Talkin' Bout [Infosec] News

Join us LIVE on Mondays, 4:30pm EST.
A weekly podcast with BHIS and Friends. We discuss notable infosec and infosec-adjacent news stories gathered by our community news team.
https://www.youtube.com/@BlackHillsInformationSecurity

Chat with us on Discord! -
https://discord.gg/bhis
🔴live-chat

This episode covers several major cybersecurity and technology news stories, including Utah’s proposed crackdown on VPNs used to bypass online age-verification systems and the privacy and enforcement concerns surrounding those laws. The hosts also discuss newly disclosed MOVEit Transfer vulnerabilities and patching guidance, software trust and code-signing weaknesses, and broader issues around internet regulation and digital identity verification. Additional discussion touches on AI, science-fiction-inspired technology concepts, relativity and time dilation, and other notable developments from the week in cybersecurity and tech news.

Chapters
  • (00:00) - PreShow Banter™ — Alien Communications 101
  • (03:38) - Utah Bans VPN Age Bypass - 2026-05-04
  • (09:13) - Story #1 - DigiCert Revokes Certificates After Support Portal Hack
  • (15:25) - Story #2 - Progress warns of critical MOVEit Automation auth bypass flaw
  • (16:44) - Story #3 - Critical cPanel and WHM bug exploited as a zero-day, PoC now available
  • (23:33) - Story #4 - Copy Fail
  • (26:17) - Story #5 - Claude-powered AI coding agent deletes entire company database in 9 seconds — backups zapped, after Cursor tool powered by Anthropic's Claude goes rogue
  • (33:42) - Story #6 - Elon Musk testifies that xAI trained Grok on OpenAI models
  • (38:51) - Story #7 - Utah first state to hold websites liable for users who mask their location with VPNs — law goes into effect, designed to prevent bypassing age checks
  • (51:23) - Story #8 - Why you should refuse to let your doctor record you
  • (56:19) - Story #9 - Technique Change Type: How the ATT&CK Object Changed

Links

🔗 Register for FREE Infosec Webcasts, Anti-casts & Summits
https://poweredbybhis.com

Brought to you by:
Black Hills Information Security 
https://www.blackhillsinfosec.com

Antisyphon Training
https://www.antisyphontraining.com/

Active Countermeasures
https://www.activecountermeasures.com

Wild West Hackin Fest
https://wildwesthackinfest.com

Creators and Guests

Host
Corey Ham
Corey Ham has been with Black Hills Information Security (BHIS) since 2021 delivering red teaming and OSINT services. Currently, Corey leads the ANTISOC team at BHIS, providing subscription-based continuous red teaming to BHIS clients. Outside of his time at BHIS, you can find him out in the woods or up on a mountain somewhere.
Host
Ralph May
Ralph is a U.S. Army veteran and former DoD contractor who supported the United States Special Operations Command (USSOCOM) with information security challenges and threat actor simulations. Over the past decade, he has provided offensive security services at Optiv Security and Black Hills Information Security (BHIS) across various industries. His expertise spans network, physical, and wireless penetration testing, social engineering, and advanced adversarial emulation through red and purple team assessments. Ralph has developed several tools, including Bitor (set to release in January 2025) and Warhorse, which enhance efficiency in penetration testing infrastructure and operations. He has spoken at numerous conferences, including DEF CON, Black Hat, Hack Miami, B-Sides Tampa, and Hack Space Con.
Host
Wade Wells
Wade Wells has been working in cybersecurity for a decade, focusing on detection engineering, threat intelligence, and defensive operations. Wade currently works as a Lead Detection Engineer at 1Password, where he helps build and mature scalable detection programs. Outside of his day-to-day work, Wade is deeply involved in the security community through teaching, mentoring, podcasting, and running local events.
Guest
Patrick Gorman
Patrick Gorman founded ISP Security with over 20 years of cybersecurity and IT experience helping organizations identify and fix serious security weaknesses before they become real-world breaches. His background includes work with firms like KPMG and security assessments across Fortune 500, critical infrastructure, and government environments. With deep expertise in penetration testing, offensive security, and adversary simulation, Patrick leads ISP Security with a focus on one thing: delivering expert-driven security services that help clients reduce risk and protect what matters most.
Guest
Tim Medin
Tim spent more than a dozen years teaching thousands of students as Senior Instructor and course author of SEC560: Enterprise Penetration Testing at The SANS Institute. Through the course of his career, Tim has performed penetration tests on a wide range of organizations and technologies. Tim has gained information security experience in a variety of industries including previous positions in control systems, higher education, financial services, and manufacturing. Tim is an experienced international speaker, having presented to organizations around the world. Tim is the creator of Kerberoasting, a widely utilized Red Team penetration test technique to extract Kerberos tickets in order to offline attack the password of enterprise service accounts. Tim earned his MBA through the University of Texas and recently completed an eMBA equivalent through Harvard Business School.

Ralph May:

Dark. And then the other the cool part was the time The time dilation, which was I also watched bunch bunch of YouTube videos about that. And essentially, the faster you go, the less time you experience. And that's actually like the way that it was like described in the video. It's like, it's it's because like, as you go faster, the molecules take longer to make it to the next spot.

Ralph May:

Right? And that's like the time difference between those. So you're actually experiencing time slower because everything is moving slower the faster you're going.

Tim Medin:

The really cool thing is if you get two astronauts passing each other relative to each other going close to the speed of light, whatever whatever Mhmm. Each one will experience the other one going slower Mhmm. Which is, like, mind blowing. Like and and and the the the physics, and you can do the math, like, I yeah. There there's a great book, by the way, called The Elegant Universe.

Tim Medin:

It's actually pretty readable. Came out maybe late nineties or the 2000. Really readable. But, like, there's a whole bunch of, like, just mind blowing stuff here. Like, you know, a circle's circumference is what?

Tim Medin:

Two pi r. Well, unless you spin it close to the speed of light, and then it doesn't happen anymore because you got contraction, but only in the direction of movement. So your radius doesn't change, but then you're yeah. It it gets

Ralph May:

The the book was kinda cool big or not just the book, but the movie was cool. It awesome because there's a bit of science in there too. And, like, I again, obviously, some of it

Wade Wells:

may There's a lot more science in the books.

Ralph May:

Yeah.

Wade Wells:

Like, the books, they're all scientifically accurate.

Tim Medin:

Oh, nice.

Corey Ham:

And then, like, the the star he went they went to, or the star that Rocky was from, was act they actually thought there was a planet on it, and it wasn't till after the book came out that they discovered, oh, that actually doesn't have a planet around it. So he that was like one thing he accidentally Bummer. But no.

Tim Medin:

I like I like the whole and I think they did a pretty good job with that. Like, you're meeting a whole new culture. You have no frame of reference for communicating. You don't have, like, hands to wave at people. Right?

Tim Medin:

Like like, you you you've got completely from scratch trying to dissect this. And what was cool, I thought too, is, like, they use, like, infrared. We use visible light. Right? Like, we're using different wavelengths for that.

Tim Medin:

The the sound doesn't we're, like, just completely different. I'm like, that was awesome. Love that. Like, didn't make it easy.

Wade Wells:

I've watched so many videos that if I get abducted, how to talk to aliens. Right? Like, first, do you like you write out, like, scratch marks in your number system. Then you write out pi and you draw a circle, then you draw your solar system to point that you know where you're at.

Corey Ham:

Woah. Woah. They already did this, dude. All you gotta do is give the same stuff they gave on the Voyager golden record.

Wade Wells:

That that's exactly what I'm doing.

Tim Medin:

Draw naked women. You gotta draw naked women and Gotta draw

Corey Ham:

a naked you wanna do is start with drawing naked woman. Dick figure. That's the first. Yeah.

Tim Medin:

That's the know all about us and be like, wow. We They know about captured the Us a perv.

Ralph May:

What what are we doing here?

Corey Ham:

They'll be like, listen. We we don't like Earth. We think you

Ralph May:

guys are disgusting, but we've been

Corey Ham:

watching your porn for years.

Ralph May:

That was the one thing we thought

Corey Ham:

was That's the one thing. Bad. You guys invented the Internet just for that purpose.

Tim Medin:

And I see how important it is to you because it's the third thing you drew. We got numbers. We got pi. We got pow, chicka pow, wow.

Wade Wells:

Alright. Man.

Corey Ham:

Should we roll the show? I feel like is everyone prepped and ready? I I mean, I I a few of the articles. It's just gonna be a chaos week. I mean, it's just bones after bones after runs.

Corey Ham:

We got copy fail, FCC, all kinds of good stuff.

Ralph May:

Oh, copy fail. So good.

Corey Ham:

Copy fail. Yeah. Alright. Let's roll it. Hello, and welcome to Black Hills Information Security's Talkin' Bout News.

Corey Ham:

It's 05/04/2026. May the fourth be with you. I guess, you're a Star Trek fan, that really means a lot to you. Right? At all.

Tim Medin:

Can we can we mute his mic remotely? Right click. Right click. Work.

Corey Ham:

I I do I will say, like, my official opinion is Star Trek is better. Fight me. It's not even close. Like, star Star Wars is so mid compared to Star Trek. But anyway.

Ralph May:

If you're

Corey Ham:

a big Star Trek fan, or I mean, Wars fan, you're still allowed. We we we still love you. But, yeah, anyway, let's get into the show. First of all, we got our introductions. We got Tim Medin here, Kerberoasting us as we speak.

Corey Ham:

We got Patrick Gorman. Patrick, you have you have an upcoming webcast or training or something, I assume?

Patrick Gorman:

So, yeah, I have a few things cooking. As far as courses, I have something on the blue team side coming out and yeah. As far as, you know, I I normally do my Thirsty Thursdays on Thursday nights, 7PM EST, you know, just talk about similar stuff and just, yeah, shoot the smack.

Corey Ham:

Nice. And Tim, you have an upcoming workshop on May 22 as well, Kerberos. Hands on, more like packets on. Am I right? Port 88, baby.

Tim Medin:

Absolutely. Absolutely. Yeah. Yeah. Join us for a couple hours of goodness with some Kerberos.

Corey Ham:

Hopefully, you will. Have looks like Corey Overstreet, my my alter ego, Corey. The other Corey is amazing. Yeah.

Tim Medin:

He too is growing his hair out. We're gonna have to have, like, a Troy Polamalu award for best

Corey Ham:

wavy Best hair. Best Corey hair. Yeah. We'll have to get there. So, yeah.

Corey Ham:

He has an anticast on May 20 about red teaming. We love Corey. I will say I've actually done a red team with him, you know, back in the day, and we used to kinda, like, cross pollinate a little more. And he's an excellent operator, so I highly recommend anyone show up to that that's interested in going after stuff. John's not gonna be here.

Corey Ham:

John asked me to plug his course on May 11. I think it's next week, So that should be fun. And then Jason has an upcoming webcast for job hunting as well. So it's a busy

Tim Medin:

What's what's John's class? One is

Corey Ham:

this what you can. Oh, I I think that is cursing at me. Information security core skills, which is good. Wait. Back to basics.

Corey Ham:

Honestly, a lot of people are always asking about mythos, and I'm just like, just go back to basics. Alright. Just patch your stuff. It's nothing is new.

Tim Medin:

What's funny is everything we're gonna talk through here probably today, We'll give you reference in the basics.

Corey Ham:

Yep. Sock course or cybersecurity core skills still as important as ever. Anyway, continue with introductions. We'd also have Ralph and Wade, two of our just perennial hosts. Always here.

Corey Ham:

Ralph, have you considered growing a mustache? Like, what where is that on your priority list right now?

Ralph May:

It's it's not that high. Amanda's asked me multiple times if that's where I want to be in my life, and I say no. I don't wanna the the beard. Yeah.

Corey Ham:

I think I I think we

Wade Wells:

should You look be good scruffy. I think you look good scruffy. Like

Corey Ham:

this You look good now. Don't get me wrong. But I think you could pull it off, man. I think you should try

Ralph May:

it all the I mean, the problem I

Corey Ham:

think it grows so fast. Like, I can

Ralph May:

grow a huge beard. I have to trim it often. Yeah.

Tim Medin:

Like, we have to steal the quote. It's like, science didn't ask if we could. It asked whatever. I'm a

Ralph May:

screw it up. Right? Like Yeah.

Corey Ham:

It's about whether you should You can.

Tim Medin:

But should you?

Corey Ham:

Yeah. Yeah. Give it a shot.

Tim Medin:

Maybe less than speed. Past the school without a squad car picking you up?

Ralph May:

Probably. Like, it was like

Corey Ham:

That is the first depends the first thing your mustache.

Patrick Gorman:

Said to me.

Corey Ham:

Yeah. Key with the mustache is don't go below the edge of your mouth. Right? Like, if you go below that, it starts to get weird.

Tim Medin:

I'm I'm so actually, I'm just jealous. I wish I could do a good mustache. I can't.

Wade Wells:

Your mustache is fine. What are you talking

Tim Medin:

about? No. No. But, like, if I if I cut it off, it's horrible. Also, look look at my mustache.

Ralph May:

Like, if

Tim Medin:

I do just look here, it's two toned. If I Mine get rid of this, it's like

Ralph May:

peppered. Peppered. It's

Tim Medin:

What's wrong with you? No. It's not peppered. Like, one side's salted, the other side's black pepper. Like, we have we have we have not cooked the steak evenly.

Tim Medin:

Like, well, I don't know

Corey Ham:

what's going on.

Wade Wells:

Can just get some just for men. Would you rather two colors?

Tim Medin:

Or No. No. No. So I did that. I'm allergic.

Tim Medin:

So then I

Ralph May:

Oh, no. It's like burning.

Tim Medin:

So I shaved it. It's 10 times worse because now I've got rash on my face.

Corey Ham:

Oh my god.

Tim Medin:

But just on this half of my face.

Ralph May:

People So are looking for screaming. Not for you, but

Wade Wells:

If makes you feel better, my mustache is a different color than my hair, like, by by a lot.

Corey Ham:

By by a couple

Tim Medin:

of days. That's that's uncommon.

Corey Ham:

I could see that now that pointed out, I could see it. It looks like a trick of the lighting, though.

Wade Wells:

It is not. It is, like, legit, like mine is like rusty red, like almost like a brown red, and then my hair is pretty dark brown. Rusty

Ralph May:

red. Gotcha.

Wade Wells:

I don't

Tim Medin:

know I wish I could do the one, the long one, like a motorcycle guy, the

Ralph May:

Yeah. Orange Yeah.

Corey Ham:

Yeah. Alright. Let's move into actual podcasting now that we've covered everyone's mustache preferences. If you have your own mustache preferences, please put them in the Discord. Yeah.

Corey Ham:

Whether, you know, any no matter who you are, you gotta have a preference. So, I I mean, I think let's start with the DigiCert stuff. It's pretty it's it's interesting and it's not at the same time. For those that are out of the loop, DigiCert, which is a CA or certificate authority, got popped. And the angle is pretty interesting.

Corey Ham:

Basically, it looks like the threat actors essentially social engineered their support team into running something on their system. It sounds like there was some misconfigurations or issues with their security tools on the support team's systems. And essentially, it led to, you know, initial access. And then the attacker stole a bunch of basically things they could use to sign code signing certificate to create code signing certificates. And they stole or created, like, 60 certificates.

Corey Ham:

And, basically, those were used to sign stealers, stealer malware. So I'm guessing they just tricked the DigiCert support people into running a payload somehow. I think it's a really interesting angle to try. Right? Wade, do you have any comments on the, like

Wade Wells:

In in the initial article, not the deep dive like, you click one in, you can actually see the IR report. But in the initial article, they said that they sent them an image over their chat channel, and that is the way that they were infected. Right? Then what is it?

Corey Ham:

I mean, is it .png.exe, or is it like steganography prompt injection? Like, it could go really stupid or really complex.

Wade Wells:

That's that's exactly what I thought. I'm like, okay. And then are they using some like, very like third party chat thing where they're chatting to the customers and that was an exploit in that. So I was trying to dig into that. But the one interesting part is like they do flat out say that that secondary host had bad had a bad security config in it, which right?

Wade Wells:

Like, you don't hear often as much Owning up to

Ralph May:

the mistakes.

Wade Wells:

Situation, but only exactly. Owning up to the mistake of actually how that works. And the thing is, it's super common. Like, there's and it's one of the hardest things to actually decide to find. Yeah.

Wade Wells:

So

Corey Ham:

Yeah. No. I I mean, I I really I hope someday that we can get a deep dive into the actual payload. Like, it'd be cool. I mean, DigiCert's a security-ish company.

Corey Ham:

Right? So they have the capabilities to analyze this. I'd be really interested to see, was it steganography? Was it prompt injection? Or was it just .png.exe?

Corey Ham:

Like, like, how how basic was it? How advanced was it? I'm really curious. My guess is always basic, right? Like, think anytime we as pen testers think about, oh, let's how would a threat actor do it?

Corey Ham:

I think we always overestimate their capabilities and complexity, like, in general. So it was probably just like .exe.png,

Ralph May:

and

Corey Ham:

they were like, it isn't working. Can you take off the extension? Like, try it again. Right? I don't know.

Corey Ham:

Something like that.

Tim Medin:

Well, that's this is interesting. Like, I feel like going back to the basics. Right? Like, I I'm trying to I I I can't remember the exact date, but I know DigiCert has been popped at least once before. And I'm finding two different results, one in 2020 one of them mentions 2020.

Tim Medin:

I don't have time to necessarily parse it. I'm not sure if that's a 100% correct. There was definitely some certificate issues. Gonna recall 83,000 certs because they screwed those up. That was in '20 Yeah.

Tim Medin:

2524, something like that. So it's every few years, and you're like, you know, I feel like the segmentation here could be

Wade Wells:

better.

Tim Medin:

I mean, I I don't know the details, but you're like, you know, when it happens every two years, like, faithful, maybe something's an issue.

Corey Ham:

Yeah. I mean go ahead, Ralph.

Ralph May:

Oh, no. I was just gonna say that it looked like there was a it was a malicious zip file disguised as a customer screenshot, which contained a dot s r c file, which is a Windows screensaver file. Right?

Corey Ham:

I see. So it was a zip file. They were saying, I'm sending you a zip with the images. The image was a screensaver. The person didn't know.

Corey Ham:

They just opened the file. Uh-huh. Basically, if you're a Red Team marine, just go try this this week. We're gonna do

Ralph May:

it. I'm gonna

Corey Ham:

I'm literally gonna try this this week. Like, find a support chat for one of your targets. You know, say you're having issues with the product, send them a zip file with a payload in it. Like, what's the worst case scenario? It doesn't work?

Corey Ham:

Like, it takes you fifteen minutes to throw that together.

Ralph May:

Well, it's funny because that's

Tim Medin:

the same payload we've been using for years too. Right?

Corey Ham:

ZIP with an EXE in it? Yeah. Or ZIP with an SCR or ZIP with

Ralph May:

an SCR.

Corey Ham:

Like, 100%. Yeah. I mean, it really will only work with, like, you know, if they have security tool issues. Right? Like, you know but it's a cool attack.

Corey Ham:

I mean, I agree with you, Tim, though. I think, honestly, my take on this is, like, oh, all they wanted was EVs. Like, it's easy to get EVs. Like, that's you know, I mean, I guess, I feel like I'm shocked they aren't stealing these from other companies. I do think the EVs are

Tim Medin:

gonna But get to

Corey Ham:

They the EVs require like, an RDP with a token. Right? Like, it actually has to be a hard a physical device.

Ralph May:

They have physical device requirement for those EVs. Yeah. Yeah.

Tim Medin:

But I don't know if

Ralph May:

this is, like, the others are we

Tim Medin:

just haven't been heard and reported. Like, there there could be somebody in right right now. We don't know, or they're silently revoking them. Like, I to to some degree, even though it keeps happening to DigiCert, good for them for telling us.

Corey Ham:

Yeah. I agree. And I also think, honestly, like, the certificate, the way that the the certificates really get used isn't it's not like that important from like there's not a lot of I mean, definitely certificates have to be valid, but there's no EDR that's like, oh, you have an EV certificate? Do whatever you want. Right?

Corey Ham:

That's not the reality. EDR still monitor. They still it's like trust but verify. You might and from our perspective, talking to the payload engineers here, the EVs and code signing certificates, all they help you with is landing on disk. They help you with detection like the you know, we call them whack attacks, like the, you know, basically like MZ scans of files that kind of tell you whether the file is malicious.

Corey Ham:

But once the program executes, it doesn't matter. I don't care what what sort of badge you walked in with that I let you in the door. Now that you're running, you know, Kerberoasting attacks or whatever, I'm gonna nuke you. Right? Like, it's not it's behavioral more than it is just like, oh, you're signed?

Corey Ham:

Alright, you're good. Well, yeah, anyway, you can move on. There's, we can do a couple a couple quick hits. And I mean, I don't know if this is mythos for if it's, you know, LLM, whatever it is, but there's a lot of vulnerabilities. There's the apparently in the wild exploitation of MOVEit servers again, reminds you like it's, you know, taking us back a couple years to the previous MOVEit stuff.

Corey Ham:

It looks like the CVEs are there's no public proof of concepts, and they have patched. So basically, if you have MOVEit servers, please patch them. Twenty twenty six CVEs for MOVEit. Turns out where there's smoke, there's fire. Who would have thought if a SaaS product is vulnerable, it probably has a lot more vulnerabilities that are undiscovered.

Corey Ham:

It's kinda And just the name of the I think, like, the theme this year is gonna be more and more and more of just, like, once one vulnerability comes for a product, it's gonna start, like, that's where the floodgates open up, and then

Ralph May:

I I always love it when people like Fortinet write a blog post about someone else's zero day. I'm like, man, let's be back.

Corey Ham:

Yeah. Look somewhere else, basically.

Wade Wells:

Would be that would imagine imagine you're a company you just held on to like a gnarly zero day, to exploit it. But the moment you get a zero day, you release that you found this other one as a squirrel tactic. Yeah. You're like, yeah, we had a breach, but check out this gnarly zero day.

Corey Ham:

Well, so speaking maybe that's happening, because there's a bunch of other zero days. There's the cPanel auth bypass that's pretty spicy. A lot of our customers have cPanel, but not like intentionally. Like Really? Okay.

Corey Ham:

So here's a super common scenario. Yep. A customer has a website some marketing team bought five years ago. They just hired GoDaddy or some

Ralph May:

other company to host it, and

Corey Ham:

it has an exposed cPanel. So we don't typically go after them, because we don't wanna pop GoDaddy infrastructure. Like, we don't care. It's it's like, it's the equivalent of like, oh, we tore down the poster that had your guys' name on it. Right?

Corey Ham:

But like, it's not, you know, it is still like, it's in their risks portfolio. Right? Like, it is, like, infrastructure they technically own. There could be LDAP integrations or, you know, passwords that are reused or things like that. But, yeah, these I mean, cPanels seems, like, very widely used, but mostly in, like, the hosting, not in really an enterprise, more in, like

Wade Wells:

When I worked at a data center, this was, like, one of the primary things we set up with cPanel servers for people. So it was just Yeah. I I don't know how many times I've seen popped and as well set these up.

Tim Medin:

Yeah. Because they're just a marketing brochure size. We did I was referring to, like, it's the surrogate of web servers. Like, we're just gonna set this up, throw some marketing crap on it, and everyone's gonna forget that we have it in six months. Right?

Ralph May:

And then you're like,

Tim Medin:

what's on it? Well, images.

Ralph May:

We we've kinda moved I mean, for modern single page web apps and stuff like that, I mean, you don't need cPanel or anything like that to host these. Right? Like, there's tons of ways to essentially host. And I'm gonna use I'm gonna use this word, very hardened servers. Right?

Ralph May:

There's nothing to, like, actually compromise from an under like, you your your the the app doesn't have the functionality to really compromise in the way where you have to put the cPanel on top of it, and all these other management things that have underlying OS, and when you just want the website to load, and and these things

Corey Ham:

Are you telling me that this whole time I could have just been using SQL instead of installing PHP in my admin? Yeah. I mean, like, you're not wrong, but also, in the context of paid hosting, it's about ease of

Ralph May:

use. No. Companies like Wix. Yeah. Yeah.

Ralph May:

It's also about the history. Right? So, like the Yeah. Like how things were, and then how things are now. And a lot of times that website that was made, I don't know, five, six years ago, it's still good enough.

Ralph May:

And so nobody's gonna like update it to the latest thing. Right? So, yeah.

Wade Wells:

My HOA has a really shitty website. And Yes. They've been talking about upgrading to a full cert. No. I have no clue what is.

Wade Wells:

I I haven't deep dived, like, I haven't OSINTed it, which I thought. Yeah. I I heard rumor that they were gonna start paying some third party service to host the website and then do a bunch of other stuff. And I'm like, dude, I don't want my dues to go up. I'm like, I literally told Claude to to scrape our website and then throw me up a new brand new version of it that looks really good.

Wade Wells:

And then I sent it to the HOA president. I'm like, hey, here's a free website. I'll host it for you. Just point your DNS at this GitHub repo. Yeah.

Wade Wells:

Yeah.

Corey Ham:

Yeah. Yeah. I mean, dude, like, you're not wrong. I think this is a good time to bring up the fact this this podcast is not sponsored by Squarespace. We actually you really we do have a lot for you to patch upgrade right now.

Ralph May:

Yeah. If if you are ever looking to build a website, something like Cloudflare can do that. Cloudflare can Yeah. It's it's it's, you know, it's not I I wanna use the word unhackable. It's it that's but it there's nothing to hack.

Ralph May:

Right? So that that's also a

Corey Ham:

free one.

Wade Wells:

Why do why do Cloudflare when you can just do, like, one of the pages website? Either GitLab or GitHub.

Ralph May:

Yeah. You just you

Wade Wells:

can do those to Cloud. Make you see.

Ralph May:

Yeah. Yeah. Yeah.

Corey Ham:

I a lot mean, you're not gonna get a dynamic website where you can buy stuff. Right?

Ralph May:

Like Mhmm.

Corey Ham:

You know what mean? I guess you could, but

Ralph May:

You you can. I'm just saying most people don't

Corey Ham:

need that.

Ralph May:

Most people just have informational website. Like, that is like the market share. And that honestly, going back to this vulnerability, and going back to the security around it, right, that is the market share that's using cPanel. Right?

Corey Ham:

That is Yes. And I I have bad news for you. If you're if you're using cPanel to host one of your websites, or if you don't know that you're not using cPanel, you're about to be advertising all kinds of weird products on your websites.

Wade Wells:

I'd rather I'd rather cPanel than WordPress. I will say that.

Ralph May:

Oh, alright. Probably using WordPress.

Corey Ham:

Besides Dude, if you if you think that if I buy a company that gives me a website that I'm not getting both cPanel and WordPress

Ralph May:

At the same time. Exactly. And that's the getting both, dude.

Patrick Gorman:

And that's the thing now because, like, HostGator, that's what I use, you know, for for a website, and I use both of them. And I literally just changed it a week and a half ago. So, like, when this came out, I was like, holy moly. It's like, you know, Evan Gates, let's get off of this. And exactly what I did was what you said was, like, you know, put put code in GitHub and just push it out to to Cloudflare and just manage everything for there.

Patrick Gorman:

So it's, like, super, super easy. And, like, I don't wanna say it's unhackable. Like you said, I don't wanna put anyone in the test.

Tim Medin:

Yeah. Mean, that's try to

Patrick Gorman:

hack my shit, you know, but yeah.

Tim Medin:

Yeah. But the thing is, like, think for you guys, that's really easy. Right? Like, but trying to get a marketing team like, a marketing team has two options. They got go to IT and get a web server.

Corey Ham:

Mhmm.

Tim Medin:

Or go buy something. And they're like, well, definitely we're not dealing with IT. We're gonna go buy something. Right? And then what can they configure?

Tim Medin:

They're not gonna set up a Git repo. Hell, I don't understand the Git commands. I have to Google those like half the freaking time. Right? And so they're gonna get the easiest thing for them that they're gonna set it up.

Tim Medin:

It's a brochure website. It's gonna live for freaking ever and YouTube.

Corey Ham:

Yeah. I mean, honestly, I think, you know, a lot of industries are dominated by marketing, and not by the actual product itself. And websites and hosting are that category of like, when you go, if you're just Googling how to set up a website, set up the website, like, you're gonna get bombarded with a bunch of ads from a bunch of hosting providers, all of which are selling a very similar product, but also very slightly different. And security is never really, like, the top billing feature. It's always like, you know, 79 $7.99 a month, or, you know, whatever other thing is out there.

Corey Ham:

So

Tim Medin:

Easy easy to set up your own website. Like, that's the big selling point. Like

Corey Ham:

It really Yeah.

Ralph May:

You don't know how to do this. They're not

Tim Medin:

gonna do HTML or CSS or, God forbid, JavaScript?

Corey Ham:

No. Absolutely not. God But Claude will do it for me, because I

Ralph May:

don't I Dude.

Tim Medin:

Hell, did I just freeze?

Ralph May:

All the JavaScript you want.

Wade Wells:

Tim Tim froze. It's okay. We can still hear you.

Corey Ham:

He got curb roasted.

Ralph May:

Oh. I

Corey Ham:

had that entire left wing of the building has gone down.

Ralph May:

He's gotta turn the camera off. Turn it back on.

Corey Ham:

So, think that's all the vulnerabilities. Oh, no. There was also click copy fail. That was a big That's

Ralph May:

a good That's a fun one.

Corey Ham:

Yeah. I mean, yeah, I mean, it's a big, it's definitely a big one. But also, I don't know, patch. You know, there's already a patch.

Ralph May:

You're not excited about privesc on Linux? Is that what you're

Corey Ham:

I like privesc. No, I like privesc. I just feel like, every time I pop a Linux box, it's just in some stupid cloud provider by itself, and it's the most boring thing ever. Yeah. It just gives me it just makes me sad.

Corey Ham:

It's like, oh, I got all this access. Oh, Jim. I privesc'd, and then Just I got

Ralph May:

for context, every time I've ever been on a Linux box, I've been able to privilege escalate, and because there's always some

Corey Ham:

One way or another. Yeah.

Ralph May:

There's always one way or another, and it it's it's kind of it's not a guarantee, but it it is a very often attack path. Most of the time you're on these hosts, they're they're outdated. Right? And it doesn't take you know, the other thing about this particular vulnerability is that to patch it, you do have to patch the kernel. And a lot of releases or a lot of the maintainers for the different distributions were just releasing the new updates for the kernel, but you also have to reboot the host to get the kernel in there.

Ralph May:

A lot of these devices aren't getting rebooted. So even if they do have an automatic update

Corey Ham:

system upgrade.

Ralph May:

Unattended update, they won't reboot to get the kernel in there. So but anyways, yeah, I I kind of agree with you, Corey. The usually, it's unexciting when you get to privilege escalate. Once you actually have that, you know, SSH access or terminal access, you're you're kind of already on the way there. So just being out in the wild isn't, you know, the end all be all.

Corey Ham:

Yeah. It's cool, though. I mean, it's insanely, like,

Ralph May:

Yeah. Insanely

Corey Ham:

Insanely easy. This is the, you know, no memory corruption, no race conditions, no offsets, page cache writes. Yep. Like, it's all just like, here. It's like Dirty COW or whatever from back in the day.

Ralph May:

Oh, yeah. That was another one too.

Corey Ham:

Yeah. Running

Tim Medin:

and I'm getting surprised we didn't get a cool logo for this thing. Like, what

Ralph May:

the hell? Like, it's actually

Tim Medin:

this one's actually a big deal. It warrants a cool logo, and it didn't get one.

Corey Ham:

That's a good point. You know what? Let's need bring back cool logos. Okay? Dirty COW was a great example.

Corey Ham:

And there was like a whole bunch of other cows that came out

Tim Medin:

Ardently had great one. Yeah.

Wade Wells:

It's been a while.

Corey Ham:

It's been a while. Heartbleed. Oh, yeah. Heartbleed was good.

Ralph May:

Heartbleed. The most worthless vulnerability ever.

Tim Medin:

Bro. No. Oh, no. No. The the there was a Sample one, like, year or two later where

Corey Ham:

they Oh, ate

Tim Medin:

it up like crazy, and it was the most nothing of burgers of all time.

Corey Ham:

And that's why this one didn't get a fancy name, because they didn't wanna over hype it. I love that name.

Tim Medin:

I think it's great. I like the subtle, the simple simplicity.

Ralph May:

Yeah.

Corey Ham:

Alright. So otherwise, I mean, there's there's some AI stuff happening. There's some drama where, apparently, a guy that is a founder of a company called Pocket OS took to Twitter and complained about how it deleted all of his stuff.

Wade Wells:

Oh, I saw that. Yeah.

Patrick Gorman:

Might have seen that.

Corey Ham:

Deleted the entire production database.

Ralph May:

Do I never back?

Corey Ham:

Honestly, okay. What I want what I want is I want, like, a deep dive from a technical perspective from one of the companies, like Cursor or from Anthropic that's like, here's why you're dumb. Right? Like, I don't know that that like, I could be wrong. Maybe that's a false allegation.

Corey Ham:

Maybe this is just gonna happen. And I will say, I sit around vibe coding everything, and I'm just like, it is sure I sure hope nothing goes wrong with this. Right? I really hope that you know, it doesn't just decide to nuke my entire database. But think

Tim Medin:

I mean, this gets into, the the Isaac Asimov type thing. Like, hey, we told it to secure the data. It's like, well, the best way to secure the data is to delete it all. Right? Like, we

Ralph May:

do, like, logically, you're like, oh, I see how you got here.

Tim Medin:

Like, I kinda love it in that sense.

Corey Ham:

Uh-huh. Yeah. So, like, what does has anyone read up on this? Like, does anyone have a real, like basically, I don't I does this feel real to anyone here?

Ralph May:

I've read this right now. 10 times, like, from other things. So what makes this one special, I guess?

Tim Medin:

I am. I am not convinced. Or or or I maybe it's conspiracy theory, but I feel like the dude accidentally deleted it, and he's blaming AI.

Patrick Gorman:

Yeah. That's what I was saying.

Tim Medin:

Because that's what what what if I accidentally deleted the whole freaking thing,

Ralph May:

I'm finding somebody else telling me.

Corey Ham:

rm -rf.

Ralph May:

Yeah. Whole database, and he was like, oh, AI. Definitely. Definitely. I trolling.

Corey Ham:

Okay. So I don't know. Like, the quote that he gives from the AI is in is completely unhinged. Does he have his AI running in, renegade destroyer mode? Like, I dude.

Corey Ham:

Optimist props. AI was AI is swearing at him. You know? I guess that

Tim Medin:

And then it it confesses afterwards the I violated every principle I was given. It's like a robot voice modulator. I guess, instead of verifying, I ran a assertive action without being asked. I didn't understand what I

Ralph May:

was doing before I was doing like, that's how that's how like, if the boss

Tim Medin:

man came to me and was why did something stupid? I would Use plan

Corey Ham:

Right. Bro, use plan mode. It's okay, man. Like, you don't have to live like this.

Ralph May:

You don't have to live like this.

Corey Ham:

I will say to her, I mean, really. I truly don't know. I mean, obviously, I'm assuming they have backups, hopefully, right? Come on.

Ralph May:

It probably doesn't if they're going end all backups.

Wade Wells:

Yeah. It deleted the backups.

Corey Ham:

Well, why would you give

Wade Wells:

the AI access to the backup? Because he pressed the do dangerous stuff button, and then You it probably know how it is

Tim Medin:

to do the basics. Take charge. No. This is the basics.

Corey Ham:

This is bull crap. You know how hard it is to get it

Ralph May:

to go off into like, those other systems and run these commands? It's a pain in the butt, dude. No, no, I don't think it is.

Wade Wells:

I'm gonna tell you what this guy did. Know exact. They bought a company, they only bought things that MCP servers already attached that could just do it. Right? And then he just like MCP'd all the things.

Wade Wells:

Oh, often do it. Right? OAuth just takes whatever rights he has already. Yeah. So therefore, the AI has God mode on whatever he OAuthed to.

Wade Wells:

And it's just like, you know what? You don't need backup. You know what? You don't need this.

Ralph May:

And

Wade Wells:

then rant about being

Tim Medin:

Can we also talk about the like, according to the article, the live science one that's quoted here, it deleted with a single call to the cloud provider's API.

Corey Ham:

Why

Tim Medin:

does that API exist? Like, why is there like a one, like, call?

Corey Ham:

Was this like a was

Ralph May:

this S3? API's knocking on the door. We gotta get out of this. Right.

Corey Ham:

FBI open up slash API slash FBI slash open up. Like, that should be a sales skill that

Tim Medin:

he That should be a feature not for a technical reason, but for, like, a a monetization reason. Like, you need people to jump through multiple hoops before they stop giving me money. Right? Like, you type in the the the this GUID here, so you can actually cancel. Like, wow.

Tim Medin:

Shit.

Corey Ham:

I don't know. I think this is like the perfect antidote. Can't copy paste. Yeah. This is the perfect antidote to all the all other startup founders who are posting on AI about how much they're using tokens in Claude, and how they're crushing AI.

Corey Ham:

This is the antidote. This is the anti version of that. It's like, don't This is cautionary tale. Back to basics, we've talked about this so much, and we're gonna continue. This is the theme for this week, is like, have separated isolated backups.

Corey Ham:

Don't have, you know, don't OAuth with your God admin account. Like, what changes are you making? Are you making changes to the backup system? Probably not. Don't have a token that can edit that.

Corey Ham:

Use revision tracking. Or, even when it comes to using an AI model, use Plan Mode. Literally, hit Shift plus Tab in Claude Code a couple times, until it says Plan Mode on. And then if it says, my plan is to delete the entire database and all the backups, you just say, control c. Don't do that.

Corey Ham:

Sure you plan. Like Yeah, read the plan. There's add ons to read the plan. There's Plantator and all these other add ons. Like, I don't know.

Corey Ham:

Just crazy to me. And also, the other crazy part is going on Twitter about it. That's the other thing, is being like, you know what I'll do? I can make this situation even

Ralph May:

Yeah, right?

Wade Wells:

Like, we're talking about it. Now everyone's out there using Pocket OS. Right?

Corey Ham:

Like, They're they're not also, I'm very confused because it says Pocket OS, but then it's the company is actually a SaaS product for, what is it, buying cars or something? Like, what is

Ralph May:

The world's most powerful car software? Yeah. Yeah. The guy was just like, I wanna quit, and I wanna go down. I don't wanna just quit.

Ralph May:

Like, I wanna I wanna

Tim Medin:

be done with it. New story would be

Ralph May:

kinda cool, but now I got

Tim Medin:

a reason to, like, do something else.

Corey Ham:

If I just search the Internet for Pocket OS, all I see, the only results are just stories about him deleting this entire Dude,

Ralph May:

maybe it's just viral marketing. Maybe literally, it's just viral marketing. It's all bull crap, and now everyone's talking about

Corey Ham:

this I feel like it's viral marketing. Also feel like could just be a psy op. Like, the whole thing is invented like Pocket OS isn't a real company, and they just invented this company to be, like, I don't know.

Tim Medin:

Like, crazy. Designed for car rental companies. Are there any worse companies out there than car rental companies? Sorry.

Wade Wells:

Yeah. It's like Why do they take so long every time, and they never give me the car I ask for? It's always the hugest one they have, and I have to spend so much in gas. It's ridiculous.

Corey Ham:

I mean, I'm gonna I'm gonna have Claude read all these blog posts, and then make fun of the person just for funsies.

Ralph May:

You're gonna have Claude read the post made by Claude? This is a misconception.

Corey Ham:

Don't don't, you know, don't do this, basically. I mean, I will say, this is like the second time in six months that we've talked about a duplicate article that, like, it's the exact same scenario of, you know, oh, someone someone did something, and then their AI deleted everything. It's like, well, what did you do? Like, walk me step by step through how you got here. But yeah.

Corey Ham:

Anyway, still a funny article. Still worth a read. What else is going on? Elon is testifying in court right now. Oh my god.

Ralph May:

He's throwing mud at each other.

Corey Ham:

Yeah. So this is kind of, you know, this is gonna be an ongoing theme on this podcast is talking about this lawsuit, because it's gonna be juicy. But essentially, OpenAI and xAI are, you know, in court right now. Elon Musk is a major investor in OpenAI, and is basically suing them because he says they violated their directive to be a nonprofit because they're not a nonprofit. The interesting thing that kind of came out the TechCrunch article from today, is that he admitted in court that he basically that xAI is distilling OpenAI models.

Corey Ham:

And kind of implied that distillation is the business of AI, which I feel like kind of fundamentally goes against a lot of the sort of understandings that we have about AI. I mean, I don't know. But I feel like distillation is a major attack on an AI. If you can successfully distill a model, that's basically as deep as you can go into attacking the model. Right?

Corey Ham:

So saying it's just like, oh, we all do it. It's fine. It's just a bunch of boys distilling each other's OpenAI models.

Patrick Gorman:

Yeah. I don't know.

Corey Ham:

Is that true? Does anyone know if that's actually true?

Ralph May:

I don't think it's

Wade Wells:

true. No. Just are you surprised that xAI does it? Like, out of all the AIs, that would be it's like, unequal.

Ralph May:

I mean, I'm surprised. I don't know where they get that nasty attitude from those other AIs.

Corey Ham:

I also thought it was pretty funny that after he this whole lawsuit exists, in my opinion, because he's it's competition. Right? Like, he doesn't

Ralph May:

Yeah. Wanna He doesn't want yeah. He wants them to

Corey Ham:

be out of the race. Right? Yeah. So, but but also, the funniest part is in this article, and later in his testimony, he ranked all the AI companies, and he didn't even put himself at the top. That's He was he he ranked AI providers saying, Anthropic holds the top spot, followed by OpenAI, Google, and Chinese open source models.

Corey Ham:

He said, xAI is a much smaller company with just a few hundred employees. So

Ralph May:

Maybe he wanted to look like the underdog in court. Right?

Patrick Gorman:

Yeah. That's good point.

Corey Ham:

Good point. Elon Musk, underdog.

Tim Medin:

It makes perfect sense.

Ralph May:

Yeah. Well, I mean, it is what it is. It is it is gonna be funny though, because it's probably gonna all all the discovery that's gonna come out of this is gonna be, like, the stupidest, silliest crap ever. You know?

Tim Medin:

Yeah. Well, the thing I find hilarious about this is good that this is like the inception thing. Like, all the AI models trained on publicly available, not public information.

Wade Wells:

Mhmm.

Tim Medin:

But like all the IPs that that people have that's available, but definitely not given awayable or whatever. And then you're like, we trained on your model and you're like, yeah, but you also can we daisy chain this back to like, we're just taking other people's stuff and reusing that? Like Oh, yeah. Either either it's either it's all good or it's none good. Like, you can't have it in between.

Tim Medin:

Right?

Corey Ham:

Yeah. I mean, I yeah. I I mean, I think it's a muddy thing. I mean, John's take is like that this there's nothing in the world of AI that's actually patentable. And so it's gonna be a race to the bottom when it comes to, like, cost and capabilities of, like, who can do the thing the fastest and the easiest.

Corey Ham:

Like, there's not there's no secret tech. There's no, like, secret recipe or whatever. It's just, like, everyone's using the same papers and building the

Tim Medin:

same we've all complained about, like, the the the copyrights or the trademarks or copyrights for some of the code stuff or no. I guess the patents rather. Code patents. And they're like, this feels like one of those, and I always hated them, and I still kinda hate it. Like Yeah.

Tim Medin:

Compete. Make it make it better. Like, don't don't don't prevent somebody from competing, but it can actually compete.

Corey Ham:

Yeah. And I think that's kinda where the space is, to be honest. Obviously, this lawsuit notwithstanding, that is tends to be how the market operates is pretty freely.

Tim Medin:

I wonder if they benchmark these AI by who could delete data faster. Oh.

Ralph May:

Most data they

Wade Wells:

haven't, they need to. Someone someone make that. That is a new DEF CON, the new DEF CON CTF. How how fast can your Yeah. You know, delete things.

Ralph May:

They have all the benchmarks for how good it is at coding, or how good it is at math, or whatever. How good is it at deleting your data on an uncomfortable unrecoverable?

Wade Wells:

I felt I felt like we're going down a slippery hole right now when we start making deletion APIs.

Ralph May:

Alright. Alright. The best ransomware model then. Alright. Sorry.

Corey Ham:

Yeah. I also just love that, like, the term distillation because I just imagine some person googling, like, how to distill, and they're just like, I don't wanna make whiskey or gin. I wanna make an AI model, guys.

Ralph May:

Oh, gosh.

Corey Ham:

Yeah. I mean, anyway, this you know, stay tuned to this podcast for more updates on that lawsuit. I'm sure it'll just continue to be super, you know, everyone's gonna be rational, and no one's gonna throw any mud or anything like that. It'll be it'll be unreasonable.

Ralph May:

Yeah. Yeah. Normal.

Corey Ham:

So an interesting little thing happened in Utah, which is basically Utah has passed and enacted a law that goes into effect in two days. And that law basically holds websites liable for users with VPNs, basically. So Utah and many other US states have banned, like, you know, access from someone who's not 18. Right? So this is like it's a porn thing.

Corey Ham:

It's a KYC thing. There's a bunch of reasons for this. But basically, Utah has passed a law that essentially holds websites accountable if someone's using a VPN to access it who actually lives in Utah. So basically, scenario is I'm a website. Someone goes to my website.

Corey Ham:

It's now my duty to verify whether they're using a VPN and also whether they live in Utah. Oh, that sucks. Which is, like, obviously, all of us with any technical knowledge are

Ralph May:

Logistically,

Corey Ham:

red flags are going up because it's fundamentally impossible. Challenging at best, fundamentally impossible at worst Who pays What'd you say?

Ralph May:

I said, who pays for this?

Corey Ham:

Yeah. Well then, okay. So exactly. There's a lot of, first of all, from a technical perspective, it's not really possible. How are you gonna backwards trace a user from whatever visits your website, all the way back to where they live?

Corey Ham:

Like, it's basically impossible.

Tim Medin:

Well, I think I think we might end up is, we get 50,000 different prompts going forward. It's like, do wanna use cookies? Are you from Utah? Like

Wade Wells:

are you from this town

Ralph May:

or that What about this town?

Corey Ham:

Yeah. I mean, honestly, I don't basically, and if you're wondering how a website know, one of these websites, you basically have two choices right now. One is take this risk. Right? Like, to actually, you know, basically taking the risk of just hoping that you don't get sued if someone comes and says, hey, a VPN user bought some knife or I don't know what I don't really know what the use case is for these blocks.

Corey Ham:

I think it's mostly

Ralph May:

just prove it was a VPN you

Corey Ham:

want. Kids. Yeah. Let's save the kids. Right?

Corey Ham:

It's it's for porn?

Wade Wells:

Oh, yeah. The aliens, they're not gonna be in Utah for sure. So

Corey Ham:

yeah. So basically, yeah, the aliens are the aliens are like, nah, we went straight to California. No. I'm kidding. But basically, as a website provider, you can either block all VPN IPs, which by the way is also extremely difficult.

Corey Ham:

And that's kind of the that's what everyone's assuming is gonna happen. Everyone's assuming that this basically is trying to strong-arm websites into banning VPN IPs, which technologically is kinda challenging to begin with. But let's say you could do it. Nothing's to stop someone like us from spinning up our own VPS and using it as a VPN.

Ralph May:

But Yeah.

Corey Ham:

Regular old users will not be allowed or able to do that. Right? So basically, puts the then the onus goes it's like cat and mouse. Because then the onus goes on VPN providers to try to bypass that detection, because otherwise, their product is pointless.

Ralph May:

I mean So China China's done this with the Great Firewall. Right? But they still get out. Right? And this is way more of a whole country technical limitation put into place, and you can still get through the Great Firewall and access that content.

Ralph May:

And there's ways, tons of different ways. And in fact, we they've even developed better technology to do it because of it. It's like you essentially, you created this race where now there's even better ways to get through that are beyond the VPN that blend in with traffic and look more legitimate and all these other fun stuff. So, yeah, you created a monster.

Corey Ham:

I just can't I I don't see where this ends up.

Wade Wells:

Like Have you guys ever tried to log in to something and it says you're on a VPN and you're not, and then it blocks you? Right? Like, I'm just imagining that happening

Corey Ham:

I've never had that.

Wade Wells:

Rest of my life.

Corey Ham:

I've never had that. I have had my home IP get blocked from some websites because I'm a pen tester. Right? Like, I've had Oh, that makes sense. I've gotten rate limited on GitHub because I forgot to, you know, do whatever, and there's like a search global search limit or, you know, things like that have happened to me.

Corey Ham:

But I've never had the opposite happen where I'm actually using my home IP and it, you know, it it tells me that I'm on a VPN.

Wade Wells:

There's I forget which service it was. It's like, you're on a VPN. Please get off the VPN. And I'm like and it was just like it was a login to something in particular. And all I I had to reset my modem to drop the IP I was on because it was a rotated IP, I'm guessing, from some bad list that had VPNs on it.

Wade Wells:

Right? Wait. Well, that'll VPN services re VPN services don't keep the IPs forever. Yeah. So how are they improve?

Ralph May:

How are they gonna prove so what's the scenario? Right? Someone from Utah uses a VPN? How how how do they And then that they use the VPN to get them arrested to do whatever the the punishment is for this?

Wade Wells:

Well, what if I just just not not host anything in The US anymore, and just do some type of legal loophole where everything's hosted Exactly. In

Tim Medin:

But you don't but you don't know that either. Oh, I was just saying, you you actually hosted

Corey Ham:

Well, no. So okay. So here's here's the problem from the website. Like, from the website's perspective. There is no way to mitigate this risk.

Corey Ham:

Fundamentally, all you can do is basically as a website say, we're blocking VPNs or we're trying to block VPNs. Hopefully, that's good enough. Because I think the scenario here is, you're let's say you're Utah State prosecutor. Some kid looked at big boobs online, and now you're prosecuting him for it. You basically have the crime, then you backwards go through the website and say, you violated this, now you're shut down.

Ralph May:

Yeah. So from a legal standpoint, they would have to they'd have to a crime has to occur before they can go subpoena this information to find out if you were part of the crime. So

Corey Ham:

you have

Ralph May:

like, this becomes like a big thing where something bad has to happen first before you can then use this thing. But then the VPN's gonna be like, we have no logs, and and yeah.

Corey Ham:

Yeah. Correct. And the website also, like the temporal element is so If messed you think about it like, well, when? What IP did they use when? Like, I think it's like, I mean, if we're being honest, how it's actually gonna go is the second that courts get their hands on this, they're gonna be like,

Tim Medin:

no.

Corey Ham:

What? Like, you can't.

Tim Medin:

Would it be ironic if this actually had the opposite effect and actually making it easier in in Utah? Because now if I come from Texas, it'd be like, well, wait. Are you actually coming from Utah? Are you trying to bypass this? Well, meanwhile, you come from Utah, it's like, yeah.

Tim Medin:

Fair enough. You can do it. You you you can definitely get in. Yeah. The porn well, here's like, you know, Utah Like, would porn that one just works.

Tim Medin:

Right?

Ralph May:

Yeah.

Tim Medin:

Like

Corey Ham:

Maybe. I mean, that's a good point. I mean, also, this we're not the first to do this. The UK is actually banning VPN use for anyone under the age of 18 Which which is hilarious. Like, how do you

Wade Wells:

They have ads for Mullvad in in their subways. Huge ones on the wall, like

Ralph May:

Yeah.

Corey Ham:

But, I mean, to be fair, there's ads for dispensaries where I live, and you can't go to

Ralph May:

the mall or, you know.

Corey Ham:

You know? Like, there there's

Wade Wells:

So they get a VPN How many other ads for VPNs, though, do you see in public spaces, though? Like, never. True.

Corey Ham:

True. And the reason they have the ads is because they know that everyone wants one because of their all their bans on all the stuff. I don't know. I think it's inherently I mean, it's basically surveillance state, and this is the save the kids angle. That that's like I think the dystopian way to look at it is like, this is just the thin end of the wedge for like, oh, we're allowed to pass this law because save the kids.

Corey Ham:

Yeah. Oh, and then by the way, also, we're banning looking at websites that say that, you know, Tiananmen Square Massacre never happened. Or you know what I mean? Like

Ralph May:

Yeah. Well, I speech? Where's the free speech start to get into it. Right?

Wade Wells:

Yeah.

Corey Ham:

Oh, yeah. It feels like

Wade Wells:

we're going into the Ender's Game. I we've said this before. The Ender's Game, like, two Internet thing, where you have, like, your government Internet where you log into it with your ID, and then there's, the secret Internet where nobody really no one that's everyone just for everyone. Right? I I still think that's gonna happen, especially with all the laws based around social media nowadays, like in Australia, and that's going on.

Wade Wells:

Eventually, they're gonna crack us down, and it's not gonna be

Corey Ham:

what little wild west. To really to actually like to actually implement this on a technical level, none of this math maths on the Internet. Like, the Internet isn't set up to handle any of this.

Wade Wells:

We're migrating to IPv6.

Corey Ham:

Even dude, even IPv6, even deep packet inspection, like, all the layers you can put on it, it doesn't fundamentally support these kinds of censorship and controls. And so, like, it basically comes into this, where is there gonna be a point where those sorts of controls are implemented on Internet protocols? Like, is there gonna be like a censorship enabled internet?

Wade Wells:

Know that's the IPv8 just came out. Right? Does it have a censorship packet in it?

Ralph May:

A censorship packet.

Corey Ham:

Dude. Is porn true or false? That's like a fly on

Ralph May:

the packet level. I I just feel like China's already went down this road and at a much higher level, and that's still not, you know, a full force. It's not, you know, doing what they think. And and and more importantly, though, this is just the state. And as it expands out into the federal government, which is, you know, whether there's an actual, like, general rule around this, and it really it really really stems it with just age verification is what we're really trying to get out here more

Corey Ham:

than KYC, age verification. Yeah. Yeah.

Ralph May:

And and then just like suddenly, I feel like it kinda popped out of nowhere. Everyone was just like, you know what? The Internet needs more age verification. This is over. You know?

Ralph May:

I I don't know.

Corey Ham:

Well, it's just I I again, I think it really is the thin end of the wedge for surveillance, and this is just a way to throw through all these policies and laws that can be abused. I

Wade Wells:

think it is I I think you're right, but it's also it is also, like, the negative effect that social media is played around with the entire world. Right? True. If I may realize, maybe access Yeah. Access to an entire global media sphere of all knowledge probably isn't the best for human beings.

Corey Ham:

Well, if they're not talking about banning social media, by the way, which is harmful? Yeah. That's a yeah.

Tim Medin:

Yeah. But what if we get to the point where there, like, there was like and I'm sure there's a cryptographic way to do this. I just not smart enough to even lay it out, but like, to like, am 18. I live in Texas, and have an anonymized way to Yes. Authenticate to this thing.

Corey Ham:

Talking about like a national identity system. Yeah.

Tim Medin:

Yeah. Yeah. But but but a way to communicate on the Internet, but to prove I'm 18, or

Corey Ham:

Yeah. It's like

Ralph May:

a private

Tim Medin:

key problem. Token of someone who's

Ralph May:

over 18. You could totally do this. The Internet's just we just didn't design that in the beginning.

Tim Medin:

Right. Right.

Ralph May:

Like, we'd have to bolt it on, but you totally could, but you'd have to totally get, essentially, a federal law to build that system. Right?

Corey Ham:

That's the

Ralph May:

way you bring it all the state states, because every state's gonna be like, screw you. We're not doing that. And the other state's like, we're independent because we're technically all independent states and one whatever. You know?

Corey Ham:

Well, there's also so many technical hurdles. Like, as an example, like, it device bound? Okay. Well, what if you hand your kid to your or your phone to your kid? It IP bound?

Corey Ham:

Because what if you have 50 computers at your house? Like, there's no way you would do it.

Tim Medin:

Well, hold on.

Ralph May:

So, I mean, one thought, again, there could be holes in this thought. Maybe like just using your state issued driver's license, or other kind of, you know,

Corey Ham:

instrument But the point is, passing how does that get checked on a technical level? If it's device bound, there's all kinds of, I mean, honestly This

Ralph May:

is like a common access card, or whatever, from the actual license that you put into a system, and then that checks, and then all you're doing is sending the facts that you are from this state and in this age, and that gets authenticated. And all it does is essentially the way we do everything else, when I prove that I own my house, they don't go ask me. They go ask the state if I actually own the house. Yeah. Then we prove that system.

Ralph May:

Right? But how much information gets exchanged? I think it's what Tim was bringing up.

Tim Medin:

Yeah. But, yeah, like my point is, like, you know, some of the places you definitely don't wanna go with your real name. Right? I didn't Sure. It give the bare minimum what you need to prove so I can get access.

Tim Medin:

But then, at the same time

Corey Ham:

You killed privacy.

Tim Medin:

About that. Right?

Corey Ham:

Yeah. It's basically exactly what Wade's talking about, which is that Internet is like the government Internet. And then, like, everything else is like just the Wild West.

Tim Medin:

And everybody's like, well, people would be nicer. And you get really nasty stuff with no laws, and it's a free for all. Right?

Wade Wells:

People would be nicer. Right? Like, it's the ones you get behind on on I can't even say anonymity. There it goes. Everyone's an asshole, but, like,

Ralph May:

it's Dude, it's

Corey Ham:

people are willing have you ever seen, like basically okay. So here's here's, like, another way to think about this. And this actually kind of ties in with another article we have, which I don't really know how we ended up with this, but someone posted this. It's essentially like, why you should refuse to let your doctor record you. And it's essentially a long sort of article about privacy and medicine and why you shouldn't let your doctor record and transcribe your, your chat with them.

Corey Ham:

And honestly, I kind of take issue with the article, because it's kind of, to me, just a fundamentally I don't have that strong of a take on this, but reading the points, it's it's just a it's like, here's why technology's bad, because it changes things. That's basically the article. And I I kind of was thinking, reading this medical recording article, I was thinking about body cams and police. And I was thinking about, this is the same arguments that you could make for why body cams are bad. It's like, well, accountability is bad.

Corey Ham:

It's like, no, it's not. Well, the doctors are gonna act differently if they know they're being recorded. Isn't that a good thing? Don't we want the doctor to know they're gonna have to be on record for what they're saying? I don't know.

Wade Wells:

After I watch the pit, I'm just like, yeah, record me. It's all cool, man. I don't care that much. The government's already on my phone anyway. They know everything.

Wade Wells:

I

Corey Ham:

mean, don't get me wrong. Sure. Make your own decision about this. That's why they're asking. But the fundamental articles or the fundamental reasons the person gives are all just like, technology is bad.

Corey Ham:

Okay, that's fair. Yeah, it is. But also, there are benefits to technology. They're like, oh, what if you're bilingual? It's like, well, also it can translate for you know, like, they're all of the things that you are slanting as a negative.

Corey Ham:

There's also positive effects of that. Right? Like, charting is part of care. Okay. But they can do more care if they don't have to chart.

Corey Ham:

Like, I don't know. I don't have a strong take on it. I have some friends who are doctors, and I'll ask them what they think about it.

Tim Medin:

Talk to some friends, and and they they like it because there's some type of like if you're gonna look back through someone's stuff, like, we've all done this looking just just in general, looking at an article, and you're like, there's like one sentence in here I'm trying to find and I can't find it. You're like, find me this one quick thing. Right? Or, hey, I'm trying to prescribe this. Is there anything that's gonna conflict with this medicine?

Tim Medin:

And you're like, okay, cool. This will. So just some of those things, like, it's just really easy for them to to to do. I mean, yes, you're gonna have some extra things on,

Corey Ham:

but A 100%.

Tim Medin:

Freaking love it.

Ralph May:

They use it. He's like, I use

Tim Medin:

it all day all all the time. Like, I mean, you are though.

Corey Ham:

Basically, okay. In a perfect world where everyone does their job perfectly, no one's time constraint, and no everyone can like, yes. Okay. Sure. They might be slightly AI can get confused.

Corey Ham:

The reality is no one is charting perfectly, and AI is going to improve on charting and make it better. And even if it makes mistakes, guess what? People make mistakes too. Like, I don't know. I don't Yeah.

Tim Medin:

And and I don't know if it's like the WebMD thing, but people talk about you put your symptoms in WebMD, and you've got like this off the wall.

Ralph May:

You got cancer, actually.

Tim Medin:

Right. No. Not even that. Like, it's this weird thing that three people in the world have. Right?

Tim Medin:

Yeah. And I'm hoping that, but you also read case after case after case, and there's all sorts of biases with with with gender and race and stuff. But like people don't get the service that they need because no one actually looked at it deep enough. You're like, hey, you know what? It's actually this thing, but everyone's just giving you you take your oxy and go home.

Tim Medin:

You're gonna be fine. Meanwhile, they got something that's really nasty, and and and I'm

Ralph May:

hoping that kinda can help this.

Corey Ham:

Yeah. I mean, privacy is one thing. Like, the privacy thing is a whole separate beast though. Like, that's Again, that ship has sailed, and that's a technical compliance thing that relates to medicine, and who can access your information, HIPAA, all that stuff is already in play with all these recordings. It's the same as if the doctor wrote it down.

Corey Ham:

Right? Maybe there's more risk with third party recordings or whatever being leaked. But the same risk is there with Gen AI too. Right? Of prompts being leaked or whatever happens.

Corey Ham:

But everyone make your own decision. I just think blanket saying don't do this, it feels a little bit biased, heavily biased. Because all of the things it it's all of the arguments they make are also just fundamentally arguments against any kind of accountability and technology. Of like, yes. There's privacy implications when you're recording things.

Corey Ham:

Correct. Yeah. Like, you could make the same argument for like, here's why no music should ever be recorded. They should always be performed live or

Ralph May:

or Yeah. Privacy.

Corey Ham:

Yeah. For privacy. What if they wanna say something at their concert, and not have it be recorded? Well, that ship sailed. Because I can sit there with my phone in my pocket, and record everything.

Corey Ham:

Anyway.

Patrick Gorman:

Interesting

Corey Ham:

interesting read. If you agree with it, go for it. But, you know, make your own decision. Other You're research. Any other articles?

Corey Ham:

You got you got one Wade?

Wade Wells:

The MITRE ATT&CK one is semi important for defenders to know. Where did that one go? I gotta find it.

Corey Ham:

Defense evasion split?

Wade Wells:

Yeah. So pretty much what defense evasion was a tactic in MITRE ATT&CK, which is like one of the top ones. Right? And techniques are the ones that go down. So defense evasion has split into what was it?

Wade Wells:

Stealth stiff and I was literally reading the article the whole time we were doing here. Now I forget. Stealth and defense impairment, instead of defense evasion, which makes sense because like defense impairment, right, is like turning off security things, making sure logging doesn't do anything incorrectly, that type of stuff where there used to be a single type of technique for that. So them splitting it up makes a lot of sense. So social engineering goes under stealth, right?

Wade Wells:

What this means for all your defenders is you're gonna have to remap all your MITRE ATT&CK IDs and redo all your tagging. So that's great. There's an Excel spreadsheet on their website for it. And just point your all your detections at Claude in that Excel spreadsheet, you should be good to go. Yeah.

Wade Wells:

I'll probably write something Python later tomorrow for it.

Ralph May:

Bros. Python? You could do better

Wade Wells:

than that, man. That's that's my language. I haven't I haven't don't have to do anything else anymore. Like, I I felt like, what

Tim Medin:

am I gonna do? Go.

Corey Ham:

That's the best stuff.

Ralph May:

Yeah. Write it in anything because you're not writing it anyways. You just told Claude that he was gonna do it.

Corey Ham:

I wanna say how great is it, and I know Python.

Wade Wells:

I have to keep my dude, I'm already feeling my talent slightly slip away from me as I

Corey Ham:

Oh, you just wanna

Ralph May:

feel in control? Alright. Have to, but

Wade Wells:

at least a little bit to show that I have the capability. Yeah.

Corey Ham:

Just write

Ralph May:

it in Golang, and and you'll be fine.

Corey Ham:

Yeah. Golang or Rust, because the truth is the truth is, from a programming perspective, there are actual benefits of Golang and Rust that you don't get with Python, like hard types and memory safety and things like that. I already I already

Wade Wells:

don't use Notepad++ anymore. Alright? Now you guys are gonna take Python away from me too?

Tim Medin:

No. Hold on.

Corey Ham:

We're not taking Python away. What we are saying is, if you're gonna vibe code it,

Ralph May:

you might as well vibe code it in

Corey Ham:

a language that's built to last longer than 50 All five

Ralph May:

those people, all the people who wrote all the Python stuff in the past, they wrote it because that's what they were comfortable in now. But now, you don't have to necessarily be comfortable in that language to drive what you're trying to build. So build using the best language for the job.

Corey Ham:

There is one article,

Ralph May:

whatever one. It could be C if I'm writing it, or C++ writing it for whatever.

Corey Ham:

Yeah. You're not wrong, but the one argument for writing, for still Vibe coding in Python is you could make the argument that that is the language that it knows the best and can use the best. And that would not be that would not be wrong. Like, the most information out there is is like, AI is the best at Python.

Ralph May:

Yeah. But I would also argue it has the most junk too. It's like the junk it's like the most, like, unwell written language.

Wade Wells:

We just we just talked about only having to do things that you know. If I have that thing right in Rust, and I can't read Rust, I I can I can vibe? I understand.

Corey Ham:

All you gotta do is just Don't wanna learn how to read Rust.

Tim Medin:

Yeah. But she could throw away ask it, though.

Ralph May:

Are you are you serious? Ask it. Yeah.

Corey Ham:

Yeah. I'm seriously implying that you're gonna line by line go through a 10,000 line Python program. Don't go

Wade Wells:

I'm not writing anything. I'm like a hun like, 90% of my scripts are like a 100 lines

Ralph May:

Listen.

Wade Wells:

At the most. Listen. Will run through them.

Corey Ham:

Know Make sure it's I

Ralph May:

know how to write in in like a batch script. Right? And the scripts that I've gotten Claude to write, I I it's above me. It's gone. Like, there's there's like, I could have written that if I wanted to.

Ralph May:

Now, do I understand kind of functionally how it works? Sure. But could I have written that? No. Not without like hours and hours.

Ralph May:

So like, you know, I'm okay with letting go of that as long as I understand functionally what it's gonna do.

Corey Ham:

Okay. I will say I can't

Wade Wells:

let go. I can't let go.

Corey Ham:

I will an AI tip for those that are actually vibe coding something that might be important in the future is to if you work for a company, have a spec for what how you want your Claude to build things at your company and have it so they all work so they all play nice together. Like, if you're gonna write an API, use a RESTful API. If you're gonna write a frickin' web server, don't write it in Python. If you're gonna you're gonna use the database, don't use frickin' SquirrelDB or whatever, something no one's ever heard of. Come up with a list of five tools or whatever that you want to support, then put that in your Claude memories, or your Claude config, and then company wide, you're gonna have a way better time than it's like, Hey guys, what's up?

Corey Ham:

I finally got my Lisp program running, and if you wanna install it, all you have to do is install AS/400 ports, and you'd have to have an ARM64 CPU.

Ralph May:

So It's all gonna be great.

Tim Medin:

It's gonna be

Corey Ham:

It's gonna run super fast.

Ralph May:

It's super fast on my computer. That works okay.

Corey Ham:

Alright. The other articles, that's an interesting one. Ralph, Tim, you have anything on your radar right now? What's what's what's keeping you up at night? Mythos?

Ralph May:

Supply chain. Supply chain.

Corey Ham:

Supply chain. Yeah. Yeah. I know it seems weird because but it's just like, when

Ralph May:

you start coding a lot of software, software dependencies, and then the supply chain stuff's been super hot right now. And I know it's like such a high level thing, but it's a lot of the coding frameworks are really getting hit up with that. So and then seeing that kind of trickle down into whatever you've written. Maybe it doesn't affect you, but it's just like, is this the time? Is it what about next time?

Ralph May:

Right? So that's kind of

Corey Ham:

the one there was there a supply chain attack this week? I thought there was one,

Ralph May:

but I

Wade Wells:

It was last week. There was one last week.

Corey Ham:

Yeah.

Ralph May:

I thought there was one this week too. I guess that Maybe. May be

Wade Wells:

I I was Trellix. I was working Trellix. Oh, Trellix was a supply code was a supply chain? I saw they got

Corey Ham:

breached by Source code repository leak? I mean, maybe they just unintentionally leaked it and it had their stuff, but

Wade Wells:

It's Trellix. It's not gonna really help anyone anyway. But Okay.

Corey Ham:

Selling through the recently identified unauthorized access to a portion of our source code repository. I mean, I it doesn't really say how or who, but I feel like it had to be supply chain. How I mean, I don't know. I could be wrong. Could be Emphasis, could

Wade Wells:

be Lee. Stealer.

Tim Medin:

Someone someone pushed to the wrong repo.

Corey Ham:

Yeah. That's probably what happened. I mean, I will say, for multiple customers, we found employees who published copies of their entire production database in Reno to their personal GitHub. Yeah. So it's not unheard of.

Ralph May:

Yeah. The other thing too is I think GitHub,

Corey Ham:

not just Does that count on supply chain? Kinda.

Ralph May:

Yeah. Yeah. I think GitHub and other repositories for or Git repositories, not just GitHub, right, are going to start implementing more kind of lockdowns in that in that realm. Right? Especially with the CI/CD and how ubiquitous that is across enterprises and, you know, development life cycles, and how that's actually being the main weaponized tool in that supply chain attack.

Ralph May:

Right? So

Corey Ham:

So okay. Someone there was an article in here that's like some I don't know who this is, but Mitchell Hashimoto. Does anyone know who that is? HashiCorp founder. Oh.

Wade Wells:

Oh, yeah. Yeah. Yes. Yes.

Tim Medin:

I saw The

Corey Ham:

Hashimoto HashiCorp cofounder, which HashiCorp is a company that does, what, like, I don't Yeah. Know how it's to

Ralph May:

So, they do they

Tim Medin:

do a

Ralph May:

lot of stuff. They they they have Terraform. They have the secretory. Oh, yeah. Terraform's big.

Ralph May:

Okay. Yeah. They also have a bunch of other things around that. So

Corey Ham:

So, basically, the founder of that company had a hot take, and basically said, GitHub is no longer a place for serious work. So if you're making memes and jokes, it's great to put that on GitHub. I Tim, you were laughing. What quote were you laughing at?

Ralph May:

That was actually it. I I I just pulled up

Tim Medin:

the article. It's like no longer a place for serious work. I was like, well, that's funny.

Wade Wells:

This Also,

Tim Medin:

is that a recommendation for like like, I would be like, know what? I don't wanna do serious stuff. Maybe I'm gonna use GitHub.

Corey Ham:

Yeah. But the thing is, he's complaining the funniest thing is he's complaining about outages. Right? He's complaining about, not about privacy or whatever. He's complaining about downtime.

Wade Wells:

This was on Fireship, if you guys watched that at all. But pretty much, their downtime is like 98 per it's it's low. Like That sounds

Corey Ham:

as bad as Claude.

Ralph May:

I mean Yeah.

Wade Wells:

It's very true. But but but Claude isn't like there there was a couple of outages where people

Tim Medin:

lost Oh,

Ralph May:

What were gonna say Claude? Claude isn't what?

Wade Wells:

I wouldn't say Claude is as critical

Corey Ham:

Production.

Wade Wells:

Yeah. As production. Right? That's

Corey Ham:

fair. Yeah. No. That's totally fair. If I can't my if my AI didn't sound, that just means I'm not getting my database to

Ralph May:

be was able critical for that one dude when he erased everything. All I'd have to do put it

Tim Medin:

I mean, not to get too technical on git thing, but like, there is no sort of central repository. There is no official core for git. Like, if I have my repo, it technically has the same authority as the one in GitHub. Right? Like, if if you revert some in GitHub, I can still I still have local.

Tim Medin:

I could push that. Like, what are they doing if they're losing stuff? I I don't get that.

Wade Wells:

There there

Corey Ham:

was there was

Wade Wells:

a big article about it that that went all through it. I'm not a I'm not a production. I'm not a developer.

Tim Medin:

I mean, that's said.

Ralph May:

I'm a guy. I just

Corey Ham:

didn't even know

Tim Medin:

I didn't resent it hard, because I have no clue how to fix my git stuff. But

Corey Ham:

yeah. I'm the same, dude. Same.

Wade Wells:

Corey, do you not watch Fireship?

Corey Ham:

I do. I I don't watch it every day, but I watch it when something like this happens. Yeah.

Wade Wells:

So they talked about that. And then, well, the other thing is this guy also so the only thing he uses GitHub for that I can see right now is he has a terminal spin off that he has that is actually pretty cool. And that's what he was talking about is moving that off of GitHub onto

Corey Ham:

something onto what? That's honestly the biggest question.

Wade Wells:

Yeah. That's that's a good question.

Corey Ham:

Okay. So this is a great example. Okay. We're talking about Fireship. Fireship's a great YouTube channel that talks about current events and development stuff.

Corey Ham:

My question is, okay, YouTube's had issues for years. We've gotten creators banned for no reason. The advertising is sketchy. There's a bunch of AI generated videos, blah blah blah. Okay.

Corey Ham:

Where do I go next? Freaking Nucle or whatever Nucleo? Universe or Nebula or whatever? Like, I don't Ben yeah. What Vimeo?

Corey Ham:

Like Vimeo. There's no like, let's be real. Okay. There's GitLab, but that's like self hosted. Right?

Corey Ham:

Like, in

Ralph May:

there's No. Like No. Git GitHub GitLab is not they they do have the full

Corey Ham:

Well, there's GitLab, but then there's like GitLab Cloud, like whatever is

Ralph May:

a Yeah. They have a regular GitLab, just like GitHub. They then they you could self host it. There's a couple other, again, less less popular, but fully self hosted Bitbucket. Yeah.

Ralph May:

And then Bitbucket was the I think the last, or the not last, but also big one. Yeah. You have you have a public repo, But it should be on you don't I think for private repos, there is probably a good reason to maybe host it somewhere else. That's all I have to say. Right?

Ralph May:

Like, don't think can anything.

Corey Ham:

That's fair, but I do think from an actual like, I'm not a developer, but talking to our SOC and our like, Eric and Whitney, who are like our god tier developers, they're hard committed to GitHub, because it has the most advanced CI/CD features.

Ralph May:

So, yeah. The CI/CD features are that are I mean, one of the other benefits of GitHub, but what a lot of people do use it, is the runners. So you can have a runner run in any environment you want. So if you want a Mac machine, you can just ask for it, you'll get one. You want a Windows, you want a Windows, you want a Mac x86, you want a Mac ARM, whatever.

Ralph May:

So that

Corey Ham:

Yeah. That's Whereas on GitLab, you would have to deploy that

Ralph May:

You would have to deploy every one of those other stuff like that. So, yeah. There is some definitely some It is mature. Let's just put it that way. I think that's what you're getting.

Corey Ham:

It's not reliable, but it has the most features.

Ralph May:

It's like

Corey Ham:

Windows. That's why Microsoft bought it. That makes perfect sense. Alright. Well, before we close, let's do some final plugs.

Corey Ham:

First of all, I'm just gonna go in sequential order here. So let's do some let's plug it up. So number one, May 6, this week, our man Wade Wells himself. This is two days from now.

Wade Wells:

Yeah. Yeah. Dude, I looked at the slides today. I did I did something really bad. I did I did the slides really early.

Wade Wells:

I looked at them today and realized I don't remember doing them. So now I have to like redo them.

Corey Ham:

Oh, you gotta do it the night before, dude. You still have a

Wade Wells:

whole You're absolutely right. That's like the worst part. So

Corey Ham:

Yeah. So Wednesday, we got Wade coming on to talk about how to turn cybersecurity There's headlines so many things. I I mean, I'll I'll probably show up to pre show banter for this, because I have so many feelings about this of like, how I mean, we do this. I'm talking right now with my team about how we're gonna freaking use chatbots to send in encrypted zip files and get support teams to compromise their machines. Like, I'm gonna do this right now.

Corey Ham:

Obviously, yours is probably more defensive based, not offensive based, but it's a great idea.

Wade Wells:

It's more psychological, to tell you the truth. Like, I don't even go yeah. Yeah. It it should be good. But

Corey Ham:

I mean, you don't have a choice. You do have to do this. Fundamentally. Like, you need this is a skill everyone needs. Speaking of skills everyone needs, we've got John's information security core skills training on May 11.

Corey Ham:

That's next week. And then Wade, you have another workshop next week?

Wade Wells:

Yeah. On the fifteenth?

Corey Ham:

Tim's course is coming up on May 20, and then he also also has a workshop on May 22. Or not sorry. Not Tim's course. Corey's webcast is coming up, and then Tim has a workshop. And then, Patrick, when's your thing?

Corey Ham:

For some reason, it's not listed here.

Patrick Gorman:

As far as what? When is that course?

Corey Ham:

Yeah. Yeah. What's oh, here it is. Yeah. What are you I'm sorry.

Patrick Gorman:

No. Did.

Corey Ham:

Just list all the things you have coming up, man.

Tim Medin:

Thanks for coming,

Corey Ham:

Patrick. Don't know

Ralph May:

when you You were really good. Thank you.

Corey Ham:

But also just list all

Ralph May:

the stuff you have coming up and

Corey Ham:

why it's happening. Megan probably has links. I don't know why it isn't in the show notes.

Patrick Gorman:

No. No. It's all it's all good. So it's probably gonna be in about a month and a half. Still working on some stuff.

Patrick Gorman:

Actually, I had a few little family events happen recently, so I had to put some pauses on stuff. But hopefully, definitely before DEF CON. So Okay. Cool.

Corey Ham:

Yeah. Looking forward to

Tim Medin:

it. Alright.

Corey Ham:

Well, thanks all for coming.

Ralph May:

Much

Corey Ham:

love. And to our audience, thanks for being in the Discord. We'll we'll see you next week. Bye, y'all.

Patrick Gorman:

Pleasure, guys. See you. Bye.