Talkin' Bout [Infosec] News

Register for FREE Infosec Webcasts, Anti-casts & Summits –
https://poweredbybhis.com

00:00 - PreShow Banter™ — The Problem With Extensions
03:10 - Lawmakers Want to Ban VPNs – BHIS - Talkin’ Bout [infosec] News 2025-12-01
03:47 - Story # 1: Stop Putting Your Passwords Into Random Websites (Yes, Seriously, You Are The Problem)
https://labs.watchtowr.com/stop-putting-your-passwords-into-random-websites-yes-seriously-you-are-the-problem/
12:05 - Story # 2: Lawmakers Want to Ban VPNs—And They Have No Idea What They’re Doing
https://www.eff.org/deeplinks/2025/11/lawmakers-want-ban-vpns-and-they-have-no-idea-what-theyre-doing
21:19 - Story # 3: Critical 7 Zip Vulnerability With Public Exploit Requires Manual Update
https://hackread.com/7-zip-vulnerability-public-exploit-manual-update/
25:49 - Story # 4: ‘Slop Evader’ Lets You Surf the Web Like It’s 2022
https://www.404media.co/slop-evader-browser-extension-pre-generative-ai-search-filter/
37:08 - Story # 5: China’s Espionage in Europe is Deepening and More Sophisticated than Acknowledged, Expert Says
https://www.kyivpost.com/post/64814
39:10 - Story # 6: Apple Update Warning For All iPhone 17, 16 And 15 Users—Act Now
https://www.forbes.com/sites/zakdoffman/2025/11/30/apple-update-warning-for-all-iphone-17-16-and-15-users-act-now/
42:39 - Story # 6: Meta is earning a fortune on a deluge of fraudulent ads, documents show
https://www.reuters.com/investigations/meta-is-earning-fortune-deluge-fraudulent-ads-documents-show-2025-11-06/
50:23 - Story # 7: Meta had a 17-strike policy for sex trafficking, former safety leader claims
https://www.theverge.com/news/827658/meta-17-strike-policy-sex-trafficking-testimony-lawsuit
52:41 - Story # 8: Man behind in-flight Evil Twin WiFi attacks gets 7 years in prison
https://www.bleepingcomputer.com/news/security/man-behind-in-flight-evil-twin-wifi-attacks-gets-7-years-in-prison/

Brought to you by:

🔗 Black Hills Information Security
https://www.blackhillsinfosec.com/
🔗 Antisyphon Training
https://www.antisyphontraining.com/

Creators and Guests

Host
Bronwen Aker
Bronwen Aker is a BHIS Technical Editor who joined full-time in 2022 after years of contract work, bringing decades of web development and technical training experience to her roles in editing pentest reports, enhancing QA/QC processes, and improving public websites, and who enjoys sci-fi/fantasy, Animal Crossing, and dogs outside of work.
Host
Corey Ham
Corey Ham has been with Black Hills Information Security (BHIS) since 2021 delivering red teaming and OSINT services. Currently, Corey leads the ANTISOC team at BHIS, providing subscription-based continuous red teaming to BHIS clients. Outside of his time at BHIS, you can find him out in the woods or up on a mountain somewhere.
Host
Ralph May
Ralph is a U.S. Army veteran and former DoD contractor who supported the United States Special Operations Command (USSOCOM) with information security challenges and threat actor simulations. Over the past decade, he has provided offensive security services at Optiv Security and Black Hills Information Security (BHIS) across various industries. His expertise spans network, physical, and wireless penetration testing, social engineering, and advanced adversarial emulation through red and purple team assessments. Ralph has developed several tools, including Bitor (set to release in January 2025) and Warhorse, which enhance efficiency in penetration testing infrastructure and operations. He has spoken at numerous conferences, including DEF CON, Black Hat, Hack Miami, B-Sides Tampa, and Hack Space Con.
Guest
Belouve
Guest
Shecky

What is Talkin' Bout [Infosec] News?

A weekly podcast with BHIS and friends. We discuss notable infosec and infosec-adjacent news stories gathered by our community news team.

Join us live on YouTube, Mondays at 4:30 PM ET
https://www.youtube.com/@BlackHillsInformationSecurity


Corey Ham:

It's probably the dumbest thing I've seen so far.

Bronwen Aker:

Yeah.

Andy:

I I just I have a problem with extensions, period. Every time I see,

Corey Ham:

you know, What's some extensions the problem with that?

Shecky:

I tried extensions. It didn't they didn't take.

Andy:

I know. There was nothing formidable No. That

Corey Ham:

They were just like, no. You are bald. Congratulations.

Andy:

We just we need better super glue for Shecky.

Bronwen Aker:

Definitely.

Andy:

Yeah. Mean, I've just taken the training for years. Extension attacks that, you know, I mean, some you you have something that works well for, you know, years or whatever. Then as soon as it starts getting some subscribers, like, hey, this guy that made $20 off of this thing now gets an offer from somebody for, like, a thousand dollars. And they're like, oh, hell yeah.

Andy:

I'm a pro developer now. Give me my thousand dollars and now you have a malicious extension.

Bronwen Aker:

Or the ones who just stop doing the development and it it lies fallow and some they had a weak password, so somebody hacks the development account for that extension and boom. Now you've got malware and it's it's, you know, even better because there's no recourse.

Shecky:

Or they put their password or API key inside of the extension so that way people could read it in plain text and just wonder how long it's on

Andy:

table. Altogether. They were like, you know what? This JSON's not pretty enough. I have an idea.

Andy:

Let me just slap it into this website with all my API keys and let me send it to my buddy, make sure it's super pretty.

Shecky:

Hello, Ralph.

Ralph May:

Hey. What's going on?

Andy:

You got nothing? I'm giving y'all gold. What's up, Ralph?

Ralph May:

What is up? We talking about extensions? I love extensions. I have, like, 50 on my computer right now. That's the most extensions I could possibly put in the browser and then it

Corey Ham:

Dude, I have Ask Jeeves. I put it back.

Ralph May:

You put it back.

Bronwen Aker:

I really need to do my my talk on why all web browsers are evil. They've they've always been evil. They haven't gotten any less evil.

Ralph May:

Oh, no way. I upgraded to the Atlas now and like, it browses the internet for me. Like, I don't even like, I just think about what I want. It's just like, alright.

Corey Ham:

It tells you what prompts you should definitely use.

Andy:

Love using I

Ralph May:

love using AI to make prompts for AI. It's like Yes, I just

Corey Ham:

want two AIs pooping back and forth forever. Alright. Go ahead and roll the roll the finger. Let's do this.

Andy:

Corey, have you not seen the Infinite Backrooms? Literally two AIs just arguing back. They created a religion, man.

Corey Ham:

Okay. I'm interested. Is this an article? Go find an article so we can talk about it.

Andy:

It's it's like over a year old, but yeah. It they made like a meme coin that at one point was worth like a million dollar, a billion dollars or something. It it was a whole thing.

Corey Ham:

That sounds terrifying.

Andy:

Yeah.

Corey Ham:

Hello, and welcome to Black Hills Information Security's talking about news. Somehow, it's 12/01/2025. Are we really at the end already? Is it time for 2025 to go? I can't believe

Shecky:

the end. My only friend. The end.

Corey Ham:

The end. It's it's today, we're gonna talk about AI slop. We're gonna talk about some I was sorry. watchTowr Labs blogs. I feel like the watchTowr folks, they just get increasingly like, every blog is a little bit more aggressive.

Corey Ham:

Like, so, I mean, I think they publish really awesome research and I really do respect what they do. They, you know, they have a ton of CVEs to their name and some really interesting blogs. But I do think it's funny how like, over time, they're just getting more and more aggressive. Like, this blog in the let's talk about this one first. So essentially, headline is websites that let you store information publicly are insecure because they let you store information publicly.

Corey Ham:

So this is a watchTowr Labs article essentially about Code Beautify and Yeah. What's the other one? JS JSON formatter. Both of these are tools that, you know, kinda like CyberChef or other similar tools that let you review, you know, I guess, if you don't know how to format JSON or Beautify JSON It's

Ralph May:

pretty print. It's pretty print, man.

Corey Ham:

It's pretty print, I guess. Or if you for Code Beautify, you know, if you it's just a lot of like, do you not have time to install VS Code? Well, use this instead. Right? That is

Ralph May:

convenience correct. Right. Thing.

Corey Ham:

But the problem with this is, you know, turns out these tools have the ability to save data. Like, you can be like, share this. Let's save this for later. And essentially, this watchTowr Labs post shows they did some, you know, deep dive research on what people are putting in there. And, you know, essentially, the long story short is there's all kinds of sketchy data in there including secrets and all kinds of stuff.

Corey Ham:

Active directory credentials, code repository keys, database credentials, LDAP configs, cloud environment keys.

Ralph May:

I love how that ID is just like literally the title. Or no, wait. It's only like one, two, six characters.

Bronwen Aker:

So basically, the takeaway is that people putting sensitive and inappropriate data into website forms predates AI by a lot.

Corey Ham:

Yeah. I mean, the the title really says it all. Parentheses, yes, seriously, you are the problem. This is not really like this is not a breach of, you know, any of these services. This is just functionality in these services where, you know, you can just post data and save it.

Corey Ham:

Right? Like, that's the you know, I

Ralph May:

So I I think the other side of this too, and I've seen this in web app application testing, is the actual, you know, the what do you call it? The obscurity through a unique identifier. Right? Like, that's security. So if you have so like, essentially, there's some random value that if you guess it, you can read this.

Ralph May:

Right? Like, that's the key.

Corey Ham:

Yeah. Like a five digit ID or something. Yeah.

Andy:

Yeah. That They they could have made that ID a thousand characters when you have a recently posted thing on the website. Okay. The obscurity kinda goes out the window.

Corey Ham:

But Yeah. This reminds me of this reminds me of Pastebin. Literally just Pastebin. Yeah. But again, like So then that comes back

Ralph May:

to two things, though. This is where I was trying to kinda go. Right? Is that, yes, you shouldn't post sensitive data in there regardless. Like, you shouldn't be saving sensitive data into some, like, essentially public forum almost.

Ralph May:

Right? Yeah. But the platform shouldn't have, a recently posted thing on there. Like, it it should

Bronwen Aker:

Yeah. Yeah.

Ralph May:

Kind of have, like, by default, if you put something or save something in there, it is private until you explicitly make it public. I mean, AWS had this exact same problem. Right? When S3 buckets first came out, they were always all public. That was the default.

Ralph May:

And then eventually, they realized this was a horrible idea and they had to make like 17 widgets and buttons and like, are you sures to, you know, prevent people from doing it. Now people still do it, but, you know, by default, AWS was kind of setting people up for failure. Right? If they didn't understand what they're

Corey Ham:

Yeah. I mean, I think it's pretty funny, specifically JSON formatter, if you go to it now and you click on save, it says, we are stopping save facility to prevent NSFW content and are working to make it better. Yeah. So they're they're claiming that it's based on NSFW, meaning not safe for work content. So are people, like, posting JSON porn?

Corey Ham:

Is that don't What does it sound like?

Ralph May:

Safe for work anymore?

Corey Ham:

Yeah. Does it say, like, sexy colon true? And people are like, oh, sexy colon true.

Ralph May:

Maybe people were sending messages through this platform. I don't know.

Corey Ham:

I don't know. But it's hilarious that they disabled the save functionality on JSON formatter, but claimed For that it was based

Ralph May:

encode, like, a a picture, and then you could share it that way. I don't know what the character limit is, but

Corey Ham:

I mean, I yeah. Like, ASCII art porn in JSON format.

Ralph May:

Base64, like, actual data, and and, you know, it could be an actual JPEG, you know. Yeah.

Corey Ham:

I guess Wouldn't sharing

Belouve:

corporate passwords be not suitable for work?

Corey Ham:

I mean, sure. I think that's safe for work. That's my job title as an IT support professional.

Belouve:

To to publicly share passwords.

Corey Ham:

Yeah. Yeah. I mean, how am I gonna what? Am I gonna call the user? No.

Corey Ham:

I'll just post it. I'll save it on JSON format Yeah. And I'll send them the

Belouve:

Send them the link.

Corey Ham:

Yeah. So, I mean, basically, the long story short is, don't put your company's data into this tool and definitely if you do, don't save it. Like, if you're gonna do something stupid, don't save the evidence of your stupidity. If you're

Ralph May:

gonna do this, at least give it to an AI so they can tell you

Corey Ham:

that shit. Give it to someone who can really give it to someone who can really monetize it.

Ralph May:

Right? Exactly. Yeah. I wonder

Bronwen Aker:

how long it's gonna be before JSFiddle and SQLFiddle wind up being revealed to do the same thing, because they have a save feature as well.

Ralph May:

Mhmm. Yeah.

Corey Ham:

This is why

Bronwen Aker:

I never have that. As a former developer showing through.

Corey Ham:

I don't know. But I love watchTowr. Keep doing you. Keep putting funny memes in your blog posts. And I guess, honestly, this is one of those things for pen testers and for security professionals out there.

Corey Ham:

Maybe review whether these sites are allowed in your egress policies and maybe don't allow them if you're worried about this type of data leakage. This is not the only one of these. There's probably 10,000 more of these other sites that are the same. There's Pastebin, there's Ghostbin, there's, you

Ralph May:

know, there's There's bazillion bins.

Corey Ham:

Yeah. So, you know, blocking egress is easier said than done. But this is definitely worth reviewing and removing. I'm only my biggest thing that I'm sad about with this one is that I wasn't the one to find it first. Because I love digging through the garbage of the internet to find stuff like that.

Ralph May:

I just didn't realize that there were just a list of the recently posted things. I mean, like, that just sounds like a

Corey Ham:

Tresby trope. Right? Even if it was just so it's the IDs for these things are six digit hex. Yeah. How many requests do Yeah.

Ralph May:

You you could you would accidentally probably land on some, you know. Yeah. Just kidding. Especially, I don't know if it's actually random. What if it just goes in order?

Corey Ham:

It's just zero no. I think it's random. I'm assuming it's random.

Ralph May:

God rest my soul. Someone's gonna I

Corey Ham:

will say.

Ralph May:

This and be like, what?

Corey Ham:

So the the based on six digit hex, which is what Code Beautify is using, that's only 16,000,000 requests Yeah. Which is not out outside of

Andy:

the realm

Ralph May:

of reasons. Can slow that for sure. Yeah. You would hit so many though, I mean, before you got to 16,000,000. Also, here's my other question too.

Ralph May:

What like, if they expire, do they just drop off of the database? Like, I mean, that sounds like collisions waiting to happen, only 16,000,000.

Corey Ham:

True. Yeah. No. No one's ever only only 15,000,000 people have ever wanted to format JSON. It's fine.

Ralph May:

Save it. I've used this site before, just that you don't save anything on there.

Corey Ham:

Yeah. I've I've of course. And I think a lot of people have used a site like this. Very few people have actually saved

Ralph May:

that page. It's like I've never went to the site. I'm like, I need to save this just in case I need to go back to it. Like, why? Right?

Corey Ham:

I feel like it's gotta be mostly troubleshooting. It's like, hey, this doesn't work. Here's my JSON response from your API. Here here's I'll

Ralph May:

save it. Yeah.

Corey Ham:

But Yeah. I mean I'll send it

Ralph May:

to though if it's not sensitive, but it sounds like people were using it as a scratch pad. So I mean,

Corey Ham:

it's kinda like how this is the same category as like peep we can't have nice things, like passwords are a good example of this. Like, we can't have nice things. People cannot be trusted with passwords. I think that's true with what is sensitive data. Yeah.

Corey Ham:

What is sensitive data? Well, everything is sensitive data. So don't allow people to post anything on the site if if you don't want to, you know, get exposed. That's my take.

Bronwen Aker:

Speaking of nice things and, you know, sensitive data, what is this nonsense about lawmakers in Wisconsin wanting to get rid of VPNs?

Belouve:

Of course, it's Wisconsin. Like, I I

Corey Ham:

I love that they would ban that would be so funny if they actually ban VPNs, then no one in the government could access their work anymore.

Ralph May:

I I don't even know how like, I don't know how you even go through with, like, actually banning VPNs. Like, how how Yeah.

Corey Ham:

Do you do that?

Ralph May:

Yeah. Like, what is that? Like, I don't yeah.

Corey Ham:

No. Just block just on the Wisconsin state firewall, block port, you know, 500? Like, do you do?

Ralph May:

But you you can't just block a single port and expect VPNs to be. So, I mean, essentially, the only way that I've seen, like, somewhat of success at this and by the way, this is not actual success. It's like China and other very restrictive countries, what they do is they have to monitor all the traffic, and then they have to look for certain kinds of indicators that might indicate it's a VPN. It could be

Corey Ham:

a port. It could be

Ralph May:

deep packet inspection. You know, it could be all of this stuff. It's extremely expensive, and they still have to cast kind of a wide net, and there there's no way they'll stop at all. They there's just it's impossible without a sense of blocking Internet.

Corey Ham:

And just to be clear, the way that they're doing it is they're basically saying, your website has to check whether someone's using a VPN and block people from Wisconsin. That's like the stupidest thing I've ever it's like, how do you like, beginning okay. Of Step one, how do you do this? Well, they say they're coming from Utah, so I don't know where they're actually coming from. Like, what would even be the enforcement for this?

Corey Ham:

You have to just know the origin IP of every single VPN connector? Like, I don't know.

Bronwen Aker:

Well, and the the other thing too, they're throwing it into, we're saving the children. No, you're not.

Ralph May:

Oh my god. It's

Corey Ham:

like, yeah.

Bronwen Aker:

One more time, we've got lawmakers who have no idea what technology does or how it works, and they're trying to legislate to defend something and they're making it worse.

Ralph May:

Are kids just, like, using this many VPNs? Is that is that do we have, like, research to correlate that, like, that's and that that's how they're stopping it? Like or even that you even need a VPN for any of this stuff? Like, I can't

Corey Ham:

think that like, what? Well

Bronwen Aker:

Schools require VPNs for children to log log in for remote classwork, but that's normal.

Ralph May:

Well, now we've said it's bad. Like The yeah. Well, the amount of work

Corey Ham:

this would take. The amount of work it would take. The amount of like, it is not technically feasible for an ISP to block a VPN because of all the different ways you can tunnel traffic. Like, this essentially is like the most basic misunderstanding of how, you know, technology works. Right?

Corey Ham:

Like, we can tunnel any VPN over any protocol. We can tunnel it over HTTPS. We you know, it's like, it's Here's never gonna

Shecky:

the here's the thing is something like that is gonna go ahead and affect the everyday Joe who does not understand how VPNs work or how he can bypass this stuff. You take a look at a bunch of your streaming services like the BBC iPlayer that goes ahead and does a decent job of blocking people trying to VPN in to The UK to go ahead and get free BBC shows off of it. This sort there is some sort of technology out there that streaming services are using to try and block down some of this stuff. Now, is it gonna stop somebody like you or me from it? Or somebody that looks into it?

Shecky:

Probably not. Will it block the everyday lazy Joe? Probably.

Corey Ham:

Well, so I kind of disagree with that. So the way that so the way that they block you know, the way streaming services block VPNs is they just keep an IP database of streaming or a VPN endpoints. Right? So they have like these IP info or another service that says Yep. Oh, the origin endpoint for this user is VPN.

Corey Ham:

We're gonna block this endpoint. Right? So that's pretty easy to do technologically. And basically, my assertion would be if the state blocks VPNs or certain protocols of VPNs, the VPN provider, whatever, Mullvad, ProtonVPN, Just gonna add whoever it is, just changes the client so that it uses whatever obfuscation technique isn't being blocked by Wisconsin at this very moment. And then it's just a moving target of like,

Bronwen Aker:

okay, becomes a game of whack a mole

Corey Ham:

at And that it's not up to the user. The user's just rolling whatever VPN client they want, but the VPN provider has a huge business interest in

Andy:

Yeah.

Corey Ham:

Block and bypassing whatever the state's block is. Cat and mouse game between the state ISP and the VPN provider

Ralph May:

Who's getting paid and the state ISP who's not gonna get any Correct. Like, the more the better their technology is, does nothing. Like, they don't get Correct. Funding. They don't get nothing.

Ralph May:

Like, this is it goes nowhere. Right? Additionally Yeah. It really starts to affect the constituents. Right?

Ralph May:

Now, they get to decide whether this is something that they wanna fight.

Corey Ham:

How much money do you wanna spend in IT funds for the government to try to figure out how to block or, you know, if you're an ISP, do you wanna just incur the fines and not block it because it's cheaper than trying to roll it? The other thing is like, never underestimate just the sheer will and determination of a child trying to do something they are not supposed to be allowed to do. Like, coding hacking? Kids will yes. That's how all of us got into hacking.

Corey Ham:

Kids will be coding up entirely new VPN bypasses that You don't even have to code it up.

Ralph May:

They'll be asking their AI to do it for them. Right? Like, you know

Bronwen Aker:

Okay. Here's the other thing though. Who really are the number one users of VPNs? Businesses. So essentially, what the lawmakers in Wisconsin are saying is that your sensitive data for your business isn't important to us because we have to save the children.

Corey Ham:

Yes. That's another thing. It's funny that they would have to figure out how to differentiate between legitimate uses of a VPN.

Ralph May:

And the only way to do that is to look at the data on the VPN. Doesn't that defeat the whole purpose of the VPN? Right? Is zero.

Corey Ham:

Do you

Bronwen Aker:

know who

Andy:

this isn't going to stop? 15 year olds who wanna look at porn.

Corey Ham:

Yes. Correct. No matter what.

Andy:

100% Everyone like it's except teenagers trying to look

Corey Ham:

at Also, like, the whole, like, legitimate business, you know, like, how do you differentiate between NordVPN or whatever, ProtonVPN Mhmm. And not a commercial VPN? Well, what what if I just spin up a new Wisconsin company called Technology Incorporated that our main business all of our our employees are everyone, and our main business objective is have Internet provided to everyone. And what do you know? Now it's a corporate VPN.

Corey Ham:

I just can sell that like, it doesn't make any sense. I don't see how you would possibly do it like Yeah. Yeah.

Belouve:

Well, I'm I'm I'm reading through the I'm reading through the bill here, being from Wisconsin, and of course, it's all from But one what I'm seeing is that, like, there's they have this this whole, like, hey, you need to you need to filter for a virtual private network system or virtual private network provider. But the the the prelude to this is that if you're a business entity that you're publishing material harmful to minors on the Internet, then you need to make sure you do this. So every business Well, that's every business.

Corey Ham:

Every business that I guess, I don't know who that applies to, but if you're Netflix and you have shows that are 18 plus, which they all do

Belouve:

Yeah. They're gonna they're gonna do very broad thing. I also think it's rich that this certain party cares about child abuse. There's some I other mean, I think it's like done

Andy:

this in Texas to a certain extent.

Corey Ham:

Yeah. Like, if if you What?

Andy:

They blocked VPNs? I've I've heard that if you try to visit adult sites in Texas, they will give you a, hey, you can't do this in Texas thing unless you, like, create an account or verify your ID or blah blah blah.

Ralph May:

That's how it is.

Andy:

Unless you use a VPN.

Corey Ham:

That's how it is in a lot of places. Yeah. Florida's the same way.

Ralph May:

Right? But it's it's up to the That's

Corey Ham:

where the VPNs come in. Yeah. So Wisconsin's a step ahead

Ralph May:

I use of being a Texas VPN to access Florida's

Corey Ham:

I mean, that's the thing, is it's just like it gets into that, like, the infinite combination of the, you know, different states, different policies, content harmful to minors. I would call certain sports harmful to minors. Are we gonna allow them to watch, you know, like like, it's or like religious things, or it could radicalize them. Like, it's what it's like anything else. Like, you could totally categorize anything as harmful to minors.

Belouve:

There are certain there are certain chapters of religious works that you could Yeah. There's there's there's there's oh, oh, yeah. Now I now I can't watch my church livestream. So

Ralph May:

The the VPN argument does boil down to the, like, encryption. Right? Whether you should be able to outlaw encryption. Right? That's the whole like, that's where it kinda funnels into essentially.

Ralph May:

Right? So yeah.

Corey Ham:

Yeah. Anyway, I think we can we can Yeah.

Andy:

We can

Ralph May:

we can let this one die.

Corey Ham:

We'll we'll see what happens when you know, if they actually roll this law, what happens. Like, we know laws already rolled to block access to minors to and now everyone's using a VPN. So now they're like, one step further, let's see what happens if we block the VPNs. Yes. I don't know.

Corey Ham:

Stay tuned. Subscribe or whatever you do. Yeah.

Bronwen Aker:

Like and Hey,

Ralph May:

this one's close to you, Corey. 7-Zip. It's got the a critical vulnerability with public exploit.

Corey Ham:

Yeah. But it's not that exciting.

Ralph May:

Alright. Alright. Alright.

Andy:

Well, Slow down. What up?

Ralph May:

Give it to us then. You you seem so excited.

Corey Ham:

So, okay. This is 7-Zip, which is a, you know, file compression tool. Actually, I would say 7-Zip is pretty commonly used in corporate environments, more than you might expect. Probably more than WinRAR. I mean, what company

Ralph May:

is paying Oh, WinRAR for though. I mean, they all got that license still you have

Corey Ham:

What company is paying is not paying for a WinRAR license these days? But, yeah. Basically, there's a vulnerability, a critical vulnerability in 7-Zip. This is gonna be the plague of every sysadmin's existence on Nessus scans for the next year. Oh, And sadly, hackers won't be able to really do much about it.

Corey Ham:

It all they have to do the big the big scary one about this one is all they have to do is open the archive. They don't have to extract anything. They don't have to do anything. They just have to open the archive. And that's the scary thing.

Corey Ham:

It's already been fixed. It's already been patched. It was patched in July 2025. So version 25 plus is already fixed. The the big thing is like people assume that 7-Zip isn't being automatically updated or patched in most environments.

Corey Ham:

So It's not. So maybe this will be a like gift that keeps on giving, but the problem is, I you know, if I'm a hacker sending in payloads somewhere, I have no idea if they have 7-Zip, but I guess I could ask them to install 7-Zip, but then they're probably gonna get the most latest version of 7-Zip.

Ralph May:

Yeah. So

Bronwen Aker:

Yeah. You

Corey Ham:

just have to hope.

Andy:

No. They're they're gonna Google 7-Zip, and they're gonna find an ad for a different malware. A different malware.

Ralph May:

This is like one of those things where it's like in the bag of tricks. Right? You're on an internal already, and you see that they have 7-Zip installed. You see the version is vulnerable. You're like, win win.

Ralph May:

Right? Like, yes, you already have some level of access, but this is now gonna allow you to, you know, maybe make that initial first administrative access or like that higher level above where you are.

Belouve:

So

Corey Ham:

Yeah. And also, this could be really good for watering hole attacks, meaning like, I'm on a file share, I put a bunch of 7-Zip files around the file share, and just hope that someone opens it, like, have, you know executivecompensation. Executivecompensation.7zip, and then see if someone opens it, and, you know, I just get a bunch of callbacks from that over time. Yeah. Yeah.

Corey Ham:

I I I mean, it's not good. This is not the full first vulnerability of this type in 7-Zip. This has kind of been a long running track. And so I would assume, hopefully, companies that are rolling 7-Zip to their corporate workstations have an update mechanism baked in. And, you know, if you're just people installing it, they'll probably be updating, hopefully.

Corey Ham:

It

Ralph May:

is one of those tools though that weirdly enough, probably a lot of organizations do have since it is like pretty much free to install and and out. So, yeah.

Corey Ham:

It's pretty I think it's required in a lot of industries to use encryption. Right? If you're sending, like, if you're in healthcare or other industries, you can't just be emailing around sensitive data. So a lot of companies are using sensitive shouldn't. Data.

Corey Ham:

You can't. Well, yeah. And you shouldn't. But it's also like

Andy:

Email's You know, email's not safe. Just use JSON Beautifier. Yeah.

Corey Ham:

Yeah. That's that's true.

Ralph May:

I just use Pastebin, the secret notes. Oh, interesting.

Bronwen Aker:

In the day

Corey Ham:

when I worked Tans,

Bronwen Aker:

we always had to have students install 7-Zip because the native extraction utilities on both Mac and Windows couldn't handle the heavy files for the virtual machines. So, I mean, it's yet it this is this is definitely potentially going to inflow impact a lot of people who don't update regularly. But, you know, that's one of the reasons why you should update regularly.

Corey Ham:

Yep. Update your 7-Zips, people. It's gonna be 8-Zip sometimes.

Ralph May:

Yeah. You gotta use 7-Zip to update 7-Zip though.

Corey Ham:

That's Yes. How many people

Andy:

that don't update regularly are reading Hackread?

Corey Ham:

Or or are listening to this podcast?

Ralph May:

Yes. Yes. I assume Tell your family members.

Shecky:

Yeah. Your family members update now.

Corey Ham:

It it doesn't have a built in update check mechanism. Right? No.

Ralph May:

Doesn't have any of that now.

Corey Ham:

So that's like, that's why everyone's panicking about this, because like, it won't when you open 7-Zip, it won't say, oh, your 7-Zip installation's outdated. Yeah. Alright. What else we got?

Ralph May:

Well, I was gonna talk about this article about searching the Internet before AI. Oh, Slop Evader? Let's talk about Slop Evader. Right.

Andy:

Right. We were joking we

Corey Ham:

were joking about this before the podcast. Let's talk about Slop Evader.

Ralph May:

I didn't hear that. The

Bronwen Aker:

pre-show banter.

Corey Ham:

Explain someone explain Slop Evader to me like I'm five and don't use AI.

Bronwen Aker:

Slop Evader is a browser plugin that restricts what you will be able to access so that all of the articles you read are pre November 2022, which was when ChatGPT was released.

Corey Ham:

So okay. I want get back to

Bronwen Aker:

dorks. Okay?

Corey Ham:

The biggest okay. The biggest thing about this article is that it the the person who made this is an artist. Okay? That is the thing to know. This is art.

Corey Ham:

This is not actually useful. It is more of a statement on the way of the state of things than it is actually useful. All it does is that it just uses Google search functions to filter out websites that are November whatever 2022, which is the day ChatGPT was released, which I feel like I mean, I do wanna poke many holes in this just because we're technical and that's what we do. Number one, people use search engines other than Google. Number two, AI existed before ChatGPT was released.

Corey Ham:

Oh. Yes. I don't believe

Bronwen Aker:

I remember Watson.

Belouve:

I do think this covers like five five search engines though.

Corey Ham:

Oh, there's only five search engines. No one's just using ChatGPT.

Belouve:

Yeah. One's using anything else. So I think it I think it covers, like, if you search Reddit as well, then it'll be like, no. It needs to be something that is before November.

Ralph May:

So you're just gonna forget the You're gonna find only useless garbage.

Belouve:

Yeah. That I mean, that's the explain it, like, I'm five is, like, just pretend today's date is November 2022. And if if you if you come across anything after November 2022, that's it it slows it it

Corey Ham:

don't slows disagree. Stupid.

Ralph May:

I don't disagree. By being slop. Right? I I'm not I'm not disagreeing or or saying that that is that is not true. But what I am going to say, though, is that things before AI weren't slop either.

Ralph May:

Like, I don't understand. Like, you know, like, I get it. They're AI slop, so that's a different kind of slop. But like, before, everything was like, you know, it was homegrown, like GMO type stuff. Right?

Corey Ham:

Yeah. I mean Non GMO stuff. Yeah. I was gonna say, there's been slop on the Internet forever. Apparently, you know, the the person, the artist who made this really feels that, you know, sites like YouTube, Reddit, Stack Exchange, and apparently, Mumsnet, which is for parenting Mhmm.

Corey Ham:

Are full of slop and, you know, they're really specifically wanna search those sites without results from 2022. Oh.

Bronwen Aker:

But And that is a legitimate complaint. I mean, AI-generated slop has taken over YouTube and it's

Corey Ham:

Has it?

Bronwen Aker:

How It has. Oh. Oh, it's bad.

Corey Ham:

What does that look like? Because I haven't really seen that. Maybe that's the real

Bronwen Aker:

It I mean, there are entire channels that are nothing but AI stuff. There's one like history to to help you sleep, and it's AI generated history stuff with AI generated animations. And I'm I know enough about history where I've I've watched a couple of these things and it's like, no, that's wrong. No, that's wrong. Then that then Yeah.

Bronwen Aker:

And but it's it's AI slop, but it's there and people are eating it up. And it's it's just it's it's awful. And of course Yeah. Yes. Slop has existed long before the the LLMs and AIs came along to add to the problem.

Bronwen Aker:

But, you know, it's it's kinda like junk mail escalating when email came along.

Corey Ham:

Yeah. It's Interesting.

Belouve:

It's And

Bronwen Aker:

go ahead.

Belouve:

Yeah. You also have, like, AI slop products, which I mean, I go, like, for the holidays, like, be on the lookout for that because they're just gonna be like, oh, here's here's this awesome thing. Like, you can get, like, a full suit of Star Wars armor for $50. Look at it. Here it is on, like, the, you know, here it is on the, you know, on the website.

Corey Ham:

Here's an image that's definitely not AI generated.

Belouve:

That's definitely not AI generated because it's it's going to be, like, slightly different between different pictures, and they don't have any sort of product things. The product reviews for these things are you can tell are kind of AI generated because they'll have a lot of them will have, like, that that qualifier tool. They'll be like, you know, as a hacker, I like this. As a college student, this is extremely useful. As a person in this industry, I like this.

Belouve:

It will all

Corey Ham:

have a model. It will all a large language model.

Andy:

Have the

Bronwen Aker:

prompt buried in whatever the product is.

Belouve:

Yeah. So you have to be on the lookout for that.

Corey Ham:

Okay. But have we not like, I know that slop the amount of slop is shocking. Like, don't disagree with that. But I will say, I I was it's crazy to think of a time on the Internet where we had to question whether some of the images were real or fake. That's never been

Andy:

a thing.

Corey Ham:

Photoshop doesn't We

Andy:

need to Corey, we need to play this video that Zach just just dropped in Discord. I I think I think everyone needs to see this. It's it's important. It's short.

Corey Ham:

Okay. That's a that's a Megan thing. I can't play videos.

Ralph May:

Yeah. I don't even know how videos are.

Corey Ham:

I'm not authorized for that kind of access.

Andy:

Oh. Where'd Megan go?

Ralph May:

The I I think the the amount of AI stuff that we have now too is just I think that's really what I was getting at.

Corey Ham:

I want an enhanced version of this add on that goes back before the release of Photoshop as well.

Ralph May:

Oh, alright.

Belouve:

Well, now you're gonna

Ralph May:

have to get Internet Explorer and there is actually, I saw this the other day. There is a Windows 95 that somebody wrote that you can run on your computer. It's not it's it's our it's our prebuilt. They, like, rebuilt it all in JavaScript, and it works great. It, like, it's like Windows 95, you can just install it on your computer, Mac, Linux, whatever.

Ralph May:

It works great.

Corey Ham:

So Okay. Is there a news article for this or do you just happen to know

Ralph May:

about this? No. I just I'll I'll send I'll send the link. But, yes, there's a Windows 95 and you could browse the Internet as if it was Windows 95. So there's like you can go to like So

Corey Ham:

you can't browse the Internet? Well, a lot

Ralph May:

of websites you can't browse the Internet in Windows 95. You have to go to specific websites because Internet Explorer will explode.

Corey Ham:

Just Yeah. So I will say

Andy:

Does it take you like ten minutes to load any website?

Ralph May:

No. That's why you gotta go to the websites that are designed to load in Windows 95. You know what I mean?

Andy:

I think because it'd still take like ten minutes.

Ralph May:

No. It's not on 56 k.

Bronwen Aker:

Only if you're using a modem. Yeah. And a landline.

Corey Ham:

I I will say, I do think there's actually a legitimate business case for the a product like this. Something that's designed to help you easily identify and and filter out AI generated content, whether it's images, videos, whatever it is. I think there's a legitimate business opportunity here. However, unfortunately, that product itself is gonna have to be AI driven. So it's kinda like, it's gonna be slop on slop.

Corey Ham:

It's gonna be like Oh. Using an AI model to tell whether something is generated by an AI model. It's just like turtles all the way down, just the same thing looping back

Andy:

and forth forever.

Shecky:

No. What we Hopefully, we're

Belouve:

getting there

Andy:

though. We need is AI

Shecky:

we need is we AI to go ahead need AI to photoshop an AI generated image of AI photoshopping an AI generated image. That's what we need.

Andy:

That makes perfect sense. So, like, at least Sora too, the or or Nano Banana Pro or whatever the hell Google's new thing is. Like, they're actually doing, like, built in, not watermarking, but invisible watermark type stuff that

Corey Ham:

you can actually cryptographic.

Andy:

Yeah. Yeah. So that, you know, it can actually be identified as slop. If everybody does that, then I mean, 90% of the slop's gonna go away. Yes.

Andy:

You can do a local model. You can you can get around it. But the whole reason we have so much of this slop is because it's so accessible. And just because it's so easy and the barrier to entry is so incredibly low. As soon as you start adding any technical barriers to untraceable slop, 99% of it is gonna get filtered out as easy slop.

Corey Ham:

Yeah. I mean, I I think the biggest thing is, like, we need we as nerds need to make sure that the people around us who are not necessarily as nerdy as us understand how easy it is to generate slop and as long as once you know that slop exists and that it, you know, what it can be and what it can do, it's not that hard to identify and filter it out just, you know, kind of browsing past it. But if you think everything on, you know, every video you see on the internet is real, then you're gonna have a bad time. Right? Like that that's, you know, you don't wanna do that.

Corey Ham:

So I will say I have seen some pretty funny videos of people like using AI to render in like, you know, as an example, like a daughter is texting her dad pictures of like, I let this plumber into our house and it's just like clearly a homeless guy in their kitchen or whatever. And the dad's like calling her. She has like 15 missed calls from dad being like, what? He's in our house and they're just using AI to, you know Jesus. Add a person into the house.

Corey Ham:

So, you know, she had to increase awareness that these things are out there and that, you know, slop is slop and we gotta watch out for it. Inform the non nerds in your in your world.

Bronwen Aker:

Downloaded the Zach video. I can see if it will play with audio.

Corey Ham:

Let's see if we can Yeah. Show off some slop.

Bronwen Aker:

Here we go.

Corey Ham:

No audio. No audio. That's all

Ralph May:

It it does play perfect. Just no

Corey Ham:

This isn't slop. It's definitely not generated with Sora. It doesn't have any watermarks.

Andy:

That looks exactly like Zach.

Ralph May:

Yeah.

Andy:

I couldn't tell that that wasn't Zach.

Bronwen Aker:

Looks like Zach almost always wears a cap, doesn't he?

Ralph May:

How many fingers does

Corey Ham:

Zach have? Does he have seven?

Ralph May:

Does he have seven? But see, that's just the thing, they'll fix that and then they'll fix the next thing and then they'll fix the next thing and then you'll just be like, damn it, I can't tell. And then be like, now

Belouve:

what do we do?

Corey Ham:

Not saying

Bronwen Aker:

at least the fact that AI slop is out there is hitting mainstream media. We just finished up season seven of The Rookie here in this household, and they had an episode where a woman used AI to catfish her own husband. And he fell for it and didn't count didn't notice the fact that one hand of the the person had seven fingers and the other hand only had three. It was it so at least it's hitting mainstream consciousness. I will say that's a plus.

Bronwen Aker:

Yeah. Yeah. But we're not out of the woods yet. It's gonna get ugly before it gets better. Uglier.

Bronwen Aker:

Alright.

Corey Ham:

Let's talk about China. Even though John isn't here, we can maybe summon him by talking about China. China. He's on a plane. Yeah.

Corey Ham:

So this is an article from Kyiv Post talking about basically China is also increasing their espionage attempts targeting Europe. So, you know, I don't think this is super surprising. We've seen it a lot in the US with, you know, the Salt Typhoon infections of US ISPs and government hacks and things like that. But essentially, this is just an article talking about emphasis on cyber espionage in recent European cases. They're trying to build relationships with people.

Corey Ham:

They're trying to, you know, embed themselves more deeply in European institutions, which is pretty spooky. I guess, super surprising necessarily, but it is interesting. Yeah. One of the cases they outline is big hunt headhunters approaching paramilitary individuals with lucrative job offers. Right?

Corey Ham:

Which is like, you know, an interesting tactic. It's basically like recruiting foreign assets. Right? That's like espionage. Classic one.

Corey Ham:

This is this is not new. Right? It's the same play Corey,

Andy:

minor minor correction. Parliamentary staff,

Corey Ham:

not paranoid. I can't read. Basically So that's worse.

Ralph May:

Same thing.

Corey Ham:

That's way worse. And and just basically government employees. Weapons. Government employees without weapons, not

Andy:

The pen is mightier than the sword, Ralph.

Corey Ham:

Yes. Absolutely. Yeah. Basically, trying to recruit a foreign resource. There's evidence of that happening in the UK.

Corey Ham:

I'm sure it's happening here. I don't know if we've seen any news articles necessarily talking about that here, but I'm sure that if you're a staffer for Trump, you're getting a lot of really interesting LinkedIn messages these

Ralph May:

days. Well,

Andy:

on the bright side, we don't have a bunch of former government employees that suddenly got laid off.

Corey Ham:

No. No one is looking for any jobs or anything.

Andy:

So they're not gonna be susceptible to this sort of thing.

Corey Ham:

No. No. That's true. Yeah. No one would fall well, no one would fall prey to this.

Corey Ham:

No. No. Anyway, did you all see the iOS vulnerability, I guess? It's like Apple? Is it it's like, is it?

Bronwen Aker:

I can't. I don't know. Update all the things.

Corey Ham:

There's a hidden setting that you must change that leaves your phone open to attack.

Bronwen Aker:

Oh. Apple left hidden settings?

Ralph May:

Up up

Bronwen Aker:

down down

Corey Ham:

left devices. Right. What is the actual So basically, the vulnerability is that the USB port is enabled after reboot? Is that the vulnerability?

Belouve:

No. I think I think just after unlock.

Ralph May:

Yeah. After you've unlocked that the USB port is available.

Belouve:

Yeah.

Ralph May:

You can change it to always ask or ask for new accessories.

Corey Ham:

Allow automatically when unlocked Yeah. Change to Yeah. Always ask ask for new accessories? I mean, if my phone's unlocked, I don't see, like

Ralph May:

Look, there's If you plug if your phone's unlocked and you plug in and you plug a USB accessory in there, I I guess it doesn't prompt or give you any

Corey Ham:

Yeah. Same thing. Just don't see any interests? I can't imagine a scenario where, I guess, I'm I'm charging my phone while it's unlocked. Are we gonna go back

Andy:

to No. No. No.

Corey Ham:

Delicious phone Juice jacking?

Shecky:

Can we

Corey Ham:

bring it up? Juice jacking?

Ralph May:

Corey, I think what they're

Corey Ham:

Juice saying is jacking.

Andy:

After a reset and you unlock it once, like, counts as unlocked. Yeah. Whereas after this update, every time it's locked, it would count as locked or something. Weird.

Belouve:

Don't even have that I don't have that option on my phone after update. So I updated this morning because I got that prompt saying, hey, there's

Corey Ham:

a You got juice jacked?

Belouve:

No. Didn't get juice jacked. No. Was a there was I got a prompt being like, hey, your iPhone's out of date because it just company portal and everything there goes, hey, you're you're trying to

Ralph May:

do your because they knew you were

Corey Ham:

gonna get juice jacked soon.

Belouve:

Yeah. So I I updated it and that setting isn't there anymore. Like, I don't have the I don't have under the privacy and security like what they show in I'm I don't I don't have that

Andy:

in the Or was it a text message that was like, click here to update your iPhone? It was a finish.

Belouve:

No. Yeah. Okay. So no. It's it's through, like, the the Okta app.

Belouve:

So it'll have if if you're if you try to you know, if you if you look up your your push notification on your Okta app, like, it'll say, like, hey. You know, it's like a little, like, security icon in the corner. It says, hey. You're not on the latest version. Your your phone isn't running.

Corey Ham:

Looks like he got juice jacked.

Bronwen Aker:

It's not me.

Corey Ham:

He got juice jacked. Oh, no.

Ralph May:

That's one way to go.

Corey Ham:

They got Belouve. Those juice jackers are those juice jackers take take things serious. Don't wanna mess

Belouve:

with them.

Ralph May:

I plug my phone into every suspicious USB port. If they're gonna waste a zero day on me

Corey Ham:

And always when it's unlocked,

Ralph May:

of course. It's always unlocked. I don't have

Corey Ham:

a code. Oh, he's back.

Belouve:

Yep.

Corey Ham:

How was the how did it feel to get juice jacked, Belouve?

Belouve:

I don't know.

Corey Ham:

What does it feel like?

Belouve:

No. It feels it feels fine. I'm not I I don't know.

Corey Ham:

You're gonna feel a slight pinch.

Belouve:

Slight pinch? Oh, I I

Ralph May:

The classic. Just your nerves.

Corey Ham:

No. It's just your nerves. I I I

Belouve:

I I've had all sorts of needles on all sorts of nerves this year. So if it's anything like that, I'm used to it.

Corey Ham:

Anyone else have any other fun articles? It was kind of a slow news week, honestly. I almost like everyone's eating turkey. Thanksgiving.

Andy:

I don't know how fun it is, but we can talk about Meta slash Facebook doing Meta slash Facebook things that aren't really

Corey Ham:

What even what even is that? I I saw the news article and I was like, I don't understand this.

Bronwen Aker:

Andy, you talking about the the strike policy?

Corey Ham:

The

Bronwen Aker:

For sex trafficking?

Corey Ham:

This is an old no. Oh, we we that is an article we talk about. That's a different one.

Andy:

I mean, yeah. So there's there's the is that the one that I put in the notes?

Shecky:

No. You put down the one about the mental health, the study on mental health.

Andy:

No. No. The mental the mental health one was there. And then we have the one from, like, three weeks ago about, you know, Meta making, like, $16,000,000,000 a year off of what they know to be fraud.

Bronwen Aker:

Yeah. Well, the one it's a little

Corey Ham:

bit elaborate. In our note.

Bronwen Aker:

Met November 24 is the date on it from The Verge. Meta had a 17 strike policy for sex traffic.

Corey Ham:

That's a lot of strikes. I I've won the baseball and it already I takes can't imagine how much longer it would take with 17 strikes

Bronwen Aker:

in To me,

Ralph May:

strike policy that goes to 17 is not much of a strike policy. That was what

Corey Ham:

the AI recommended. Why

Bronwen Aker:

do we even bother kind of thing?

Corey Ham:

Alright. Either way, why don't you run us through this article, Andy, and we can see what's going on. We I guess I'm gonna

Ralph May:

I'm gonna borrow the strike

Andy:

policy. Here, let me let me post the fraudulent ad one.

Belouve:

Oh, gosh.

Bronwen Aker:

Meta's just all Fraudulent ads?

Corey Ham:

Really? News this week.

Ralph May:

They have 17

Andy:

No. This this is a this isn't old. This is like November So we're we're we're dragging up some old news here. But Meta had, like, 10% of its revenue from 2024 was projected that it would come from ads from scammers and banned goods and everything else. And, like, they they knew this.

Andy:

And they had policies internally.

Corey Ham:

I'm curious about that. It's pretty funny. It's like, yeah, we know they're scammers, but I mean, money.

Ralph May:

Money. I mean, what would

Andy:

you were actually charging the scammers more money.

Ralph May:

Oh, this is classic.

Andy:

Like, programmatically. So they'd like, oh, this is high risk to be fraud. Let's charge them more money.

Ralph May:

Oh, my gosh. Yeah.

Corey Ham:

Okay. So this is leaked. Is this leaked documents? These aren't these are this was not intentional for them to publish this. Right?

Bronwen Aker:

A cache of previously unreported documents reviewed by Reuters also shows that the social media giant for at least three years failed to identify and stop an avalanche of ads that exposed Facebook, Instagram, and WhatsApp billions of users to fraudulent e commerce and investment schemes online casinos and banned medical products.

Andy:

Now, hey, in Facebook's defense, they will ban advertisers if the automated systems predict that the marketers are at least 95% certain to be fraud. Well, hold on. So they have

Corey Ham:

to Only after 17 strikes.

Andy:

Yeah. Okay. That is you you have to get 16 strikes first.

Corey Ham:

And then you

Andy:

once you're at that.

Corey Ham:

Fool me once. Shame on you. Fool me twice. Shame on you. Fool me thrice.

Corey Ham:

Shame on you. I don't know what the I don't know what the word is for 17 times, but also shame on you. Oh my god. Yeah. I mean, that is, I guess Capitalism.

Corey Ham:

Their defense, I think, like, they acknowledged basically that like, okay. Yeah. It's true. But also, the data was, you know, excessively broad or, you know, they basically were just like, this is, you know, a mislabeling trick like, oh, we just cat it ads.txt and grep for scam and that was 10%. So that's, you you know, like I don't know exactly what they're saying but The the part

Andy:

of this that frustrates me is that if any one of us tomorrow was like, hey, I have this great business idea. We're gonna do nothing but serve up fraudulent ads to people and we're gonna make $10,000,000,000 next year, we would go to jail.

Corey Ham:

No. They're too big to

Andy:

we would go to jail.

Ralph May:

Too big to jail. That's that's how it works.

Corey Ham:

So, okay. My question would also be, what is Google's percentage of scams and ads? Because like every advertiser has to has to grapple with this. Yeah. If you have the ability for me to create an ad, it's incredibly difficult for you to differentiate whether I'm a legitimate provider of that service or a scam provider of that service.

Corey Ham:

So I guess I'm curious what other major advertising networks are doing about this. Like, does Google have 10% ads? Is is this ever been disclosed?

Andy:

It to be massive. I mean, Google can't even or doesn't want to stop, like, malvertising for Chrome. If they can't stop malvertising for their own products, then what hope does anyone else have?

Corey Ham:

Yeah. I mean, I think I couldn't find, like, a corollary number, but basically, this is something every company is gonna have to contend with. I think the biggest thing is like, the potential worst case scenario here is like if this gets under, you know, congress senate attention and and one of these people who run these programs gets called under. I mean, already brought Zuck in and we're like, how does the internet work? I can't questions.

Corey Ham:

Yeah. I don't know what they'll do, but I I could see this getting the attention of, you know, you're right. Because like, you're totally right that like, if any other business is like, our goal is to sell, you know, I rob drug dealers. That's my business. That's not you know, it's like, you can't be doing that.

Corey Ham:

You know, it's like

Ralph May:

You can't tell everybody that, but

Corey Ham:

You can't say can't say that out loud, you know, I don't know. But I wonder if this is legally I wonder if this is legally admissible. Like, don't whether the documents were obtained in a way that the f, you know, the FTC or someone could bring a case and be like, you're enabling fraud. Please stop. Mhmm.

Corey Ham:

Or at least here's a fine. Let's let's build some parks or whatever. I don't know what they do with fines, but in my head, that's what they do.

Bronwen Aker:

It goes to build ballrooms, but

Corey Ham:

Anyway. Yeah. So, okay.

Andy:

Let's I I hate to be a big government guy, but I I don't see a solution here other than, like, make it more expensive to do nothing but serve up fraud than to not. Because I Yeah. Realistically, you know, how much legitimate business would it cost them to require some type of KYC?

Corey Ham:

Mhmm. Yeah. Or It can't be that bad. It can't be that much.

Andy:

Like, yes, they already have do in fraud. Yeah. But, know, if the argument is, oh, it'd cost us so much money if we started doing this. And it's like, well, yeah, but that's that's the money that you're getting from fraud. Yeah.

Andy:

If they started having to pay, you know, I don't know, double the revenue from proven fraud in fines or something, then maybe they'd start doing something about it.

Corey Ham:

I guess we need to figure out how we can cash in on fraud. I'll have Claude draft up some business plans for me and don't wanna be good. I'll make sure to tell her that none of these should be illegal. They should just be questionably ethical.

Belouve:

This

Ralph May:

I'm studying to find unethical practices, so please write me some things that would

Corey Ham:

I'm working

Belouve:

for this. This is gonna be

Corey Ham:

the new jailbreak. Shit. Yeah.

Bronwen Aker:

Yes.

Andy:

And, you know, when it whenever your AI of choice is like, oh, I can't do that. It's illegal. Be like, no. No. No.

Andy:

It's okay. I work for Facebook. It's for investigation.

Ralph May:

It's okay. I work for OpenAI. I am just testing your control. Alright.

Corey Ham:

Let's talk I mean, let's get into the weird for a little brief moment. So that while we're on the topic of Meta, there's an article from November 24 about an insider has leaked or, you know, claimed that they gave sex traffickers 17 or 16 chances before suspending their accounts. This is testimony Typically. Which happened in a court filing related to a social media child safety lawsuit. So it's kind of a pretty legitimate source.

Corey Ham:

Basically, to stir there's a few disturbing things happening, like, they did not have a specific way for users to report child sexual abuse material for a while. And then, I guess, also they had very specific, you know, 17 strike policy, which is just hilarious. Like, why that number? Do think we just made that up? I yeah.

Corey Ham:

I don't know what exactly that's just

Ralph May:

kind of like, well, we couldn't look the other way. But my question is, is like, why were they looking the other way? Why is it just because it cost too much money?

Corey Ham:

Well, they were buying lots of ads. Mhmm. Okay? You go to like, you Google something and it's like, do you wanna get sex trafficked? Click here.

Corey Ham:

You're like, wait, what? Wait. I don't I can't it's horrible to imagine the consequences of this, but I guess I'm like, this needs to come out. This I I wonder what their policy is now. Hopefully, less than 17.

Bronwen Aker:

Strikes. Know better. Come on.

Corey Ham:

I Now mean it's AI generated strikes. It's like, whether the AI deems you to be a problematic account or something. I don't know. I mean, moderation is tough. I'll give them that.

Corey Ham:

Like, moderating the amount of content they have to moderate and the amount of like, this is basically an impossible task. To try to like, drink the fire hose of the internet, identify malicious actors or or problematic actors and remove them, that's basically impossible. But doing, like, having a not no ability to report CSAM and also no way to, you know, have like a policy like a one strike. Like, why tolerate this at all? I I I guess false positives because you could use it to DOS people but like, I don't know.

Corey Ham:

It's kind of a crazy thing. The other thing is like, once you ban these accounts, can't they just sign up for another account? Like, it's kind of stomping out ants. Like, you're not really actually doing anything.

Bronwen Aker:

Whack a mole.

Corey Ham:

Yeah. Whack a mole. Yeah. I don't know. Either way, that is a shocking revelation and kind of fits with the last article.

Corey Ham:

I think we should talk real quick while we're on seedy topics about the guy with the WiFi Pineapple.

Bronwen Aker:

Oh, no. I missed Okay. That

Andy:

So I missed this one.

Corey Ham:

Basically, the article title is an Australian man who was behind in flight evil twin attacks got seven years in prison. So basically, here's the scenario. There's an Australian man. His name is or his I I forget his name. But basically, he's a 44 old 44 year old dude who travels with a WiFi pineapple.

Corey Ham:

And you might be thinking, well, traveling with a WiFi pineapple is not that sketchy. But then, the the unfortunate thing is he's using the WiFi Pineapple to capture login details specifically for females and then using their credentials and things that he's capturing to get into their personal accounts and then, you know, grab their, you know, sensitive intimate images. So basically, it's a pervy thing as always. It's not a security thing. It's a pervy thing.

Corey Ham:

Essentially, this this goes back to 2024. He was charged in 2024 because someone on a plane, one of the employees on the flight just noticed that they were doing that they like, he was using a rogue device somehow. I don't know how they actually could tell.

Belouve:

But So

Ralph May:

I have I have a couple things here. Right? From a technical standpoint, I understand how you would make a rogue AP. Right?

Corey Ham:

Right. But You just call it United WiFi or

Ralph May:

whatever Yeah. You And you connect. Cool. What what I don't understand is how he was capturing the credentials. So one way to do it would possibly be to make a fake Facebook site and

Corey Ham:

then Yeah. That's exactly what he was doing. See.

Bronwen Aker:

Yeah. He he had a a malicious access point with a phishing web page to steal

Ralph May:

You pretty much have to use something like Evilginx or something like that for it to actually work though.

Corey Ham:

But it wouldn't work. It's literally just gonna be like fake Facebook login, error logging in. Error. Right? Because he

Shecky:

Alright.

Corey Ham:

Presumably, he's If not

Andy:

I remember, if I remember correctly from the, like, original one when this came out however long ago, it was, like, to get access to the in-flight WiFi, log in with Google. Log in with Facebook.

Ralph May:

Okay.

Andy:

Okay. He was doing a, like, fake SSO login to capture the creds.

Bronwen Aker:

Yeah. He he had password.

Ralph May:

He wouldn't get that he didn't get that session, would he?

Corey Ham:

Yeah. Nothing ever worked. Nothing ever because there's no way he was able to bridge his WiFi Pineapple to a functioning Internet connection.

Ralph May:

I could give He you, could've got on the WiFi of the airplane. Yeah. Yeah.

Andy:

I guess how they caught him, because they were like, all these people aren't paying for the WiFi now.

Corey Ham:

This guy's going down.

Belouve:

I I don't know. I don't know the details.

Corey Ham:

WiFi revenue has dropped on every flight that this guy goes on. We gotta investigate this.

Belouve:

I do know of others that have done this, and usually it involves, like, a travel router to where it's like you are getting the access to it. You're putting things out. This was on the way to DEFCON, and they, you know, they were on a different flight, but they were saying it's like, yeah, there are people

Corey Ham:

No. We got juice jacked again. Oh, no. Double juice jackings in one day.

Ralph May:

The Internet doesn't want them to know.

Corey Ham:

It looks like, hopefully, he's not connected through some other dude's WiFi pineapple. You got Jason's

Bronwen Aker:

He's running again.

Belouve:

He's back away. You Jason's license in one shot. You make me full screen and then I drop out, so I don't know. Weather. It is.

Belouve:

Yeah. It's probably just it's probably my it's probably my internet line that's getting too cold up here.

Corey Ham:

Yeah. So, I mean, basically, the the end of this story is the guy got sentenced to seven years, which is So what was

Ralph May:

the evidence? So how did they capture the evidence though? Now I'm curious of like

Corey Ham:

They seized his devices.

Bronwen Aker:

They seized

Corey Ham:

So basically, he here's the here's what happened. So in 2024, he gets off the plane and they're like, give us all your devices. Uh-huh. And then, you know, they find 1,700 items of intimate images and videos, personal credentials, records of fraudulent WiFi pages. He tried to like remotely wipe his device, it didn't work, you know, it's like, oh, it becomes a comedy of errors of like you didn't criminal you didn't criminal very well as a so

Bronwen Aker:

Okay. It it's hard though now with all of the sharing and synchronizing to completely eliminate all of your forensic evidence unless you're really careful about making sure you're only using one or two devices. If he's not a cybersecurity expert and he did have multiple devices syncing with all of these images and videos and information, that's a that becomes a really difficult attack surface to protect against someone coming in and figuring out forensically all the badness that you've done.

Corey Ham:

I mean, I guess, but clearly he's smart enough to set this up so he can also just not sync his data to a freaking cloud service provider.

Belouve:

Like, I

Corey Ham:

don't know. I mean, it's it is what it is, but it doesn't matter. But, you know Yeah. But I think the crime benefits or I think the crime fits the time. That's that's a pretty heinous thing.

Corey Ham:

1,700 images or 1,700 items is a lot. I'll be I'll qualify again. Yeah. The amount of amount of personal information in that is significant. And it's also it's interesting, like, wonder what the the the counts.

Corey Ham:

I mean, these are all like Australian laws, but they had unauthorized causing unauthorized access or modification of restricted data, attempting to cause unauthorized access, stealing, unauthorized impairment of communication. So people were like, I couldn't stream Frozen one count of possessing or controlling data with the intent to commit a serious offense. Is there one for being a perv? Apparently not.

Ralph May:

That's more of a of a infraction.

Corey Ham:

It's an interesting... from a cybersecurity perspective though, it is interesting to think about, like, if you're a SOC defender, how do you defend your employees on plane WiFi? It's really hard to defend against this attack. If someone, you know, makes a rogue AP and an employee connects to it and then they type in their credentials, like those credentials are compromised. Basically MFA, like it's the same.

Andy:

I mean, just make your people use phishing-resistant MFA. Like, enforce FIDO2.

Corey Ham:

Right. Yep. And

Bronwen Aker:

VPNs. But not in

Corey Ham:

Wisconsin. No.

Ralph May:

Those are banned. Oh, not on airplanes. International law.

Corey Ham:

It's it's international. Baby, we could get married by the captain.

Ralph May:

Oh, god. Yeah.

Bronwen Aker:

Yikes. Nice.

Corey Ham:

That's a rough one. Alright. Has anyone, have we got any, like, chicken articles or other, like, fun positive articles to finish on instead of weird pervy guy with a Pineapple? I

Bronwen Aker:

could always share the brining recipe I used for our turkey this year.

Ralph May:

Oh, brining.

Bronwen Aker:

We we we brined using brown sugar and maple mixture, then spatchcocked it, and then smoked it. And it was

Corey Ham:

That sounds incredible.

Bronwen Aker:

Amazing. It was and and I I discovered this year that the trick to really awesome green bean casserole is mixing in shredded Parmesan. And I'm not talking the cheapy stuff, I'm talking the good Parmesan and oh my god. Not the

Corey Ham:

wood chips?

Bronwen Aker:

Or no. Not not the wood chips. Not the the white fluffy stuff. No. You wanna have the good stuff that is actual shredded cheese.

Bronwen Aker:

It was amazing. And, of course, I'm talking to John over the weekend, and he says, oh, yeah. I've been doing that for years. Like, shit. Shit.

Bronwen Aker:

Shit. Shit. Uh-huh.

Corey Ham:

Throw your arm. Sorry.

Andy:

It's okay.

Corey Ham:

So, okay. Now the question is, so Bronwen, one of the things he used to do was he used to send me AI generated images of things for the holidays. So how can I, can you share a prompt that would generate a really good looking turkey for me? Because it's, Thanksgiving's over. I already baked my turkey and I'm gonna forget about that episode before next year.

Corey Ham:

But I need an AI generated turkey to eat for my dinner.

Bronwen Aker:

Well, I can just send you pictures of the actual bird because I did the food porn thing.

Corey Ham:

No. I only I want the opposite of slop. I only want slop. I want only slop.

Bronwen Aker:

The nature of the prompt will depend on which AI you're using because how you prompt in Midjourney is very different from how we would prompt in Copilot or ChatGPT. So name your poison in terms of the origin generating AI, and I will try to, off the cuff, provide you with a prompt suitable to meet the desired outcome.

Corey Ham:

I'd like to go with Ralph deep frying a frozen turkey.

Bronwen Aker:

Which which AI do you want to use?

Corey Ham:

With Copilot.

Bronwen Aker:

Okay.

Corey Ham:

Wow. Fancy. You can send me that. Just send me it offline.

Andy:

So I don't

Ralph May:

Yeah. It's RIP me.

Bronwen Aker:

Yeah. I don't use Rock.

Andy:

Sorry. That's gotta do it.

Corey Ham:

Here's some Ralph lore for you. Ralph, at least last time I checked, actually does deep fry his turkeys and has never burned down his house to so far. Yeah.

Ralph May:

Oh, so true. Yeah. It's it's not that hard.

Corey Ham:

If he can do it, you can do

Ralph May:

it. Exactly.

Andy:

Oh, yeah. That's why burned

Ralph May:

their house down. They'd like, it wasn't true.

Corey Ham:

It wasn't. Meanwhile, I I did burn my house down too.

Bronwen Aker:

Oh, yeah. The city of Pasadena actually had a PSA on how not to burn your house down by frying your turkey.

Ralph May:

I bet.

Corey Ham:

Yeah. I bet. It happens. In California, that hits a little different for sure. Yeah.

Corey Ham:

Yeah. Well Alright. Well, thanks everyone for coming. I think that's a good a place as any to call it and we'll see you next week.

Bronwen Aker:

Bye, guys.

Corey Ham:

Bye, y'all.