John Strand
Of the closet.
Ralph
Yeah.
Wade Wells
John's BGP goes. Goes wild.
Ralph
Yeah. Yeah.
John Strand
So.
Kent Ickler
I'm gonna.
John Strand
Witness Relocation Program. Ryan.
Corey Ham
Well, you joined a public podcast with your full name and your location, so you maybe shouldn't have done that.
John Strand
My location is a closet, Corey.
Wade Wells
Yeah, I know the sun is.
Corey Ham
No, we know you're in the Northern hemisphere based on the fact that it's day outside. We know you're in whatever. Whatever half of the planet we're in.
John Strand
I'm just wondering, why does all this say Dick Cheney on it? I don't know. This hasn't been used in a long time. It's very dusty here. Very dusty.
Corey Ham
You're not in. Are you in Camp David or what is the, like, secret place they go?
John Strand
An undisclosed location. Oh, which is a closet.
Kent Ickler
Yeah.
Ralph
With a rug.
Mary Ellen
An undisclosed closet.
Ralph
I don't know many closets that have windows. That's something right there.
Corey Ham
Yeah. Is that. Is that a Samsung Frame TV?
John Strand
It's a pretty bougie closet, if I do say so myself. It's one of the bougie closets that has a window, but it doesn't open, so it cannot be counted as a bedroom.
Ralph
Oh, that's perfect.
Corey Ham
But it does.
Ralph
I would count it as a liability if you're looking for, like, safety. Right?
John Strand
Yeah. But safety is not my concern. Not. Not whenever I come onto the webcast. I just. I just. I try to come from the most random places I possibly can. Like, you know, a deck in the middle of Germany while it's raining. Another closet someplace else. Poland. Just gotta. You gotta. Yeah, Gotta keep everyone guessing.
Ralph
So whoever's closet this is, they are organized. They have the exact same hangers. Right. Which is weird. Most people typically end up with, like, a lot of, you know.
Corey Ham
And look what they did with wood hangers. You don't have wood hangers. It could be bougier. Get some cedar hangers.
John Strand
It could be.
Wade Wells
My wife has all the same hangers. I get. I get the spares.
Ralph
You get the spares? Like the ones from the store?
Corey Ham
3 ones from the dry cleaning.
John Strand
Yeah.
Wade Wells
You name it. Like, when you buy it, I'm like, yeah, I got a hanger with this one. I don't have to go out and buy hangers.
Corey Ham
They try to take it away. You're like, no, give that back.
Ralph
How will I know it's your large?
John Strand
I wonder if this can even do backgrounds with this. Let's see if they can do different backgrounds.
Wade Wells
Whoa, that's pretty good.
John Strand
That one's kind of weird. I don't know.
Corey Ham
I feel like the closet is a background. Now we just assume the closet is a fake background.
John Strand
Could be. Could be. How do I do this? I think I choose my background.
Ralph
Is that an old printer in the closet?
Corey Ham
No, that's a. That's definitely some kind of a kitchen contraption. Oh, now you're at Apple HQ now.
Ralph
Yeah.
Corey Ham
I didn't know we were the kind of company where the CEO could afford a floating spiral staircase.
John Strand
One of those places. Corey, I bring you love.
Corey Ham
Somehow this imagery goes with the closet imagery.
Ralph
Yeah, they connect. I'm not sure how.
John Strand
They just do. No, I don't know how to make it. There we go. I actually prefer the closet. I. I think that we spend too much time trying to make our backgrounds look too. Too awesome in this industry sometimes. That's a fun pull quote.
Corey Ham
I prefer the closet.
Wade Wells
If you were to see, you'd think it's a mess.
John Strand
Yeah.
Corey Ham
All right, John, I hope you're ready to just drop some hot nation state. Goss.
Ralph
So, nation state.
John Strand
Which one are we. Which one are we talking about? Are these in the notable stories?
Corey Ham
Are you going to. Well, I mean, are you going to unleash some new intel that we don't know about? Because there's only one I can think of.
John Strand
No one's told me, Jack. The one.
Ralph
That.
John Strand
Stuff in the BGP stuff during the Venezuelan attack. And then also. I don't know what. We could talk about this more. Let's wait until we get to the show.
Corey Ham
Yeah.
Wade Wells
Yeah.
Corey Ham
I was gonna say you're.
Mary Ellen
You're.
Corey Ham
You're. Yeah, exactly. Get ready. Get ready for it.
John Strand
So I'm frozen. Uh oh, I'm stuck on the screen.
Corey Ham
Share won't let me click off.
John Strand
Okay, it's not me this time.
Corey Ham
You're going to want to do is take your computer, shut it down and then don't turn it back on ever.
Ralph
Hard reboot with no hard reboot, start over again. You'll need a new computer after this.
Corey Ham
What you're going to want to do is download your swap file from Google Drive because it got cleared locally.
Ralph
Luckily I got the Mac with 128 gigs of RAM, so I'll never run out.
Corey Ham
I do feel like when I look and I see a system is swapping, I'm like, oh, you're cheating on me. Don't do that. Don't swap. It's 2025. No swapping.
Ralph
Yeah. The worst part is when you actually look at what's using all your RAM, it's just Chrome.
Wade Wells
Every time.
Ralph
Every time it's like, this is what I got the RAM for, just so I could fill up more tabs. Thank you.
Wade Wells
I got all this RAM so I could watch YouTube and play video games the same time. And YouTube's the harder one to run.
Corey Ham
Like, yeah, yeah. Throwback to linux8myram.com. Those who know, know.
Ralph
We do have a Chrome story. Speaking of that.
Corey Ham
We do.
John Strand
Because we only have one. Yes, we do.
Corey Ham
So before we start, I do have a fun little tidbit that my friend shared. One of my friends works for an apparel company, and he shared with me that the outfit that a certain individual got kidnapped in is currently trending.
Ralph
Yeah. Buy the same outfit. And they were, like, sold out.
Corey Ham
Sold out everywhere. I love it so much that the US population.
John Strand
My favorite quote was, I didn't know Dr. Disrespect was the president of Venezuela.
Ralph
Here's. Here's my real question. Do you think they, like, had someone pick out this outfit in advance for this photo shoot? Like, honestly, he looks sick.
Corey Ham
He looks awesome and comfortable. I'm kind of jealous. I mean, not his current predicament, but of his outfit. John, do you have a sweatsuit? Like, what's gonna happen if you get kidnapped? You got to get a sweat.
Kent Ickler
I don't know.
John Strand
I'll just have to look around in the closet and see what I have here.
Corey Ham
I don't see a single sweatsuit hanging in this closet.
Kent Ickler
He's got hats.
Wade Wells
He's got multiple hats.
John Strand
Oh, here we go. Here we go. This is a nice big parka.
Ralph
There you go with a hoodie.
Corey Ham
That's not good. That's like a. Not. That's like, for. That's for you doing the kidnapping.
John Strand
I'm just gonna say this. This jacket, I think it's Patagonia or something. If you have to get renditioned, get renditioned in this.
Corey Ham
Is that the one where you fight the bear? And then it.
Wade Wells
It is.
John Strand
And it feels like you're getting kidnapped or wearing a sleeping bag, which, if you're going to get kidnapped, it's the way to go. Right.
Corey Ham
I mean, I know. That's what I'm saying. That's why I need the sweatsuit.
Ralph
Kidnapped.
John Strand
And that's my. What is your personal choice? Be rendition.
Corey Ham
I'm just going to say, if you're in the audience, send your recommendation for a good outfit to get kidnapped.
Ralph
Kidnapped in. Yes.
Corey Ham
Yeah, like, that can be. Like, that can be the banter. Yeah. Send. Send. Send me links for what I should wear when I get kidnapped.
Ralph
Oh, God.
Kent Ickler
I don't.
John Strand
Knowing is what. Kidnapping is what poor people do when the US Extradition.
Ralph
Extradition, yeah.
Corey Ham
Send me a good outfit for kidnapping, and then maybe as a bonus, send me a good outfit for extradition, because that's an international kidnapping. Right?
Kent Ickler
TSA might step in and say that you need to step up your style to be kidnapped, though.
John Strand
Yeah, I know, I know.
Corey Ham
They're like, take off the jacket. You're like, I can't. It's too stylish.
Ralph
I'm telling you, for kidnapping. They brought a lot of people that would. They were serious about that. So, I mean, that. Think of it as like a praise, right?
John Strand
You know, you're in trouble whenever you're getting like. Like, kidnapped. And the. The Delta Force guys are like, this is a little bit. This isn't quite skibidi toilet and needs a little bit more riz for a little bit better drip and.
Corey Ham
No, he had the drip. That conversation never happened because he had.
John Strand
The skibidi toilet one.
Corey Ham
It did.
John Strand
Yeah, it did. We just had it. And now you all get.
Corey Ham
Someone posted a meme of him DJing. Oh, my goodness. What is that? A neck pillow? Like, what is that? I don't know. Anyway, he looks comfy.
John Strand
He looks comfy.
Corey Ham
All right, let's. Let's roll the. Let's roll the beautiful broken finger. The finger.
John Strand
I am not seeing any comments. Oh, there it is. Oh, I just had to click it. Oh, my restream. Very laggy. Hold on.
Corey Ham
It's not doing anything.
Wade Wells
Someone check our BGP.
John Strand
Come on, buddy. They found me.
Corey Ham
Someone said, wear underwear so you don't get shot. I don't think that's how that works.
John Strand
I don't think that's. Yeah, that's. That's crazy. People talk. Foreign.
Corey Ham
5th, 2026. New year, new show. We've got me, Corey Ham. We've got John Strand, currently in witness protection program. We have Wade Wells. We have Bronwyn. We have Mary Ellen. We have Ralph, who's tagged himself as Florida Man. We have Kent Ickler. And we have Ryan, of course, making us sound good and look good, although he's really sucking at the second part of that. But whatever.
John Strand
It's not me.
Ralph
The.
Kent Ickler
I click the buttons. Nothing's happening.
Ralph
It did the thing.
Corey Ham
All right, did you click the button for make us look good? Because that's a pretty fancy.
John Strand
Did you just say, if you want to fight, fight me?
Wade Wells
What?
Corey Ham
Yeah. Bas.
John Strand
He's got a mad leg going on. Between his audio and his video, he looks like a kung fu. Oh, I do, too. Poorly dubbed Yeah, I don't.
Corey Ham
I don't see it. I think it's you, John. All right, let's talk about Venezuela. I mean, that's really what's happening. The big story is. I mean, from a cyber perspective, the story is that the US took out power before invading. I don't know. I guess it's not clear whether it was a cyber operation. A lot of news agencies reported it, that it was a cyber operation, but Trump just said, basically, that's one of our specialties. We can do this if we want, I suppose. Okay.
John Strand
Anybody that's debating that, though, can you honestly see an operation like this going off and they didn't use cyber? Like, they're like, oh, we're bringing in the planes. Yes, the planes. And the boats. All the boats. What about cyber?
Corey Ham
They're at home.
John Strand
Guys that keep telling me to turn it off and on again.
Corey Ham
No, no, okay, that's fair. That's a good point. That's a good point.
John Strand
No, I.
Corey Ham
So they took out the power. I mean, that's kind of like. That's. The assumption is that this. The power was taken. Taken out by the cyber. There's also some posts about them taking out the Internet. Basically. Graham, kind of friend of the audience or friend of the show, has posted a blog that identifies some BGP anomalies that were picked up during the operation.
John Strand
Which I think totally makes sense.
Corey Ham
Right?
John Strand
I mean, but the hard thing for me is I'm trying to figure out if they cut the power because they wanted to, like, cut the power because of the. Of the rendition operation, or if they cut the power because they knew that the explosions would just pop and kick that much more. Assigned. This whole entire thing has just been like, a lot of photo ops. So many photo ops, you guys.
Ralph
But what deals do you think are in the works right now? Right? I mean, if it was Team Six, it would be at least five book deals. But since it was Delta, maybe one. Right.
John Strand
It was seal, it would be like, six book deals per person. That was on that.
Corey Ham
I think David Goggins is running to Venezuela as we speak right now.
John Strand
As we speak.
Corey Ham
He's on his way.
John Strand
I still wonder, like. Like, knowing the Delta guys, like. Like, you'll be lucky if you get one book deal. More than likely, there'll be, like, a couple of beers, and then, you know, like, the guy that the two guys that did it will have to run hills all day because they like that kind of thing. Tearing into this a little bit, though, I. From the cyber perspective, I think the CIA was involved too. There were some articles, of course they were. Right.
Ralph
I mean, everybody there for like months on end. What do you think the intel came from, like, imag people.
John Strand
So, and it's like, I, I was laughing at this because someone was like, yeah, the CIA was tracking Maduro. I'm like, didn't they abduct him from his house? Like, not on a limb. Like, do we need the CIA to find a guy at his house? So, no, I, I, I would be, I, I would, I would love to see the level of cyber operations that went off in this particular thing because it looks like they went off very, very cleanly. You know, the CIA tracking them. I'm sure there's more to it than that. Whenever you do an operation like this, you want to make sure that the target is there. You also want to make sure that the amount of collateral damage is as minimized as possible. And usually that's done with tracking of cell phone networks. With the way cell phone networks exist, naturally there's going to be a certain amount of tracking which devices are in which geographic location. You could do that relatively easily. But actually getting down to the individuals that are there is where you have to get inside of some cell networks at some point. So if we're looking at this, you would need a couple of experts, at least on cell technology, LTE, 5G. You would need to have some standard network exploitation expertise gaining access to the back end of the cell phone network to make sure that you have the right targets in play. Because once again, you don't want to go into Maduro's house and he's leveling like a Christmas New Year's party for his granddaughter. And there's like 95 kids at the house. So they do a lot to make sure that they try to reduce the amount of collateral damage associated with it. And then the power stuff, like. Yeah, I mean, you want to make sure that those, you want to make sure that those lights are off photo ops, but also that you're doing an op at night and you want to make sure that, that you're not going to get stuff shot down. Somebody's pointing out a red. It's not a red hat. It's even cooler than that. 
This is a Wyoming game and fish app, so not, not, not a red hat.
Corey Ham
Yeah, just for context, John was speculating about all that stuff. There's not any sources to confirm that. No one's talked to me.
John Strand
I'm just.
Corey Ham
No one's talking to John. And there's.
Wade Wells
Yeah, well, basically speculates Right. That. That BGP article that Graham came up with, the IP addresses were associated with some of the leading communications networks within that country, which I thought was of course pretty crazy. That like, we've seen this tactic before from the Russians. Right. For me, I was like, okay, this is like general stuff, but I was also thinking like, as a blue teamer, like seeing BGP be rerouted. Right. With ASNs and everything, I'm like, this seems like, like it's, it's high level stuff to be able to pull it off. But like, I want to see some cool stuff. I want to see some like zero days, right? Like, if Graham can figure it out on the Internet, was it that good of a hack?
Corey Ham
I mean, dude.
John Strand
Okay, I want to point out if the BGP prefix attack was used, which. I'll go through how that works here in a sec. Makes me feel good because I feel old. And the fact that this is an attack that was. That was released at Black Hat, I want to say 2008, I think it was the same year that Dan Kaminsky talked about the DNS, that it's still relevant today. It's like, I still have a purpose in life, which is good.
Corey Ham
Yeah. What's old is new again. If it works, it works. It doesn't have to be a zero day.
John Strand
How BGP works, it's not a hack. Right. So for those of you that don't know, this gets a little bit crazy. But we call these forever days the vulnerabilities that exist in the core infrastructure of how the Internet actually works and they don't get fixed. So the way BGP works is you broadcast via ASN, like, what are the IP addresses that you are responsible for? And then all of the routers around the world, through freaking magic, trust me, it's magic, will actually send those packets to you, which is pretty flipping cool. But what do you get into a situation where there's contention for IP addresses? If you have overlap in IP address responsibility with BGP, the ASN that is more specific wins. So if you have one ASN that has 500 and you have another ASN that has like two, the one that has two is going to win. And the thought process behind that was that whoever is responsible for the fewer IP addresses will probably be less likely to make a mistake. There's. But if you want to look at the Wikipedia article on this, there's a bunch of them where there's been mistakes. I think it was Pakistan. Pakistan wanted to black hole YouTube and they broadcast out an ASN that was basically a black hole YouTube in Pakistan. But the problem was they broadcasted it to the entire world because it was more specific. It took YouTube offline and this was done a number of years ago. So that's how this attack works. You can reroute all the traffic that you want as long as you do a very specific route to do so. Now Wade, I want to ask you as a blue teamer, how the hell would you detect that without going to a third party service?
Wade Wells
I don't even know. Like I, I was trying to think about this. My first thought is like you have a third party service looking for it, right? The other way I guess is you could possibly be trying to advertise like individual, like the smallest network possible, which I know that that's less of detecting and more preventing. But you could also try to monitor if something is advertising in your IP space. I believe that would be possible but I'm not that big of a networking guy to tell you the truth. At least.
Corey Ham
I mean there are fixes for this like the RPKI or whatever. Yeah, just don't be vulnerable to this attack is the long and short of it.
Kent Ickler
And there's a piece of infrastructure in here too, right. Where it's like I at home can't just be releasing out a bunch of BGP records out in the world. There's another component that this is like Internet providers working with switching technology and routing technology. Or is it like I can do this at home and send.
Corey Ham
How many IPs do you have?
John Strand
You can't do this at home. But how many companies are ISPs that broadcast and have the ability to broadcast? I think it's over 12 or 13,000. I might be wrong, it might be like 26. I'm getting my numbers kind of screwed up. But let's go with it's a lot. And this gets into the security associated with it. It's like they all have to be on board. You can do things I think Wade, just kind of working it through hit the best thing that you can do is you can monitor any of the BGP routing changes that impact your specific IP address range and do that. But no one does that like you know, other than very, very large organizations that are buying highly specialized services to do it. Not that it's hard to do as well, but it's very, very.
Corey Ham
Yeah, most I link to site is bgpsafet.com which is a site run by Cloudflare. And most of the major ISPs cover it, you know, like in the US at least, obviously. What was the value or whatever.
Ralph
Did the Internet just go off for like kind of a little bit? Like, you know.
Corey Ham
Yeah, there's a lot of speculation. It definitely wasn't like significantly down for a long period of time. It was like a blip, if anything.
John Strand
And that's what I'm trying to figure out about this entire story is the why, like, if you're, if you're the CIA, if you're the NSA, if you're Air Force Cyber Command out of San Antonio. Right. If you're doing this, more than likely you're not going to be doing messy kind of BGP attack. You're usually going to be using some type of exploit or existing infrastructure hack. I'm willing to bet that they were already in the systems.
Corey Ham
Oh, they cut the power, dude. There's no Internet with no power.
John Strand
Yeah. GP to do that. So I'm trying to. I've been trying to figure out.
Corey Ham
I.
John Strand
Part of me, I kind of feel this is like a spurious thing that happened. So I'm not 100 certain on that, but I'm just trying to figure out what the hell they would have needed with BGP routes.
Corey Ham
I mean. Yeah, I agree.
Wade Wells
Graham actually is in the chat and commented the in use did. Didn't do RPKI filtering.
Corey Ham
Yeah, yeah. ISP or whatever. Yeah, I mean, we don't know. We're. Again, we're speculating. We do know they cut the power though, which if there's no power, there's probably no Internet. So. Yeah, it doesn't really matter.
John Strand
Yeah.
Corey Ham
But yeah, anyway, I guess any other hot takes on this before we move on the other funny one that I kind of. We've called it out on the show before, but it is funny and true is the pizza, you know, pizza alerts or whatever.
John Strand
Like people.
Corey Ham
The Twitter account that's tracking pizza places near the Pentagon being like, there's a pizza place near the Pentagon. It's 2am and it says it's very busy. And you know, I want. I wonder if anything will happen. And then next morning it's like, we got him. Or, you know, whatever.
John Strand
One of the things about that is having talked to people on the inside of like the Pentagon and all those different places, they hate that. Like, they absolutely hate that people are online being like, oh my God, there's a lot of. So they have a whole bunch of food inside of the Pentagon. So whatever happened overloaded the amount of. The amount of food that could be handled to the inside of it because they seriously upscaled the amount of vendors and how much the vendors could handle. So this very thing wouldn't happen. But it still happened, which I think is.
Corey Ham
Well, I mean, I will say if you look at the Twitter, it's like I forget the exact name of the Twitter, but if you. Or X or whatever, I don't know what it's called.
Ralph
Don't, Don't Twitter.
Corey Ham
Anyway, if you look at it forever. If you look at the Pentagon Pizza report, Twitter, they have a lot of false positive hits. Like they're, they're, they're saying, according to them, the US is invading someone like once every month.
Ralph
So.
Corey Ham
Yeah, every time the data is not that reliable. And I will say, like, it's a great example of like, it is funny, it's not that relevant. Like, there's so many better indicators if you're a real intelligence agency than looking at Google Maps and saying that it's very busy.
Ralph
What about the prediction?
John Strand
What's that?
Ralph
No, there's a prediction market bet, right? Yes. And I think it was crypto, if I'm not mistaken. So anyways, it's just a prediction market where you can just predict on anything. Like, I think this is going to happen and I'm willing to bet this much money anyway. Somebody put like it was like 30 grand down and made a lot of money. They like a day before they said that he was going to get captured.
John Strand
You just know that Pete Hegseth is just there like, sucker.
Ralph
Yes.
John Strand
But this is, this gets into some trade crap that I think is interesting. Right. Like put, put pizza aside. We knew something was going to happen. Right. If you're trying to predict something's up, how about having a bunch of ships in the Caribbean?
Corey Ham
Yeah, right. It was kind of obvious.
Ralph
Yeah.
John Strand
But there was a lot of pundits going into this that were like, something's going to happen, but we don't have enough force down there to actually take and hold land. Like, we just didn't. Right. So it couldn't have been that type of operation. And even a sustained air campaign, they didn't think that there was enough, there was enough in that area to be able to do a sustained air campaign. So there's a lot of speculation about taking out oil wells and oil refineries. And, and it was very interesting to me that other than that one person in the, in the betting market, like, no one had like clandestine kidnap the president of Venezuela in the middle of the night on their bingo card and.
Corey Ham
Then charge him in a U.S. court, New York, U.S. yeah. In a New York U.S. court. That is the same court that Trump was indicted in. But anyway, yeah, I don't know, it's a weird, it's a weird vibe.
Kent Ickler
So I have a question though. So if, if you assume that this was not like a kinetic attack regarding the power. If we do self reflection on that and look at, okay, we probably have an adversary with parity skill, parity, maybe. Maybe we're a little bit more advanced, maybe we're not. What does that mean for like our infrastructure here and what are we doing to prepare for the same type of thing happening here by Navis Ray? Is that even.
John Strand
Is like. Excellent question, Kent. That's a good question. Good. Next story.
Corey Ham
Yeah, yeah, I stopped. Okay, so I do think it's probably worth, I mean, I don't know. Right. Like, I agree that there's probably an adversary with equal capability to the US out there. What I don't know is how the US grid security compares to Venezuela grid security. That I don't know. I would assume at the very least the US grid is significantly bigger and more complicated and difficult to fully take down on that level.
John Strand
Okay.
Corey Ham
But that being said, Corey, there's another.
John Strand
Thing to take up on that, right? The US IP ranges are constantly being attacked way more than a lot of the, like. If you're looking at like vulnerable, like you know, just vulnerable systems in Shodan, you start looking around. In China, you look at Russia, well, kind of Russia a few years ago. But if you look at a lot of other countries, there's a lot more tragically insecure SCADA ICS systems exposed to the Internet than the United States. So I think that you're right, especially whenever you're looking at legislative capture and how every single power grid in almost every single state is its own little fiefdom and it has its own laws and everything and its own shins. And that makes a lot of insecurities. But the fact that they're constantly being attacked is something I think that gives us a little bit, a little bit of an edge, if anything.
Corey Ham
Yeah, I mean, I think for sure that the U.S. power grid needs to be secured further. I think most people would agree with that, even in the industry, like even within the US power grid providers. But I definitely think that, you know, national power outage and I guess it was just the city, right? Like I will say Washington D.C. probably has done a lot of grid exercises, I would assume, with their power grid. Not, not, I will say Trump, who knows where he is, is he golfing in Florida? Is he, you know, is he just randomly visiting someone somewhere else. Like, you know, he's a moving target for sure. But like, if you're attacking the US capital city, I'm guessing the grid is a little bit more hardened. But honestly, who knows, right? We'll see. I guess. Hopefully never. But yeah, that's like a good. I, I would say for sure. Worth thinking about this as a model. And I know that we have a couple clients who are power grid providers and they are very aware of this as a threat model. This is like their absolute worst case scenario is like grid outages. And they do like a lot of exercises. There are, there's a lot, there's a lot of like requirements like NERC CIP and things like that for what generation and transmission infrastructure have to do, security wise. But there's also like, they do, I think it's called GridEx I want to call it, but they do like the national NERC, the National Energy Reliability Commission or whatever, they have like exercises every year where they do like a grid security thing.
Wade Wells
I'll post it in disc in the Idaho labs. They do it. They usually let a bunch of people that work in at least some type of power sector, I think, I believe it's free for them. You just have to fly out there and go do it.
Corey Ham
Yeah.
John Strand
Pretty cool. Interesting. Is critical communications infrastructure, like getting away from power. I don't know exactly how long cell towers and like cell stations stay up with their generators and their backups. But I do know like if you're looking all the way back in Hurricane Katrina, there were people that were making cell phone calls like while everything was down in New Orleans. And that was just because of the robustness of the cell infrastructure. So there's a lot of industries that I think have been doing a really, really, really good job to try to secure this as much as possible. But. But one of the problems that we have is it isn't just an issue of, you know, on average, is the United States power infrastructure secure or not? That's not the question you should be asking. What you should be asking is how like all it takes is one small part of that infrastructure to go down and it can have massive repercussions across multiple different power grids. If you're looking at Texas, Texas is kind of isolated in its own right. They do their own thing. But a lot of the power grid in the United States is actually very heavily interconnected and you can have an outage in one small power station in like, let's say this happened two months ago in Montana. Montana in Wyoming. And it actually brought down our main office all the way in Sturgis, South Dakota, bunch of infrastructure up in Montana and a little bit into North Dakota. And these were all separate power companies. But because one small impact hit one place, there wasn't enough power for the rest of the lines and they were all sharing. So it's very, very archaic and it's one of those things that yes, there's been a tremendous amount of work that's gone into it, but seriously, one small outage in one small part of the country can actually have catastrophic effects for an extended period of time.
Mary Ellen
Well, that cascade effect too, John. That cascade effect isn't new either because in 1994 when the Northridge earthquake hit, our little earthquake, haha, took out the entire west coast as far as power was concerned. And I'm hoping that the grid stability has improved since then. But again, that cascade effect, in terms of the dominoes toppling is nothing new. And I hate to say it, but any type of adversarial planning would probably want to incorporate that into what their attack plans would be.
John Strand
And kind of answering your question about how things have improved, if you, you know, you've heard me use this phrase, legislative capture, and basically what that boils down to is how power companies make money. You would think power companies make money by producing power and selling it. Kind of not true if you're looking at the way a lot of public utility commissions run or basically kind of govern power companies. Because in many parts of the country a power company is a monopoly for literally everyone that's under it. There are very strict regulations on the certain types of activities that they can do and what their profit margins can be based on those activities. So in certain parts of the country you get really heavy incentives for smart grid and smart home technology to do regulation of power. And that's because those public utility commissions in those states have incentivized those power companies to be able to make money off of doing that. Then you have other states where they don't have an incentive. They can't make money off of those types of activities, but they can make money on long line power transmission line creation, and they'll literally build power lines that go nowhere because they can take the cost of that plus a percentage which is what their profit is. So if you want to read into this, it's absolutely horrifying whenever you're looking at how the power grid is set up in the United States. And security often is not one of those things that power companies are allowed to, quote unquote, make good percentages of money or profit on. And because of that, they put as minimum amount of money into trying to secure their power grid technologies because there's literally no profit incentives for them to do so. So look it up. It's called legislative capture and power companies. Whole bunch of articles, poli sci stuff on it for years. 
But it applies here because we don't have a unified national strategy for securing power in the United States because it's ran many times at the state level or multi state level. And it's, it's, it's an absolute train wreck.
Corey Ham
All right, let's, let's move on. Let's talk about how else you might be able to take down the Internet, which is dragging an anchor on the sea floor.
Ralph
Oh, that always works.
Corey Ham
Go Finland. So, yeah, this is an article. Basically, Finland seized a ship which is suspected of damaging subsea cables in the Baltic Sea. I don't think, I don't necessarily think we've attributed this to a specific nation state, but I think it's pretty obvious who it might be.
John Strand
Teenagers implied.
Corey Ham
Russia. Yeah. The assumption is that it's part of Russia's shadow fleet, which is just, you know, kind of like sanction. It does sound pretty badass. But it's. Sadly, all they're doing is just not knowing how to use an anchor and just dragging on the ocean floor to try to take out cables. But yeah, NATO has increased patrols of the Baltic Sea. I guess I'm like, what would this actually take out? I'm assuming this would be like, pretty bad. I know there is. I know there's some. I know there's some like redundancy and undersea cables, but not like to. Maybe to certain locations like Finland. I. Is there only one? I don't know. Let's look at a map. There is that one map.
John Strand
Yeah. I don't know. I just know that there's not nearly as much redundancy as you'd like or think there is. So I don't know if you can line up.
Corey Ham
I'm looking at. This is actually really interesting. There are a lot of ones that connect Finland. The one that was specifically under attack in this case was called Elisa, which. Let's see if I can find it on this map. Here's the. I'll link the map in the Discord. It's just submarinecablemap.com.
Wade Wells
That's a really cool map.
Corey Ham
It's a really cool map. And yeah, I don't know if, if the. I mean, looking at Finland on the Map. There's a crapload of cables going to Finland, so I guess they probably wouldn't be totally screwed, but obviously it would potentially cost millions or billions of dollars to fix and take a long time, but. Yeah, that's an interesting. I guess. I don't know. I also don't know, like, is this a legitimate way to take cables down? Or is this. Or take Internet down? Or are they. Is this just Russia being stupid? Like, is this a little bit of a legitimate tactic?
John Strand
Right.
Wade Wells
Yeah. Yeah. They can claim it's just a mistake, right?
John Strand
Yeah. When really it's my first day on the job.
Corey Ham
Yeah.
Mary Ellen
Literally. That's basically was one of their.
Wade Wells
What's your title? Oh, Shadow Fleet.
Corey Ham
Ghost Shadow Fleet Captain.
John Strand
Yeah.
Corey Ham
Captain of the Shadow Fleet.
Mary Ellen
I mean, we had an intern at the helm.
Corey Ham
It was AI. It was AI. It was autopilot. All right, what else we got? Anyone else have anything on their high on their radar? The. As an update article, we have the two individuals that were in the US that were doing BlackCat ransomware attacks. They have pled. Both of them pled guilty, so they took the plea deal. They were charged in November. Now they've pleaded guilty to conspiracy to obstruct commerce by extortion, which is a fun charge. I hope they had really nice outfits for their trials, preferably sweatsuits and headphones. But, yeah, they're facing up to 20 years in prison, so we'll see how that goes. I'm assuming the plea deal. Pleading guilty will probably, you know, lower that a little bit and. Yeah, I guess we'll see.
Wade Wells
But MongoBleed came out after we did the last one. Right? Like, that came out over.
John Strand
I think it did.
Ralph
Yeah.
Wade Wells
I know that I had to triage this anyway. Pretty much just a vulnerability in MongoDB which allowed if the database was remote, connectable. Right. I believe it allowed a remote access to it, or at least to be able to read memory. From what I recall, it got a pretty decent high score, an 8.7 on the CVSS. What I found funny with it is that Rainbow Six Siege got hit by it. If you guys saw that, or at least that was the rumor that they got hit and pretty much they were going. Or someone was going around and giving free creds to everybody, like millions of dollars worth of.
Corey Ham
That's fun. I mean, video game security, especially for older games. Like, hasn't Rainbow Six been out for, like, forever?
John Strand
Yeah, 97, 98.
Wade Wells
This new one hasn't been out that long.
Corey Ham
But it's still an old game, though.
John Strand
Yeah.
Corey Ham
Yeah, yeah, so it was, I mean, whoever.
Wade Wells
Because I think the main thing is someone wrote an exploit for it like fairly quickly and whoever did that over a holiday break, like, screw you. Like.
John Strand
I'm also going to say on the flip side, your Mongo database should not be directly exposed.
Mary Ellen
No database should be directly exposed.
Corey Ham
Yes, that's even better. Yes, true.
John Strand
This is. This goes out to the 110,661 people at least their Mongo database instances directly exposed to the Internet. Stop.
Corey Ham
Just. John, that's just one company. That's just one company.
John Strand
One company.
Corey Ham
Yeah, it's just one guy. He really likes MongoDB.
John Strand
It looks also like the versions of the Mongo, like because I don't have the full enterprise license for Shodan, but it looks like, I would say 40%, maybe a little less, maybe 30% are end of life, like they're not receiving any patches at all. I don't know how many of them compromise.
Ralph
I remember the last time I was playing with a MongoDB database too. There's a bunch of services that you can essentially get like MongoDB, right? Like from the cloud, like you can just like get it as a SaaS, right?
Corey Ham
Yeah, yeah.
Ralph
That's also probably where a lot of this may be as well. Right? From like other services that have them out. So you can just like, you know, essentially have your app here and then you pay extra for, you know, database somewhere else. Right.
John Strand
So yeah, yep.
Corey Ham
I would imagine there's a lot of like first tier hosting companies like AWS or Azure and there's a lot like a huge amount of like lower tiers of like Minecraft or other video game hosting providers that probably don't have the same security procedures and things.
John Strand
They probably don't listen to this podcast either.
Corey Ham
No, they're listening to you right now, John, and they feel ashamed. They're sorry.
John Strand
I didn't know somebody that I should have listened to about this.
Kent Ickler
Because they might be in school right now too. They might have class, so.
John Strand
Yeah, they might have class. I don't know. Some of this stuff looks like they just stood it up and like they were playing with Mongo and then forgot about it.
Ralph
Yeah, probably, yes.
Corey Ham
Is that a confession?
John Strand
A little bit. It's a little bit. I'm coming clean so that just say.
Corey Ham
It was a honey pot. You're good.
Wade Wells
Yeah, it's a good transition. This is one of the reasons why I've had organizations that will not let me run honeypots is this exact scenario.
Corey Ham
Of they look bad on the Internet.
Wade Wells
That they look bad on the Internet and someone may claim you got hacked. So if you guys didn't see there was that article, I believe. Who is the company? Corey, like Resecurity or something like that.
Corey Ham
I don't know, I didn't even realize. This is a different article.
Ralph
They hacked into a research company. Full access to Resecurity systems. They wrote in the Telegram chat. So oops.
Corey Ham
We would like to announce we have gained full access. We took everything, all internal chats.
Ralph
But it was all a honey pot.
Corey Ham
I don't know. That looks like a pretty big honey pot. They have a Mattermost server as a honey pot.
John Strand
We would have put a lot of time into creating that honey pot.
Corey Ham
Yeah. Internal chats, names and is this the.
Ralph
New like shaggy defense for hacking? Wasn't me.
Corey Ham
Yeah. I don't know. But I do like it as a general defense. It's a. It's a good, like just claim honey pot. It's like one of the amendments of the.
Ralph
This was our most elaborate honey pot. We actually replicated our entire production.
Corey Ham
Our honeypot. We would consider our entire Active Directory.
Ralph
Because we wanted it to be real.
Corey Ham
Yes. All the real messages, all the credentials are real. We didn't want a fake honeypot. We wanted attackers to believe it was real.
Ralph
Yes, you have to believe it. And that's why we use all real creds.
John Strand
If they were doing this, look what they got. Internal chats and logs, full employee data, names, emails, tokens, threat intel, related reports and scraping of management files. Complete client list with details. All their plans from chats. And like if they put that much work into their honey pot, what the hell are they doing? Like, yeah, it's like.
Corey Ham
Well, they are research companies.
John Strand
We stuff our honey pot with goodies. And it was the holidays, so it was goodies for the hackers.
Kent Ickler
Okay. I do like the idea of like an AI. Like a bunch of AI agents that are just like a business that is like fully functioning, but it's just a honey business.
Corey Ham
Yeah.
Kent Ickler
So yeah, you hack it and you see all this stuff going on. It looks legit, but it's all just, you know, trees burning, generated.
Wade Wells
They asked for something, they was like, yeah, I can build that. Here you go, here's some logs for that chat.
John Strand
How many employees in this great company for AI and security, Kent, Right there.
Corey Ham
Some person just stole that startup and made 100 million.
Ralph
Just imagine that AI bill to just keep the company running.
John Strand
Like, Jesus.
Wade Wells
Well, it's only when they get in, right?
Corey Ham
That's true, Ralph. That's True. No, no, it has to be all the time.
Ralph
No, it has to be all the time. You have any real messages, right?
Corey Ham
Yeah. Also the credentials have to be real.
Wade Wells
I didn't realize this, but there was a whole nother article that also goes on this NordVPN's breach. They also claim it was dummy data which.
Ralph
Oh, I didn't even see that. Was it just dummy data with the CEO social.
Wade Wells
They denied allegations that an internal Salesforce development server was breached, saying that the cyber criminals attained dummy data from a trial account on third party automated testing platforms. Yeah, we'll see those Salesforce apps are being popped left and right. It was probably.
Corey Ham
I will say. Did you see that Wired had a. Also got posted.
Wade Wells
I got that notification.
Corey Ham
Yeah. Wired actually got breached.
Ralph
Oh. They didn't just claim it was.
Corey Ham
It was real. I don't know if it's in the article or if it's. It is.
Wade Wells
It's Condé Nast because they.
Corey Ham
Yeah, I just posted it. It's on BleepingComputer. Basically it's leaked. I have a copy. It's. It's real. It's. I don't know. It's definitely real.
Wade Wells
Go check my password for me real quick. Make sure.
Ralph
Yeah, there's no.
Corey Ham
There's no creds. There's no creds in here.
Ralph
What was it then? Just like your browsing history.
Corey Ham
Like first name, last name, physical address, birthday, phone number. If you subscribed to the print magazine, your. Your address is in there and. Etc.
Ralph
Who subscribes to print anything.
Wade Wells
They gave you free stickers if you signed up. That was. That was the thing.
Corey Ham
Wade's like. Wade's like, don't judge me. It was free stickers.
Ralph
He gave away all of his data for free stickers. I love it.
Corey Ham
I'm gonna find you in here, Ralph.
Mary Ellen
Worse for less.
Ralph
Oh my God.
Corey Ham
That's a bad one.
John Strand
Hack.
Wade Wells
Oh, that one was. That was pretty. I didn't dive deep into it. I just saw the YouTube video of her deleting everything.
John Strand
Yeah, Tinder for Nazis. 100 gigabit data leak and then just nuked the entire site. Just. I didn't know that there was Tinder for Nazis. I. Who knew how.
Corey Ham
Is that on the App Store or is it not?
John Strand
You don't know that's on the App Store, but yeah.
Corey Ham
What is the.
Mary Ellen
Oh my God.
Corey Ham
What was the article for?
John Strand
This.
Corey Ham
Can you.
John Strand
I just shared it in the chat. Just. Right.
Ralph
So to sum it up. What a bad website insert. You can say whatever.
John Strand
They literally hacked the website I think live on YouTube, right?
Ralph
Oh, that's right. Oh, no, I saw it was. Was it a conference?
John Strand
I think.
Wade Wells
Is it a conference? It was at a conference. And then she's. She's just right. I believe the. The actor is on stage wearing like a mask. I believe she goes by Martha or something.
Corey Ham
Martha Root.
Mary Ellen
Oh, my God.
Wade Wells
In classic, as the video goes, like she's running Python scripts and it's like, deleted everything. Deleted everything, Deleted everything. And it's like, nope, everything's down. And one dude owned a couple of the websites, I believe, and just pivoted from there.
John Strand
Now, Root had been working on this for quite a while. Like, it wasn't. I think they just did the final. The final blow live. But it looks like they've been working for a while.
Mary Ellen
Wait, what conference was this?
Corey Ham
No Nazis, please. Yeah. Oh, Chaos.
Wade Wells
The Chaos Computer Club. Is that. It's the one in Germany.
Mary Ellen
Germany. It is.
John Strand
But I don't know. I might. I might have that wrong.
Mary Ellen
Okay.
Wade Wells
The only reason I love how they created the website.
John Strand
OkStupid.lol is where the profiles are hosted.
Corey Ham
Okay. Yeah. OkStupid is potentially one of the best domains I've read in a long time.
John Strand
It's really just. And then the lo. I didn't know that LOL was a top level domain.
Corey Ham
Have we just discovered the world's first victimless crime on the news show?
Mary Ellen
There are so many top level domains I've never heard of anymore.
Ralph
Dot.
Mary Ellen
Lol. Really?
Corey Ham
Yeah.
Ralph
There's so many. Yeah. Whenever you're building like phishing domains, there's like 9,000 top level domains now it's free.
Mary Ellen
Jeez Louise.
John Strand
Yeah.
Corey Ham
And to anyone who had an account on the site, we know it was not a honey pot. Don't try to use that defense.
John Strand
It was not the Chaos Computer Club. Yeah, it was.
Corey Ham
I thought that was in, like, somewhere else in Europe.
Wade Wells
She's also dressed up as a Pink Ranger.
John Strand
She started originally in Germany.
Corey Ham
It was the one in Germany, though. Yeah.
John Strand
Yeah. They actually.
Corey Ham
So this is about as sweet as stunt hacking can get. Literally. Live hacking and deleting a Nazi website. That's pretty good.
John Strand
In an outfit, like in like full. I don't know if it was a furry outfit or what is a Power Ranger.
Wade Wells
She's the Pink Ranger.
Corey Ham
Hell yeah.
John Strand
And substance. I. I just, you know, really well done.
Corey Ham
I know what I'm watching after this.
Wade Wells
It's at the very end, full. It's a good helmet too. That's the thing. Like, it's quality Power Ranger.
Corey Ham
Yeah.
Mary Ellen
Serious cosplay and Hacking skills.
Ralph
Gotta love it.
Corey Ham
So, okay, this is kind of. I guess maybe we should talk about it. I don't know. But the mayoral inauguration event banned Flippers and Raspberry Pis.
John Strand
Yeah. Flipper Zeros and Raspberry Pis.
Ralph
Oh, yeah. Those are very dangerous.
John Strand
I don't know. I'm getting to the point where I'm a little bit. I, I honestly, all joking aside, I am now probably going to be checking my Flipper Zero. I don't think I'm going to be putting it on my carry on luggage. And part of the reason for that is we had that one story. Was it security researcher from Australia that was hacking all kinds of stuff on an airplane.
Ralph
You know, they weren't using a 40 though.
Corey Ham
No, they weren't.
John Strand
They weren't. But they're actually training flight attendants. Yeah. On how to identify that. So if somebody has lots of antennas and they, they are actually showing them. Some of the airlines are sharing like this is what a Flipper Zero looks like as well. So it's just another piece of hardware that they're kind of starting to keep their eyes open for. Because they did catch that attacker. Right. Because I'm guessing he had antennas all over his computer whenever he was doing it. But. Yeah. I just don't think I'm going to fly with the Flipper Zero anymore. I just, I just don't think if.
Corey Ham
You're, if you're wondering, here's the other things you shouldn't fly with: large bags, backpacks, weapons, fireworks, explosives, drones, remote controlled air defense, strollers, coolers. No chairs, blankets, bicycles, or scooters.
John Strand
I'm out.
Corey Ham
I'm not going anywhere.
Wade Wells
No scooters, beverages.
Corey Ham
I'm also, I mean, alcoholic beverages, Illegal substances. Come on. I want to do mushrooms, pets, other than service animals, laser pens, bats or batons. So, I mean, basically anything is banned from this. Which, honestly. Okay, I, I totally get it.
John Strand
Like, oh.
Corey Ham
Who's like the marching band guy that has the little baton? He's like, oh, man.
John Strand
What is it? Oh, brain fart. What is the person that's in front of us?
Corey Ham
I don't know. But you know what?
Mary Ellen
A major demo.
Corey Ham
Major domo. Oh my God. That's not what it is.
John Strand
But that's amazing.
Kent Ickler
I could see an issue here too, where like, yeah, no alcohol allowed. But then you can go to the duty free zone. So how long before the duty free zone is selling Flipper Zeros?
John Strand
Happy? Put it in a little bag. Whenever I board the airplane, it's like, no, no. Yeah.
Ralph
Because it's, you know, dangerous.
Corey Ham
Do not consume any Flipper Zeros you bought in the terminal. I also.
John Strand
I don't know.
Ralph
I know the worst part for me about the Flipper Zero is it's like. It's. It's like a Swiss army knife. Okay. And I mean that in all the senses. If you ever needed a real knife to do a certain task, you would get that real knife, whatever it is, Machete. You don't go around trying to cut down trees with your little, you know, Swiss army knife. Right.
Corey Ham
But you could try.
Ralph
Yes, exactly. So it's kind of a master of none and, you know, many little.
John Strand
It's the backhoe of computer security. It'll do anything, just not really well.
Mary Ellen
But here's. Here's the thing. Mamdani knew about Raspberry Pis and Flipper Zeros. How many other politicians actually know what these things are? How many have a clue?
Corey Ham
He didn't.
Wade Wells
He's not the one who'd say.
Corey Ham
I was gonna say. You mean his staffer?
Wade Wells
Yeah, like his staff. They're like. There's some words. Just throw that. That's the same stuff they banned at the. The Trump rally. We might as well ban those here, too.
Corey Ham
You know, I honestly wonder. I honestly wonder. It is. I. I think it is interesting that they specifically list, like, the other stuff. It. I think it's. Whoever made the list definitely was like, this is gonna go wide because they did specifically say Flipper Zero. Raspberry Pi. I don't know. I mean, honestly, there. The ways of disguising this stuff. It's so easy to disguise. Right.
Kent Ickler
It is a lot more democratized, though. Like, you can just go buy them. You don't have to have like a huge. There's no huge barrier of entry to be able to use a Zero.
John Strand
So it's way more apps or Edis boards. Those are fine.
Corey Ham
Well, those are allowed. Anything from Adafruit that, like, you know, Arduinos are allowed. If you have like your clanker build that you're bringing with you to the inauguration or whatever, I think what it's.
John Strand
Going to get down to is anything that's not a notebook computer or a phone or like an iPad, those should be banned, too.
Corey Ham
Don't freaking have your laptop out. Don't be working at the inauguration.
John Strand
Everything's going to become a Flipper Zero that they don't understand. Right. And maybe they should have that level of paranoia. I don't know.
Corey Ham
Some person who's totally unconnected is like, I'll have To switch to a blueberry pie this time.
Kent Ickler
Like, are they gonna. They're gonna ban cell phones too? Then like, what does that look like?
Corey Ham
They start something with running Kali Net hack.
Wade Wells
They. They give you the little bag to put your cell phone in and you can't leave. Right? Like, it would work. It'd work pretty well.
Corey Ham
Yeah. I need one of those.
John Strand
We're a society of when someone shits themselves, everyone has to wear diapers. It's just getting ridiculous. It just keeps getting ratcheted up more and more all the time.
Corey Ham
Is there anything else to talk about? We should talk about the guy who tried to block the telemetry for his robot vacuum and then it bricked it. Let me see, where's that article?
Wade Wells
I didn't even see that in there. If we're talking about that, we might as well talk about DJI too.
John Strand
Privacy all the time. And I, every time I run into people like when I'm going to Cons now and they talk about this podcast and how they listen to it, I'm like, I'm sorry we talk so much about privacy. No, no, no, no, keep doing it. So, yeah, I have another one too.
Ralph
We also after this one, Corey, we can talk about flock. Have you guys heard about. Oh yes.
Wade Wells
Did you see the.
Ralph
This is wild. There's so much.
John Strand
Let's queue them up. Corey, yours first.
Corey Ham
Okay, I. This is from November. I just linked it. Basically the user. I'll link the article in Discord. I linked it in the private chat. But basically a user has kind of been fighting with this vacuum provider to keep his vacuum working. So essentially this is an iLife. That's the brand iLife. I've never heard of this brand. Personally, it sounds sketchy to me. I probably wouldn't own their vacuum, but it's an iLife A11 smart vacuum. They basically loaded up this thing on their home networking and monitored the traffic to it. Noticed that it was constantly sending logs and telemetry to the manufacturer. He blocked the telemetry IP addresses from egressing their network. Then they wanted to leave open the firmware and OTA servers basically. And then eventually it. He investigated it. It stopped working. He investigated and figured out that a remote kill command had been issued. He sent it to service it and it worked there. It just didn't work at his house. And basically somehow he figured out some kind of a Python script type dealio that he could run to keep the vacuum working. So yeah, that's basically it. It's just a fun write up of a hilarious, you know, like, battle between, you know, the user and their.
John Strand
This is making me uncomfortable because I have one of those really stupid expensive fridges that has a computer in it. And they've been talking about how Samsung wants to start randomly playing advertisements in my kitchen. And I'm not down for that. I. I, like, am actively blocking anything that that fridge does whenever it tries to go to Samsung. And I'm worried. Like, I read this and I'm worried about them bricking my fridge and they're like, no, no, no, you. You have to have your advertisements for I Can't Believe It's Not Butter or this fridge is going to stop working.
Corey Ham
Well, that's what's been happening with the frame TVs. I don't know if you've been following that at all, but people are becoming anti frame TV because they're kind of a nightmare from a. Yeah, you turn.
John Strand
Them on and they immediately start playing ads, just like blaring them like in the middle of the night.
Corey Ham
So. All right, what's your article, Ralph?
Ralph
Oh, my God. All right, so it's actually a YouTube video series. And I implore anyone who wants to see essentially shocking things. I'm putting it in the. In the private chat here. There's two YouTube videos here. What it is, is. It's about. It's done by Benn Jordan, and it's about Flock security cameras. Does anyone know about Flock or have seen them? So essentially what they are is that they are these security cameras that you can put up and they're like, you know, solar powered and they'll do license plate reading and stuff like that. Well, Benn decided to tear through one of these things to check out the security of these devices. And to say it was bad would be an understatement for how bad the security is on these devices. Right. Remotely accessing them, being able to physically just turn them into a reset them and then connect directly to them in person. Being able to access them over the Internet. And it just gets worse and worse and worse. The rabbit hole is so deep with how bad these cameras are for security. And they're supposed to be used to, like, you know, help prevent crime and detect, you know, to be.
Corey Ham
Save the children.
Ralph
Save the children, yes. Put into a database to track down, you know, when crime happens and all this other stuff. It is unbelievable how bad of, like, if they've got a security audit once, I would be impressed that I would want to know who did it because it was so bad, all this stuff. Even worse is that Benn keeps finding more stuff with it. Right. Like, it's like he did one video and then it just keeps developing even worse. Like, the more the rabbit hole goes. Because at first they had the license plate cameras, and then they came out with these PTZ cameras. He found a ton of them accessible online quickly and easily, and he could just literally go watch any of them, you know, all over the country.
Corey Ham
Right.
Wade Wells
One of the things you didn't mention is I believe the researcher who did all this testing got fired from his company for doing this on the side.
Corey Ham
Wow.
Ralph
Yeah.
Corey Ham
John, can we hire this person?
Wade Wells
So, okay, someone posted it on Reddit and I tagged John.
Mary Ellen
Those. They're not the only ones. 404 Media. They tracked themselves on Flock cameras.
Ralph
Yes.
Mary Ellen
So, I mean, it's. This stuff is wide open.
Ralph
Yeah. Yeah. It would be like if one.
John Strand
If.
Ralph
If the device is to make things more secure. First of all, you can argue whether that is a thing, and Benn does in the videos, but it's worse. They have zero security on the device itself. Like, they did nothing to secure these devices, but yet they're used by federal agents. They're used in crime investigations where they can be tampered out the wazoo. They have. No way.
John Strand
Somebody was talking about. I hate the surveillance state. I. I think when we all thought of the surveillance state as kids growing up, we thought it would be competent. And I don't know why. I am sure. Right. But, you know, if we're reading, like, could you imagine sitting down with, like, Huxley or, you know, Orwell, and it's like, no, no, no, no, no. The brave. The surveillance state's going to be much dumber than that. Like, how dumb? Talking default credentials dumb. Like, really stupid dumb.
Ralph
Like, they're running Android versions that are like seven General, like, seven versions behind.
John Strand
Just like, have you looked. Have you looked at the. The new satellite class slides that I've been working on? The research that IOActive did a number of years ago? If you look at some of the research that's been done now, seeing the same thing in satellites, Right. It's just whenever you move into the realm of IoT, like we were talking about, there needs to be better security for securing the power grid. IoT is just an absolute smoking pile of dog crap. It's just bad all the way across and no one cares. Right. Like, the people that sell this. Like, look at what happened to iRobot. That poor company, by the way. Holy crap.
Ralph
They got acquired by a Chinese company. Oh, God.
John Strand
No, no, no. But there's so much worse. Like they got screwed over by the Biden administration, then they got screwed over by the Trump administration. They've been hosed. Go read the story if you can. But if you're looking at these companies, a lot of them now, they want to pump out this technology as quickly and as cheaply as they can. They don't care about supporting the technology because they know the technology curve is they're going to sell a whole bunch of them because they're cheap, and then no one's going to buy them. There's going to be something else. They're just going to move on to another product, and there's going to be no accountability for these, for this technology, because the companies are just going to exit into the ether. I don't know. Go see what happened to iRobot and how badly they were screwed over the past eight years. It's ridiculous. They could have been saved.
Wade Wells
Was the Flock. Was it also the Flock license plate reader that was. If you put in a fake, like QR code on your license plate in certain areas, the AI would actually not allow it to read it. It would get confused.
Ralph
Yeah, I don't remember there was a confusion with the license plate reading. I do know there was a bunch with the license plate reader, specifically ways to attack it. You know, many of them being just setting it into a mode where it turns out a Wi-Fi hotspot and you could just connect right to it and access it. There was just a lot of vulnerabilities with that device.
Wade Wells
There was one. You just put stickers in a certain part of your license plate and they can no longer read it. And to that point, then Florida passed a law saying you're not allowed to put those stickers on your license plate.
John Strand
That's the solution. Yeah.
Corey Ham
Well done.
Ralph
Well, okay, so I'll put one last thing with the Flock security. When they were brought up in news articles about the lack of security on these devices and what they were going to do, they were just like, oh, this is essentially fake news by people who just want to hurt us and political, political, political.
John Strand
That's not what I heard, Ralph. I heard that their response was it was a bunch of honeypots that they had found. That's a good.
Kent Ickler
Yeah, a whole city of honey cameras. I have a thought, though. Like, I'm thinking five, ten years ago, we'd watch, like, the TV shows and whatever, hacker movie, whatever, and it's like, oh, they'd like, drop into the civil network and be able to look at stoplight cameras.
John Strand
And everything.
Ralph
Yeah.
Kent Ickler
It's like we used to say, like, that's not a thing. Like, you can't just do that, but now you can. Like, that is, like, if someone say, is that real?
John Strand
Yeah. Yeah, it is real now.
Corey Ham
Yeah.
John Strand
It's called Flock. Die Hard 4 was right all this time.
Wade Wells
Oh, my God.
Ralph
Yeah.
John Strand
Okay.
Corey Ham
My movie reference for the whole surveillance state thing is I don't know if I love the movie Brazil. I don't know if anyone's seen it, but the entire plot of the movie is a typo leads to a man getting arrested. That's the surveillance state that we are in right now of like, oh, sorry. The Flock camera said you did it, so we're here arresting you. No one knows why or how. Like, the Minority Report.
John Strand
No, wait.
Wade Wells
There was just. So I watched those like. Like, cop YouTube where videos where they're arresting people. And every now and then, when one comes in my stream. And there was a recent one from Vegas where a dude got caught on camera. The AI said he was someone who was banned from the hotel. And when the guy pulled out his license to prove he wasn't that one, the security guards didn't believe him because they looked so much alike. They wound up arresting him, holding him there, and then taking him and charging him. Then when they finally ran his license plate, they really. Or his. His license. They realized they're two different people, that he is the real guy. And at that point, they were. They actually charged his real name with the crime of trespassing at the casino all because.
Corey Ham
Well, talk about rolling a natural one on the day.
John Strand
Wow. No, that dude. That dude just rolled a 20. He's going to be making so much bank.
Corey Ham
The settlement should be nice. I just wanted to give you all my money. Don't take all my money.
John Strand
I. Yeah, I just can't. Like, how do people, like, in. I've never been in a room where someone's made those, like, dumb decisions. You know, we got the wrong guy. We verified it's the wrong guy. You know, we deal with that. Let's charge this guy with trespassing. That seems like this is going to help that. What is it? You guys remember that story of the black guy that got a. Oh, God. He had a lawsuit that he successfully won for discrimination against his workplace. Then he goes to the bank with the check to cash the check, and they refused to cash the check because they didn't believe him. And then he's like, what is this?
Corey Ham
A settlement check from discrimination.
Ralph
Oh, my God.
John Strand
Yeah, we're not going to deposit that in your bank account. Customer of ours, like that guy, like, yeah, he had a bad couple of days admitted, but I'm willing to bet if you sat down and talked to him, be like, was it worth it? He'd probably be like, yeah, it's a little worse.
Mary Ellen
It kind of reminds me of those two. Was it two physical pen testers a few years ago?
John Strand
Oh, yeah.
Ralph
Incident.
John Strand
Yeah. Yeah.
Corey Ham
That was just bad scoping. Don't go out of scope.
Ralph
There's a lot. It was. It was a lot of things. It wasn't all on them, but.
Corey Ham
No, it was not.
John Strand
It was.
Ralph
They didn't help.
Corey Ham
It was partially on them.
Ralph
Yes.
Corey Ham
It's the equivalent of flying with, like, a bandolier full of Flipper Zeros.
Ralph
Yeah.
Corey Ham
Do you need to be doing that? Like, is it okay? Is it wrong? No. But should you be doing that? Probably not.
Ralph
Yeah.
John Strand
In my. In my intro to pen testing class, when we have get to the physical section, I'm like, do me a solid. Like, if you're gonna do a physical pen test, don't show up with, like, your Tactical 511 backpack with the baby tactile Tactical 511 backpack on the back. Any utility?
Ralph
Yeah.
John Strand
Wearing a shirt that says, I read your mom's email. And then how come I'm not getting in? I don't understand. I have all of these wires and antennas all over me. Don't look like a hacker.
Ralph
We teach all of that, John, in our. Our practical physical exploitation class. We go through all of that. We have to, you know, just pretty much lay it down, talk about how you're supposed to do this and you know, why. Right?
John Strand
Okay, if I wear camo, Ralph.
Ralph
No, no, no.
Corey Ham
We tell.
Ralph
We'd like right off the top. Bring your tactical cool. Nowhere.
John Strand
What.
Corey Ham
What if I.
John Strand
What about. What if all of my shit's black and I dress like a. Like a ninja? No. What about my cargo pants? No, nothing you would normally wear. Don't wear that. Wear something else.
Ralph
So I'll give you. I'll give you a good example. We've had people in the class, students who've had, like, maybe like a unique hat they like to wear or something like that. Right? And we'll be like, on an engagement. Don't wear that. I like it.
Corey Ham
I stand out.
Ralph
But it stands out, right? Like, it makes you stand out. You want to look like just a dude at work who doesn't even want to be at work. Okay. And no one's going to talk to you.
Corey Ham
I think my favorite physical pen testing story so far this year was I was doing an engagement with Cameron, one of the testers here, and she had, like, one of those thick clipboards that can fit a reader inside of it. But we didn't. None of the physical stuff, like read badge cloning wasn't in scope. So I was like. At the end of the engagement, I was like, what do you have in that clipboard? And she's like, a banana. She had a banana on the clipboard. Like, you know, I didn't want to cramp up during the physical. I had a banana on my clipboard just in case.
John Strand
Perfect, everybody, let's wrap it up. Thank you so much. Hey, by the way, y'all, it's good to see you in 2026. And, yeah, we made it. Let's. Let's shoot for not shitty this year.
Corey Ham
Let's go for that above Jordan plug. Sorry. Jordan and Kent have a webcast. Jordan's not here. Kent, plug your webcast.
Ralph
Look at that.
John Strand
Yeah. You're doing a webcast with Jordan.
Kent Ickler
I am. He's not here right now, but, yeah, I am. Everybody confused.
John Strand
There's a QR code.
Kent Ickler
There's a QR code. You should scan it right now.
John Strand
You should.
Corey Ham
Do I learn how to use a Flipper Zero? Because that's the only thing I'm interested in at this point.
Kent Ickler
We don't actually talk about Flipper Zeros. We're going to talk about a bunch of different tools for defense hacking. So it's gonna be pretty awesome. It's in a couple days.
John Strand
I like how it's shortened to the point. Velociraptor is C2. Oh, my God. This is so different.
Corey Ham
Who is that?
John Strand
Yes, a different webcast. Like, if you want to use legitimate IR tools as an implant and just completely screw with the matrix. Check that one out. That one's good. Boy, this is neat. Look at these QR.
Corey Ham
I need to go to that one.
Wade Wells
I don't want anyone to go to that one. We're turning that one off real quick.
Corey Ham
Yeah, Wade's like, that one's too soon.
Ralph
Okay.
John Strand
All right, Wade, what IR tool do you recommend? Wade?
Wade Wells
Wade, I'm not gonna tell you because I don't want you to do C2 with it.
Corey Ham
Yeah, you know what?
John Strand
The.
Corey Ham
Okay, you. No matter what, Wade, here's why this isn't a problem. Because the best, the better C2 is the EDR. That's the best C2 out there.
Wade Wells
At the end of the day, you just got to change BGP routes, right? So you're.
John Strand
Good. Yeah. That's all you got? That's all you have to do. Corey, are we gonna put that into the continuous pen testing service like BGP? We'll attack your BGP.
Corey Ham
Network. No, absolutely not. Please don't make me do.
John Strand
That. And, you know, like, we're willing to do it. Good luck. So. All right, let's wrap it up. Thanks so much.
Corey Ham
Everybody. Happy New.
John Strand
Year.
This episode of "Talkin’ Bout [Infosec] News" from Black Hills Information Security focuses on the widely reported US operations in Venezuela, specifically the suspected use of cyberattacks to disable power and communications before a high-profile raid. The team delivers their trademark blend of technical breakdowns, candid speculation, and irreverent banter, exploring what’s known, what’s unknown, and what the recent events suggest for global cyber operations and critical infrastructure security.
Cyber or Kinetic? (11:27–12:34):
BGP Hijacking Explained (15:25–17:39):
BGP Detection and Mitigation:
US Expertise vs. Sloppy Ops? (19:54–21:05):
Mirror Reflection (24:27–26:16):
Grid Interconnection Risks:
MongoBleed Vulnerability (35:48–38:06):
Honeypots as Breach Defense (39:08–41:19):
Wired Data Leak (42:46–43:08):
Tinder for Nazis Hacked Live (43:48–45:11):
Flock Security Cameras Exploit (55:16–61:21):
Legal Responses and Deflection:
| Timestamp | Speaker | Quote |
|-----------|---------|-------|
| 10:39 | John Strand | “Can you honestly see an operation like this going off and they didn’t use cyber?... What about cyber?” |
| 15:50 | Corey Ham | “What’s old is new again. If it works, it works. It doesn’t have to be a zero day.” |
| 30:29 | John Strand | “Security often is not one of those things that power companies are allowed to make good percentages of money or profit on...” |
| 37:15 | Mary Ellen | “No database should be directly exposed.” |
| 40:24 | Ralph | “This was our most elaborate honeypot. We actually replicated our entire production [environment].” |
| 43:22 | Ralph | “Who suggests to print anything.” |
| 45:41 | Corey Ham | “Have we just discovered the world’s first victimless crime on the news show?” |
| 51:36 | John Strand | “Everything’s going to become a Flipper Zero that they don’t understand. Right. And maybe they should have that level of paranoia. I don’t know.” |
| 59:22 | John Strand | “IoT is just an absolute smoking pile of dog crap. It's just bad all the way across and no one cares.” |
The episode is lively, irreverent, and fast-paced, blending serious technical analysis with a healthy dose of sarcasm and inside jokes. The team doesn’t take themselves too seriously—even when discussing major global events. The banter punctuates the content, making sometimes dry infrastructure topics highly accessible.
This episode supplies a thorough but unvarnished look at recent high-stakes cyber operations, widespread infrastructure weaknesses, and the state of security across both public and private sectors. The panel’s skeptical view on attribution, enthusiasm for "old school" attacks that still work, and calls for better regulation and incentives in infrastructure security make for compelling listening—whether you missed the episode or want a refresher on the facts behind the headlines.