
Light-Hearted Start, Technical Glitches, and Outage Realities
- [00:35]–[11:47]
The crew navigates livestreaming challenges, referencing how outages (especially AWS) have forced them onto fallback platforms. The panel jokes about online avatars, hats, and how even their own streaming relies on fragile infrastructure.
Notable Quote:
- "Nothing like a widespread Amazon outage to throw everything into a blender." – F [00:37]
- "If you can see this, your Internet works." – G [02:20]
- Discussion about Restream and LinkedIn also being down due to the outage.
- “Everything’s down” becomes an unofficial title for the show.
The F5 Breach: Zero Days, Dwell Time, and Supply Chain Paranoia
- [11:54]–[35:09]
The main breach of the week: F5, a critical infrastructure provider, was compromised for nearly a year.
Are long-term infiltrations more worrying than flashy zero-days?
- A: "I'm getting a lot more worried about the, not the zero days that they just pop and they go right away, but like the hold it and dwell type." [12:45]
- B: "In the age of AI I think they've probably analyzed as much of the source code as they can, and they're probably just piling a shelf up of stuff and just holding onto it." [13:29]
- C: "None of the vulnerabilities... were RCE or critical severity. That adds credence to the nothing burger thing. The other thing, like John said, persistence, you know, long term dwelling... I would imagine F5 did like a threat hunt." [14:24]
- Supply Chain Fears & The Limits of EDR/EPP (Endpoint Protection):
- E: "There may be a lot of organizations that are using CrowdStrike services. Was something misconfigured?... How does this slip past those defenses?" [16:16]
- A: "Doing good security is not just buying a good endpoint security product... Are you monitoring your cloud services to make sure there's no weird logins with Impossible Travel? Who's accessing your code?" [17:11]
- The Hard Reality: Even Security Vendors Get Hacked
- G: "...do they all really have the worst security programs or is this just so hard to actually do that?... All of these big companies have these weaknesses... and the bigger they are, the harder it is to kind of, you know, take control." [19:04]
- D: "...security is an end game and not a journey... you have to keep up with that needle to go ahead and be as secure as possible." [19:52]
- Neglected Dev/Test Environments & Hard-coded Credentials:
- C: "Put security measures in place on your dev and test environments beyond what you would do in production... I've seen plenty of customers who don't do that..." [21:43]
- B: "In all of the unit tests... they were hard code credentials and hard coded tokens. All of them." [22:15]
China’s Evolution: From Chaotic Actors to Coordinated, Persistent Threat
- [23:04]–[31:29]
- Deep dive by A ("John") on China's historical approach to cyber-operations:
- Previously decentralized, now unified under PLA.
- New doctrine focuses on the triad (air, sea, cyber), emphasizing persistent access, supply chain infiltration, and the capacity for kill switches (one-way attack code intended for sabotage, not persistence).
- Lessons from the Russia-Ukraine conflict and Western operations heavily influencing tactics.
- "It’s now coordinated very much to gain access to services like this, maintain access... input source code inside of the supply chain for maintenance... their source code isn’t necessarily persistence... it’s kill switches." – A [24:36]
- Concerns about the potential that attackers have inserted undetected backdoors or kill switches into F5 code:
- "I’m scared shitless that something did get put into F5." – A [29:48]
- Reminds the audience: "It’s not about just getting an AI product, you have to have humans that are leveraging the tools... you have this constant paranoia."
- A running theme: Good security is a paranoid, iterative human process—no toolset alone is enough.
Nation-State vs. Financially Motivated Attacker Debate
- [32:47]–[35:09]
- C: "I think this is a coin toss whether it's actually an APT nation state or whether it's a financially motivated threat actor... My argument for it wasn't a nation state is they sat there and didn't do anything with it." [32:47]
- A: "Every backdoor was brickstorm. There was persistent access, and that has been sometimes attributed to China..." [33:20]
- Consensus: Attribution is hard, and often used as a cop-out by organizations:
- "That's the default move for any breach." – C [34:05]
- "Well, they were highly sophisticated." – C [34:12]
The Expanding Digital Identity/Privacy Policy Nightmare: Age Verification & Beyond
- [35:10]–[47:16]
- Hot topic: New, strict age-verification laws in US states and globally.
- G: "This is about age verification right now. There's many states... enforcing age verification across something like all of the App Store..." [35:17]
- Implementation is trending from laughable "Are you 18?" checkboxes to full digital identity proof and document uploads.
- C: "...the reputable companies in those spaces, they pulled out. They said that's terrible." [37:26]
- The panel raises privacy concerns about the centralization of identity, the risk of large identity databases, and the slow creep towards "papers, please" for the web.
- C: "The true way of doing this system, which of course has privacy implications, is to have like a centralized national identity system, whether it's based on crypto or certificates or whatever... like Oauth." [39:07]
- UK and Europe are moving even faster with laws that indirectly or directly undermine encryption and digital privacy.
- A: "There's this strong march... to less and less privacy, less and less encryption, more and more oversight..." [40:15]
- F: "Of course they want to capture it because then of course they can data mine it and they can sell to the children and their parents..." [41:36]
- Philosophical tangent: Should parents or governments be responsible for children's Internet safety?
- A: "...maybe, just maybe, parents should be responsible for their own raising of their own children and not make it this huge thing that we're dealing with... I like the Internet being wild, crazy. I like it being kind of unhinged and chaotic." [46:30]
- B shares a humorous parenting anecdote about catching their teenager watching porn via proxy logs. [47:23]
Satellite Security: Unencrypted Birds and Futuristic Failures
- [48:39]–[58:29]
- A research team set up ground antennas to sniff satellite traffic and found some telcos (T-Mobile cited) sending unencrypted data—including calls—over satellites.
- G: "The TLDR is that encryption should be used even on satellites, right?" [50:14]
- A: "I had multiple arguments with engineers... Their argument was encryption introduces overhead... these were also people that had hundreds of thousands of lines of code use telnet for data transfer..." [50:26]
- D: "I'm honestly surprised... with the cost of SDR equipment being next to nothing... we don't find this happening more often." [51:36]
- Satellite patching horror stories and how hardware mistakes can doom billion-dollar birds.
- A: "The bracket was mounted backwards. And when they started unfurling the solar array, it stopped like halfway... it was literally a billion dollars that went down a hole." [56:02]
"Cloud in Space" and the Enduring Problem of DNS
- [55:02]–[59:11]
- Jeff Bezos’s plan to put AWS data centers into orbit is roundly mocked:
- C: "This is the stupidest thing I've read all week. This is so dumb. Does he not know how... physics work?" [55:08]
- Panel lists a litany of technical, logistical, and economic reasons why space data centers are a terrible idea—cooling, launch costs, radiation, latency, maintenance.
- Amazon outage blamed (yet again) on DNS:
- G: "It was DNS, by the way." [58:55]
- A: "Always goddamn DNS." [58:59]
Cloud Outage Aftermath and Decentralization Lessons
- [59:11]–[64:32]
- Discussion turns to how reliance on a small number of hyperscale providers (AWS, Azure, Google) creates massive single points of failure.
- G: "When you put all your eggs in one basket, when that basket fails, guess what? We're all affected, right?... Used to have more of a decentralized Internet. Now... three companies are running everything." [59:30]
- A: "Anytime there's a pen test, like, everybody in that company has a get out of jail free card. Like, I can guarantee you in Amazon, as soon as things went south, there was somebody that asked, are we being pen tested right now?" [60:39]
- C: "If you're actually a cloud expert person... you don't rely on any one region for anything. You have regional redundancy. You have copies.... not how the cloud's supposed to work." [63:29]
CTF Announcements and Closing Banter
- [65:00]–End
- Winners for the on-show CTF contest are announced, with prizes for hands-on performance in security challenges.
- Final calls to join the Discord, make infosec training more hands-on, and a callback to the recurring theme: always be ready for catastrophic infrastructure surprises.
Notable Quotes & Memorable Moments
- "It’s always goddamn DNS." – A [58:59]
- "If you can see this, your Internet works." – G [02:20]
- "Doing good security is not just buying a good endpoint security product." – A [17:11]
- "You have to keep up with that needle to go ahead and be as secure as possible." – D [19:52]
- "China has completely pulled all of their CTF... They are now very, very focused at doing exactly this type of thing, which by the way, the NSA has been doing for a long time." – A [30:58]
- "These laws are just dog whistling. They're just like we care about the kids or whatever." – C [39:50]
- "Encryption should be used even on satellites, right?" – G [50:14]
- "This is the stupidest thing I've read all week. This is so dumb." – C [55:08]
- "When you put all your eggs in one basket, when that basket fails, guess what? We're all affected." – G [59:30]
Recurring Themes, Takeaways, and Security Insights
- Supply Chain Is the New Battleground:
As attackers target tech (and security) suppliers themselves, long-term “dwell” tactics are more worrisome than smash-and-grab zero-days.
- No Silver Bullets in Security:
Good products (CrowdStrike, etc.) help but don’t cover the sprawling complexity of modern infrastructures, especially around dev/test and cloud.
- Nation-States Are Adapting:
China—like Russia, U.S. agencies, etc.—is now pursuing access with the explicit goal of persistent access, kill switches, and wide-scale disruption (not just espionage).
- Regulatory Trends Pose Privacy Risks:
Age verification and encroaching digital identity mandates threaten to centralize personal information and erode privacy, under the banners of “child safety” or “national safety.”
- Complexity and Centralization Are Double-Edged Swords:
Outsourcing infrastructure to AWS et al. means disaster is outsized when something goes wrong—true redundancy and decentralization are fading.
- Cultural Commentary:
The show lampoons billionaires’ pet projects (“space data centers”), bemoans the normalization of privacy loss, and reaffirms the value of good infosec paranoia and hands-on testing.
Timestamps for Key Segments
- 00:35–11:47 — Intro mishaps, AWS outage fallout, light banter
- 11:54–35:09 — In-depth F5 breach discussion, supply chain and nation-state analysis
- 35:10–47:16 — Age verification laws and their consequences
- 48:39–58:29 — Satellite communication security, unencrypted data, "cloud in space"
- 58:55–64:32 — Amazon/AWS outage, centralization, DNS, student blame etiquette
- 65:00–End — Announcements, CTF winners, closing notes
Final Thoughts
The episode vividly shows the inherent messiness of securing the modern Internet, from persistent attackers and supply chain risks to regulatory whiplash and infrastructure entropy. With a foundation of solid real-world expertise, the team offers listeners both technical insight and comic relief—a must-listen for anyone trying to keep up with the rapidly shifting infosec landscape.
