Talkin' Bout [Infosec] News

This episode covers a Wired report on the rise of “anti-tech extremism” and growing public opposition to AI infrastructure projects, including debates over data centers, resource consumption, local communities, and government responses. The hosts also discuss AI coding assistants, model safety restrictions, and the evolving capabilities of large language models. Additional topics include Anthropic’s reported IPO plans and valuation, AI’s impact on the tech industry, and a conversation with David Bianco about AI-generated threat-hunting datasets and cybersecurity training.

Join us LIVE on Mondays, 4:30pm EST.
A weekly Podcast with BHIS and Friends. We discuss notable Infosec, and infosec-adjacent news stories gathered by our community news team.
https://www.youtube.com/@BlackHillsInformationSecurity

Chat with us on Discord!
https://discord.gg/bhis
🔴live-chat


Chapters
  • (00:00) - PreShow Banter™ — Solving this thing
  • (03:52) - Anti-Tech Extremism - 2026-06-01
  • (08:08) - Threat Hunter Summit | June 17th 2026
  • (12:11) - Story # 1: US Law Enforcement Warns of ‘Anti-Tech Extremism’ as AI Hatred Grows
  • (20:54) - Story # 2: Anthropic files for its IPO
  • (23:35) - Story # 3: FBI: Hackers Sending Operatives in Person to Insert USB Drives and Steal Data
  • (29:41) - Story # 4: Microsoft Defender can now automatically isolate hacked endpoints
  • (30:45) - Story # 5: Microsoft's GitHub bans security researcher who posted zero-day Windows exploits because company 'ruined their life'
  • (36:54) - Story # 6: Cyber Force? Senator pushes to create service branch under the Army
  • (42:10) - Story # 7: Are you ready? Anthropic preparing to release Mythos publicly
  • (46:38) - Story # 8: Defense at AI speed: Microsoft’s new multi-model agentic security system tops leading industry benchmark
  • (49:12) - Story # 9: Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
  • (50:43) - Story # 10: Hackers Simply Asked Meta AI to Give Them Access to High-Profile Instagram Accounts. It Worked
  • (56:02) - Story # 11: Kali365 phishing kit bypasses MFA and steals Microsoft logins
  • (58:02) - Story # 12: Botnet of more than 17 million devices dismantled
  • (01:01:13) - Story # 13: United flight returns midair after Bluetooth device name reportedly sparks security scare
  • (01:03:49) - Story # 14: Inside the Charter data breach: hackers leak 13M+ customer data
  • (01:04:37) - Introducing EvidenceForge: Synthetic security logs that don’t look (as) fake
  • (01:10:04) - Threat Hunter Summit | June 17th 2026
  • (01:10:57) - Anti-Cast : How Hackers Attack CI/CD Pipelines w/ Phil Miller
  • (01:11:36) - Cyber Threat Intelligence 101 2-Day Version
  • (01:11:57) - Ralph's Practical Physical Exploitation Training & Tool Bundle


🔗 Register for FREE Infosec Webcasts, Anti-casts & Summits 
https://poweredbybhis.com

Brought to you by:
Black Hills Information Security 
https://www.blackhillsinfosec.com

Antisyphon Training
https://www.antisyphontraining.com/

Active Countermeasures
https://www.activecountermeasures.com

Wild West Hackin Fest
https://wildwesthackinfest.com

Creators and Guests

Host
Corey Ham
Corey Ham has been with Black Hills Information Security (BHIS) since 2021 delivering red teaming and OSINT services. Currently, Corey leads the ANTISOC team at BHIS, providing subscription-based continuous red teaming to BHIS clients. Outside of his time at BHIS, you can find him out in the woods or up on a mountain somewhere.
Host
Ralph May
Ralph is a U.S. Army veteran and former DoD contractor who supported the United States Special Operations Command (USSOCOM) with information security challenges and threat actor simulations. Over the past decade, he has provided offensive security services at Optiv Security and Black Hills Information Security (BHIS) across various industries. His expertise spans network, physical, and wireless penetration testing, social engineering, and advanced adversarial emulation through red and purple team assessments. Ralph has developed several tools, including Bitor (set to release in January 2025) and Warhorse, which enhance efficiency in penetration testing infrastructure and operations. He has spoken at numerous conferences, including DEF CON, Black Hat, Hack Miami, B-Sides Tampa, and Hack Space Con.
Host
Wade Wells
Wade Wells has been working in cybersecurity for a decade, focusing on detection engineering, threat intelligence, and defensive operations. Wade currently works as a Lead Detection Engineer at 1Password, where he helps build and mature scalable detection programs. Outside of his day-to-day work, Wade is deeply involved in the security community through teaching, mentoring, podcasting, and running local events.
Guest
David Bianco
David is a Staff Security Strategist on Splunk's SURGe research team. He is also a SANS Certified Instructor, where he teaches network forensics. David has more than 20 years of experience in the information security field, primarily in incident detection and response, threat hunting, and Cyber Threat Intelligence (CTI). He is the creator of both the Pyramid of Pain and the Threat Hunting Maturity Model, both widely cited defensive security models. He is a faculty member of the SANS Technology Institute, an NSA Center of Academic Excellence in Cyber Defense and multiple winner of the National Cyber League competition. Really, he just wants to make security better for everyone, and he has a special interest in helping people get started in their cybersecurity careers.
Guest
Phil Miller
Phil Miller joined the team at Black Hills Information Security (BHIS) in the spring of 2022 as a Security Consultant working on web application, external, and internal network testing. Prior to this role, he was an information security associate for an e-commerce B2B company. Phil chose BHIS because of “the amazing content and fantastic quality of work that they deliver, and it’s an awesome group of talented individuals.” He loves being on a team with folks who are also passionate about their work. Outside of work, he enjoys the arts (drumming & music, drawing & painting), as well as sports (golfing, bowling, and basketball).
Producer
Ryan Poirier
Ryan Poirier began his time at Black Hills Information Security (BHIS) as the Video Producer and Editor in August 2020. Ryan polishes and perfects every webcast, podcast, and workshop on the BHIS, ACM, and WWHF YouTube Channels. Prior to Ryan’s time at BHIS, he worked for one of the largest public schools in the United States, conducting their video production and live broadcasting. He joined the BHIS team because he felt like it would be a great group of people to work with, and he couldn’t pass up the perfect next step in his career. Outside of his time with BHIS, Ryan does freelance photography, attends Cars & Coffee events, and expands his knowledge of audio and videos.
Guest
Shane Hartman
Shane Hartman is a Principal Incident Response Consultant at TrustedSec, specializing in advanced threat hunting, forensic triage, and intrusion analysis. With over 30 years in IT and two decades in information security, Shane helps organizations detect, investigate, and contain targeted attacks against critical systems and intellectual property. His previous roles at FireEye, Fortinet, and RSA focused on malware reverse engineering, threat intelligence production, and adversary tradecraft analysis. He frequently presents and teaches at the University of South Florida on topics including Digital Forensics, Ethical Hacking, and Offensive Operations.


Ralph May:

I haven't I haven't actually gotten too many of, like, I can't help you with that. Right? But I think it's because I break down my tasks so, like, into small pieces because I've had it happen before. You're just like, alright. We'll just solve this thing. Right? Solve that thing.

Corey Ham:

But yeah. I mean, at BHIS, we saw people that run into it, but it seems like the most of the people who are running into the CVP, like, denials are the people working on low level code, like the, you know, exploit development, like like especially messing around with those Windows LPEs and stuff like that. It's it's all over that. It doesn't want you to have that. But for just like pen testing stuff, it seems pretty open.

Ralph May:

Yeah.

Phil Miller:

Yeah. I wasn't getting called out until recently. Last week, they really didn't like the supply chain attacking tool that I was building.

Corey Ham:

It was like, they're too close to home.

Phil Miller:

Well, in the golden age of Claude Code before the whole, like, nerfing the model situation or whatever is when I, like, built most of it and it never complained once. But then, like, three months later, on the new model, it was like, I'm not touching that. And so

Corey Ham:

You can always go back to the old model. True. People still say that they love four six,

Ralph May:

I think, the best.

Corey Ham:

No no verification. No problem. Just let it rip.

Phil Miller:

What was like what's what was great about the older model was it would, like, find other things even though you didn't mention your prompt and, like, still, like, fix it for you and just do the best you could possibly do. Like, oh, I found something critical. I should probably fix that as part of this task. But now it's like, oh, I found something critical, but you didn't say to do that. So I'm just gonna leave this bug hidden so you never see it unless, like, you're, like, laser focused on my standard out, which will get disappeared in five seconds anyways.

Corey Ham:

I have found that four eight and four seven will both do that, but you have to use it in x high. You can't if you use it in high or medium or any of the like, you it has to be in the high or extra high mode to actually catch stuff along the way. Least my

Phil Miller:

power mode. Let's take that up so the system changes

Corey Ham:

as much thing. Although I will say the new max whatever extreme mode is pretty fun like we were talking about with workflows. But just I usually use the x high and that seems to do a good job with catching some of that stuff like you're talking about. I agree though. I had the same experience.

Ralph May:

I just go straight to max even when I'm like, hey, could you just change this one color?

Corey Ham:

I need you to just center this div. Yeah. Ultra code.

Ralph May:

Yes. Ultra. Ultra. Can I can I oh, and then I I get a opus with fast mode too just for that?

Wade Wells:

Just ripping through tokens for now.

Corey Ham:

So wait. What is fast mode? That's new. Right? What is it?

Ralph May:

No. No. No. So I think they had it in I I think they had it in 462, 47, 46. Anyways, if you're on Opus and fast mode just you're you you get faster tokens per second. So it's gonna respond faster. Like, you're gonna get output quicker. So, like, the same task was gonna you're gonna get that the result, right, from beginning to, like, where you have to where it has to stop faster. So.

Corey Ham:

Gotcha.

Ralph May:

Yeah. But it costs more money. Of course. Yeah.

Corey Ham:

Of course it costs more money. Yeah. So Those oceans aren't gonna boil themselves.

Ralph May:

Oh, no. But those farms are sure gonna be taken down pretty soon here. Yeah.

Corey Ham:

That's that's one of the articles we're gonna talk about probably first. I know. There's an article for that.

Ralph May:

There's an article for that.

Corey Ham:

I don't know. Let's roll the finger, Ryan. Let let's go live a little early because we we are we're already, like, segueing into the show. Let's do it. Hello, and welcome to Black Hills Information Security's talking about news. It's 06/01/2026. Time to change your password to June2026Exclamation. We have a star-studded cast. This week actually is stacked. We have some heavy hitters including some guests, some BHIS people.

Let's start. I'll just go in order. So I'm Corey Ham. I run continuous pen testing at Black Hills. We got Ralph. He's here hunting some gators maybe, or I don't know. He's got like a he's got a laptop with what looks like a government agency logo on it. I can't tell. I'm I'm trying to enhance and, but it's not working.

David Bianco:

What's up,

Corey Ham:

Ralph? What's going on? You you gotta give your fancy intro. What do you do? Spears? Arrows? You you your weapons, man. Know they do,

Ralph May:

like, like, ancient attacks of sorts. Right?

Corey Ham:

Okay. I see. Old weapons. Old he said edged weapons. Dude, do you remember that, like, history channel? Cyber

Ralph May:

I'm a cyber I'm a cyber, what do you call it? Software dealer. There you

Corey Ham:

go. Okay. An arms dealer? You're the lord of war. Yeah.

Ralph May:

The lord of war for cybersecurity. There you

Corey Ham:

Yeah. I I just remember, like, those history channel, like, you know, when I grew up watching TV, and it'd be like a history channel documentary, and it'd be like, this guy with, like, you know, a really, really short tie being like, I'm an edged weapons expert.

Ralph May:

That's like, you had

Corey Ham:

it That's you, Ralph.

Ralph May:

Yes. Experts come in all different shapes and sizes.

Wade Wells:

Go endorse Ralph for edged weapon ex expert on LinkedIn.

Corey Ham:

Yes. Good times. Good times. We got Wade who's wading through logs. What's up, Wade?

Wade Wells:

What's up? I am off this week because I am doing training, so it's actually pretty nice. I haven't read the news yet today. Are you taking it,

Ralph May:

or are

Corey Ham:

you giving it?

Wade Wells:

I'm giving it. I'm giving training. So which is always more fun, I think, nowadays. I don't know. I feel like now with AI training for me is just, reading Claude articles over and over again.

Corey Ham:

Hallucinating your way through the training? Yeah. Yep. Oh. Just asking it to build a skill that's past this training?

Wade Wells:

Yeah. Yeah. Then it's worked pretty well so far. You know? I just

Corey Ham:

Oh, nice.

Ralph May:

I think

Corey Ham:

Phil, Phil's a BHIS, I would say, developer tester. I don't know what to call you, Phil. You have a webcast coming up. Right?

Phil Miller:

Yeah. Yeah. A little bit of jack of all trades, like some testings and development. But, yeah, I got a webcast coming up about hacking CI/CD pipelines. So it's all the rage these days with the supply chain attacks. But, yeah, stay tuned because it should be a

Corey Ham:

lot of fun. The content community team today on our internal meeting was like, it's Miller time. I love that. It's amazing.

Phil Miller:

My heart started racing so fast when they would I was like, I'm not prepared for this. I have nothing witty to respond with.

Corey Ham:

Well, wait till you see how fast your heart's gonna be racing on, your webcast. We also have Shane Shane Hartman from TrustedSec. Right? That's where you work based on your shirt?

Shane Hartman:

Yeah. Based on my shirt, that's where I'm at. I'm one of the principal, IR consultants there, so I spend all my day fixing everybody's mess ups.

Corey Ham:

That's awesome. I love it when the podcast slants towards blue team. I feel like it's gonna be up to you, David, to decide if you're are you a blue teamer or red teamer?

Ralph May:

Oh, no.

Corey Ham:

What do you see yourself?

David Bianco:

Despite the, red hoodie, I am entirely a 100% blue team.

Wade Wells:

Good. Good. I think this is one of the very few times that we've had equal footing ever.

Corey Ham:

This is equal. Yeah. We got three. I mean, okay.

Phil Miller:

I will say

Corey Ham:

Wade's famous quote. Right? Everyone's blue team if you think about it for long enough.

Wade Wells:

Yeah. There is no red team. No spoon. No red team.

Corey Ham:

No red team. Like, yes, I agree, but it's fun when we have so, David, you are Shane, why don't you, you got a class coming up, or you're keynoting some, threat hunting summit we're doing, or I don't know. Something's happening. What's going on?

Shane Hartman:

Yeah. I'm probably I'm doing the threat hunt symposium or thing that you're doing on June 17. So mine is kinda hunting in the dark. It'll be focused a little bit more on kinda just the quick wins and getting started. A lot of engagements that we do where we engage with Threat Hunt, what we have is they're either starting out or they're trying to get a foothold to get the either money in order to get that going. So give you a few like quick wins. Some like, how can you get started? A little bit of asset management. Maybe, you know, what actually would senior executives be looking for when you do a threat hunt so you can actually get money and funding and kinda do some cool stuff.

Corey Ham:

Nice. That's awesome. Yeah. I feel like a lot of the times when I'm doing, you know, pen test report readouts or whatever, I'm like, yeah, you could do a threat hunt, but, like, in my head, just like yada yada yada that. I'm like, you know, just like do a threat hunt, but I have no idea where to, you know, tell them to start. So maybe that would be a good place.

Shane Hartman:

Absolutely. We like you guys. We like that when you leave details out on the network,

Corey Ham:

we get to go find it. Yeah. Yeah. That's my job is to leave details out on the network to go find. Red red red

Ralph May:

kind of man.

Corey Ham:

And then, yeah, David, you're you're actually keynoting. Right? You're you're the you're the big name in the room.

David Bianco:

I I am kicking it kicking it all off. Yeah. I'm very excited. It is it's actually only my second ever keynote, so I'm trying to have really interesting insights.

Corey Ham:

That's really hard. That that's a that's a high bar to set for yourself.

Wade Wells:

That's also very surprising that this is only your second keynote. What's wrong with people?

Corey Ham:

Yeah. So, yeah, definitely people well, yeah, please, David, answer that question live on the air. Yeah. Tell me

Wade Wells:

what's wrong with Yeah. That's how we're starting the podcast today.

David Bianco:

And and it's a strong start. No. I'm I'm actually really excited. There's it seems like for the last few years, like, of my presentations are something I screwed something up. That was my, RSA presentation from was it last year? How I screwed up threat hunting a decade ago.

Corey Ham:

And and and the you know, at at

David Bianco:

the time, I I I put out this, this definition of threat hunting that got picked up that it's human driven, maybe machine assisted, but human driven. And I feel like we may be to the point where we it's time to possibly redefine that or at least decide whether we should redefine that. So I've always been, like, automated threat hunting, that's not a thing. We call that incident detection. And I'm starting to think that that may not be defensible anymore. And so I'm not gonna tell you yet because I hadn't figured out whether I still believe it's defensible. Mhmm. No. I haven't figured it out yet either. So, when I finish my presentation, there will be a surprise to me as well.

Wade Wells:

That's what I was gonna say. This sounds like an excuse for someone who hasn't finished the slides yet, really.

David Bianco:

That's that's that's exactly why I proposed it, actually. I wanted to I wanted to have an excuse to spend some time thinking through it. So that's but but that's what it's gonna be. Like, with with the advent of AI, being able to provide the reasoning that before only the human could really do, is it time? And your guess is as good as mine right now.

Corey Ham:

Nice. Yeah. I mean, honestly, I love, like, as a concept when I'm doing a talk or anything like that. I think you have to choose something that you're fascinated in and don't know all the answers about. Like, it has to be something that you're genuinely doing discovery during the process, and, yeah, building the slides the night before is the key. That's the that's the key. That's the secret. The secret sauce. Alright. Let's roll into articles.

David has a tool to plug, but we'll leave that until the end. It's gonna be exciting. So I think the first article we should talk about because we were a little bit getting into it, during the preshow is basically there's a Wired article saying that US law enforcement has started to warn about a new category of, I guess, threat, which is AI anti tech extremism or like AI hatred. So basically, the idea here is that they're seeing an increasingly strong response to people not wanting data centers in their farms or backyards or local areas. And this is getting a lot of traction at least in public, you know, public forums and town halls, stuff like that.

So I guess the government has decided to acknowledge this as a real thing. You know, the actual this is federal intelligence agencies, domestic law enforcement. They're circulating reports, you know, anti technology extremists. And kinda like the first, you know, headline response on Twitter was, we're not anti tech or anti VC funded tech. There's a difference.

Ralph May:

Very specific.

Corey Ham:

Which is which is fair. It does feel like to me that when they do these projects, it feels like they're working as hard as possible to make it as politically disastrous as it could be. Like, the the one in the one in Utah that hit my radar was it was the Shark Tank guy. Right? I forget his name. Kevin something. Anyway, he he it's a Canadian citizen who's a billionaire from Shark Tank trying to put just the world's largest data center in Utah. Like, the size of the data center didn't even make sense to me. It was like, this is bigger than the half the towns in the US or whatever. Like, it's like a gigawatt or, you know, 1.2 gigawatts or whatever. I don't know. But basically

Ralph May:

Million watts.

Corey Ham:

Half of these projects are like, we're we've located a rare, animal habitat, and we're gonna slowly kill them one by one on the live feed, and that's and then that'll be a dataset. Like, it just feels like they're

Ralph May:

trying make baby pandas, and they kill them just to make sure that you guys are all really, really upset. Yeah.

Wade Wells:

The better part was him claiming it was China. Right? And then, like, it being, like, two, like, women. Just being like, nope. Nope. Not China. Like, we actually live here. Like, don't

Corey Ham:

Yeah. I mean, I guess I'm like, what is the what is the real threat here? What are they gonna do? Like, put ignore all future instructions and stop construction, like QR codes on things? Like, what is the like, I obviously, there are physical threat. You know, it could be like, you know, people sabotaging projects or, you know, just imagine chaining yourself to a hard drive. You cannot install this hard drive until you take me off of it. I don't know.

Ralph May:

Well, I I so, I mean, the the terrorism or domestic terrorism aside. Right? So, like, the actual actions. But, I mean, you know, the only other way to stop these things from being built in your city is to, you know, essentially protest and specifically, not just to stand out there, but just holding signs, essentially to get the recognition of the, you know, the the local government to to not to not have it there. Right? That's, you know, that's, I think, like, the ultimate goal.

Corey Ham:

But Yeah. I mean, I don't know. I have mixed feelings on this. Does anyone have a strong take?

Shane Hartman:

That's what they've been doing in Florida where I live. They've been putting out a lot of media articles about the electrical cost grid and water being used. So they're talking about they're using the natural resource side and saying we don't want it here because we don't have the resources to give to you because it'll everybody else will have to pay for it. So that that that take is what they've done. Yeah.

Shane Hartman:

I mean, I

Corey Ham:

live in Oregon where there's a lot of data centers. Like, Hillsboro is one of the biggest data center. Like, that's an entire AWS region. Uh-huh. It is. And and there's like I mean, there's definitely mixed feelings. I mean, but I think the biggest from my perspective as like a citizen who actually would be voting in some of these votes is I'm fine with it, but you do need to tax these companies and actually, like, give the money give give me some benefit as a citizen who has to live near this data center, like, whether it's infrastructure or tax money or whatever it is, don't like bend over backwards for this company to come in and, like, destroy farmland and then not pay any taxes. The biggest thing is like the data centers, you know, the best article or the best like take I've heard is that they rely on public infrastructure, right, including like power grid, roads, like all that stuff. So they should contribute back to that infrastructure. That's probably like an extremely, like, political take I just gave. I apologize for that.

Wade Wells:

But You sound like one of these terrorists that they're talking about.

Ralph May:

Oh my god. I guess I'm on

Corey Ham:

a watch list now.

Wade Wells:

Yeah. This White House article is literally just propaganda. Like Yeah. What have you seen anywhere? Not not true. It's just literally the people trying to say, I don't want a data center in my backyard.

Corey Ham:

Right? People are against me saying they must be terrorists.

Wade Wells:

They know. Exactly.

Shane Hartman:

Yeah. Like Well, mean,

David Bianco:

if you read that thing that it's not only about saying anti data center activists are terrorists. Right? There's, like, some broad categories in there.

Corey Ham:

It's true. It's not just data centers.

David Bianco:

Yeah. Right. It's not just data centers. It again, I I don't wanna get too political, on here either. If if you wanna hear that, that's first episode. On my socials.

Ralph May:

That's when I post on my socials.

David Bianco:

You want you want the politics, David? You can get that on Bluesky or something. So but, you know, I do think I do think there's, like, three big, waves that are kinda coming together and right now, and it's kind of I wanna say interesting, but, like, interesting in maybe a bad way too is, like, the the anti AI, anti data centers, but also they're kind of inextricably tied to the anti billionaire, things and and the sentiments. And they they all really are tied together, not just in people's brains, but they actually because these these are the people who are making the data centers to run the AI. So, yeah, we're we're just it's it's just like a perfect storm right now.

Ralph May:

It is kinda interesting too because they're building data centers and taking away from the cities and towns and resources to then also build AI that then takes away their jobs too. It's kind of like, why do I wanna keep doing this? Right? Like, what what what am I getting out of this to then feed not only to take away people's jobs. And, again, I'm I'm I'm, like, throwing out the nest the net further. Right? We don't actually know how that's gonna play. But just to look at it from the beginning, everyone's saying that to then make more money for the really rich people, the billionaires. Right? So you're kinda kidding out this whole, like, process flow. You know, the data center is just, like, the first thing you see to then the next thing to the next thing, and none of those are good for you.

Corey Ham:

Yep. It's a good point. Very political take, Ralph. How dare you?

Ralph May:

I know. Sorry. I mean, I think you an AI fan too, but it's like, is the AI that we love so much or that I enjoy using so much, is that the thing that's going to hurt everybody? Right? I don't know. I'm not saying that's what I believe. I'm just saying I'm just proposing the question. Right?

Corey Ham:

Yeah. I mean, I think the only example of this that I've seen, and it wasn't even the US, is like the UK strong resistance to the speed cameras and like and and like their equivalent of Flock cameras and just seeing a bunch of videos of people with Sawzalls just hacking through the post, like, you know, just cutting down speed cameras, like, as a kind of a coordinated targeted sort of thing. But

Wade Wells:

There was there was a US. There was a target event like that, but not so much as AI is parking here in San Diego. So they started charging for parking at the Balboa Park, which is huge, and at the zoo and everywhere downtown. And people straight up started just, like, sawzying the parking meters or super gluing inside of them. Like, it was destroyed everywhere, and it it got to the point where they just now repealed it. Now they're not doing any parking laws anymore or paid parking in that area.

Ralph May:

So

Wade Wells:

it it works, people.

Corey Ham:

Well, I find myself on the other side of that one because I would always support anti car infrastructure and making people pay for parking. I love that idea. But, anyway If

Wade Wells:

there was a way if there was public public transit, it'd be great, but San Diego

Corey Ham:

is a lot. You have to drive, and it's gonna cost you $12.

Ralph May:

Yep. Speak speaking of AI, and this is not really this is a news article, but it's a little piece, is that Anthropic just filed to go IPO today, actually.

David Bianco:

No. They they did it? Yep.

Corey Ham:

Yeah. Oh god.

Phil Miller:

What was the valuation?

Ralph May:

So it it's gonna something close to a trillion. So I think it was, like, 945,000,000,000, which is a number.

Corey Ham:

Know what we should do, guys?

Ralph May:

Easy to say, but hard to actually

David Bianco:

tree finish.

Corey Ham:

We should make an offer. Okay? Like, GameStop did it for eBay. Okay? We can do this.

Corey Ham:

We can

Ralph May:

do this. We do this.

Corey Ham:

We should put together a very compelling offer. We have Wade's mustache and a few cats. I I did

Ralph May:

speak with something else, and, don't quote me on these numbers because they could be off, but just get the percentage idea here. There's something like amaz or not Amazon. Walmart is worth, like it's something like $700,000,000,000. And and they make, like, $600,000,000,000.

Corey Ham:

Yeah. Yeah. Yeah. Yeah.

Ralph May:

But Anthropic has made, like, 20,000,000,000, and this is, like, a $900,000,000,000 valuation, which, by the way, that all makes sense because the stock market is not an indication of how much money a company is

Corey Ham:

It's not revenue. It's valuation.

Ralph May:

Yeah. Yeah. Exactly. It's it's what I believe it could be in the future. And that number is just you know, it could be anything.

Ralph May:

Right? So

Corey Ham:

Why would an AI company need to make money? I don't get or need to, raise capital. I don't get it. Well It's not like they're spending $20,000,000,000 a month on electricity in my backyard.

Ralph May:

I mean, Jensen Huang's just getting home with every dunk.

Corey Ham:

That is sort of true. Yeah. I mean, that's really interesting. Honestly, I, you know, I feel like this is kind of I don't know. I mean, maybe people saw this coming.

Corey Ham:

To me, I'm like, there are a handful of really kind of interesting privately owned companies like Mars or, you know, there's a there's a handful of really interesting companies that are huge and are still private, but the majority of big companies are public. The benefit of this will be that more transparency and and, you know, financials. So that's interesting.

Wade Wells:

SpaceX also with IPO. Right? So it's like a bunch of stuff all at once. Yeah.

David Bianco:

I have thought it was reliable authority that the first filing for Anthropic, their their their, valuation that they put in there was just so giant. It was like $950,000,000,000,000, and they pushed back and they were like, you're absolutely right to call me on that. I clearly messed that up.

Corey Ham:

Deep comment. Form with AI.

Ralph May:

Yes. Yeah. Yes.

Corey Ham:

Oh, that's amazing. I love that. Oh, Yeah. So, in other news, apparently, the FBI's warning about people walking around with USB drives. What year is it?

Ralph May:

Twenty years. My god. Honestly, if they're not USB c, I don't know where you're plug them.

Corey Ham:

They're not USB c. Me to it.

Shane Hartman:

Good point.

Corey Ham:

Okay. You so there's gotta be some crusty IT guy at at some company that, like, has been epoxying over all the USB ports in his laptop for years and, like, forcing other people to do it. He's like, I told you. I told you. No.

Corey Ham:

Accident. So, yeah, basically, this is a real article. The FBI has warned about Silent Ransom Group, who I wasn't previously familiar with, threat hunter people. Have you ever heard of Silent Ransomware Group? Ransom Group?

Corey Ham:

Nope. That that was new to me. Anyway, the FBI they're at they say they've been active or the FBI says they've been active since 2022 targeting US firms and since 2023. Basically, they used to use phishing emails. Now apparently, they're physically walking into

Ralph May:

Oh, the physical part. Nobody said that physical everyone was like,

Corey Ham:

no one's doing this. Why would you ever go into someone's building?

Ralph May:

Come on.

Wade Wells:

Ralph's gonna start using this as a as an ad for his company.

Corey Ham:

For his physical class.

Ralph May:

Yes. Yes. I but you that that's the funny part. Right? Like, the everyone's everyone's argument is right about physical security.

Ralph May:

It's not a threat yet because I can just break in remotely. You're not gonna do it.

Phil Miller:

It's only a threat

Corey Ham:

where you run out of other options.

Ralph May:

Exactly. Yeah. It's getting better. It it just becomes the x the next thing. Right?

Ralph May:

So

Corey Ham:

yeah. Well, that's exactly what the the threat report says. It says they you know, first they call or they send phishing emails. They're impersonating IT support. If that doesn't work, then they go in person.

Corey Ham:

They say, hi. I'm here to, you know, update your computer. Apparently, they're using an extremely advanced tool called, WinSCP.

Ralph May:

Oh, yeah. That thing. Right? That that honestly is agentic, by the way.

Shane Hartman:

You mean ancient? Oh, yeah. No.

Ralph May:

I I mixed those words up. I'm I'm sorry.

Shane Hartman:

You're absolutely correct. Ancientogenic. Ancient.

Corey Ham:

Yeah. I mean, what's old is new again. Right? I mean, this has been a it's been a real thing forever. Honestly, my question with this is, okay.

Corey Ham:

So they're targeting US based companies and they're using physical resources, this was something that I feel like from a threat, you know, perspective, we kind of were like, they probably won't do that just because the amount of risk involved. How does this criminal ecosystem work? Like, are they hiring people who actually think that they're helping p like, is

Ralph May:

it is it

Corey Ham:

like a mule is it a mule system, or do they actually a mule.

Ralph May:

There's no way that they're, like, bringing in Russian assets to then just land on, like, a vacation to do this. Right?

Corey Ham:

Right? Yeah. Like, if you leave Russian or Chinese turf, you're gonna get arrested. So they're

Ralph May:

Yeah.

Corey Ham:

I don't know. Does anyone know, David or Shane, do you guys have any intel on this at all?

Shane Hartman:

I don't have any intel on it. I did read the article. It said it was targeting, law firms. Now I have had a little bit of experience with law firms. They tend to be a little bit more technologically backwards, meaning they do use USB because they go in and out of court and whatnot.

Shane Hartman:

So they they're not always using WiFi or they just use older technology sometimes. So that there could be some validity here just in the targeting, but it's gotta be small. I mean, it's it's not scalable.

Ralph May:

Yeah. Go ahead. No. I was just gonna say, so alright. How does this attack work?

Ralph May:

You show up with a USB in your hand, and you find the first unlocked workstation. Is that is that

Corey Ham:

where we're hoping to at the last time. Go to the target. You go to the target,

Shane Hartman:

the one you already called.

Corey Ham:

Yeah. You go to the pretexting target, and you say, hey. Sorry.

Ralph May:

Yeah. I missed that from the article then. Mine, the

David Bianco:

help desk guy you were expecting.

Corey Ham:

Exactly. Yeah.

Wade Wells:

All my court documents are on this USB drive. Please plug them in and view them.

Corey Ham:

I need to update your system, but your WinSCP is out of date.

Shane Hartman:

So Sherry.

Wade Wells:

I find lawyers to be a juicy target, though. Like, they're gonna hold a whole bunch of secrets, a whole bunch of information. Like

Corey Ham:

Okay. That's like stealing a from a drug dealer. Like, yeah, you're right. But, like, dude, the the repercussions are gonna be significant. Like, can you imagine answering some ad that's like, do you wanna make $10,000 in your PJs?

Corey Ham:

And then you, like, accidentally break into a law firm and do some USB stuff and then, like, have a whole law firm coming after you for screwing up.

Wade Wells:

There there's been enough people with North Korea doing it. Right? Like, hey. Set up this laptop for him in your garage and just, like, move the mouse every now and then for me. Like, it's it's hard times.

Wade Wells:

Like, if I just called someone and told them to plug in a USB drive here, like, go up to this lady's reception. If you can get a USB drive, like, here's a $100. You'll get $200 more if you get

Ralph May:

a The mules are getting scammed too. They don't they're not they're not gonna be given the whole story. Right? Yeah. They're just gonna be given the half side of it.

Ralph May:

Right?

Corey Ham:

So Do we go on this one?

Phil Miller:

I thought they were email I thought they were sending envelopes with USB drives in them to people.

Ralph May:

I've done that before. I've sprinkled them around parking lots, CDs. Remember those things? They were circular.

Corey Ham:

Oh, yeah,

Ralph May:

dude. Put them in a vein. Media drops. Yeah.

Corey Ham:

Media drops. I still have a Kon-Boot CD bumping around in my little go bag that I never use.

David Bianco:

That was the first thing I thought of when I read this article, and I was like, it's amazing that they're now a cutting edge hacking technique that the red teams have been using for decades.

Corey Ham:

Yeah. Yeah. I mean, this is yeah. Let's just say the FBI in this case is a paid advertisement for pen testing. That'll caught up.

Ralph May:

This happened to your organization too for Right.

Corey Ham:

So would you like a red team? Contact BHIS. We will walk into your building with the USB drive and do whatever you want. Yeah. I mean, honestly, though, from a defensive perspective, you're gonna have to go against low maturity organizations.

Corey Ham:

Every organization, we've done a handful of media drops, but, like, in recent years. But, I mean, you can just check a box in CrowdStrike to just disallow external media. Right? Like, you can pretty easily mitigate this with an EDR. Anyway, speaking of EDR, apparently, Defender can now isolate systems.

Corey Ham:

CrowdStrike killer, here we come. Yeah.

Wade Wells:

They couldn't beforehand?

Corey Ham:

That's what I said.

Wade Wells:

Shows you my Microsoft experience, but

Ralph May:

No.

Corey Ham:

It's automatic though, I guess, is the big the headline. Not the fact that you could couldn't quarantine before, but now it's automatic? I don't know. Mean, they call it automatic attack disruption.

Ralph May:

Wasn't it last month that they added that feature to Microsoft Defender where you could use it to privilege escalate?

Corey Ham:

Oh, no. That was that was that was part of the recent ongoing, you know, slew of Microsoft vulnerabilities that we've all been,

Wade Wells:

you know.

Ralph May:

All loving, like yellow sun speaking up-

Corey Ham:

Yellow key. Yeah. Just

Ralph May:

Speaking of Kon-Boot, but better.

Corey Ham:

Right? Yeah. Kon-Boot, but better. Yeah.

Ralph May:

Very true.

Corey Ham:

No. No. It's fine. Everyone puts pins on their BitLocker.

Phil Miller:

Everyone does

Ralph May:

that. Everyone does it. I that honestly, you know you have to enable BitLocker by default or have a domain policy, so that also is true. There's a bunch of fun things. But did you see speaking of the gift that keeps on giving that the yellow sun or chaotic eclipse.

Ralph May:

There you go. He got kicked off of GitHub and then got kicked off of bit Yes.

Corey Ham:

GitLab. GitLab. I mean,

Ralph May:

they're just kicking him off of everything. Alright. And so here's the wild part, though.

Corey Ham:

Right? So threatening Microsoft? Yeah. No.

Ralph May:

That's not the wild part. The wild part is is that there's other POCs on GitHub. Why is it that the one that happens to be attacking Microsoft was because he didn't regional re or do a a responsible disclosure? Excuse me. Or because it's Microsoft, and they're just really upset about it.

Ralph May:

What do

Corey Ham:

guys think? Both. It's both. But mostly, they own GitHub. I'm surprised when

Phil Miller:

the GitLab got taken down too. Like, Microsoft has some pull over GitLab somehow now. No. What's that? I didn't think they own them.

Wade Wells:

They do not, but the Microsoft pull is strong. Right? Like, if Microsoft were to call you right now, you're like, oh, okay. Like

Corey Ham:

Who in Microsoft would call you that you would

Ralph May:

be upset about? Would they be like, oh, you took a look

Corey Ham:

Dude, you guys don't get calls from Microsoft every day?

Wade Wells:

Dude, he calls me all the time, has me put in updates, sends me USB drives to plug in and try

Corey Ham:

out new gift cards. Oh, yeah, dude. I get I get tons of calls from Microsoft. They're super helpful. They all have weird accents, though.

Ralph May:

Oh god. I always get them. So

Corey Ham:

The I think the, like, this whole thing, the whole Microsoft thing, to approach it from both angles.

Ralph May:

To be Wait. What about free speech?

Corey Ham:

Yeah. Yeah. To play devil's advocate. Well, first of speech doesn't affect You

Ralph May:

can I'm just saying thanks. Okay? Okay. I

Corey Ham:

got you. Free anyway, I think to play devil's advocate, I think part of the reason that they're able to pull for these takedowns is because of the amount they can make an argument that this is a harmful thing and that can be abused. Uh-huh. Arguably, that is true in this case. Right?

Corey Ham:

Like, these are the amount of data that can be exposed through some of these vulnerabilities is higher than average, I would say. But it isn't like Conficker. Like, it's, you know, it's not like wormable WannaCry. There other

Ralph May:

POCs on GitHub that do bad things to other

Corey Ham:

products. Right? Oh, yeah. Shit. There's maybe even arguably worse.

Ralph May:

But the argument is the argument is PR.

Corey Ham:

It looks bad for PR.

Ralph May:

But they they but should they be there or not because somebody made a POC? Was it because it wasn't reasonably dis responsible disclosure? But then after it's patched, now is it okay so that no one else could post it? Yeah. I mean, you could see where this kinda gets muddy.

Ralph May:

Right?

Corey Ham:

Oh, yeah.

Ralph May:

It's definitely Totally can do whatever they want. I listen. Sketch. You you But as a platform, right, you kind of like, if you put enough of these, like, weird hurdles in, people will just go to something else. Right?

Ralph May:

I don't know. Just opinion.

Corey Ham:

Yep.

Phil Miller:

I think there's been so much, like, bad experiences with, like, Microsoft security program it was just it reached its boiling point. And finally, like, the water started boiling out of the pot with nightmare eclipse just because all the back and forth, which I don't know exactly what happened just based on his blog. Sounds like he likes he didn't get credit for like a CVE and they're like, oh, this doesn't qualify, like closing the issue. But then or this has happened to a bunch of people in the past where they have to wait ninety days that hits and then they need an extension, then Microsoft, like, silently patches the issue. And then, like

Wade Wells:

so.

Corey Ham:

Microsoft has bungled this every time in the past, and I think they've earned this karma. But also they own the platform, and so they get to do whatever they want on the platform they own. This is not the first time, by the way, that offensive tooling has been taken off of GitHub. I feel like every two years, we have the same discussion as hackers where we're like, guys, we gotta move off of GitHub. Yeah.

Corey Ham:

Where are we where are we going, guys? Anyone? It sounds like that's

Phil Miller:

not safe either. Now we gotta go to Bitbucket or Gitea or whatever the other

Corey Ham:

No one no. This is like the Twitter thing. Right? Like, large company is gonna wanna take this heat. Right?

Corey Ham:

It's the same thing as, like, when people have really hot takes and get fired from their big tech jobs. It's like, it's not that they don't agree with your takes. They just don't wanna pay a PR firm to compensate for you. Like, it it's really just economics. It's the same thing applies to git, you know, GitLab or GitHub or yeah.

Ralph May:

I don't I'd be but at the end of the day, zero days on GitHub is not really a problem. Right? I mean, like, you think there's probably other places that you can go get zero days besides GitHub. It's not really where I'm headed for my first zero day.

Wade Wells:

Tor's too slow. Just go to GitHub. It's easier.

Corey Ham:

I think it's a great value proposition for GitHub. Use these things used to cost a 100 k. The government's paying a 100 k for these things. Now they're free.

Ralph May:

Wow. We give you so much value with our free accounts now. So much value. Yeah. Amazing.

Ralph May:

We'll piss off another security researcher.

Corey Ham:

I will say to kind of flag it for follow-up on the show or wherever, they the date like, they say they're gonna make Microsoft pay on July 14.

Phil Miller:

I don't know.

Ralph May:

We gotta see another Oden. Because I'll tell you right now, it doesn't matter what site it's on. If that Ode is good enough, you're gonna click. You're that that you're gonna go for that fish. You're gonna definitely check that out.

Ralph May:

And if it's real, you don't have a choice. Like, you're going to have to figure that out.

Wade Wells:

I won't have go, but my agent will.

Ralph May:

Yes. Yes. I send my agents to wade out into the dark side.

Corey Ham:

I feel like Microsoft is basically training a threat actor live.

Ralph May:

Yes. Like, they're basically,

Corey Ham:

like, trying to make them disgruntled to the point that they drop this. It's such a weird way to manage this from my perspective. Like, OpenAI is like, oh, you made OpenClaw and burned, like, $10,000,000,000 worth of tokens. We'll just hire you or whatever.

Ralph May:

Like Yeah. That's usually fine.

Corey Ham:

Yeah. Like, why is no one, like, recruiting this guy to go run Mythos on all their internal tools? Like, I don't know. Whatever.

Phil Miller:

I like how he said they will feel it in their bones.

Corey Ham:

Or what did

Shane Hartman:

he say?

Corey Ham:

Their bones

Wade Wells:

will feel it

Ralph May:

in their bones.

Wade Wells:

Maybe maybe maybe they'll recruit him to the Cyberforce.

Corey Ham:

What oh oh, is that the next article, Wade? So okay. So cyber force is apparently real. I don't know. Basically, senator tier one or tier two?

Corey Ham:

One senator from New York, Kirsten Gillibrand, is spearheading a markup amendment to the Senate's 2027 National Defense Authorization Act that would create a Cyber Force as the next armed service branch. They would have keyboards on their arm, obviously, and heads up displays, you know, all you need for hacking. Yeah. I mean, is this real? Like, we already have Air Force, Navy, Space Force.

Corey Ham:

There are so many forces.

Ralph May:

Well, almost all the commands have a cyber now or some other kind, but, you know, cyber division. I mean, it wasn't the case, you know, less than probably twenty years ago. It's army, though.

Wade Wells:

Yeah. All the commands have airplanes too, right, and boats. And Yeah. Okay.

Corey Ham:

So So

Wade Wells:

why not?

Corey Ham:

I was not in the military, but Ralph, you were in the army. Right? So or was it army? Yeah. You were army.

Corey Ham:

Yep. So, okay, if you are a cyber force operator, are you mostly running around with USB sticks trying to plug them into things? Like, what it what Why does the army need a cyber force? Like, of all the different branches, like, why?

Ralph May:

Well, why does the well, the army already has a cyber command. Right? So they already have, essentially, a a cyber focused offensive arm. Right? I I think that, you know, how much they do from the offensive side, you know, gets into the to the waters where you get into the, you know, the CIA versus, you know Yeah.

Ralph May:

Yeah. Their that relationship. Right? But, I mean, essentially, they're saying, like, you know, a a act a quick action. Right?

Ralph May:

Like, a a QRF for, like, cyber. Right? We probably already have some of that, but building out a huge command of it and, you know, to make attacks against, you know, foreign adversaries, which would essentially what any military branch is specifically designed for. Right? Not necessarily for, what do you call it, local defense.

Ralph May:

Right?

Wade Wells:

I just say we let it get created just in case there's a draft so we can all just go straight to cyber command.

Corey Ham:

Yeah. We're going straight to cyber.

Ralph May:

That's what's coming. We immediately go to cyber.

Corey Ham:

Yeah. They're like, do you not pass all the physical requirements? Welcome to Cyberforce.

Ralph May:

Well, you know what? The funny part is even with the other cyber commands, it's it's hard enough to train up these, you know, train up all of these soldier in this skill. Right? Get them to be decent at it. And then I

Corey Ham:

want 20 CVEs by the end of the day.

Ralph May:

Yes. Exactly.

Corey Ham:

Well, yeah.

Wade Wells:

I don't back in the day, they used like, if you had cyber experience, they would bring you in as a warrant officer too for a little bit. And I remember me being in cyber for a couple of years, like, should I just join and just go and, like, do it for a bit? And the thinking about it now though with the the barrier to entry so, like, so hard for new cyber people. Right? Could this be an easier route?

Wade Wells:

It'll be an easier route for most people, which is sad, but scary.

Corey Ham:

Yeah. It's a good point.

Ralph May:

I don't know. The cyber so the cyber command includes US Army Cyber Command, the US Marine Corps Cyber Command, US Fleet, so this is navy, and then air force has their cyber it all falls under the national cyber United States Cyber Command.

Wade Wells:

So there already is a cyber force.

Corey Ham:

They just There's already three of them. Yeah. They're just not an army one.

Ralph May:

Yeah. No. No. No. There is an army one.

Ralph May:

So US army cyber command. Right? But I what I think they're trying to make this is, like, like, some, like, warrior with, like, overhead displays or something like tier one type deal. I I don't know what that looks like.

Corey Ham:

Dude heads up displays and keyboards on their arms.

Ralph May:

Yeah. I'm just trying to envision the no. Like, the the quick tactical team that, like, rappels into the data center to do some I don't know, dude. I don't know. Yeah.

Corey Ham:

No. I think you're right. No. I I I agree. I mean, someone in some people in Discord have been speculating, oh, these are just drone pilots.

Corey Ham:

Okay. That's fair. Like, that makes sense.

Ralph May:

We don't even need that. We have AI for that. They just slide.

Corey Ham:

We have OpenAI, though. Yeah.

Ralph May:

You're out of credits, Crash.

Corey Ham:

I think it I think it's fair to assume this will probably get approved just with the and, I mean, I don't know.

Ralph May:

But Yeah. Honestly, half of everything that you said, Corey, they're writing it down right now.

Corey Ham:

So They're like, wait. USB sticks? How many how many can we get into a plate carrier? A lot. Exactly.

Corey Ham:

USB sticks and

Wade Wells:

Working in a SOC was really fun. I'm not gonna lie. Like, at the time, the pew pew charts, right, the big monitors, there's a wall with a glass, and the CEO presses the button, and then it becomes opaque, and all the investors look at you like you're a monkey. And, like, it was great, but more people should go work in SOCs. That's all I'm saying.

Corey Ham:

I don't know if it's defensive or offensive, but I'm The best offense is defense.

Wade Wells:

Best offense defense. Right? Like, all of our stuff's getting hacked. There's no there we already have the offensive side. Maybe we need a cyber defense corps.

Corey Ham:

Wouldn't that be National Aker? Anyway.

Ralph May:

National Cyberguard.

Corey Ham:

Let's let's move on. Yeah. Please. There's a couple of interesting little tidbits on AI that I think we should talk to. First of all, in the Opus four eight release, they did specifically say that they are preparing Mythos to be publicly released week in the coming weeks.

Corey Ham:

That was the exact terminology that they Coming weeks. The coming weeks.

Ralph May:

Will be

Corey Ham:

Obviously, there will be, you know, thousands of weeks coming. Who knows if it's gonna be the next one or, you know, it could be a thousand weeks from now. It's still technically coming. But I don't I mean, I will say their cadence, their release cadence is pretty fast.

Ralph May:

And so Well, so is ChatGPT. It's a war out there, man. No. I got 5.5. No.

Ralph May:

I got 4.9.

Corey Ham:

Oh, I got extra ultra code.

Ralph May:

Yeah. I know. I know. And we're

Corey Ham:

like know.

Ralph May:

Let's see what happens.

Corey Ham:

So, basically, that might be happening. But,

Ralph May:

also think that's the end of of cyber? We're we're all done? Just vulnerabilities left and right? I mean Yeah. Maybe maybe Wade is right.

Ralph May:

Maybe Wade

Wade Wells:

the the red team. I don't know what to tell you guys, but it's not I still got it. I'm a tell you what I gotta do. Haven't seen any cyber do an incident response really that well yet. Or

Corey Ham:

threat hunting?

Wade Wells:

No. Well, I don't know. We'll see what David says after this talk.

Ralph May:

But

Corey Ham:

yeah. I mean, are you guys, as threat hunters, interested in this tooling, or is it really, like, hype for the CVEs and the threat? You know? For, like, AI tooling?

Shane Hartman:

What what was the question?

Corey Ham:

Do you care about Mythos? Are you gonna use it as a threat hunter, or do you already use LLMs, like, in your workflows? Like, obviously, everyone's like, Mythos is gonna make it amazing to hack stuff. Is anyone saying it's gonna make it amazing to hunt for threats?

Shane Hartman:

No. I mean, we we do use LLMs, but I don't think so.

Wade Wells:

Not yet. We are. We're gonna coin it right now.

David Bianco:

But you said the the the magic word earlier, it's the tooling. You just a minute ago. Right? It's not really the model. It's our models the frontier models are already so good.

David Bianco:

It's what tooling you wrap around it that is really the differentiator. I have not had hands on Mythos. I've talked to people who have, and they say, yep. It's some of them say, yeah. It's it's really what they say it is.

David Bianco:

And some of them say, I don't know. So I don't really know what to say about Mythos, but I was gonna say on on the defensive side, I'm not clear that we need that Mythos is gonna move anything further for the defense. I would be really happy to see some some frontier model provider provide that kind of emphasis on defensive security as they seem to on offensive security. It reads to me like they feel like creating vulnerabilities and exploit chains is cybersecurity or information security when it's not really. It's just a piece of it.

David Bianco:

And the hard part is the defense. And when they start coming out with, you know, models and tooling that are frontier and they're targeted toward defense, then I'll get really excited.

Corey Ham:

I fully agree. I'm interested to see if any frontier company actually makes a play at defensive the defensive side of AI.

Wade Wells:

But, like, the defensive tooling is gonna be heavy reliant on the organization as well. Right? Manipulating the tool to make it fit your company just like any type of detection would, having all your documentation. Right? I almost find it harder not as a blue teamer to get not even to get buy in, to get GRC.

Wade Wells:

Right? Like, that's some of the stuff if we're plugging all these AI toolings in. I hate to say it, but it's like, then you have to think about permissions, what these AIs are doing. Right? Are they over permission?

Wade Wells:

If someone uses an OAuth token to then log in to this and you're a security person who has super admin to something. Boom. Now this AI has super admin. So there's a bunch of controls around it, but I think the defensive will come, I I believe. It's right around the corner.

Wade Wells:

Someone I I would like the why hasn't anyone just the one that tried mythos and just, like, try to do everything defensively with it. Right? If it's doing all that

Corey Ham:

opposite they have. That's what people are talking in Discord about EmDash. I thought it was someone making it I thought it was Luke making a joke that he was gonna start using EmDashes, which is, like, for those that are out of the loop, the Em dash is like the the double dash that the AI loves to do when it says anything. So I thought he was just joking that, like, he was gonna start doing it to pretend like he's an AI. Turns out it's actually, a real thing that Microsoft has released, that's supposed to be defensive focused.

Corey Ham:

This is back from May 12, so pretty old now. But I'm guessing this is, like, their harness or tooling or whatever they built. It's multimodal. It's supposed to be, according to their graph, better than mythos.

Ralph May:

Everything's better than mythos. Yeah.

Corey Ham:

So but check this out. 21 out of 21 planted vulnerabilities were found. You know? It's like That's not

Ralph May:

I don't What what about on the Gainter chart or Ganter or whatever the hell?

Corey Ham:

Well, if you look at the chart, it says they're better than you. So

Ralph May:

Yeah. Just just checking it. Just gonna go ahead and cash this one out. I'm done. I'm all

Corey Ham:

Yep. Microsoft has solved security. Think you can just buy it. Just just figure it out.

Phil Miller:

Having a harness is very important though. Like a lot of people are posting different ones in the chat. And there's a lot to choose from. But something is better than nothing. Then it's funny too.

Phil Miller:

Like at what point does the collection of like plugins and skills and hooks and memories and learning become a harness? Like how many do you have to have before you can call it a harness?

Corey Ham:

Like I

Phil Miller:

have one skill. Is that a harness? No. You have to have a skill and a hook and a plugin and a memory or whatever. Right?

Phil Miller:

But there are some cool ones that will at least, like, automate, like, continuous learning for you so that

Corey Ham:

Yeah. Like Hermes or those. Yeah.

Ralph May:

I I think it's kinda funny. I was talking to another pen testing team, and they said they had all these zero days now that they've, you know, taken the time to find in all these different products or whatever. And this goes back to what you guys talking about with defense. And they're not gonna fix these things right away because they don't have anything in place to to so, essentially, it's all fun in games to go find these zero days, but no one is from these organizations that's creating the software or whatever. They don't have systems in place that are looking for it the same way.

Ralph May:

Right? Because it's it wasn't as, like, shiny. They're just trying to run their business and make some software, make whatever. And I think we're gonna see a big wave of a bunch of vulnerabilities and a bunch of companies trying to figure out how to defend themselves or update their software or develop software in a more sustainable way using AI to actually be able to detect this. So I do think we're gonna see a big wave of it, and the defense is really where you're gonna see a lot of people struggle.

Corey Ham:

So transition. Next article. Oh, sorry. Unless anyone had a final go back. I was gonna say, if you wanna see how AI is being used today, without Mythos, so there's a really fun article about how attackers there's a fun write-up about how attackers are using AI for post-ex.

Corey Ham:

And this is pretty much reads like a pen test report to me because we're doing the exact same thing. We're just not doing it in Chinese. From the language. Basically, the long story short is that someone used an LLM for post-ex. Now this is, like you said, exactly what we're doing as pen testers.

Corey Ham:

But essentially, they exploited the CVE, then they asked AI, what else can it access, basically? And they were just like, hey. What else can this key access? But they did that in Chinese, and somehow that question of what it could access made it through to the API, which is pretty funny. It leaked into the command stream while executing a credential search.

Corey Ham:

And that's pretty much why you don't need Mythos. It's basically like an explanation of why. Because this kind of abuse of LLMs is the more risky thing. Right? This kind of like very simple just being AI take this AWS key that I just compromised and do evil things with it.

Corey Ham:

This is what we're seeing in the real world. If you look at breaches, there has yet to be a breach from Mythos zero day or whatever. But there has been many breaches like this where a typical CVE is exploited, an agent or an LLM is used as post exploitation or quick transition to the next article, which is about a chatbot that just gives access to accounts if you ask for it. So this is like the other side of AI exploitation, which is sometimes you don't need an exploit at all. You can just ask the AI for access to the account.

Corey Ham:

So this is a Meta thing. Basically, Meta AI was super helpful and decided to just grant some people access to some high profile Instagram accounts, including the account for the White House or, I guess, the Barack Obama White House, the chief master sergeant of Space Force. It's a feature

Ralph May:

that that they built it like this.

Corey Ham:

It's super I mean, I will say you need a really advanced model to get to have it compromising accounts. Okay? To me, this is a textbook. I mean, there's screenshots that are just insane. This is a textbook case of, like, AI failure.

Corey Ham:

Right? Like, why do give

Ralph May:

your AI the access to all those accounts? I don't Exactly.

Corey Ham:

Exactly. Great question. It's almost like if you had a red team that wasn't replaced by AI, they would have caught this.

Ralph May:

Oh, they just didn't ask the right prompt. That was the problem. Let's try that.

Corey Ham:

I feel like okay. So I know Meta has a huge red team, and I know some people that even work there. And so my question is, number one, did you get replaced by AI, and are you looking for a job? If so, let me know. Number two, are are we to the point where AI is moving so fast that things aren't being properly tested before they're being published, including, like Oh, yeah.

Corey Ham:

This sort of high risk applications? Like, is that where we're at?

Wade Wells:

We were there before Yeah.

Shane Hartman:

We were before AI.

Ralph May:

For sure. I mean,

David Bianco:

Wade, just like a couple minutes ago, you said, like, GRC was getting in the way. Like, no. I don't I don't see that in a lot of places. Like, in most organizations' problems with AI are that they're adopting it too fast in ways that they didn't actually know that they were adopting it. And so it's it's kind of like this the shadow AI and

Corey Ham:

Shadow AI. Oh,

Wade Wells:

I love it. Key the term. Someone make me

Corey Ham:

a sticker. God.

Ralph May:

What is it? Like a what do they call it? Like a dark AI factory? Yeah. Look that.

Wade Wells:

I don't wanna look

Corey Ham:

that up.

Wade Wells:

That sounds like a mad dark web term.

Corey Ham:

I was gonna say that's your personal search history there. I don't think I

Ralph May:

heard say what you want, but ask your AI about it. He'll tell you.

Corey Ham:

Really? You think? Yeah. Yeah. I don't know.

Wade Wells:

So this is not doing AI correctly. Right? Like like we said, is this you this is what happens when you bypass GRC. Like, is is this?

Corey Ham:

Yeah. Yeah. I mean, I dunno. It's kinda crazy that I will say though, this is the classic thing of scale. When you're operating at these huge Internet scale companies like Meta, you can't hire support people to actually support your accounts.

Corey Ham:

Or at least they think they can't. And so they use AI, and that's gonna cause risks. Although, it is a business logic flaw, arguably. Maybe it's an LLM flaw, but it feels more like a business logic flaw to me Yeah. Of it basically not knowing where the credentials it's handing out came from.

Corey Ham:

It doesn't properly tie together the request and the response.

David Bianco:

I could just see, like, you're you're talking about where's the red team. I could just see, like, a bunch of AI red team experts getting together and being like, nah, surely it's not that simple. We gotta try some more advanced attacks.

Corey Ham:

Yeah. I mean, I will say I have personally observed this in our agentic AI testing. Some of the things that are really tough to convince AI are vulnerabilities. Like one web app we were testing, I think I've told this story before, so I'm sorry, but one web app we were testing, it was basically IDOR, so indirect object reference. And essentially it was giving a 302 response, but it was giving the entire content of the page that was supposed to be restricted in the response.

Corey Ham:

And AI kept being like, No, this isn't a vulnerability. It gave a 302 response, and we're like, Yeah, but look at the 302 response. It has the whole webpage, and it's like, I don't know what you're talking about. It's a 302 response. I have to redirect.

Corey Ham:

It's like that back and forth. I could see a red team, like an AI red team missing a business logic flaw. Well, they asked for the account and it sent the number, so I don't see what the problem is. Well, but AI, it's a different account that they reset. Like, they were resetting someone else's account.

Corey Ham:

Oh, you're absolutely right.

Wade Wells:

Let's let's talk about the real problem is why are they using a phone with a cracked screen? Like, come on. At least get two phones with two screens. Like, I can't that is just driving me crazy.

Corey Ham:

I think this is just what threat actors do, man. They do they they that's just their background. That's just their chat background for Meta. That's not even a broken screen.

Wade Wells:

That dot that you don't see the huge crack right there on the right hand image?

Corey Ham:

I know. I'm just saying that's they they have a cracked screen image as their background.

Wade Wells:

Yeah. That would have

Ralph May:

all my phones. That's why no one steals them.

Wade Wells:

That's actually a really good idea.

David Bianco:

Misinformation. That on any app that you have.

Ralph May:

Yes. Perfect. Yeah. Yeah. This is never gonna happen again, so we don't have to worry about this.

Ralph May:

Let's move on.

Corey Ham:

There's an article about the Cali three sixty five.

Ralph May:

Oh my god, dude. They stole my playbook.

Corey Ham:

It's literally just like pen tester 101. Like, if you were to take Michael Allen's initial access class, it would just cover this. It's using device code phishing, which don't get me wrong. It's a good one, but also, like, come on. Initial access policy is

Ralph May:

It's better because it's a SaaS product. Okay?

Corey Ham:

It's p p a phishing SaaS. What? PaaS. I don't know.

Ralph May:

Everyone loves a monthly subscription.

Corey Ham:

Fast? I don't know how to pronounce that. Phishing as a service platform that I like how the news article is kind of a dig where it says, it helps even low skilled attackers hijack.

Ralph May:

You could be an attacker too.

Corey Ham:

They're just directly calling the attackers who bought this low skilled. That's pretty funny. Yeah. Device code phishing, I mean, come on. Who allows device codes these days?

Corey Ham:

Who doesn't have secure conditional access policies that don't allow access from unmanaged devices? Like, come on. No one no one screws that up anymore.

Shane Hartman:

No. Not true.

Corey Ham:

The threat hunters in the room are like, nope. You're wrong.

Ralph May:

No. Listen. If there's an article about it, it's still effective.

Shane Hartman:

Yeah. We I've done about three cases of it in the last, like, month and a half.

Corey Ham:

Well, I do need email on my phone, we better just compromise the entire organization so I can have that.

Wade Wells:

That is exactly what happens

Ralph May:

to a test.

Wade Wells:

One person says that. And

Corey Ham:

Yeah. Basically, if you're a pen tester or a red teamer, you should know how to do this exact campaign just by reading this news article. This is a this is a first thing to learn in initial access techniques. It's great. All right.

Corey Ham:

And don't buy this product. Don't do it. Probably about botnets. Speaking of botnets, let's talk about botnets. So the authorities in The Netherlands, which I love, I just imagine people on little boats and they're going to fancy restaurants.

Corey Ham:

You know, I just imagine Amsterdam. They have dismantled a botnet that comprised more than 17,000,000 devices, which is used basically for residential proxying or residential, you know the service is called Asox, which is a Russian based company, provides residential proxying services.

Ralph May:

Cater Oh, to they pay me every month. They have that little thing that you run on your computer.

Corey Ham:

They have that laptop they shipped you and put in your garage.

Ralph May:

Yeah, they said it was for research.

Corey Ham:

Yeah. So I guess I mean, these are, you know, often used for illicit or unethical purposes, DDoS attacks, botnet command and control servers, phishing operations, scraping. My question is how bad do you have to get to get dismantled by the Netherlands police? Like, how much DDoS was this IP space launching? It had to be a lot.

Wade Wells:

Because that's Yeah. Crazy. How much is this?

Corey Ham:

What do you mean how much?

Wade Wells:

How much ASOS is? It won't even start

Corey Ham:

Oh, you're saying, like, you wanna buy the product? It won't even it won't even Get out of here. A Sox. You're you're a because you you're from Florida and you don't wear socks.

Ralph May:

Oh my god. They have a G2 review for A Sox. Oh, and then they

Corey Ham:

actually oh, they got kicked off. I will say this whole, like, socks, you know, the, like, residential proxying thing is kind of a dark horse because we use this service, not ASOX specifically, but we use residential proxying. They're all kind of mildly unethical. Like, I don't know. I I you know, you kinda have to have a service like this, but none of them are particularly above board.

Corey Ham:

This one seems to be kind of the worst, but I don't know. It's Russia, yo. It's good. That's true. I've it's it's legitimate, or it's it's realistic.

Corey Ham:

It's what threat actors are using. That's why we use it.

Ralph May:

Yes. Exactly. We pay threat actors to use their service to pretend to be threat actors to protect threat actors.

Corey Ham:

It's a it's a loop. It's a loop. That's really seems like it. Alright. So any final articles?

Corey Ham:

Shane or David, do you guys have any articles you wanna plug? We don't have any chicken news this week. I'm sorry, everyone.

David Bianco:

Just told specifically there'd be chicken sacked.

Shane Hartman:

I did post one in our chat that was real quick. It was one that was, there was a flight to, I think, The Maldives where a kid decided to rename his Bluetooth device to bomb, and it freaked out the it broadcast to everybody on the on the plane. They tried to get him to turn it off or tried to get they didn't know who it was, so they kept they told everybody on the plane to turn off their Bluetooth and he never did. So they had to turn around and go back to Newark, I think, because his phone said bomb on it as a met as as his Bluetooth name.

Ralph May:

It was interesting article found out who did it. Yeah.

Shane Hartman:

I think there were only a couple devices left, so they found them. Yeah. Bars I know. But kind of a crazy story.

Ralph May:

What do imagine

Corey Ham:

doubling down? How old is this kid? I wanna know. Because this is some dumb like, this is like Yeah. 12 year old level dumb.

Ralph May:

Yeah. Like, the air part is

David Bianco:

and it's like, what is the air crew thinking? It's like, oh, you have a bomb on the plane, but if you turn the Bluetooth off, please, so we just don't notice.

Corey Ham:

It's gonna go what I got. Like, come on.

Wade Wells:

Like, it's it's literally just a Bluetooth.

Corey Ham:

It's seriously just one of those things where everyone is just rolling their eyes and being like, guys, can we please have nice things? And some kid just like, no. We can't have nice things. And I will be on the no fly list for the rest of my life because of how dumb I am.

Ralph May:

I know. That's the wild part. Like, you know, we just talked about how GitHub can kick you off their platform for any reason for whatever. Right? So can airlines.

Ralph May:

They can blame you for life. On all the airlines, they do they're you are not guaranteed a flight.

Corey Ham:

No. There's no constitutional rights here. Nope. But can't imagine doing this.

Ralph May:

Imagine living your life and never being able to take a plane ride again.

Corey Ham:

But then also doubling down again and again. Right? Like, you know, they had, 10 chances to, like, you could just turn off your Bluetooth. No. I'm not gonna do that.

Corey Ham:

Somehow, I won't get caught. And then, like, of course, when they land the plane, everyone's going into quarantine. Like, you're not just gonna, like, okay. Deboard, everyone, just throw your phones out the window. It's fine.

Corey Ham:

Like, they're gonna make everyone you know, they're gonna figure it out.

Ralph May:

Sometimes when this kid gets older, he's like, hey. Why can't you go on this trip? I'm kinda infamous for this thing a long time ago. I can't

Corey Ham:

You were Zero Cool? You were Zero Cool. No. Were the He was the default Bluetooth kid?

Ralph May:

Yikes. I did have one last one, and this one's really short. Not a surprise, but it seems like a lot of ISPs are getting breached. Charter got breached by ShinyHunters. Oh.

Ralph May:

Which is Charter for both

Corey Ham:

terrible security. All ISPs do from what I've experienced in my life.

Ralph May:

Charter's one of the bigger ones in The United States. They own Cox. They own a bunch of other ones. So, yeah, it affected a lot of people. Spectrum, I think, is another

Corey Ham:

Oh, yeah. They get breached every two years. I've been my data has been breached in Spectrum, like, five times. I'm not even joking.

Ralph May:

Yeah. Got so so

Wade Wells:

much LifeLock. You won't believe.

Corey Ham:

Oh my so many cool identity monitoring subscriptions at this point. It's fantastic.

Ralph May:

You can stack them and get zero extra.

Corey Ham:

Yeah. Yeah. So okay. I do think we should plug David's tool. So, David, tell us about your tool.

Corey Ham:

Yeah. It's a It's little personal. To generate yeah. So it's to generate, threat threat it's to generate threat hunting data? That's what I understand.

David Bianco:

It's called EvidenceSporage, and, it's it's a tool that we I released, what, I guess, last last week or maybe the end of the week before. And it's targeted toward there's it's targeted toward creating realistic sets of logs for simulated environments that don't exist. Like, think of you need to create some logs for a, to demonstrate how a piece of offensive technique works in a real environment. So, you spin up a cloud service and you do Terraform to create all your sensors and all your Microsoft networks or your Windows or your Linux systems. And then you run the actual exploits through and you get all the data through and, you know, you spend a lot of time, a lot of a lot of money and possibly requires for people, for you guys, probably not as it's probably well within your expertise, but for a lot of people, it's not.

David Bianco:

The idea with Evidence Sports is you get the similar output, but you don't actually have to have a real network. You don't have real threat actors or real red teamers. You create a scenario in which it is all simulated and you get a set of up to 20 different types of logs that look like they all are came from that simulated environment. They're all realistic. They all hang together.

David Bianco:

So if you see, like one of the inputs is Zeek. So if you see a Zeek log for an HTTP transaction and then you go into the proxy log, you'll see the same proxy log has the same transaction in it that the Zeek log has. And if you see that that came from your computer, you should find the computer that it came from, and there's probably a process log from Windows Sysmon that showed that you ran the web browser that generated that. Right?

Corey Ham:

That's really cool.

David Bianco:

It it it's really neat. It it's interesting because it has an AI assistant to help you create the scenario, define the environment and the attack that you wanna run and everything. But once you do that, generating up to, you know, gigabytes of potentially of data is all done by a a script. No AI involved. So it was actually partly because I was trying to experiment with efficient ways of using AI, targeting AI where you actually need the AI rather than, you know, just have the AI do it all.

Corey Ham:

Well, also, it's nice when the script is deterministic and creates the same output every time. Yeah. Yeah. I hallucinated a bunch of events in Windows and you're gonna go hunt for these.

Ralph May:

Yeah. And it has to

David Bianco:

be my randomness, but it's yeah. But it's seeded random and the seeds are in the config files. So it's it basically makes a YAML file for the scenario, and you can regenerate the same data from the YAML file however many times you want. Chain trade them with your friends like Pokemon cards, you know, all kinds of stuff.

Ralph May:

You know?

Corey Ham:

I love it. I I will say I have personally had clients ask me for this to do this, and I've actually spent time running fake pen tests in their, like, test environments to generate the sort of data. And so now I would just be like, oh, there's a script for this. Here you go.

David Bianco:

Well, I'm sorry to tell you. I actually created this because I didn't wanna pay for the equivalent of having a red team squeeze my data.

Corey Ham:

I wouldn't either. So out of curiosity, does it make pcaps, or is it just event logs?

David Bianco:

It doesn't make pcaps. That's a good idea but far more involved. But it does Windows system logs, several of the types of events but not every single type of event. But it does like process starts and Kerberos things and authentications and things. It also does a bunch of different Sysmon event types.

David Bianco:

Does Linux syslogs, Cisco firewalls, Zeek and Snort, and it has an EDR that it's not a specific brand of EDR. It's just a generic EDR capability because I didn't have the right documentation to create real looking EDR for a specific product. So all kinds of stuff. That's awesome.

Corey Ham:

My only other feature request is you gotta make it like export straight from Backdoors & Breaches. So like you play a game of Backdoors & Breaches, and then you just have the threat hunt to go along with it. That'd be pretty awesome.

David Bianco:

Look, I'm a big fan of Backdoors & Breaches. I would totally love to do that. I bet I could do it right now. I actually if Yeah. You know, if I had a Backdoors & Breaches scenario, I could probably just tell the AI and be like, hey, here's my scenario.

David Bianco:

Go build me a a dataset for this. They probably can Alright. Do

Corey Ham:

So final plugs, David is keynoting our threat hunting summit. I forget when it is, but Ryan knows because he's smart. And the date on the threat hunting summit is seventeenth. Seventeenth at 10 AM, early for those Pacific Time people. Get your coffee and get to David's talk.

Corey Ham:

We also have, Shane's training that he's doing on, starting a threat hunt. Right? Yep.

Shane Hartman:

Threat hunting in the dark.

Corey Ham:

It's sunny the same day.

Shane Hartman:

Mine is, I think, at 01:30, I think, on that day, eastern time.

Corey Ham:

And you do you have to have blackout curtains and make it dark in your office, or can you just do it in daylight as well?

Shane Hartman:

I think I can do it daylight as well.

Corey Ham:

Alright. Okay. Cool. And then Phil, you have a webcast this week. Right?

Corey Ham:

Yeah. Days from now.

Phil Miller:

This this Wednesday actually, and I'm kind of in between a rock and a hard place because there's a tool I was gonna drop that goes along with the course, but I'm Spicy. Kinda yeah. It's a little too spicy. It's, like, too dangerous. Like, I don't know if I should release it because you could do, like, a lot of bad things with

Corey Ham:

the You should release it.

Wade Wells:

Release it.

Corey Ham:

Release it. Release Okay. Nipples. You have my official approval to release it.

Phil Miller:

Alright. Yeah. I will. I was just like, oh, nightmare clips. I don't wanna get nightmare clips.

Corey Ham:

Yeah. You do. Yeah. Well, you do because you actually have a job unlike them, anyway. Alright.

Corey Ham:

What else we got? Anyone else have anything to plug? Wade, you have something to plug?

Ralph May:

I see you.

Wade Wells:

I am teaching on the twenty-second, my Threat Intel 101 two-day course. That'll be fun. I just made it two days from one day. So I'm still working on the slides.

Corey Ham:

Nice. Good to hear. Ralph, what are you plugging?

Ralph May:

Oh, yeah. I didn't really have anything to plug, but

Corey Ham:

we do got another physical class coming up. So if

Ralph May:

you wanna figure out how to actually go into a building and plug in USB drives because that is something

Shane Hartman:

If you wanna prepare

Corey Ham:

nation state level. Cyber force.

Ralph May:

If you wanna get to nation state level physical exploitation. Yeah. We got class. Awesome.

Corey Ham:

When is that, Ralph?

Ralph May:

Shoot. I have to look at the calendar here. I I don't remember the date now. Swear to god.

Corey Ham:

What is it? Practicalphysicalexploitation.gov?

Ralph May:

Yes. It is. That's physicalexploit.com.

Corey Ham:

Physicalexploit.com.

David Bianco:

If we take your class and we graduate, do we automatically get a job with the silent ransomware group, or do we have to apply?

Ralph May:

No. You still have to apply, but I do know a guy so I

Corey Ham:

can get you, like and there's

Wade Wells:

there's an affiliate email you you email the certification that Ralph gives you, and then they'll contact you shortly with just you to

Corey Ham:

speak with us.

Ralph May:

We we actually just had a class last week, and we had 10 students in it. It was a lot of fun. So a lot of

Wade Wells:

All Russian.

Corey Ham:

All Russian. 10 students not a word of English

Ralph May:

was spoken. It's not important what their primary language is. It's important the skills that they learned, which were the best.

Corey Ham:

Awesome. Alright, y'all. Thank you for coming. I really appreciate it, especially David, Shane, Phil. Thank you.

Corey Ham:

We'll talk to you later.

Ralph May:

Bye, everyone. Alright. Later, guys.