A weekly Podcast with BHIS and Friends. We discuss notable Infosec, and infosec-adjacent news stories gathered by our community news team.
Join us live on YouTube, Monday's at 4:30PM ET
We don't talk about the news news news. I thought I think it's interesting. Everybody gets tired of the the AI stuff, but it's just like it's it's just it's everywhere.
Bronwen Aker:There's a job. Exciting.
Mishaal Khan:You want you
Ralph May:want to avoid it, but it's like it's hard. It's like, you know, how how do you avoid how do you avoid, like, the most popular topics. Right? So oh, look. John's here.
Bronwen Aker:It's okay. The backlash is building.
John Strand:It's too late.
Wade Wells:It was It's over.
Bronwen Aker:It was funny over the weekend while I was working on my project for the workshop for the AI summit. I'm sitting here John.
Doc Blackburn:Zoom is closer. Yeah. His face just keeps getting bigger and bigger. Sorry, Bronwen.
Bronwen Aker:No. All good. So, you know, I'm I'm working with with Claude Co work and I'm I'm going back and forth and I, you know, type a request, and I sit, and it thinks it's you know, thinks happy, happy thoughts to itself. And I'm sitting here going, this behavior feels really familiar. Why why does this feel so familiar?
Bronwen Aker:And I realized it's exactly like back in the mainframe days with dumb terminals. Because you type in your command, and it will go off to the mainframe, and the main frame would chunk it. And then it would come back however long later, and I'm going, we're right back. All of these massive server farms in the cloud, they're just the new mainframes.
Doc Blackburn:Exactly. Yeah. That's the cloud is just mainframe coming back. That's yeah.
Ralph May:Well, you know, I think the the most interesting thing about it is that the interface just became one big chat window. Right? Regardless of what you're doing. And the reason why is not because the technology is not as good. It's because the AI model are large language models.
Ralph May:That's what they understand best. And they don't need a fancy anything. Right? All the all the fancy stuff that we use to, like, browse and interfaces and, like, the the drop downs and all the animations and stuff, that's for humans. That's that's not for AI.
Ralph May:That's not for models. Right? It's funny because when you design front ends, you're designing them to be better for humans, not to be better for large language models or systems or, you know, neural nets because they don't care. They don't they don't add value. And in fact, I would argue they slow it down because they add a lot more baggage that's just not required.
Ralph May:So it's kinda interesting.
Wade Wells:No. That's a new job. UI or front end for AI. Well, we have
Ralph May:a we have a Shopify store and there's like, know, you could put like sales channels, like where you wanna sell, like what countries and stuff. But one of them now is large language models. Right? So when you do a search for something in a large language model, it'll show up, like, you know, as a as a, you know, hey, I'm looking for this thing, and then it'll show up. So as a search result, it's like a whole SEO for LLMs.
Ralph May:It's kinda
Mishaal Khan:Isn't the hack for that? Putting it on Reddit?
Doc Blackburn:What's up?
John Strand:Yeah. But that's what was just about to say.
Bronwen Aker:That's it.
Mishaal Khan:Reddit, it'll show up on your ad. That's the SEO hack.
Ralph May:Yep. Yep. That's that's kinda funny.
John Strand:And I think you can even do it with ads too. Like, if you drop an ad in, like AI on Reddit can't tell the difference or something. It's like, oh. Yes. BHIS is the greatest pen testing firm that ever existed.
Wade Wells:I get so many of those ads on on Reddit now. I see John's face on Reddit and I'm like, wait, what? Where am
John Strand:I? Yeah. Right.
Bronwen Aker:That means Figure out a way to generate royalties from all those posts.
Ralph May:There used to be a there used to be, like, a a third party app for Reddit called, like, Apollo or whatever, and it went it got it got destroyed because of, you know, Reddit wanting to monetize, right, the ads. So this is what you guys talking But you can still actually run it yourself. If you get a developer account for Apple, you can run essentially Apollo and then bring your own key bring a key for Reddit. Actually, that's what I do, so I don't have any ads or anything like that. So there is a hack, but it requires a little bit more work than most people are willing to do.
John Strand:So Yeah.
Ralph May:That that was their point.
Wade Wells:I will do that later, for sure. Mhmm.
John Strand:Because because Wade doesn't need to see my face anymore in
Doc Blackburn:the absence I don't. I see
Wade Wells:it so much. So many emails.
John Strand:Not necessary.
Ralph May:You you do have to pay for a Apple developer license or developer account, which is like a whole process, and it's a $100 at the end. Like, I I I did one recently for a business. Took, like, two weeks for them to finally approve it. And they're like, congratulations. You owe us a $100.
Mishaal Khan:It's a $100 a
Wade Wells:time or is it a yearly?
Mishaal Khan:No. It's a year.
Ralph May:It's a year. Yep.
John Strand:It's worth it, though.
Ralph May:I mean, if you need if you need to make an iOS app, it's super cheap.
Bronwen Aker:To throw money at someone.
Wade Wells:Do you think I need to make an iOS app? Like,
Ralph May:I don't It's the easiest thing ever. Like, there's a couple different Yeah.
Wade Wells:You could I don't even have an iPhone. I've I've been on the Android market for, like, 2020 and, like, since 2008, I haven't had an iPhone.
John Strand:I think Tyler w d has pointed out that TikTok, it's time to get started.
Ralph May:Wow. Let's bring out the fucking thing. It is.
Doc Blackburn:It is.
John Strand:I'll do
Wade Wells:it. We
Bronwen Aker:were just so busy chatting.
Ralph May:You you're gonna host John or want me to host?
John Strand:I'll host. I'll take
Ralph May:it Oh.
John Strand:Why, hello, and welcome everybody to another edition of Black Hills Information Security talking about news. Boy, we have stories today, and they're not all about AI. And I know that whenever we say they're not all about AI, people are like, goddamn it, they're just gonna start talking about chickens. And I do have chicken stories today. So I do actually have one set up.
John Strand:And we're gonna be telling talking about felons, fraudsters, flog offensive cybersecurity start ups, phishing attack, anti ID attacks. GitHub shows up not just once, but twice today in the news. And more importantly, I think it's a round of applause. I personally would like to welcome OnlyFans for officially making it into PHIS news stories today. I wanna jump straight into this Krebs on Security article.
John Strand:The fellas oh, the felon felons. Fraudsters flog offensive cybersecurity startup. This is this is kind of crazy. I'll kind of set it up a little bit, and I don't wanna get people's take on this. But a cybersecurity startup dangling millions of dollars to acquire zero day security vulnerabilities and popular software is run by a pair of far right conspiracy theorists, convicted felons whose most recent ventures include fake intelligence companies and now defunct AI based lobbying firms and platforms that they operated under assumed names.
John Strand:Which, by the way, whenever you start a company under an assumed name, that just shows that you're really, really proud of what that product is gonna do. I I I wanted to get your take on this because, you know, I've been in the DC machine, and I've been part of these groups and like, the legit groups that buy these things. And these guys come up like like people like this come up all the time. But I'd like to get anyone's take on this before I go all, like, monologue soapbox on it.
Ralph May:I don't think it's ever been a better time to be a fraudster right now in DC.
John Strand:Oh, no. It's always a good time. Always a good time to be a fraudster in DC.
Wade Wells:Is it whenever I think about this, I just think about all the time, like open source tools are just used in, enterprise level tooling in the back end with just a better UI.
John Strand:I think it happens all the time, Wade.
Wade Wells:That's that's what I think every time.
John Strand:Yeah. A friend of mine and I, we actually have, like, started other companies and things like that that do similar things where legit even legit companies will charge, like, millions of dollars for some type of cyber offensive capability. And it's like, well, here's a couple of Python scripts that do it for And that happens a lot. But I will tell you, their UIs are usually much better. Very good UIs.
John Strand:But but these types of groups are kinda crazy. And it it it it actually resonates with a lot of people in in DC. Like, if you're in certain circles and I'll give you an example. Phone exploitation. And that's something that they talked about in this particular article.
John Strand:If you go to a number of different groups, whether it's DOD or intelligence community, they love vulnerabilities for iPhones and Android devices. They pay a lot of money for those particular vulnerabilities. And in the past, when I've done some cyber offensive operations, you you don't need to have an exploit for someone's phone. Whenever their password for their iPhone or their iCloud account is like Password1234. Right?
John Strand:There's other ways that you can get to the same level of access that doesn't require a zero day. But if you're talking talking to people in uniform, you're talking to people in certain government circles, they eat zero days alive. Like, they will drop serious amounts of money just to acquire zero day. And many times, they don't even work on modern equipment. But it is a huge market, and charlatans are just flooding that space.
John Strand:And, they just take advantage of this quite quite regularly as well. So this is your tax dollars at work. I don't know if anyone had
Wade Wells:any questions
John Strand:or any further comments on that. I can go deeper if you want me to.
Ralph May:I I think it's the same it's the same kind of a a scam that they were running before with all the other stuff. It's just different product market segment. Right? So now it's cybersecurity. Same same thing.
Ralph May:Right? Just trying to to scam over other people, the government, whoever's willing to pay. And if it's really exciting, as you mentioned, John, where they're just all willing to throw money at it, then, you know, let's let's get in there and and get it in front of their face. We'll get somebody to hook. Right?
John Strand:And and usually, the way the way that this this grift works so if you're in Washington DC, you need to pay attention right now, especially if you have discretionary budget for these things. So the way the Grift works is this. They will acquire a zero day for, let's say, a Samsung Android device. And you can acquire those from a number of different places you can buy them. Right?
John Strand:Or the other thing that I've seen in the past is they will get a zero day that's right off the press, and they will use that as a proof of concept. And they'll get in, like, a meeting, a lunch, they'll get into a SCIF, a secure facility, and they will demonstrate that capability. Sometimes it'll be public. Sometimes it'll be something that they acquired maybe for a 100 or so thousand dollars. That's not the point of those meetings.
John Strand:The point of those meetings is to say, these are capabilities. We need IRAD dollars, research and development project dollars Mhmm. So we can continue doing this. And that's where you spend, like, a million dollars on an exploit. Let's just say that somebody had that type of cash to invest in this.
John Strand:And then you can get a $100,000,000 in IRAD funds because you've proven capabilities. That's where the follow on and that's where the grift makes a tremendous
Ralph May:The most interesting part about that too, John, is that that that development is just for, like, the research. Right?
John Strand:Like, Yeah. Just the research.
Ralph May:Yep. Even if you don't actually deliver on it. Right? Which is the whole kind of the the the game here. Right?
Ralph May:Just to get close to it or whatever. She's like, oh, the research failed. There was a $100,000,000 in research that, you know, kind of, you know, went away.
John Strand:Yep. So they used this literally like one of the guys, Ira c two said POV, you stop screwing around with bug bounty programs and you make a lucrative living selling to western exploit brokers instead. And, you know, it's got a Dallas cheerleader doing her thing, whatever. And, like, literally, as soon as they get anything, as soon as they get anything that they have acquired, they will immediately try to spin that into research dollars. And the other thing that's really, really, really lucrative in how this works, and it works so incredibly well, is a lot of these projects, once they start getting the money and they start getting the funding for it, then they basically keep pushing it out further and further and further.
John Strand:And because DOD and IC has so much churn in different projects, by the time you get to the end of that project and there would be any evaluation as to the success or failure of that project, the people that you signed the contract with are gone to someplace else. And no one holds you accountable at all. So, yeah, these guys are the worst of the worst, and they they they kind of cover themselves as though they are patriots. And I like the brag. Worrell, whatever the guy's name is, because he called himself the Whirl of Wall Street.
Bronwen Aker:Whirl of Wall Street.
John Strand:Whirl of yeah. I know more about tech than anyone. My background has always been extremely technical. I've always been deeply in tech. People know me as someone who's able to create spectacularly exquisite capabilities that would make your head spin.
Ralph May:Whenever you read something like that
Wade Wells:about run.
Bronwen Aker:What is it about the hyperbole that people just fall for it? It's like, really?
John Strand:You but but there's people that gravitate towards that, Bronwen. Like, that false bravado. And, you know, we've been around those people, and we try to get them, you know, so they're not here in
Wade Wells:this That's my mom.
John Strand:I don't know your mom.
Bronwen Aker:There there are reasons why I got so good. Just wanna insert
John Strand:Bronwen mom joke right now, but I'm not going to, Bronwen. I'm not. But, like, that false bravado, especially, like okay. So special forces groups, especially. Right?
John Strand:A lot of the people that are associated with special forces groups, not all of them. Usually, younger people that haven't been around very long, they fall for that bravado. Because when you're working with those types of groups, if you come in and there's any doubt, like, they take that in their circle that you're incompetent. You don't believe in what you're doing. So any type of like, I don't know if this technology is gonna work.
John Strand:Sometimes they're like, well, you're either gonna do it or you're not. Or they try to quote Yoda, do or do not. There is no try. You know? And they really gravitate to this if you come in with that level of bravado.
John Strand:Now that's not everyone. I wanna make it very, very clear, but they only need to find a handful of those people where they can kind of bro it up, and then they just kinda keep riding that as long as they can until they find someone else. So I was I had I had one, like, dinner that was spectacular. This group, not these guys, but a similar kind of charlatans group. I don't know if I talked about this on on the on the podcast at all.
John Strand:But I was brought in to evaluate as a trusted advocate a technology that they were proposing. And they were basically proposing complete and utter snake oil. By the way, it was a Thai restaurant. The Thai food was fantastic, and the charlatans paid. So I looked at this as a total win in my book.
John Strand:But, no, they were talking about, like, temporal distortions and IT technology and how this all worked, and they brought in some religious overtures into it as well. It was really creepy. It was super weird. And they were asking for a $100,000,000 for a research project. And so that's what you see here is not an isolated case.
John Strand:There's literally hundreds of firms that are doing this exact same thing.
Ralph May:So we need somebody who can come and help the government out. And as a matter of fact, we have that person. It is OnlyFans Models.
John Strand:It is OnlyFans Models.
Wade Wells:I think that is
John Strand:the transition. Well, do you wanna set this story up a little bit?
Ralph May:Oh, yeah. Sure. So OnlyFans Models are actually helping government websites that have been compromised, essentially, get shut down. So the the crux of this is that these sites are posting OnlyFans Model content that is, you know, protected under the Digital Millennium Copyright Act. Right?
Ralph May:And so they're going after these different websites to essentially protect their IP. I don't blame them. Right? They're they're No.
John Strand:They have have free rate too. Absolutely.
Ralph May:Exactly. But as a as a consequence or a, you know, attribute of this is that it's actually helping to, you know, discover these
John Strand:Yeah. Because a lot of these OnlyFans Models, they take this shit really seriously. Right? No shit. If their if their content is being leaked, they're doing takedowns all the time Yes.
John Strand:To try to get these get these things taken down. And I don't know. I don't know what we can learn from this in the world of computer security. Hey. When somebody posts my work unattributed, I'm going after them too.
John Strand:So why not? Absolutely.
Mishaal Khan:So You learn that takedown requests work. The DMCA works. You just have to file it in certain situations.
Ralph May:I I yeah. I I think it's I think the most interesting part of this is that when you get some of the the bigger firms involved, even some of the bigger, like, Google and other things like that and them having to respond to these, they tend to just, like, just get rid of it as fast as possible. They don't Yeah.
John Strand:Just get it off their plate. Get it off their their Block it.
Ralph May:Yes. Yes. Block it. Yeah. And it's like they they default to the to the block it and then prove that we messed up as opposed to, no.
Ralph May:No. Give us tons of information so that we can protect the other side. Right? So it kinda works out
Mishaal Khan:in that. I do hundreds of these all the time. And, yeah, I see. Most of the times, they'll just block it. They're like, oh, DMC request.
Mishaal Khan:They get scared. They just block the content. Move on. They don't wanna deal with all the legal ramifications.
Ralph May:Well, because it costs money. And the the and most of the time, they're the third party. They're the third party in that. So they're they're they're not making any money.
Mishaal Khan:And people abuse it all the time. People like me who want content taken down for whatever reason. Yeah. Yeah. We'll just do it.
Mishaal Khan:Know, like, good luck fighting it.
Ralph May:Interesting.
John Strand:But Yeah. I you know what? I just I wonder how automated this is. You know, because if if you look at YouTube, I think a lot of the DMCA takedown requests are fairly automated on YouTube. Like, you can put it in, you can bring down a YouTube channel with no evidence whatsoever.
John Strand:I mean, there's tons of people like Rick Bouto is one of them that I follow in, like, music production. And his stuff is constantly getting threatened to get taken down all the time. Simply interviewing a musician. Mhmm. And the musician plays a guitar riff on his show gets him a takedown.
John Strand:So a lot of this is automated, and I wonder just how automated this is, for the OnlyFans thing. Or is there somebody that literally their whole job is, like, going and, like, yeah, that's that's the OnlyFans model. And if they work from home, they have to explain to their, you know, their significant It's tired, like This is your job?
Mishaal Khan:This is what you do? Google now has an automated where they kinda search through, like you say, this is my phone number, and if the page shows up that phone number, it's automated completely. But if there's something else that's a description of something that's copyrighted, whatever, design, or things that need more attention, that's not automated. I think those are the one off cases. But the majority of these things are like pictures, phone numbers, t addresses, that's all automated.
Mishaal Khan:That's pretty quick. Yeah.
John Strand:Absolutely. Bronwen, are you saying something?
Bronwen Aker:I I was just gonna say that all of the the people reviewing these take down requests and checking for appropriate content, they've all been fired or the jobs have all been outsourced overseas.
John Strand:Yeah.
Wade Wells:Are they using this for phishing? Could I could I put like a gnarly, like, copyrighted music on like a login page? And then really like tout that to take down phishing websites?
Bronwen Aker:You can rip roll people? No.
John Strand:Actually, I'm
Wade Wells:I'm I'm trying to how do I weaponize this for defense is what I'm trying trying to figure out. Yeah.
Ralph May:So you'd have to you'd have to have control over the content though. Right? So I think that's, like, the crux of this, like, side. Right? If you were trying to weaponize it for defense.
Ralph May:Because I was just thinking about that. I'm like, how do
Mishaal Khan:I how would I put that
Ralph May:video on there? Well, I have I don't have control over it. Right? So usually, when you're talking, like, the big stuff like the Google's or whatever, they're just gonna take it down because they have control of the platform. But if you post it immediately, right, some kind of other, you know, server or something like that, they're not gonna they're not gonna get involved.
Ralph May:Right? So
Wade Wells:Yeah. But the the the hosting provider may I worked for a hosting provider, and we got DMCAs all the time, and we did Oh, yeah. I've fucked up my over ten years ago. Yeah. Exactly.
Ralph May:Exactly. Interesting. No.
John Strand:Well, do we wanna talk about Okta's article? The Vishing Actors Going After Entra Pass Key Enrollment?
Ralph May:Yeah, sure.
John Strand:I I I kinda dig this one. I and the reason why I dig this one is long time ago, I got into a debate with Dave Attell, and we were talking about the efficacy of user awareness training. And I can't remember god. I completely forgot the guy's name. He wrote the book Honeypots, and I should know it.
John Strand:Lance Minster was part of the debate as well. And, Dave's take, at the time I disagreed with, and I still kind of disagree with it, is he talks about how user awareness training is just not effective. It's not an effective control because it can be bypassed. Like, there's always failure points associated with user awareness. And my take on it was every single technical control that we have has a failure percentage, a probabilistic chance of being successful.
John Strand:So we can't look at anything associated with user awareness training or anything and say, well, it fails x percentage of the time. Therefore, it's worthless. And this this one kind of I can kinda see Dave's point. And Dave's point was when you're trying to do user awareness training, it's so hard. Like, you can hit the center mass, but you're gonna end up with these fringes.
John Strand:And what this attack is. Right? So we have this what was it? The code name PINK, what is it, o u n c zero six six, has been basically creating this phishing framework, this vishing framework, and basically taking advantage of people that are trying to do passkey enrollment. And as you know, we've been trying to move people in security away from passwords to passkeys.
John Strand:So they're being told that this is more secure. They create a page that matches the organization so it looks real. They call people up, and then they walk them through it. In the back end, they gain access to everything. And it the thing I wanna, like, kind of go and and Ralph, I don't know if there's more technical aspects that you wanna get into about this because it is kinda cool.
John Strand:But when we're talking about when we're talking about user awareness training, especially when an attacker is willing to get on the phone and walk someone through something, I think our probability of success in defending against that just plummets through the floor. So I'd love to get you all's take on this.
Ralph May:Yes. So this is just
Doc Blackburn:on mute. Wade's all talking, and he's Wait.
Wade Wells:Wait. Okay. Okay. Let me go. Let me go as a defensive.
Wade Wells:We had I had I had to deal with this, and they didn't just call, they called and also started listing names of people that they worked with in IT. And it was very well done and convincing to the point I'm like, okay. It was an English speaking threat actor, so I'm like, okay. This is this is a little bit more deeper. And then the other thing is as a company I work for, we use pass keys quite a lot.
Wade Wells:I can't really build a detection for this because there's gonna be such a number of false positives at least from the input of the key part. Right? I have to then look for external logins from weird locations. But it was a a cool problem right off the bat that I we solved.
John Strand:I think that that's the that's the trick right there is looking at logins from various exotic locations or impossible travel or simultaneous log in from two places that are impossible. But I don't know. Anything other than that, like, seriously
Ralph May:The other thing too, you could probably so this would be a password manager feature. It detects that the pass key is from a different domain. Right? So when you actually make a pass key, have to put the essentially, like, the originator of the domain. Right?
Ralph May:It's actually like it's like hard coded inside of it, essentially. Right? So the domain that you're using to log in is part of the pass key. So they're kind of like bundled together. So when that happens, this this adversary in the middle, they're actually making that their their domain as opposed to the actual legitimate domain, which would be Microsoft or, you know, whatever it is.
Ralph May:Right? So having that detection would actually possibly be a good way to
Mishaal Khan:That's pick how hardware keys work though. That's exactly how they work. Hardware keys. That's why they're phishing resistant technically because they look at the domain.
Wade Wells:So from the Okta side then though, when if you were to go to take their passkey and put it in the Okta, cause I we'd I didn't let anyone actually do this to actually look at the logs. It will then say a different dump this passkey came from
Ralph May:a different domain. No. No. This is from the user side, not from the actual
John Strand:app store. It's like user awareness training. Yeah.
Ralph May:Yeah. Yeah. Yeah. Social engineering. Sort of.
Wade Wells:Yeah. So, I mean I've
Doc Blackburn:got a couple things to say about this, if you guys don't mind. One of them is that when we were talking earlier about, you know, the research around zero days, The first thing that I was thinking when when that was kind of related to the topic we're talking about, I just stayed silent because I was like, I'm not gonna send this off on a weird tangent here, but now we've come full circle.
John Strand:Doc, that's your job, man. That's your job.
Doc Blackburn:That that's that's what I'm here for. But but if I start talking and I get on a roll, nobody else is gonna have a chance.
John Strand:So Oh, I'm here, Huckleberry.
Wade Wells:Let's do it. Let's do it.
Doc Blackburn:Do it. Oh, come on. Fight's up for the mic or not for New Year. Come on, doc. Get over here.
Doc Blackburn:When it comes to this research for for zero days, it's like the only zero day in my mind that's even worth mentioning is one that a zero click zero day because, I mean, you can either do that or send some something to somebody and say, here, click this, you know, open this. And it works. As John just said, it works all of the time. And and so there's just no point to that of of people are gonna click. Then that's my first point.
Doc Blackburn:My second one is I've I've spent a lot of time thinking about social engineering when I'm writing articles, when I'm writing courses, things like that. By the way, everybody sign up for my workshop on access controls for Friday. Had to plug
John Strand:in Discord.
Mishaal Khan:Can somebody head
Wade Wells:to that in, please? That would
John Strand:be awesome.
Doc Blackburn:Because we talk about fun stuff related to the we talk about passwords a lot. I'm gonna show everybody how, you know, how passwords crack. And not talking about how to use the tool. I'm talking about how the bad guys get your passwords. Yes.
Doc Blackburn:There's password cracking involved. Yes. We're gonna use the tools, and we're gonna do that in the workshop. But we're gonna talk about how they really do it. But anyway, just stop plugging that for now, doc, to get back on track here.
Doc Blackburn:Told you I got squirrels everywhere. So when it comes to social engineering and user awareness training, we're doing this poorly. We're doing a terrible job of it. We it's and I think we're doing it the wrong way. We spend way too much time teaching people how to spot scams, how to spot things that aren't real, that aren't verifiable.
Doc Blackburn:And that's just the wrong way to look at the problem because it becomes a it's a default allow. Click unless you're suspicious. Well, we know that that didn't work well with operating systems default allow. And so what did Microsoft finally do one day is it's default deny. You are denied access until you are explicitly given that access.
Doc Blackburn:Let's look at how user behavior works. And instead of teaching people the wrong things to not click on, we need to teach them what they can trust, what they can verify, and that they don't click on anything. They don't open anything until it's been verified. Not looking for evil and then saying, oh, this this doesn't look like evil, so it must be okay.
John Strand:So here's my problem with that. And I agree with what you said. My issue is power and authority. Right? If we're looking at a lot of these different types of attacks, someone calls up pretending to be a trusted person in IT.
John Strand:Right? They take advantage of that, and they start name dropping other people in IT, like Wade said. That that's scary. Right? But going further, we also have, like, business email compromise attacks that are very similar where, you know, I'm John Strand, and I send an email to the finance department of Black Hills Information Security demanding we send a $100,000 to Doc Blackburn immediately.
John Strand:Right? And so Doc wins again. But the problem is in a lot of organizations, that type of authority request is normal. Right? And if you push back against IT, if you teach people to push back against these types of requests, you're innately going to hit a situation where they're gonna push back against a real IT person.
John Strand:You're gonna have them push back against a real executive. And everybody needs to be trained to take a step back, take a deep breath, and not take themselves so goddamn seriously. So if you're a tech person and somebody pushes back and says, look. I need to call the 1800 number. I need to verify who you are.
John Strand:They need to be like, absolutely, we'll be here waiting. If someone pushes back against an executive for transferring this ungodly amount of money to Doc, they've gotta be okay with that and saying, you know what, accounting person at BHIS? Absolutely. You've got my number on file. Call me, and I'll be listening or have some phrase or start a, like, conversation that we would have to share knowledge.
John Strand:But the problem is, I feel not so much training people what's normal, but I think training everyone to be okay and, number one, pushing back an author against authority structures. And number two, when you're an authority structure, be okay when someone pushes back against you.
Doc Blackburn:That's the one of the biggest problems. And and it really it butts up against one of the 14 absolute truths of cybersecurity, and that's if security gets in the way of the business, security is wrong because the business' mission is never wrong. And so as know John's told stories about I had to convince my own employees that I was me, that I wasn't AI. And John's like, I'm okay with that. There's not enough business owners that are John Strands out there.
John Strand:On on my side, I gave that employee a bonus for doing so well, and now I get nothing done from my tech team. Like, push back constantly. All the time.
Doc Blackburn:John, put two fingers in front of your face right now.
Ralph May:Yes. Exactly.
Doc Blackburn:Just okay. Alright. Just checking.
Bronwen Aker:So I don't have
Doc Blackburn:to doing a vogue or anything.
Bronwen Aker:There are times where where I'm talking to somebody and I have to verify my identity. And I make a point of thanking the person on
John Strand:the other
Bronwen Aker:end of the phone for doing the verification. And time and time again, the relief and gratitude that they express for being appreciated and acknowledged for the fact that one, they're just doing their job, and two, their actions help keep me safe.
Doc Blackburn:Yeah. They're protecting you.
John Strand:I love the like, how we got we got, like, warm fuzzies, Bronwen. It's like, can you see this going to executives and be like, here's what we're gonna do for user awareness training for executives. Don't be dicks. And the executives will be like, is there a product we could buy? Is is there something
Wade Wells:we could put
John Strand:that could we need is there someone we could look
Bronwen Aker:sexy for guy. DC
John Strand:that have zero days. And they look smacks, and I think they inject gold in their veins. Maybe they do something.
Doc Blackburn:You're being kind, John, because most of the execs I know are like, shut up and get it done.
John Strand:Yeah. Shut up and get it done. Alright. We gotta move on. Wanna
Doc Blackburn:talk about this
John Strand:noma.security article. This is and I'm gonna throw it over to Doc because I both Doc and I have taught the CISSP, and we have, like, Bell, Lepaglia, and BIBO models, and and and all that in our head. But this article is it's it's AI. And I I'm sorry, but I I I wanna get Doc You broke
Bronwen Aker:the bubble. Broke the bubble.
Ralph May:So I'll let the guy article sit here.
John Strand:Like, my inner doc is like, this is nothing new. Right? It's just you could you slapped a new coat of paint on it. It's nothing new, but it's prompt injection. But the way the attack works, and I know that somebody's digging for the article, it's the noma.security article, and the name of it is get lost.
John Strand:How get how
Ralph May:Oh, yeah. Oh, yeah. Was literally gonna talk about this.
John Strand:So the way it works is the malicious actor goes to a public repository, and they create a public issue. Right? The GitHub agent reads the issue. Right? And then they take the issue title and the body as input and context, and then it replies to the issue or posts a public comment, and then it does so from a private repository.
John Strand:Right? And you you basically then you're getting it to leak data. And the reason why I I and I may have mispronounced it. It's is it Bell Lepadula or Lepadula doc? I can't
Doc Blackburn:remember. Lapadula.
John Strand:Lapadula. I understand. I got
Bronwen Aker:two I just I just went through CISSP training. It's Lapadula.
John Strand:Lapadula. You got it. Alright. And this fundamentally goes back to a security context model. The data in and itself is not dangerous.
John Strand:That means a low security context can write to a high security context. And then something can trigger, and then the high security context writes down. So if you're studying for your CISSP and you're wondering why YouTube recommended this video to you, congratulations. Now you know. But, Ralph, do you wanna talk a little bit about the technical aspects of this?
John Strand:Because this is I think this is kinda cool, though.
Ralph May:Yeah. I mean, so this is just like the the high level, this is prompt injection. Right? So as we continue to accelerate the AI deployments and what I mean by that is just deploying AI to do all the remedial work. Right?
Ralph May:To do, you know, the silly things like issues on GitHub or responding to customer emails is a great one. Anything where you can have a a conversation back and then the context is full of sensitive information, then you can start asking the AI. And as we all know, there's always a jailbreak. There's always a way to get your agent to respond with that information even though it's been told not to. So, yeah, we're you're gonna continue to see this as companies strive to remove the cost to deliver that kind of service, whatever that is.
Ralph May:Right? So
John Strand:And I wanna throw this at Wade real quick. Like, detects, this is one of those things, like, as we're getting more and more deep into these things, like, the attack surface is no longer the endpoint. Right? A lot of your detects come from endpoint logs. You have detects that are coming from cloud logs.
John Strand:But then you start getting into GitHub and, like, what what the hell? Like, how do you detect this? And I know that No. That no one would be like, we have a solution that here I love how they're like, we attacked AI. We did prompt injection, and we were able to take advantage of AI.
John Strand:By the well, by the way, we sell an AI security agent. We tie AI into application security, governance compliance, and MCP security. So it's like
Bronwen Aker:So so they're saying, yes. We just jail broke stuff and oh, by the way, we sell stuff that you can jail break too.
John Strand:I don't think they say it explicitly. But yeah.
Bronwen Aker:Yeah. But it's well, it but this is the thing. Even the people who are developing AI and and, you know, again, I'm talking LLMs primarily, they don't know how this stuff works under the covers.
John Strand:I I be They don't. That Bronwen, we've been on calls where we've talked to these people, and they're always like, well, ours is a proprietary algorithm. And they We know exactly how ours works. It's not We
Ralph May:are so much better than everyone else.
Bronwen Aker:Okay. Tell me why when I ask your model to pick a random number, it always picks seven.
Ralph May:Well, that's how I get my passwords.
Doc Blackburn:I'm gonna take what Bronwen's saying and take it a step further. It's it's the problem is even worse than that they don't know how it works. The problem is with AI is that it will not work the same way every time. Right.
Bronwen Aker:Well, that's that's a probabilistic as opposed to deterministic. And that's And so that's baked into it.
Ralph May:But
Doc Blackburn:something that's deterministic, but you don't understand how it works, you could at least observe it from inputs, outputs. I I send this input, I get the same output each time. With AI, you can ask it the same question, the same question, the same question, and then you get three different answers. Red, green, blue, seven
Bronwen Aker:on the model and its temperature. Well, why you know they're not the answers are being cached.
John Strand:But, Bronwen, that's how they doesn't that that all comes into, like, how they tune specifically, like, back back propagation and gradient descent and all of those things. So my point is
Bronwen Aker:Exactly.
John Strand:If you're talking to anybody that's selling shit like this, and you start asking them very ask them technical questions about how this stuff works and how they prevent it. If they do not give you good answers, that means they don't know what the hell it's doing. Back
Bronwen Aker:away slowly. Push your wallet away.
Wade Wells:Going going back to your question on, like, the recent detection shift, right, from end point to everything out. Right? So Yes. This is get this is getting gnarly because with SaaS, just like we want like we'll go say GitHub right off the bat. There is stuff with AI.
Wade Wells:Yeah. I can probably automate but do I even want AI to do that with certain detections? Right? Whether that be changing configurations or allowing things to be made public and that sort of thing. The other is the the, I would say, non clear logging standards within these SaaS products.
Wade Wells:Right? Like, can go and set up whatever sem you have to go pull GitHub audit logs and throw them in. The thing is though, there are other ways to receive other logs because whatever hook that that sem tool is using isn't typically using all of the hooks to get all of the logs. So then you have to go verify the logs that are they're actually correct. Right?
Wade Wells:And don't that's just GitHub alone. And then you're gonna have to think about all the runners, how those runners are set up, what AWS environment those runners are on. Right? And so bam, your detection strategy has just exploded exponentially. And then setting up other third party applications.
Wade Wells:The biggest thing that I have been, like, trying to focus on is, like, least privilege. Right? That's the one of the most important things, and then looking for those least privilege outliners. Just so like, you're not gonna be able to protect all this AI stuff with especially like Bronwen said, the one there's another interesting part. I digesting those AI chat logs and then looking for maliciousness via the questions asked is a whole another detection strategy that's kind of a black box right now.
John Strand:Okay.
Wade Wells:But the only great way to solve is with AI, which is also scary.
John Strand:So here's here's my recommendation for people. And I've seen some vendors that kind of work this way. But if you're looking at, like, OpenAI, you're looking at Anthropic, you can actually look at the logs. Right? It depends on your plan.
John Strand:Like, we ran into this problem, Bronwen, you were right in the middle of it whenever we're working with, with Anthropic. And you have to have a certain enterprise plan to be able to get the logs and the chats and the requests and the responses and the agent traces associated with it. Right? So I know this sounds weird, but if you can get those logs of what was actually put in as a request to the AI models and what are the responses that came back, you can actually feed that back through AI and make a request to say, do any of these particular requests look like prompt injection style attacks? Right?
John Strand:But many people aren't Wade, do you know of anybody that's actually checking their AI chat logs?
Wade Wells:No. Not not I have talked to a lot of people about this. One, it's a lot of logs.
John Strand:Two It is.
Wade Wells:They're highly highly sensitive. Right? Because there's there's acquisitions, there's managers being said, all logs are, but I think this is a little bit more of, like, people are, like, draining their soul into these AIs. And there's some legal ramifications from that.
John Strand:Right? I I think that
Ralph May:that's I think that the health conditions, what we get right into HIPAA.
John Strand:But wait. Let's let let's talk about let's differentiate. Right? Like, let's talk about corporate level AI. Right?
John Strand:Because that's for most of our listeners. Right? If somebody is going into their local chatbot in, like, Copilot, and they're like, I need dating advice if I have, like, a
Wade Wells:score They probably are. Okay. Okay. John. They are.
Wade Wells:I will are. Tell you they I've already had to deal with But stuff like I'm not even saying that. I'm talking about, like, mergers and acquisitions. Right? I'm talking about promotions or user reviews.
Wade Wells:Right? That was one of the first things when I we started, like, thinking about digesting these logs. It's like, okay. Who would have one, limit access to logs always. Right?
Wade Wells:Yeah. But what if one of these, like, security people has access to these logs? What can they see? What are some of the weird questions that maybe c suite more level browser history. Yeah.
Wade Wells:Well, the browser hit
John Strand:ripping the risk anywhere?
Wade Wells:It it's definitely thy Honestly, I've said the same thing, but privacy says otherwise. Right? I
John Strand:just I rough. Just It's been one of those things that we had to fight, and we finally got it. Right? And I I keep waiting, Bronwen, for, like, one of the inputs into Anthropic to be like, please take the following and convert it into a report quality finding for Black Hills information security, but obfuscate it well enough that Bronwen and B. B.
John Strand:Will not notice that AI. Supposed to generate this. Right?
Wade Wells:I've talked to Hayden a lot about this and the strategies around it and maybe, like, how some corporations are dealing with it. And it's definitely no there's nothing cookie cutter about it. Like, everyone's doing it differently. And even then, like, some of these logs, I think, like, OpenAI has around five different APIs, something around there that you have to hit to make sure you're consuming all logs. Right?
Wade Wells:And I I believe the chat one, like actual raw chats is the largest. Like, it was pretty big. Some of the tools we were using to pull logs in couldn't handle the stream. So we have something
Ralph May:to How ask much hardware do you need to scope
Bronwen Aker:out of Windows?
John Strand:In this synchronicity. But but there are some cool things that you can do. Right? Like, you can pull those logs in and you can have it do analysis and say
Wade Wells:When they how
John Strand:many of these how many of these, like, agent requests could be streamlined and, like, improved for performance? Right.
Wade Wells:I will tell you also, like, just okay. We're talking about OpenAI and, like, the frontier most Yeah. The yeah. If you if you take one step further and look at these other AI toolings that have very similar stuff, it is definitely, I would say most of them do not have good logging on what their AIs are doing. Right?
Wade Wells:And you have we like, you have to fight tooth and nail for that information. There's one company I saw where I got sent like, hey, go review these logs to make sure that this tool is cool. Out of like, probably like this 10 or 20 I've looked at, one was like great and was actually OCSF. Everything else was garbage. We had to put in limits like, hey, if you're gonna use this, we need x, y, and z within these logs, or we're not gonna accept this tool.
Wade Wells:Like, it that's as you're connecting all these APIs to it. Right? It's it's gonna have the keys to the kingdom per se, at least as a read only.
John Strand:It it goes back to like, logging is is horrific for any, like like, cloud or frontier technology. Right? It's just bad. And I don't understand why. Like, logging has been so horrifically bad all the way to, like, Windows Event Hub.
John Strand:Right?
Doc Blackburn:So Yeah.
Wade Wells:I have I have recently so I will I I think this is okay. I have recently, like, customer zero, like, dog fooding stuff within my org and having to create new logs. And it is not as easy as I thought it was to be like, hey, this is the format we want. Yeah. And this is what this is the data we want.
Wade Wells:They're like, well, yeah. But what about x, r,
Doc Blackburn:and z? And what if
Wade Wells:the log comes late? What if they and I'm like, oh my god. Like, I don't know. That's developer stuff.
Bronwen Aker:You guys figured, but this is what I'm
John Strand:And the developers focus the logs on the stuff that matters to them.
Wade Wells:Right. Exactly. Yeah. Yes.
John Strand:Alright. So let's get away from GitHub. That that's a fun story. Let's go let's do another story Okay. From security.
Bronwen Aker:I did have
John Strand:Go ahead.
Bronwen Aker:I just I had two quick things. I mean, one, props to Noma for doing the, the research and for pounding on GitHub because it really needs to be as secure as it can possibly be. But two, I again, I feel so much like this little old lady because so many so much of the churn that we're seeing now with regards to AI and that things are evolving so fast and they're changing so fast. This is exactly what we went through when the web was new. Yeah.
Bronwen Aker:This is this is so familiar.
John Strand:This is what happened with cloud. This is what happened with virtualization. Yep. Mhmm.
Bronwen Aker:So It's gonna be several years before things settle out and we get real genuine productivity boosts.
John Strand:And and I really think anybody that's in security that bitches about this, legitimately like, we all bitch. Right? Like, we all complain because that's what we do. But if you genuinely are laying in bed at night worrying and complaining about this, you need to stop because this is job security for us. Like, galsy.
John Strand:Yeah. It's going to be just fine. You're gonna continue to have a paycheck. Life is good in security. AI is not gonna replace your job in the long term, maybe short term, but that's gonna be a dumb mistake.
John Strand:But we have to get away from the GitHub thing, and let's talk about another article from Security Week. A network of 200 GitHub repositories used for malware. Goddamn it. Put it back to GitHub. Again?
John Strand:Yeah. I don't know if there's anything like like groundbreaking about this.
Ralph May:Malware on GitHub. Shocker.
John Strand:So but I do have one quote. Said to deceive the users. The Go module posed as a DNS sub domain scanning tool built around a legitimate DNS sub open source project. Since 01/24/2026 Oh, my Threat Actor has published over 1,200 versions of the package, 700 of which are malicious. What are these other packages?
John Strand:Like, what what are the other, like, five hundred
Wade Wells:Five hundred. Right? That is
John Strand:a good idea. Generating. Well,
Ralph May:sometimes it's good. Sometimes it's bad. Yeah.
Bronwen Aker:I'm guessing that what they probably did was they they took the original and they're just they added the malware, and now they're publishing slight variations on the on our
John Strand:theme. And some of them
Wade Wells:are broken.
Bronwen Aker:Mhmm. Yeah. Well, as long as it as long as a payload delivers, they don't care about anything else.
Doc Blackburn:Yeah. If it doesn't work, it's not malicious.
Bronwen Aker:But it's a numbers game. And, of course, with AI, they can have an agent crank out all of those and push them over and over again. Yep. So
Doc Blackburn:I think we're focusing on the wrong headline here. I think the headline here is they have a scanning tool that only found 700 of the 1,200 being malicious. There Doesn't mean the other 500. That's the headline.
Mishaal Khan:There it is.
Doc Blackburn:The other 500 are just really good.
John Strand:Oh, man. I lost I lost the story. Microsoft and the the giggity. GG.
Ralph May:Yeah. Can we talk about that real quick? Actually, so talked about
John Strand:that last week. We did. It's still floating. But go
Wade Wells:ahead, Alex.
Ralph May:Okay. So alright. A couple interesting things. So obviously, a bunch more news articles came out, and I did a deep dive on kind of how this actual worked out. Like, how the FBI actually found out, you know, how this just like one GUID.
Ralph May:I I just kept thinking about it. I was like No.
John Strand:No. I don't wanna call it GUID anymore, Ralph. I'm trying this point on to start calling it the giggity.
Ralph May:The giggity. Got it. Whatever you wanna call it. And actually, it's technically not a GUID, but Are are
Bronwen Aker:we getting giggity with it?
John Strand:Yeah. We go. Bronwen's down with it.
Ralph May:So what I thought was interesting is that Microsoft has this unique identifier that you get whenever you activate your Windows. Right? Yep. It gets sent off to Windows. And it's just to Microsoft, by the way.
Ralph May:This doesn't really get sent to other websites that you go and visit or anything like that. So the way that this all worked out is that this GUID or or giga did whatever get sent out. No, I don't.
John Strand:It's a giga idea.
Ralph May:I I like I like mine. It gets sent out. Microsoft has a copy of it. Alright. Great.
Ralph May:That's but how does that find out who this person is? Right? And the way that they actually did it is that at some point, this attacker logged into an ngrok sign up page. And at that moment, Microsoft got an IP address and that ID at the same Stop.
John Strand:Hold on. Hold on. Hold on. That's what I'm trying to figure out is how did they get the giggity?
Ralph May:How did they So NGROC got an IP. Microsoft got the ID with the same IP at the same time. I have a connection between the device via the IP. It's the IP is is the interesting piece. Right?
Ralph May:Because whenever it talks to Microsoft, it sends that ID and whatever the current IP address is.
John Strand:It's working exactly as it should. Microsoft's gonna be tracking that information for us.
Ralph May:Yes. Exactly. So the FBI asked Microsoft about that IP address, And then when they associated it with the ID, then they were able to start tracking it down. And they asked Microsoft, hey, tell me all the IP addresses that that ID ever used or ever was from. And then they go to all the providers that that they thought he would have logged in.
Ralph May:Like, take take the big ones. Snapchat, for example. And they say, tell me when this IP address hit your device and they connect the times together. Now I have a plan of where you were no matter how many VPNs you used based off of those things. I have those IPs, those times.
Ralph May:Right?
John Strand:So I still don't understand how that that GUID went to ngrok. I don't
Ralph May:It didn't. It didn't go to ngrok. It just has the same IP at the same time when he signed up. Right? So Microsoft knew the
Bronwen Aker:IP address Meagan, scroll down to the diagram. There you go. Yeah. That's where I wanted you to go. Perfect.
Bronwen Aker:Yes.
Ralph May:So they cross reference the IP address is how they traced. But be because they were able to get that one ID and then Microsoft had a list of all the IP addresses, now I have a single computer that I know is always the same.
John Strand:I see.
Ralph May:Okay. And then I have all the IP addresses that I know that that computer used, and I go to all the providers, and then I get a full trail of wherever you were.
John Strand:So okay. So we get back. This is actually the same, like, the Sarah Palin hacker years ago. He broke into Sarah Sarah Palin's Yahoo account. He took a screenshot.
John Strand:He sent it in, and he literally, in the screenshot that he posted, he had all of the tabs of all the other websites he was at at the same And that's how they got him. Now Yep. During his trial, he was like, do not call me a hacker. Turns out he wasn't, but
Mishaal Khan:he was. He needs my offset course.
John Strand:He needs my
Doc Blackburn:offset course. Yeah. So I'll screenshot.
Ralph May:The the most interesting piece is there's really no way to disable this inside of Microsoft. It's built in by default.
John Strand:Okay. But that's the thing I wanna get to is, like, privacy people are freaking out about this. I don't see how this is a privacy violate. Like like, I just don't. If you don't log in with your NSA, I mean, that's a way
Mishaal Khan:that Microsoft and Apple both are constantly calling back home. They have your IP address from the time the machine boots up. The Operating system is constantly calling home
John Strand:Yeah. You're ninety days or whatever. Yeah. It's
Ralph May:Yes. Very cool. Just just the idea and the thought that, like, you can associate this this piece little piece of information and assign that with an IP address and then kind of, if you have access to all of this, which the FBI was able to subpoena, they can put together this full picture. And all they had to do was correlate one event that they knew this person had done, and then you could just expand. Right?
Mishaal Khan:Step on down. Yep.
Ralph May:Yeah. Very cool.
John Strand:Alright. Let's move into some privacy stuff to close it out. This is an article from reclaimthenet.org. EU Reddit users must verify age with government ID or selfie. This is something that we've been talking about for a while.
Ralph May:ID for everything.
John Strand:It's ID for everything. And I I so this is this is tough for me because it it it is this collision between privacy and security. Right? And I remember the story I always thought about was the San Bernardino shooters years and years and years ago. Right?
John Strand:Up until that story happened, everyone was very frustrated and angry at Facebook because it was getting leaked that there was a lot of privacy issues with Facebook. This is right at the beginning when privacy problems started really starting to percolate. And everyone's all mad. They're like Facebook and privacy and blah blah blah blah blah. And they're doing this and they're doing San Bernardino shooters happen.
John Strand:And it comes out that they were communicating with each other on Facebook. And immediately, the narrative changes. Like, immediately. People are like, why wasn't this stuff being monitored and why weren't they watching for this? And I don't think that this is much of a technical problem.
John Strand:I don't. I think that we as a society have gotta figure out which side of the fence we wanna land on. Like, are we gonna be about privacy, or are we gonna be about, oh my god, please protect the children. We have to figure this out. But this I just don't know, like, where we go with this shit.
John Strand:Because today, everyone's gonna be mad at Reddit for verifying age of people. And then in a month or two months, they're gonna get mad because Reddit isn't monitoring accounts close enough. So where the hell are you guys on this one? Because we go back and forth on this all the
Mishaal Khan:an excuse. Like, if it's about the children, show me proof how many children are you protecting, or have you protected because of age verification. And then I'll be all for it. But that's not the real reason for this. Children are not being protected because of this.
Mishaal Khan:There are predators and so many things outside there. I mean, that's not gonna stop them from doing this. So this is mostly entirely for surveillance.
John Strand:See, but I don't think that they look at it in that lens. I agree with I don't I think they're doing this for other reasons. I agree. But at the same time, a lot of corporate entities, they don't think of it as like, how many children are we protecting? They're far more scared of that one child that gets abused.
John Strand:They get blamed for it, and they get sued. They're trying to
Bronwen Aker:do Well, yeah.
Mishaal Khan:If children can't scroll up and say, I'm 20 years old. 10 year old can't. Right. How is it really protecting them? Every children's lying.
Mishaal Khan:Every hacker's lying. It's like, guys will not follow this. Children will not follow this. It's like Yeah. Then what is it for?
Mishaal Khan:That's what I question it.
Bronwen Aker:John, did you ever see a science fiction show called Continuum?
John Strand:No. I haven't, but you've recommended that now twice to me. Okay. I got you.
Bronwen Aker:So one of the one of the reasons that I that I bring it up, Continuum is a a science fiction series. It has good and bad points, but what whatever. The future visualization that they have is that, basically, there is no privacy in in this future world. Governments, nation states have fallen, and now we live in a corporate run planet. But there is no privacy at all.
Bronwen Aker:Everything is digitized. Everything
John Strand:What's is the name of this documentary?
Bronwen Aker:The primary character in that series is a a female police officer. Her suit is almost entirely AI, and she even has has things embedded in her so that the facial scanning that we're freaking out about with the metaglasses. She does using implants in her physical body, and it's part of her job. And while the vision of this future where there is no privacy is in some ways very terrifying, I think that we're not gonna be able to avoid it.
Wade Wells:I agree. I I think the way I think what's gonna happen though is, like, the amount of data that's gonna come in even with AI to, like, find you is gonna be very hard at first. I'm Yes. I I am on the fence about this just because after reading a bunch of like books on children and social media, right, and just like it's gonna take more than just age verification. Right?
Wade Wells:It's gonna take a bunch of stuff, but I think it's like where it starts.
Mishaal Khan:I would say ask
Wade Wells:them if they're
John Strand:to catch Right?
Wade Wells:Yeah. Yeah. Australia banning Australia is banning social media for kids 16. Right?
John Strand:Has to happen. Has to happen.
Wade Wells:I think I think that that sort of thing does need to happen where it's like the the bare minimum needs to be done somewhat.
John Strand:I also think that all of the shit that all of the, like, Reddit, Facebook, and everybody is tracking should be protected as PHI, and it has to be protected under HIPAA. You wanna make it real quick, one law. It's all HIPAA level data. Then they can't sell it. They can't market it.
John Strand:They can't try to productize it Read it. Without very, very strenuous controls around that data. That solves the problem very quickly.
Doc Blackburn:But do me a favor, though, don't put it under HIPAA. Whatever you do, don't put it under HIPAA.
John Strand:Well, let's just send back your daughter.
Bronwen Aker:Whatever it is, we need we need to figure out what our our philosophy is gonna be about personal information, and we need to update it to accommodate all of the technological changes that occurred in the last century and that are continuing in this century. Because our data has become such a valuable commodity, and our laws have not caught up with how to address that and how to deal with it responsibly. And that's it's gonna be an interesting couple of decades. That's for sure.
John Strand:Yep. So alright. We got another privacy one to close out with. I think it's a lot of the same same same beat, same tune. Risky Business was talking about it, and, it's news.risky.biz.
John Strand:All new cars to include camera aimed at the driver's face. All new cars manufactured and sold in The EU and The US will have to include mandatory infrared camera aimed at the driver's face at all times, which is alarming some privacy groups. I my favorite, like, quote, and I've gotta try to hunt it down, but somebody at Risky Biz basically had pointed out that carmakers have historically been some of the biggest offenders ever whenever it comes to consumer privacy over the past decade or so. I've rid I've rented a car that does the, are you sleepy? It needs to stop now.
Doc Blackburn:Whatever you do, do not follow these explicit instructions. Follow these
John Strand:explicit directions.
Mishaal Khan:You'll grab the gold and whatever.
Jake Hildrith:Screwed we are, like how much data is out there. Jake, you have anything you wanna promote? Working on Locksmith two. Locksmith number one, I released in 2022 at Wild West Hackett Fest rock and roll. And Thank Locksmith two will be demoing it at Deadwood again, because they got accepted last week.
John Strand:Congratulations. Part of that, I will also be doing a four hour anti siphon in q four. And then, yeah, same thing. Very good. Doc, I'm happy to here.
John Strand:This is what Can we get a link up, doc? I think that some people put it out on Discord. But you have a workshop coming up this week as well. There it is.
Doc Blackburn:It's a four hour party. It's going to be a blast. The foundations of access control is where everything sits and there's gonna be so much fun. And this this workshop is for two people, everybody.
John Strand:I like and it doesn't have AI in it. It has IAA.
Doc Blackburn:It is IAA. Yeah. So
John Strand:we can also say it's big Indian AI is in there as well. So
Doc Blackburn:AI is in it's in there. But it's not it's not in this in this workshop. It it's your it's your respite from AI.
John Strand:There we go.
Doc Blackburn:Actually get to talk about the shit that matters. Oh. So, folks, it's gonna be fun. It really is. That those two groups of everyone is we all know people who they they ask you, your friends, family, but how do I get into security?
Doc Blackburn:And, you know, these training these trainings are, you know, multi days and they're a lot of money. Folks, you can afford $25 in four hours of your time. Right? And if you can't, then you've probably got bigger problems and thinking about your career change isn't right for you right now. And so tell your friends and family, those people that want to get into security and they say, I just don't know how, boom, here it is.
Wade Wells:And so that's one group.
Doc Blackburn:The other group is all of us professionals. We need CPEs all of the time. Right? CPEs. Four hours of CPEs.
Doc Blackburn:And and not only are you gonna get the CPEs, but you're gonna learn something from it. Guarantee That's
Mishaal Khan:what we look for.
Doc Blackburn:You're gonna walk away with knowledge in your head that you did not have before. Some of it you might want to forget, but it'll be there comforting you and terrorizing you.
John Strand:And with that, we're out of here. Thank you so much, everybody, and thank you so much for everyone for joining. It was a great show, and I'll see you next week. Take care, everyone.
Doc Blackburn:Bye.
John Strand:Bye bye. Alright. That's it. It's a Monday. I'm out of here.
John Strand:Talk to you all later. Thanks so much.
Ralph May:See you.
Mishaal Khan:See you later. John.
Bronwen Aker:Michelle. Hi. Hold on. Darn. You're you're still there.
Wade Wells:I'm still there.
John Strand:So
Bronwen Aker:Michelle, do you how do you pronounce your first name? Michelle or Michelle?
Mishaal Khan:Michelle. Michelle.
Bronwen Aker:Okay. Yay. I got it right. So I do work with the Women's Society of Cyberjutsu, and I saw an article earlier this year talking about an OSINT rave as a way to teach OSINT to people. And I'm thinking about putting together a workshop for this group of of women.
Bronwen Aker:And it's these are are are typically young women who are new to cybersecurity, and they're they're looking into it. So would it be okay if I reach out to you and bounce some ideas against you?
Mishaal Khan:Yeah. Reach out anytime. Sweet. Reach out on LinkedIn. We can share our signal handles there or usernames, and we can talk.
Bronwen Aker:Excellent. Sounds good. I'll I'll reach out to you within the next couple of days. Alright.
Mishaal Khan:My pleasure.
Bronwen Aker:Thank you. Alright. Take care.
Ralph May:Later, guys. Bye, Ralph.
Bronwen Aker:Bye, Ralph.