![Online Book Store Takes Down Half the Internet - BHIS - Talkin' Bout [infosec] News 2025-10-20 — Talkin' Bout [Infosec] News cover](https://assets.blubrry.com/coverart/orig/577207-646458.jpg)
A
I think we're sending stuff live.
B
Oh, crazy.
C
Right now.
A
Just seeing. On YouTube.
C
On YouTube.
A
On YouTube. Yes, on YouTube.
D
Not my tube.
B
YouTube.
A
That's right.
C
I think that's the wrong mic, Jackie.
B
Hello, YouTube world.
E
Arg.
D
Let's try that. How's that?
C
Oh, there we go. That's the right mic.
F
And apparently Ralph is stuck in.
A
Oh, I gotta let him in.
F
Somebody's out there.
A
Sorry, I'm multitasking.
G
That's all right.
A
Here he comes. Ralph Mason.
F
Nothing like a widespread Amazon outage to throw everything into a blender.
B
Yeah.
G
Oh, look, it's Ralph.
A
Ralph.
C
How are you, Ralph?
G
I found the link on the Internet, so I thought I would join fishing.
F
Just randomly clicking those links.
B
We. We do. We. We throw them out there. This just. Just like fishing, right?
G
Yeah, it's just. I'm just looking at Pastebin feeds right now, and I saw it go by.
C
Nice. Yeah, I always. I always post it on Pastebin just in case any hackers are watching.
B
Legit. It's important.
C
Legit hackers.
G
I. I saw you guys just, like, playing around with all the different things you can wear. Like, I could just imagine a whole team of people over at Zoom. Like, what else could be. Like, put on them, right? Like, what kind of hat? Right?
B
Yeah, we take the glasses off avatars.
G
Oh, you got to sign in to get avatars. Eyebrows are free, though.
B
Yeah. Oh, I've never liked myself with a mustache. Yeah, take that off.
G
I know. This is the one right here. It's weird.
B
I can thicken up the eyebrows.
A
God, that looks horrible.
B
I can put on, like, ruby lips. Oh, that's weird.
A
Okay.
B
All right. This is. This is kind of freaking me out.
G
That's. That bald head setting is working really well, though.
B
I know. And I can't.
C
You can't be showing your real hair on. On live podcasts, Right?
B
That mustache is insanely ridiculous.
A
That.
B
That's not going to fly. I really should stop playing with the buttons.
G
We should just label this episode. Everything's down.
C
If you can see this, your Internet works.
G
You must be on a hacker net. I'm actually surprised that Zoom is running.
D
Yeah, I was thinking the same thing.
C
It must be US West 2 instead.
G
Of us West 2.
B
Yes. I'm going French today. Bonjour, bonjour.
C
From Mars.
G
Let's see how horrible all of our French is in one show. Honestly, when I was in Paris, I just did my best to get by with English.
B
They probably appreciated that more because when you butcher their language, they get kind of cranky.
G
Oh, my gosh. Well, like, in, like, Paris and stuff like that, like, they know how to speak English. Like, I was trying to speak French, but I mean, I can hardly speak English. So, like, I mean, come on, give me just one.
C
France is the place where they all know how to speak English, but they don't really want to.
G
No, they don't want to. Yeah.
A
They're like, ah, damn tourists.
B
Get out of my city.
G
Especially if you're like. If you're an American in. In Paris, right? The older French, they're like, oh, can I help you? But the younger French are like, screw you, go to hell.
F
Yeah, not all the older French.
C
I mean, in high school, you know.
F
Yeah, in high school, my. My French instructor was Parisienne, and man, she had stories. Oh, my word, she had stories.
C
Can people in Discord actually see this? Yeah, they're.
F
They're responding.
D
They're responding.
A
Y. Yeah.
B
That's frightening that they're responding.
C
Yeah.
B
For those.
C
For those out there that are curious, Restream is down or is partially affected by the AWS outage. So we're over here in Zoom Land.
B
In Zoom Land, we're Zoomers.
F
Now, will the people in LinkedIn be getting a stream too, or are we leaving them in the cold?
G
I think. I think LinkedIn's down today too.
C
Oh, no, that's got to be on Azure. They're owned by Microsoft.
G
Did you know it? I guess. I guess Microsoft, right, bought GitHub a little while ago, and they hadn't changed anything, but just recently they decided to, like, put the hammer down and they're moving everything to Azure. Right. So all of GitHub is going to be on Azure here very soon.
A
GitHub was blinking a couple of times today in my class.
C
Oh, John's here too, huh? Hell yeah.
E
Yeah.
A
And it could be completely unrelated. The only other time I've seen GitHub, like, flake like that was. Oh, my God. It's whenever we gave it a hug of death for one of our webcasts.
G
I was going to say, every time I do a push.
C
If you don't know how to use GitHub, it can never go down.
G
Yes. I mean, he's not wrong, right? If you don't know how to do a git pull or git push, it's never broken.
C
Oh, Git pull and push. I'm okay with Git. Merge is where I get a little scared.
E
Yeah.
A
And usually it's like, if anybody is like, I'm a little uncomfortable with the merge thing, don't push them to merge. I see the hats in the backgrounds. Are we just, like.
G
I think we're just testing out all the features, John, that they wrote into Zoom over the last, like, you know, Covid era days. Right, like where you can wear a hat and hackers.
F
New toy.
G
Come on.
C
Backgrounds.
G
I mean, like, they literally have teams of people just thinking this stuff up, John.
A
Yeah, no, just, you know, what they need is more pirates and more heart emojis.
B
Yeah, I'm totally going to put the pirate one on. I think I was gonna go French.
A
But what do we do with all of the people who are completely adhd? Like.
G
Yeah, for everyone on audio. Don't look at the video.
A
What does the AI companion do?
C
You can just react with every emotion.
G
Fear. John.
B
Do not touch the AI.
C
I will say you. You can react. Oh, I see. There's only effects. Wait, hold on. There's a. Is there effects for everything?
G
Zucchinis that are going up your screen?
A
I don't know if.
C
I guess there are.
G
That was a hard one to find, wasn't it?
C
Listen, if you've ever had. Listen. Okay. If you've ever had Japanese eggplant, it tastes completely different to, like, the stuff here. No one used to. From eggplant parm. It's not the same. It's better.
G
Yeah, no, you're. You're correct.
C
Take some of that. Glaze it with soy sauce or some miso. Oh, my goodness. Delicious. That's really going to get into how.
A
To glaze an eggplant on this show.
C
Yeah, that's where it works. I would recommend, like, a tablespoon of honey, a couple tablespoons of soy sauce, maybe some mirin.
F
Miso is wonderful stuff.
C
I'm going to go out on a.
B
Limb here and say all vegetables outside the United States are t. Taste better.
A
Yeah. Just saying.
C
Not French fries.
G
Not French fries.
C
You know. Is that it?
B
It's not really a vegetable, though. Yeah.
C
Count a potato for an American. That's considered a balanced diet if you eat French fries.
G
Yeah, yeah, that's honestly.
A
So it wasn't supposed to snow, but it's going like full crazy snow out there, right?
B
Oh, I see it in the back.
C
Wow.
G
Spot on.
C
Yeah.
A
The AI effects for winter in my job.
C
Wait, is it actually snowing?
F
So winter descended?
B
Yeah.
F
In the badlands, huh?
A
Hold on a second here. Let me.
E
Don't let Wisconsin here yet.
B
Like, you say that you did a.
C
Podcast from the rain. Can you go ahead and do one from the snow, too? Yeah. Were you there for that episode, Ralph? He was literally like sitting on the podcast in the rain. It's beautiful. Podcasting with his hood up.
A
Oh, Ralph wasn't here for that. That was. That was something else.
F
In witness protection. He was in the dark. He was on. On the ledge. He was in a hoodie. It started to rain.
G
Wow.
C
Yeah, it was like.
A
It was like 11 o'clock. And I guess the people in our apartment complex in. In Germany were very pissed off that I was doing. Doing a webcast at 11 o'clock.
C
American outside. Yeah. You know why? It's because they're German. They were doing lüften or whatever at 11pm and having all their windows open even though it was raining and cold.
A
Yeah.
B
Could have just sent over a bottle of schnapps. Said, drink up.
A
Yeah. Welcome. Well, the nuns left so much liquor over there, Joff. It's crazy. Oh, yeah, the nuns must. They must have. They must have been hammering down.
C
That was holy water, dude.
B
Yeah, exactly.
A
Jesus turned water into wine. We turn it into vodka.
C
Oh, no.
A
It just occurred to me that I don't have the intro video. That's okay. I didn't put it on.
B
We can pretend to do it if you like.
A
Like Ryan, like. I, I. You know, we can just. We're streaming to Discord and I'm going to get on the Discord real quick just so I can see the Discordians come up.
G
The Discordians. I gotta get. Definitely true.
C
I'm just gonna go find a replay of our last podcast, share my screen and play the video.
A
Let's do it.
G
That works.
A
Let's do it. Yeah. This is such a train wreck today.
C
Whoa, whoa. It's only a train wreck now. You Amazon, you acknowledge that it's a train wreck. What? Also, what will I get an ad for? Does anyone have a fun like, that's the guess.
G
Yeah.
A
How about we let.
G
I don't know. It's really gonna show what you like to buy.
C
All right, here we go. I'm gonna. Do I even have rights to share my screen?
A
So tired. I'm trying to move my iPad over and I'm trying to use my mouse to physic. God damn, I'm tired. Oh, okay.
B
I'm gonna say finding the right channel is the test to become a Discordian.
A
Exactly. Are we gonna start calling our Discord fans Discordians?
B
I think it's a great.
G
A great name for a tribe of fans.
B
Yeah. You know, this hat looks silly. I gotta take that off.
A
No, that looks fine, Joff. It looks fine.
B
I mean, it is, you know, The Australian dialect is as close to pirate as it comes, so I think it's appropriate.
A
You gotta own the hat. To be honest with you, I didn't even think it was a gimmick. I thought you literally had a patch and an eye and a hat. I mean, it's just that good and it just fits.
B
Well, challenge accepted. I guess I have to get one now.
A
I saw your screen share for a second.
C
Yeah. No, I have to install something to record the audio.
G
Oh, my God. I have to reboot my computer three times.
D
Anybody know how many computers work?
C
Oh, my God. My entire audio. Oh, God.
A
Did I. Did you guys hear about the shirt? We're going to create the next shirt for Antisyphon. No, no, it's going to. It's going to have a sexy keyboard on it and it's going to say, touch me instead of grass. Anti.
C
Okay, are we ready? Is everyone ready for this?
B
I think we should just do it.
A
That actually works pretty well.
B
I mean, it works. It's cute.
A
Not too bad, Corey. Take it away, sir.
C
Hello and welcome to Black Hills Information Security's Talkin' Bout [infosec] News. It's October 20, 2025.
B
God, already?
A
Already?
B
Yeah.
A
It's amazing how time flies when you get old. This is another one of those shows. It's going to be real tough, you guys. Nothing's going on.
C
What do we start with?
A
We.
C
Basically, the top stories today. I would say we have the AWS outage, which there's not really anything to talk about, but we're here to commiserate with you as you don't work because the Internet's broken.
A
There's an F5 affecting us right now. I mean, that's why we're on Zoom.
G
Yeah, it's true.
A
I don't know. The F5 thing is huge. The Amazon thing is huge.
G
Yeah, the F5. A whole year, probably.
F
That's.
A
That was big.
C
So, okay, my thing on the F5 thing, my. This is my personal hot take. I'm curious to hear other people's hot takes. I think it's kind of a nothing burger, because first of all, they had access for a year and they couldn't pull off a zero day. Okay, well, I'm not worried. I've got a rebuttal.
A
Okay, so I want to touch on that just a little bit. Like, if we're looking at the. So if we're looking at them dwelling for that period of time, like two things. One, they were there. Right. And two, I am getting more and more and more concerned as time goes on I'm getting a lot more worried about the, not the zero days that they just pop and they go right away, but like the hold it and dwell type 0. And I think the fact that we don't have any zero days that came out of this doesn't necessarily mean they didn't have any. It's just if they're using them, they're keeping their powder dry. As a pirate, I wouldn't know.
B
I tend to agree, especially in the age of AI I think they've probably analyzed as much of the source code as they can, and they're probably just piling a shelf up of stuff and just holding onto it.
A
All of that has changed right now, Joff. Right. Because if you're holding on to those zero days, then as soon as it's. It's clear that their source code is out there, all of the security engineers at F5, like, we really need to fix this. We're using gets everywhere. That's bad. Oh, it's fine, it's fine. No, no, no, we shouldn't be using it. Now all of a sudden those engineers are getting yelled at by the CTO for like, why didn't you tell me about this? And they're like, we told you five, six years ago. So there's panic right now.
B
And it's, the security group is probably going, hey, look, vindicated, guys, come on, I told you to fix that. It's time to fix that now.
G
Number one, for like a year.
C
Well, and, and just for clarity on, I, I mean, we're kind of just assuming the entire audience has read the article, but basically the details of what they disclosed, they said that hackers had access to their technology support and engineering department for like a while. And they did. They said that they're not aware of any of these flaws being abused in the wild. They're also, as part of the breach, they had access to like their internal dev portal where they could see like open vulnerabilities and findings reported by security researchers. They did specifically say in the, in the advisory though, that none of the vulnerabilities that all the vulnerabilities the attackers had access to have now been fixed. So they recommend you patch. So go do that. But also of those vulnerabilities, none of them were RCE or critical severity. I don't know. That to me, adds credence to the whole this is a nothing burger thing. The other thing, like John said, persistence, you know, long term dwelling. Yes, that's true. But I guarantee you, or I don't guarantee You. But I would imagine F5 did like a threat hunt on some of their customers as part of this advisory. Right. Like to see if there are like persistent access backdoors, shells, etc. Maybe they didn't, but in my mind they had to. Right. Because otherwise this would be an incomplete advisory.
G
But I think, I think we're missing like from what I could gather was the actual attack, which was just a, essentially an information attack. Like this was nation state hot nation state action. Right. So all they wanted to do was just sit there and get as much information as they could. Okay. This was, I don't think it was necessarily about like collecting zero days, like Pokemon and then deploying them all out the world. Like they'll take that if they can get that. Right. But I think this is just an information campaign to gather as much. And to use that in other attacks. Right. Or to use that just to find out anything about F5's customers, about anything that they can do to spread that and stay as long as possible. And eventually, you know, the party, the party ended. Right.
E
Well, yeah, I took a look at the, like the SEC filing as well and I found something like interesting there for the, for the general audience is that they, they said that they're engaging CrowdStrike, Mandiant and other cybersecurity things which, which tells me that it, it seems like F5 was a CrowdStrike customer. So we can go on for like the CrowdStrike tagline of we stop breaches or I mean we can beat up CrowdStrike like, but that's not the takeaway here is that there may be a lot of organizations that are using CrowdStrike services. Was something misconfigured? How did the Overwatch team not get the logging? Did they not see this? What is happening? And you can't be one of those CrowdStrike customers that goes, we own CrowdStrike. We're immune from breaches. It's like, do you have things configured properly? Are they seeing the right information? Like, how does this slip past those defenses?
A
And I think that that's a great thing. But from what I'm looking at, and I'd like to get Ralph and Joff in on this, I think in a lot of ways CrowdStrike is an endpoint protection project and an EDR wouldn't have applied in this situation because it sounds like they got access to a number of different servers and services and they were able to dwell. But, but, but I think that your question is valid because I do believe, and we're seeing this in a number of different orgs where they end up buying something. Like we're just use CrowdStrike as an example. Right. And they get this really, really strong false sense of security. Right. Like, great. CrowdStrike's got your endpoint locked down, your workstations locked down. Good for you. That doesn't necessarily mean all of your cloud services, your customer portal, your dev pipeline, CICD pipeline is secure. Well, and I think that there's a lot of people that are like, I'm spending all of this money on an EDR/EPP and therefore I. Why would I spend more money on these other things? Because, you know, I go back to, you know, good security is flipping hard. And doing good security is not just buying a good endpoint security product. It is basically, are you doing extrusion detection? Are you doing, like, egress network traffic analysis? Are you monitoring your cloud services to make sure there's no weird logins with Impossible Travel? Who's accessing your code? Like, there's a lot that you should be doing, but once again, that isn't what's being sold to people. What's being sold to people, like you said, is buy CrowdStrike and everything's good. Because that's what all vendor marketing teams do.
E
Yeah, I think that's a big takeaway for what you said, for everybody that's listening and might go, I'm not an F5 customer. This is a nothing burger story. Maybe. Why should I care? It's like, here's a lesson to take away is, you know, always keep improving your security and don't just, you know, sign the checks and say, we're good.
G
So the other thing, too, I notice, and I see this over and over again, we talk about these stories. We're like, I can't believe I'm just going to insert some company, F5 got hacked. They must have a horrible security program. And then it's the next company, and then it's the next company, and then it's the next one. And then eventually you're kind of like, well, do they all really have the worst security programs or is this just so hard to actually do that? You know, we're seeing. We're seeing it kind of iteratively happen to these companies that do have good programs and maybe they do have weaknesses and they get exploited. But I think the point is that we all, like all of these big companies have these weaknesses, and the bigger they are, the harder it is to kind of, you know, take control. Right?
A
Absolutely. We've talked about it for years trying to break into companies. Much larger companies are easier to break into, very small companies.
G
Yeah.
D
So on the defense side, I can go ahead and say that exact same thing. You've got situations like this and the higher ups will go ahead and say, oh well, they were running Microsoft, they were running CrowdStrike, so we're not going to use them because they're easy to go ahead and bypass. They don't understand that there is no perfect security. They figure security is an end game and not a journey and not something that's going to keep moving and the needle is going to keep moving and you have to keep up with that needle to go ahead and be as secure as possible.
A
Yeah, Perfections in the paranoia.
B
Yeah. We all know it's a really tough job to do it and then even when you do it right, you're still going to get popped at some point. It's a matter of, you know, what your plan is at that point.
G
There's just so many endpoints, there's so many servers, there's so many assets they're dealing with right across teams.
B
Right.
G
Teams of people, groups of people. I mean all this, of this other stuff. So yes, the big companies have it, have it hard to keep control over it. And it even is worse when you're like a security company as well. Right.
B
So yeah, in particular, software supply chain always scares crap out of me because there is so many possibilities there. And I'm also concerned that nobody's really talking about this. I'm also really concerned about the machine learning ops pipeline that nobody's talking about, which has got a bunch of data scientists that know nothing about security. But anyway, that's going down a tangent. I want to just address the endpoint protection stuff. You know, maybe there's a maybe in here if in their CICD runners they had some endpoint protection as part of that process. But I don't see it as really directly connected necessarily to their infrastructure. And I don't think it would be effective the way I would probably set up the infrastructure around source code for such an animal.
C
So I, I think the biggest takeaway of this breach for any CISO or security person out there is to put security measures in place on your dev and test environments beyond what you would do and potentially beyond what you would do in your production environment. Like, it's not super clear whether they have their endpoint protection, CrowdStrike, whatever, deployed in their test instance. I've seen plenty of customers who don't do that who are like, oh, no, it's dev test. It's exempt from endpoint compliance requirements.
B
I was just doing some source code work and in all of the unit tests for the development source code, there were hard-coded credentials and hard-coded tokens. All of them?
C
Yeah. Well, that's a separate issue. I'm talking about the security of the dev and test systems themselves, not the CICD side. That's a whole different beast. But like, it's possible. We don't know the technical details, but it's possible. My guess on this is it's a combination of something like a GitLab server or a, you know, some CICD type infrastructure and a bunch of endpoints or environment or active directory related to that. Yeah, that would be my guess.
B
It would not surprise me. If you look at GitLab, GitHub, that in dev branches, those tokens and stuff are creeping into the dev branches, Right. So that's a really big danger area.
A
This is going to be a second, but over the weekend I really, really got into kind of what's going on in China and kind of how things have fundamentally changed. And if we're looking at. Up until last year, China's modus operandi was kind of disorganized, Right. If you look at China, it's very hard for us. Right. Because people look at China and they think it's like a monolithic dictatorship. And it is. Right. But it was also a whole bunch of different provinces that kind of had their own generals and their own people doing their own shit.
B
Right.
A
So you would have a series of groups in one part of China that would be doing hacking and another group in China would be doing hacking and another group would be doing hacking. And that creates really big confusion, oh, as far as who has access to what and who's doing what. And it also created a lot of competition internally within China, which is something that's very historically driven by the way that China has always done things. There's always internal competition, even though they're all part of the Communist Party. So everything started changing. I want to say 2016, 2017 timeframe and Xi Jinping was really kind of pushing this idea of China becoming a great cyber power, or cyber great power is how it's actually transferred, translated. And they wanted to focus on three areas, air, sea and cyber. That was where they're going to put all of their funding for defense and offenses in those specific areas, because those are the areas that they think that they stood the best chance of dealing with the United States.
B
Right.
A
And so far that's been very successful. So what the hell changed, right? So what started last year is they started unifying all the different cyber efforts under one group and one kind of leadership directorate under the PLA. This crap is. I can't remember what university published it, but there's a university that gets their internal, like, military doctrine and memorandums and translates it so you can read it. But if you read that whole doctrine and how they're trying to do things, you're kind of moving from like Salt Typhoon to Volt Typhoon, right? And Volt Typhoon is specifically targeting persistent access and infrastructure. That is what they are focusing on. And when you're reading kind of their methodology, they don't call it Volt Typhoon, but their methodology and what they're doing going forward is really heavily based on what they saw in Ukraine in the opening parts of the war, and also what they saw with the data breaches coming from the Vault attacks against the CIA and Shadow Brokers. So in the opening salvo of the war, Russia launched the largest cyber offensive ever. At that particular point, the problem was Russia failed. Russia's full goal at the very, very onset of this current phase of the Ukrainian war was to completely cripple the infrastructure of Ukraine. So their communications were degraded to the point where they could not react to an invading force, and they launched that attack. And there was a whole bunch of Western IT firms that were part and already in Ukraine, that were working with Ukraine and trying to help defend Ukraine systems, and they successfully kept the communications network up in Ukraine. I don't know if anybody is aware of this, but China's literally been hacking Russia because they feel like Russia's not giving them honest answers to their questions about their cyber offensive operations.
So China's been watching all of this crap and watching Russia kind of fumble around still on the cyber perspective in Ukraine and seeing how much it degraded their effectiveness on the ground. And then when you start moving into Volt Typhoon, right? We start looking at Volt Typhoon and trying to gain access to critical infrastructure. The new doctrine is taking what they learned from the failure of Russia to successfully take over critical infrastructure and cripple Ukraine's capabilities, and then they're coupling that with what the NSA and the CIA has been doing in the United States forever, which is take over, get source code, find exploits, get back doors for as many routing and edge devices as you can possibly get your hands on. So if we're looking at this, right, like, if we're looking at this particular attack, this absolutely falls in the playbook of where China has been progressing for the past few years. And I know this breach goes back to 2023. The point is they're now kind of unifying all of their cyber offensive operations under one group and it's now coordinated very much to gain access to services like this, maintain access to services like this, monitor customer communications, try to get source code, try to input source code inside of the supply chain for maintenance, for maintaining access. And also a lot of their source code, and this is something that a lot of people aren't talking about, isn't necessarily persistence, bidirectional communication and two way access, it's kill switches. So basically, can we put in some source code that can send a command to a firewall, to a router, to an F5, whatever BIG-IP that causes it just to shut down and become non functioning. And granted this is fear, uncertainty and doubt, right? This is some random ass person on the Internet telling you this.
But if you look at what China is doing and you look at what they are, what their goals and their objectives are, this entire attack methodology is right up exactly the way that their military doctrine has said that they need to start gaining access to companies or continuing to gain access to companies like F5, networks like Palo Alto, like Fortinet, so they have that type of stuff. So I do agree that Corey is talking about this from a nothing burger, from the perspective of are we going to see zero days for F5 and all these things. But I think that everyone in information security needs to take a step back, take a beat, look at this, and now start to have serious questions about overall supply chain in a variety of different places. And knowing that CrowdStrike or whatever EDR that you're using is not going to protect the entire organization. What are your security posture that you're going to put on those things? What is your security support structure? And then going further, what are you doing to detect? Like, like I said, this is, you know, this is why we created AC-Hunter, everybody. Like, it's not for the attackers that are trying to do ransomware. It's not the attackers that are general skidiots that are spraying and praying. It's trying to go after these level of attackers. And one of our customers was absolutely part of Salt Typhoon. And I remember we were at Wild West Hackin' Fest last year and they hadn't renewed their subscription and they were panicked because AC-Hunter was one of the things that detected what was going on. But going back to what she was talking about, it's not about just getting an AI product, you have to have humans that are leveraging the tools, including AI, to try to sift through this stuff. So you have this constant paranoia because I'm going to be blunt, I'm scared shitless that something did get put into F5. We have no evidence of that whatsoever. They're going to try to minimize that.
We don't know how long they had access to source code, did they have commit access? Was anything committed? How many accounts did they have access to? Really? I'm hoping that F5 is going through with a fine tooth comb. All of the commits that have happened. And this sucks in the past two years because it's not just a persistent backdoor, it's basically looking for kill switches. And if you want an example of how advanced these backdoors can get, go look at a code analysis for SolarWinds and what the Russians were able to put into that. That code was fantastic. Very well written in multiple different parts of the code base. It was a very, very good. It wasn't like begin rootkit here. It was very much distributed across the entire.
G
At least they put comments.
A
Oh yeah. So that, like I said, this was going to take a while. But I really think if you're looking at China and you're thinking a whole bunch of mediocre hackers, China has completely pulled all of their CTF. They no longer come to DEF CON, they no longer do any hacking competitions outside of China. They are now very, very focused at doing exactly this type of thing, which by the way, the NSA has been doing for a long time. So just kind of a long thing about this. And that's what concerns me more than anything about this attack.
G
I think, I think there was an article too with the NSA what just got caught by China doing the same thing back.
B
Yeah, that's funny. I mean, think the really big take home as part of that discussion, and I think John spelled it out pretty nicely, was it's all back to that software supply chain. And then the deeper you get in, in the early phases of software supply chain, the more impact you can potentially have. Right? And I've worried about this for years because the entire Internet and everything that we use is just built on this stack of technology that goes back so far and we don't know truly what vulnerabilities are in this stack of technology. And that part, I mean, OpenSSL was a good example several years back where they got popped with a couple of things. That kind of thing, when that happens, has such a broad impact that it's super, super scary. And lately I'VE been very, very worried about the machine learning ops pipeline side of what's going on in AI model building, because it's a.
A
It's a well and potential. Forget Jeff. China's right there in the middle of that with you. They're not worried. They're looking at this as an excellent opportunity.
E
Exactly.
B
And the number of PhDs they've got working on that stuff is exceeding everybody's capacity.
C
You know, it's crazy in China. I have a PhD. One thing, I. I stole it from someone else. The one thing I guess might like, we've talked about this article way too much and we should move on. But the last kind of note I want to say is, in my view, I think this is a coin toss whether it's actually an APT nation state or whether it's a financially motivated threat actor. I think you can make an argument for either side. I think my argument for it wasn't a nation state is they sat there and didn't do anything with it. They didn't deploy a backdoor into the code, I guess that we know of. They didn't compromise.
A
Every backdoor was brickstorm. There was persistent access, and that has been sometimes attributed to China, so. Sorry, go ahead.
C
On F5, on the.
A
On the F5 network. And by the way, that particular malware is not associated directly with China. It's not completely tied. It is. Has been associated, has been used by groups that have been known to have affiliations to China. The exact group is unk.
C
Well, it's always an un.
A
It's always an unknown.
C
Gets around it.
A
Does that. UNK group, they're really good.
C
So, I mean, I guess they're attributing it to an unspecified nation state actor, but I don't know.
E
That's.
C
That's the default move for any breach.
G
Yeah, I mean, that covers the whole. Like, we weren't doing our job because you can't protect against nature.
C
Well, they were highly sophisticated. Okay.
G
In our defense, they were level 10 nation state. Okay. This is like. We were like. It's like a Cat 5 hacker, you know, that's.
C
We were only ready for a Cat 3 hacker.
E
Yes, exactly.
A
You gotta watch out for those Cat 6 hackers. They move faster.
C
These are hurricanes, John, not networking cables.
G
Oh.
C
Remember, you gotta remember where Ralph lives.
G
You know.
A
You know what was funny?
B
I was right there with John. I was about to say.
A
I don't know. I was rolling with it, man. I. You know, we. We've seen the OMG plug. It could be an OMG Cat 6 power.
C
Whoa, whoa. F. F5 supports Cat 7A.
G
All right, either way, I think that that, like, duplicity of that.
C
Yeah, it.
G
It.
C
Yeah, you. You take that, interpret it as you will.
G
It could be fine as you will.
E
Either way.
C
All right, what's next? I mean, we could talk about this age verification thing. It's potential. I mean, I thought that was an interesting one.
G
So I think it's so. All right, so I'll open that one up just a little bit more because I think it's a little bit broader than just this article. Right. So there's a lot going on right now in the industry. I want to say the industry more like, I would say like laws and politics, right? Not to get into politics, but more specifically around the law and how this affects us and everyone. From a technology standpoint, this is about age verification right now. There's many states who have passed laws now that are kind of enforcing age verification across something like all of the App Store, right? And I know Texas just passed a law that is doing that. And what. What it's requiring you to do is essentially as like a parent, you have to, like, approve everything that goes through there. And then if you make a new account now, you have to prove that you are over 18 in some meaningful way, like, I guess, giving a driver's license or something. Right? Which is something Apple did not want to do. The California law was actually less restrictive and falls in. But the bigger thing is, and we're seeing this across the board with age verification back in the day, right? You could go to a website and they'd be like, are you 18? Yes or no? Difficult question here. You could still access the website, right. There was no actual limitation to this, but as we've seen recently with Pornhub, among many other sites that may require age verification, this is now becoming much more in depth than just clicking yes or no. And the ramifications of this are things like Discord, where all of those age verifications were put into a database and then compromised, so on and so forth, right? So there's a lot going on across the board, not just in America.
A
I got a question, because this isn't my cup of tea, but if you can't get porn, like, without providing proof of, like, your age, like, where is it still possible for people to get porn on the Internet without providing age?
C
Okay, first of all, the whole point of the Internet is for porn.
A
I'm asking, I'm asking, is this a solved problem now?
C
So, okay, I might have to do some research. So here's, here's the answer.
A
It goes deeper. Excellent.
C
The answer is the same answer. It always is. Which is that it depends. So I don't know about Pornhub specifically, but my understanding was when all those states required age verification, they just don't work if you are reporting from a geolocation in those states. I don't know if that has changed since we, there was a news article, we talked about where basically the, the reputable companies in those spaces, they pulled out. They, they said that's terrible.
G
Wow. So, wow. No one saw that.
A
That being said, it's better that they pull out early rather than later because of all the concepts.
C
Yes. So okay, the reputable companies pulled. The reputable companies pulled out. There are going to be companies who don't follow any of these laws because they just don't give a crap. They're based in the Netherlands or whatever. They don't give a crap about following US Laws.
G
Yes.
C
However, this article is talking about California requiring tech firms like Google, Apple, etc. To collect a user's ID. A user's age on the device.
G
Yes.
C
Or, and then allowing App Store developers to request that information in app. So yeah, this is essentially a centralized.
G
Yeah, this is beyond the porn argument. Okay, we're going past that. And this is for all apps that are used in the App Store, specifically Apple or Google. You'll have to provide age verification regardless. Right. Like it doesn't matter if it's for everyone that has to have some kind of age. Like that account has to be age verified in some way, shape or form.
C
Yes. And so essentially I kind of, I don't know, I'm curious to get other people's takes on this. But my take is like the true way of doing this system, which of course has privacy implications, is to have like a centralized national identity system, whether it's based on crypto or certificates or whatever it is that is like you're not a Social Security number that proves how old you are and you can use that to like verify your identity just throughout the world. Right. Like here's my national identity. You can like kind of like OAuth, you can say you have access to see my age data and that's that this is like laying the groundwork for that because I would much rather do that than have every site collecting a picture of my driver's license.
G
Yes, right.
C
So I mean, in my opinion these laws are just dog whistling.
B
Right.
C
They're just like we care about the kids or whatever, you know, but, but.
A
I want to go back to what Ralph was talking about, if we, if we, if we open the aperture on this stuff a little bit, a little bit wider. Right. I just pulled up a bunch of laws because the UK has been doing some really weird.
C
Yes, they're way ahead of us.
A
Yeah, they're way weird.
G
No way.
A
So you got the Investigatory Powers Act amendment in 2024 and then the Online Safety Act and basically especially the Online Safety Act. We're looking specifically at attacks against encryption. Right. And direct attack against VPNs. And then we're also talking about age verification.
G
Right.
A
And when we're taking all of this, which is weird, I mean, the UK is no longer part of the EU and they don't have to worry about GDPR as much as the other countries in Europe. But this isn't just in the United States. It seems like there's this strong march where a whole bunch of these different nation states are moving to less and less privacy, less and less encryption, more and more oversight, more and more capability to gain access to encrypted data on people's phones and everything. And we're not seeing the pushback that we saw a number of years ago. I mean, there was pushback from Google go all the way back to Skype, where I remember working actual cases with children. And well, they weren't children. Children were the targets of what we were trying to do. And Skype would just say, f off, we're not going to work with you. And we're having more and more collaboration with these very large organization, very large corporate entities that are more and more willing to start capturing this information. And I think all puns and jokes aside, that's the terrifying trend of all of this. Go ahead, Bronwyn.
F
Of course they want to capture it because then of course they can data mine it and they can sell to the children and their parents because of course children don't have any influence over what their parents do. Right. No, it's, it's really, it's not surprising to me that Big Tech is willing to play along with the, the politicos who are, are trying to push these child friendly policies because that makes them look like they're, they're playing along and they're, they're really nice and they're trying to help the kids too. We're not the bad guys here.
G
Well, that's my takeaway in this particular case. I know that Apple was pushing back immensely. It even called up Texas Governor Abbott. Abbott, yes. And said like, don't do this Tim. Tim Cook was like, don't do this. And he did it anyways, so. And the reason I think is they just don't want to pay for. They just don't really want to. Like, it cost them a ton of money.
C
I do.
A
I do believe at some core, it's kind of like the Grinch and the coal in his heart. I do believe at some core, Apple does have privacy concerns. I do believe that there is still that faction.
B
I do. Sure.
G
So. Well, yeah. Okay.
A
Okay.
B
But I just have. I just have one question, though. I mean, you've been talking about protecting the children, but is there going to be a point where I age out of being able to use the Internet? And. Yeah, you have to check the. Are you young enough?
G
Like, you're too old to drive? You're too old to use the Internet now. This is like a danger to your health actually. Right.
C
You put your age into AI and it just starts recommending, like, knitting patterns. I'm not that old.
A
This whole Bad Bunny thing, you know, without politics, I'm like, I'm gonna go listen to Bad Bunny. And I gotta be honest, I dig Bad Bunny.
G
Oh, yeah.
C
Sick.
G
Yeah.
A
No, dude, it turns out what I was expecting it to be. It's like, really cool. But I'm wondering at some point, like Joff, they're gonna show a picture and be like, who's Bad Bunny? And Joff's like, I. I don't know. He's out. I want you to hum a bar of a Bad Bunny song.
G
I do.
A
You're gonna be.
G
I do think the solution, though, going back to Corey brought this up in the very beginning. I do personally believe the solution is, is that instead of the. Our governments writing laws that then go, you go figure out how to solve that. Why don't you make. I mean, the same thing with, like, you have driver's license. This is just a really old version of identifying, like, it's just ready for the Internet. Right. Why can't we bring that into this digital age? If you want to enforce that, why don't you be part of the solution instead of just doling out problems that other people need to solve and then be surprised when it messes it up or, you know, ruins other people's, you know, privacy.
A
So here's. Here's my thing, you know. You know, we always talk about, like, in the 80s, right, whenever we were playing outside, you would go out and you would come in. Whenever the street lights came on and you would drink water out of a hose, you would go Find rusty farm implements and then, you know, like play with them. You, you would do all these things. And what happens over time is you have people that are like, well, maybe, maybe we shouldn't let, let kids that are 9 years old run chainsaws because one kid was running a chainsaw. So now it's all power tools. Kids can't work with power tools now. They can't build forts. And then it just progressively encroaches over time because no parents want to argue and say, you know what, actually my parents did. No one wants to say, I need my 9 year old to work on power tools. I remember I had a teacher in middle school that found out I was working with power tools because I was doing construction with my family and was very mad and brought my parents in, right? And my parents were like, F you crazy lady. But what happens is it starts to encroach short like in these small increments over time. And safety is always the concern. It's like till you get to the point where you don't see kids outside anymore. Everything has been so locked down. Where I have a friend of mine, his kids were playing in the front yard of his own house and the cops got called on him because his children were unsupervised and his kids are like 9, 10, 11 years old. And all of this shit gets more and more restrictive over time and we keep putting in all these restrictions and, and then we start talking about terrorism and that's a lot of the laws in UK. If you go back and you look at the debates, yes, I've been on a poli sci kick again for a while. If you go and you watch the debates of all of this stuff, it's all we got to stop. We got to stop terrorists, we got to stop online predators, we got to stop all of this.
And they're willing to continuously infringe on the privacy of people again and again and again. And it becomes this thing where someone shits themselves, everyone has to wear diapers. And I would like to put forth an alternative solution to this is raise your goddamn kids. Like, you know, have some level of watching what your kids are doing. Try to do this and don't make this the responsibility of the state of Texas or Montana or Arkansas or any of these states to do full age verification because a kid may go to a porn site and see something on a porn site. God forbid that happens. It's like maybe, just maybe, parents should be responsible for their own raising of their own children and not make it this huge thing that we're dealing with. And I like the Internet being wild, crazy. I like it being kind of unhinged and chaotic. But if we're looking at where all this shit is heading over the next couple of years, somebody just said, just like the TSA. Yep, that's kind of where we're headed, right where it's going to be like, we noticed that you were using a VPN. And what were you using a VPN for? And we don't know. Like, only criminals use VPNs.
B
And.
A
Oh, and. And. And weirdos on the Internet and furries, I guess. I don't know. And I feel like that's where we're headed very quickly.
B
Okay, I gotta tell a quick parent story. Okay. I have to. So when my kids were teenagers, which they are no longer teenagers because I'm old as dirt, I put a. Yeah, it's a privilege.
A
Being old is fucking awesome.
B
So I put a proxy on the network and I was logging all the web requests, right? And when I found out that my son was surfing porn, I was not an angry dad. I just grabbed a little printout of some of the logs and I took it to him. I said, I want you to explain why you're visiting these websites to your mother.
A
I gotta be.
C
After that, he never connected to your Wi-Fi ever again.
A
Alternative take is don't do that because your child might.
C
Oh, God. So, okay, I mean, I think where this all ends is we're all just a person born in 1901 and then in, like, some random VPN only country.
G
Yes, exactly. I'm thinking about a country that's like the VPN island where. Where everyone routes all of their traffic through to, like, you know, not have to.
A
Wasn't that the plot of Cryptonomic?
F
That's it. Sealand.
A
That was Cryptonomicon. I think that that was the plot. They were going to create a data haven for these things.
G
Speaking of privacy, we actually have three satellite articles which I thought was interesting. Yes. And so, all right, I used to do satcom in the military, so I was intrigued by these articles.
C
But that means you were sat a lot. You just sat around.
G
I sat around. So the one that I thought was interesting is I think it was a university or some other group of inspiring minds. They set up a satellite antenna and they wanted to see if any of the data on those satellites was unencrypted. Right. So for those who haven't played with satellites, there is a constellation of geosynchronous satellites. These are satellites that kind of orbit the Earth at the same spot all the time.
A
Right.
G
These are the main communications satellites outside of the LEOs, the low earth.
A
These are predominantly HEOs.
G
And so the LEOs are like the stuff like Starlink and other things like that. Those, those go by real fast, right. And then you can't see them anymore. So but what they were doing is they were listening for any signals off of these geosynchronous satellites. Right? And what happens is, is they tend to be very regional because they follow the Earth the same speed as the Earth rotates. Right. So whatever you can hear is from that location. But what they found is that some providers, like T-Mobile, I guess, was sending data or phone calls over the satellite back to a teleport unencrypted, Right. Amongst other signals. So, I mean, the TLDR is that encryption should be used even on satellites, right?
A
Encryption dilemma.
G
Yeah, it seems really like an evident article, like, yeah, you should use encryption. What they were saying is it didn't take much for us to be able to see that you weren't using encryption. Right.
A
When I was working at Northrop, we were working with the NRO, which is in charge of running satellites. And I will tell you, I had multiple arguments with engineers that were like, what do you mean we can't just use cleartext data transfer? Their argument was encryption introduces overhead. And especially whenever you're talking geosynchronous or you're talking HEOs, there's already a lag associated with it. And if you introduce a processing lag on top of that, then that's a big problem. Now, these were also people that had hundreds of thousands of lines of code use telnet for data transfer, which you should never do and use gets everywhere, right? But you, you see a lot of these engineers with these, with these technologies that they will push back and they always win the arguments. Every damn time. They're like, oh, you know.
F
Thing I get, the lag thing I get. I had a. Yeah, it's like Internet that was. That used geosynchronous birds, and I use them for years. And my low end, latency low end was in the 850, 860 millisecond range. Yeah, that was on a good.
A
Those days. Bronwyn.
D
What I'm surprised, what I'm honestly surprised about is that we don't find this happening more often. That this is the first real big story that I've heard in a long time about this, with the cost of SDR equipment being next to nothing. And that's the whole thing. I know tons of people that are ham radio aficionados that or enjoy going ahead and trying to hack around with stuff. With an SDR, like I've got one in the back, I can go up into those ranges and just pick up.
G
Sure. So you can go into those ranges, but you still need at least like you can do it like with a sub meter antenna. And you still got to point it right at the satellite. Right.
D
There's, there's on. That's easy. There's online systems to go ahead and show you.
G
I'm not saying you can't do those things.
B
Right.
G
And then you can go to the next bird and the next bird and the next bird and you can go through those frequencies. There's also more than just those frequencies. So there's Ka, there's X band, there's a bunch of stuff out there. I mean it is all over the place. Right. And where you are matters just as much. Right. They have little antennas on the top of those satellites that are pointed at very specific teleports.
B
Right.
G
So anyways, it's just all like dependent on what you have. But you're right though, it's not as expensive as it used to be.
D
No, but the fact that we've got companies like T-Mobile that are sending stuff without any encryption on it is just surprising that we've not.
A
Yeah.
D
We haven't heard about it more frequently or as big of a thing before because of how easy it is for the everyday person to go ahead and pick up these satellites.
C
Yeah, it says $800. That means it's a Cat 5 hacker.
D
The other thing is there's a number of these geosynchronous satellites and either HEOs or LEOs that actually have ham radio systems on there. So you have to wonder, are they mixing things up inside of their code when they're programming it and just forgetting to toss the encryption on top of it?
B
Encryption is expensive, right?
C
I mean, yeah, it could be that.
B
But that is the argument. That is the other argument that you hear. Right. Because you put a satellite up there, you've got power, budget concerns.
G
Right.
B
And that is operationally expensive.
A
Yeah, those are real concerns. The processing and the. But you ideally. And that was one of the other weird things. You shouldn't be doing a lot of processing on the satellite itself. But that's a whole nother conversation.
C
Yeah, a couple things. So I previously, years ago, I don't know if they're still doing this anymore, but there was this CTF called Hack-A-Sat it's still out there.
B
Yeah.
C
Because that was cool. It was like.
A
There was a number of years and there's a GitHub repository that has all of them, which is really neat.
C
If you're interested in this. It's a unique beast, I will say that. Like, I don't know, with a lot of this, there is software that can be changed potentially. But good luck patching your satellite.
G
Yeah, there's a lot of really old birds out there.
A
Oh, dude, I've patched satellites. Or I've been in the room when we patch satellites and butt puckers down. Right. And they're off, you know, for a while and everyone's just like. Well, in the sky.
C
I was gonna say. Yeah, yeah. Just satellite.
G
So that was. The other article is Jeff Bezos wants to send data centers to orbit because.
C
This is the stupidest thing I've read all week. This is so dumb. Does he not know how. Does he not know how, like, physics work?
G
Yeah. So the problem.
C
The reason servers are heavy. What.
G
The reason why that satellite cost a billion dollars is there's a bunch of reasons, but one of the big ones is how expensive it is to take it from the ground.
B
Energy.
C
It's literally just physics. How much energy it takes to launch something 17,000 miles an hour.
A
That's part of it, but also a lot of.
G
Why do you think SpaceX became such a big company? Right. Well, because they got a big.
A
Lots of them.
G
Yeah. Because they're launching stuff all the time.
F
Right.
A
Anyways, yeah, I remember there was one satellite. I think that this is public. I'm not going to say the name of the program or anything, but there was one of those billion-dollar satellites. And trust me, the stuff that's on those satellites is expensive and hyper.
G
Sure, Absolutely crazy.
C
Highly expensive.
A
Bracket on. I'm not joking. The bracket was mounted backwards. And when they started unfurling the solar array, it stopped like halfway. And it like. I don't know, there was some magic shenanigans they did to get some viability out of that satellite, but it was literally a billion dollars that went down a hole. Simply because a bracket was on backwards. It was nuts.
C
Okay, so the. The audience is already onto this, but I'm assuming that he just launched US East 1 into space.
G
Yes.
C
Is that what happened? Is that. What was it like the whole date?
D
Thanks.
G
It was a deal with Elon to launch AWS into space. It was like a whole thing.
A
It was cooler, you know, Think of the cooling savings. So you're gonna have Cooling savings was.
G
One thing he mentioned in the article, the unlimited solar ability. I. I don't know how big.
C
This is so stupid. I love how stupid it is. I'm glad that we've gotten to the point with Jeff Bezos where he looped around from like, genius billionaire back to stupid billionaire. I love it so much. It's so dumb. Oh, there's no clouds and rain. You really think the data center techs are, like, really worried about clouds and rain? They're not.
A
No one.
G
He was talking about that from a solar perspective. The article, by the way, is talking about that.
C
Yeah, solar's never going to power GPU. It's just not going to happen. I mean, you'd have to build a freaking Dyson sphere.
G
You have the whole sky. You're right.
A
There's. There's, there's solar, there's GPU. Like crypto mining farms in the. In, like in wind farms in Wyoming.
C
Yeah, yeah, yeah, yeah. But you know what? They're not Amazon scale data.
A
They're not Amazon scale data centers.
B
Right.
G
Putting it in the ocean. That is one been one popular.
C
Microsoft did that. It didn't work. Everything gets all rusty.
A
Yeah.
G
I mean, it turns out the.
A
The ocean hates everything and tries to kill everything.
C
The ocean was like.
F
Yeah.
C
Also like, turns out its ocean isn't that cold. Like. I don't know.
B
Anyway, my big question is, can they actually even solve the radiation effect problem?
G
Right.
B
Because those things get a little bit once they're out outside.
A
Oh, no, we.
C
It's okay. It's all ECC memory, Joff. Don't worry about it.
G
Don't worry about it. And they solved the Internet problem, too. They just put a big cable. It's just a tether.
B
It just.
C
Okay, John, you know what? You need to send them a ma.
F
Change the physics.
C
Yeah, it still doesn't change the physics. And John, send them a message that you have a mine that's 8,000ft deep in your backyard and they can just put the data center down there.
A
Done that. See, now you have to bring up the, like one of the two or three marital strife things in my relationship with my wife. I wanted.
C
You wanted a data center in a mine.
A
I wanted a data center in a mine shaft. Right. Like, that's what I wanted. And she wanted it filled so that. That hurts, man.
C
So that got filled. Got it.
G
Yeah.
A
All right, me too. We didn't even talk about the Amazon thing much, but I don't think it's that big of a security thing right now.
G
But it Was DNS, by the way.
A
Shocker.
E
Always.
A
Always goddamn DNS.
G
It was DNS. Yeah.
B
Well, if you know how to run it, right, it doesn't have to be DNS. I'm just.
G
It was in this case. I mean. All right, so we can argue, though, all right?
D
The.
G
The. All right. If we talk about the CIA model, right? The information ability, right?
A
They now call it the A.I. whoa, whoa.
G
Just listen, okay?
C
The availability is part AOC. That's political.
A
Okay, Ralph, go ahead.
G
I was just gonna say, though. I was just gonna say, and this was brought up kind of across the Internet, right? When you put all your eggs in one basket, when that basket goes, just fails, guess what? We're all affected, right? And we used to have more of a decentralized Internet, but now we've just, you know, three data centers, right? Three companies are running everything. So, you know, maybe. Maybe that's not the best design.
B
See, now, Ralph, you're channeling Paul Vixie.
A
Right now at that point. And I think Paul's given up completely. And he just rides his motorcycle around. He's like, this whole Internet thing was a bad idea. All right, so I've got something on this that so. So can put the camera on me, because I gotta. I gotta share something here real quick. All right, so you know how pen testing. Anytime you do a pen test, there's always a butt pucker that something goes wrong and you're gonna get blamed for it. So anytime there's a pen test, like, everybody in that company has a get out of jail free card. Like, I can guarantee you in Amazon, as soon as things went south, there was somebody that asked, are we being pen tested right now? And because they just got. They got to blame somebody, right?
G
Yes.
A
So I have. I have entered a new phase in my existence. So Canva was one of the companies that was using AWS that went down, and Canva goes down, and I get this text from my daughter where she says, do you guys do pen testing for Canva? Like, literally, I was. I was.
C
You got blamed for a pen test by my daughter.
A
Did you break this company?
G
So be honest.
C
Did you actually look up if they're a client?
A
I totally did, actually.
G
I. I just always think it's funny, too, when someone's like, well, you can't just run that yourself. Like, how are you gonna keep it online? You know, you gotta run it in something like aws. They never go down. I'm looking down all the time, dude.
A
Yeah, I'm. But. But I'm gonna go with it's. Okay, right? So my training class was smoked all day today. And it was funny because if I ran it, then I would be to blame and I'd be on the systems team.
G
Okay, so it's a blame shift thing. So it's.
A
So it is blame shift. Yeah.
C
All right.
A
100. And I have no.
G
You don't sue Amazon.
A
I have no problem admitting it. So my students are like. They're like, literally, like, you know, oh, well, you know, Amazon's down, no problem. Well, we're cool. If it was my stuff, they'd be like, like, I gave 25 for this class. The blame shifting is real.
G
You. You make a great point, John, because then, you know, they can go yell at the cloud. Literally.
B
Literally.
A
Unless it's in space, because there's no clouds and rain in space.
C
And you know what? Maybe it is just raining at the data center. That could be.
F
And shifting blame is better than losing £25 in 20 days.
A
Yeah. Oh, what's it like, life on the front lines? £25. And what. What was that guy doing?
F
I don't know. He was. But he was on the solar winds hack response. It was. I totally relate. I mean, back when I was still a developer, we're probably talking 2016, 2017, an Amazon engineer accidentally the fat finger to command. Just tons of stuff. We were offline for a couple of days. It took us a couple of weeks to get back up to snuff. Because when Amazon went down, when AWS went down, it broke so many other things. And so. No, I. I relate totally to this.
G
Do you think they have, like, a list of interns? Like, they have hurricane names, and they're like, when this happens, you fire this person, and if it's big enough, you fire, like, three people.
C
I will say for the. For the record, like, if you're actually a cloud expert person and you're, like, good at deploying stuff in the cloud, you don't rely on any one region for anything. You have regional redundancy. You have copies. You don't just only, oh, we use US east one. That should be good enough. Like, that it's not how the cloud's supposed to work.
B
Yeah, you're probably talking about 1% of that. That customers. Corey, maybe that's generous, but I'm just.
C
Saying, when you take the AWS basic training courses, they specifically say everything needs to be. You need to understand the concept of regionality and availability zones. And their whole model is not baked on.
G
I would.
C
If this region goes down, everything breaks.
G
I would also Follow that up. If you read Microsoft's official documentation on how to use SharePoint. Right. It says specifically that you are responsible for backing up that data. It is not their responsibility to back up that stuff. Right.
C
So does anyone do it?
B
No one.
C
No one does.
A
Yeah.
C
It'll never go down. Yeah, yeah, yeah.
A
I just feed myself a little. Not wrong.
C
No, no, no, John. The less we have, the better. The less we have, the better.
A
That's true. Because we intentionally.
G
No, because it's not your fault, John. Remember, remember? You said it, buddy.
C
Shared responsibility, baby.
A
We do have it in all of our pen test proposals that we do delete data like so.
G
Absolutely.
C
It doesn't say whether it's intentional. All right, go ahead, John. Give us the CTF walkthrough or whatever.
A
I already posted the walkthrough. So if you're wondering what we're talking about, if you join our Discord server, you get into the webcast CTF. We have the. Let me get that. And there we go. We have the webcast CTF. So we do CTFs and we do all these things. Well, last week we had a pretty cool CTF and we had some winners that came through. The solution is now in the webcast CTF channel. So you can go check that out in, in our Discord. And the winners are. Let me pull those up real quick. Quick. Kellamity. K E L L A M I T Y had the most correct answers. So round of applause for Kellamity. K E L L A M I T Y. And then the runner up is Samson 2.07 once again, Samson 2.07. Now Kellamity is going to get a full year of the entire course catalog for Antisyphon Security Training, which by the way, we do corporate subscriptions. If you want basically SANS-level quality at affordable prices for everybody in your team, hit us up in antisephsensecuritytraining.com. So they're getting access to that, the whole catalog for one year and Samson gets to choose an Antisyphon Training class of their choosing to get for free. So we're going to be doing this every week at the end of the webcast. Oh, look at the notebooks coming up from Corey. That's awesome. Much better than eggplants earlier. But we're trying to make our, our systems like when we're doing this stuff, much more hands on. Now this is the part where I lie and say, oh well, we can't do a walkthrough because we have just one minute left. Even though that is true, I need to go back and watch that webcast so I can better explain the walkthrough of this particular, of this particular CTF. But we will have more CTFs with more of our webcasts. Not every single one of them yet. We're going to try to get to that point but we're trying to make our webcasts as hands on as we possibly can. And once again we have training if you want to check it out. It's like top notch quality but the difference is you can afford it.
So check that out. And with that. Corey, do you have the video of the finger?
C
Hold on, hold on.
E
I got.
C
Yeah, sorry. S3 is down. I got this though.
A
S3 is down. You got this. But yeah.
C
Okay, here we go.
A
Here it is.
C
I should. All right, bye everyone.
B
Bye. You should have used the redundancy, Corey.
A
Sam.
Podcast: Black Hills Information Security – Talkin’ Bout [infosec] News
Episode Date: October 24, 2025
Main Theme:
A lively, unscripted roundtable of security professionals and penetration testers discuss the causes and broader implications of a massive Amazon Web Services (AWS) outage, the F5 breach, trends in supply chain security and nation-state hacking, the unintended consequences of expanding age verification and digital identity laws, the perils of unencrypted satellite communications, and ill-conceived plans to put data centers in orbit. The group wrestles with the complexity of modern attack surfaces and the ever-evolving security landscape—with the usual blend of sharp technical takes and irreverent banter.
The panel grapples with the aftermath and meaning of "half the Internet" being knocked offline by an Amazon/AWS outage, using it as a jumping-off point to discuss supply chain and infrastructure risk, recent attacks (notably the F5 breach), and ongoing shifts in adversarial tactics—especially from nation-states like China. They also reflect on tech policy developments around age verification and privacy, and touch on the risks and realities of satellite tech and futuristic "cloud in space" concepts.
The episode vividly shows the inherent messiness of securing the modern Internet, from persistent attackers and supply chain risks to regulatory whiplash and infrastructure entropy. With a foundation of solid real-world expertise, the team offers listeners both technical insight and comic relief—a must-listen for anyone trying to keep up with the rapidly shifting infosec landscape.