John Strand

I've got a couple of good ones today.

Wade Woolwine

Pokemon Go players. Unwillingly trained delivery robots with 30 billion images. Like, am I surprised? No, that was amazing.

Chad Skipper

The way they did that was great. And that's been a story, I think five or six times in the last couple years. It's really fun.

Alex Horan

Yeah, I, I thought I've heard this story before.

Ralph

Yeah, yeah.

Hayden

I still just love all the delve stuff. That just cracks me up so bad.

John Strand

Well, we're live. Well, that's good. I see a stream. Get this whole, this video and audio thing down someday.

Wade Woolwine

How long has it been, John? Like

John Strand

since 2008. It's been a while.

Wade Woolwine

I believe in you. It's easier than printers now, at least. Like I remember days like trying to get a webcam to work with. So rough. Like trying to go using my PS5, my PS2 webcam on my computer. That was, that was a fun one.

Ralph

You had a PS2, like the port, like the serial port webcam. Like that was good enough.

Wade Woolwine

I don't remember, I want to say it was usb.

Ralph

Yeah, I believe that one.

Wade Woolwine

Yeah.

John Strand

Yeah.

Wade Woolwine

And I. It was for one of like the, one of the videos where they actually tracked you and you could play games and then we never played it. And then I was like, I wonder if this can work on a computer. And slowly went down.

Ralph

What was the Microsoft like video chat program? The very first one called? Um. Dang it. What was it called? No, no, look it up. I remember using that. It was, it was bad.

Wade Woolwine

It was, I used some.

Ralph

It was like Windows 95 bad. Like that's. We're, we're going back there.

Wade Woolwine

I'm not going to mention the websites I was on.

John Strand

It was not the best at those times. No.

Wade Woolwine

This is in the golden times of the Internet. Right. This is. I mean stuff was still dark.

Ralph

Stuff was still dark.

John Strand

I.

Ralph

All I was on was AOL in the dial up days. Like this was like before the transition to the like the full Internet, you know. And there's. Yeah, it was debauchery.

John Strand

I still, I still maintain the Internet was better back then.

Ralph

One isp.

Alex Horan

So many niche stuff that like you just can't, you just can't. You just can't find anything like that any anymore. I mean like I remember thorough blueprints of like very out there Star Trek shot, you know, ships. And it's like nowadays it's like, well if you want that, like it's gonna be like a, you know, 9.99amonth subscription and maybe for a premium you can get Access to the blueprints on this one ship that appeared from this episode. It's like, that was all free back in 95. Somebody was way too much time and, like, a CAD program.

John Strand

Well, the Internet sucks. Is that the.

Wade Woolwine

Is that the I will ad. I would. I was reading the news, and I didn't realize I had opened the AI part. And I'm just going through it. I'm like, why is every article just AI? Like, I'm like, I want to talk about something other than that. And then I'm like, no, okay.

John Strand

Yeah.

Ralph

It's just all emojis and em dashes from here, my friend.

Wade Woolwine

There's. There's bullet points.

John Strand

Three every. It's like, why is there always three bullet points and everything?

Ralph

Oh, that.

Wade Woolwine

That's a good. I'm gonna have to go change my slides. I'll be right back.

Ralph

All my slides ruined.

Hayden

We can just trade slides. Wade. I'm sure we. We both probably almost wrote the other topic.

Wade Woolwine

We could. That would be. That would be pretty good.

Hayden

That'd be really funny.

John Strand

It's one of those, like, when you're doing cons, like, slide roulette can be one of the best things at the con, and it can also be some of the worst that happens. Bruce. I think it was at Shmoocon years ago, Kevin Johnson got Women of the tsa, and it was just nothing but, like, the X ray pictures, and it was so epic. He did such a great job of that. There were so many people that were so offended. But most of the time, what happens at a con is someone just looks at the slide and they're like,

Ralph

Yeah.

Alex Horan

I mean, credit for at least making it work. Like, even if it is.

Ralph

Yeah.

Alex Horan

You didn't make everybody in the room happy. You at least did something more than, you know, stare at it.

Ralph

Yeah. Never say die.

John Strand

Never say die.

Bruce

Yeah. It's a real art to. I mean, honestly, like, I've seen, you know, 90 of them have just been awful, and you got to go in. Like, I go into them with, like, a game plan. Like, whatever. It's just like, a media training. Like, you answer the question that you wish they'd asked you. Do you. You give a slide presentation you wish they had given you, and then you just tie it in and it works out. And that's better than trying to work the slides.

John Strand

We did one Bsides charm where it was all AI Generated slides. This was. I want to say it was four years ago. The AI generated slides were flat out terrifying. Like, they were putting in prompts to come up the slides. Like multiple reasons why all humans should be exterminated. And AI was generating the pictures with the justification. It was like, now we got guard rails.

Ralph

Guard rails.

John Strand

All right, everybody, let's get started. Ryan, bring out the crooked finger. Let's get rolling. Here we go. Hello and welcome to another edition of Talking About News. My name is John Strand and I'm joined by a whole bunch of other people. This is in Zoom. So the coordination is a little bit different for us because we're trying a new platform here. But we have a number of different stories. From federal experts officially declaring that Microsoft's cloud is a pile of shit. AI companies training in classified environments. What can go wrong? BHIS finds all kinds of like AI chatbot data exposed. We have intune issues. More CISA stuff. I'm going to rant on CISA and their kev cake, whatever they're commonly exploited database. We've got a lot going on. Let's go ahead and get started. Ralph, do you want to pick the first story, sir?

Ralph

Oh, wow.

John Strand

Because you were talking, you had one that you thought was pretty, pretty good. So do you have one? Because there's a lot here. So I'm kicking it over to you, man. What do you want to start with?

Ralph

Oh, let's. Do you. Do you actually want to start off with your own. With your own, like Bhis little.

John Strand

Let's talk about. Let's talk about. Oh, okay. You want to talk about Jeremiah. So, yeah, basically Jeremiah spends a lot of time. So Jeremiah Fowler has been with us for a little while at bhis and he spends a lot of time specifically going through and trying to identify exposed like databases and things that might be useful in what's going on in Ukraine and Russia because he has family ties there. And he stumbles across some pretty terrifying things every once in a while. And this one, he was able to identify a bunch of phone calls where the audio was recorded and was exposed to the open Internet. And then he started, you know, kind of working with that. And this one kind of scares me the whole like whenever you're calling in and it's like, this will be shared for equality assurance purposes and also marketing of a security firm. At some point in the future, I

Ralph

was going to say, the rest of the Internet will be shared with.

John Strand

Rest will be shared. It's like they say, whatever happens in Vegas stays in Vegas isn't as prom and shared with everybody. I just. And it's like this. Jeremiah Fowler was surprised. It takes a lot to surprise Jeremiah these days. But is this really all that much of a surprise? I mean, the type of data it is, the chatbot data. I guess it's kind of novel in that respect, but what is it? It's 1.4 million audio files, and then the plain text transcripts basically out there as well.

Ralph

So it looked like. Just reading between the lines here, this was a web interface that went to. Or a CV file or CSV file. Excuse me. And in that file were a bunch of URLs for audio files and chat history. Right.

John Strand

And let's not forget, the most surprising thing about this is apparently Sears still exists.

Alex Horan

There's that there. There was also the.

Bruce

That.

Alex Horan

The ambient audio right there. That.

Ralph

Yeah, the ambient audio.

Alex Horan

You thought the call had ended, and then you're still. I don't think.

John Strand

Okay.

Ralph

Was it a phone call, or was it over, like, a web browser?

John Strand

No, no, it's a phone call. You could literally hear the ambient conversations. And I don't know if you all have noticed this, but there's a certain percentage of people that when you're talking to them on the phone, they expect you to hang up.

Ralph

Oh, yeah, that's my wife.

John Strand

If you just don't hang up, they, like, set their phone down and walk away. I don't know what percentage of the population that actually is, but apparently there was a handful of those like that where they just stopped and they expected the serious chat bot to hang up.

Hayden

What a life to live.

Alex Horan

I know, right?

Ralph

I did think it was funny, though, because, like, the one thing it did say in the article was that, like, we're reading into some of these conversations. The bot would be. Or the AI would be like, I totally can help you. You don't need an agent. And then fail at helping them and then say, we're gonna send you to an agent.

John Strand

And people got increasingly more angry and aggressive with Samantha saying, I want to talk to a person. Yeah, I need a technician.

Ralph

How.

Alex Horan

How.

Wade Woolwine

How much data was this? Like, it doesn't say in size.

John Strand

Like, you would have 3.7 million chat logs and 1.4 million audio.

Wade Woolwine

Audio files, which is a lot. Like, I'm just surprised that you just let storage overflow that much. Does that just mean. No. Like,

John Strand

a long time there.

Wade Woolwine

Sears is hurting for money, for sure. Like, no one's watching those storage fees.

Hayden

They're cold storage.

Ralph

Well, obviously, nobody's watching anything over there. Okay. Like, nobody. Nobody cares. Like, they set it up, they sold it, and they were like, okay, we'll just forget about it, I guess. Right? I mean, that's, well, that.

John Strand

But okay, so that gets into a larger issue. Like, you know, I talked about this, I think in previous episodes talking about the coming SaaS apocalypse, right? Because anybody can develop any, well, not anybody, but any medium to large size organization can look at the SaaS products that they have and they can very quickly develop their own products utilizing AI and many times poorly. So now instead of somebody buying and like everybody kind of coalescing around one SaaS offering, now all of a sudden people can just start creating their own crap SaaS offerings. And these things don't die, they don't go away, they don't get patched, they don't get updated, they don't get looked at. And that's one of the reasons why when we're looking at computer security, I hate a lot of people in security, like, oh, AI, it's the end of security. I'm like, are you out of your freaking mind? It's just moving the technology profile a little bit more and there's going to be a lot more of stuff this because, you know, there's a bunch of custom software underneath this that was just absolute garbage.

Ralph

Essentially. What, what you're saying is from a high level you can develop quickly and you're just going for your customer. Not to say you should or shouldn't, right? Just that you can. You, like most of these founders have an idea and they're like, let's build this as fast as possible and then they can build it really fast and then they get it out there, they get those customers. But security is kind of like, well, what?

Hayden

Yeah, that's like a trend with all the AI providers right now. They all have some product that's brand new and very expensive that does security audits and security reviews. And like Anthropic came out with one recently and it was like atrociously expensive per like PR review because they're running so many different agents on it. But at a certain point, like you can build anything, like we talked about that some last week.

John Strand

But also should you?

Hayden

Should you? And I guess it depends, like, is it more costly to get breached or more costly to buy this tool? Like, which one is worse?

John Strand

And I want to bring Bruce in on this, right? Because I remember years and years ago there was lots of conversations, especially in the early web days, where it was like, no, anytime you get an urge to say I'm going to redevelop an entire package from scratch and not go with an open source product, you were told, don't do that. Lay down on the ground and then take a breath and wait for the urge to pass. Now all of a sudden, those guardrails are gone, man. Like, it's just flat out so fast that people can do this, and I don't think we can fight it. And also going back to what Hayden was just talking about, I don't know if the code that for, like, traditional companies, SaaS, companies that are out there, is going to be that much better than the crap that people are going to produce anyway.

Bruce

Yeah, I think that's the unfortunate reality is, like, you know, software development has not evolved all that far in the last 25 years when it comes to software assurance and code quality. I will say, like, I think what. What's interesting is, like, if you can vibe code an app, you can use that same technology to, like, do the assessment for you and try to help you do it more securely and that kind of thing. And the models have been trained reasonably well against that stuff. And I've seen, at least with the people I've talked to, pretty good results. But you have to be thinking, like, I have to care about not just the functionality, but the security of the thing. And this is where like, the 8020 rule kicks in. Like, people are like, I got 8% there. It works. I'll ship it. We'll see what happens. And that 20% is the part that's going to kill you, right?

Hayden

And that's the big crossover. Like, there's probably not a huge crossover between the people that are like, I'm going to spin up Claude code and build an app real quick, and the people that actually want to do security, that may not be instant and very quick either. Like, that's not a big, big, big diagram.

Wade Woolwine

You just, you just. That's me. That's me.

John Strand

But I'm gonna say that. I'm gonna say that security is still hard. And the reason why I'm gonna say that is like, an app is just not its code, it's the ecosystem that it's running in, right? Like, a lot of these vulnerabilities are more like infrastructure style vulnerabilities that come back and bite someone in the ass. Or like, like, like, you can have. Your code is really good, but if you're shuttling that data that is produced off to somebody else's platform, we see time and time again where third parties are getting bre. Other point about it is you may be, let's say you code something fantastic today, right? It's done perfect. You lock it into a time box and then you open it up two years from now, it's going to be hideously insecure. And it comes back to the hygiene associated with security is still very much missing. Right. We're still back into the it works. This developer that's a cousin of mine put this thing together. It looks great. Let's get it out there. You're still not part of the hygiene. And making sure that the libraries are up to date and any new security vulnerabilities and infrastructure structure don't have vulnerabilities that are showing up on it as well. It's just like I said, people can make bad decisions faster now than they ever could before.

Alex Horan

Yeah, I think, I mean there's more to review them.

Bruce

Yeah. And I think there's the non functional requirements of the system have always been the ephemeral thing that requires like you know, skill and experience and whatever to figure out. And the functional requirements are like, I made an address book. You know, people can build that and understand it, but performance and security and scalability, that still requires expertise, even if the AI is writing the code. Like it requires the guidance from someone who's been there and done that before to guide the system to the right place.

John Strand

Yeah. All right, I got another story. This one cracked me up and there's a couple of really painful stories this week. I just shared it in chat, Ryan. This one is federal cyber experts called Microsoft's cloud a pile of shit and improve approved it. Anyway, the reason why this hurts for me is I've been part of these conversations in the government and what they're predominantly talking about is they kept asking Microsoft questions like how does end to end encryption work? Is it actually end to end encrypted? Can you prove it? Can we get some documentation? Can we see how it works on the back end? And Microsoft could not answer a whole bunch of these different questions and refused to answer these questions and then provided documentation that was subpar and it was just bad all the way through. And having worked on the government side and dod, I've seen this again and again and again where you sit down and you ask a very large vendor. Back in the day, it was Oracle for me. Oracle was hideous to work with on this stuff. It was like, screw, you were Oracle. And they just refused to answer any questions. And then once again, no one gets fired for hiring IBM, no one gets fired for hiring Oracle, no one gets fired for hiring Microsoft. And it went through. And I'd like to get you guys take on this particular story and like your experience on this as Well, I,

Hayden

I have a quick point I want to make is the, the headline is very sensational. It is in like the first couple paragraphs where it mentions like when they call it a piece of shit. They're talking about the documentation that Microsoft provided them and the answers to their questions. I will withhold my opinion on Microsoft's platform, but that, that is the part they're calling a piece of shit.

Ralph

I feel like, all right, we talked about the two things about programming that are difficult, right? Like the design and then scalability. So I think, and I believe that whenever you get at the scale of Microsoft, doing security at scale gets really difficult as well. Right. Especially when we're dealing with tons of data and at the end of the day they're looking at how do we make money? So they're going to take shortcuts to allow that to happen. While, you know, hope having enough security, like enough is, you know, at scale. And that's probably what we're looking at here. Here too with the documentation not having all of this stuff, you know, different groups and people all working on it and it kind of got broken into pieces.

Hayden

So it's good to hear that even Microsoft has problems doing their diagrams and everything too.

Bruce

Well, Microsoft is a 50 year old company. Yeah, I mean seriously, I saw that the other day and I wrote Vizio. It's crazy. They wrote Vizio and you know, the tale that they have and they brought with them to the cloud is really long, you know, and I think it shows when you compare them to the other large cloud infrastructure providers. Like you can see the age in the system from the documentation all the way down to the technology.

Ralph

Well, the other thing too is that most people don't probably go through the whole process of the Fedramp stuff, right? So they spend all this time building out all of this essentially documentation and how it should be secured. Microsoft probably didn't do that when they built this. They were just trying to build it and then eventually got to that point and now that they get all this documentation they're like, like ah, I don't think anyone's gonna ask these questions.

Wade Woolwine

I think I've been at a couple companies now that have tried to go Fedramp. And the keyword there is tried, right? Like from my experience from smaller companies, it is a difficult thing. So to hear that like it's not surprised that Microsoft got passed on it, but I'm sure like the bar is high. I guess John, you would know that more than I, because I, I never actually got to Work at a Fedramp organization.

John Strand

But I have a friend that's trying to just develop. He's a very small, small, small shop. It's basically him and a couple of other developers and they're trying to do like all the stuff fedrack Fedramp compliant and it's conflicting, it's will break a lot of the stuff that's in the cloud. And he's pretty much given up on it, but it's become like a pet project of his. He's like, nah, I'm gonna get this. But his takeaway from that is anybody comes to you and says they're completely Fedramp compliant, they're liars. And that's how they got Fedram compliant in the first place.

Ralph

I just remember doing the Stig hardening guides for systems, right? And the reason I bring this up is because if you go through and apply everything in the guide, the thing just won't work anymore.

John Strand

Yeah. So they had something a long time ago called the DISA gold disks. So you put in this ISO, you burnt this ISO to a CD and then you ran the DISA gold disk for Microsoft or whatever, Linux or Solaris and it literally had this wonderful button that was like apply Stigs and you could click that button, apply all the configuration and you could not log into it. And I was on a project, I'm going to talk about the. It's kind of weird, but the, the next story that's going to be coming up, you know, training classified data and class Classified data and AI. And we had a da. It was a designated programming authority and a PA Programming Authority rep come in and they basically sat down at all the systems and I went through and I tuned all of this crap, made sure system still worked. And these two guys showed up and they just hit that button and they nuked our systems, right. Like nothing worked. And it turned into this huge thing was like, you know, I got blamed initially. Well, he didn't secure it hard enough. I'm like, doesn't matter at default out of the box it bricks it. And I had to demonstrate that.

Ralph

But yes, and,

Alex Horan

and I remember on those that you also had like the, like the. Some of supplemental test plans. And that's where it seems so relevant here that it's like it's difficult to be that momentum against what like just the standard is. Because even with the test plans, when you say, hey, here's this thing that is not secure, like it's a new thing, it's an emerging thing, you know, it's a problem here. I can show you on the server that we don't have this secured. If it wasn't part of the current test plan, they're like, don't worry about it. It's.

John Strand

Yeah, well, that was all.

Alex Horan

And so, and then lo and behold, like four months later, they're like, this is now part of the current test plan. Drop everything and fix this. And you're like, that's the thing that I talked about four months ago that I said, hey, as long as we're in here, why don't we patch this thing? And it's like, no, it's, don't, don't be an instigator, Alex. Like just coming back around this time with the, you know, hey, this isn't. This stuff is, you know, like, you know, as I said, you know, it's a pile of shit. And it's like, well, don't be an instigator. Just sign off on it. Don't be the first person to push against the norm. The norm is just accept this, go with it.

John Strand

Well, in kind of like the piggybacking on top of what Bruce said, like, Microsoft has this huge amount of baggage it carries with it and a lot of it it doesn't even know. One of my favorite stories is the people that were coming up with Samba years ago. They were trying to come up with something that would be compatible and communicating with Windows systems. And they had no idea like Landman was working, right? And they had no idea how net NTL and V2 worked and all of this different stuff. And they were talking about going through like a memory dump of Windows computer system because they were trying to find a key that that Landman was using. Basically they were trying to figure out how it was using DES to encrypt it was using your password as a password to encrypt a string. And they didn't know what that string was. And they're going through memory and they saw KGS exclamation point at pound dollar sign and they're like, like, is that it? And it turns out it was. And rumor has it that was the initials K SG or KGS was the initials of the guy that wrote that protocol at Microsoft. And the point was no one knew. And they think that that was his password, that he literally hard coded it so it used your password to encrypt that string using des for landman with net ntlm v2. Going back to that again, there's a whole bunch of fields in that protocol. No one knows what the hell they do. And I was talking to some Microsoft engineers. They'll like, look, if we have to figure out how something works of ours, we go look at other people's documentation that has reverse engineered it because we don't have that documentation in play. And going back, Alex, you know, we talk about, you know, things being ignored. I keep telling people all the time, you know, in every security standard that exists on the face of the planet, right. I don't care if you're working CIS or you're working nist, they say absolutely no clear text authentication protocols. And Microsoft, Microsoft like net NTL MP2 is a clear text authentication protocol. If you look at how it works and how it actually runs, you have a challenge, an 8 byte challenge that is sent in the clear. The response with a password hash is sent and it uses the password hash as the verification mechanism. All of that is reversible, all of that is sniffable. But it's one of those things where you have to be like, we're just going to pretend everything's okay because of the legacy technologies because if you start trying to peel back that and trying to fix it, you're basically going to shut down Windows completely from a lot of these things. So this is tough with legacy technologies that has this huge amount of baggage that they continue to carry forward.

Ralph

So Microsoft is junk. But we have a solution. We have a solution and that is to use AI for classified data.

Alex Horan

Yep.

Wade Woolwine

I thought you were going to say just lie.

John Strand

Oh my God.

Wade Woolwine

I thought you were going to say just lie on audio.

John Strand

I know, right? I think my word count on this episode is already exceedingly high. Do you want to take this one?

Ralph

Yeah. So genicon is planning for AI companies to train on classified data. Right. So that's the article and the wild part about this is classified. So supposedly they're supposed to be using classified data centers for this obviously to house this classified data. And then they're going to train on it. Right. That's the big idea. But it seems like the beginning of Terminator. I just feel like that was the whole thing. They gave the machines access to the military and all of this information. I know, I'm kind of joking around that, but I guess obviously they have a Claude Gov and other things to isolate these things out. But yeah. What do you guys think about this? Or even the idea of classified information with AI? Right.

Bruce

I think there's a real challenge around access control. I mean, it kind of ignore the moral issues of what they could do with it and whatever for a Second but you know, classified information access is really, you know, geared around, you know, need to know and there's, it is far and away the most complex, you know, tagging and you know, kind of compartmentalized universe that's ever been created by mankind. And at the end of the day like you know, these LLMs have shown that if you ask them the right questions they will regurgitate the training material that they were given. Right. And so I think that there's this question of like how do you protect need to know classified information? If you can just ask the LLM the right thing, how are they going to actually constrain that? I don't know that there's at least publicly been a lot of discussion around how they're going to enforce that.

Wade Woolwine

There's a couple of products out there that right now take all your data, all your notes and all your information and then supposedly give it back to you if you have access to it. Think about it as a like one stop shop for your entire order. I have seen it both work and of course not work and give notes on a particular document that a user wasn't supposed to have access to. But then also same thing with like Slack messages and, or group channels and stuff like that. I'm kind of interested to see what they do with the security because I think if they can implement some like. Exactly. Access control policy it would, it would trickle down to the public sector. It would be pretty cool.

Ralph

So just for, just to like level the field right before we get into like they. The government has been doing AI kind of adjacent stuff with classified information. Right. Like just databases full of this to try to analyze as fast as they can. So like none of this is necessarily new. I think the new part is just how good these models are and the fact that they weren't developed specifically in the government. Right.

Hayden

So and it has to be like, like. Well maybe I'm giving them too much credit. I was going to say it has to be like a calculated risk of some of our theoretically most valuable information is going to be classified in some way. And we want to use these models for warfare. So like if we can give them access to this to train on it, whatever bad could come out of that is theoretically offset by the good we can do with a model that knows how to, you know, overthrow governments and things. It's just, I can understand the reasoning behind it. It doesn't mean that I don't, I don't necessarily think it's a good idea.

John Strand

I, I think it's A fantastic idea. And I know that that seems weird because I'm usually uber paranoid. Chad just tilts at his head. Let me, let me explain why. I, I think it's a fantastic idea. Now, there's specific utilization of what I'm talking about. I'm not talking about, let's have it make decisions to kill people. Once again, I'm with Anthropic on that. We should not have AI making those decisions.

Ralph

It would definitely not kill us. So.

John Strand

But I want you guys to think of a, a scenario. Let's say that there's an ARM sale for x Number of AK47s from an African nation buying it from North Korea, right? And I want you to look at all the different types of ints to basically let us know, like the intelligent sources that you would get, right? You would have humid, right? You would have human intelligence saying that this deal is going down. You would have sigint where you'd be able to identify and track, you know, what is the shipping within North Korea, going to this specific ship that's going to be moving across the ocean and tracking that ship. You would have all kinds of different, like geoint, where you can actually see that you would also have financial intelligence. And that financial intelligence can be part of the banking system. And it can also be cryptocurrency transfer, where you know, roughly this is how much this many AK47s costs. We've seen this transfer and this much Bitcoin from this wallet to this wallet, correlating to all of this stuff. Now if you take all of those different things, right? In hindsight, when you see that you can pull all of those data sources together and you can see it. And a really good example of this is go back and read the report on September 11th with kind of tracks like CIA had a lot of data, but it wasn't their job. And who they give it to, how would they give it to, what would be all of that? Now, all those ints that I talked about. When you're tracking sigint, you're tracking signals from literally billions of devices, right? When you're tracking financial information, whether or not you have warrants is a whole nother. Another series of conversations we can get into. You're tracking a lot of data, right? So AI is really good at these types of problems, right? I want you to be able to identify patterns like these following or 15 patterns we can train it on so it can start trying to identify these type of geopolitical and these types of criminal underground and these types of military actions. And that's fantastic. And that's specifically the area that I was working in. And it was literally just. Just thousands of people working their asses off, and they were only seeing one little tiny piece of the puzzle. Like, they would say, we just saw a massive amount of Bitcoin go from this wallet to this wallet. What the hell is this associated with? And if you had the financial side of it, you could say, well, that almost exact amount was transferred from this bank account in Switzerland to this bank account in Switzerland. Now we've tied those bank accounts to a bitcoin transfer. There's a lot to this that is very powerful. Powerful. And I can totally see how this would work for something like that. Now where it gets really scary is like Bruce was talking about. And, you know, Hayden had talked about it, right? How the hell are you going to secure AI data whenever it drops in? And you have multiple classifications of data, you're going to have to. Specifically, what Bruce was talking about would be like saps, our programs, special access programs that you have to be read in to get the data associated with that. And even whenever you're moving between the towers, you're moving between the CIA, the nsa, nro, they can all have data classified at top secret and maybe sci. That doesn't mean that anybody can read that SCI data. So that's where this gets really dicey. So there's applications where this makes absolute sense, and there's applications where I'm like, well, this is some of the most terrifying I've ever seen the agents asking

Wade Woolwine

each other,

Alex Horan

you know, with all the, you know, the assembly of all that data and it's looking at, at all the information. The question still is, or one of the questions is, how did you control for all, like, the inherent biases and all of, like, this historical data, you know, then make sure that it doesn't hallucinate things or it's not like a sycophant being like, well, I looked at all this and I'm not able to give you the answer that you want, but based on our history as a country and the things that we like to do when we can't find the answer, you know, or like you referenced, like, September 11th. They would probably put a lot of bias into some outcomes there as well. Is it going to look at the same things going on and going, you know, in the absence of anything definitive, I'm just going to kind of take a guess that's going to make my handlers happy. And here you go. This person is Good for it. There's an arms deal going on. Yeah. I'm going to kind of make some stuff up that there's so much data that who's going to go through and double check your work?

John Strand

I have no problem with that. Alex to. And the reason why I don't have a problem with that is that already exists today. When, when you're working in these intelligence places, you constantly have humans that bring those biases to the table. Where I agree with you 110% is you can hold somebody accountable. When it's AI, you don't have that level of.

Bruce

You don't.

Alex Horan

You can't check their work like a person. You can go, they can go. These are the things that I looked at. These are the conclusion. You go, oh, right here, this is where you made your error versus AI is going to be like, trust me. Because who's going through all those 10 decades worth of it's going to take you 10 years for a person to double check.

Hayden

Or you have another AI that factors

John Strand

or you have another, oh, there we go.

Alex Horan

What then happens if they disagree? Because AIs love to disagree.

Ralph

They will fight with each other.

Alex Horan

I'm like, oh my God. Except when you can't GPT and have anthropic look at it, they're going to

John Strand

be like, no grok makes the final call.

Ralph

Like the tiebreaker. Like I'm definitely blowing something up.

Hayden

Right. The strike.

Ralph

Launch it.

Alex Horan

Yeah, just jump, jump the Skynet. Just launch a strike.

Ralph

Yep. So speaking of strikes, so CISA I guess is urging Endpoint Management Systems for hardening after the cybersecurity attack, obviously against U.S. organizations. I think this is related to Stryker. Yeah, yeah, Stryker and the old Microsoft intune. I mean, you know, I definitely get the alert here. Right. I think it's just more, more, you know, more of a general thing to be like, hey, we're kind of under cyber attack for our organizations across America. Right. But yeah, Endpoint Management Systems are the, are the fun way to gain big access

Hayden

attack in a lot of ways. And I don't think they've really. I haven't been able to find anybody talk about how it happened because we talked about that with some of our SOC customers last week. And so all we could really do is talk about how that group normally gains access to an organization and we could give recommendations around that. But ultimately like the only thing we can talk about is how to make sure that they don't use your intune to destroy your own environment.

Bruce

Right.

Wade Woolwine

Looking at the steps that it would Take in order to do this and get to that level of access as well as then what does it look like when one of these does fire or like when a large amount of them all of a sudden start getting wiped?

Ralph

Right.

Wade Woolwine

That is, I've seen several conversations around that and like pretty much what are the triggers up to this final point, which for me this is destruction of data technique. Right. Which is honestly like by the time you're detecting that, you're kind of screwed.

Ralph

I mean, I've done this on multiple red teams where as soon as you get access to a privileged account in Azure, you'll see what if they have intune access or if they're using intune. That's a great way to spread quickly into the internal environment. So I mean it's been known for a while. Like you said though, how did they get that level of access so quickly? I think that's kind of like the shock. Shock.

John Strand

I, I, I think, I think the reason why we don't have that answer is I don't think they have the data. Yeah, it's one of those things where.

Ralph

Subscribe to the plus plus.

Alex Horan

Yeah.

John Strand

The logs that you need from Microsoft. Yeah, I, and this is a theme. Right. Like you can see how companies respond to breaches. They're like, we were compromised. This is how it came through. Usually I say we, we, we've brought on Mandiant or some other high.

Ralph

We brought on Google to secure Microsoft.

Alex Horan

What a.

John Strand

But they have like the flow of how it happened and that, you know, what are they doing to deal with it. A lot of the companies where they're just not saying how it happened, it's, it's scarier to me because that means they do not know.

Wade Woolwine

Thinking about it, thinking about like the last couple big name breaches, I haven't seen one of those reports in a while.

John Strand

While true.

Wade Woolwine

Right. Like full breakdown of ttps and what went through. Unless you're a customer of them and you're like screaming at them. That's the only time I've actually, besides maybe some of the Salesforce stuff that happened.

Ralph

Yeah, yeah.

Hayden

Like I was going to say. I just want to like almost theorize, like put on the tinfoil hat and say like, oh, they're trying to keep things secret. Like this is something that we also want to use too. And I doubt that's the case. But that's a good point, Wade is that's, that's becoming like a more recent trend with a couple of these big ones where it's like, how did this happen?

Ralph

We don't know.

Hayden

But here's everything that happened afterwards.

Wade Woolwine

Like you take your credit monitoring and go away pretty.

Hayden

Yeah, exactly right.

John Strand

You went into the wrong business. I should have started a credit monitoring company. Because they always win.

Ralph

They always win. They always get paid, right? They always get paid. I was also going to bring up the other thing, not to roll back to AIs, but I think this does go to. To hardening, which is passwords. Right. So we had another article in here about AI generated passwords. I guess people are using their assistant to ask for passwords, right?

John Strand

Oh, no.

Ralph

Yes. Yeah. And so if you don't know the magic of AI systems or LLMs is pattern recognition. Okay. They inherently create patterns, right? And when you have a password, you want it to be. Be random. As random as possible. Right? So how can I say this? Don't do that.

John Strand

I think it's fine. I disagree. I'm being very contrarian today. I think it's fine. If you call up Sears and you ask, it's Chatbot, what does it recommend for?

Hayden

It's got plenty of data to pull from.

Ralph

It's got so much data.

John Strand

If you asked it for a 64

Wade Woolwine

digit character password, right? Like, like, yeah, in the end game, unless they get access to your chat logs, that. Does that matter?

Hayden

Never happen. Never.

Chad Skipper

But we also convinced everybody that like, passphrases are the vibe. So if we're doing shitty poetry the

Wade Woolwine

whole time, like, you got MFA installed. You're cool, bro.

John Strand

Are you, are you Reagan on emo? Are you raging on emo password security?

Chad Skipper

Listen, I don't think generative models are good at emo lyrics yet.

John Strand

Not yet. Emo's not debt.

Ralph

So I, I think the, the bigger thing is don't, don't try to use LLM to like generate secure stuff for you, you know, I didn't know that had to be said, but I guess it does. And so don't do it.

Wade Woolwine

The bar is like here.

Hayden

Password managers are so easy now. Like, you go to log in and it's like, do you want us to log in and create your account and save everything for you? And then like, it'll probably be done. Yeah, it's like as long as you pay US$30 a year, we'll like show up at your house and give you a hug at the end of it all. Like, like it's. The bar's there asking chat GPT like 5.1 for your password or whatever.

John Strand

You know what, I'm, I'm just going to say this is another good idea. Because when I work with my family and they get breached or family and friends and it's almost always the same thing. They're like, my PayPal got hacked. I'm like, well, did you have two factor on? No, no. I know you. You told us about that at Thanksgiving. You went on this long thing. I didn't do that. And I'm like, what, what was your password? Well, I named it. Was. Was my name. My dog.

Alex Horan

Look,

John Strand

I can't help but think that chat GPT would give you better password options.

Wade Woolwine

Right?

Bruce

True.

Alex Horan

That's true.

John Strand

Oh, man, I haven't pitched about that in a long time on this show. I haven't had any. I think my family members now know not to go to me. They're like, you know what you need to do? You need to talk to John. They're like, hell no. Don't talk to John.

Ralph

Do not tell him they can have all my money. I don't want to go through that.

John Strand

I don't want to talk.

Hayden

I told him.

John Strand

He talked about it on his podcast, Judgy. I went through and explained everything about how I didn't listen to.

Wade Woolwine

Didn't want to like, the. The regulatory people change their password. Who, who is the one. The one people you always hit on for always having a short password.

John Strand

Oh, goddamn PCI. They did, but I think they went to like 12 characters instead. For those of you that don't know, I, you know, this has been one of the things I've been ranting against for a long time. It was like up until like last year, year that PCI finally upped their password complexity requirements from seven characters. I think they did it to 12 characters, which is still bad. Right? And the reason why I hate this so much is I, I think, I think Ralph was on a pen test when he was still at BHIS where we cracked like 90% of their passwords. And they were like, well, that can't be a finding. And we're like, why can't that be a critical finding? Like, well, because we're in compliant with pci. Like, you don't understand. It's just nerve wracking. And then I started calling it out and then I literally had people that would contact me be like, dude, you better not start beef with pci. Those people will destroy your life. I'm like, what? There's the PCI mafia and computer security. Like, I'm not that worried about that. But they finally updated. I don't even know Ralph. You got me on this tangent, so screw You. Yeah, it was Ralph. It was Ralph.

Ralph

It was, it was not me.

Wade Woolwine

It wasn't the person who works at a password company.

Ralph

It wasn't Mr. 1Password himself.

John Strand

Somebody else just mentioned the OSI model and completely send me into horde. Right? I. I just, I just, I hate it. And this I'm gonna get. So the next story I want to talk about, I just put this in. I. I hate this and I want to. Am I overthinking this? I hate the commonly exploited vulnerabilities from system cisa. I just, it makes me so mad because you have a whole bunch of organizations out there that don't patch it unless it shows up on CISA's commonly like Exploited vulnerabilities. And I think it's a few hundred right now. Like there's literally probably. I think maybe we have a million. I don't even know what tenable and Qualys and all these tools, how many vulnerabilities they're scanning for, but it's got to be hundreds of thousands, right? And the attackers are going to exploit any of them that show up in your environment. They're not going to be like, oh, well, it's not on the commonly exploited vulnerabilities. We're not going to exploit that. Dimitri. It's. It. It just makes me mad because there's so many organizations that are looking to meet the minimum and this is creating yet another minimum for them to meet. And I want to know, am I off base on this? I. I don't know.

Alex Horan

It.

Wade Woolwine

Yeah, I think we've gone over this before where we just need to have some company who just writes about vulnerabilities and then gets them to go viral. And then you just point at that article like, hey, look at this vlog vulnerabilities being like, submit a vulnerability here so we can write about it. So your company will see this article and then patch it. But I agree with you. Like this list. Like I, I've dealt with it too, and as like an intel side of it, right? I would then pivot and find other people writing articles or doing something if it's not on this list. Like, hey, here's seven other things. Just because it's not on system's list doesn't mean it's not.

Ralph

Screw it.

John Strand

Let's, let's. Let's vibe code this, this app. Let's start a startup right now. We're going to start this company where you pay us money, right? And then if you want something patched, you come to us and you say, Hey, I need an article saying that this is actively being exploited by the Russians, the Chinese. I needed to hit these following points to get management to agree. And then we will write that article and post.

Ralph

I will write that article

Wade Woolwine

to make whatever. But it was on revenue. Restream. That was the thing. We had Restream plugged in. Now, Hayden, I have to rewrite the bot for Zoom because we're doing it on Zoom today.

Hayden

We're Sock 2 compliant, I promise.

John Strand

And it's gonna post, it's gonna post it to, like, Instagram, Facebook, LinkedIn. It's gonna have like, influencers and Reddit. So it looks like it's a big, A big deal.

Bruce

So if, if I could interject, I think the one thing to keep in mind with Sizza, not to defend them necessarily, but I mean, their, their mission is protection of federal government assets and, and, and critical infrastructure and that kind of thing.

Alex Horan

Thing.

Bruce

And there's been a historic gap in the federal government around who's there to help the private sector and who's tracking it and whatever. And there's ISACs for kind of designated critical infrastructure verticals and that kind of thing. But in general, we look at CISA be like, come on, be better. And you poke it with a stick. But the reality is they're first and foremost trying to protect federal agencies and just telling them, like, these kids are like, you got to do this thing by this, this date. And that's why they issue it. And then private industry has been like, oh, we'll use that too. But it's a terrible barometer to your point for private industry, because attackers are going to, they're going to hack, right? Criminals are going to crime, and they're going to figure out the best way to do it. I mean, there is no federal agency that has the edict to protect the, you know, the citizenry and the, and the businesses at large.

Wade Woolwine

All right, I got it. I got it. So we do, we pull a card out of the Better Business Bureau and we become the private sector cybersecurity bureau, where people think we are good government, but we're really not.

Bruce

Yeah.

Wade Woolwine

You know what I mean?

Alex Horan

So, and for the, like, the CSIC cow, like, it depends on, like, what the capacity is of the organization. So I know we look at it from a lot of the organizations that have the capacity to do a lot of patching, and then they go, we can only. We're only going to patch like the CSIC hub stuff. But there are a lot of organizations, and I do this as like a Volunteer for the Wisconsin Cyber Response for team. We help out a lot of like, you know, school districts, local libraries, stuff like that. That they do not have a huge, huge amount of staff. They have a phishing incident. You have to explain a lot of the basics to them. Cisa Kev is going to be the same type of thing where you go, okay, where do you start with the patching? You got to start somewhere because you don't have the capacity to do a lot of patching. But yeah, we look at it from the viewpoint that, you know, yeah, you're you know, billion dollars dollar company that's just looking at the Cesar cows and going just patch those. That's bad.

John Strand

Something that also government agencies when we're testing like once again some of the stupid conversations we've had and once again I don't know why anyone does business with Bhis sometimes where we have these conversations, Chad's gonna take that, he's gonna cut it and that's going to be an advertising, right, it's gonna be a T shirt. But you know, with these federal agencies, once again they're like yeah, you exploited that. But it wasn't in the cab so we don't have to patch it. And I'm like what its point was, right? Like, and these, these are not conversations that happen a lot, but they do happen. And I don't know how we push past that. Right. How do we get people to stop constantly looking for the absolute minimum or do we just let nature take its course? Is it, is it like you know what, whatever hackers will show you the error of your ways in a matter of time. It's just fine to let that happen naturally.

Chad Skipper

I think that's true and what I've been thinking this whole time is there isn't a ground level for security for anyone. So if they pick the Kev, that's like pretty decent. Because I'm used to talking to like middle and smaller large size orgs that are like it's fine, it works. And that's like what I've talked about with aerospace people too. Like everybody's kind of mad that nobody thought about security for 30 years or something and now we're like whoopsies, now we can destroy universe by accident.

John Strand

Then you get into that cycle. Then you get into that cycle. It's like well, legacy technology all over ot. We haven't, we haven't done security. We haven't done security in 30 years and it break everything if we started now. So we're just going to continue not doing Security, because everything right is. Is on fire. So no, these are tough problems. It's like I had that one lady, she just got a CISO position at a very large company and I went down and visited her down in Tennessee and we did a security assessment of all of their apps and they had a ton of apps that were access data. You remember Access? You could publish a web page that had the access app quote unquote that you created. They had a bunch of mission critical web apps that were generated access databases. And like we found thousands of critical vulnerabilities. And she cleared the room and she's like, what, what do I do? And I'm like, here's what you do. You stay here for a year, go someplace else. Because the only way that this gets fixed fixed is if it all gets burned to the ground. And I just met your developers. That ain't happening. And that's exactly what she did. I mean, there's some times where you're just like, a purging fire would be a good thing in some organizations. Right. And I, and I think that we're getting into a situation where there's a lot of organizations that are doing things really, really, really, really well. And not everything is moving in that positive direction all the time. There's a bunch of organizations that are still doing things. Horrible.

Ralph

So I have b.

John Strand

We can convince your sisos to quit.

Hayden

Put that on a shirt.

Ralph

Put that on a shirt and wear it at a conference.

John Strand

Yeah.

Ralph

So normally we have a bunch of like breach stories. I did want to bring up just one breach story that I thought was somewhat interesting, mainly from the, the, the person and the size. So supposedly there was a massive China data leak of 10 petabytes of weapons testing data.

Wade Woolwine

Yeah.

Ralph

What I think is interesting is that we normally don't see like Chinese. The Chinese government usually getting breached.

Wade Woolwine

Right.

Ralph

At least. I just don't see it very often. I'm sure it's happened before, but 10 petabytes and they're like offering to sell it on Telegram. I'm like, where are you even storing that? We had the same problem.

Wade Woolwine

Let's do this.

Ralph

I think they're just making up numbers. This is like, who. Whose line is.

John Strand

That's got to be a made up number at that point.

Ralph

Yes.

Wade Woolwine

I bet $10 that this is gonna end up on like World of Tanks or.

Ralph

No, it's a thunder or something. Thunder.

Wade Woolwine

War of thunder. Thunder.

Ralph

That's where you go for all your military secrets. Don't ask me how I know, man.

John Strand

You think security Geeks are horrible to be around when they're arguing with each other. Those forms are awful.

Ralph

Oh yeah.

Wade Woolwine

I bet.

John Strand

You know, what is the range of this particular, like, vehicle? It's like. And they all fight to the death on that stuff.

Hayden

You gotta cite your sources.

Ralph

We do definitely have to cite your sources. Yeah. I just thought it was interesting the Not. Not the actual breach of what equates to just. It was from the National Supercomputing center in China. But just the amount of data supposedly much of it classified. I'm like, what? This is, I think pretty cool truck. Yeah.

Wade Woolwine

That's not seeing like Chinese breaches is just news bias. I'm sure they happen all the time and they get reported on.

Ralph

And China. You're also probably correct, right? Yeah. We're looking for something.

Wade Woolwine

I think the more important breach here that we didn't talk about was the Crunchyroll breach.

Ralph

Oh yeah, what happened?

John Strand

A lot of people.

Wade Woolwine

The Shiny Hunters are taking on the Weebs. That's all that's going on pretty much.

Hayden

I've seen so many posts that they're like, I was right to pirate all my anime.

Wade Woolwine

So pretty. It was a. A third party actor who had access to Crunchyroll's data, who is owned by Sony. I didn't know Sony owned Crunchyroll until this. Yeah, yeah. No clue. Right? It sounds like info stealer. To tell you the truth. They got third party got breached. That third party had access to Crunchyroll roll. Then they extracted. I think it was only around 100. Yeah, 100 gigabytes worth of data. IP addresses, email address, credit cards and PII.

Alex Horan

Right.

Wade Woolwine

Nothing too crazy, nothing too sensitive.

Ralph

But if you had your credit monitoring company, you'd be getting paid right now.

Wade Woolwine

They definitely know I watched only all of Attack on Titan now as well as I still need to catch up on Demon.

Ralph

All of your viewing history for the world.

John Strand

I got a question. Like, Attack on Titan and one piece. Like, do you. Do you ever like, say, okay, I'm going to sit down and watch this? And you realize they're into thousands of episodes and it's like, so for one piece for what?

Wade Woolwine

I will put this out there for one piece. There's actually a side one called One Pace that gets rid of all of the filler stories and it cuts down on the episode count quite a lot. I will put that.

John Strand

You need to send me a link for that.

Wade Woolwine

Yeah. Oh, read the manga. It's so much better.

John Strand

Wheel of Time or anything from.

Wade Woolwine

Oh my gosh. You just literally the only other I

John Strand

don't even know how people approach Warhammer 40,000. Or was it 40K or whatever. Like, yeah, it's like this seems like a lot of people are into this. How do I get started? And God forbid, do you talk to a fan? Once again, I'm sure the computer security people are like that. You're like, how should I get started in computer security? Well, the first thing that you got to understand is that absolutely nothing secure. You're lamp, your tv, your fridge, it's all spying on you, man. I'm just like, oh, God, Thanksgiving is ruined.

Alex Horan

There have been so many poor bartenders at security conferences where they're like, there's this awesome book on encryption and like all the mathematics and it's all written in like these algorithms and everything. The bartender is like, I. Oh, I hate this guy.

John Strand

This is horrible. So years ago at Sans, we were doing a conference at the Warden park and we were doing faculty Faculty Shot Fridays where we'd all go down during lunch and we'd take a shot, which was a horrible idea. We did that like once and it was over. And we were talking to him and the bartender was like, so what are you guys here for? What's the conference? And I'm like, oh, it's a computer security conference. And Bruce, because she's like, I was stuck here during a snowstorm with a bunch of security professionals and she went off on the Snowmageddon conference. And it's like, you people are awful. And I'm like, that's. That's great. That's us. We drink a lot. So apparently we ran them out of liquor.

Bruce

So, yeah, and they had to stay. They had to sleep in the hotel that year because nobody could get in or out. And so some people were on shift basically for like a day and a half during the Snowmageddon schmuckon.

Ralph

That was.

John Strand

That was one of my favorite. Actually, that was one of my favorite memories ever in computer security. Like walking across that bridge when there's no cars and it's like a foot and a half of snow and nothing. That was so cool. So I put one more in Dark Sword iOS exploit chain. When Google does a write up, they do a write up. Holy crap. I just put this in chat and they're going through this entire toolkit that you can get specifically targeting iOS and it has exploits in it for like, you know, what is it? Snapchat, I think was one of them. In here, there's all kinds. It's just a. Just. This makes me cry with Joy, Whenever I see this level of writing, kind of breaking down these particular kits and all the different aspects of it, but this particular exploit, they think it's associated with Russia. I find it interesting that they can't directly attribute it to any threat actor, but it's been used in Saudi Arabia, Turkey, Malaysia and Ukraine. Ukraine. I had seen some people talking about it saying, yeah, it looks like it's Russia. Other people think it might be an Israeli kit that's being used. But you know, Basically going after iOS versions 18.4 to 18.7 has six different vulnerabilities to deploy a number of different malware families. The malware families are Ghost Blade, Ghost Knife and Ghost Saber. Mirrors the Cortana iOS exploitation kit as well, which was. I believe that that one was confirmed as Russian, but I'm not 100% certain on that. But just a really nice write up on this. And the delivery mechanisms like I always kind of talk about the NSO group and how delivery mechanisms that we see in a lot of these nation state level boils down to utilizing ad delivery networks and the complications of actually doing that are pretty substantial. But a really great article of, you know how these work and thing that I keep coming back to. They have all these IOCs and stuff. Anybody monitoring their mobile devices. Like, I mean do we have any logs that we're getting off them? Are we getting any endpoint protection on these devices? So we get all.

Wade Woolwine

We install iTune on everyone's iPhones and intune.

Ralph

My bad. You put itunes on there. Me too.

Wade Woolwine

What's the like. One of the first things I think I've always done when you get to a network is figure out what people's guest wi fi is and immediately take whatever that network is and do not alert on it. Because the amount of garbage when someone

John Strand

connects that gets bad things.

Wade Woolwine

There's. Yeah, there's no way like I put

Ralph

three EDRs on my iPhone. That's how you.

John Strand

That's how you keep up to date with it.

Ralph

And you got those run out of money.

John Strand

This one looks good. It's got five stars and four reviews. I'm sure it's.

Ralph

Well, I downloaded off the app Store. It said it was good to go. Like it said like secure your phone. I keep getting ads though.

Wade Woolwine

Yeah, this is a really dark sword and it's like icon.

Ralph

Yeah.

John Strand

What was it you remember when adblock plus got pulled? You know, adblock plus was trying to. It was proxying all the traffic through itself and they could filter out ads globally, not just in your browser on your device, but all ads in any app and Microsoft and Apple were like, no, not today, Satan. So I think it's very difficult for any application to get the level of visibility into a phone to do that level of security. Just because of the way their security models are built.

Ralph

Yeah, yeah, the phones are, the phones overall are pretty locked down. Even though there's definitely ways to abuse them, you know, and, and so are they though.

John Strand

I mean I, I, that's one of the things that bothers me. It's like, yeah, the phones are pretty locked down, yet we hear about these exploit kits, we hear about companies that are doing it and it's so locked, I think it's locked down. So security researchers have a hard time time like doing any security assessments in it, but is it just like. No, no, it's locked down. Trust us kids, it's fine. It's not like a general purpose computer where any kid with a dream who lives in Norway can start taking apart Apache. Right. It's, it's a little bit barrier to entry is a little bit higher like when, when.

Wade Woolwine

Hayden, have you ever seen mobile device logs? Forensics. That's not forensic, that's not the same. That's not the same. I mean, mean like that is, yeah, right. Like I would say there is like no security on cell phones whatsoever and that is like a ripe attack vector. Right? Because there's everything that's on your computer is going to be stored on there and as well as access to mfa. So you know what, I think the

Bruce

threat model is really, you know, onesie twosie. Right. Like you got to be a target. I think that, I mean to go all the way back to being in the show talking about compromised by intune. The only reason that's possible is because intune is installed at every endpoint and you pop the MDM and you just go own everything. You know, at least with cell phones, like it's trench warfare and you know, they gotta go like they have to be interested in you as a person and what you have access to to go get it and then they're gonna spend that and then they might get caught. Right. It's a really expensive and it's more intel than cybercrime, I think.

Wade Woolwine

I don't think so because we've seen enough info stealer malware where everyone gets it right. With different browsers. What if an info stealer malw cell phones? And then customs saw that. Right.

John Strand

But they do. And you know, when we're looking at the cost, I actually somewhat disagree Right. If you're a nation state level adversary, Right. And you're going after a particular organization, it becomes a lot easier like to target one of their systems administrators to gain access to their phone. That initial cost would be high as a per device calculation. But you can actually specifically target individuals that are host high value targets off the gate. And that's some of the things that we've seen. Like I said, I keep talking about like NSO groups capability of doing highly targeted malvertisements where you can identify a specific ad profile for a specific individual, you don't have to provide their name. So yeah, it's more expensive for exploiting per device but I think with some of the targeting tools that are out there they you get that return on investment a lot faster because you can target those specific individuals.

Alex Horan

Yeah, I was going to say like the able to, you know, move faster, faster, chain things better, you're able to make better use of it for get cash with AI and everything. Just making things move quicker. You're seeing a lot of the low vulnerabilities getting chained together and getting exploited.

John Strand

But either way, kind of getting back to the point in the logs though, Alex, we're still just sitting in a cave making shadow puppets on the wall. We don't have logs off of these devices. How can we make a determination one way or the other if we don't have visibility and if we don't have visibility into a particular part, do we have security? And you know, bhis we've got a huge amount of pushback. It's going to happen one way or the other. Folks where we are now, you are putting these, you're putting the security tools on your device or you're going to run a dedicated BIS device and then we have the visibility that we need. And that is such a cultural shock even for people in security to say wait a minute, I don't have full privacy on this. It's like no, if you have corporate data on it, I need to have visibility into that. Right. Either a, you're running one that I give you explicitly for this task or I'm going to put some software that gives me the visibility that I need to be able to see what's going on. But we're so caught up into like letting go of this, this, this binky shiny metal box that we have that we think is our universe that people, I don't even think they want to have visibility into it.

Alex Horan

The vast majority it needs that, that shift away from the I'm not a target like you understand there's like, that threat modeling. Don't. Don't be like, you know, sky is falling and everything. But it's just, if we don't have those logs, we don't have that visibility. If we don't know, how are we saying, like, hey, I'm not, you know, we're not targets. They're not interested in me.

John Strand

Like, okay, and we haven't gotten. And we haven't gotten into ads this time, Alex. Which is weird because you're on the show, and usually we go down that path. But the reason why they don't want us to have that visibility is because then we would have visibility into the amount of privacy violations that are happening on those devices. Because if I can hook at the kernel level, if I can hook and do full packet capture on what's going on and decrypt what's going on on this device, then you're going to know just exactly how much data Alexa and Siri and all this is getting up on you. Right?

Alex Horan

Exactly.

John Strand

Nobody wants to see that.

Alex Horan

A lot about you. And then when you're able to see those logs, everything that people have about you, then you go, hey, wait a minute. Maybe I am part of this threat model. Maybe we do have to start worrying about it. Maybe we do have to loosen our grip on that. That, you know, security blanket Chat.

Ralph

GPT is about to drop their ads. Everyone's about to start getting them.

Wade Woolwine

No, really? I didn't see that. Why. Why didn't we talk about that, like, next week?

John Strand

Next week?

Ralph

Yeah, they talked about the Super Bowl. They've been, like, hitting it hard, but, yeah, there's gonna be. Yeah, yeah.

John Strand

All right, we'll. We'll save that for next week. Hey, thank you, everybody, for coming. Let's bring out the crooked finger. Thank you so much. And we'll see you time next. Next week. All right.