Alex
Connecting now.
Joff
Wait, is it going to do the finger thing? No, we're not ready for the finger thing.
Corey
There's a way we do this.
Joff
Come here more often. Right?
Corey
There's a way we do this. Also, just for the record, Apple now has just so many fun ways to drop massive stacks of cash, because they have the new Mac Studio, which you can get with up to 512 gigs of memory.
Alex
Yes.
Ryan
Unified.
Corey
Unified.
Alex
No, Ryan's not here. But this is for AI.
Corey
Megan. Megan. No, it's your AI, John. It's. You're. You got to preemptively say no to.
Joff
J. Yeah, say no to JJ too. And 512 gigs.
Corey
You could just blow up anything including your wallet. Mostly.
Alex
Yeah.
Corey
But also you can get... the Apple tax is real. Because that 512 gigs of memory costs $4,000.
Joff
Holy smokes. Oh my God.
Alex
It is really fast.
John
Corey, Ralph, can one of you guys.
Corey
I got it.
John
Run the show.
Corey
You can roll that. Roll that thing.
John
Coming off of. Yeah, I'm coming off of teaching.
Corey
So coming off a bender. A full on John Strand bender. What are you teaching this week?
John
It's soda water and raspberry juice.
Corey
Okay, John, I want to take this class. How do I take the class about what is John Strand like drinking? I already know. Decaf Senko. I know that one. Now I got another one on the.
John
Just gets weirder and weirder, right?
Corey
Hello and welcome to Black Hills Information Security's Talkin' About News. It's March 24, 2025. We're going to talk about scammers. We're going to talk about GitHub supply chain attacks. We're going to talk about using kinetic testing to destroy your Amazon Echo. And that's it. That's all. That's the only allowed topic. That's it.
Joff
That's all.
Corey
Also allowed to talk about what is John Strand drinking?
John
What am I drinking today?
Corey
So far the approved list of indicators of drink compromise are V8 Senko and apparently now raspberry lime fizzies or something.
John
But it's raspberry juice with like, like soda water. It's a little bit of raspberry juice.
Corey
And a whole bunch of soda water.
Megan
That sounds like something like a retired person would drink.
Corey
But raspberry juice just sounds really bougie. Like I can barely afford to eat raspberries, let alone juice.
John
We actually make our own raspberry juice here. Boil it down at Blueberry Bistro.
Corey
I don't do it.
John
The Bistro employees do it. So we're Gonna see just how bougie I can make this thing.
Corey
Okay.
Megan
I feel like John's life is just to be completely self-sustained by, like, whatever. Like, he's got cows, he's got coffee, he's got raspberry juice. What's next?
Alex
Like, yeah, you got chickens now I hope, because the eggs are out of control.
Corey
If you don't have chickens, you ain't eating eggs. Yeah, yeah, we got, we got chickens.
John
And we got cows.
Megan
We got chicken dudes.
Corey
All right, let's talk about the supply.
John
Chain GitHub thing, computer security stuff. Corey?
Corey
Yeah, this GitHub thing is genuinely kind of scary. So this is basically a common repository, which I've never heard of; Ralph's probably heard of it, called tj-actions/changed-files. This is basically a commonly used automation repository that people use. Code nowadays is just a series of tubes, and the tubes are actually just CI/CD pipelines.
Alex
That's a fact.
Corey
So basically what happened is a personal access token, a bot's personal access token, was compromised, and then some threat actor committed malicious code into that tj-actions/changed-files repository, which led to a bunch of people's CI/CD stuff potentially getting exposed. Ralph, he said there's a rumor this is targeted at cryptocurrency exchanges, possibly because.
John
Of course they are.
Alex
Yes. Yeah, there was, there's a rumor that this was targeting actually Coinbase specifically. I have to get that article now, now that I brought this up. But yes, that this attack was. They were using the CICD pipelines to. So there was a lot of obviously collateral damage, but they were looking for 23,000 repos.
Corey
Yeah, that's a lot of damage.
Alex
Yep.
Corey
So, okay, one thing I don't understand, I don't know if anyone else has a more in depth understanding than me, is what is a workflow log and how is it something I choose if it's public or is it just automatically public? That's the part I didn't really understand about this. Maybe some of our audience knows the.
Alex
Workflow for a CI/CD pipeline in GitHub is kind of like what you want to do. It would be like, hey, I'm going to do this first, I'm going to do this next inside of the CI/CD pipeline. But the workflow log I think they're talking about is the actual log that you get from running the pipeline. So this is kind of like all the errors, the messages and everything like that inside of the pipeline as it executes.
Corey
Right. So the goal is, this malicious code would basically echo into that log all the CI/CD secrets. And then theoretically that could be credentials for databases or credentials for, you know, I guess, hot wallets or other things that are used in CI/CD.
Alex
I was going to say, typically when a secret is used inside of the pipeline, so what you do is you add secrets to your GitHub repository just for that pipeline. And these are just environment variables that you're adding in as secrets. Now, typically when you run in the pipeline, you call those secrets and you get to use them and then you just keep them in there. GitHub keeps them secret, but I guess if you wanted to, you could try to echo them out. Typically, I thought GitHub secrets. Usually.
Megan
Yeah, usually you can't echo them out because you classify them as a secret.
Corey
Right.
Megan
And then even then, like, the proper thing to do is to save those variables outside of the actual repo. So then if someone gets like maintainer status of the repo, because usually anyone that has like maintainer status can go and see those actual.
Alex
No, they can't. They can't.
Corey
No, no.
Alex
Once they're in there, it's a one way. It's a one way function.
Megan
It's a one way. Okay, so that's. Then that's another CI pipeline.
Alex
Change them. But you can't like read them, right?
Ryan
Like.
Corey
Okay, well, but I think so. I mean, I'm not 100% sure on the back end of how it works, but I do think some secrets were exposed with this attack. So maybe people are not storing things properly, they're not marking them as secrets. Or, like, the other thing that's kind of crazy is the. I guess the IOC is, like, do you have double-encoded base64 in your logs? Because apparently the malicious code.
Alex
Oh, maybe, maybe as opposed to outputting it, they base64 the secret and then just encrypted it out on the wire.
Joff
Yeah, because that's super strong encryption, Ralph.
Alex
It's not encryption, it's.
Corey
Oh, my God.
Joff
Being sarcastic.
Corey
You're breaking Ralph.
Alex
Yes.
Corey
Don't do it. Did I break Ralph? I'm sorry, you did.
John
You broke Ralph?
Corey
I mean, it's pretty scary. I mean, I guess it's like one of those things of, like, good things. Someone caught it, right? Like it was. It was reported by a company called, what was it called? Spot Check or something like that. Some company monitored for this and figured it out, which is pretty sick.
John
The whole article.
Corey
I know. Hold on, hold on. I screwed up. It's Wiz. Yeah. This is a perfect segue into the next article.
John
What was it? $38 billion.
Corey
$38 billion. Which is pocket change. Well, so yeah, second article, second article about Wiz, because, okay, for me, who has heard of Wiz before, in my mind I'm thinking of Wix, which is, like, the crappy website hosting company. That's what came to mind.
Megan
But I also. Corey's red team is showing.
Corey
Yeah. The defenders are all like, oh, I've heard of Wix. Or, I mean, Wiz. Okay, so Wiz, which is an Israeli company who does cloud security, like they basically. Is it like Defender for GCP? Is that what it is? What is it?
Megan
In simpler terms.
John
And orchestrating things amongst different clouds is difficult and Wiz unifies that. So it's like an abstraction layer for your clouds when you do cloud things.
Corey
That's Terraform. It's Terraform, but you pay for it. I thought it was security related type.
John
Of cloud consistency like. And yeah, it's a big deal from like automation as far as people managing their cloud assets. I don't think it's something that we encounter much in security. Like red teaming or pen testing is like. Well, Wiz got us. It doesn't happen all that often.
Joff
I mean I thought Wiz was just the thing that was in the box called LLM.
Corey
Sorry, couldn't I think of Wiz as like Defender for us and Defender for. Because like if you ever do Azure stuff there's like a Defender for blank product for every single cloud product. It's like Defender for Azure databases. And what does it do? I don't know, something. But it costs $12 a month. That's how I imagine it's.
Megan
It's more like EDR than Defender.
Corey
Okay.
Megan
Right. Like it's next kind of like Datadog.
Corey
Yes.
Alex
They do a lot of like it looks like configuration audits.
Ryan
Right.
Alex
So like more configuration for like if you had kubernetes or if you have infrastructure as code that would look at those looking for common misconfigurations or other attack paths in that code. And so how much you want to bet.
John
How much you want to bet that a lot of what's under the hood for Wiz for, like, Azure and Microsoft is just, you know, GraphRunner.
Joff
Yeah. Or, or, or a whole bunch of shell scripts just strapped together, stuck together.
Ralph
Isn't Google trying to buy them or did they.
Corey
No, no, no, that's true. I thought we were talking about.
Alex
Yeah.
Corey
For 32 bill. Okay, 32 bill out the door at Google. Basically the logic here. And there's a. Yeah, I mean, I can link the article. Basically the logic here is that Google's trying to make a play at cloud security to be competitive with people. Like, as I mentioned, Azure and Amazon both have, like, kind of native security options you can pay extra for. And I think Google's trying to get on that bandwagon of, like, charging extra for security products in GCP.
Alex
What you're saying is this is Wiz now a Google company, correct?
Corey
Yes, yes.
Alex
Right. Because you know, it's not.
John
I come back to, like, once again, being a pen testing firm, I can't think. I'd have to go do a search through all of our reports where we have, like, Wiz caught us. And I don't necessarily mean that as, like, a direct dig on them, but I would expect a company that's worth that much would be something that we were encountering and fighting and dealing with again and again and again. And it's not. It's kind of like DLP. Everyone gets wrapped around the axles about DLP. And DLP has never stopped a hacker and never will. It's never, once again, in our reports. It's not, oh, the DLP caught us. Geez, no, that doesn't happen.
Alex
What was how much it was for?
Corey
32 bill. 32 billion.
Alex
So they're a perfect, like, startup story, right? They started five years unicorn.
John
They're in uniform.
Alex
Yes, they started five years ago. They took on a series A through E. The first was 100 million. The last capital raising they took on was 1 billion on a $12 billion valuation. And how much was it? 32.
Corey
So that's pretty good. They went up by 3x in a year a couple of years ago, I.
John
Think it was last year, Google tried to make a play to buy them for, like, 10. And the CEO released an email that was basically like, oh, no, we believe that we're worth more than that. We're staying together. We're one big happy family, everyone. And I don't think anybody at that company, like. Guys, if somebody tried to buy BHIS for $32 billion, would you do it? Me, if I sold it?
Corey
No, do it. Do it.
John
You get a billion and you get a billion and Shecky gets a billion and everybody gets a billion.
Corey
It's hard. They would probably prevent you from doing that.
Joff
In the contract to buy us for $32 billion.
John
If you want to buy BHIS for 32 billion, we are taking offers less than that.
Corey
Do not call.
John
Yeah, don't call if it's less than 31.
Corey
Get out.
John
I know what I got. I know what.
Corey
It's all cash, no stock. We don't deal with stock. We don't even know how that works unless it's potatoes. Futures.
Nerf
I wouldn't question Wiz as much as EDR as it is more of a way of keeping track of everything. Not Terraform, where you're actually building stuff, but being able to see what you've got where and how it all integrates in.
John
Doesn't it actually fix the security configurations though too?
Nerf
It will do that where I am. We actually have it. I don't get to play around with it really. We have a cloud team that deals with that and not me. But I remember when we got it in one of the big things on it was it allowed us because at that time everybody was just tossing whatever up onto the cloud and we had no real good insight into it and that helped consolidate everything for us.
Alex
And actually owned by IBM.
Corey
So I mean these big, these big tools like this, they do a lot of things and like I guess from my perspective John, it's like we haven't necessarily been stopped like in a way that we know but like maybe we just tried to do something and then config said no, you can't do that. And we were like darn like it's not like we would know why the config was.
Alex
So what you're trying to say Corey is they're selling like a good feeling more than like security, configuration management.
Corey
Anything that's defined as cloud native is just selling a vibe. Yeah, that's how it works.
Ryan
One of the vibes I like is they have fantastic write ups. So even regardless of where you're taking it or where Wiz's future is like it would do everybody a great service to read their write ups and emulate those types of write ups and reporting.
John
This is a great write up here. I mean it is.
Alex
Yeah it is.
John
It's phenomenal.
Corey
I do think it's funny how the world of cloud computing just has the most killer docs of all time and then like somehow on prem computing is like, I don't know, we have this PDF from like six years ago. You can use that.
John
It's using all of the old Cisco icons and a really sad PowerPoint and Wiz is using. I'm not. I think that they're using like Comic Sans.
Corey
Who could have really used Wiz? Oracle.
John
Sounds like a. I think they could.
Alex
Use that their entire company lifespan at this point.
Corey
Well, so this is kind of a. I mean, so there's an article Oracle I want to be like a little bit. I'm going to try to be like neutral here because first of all, if you're a pen tester and you've ever tried dumping an Oracle database, you hate Oracle because you can't even read their docs without having an account. And you have to have a subscription to have an account. It's a whole thing.
Joff
You need a bag of money, Corey.
Corey
They have a notorious history of quashing security research on their products, blah, blah, blah. But this breach is kind of an unconfirmed breach from the outside perspective. Someone posted to RaidForums and basically. Or BreachForums, or BreachForums v7 or whatever it is. Someone posted to BreachForums and said, I have 6 million accounts or, you know, records from Oracle Cloud. And they basically posted, I mean, they posted some specific information like, you know, oh, I have these encrypted credentials that I can't use. If anyone knows how to use them, let me know. I have data from SSO and LDAP. So it's like, what does that mean? I don't know. Oracle has responded and said, nah, this isn't real. There has been no breach of Oracle Cloud. The published credentials are not for Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data. So that's what Oracle says. I feel like if we're looking at the scoreboard here, how many times when a company says it's not a breach, it actually turns out to be not a breach?
Joff
I mean, yeah, yeah, I mean, like.
Corey
How many times is that the case?
Joff
Probably like maybe loudly. And then you call your bank of lawyers and you put up your shields. I mean, you know, sometimes.
Alex
Why, why isn't it the other way around? You would think that somebody would just boast about it and like, it would be like, oh, look, they lied, right? But most of the time it's not. They're like, no, check it out.
Corey
And everyone's like, oh, update that we lied. But new information. We have new information now.
Alex
The logs actually said we were breached.
Corey
We don't know.
Joff
My bad.
John
I still go back to our experience with Oracle, like, with disclosure. I think Ja was around for this test where, like, one of our testers, she found a bunch of vulnerabilities and they're like, those aren't vulnerabilities. And we're like, no, no, no, really, they're vulnerabilities in your software that you sell our customer. Like, no, they're not. And then we gave them packet captures, and then we gave them detailed step-by-step guides with callouts and arrows and Burp state files, and they're like, nope, nope, nope.
Corey
Still.
John
Still not a vulnerability. Nope, we don't need to fix that. That's not a vulnerability. Our internal red team did not detect it, therefore it's not real. And it wasn't until we sent it an email and said, fine, do you mind if we do a webcast talking through these vulnerabilities in your third party? Then they were like, we need to talk immediately. Here's a non disclosure agreement from our lawyers which we didn't sign. But this, that's kind of their first reaction to, to deny. Like I don't even think they do any research at all. It's like not a vulnerability, not a breach. We're going to ignore it and put our fingers in our ears and go.
Corey
No, no, no, no, no, no, no.
Joff
Deny and deny and call the lawyers, right?
Alex
I mean, yeah, deny.
John
Well, it took them a while to call the lawyers when they were working with us the past couple of times, but once they know they have something and it's real, then they bring the lawyers in, right?
Corey
Yeah. I mean this gives me vibes of like not a breach being technically true because it's like the Snowflake thing wasn't a breach. But like for all intents and purposes, this feels the same to me. It's like, well it's not really a breach of Oracle Cloud security, it's a breach of our customers. That's my guess. I get vibes from this. I feel like this is like exposed development or test or support credentials for a third party. It's like we weren't breached, but one of our support provider contracts was breached and they got access to this. Right? It's similar to the, what was it, Zendesk? This has happened like 80 times over the years of like. Well, we weren't breached, but a company that has access to all of our customer data was breached. So it's not our fault. Lawyers go, that's what we pay you for.
Alex
For it to not be our fault.
Corey
Yeah, yeah.
John
That's cloud computing in a nutshell.
Corey
I will say though, I mean we don't deal with it a ton, but I know that like Oracle Cloud gets a lot of top billing. Like this is used a lot.
John
Nerf Blaster, can you share the article Nerf Blasters said? Did you see the follow up article where the hacker put their email address on Oracle servers?
Alex
Oh, that's.
Corey
No, but please send it to us.
John
That's a good way to prove it.
Alex
Oh, God.
John
We call that the mkdir hackety-hack thing, right?
Corey
The CSO Online article actually has, like, a specific known vulnerability, but they're just, like, tying it. Like, I don't know, it's basically, stay tuned next week. We'll probably talk about this once all the lawyers and the SEC and everyone's going to be, like, slap fighting each other. It'll be a whole thing. But I'll probably have better data next week.
Alex
And can we talk about this phone one that I saw today? This is, like, a pants-on-fire vulnerability for Next.js. Did you guys see about that?
John
I haven't, no.
Alex
All right, so Next.js, if you haven't played around with this or seen it, it's used all over the Internet on, like, a lot of these JavaScript-based platforms, right? So it's used all over, and they found a critical flaw in the authentication. So it's an authentication bypass in Next.js, right? And so here's how it works. Like, I went down the rabbit hole of details, but in essence, Next.js allows you to build, as a developer, something called the middleware. Now what you can do in this middleware is you can add, I don't know, some kind of authentication check in your API, right? Or whatever you want. You can add, make sure this header exists or whatever. And so what Next.js, the actual framework, decided to do was whenever you use this middleware, it adds a little header on the request called x-middleware-subrequest. Okay? So whenever something comes in and uses it, it adds that on there. But as a developer, you might kind of mess up and possibly cause a loop with your middleware function. And if you do that, what'll happen is that it will just be an infinite loop with the middleware. So what Next.js thought would be a great idea is they put a condition inside of the middleware that says if the header is seen three or five times, to just forget the middleware at all, right? Now, what happens is, yeah, it's simply five times to get in, right? So instead of failing closed, it fails open. So what you can do is, any Next.js application that's using a middleware, you can send a header, the x-middleware-subrequest, and then you put the path of the middleware five times. You don't need to know the actual.
Corey
Path, just. Oh my God, you put it five times, the same thing. It's like zipping. It's like zipping a zip and then the malware doesn't scan it or whatever.
John
How does that get coded? It's like if you. Do you guys remember there was that Linux vulnerability where if you fail to authenticate to it like something like 5,000 times. I think it was Ubuntu or something. I might be getting that wrong. It just lets you in. Yes, it was just like, you know what you tried real hard.
Alex
So what they were trying to do.
Joff
Is keep trying vulnerable.
Alex
Yeah, they were trying to help developers that would make a loop and instead of throwing an error that says, hey, this is just broken, what it did is it just failed open and just said, oh, the middleware is not important anymore. Right.
Corey
Well, they set a max depth. Okay. It's a whole thing where, like, you would want to set a max depth. Right. Like, you don't want to have your code just parse an infinite loop, because that's a DoS vulnerability. That's also a vulnerability.
Alex
That's why they did it. But they should have said like after five times, give a 500 error, you.
Corey
Should set a max depth and then still double check that you got what you expected after you did the max depth. Yeah. Failing closed. Yeah.
Alex
Anyways, kind of fun. Tons of applications that use that, or people that wrote applications that use Next.js as the framework, would be.
Corey
So how many does this affect? This affects like probably all the versions.
Alex
I guess, or it affects the primary version and the last version. So 15 and 14. And then it only affects people who are using the middleware, which is actually pretty common. And also, additionally, some of this, the non. Like, if you wrote this, if you wrote Next.js and hosted it wherever and you're using the middleware, you'd be affected. But a lot of providers that are hosting Next.js, they just put some, what do you call it, some extra checks in place to prevent that. Essentially you could just read that. You could just look for the x-middleware-subrequest header as it comes in. And if it has that, you know, kind of five loop in there, you could just drop it. So.
Corey
All right, let's go. For all the CPT customers, time to find out if there's a freaking Nuclei template for this and then go and triage it across 3 million web apps.
Joff
I love how Corey just gives Ralph homework. Like, here's some homework.
Alex
It's really funny, though, because I'd been going down this whole rabbit hole of JS libraries and all this other stuff, and I was super curious of, like, how it broke. Right. Because these are really common right now. And just the logic is just, it blows my mind that you just fail open. So anyhow, fun ball.
Corey
Yeah. That's awesome. I mean, I'm assuming, like, would the middleware be used anytime? It's like, I have this app, but it's behind SSO. Is that basically what it's intended to be used for?
Alex
No. So as a developer, you would decide when you want to use a middleware. Right. And there's probably a lot of use cases where you might want to use a middleware.
Corey
What is a middleware? Am I just dumb? I'm thinking ColdFusion.
Alex
Why am I thinking of the best way to describe what a middleware would be? Let's say that you have an API and you send some data to that API. And let's say obviously it's a web request, so maybe it has some headers in it. Maybe you. With the middleware, you want to check the value of those headers. Or maybe with the middleware, you want to alter the value of those headers or whatever you want to do. Or the most common use case would be, hey, let me check to make sure that this bearer token or whatever's in that header is valid or anything inside the request.
Ryan
Yeah.
Corey
Interesting. So what are common middlewares? I'm thinking again of JBoss. That was a middleware authentication.
Alex
Authentication would be a common middleware. Right.
Corey
So not like SSO, but like another, like a. I don't know.
Alex
No, no.
Corey
Curious. Yeah.
Alex
No. So when the request comes in, like the web request, a common thing would be to check what the auth token is. Right. Is it valid?
Corey
You can code your own middleware. Yeah. And that's not a commercial thing.
Alex
Put the loop in there. Because people would mess up and create their own loop.
Ryan
You could make, you know, so.
Alex
Yeah.
Corey
Cool. Well, patch your Next.js if you're using it. If you're a CPT customer, we'll be in touch. Yeah.
Alex
Anyways, all right.
Corey
Anyone else have one? John, what's on your radar? What do you you want to talk about? Let's talk about AI talking to AI talking to AI talking to AI. It's just an Internet loop. Oh, wow.
Joff
That's my favorite, the AI.
Corey
So Cloudflare released on Friday a bot-busting AI, which basically uses AI to generate content so that when other AIs are scraping your site for content, it just gets confused and lost and just scrapes a bunch of garbage. So we're training, I'm sure, like. Love this. It's, I mean, I don't know, I guess it's like a needed.
Joff
Concept is this, I mean it's a data poisoning attack back.
Corey
Yeah, it is, it is. I mean, I guess what I would say is, there's a whole, like, theory of information, right? Like entropy. And, you know, this is going to be a swear jar moment, but, like, you can Google the enshittification of the Internet, right? Basically the theory being. Well, let's set a cutoff, let's say 2021, AI started being used at scale to generate content. The quality of content is going to slowly go down, because at that point, once AI started generating content, the content started getting worse, and then it started scraping its own content and slowly getting worse. It's like the concept of entropy, right?
Alex
No way AI is going to be able to detect that it's AI content.
Corey
Well, exactly. That's the thing is like, so if I'm writing an AI scraper right now, I'm saying, okay, scrape. And if it's Cloudflare and it looks, you know, use this AI to tell if it's AI generated.
Alex
Yes, yes. No, there's, there's whole platforms right now that are being built for AI companies to do scraping of the Internet and they're like paying tons of money for this. It is insane. So I guess on the other side there's, that's the reason Cloudflare is trying to do this kind of poison the well, maybe make it so people are like, well, we don't have a, a solution for that yet, so we'll have to figure out. But it's a cat and mouse game. Eventually somebody's going to figure out that it's fake content, not real content and just drop it.
Corey
So it is kind of funny though that like what they chose when they chose like what. Okay, so we're going to poison the well. What do we poison the well with? The Cloudflare people chose to poison the well with, you know, real information that's related to scientific facts is what they claim. So like, I guess it's like I now have on my personal website, like in depth scientific or scientific articles about like how, I don't know, like how what the effectiveness of, you know, a certain drug is on a certain type of cancer or something. I don't know, like what the, you know, wow, your personal website, according to Chat GPT is pretty advanced.
Joff
Well, and how long is it going to take somebody to just go ahead and DoS Cloudflare's solution?
Corey
I mean, Cloudflare knows a thing or two about DoS.
Joff
But remember this is scaled up at AI level.
Corey
Hold on.
Alex
Yeah, but those AI, they're using tokens, right? So that costs money to make up. Exactly.
Joff
That's what I'm saying. Costs money and serious compute resources. And so, you know, DoSing that is going to hurt.
Corey
You're right. But I will say, like, this type of, you know how it is, Joff, this type of data, once you have a pretty small data set, is actually pretty easy to generate at scale, right? Like, yeah, they're just using a small input, probably a very small number of parameters for this. And so it can probably go pretty hard without using a ton of resources. This is kind of a fun one. Remember when hacking used to be only done by, like, nerds in basements who are super pale and have never seen the light of day?
Alex
I know.
Corey
We now have definitive, we already have definitive news-article-based proof that cool kids can hack too. And that's because the ex-Michigan quarterback coach Matt Weiss, who's a sports guy, cool jock, known to be, I mean, he's probably like 6'2", 240 or whatever. He is facing 24 federal charges in the name of sports. He was hacking student accounts and pulling their information. Oh, and he's being charged with 14 counts of unauthorized computer access and 10 counts of aggravated identity theft. Basically, starting in 2015, he's been accessing student athlete databases of more than 100 colleges and universities and then basically downloaded, you know, PII or whatever you'd want to call it, of a bunch of athletes. So it's kind of interesting. But it goes beyond that. He also went after, this is alleged, you know, allegedly. I'm sure his lawyers would disagree with this, but he basically used that information that he got from the databases to go after social media, email and cloud storage accounts of more than 2,000 athletes. Is this like a recruiting strategy? Like, what is he doing? What is, I guess I'm like, what is the point? Is he like, yeah, what's the motivation? He says he's super fit, but I looked at his Gmail and he just emailed someone that his hundred yard time was, you know, eight minutes or whatever. I don't know, like, what?
Alex
Oh he was getting into their email then all the way.
Corey
Yeah, he was going into their databases.
Ryan
Like, so what is the nature of this, of the hack? You know, define hacking. Access was. It's like, oh, you weren't supposed to guess that the password to admin was admin. So you're a hacker now.
Corey
Yes, but then unfortunately, the article takes where they go.
Ryan
It's like, oh, this company got hacked. Or like they did the hack. It's like, no, they set a bad password and somebody guessed it. Like, we debate that.
Corey
It gets hacking. Still hacking, though. To take information from a database and use it to compromise a credential is still hacking. If that's not, I'm out of a job.
Joff
I'm with you though, Alex. I mean, you know, it's like not.
Alex
Yeah, okay. It's not sophisticated hacking. That's what you're trying to say, right?
Ryan
Yeah, sophistication here.
Nerf
I think the big thing is if it was something as simple as admin admin, that's 100 colleges and universities databases that he got into.
Ryan
Oh, yeah.
Nerf
The amount of them using just admin admin itself is criminal.
Corey
I mean, I don't necessarily think it's admin admin. I think it's more just there isn't good checks and balances on access to this type of data. I think it's like, hey, I am a coach. I need this database. And the schools were just like, yes. But this is where it gets kind of creepy and disgusting. With this access, unfortunately, the person downloaded intimate digital photographs and things of primarily female athletes. So of course it turns into a weird sex pervert thing, as it always does. And yeah, basically that's why this is being charged. If all they. If all he was doing is, like, looking at how tall people were, I don't think it ever would get charged because that's just, you know, oh, it's scouting or whatever. But the fact that it was, you know, intimate personal details and creepy sex pervert stuff, you know, now it's. It's gonna get hopefully charged aggressively. And I will say, like, there does need to be better checks and balances on who has access to this type of data. Colleges and universities. I mean, at least at Black Hills, we actually joked for a time about having an extra upcharge for colleges and universities just because their networks are just a special disaster network and they typically don't have huge security budgets. So, like these, you know, this data is definitely sensitive and can be used, as we've seen, for illicit purposes. So it needs to be protected a little bit better, I think. Although there's no clear details on how the guy got into all these databases, I'm sure the schools will be like, he hacked us.
Alex
Yeah. When all they did was just give him an account with Read Only.
Corey
Probably. Probably. That's probably exactly what happened.
Joff
You are giving me some, you know, post employment distress because I used to work at university years ago and if you ever, ever looked at, you know, vulnerability scans of university networks, it's like.
Alex
Where do I start?
Corey
Yeah. I mean, it's so bad. Yes. It's just like healthcare where it's not really their fault. Like you have some professor who has a lab who has a thing in his lab that he can't do anything about. Like it's old, but yeah. It's also just no one gets paid enough to care. Right. That's part of the problem.
Nerf
Near the end of the article, they actually talked to a cybersecurity expert and professor at Michigan at MSU, and he said it appears as though he used someone else's credentials to gain access to the database because he had some degree of access, but it wasn't enough to give him the information he was looking for. So it sounds like he got somebody else to give him his password.
Corey
Yeah.
Nerf
It also said that two factor would. May have stopped him because of the way that it was.
Joff
Well, maybe the federal government will hire him.
Corey
He's great at getting access to databases. Yeah. I would say like this is one of those things where, you know, we were joking about it before, but like hacking isn't always hacking. Right. It's like this is arguably very unsophisticated, but if it works, it works. Right? So like you might be the organization who's like, we need to defend against zero days. And I would respond, can you defend against an ex Michigan coach? No. Well, then you need to change your.
Joff
I'll never forget one of my very early conversations with John. When I first. First started with Black Hills and I was on like my first engagement and I'm. I'm looking for all the elite crazy stuff I could do. Right. And I'm getting all hackery and, and technical and. And John's like, joff, you need to just think simpler, man. Just go for the easy stuff. There's plenty of it out there.
Corey
Yeah. The password is just Wolverines. That's the password for the Michigan State dog. I'm just kidding.
Alex
Come on, man, why'd you tell everybody?
Corey
I'm sorry, I just leaked. I. I'll submit it to the bug bounty program.
Ryan
There you go.
Joff
What a good man.
Alex
Speaking of privacy being, I don't know, sold or the echo stuff.
Corey
Is that where you're going with this?
Alex
No, no, actually I was gonna go back at one point.
Corey
We'll come back to that.
Alex
Yeah, we'll come back. So this is the 23andMe filing for bankruptcy because.
Corey
Oh, no, not.
Alex
Not a problem.
Corey
Who could have seen this coming? Oh, my God, no one.
Alex
So eventually.
Corey
So here's the.
Alex
Here's the wild part about this. Obviously there's a huge privacy concern with the whole thing. But really, the reason that they're filing bankruptcy is because they sold all this DNA data already. It's already been sold so many times, they can't sell it anymore.
Corey
Yeah. And your DNA doesn't change once you've gotten one of these tests. You've gotten it, there's no more market. The only people that I feel like.
Alex
Personally are upset about this is the FBI. And anyone else wants to find some serial killer from 35 years ago.
Corey
Exactly. Don't worry, there's still plenty of other providers in this space.
Alex
Yeah.
Joff
Law enforcement consortium will buy them and prop them up or something.
Alex
Just, just think about this. One day in, you know, a while ago, somebody sat around, they were like, you know what? People will pay for DNA test because then they can find out who their cousin is. And then we could sell all their data to whoever. It's gonna be awesome.
Corey
Yeah, well, yeah, I mean, they also 23andMe had terrible privacy and security. We joked about just pretending things aren't a breach. That was their initial reaction to like 150,000 accounts getting compromised. They were like, nah, that's not a breach, dude. That's just people's passwords being used by threat actors on their infrastructure.
Alex
Hold on, Corey. They've only faced 50 class action lawsuits. Okay, all right.
Corey
Only 50. Those are rookie numbers. You got to pump those numbers up, dude.
Ryan
I also enjoy, like, some of the two top responses to this story that I've seen is people being like, here's how you go to 23andMe and delete your data. Like, here's the whole steps followed immediately by like the second topmost response, which was like, hey, that data's already sold. Like that. It's gone. Like, you can go to 23andMe and be like, please delete my stuff. And it's like, it's gone. Telling 23andMe to delete it.
John
No.
Corey
Yeah, it's like telling a data broker, please delete me. They're like, listen, okay, in order to delete you, can you submit all of your personal data, including. Yeah, right.
Joff
How about your name, address, Social Security number? Name refers to children.
Alex
I wouldn't be surprised at like, you know, when they're selling off like the furniture and stuff. They're selling boxes of DNA data.
Corey
There is like, it's an auction. Everyone named John's DNA data is in this filing cabinet.
Alex
You never know what you're going to get. But everyone's unique.
Corey
And someone at the auction's like, did you print this? What the hell were you guys thinking? Why did you print this?
Alex
Because it's like, got to print it than it does.
Corey
Yeah. Cause ask someone like, if there's like an estate sale, just buy all the hard drives and do a security research post about it.
Alex
Yes. Oh my God. Anyways, do you want to talk about the Echo? I mean, everything with Amazon's great to go.
Corey
Now let's talk about Echo. So this has been a long time coming. I think there has been a few articles over the weeks where, I mean, basically the, like, the real story here is that Amazon is just changing their policies with the Echo. They're getting rid of the feature that probably less than 1% of people enabled, which do not send voice recordings to Amazon. So basically.
Alex
Well, wouldn't that make your Alexa, like kind of worthless?
Corey
Oh, no, basically. No, no, no. So this is, this is like basically Amazon saying, we're going to go the Google route. We're gonna, we're gonna explicitly say you are the product and you cannot opt out. Which is like, you know Google reads your emails, right? That's what they do. That's what Gmail is. Why is Google search so good? Because they're reading your emails and they know what you like. So basically this is kind of the same thing. Alexa AI or Alexa plus we're trying to commercialize, by the way. What'd you say?
Alex
Sorry, it's not free. You have to pay for Alexa plus now.
Corey
Right, but. So if I buy an Echo today, it comes with just regular Alexa for free. But then I have to. I can also pay extra to get a similar to Chat GPT.
Alex
Have you used Alexa?
Ryan
She is retarded.
Alex
Excuse me?
Corey
No, I have not used Alexa, but I've used Siri and Siri has AI and is equally not functional. I mean, I've never had a wiretap in my house that I knew about. So.
Alex
Yeah, I mean, well, doesn't that make it a better wiretap?
Corey
Only if the wiretap can give you pancake recipes.
Ryan
So I always ask things with sarcasm to where I'm like, alexa, please do this thing and give me the answer in the most convoluted way possible. And then when it spits out, as usual, answer I'm like, perfect, thanks. Yeah, it does. I just.
Corey
I don't know.
Ryan
How do you get. It's like, how do you get people, like, off of. Off of this?
Corey
Like, you know, my kids are used to, like, just walking into a room.
Ryan
And asking Alexa, how do you get people to say, okay, I. I care about this privacy thing. So what, it's. What are we going to do? Just get rid of all of our smart devices and switch to something else?
Joff
Right.
Corey
Well, so the other thing about Alexa that I find kind of interesting is it's integrated into a lot of products that you like smart speakers and things that, like, you wouldn't. You would just have a brick if you turned off the Alexa part. Like, you. It has no buttons. It can't do anything. I feel like this is not a deal breaker for most people. I already would have told people not to use Alexa, that no one is like, well, it's fine to use Alexa as long as you turn on the do not send cloud recording. Yeah, it's like going in EDR and being like, don't submit to the cloud. It's like, yeah, we all know this is gonna submit to the cloud. Like, let's not pretend like it's not to.
Alex
I have one of the Alexas and I wouldn't recommend it. You know what the number one thing we use it for, like, number one, like, 99% of the time.
Corey
Right.
Joff
I'm gonna guess.
Alex
All right, go ahead.
Corey
Weather. Play Spotify.
Alex
No, no, those are all good guesses, but no, all we do is use it for timers. Set a fire.
Ryan
I use it for timers.
Corey
Siri, for that. Come on.
Alex
The whole thing, it's. It's such a waste. It is the dumbest thing I've ever bought.
Corey
Just say, hey, Siri, set a timer for 12 minutes or whatever.
Alex
You don't have to video I' in time.
Corey
Well, get rid of your Alexas, I guess is the long story short.
Ryan
And Amazon is one that they're a bit more uniquely positioned that they can apply pressure for following these things. If it starts to become a problem where people are turning these things off, they sit there and they go, oh, hey, as a new condition of like, Amazon prime, if you actually want your stuff there in two days for free, you have to have the stuff turned on. Otherwise it's going to be like your package that you ordered. It'll get there when it gets there.
Alex
You don't have Amazon Ship Plus.
Ryan
Yeah, you don't have Amazon Shipping Plus. In order to qualify for Amazon Shipping plus, you need to enable these features.
Corey
On your smart speaker, the Alexa. I don't want to be mean, but I feel like the target audience for someone buying an Alexa is someone who doesn't care or really think about privacy and also definitely isn't going to pay a subscription to get a plus version of their timers. Like, I don't, I could be wrong here, but I feel the vibe I get from people who use Alexa a lot is, I don't know, I went on Amazon, I typed smart speaker and it came with Alexa and so I used it. No one is like, oh, I'm deep in the Alexa ecosystem, dude. Like, I don't know, I need a.
Joff
T shirt that says that.
Alex
All of the. So all of those ecosystems, especially the ones with Google too, they're like notorious. They all get shut down for like Amazon, Alexa, like they were laying off like thousands of people in this whole thing because it was never profitable. Shocker. And then so. But I wouldn't be surprised if it just shuts down when everyone realizes that now, you know, they want to charge extra for my timer, which I would obviously opt out of that. Right?
Ryan
So.
Alex
But Google's horrible too about these things where all these big, you know, FAANG companies will produce something like Alexa or all of Google's Wi-Fi routers and everything, and they'll just be like, you know what, we're just going to cancel this. We're done.
Ryan
Done.
Alex
We're done. That video thing that we had in your doorbell, you're gonna have to replace all that.
Corey
So that's every tech company. There's a graveyard of Google products longer than anyone can possibly name.
Alex
I know, I know.
Corey
Anyway, all right, for a, for a closeout, let's talk about this scam busting thing or, you know, whatever we're calling these. Basically, I'm a huge fan of this. Just as a general concept. I'm not really sure why, why this is like a news article. It seems like just kind of a fun weekend, but I'm totally here for it. Basically, this Canadian CBC, isn't that Canadian? I think it is published an article where they partnered with or probably paid for three of the more well known scam busters, which is like Kitboga, Jim Browning and Pleasant Green, which are three like content creators in the scam busting space to basically come and show them how scam busting works. I think most people in cyber security are probably aware of this, but basically how it works is they pose as victims and they basically go after the scammers. So there's a few different ways to do this, and each of them kind of has a different approach to how to. Like Kitboga, for example, his whole thing is he wants to waste scammer time, so he like, has set up AI and all this stuff to like have scammers talking to people for days on end. And they're just like a complete dead end. All of them, to my knowledge, do work with law enforcement to submit any bank account information they get or any like, any kind of PII or other identifiable information they, they get from, you know, scammers. But basically all of these content creators have awesome content. I highly recommend watching it because it's kind of like security adjacent. It's not really, you know, security, but it is in a way, like using AI to go after scammers. It's pretty funny. Also, like, it is genuinely hilarious to watch a scammer be like, how'd you do that? Like, they're, they're like exploiting people who don't know, but then they also don't know. So it's a fun little.
Alex
Well, they know the script, Corey. And then when it falls apart and someone already knows their script and is already two steps ahead, then it's, you know, they're just chasing.
Corey
Basically, go check out these content creators. It's uplifting, it's funny. It's also mildly educational and it's actually really cool to watch them go. So they're, you know, maybe watch the video or whatever.
Ryan
And with these like one, one area that is mildly educational as well, that often gets overlooked is just getting a look into that victim mentality that occurs with these. And I've experienced this and helped people out with this to where it's like they're getting scammed and you try to approach them and say, like, hey, you're getting scammed like this. You know, you approach them with a co worker and they think that somehow you're in on like the conspiracy to like steal their money. And they, they're already hooked to trusting this person at the other end of the, of the line. And it's difficult to kind of pull them out of that world where they're already believing that, you know, that they really are in trouble with the FBI or the IRS really does need them to like, send a whole like stack of money through the postal service. Like they, they're already bought into that and trying to break them out of that is very difficult. So I think that's, that's a lesson or an insight as well for a lot of security things is that, like, sometimes you're dealing with an individual that, you know, they have a certain shifted worldview that doesn't make sense to you, but you have to approach it with the, you know, appropriate tact for, you know, what their, you know, misaligned definitions are.
Alex
I've been paying my taxes with Apple cards for years.
Ryan
It's believes that it's legitimately how you can pay your taxes, that it's really difficult to try and convince them, like, no, stop doing that. You're being scammed. And they're like, no, I do this all the time. And it's like, what do you mean you do this all the time? And it's bewildering to you, but it puts, like, a lot of tension between you trying to help and the victim that needs to be helped. Like, you have to.
Corey
Yes. This is why shutting down these call centers, which is all of their goal. They're. All of them. Their goal is to shut these things down. Indian law enforcement, other, like, kind of developing nations. Law enforcement goes after them like, everyone's on the same page of like, we hate these guys.
Megan
Guys.
Corey
No one likes scamming. Like, no one likes scamming. No one likes, you know, how they take advantage of, like Alex said, they take advantage of the most vulnerable people. People.
Joff
That's what I hate the most, Corey.
Corey
It's the.
Joff
It's really the elderly. The elderly get taken advantage of so much by these people, and it's horrible. I mean, because that, you know, different generation, much more trusting, and they're getting old, you know, it's totally.
Corey
Yeah. I mean, it's. Yeah. You'll notice that Kitboga, all of his, like, AI voices. All use, like, old lady and old man voices. And they're. They're pretty funny. Like, I, you know, watch the video. But there's just some hilarious stuff where, like, the, you know, the scammer will. Just. One of the scams is like a. Like a publisher clearinghouse scam. It's like, send us the money and we'll publish your book. And, like, so, like, in the AI, he has, like, the person basically read them their whole book on the phone to be like, I love that by the way I wrote it. But, like, the concepts that the AI comes up with to be like, a book is so stupid. It's like, oh, here's how I stubbed my toe on a Tuesday. And it's like 15 minutes of just, like, talking about. And then my toe was hurting, so I took my shoe off and that, like. And it's just like. And like, of course they're supposed to listen because that's part of the scam. So it's just really funny.
Ralph
I think, Alex, I think you mentioned the word victim. And, you know, the one thing that came to mind for me too, and it's not. Not that it's an excuse. I mean, you know, I read. I read these articles sometimes, and you hear that some of the people actually performing the scams are victims themselves. And that's. That's what's really tragic to me as well, that someone would be that low, you know, and maybe, like, they're being forced even to do this.
Corey
Yeah, I mean, you gotta go off to, like, the call centers themselves, right? Even. Even if you're a knowing. Even if you're a participating employee, you're still just trying to make a wage. And a lot of times you might not even know. I mean, I think some of them definitely know what they're doing and deserve, you know, punishment, but I think some of them might not even know, oh, I'm assisting in the scam by calling and getting this credit card or whatever. I don't know. It's one of those things. It go after the businesses that profit from it first and go after. Especially if there's human trafficking involved. I mean, you gotta prioritize that. I think there was an article from a couple years ago that we talked about in this show where, like, they had a bunch of people that, you know, basically came into the call center, they took away their passports. The people were, you know, kind of stuck there. Like you said, human trafficking. So super terrifying.
Ralph
Yeah.
Joff
But yeah, now, now we're all very sad because we're thinking about.
Corey
Sorry. I'm sorry.
Ralph
Go watch the video. You'll laugh again.
Corey
Yes, watch the video. It'll make you laugh. Hearing scammers get their time wasted is just hilarious. And I love how, you know, the. The scammer, like, he. Kit Boga, deals in, like, how much time can I waste? That's like his currency. And like, the numbers are so funny because, like, some scammers has been like, spending like three days calling this old lady to talk about her, like, book about her toe or whatever. It's like, dude, just give.
Joff
You know, I. I love that approach so much that he's gone down the road of, like, aiing it. I mean, that. That's fabulous.
Alex
That is. They're all in for that long payoff.
Corey
It so funny. It's so funny to imagine, like, I don't know, it's like, how much is your time worth? Well, mine is nothing. So whatever yours is worth, it's worth more than mine. Yeah, it's pretty funny.
Joff
Hey, I think we should probably wrap it up. What do you think?
Corey
Wrap it up? We still got seven minutes, Joff.
Joff
Oh, come on. We can take.
Corey
Well, you just want to. You just want to call it. I mean, it's. I guess it's a light news week.
Alex
Yeah.
Corey
There was a data breach of a sperm bank.
Alex
We could talk about a lot of data breaches. As usual.
Joff
Talk about AI That'll take a while.
Corey
This data breach of a sperm bank, I'm assuming it's just like, the customer's information, but I'm like thinking of a dystopian sci fi movie where someone, like, breaches it and like, takes all the genetic information somehow and like, then goes and buys 23andMe and like, creates an army of clones. I don't know. I could see it. I'll have my AI get on a. I have a publisher I'm working with. I. Only. The publisher I'm working with, I just have to send them a thousand dollars and then they'll publish my book. Look, so.
Ryan
Well, so.
Corey
But.
Alex
So they just stole PII from this took.
Corey
Yeah, I'm assuming. I mean, it's just kind of a.
Alex
Crowded sperm samples. I don't understand.
Corey
Yeah, I don't think that's. Yeah, I don't think. I think it's really just PII. They don't say anything about, like, you know, genetic material was compromised or anything.
Alex
Yeah, if it was, I mean, you.
Corey
Could definitely be a news article.
Alex
I think it's just because it's a sperm bank.
Corey
Correct. I think it is interesting to think about, like, a Stuxnet scenario, though. Like, if you did, like, disable all the, like, zero, you know, really below zero deep freezers, like, you could destroy a lot of genetic material and. Yeah. But as a good. As a good news, they're offering one year of credit monitoring to anyone whose Social Security number or driver's license was exposed in the breach.
Joff
I think a criminal coach would be very sad about all that genetic material getting destroyed.
Alex
I have credit monitoring at this point.
Corey
I can't decide if it's good or bad that the sperm bank is collecting people's Social Security numbers and driver's licenses. Is that good or is that bad? I can't decide. I don't want to think about it anymore. I've already thought about it.
Joff
I'm going. I'm going for bad and I Think we should move on.
Corey
Just anonymous. Just allow anonymous donations. No one knows who they are.
Ryan
Yeah, but then it's like you're giving money to somebody though. And that's always the thing you get going, like, who are we giving all of this distinction to? Like, we need to make sure that things line up for taxes. Because it's like.
Corey
Let's just say there's a Rick and Morty episode about it. There's a Rick and Morty episode about what could happen and go watch it.
Joff
I'm gonna say this. This conversation's getting uncomfortable. Let's go to the next story.
Corey
I don't know what you're talking about. I mean, there's this Microsoft new rat. Every time I see a blog post about a new rat, I'm like, is it our rat? And then it's not.
Joff
And I'm like, yeah, did one of our samples get out?
Corey
Damn it. Yeah, I mean, I'm kind of.
Joff
Oh, swear jar. I'm sorry.
Corey
This is a new rat called, called Delachi Rat. I guess is how I'm reading that. But I will say it's. It's worth a read. These rat write ups are always worth a read. I personally like Quick Assist. As a rat. I think it works pretty nice. But yeah, I mean, this is, this is cool. It has a. It's kind of this, it's kind of got infostealer vibes. It does, yeah.
Alex
It's looking for crypto wallets. And it obviously steals, you know, the great old grand Google Chrome state file, you know, classic logs.
Joff
We've never written anything like that, have we?
Corey
No.
Alex
Going after the goal. I mean, stealer pretty much sums it up.
Corey
I'm not gonna lie. Reading it, I think reading this, it just makes me feel kind of like reassured that like some things just haven't changed. Like it's basically read the same as it would have 10 years ago in my book. It's like it uses command and control over TCP port 53. Oh, who would have thought of that? I don't know. It's cool. It's a cool write up. Still read it. But like, it might make you feel good that you probably know what a rat does because it just does what every other RAT does.
Joff
Yeah, but I thought TCP Port 53, that was really leet though.
Corey
I mean, it was leet in like 2011. If you were doing that in 2011, no one was thinking about it. People were like, wait, DNS can be over TCP. But now it's like that. I think it's literally the default in Brute Ratel. Any other final articles? Did we ever get the article about. From. From Nerf? Did we ever get the follow up?
Joff
I think we. I think we did, but, you know, I mean, there's an element of phishing there. I don't think anybody wanted to click on it.
Corey
There's an element of phishing.
Nerf
It was a BleepingComputer article is what it looked like.
Corey
Oh, there was one about film by them.
Ralph
TrustedSec merging. Trimark merging with TrustedSec.
Corey
Wait. Oh, I mean, I saw that one. I think that's awesome.
Alex
It's close to home.
Corey
I'm a big fan of Sean and I emceed his talk at Wild West Hackin' Fest and it was really. I was like, wow, this is someone who's so knowledgeable about this cloud stuff. And Trimark provides, like, a lot of defensive products and services, so it makes perfect sense to me. It's pretty cool.
Joff
I feel the need to Google right now. Wow.
Corey
Yeah, I mean, it's, you know, it's not. It's a. You have two small private companies being acquired. It's not like the $32 billion deal scenario, but.
Alex
Oh, gosh, I think it's pretty cool.
Corey
I feel like it's one of those, at least from my perspective, hopefully beneficial for everyone involved.
Joff
Man, you just. You just, like, spoil my whole thing. Corey. I was going to call Dave up and say, buy me a beer, man.
Corey
You should call Dave up and ask him to buy you a beer. And he would buy you a V8 instead. That.
Joff
Yeah, he probably would. A V8. That's right.
Corey
He'd know that you were John Strand.
Joff
And asked me to go do another, you know, like I did today. 48, you know, reps of deadlifts, you know.
Alex
Yeah.
Joff
You see how I wrapped in a.
Corey
Little brag in there?
Joff
I mean, that was.
Corey
It's like beer that doesn't have any protein. Yeah, that's cool, though. I mean, I'm. I'm here for it. I feel like the industry right now, there's a lot of uncertainty, so that's kind of a big. I'm glad. Maybe it's just me, but I feel like in a year we might be talking about a lot of security companies closing, and this is the opposite of that. This is a new thing being created. And that's awesome.
Joff
Yeah, it is awesome. I really hope there's more creation and I hope that that does not happen.
Corey
Me too. Me too. All right.
Alex
And on that high note.
Corey
On that high note, see you all next week.
Joff
Radis has it correct. Dave, if you're listening, I'm going to call you and offer to buy you a beer, my friend. All right?
Alex
Right.
Joff
Let's close on that.
Corey
Bye. Bye.
Alex
Bye, guys.
Podcast Summary: "Trading in Jock Straps for Jock Hacks – 2025-03-24"
The episode kicks off with a discussion about Apple's latest hardware release, the Mac Studio, notable for its exorbitant price tags when configured with high memory.
A significant portion of the discussion centers on a recent supply chain attack targeting GitHub repositories, specifically the tj-actions/changed-files repository.
The hosts delve into the acquisition of Wiz, an Israeli cloud security company, by Google for a hefty $32 billion.
The episode examines unconfirmed reports of a breach in Oracle Cloud, where purportedly 6 million accounts or records were compromised.
A critical vulnerability in Next.js's middleware handling was uncovered, allowing for authentication bypass through header manipulation.
Key Points:
X-Middleware-Sub-Request header leading to infinite middleware loops.
Cloudflare introduced an AI-driven approach to deter AI-based content scrapers by generating misleading or low-quality content.
The podcast covers the case of a former Michigan quarterback coach facing federal charges for unauthorized access to student athlete databases.
A surprising turn of events reveals that 23andMe is filing for bankruptcy, primarily due to oversaturation in selling DNA data.
Amazon announced policy changes affecting the privacy features of their Echo devices, moving towards mandatory data sharing.
The episode highlights the efforts of scam busters like Kitboga, Jim Browning, and Pleasant Green in combating online scams through content creation.
A new Remote Access Trojan (RAT) named Delachi has emerged, featuring traditional attack vectors with some modern twists.
The podcast briefly touches on the merger between Trimark and TrustedSec, signaling consolidation in the cybersecurity sector.
The episode wraps up with reflections on the discussed topics, emphasizing the evolving landscape of cybersecurity, privacy concerns, and the continuous arms race between defenders and attackers.
"Trading in Jock Straps for Jock Hacks" provided a comprehensive overview of current infosec news, blending technical discussions with light-hearted banter. From high-cost tech releases to intricate supply chain attacks, and from AI-driven defensive measures to real-world hacking incidents, the episode offered valuable insights for cybersecurity professionals and enthusiasts alike.
Recommendation: For those keen on understanding the latest cybersecurity trends and enjoying a mix of humor with technical analysis, this episode is a must-listen.