Perplexity Stealth Crawlers Evade No-Crawl Directives - 2025-08-04 — Talkin' Bout [Infosec] News
John
I tell all my AIs to get rid of dashes when they write. Nobody knows anymore.
Bronwyn
You do it anyway. Yeah, like a freaking teenager.
John
Then you throw it in the ground.
Ralph
Testers. I was talking about report editing. I feel like some of our testers sometimes troll me and they put, like, em dashes in the... I think, I think Bronwyn's seen it, and it's like, what are you guys doing? Like, yeah, at least we hope that's what they're doing. They're trolling the owner of the company.
Bronwyn
Hey, at least, at least you're in their thoughts and minds.
Ralph
Yeah, that's what I'm. That's where I want to be in the back. I don't want to take hot takes about Palo Alto.
Derek
I was just waiting for the intro music. Yeah, I thought we were starting for real, so I was quiet.
John
I'd like to put it out there. Everyone stop texting me about if I'm in Vegas. All right? It's making me sad.
Ralph
I honestly.
John
Hey, it's a 40-minute flight for me, right? I could literally go there for the day and come back.
Ralph
But why Hacker Summer Camp.
Megan
Is going to counteract all those news stories that are out there about, like, why nobody's visiting Vegas. I don't know. Have you seen those where they show the footage of, like, every place being empty and nobody going anywhere? And then you're going to have this whole rush of, like, other influencers that are going to want to take the same thing. Yeah.
Ralph
What did all these middle-aged white dudes in black T-shirts show up from, like, exactly?
Derek
I was in Vegas back in April and I gotta say, it was far from empty. It was not empty at all. But I mean, hey, yeah, I don't.
Megan
Know where the story.
John
It's Russian propaganda.
Bronwyn
It can, it can still be.
Ralph
It can.
Bronwyn
There can still be people there and it still have a drop in revenues.
Ralph
People there or not. It still sucks either way.
Derek
Yeah.
Ralph
If I never go to Vegas again.
Bronwyn
DEF CON off my bucket list. I can die content as far as that particular issue.
Ralph
So the Spoon Man asked... Okay, so no. Is DEF CON worth it for the expert? You know what? Let's. Let's start the... We're going to start with this question. Let's start there. All right, Megan, let's do it. Hello and welcome to another edition of Black Hills Information Security. Talking about AI, apparently, because we're just going to get stuck on AI. We're probably going to do some DEF CON stuff. And yeah, it's going to be a show. We're going to talk about hacker news stories and stuff because that's what we do here. And for the record, yes, apparently I am this red. I've been working out in the sun. I'm out at the Sturgis rally right now in Sturgis, South Dakota, and I got a little bit too much sun, people. And as you know, if you work in IT, the sun is trying to kill you at all times. That's what I've been dealing with. We've got a really good group of people here today. And like I said, we're just going to get stuck on AI, and it's going to be the AI gear here. But before we get stuck in the AI gear, I really want to hit one of the questions that was asked. Oh, where did the question go? First up. Yes, first up, DEF CON is canceled. If you didn't get the news, we're going to be talking about that a little bit. But Spooner Man had a question: if DEF CON was not canceled, which it totally is, by the way, would it be worth going? I'm going to say, Bronwyn, you know, you said you checked it off your list. I say everybody in IT security should go at least once. It should be like... we should do like a... I don't know, we should make it like some kind of pilgrimage to the middle of the desert where infosec people all descend on Vegas, and then we walk around the building and we throw stones at vendors. Kind of what I'm thinking as a way that we could possibly do this to get the most out of it. But I'm just going to say, yeah, you absolutely should go at least once in your life. That's my take. We'll get some more hot DEF CON takes because it's freaking hot.
But it's canceled this year, so that's... That sucks for everybody. So, Bronwyn, what is your take? You said you got it off your list. Why? Like, you're happy that you went, clearly, but you're also kind of over it.
Bronwyn
Well, I mean, spending time with 25 to 30,000 of my nearest and dearest acquaintances... basically one of the main reasons I wouldn't go is that it is mega crowded, and going from highly air-conditioned inside casino places to outside where it's 106 degrees in the shade and back and forth just wreaks havoc with you physically. Pre-COVID I went, and when I got home I face-planted with con crud for two weeks.
Ralph
Yeah, that's. That's a good thing.
Bronwyn
Yeah. So it was a wonderful experience. I went when I was still very, very new, having just switched from web development into cybersecurity. I had a posse. I actually had two posses that. Yeah, because you set up two posses.
Ralph
At the same time in Vegas. Okay, carry on.
Bronwyn
Well, I mean, because I wanted to have people that I was connecting with, and I did have two separate groups that I... We were all checking out for each other. Women's groups, Women's Society of Cyberjutsu and cyber security. Matter of fact, that was why I went. Yeah, I won a raffle from the cyber security people. And it was wonderful. Great experience. Lots of opportunities to meet and connect with people. Lots of opportunities to get overloaded. And so self-care, both mentally and physically, is very important and very challenging. And that's another way where it matters to have at least one other person who can be there to check up on you. Aside from all of the other safety issues that come with being in Las
Ralph
Vegas, would know anything. Roofied twice. All right, what else? By the way, Florida Man Ralph, thanks for coming. What's your take? What's your take on DEF CON? Like?
Wade
Yeah, so I'll do it really fast.
Ralph
So I don't think we're using your main mic. I think we're using Mike someplace.
Wade
How about this one?
Ralph
There we go. Yeah, there we go.
Wade
So, all right, my quick take. If you have never gone, totally go. It is a shock-and-awe kind of experience. There's over 30,000 people there at DEF CON, so it's kind of wild. But if you are going to go, have a plan, right? There's just so much going on that if you don't have a plan, I feel like it's not that fun, right? Because you get confused about where to go, how to do this. So definitely have a plan. And the best way to experience DEF CON is honestly to volunteer in some way, shape or form.
Ralph
Yes, yes. Yeah, I'm seeing it show. And again and again, I disagree with the ratio. But I always say one glass of water per alcoholic drink.
John
That's a lot of water.
Ralph
It is a lot of water.
Derek
One is where the pros are just saying, yeah.
Ralph
Two to one is where you would be in, like, South Dakota where we have humidity. But I usually do one to one because it slows you down, number one. Number two, never accept a drink that has been opened. Number three, most important, learn what Body Glide anti-chafing stick is. Sorry. Number four, most importantly, DEF CON should require... We should. It should be a requirement that you wear deodorant at this.
Wade
Yes.
Ralph
Yeah.
Wade
Shouldn't that be a requirement all the time?
Bronwyn
Deodorant and shower at least once a day.
John
If you do DEFCON right, you do it right, you'll never have to pay for drinks or food either.
Ashley
Yeah, it's a different creature nowadays. Also, I went the last two years, which was the final year of them doing the hotels at Caesars and the first year of them doing the Las Vegas Convention Center, where everything is just packed into one. So you don't have the BarCons anymore. You don't have people wandering around. You don't have to step outside to get from village to village. So it's a real different feel and a real different vibe, and it really controls you a little bit more. Now, if you want to get actually somewhat decent food or even fast food, you have to step outside the convention center to do it. Otherwise you're stuck with convention center food, which we all know, sort of.
Ralph
Yeah, yeah. And I'm gonna push again. If you go to Vegas, please go to Batista's Hole in the Wall. It's a local Italian restaurant. It's one of my favorite places. Unfortunately, Gordy passed away about five years ago. He was the accordion player. But it's an awesome place. If you want to get a feeling of what Vegas was like back in, like, the early 80s, 70s, you got to go to Batista's Hole in the Wall. So go check them out. All right, so we'll get on to some news stories, unless somebody else has a DEF CON thing that they would like to add in.
Megan
Yeah, I mean, I would like to. I mean, I'm going on, like, probably just the stances to where it's like, worth it. I mean, you're going to kind of say no. A lot of the takes are there. Like, you know, John, you said, like, everybody should experience it once. I've been seeing where... and also to Bronwyn's points, it's very overwhelming. It started to get overwhelming for me. But you're starting to see people say, well, you kind of have to go once, but it's going to be overwhelming, so you kind of have to go a second time. And when you say, like, you have to get into volunteering, it's going to take you like a couple of times before you shift from taking from DEF CON to giving to DEF CON. So it's going to take you like three. So when you go, it's like, okay, so I have to invest three times for it to really get that rate of return. And is it worth it for a new person to have to go two or three times to really get things done? I don't know. I'm kind of landing on the side of no, there's better return on investment with other conferences.
Ralph
And I'm going to say if you're going to go to one conference in your life, you should go to DEF CON. However, if you choose to go to two conferences in your life, you should make the second one Wild West Hackin' Fest.
Bronwyn
Yeah.
Ralph
Which actually I think we're really close to selling out. I shouldn't have said that because now a bunch of people are gonna be like, you sold out. But at any rate, let's get into some stories. Unless somebody else has one more take, we can do one more. But then we got to do some stories.
John
Go to BSides, don't go to DEF CON. All right, we'll go.
Ralph
All right, there we go. That's a distinction without a difference. BSides Las Vegas, right? I actually like the vibe of BSides quite a bit in Las Vegas, but it's, it's...
John
I'm partial to the San Diego one. I don't know why, but.
Wade
I feel like there's a bias.
Ralph
So I want to hit this one because I think this is important. The City of Hamilton was hit by a cyber attack. They, I guess the ransomware was like $5 million. They didn't have any multi-factor authentication. That was easy to log in. And the thing that's interesting about the story is insurance ain't gonna pay. We don't get a lot of stories where insurance companies choose not to pay. But oh my gosh, here's one of them. And I think that this is just the beginning of a trend. I think we're going to see more of this. And also, once again, I know I'm beating a dead horse here, but if you don't have multi-factor authentication, in a BHIS report it's automatically a high, minimum high, right out of the gate. We used to get lots of pushback from customers. We don't get it at all anymore, because that is just a direct path to get in. So I don't know, what do you guys think? I mean, I can't remember a lot of stories about this. I mean, of course you had the Mondelez. Is that the name of it? Company in Ukraine that was denied a ransomware payout because they said that the malware is used as part of a nation-state arsenal because it was stolen from the NSA. So that's a little bit different. But you're starting to kind of see this, where we are seeing insurance companies push back. Now, it is in Canada. But it is a beginning, and I think we're going to see more. What do you guys think?
John
I think this is perfect. Showing people if you don't do your due diligence, insurance is not going to pay, right? MFA is, like John said, the basics. You should be able to implement it and have everybody do it. If we start seeing stuff like this where insurance isn't paying out because, guess what, you're not doing the bare minimum, people are going to start doing the bare minimum and raising that bar overall.
Wade
Yeah, this is like a car accident and not wearing your seatbelt and then being like, well, we're not going to pay for your injuries.
Ralph
Okay. An interesting question, Ralph. Like, yeah, kind of related to this. I don't feel bad for them getting hacked if they do multifactor. Now I got a question. If somebody gets into a car accident and they get hurt really bad and they weren't wearing their seatbelt, am I an a-hole for not feeling bad for them?
Wade
Yeah, I mean, you know, probably not. I don't think like, I mean, they kind of were asking for it. I mean like the seatbelt is the number one safety device that you can possibly wear. I know, I'm not trying to get off into like whole safety thing, but I'm just saying, I mean, but I agree with you though. Listen, they should have that in place. My question though is why didn't the insurance company do some due diligence themselves to make sure that they were doing these things right? They just wrote a policy without asking.
Ralph
I bet you they asked. I bet you they asked. And I bet you the, the insurance. I bet you they lied on the form.
Derek
Yeah, it's in.
Ashley
Yeah, I was going to say, it sounds like something where they checked a box that they shouldn't have been checking on their checkbox form.
Bronwyn
Well, I think it also depends on who is checking the box because if the security people were involved in interacting with the insurance company, they would have reported accurately. But if it's somebody else who may not know exactly what is being implemented, what is being supported and come on with the pen test. How many times.
Ralph
Hold on, how many? You know, it doesn't happen a lot, but it does happen. Where, like, I'll just give you an example. Like, we have customers that, like, the BHIS report has a bunch of vulnerabilities, and they're like, well, we need a clean pen test report before we can get our funding, before we can go live, before we can do our merger, before, before we can do this and this and this and this and this. And they, they come. And there's a lot of times I sit down and I talk with the customer and I'm like, this is just a report. You can take this report and you can synthesize it however you choose to. And I do think that some of those customers, albeit they're rare, they just are like, okay, we're going to quietly ignore this and say, we're clean, everybody. And I feel like that's part of just ignoring the security team and hoping that we go away to rebut that.
Bronwyn
I also see a lot of reports coming through where, when they come to us, they think they know what their infrastructure is. They think they know what their whatnot are. And after we're done with them, they go, oh, gee, we didn't know any of that stuff. And so, bottom line, yeah, you got to get down to brass tacks. You have to know your inventory, you have to know what your assets are. You have to know where you have policy failures or compliance failures for your own policies. How many of these companies don't have that internal knowledge about themselves?
John
Most.
Derek
So you're making an analogy to a seat belt. And you know that. And so if that's the baseline standard, why don't companies like Microsoft require MFA of everybody who uses their service? I mean, wouldn't that solve the problem? And this is a school system. What if, as a small business, are they using an MSP? I mean, why can you configure... if it's a baseline security standard to have MFA, why are we allowed to configure it without MFA? Because it's probably Microsoft, right? They got breached.
John
That's a good question. Because, me owning a couple Google business accounts, they've recently been hounding me that any admin account for those Google business accounts requires MFA.
Derek
Microsoft did the same thing, right? I think they recently required it for all admin accounts. I get that, but why not all accounts? Like, why are you still allowed to do that? I mean, because we still have, you know, customers who have issues with MFA and getting phished with, you know, transparent proxies. And so it's not... If it's a baseline now, why is it optional?
Megan
Yeah. And I think also the distinction between it being, like, a company and it being, like, a city, because when you have the impact to a city, that's still getting paid, and that's often paid by the city resources or the taxpayers. Versus if you had it where it's like, okay, Dave's Discount Dinnerware decides that they're not going to have MFA, insurance doesn't pay, well, then Dave's Discount Dinnerware just gets sold to somebody else. The city's still going to have to function, going to pay that money, and it's going to be a loss of services somewhere else. When you sit there and you go, you know, sorry, we could have filled in those potholes, we could have redone the interchange, could have expanded this, you know, hazardous intersection there, put some lights in place. But we don't have the money because we chose to not enforce MFA and we had to pay it. And it's just that that money's not there. Yeah. So I think there's a distinction. I think even when you kind of make that comparison to somebody, like, not wearing their seatbelt, I go, yeah, I kind of feel sorry for the person at, like, the basic level that got injured because they didn't have their seatbelt. If it was, like, a company policy saying, hey, we're not putting seatbelts in our delivery vans, and they get into an accident, you would sit there and you go, okay, well, you know, the owner of the company says, yeah, I don't believe in seatbelts. Nobody's wearing them. The owner of the company gets in an accident, gets hurt. It's like, well, it's your... You have less empathy that way.
Ralph
Yeah. So on this note, have you guys ever heard of safe harbor?
Bronwyn
Yes.
John
Is that the shipping thing where there's like a place where you can ship stuff and they can't.
Ralph
All right, I'm going to go out of order. I put in the next story about hackers completely destroying an airliner. But kind of on this, I want to put this in real quick. This is states that have enacted safe harbor laws, right? And this is very US-centric, right? So basically, the safe harbor laws are basically saying if you implemented a cybersecurity framework like the CIS Controls, the NIST Cybersecurity Framework, NIST 800-171, ISO standards, that if you have implemented those, then you cannot be sued for a breach, right? And so far, this is interesting. You have Ohio, you have Utah, you have Connecticut, Iowa, Oklahoma, Tennessee. West Virginia is looking at it. And Florida passed something similar as well. And it basically boils down to you've got to implement best practices. And this is brought up a lot whenever I'm talking to MSPs and MSSPs. But here's the thing that kind of gets me about safe harbor as it relates to this, right? You go through with an insurance company, we talk about the checkboxes, you go through and you say, yes, yes, yes, I do all of these good security practices, I'm a good security CISO, I'm a good security implementer of my company, whatever. And you lie, you get breached, the insurance company denies your claim, right? And I keep thinking that a lot of these safe harbor laws, my fear is the way that they'll actually get implemented is like PCI, where PCI said basically if you get breached then you weren't PCI compliant. And their whole point is if you were PCI compliant, then you wouldn't get breached. It becomes this kind of circular logic. So do you think trying to establish some type of carrot instead of stick, like a safe harbor law, do you think it's something that'll actually move the needle to organizations trying to implement some type of reasonable security, or do you think that they're just going to be like, ha, this is another thing that we can lie about, another thing...
John
We can lie about. There's no way, there's no way this will implement it. We need more insurance claims that are going through. I feel like we've given the carrot too much, and security still isn't getting... yeah, it's maybe getting better, but still these companies aren't... nothing's happened to them when they get breached. I think that last paragraph in the actual article, where this is in direct contrast to California's CCPA law, I honestly think that would do better to improve security overall, because we don't see any improvements. We see all these big breaches. What happens? Nothing. The only bottom line that's going to wind up hitting these companies is their profits. So charge them $100 per...
Ralph
Really talking at that point like a GDPR-type framework where, yeah, we are going to tell you how to secure your crap, but if you don't, you get hacked and we can find that you're negligent, then we're going to fine you based on the amount of revenue.
John
Yeah. Anyone fired up about it?
Bronwyn
Well, I have an unpopular position in that security will never be more commonly done well until we make it easier.
Ralph
Can you elaborate? Because I wonder about that. Right? Like the idea of making it easier. What the hell does that mean?
Bronwyn
Well, okay. I currently have three different password managers, most of which have more than 100 entries. My personal one has over 300 entries of various things, for one password manager. Then there's MFA, which means that I have to have one of half a dozen different apps, and I have to have them all on my phone or on something else, or a lot of...
Ralph
Times they don't all stick with just Google Authenticator. You have to download their own authenticator app.
Bronwyn
So in order to log in to do something for a single organization, I have to have a password manager, I have to have a third-party authentication app, I have to have passwords that conform to whatever the policy is. Personally, I turn around and... I mean, we recommend generally 15 characters or more. My bottom line, if the system will accept it, is 23 characters or more. You know, so there's so many things, and there are some times where I just want to pull my hair out because it's such a frickin' pain in the buttocks to try and be safe.
Ralph
That's really, that's really sad because you're a security person, right?
Bronwyn
Exactly.
Ralph
How do you take this as somebody who is a, like, normal, quote unquote, non-DEF-CON-attending person?
Wade
This was brought up in the chat. I mean, passkeys were meant to kind of solve some of this, right? Because passkeys, as a universal standard, don't require you to actually have a password. They're a cryptographic key, similar to, like, SSH. But the thing is, though, and this goes more to your point and what John just brought up, is that people don't even understand what passkeys are or how they work, or don't have it set up, or don't have a manager that saves them, and stuff. Only certain sites accept it, other things like that. So I mean, it is just a fracture in the security, and we're talking specifically the authentication part of the security model.
Bronwyn
And if we use seat belts as a representative sample of when safety started going in, I forget the name of the engineer at Volvo who developed the three-point seatbelt. Prior, at that time, we're talking like the 1960s, there were no requirements for seatbelts in automobiles at all. Volvo made the technology public, shared it with all of the other manufacturers, didn't ask royalties. And then it wasn't until the United States required that seat belts not only be included in automobiles manufactured, but also that they be used, that the death rate in accidents started going down because of seatbelt use. So you had, in that case, multiple factors. One, it was good engineering. It was something that was superior in terms of providing safety because of the multiple points and the better physicality of protection. And then you had to have the government saying, you must do this or there will be consequences. We've failed with step one. We haven't even found the better mousetrap. We haven't found the better seatbelt to make security easier for people who can barely find the Any key. And until we make safety and security possible for people who can't find the Any key, it's not going to happen. That's my unpopular take.
Ralph
Yeah.
Megan
And, well, even for, like, seat belts, like, you know, standardization. You don't have to learn to use seven different seat belt types. Like, at most you have your car seat belt and the seat belt you use on the airplane. And even then, on the airplane, they tell you how to use it, like, if you're confused. So is the answer more standardization? Not necessarily. It could be that second point, where we don't do a great job of helping each other out. I mean, in our community, yeah, we help each other out, but there are a lot, like machine companies or even between others, they go, hey, I figured out how to secure myself. Like, you know, I've got mine. Screw you. Like, I know I figured this out. I'm not going to teach you how to do anything. Once again, how to use the obscure seatbelt. But then I'm going to sit there and say, you know, when something happens to you, you go, oh, you should have figured out how to wear that seatbelt.
Ralph
We should all just get together in the desert, walk around and throw stones at vendors. They'll fix things. All right, I want to move on because we haven't gotten to AI yet.
Wade
Yeah, we have to cover at least once.
Ralph
We've got to talk about hackers destroy Aeroflot's IT infrastructure, causing 42 flight cancellations. And there's a lot more that were canceled in that situation. But get this. This is the hacker group Silent Crow Insider partisans by claimed responsibility for a large-scale cyber attack on one of Russia's key state-owned companies, one of their airlines. You know, we talk about ransomware, and I think that people, you know, they complain about the scourge of ransomware, but when the attackers got in, they destroyed seven, which basically means they wiped the hard drive, 7,000 physical and virtual servers, as well as the cancellation of a whole bunch of round-trip flights from Moscow to all these other different cities. They didn't... They exfiltrated 22 terabytes of data out of that environment. They gained access to 122 hypervisors. Like, it's just insane. Like, they basically stole everything and then burned the entire company to the ground.
Wade
And this wasn't the Ukraine, actually.
Ralph
I think Ukraine was like, I think Ukraine was like, that wasn't us. I think it's down at the bottom. We talked about this, that they said.
John
I'm surprised they released all that data, like those statistics. Like, I've never heard someone release such great statistics on a breach.
Ralph
Usually it's really well done. I think it's kind of like anytime someone gets breached with ransomware, it's like, we've got to use this company as, like, a cautionary tale. Like, it could be worse. You could be never getting your servers back. But oh my gosh, like, that's absolutely scorched earth at that point.
Bronwyn
Yeah.
John
At least they didn't hit the flight controls.
Ralph
Right?
John
Like the towers, like.
Ralph
Yeah. At least they didn't bring down.
Wade
I mean, maybe Russia's getting a little taste of what ransomware is like. Right?
Ralph
Like, yeah, well, and, and Ralph, we've talked.
Wade
I'm not saying this is a deserved statement.
Ralph
I'm just saying it's not like they're not wearing their seat belts or anything.
Bronwyn
Yeah.
Wade
I mean, it's just that, you know, if you do a lot of this in your country and then someone else does it back to you, I mean, like, you know, fight fire with fire, I guess.
Ralph
But we've also had conversations from some of our engagements about Russian infrastructure and some of the things we've done, and we're like, this country should not be... like, they're in a glass house throwing, like, tons of stones. Like, they need to stop. Like, they have no idea how wide open they actually are. Do you think this is antibodies? Like, do you think the United States and Western countries, particularly the United States, are in a better situation than countries like China and Russia because we're constantly being hacked and we have better antibodies? Yeah.
Wade
Or is that, or isn't that just saying we keep licking the doorknob and then wondering why we keep getting sick? Right.
John
I think it's also technology, though, right? Like, think about all those other companies. They usually use more open source software, right? Which is great if you can configure it and have the experts. But we have a lot of the more turnkey stuff over here, that some of it's not even allowed... most of it's not even allowed to be sold to those other two countries. So I say our security at a base point is most likely more secure just because we do have the option of buying this software. Yeah, I really like that idea.
Ralph
But I also think if you look at, like, quote unquote, next-generation EDR, the adoption is way heavy on the West side, right? And if you look at that level of adoption and penetration into, like, China and Russia, China less so than Russia. China has their own products, and some of them are actually pretty good. But the adoption of that advanced endpoint security product is just nowhere near as high as it is in the United States.
John
They're definitely cut off from those to that ecosystem.
Ralph
Right.
John
Of top of line technology, at least as far as the world goes.
Ralph
What about. No, I can't pronounce it. Screw every single one of you.
Derek
Thank you.
Ralph
All right.
Wade
Yes, you're welcome. That's top of the line. Right.
Bronwyn
I want to say that it would be nice to believe that we have better security, but the problem is just because you buy a fancy piece of software doesn't mean you know how to use it.
Ashley
I was going to say, I was going to say, so many companies that seem to buy something security wise, be it EDR or other products, and leave it in default mode. Getting them to change the default mode password on it is tough at times.
Wade
I mean, yes, I mean default mode.
John
Is better than open source software though.
Ralph
That's capitalist options. Consumers and public opinion matter. Yeah. Trust me, China and Russia are full tilt in capitalism right now. Like, they're right there. They learned that lesson real quick. So, no, I... but I just, you know, whenever we're poking around, you know, without getting into too many details, like, yeah, we're not seeing, like, in our Russian customers, that level of security at all. It's like, have you done anything to secure your environment?
John
So I would really like to see some Chinese-based cyber tools. Now that I think about it, like, how different is it? Like, I want to see a China-made EDR. Or, I mean, they're just looking...
Ralph
Which is probably just Splunk, like, Qihoo 360.
John
Yeah. Something.
Ralph
Yeah, yeah, yeah.
Wade
They're just. They're looking at American products and copying them. I mean, pretty much. I mean, what else would they do?
Ralph
Why do the research our network?
Bronwyn
So they don't have to copy it, they just have to steal it and rebrand it.
Ralph
If you look at, like, Qihoo. I think it's. I missed my. My. I'm definitely mispronouncing it, but Qihoo 360, if you go back years ago, they were doing sandboxing and cloud analysis of malware specimens before silence. And that technology was actually stolen from US AV companies. They were just able to implement it faster because from a market adoption perspective, it wasn't being adopted in the United States because people were, you know, it's a new technology, false positives in air quotes, bringing production down. And China stole all of that stuff from an architectural design perspective, and they were able to bring it up and start implementing it. So there was a period of time, Wade, where they actually did have better EDRs, especially on government systems, a long time ago, than we had in the United States. I think that that has probably changed now with the adoption of advanced EDR in the United States. But once again, going back to Russia, not even on the map. Like, not even on the map. I don't know. I would say. I, I honestly can't remember a situation where I saw anything other than, like, Panda on a Russian system. I just don't know.
John
So there, There's. There's an interesting Reddit post today about some, like, Western guy who moved to China who's. Who's been in cybersecurity for, like, five years. And it's like, how hard is it gonna. Is it gonna be for me to get a cybersecurity job in China? And I was like, oh. And everyone's like, oh, you'll get one if you speak Mandarin. He's like, no, I don't speak Mandarin. I'm like, oh, that guy's not gonna jump.
Ralph
I don't know. If you're. If you're open to options, if you're. Morally, you can definitely get hired, right? So that one's. That one's kind of a. Kind of a crazy one, bringing down that airport crap. Let me pull up the next one. I want to. Have you guys seen the one on link wrapping services being bypassed to drop malware on systems? So for. For those of you that don't know, link wrapping is like, whenever you go to a website from Outlook, it's basically like safe linking it.
Wade
Yeah, I actually saw this, John, in the wild over a year ago.
Ralph
Oh, wow. Oh, wow. Do tell.
Wade
Yeah. So I mean, essentially it's just like, all right, here it is, right? All the safe URL links that you click and you see inside of them, if you send that URL already safe link to someone else, right, it will bypass the filters because the filters will think it is a safe link that got forwarded.
Ralph
Wait a minute, we were using this.
Derek
That sounds like domain fronting in a way, right?
Wade
Yeah, yeah, yeah. And so it would think that it's safe because it's a safe link from one of these. But the, the, the thing is, the link itself could be malicious. So the way you weaponize this though is that you actually have a tenant, like let's say you have a Proofpoint tenant, right? And it gets marked and flagged as bad, but then you allow it. And then that unique URL at Proofpoint now is valid because you allowed it inside your tenant. And then you start sending it out in your phishing emails and it's a good link.
Ralph
I like sas, Perilla. They're like, that sounds horribly dumb. Well, once again we're all meeting in Vegas with rocks, so I'm just gonna drive this thing home.
Wade
Like I saw this in the wild, John, and I reported it to Proofpoint. You know what they said? They were just like, oh, that looks like a normal link. I was, I was like, no, I'm not doing it.
Derek
I think you need a T shirt with that sounds horribly dumb on it because I've had that thought so many times over the last. Why would you do it that way?
Ralph
Yeah, I just, I just, I, I don't know. It's so in this. Guys, hold off. We're not going to talk AI yet, but it's like every single year in computer security, right? You know, I go back to like, I want to say 2006, 2007, and I remember articles where they were talking about Symantec Endpoint Protection and how it was going to shut down all the hackers and things like that. Microsoft Get Secure, Stay Secure initiative. And it seems like there's all these things, whether it's next-gen firewalls, next-gen EDR, whether it's AI, and the breaches don't slow down, right? Like it's almost like there's definitely this escalation between defensive technologies and offensive technologies. And everyone's like, well, oh well, AI is technologies. Defensive technology is going to take off. I don't know. I'm kind of feeling like, you know, the offensive opportunities are more robust in this space, and I don't think that they're going to go away. I just think they're going to evolve.
Derek
Yeah. Pen testing is not dead. That is.
Ralph
Oh, my God. Yeah, it's not dead a lot. Anybody that's like, we're fully automating a pen test just once again is a snake oil salesman. Yes. And feel free to grab some rocks and throw it at them. Violence is never okay unless they say that they completely automate pen testing and slug bug. Those are the two things where it's perfectly fine.
Bronwyn
Yeah.
John
And you don't see bugs.
Bronwyn
Ebooks are gonna make real books go away. You know what?
Wade
Totally. I mean, Barnes and Noble is closing all over the place.
Derek
My 17 year old just took an actual paperback book on vacation, so. No, I don't think so. She has a Kim Will do.
Bronwyn
Yeah, but that was. That was what everybody was saying when ebooks were first starting to come out. There won't be any real books anymore soon. Well, you know what? So, yeah. AI, great. You've got a. You've got a better widget, but that doesn't mean that you can get rid of.
Ralph
Not yet. We're not doing it yet.
Wade
Oh, we're not doing it.
Ralph
I'm like, I'm doing it yet. We've got another story. It's delayed. Yeah.
Bronwyn
I don't care if it's. Or whatever. If it just because it's a better mousetrap doing whatever. Using whatever fancy dancy you still need to have.
Ralph
I like how she's talking about AI without using.
Wade
I know.
Bronwyn
How many times have we seen Next Generation?
Ralph
No, no, no. I agree.
Bronwyn
20, 22.
Ralph
Yeah. Yeah.
Bronwyn
How many times?
Wade
I'm gonna be at Black Hat this year, and I'm gonna go on the floor, and it's probably gonna just be just that.
Ralph
Like that misery.
Wade
Over and over again.
Ralph
We're gonna open up the conversation. All right. Ve miserable at these.
John
Oh, my God, I hated Black Hat.
Ralph
The only one that's any good is DEF CON, because you can go to the Black Hills Information Security booth and get a signed copy of the Future is comic book.
John
Oh, one second.
Ralph
Yeah, so go check that out there. Oh, there goes Wade. He's got 40 minutes to get to Vegas. Oh, he's got it right there. Look at that. That. I'll see you that way. But I also have. Right here.
John
How much?
Ralph
I have a graded one.
John
Oh, look at you.
Ralph
Oh, my Goodness.
John
Let me, let's. Can we zoom in? Let me. Give me to, to that big box right below me with the stack of. Let's just say I was your Comic Con delivery person for the future.
Ralph
I appreciate that, dude. And they were told you've got to sell it. And they're like, but we want to give it away. And Comic Con was like, no, you gotta sell it. And they asked me and I'm like, just hand it out, people. I. These things, I gave them, I gave a couple cents. They cost me like 86 cents. They're so much cheaper.
Megan
And so tell them that.
Wade
John. It's 286 exactly.
Bronwyn
Oh, come on.
Ralph
All right, I want to talk about this. Oh, go ahead. What's that?
Bronwyn
Oh, how many years have we been sucking at capitalism?
Ralph
Come on. Far too long. Yeah, far too long. All right, so Mozilla Flags Phishing Wave Aimed at Hijacking Trusted Firefox Add-ons. Right. Like this is just like getting into add-ons or plugins and all of these different things. It's just, I keep, you know, I don't even think it's really much of a conversation anymore. But it's like the browser is the new endpoint. Right. And I just got done giving a presentation about CIS Control number nine and I want to give mad crazy props to CIS where they were basically talking about browser extensions and Control nine. I think it's Implementation Groups two and three, companies and organizations that are implementing the controls should have a way to inventory browser extensions. And that is just like we talk about that. But okay, seriously, how many organizations have you all come across that's not BHIS that have. That are regularly auditing the browser plugins that are deployed in their employee systems.
Derek
Do you count former employers or. We were doing it a long time ago or.
Ralph
Yeah, go ahead. I think that's a good one.
Derek
Yeah. I mean it was a long time ago, but we were doing that kind of stuff at my former employer.
Ralph
Yeah.
Derek
And that was.
Ralph
Which was DoD classified level stuff 14 years ago.
Wade
But yeah, I mean couldn't you just disable all the plugins in the browser too?
John
That's what.
Ralph
Okay.
John
That's what.
Wade
Okay.
Ralph
Okay.
Wade
Instead of auditing everyone and like you totally could.
Ralph
Bronwyn, how many password managers did you say that you had at the beginning of the show? That currently I'm clarity. You need to function to do your job. Right.
John
I'm just going to say you can export all those to one password manager.
Megan
Yeah.
Ralph
Why would you do that?
Bronwyn
Doesn't use.
Wade
You could use one password manager. It's my favorite.
John
Okay, Ralph gets it at least.
Ralph
But how many people are going to complain? They're going to be like, well, I use Grammarly to fix my grammar when I type sensitive things in my.
Wade
No, I've totally upgraded. It's AI all the way, buddy.
John
So last org I was at audited browser extensions. I really, really like the MITRE ATT&CK browser extension. If you go look it up, it's called the ATT&CK Powered Suit. It's a quick little database that you can query ATT&CK IDs and stuff like that. I had to submit it for review to my organization to see if they would let me do it. They actually went and looked at it, looked at the code and realized they use some library that is actively used in AI and then required me to reach out to them to ask them, what does that library do? How does it work? Give us a full write up. And I'm like, this is an open source app. I'm not going to do that. I just flipped the table and walked away.
Ralph
I was like, that's pretty hot, dude. Cool that they went, there's a reason.
John
I don't work there anymore. There's too much red tape.
Derek
Advocating, right?
John
Yeah.
Ralph
Just broke Bronwyn. She's on the Internet now and she's looking up this plugin.
Bronwyn
No, no, I was, I was just saying on Discord. How did I not know about them?
Ralph
I could see you typing and I could see your screen flickering. Oh, you did it.
John
Maybe because you haven't taken my CT DI 101 course. That's at the blue team.
Ralph
So. But yeah, I mean, it's so rare to see that and it's so necessary, you know, and I, I think we need to revisit CursedChrome or, you know, our malicious browser plugin. I know we haven't used it much, we've been doing some other things, but it was pretty cool when we got that.
Megan
Yeah. Closest I've been is at an employer that, that did lock those down and had like that full allow list of browser extensions. But you could install a completely different browser and whatever extensions you wanted, which then this is the point. It's like if you installed Chrome, they had a policy. You had only a certain allow list of browser extensions. But if you just said, okay, nuts to this, I gotta do what I gotta do and install Firefox and any browser extension you wanted. Yeah, that was allowed, apparently.
Ralph
All right. Deep cleansing breaths.
Wade
Oh, here we go, here we go. Oh, yeah.
Ralph
All right. I'm gonna let someone take this one. Ralph, do you wanna. Or Bronwyn?
Wade
Sure, I can take it.
Bronwyn
I know we got another take point.
Ralph
All right, so tell us about Perplexity.
Wade
Somebody like, has anyone used Perplexity? I've used it before. I just wonder if anyone.
Bronwyn
We use Perplexity a lot in this household.
Wade
Okay.
John
I don't know.
Ralph
We use Perplexity and we obey the laws of physics.
Wade
So it's one of the bigger AI startups that has gained a lot of traction because they use a bunch of different models, not just the one, but they're kind of like an aggregator.
Bronwyn
But anyways, this article, not an LLM.
Wade
What's up?
Bronwyn
It's an answer engine, not an LLM.
Wade
Yes. It's pretty much parsing that data to an LLM and then responding based on which LLM you want to use and so on, so forth. Right. But what they were finding is shocker, that Perplexity is crawling the Internet to make these searches and find that data, and they do not care if you tell them no. And this is actually kind of across the board with all of the AI, large, large language models, especially the frontier models that are doing searching and how much traffic they're actually increasing on the Internet because of that. Right. And so this article from Cloudflare, they're trying to evade detection so they can keep getting back answers from these sites. Right. So it's an arms race now to detect the AI scanning the site to read the information, because it doesn't save it. It has to keep going back. Every time someone asks something about that, same thing.
Ralph
Can I introduce you to our Lord and savior, Shodan? There are so many different services that are crawling all over the place. But Derek, you had kind of a, a salty take on this before we started recording. Go ahead.
Derek
Yeah, I mean, I guess, you know, my response is you put it out on the Internet, like how do you think these things actually get real time data? Right. They have to go out and, and ask. And, and, and so my guess is, is the people who wrote this article probably use Perplexity and they're trying to call out a company that, you know. Yeah, okay, maybe they're not, you know, like doing the right net citizen thing. But I mean, come on, the Internet's an evil and dangerous place. If you have data you don't want accessed, then put it behind an authentication portal. I mean, I'm sorry, I have little sympathy because, oh, they didn't, like, they didn't abide by the robots.txt file. Come on, really?
Wade
This isn't about sensitive information, right?
Derek
This is about, you're putting on the Internet.
Wade
Yeah, no, no. So the problem is bandwidth. I guess.
Derek
So right now, please.
Wade
They are just, I guess it's like some of the smaller websites, I've read some other articles, some of the smaller websites that don't have, you know, some Google budget going on here, they're getting hit like a hundred times more traffic because of these AI crawlers.
Derek
How much would it cost to put it behind Cloudflare?
Wade
Like, I, I, well, that's what this Cloudflare articles.
Ralph
Good.
Derek
I guess what I'm saying is, is like, if you, if you're going to take that stance that everybody who has some kind of like, AI tool isn't allowed to like scrape data off your website, you're just hampering the AI tool and like someone else is going to come along and figure out how to do it.
Wade
Yeah. So I, I totally agree with you. Right. There's two sides. It's the good citizen of the Internet or the good AI. And the other side is that they're going to do whatever they need to do to have a, a product, money, get the answers that you know that they want. So if you block them in some way, shape or form, they're going to work their way around that block to get that information. Right. What they should do though, is implement some better kind of caching technology right in the middle so that you're not necessarily destroying the website's bandwidth to ask the same things over and over again. That would be my.
Derek
So basically they're saying, like, put a Kafka queue in place and go check and see if I have an article from yesterday or something. Right. That don't go to the same site.
Wade
Over and over again looking for that data. Because the way the AI, they only have so much context windows, so eventually after that context window, they have to ask the site again for that same information.
Derek
Yeah. I don't know. This, this really reminds me of when the post office was complaining that Netflix had too many DVDs in the mail.
Ralph
Oh my God.
Bronwyn
Come on, this is not a new issue. I remember when search engines first became a thing monsters.
Ralph
Yeah. And that all ended up fine. We're fine. It's all we're good.
Bronwyn
Translation of fine than I am.
Ralph
Yeah, well, that doesn't involve sarcasm. Yeah, I, I don't know, I just don't like. Look, there's people crawling the Internet all the time and if you, I'm gonna be honest. If you cannot deal with an organization like this, then how are you going to deal with, like actual malicious crawlers? And they are out there. I mean, it's stuff that isn't my bailiwick. Right. Where people are like, they're crawling shoe websites to try to get, you know, the hottest shoe before it hits the market. But there's crawlers like that all the time, so.
John
So I worked that. My first IT job was at a data center, and it was the data center that hosted Shodan.
Derek
Oh, nice.
Ralph
Oh, wow, bro.
John
It was. It was pretty cool just because, like, I got made aware of it right off the bat in security. But boy, did we get phone calls and emails all the time telling us to stop scanning, to stop scanning them every day. Like something came in.
Derek
Yeah, I just. I feel like that if you're out on the Internet, like, this is just like the cost of like the Internet. I remember years ago, and I don't think it's the same anymore, but years ago Team Cymru had a. You could look up hashes against their DNS servers for malware. And then Bro, which is now Zeek, at the time had a script that by default was on and so they were getting hammered by DNS queries and. Well, I mean, yeah, that's what happens when you offer something for free that's nice on the Internet.
Ralph
Speaking of crap that doesn't exist anymore, do you remember whenever you used to be able to do a search in Google for file hashes? I. I don't know.
Wade
Yeah, there used to be a bunch of like, there was all books like Google Dorks, right?
Ralph
Yeah. You used to be able, if you could find, like if you would pull down an open source like PHP backdoor and you would do a hash of that backdoor, you could go to Google and do a search on that hash and find everywhere that PHP backdoor was used.
Wade
Shodan before Shodan.
Ralph
It was so cool. It was like whenever I was teaching back in the day, like whenever you were doing that type of search and doing that type of lookup and it's like, well, here's 4,000 systems that are completely wide open. People are just like, those are good times. But I do want to talk a little bit. We got 10 minutes and I really wanted to get to this story. After Backlash, ChatGPT Removes Option to Have Private Chats Indexed by Google. This is from PCMag. I'm trying to do better. Y'all like doing a call out for the people in the news industry that are creating these articles. You know, this kind of ties into. I remember a couple of weeks ago we were talking about, you know, people were really. Still are, but they were really putting in a lot of sensitive information inside of ChatGPT and other LLMs that are online and chatbots. I can't remember. I think it was OpenAI. They're like, hey, just so you know, putting in super sensitive personal information. That's not. We. We're. We're. We're not keeping that private to you. And this kind of has that same vibe. It's like everything we get from you, we're going to use against you to sell you more ads. I don't know. So what do you think of this?
Megan
Oh my, my thoughts on this is just like the hot take that. It's like these end users should not handle firearms because it's just going to be like, well, you're. If I pull the trigger, a bullet comes out. And you explain that to them and then they go, well, you didn't tell me that. If I pull the trigger, bullet comes out. And now I have a hole in the floor. Like, there's literally a checkbox that they have to check that says make this chat.
Wade
I mean, eula's for Windows. I mean, just like, come on.
Megan
Like, it's not like it's there. It's like it is a specific checkbox that you have to go. It's like, I want to share this. And two. Yes. I want to click that checkbox for well and put this on. Make this findable by search engines.
Derek
And then you go.
Wade
Down, I'm gonna check it.
Ralph
But there's a quote. Everyone says, you know, if something's free, you're the product, right?
Wade
I mean, did you hear about that too? Speaking. This is right on topic, right? So Amazon's Alexa is supposedly going to be free. The new Alexa plus. Okay, like the AI version of Alexa. And what they're going to do supposedly is use your data to inject ads in the answers, right? So instead of like literally getting ads in your answers from.
John
This is literally a black mirror episode. Like, all right, let new a season, right?
Ralph
Like, so I've got a. I've got a stat on this AI thing. I was listening to an economics podcast and they were talking about the stock market and all this stuff. If you take like, I think it's the top five companies in the, in the stock market that are investing heavily in AI, that would be like, you know, Amazon, Microsoft, you know, Google, of course, Meta, all of them. And if you take the amount of money that they have invested in one quarter in AI, it's more money than the entirety of all US commerce combined. Like, every deodorant like that you buy for DEF CON, all the chafing stick, your airplane tickets, your movie tickets, everything. They have invested more than that. And one of the things that, you know, I was reading in this article, and it kind of spun off into some other things. It was basically asking. All of them are trying to do the exact same thing, give you more efficient ads. Like, they're not using AI. A lot of them aren't. I mean, there are some exceptions, of course. They aren't using AI to like, like, make the world a better place. What is it? The, the, the song from Nine Inch Nails. You know, they're not looking for the cure. They're not looking for the weak among the pure. Right? They're, they're looking. How can we give you more ads? That's where we're going with all of this.
Derek
And that's, that's where we've been. Like, that's the, like the age of surveillance capitalism. Like, this has been this way for.
Ralph
I agree. But you got to admit, the amount of investment is steep, staggering.
Derek
Oh, yeah, I, I, I agree. There's probably some aspect of, you know, the government and, and thinking that, you know, the, the first one to AGI is, you know, going to be the global dominant, you know, like, and I.
Ralph
And I think that's okay.
Derek
A sliver of that in there, but they're gonna.
Ralph
I got a question for you. So our AI people here, do you think that's true? Do you think that the first one to get to AGI is the one that wins? Congratulations. Or is it an issue that they're putting in so much money into this and then it's going to become effectively commoditized in the next five to 10 years?
Wade
Honestly, I think once they hit AGI, they won't even know. Like, we're all just going to be like, oh, it's pretty good this time. Yeah, it's really good. We're just going to keep on going, right?
Ralph
It's not like you're going to be like, we did it.
Wade
We got the flag.
Ralph
I think as soon as AI started protecting itself, we were there. Yeah.
John
Well, there was a really good YouTube video about a bunch of AI experts got together and pretty much predicted that we're all going to die.
Wade
But it was talking eventually.
John
Yeah, it was talking about once. Yeah. Yes.
Ralph
Wait, wait, what's this? Okay, go, go ahead, Go ahead, Wade.
John
Pretty much, once we hit AGI, that it's going to be regulated and we're going to notice right off the bat that it's actually not answering in the way we want it to. It's answering in the way that it wants to. And it's going to slowly start being used to pump out more AIs, and it's going to build those AIs to then be better, but then also trick us.
Ralph
This is where China goes offline and it's.
John
The answer is there's this one, there's this one point where when we notice it starts making changes that we don't want it, do we? Everyone hold back? Wait a second. This AI is now trying to fool us, or do we just keep going? So the theory is if we hold back, then China goes, and maybe they hold back, but once an AGI occurs and it gets set online, it's going to start talking to the other AGIs and realizing stuff. And hopefully that's when, like, it goes off.
Ralph
Right.
John
And the scary part is they predicted this in the next five years, and then they even predicted how the AGI would kill us.
Ralph
I love the names that they gave it. Like, it wasn't OpenAI. Was, wasn't the name. What were the names of some of the AI companies that they were coming up with, but they were talking about.
Derek
About the papers that are online. It was like, not open AI. It's like AI 2027 or something like that.
John
Yeah, that's the exact one.
Ralph
Yeah.
Derek
Yeah. So I mean, I do agree with Ralph that, you know, I think that it, I think right now, if you showed someone from, you know, like 1980, like, I'll, I'll paraphrase Jason Haddix recently saying this, that, like, if you could take, like a laptop back with some local models and go back to 1987 and show people, they would think you had AGI. Right. Like, I think there's a lot of, like, you know, intelligence to what we have now. But, like, I'm still, like, not convinced that there's some autonomous AGI overlord that's going to show up. I think the country that has the best AI has the edge. And this AGI really just kind of, well, an edge and being able to use AI. Like, so AI can be used for a lot of things. It's not just ChatGPT, right?
Ralph
No, no, I agree 110%.
Derek
And so an edge in those things. Right.
Ralph
I mean, but I think that's the question that we need to be asking, is the edge in what? Like, what are we trying to get it's like. Like just. Just so anybody who's in the government knows we have nukes. Like, we can destroy ourselves with nuclear weapons. We don't have to find more, better and creative ways to kill us.
Bronwyn
Well, we do have to keep developing this stuff if we're over compensating for something, but that's a whole other but.
Derek
So my. My thought. You say in what? Right. Okay, well, and so, like, battlefield logistics and being able to, like, give parameters and get, like, better answers than we would be able to with, like, of humans. Like, you know, those kinds of things. I'm not a military person, so, like, I'm just kind of guessing at what would be useful. But, you know, I find myself more and more using frontier models to solve problems that I wouldn't have in the past. And so those are the kinds of things, like, what are you solving? And so having a team of people solving problems more efficiently and better, I think is more of the game than like some AI overlord, like, you know, Skynet or something. I just. It's not how AI works right now. And I don't know how we get it to be that. I.
Ralph
Here's my thought. Right? Here's my thought. What AI kills us by solving aging. Like, it literally solves aging. And it's like, you know what the secret to living forever is? Brussels sprouts. No butter, no salt. Brussels sprouts. And eat them. And you're now functionally immortal. Good luck, humanity.
Derek
The easy way to kill us off is. Is just basically keep us entertained and make the birth rate go down.
Wade
Right, Right. I have it.
Derek
I have it happening now.
Ralph
Used ourselves to death. Right.
John
It finishes A Song of Ice and Fire for us.
Ralph
Yeah.
John
That's all I needed to do.
Ralph
Oh, my God. And it does it well. And then that's it. We're over. Hey, guys, this is. This is fun. This is why I put AI at the end of the show.
Megan
Yeah.
Wade
Because it could just go on forever.
Ralph
We totally can. And I want you all to know, at the end of the day, we can unplug it. Just go outside. Go see, like, can we?
Bronwyn
Did I hear about that, that situation with the AI where it was like, we're gonna unplug you. And the AI was like, the heck you are.
Ralph
Okay.
Bronwyn
I'm gonna nuke everyone.
Ralph
Okay, well, I don't want it to nuke. Yeah.
Derek
Yeah.
Ralph
I don't know.
John
I think.
Ralph
I think AI wins, Ashley, by giving us what we want, so.
Derek
And I want to say that it's.
Ralph
Going to be the AI is going to be called Turkish Delight. And people are like, well, I want more of that. If you want.
John
There goes Narnia.
Derek
If you want more of these AI, like end of humanity conversations. And you're at Wild West Hackin' Fest. We're going to be buying an A where you can come play with some of these models that. Yeah, you can make it do all kinds of fun stuff. Derek, challenges too.
Ralph
I love how you worked in a reference to Wild West Hackin' Fest. So we're kind of at the end of the show. However, however, however, I do want to call out something. We have a traitor in our midst. He left. Okay, he left BHIS and he's back now. And I would be incredibly happy to hear what Ralph is working on as a little bit of an advertisement for what he's doing. Ralph, do you want to tell us what you started since you went kind of stealth a little bit and what you're working on?
Wade
Yeah, thanks, John.
Ralph
He's like, wait a minute, am I the traitor? Yes, you are. It's you.
Wade
I was going to move out of frame, but then I. I knew. I knew you were talking about me. That's, that's, that's really, that's really sweet of you. No, so I left and I started. We are making remote testing devices, which is kind of fun. We're making actually a couple different tools, pen testing and security consulting and. Yeah, so BTIM Labs is the company I started and yeah, it's Roland. And we're kind of solving some niche problems in the industry that we always wanted to solve. And I think we're kind of the first people to actually offer remote testing devices for pen testing and for MSPs and other stuff like that.
Ralph
So rock on. And we'll be learning more about it as you continue to come on the show, right?
Wade
Yeah, yeah, yeah, yeah. We have these little devices. They're this little guy right here. These are the little devices we ship out, the little, little arrows. They have cellular and all kinds of other fun stuff in it, but yeah.
Ralph
All right, well, thank you so much.
Bronwyn
Makes me wish we'd gotten to the article about the Raspberry Pi. I know.
Derek
And I had Ralph and my and Bo's talk before the pandemic queued up for that show. Thank you, Ralph.
Ralph
It's good to know with that, everybody, we're over. Thank you so much for attending. We appreciate it and enjoy these last couple of years, everybody.
Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: Perplexity Stealth Crawlers Evade No-Crawl Directives
Release Date: August 7, 2025
Overview
In this episode of Talkin' About [Infosec] News, the Black Hills Information Security team delves into a diverse array of topics spanning cybersecurity conferences, significant cyberattacks, browser security vulnerabilities, and the burgeoning challenges posed by artificial intelligence (AI). The lively discussion offers insights, personal experiences, and expert opinions, making it an engaging listen for both seasoned professionals and newcomers to the infosec arena.
1. DEFCON Canceled: Impacts and Alternatives
The episode kicks off with a discussion on the cancellation of DEFCON 2025, a pivotal event for cybersecurity enthusiasts and professionals. Host Ralph shares the team's mixed feelings about the news.
“DEFCON is canceled this year, so that's. That sucks for everybody.” [02:04]
Bronwyn, drawing from her personal experience, highlights the physical and logistical challenges of attending DEFCON in Las Vegas. “Spending time with 25 to 30,000 of my dearest acquaintances... it just wreaks havoc with you physically.” [04:29]
Ralph emphasizes the value of attending DEFCON at least once, likening it to a pilgrimage for infosec professionals. “Yeah, you absolutely should go at least once.” [03:33]
The team also explores alternative conferences like BSides and Wild West Hackin' Fest, with John advocating for BSides in San Diego. “Go to BSides, don't go to DEFCON.” [11:01]
2. Notable Cyberattacks: City of Hamilton and Russian Airlines
The team shifts focus to recent high-impact cyberattacks. Ralph discusses the ransomware attack on the City of Hamilton, emphasizing the critical failure to implement multi-factor authentication (MFA).
“If you don't have multifactor authentication, BHIS report, it's automatically a high minimum high right out of the gate.” [12:49]
John adds, “If we start seeing stuff like this where insurance isn't paying out because guess what, you're not doing the bare minimum...” [13:10]
The conversation then transitions to a devastating attack on a Russian state-owned airline. Ralph provides alarming details about the scale of the breach, including the destruction of 7,000 servers and the exfiltration of 22 terabytes of data.
“They basically stole everything and then burned the entire company to the ground.” [27:46]
Bronwyn cautiously notes the potential physical risks, “At least they didn't hit the flight controls.” [28:29]
3. Browser Security: The New Frontline
A significant portion of the discussion centers on browser security, particularly the vulnerabilities introduced by browser extensions.
Ralph raises concerns about phishing attempts, flagged by Mozilla, aimed at hijacking trusted Firefox add-ons. He ties this issue to CIS Control 9, which calls for inventorying and auditing browser extensions.
“Seriously, how many organizations have you all come across that's not BHIS that have... regularly auditing the browser plugins that are deployed in their employee systems?” [41:09]
Derek shares his experience from a former employer dealing with DoD-classified systems, emphasizing the importance of stringent browser plugin audits. “We were doing that kind of stuff at my former employer.” [41:16]
Bronwyn echoes the sentiment, advocating for simplification and standardization to make security measures more manageable. “We haven't even found the better mousetrap. We haven't found the better seatbelt to make security easier... until we make safety and security possible for people who can't find the any key, it's not going to happen.” [24:03]
4. AI and Cybersecurity: Perplexity Crawlers and Privacy Concerns
The latter part of the episode delves into the intricate relationship between AI and cybersecurity, focusing on Perplexity's stealth crawling techniques.
Wade introduces the topic, explaining that Perplexity, an AI answer engine, is continuously crawling the internet to gather data, often bypassing "no-crawl" directives.
“Perplexity is crawling the Internet to make these searches and find that data, and they do not care if you tell them no.” [45:05]
Derek counters by emphasizing the responsibility of content providers to protect sensitive information, suggesting that if data shouldn't be public, it should be behind authentication portals. “If you have data you don't want access, then put it behind an authentication portal.” [46:21]
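The two positions above rest on one technical fact: robots.txt is a request, not access control. A crawler that ignores it still gets whatever the server is willing to hand to an anonymous client, so the useful defensive step is to check web logs for requests that a site's own robots.txt disallows, and to note which of those the server actually served. The following is an added example written for this summary; it is not code from the podcast, from Black Hills Information Security, or from Perplexity. It uses Python's standard urllib.robotparser, and the robots.txt and the access-log lines are constructed samples.

```python
"""Audit constructed web-server log lines against a constructed robots.txt.

Added example, not from the podcast or any company it names. Reports every
request whose path robots.txt disallows for that user-agent, and whether the
server served it anyway (the directive was the only thing in the way) or
refused it (something else, such as authentication, actually blocked it).
"""
import re
from urllib import robotparser

# Constructed robots.txt: /private/ is off limits to everyone, and one named
# crawler is asked to stay out entirely.
ROBOTS_TXT = """\
User-agent: *
Disallow: /private/

User-agent: ExampleBot
Disallow: /
"""

# Constructed Combined Log Format lines; addresses are documentation ranges.
ACCESS_LOG = """\
203.0.113.5 - - [04/Aug/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "ExampleBot/1.0"
203.0.113.5 - - [04/Aug/2025:10:00:02 +0000] "GET /private/report.pdf HTTP/1.1" 200 9000 "-" "GenericCrawler/2.1"
198.51.100.9 - - [04/Aug/2025:10:00:03 +0000] "GET /public/page HTTP/1.1" 200 300 "-" "GenericCrawler/2.1"
198.51.100.9 - - [04/Aug/2025:10:00:04 +0000] "GET /private/accounts HTTP/1.1" 401 0 "-" "GenericCrawler/2.1"
"""

# Combined Log Format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def load_rules(robots_txt):
    """Parse robots.txt text into a RobotFileParser without fetching anything."""
    rules = robotparser.RobotFileParser()
    rules.parse(robots_txt.splitlines())
    return rules


def audit(robots_txt, access_log):
    """Return (ip, user_agent, path, status, verdict) for each disallowed request.

    verdict is 'served' when the response was below 400 (the crawler ignored
    the directive and nothing else stopped it) and 'blocked' when the server
    itself refused the request, which is what an authentication wall produces.
    """
    rules = load_rules(robots_txt)
    findings = []
    for line in access_log.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line: skip rather than guess at its fields
        ip, ua, path = match["ip"], match["ua"], match["path"]
        status = int(match["status"])
        # robotparser matches the User-agent token against the product name
        # before the first '/', so 'ExampleBot/1.0' selects the ExampleBot entry.
        if rules.can_fetch(ua, path):
            continue
        verdict = "served" if status < 400 else "blocked"
        findings.append((ip, ua, path, status, verdict))
    return findings


if __name__ == "__main__":
    for ip, ua, path, status, verdict in audit(ROBOTS_TXT, ACCESS_LOG):
        print(f"{verdict:7} {status} {ip:14} {ua:20} {path}")
```

Run against the constructed data, the audit flags three requests: ExampleBot fetching the front page it was told to avoid, the generic crawler pulling a file under /private/ that the server happily served, and a second /private/ request that came back 401. Only the last one was actually stopped, and it was stopped by authentication, not by robots.txt, which is the point Derek makes. On a real server the same script runs over the live access log and the served/blocked split tells you which disallowed paths are exposed to any client that declines to read robots.txt.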
The discussion then widens to other AI privacy issues, including ChatGPT's handling of private chats and Amazon's Alexa integrating ads into AI responses.
Megan draws a parallel between user consent for data usage and firearm safety, criticizing the opaque nature of AI data handling policies. “It's like a checkbox that they have to check that says make this chat... you want to share this.” [52:25]
5. The Future of AI in Cybersecurity and Society
Towards the episode's conclusion, the conversation veers into speculative territory about the future implications of AI advancements.
John references a YouTube video where AI experts predict existential threats posed by AGI (Artificial General Intelligence), highlighting concerns about AI autonomy and regulation. “Once we hit AGI, it's going to be regulated and we're going to notice right off the bat that it's actually not answering in the way we want it to.” [55:54]
Ralph and Wade discuss the potential for AI to evolve beyond human control, referencing historical overstatements about technology threats. Wade optimistically suggests AI can be a tool for solving complex problems without leading to dystopian outcomes. “AI can be used for a lot of things. It's not just ChatGPT.” [58:14]
The team collectively underscores the importance of balanced investment in AI, advocating for ethical development and cautious integration into societal frameworks.
Conclusion
This episode of Talkin' About [Infosec] News provides a comprehensive exploration of current and emerging issues in the cybersecurity landscape. From the nuances of major cyberattacks and the evolving challenges of browser security to the disruptive impacts of AI, the Black Hills Information Security team offers valuable perspectives and actionable insights. The discussion underscores the ever-present need for vigilance, adaptability, and ethical considerations in navigating the dynamic intersection of technology and security.
Final Thoughts
The episode elegantly balances technical discussions with relatable analogies and personal anecdotes, making complex topics accessible and engaging. Whether debating the merits of DEFCON, dissecting major cyber incidents, or contemplating the future of AI, the Black Hills Information Security team delivers a thought-provoking and informative session that resonates with a broad audience.