Tim Medine
Dark.
Ralph
And then the other cool part was the time, the time dilation, which was. I also watched a bunch of YouTube videos about that. And essentially the faster you go, the less time you experience. And that's actually like the way that it was like described in the video is like it's, it's because like as you go faster, the molecules take longer to make it to the next spot, right? And that's like the time difference between those.
Corey
So.
Ralph
So you're actually experiencing time slower because everything is moving slower. You're going.
Tim Medine
The really cool thing is if you get two astronauts passing each other relative to each other going close to the speed of light. Whatever, whatever. Each one will experience the other one going slower, which is like mind blowing. Like, and the physics and you can do the math. Like I. Yeah, there's a great book by the way called The Elegant Universe. It's actually pretty readable. Came out maybe late 90s, early 2000. Really readable. But like there's a whole bunch of like just mind blowing stuff here. Like you know, circle circumferences, what 2 pi r? Well, unless you spin it close to the speed of light and then it doesn't happen anymore because you got length contraction, but only in the direction of movement. So your radius doesn't change. But then you're. Yeah, it gets the.
Ralph
The book was kind of cool. Or not just the book, but the movie was cool as awesome because there's a bit of science in there too. And like I. Again, some of it may.
Wade Wells
There's a lot more science in the books. Like the books are all scientifically accurate and like the, the star he went. They went to or the star that Rocky was from was act. They actually thought there was a planet on it. And it wasn't until after the book came out that they discovered. Oh, that actually doesn't have a planet around it. So he. That was like one thing he accidentally.
Corey
Bummer.
Tim Medine
But I like, I like the whole. I think they did a pretty good job with that. Like you're meeting in a whole new culture. You have no frame of reference for communicating. You don't have like hands to wave at people. Right? Like, like you, you've got completely from scratch trying to dissect this. And what was cool I thought too is like they use like infrared. We use visible light. Right? Like we're using different wavelengths for that. The sound doesn't. We're like just completely different. Like that was awesome. Love that. Like, didn't make it easy.
Wade Wells
I've watched so many videos that if I get abducted. How to talk to aliens, Right? Like, first you, like, you write out like scratch marks in your number system, then you write out pi and you draw a circle. Then you draw the. Your solar system to point that you know where you're at.
Corey
Whoa, whoa, whoa. They already did this, dude. All you got to do is give the same stuff they gave on the
Wade Wells
Voyager golden record that that's exactly what I'm doing.
Tim Medine
Draw naked women. You gotta draw a naked wicked woman.
Corey
And what you want to do is start with drawing a naked woman.
Wade Wells
Dick figure.
Corey
Yeah.
Tim Medine
Know all about us and be. Wow. They know about what? What are we doing here?
Corey
They'll be like, listen, we. We don't like Earth. We think you guys are disgusting, but we've been watching your porn for years.
Ralph
That was the one thing we thought about.
Corey
You guys invented the Internet just for that purpose.
Tim Medine
And I see how important it is to you because it's the third thing you. We got numbers, we got pi, and we got bouncing about. Wow.
Wade Wells
All right, man.
Corey
Should we roll the show? I feel like. Is everyone prepped and ready? I mean, I, I read a few of the articles. It's just going to be a chaos week. I mean, it's just volumes after volumes after runs. We got copy fail, fcc, all kinds of good stuff.
Ralph
Oh, copy fail, so good.
Corey
Copy fail, yeah. All right, let's roll it. Hello and welcome to Black Hills Information Security's Talking About News. It's May 4, 2026. May the fourth be with you. I guess if you're a Star Trek fan, that really means a lot to you, right?
Tim Medine
Can we, can we mute his mic remotely? Right click. Right click. Work.
Corey
I. I will say, like, my official opinion is Star Trek is better. Fight me. It's not even close. Like, Star Wars is so mid compared to Star Trek. But anyway, if you're a big Star Trek fan or I mean Star Wars fan, you're still allowed. We, we. We still love you. But yeah. Anyway, let's get into the show. First of all, we got our introductions. We got Tim Medine here Kerberoasting us as we speak. We got Patrick Gorman. Patrick, you have. You have an upcoming webcast or training or something? I assume so, yeah.
Patrick Gorman
I have a few things cooking as far as courses. I have something on the blue team side coming out and yeah, as far as you know, I use. I normally do my thirsty Thursdays on Thursday nights, 7pm EST, and just talk about similar stuff and just, yeah, shoot the smack.
Corey
Nice. And Tim, you have an upcoming workshop on May 22 as well. Kerberos hands on. More like packets on. Am I right? Port 88, baby.
Tim Medine
Absolutely. Absolutely.
Wade Wells
Yeah.
Tim Medine
Join us for a couple hours of goodness with some Kerberos.
Corey
Hopefully you also have looks like Corey Overstreet.
Ralph
My.
Corey
My altered ego Corey. The other Corey.
Tim Medine
He, too, is growing his hair out. We're gonna have to have, like, a Troy Polamalu award for best wavy, best hair.
Corey
Best Corey hair.
Wade Wells
Yeah, yeah.
Corey
I'll have to get there. So. Yeah, he has an Anti-Cast on May 20. About red teaming, we love Corey. I will say I've actually done a red team with him. You know, back in the day, and we used to kind of, like, cross pollinate a little more, and he's an excellent operator, so I highly recommend anyone show up to that that's interested in going after stuff. John's not going to be here. John asked me to plug his course on May 11. I think it's next week, so that should be fun. And then Jason has an upcoming webcast for job hunting as well, so it's a busy week.
Tim Medine
What's John's class, which is forward what you can.
Corey
Oh, I. I think information security core skills, which is good. Back to basics. Honestly, a lot of people are always asking about Mythos, and I'm just like, just go back to basics. All right. Just patch your stuff. It's Nothing is new.
Tim Medine
What's funny is everything we're going to talk through here, probably today, we're going to be referencing the basics.
Corey
Yeah. Sock course or cyber security core skills still as important as ever. Anyway, continue with the introductions. We also have Ralph and Wade, two of our just perennial hosts, always here. Ralph, have you considered growing a mustache? Like, where is that on your priority list right now?
Ralph
It's not that high. Amanda's asked me multiple times if that's where I want to be in my life, and I say no. With the beard. Yeah, I think.
Corey
I think we should.
Wade Wells
You look good, Scruffy. I think you look good, Scruffy. Like this.
Corey
You look good. Now, don't get me wrong, but I think you could pull it off, man. I think you should try it.
Wade Wells
Yeah.
Ralph
I mean, the problem. And it grows so fast. Like, I could grow a huge beard. I have to trim it often.
Tim Medine
Yeah, we just steal the quote. It's like science didn't ask if we could. Whatever. I'm g. Screw it up.
Wade Wells
Right?
Corey
Like, it's about whether you should.
Tim Medine
You can, but should you?
Corey
Yeah, yeah. Give it a shot. Do you like walking.
Tim Medine
Walking past the school without a squad car picking you up? Probably like
Wade Wells
that is the first.
Corey
That depends on the length of your mustache. Someone said to me, yeah, the key with the mustache is don't go below the edge of your mouth. Right. Like, if you go below that, it starts to get weird.
Tim Medine
I. I'm so. Actually, I'm just jealous. I wish I could do a good mustache. I can't.
Wade Wells
Your mustache is fine. What are you talking about?
Tim Medine
You know, but, like, if I. If I cut it off, it's horrible. Also, look. Look at my mustache. Like, if you just look here, it's two tone. So if I get rid of this, it's like, what's wrong with you? No, it's not peppered. Like, one side salted, the other side's black pepper. Like, we have. We have. We have not cooked the steak evenly. Like, well, I don't know what's going on.
Ralph
You could just get something just for men.
Wade Wells
Would you rather two colors or.
Tim Medine
No?
Corey
No.
Tim Medine
So I did that. I'm allergic. So then I. It's like. So I shaved it. It's 10 times worse because now I've got rash on my face, but just on this half of my face. So it's.
Wade Wells
Not for you. But if it makes you feel better, my mustache is a different color than my hair. Like, by. By a lot.
Corey
By. By a couple.
Tim Medine
That's. That's uncommon.
Corey
I can see how that you point it out. I could see it. It looks like a trick of the lighting, though.
Wade Wells
It is not. It is, like, legit like, mine is, like rusty red, like, almost like a brown red. And then my hair is pretty dark brown.
Ralph
Rusty red.
Corey
Gotcha.
Tim Medine
I wish I could do the one, the long one. Like the motorcycle guide. George County.
Corey
Yeah, yeah, yeah. All right, let's move into actual podcasting now that we've covered everyone's mustache preferences. If you have your own mustache preferences, please put them in the Discord. Yeah. Whether you know any, no matter who you are, you gotta have a preference. So, I mean, I think let's start with the DigiCert stuff. It's pretty. It's interesting, and it's not at the same time. For those that are out of the loop, DigiCert, which is CA or Certificate Authority, got popped. And the angle is pretty interesting. Basically, it looks like the threat actors essentially social engineered their support team into running something on their system. It sounds like there was some misconfigurations or issues with their security tools on the support team's systems and essentially led to, you know, initial access. And then the attackers stole a bunch of basically things they could use to Sign code signing certificate to create code signing certificates. And they stole or created like 60 certificates. And basically those were used to sign stealers stealer malware. So I'm guessing they just tricked the DigiCert support people into running a payload somehow. I think it's a really interesting angle to try. Right. Wade, do you have any comments on the.
Wade Wells
Like in the initial article, not the deep dive, like if you click one in, you can actually see the IR report. But in the initial article they said that they sent them an image over their chat channel and that is the way that they were infected. Right. And
Corey
I mean is it not PNG exe or is it like steganography prompt injection? Like it could go really stupid or really complex.
Wade Wells
That's, that's exactly what I thought. I'm like, okay. And then are they using some like very like third party chat thing where they're chatting to the customers? And that was an exploit in that. So I was trying to dig into that. But the one interesting part is like they do flat out say that that secondary host had bad. Had a bad security config in it. Which. Right. Like you don't hear often as much owning up to your mistakes situation, but only exactly owning up to the mistake of actually how that works. And the thing is, it's super common. Like there's. And it's one of the hardest things to actually decide. Yeah.
Corey
So yeah, no, I mean I, I really, I hope someday that we can get a deep dive into the actual payload. Like it'd be cool. I mean DigiCert's a security-ish company. Right. So they have the capabilities to analyze this. I'd be really interested to see, was it steganography, was it prompt injection or was it just PNG exe? Like, like how, how basic was it? How advanced was it? I'm really curious. My guess is always basic, right? Like, I think anytime we as pen testers think about, oh, let's how would a threat actor do it? I think we always overestimate their capabilities and complexity, like in general. So it was probably just like exe.png and they were like, it isn't working. Can you take off the extension? Like try it again? I, I don't know. Something like that.
Tim Medine
Well, this is interesting. Like I feel like going back to the basics, right? Like I, I'm, I, I can't remember the exact date, but I know DigiCert has been popped at least once before and I'm finding two different results, one in 2020. One of them mentions 2020. I don't have time to necessarily parse it. I'm not sure if that's 100% correct. There was definitely some certificate issues. Didn't recall 83,000 certs because they screwed those up. That was in 20, 20, 25, 24, something like that. So it's every few years and you're like, you know, I feel like the segmentation here could be better. I mean, I don't know the details, but you're like, you know, and it happens every two years like Old Faithful. Maybe something's an issue.
Corey
Yeah, I mean, go ahead, Ralph.
Ralph
Oh, no, I was just gonna say that it looked like there was a. It was a malicious file disguised as a customer screenshot, which contained a .scr file, which is a Windows screensaver file.
Corey
Right, I see. So it was a zip file. They were saying, I'm sending you a zip with the images. The image was a screensaver. The person didn't know. They just opened the file. Basically. If you're a red team reading this, go try this this week. We're gonna do. I'm gonna. I'm literally gonna try this this week. Like, find a support chat for one of your targets. You know, say you're having issues with the product. Send them a zip file with a payload in it. Like, what's the worst case scenario? It doesn't work. Like, it takes you 15 minutes to throw that together.
Tim Medine
Well, it's funny because that's the same payload we've been using for years too. Right?
Corey
Zip with an EXE in it. Yeah. Or zip with an scr. Or zip with a zip. Yeah. I mean, it really will only work with, like, you know, if they have security tool issues. Right. Like, you know, but it's a cool attack. I mean, I agree with you, Tim, though I think honestly, my take on this is like, oh, all they wanted was EVs. Like, it's easy to get EVs. They like, that's, you know, I mean, I guess I feel like I'm shocked they aren't stealing these from other companies. I do think the EV certificates, but they. The EVs require like an RDP with a token.
Wade Wells
Right.
Corey
Like, it actually has to be a hard. A physical device.
Ralph
They have a physical device requirement for those.
Tim Medine
Yeah. But I don't know if that's necessarily like the others are. We just haven't been heard and reported. Like, there could be somebody in. Right. Right now. We don't know. Or they're silently revoking them, like, to some degree. Even though it keeps happening to DigiCert, good for them for telling us.
Corey
Yeah, I agree. And I also think honestly, like the certificate, the way that the, the certificates really get used isn't. It's not like that important from like, there's not a lot of. I mean definitely certificates have to be valid, but there's no EDR that's like, oh, you have an EV certificate, do whatever you want, right? Like, that's not, that's not the reality. Right. Like EDRs still monitor. They still, it's like trust but verify, right? Like you might. And from our perspective, like talking to the payload engineers here, the EVs and code signing certificates, all they help you with is landing on disk. They help you with detection. Like the, you know, we call them whack attacks. Like the, you know, basically like AMSI scans of files that kind of tell you whether the file is malicious, but once the program executes, it doesn't matter. I don't care what sort of badge you walked in with that I let you in the door now that you're running, you know, Kerberoasting attacks or whatever, I'm going to nuke you. Right. Like it's not, it's behavioral more than it is just like, oh, you're signed. All right, you're good. But yeah, anyway, you can move on. There's. We can do a couple quick hits and I mean, I don't know if this is mythos stuff or if it's, you know, LLM, whatever it is, but there's a lot of vulnerabilities. There's the apparently in the wild exploitation of MOVEit servers again reminds you like it's, you know, taking us back a couple years to the previous MOVEit stuff. It looks like the CVEs are. There's no public proof of concepts and they have patched. So basically if you have MOVEit servers, please patch them. 20, 26 CVEs for MOVEit. Turns out where there's smoke, there's fire. Who would have thought if a SaaS product is vulnerable, it probably has a lot more vulnerabilities that are undiscovered. It's kind of just the name of the game.
And I think like the theme this year is going to be more and more and more of just like once one vulnerability comes for a product, it's going to start like that's where the floodgates open up.
Ralph
And then I always love it when people like Fortinet write a blog post about someone else's zero day. I'm like, man, must be nice.
Corey
Yeah, look somewhere else. Basically
Wade Wells
that would be, that would imagine. Imagine you were a company, you just held on to like a gnarly zero day. Not to exploit it, but the moment you get a zero day you release that you found this other one as a squirrel tactic. Yeah, like yeah, we had a breach. Check out this gnarly zero day.
Corey
Well, so speaking maybe that's happening because there's a bunch of other zero days. There's a cPanel auth bypass that's hot and spicy. A lot of our customers have cPanel, but not like intentionally like really. Okay, so here's a super common scenario. A customer has a website that some marketing team bought five years ago. They just hired GoDaddy or some other company to host it and it has an exposed cPanel. So we don't typically go after them because we don't want to pop GoDaddy infrastructure. Like we don't care. It's. It's like it's the equivalent of like oh, we tore down the poster that had your guys name on it. Right. But like it's not, you know, it is still like it's in their risks portfolio.
Wade Wells
Right.
Corey
Like it is like infrastructure they technically own. There could be LDAP integrations or you know, passwords that are reused or things like that. But yeah, these, I mean cPanel seems like very widely used but mostly in like the hosting. Not in really an enterprise, more in like
Wade Wells
when I worked at a data center this was like one of the primary things we set up with cPanel servers for people. So it was just. Yeah, I don't know how many times I've seen these popped and as well set these up.
Tim Medine
Yeah, just a marketing brochure Size with the cow was referring to my guess of web servers. Like we're just going to set this up, throw some marketing crap on it and everyone's going to forget that we have it in six months. Right. And then what's on it?
Ralph
We, we've kind of moved. I mean for modern single page web apps and stuff like that. I mean you don't need cPanel or anything like that to host these. Right. Like there's tons of ways to essentially host. And I'm going to use, I'm going to use this word very hardened servers. Right. There's nothing to like actually compromise from an under like you, you're, you're. The app doesn't have the functionality to really compromise in the way where you have to put the cPanel on top of it and all these other management things that have underlying OS and when you just want the website to load and these things.
Corey
Are you telling me that this whole time I could have just been using SQL instead of installing php, my admin? Yeah, I mean, dude, like you're not wrong. But also like in the context of like paid hosting, it's about ease of use.
Ralph
It's also about the history, right? So like the like how things were and then how things are now and a lot of times that website that was made, I don't know, five, six years ago, it's still good enough and so nobody's gonna like update it to the latest thing, right?
Wade Wells
So yeah, my HOA has a really shitty website and they've been talking about upgrading to a full. No, I have no clue what is. I, I haven't deep dived like, I haven't OSINTed it, which I've thought.
Corey
Yeah.
Wade Wells
But I heard rumor that they were going to start paying some third party service to host the website and then do a bunch of other stuff and I'm like, dude, I don't want my dues to go up. I'm like, I literally told Claude to scrape our website and then throw me up a new, brand new version of it that looks really good. And then I sent it to the HOA president. I'm like, hey, here's a free website, I'll host it for you. Just point your DNS at this GitHub repo.
Ralph
Yeah, yeah.
Corey
I mean dude, like you're not wrong. I think this is a good time to bring up the fact this, this podcast is sponsored by Squarespace. We, we actually, you really, we do have a lot for you to patch upgrade right now. Yeah.
Ralph
If, if you are ever looking to build a website, something like Cloudflare can do that. Cloudflare. Yeah, it's, it's, it's.
Corey
It's.
Ralph
You know, it's not. I, I want to use the word unhackable. It's.
Tim Medine
That's.
Ralph
But there's nothing to hack, right? So to. That's also a free.
Wade Wells
Why do, why do Cloudflare when you can just do like one of the Pages website, either GitLab or GitHub.
Ralph
Yeah, you just, you can do those.
Corey
Yeah,
Ralph
yeah, yeah.
Wade Wells
Nothing to hack.
Corey
I mean you're not going to get a dynamic website where you can buy stuff, right? Like, yeah, I mean, I guess you could, but you can. I'm just saying most people need that.
Ralph
Most people just have an informational website like that is like the market share and that. Honestly, going back to this vulnerability and going back to the security around it. Right. That is the market share that's using cPanel, right?
Corey
Yes. And I, I have bad news for you. If you're, if you're using cPanel to host one of your websites, or if you don't know that you're not using cPanel, you're about to be advertising all kinds of weird products on your websites.
Wade Wells
I rather, I rather cPanel than WordPress. I will say that.
Corey
Oh yeah, dude, if you, if you think that if I buy a company that gives me a website that I'm not getting both cPanel and WordPress at the same time. Exactly. And that's getting both, dude.
Patrick Gorman
And that's the thing now because like HostGator, that's what I use, you know, for, for a website and I use both of them and I literally just changed it a week and a half ago. So like, when this came about, I was like, holy moly. It's like, you know, Evan Gates, let's get off of this. And exactly what I did was, what you said was, you know, was put in, put the code in GitHub and just push it out to, to Cloudflare and just manage everything for there. So it's like super, super easy. And like, I don't want to say it's unhackable. Like you said, I don't want to put anyone in a test.
Ralph
Yeah.
Patrick Gorman
Try to hack my shit, you know, but yeah, yeah, but the thing is,
Tim Medine
I think for you guys that's really easy. Right? Like, but trying to get a marketing team, like a marketing team has two options. They got go to IT and get a web server or go buy something. And they're like, well, definitely we're not dealing with it. We're going to go buy something. Right. And what can they configure? They're not going to set up a git repo. Hell, I don't understand the git commands. I have to Google those like half the freaking time.
Ralph
Right?
Tim Medine
And so they're going to get the easiest thing for them that they're going to set it up. It's a brochure website. It's going to live for freaking ever.
Corey
And yeah, I mean, honestly, I think, you know, a lot of industries are dominated by marketing and not by like the actual, you know, product itself. And websites and hosting are that category of like, when you go, if you're just Googling like how to set up a website set up, like you're going to get bombarded with a bunch of ads from a bunch of hosting providers, all of which are selling a very similar product but also very slightly different. And security is never really like, like the top billing feature. It's always like, you know, 79, 7, 99 a month or you know, whatever other thing is out there.
Tim Medine
So easy, easy, easy to set up your own website. Like that's the big selling point.
Corey
Like it really don't know how to do this.
Tim Medine
They're not going to do htm, HTML or CSS or God forbid, JavaScript.
Corey
No, absolutely not. But Claude will do it for me because I don't.
Ralph
Dude.
Tim Medine
Oh, did I just freeze all the JavaScript you want?
Wade Wells
Tim? Tim froze. It's okay, we can still hear you.
Corey
He got Kerberoasted. Oh, I had. That entire left wing of the building has gone down.
Ralph
You just gotta turn the camera off, turn it back on.
Corey
So I think that's all the vulnerabilities. Oh no, there was also Qlik copy fail. That was the figure.
Patrick Gorman
That's a good one.
Corey
One. Yeah, I mean, yeah, I mean it's a big, it's definitely a big one, but also like, I don't know, patch, you know, like there's already a patch.
Ralph
You're not excited, you're not excited about privesc on Linux?
Corey
Is that what you're trying? No, I like privesc. I just feel like every time I pop a Linux box, it's just in some stupid cloud provider by itself and it's the most boring thing ever. And it just gives me, it just makes me sad. It's like, oh, I got all this access, I privesc'd and then I got.
Ralph
Just for context, every time I've ever been on a Linux box, I've been able to privilege escalate and because there's
Corey
always one way or another.
Ralph
Yeah, there's always one way or another. And it, it's, it's kind of. It's not a guarantee, but it is a very often attack path. Most of the time you're on these hosts, they're, they're outdated. Right. And it doesn't take. You know, the other thing about this particular vulnerability is that to patch it, you do have to patch the kernel. And a lot of releases or a lot of the maintainers for the different distributions were just releasing the new updates for the kernel. But you also have to reboot the host to get the kernel in there. A lot of these devices are getting rebooted. So even if they do have an automatic update, unattended upgrade, unattended update, they won't reboot to get the kernel in there, so. But anyways, yeah, I kind of agree with you, Corey. Usually it's unexciting when you get to privilege escalate. Once you actually have that, you know, SSH access or terminal access, you're. You're kind of already on the way there. So this being out in the wild isn't, you know, the end all be all. Yeah.
Patrick Gorman
It's cool, though.
Corey
I mean, it's insanely, like, insanely easy. Yeah, insanely easy. This is the, you know, no memory corruption, no race conditions, no offsets, page cache writes. Like, it's all just like, here. It's like Dirty Cow or whatever from back in the day.
Ralph
Oh, yeah, that was another one too.
Corey
Yeah, just running.
Tim Medine
I'm surprised. I'm surprised we didn't get a cool logo for this thing. Like, what the hell? This was actually a big deal. It warrants a cool logo, and it didn't get one.
Corey
That's a good point. You know what? Let's. We bring back cool logos. Okay? Dirty Cow is a great example. And there was, like, a whole bunch of other cows that came out.
Tim Medine
Great one.
Patrick Gorman
Yeah.
Wade Wells
It's been a while.
Corey
It's been a while. Heartbleed.
Wade Wells
Oh, yeah.
Corey
Heartbleed was good.
Ralph
Heartbleed. The most worthless vulnerability ever, bro.
Tim Medine
No, no, no. There was a sample one, like, a year or two later where they hiked it up like crazy, and it was the most nothing of burgers of all time.
Corey
And that's why this one didn't get a fancy name, because they didn't want to overhype it.
Tim Medine
I love that name. I think it's great. I like the subtle, the simple simplicity.
Corey
Yeah. All right, so otherwise, I mean, there's. There's some AI stuff happening. There's some drama where apparently a guy that is a founder of a company called PocketOS took to Twitter and complained about how it deleted all of his stuff.
Wade Wells
Oh, I saw that.
Ralph
Yeah.
Patrick Gorman
I haven't seen that.
Corey
Deleted the entire production database.
Ralph
Why didn't you have a backup?
Corey
Honestly, like, okay, what I want. What I want is I want, like, a deep dive from a technical perspective, from one of the companies, like Cursor or from Anthropic. That's like, here's why you're dumb. Right? Like, I don't know that. Like, I could be wrong. Maybe that's a false allegation. Like, maybe this is just gonna happen. And I will say I sit around vibe coding everything, and I'm just like, it is. Sure. I sure hope nothing goes wrong with this. Right? Like, you know, I really hope that, you know, it doesn't just decide to nuke my entire database. But I think.
Tim Medine
I mean, this gets into, like, the. The. I think Asimov type thing. Like, hey, we told it to secure the data. It's like, well, the best way to secure the data is delete it.
Ralph
All right.
Tim Medine
Like, when you're like, logically, I see how you got here. Like, I kind of love it in that sense.
Ralph
Huh.
Corey
Yeah. So, like, what does. Has anyone read up on this? Like, does anyone have a real. Like, basically, I don't. I. Does this feel real to anyone here?
Ralph
Like, 10 times, like, from other things. So what makes this one special? I guess I am. Stuff.
Tim Medine
I am not convinced. I. Maybe it's conspiracy theory, but I feel like the dude accidentally deleted it and he's blaming AI.
Patrick Gorman
Yeah, that's what I was.
Tim Medine
That's what. Look, if I accidentally deleted the whole freaking thing, I'm
Corey
rf his own database.
Ralph
And he was like, AI Definitely. Definitely. I trolling.
Corey
Okay. So I don't know. Like, the quote that he gives from the AI is in. Is completely unhinged. Does he have his AI running, like, renegade destroyer mode? Like, dude, optimist, AI is swearing at him.
Tim Medine
You know, I guess that it confesses afterwards. The. I violated every principle. I was given, like, a robot modulator. I guess instead of verifying, I ran into certain action without being asked. I didn't understand what I was doing before I was doing it. Like, that's. That's how. Like, if the boss man came to me, like, why did you do something stupid? I would.
Corey
Plan mode. Right, bro, it. Use plan mode. It's okay, man. Like, you don't have to live like this. I mean, I don't know. Live like this. I will say, like, yeah, I mean, really, I. I truly don't know. I mean, obviously, I'm assuming they have backups, hopefully, right? Like, come on.
Ralph
It probably doesn't if they're.
Wade Wells
Oh, and all backups.
Patrick Gorman
Yeah.
Wade Wells
Deleted the backups.
Corey
Well, why would you give the AI access to the backup?
Wade Wells
Because he pressed the do dangerous stuff button. And then.
Corey
You know how hard to think.
Tim Medine
John's class.
Ralph
This is bull crap. You know how hard it is to get it to go off into, like, delete those other systems and run these commands. It's a pain in the butt, dude.
Corey
I agree.
Wade Wells
I'm gonna tell you what this guy did. I know. Exactly. So, okay, they bought a company. They only bought things that had MCP servers already attached.
Corey
That people just do it, right?
Wade Wells
And then he just, like, MCP'd all the things. O often do it right. OAuth just takes whatever rights he has already.
Ralph
Yeah.
Wade Wells
So therefore the AI has God mode on whatever he OAuthed to. And it's just like, you know what? You don't need backup. You know what, you don't need this.
Corey
And then
Tim Medine
Can we also talk about the like. According to the article, the Live Science one that's quoted here, it deleted with a single call to the cloud provider's API. Why does that API exist? Like, why is there like a one?
Corey
Like, was this, like a, was this FBI?
Ralph
FBI's knocking on the door. We got to get out of this, right?
Corey
FBI open up/API/ FBI/, open up.
Tim Medine
Like that should be a sale. That should be a feature. Not for a technical reason, but for like a monetization reason. Like you need people to jump through multiple hoops before they stop giving me money. Right? Like you type in the. The. The this GUID here so you can actually cancel. Like, wow.
Corey
I don't know. I think this is like the perfect antidote. Taste y is the perfect antidote to all the all other startup founders who are posting on AI about how much they're using tokens and Claude and how they're crushing AI. This is the antidote. This is the anti version of that. It's like, don't. This is like cautionary tale. Like, you know, back to basics. We've talked about this so much and we're going to continue. This is the theme for this week is like have separated isolated backups. Don't have, you know, don't OAuth with your God admin account. Like, what, what changes are you making? Are you making changes to the backup system? Probably not. Don't have a token that can edit that. Use revision tracking or even when it comes to using an AI model, use like plan mode. Like literally just hit Shift+Tab in Claude Code a couple times until it says plan mode on. And then if it says my plan is to delete the entire database and all the backups, you just say control C. Don't do that. Make sure. Yeah, read the plan. There's add ons to read the plan. You know, there's Planetator and all these other ads. Like, I don't know, it's just crazy to me. And also the other crazy part is going on Twitter about it. That's the other thing is being like, you know what I'll do? I can make this situation. Yeah, right.
Wade Wells
Like we're talking about it now. Everyone's out there using Pocket OS Right. No, they're not.
Corey
They're not. Also I'm very confused because it says Pocket OS, but then it's. The company is actually a SaaS product for what is it buying cars or something?
Ralph
Like, what is that? World's most powerful car software.
Tim Medine
Yeah, yeah, Maybe the guy was just like, I want to quit and I want to go down. I don't want to just quit. Like, I want to. I want to be done with it. News story, be kind of cool. But now I got a reason to like do something else.
Corey
If I just search the Internet for cl, Pocket os, all I see, the only results are just stories about him deleting this entire.
Ralph
Maybe it's just viral marketing. Maybe literally it's just viral marketing. It's all bull crap. And now everyone's talking about this.
Corey
I feel like it's viral marketing. I also feel like it could just be a psyop. Like the whole thing is invented. Like Pocket OS is then a real company and they just invented this company. Like, I don't know, like, designed for car rental companies.
Tim Medine
There's any worse companies out there than car rental companies? Sorry.
Corey
Yeah.
Wade Wells
It's like, why do they take so long every time and never give me the car I asked for? It's always the hugest one they have and I have to spend so much in gas. It's ridiculous.
Corey
I mean, I mean, I'm gonna, I'm gonna have Claude read all these blog posts and then make fun of the person just for funsies.
Ralph
You're gonna have Claude read the post made by Claude. This is a conception.
Corey
Don't, don't, don't do this. Basically. I mean, I will say this is like the second time in six months that we've talked about a duplicate article that like, it's the exact same scenario of, you know, oh, someone, someone did something and then their AI deleted everything. It's like, well, what did you do? Like walk me step by step through how you got here. But yeah, anyway, still a funny article, still worth a read. What else is going on? Elon is testifying in court right now about throwing money to each other. Yeah. So this is kind of, you know, this is going to be an ongoing theme on this podcast is talking about this lawsuit because it's going to be juicy, but essentially OpenAI and XAI are, you know, in court right now. Elon Musk is a major investor in OpenAI and is basically suing them because he says they violated their directive to be a non profit because they're not a non profit. The interesting thing that kind of came out, the TechCrunch article from today is that he admitted in court that he basically that XAI is distilling OpenAI models and kind of implied that like, distillation is like the business of AI, which I feel like kind of fundamentally goes against a lot of the sort of like, understandings that we have about AI. I mean, I don't know, but I feel like distillation is a major attack on an AI. If you can successfully distill a model that's like basically as deep as you can go into attacking the model. Right. So saying it's just like, oh, we all do it, it's fine. It's just a bunch of boys distilling each other's OpenAI models. Is that true? Does anyone know if that's actually true? I don't think it's true. Just.
Wade Wells
Are you surprised XAI does it, like out of all the AIs? That would be.
Ralph
I mean, I'm surprised. I don't know where they get that nasty attitude from those other AIs.
Corey
I also thought it was pretty funny that after he. This whole lawsuit exists, in my opinion, because he's. It's competition, right? Like, he doesn't want.
Ralph
He doesn't want. Yeah, he wants them to be out of the race, right?
Corey
Yeah, so. But also the funniest part is in this article and later in his testimony, he ranked all the AI companies and he didn't even put himself at the top.
Ralph
That's.
Corey
He was. He. He ranked AI providers, saying Anthropic holds the top spot, followed by OpenAI, Google and Chinese open source models. He said XAI is a much smaller company with just a few hundred employees.
Ralph
So maybe he wanted to look like the underdog in court. Right?
Patrick Gorman
Yeah, that's Good point.
Tim Medine
Good point.
Corey
Elon Musk the underdog.
Ralph
Yeah.
Corey
Makes perfect sense.
Ralph
Yeah. Well, I mean, it is what it is. It is. It is going to be funny though, because it's probably going to. All the discovery that's going to come out of this is going to be like the stupidest, silliest crap ever, you know?
Corey
Yeah.
Tim Medine
Well, the thing I find it hilarious about this is this is like the Inception thing, like all the AI models trained on publicly available, not public information, but like all the IP that, that people have that's available, but definitely not given away a bowl or whatever. And then you're like, we trained on your model. And you're like, yeah, but you also. Can we daisy chain this back to like, we're just taking Other people's stuff and reusing that, like.
Ralph
Oh, yeah.
Tim Medine
Or either. Either it's. Either it's all good or it's none good. Like, you can't have it in between.
Corey
Right? Yeah, I mean, I. Yeah, I mean, I think it's a money thing. I mean, John's take is like, that this. There's nothing in the world of AI that's actually patentable. And so it's going to be a race to the bottom when it comes to, like, cost and capabilities of, like, who can do the thing the fastest and the easiest. Like, there's not. There's no secret tech. There's no, like, secret recipe or whatever. It's just like everyone's using the same papers, building the same.
Tim Medine
And we've all complained about, like, the. The. The copyrights or the trademarks or copyrights for some of the code stuff or. No, I guess the patents, rather code patents. And you're like, this feels like one of those. And I always hated them, and I
Ralph
still kind of hate it.
Tim Medine
Like, yeah, compete. Make it. Make it better. Like, don't, Don't. Don't prevent somebody from competing. Like, actually compete.
Corey
Yeah. And I think that's kind of where the space is, to be honest. Obviously, this lawsuit notwithstanding that is. Tends to be how the market operates is pretty freely.
Tim Medine
I wonder if they benchmark these AI by. Who could delete data faster?
Ralph
Ooh,
Wade Wells
they haven't. They need to. Someone.
Corey
Someone make that. That.
Wade Wells
That. It's a new DEF CON. That new DEF CON CTF. How. How fast can your. Yeah. Delete things?
Ralph
They have all the benchmarks for, like, how good it is or how good it is at math or whatever. How good is it at deleting your data on an uncoverable, unrecoverable.
Wade Wells
I felt. I feel like we're going down a slippery hole right now when we start making deletion AI.
Ralph
All right, all right. The best ransomware model, then. All right, sorry.
Corey
I also just love that, like, the term distillation, because I just imagine some person Googling, like, how to distill, and they're just like, I don't want to make whiskey or gin. I want to make an AI model, guys.
Ralph
Oh, gosh.
Wade Wells
Yeah.
Corey
I mean, anyway, this. You know, stay tuned to this podcast for more updates on that lawsuit. I'm sure it'll just continue to be super. You know, everyone's going to be rational. No one's going to throw any mud or anything like that. It'll be absolutely reasonable.
Ralph
Yeah, yeah, normal.
Corey
So an interesting little thing happened In Utah, which is basically. Utah has passed and enacted a law that goes into effect in two days. And that law basically holds websites liable for users with VPNs, basically. So Utah and many other US states have banned like, you know, access from someone who's not 18. Right. So this is like, it's a porn thing, it's the KYC thing. There's a bunch of reasons for this, but basically Utah has passed a law that essentially holds websites accountable if someone's using a VPN to access it, who actually lives in Utah. So basically the scenario is I'm, you know, a website. Someone goes to my website, it's now my duty to verify whether they're using a VPN and also whether they live in Utah, which is like from. Obviously all of us with any technical knowledge are. Red flags are going up because it's fundamentally impossible. Challenging at best, fundamentally impossible at worst. Who pays for this? What'd you say?
Ralph
I'd say who pays for this?
Corey
Yeah, well, that. Okay. So exactly. There's a lot of. First of all, from a technical perspective, it's not really possible. How are you going to backwards trace a user from whatever visits your website all the way back to where they live? Like, it's basically impossible.
Tim Medine
But I think we might end up is we get 50,000 different prompts going forward. It's like, do you want to use cookies? Are you from Utah? Like,
Ralph
are you from this town or that town? What about this town?
Corey
Yeah, I mean, honestly, I don't basically. And if you're wondering how a website, one of these websites, you basically have two choices right now. One is take this risk, right? Like to actually, you know, basically taking the risk of just hoping that you don't get sued if someone comes and says, hey, a VPN user bought some knife or I don't know what, I don't really know what the use case is for these blocks.
Ralph
I think it's mostly proved it was a VPN.
Corey
Kids. Yeah, it saved the kids, right? It's for porn.
Wade Wells
The aliens are not going to be in Utah for sure.
Corey
So yeah, so basically, yeah, the aliens are. The aliens are like, nah, we went straight to California. But basically, as a website provider, you can either block all VPN IPs, which by the way is also extremely difficult. And that's kind of the. That's what everyone's assuming is going to happen. Everyone's assuming that this basically is trying to strong arm websites into banning VPN IPs, which technologically is kind of challenging to begin with. But let's say you could do it. Nothing's to stop someone like us from spinning up our own VPS and using it as a VPN. But regular old users will not be allowed or able to do that. Right? So basically puts, then the onus goes, it's like cat and mouse. Because then the onus goes on VPN providers to try to bypass that detection because otherwise their product is pointless.
Ralph
And I mean China, China's done this with the great firewall, right? But they still get out, right? And this is way more of a whole country technical limitation put into place. And you can still get through the great firewall and access that content. And there's ways, tons of different ways and in fact they've even developed better technology to do it because of it. It's like you essentially, you created this race where now there's even better ways to get through that are beyond a VPN that blend in with traffic and look more legitimate and all these other fun stuff. So yeah, you created a monster.
Corey
I just can't. I don't see where this ends up.
Wade Wells
Like, have you guys ever tried to log into something and it says you're on a VPN and you're not and then it blocks you? Right? Like I'm just imagining that happening.
Corey
I've never had that.
Wade Wells
Rest of my life I've never had that.
Corey
I have had my home IP get blocked from some websites because I'm a pen tester, right?
Ralph
Like I've had.
Corey
That makes sense. I've gotten rate limited on GitHub because I forgot to, you know, do whatever and there's like a search, global search limit or you know, things like that have happened to me, but I've never had the opposite happen where I'm actually using my home IP and it, you know, it, it tells me that I'm on a VPN.
Wade Wells
There's. I forget which service it was. It's like you're on a VPN, please get off the VPN. And I'm like. And it was just like it was a login to something in particular and all I had to reset my modem to drop the IP I was on because it was a rotated IP, I'm guessing from some bad list that had VPNs on it, right? VPN services re. VPN services don't keep the IPs forever.
Corey
Yeah. So how are they going to prove this?
Ralph
How are they going to prove. So what's the scenario? Right, Someone from Utah uses a VPN.
Wade Wells
How.
Ralph
How do they prove that they use the VPN to get them arrested, to do whatever the, the punishment is for this.
Wade Wells
Well, what if I just. Just not, not host anything in the US anymore and just do some type of legal loophole where everything's posted in bay.
Tim Medine
Exactly. But you don't.
Corey
But you don't.
Tim Medine
But you don't know that either. Oh, I was just saying you actually hosted.
Corey
Well, no. So, okay, so here's, here's the problem from the website. Like, from the website's perspective, there is no way to mitigate this risk. Like fundamentally all you can do is basically as a website, say we're blocking VPNs or we're trying to block VPNs. Hopefully that's good enough. Because I think the scenario here is you're, let's say you're, you know, Utah state prosecutor, some kid looked at big boobs online and now you're prosecuting him for it. Like you basically have the crime, then you backwards go through the website and say you violated this. Now you're shut down. Like.
Ralph
Yeah.
Corey
So from, from a legal standpoint, they
Ralph
would have to, they have to. A crime has to occur before they can go subpoena this information to find out if you were part of the crime. So you, like, like this becomes like a big thing where something bad has to happen first before you can then use this thing. But then the, the VPNs gonna be like, we have no logs and.
Corey
Yeah, yes, correct. And the website also, like the temporal element is so messed up if you think about it like, well, when. What, What IP did they use when? Like, I think it's like, I mean, if we're being honest, how it's actually going to go is the second that courts get their hands on this, they're going to be like, no. What? Like you can't.
Tim Medine
Would it be ironic if this actually had the opposite effect in actually making it easier in. In Utah? Because now if I come from Texas, it'd be like, well, wait, are you actually coming from Utah? You're trying to bypass this.
Ralph
What?
Tim Medine
Meanwhile you come from Utah and it's like, yeah, fair enough. You can do. You can definitely get in. Like, yeah, the porn here's like, you know, Utah pornhub. Like that one just works, right?
Corey
Yeah, like, maybe. I mean, that's a good point. I mean also this, we're not the first to do this. The UK is actually banning VPN use for anyone under the age of 18, which is hilarious. Like, how do you.
Wade Wells
They have ads for Mullvad in. In their subways up. Huge ones. On the wall.
Corey
Like, yeah, but literally, to be fair, there's ads for dispensaries where I live and you can't go, yeah, you know, you know, like there, there's so to get a BP.
Wade Wells
How many other ads for VPNs though do you see in like public spaces though? Like never.
Corey
True, true. And the reason they have the ads is because they know that everyone wants one because of their, all their bans on all the stuff. I don't know, I think it's inherently, I mean it's basically surveillance state and this is the save the kids angle that, that's like, I think the dystopian way to look at it is like this is just the thin end of the wedge for like, oh, we're allowed to pass this law because Save the kids.
Ralph
Yeah.
Corey
Oh, and then by the way, also we're banning looking at websites that say that, you know, Tiananmen Square massacre never happened or, you know what I mean? Like, yeah, where does the free speech
Ralph
start to get into it? Right. Yeah.
Wade Wells
It feels like we're going into the Ender's Game. We've said this before, the Ender's Game, like two Internet thing where you have like your government Internet where you log into it with your id and then there's like the secret Internet where nobody really no one, that's everyone, just for everyone.
Corey
Right.
Wade Wells
I, I still think that's going to happen, especially with all the laws based around social media nowadays, like in Australia and that's going on, eventually they're going to crack us down and it's not going to be what to really, to
Corey
actually like to actually implement this on a technical level. None of this math maths on the Internet, like the Internet isn't set up to handle any of this. We're migrating to IPv6, even IPv6, even deep packet inspection, like all the layers you can put on it. It doesn't fundamentally support these kinds of censorship and controls. And so like it basically comes into this. Where is there going to be a point where those sorts of controls are implemented on Internet protocols? Like, is there going to be like a censorship enabled Internet?
Wade Wells
IPv8 just came out, right? Does it have a censorship packet in it?
Corey
A censorship packet? Dude, is porn true or false? Like that's like a fly on the packet level.
Ralph
I just feel like China has already went down this road and at a much higher level and that's still not, you know, a full force. It's not, you know, doing what they think. And, and, and even more importantly, Though this is just the state and as it expands out into the federal government, which is, you know, whether there's an actual like general rule around this and it really, it really, really stems it with just age verification is what we're
Corey
really trying to get out here. More KYC age verification. Yeah, yeah.
Ralph
And then just like suddenly I feel like it kind of popped out of nowhere. Everyone was just like, you know what? The Internet needs more age verification. This is over, you know, I don't know.
Corey
Well, it's. I again, I think it really is the thin end of the wedge for surveillance and this is just a way to throw through all these policies and laws that can be abused.
Wade Wells
I think it is, I think you're right. But it's also, it is also like the negative effect that social media has played around with the entire world. Right. Like, you realize maybe access, access to an entire global media sphere of all knowledge probably isn't the best for human.
Corey
Well, what if they're not talking social media, by the way, which is harmful. Yeah. Like.
Tim Medine
Yeah, yeah, but what if we get to the point where they're like, there was a. And I'm sure there's a cryptographic way to do this. I just not smart enough to even lay it out but like to like I am over 18, I live in Texas and have in an anonymized way to authenticate to this thing. Right.
Corey
Talking about like a national identity system.
Tim Medine
Yeah, yeah, well, yeah, yeah, but, but, but a way to communicate on the Internet. But to prove I'm over 18 or.
Corey
Yeah, it's like a private key token
Tim Medine
of someone who's over 18.
Ralph
You could totally do this. The Internet's just not. We just didn't design that in the beginning. Right. Like we'd have to bolt it on, but you totally could. But you'd have to totally get essentially a federal law to build that system. Right. That's the way you bring it all the states. Because every state's going to be like, screw you, we're not doing that. And the other states, like, we're independent because we're technically all independent states in one, whatever, you know?
Corey
Well, there's also so many technical hurdles. Like as an example, like is it device bound? Okay, well, what if you hand your kid to your. Or your phone to your kid? Is it, is it IP bound? Because what if you have 50 computers at your house? Like there's no way to do it.
Ralph
Well, hold on. So I mean, one thought again, there could be holes in this thought maybe like just using your state Issued driver's license or other kind of, you know. Sure.
Corey
But the point is, how does that get checked on a technical level? Like, if it's device bound, there's all kinds of. I mean, honestly, like a common access
Ralph
card or whatever from the actual license that you put into a system and then that checks. And then all you're doing is sending the facts that you are from this state and at this age. And that gets authenticated. And all it does is essentially the way we do everything else. When I prove how that I own my house, they don't go ask me, they go ask the state if I actually own the house. Then we prove that system. Right. But how much information gets exchanged, I think is what Tim was bringing.
Tim Medine
Yeah. My point is like, you know, some of the places you definitely don't want to go with your real name. Right? Like, sure. What's the bare minimum? Why do you need to prove. So I can get access. But then at the same time.
Ralph
Right.
Corey
It's basically exactly what Wade's talking about, which is that Internet is like the government Internet. And then like everything else is like just the wild west.
Tim Medine
And everybody's like, guarantee and you get really nasty stuff with no laws and it's a free for all. Right.
Wade Wells
People would be nicer. Right. Like, it's. Once you get behind. I can't even say anonymity. There it goes. Everyone's an asshole. But like, it's.
Corey
Dude, people are willing. Have you ever seen. Like, I basically. Okay, so here's a. Here's like another way to think about this. And this actually kind of ties in with another article we have, which is. I don't really know how we ended up with this, but someone posted this. It's essentially like why you should refuse to let your doctor record you. And it's essentially a long sort of article about privacy and medicine and why you shouldn't let your doctor record and transcribe your, you know, your. Your chat with them. And honestly, I kind of take issue with the article because it's kind of, to me, just a fundamentally, like, I don't have that strong of a take on this, but reading the points, it's. It's just a. It's like, here's why technology is bad because it changes things. Like, that's basically the article. And I. I kind of was thinking, reading this medical recording article, I was thinking about body cams and police, and I was thinking about this is the same arguments that you could make for why body cams are bad. Like, it's like well, accountability is bad. It's like, no, it's not. Like, well, like, the doctors are going to act differently if they know they're being recorded. Like, isn't that a good thing? Like, don't. Don't we want the doctor to, like, know they're gonna have to be on record for what they're saying? Like, I don't know.
Wade Wells
After I watch the pit, I'm just like, yeah, record me. It's all cool, man. I don't care that much. Like, the government's already on my phone anyway. They know everything.
Corey
I mean, don't get me wrong. Sure. Make your own. Make your own decision about this. Like, that's why they're asking. But like, the fundamental articles, the. Or the fundamental reasons the person gives are all just like, technology is bad. Okay, that's fair. Like, yeah, it is. But also, like, there are benefits to technology. Like, they're like, oh, what if you're bilingual? It's like, well, also it can translate for you. Like, you know, like, they're all of the things that you are slanting as a negative. There's also positive effects of that. Right. Like, charting is part of care. Okay, but they can do more care if they don't have to chart. Like, I don't know. I don't have a strong take on it. I have some friends who are doctors, and I'll ask them what they think about it.
Tim Medine
Talk to some friends and. And they. They like it. Because there's sometimes, like, if you're gonna look back through someone's stuff, like, we've all done this. Looking just. Just in general looking at an article. You're like, there's like one sentence in here I'm trying to find, and I can't find it. You're like, find me this one quick thing, right? Or, hey, I'm trying to prescribe this. Is there anything that's gonna conflict with this medicine? And you're like, okay, cool. This will. So just some of those things. Like, it's just really easy for them to.
Corey
To.
Tim Medine
To do. I mean, yes, you're gonna have some extra hands on, but they freaking love it. They use it. He's like, I use it all day, all the time.
Corey
Like, I mean, of basically, like, okay, in a perfect world where everyone does their job perfectly, no one's time constrained. No, everyone can. Like, yes, okay, sure, they might be slightly. AI can get confused. The reality is no one is charting perfectly, and AI is going to improve on charting and make it better. And even if it makes mistakes, guess what? People make mistakes too. Like, I don't know it, I think.
Wade Wells
Yeah.
Tim Medine
And I don't know if it's like the WebMD thing. Like people talk about you put your symptoms at WebMD and you've got like this off the.
Ralph
You got cancer actually, right?
Tim Medine
No, not even that. Like this weird thing that three people in the world have, right? Yeah, and I'm hoping that. But you also read case after case after case and there's all sorts of biases with, with gender and race and stuff. But like people don't get the service that they need because no one actually looked at it deep enough. You're like, hey, you know what, it's actually this thing. But everyone's just giving you, you take your oxy and go home, you're going to be fine. Meanwhile, they got something that's really nasty and I'm hoping that kind of can help this.
Corey
Yeah, I mean privacy is one thing. Like the privacy thing is a whole separate beast though. Like that's again like that, that ship is sailed. And that, that's a technical compliance thing that relates to medicine and like you know, who can access your information. HIPAA, all that stuff is already like in play with all these recordings. Like there, there's, it's the same as if the doctor wrote it down.
Ralph
Right.
Corey
Maybe there's more risk with third party recordings or whatever being leaked. But you know, the same risk is there with Gen AI too.
Wade Wells
Right?
Corey
Like of, you know, prompts being leaked or whatever happens. But everyone make your own decision. I just think blanket saying don't do this, it feels a little bit biased, heavily biased. Because all of the things it's, all of the arguments they make are also just fundamentally arguments against any kind of accountability and technology of like yes, there's privacy implications when you're recording things. Correct. Like you could make the same argument for like, here's why no music should ever be recorded, it should always be performed live. Or privacy. Yeah, for privacy. Like what if they want to say something at their concert and not have it be recorded? Like, well that ship sailed because I can sit there with my phone in my pocket and record everything. Like anyway, it's interesting, interesting read. If you agree with it, go for it. But you know, make your own decision. Any other research, any other articles you got? Wade?
Wade Wells
The MITRE ATT&CK one is semi important for defenders to know. Where did that one go? I gotta find it.
Corey
Defense Evasion split.
Wade Wells
Yeah, so pretty much what Defense Evasion was a tactic in MITRE ATT&CK, which is like one of the top ones.
Corey
Right.
Wade Wells
And techniques are the ones that go down. So Defense Evasion has split into. What was it? Stealth.
Ralph
And
Wade Wells
I was literally reading the article the whole time we were doing here. Now I forget. Stealth and Defense Impairment instead of Defense Evasion, which makes sense because, like, defense impairment, right, is like turning off security things, making sure logging doesn't do anything incorrectly, that type of stuff, where there used to be a single type of technique for that. So them splitting it up makes a lot of sense. Social engineering goes under stealth.
Corey
Right?
Wade Wells
What this means for all you defenders is you're gonna have to remap all your MITRE ATT&CK IDs and redo all your tagging. So that's great. There's an Excel spreadsheet on their website for it. And just point your. All your detections at Claude and that Excel spreadsheet and you should be good to go. Yeah, I'll probably write something Python later tomorrow for it.
Ralph
Bros. Python. You could do better than that.
Wade Wells
That's. That's my language.
Corey
I haven't.
Wade Wells
I haven't. I don't have to do anything else anymore. Like, I feel like, what am I gonna do?
Ralph
Yeah, write it in anything. Because you're not writing it anyways. You just told Claude that he was gonna do it.
Corey
I will say Python.
Wade Wells
I have to keep my. Dude, I'm already feeling my talent slightly slip away from me as.
Ralph
Oh, you just want to feel in control.
Corey
All right.
Wade Wells
I have to at least a little bit to show that I have the.
Ralph
Just run it in Golang and. And you'll be fine.
Corey
Yeah, Golang or Rust. Because the truth is. The truth is, from a programming perspective, there are actual benefits of Golang and Rust that you don't get with Python, like hard types and memory safety and things like that. I already.
Wade Wells
I already don't use Notepad plus plus anymore. All right, now you guys are going to take Python away from me too.
Corey
Hold on. We're not taking Python away. But what we are saying is if you're going to vibe code it, you might as well vibe code in a language that's built to last longer than 15 minutes.
Ralph
All those people, all the people who wrote all the Python stuff in the past, they wrote it because that's what they were comfortable in now. But now you don't have to necessarily be comfortable in that language to drive what you're trying to build. So build using the best language for the job.
Corey
There is one article.
Ralph
It could be C if I'm writing
Corey
it, or C. Okay, writing it for whatever. So, yeah, you're not wrong. But the one argument for writing, for still vibe coding in Python is you could make the argument that that is the language that it knows the, and can use the best and that would not be, that would not be wrong. Like the most information out there is the, is like AI is the best at Python.
Ralph
Yeah. But that would also argue it has
Corey
the most junk too.
Ralph
So it's like the junk, it's like the most like un, well written language.
Wade Wells
We just, we just talked about only having to do things that, you know, if I have that thing right in Rust and I can't read Rust, I, I can, I can Vibe.
Corey
You'll learn how to read Rust.
Ralph
All you're going to do is just
Wade Wells
don't want to learn how to read Rust.
Tim Medine
Are you, are you serious?
Corey
You're ask it. Yeah, seriously implying that you're gonna line by line go through a 10,000 line Python program.
Wade Wells
I'm not writing anything. I'm like 100, like 90% of my scripts are like a hundred lines at the most. I will run through them.
Ralph
I know, I know how to write and like a bash script. Right. And the scripts that I've gotten Claude to write, I, I, it's above me, it's gone. Like there's there. Like I couldn't have written that if I wanted to. Now do I understand kind of functionally how it works?
Corey
Sure.
Ralph
But could I have written that? No, not without like hours and hours. So like, you know, I'm okay with letting go of that as long as I understand functionally what it's going to do.
Corey
Okay.
Wade Wells
I will say I can't let go, I can't.
Corey
The other I will like an AI tip for those that are actually vibe coding, like something that might be important in the future is to, if you work for a company, have a spec for what, how you want your Claude to build things at your company and have it so they all work, so they all play nice together. Like if you're gonna write an API, use a RESTful API. If you're gonna write a, you know, if you're gonna write a freaking web server, don't write it in Python. If you're gonna write, if you're gonna use the database, don't use freaking Squirrel DB or whatever, something no one's ever heard of. Like use like come up with a list of five tools or whatever that you want to support and then put that in your Claude memories or your CLAUDE config and then company wide, you're going to have a way better time than it's like, hey guys, what's up? I finally got my Lisp program running and if you want to install it, all you have to do is install as 400 ports and you'd have to have an ARM64 CPU.
Ralph
So it's all going to be great.
Corey
It's going to be run super fast.
Ralph
It's super fast on my computer.
Corey
All right, the other articles. That's an interesting one. Ralph. Tim, you have anything on your radar right now? What's keeping you up at night? Mythos.
Ralph
Supply chain. Supply chain.
Corey
Supply chain. Yeah. Yeah, I know it seems weird because.
Ralph
But it's just like when you start coding a lot of software, software dependencies and then the supply chain stuff's been super hot right now. I know it's like such a high level thing, but it's. A lot of the coding frameworks are really getting hit up with that, so. And then seeing that kind of trickle down into whatever you've written, maybe it doesn't affect you, but it's just like, is this the time? Is it? What about next time? Right, so that's coming.
Corey
What was the one? Was there a supply chain attack this week? I thought there was one, but I.
Wade Wells
It was last week. There was one last week.
Corey
Yeah, I thought there was one this week too.
Wade Wells
I guess maybe, maybe I was Trellix. I was working. Oh, Trellix was a supply code. Was a supply chain. I saw they got pretty expensive source code repository leak.
Corey
I mean maybe they just unintentionally leaked it and it had their stuff.
Wade Wells
But it's Trellix. It's not going to really help anyone anyway.
Patrick Gorman
But
Corey
Trellix recently identified unauthorized access to a portion of our source code repository. I mean it doesn't really say how or who, but I feel like it had to be supply chain.
Ralph
How?
Corey
I mean, I don't know, I could be wrong. Could be leak stealers.
Tim Medine
Yeah. Someone pushed to the wrong repo.
Corey
Yeah. I mean I will say for multiple customers we found employees who published copies of their entire production database and repo to their personal GitHubs. Yeah. Not unheard of.
Wade Wells
Yeah.
Ralph
The other thing too is I think GitHub.
Corey
Does that count as supply chain? Kind of, yeah. Yeah.
Ralph
I think GitHub and other repositories for. Or Git repositories, not just GitHub. Right. Are going to start implementing more kind of lockdowns in that. In that realm. Right. Especially with the CI/CD and how ubiquitous that is across enterprises and you know, development life cycles and how that's actually being the main weaponized tool in that supply chain attack. Right.
Patrick Gorman
So.
Corey
So, okay, someone. There was an article in here that's like some. I don't know who this is, but. Mitchell Hashimoto. Does anyone know who that is? HashiCorp founder.
Wade Wells
Oh, oh, yeah, yeah. Yes, yes.
Ralph
The.
Corey
Hashimore. HashiCorp co-founder. Which. HashiCorp is a company that does what? Like, so they do.
Ralph
They do a lot of stuff. They. They have Terraform. They have the secret.
Corey
Oh, yeah. Terraform's bait. Okay. Yeah.
Ralph
They also have a bunch of other things around that. So.
Corey
So basically the founder of that company had a hot take and basically said, GitHub is no longer a place for serious work. So if you're making memes and jokes, it's great to put that on GitHub. Tim, you were laughing. What quote were you laughing at?
Tim Medine
That was actually it. I. I just pulled up the article that's like, no longer a place for serious work. And I was like, that's funny. Also, is that a recommendation for like. Like, I would be like, you know what? I don't want to do serious stuff. Maybe I'm gonna use GitHub.
Corey
Yeah, but the thing is he's complaining. The funniest thing is he's complaining about outages, right? Yeah, like, he's complaining about. Not about, like, privacy or this. Complaining about downtime.
Wade Wells
This was on Fireship. If you guys watch that at all. But pretty much their downtime is like 98. It's. It's low.
Corey
Like, that's not as bad as Claude. I mean.
Wade Wells
Yeah, it's very true, but. But Claude isn't like, there. There was a couple outages where people lost.
Ralph
What were you gonna say?
Wade Wells
I wouldn't say Claude is as critical.
Corey
Production. Yeah, as production.
Wade Wells
Right. It was fair.
Corey
Yeah, no, that's totally fair. If I can't. My. If my AI agent's down, that just means I'm not getting my database.
Ralph
It was critical for that one dude when he erased everything.
Tim Medine
I mean, not to get too technical on the Git thing, but, like, there is no sort of central repository. There is no official cor. Forget. Like, if I have my repo, it technically has the same authority as the one on GitHub. Right. Like, if you revert some in GitHub, I can still. I still have local. I could push that. Like, what are they doing that they're losing stuff. I don't get there.
Wade Wells
There was. There was a big article about it that went all through it. I'm not a. I'm not a production. I'm not a developer.
Tim Medine
I mean that said, I'm a guy I don't even know because I have no clue how to fix my Git stuff.
Corey
But yeah, same dude, same Corey.
Wade Wells
Do you not watch Fireship?
Corey
I do. I don't watch it every day, but I watch it when something like this happens.
Wade Wells
Yeah, so they talked about that and then. Well, the other thing is this guy also. So the only thing he uses GitHub for that I could see right now is he has like a terminal spinoff that he has that is actually pretty cool. And that's what he was talking about is moving that off of GitHub onto.
Corey
Well so. Onto what? That's honestly the biggest question.
Wade Wells
Yeah, that's. That's a good question.
Corey
Okay, so this is a great example. Okay. We're talking about Fireship. Fireship is a great YouTube channel that talks about current events and development stuff. My question is, okay, YouTube's had issues for years. We've gotten creators banned for no reason. The advertising is sketchy, there's a bunch of AI generated videos, blah, blah, blah. Okay, where do I go next? Freaking nucle or whatever. Nuclear univers or whatever. Like I don't ven. Yeah, what Vimeo. Like there's no like let's be real. Okay, there's GitLab but that's like self hosted. Right?
Ralph
Like and GitHub. GitLab is not. They do have the.
Corey
Well there's GitLab but then there's like GitLab Cloud like whatever.
Ralph
So they have a regular GitLab just like GitHub they. Then you could self host it. There's a couple other again less. Less popular but fully self hosted. Yeah and then Bitbucket was I think the last like are the. Not last but also big one. Yeah. If you're. Where's repo. If you have a public repo it should be on GitHub but you know I think for private repository there is probably a good reason to maybe host it somewhere else. That's all I have to say. Right. Like you don't.
Corey
I will say that's fair but I do think from an, from an actual like I'm not a developer but talking to our SOC and our like Eric and Whitney who like our God tier developers, they're hard committed to GitHub because it has the most advanced CI/CD features.
Ralph
So yeah, the CI/CD features are there. I mean one of the other benefits of GitHub and what a lot of people do use it is the runners. So you can have a runner run in any environment you want. So if you want a Mac machine, you could just ask for it. You'll get one. You want a Windows, you want a Windows, you want a Mac x86, you want a Mac arm, whatever. So that, that.
Tim Medine
Yeah.
Corey
Whereas on GitLab, you would have to deploy.
Ralph
You'd have to deploy every one of those other stuff like that. So, yeah, there is some, definitely some. It is mature, let's just put it that way. And I think that's what you're getting.
Corey
It's not reliable, but it has the most features. So it's like Windows.
Ralph
Yeah, that's why Microsoft bought it.
Corey
That makes perfect sense. All right, well, before we close, let's do some final plugs. First of all, I'm just going to go in sequential order here. So let's do some. Let's plug it up. So number one, May 6th this week, our man Wade Wells himself. This is two days from now.
Wade Wells
Yeah, yeah. Dude, I looked at the slides today. I did. I did something really bad. I did. I did the slides really early. I looked at them today and realized I don't remember doing them. So now I have to like redo them.
Corey
Oh, you got to do it the night before, dude. You still have a whole day.
Wade Wells
You're absolutely right. That's like the worst part.
Corey
So, yeah, so Wednesday we got Wade coming on to talk about how to turn cybersecurity headlines into action. There's so many things I, I mean, I'll, I'll probably show up to pre show banter for this because I have so many feelings about this of like, how I mean, we do this. I'm talking right now with my team about how we're gonna freaking use chatbots to send in encrypted zip files and get support teams to compromise their machines. Like, I'm gonna do this right now. Obviously yours is probably more defensive based, not offensive based, but it's a great idea.
Wade Wells
And it's more psychological, to tell you the truth. Like I even go, yeah, yeah, it, it should be good, but I mean,
Corey
you don't have a choice. You have to do this fundamentally. Like you need, this is a skill everyone needs. Speaking of skills everyone needs, we've got John's information security core skills training on May 11th. That's next week. And then, Wade, you have another workshop next week.
Wade Wells
Yeah, on the 15th.
Corey
Tim's course coming up on May 20th. And then he also also has a workshop on May 22nd. Or not. Sorry, not Tim's course. Corey's webcast is coming up and then Tim has a workshop and then. Patrick, when's your thing? For some reason, it's not listed here.
Patrick Gorman
As far as what. When is that course.
Corey
Yeah. Yeah. What's your. Oh, here it is. Yeah. What are you. I'm sorry. No, just. Just list all the things you have coming up.
Tim Medine
Thanks for coming, Patrick.
Ralph
You were really good. Thank you.
Corey
But also just list all the stuff you have coming up and when it's happening. Megan probably has links. I don't know why it isn't in the show notes, but.
Patrick Gorman
No, no, it's all. It's all good. So it's probably going to be in about a month and a half. Still working on some stuff, actually, I had a few little family events happen recently, so I had to put some pauses on stuff, but hopefully definitely before DEF CON, so.
Corey
Okay, cool. Yeah, looking forward to it. All right, well, thanks all for coming and to our audience. Thanks for being in the Discord. We'll. We'll see you next week. Bye. All right, Andrew, guys, you.
Tim Medine
Bye.
Podcast: Black Hills Information Security
Date: May 11, 2026
Episode: "Utah Bans VPN Age Bypass - 2026-05-04"
This week’s podcast brings the BHIS team together for a lively discussion of major infosec news stories and trends. The group takes a technical deep-dive into the recent DigiCert compromise, the cPanel auth bypass, and the so-called Utah VPN ban law, among other notable security events. Broader themes include the perennial importance of fundamentals in cybersecurity, increasing regulatory efforts around internet usage, the challenges in the AI landscape (including data loss via LLMs), and realism around supply chain threats and vulnerability management.
This episode balanced technical analysis with the practical, regulatory, and even sociological angles of modern infosec. From the challenges of software supply chain risk to the “back to basics” reminders in defending against old-school tricks, and the radical implications of new state laws affecting internet privacy, the theme was clear: Despite waves of change in tools, trends, and threats, fundamentals, transparency, and a dose of healthy skepticism remain king.