John Strand

The SOC is where pressure is real and impact matters. Join the anti Siphon training sock summit free live streamed March 25th. Then go deeper with Hands on Training March 26th through April 10th. Learn more at Anti Siphon Training.com event. SOC Summit.

Wade

There was nothing that happened.

Bronwyn

Nothing happened whatsoever.

John Strand

There's nothing happening today in the world of computer security at all. Or geopolitics either.

Bronwyn

Let's not talk about that, guys.

Ralph

I will say that is not in the current. Is there anything cyber related we want to talk about about that?

Wade

Because I didn't.

Ralph

There's nothing in the articles about it.

John Strand

I haven't seen hardly anything.

Wade

I know bomb stuff right there.

Ralph

Yeah, there's no cyber stuff.

Bronwyn

I read a really good article about how they have a two tier Internet system in Iran. Did anybody else read that?

Ralph

No, no.

Bronwyn

I don't know where it was, but it, it was super interesting.

Ashley

Yeah, I haven't heard that. But it tracks with what I know about their efforts for censorship.

Ralph

Yeah.

Ashley

And state control.

Ralph

I mean, I assume that North Korea has the same. I would assume most, you know, regimes like this have two tiers of Internet.

Bronwyn

I'm surprised you think North Korea has an internal Internet. Like I would think Iran is far more robust. Right. Like people there have cell phones where poor.

Ralph

No, there's North Korean cell phones.

Bronwyn

Is there really?

Ralph

Yeah, they're super locked down. They're Android devices.

Bronwyn

Do you think it's like. It's like when you first saw an iPhone in like the early like 2000s, seeing a cell phone there?

Ralph

You know, I think it's more like, dang it, it's not food. That would be. My assumption is like technology. I don't give a crap. I just want like a piece of meat.

John Strand

I was reading a.

Bronwyn

Oh no.

Ralph

This podcast is sponsored by Starlink Mini. Have you ever tried podcasting from a Tesla Charger? Somehow there's no WI fi, even though we set it up and plugged it in.

Ashley

You know, it's a shame because the, the Minis, we have one too and we use it for responding to fire and emergency incidents in the neighborhood. And they behaved very well. But I guess John is. Oh no,

Bronwyn

there was a. There was an active Starlink scam going out where they were calling people and telling them that their current Starlink setup is old and that they need to upgrade and targeting elderly people. And I know several that fell for it.

Megan

Of course.

Bronwyn

I know. Right.

Ralph

So just remember, scam, just give us money, basically.

Bronwyn

Yeah, yeah. Pay us 500 and we'll send you out all the New equipment paid the 500 bucks. There is no new equipment.

Ashley

It's funny when I tell people I'm sorry, I do not respond to unsolicited phone calls of any kind. You know, you're not going to get a credit card number. The reactions are pretty interesting.

Bronwyn

Sometimes I'm surprised you even answer. I have my phone set up where it doesn't answer unless the phone number is. Is in my phone. In my phone.

Ashley

I screen calls too.

Ralph

Yeah, I use the AI screening. Yeah, it is nice. And yeah, I don't answer even if it's a client. They'll just leave a super helpful message that says, hey, I'm a client. Call me back. And then I'll call.

Bronwyn

Our domain. Our domain is completely down. What did you do to the domain controller?

Ralph

Did you curve the left wing of the building again?

Bronwyn

Did you restart the website? You know, sales told us not to restart the website.

Megan

No.

Bronwyn

Can you.

Ralph

That curb roasting the left wing of the building is an inside joke from an interview we did years ago with someone who said that was his. Like, that was his critical awesome pen test story is that he took down the left wing of a building by curb roasting it too hard. Needless to say, that person did not get the job. But it was a fun story. I was like, is curb roasting, like, known for taking things down? Because that's news to me.

Bronwyn

Like, it's loud, right?

Ralph

Like it's loud, but it's. He what I think he was thinking password guessing not Kerb roast. Yeah, like, you know, rubies or something.

Bronwyn

A wild John Strand has appeared.

John Strand

Yeah, you know, shit on Tesla. While I'm using a. While I'm using a Tesla supercharger. Apparently that didn't go over well.

Wade

They have an algorithm for that.

Ralph

Yes, they have an AI algorithm for that.

John Strand

Speaking of which, are we going to talk about the. What is it? Discord Banning?

Wade

Yes.

John Strand

Yeah. Okay, we got that. All right, let's do it.

Ralph

Wait, Banning, please explain.

John Strand

There was word micro slop. I think it was micro slop. They actually made it a banned word on.

Ralph

That's.

John Strand

I want to say it was discord.

Ralph

I think that's only in their discord though, right? No, I think it was globally banned. No, it's not.

Wade

What's what.

Ralph

I just put it right in the chat. We're good. We're good.

Ashley

Banned the term micro slop from its official co pilot Discord server.

Ralph

Yes, from its Discord. Not from. Like, it's not global.

John Strand

Ban it ac. But even on their own, it's like, come on.

Ralph

Hello, and welcome to Black Hills Information securities. Talking about news. It's March 2, 2026, and we're here with our micro slop. We have a completely AI generated podcast today with hosts. Me. I'm a supply chain risk. Do not use me if you're a government contractor. We've got Bronwyn, who's using agentic AI to use social media instead of using it herself. We have Ashley, who is here. Good job, Ashley. And whose kid apparently has good taste in cars because they told someone their cybertruck was ugly. We have Aisling Sir Cereal or Siri Series. Series cereal.

Megan

Everybody does this. Siri Cariel. It's a hard scene.

Ralph

So wait, what's your favorite cereal?

John Strand

Hard to pronounce.

Ralph

Okay, can you just tell me what your favorite cereal is so we can move on?

Megan

Honey Nut Cheerios.

Ralph

Okay, great. Excellent choice. That's. Excellent choice.

John Strand

Excellent choice.

Ralph

Okay, we've got John Strand. If you can read this, you're not on Starlink. We've got Wade waiting through Molt book.

Wade

Nice.

Ralph

Ralph got done hunting gators, and now he's wrangling AI instead, which is a little concerning to me, but whatever.

Wade

They're harder to catch.

Ralph

Honestly, I. I did watch a video last night where a guy was hunting gators, and I was like, this is easier than it looks.

Wade

Actually, I already told you the secret. You just play baby gator noises and you're good to go. Dude

John Strand

noises Like.

Wade

It's like a croak. It's like a little, like, croak, I think.

Ralph

John, if a gator approaches your vehicle, please let us know. And if I have a gator in

John Strand

Gillette, Wyoming, something really correct bad has happened with my medication.

Wade

I mean, he hardly has Internet. How the hell you think he's gonna.

Ralph

Gay frog.

Ashley

But gator, no. No.

Ralph

All right. And then lastly, we've got Megan looking at making us look good and smell good, but you can't smell us because it's a podcast.

Wade

God, that's lucky.

Ralph

Yeah. All right, There's a lot of spicy stuff today. I mean, where do we want to start? Anthropic. We got. There's. I mean, there's so much. I. I feel like we maybe start with anthropic. I don't know. I think that's anthropic.

Wade

And who uses plod? I don't know of anyone.

Ralph

No one uses Claude. Okay.

Bronwyn

I ran out of Claude code credits this weekend, and I was going crazy. I was like, what am I going to do?

Ralph

Those Claude code credits are the, the latest drug addiction in the world.

John Strand

I've been told, I've been told by the anthropic that I should never let my employees ever say that they ran out of credits.

Ralph

They.

John Strand

It should be like an infinite shower of like gold. Gold shower of credits. Employees, gold shower, not golden. It doesn't matter.

Ralph

That's how much it would cost too, by the way.

Wade

I feel like it's gonna be a scene from like Home Alone.

John Strand

We got, we gotta, we got a form that we're filling out. We got a form. It's the R. Kelly form in SharePoint that you have to fill out to get those.

Ralph

So what does that mean? Your mind's telling you no, but your body's telling you yes?

John Strand

That's right. Okay, so I gotta back off.

Ralph

Okay, let's, let's, let's, let's do the podcast now. So basically the backstory on this, for those that don't know is last week we talked about on the news Anthropic, the company that makes Claude, which is one of the frontier models, is feuding or was feuding with the Pentagon. Was feuding with the US Government. Basically, there are two hard nos where number one, we can't just give you carte blanche to make killbots and autonomous, like robots with guns. That was one of their hard nos. And their other hard no was, by

John Strand

the way, I want to just point out. That's a good start. That's a good start for any software development project.

Ralph

Also, by the way, on the, on the topic of killbots, one of the most crazy things that I learned as part of this process is there's no law against killbots. It's just internal policy, which is, which is like, it's like us as a company, as a pen test company, saying, well, we don't really have any laws that prevent us from stealing all your data. We just. It's internal policy that we don't steal all your data usually. But that's a crazy thing for me

John Strand

that seems like an oversight. Like, no, kill bots should be a law. Like we.

Ralph

I fully agree. I can't believe the convention thing.

Bronwyn

Right? Like if we, if shotguns got like outlaw almost outlawed at one point, why aren't killer robots.

Ralph

Oh, dude, Geneva Convention, we ignore that on our own civilians. It says not to tear gas and we do that anyway. So. Okay, all right. The other thing that anthropic.

Ashley

What was number two?

Ralph

Number two was mass surveillance of US Citizens, which is obviously a great use case for AI. Hey, find me all the people Doing stuff I don't agree with. Right. Like easy query, but those two things the Pentagon wanted to do and Anthropic said no. And then there was talks. The CEO of Anthropic was summoned to Washington to have a hard sit down meeting with Mr. Hegseth himself. And then it predictably, those talks didn't pan out in a good and productive way. I'm sure some insults were hurled back and forth and basically that the government labeled Anthropic a supply chain risk. Which from what I understand means that if you're a government contractor, you have to not use it within the next six months. You have to replace it internally.

John Strand

Well, they also, they also want to push it to the point where if you're like a supplier, like you cannot use it in the government, but if you're a company that's using it, you cannot have contracts. So it's like downstep.

Ralph

It's basically as far as they can go. Right. This is the most punitive measure they can apply. So it's not clear exactly what's going to happen. The government, it sounds like the government itself will have like a six month transition period. And you know, in addition to that, while all that happened, OpenAI signed a contract with the government. They were like, we love kill bots.

John Strand

We are working and we love mass surveillance. These things are awesome. And by the way, anyone that gives us a hard time by how much energy we're using. Have you thought about how much energy a human uses? It's a lot of birth until the day where they're so much food, the calories.

Megan

I did the math.

Ralph

Oh, you did the math on this? Yes.

John Strand

All right.

Megan

You can feed 3,000 children to adulthood for the cost of one GPT4 training. You can also spend enough to raise 250 children to adulthood at US averages for what it cost actual dollars to

John Strand

make GPT4, I find their terms acceptable. We should start feeding all children immediately.

Wade

Can I just.

John Strand

Yes, we should.

Wade

Can I ruin a whole movie for you? You know in the movie the Matrix where they were feeding the humans to get menstrual amounts of energy?

Ralph

That makes no sense. We're not thermodynamically efficient. What are you doing?

Wade

Way more energy to feed them than they would have gotten. It ruins the whole movie.

Ralph

Sorry. Yes, I agree. That's a plot hole.

Ashley

So movies just saying.

Ralph

Yeah, yeah.

John Strand

So basically, what if we outsource it?

Ralph

I. I think the thing, I think the thing we tried that, we tried that, it didn't work. So I I think the thing that gets me with this, I wasn't expecting it to be open AI. I was expecting another company to jump in, but I was expecting it to be like, Grock. That's what. Exactly. But then I was like, well, I guess they don't get any pork at Grok because they got, you know, the whole fallout with the Doge stuff. I don't know. But, like, I was.

Wade

I was more scared of the Grock thing, though, because those robots would be really dumb. It would be.

Ralph

Yeah, that's. Yeah, that's. Yeah.

Bronwyn

So rock robots are just become Costco greeters.

Ralph

Or like, they're just like, your receipt looks good. I'm going to kill you now. Sorry.

Bronwyn

I don't know.

Megan

Given. Given other things going on with Grok, it might be, like, preferentially going after some really ugly target choices.

John Strand

I know, right? It'd be like, right?

Megan

Like.

John Strand

No, no, no, no.

Megan

This is even worse than worse.

John Strand

But I don't know. This seems like this could be bad.

Ralph

Yeah. I mean, basically there. Yeah. I mean, there's not a whole lot of cyber on this topic from our perspective, you know, just to be a little transparent, we use Claude pretty heavily at bhis, and a lot of our partners use it as well. And we're not planning on stopping, at least not right now, unless someone says you actually have to stop. But it's kind of just fun to wake up on a, you know, Monday morning and be like, oh, yes, this tool you use, you can't use it anymore. Like, I can't believe that's a thing. But I can't believe that the government

Wade

can be that punitive. Like, just like.

Ralph

Yeah, yeah.

Wade

To hurt my feelings. Listen, I know, I know. I'm just saying, like, maybe earlier time, like in earlier years, like, I think felt like it was better. Right? Like it was.

John Strand

Okay, well, set an actual date on that. But.

Ralph

Yeah, yeah, yeah, yeah, let's not. I agree. I mean, I think, like, all of the, like, the U.S. government tampering in private companies, you know, like, it's a whole. This is a hot topic that goes back hundreds of years, right? This, to me is. I'm sure there's lawyers right now just using AI across the board to try to figure out how they're going to fight this. And, like, it'll. It'll be solved in the courts like it always is, or someone will make a call and it'll go away, like, magically. Who knows? But.

John Strand

Well, and at bhis, just you know, kind of bringing it down. I had a Number of testers and a number of people reach out. I'm like, do we have to stop using this? And I'm like, we don't make the, we don't make decisions based on one idiot in the Pentagon and what he says. Right. Or she, whoever may say it in the government. If we start getting actual policy documents that come down, then we will have another conversation. But even then, like, that's literally destroying that company. Like, there's no way that Anthropic will continue to exist at the level that they're existing if they get cut off at the knees that way. So I don't know, it's going to be a Mexican standoff for a while. Let's see where it goes. But I'm a firm believer in no killbots and no mass surveillance. And honestly, we have Palantir that's doing that.

Ralph

Yeah, but they don't have Frontier models.

John Strand

But, but I think it's within Anthropic's rights to say, we're willing to work with you under these conditions. And they did. And now you can't Darth Vader it and be like, we're changing the terms to pray we don't change them any further. That's, that's not how this is supposed to work. And I am fairly certain that attorneys will get involved even at the Pentagon and be like, Pete, you can't do that. Like, you can't sign a contract with these particular terms, try to alter it and then punish them because we signed a contract with these things at the beginning. Now the world's a weird place. Who knows? But I wouldn't get too worked up about it right now. I'd be hard pressed to believe that anyone in the Pentagon has that long of a memory when we get further on down the line.

Megan

Yeah.

Bronwyn

All right.

Ralph

Any other final thoughts on this? I mean, I think it's, it's basically like not really a cyber thing. We'll, we'll, we'll stay tuned. You know, true. This is why we have this show. If new stuff comes out, we'll let you know. But for now, it's kind of just a, you know, government slap on the wrist. The classic on the AI topic. And by the way, I guess before we move on, it is worth noting that a lot of other, we have plenty of articles we're not going to talk about of other companies that have AI ties that are having, you know, bad days in the stock market because it's basically exposing some of the potential dangers and risks of our reliance on these Very small number of companies for very large, you know, tasks. But anyway, apparently the EU has blocked AI tools on all official devices. This is kind of interesting. So this is an article in TechCrunch. Basically the European Parliament has blocked, including the built in stuff. So basically this includes things like, you know, Copilot, ChatGPT, Claude, these are now all banned on European Union parliamentary devices. Now I don't know how many devices that actually is like, or you know, if, I'm assuming if you're a diplomat at this level, you have like 17 phones and they're labeled with like a label maker and that's how you keep track of them. But basically, go ahead.

Ashley

It's probably not just, I mean, if it's all official devices, you're talking multiple levels because you've got your, your actual representatives in Parliament, you've got their staff, you've got whatever is tied to their offices. So this is, it's, it's percentage of the population in the eu. It's small.

Megan

Yeah.

Ralph

And I mean it's kind of the writings on the wall with this. I would expect similar bans from almost any government entity. Like it doesn't all these built in tools, like, I mean we, most companies have banned them too, right? Like you can't just allow arbitrary AI usage across your entire, you know, government or company or whatever.

Bronwyn

So I think it's easy for them to do this integrated one though, right? So they're looking for the defaulted stuff that's turned on. It's. Once you start doing it from like a DLP perspective, like what then what, what about the third party? What about them installing stuff or using some random online one? That's when stuff gets real hard at least.

John Strand

And I think that that's the rabbit hole, right, Wade? I mean when you take this policy and start trying to peel it back, it gets really complicated very quick. But this is something the EU is struggling with, right? I can't remember which country if it was Belgium or if it was Denmark, but they're starting to push away from Microsoft and all of the kind of the cloud providers that are based on the United States. There's a lot of money in the EU that's now being invested by numerous governments to come up with open source solutions for a lot of the commercial SaaS products that they're buying in the United States as well. So this is just one more kind of like snowball and an avalanche that's starting and I don't see this slowing down. I don't see this as like the Big thing. But this is just more of that, of that constant flow of trying to move away from us SaaS providers, whether or not it's AI or whether or not it's SaaS products as well.

Ralph

That's a good point.

Bronwyn

Really help you set up all those open source tools.

Ralph

That's exactly what I was thinking, Wade. Like, like how do you build your DIY SaaS products without Claude code, man? Or without a coding agent? Like that would make it 10 times harder.

John Strand

You said use Zapier or like any of those tools to try to tie it all together. But man, cloud code is way easier to do.

Wade

You can run, you can run your own like self hosted models and stuff like that that you can run them at at like some level. They're not quite clawed but like you can get pretty close and like yeah, not inexpensive just to put that out there. But yeah, I could definitely see the reliance on something like these more frontier models, especially as they improve to be like how can I keep up? Right? Like they're like in whatever way. In whatever way. How can I keep up if this model is what we're actively using and other people are too? So.

Ralph

And by the way, I didn't major in poli sci, but I feel like this whole thing that just happened with the Department of War is a great example of why they shouldn't be using us as products. From the sovereign deep perspective, it makes perfect sense to me. Like, oh, what if some random dude just decides we are our accounts and all of our emails are deleted? Oh, that'd be awkward. Let's, let's hope we see more of the open source rise in the eu. That was. That's pretty cool. Yeah. As far as AI, I mean there's a lot more that I guess we can kind of combine two articles. One article is that the Mexican government posted a really interesting or you know, basically there. It starts in a Reddit thread and it kind of goes, there's a Bloomberg article as well. But basically someone or you know, a threat actor used Claude to breach the Mexican government and exfiltrate a bunch of sensitive information. They claim 150 gigabytes of data. We don't necessarily know how, you know, we don't know anything about the security of the Mexican government. But I, what I can tell you is this is going to be the theme of 2026 is threat actors using AI to attack entities. Whether it's companies, countries, everything is going to be attacked using agentic AI. And you know, the, the write up is pretty simple, like Basically from my perspective, like as a tester, they're basically just chaining a bunch of stuff things that we would normally consider too high complexity or too much work to do. AI can do it. And so if you, a company or a country, they have huge attack surfaces and AIs are really good at chaining vulnerabilities together. That's basically what happened here is minor vulnerabilities get turned into major vulnerabilities because all the fancy, you know, they were able, like as an example they were able to use AI to help bypass the waf. So like a simple thing like bypassing the waf, not necessarily like a crazy thing that like only you know, APTS can bypass wafs. But it definitely speeds them up that they can use AI to do this kind of stuff.

Bronwyn

Correlated with what? Did you read the CrowdStrike Global Threat Report? Is that what you're gonna go with?

Ralph

Yeah, so like. Yeah, exactly. So like this combines with the CrowdStrike Global Threat Report which there's a few insights I have from this. But AI is heavily featured in this of you know the, basically that I don't know the exact numbers but essentially a huge portion of compromises use gen AI. So like not only just for like writing fishes or so the stat is AI enabled adversaries increased operations by 89%. So like basically at this point if you're a threat actor and you're not using AI, you're you're doing it wrong. And that, that applies to pen testing firms too, right? Like, or anyone. It applies to like basically everyone. If you're not using AI at this point you're probably doing it wrong but threat actors are doing it. And that to me is the biggest reason why now we as pen testers and security people that means we have to do it too. If the threat actors, if the bad guys are doing it, our whole thing is to do what the bad guys are doing so that our clients are safe. So now we have to use AI. There's some other interesting insights I guess in that report. One was that it was 80% or something of compromises used authorized channels so like using you know, valid credentials to log in using like a vision call to deploy like legitimate tools and exfiltrate data using legitimate tools. Like that's the theme is like living off the land, you know, like we know the, the blank spider threat actors, they do just like quick assist and then they just upload all your data using WinSCP. It's like the simplest possible kill chain but it works so that Was. Yeah, I mean that's definitely seems to be the theme I guess. Does anyone else have any insights or other like things they learned from that report? Wait, it's. I think you had something.

Bronwyn

I haven't read it yet. So to be completely on. I'm on like paternity leave so I haven't done anything cyber. I just read the news for once, 30 minutes before I got here. But I was in awe that they said in 29 minutes from initial lateral move to lateral.

Ralph

Yes, right. Dude, we were talking about this. Yeah, we were talking about this on our team. So yeah, basically the stat for people that don't know what we're talking about in. In CrowdStrike's report they say that the. It was some. The average time to move laterally was less than 30 minutes. So like 29 minutes average e crime breakout. The thing that I don't like what I want to. I want to clarify this. I think when Wade and I are thinking about lateral move, we're thinking about it in a traditional sense of establishing a C2 position on a different host. So like a completely different computer. I think what they mean by this is going to the next phase or gaining access to additional systems like including cloud information like exfil, trading data S3. I think that's what I'm doing. That's basically what I'm imagining. This is like the. They get onto a system and then they immediately start doing bad stuff. I don't think it means moving to another system. I think it means maybe grabbing cloud tokens, grabbing API information or just like I said with quick Assist, just uploading data using WINSCP immediately. So they're not doing any kind of like they're not doing any actual like C2 agents or DLL sideloading or you know, binary exploitation or anything like that. I think they're literally just saying or on a system we're going to start accessing SaaS products, accessing API keys and then like going into different systems. Like to me that counts as a lateral move in 2026. Just going after the cloud infrastructure. But I don't know like that they're

Wade

definitely incentivized to move as fast as possible. Especially if we have on. On device detection and we're just like the time like they're, they're. Their motivation is the longer I'm here the likelier it's going to get shut down eventually. So let's just make this time go as fast as possible as possible. Right. As opposed to intentionally being like no, I'm Going to wait it out. I don't want to get detected. And then we're going to do this, then we're going to do that. So I think it's kind of a shift, especially if they're just going after whatever it is. Right. Whether that be information, ransomware, whatever they're trying to do.

John Strand

Well, and this is one of the things I think is interesting. There's a lot of conversations about how, oh, well, computer security is going to be solved with AI. And I think it's interesting because the defensive side, there's a whole bunch of vendors that like, we're going to solve the SOC problems with AI. And then you flip over to the offensive side and there's a bunch of offensive vendors that are like, we've solved offense with AI. So this goes back to something Corey said at the very beginning. We're just going to use the tools and the techniques that the attackers are using one way or the other. The hackers are going to show us the way.

Ralph

Well said, John. Slash AI. John, I guess. Wait. Any other or anyone else that read this report, any other insights? There was a vishing is still a thing like that, you know, that's still super common. Like, I mean, it's a lot of just continuations of the themes we've seen in the past.

Bronwyn

I skimmed it to try to understand what their level of lateral. What their definition of lateral movement. Right.

Megan

Yeah.

Bronwyn

So like Jeff's in the chat and Jeff actually said, like, I just wish all of our definitions were actually the same. Right. So do they have a definition in there?

John Strand

I like things more fun.

Bronwyn

Well, yeah, that's. That's the only thing. But like John said, the interesting part is the attackers right there, they have full access to the AIs completely where I'm finding that defenders right now are just now finally getting access. Right. Like, we're, we have to make sure that everything's okay. All the I's are dotted and the T's are crossed before the defenders can actually use a product and actually deploy it and usually make good of it. I think that's just now really starting to happen. Even with the AI sock stuff. I've heard good and bad about it, but I want to see what people are doing with the homegrown stuff. You actually have a really good team that's just building something out themselves. And I think that's going to start coming to fruition probably this year. I've already seen socks.

John Strand

I think if you want, you could set up a meeting and talk to Ethan about what we're doing in our soc. But one of the things I've learned and kind of listening to our SOC and what we're doing is AI is not anywhere close to being the. Anywhere close to being. The silver bullet is being promised.

Wade

Right.

John Strand

For the SoC, because we work with multiple different EDRs, and working with multiple different EDRs, it's almost like you have to train the AI for each one of the EDRs that you're going to be dealing with and how to handle it properly. So.

Bronwyn

Oh, I've talked to Hayden plenty of times. I know all about it.

Ralph

Yeah. And for those who do you think

Bronwyn

got me on the cloud code.

Wade

The other thing I've been thinking about recently, too, about this AI discussion about, like, the attackers and the defenders now having AI. What if you took away the ability for. Or like, what if, for example, they don't have access to that frontier model? Right. What if they start cutting that off or making it harder to get now they're like, severely weakened. Right. To actually be able to do things because of people's reliance on it. Like, just like everything. You built your whole stack off. The fact that this. Right.

John Strand

That gets into one of my points is a lot of companies are looking at AI as a rip and replace or downsize. Right. We can do what we're doing. We can do it cheaper. We can get rid of people. Instead of looking at AI as it should be, I'm going to augment my existing team and make my team more awesome moving forward. And that's going to be one of the big struggles that we have in security, I think, in the next 12 months.

Wade

Well, and then the other thing, too is like, it's those products that they're making that rely on CLAUDE code. What if Claude code finally goes, guess What? We spent $500 billion and we're gonna have to raise those token credits that there's.

Ralph

It's.

Wade

It's going up, it's going to get more expensive. But your company needs that to make money now, right?

Ralph

Vendor lock. No, we've never seen that before. No one's vendor locked. IBM made money. IBM made more than Microsoft until, like 2008 because of vendor lock.

John Strand

Anyway, what about Uber? I mean, Uber's full business model. Go in, be cheap, wipe out all the existing taxis, and then start raising prices.

Ralph

Yeah, yeah, no, that's the standard tech play. Now you. You become. You. You become the market. You, you become the oligopoly or whatever you want to call it. And then you just sit down together and say, so Boys, how much does a token cost? What if it costs twice as much? Eh?

Wade

I can, I can tell you that RAM price, it's going to come to Rooster, right when they ask for more. There's billions of dollars that those investors are doing. They're not doing it for fun. They want their money back. It's going to have to get paid, right?

Ashley

You're not going to get it all back. That's the sad part.

Ralph

Yeah, well, no, no, no, it's fine. We'll just mine bitcoin. Don't worry about it. It's fine. Wavy.

Wade

My bigger technical security point was just like if attackers all rely so heavily on it and then somehow it starts getting more like harder for them to get a hold of. Obviously they're going to shift tactics, they're going to build their own. And I get, I get that. But I mean that could cause you know, like the image of like the DDoS attacks, right? Like if you can cut them the ability for them to perform that, then that could be a rippling effect. Right. So I think it could get interesting. Right.

Ralph

It'll just be the same thing as like every other globalized industry. It'll be like we start as the industry leader, then Deep Seek is like we have tokens for half the price. And they'll be like somehow tokens, like AI models built out of Bangladesh or something that somehow costs like 25% Chinese.

John Strand

Yeah.

Ralph

Like, and then we'll have like budget and then, you know, then we'll become overly reliant on them. Then they'll cut off access. You know, it'll be a whole thing. And then we'll have tariffs or like a 10% token.

John Strand

People got real concerned that I'm webcasting and driving at the same time. That would be irresponsible. I am in the passenger seats.

Ralph

He's in an Uber. It's a self driving car.

Megan

She's in the US that is not the driver's seat.

John Strand

The self driving cyber trucks I'm sure are completely safe.

Ralph

No, it says full self driving on it. It's he promised me. All right, I'm not a cyber truck

John Strand

either, if you're joining us late.

Ralph

So let's. Yeah, let's make a left turn in our trucks, in our cyber dumpsters. And talk about a leak that confirmed that Graphene and Motorola are partnering up, which is super exciting. We had kind of a bummer of an Android article last week, which was basically that Google is ratcheting up the pressure, becoming more Apple like and basically going to force they're going to get rid of anonymous app store developers, which is like kind of. It is what it is, but this is kind of the antidote to that. So apparently graphene os, which is the leading privacy based Android distribution, I would say. I don't know if that's like a fair intro, but I think that's a fair intro.

Wade

It only runs on Pixel hardware, but I think that is fair.

Ralph

Right now it only runs on Pixel hardware, but obviously there is now a plan to expand this. It seems the post was deleted. So like this is a leak, right? Like maybe this won't be confirmed, but basically it says here in a Motorola presentation they put a slide that had a thing, a mention of graphene os and it would be a really cool partnership to have this as an OEM option. I kind of see this as when OEMs start to take on like, you know, Lenovo was like, you can install Linux. And everyone was like, oh my God, this is amazing. I think the same thing is true. Like when you see OEMs picking up phones, this is even more important because phones are much more specific hardware wise and difficult to get running. So having an open standard like between this, between an OEM and a graphene developer would be really cool. I think. Hopefully they don't force graphene to compromise,

John Strand

but I just hope that Google doesn't come in and curb stomp this. Like I could totally see them being like, nope, you're not doing that. But if you're in this like cell phone market, right, like you've got to find ways that you can break out and maybe this is a way that you can help break out. Like you can start supporting other operating systems. I know a lot of technical minded people would move to a phone if they would have more control over the underlying operating system for sure.

Ralph

Yeah. And I think that's what graphene really gives you more than anything else.

John Strand

What was the last cloud strife? Says I like this optimist take. Let me ruin it. It'd be really hard to sell phones to technical minded people when they've all been replaced by AI.

Bronwyn

All right, thanks a lot, Chad. Get out of here.

Ralph

All right, let me know when the lemming starts. When we're gonna jump off a cliff.

Bronwyn

When, when. What was the last flagship Motorola phone though?

Ralph

Oh, dude,

John Strand

The Razer flip phones. Like, okay, yeah, there's a lot of people that have those phones.

Ralph

Oh God, yeah, I would say like that. Yes. I think they're. You're right. Basically what Wade's getting at here is that Motorola has not been the industry leader in the flagship market for a long time and this will not change that. But honestly I would say like a lot of the people who are using like what I would call low cost Android phones, not flagships like normal. At regular phones that you've never heard of, that's called. Yeah, normie phones. Those phones I think are a way better use case for graphene os. Like these people are running in weird markets like you know, you know, third party cell carriers, like weird scenarios and having more control over the OS is, would potentially be really beneficial for those people.

Bronwyn

I will tell you, Motorola sucks now.

John Strand

But seriously, if they do this, I'm getting one that's going to become my primary phone.

Bronwyn

They'll also be the primary carrier of most criminals then too. So that's, you know, that's.

Ralph

We already had that, dude. That's. So what you're saying is the FBI. Okay, so you're leaking it now on the show. For the first time ever, the FBI is buying Motorola and graphene os.

Bronwyn

They're doing it again. They're doing it again. There's no way.

Wade

It was an awesome book.

Ralph

They're rebooting though. They're

John Strand

not that Pete ever listens or watches the show. That's how you do it.

Megan

Honestly, Motorola with graphene on it out of the box would get me to actually buy, like pay for my own, buy an Android phone.

Wade

But you could just buy, you could buy a Pixel today, buy a Pixel 8, buy a Pixel 9 and just set it up there. I've got some right now I can.

Megan

But I don't trust it.

Wade

Well, that's the whole point.

Megan

I don't trust it.

Ralph

No, no, no, that's not long term.

Megan

The long term situation with the pixels and with what Google started doing last year with locking away the code for the hardware behind a case and situation where they've got like here, this is our model phone that isn't actually the same as pixels anymore because we want to make pixels more specifically ours dropped. And I'm pretty sure that was what kicked graphene to say. So we need to find another manufacturer to make sure that, you know, everything plays nice and we get all of the code for going all the way down to bare metal on the hardware and make sure that all the stuff we're putting into graphene isn't being subverted by something at deep kernel level or over in what amount to vulnerable DLLs. Not that that's actually on Android, but.

Bronwyn

All right, click the link that Ashley just sent Like Ashley hasn't talked. All, all, all new.

John Strand

I know.

Ashley

I should show Nerf confirms it by Motorola.

Bronwyn

I didn't realize Motorola was a Lenovo company. And it wasn't until recently that I realized that Lenovo is China.

Wade

Yeah, so Lenovo was originally.

Ralph

Well, actually it was IBM.

Wade

Yeah, no, Lenovo or, sorry, Lenovo bought IBM's laptop brand. So that's why people are associating it with. But that was IBM's brand. Lenovo was always, I believe, a Chinese company. I could be wrong, but I think it was. And then they also bought Motorola now. And now they're getting the phones as well. And they've always been a Chinese company. But the Lenovo brand that we're all used to, like buying a laptop, that's actually all of IBM's old stuff. That's why they had a little tracking

Ralph

pad in the middle there. You mean trackpoint? Hell yeah.

Wade

IBM exclusive.

Ralph

Hell yeah. Yeah. No, this is cool. I guess we should also talk real quick about some actual vulnerabilities. Maybe like pretend like this is not a geopolitics show. SZA has issued an emergency directive for Cisco SD WAN devices. This is probably worth talking about. I don't. Does anyone know what sd. Someone has their CCIE or whatever? What's in. What's an SD WAN system? What even is that?

Wade

I thought those were. I thought there were accelerators. I, I could be totally wrong. Like WAN acceleration software similar to like the PEP way, or not PEP Wave, but there's another. Riverbed is another big brand out there that does that. I could totally be off though. Okay, but there, there's like a whole market for this kind of stuff. Cisco is, Cisco is a very big company and they have bought a lot of products and services to fill niches specifically in the government and other kinds of industries that would like be like really niche. Right?

Megan

Okay.

Ashley

Sdwan is Cisco software defined wide area network.

Ralph

Okay, that doesn't help me because I don't know what any of those words mean.

Wade

So it's like the software defined. When I was doing the CC NP and other stuff like that. The whole idea of software defined networking was to get out of the router, right, the physical hardware device, and move to just software devices that would implement that across the board. Right. So you're running a lot of like x86 style chips that you implement and you add routing software into this.

Ralph

Okay, Someone in. You guys are no help. I, I appreciate your attempts though. So someone in Discord said it aggregates WAN links and does other fancy Site to stuff. Site to site stuff. So this is like a replacement for mpls basically, I guess. I don't know. No, I don't know.

Wade

I don't. I don't think. Yeah, the SD WAN stuff is. I think yeah, it's the software defined networking and that's like a concept more than it is like a product

Megan

in some sense. It's meant to replace dedicated company VPN, site to site, VPNs. That's not all it does. That's not exactly what it's for. But that is the old thing that it plugs in and replaces.

Wade

So what is the vulnerability?

Ralph

So the vulnerability is a zero day which apparently has been actively under exploitation since 2023. Yikes. But they. It also ramped up more exploitation in 2025. It was actually disclosed by, you know, Cisco Talos and says jointly I think. And basically the. The vulnerability itself is there's a CVE for it. I'm trying to pull it up. CVE 2026 is 20 it's auth bypass. So it's like the same vulnerability we've seen in almost every Cisco product. Unauthenticated remote attacker can have bypass authentication, obtain administrative privileges. There's a peering authentication mechanism in an affected system that doesn't work properly. Specially crafted requests, you know the classic like all the words are used too and it affects all the like. Oh, sorry, go ahead.

John Strand

I was going to say it sounds like a lot of the same types of vulnerabilities where you trigger like you said, either provisioning or starting up the first time like a wizard for authentication, like just accessing those libraries directly within it.

Ralph

Yeah, it affects all the different ways you could deploy this. Apparently there's a on prem Cisco hosted and there's also cloud. Like it even affects Fedramp stuff. So yeah, basically it's scary. It's nation state. It's the same attacking telecoms that we saw in the crowdstrike threat report. It's the same stuff like companies going after communications infrastructure or I guess APTS going after communications infrastructure to steal sensitive information. What else we got?

Bronwyn

Speaking of phones and infrastructure, Shiny Hunters got someone today. Yeah, where was that article? Gosh darn it.

Ralph

I'm just gonna Google Shiny Hunters and hope nothing goes bad.

Bronwyn

They monitor that. They hit some Norwegian telecom, it was like Nido or something like that and Odido. Odido, There you go, the Dutch one.

John Strand

Dutch?

Bronwyn

Yeah, yeah, yeah, yeah. So they pretty much pwned them exfil data and then attempted to of course ask for money beforehand. And there you go, thank you, Ashley. And they said a big, no. So shiny. Hunters said, well, we're going to release the data.

Ralph

Pretty much that is how ransomware works.

Bronwyn

I think it's a little bit more hardcore because it's a telco, right?

John Strand

So it's like they have home addresses, email accounts, bank account details and ibans. So passport and driver's license numbers, which I'm sure. So this gets into, like. This gets into like, a bigger question of anytime you're working with anything and they're like, upload a picture of your driver's license. Hi, Discord. Or your passport.

Ralph

Oh, I forgot about that article.

John Strand

Talk about, like, some legislation that we need in the world right now where you need to have some type of security around that stuff. But this looks like this is another one of those scenarios where Odo or Odio or whatever is like, yeah, give us your passport, give us your driver's license. Nothing bad will ever happen here. And it seems like almost every time something does bad happen.

Ralph

So who knew to configure your home router, Please provide your passport and your driver's.

Wade

Oh, my God. You joke.

Ralph

Like, why would they even have this information? Why do they even have this information? I don't know.

John Strand

So, But a lot of these providers, like, I remember years ago with like, VPCs and cloud providers, like, a long time ago when I was trying to set up websites and different servers in janky places on Southeast Asia for things I was doing at the time, they were totally like, give us a picture of your passport, Give us a picture of your driver's license. It was very common whenever you're working internationally, trying to get something set up, I think.

Ralph

Yeah, I mean, there's always going to be ransomware. What else we got?

Bronwyn

I'm still. I'm still just surprised we haven't created some type of, like, centralized age verification. Like, I know there's that like, id.com or whatever site.

Ralph

Oh, yeah, yeah.

Bronwyn

But speak.

Wade

Right.

Ralph

If you live in Burma, you're good otherwise. Or Estonia or whatever that has, like a national ID system. Anyway, we should talk about the Discord thing because we've been covering this article. So basically we're talking about age verification stuff. Discord has now put it on hold. So there was enough backlash where they decided, okay, we know you like your, you know, Discord servers. We won't mess with it too much. They blogged. They posted a blog post on Tuesday, basically saying, we're going to hold off on this for now, but we'll let you know. I'M assuming they're not going to change their minds. They're just going to slow down and do it quietly.

Wade

And then California said, hold my beer. We're going to start making all operating systems.

John Strand

Yeah, yeah. This gets into, like, this. This balance, right. Where it's like, won't somebody think of the children? And if you try to have privacy arguments or conversations around it, they're like, but you support criminals. Then it's like, we can't make it like that binary of a decision.

Wade

Right.

John Strand

It's just. I mean, we've been dealing with this for a long time. I go back to the San Bernardino shootings a long, long, long time ago, where the week before, literally everyone was freaking out about Facebook and privacy, and Facebook could read your messages, and Facebook could do this, and everyone was freaking out. Then the shooting happened, and then immediately people were like, why wasn't Facebook monitoring for this? And, you know, warning people that this would happen?

Wade

It's.

John Strand

We're going to be fighting this a long, long, long time. And you're always going to have the. Won't someone think of the children group.

Megan

Because.

Ralph

Okay, I, you know, I was talking

John Strand

about operating systems verifying your age before you run an os.

Ralph

Well, hold on.

Wade

Kidding.

Ralph

Okay, so this one. This is. This is a joke, to be clear. But I have an easy way to do that. You just have a thing that says, what does this logo indicate? And then it's like, click the correct logo to proceed. Click the floppy disk to proceed. And then there's like nine icons. And if they don't click the floppy disk, then you just say, they're underage. Right. I mean, it's that easy.

Wade

My new AI will be. What's the flop?

Ashley

If only it was that easy.

Ralph

No, Yeah. I mean, I will say this is kind of crazy. The operating system level. Like, what does this mean? It's illegal to run Linux in California.

Wade

Yes.

John Strand

Which makes for some awesome, awesome T shirts. That would be great.

Ashley

Yeah.

Megan

Yeah.

Bronwyn

I'm.

Megan

I'm getting flashbacks to the RSA T shirts that my college classmates wore. I feel like, okay, yeah, you cannot export this.

John Strand

Oh, yeah. And it had the code for region locking for DVDs.

Ralph

No, I was thinking Free Mitnick, the.

Megan

The older version of the same idea.

John Strand

Okay.

Megan

Yeah. So, okay, I say 48.

Ralph

I. I feel like this is, like. This is so classic California where every building causes cancer. I think this is going to be, like. It's either going to go one way or the other. Everyone on the Internet is a minor. Or everyone on the Internet is of age. Like this is. All this is going to do is force everyone into this fork in the road where everyone's 18 now. Congratulations. Or no one is 18. The whole Internet is for kids now. Sorry.

Wade

Oh, so I guess.

Ashley

Okay, okay. As the token Californian in the room.

John Strand

Okay.

Bronwyn

All right. Just leave me out of here with the San Diego flag behind me. All right.

Ashley

Also a Californian

Ralph

sign in the background.

John Strand

I visited California a couple of times. Go ahead, Bronwyn.

Ashley

California. California does try to take the whole privacy thing more seriously. And we saw that with some of the. What people call the Californian version of GDPR and some of the other privacy regulations. Absolutely, I agree. This nonsense requiring all operating systems to have age verification. It's never going to fly. Because achievable, we don't have a viable way to verify any person's age with or without government IDs. I mean.

Ralph

Oh, you think that's going to stop California? They'll just keep on rolling and every building causes cancer?

John Strand

I was going to say.

Ashley

Well, yeah, it will.

Ralph

I mean, I remember at the gaming

Ashley

we. We've gone round on. On legislation like this before. And I'm not going to say that every time calmer heads prevail, but usually the process works better than not.

Ralph

That's fair. And maybe this will be rolled back. That is entirely possible. California has banned and then pretended to unban gasoline cars like 10 times. So there's another chance for them to ban gas cars and then unban them and then reban them. That. Maybe that's what will happen. We don't know.

Wade

They definitely.

Ralph

Guys, we'll see.

Ashley

Hey, we're not the one naming snowplows fancy things, but that's another conversation.

Wade

Internal combustion engines. Guys.

Megan

Jesus.

Wade

Oh, my God.

Ralph

Oh, that's terrible. Go back to your.

Wade

I let that one go.

Ashley

What?

Ralph

Yes, we should talk about the smart glasses one that we're talking about.

Ashley

And also the robots. We've talked about robots earlier. We should. This is a little more in the real world, robots.

Bronwyn

I think. I think we talked about that robot one.

Ralph

We did. Yeah.

Ashley

This is from.

Bronwyn

Yeah,

Ralph

this is new. Ashley, tell us about the robots. Tell us about the killbots you're building in your basement.

Ashley

Well, there are plenty of them, so beware, don't annoy me. Anyway, so apparently there's a security flaw in the DJI Romo robot vacuums that allow unauthorized access to them.

Ralph

No.

Ashley

Some strategist was playing with clog code and reverse engineer the protocol or using it to reverse engineer the protocol and attempt to Communicate with the servers. And instead of just letting him access his own device, it handed him over the keys. Vacuums.

Wade

Yeah, I read deep into it. So he was looking to try to control the vacuum remotely so he could drive it. And so he used Claude to kind of reverse the API. And then when he got to trying to control like actually making those API requests, he realized that the API did not validate if he owned the device ID that he would enter in the API request. So he would just give it more device IDs and he could control everything and then get whatever was on of all that of. Of those.

Ralph

So it was DJI is like, dang it, you found our secret doomsday device.

Bronwyn

You son of a. I'm surprised they're letting them sell vacuums after they banned the drones, right? Like, what? Okay, what's this vacuum if not a drone on the ground?

Ralph

The article does imply that only 6700 people own them.

Bronwyn

Did you see. Did you see one of the. Like, they have the see through case. It reminds me of very like old school Mac, like the ones where you can see all the intern. It's actually pretty cool. I was like, all right, that's cool.

Wade

Ukrainians are like, great idea. And they have little robot vacuum driving into buildings to blow up.

Bronwyn

It's like. It's like a size of a landmine. That's perfect. You're giving them. You're giving them ideas right under trucks.

Wade

Boom.

Ralph

The DJI Claymore coming this summer.

Wade

You don't even need a pack. The.

Ralph

The last article I want to talk about and then we'll do CTF winners is someone made an app that tells you if someone nearby is wearing meta Ray ban smart glasses. I love this so much because it's so simple and so basic, but also really neat. So it's. The concept is super simple for those that aren't Bluetooth or wi fi experts. Basically similar to Mac addresses and wi Fi, the meta Ray bans have a Bluetooth device identifier they use when they're talking to the, you know, whatever devices are around. And someone just wrote a super simple thing that monitors for that device prefix basically, and then tells you, hey, someone has one of these nearby.

Wade

You can do this for any device. Not just.

Ralph

Yes, correct.

Wade

Bluetooth device. You could be like, oh, look, so and so has this nearby.

Ralph

Yes, but someone's wearing AirPods nearby is not as interesting as someone has wearing meta Ray bans nearby.

Wade

Yeah, yeah, yeah.

Ralph

And it's obviously it's Android only and it's not you Know, it's like, it's probably a side loaded app, like good luck installing this on the Google Play store or whatever. But it is a cool concept. It's it. I will say meta could easily get around this. You know as an example, Mac, Mac devices randomize their, their WI fi Mac addresses. So like they could easily work their way around this if they wanted to. But you know, maybe they will, maybe they won't. It's an interesting area right now where the meta ray bans in particular, they have some, they try to build in some like anti stalking features like if you cover up the recording light, it's supposed to like stop recording and stuff like that. But I mean to be fair, spy cams have been a thing forever. Like what was it, the 90s when we had like cameras and you know, buttons in people's shirts and stuff? Like the FBI is like, we can just wear a meta ray bans. That's kind of cool, but like it's not. Yeah, I mean this isn't new. Spying on people using tiny cameras isn't new. Yeah, no.

Ashley

What is. What I liked about this article when I read it through was that this is like the WI fi pineapple, but it's specific to something that is being used in the field to invade people's privacy. So I thought that was a kind of cool feature. And frankly, as far as meta obfuscating the Mac addresses, I don't think they're going to do that because then they'd have a harder time data mining who's doing what.

Ralph

Well, oh well, they already know who's doing what because they control the device. Right.

Wade

Not to defend the meta glasses, but just because someone's wearing them doesn't mean they're recording light.

Ralph

So like true, that's a good point.

Wade

It's not like.

Megan

Yes. And there's a light that's supposed to show when they've turned it on, but there are people selling the service of disabling the light.

Wade

Oh sure.

Bronwyn

I'm sure you just get a Sharpie.

Wade

Yeah, yeah, I just, I'm just saying.

Ashley

Wow.

Ralph

Wait, you should start a company, man. That's an advanced idea right there. Glasses right now.

Wade

Oh my God, there's a meta glass right there.

Ralph

Get him.

Wade

And he's just like, what's going on here?

Bronwyn

And then they accidentally hit chunky glasses. It was not even the middle class

John Strand

like that with the Google glasses. There were people getting into big, big jack glass holes. There was people that. There were people that were getting into big trouble wearing those out in Public. And I'm wondering how long it is until that stigma is gone.

Ralph

I think it's already gone. I. I see people wearing them and I just think, yucky. But I'm not like, about to go up to someone to. You turn that camera off. Because I'm sitting here like this. Oh, hi, buddy. How's it going? Like, you know, everyone's got their phones out all the time.

Wade

Yeah.

John Strand

Somebody just dropped a great snow crash reference, so.

Megan

Oh, that was me.

John Strand

Okay, that makes sense.

Bronwyn

I just.

John Strand

Okay.

Bronwyn

I just can't wait till Damon is a thing. If anyone remembers right, Damon.

Ralph

Like, we're almost.

Bronwyn

I want to do the. Like with the glasses and track people. Like, we're almost. We're almost there.

Ralph

Yeah. Yeah. All right, before we. Before we close out with a chicken article, the weekly CTF winners, we have four total winners, all of whom have won a course of their choosing on anti siphon training. Training that doesn't suck. We have Shadow, Lark, maybe SHDW Lark. We have Curious 17, Wombat 14, and Intercept or Inter CPT. Well, I don't know. Congratulations.

Ashley

Well done.

John Strand

And we might be taking a little break on these CTFs. Just to give you all a heads up. We got to get some stuff kind of organized, so we might be taking a breather and bringing them back in

Ralph

a couple months in the future. We'll let you know when CTFs are back. All right. The chicken article is just. It's just a fish. It's a fish. The chicken news is a fish. Okay, I'm sorry, everyone. The chicken news is actually just the link that says that basically this is a real thing. Microsoft, in their official discord in the copilot Discord has banned the term micro slop. That's the chicken article. I don't know why it's in the chicken section. Clearly AI got confused about what chicken

John Strand

is because Microsoft is chicken. There we go.

Ralph

Oh, because they're too chicken. Too chicken. They're too. I see.

John Strand

I don't know.

Ashley

They can't handle the heat.

John Strand

As close as I can get. That's Brad's closet. Yeah. There you go.

Ralph

Well, anyone else have any final articles? Any final go backs?

Wade

So there was. There was one article with actual and exploit, which was the new WI fi exploit. Did you guys.

Ralph

Yes. Tell us about this. I saw it in the list and I didn't really.

John Strand

I started reading that and I'm like, this is really a lot of things that have to align. And then I had the point in the academic write up where they're like, this is really academic. Like this is such a weird edge case for this WI fi attack to work. So I thought it was interesting, but it is. It's a cool read from a technical perspective. But no, WI fi is not broken all the way down.

Wade

It's not broken. It's a layer one, layer two problem too. They're not even into any of the encryption stuff, so. Yeah, and it's one of those things where like there are some ways in the middle where you could do things like anything that's unencrypted, so maybe like DNS or other things like that, changing the addresses there. And it does. There is mitigations that hardware vendors can put in place and other things. So I don't know. Again, got a little technical as John mentioned. And it's not like yo, POC just dropped.

John Strand

Yeah.

Ralph

Also, by the way, the transport layer has been assumed compromised for the last 15 years. No one thinks that, like everyone thinks that the network they're on is being surveilled and that's why we have tls. Right. Like, well, that was like the thing

Wade

they were like, make sure use a VPN on a public Wi Fi. And I was like, Interesting.

Ralph

This is sponsored by NordVPN.

Megan

Also, like, if you set up your own networks and want to put in a guest, just start doing VLANs, like really well.

John Strand

So I agree with that. But my problem with that is, is that something that you can roll out to coffee shops, is that something that you can roll out to general home users? And I think the answer is no. But still, like I said, I loved it from a technical perspective. But there was, like I said, I was like three quarters of the way through the write up, they, they literally just say all of this is like an absolute perfect storm of circumstances for this attack to work. But still, it was an interesting read.

Ralph

Yeah, I think this kind of academic research is really important. I mean, it's kind of like all the brutal SSL version 2 and like, like fundamental encryption adding attacks.

John Strand

Yeah.

Ralph

Yes. Like, it's like it, it matters and I'm glad someone's working on it. But also like for those, you know, for those of us like me, who are just like computer, go burr, like, hopefully someone will fix this in Wi Fi 4.

Wade

The other one too recently was the password one too. Right. The password managers and the whole attack was if they compromise the entire company, 1Password, what could you do?

Ashley

A lot.

Ralph

Wade has that.

Bronwyn

Don't talk about that. All right, all right, roll the finger.

John Strand

Let's dwell on that. For a few minutes.

Ralph

Wade's like, I'm on paternity leave you.

John Strand

I think that. But I think that those types of conversations are important because this goes back to the article we were talking. Whenever you have a website, totally not one password, by the way, but when you have websites and you have services that are like, we want driver's licenses and passports for all of our customers, these questions I think are valid questions at some point. That's why really good firms like 1Password. They actually do have a security section where you can see like who's done the pen test, letter of attestation. So you can see that they are actually getting tested on semi regular basis. See, Wade, I'm helping out.

Bronwyn

Thank you. Thank you. Yes, that is, that is there. And sometimes I don't know how to feel about that. But it is good for the consumer. It does make my job everybody.

John Strand

Wade.

Bronwyn

It does make my job harder. But yes, you are correct. I agree.

Ralph

Yeah.

Bronwyn

Ralph and I had a lot a lengthy discussion about a password manager vulnerability that came out and luckily I was not on call. So that's the great.

Ralph

I mean it's kind of at the

Ashley

end of the day, using a password manager is better than not using one, correct?

John Strand

Agreed. Agreed.

Ashley

Can it get popped? Well, yeah, everything can get popped sooner or later, yes.

Ralph

That's why I only use transport over carrier pigeons, which so far there's no. Any, none of these attacks work.

John Strand

That's not true. That's absolutely wrong. Before we, before we shut down, before we shut down, you need to understand that the AV and transport protocol as many of the exact same vulnerabilities that exist in a number of other protocols. For example, whenever you're going IP over carrier pigeon during hunting season, you may drop a few packets.

Ashley

Just say.

John Strand

The other thing to keep in mind is what do you call, what do you call a pigeon in a blender? Fragmentation reassemblies a ditch. And with that, take us out, man. Appreciate it.

Ashley

Bye.

Wade

It.