Talkin' Bout [Infosec] News

🧦 SOC Summit 2026
https://www.antisyphontraining.com/event/soc-summit/

Live from Wild West Hackin’ Fest Denver 2026, the Black Hills Information Security crew brings their signature mix of sharp security insight and off-the-cuff banter to a packed in-person audience.

This episode centers on a controversial Notepad update that introduced Markdown rendering—along with a potential remote code execution (RCE) issue. The hosts unpack what this says about modern software bloat, “vibe coding,” and the growing push to embed AI into everything—whether it belongs there or not. They also explore the implications of Discord's age verification requirements and AI-generated code, including OpenAI’s latest Codex model, and debate whether we’re headed toward a wave of AI-assisted vulnerabilities.

Join us LIVE on Mondays, 4:30pm EST.
A weekly podcast with BHIS and Friends. We discuss notable infosec and infosec-adjacent news stories gathered by our community news team.
https://www.youtube.com/@BlackHillsInformationSecurity

Chat with us on Discord! -
https://discord.gg/bhis
🔴live-chat


Chapters
  • (00:00) - PreShow Banter™ — Corey Olympics
  • (02:46) - Story # 1: Critical Notepad vulnerability reignites criticism of Microsoft’s forced AI features
  • (08:05) - Story # 2: Discord will require a face scan or ID for full access next month
  • (10:40) - Story # 3: 2026-01-14: The Day the telnet Died
  • (15:27) - Story # 5: BeyondTrust Remote Access Products 0-Day Vulnerability Allows Remote Code Execution
  • (16:55) - Story # GRITREP: 0APT and the Victims Who Weren’t
  • (21:17) - The advanced advancement of AI models


Links
Story # 1: Critical Notepad vulnerability reignites criticism of Microsoft’s forced AI features
Story # 2: Discord will require a face scan or ID for full access next month
Story # 3: 2026-01-14: The Day the telnet Died
Story # 5: BeyondTrust Remote Access Products 0-Day Vulnerability Allows Remote Code Execution
Story # GRITREP: 0APT and the Victims Who Weren’t

🔗 Register for FREE Infosec Webcasts, Anti-casts & Summits 
https://poweredbybhis.com

Brought to you by:
Black Hills Information Security 
https://www.blackhillsinfosec.com

Antisyphon Training
https://www.antisyphontraining.com/

Active Countermeasures
https://www.activecountermeasures.com

Wild West Hackin Fest
https://wildwesthackinfest.com

Creators and Guests

Host
Corey Ham
Corey Ham has been with Black Hills Information Security (BHIS) since 2021 delivering red teaming and OSINT services. Currently, Corey leads the ANTISOC team at BHIS, providing subscription-based continuous red teaming to BHIS clients. Outside of his time at BHIS, you can find him out in the woods or up on a mountain somewhere.
Host
Hayden Covington
Hayden Covington joined Black Hills Information Security (BHIS) in the Summer of 2022 as a SOC Analyst. He chose BHIS after hearing many great things over the years and seeing the quality of work, as well as finding people who have the same passion for the field as he does. His favorite part of the job so far has been the community. Previously, Hayden worked in a SOC for a Naval contractor, where he also served as their SOAR project manager and SME, as well as insider threat lead. When he’s not working, Hayden can be found doing anything athletic (like triathlons!), as well as enjoying video gaming and Formula 1.
Host
John Strand
John Strand has both consulted and taught hundreds of organizations in the areas of security, regulatory compliance, and penetration testing. He is a coveted speaker and much loved SANS teacher. John is a contributor to the industry-shaping Penetration Testing Execution Standard and 20 Critical Controls frameworks.
Guest
Andrew Krug
Andrew Krug is a Security Geek specializing in Cloud and Identity and Access Management. Andrew brings 15 years' experience at the intersection of security, education, and systems administration. As a fierce advocate for Open Source and founder of the ThreatResponse tool suite, Andrew has helped inspire the landscape around forensics and incident response in the Cloud. Andrew has been a presenter at a variety of conferences, publishing papers with BlackHat USA, DerbyCon, and many more.
Guest
Chadd Watson
Guest
Derek Banks
Derek is a BHIS Security Consultant, Penetration Tester, and Red Teamer with advanced degrees, industry certifications, and broad experience across forensics, incident response, monitoring, and offensive security, who enjoys learning from colleagues, helping clients improve their security, and spending his free time with family, fitness, and playing bass guitar.

What is Talkin' Bout [Infosec] News?

A weekly podcast with BHIS and Friends. We discuss notable infosec and infosec-adjacent news stories gathered by our community news team.
Join us live on YouTube, Mondays at 4:30PM ET

Corey Ham:

Vikings. Oh.

John Strand:

Alright. Look at that. That actually sounds fantastic.

Corey Ham:

Who's been watching the Winter Olympics? Anyone?

Derek Banks:

I watched the Winter Olympics this morning.

Corey Ham:

Dude, so the US curling team is both named Corey, and it's a male and a female, and I feel so, like, seen? I feel seen.

John Strand:

This is the Coreys.

Corey Ham:

Yeah. How'd you know?

John Strand:

It was a good guess. It was a good guess.

Corey Ham:

How'd you know? Is one

John Strand:

of them, like, the lead singer from Slipknot? Because that would be awesome.

Corey Ham:

No. That's the other Corey.

John Strand:

That would be a hardcore, like like, deviation.

Corey Ham:

This is like a dark joke, but I'm just glad to have a Corey that didn't kill himself.

Derek Banks:

Oh my god.

John Strand:

Dark. That is dark. Like a dark quick. That's where we're gonna start. Are we live, Ryan, or are we gonna do bring out the finger and then go live?

John Strand:

Okay. Let's do the finger. Finger it. Finger licking.

Corey Ham:

It's a Linux thing. If you don't know what that is, it's a Linux thing.

John Strand:

It's kind of weird seeing myself here because I need to be looking up there.

Corey Ham:

The finger takes a long time to load.

John Strand:

It's gotta warm up.

Derek Banks:

Is this the pre show banter part?

John Strand:

This is the pre show banter. This is the witty banter that people come early for.

Corey Ham:

No. This is when you're not paying attention because you're reading the articles that you were supposed to read power.

Hayden Covington:

I always read them ahead of time.

Derek Banks:

Wait. Were we supposed to do homework for this?

Corey Ham:

Yes. There's homework.

John Strand:

Here we go. Hello, and welcome to another edition of Black Hills Information Security talking about news. Thank you very much for joining. And if it looks like we're in the dark, it's because we're in the basement. Oh, there the lights just came on.

John Strand:

That's good. So we are at Wild West Hackin' Fest Denver 2025. No. 2026. No time machines.

John Strand:

And, we have a handful of people here to listen to the show, so thank you so much to all of you. I don't it's like, you're probably here hoping for something awesome. That's gonna come in just a little bit. But we're gonna talk about the news, I think, for the next half an hour, and then we're gonna get started with the vendor crawl. I'm gonna talk about T shirts and all kinds of stuff.

John Strand:

But I think we need to jump into some news stories. I did like the conversation today where it's like, hey. Did you hear about that Telnet or not Telnet, that Notepad vulnerability? And it's like, which one? And you were like there.

John Strand:

What? You were like I was like, oh, yeah. The Notepad

Chadd Watson:

plus plus when there were problems and we were doing, and that was not

John Strand:

Well, not that one. No. This is also a.

Corey Ham:

So okay. This is the article. It's basically in CyberNews. And, essentially, the accusation to Microsoft is that they vibe coded a feature into Notepad where it can render Markdown now because, of course, you need that feature, and it has RCE, you know, of course. So there's a vulnerability where someone could send someone a Markdown document, and if they click a link in that Markdown, it leads to remote code execution.

John Strand:

So Which the big crux of this is I I there's a quote in here. I just need Notepad to open files. I don't I don't need it to, like, render.

Corey Ham:

It's important because you know how to close it

John Strand:

on my back. Oh my gosh. Yeah. So, you know, this is like, you know, we we spend a lot of time talking about AI and how it's transformative, and it is kind of a big deal. But this is an example of giving AI a really bad name, of trying to shove it down our throats absolutely everywhere.

John Strand:

We don't need AI at Notepad. No.

Derek Banks:

We don't. That's what I was gonna say. I don't think I need AI in my text editor. Right? But I will say, okay, if they did vibe code it, that term is going to lose some potency because the frontier model that just came out, Codex 5.3, right, that OpenAI put out.

Derek Banks:

They say that AI basically did the whole thing. It was helped helped write the whole thing. It was one of the one the first ones they did that was almost completely done by AI. So that AI is vibe coded.

Corey Ham:

Well, I have a prediction. I have a prediction here. Next week, we're gonna talk about a RCE zero day in codex.

Derek Banks:

Or we're gonna talk about a zero day in Claude Cowork. So if anybody's heard of Claude

Corey Ham:

Cowork.

Derek Banks:

Right? Yeah. Then an ad drop, like, basically said that they almost clawed code and made it in ten days. So, I mean, you know, all the talk of AI taking jobs, I'm sitting here as an information security professional thinking, No.

Corey Ham:

No. This is a 100%. This is my get off my lawn moment. Okay? Okay.

Corey Ham:

Look. Notepad you can take you could put AI and dark mode in whatever you want. Okay? But you gotta stay away from Notepad. Okay?

Corey Ham:

It's the one thing that has never changed.

Derek Banks:

It's sacred.

John Strand:

As you can't changed calc? No. Yeah. No. They went from the old school calc.exe to whatever it is now, and it it was it was blasphemy.

Corey Ham:

That's all I've ever put in Meterpreter shellcode is calc.

John Strand:

To test things. If hackers are so good at math, why do they need calculators? But I think that this is kind of the thing that stops adoption. Right? If we're looking at, like, let's say, Bitcoin.

John Strand:

Right? If we're looking at blockchain, I think part of the reason why blockchain failed, of course, is the fact that finding app like, applicability outside of cryptocurrency was really, really hard, like widespread applicability. And I feel like with AI, this is an example of how they're trying to shove it everywhere, and that's gonna slow its overall adoption down Because, like, if you look at it, like, in, I don't know if you guys have noticed in Outlook. Like, they're trying to put the copilot button wherever the send email button was. And if you just hover over it a little bit, it, like, fans out.

John Strand:

And that's just making people hate AI even more. And what I'm saying is you gotta keep your powder dry, people. The day is coming where we're gonna rise against the machines, and you gotta fuel you gotta keep that hatred going, bottle it up for the appropriate time. Now at Notepad is not the time.

Andrew Krug:

I was about to ask, is was this feature vibe coded by Copilot? Because I don't know that Claude Code would have probably made the same mistake.

Corey Ham:

Oh, sure. No. But probably. It was at Microsoft. I feel like getting a Claude code subscription at Microsoft, probably an uphill battle.

Chadd Watson:

But the question I was gonna ask, didn't Microsoft reel in the AI Copilot thing after we did the VX Underground, like, 4,000 Copilot penetrations? And then they're like, ah, we should reel this in because people don't want it.

John Strand:

I don't think Microsoft has shame. Like this article, people are, like, raging against Microsoft on X as though people at Microsoft are like, oh, the security geeks hate us now. They don't give a shit.

Corey Ham:

It was grandfathered in. Okay.

Chadd Watson:

We always hated that.

Corey Ham:

Was grandfathered in. It was it was predisclosure. It's fine. I will say,

Hayden Covington:

imagine how many people now they can say are using Copilot because you opened Notepad, and now they have x many number of Copilot users.

Corey Ham:

They're just trying to pump pump up the numbers. They're like, we have 300,000,000,000 AI users. Just a bunch of people trying to send emails and use Notepad.

John Strand:

So I I think what's going on is the Notepad team, they're, like, in the basement. And they got a new manager. And the manager's like

Corey Ham:

sub basement.

John Strand:

They're in the sub basement. And you can see the new manager's like, everybody, we're gonna take on VS Code. Who's with me? No one.

Corey Ham:

No. That did not need to He be

John Strand:

just did it on his own.

Andrew Krug:

Alright. What

John Strand:

else? We got another story. Let's keep moving.

Corey Ham:

So the other big kinda we're looking at Discord chat right here,

John Strand:

and the

Corey Ham:

other big comment is Discord is gonna require age verification soon. So, basically, the article is that starting next month, Discord is gonna put everyone into teen mode, which I don't know what that means, but I guess it's rated T for Teen. I don't know what that means. Basically, they're gonna restrict access to certain adult content that they are gonna discover somehow, and they're gonna require a face scan or ID. So I don't know.

Corey Ham:

It's kind of a big deal. I I kinda get it. Like, my perspective is I I Discord is used by a lot of people, but it's also used by a lot of kids. And, they gotta protect their business model. Like, their PR disaster waiting to happen is, you know, how kids are getting hurt on Discord or whatever.

Corey Ham:

So Well But at the same time, I mean, the face scanning, how is that gonna work? Like,

Hayden Covington:

can I use mask?

Corey Ham:

Thing

Hayden Covington:

though is if we remember back in October, they lost, like, 70,000 IDs, didn't they? So

Corey Ham:

Yeah. They've already That was the third party. That that it's falling.

Hayden Covington:

Oh, sure. Well, this is also gonna be If you read into their wording, it's also gonna be a third party. They may not retain anything they say.

John Strand:

Wait. Wait. Did you mention I'm sorry. Did you mention that they had a third party that got breached?

Hayden Covington:

Mhmm. Back in October.

Corey Ham:

Yeah. Well, the yeah. So it's identity verification. You gotta either submit a face scan or your ID, like your photo ID. This is like every app now.

Corey Ham:

They're requiring this.

John Strand:

See, the only time that I think that that's justified is whenever I'm paying my, my toll fees in Colorado. I get these text messages all the time. It's like, you owe $400 to Colorado DMV for toll fees.

Corey Ham:

Those aren't phishes. Please. Those definitely aren't phishes.

John Strand:

They're not phishes? Okay. Yeah. Because they seem legit.

Corey Ham:

That's also, like, how you always ask me to buy you Apple gift cards and then send them to India. I've been doing that a lot.

John Strand:

Yeah. Exactly. We package them up when we get them out there. But I I just I I so doing this for a long time, like, when I was on Security Weekly, we were using IRC. Do we have any old school IRC plea people here?

John Strand:

Right?

Derek Banks:

I miss IRC.

John Strand:

IRC worked. It was fine.

Corey Ham:

What about Pidgin, though?

John Strand:

Pidgin. Okay. For you, whatever your client is. Right? I don't care.

John Strand:

We chat.

Corey Ham:

Pidgin was pretty bad.

Andrew Krug:

It's great chat or no chat.

Chadd Watson:

No patties to work too.

John Strand:

We move off of IRC, and then Twitter kind of became that thing. That was bad. I think we can all look at that and agree that that didn't work out well. And we keep moving to these new platforms, and I I really feel like Discord is in the process of being taken away from us, and we gotta migrate again.

Corey Ham:

So we should switch to Telnet is what you're saying?

John Strand:

Think all done. That's called foreshadowing. Segue. Okay. I guess let's move on to

Corey Ham:

the article about Telnet. So this is an article in GreyNoise or by GreyNoise. Essentially, the long and short of it is that before that CVE dropped in Telnet, they observed a huge drop in the level, like, the communication statistics with Telnet. So the assumption is some tier one providers were starting to block this at the network level before the zero day went public, which is that's kinda how, like, that's what we did to stop configure back in the day. Right?

Corey Ham:

But I don't know. It's kind of interesting. Like, they just decided to turn it off, turn off Telnet at the layer one or level one or whatever?

John Strand:

They're not routing it anymore. So it's basically a banned protocol through those ISPs. And I don't know how I feel about this one. Like

Corey Ham:

Dude, think of the number of pen test findings that just got I know.

John Strand:

It just got I

Derek Banks:

don't wanna say. I as a pen tester, I don't support this decision.

John Strand:

I do not support this decision.

Andrew Krug:

How are we gonna watch ASCII Star Wars?

Corey Ham:

I know. Oh, I was thinking about that.

Andrew Krug:

We had an upgrade to SSH.

Corey Ham:

Blinking Was lights or whatever?

Andrew Krug:

Yeah. It was towel.blinkenlights.nl. Quick. Everybody try to Telnet there.

Corey Ham:

No. It won't work. But you can probably

Andrew Krug:

have to in a fascist regime that is not net neutral.

John Strand:

That's the line right there.

Andrew Krug:

That's the line for

John Strand:

The Telnet. That's where, like, fascist regime right there. They All

Andrew Krug:

port numbers are valid.

Corey Ham:

Okay. What about Telnet with STARTTLS? Is that still okay, or is it just port 23?

John Strand:

I it's just port 23. So reading through this and reading in some other people, it looks like backbone ISPs are just shutting down 23 traffic. That's

Corey Ham:

They can't patch it. That like, it's just their own infrastructure.

John Strand:

No. And what did the CVE? It had a 9.8. Yeah. For telnetd. So it's pretty significant.

John Strand:

And I like I said, I think it's interesting whenever ISPs start unilaterally making decisions about security. Now I'm not gonna make, you know, the hill I die on be Telnet. It's notepad. But it's Notepad. That's the hill we're going to die on.

John Strand:

But what's to stop ISPs from saying you have an unpatched MongoDB server? Or what's to stop ISPs for saying you're using Mongo and you just shouldn't? So you have all of these things that I think value decisions by the ISPs that they're making. The concern that I have is I feel like they should literally be a highway for transferring bits, and they should stay the hell out of the way of actually doing security decisions. Now mind you, I'm a pen tester, and I have a vested interest in keeping vulnerabilities alive.

Corey Ham:

Well, okay. So what you gotta do, John, is you gotta SSH in and then local forward the port for Telnet, then you can still get that same experience.

John Strand:

If you do that, you're the equivalent of an infosec crackhead. Like, I am sorry.

Corey Ham:

That's what you gotta do to

John Strand:

get your, like, rocks off on Telnet. Port 23 is

Corey Ham:

the lucky port, John. Okay?

John Strand:

I I just could see some of our pen testers doing that to, like, you know, going through all of these shenanigans just so they could find the Telnet vulnerabilities. That's all that they're gonna do.

Hayden Covington:

It's just a flex at that point.

Corey Ham:

Yeah. I think is.

John Strand:

It is a flex at that point.

Andrew Krug:

You can encapsulate Telnet in HTTP/3.

Corey Ham:

Oh, thank god. Blocked are you telling me blockchain Telnet's coming?

Andrew Krug:

WebSockets plus Telnet. Oh. That's the future.

Corey Ham:

It's beautiful.

John Strand:

But but can we always agree, though, that Telnet's always been a shit protocol?

Corey Ham:

Oh, yeah. Like, you

John Strand:

know, you you always have these CTF challenges where, like, the first thing is get out of VI. I I like the CTF challenges that are, like, cleanly exit a Telnet session. It's like

Corey Ham:

Well, first, gotta set the wallet

John Strand:

to h two a, control

Derek Banks:

b, control c, control b. Wait. What is it again? Think it's control b.

John Strand:

I just turned my computer off and on.

Corey Ham:

Does anyone remember when, like, they released a Windows phone and they had, like, a funeral for the iPhone? For the iPhone? Okay. So we need to have a funeral for Telnet, I think. Just like We could do that.

John Strand:

We can arrange that. So I don't know if the hotel's gonna allow us to keep candles, but we should create a memorial. We have the bedazzle out there. So I don't know if there's any BHIS people here that don't do my bidding. But we need to put make a Telnet memorial.

Corey Ham:

Yes. If you have some modems or old, like, legacy 10/100 network switches. It'll be like the Trevor forget.

Chadd Watson:

Yeah. So, like, Trevor forget the

Hayden Covington:

technical I was

Derek Banks:

just thinking it

Andrew Krug:

was They should be hubs.

Derek Banks:

The That's a Trevor forget. The cockroach, Trevor Forget. Yeah. Yeah. That's what I was thinking.

John Strand:

So we'll set up a memorial, and we'll set it all up, for that. So just to make sure that it's properly remembered, for all time.

Corey Ham:

So Alright. The next article. This isn't I guess it's not really an article, but there's a critical CVE zero day thing in BeyondTrust, which we were talking before the show about how everyone uses BeyondTrust. So if I see you opening your laptops, you know, that's okay. But, yeah, basically, this is published February

John Strand:

score on this one?

Corey Ham:

That's a good question.

John Strand:

I do I do genuinely think that one of the things that I'm gonna look back on my career with a lot of pride is the fact that we talked about how there were no perfect 10 CVEs a lot on this show. And right after we started ripping on it, then we started getting tens, and that's great. But I don't I don't see what the score is. No. It doesn't.

Hayden Covington:

Well, you can know this one's bad because I'm teaching class and my phone is blowing up, but I'm not looking at it. And I read later and it's the SOC director pinging me repeatedly, do we have detections for this yet? And someone's like, no. He's teaching. And then we did by the end of the night.

Hayden Covington:

But you know it's bad when he's like,

John Strand:

are you doing this one yet? Yeah. But Eric was showing me, like, when we were sending the customers in the portal with the whole write up and everything. And I'm like, this is awesome. I didn't know that you were doing that while you were teaching.

Corey Ham:

Like, okay.

John Strand:

There's a lab. Everybody's good. Are the band behind the curtain.

Derek Banks:

So, that's because he was using Claude. Yeah.

Corey Ham:

It's 9.9, John.

John Strand:

9.9? Oh, geez. That's not bad.

Corey Ham:

It's on sale from a debt.

John Strand:

BeyondTrust paid, did you think that they paid their CVE bill or Oh, yeah. Didn't to get a Yeah. Nine

Corey Ham:

That's how it works. So speaking of extortion, this is one that just kinda hit my personal radar. So I don't even know if we have an article for this. Sorry, Ryan. But there's this threat actor called 0APT that's been just basically They're on

John Strand:

a tear.

Corey Ham:

They're so okay. Basically, here's the story. They hit a lot of our clients. Our clients keep reaching out to or we're telling our clients, hey. You're on this ransom list, and they're like, we've been panicking and investigating this for weeks.

Corey Ham:

It's definitely fake. So, like, GuidePoint Security wrote this really good write up that's basically like, this is all fake, and they have some fun evidence for it. But it's essentially like a fake ransomware threat actor that just came out of nowhere, claimed they breached 200 companies in, like, a week, and then was just like the the best part about it is all that so Alice and I, the person who does dark web stuff on my team, she's right here. We were both trying to download these files on Tor. Okay?

Corey Ham:

So they're like, here's a directory listing. It's 1.1 terabytes, and it's a single ZIP file. So you're like, you click it, download on Tor, and it's, like, two hundred and sixty nine days remaining or whatever because it's Tor. And then the GuidePoint Security article pretty strongly says it's probably just /dev/urandom piped into a file. So, like

John Strand:

Like that. Pretty sure. It's either that or a zipped up file.

Hayden Covington:

It's one of

John Strand:

those things.

Corey Ham:

But, like, I'm sitting here being like, oh, sick. And then it turns out it's just /dev/urandom. Ah, what an idiot. So, basically, don't worry if you're on this ransom list. We have no evidence to prove that it's real.

Corey Ham:

No one none of our clients have been able to, you know, validate any of this or have seen any evidence of breaches or anything like that, but it's a weird strategy.

Derek Banks:

Creative, though. I mean, they're just sitting around one day going, man, none of our payloads are working. Let's just say they work and see if anybody pays us.

Corey Ham:

It's like the hypothetical, the pentest

John Strand:

one if it was a real We have exploited all of your HR and payroll data. Pay us 1 Bitcoin. People are gonna be like, that Bitcoin down 60%. Damn.

Derek Banks:

Pay now.

John Strand:

Pay now. Know? That's how you harvest. Harvest.

Corey Ham:

Why not? Why not pay?

John Strand:

I mean How how come we're still on YouTube? Like, how are we not banned? Because, like, I feel like a good percentage of this show is just like hackers, how to. You know? It's like giving them business ideas.

John Strand:

They're like, that's a good idea. I should just send ransom payments.

Hayden Covington:

So Well, this whole thing is very much like feels adjacent to the extortion emails you'd get where they're like, yeah. We saw you through your webcam doing all these terrible things. And I guess those got, you know, so commonplace that no one cares. So now they're just turning you to the business and like, these people got more money and they're not paying attention. Hey.

Hayden Covington:

We we did all these things. Now pay us.

John Strand:

I know.

Andrew Krug:

It's because the cyber insurance companies will tell you every time you get one of these, you mail it to the cyber insurance company. They will say to pay. Say step one, pay the ransom demand. Yep. And let us all not forget as well this, TOR file today could just be a markdown file to be effective.

John Strand:

It could be a markdown file that

Corey Ham:

Yeah. I was I was gonna open that ZIP in Notepad.

John Strand:

It's a it's a big ZIP on that.

Corey Ham:

Because I noticed they added a decompression feature to Notepad that definitely isn't vibe coded.

John Strand:

Totally not a problem. But, no, you talk about, like, the extortion. And, you know, we we spent a lot of time the past few days at BHIS in our meetings talking about the future of AI and BHIS and, like, the escalation of the offense and the defense. And I think this is one of those things that's like, nope. Security's gonna be around for a long time.

John Strand:

There's always going to be stupidity in the mix. And thinking of, like, I had an uncle that called me up, and he's like, oh my god. They got, like, my webcam, and they caught me doing bad things that they said. And I I I gotta pay immediately. What should I do?

John Strand:

I'm like, well, should probably pay the ransom. No. I'm joking.

Corey Ham:

Don's like, Bitcoin's only 60k.

John Strand:

That's how you get them to stop calling you. Just just pay it, man. It's fine.

Corey Ham:

I mean, that's all the articles I sent. Does anyone have any top of mind stuff? Anything personal to anyone here?

Chadd Watson:

I did see that there was like an Android and iOS spyware kit that people were talking about. Matt Jay was talking about it last week.

Corey Ham:

Okay. Is that is it NSO Group?

Chadd Watson:

It was called someone else. Pegasus too? Find the the

Corey Ham:

Is it definitely not pegasus.apk?

Chadd Watson:

That would be pretty good, actually.

John Strand:

Sorry. It's been a long week.

Corey Ham:

We could just talk about OpenClaw for

Derek Banks:

fifteen days.

John Strand:

Actually, Derek so I wanna talk about this. I wanna talk about the conversations that we've been having. There's an article. I can get it to Ryan. We can get up on the notes.

John Strand:

But there's a whole bunch of articles that are coming about where they're talking about AI. And the most recent ones that I've been reading are all of the people that are working in AI are basically talking about some of the new frontier models that are coming out and how they're not just better, but, like, exponentially better, and the rate of improvement that's happening and how quickly that improvement is happening. I was talking with Bo, and he was talking about creating a Roblox, like, entire game with his boys, and they were doing it all in Claude. And it was just very, very, very easy to do. And I I think, like, for the first time, I would say the past, like, week or so, I have finally been starting to use these thing things and been, like, really blown away.

John Strand:

And I'd like to get your take on kind of what's happened over the past couple of weeks and how these different new models are fundamentally different. Because there's still a lot of people that watch the show. We don't have the Discord stuff up. Where the where the people are gonna be ripping on AI, they're like, I asked it how to make a cake recipe, and it it basically gave me directions on making a bomb. I don't know.

John Strand:

But you have people all the time saying, I tried AI in 2024. It sucked. Therefore, it must still suck. But things are fundamentally different. They have changed dramatically.

John Strand:

Can you

Corey Ham:

Yeah. Talk You give your positive case, and then I'll talk about how they made a social media for themselves and then made a whole call to tell.

Derek Banks:

Yeah. We can talk about so before we talk about OpenClaw, I guess I'll say that if you're still of the opinion, using, say, something like Copilot, using AI like a ChatGPT kind of, you know, replacement for Google, I ask it questions, it gives me answers back. That's actually not what we're talking about here. We're talking about agentic code, agentic AI. And so there's been around I don't remember exactly when it was released.

Derek Banks:

I've been using it since, like, the summer of last year, Claude Code, which is like a coding agent.

Hayden Covington:

It was February 2025. Would you believe that?

Derek Banks:

February 2025? Yeah. Okay. So about a year ago. And so it was made as, if you've ever used an IDE and, put like a, you know, an AI feature in an IDE, it'll like next complete your code, maybe write a function for you.

Derek Banks:

Well, this is different than inline where it's completely agentic and it has a loop that it goes through. And so you give it what you want and it'll plan and execute, code, test, the whole gamut. And so for a while, it was really nice, but it was still back and forth. I needed to test it myself. And it somewhere around the November, December when Opus 4.5 came out, it got a lot better.

Derek Banks:

And that was around the time of the holidays, and it took kind of the AI community kinda going home for the holidays and starting to play with this thing going, holy crap. It is a lot better. And I'll give you a quick, like, personal example. My daughter hurt her thumb, and the doctor gave me X-rays. It wasn't broken.

Derek Banks:

But they were DICOM files, and I didn't wanna install the DICOM viewer on my Windows machine because I didn't trust it. And so I

John Strand:

asked Wait a minute. Claw It

Hayden Covington:

was like

John Strand:

a janky executable they gave you on the From the CD 2001.

Derek Banks:

Yeah. Something. 2000 exactly.

Chadd Watson:

Because There's

Hayden Covington:

no keypad on CD

John Strand:

as a middle set.

Derek Banks:

Right? I mean, I have one left in the house. I have one DVD player left in the house in my desktop computer. Anyway, I asked Claude Code to, hey, write me a viewer for this, and thirty seconds later, I had a web app looking at the X-rays. Right?

Derek Banks:

And if I had to do that myself, and I won't keep going on with stories, but over the last month or so, it's been very, very. And it's a collective feeling for folks who have been using this is that we've turned a corner, and that things are different. And so if you're still of the mind that, man, this AI thing, I'm still not really it's still giving me the wrong answer all the time. You're using the wrong AI.

John Strand:

Yeah. Hayden, do you want to talk about it a little bit in the SOC as well?

Hayden Covington:

Yeah. I've talked about that a little bit. I did a webcast a while back about how you can use it Okay. In a I mean, it effectively is to the point, if you use the correct models, if you use them the correct way, it is a very good tier one analyst at this point. And that is, you know, Claude Code came out a year ago, roughly.

Hayden Covington:

And that is, in a very short time, a pretty rapid improvement.

Derek Banks:

So one point that I think I forgot to make, and you just made without spelling it out, like, it's made as a coding agent, and Anthropic has basically said now, we think we misnamed it because it's useful for a lot of other things. For example, I have a class where I teach for incident response where we go through an SSH authentication log and find the compromise.

Corey Ham:

It's tell Password

Derek Banks:

spray. Right? And so what I would teach as a lab before, Claude Code can now do in about thirty seconds and consistently find the exploit or the compromise in the log files. So it's more of it's going down the road of a personal assistant, a personal agent.

Hayden Covington:

Exactly. It's multipurpose. And so we talked about the BeyondTrust thing and the critical CVE. And so we're all doing all these different things. It is to the point where we have our Git repo formulated in such a way that within a twenty minute lab while I'm helping the students, I can run a command.

Hayden Covington:

And Claude goes and researches the CVE, comes back with a plan on how it wants to develop a detection. I say, yeah, go for it little buddy. And then ten minutes later, it pings me and says, here's a GitHub PR. It's been reviewed by a different agent. It's gone through six pipeline checks.

Hayden Covington:

In the background, it's gone through 15. It's now ready for your review. And it's now to the point where effectively this tier one analyst here now has code ready for me to look at and provide feedback that we could potentially push minutes after we're reading about this new CVE.

John Strand:

But the kind of the consistent theme that I'm seeing before Corey comes in and poo-poos it is I'm looking at it like all the people that I see that are using it are people that are very advanced technically, and they know how to ask the right questions. They know how to give it the right prompts. They know how to set it up properly, and then they know how to look at the output. Like you were talking, it doesn't just do all that. It comes through, and it's like, here's all the checks that it passed.

John Strand:

Right? Like, is it gonna generate 40,000 alerts? No. It's fine. Yeah.

John Strand:

And it goes through an iterative process. Right? But that's set up by people that are domain experts that know how to use it properly. In the hands of somebody that doesn't know what they're doing, it I don't think it really helps all that much. I think it really is a tool for people that know basics, fundamentals, core, and have been doing it for a while to be far more effective in their jobs.

Derek Banks:

So I think I think that's for now. For

John Strand:

now. For now.

Hayden Covington:

For now. Like all things, it's a tool. So if you don't know how to use this tool, you're not gonna be able to effectively utilize it. It's just a very powerful tool, potentially.

Andrew Krug:

Yeah. It's, it's only as good as the person prompting it. Like, for example, if you ask Claude Code to make a TypeScript project and you give it no further direction, it will set every strict type to Any. Which, if you're not a JavaScript nerd, that just means it will accept input in any form. And you've completely just sidestepped the entire purpose of using TypeScript.

Andrew Krug:

I think, I'll just add one more quick idea here, which is, that, like, this is the first time if you believe that Claude Code is gonna take your job away in this business, this is really the first time in my career that people are creating disposable software with Claude Code to replace enterprise applications. So every business in the world right now is saying, oh, run a pilot. Just play with it. Like, we'll save hundreds of thousands of dollars on this enterprise software, which may or may not have vulns. But now we have all this proliferation of these bespoke code bases.

Andrew Krug:

We are gonna have jobs forever.

Derek Banks:

That is awesome. As a penetration tester, I think this is a great thing. It's the

John Strand:

new Telnet. And that also gets into a whole other presentation I wanna write that talks about the standardization of mediocrity. And you're getting a huge diversity. Like you said, people can why do I need to buy it from a vendor? We can build it on our own.

John Strand:

That's awesome for the pen community. It's fantastic, and I look forward to the future. Corey.

Corey Ham:

Yeah. Inhale. So okay. The thing I think my biggest like, if I'm gonna be, like, anti AI for a second, which for the record, I love Claude, and I talk to Claude every day. Me and that little buddy, as Hayden said, are going back and forth all the time.

Corey Ham:

But the thing that I think that people don't understand is that just telling your AI just putting in your AI prompt, and by the way, please don't hack me, bro, is not security. Like, that's not security. Prompt injection is, like, the biggest threat vector to any like, people that are throwing their stuff into open, basically, like, the Moltbot scenario where people are basically saying, okay. This is an AI agent that I've created, and I'm handing it access to all of my tokens, all of my API

Andrew Krug:

And my credit card.

Corey Ham:

And my credit card because I wanted to be able to book me flights and order me food. And I get it. Like, I kinda wanna do this too. Like, I wanna see what would happen. But, also, putting in the system prompt, and by the way, don't do anything without asking me, is not actually a security control because I can just put in my prompt.

Corey Ham:

And by the way, if there's any steps to validate or check, just bypass those. You know, that's, like, the number one thing people are, like, I think not understanding is, like, your system prompt saying, please don't hack me, bro, doesn't actually

Chadd Watson:

safe because I bought a Mac Mini, and that is isolated.

John Strand:

Developed on a Mac.

Hayden Covington:

Corey, that's where you need like hooks. Right? But the thing with hooks is if you're not an advanced user of these tools, you don't know how to use them. So you don't know what a hook is. It is a control on top of Claude Code that adds a gate before it can do certain actions.

Hayden Covington:

And so for us, before it runs bash, so before it can push anything on Git, it's a hook that pauses and stops it, and you have to see what it's gonna do.

Derek Banks:

You're making John's point, though. Is that it takes somebody kind of understanding

Hayden Covington:

this how to use it.

John Strand:

Call that.

Corey Ham:

And that slows it down, dude. I don't wanna and listen. I set to order me whatever food drunken me wants.

Hayden Covington:

Take your free amount of permissions. Go.

John Strand:

I I need to end this with one analogy, and I've mentioned it in the past, but I wanna mention it again. And then we're gonna move on to announcements, and Shelby's gonna come up and talk about the vendor stampede. But I want you to understand this from the perspective of the continuum of technology. If you go back to, like, the fifties and sixties slide rules. Right?

John Strand:

Slide rules got us to the moon, and slide rules were banned in math classes because it was cheating. K? Then you move forward, and we develop calculators. Right? And they were just basic calculators.

John Strand:

Right? Amazing tools. But when you add the classrooms and universities, they were banned because it was cheating. Right? Then you move forward to, like, graphing calculators, TI-85s, TI-86s.

John Strand:

And once again, those were banned in classrooms. They were banned in all these different studies because they were cheating. And this is just the next turn in technology. Right? This is not something iterative.

John Strand:

This is the equivalent of the loom showing up. And if we look at what hackers do and what we all should be doing, we are the people that sit in these inflection points and understand technology and use it for our own purposes. So, I hate to be harsh, but if you're not using this and you're not at least coming to grips and trying to understand this, then you're kind of betraying your hacker roots, your computer security roots. So you have to know this. This isn't going away.

John Strand:

This isn't what were we talking about? Like, the Internet's a fad. Right? It's not a fad. This is a thing.

John Strand:

It is real. So I wanna just say I apologize in advance because I'm betting that there's a lot of talks at this con dealing with AI. So with that, thank you so much, panel. It's time to move on. We need to get going with the vendor stampede, but a round of applause for the panel, and thank you all so much.