Talkin' Bout [Infosec] News

This episode covers several major cybersecurity and tech news stories, including a supply chain–related breach at Vercel involving exposed environment variables and compromised third-party AI tooling. The hosts also discuss concerns around AI-driven data risks, including browser extensions and large-scale data collection. Additional topics include a service scraping and republishing Zoom webinar recordings, evolving issues with web cookies and tracking, and industry news such as reports of Apple CEO Tim Cook stepping down.

Join us LIVE on Mondays, 4:30pm EST.
A weekly Podcast with BHIS and Friends. We discuss notable Infosec, and infosec-adjacent news stories gathered by our community news team.
https://www.youtube.com/@BlackHillsInformationSecurity

Chat with us on Discord! -
https://discord.gg/bhis


Chapters
  • (00:00) - PreShow Banter™ — Watch Out for the Brownies
  • (04:35) - Tim Cook Announces Apple CEO Exit - 2026-04-20
  • (05:57) - Story # 1: Vercel April 2026 security incident
  • (19:00) - Story # 2: 'Addicted to hacking': Young hacker behind historic breach speaks out for 1st time, before reporting to prison
  • (27:19) - Story # 3: Mythos And The CVSS Problem No One Wants to Talk About (But We Need To)
  • (28:49) - Story # 4: Introducing Claude Opus 4.7
  • (32:14) - Story # 4b: Identity verification on Claude
  • (36:00) - Story # 5: Tim Cook to become Apple Executive Chairman John Ternus to become Apple CEO
  • (40:18) - Story # 6: Microsoft faces fresh Windows Recall security concerns
  • (44:12) - Story # 7: WebinarTV Secretly Scraped Zoom Meetings of Anonymous Recovery Programs
  • (48:20) - Story # 8: Google, Microsoft, Meta All Tracking You Even When You Opt Out, According to an Independent Audit
  • (51:12) - Story # 9: Little Caesars Wants ChatGPT to Order Your Pizza for You
  • (53:35) - Story # 10: NIST Updates NVD Operations to Address Record CVE Growth
  • (01:00:08) - Workshop: Rapid Endpoint Investigations for Linux and Mac
  • (01:01:20) - Cyber Threat Intelligence 101 2 Day Version
  • (01:02:24) - ANTI-CAST: How to Break Free from the Cybersecurity Burnout Trap w/ Natalia Samman

Links

Story # 1: Vercel April 2026 security incident
Story # 2: ‘Addicted to hacking’: Young hacker behind historic breach speaks out for 1st time, before reporting to prison
Story # 3: Mythos And The CVSS Problem No One Wants to Talk About (But We Need To)
Story # 4: Introducing Claude Opus 4.7
Story # 4b: Identity verification on Claude
Story # 5: Tim Cook to become Apple Executive Chairman John Ternus to become Apple CEO
Story # 6: Microsoft faces fresh Windows Recall security concerns
Story # 7: WebinarTV Secretly Scraped Zoom Meetings of Anonymous Recovery Programs
Story # 8: Google, Microsoft, Meta All Tracking You Even When You Opt Out, According to an Independent Audit
Story # 9: Little Caesars Wants ChatGPT to Order Your Pizza for You
Story # 10: NIST Updates NVD Operations to Address Record CVE Growth
Workshop: Rapid Endpoint Investigations for Linux and Mac
Cyber Threat Intelligence 101 2 Day Version
ANTI-CAST: How to Break Free from the Cybersecurity Burnout Trap w/ Natalia Samman






🔗 Register for FREE Infosec Webcasts, Anti-casts & Summits 
https://poweredbybhis.com

Brought to you by:
Black Hills Information Security 
https://www.blackhillsinfosec.com

Antisyphon Training
https://www.antisyphontraining.com/

Active Countermeasures
https://www.activecountermeasures.com

Wild West Hackin Fest
https://wildwesthackinfest.com

Creators and Guests

Host
Bronwen Aker
Bronwen Aker is a BHIS Technical Editor who joined full-time in 2022 after years of contract work, bringing decades of web development and technical training experience to her roles in editing pentest reports, enhancing QA/QC processes, and improving public websites, and who enjoys sci-fi/fantasy, Animal Crossing, and dogs outside of work.
Host
Corey Ham
Corey Ham has been with Black Hills Information Security (BHIS) since 2021 delivering red teaming and OSINT services. Currently, Corey leads the ANTISOC team at BHIS, providing subscription-based continuous red teaming to BHIS clients. Outside of his time at BHIS, you can find him out in the woods or up on a mountain somewhere.
Host
Ralph May
Ralph is a U.S. Army veteran and former DoD contractor who supported the United States Special Operations Command (USSOCOM) with information security challenges and threat actor simulations. Over the past decade, he has provided offensive security services at Optiv Security and Black Hills Information Security (BHIS) across various industries. His expertise spans network, physical, and wireless penetration testing, social engineering, and advanced adversarial emulation through red and purple team assessments. Ralph has developed several tools, including Bitor (set to release in January 2025) and Warhorse, which enhance efficiency in penetration testing infrastructure and operations. He has spoken at numerous conferences, including DEF CON, Black Hat, Hack Miami, B-Sides Tampa, and Hack Space Con.
Host
Wade Wells
Wade Wells has been working in cybersecurity for a decade, focusing on detection engineering, threat intelligence, and defensive operations. Wade currently works as a Lead Detection Engineer at 1Password, where he helps build and mature scalable detection programs. Outside of his day-to-day work, Wade is deeply involved in the security community through teaching, mentoring, podcasting, and running local events.
Producer
Meagan Bentley
Guest
Patterson Cake


Ralph May:

Research into that.

Corey Ham:

Which one? The browser one?

Ralph May:

Yeah. Yeah. Just about, like, what I could get from a

Corey Ham:

A browser?

Ralph May:

A browser. Right?

Corey Ham:

It's a lot, but it's also not a lot. You know what I mean?

Corey Ham:

It's like it's like on I don't know. It's one of On those some level, it's not that sensitive that you're using, you know, the Grammarly add on or whatever. But at scale

Ralph May:

I was joking.

Corey Ham:

At scale

Ralph May:

That's where I was

Corey Ham:

gonna go.

Ralph May:

Yeah. As soon as you get, like, the big enough, then then you

Corey Ham:

can sell it. Right? Like Yeah. You can sell it. You can say, oh, I can tell you exactly who what other, like, you know, 1Password.

Corey Ham:

By the way, you also use your you also use Bitwarden. Or like Yeah. Did you know 70% of your users also have a VPN app? Or I don't know. Something like that.

Corey Ham:

You know? Like, I don't know. Something there's so many insights you could gain, for sure.

Ralph May:

Yeah. I think that was really what I kinda came from that. Right? But

Bronwen Aker:

Alright. So there's

Corey Ham:

It's 4:20. Let's smoke some weed.

Ralph May:

Yeah. It's getting so high. We're never gonna come back. Like

Corey Ham:

Or actually take an edible because who smokes weed these days, and we have all this technology at our

Ralph May:

Isn't that edible, like, twice as potent, though?

Corey Ham:

Oh, no. It just depends.

Bronwen Aker:

No. No. No. Depends.

Corey Ham:

It You can get it. There's no going back. That is the downside of an edible. Once once you commit, you're you're You're you're there

Bronwen Aker:

for the ride.

Corey Ham:

Let's sit set up.

Wade Wells:

Y'all are

Corey Ham:

crazy talking

Wade Wells:

about this on record.

Corey Ham:

I wish it was six hours. No. It can be up to, like, forty eight hours if you do bad badly enough.

Wade Wells:

Forty eight hours? What the

Ralph May:

Yeah. Yeah.

Corey Ham:

If if

Bronwen Aker:

you if it takes you forty eight hours to come down off of a high like that, you've eaten Well,

Corey Ham:

they make some more than you Trust should me. The so the thing about this culture is that it's a high tolerance building drug. And so the people who actually are chronic users need these absurd doses

Ralph May:

Oh my gosh.

Corey Ham:

Of edibles. And so if you're friends with someone who's a chronic user, and they offer you an edible, and it's like a fifty milligram edible, yeah, you're gonna be

Bronwen Aker:

gone That for a would knock me out Yes. For

Corey Ham:

You're gonna be gone for a while, and you can't come back. Yeah. It depends it also depends on people's metabolisms and stuff. But yeah.

Bronwen Aker:

When it when it comes to chemical uptake, inhalation is always the fastest. Liquid is faster. Solid will take a little bit longer, and

Corey Ham:

almost the true fastest.

Bronwen Aker:

Yeah. Oh. Yeah. Know, wasn't gonna go there, but, hey. It's you, Ham.

Bronwen Aker:

It's you, Corey.

Corey Ham:

I gotcha. I'll go there.

Ralph May:

I know. We we know that's how that's Corey gets gets stuff done fast. Right?

Wade Wells:

That's it. That's all I have to do.

Corey Ham:

The AI summary is gonna be like, this is now for adults only. Exactly.

Ralph May:

Speaking of speaking of big companies wanting to moderate this at this point, they're definitely putting us in the MA, mature audience only category.

Bronwen Aker:

On yeah. I I I still can't get over it. I mean, I grew up in the day when it was the the the devil's lettuce, whatever, and and walking into a dispensary and being able to legally buy stuff is still a trip.

Wade Wells:

Yeah. Is a dispensary walking distance from my house, and it's across the street from the police shooting range.

Corey Ham:

That's not

Bronwen Aker:

way to keep people mellow when they're using firearms.

Corey Ham:

I mean, I live in Portland, which is like the most drug focused city that I it's like the greenest city known to man. Yeah. There's like billboard ads that are so funny. They're just like, know, nineties fonts, and they're just like, good weed. There's like no other context.

Corey Ham:

There's I I gotta say though, there's like no differentiating. I like, from my perspective, there's no differentiate I I can't don't know if anyone else can tell the difference, but I'm like, okay. There's, like, 17,000 variants of the same. I don't know.

Bronwen Aker:

So to those of you who participate, happy four twenty. And for those of you who don't, just watch out for the brownies. Okay?

Corey Ham:

Stay home. Don't drive. It's the same stay home. Don't go anywhere. Don't try to operate under the influence.

Corey Ham:

Definitely don't use Cobalt Strike under the influence. It's basically impossible.

Ralph May:

Yes. Pretty much.

Bronwen Aker:

Wow. That's a first.

Corey Ham:

Am I the only one who didn't hear the awesome metal music?

Ralph May:

No. I If didn't

Corey Ham:

hear you're an audio listener, pretend like there was a really cool metal intro done by Bo himself. Alright.

Wade Wells:

I don't know if

Corey Ham:

they Welcome. Heard It's April 2026. This is Black Hills Information Security's Talkin' Bout News. I don't remember how to podcast now that I didn't hear the intro, so I am confused on

Wade Wells:

how They heard the music. They heard the music.

Corey Ham:

I'm glad. Glad.

Bronwen Aker:

Anyway That's what's important if they hear the music.

Corey Ham:

That's more important

Bronwen Aker:

than if we do.

Corey Ham:

Well, that's all that matters. So today, we've got we're living in a post-Mythos world here, people. So everyone get your CVEs ready. Get your CVSS scores. Add one to them, as John said last week.

Corey Ham:

And we're gonna talk about the Vercel breach. We're gonna talk about WebinarTV scraping Zoom recordings. Mhmm. We're gonna talk about cookies, all kinds of cookies. And if you're here for 4:20, you know what kind

Ralph May:

of And cookies we're about to talk

Corey Ham:

I think, I don't know, just some fun some fun things happening. So I guess let's start with Vercel. It seems like the highest profile thing. Wade, you said you've been working this one, just in it. Is it is it bad?

Corey Ham:

How bad is it?

Wade Wells:

Just throw me out there. Gosh. No. Like, we weren't affected. I don't know if I'm allowed to say that on stream.

Wade Wells:

But Well,

Ralph May:

I think you just did.

Corey Ham:

Okay. More

Bronwen Aker:

importantly Yeah.

Corey Ham:

What what is Vercel? Wade, what is Vercel? Dude. What does it do?

Wade Wells:

Yeah. That that's what took me a while to figure out too. I think Ralph knows about Vercel better than I than I do. No. But I do know secrets can be stored in Vercel, and secrets now must be rotated that were in Vercel.

Wade Wells:

There was a flag in Vercel that said if it was sensitive, you were cool. If it wasn't sensitive, you weren't cool. You needed enterprise level Vercel in order to have logging, which is a recent thing.

Corey Ham:

So Oh,

Bronwen Aker:

wait. Vercel is a cloud AI company.

Wade Wells:

Well, no. Hold hold on. No. Go on.

Corey Ham:

So everyone's a cloud AI company according to them. Okay.

Ralph May:

Yes. Bronwen, you are correct. Everyone is a cloud AI company. 100%.

Bronwen Aker:

Well no. No. I went to vercel.com, and right away, it says, build in

Corey Ham:

the Okay.

Bronwen Aker:

Okay. But that's the cloud.

Corey Ham:

Come on. That's the same thing it says on allbirdsshoes.com. Anyway.

Bronwen Aker:

I knew we do it. Only because they they shifted over from shoes to AI, which makes no sense whatsoever.

Wade Wells:

Wait till Skechers does it too.

Ralph May:

What what Vercel is is essentially, it's a hosting service for front end

Corey Ham:

Platform as a service?

Ralph May:

Yeah. Yeah, right. They're hosting service for front end frameworks. Right? So if you have a website, and you wanna you could host it on Vercel.

Ralph May:

We personally use Vercel for my front end. Right? So they host the front end of the website, and then the back end, which is the API, is hosted totally somewhere else. Right? So when you now, that's not how everyone does it.

Ralph May:

If you have a node based application, you could have the front end and the back end and the same application, and Vercel will gladly host that for you, as well as many other services that can do that, including Cloudflare, just to mention a few. But Vercel is one of the most popular for doing it. There's also a couple other ones out there that are pretty popular for these deployments. But where the security side comes in is that you can obviously upload environment variables. Now those environment variables can be used within your front end application.

Ralph May:

They can be used within your back end application, however, you know, it it pieces in there. Vercel does more than just website hosting, if that I'm like using air quotes here because it's a bit more complex, but they also do a lot of other things. But the idea is is that when you do deploy one of these web applications or one of these web frameworks, that you're probably gonna have some environment variables that you wanna access in real time. And if you didn't mark them as secret, then they could have been exposed in this particular breach according to Vercel.

Corey Ham:

So sensitive is technically what they say, not secret. But yeah, basically, it does enough, on the write up, says that it originated from the compromise of context.ai, a third party AI tool used by a Vercel employee. So this is like that AI supply chain thing that everyone's paranoid about, rightfully so, is if you use these sketchy third party AIs Does anyone know anything about context.ai? Is this just like some random is this reputable, or is it like if you just go on the Google Chrome extension store and search AI,

Wade Wells:

it's like the third result, So like so this it's gonna loop it's gonna it's gonna work back to one of our favorite things. But so context.ai got got hit. They then pivoted to that user who then they escalated privileges via Google Workspace, and then were able to do stuff. Right? If you go look at some stealer logs, and there's some context AI creds that got taken a picture of.

Wade Wells:

Yeah. So there's a couple pictures of that. Yeah. So also could be

Corey Ham:

Next.js, I guess. I I mean, who knows? There's been so many supply chain type compromises. So it's a reputable company, but they aren't appropriately doing AI, or they aren't appropriately doing credential management stuff with infostealers.

Corey Ham:

It looks like Hudson Rock actually said that, like, they're which if for those who don't know, Hudson Rock is a commercial infostealer provider, similar to Flare. It looks like they actually said publicly that, you know, they they think it was stealer. Somehow, Roblox auto-farm scripts. So it's like, okay, here's the supply chain. An employee at complexity.ai was apparently doing Roblox hacking on his work machine.

Corey Ham:

Bro, man. On his home computer. On his home computer with his credentials synced. So that's bad. We have the employee at Vercel was using complexity.

Corey Ham:

Or context.ai, which I guess is that was he or were they allowed to be doing that? We don't know. But my assumption is most companies that are small, and Vercel's probably small, aren't really controlling what third party AI tools people employees are using, and that it has supply chain risk associated with it. So Yeah. If you're a CISO listening to this, don't let your employees install whatever AI tools they want, no matter how much they beg, scream, and cry.

Wade Wells:

If and then if you're working this as an IR person, they do allow you to pull down logs for ninety days in the CSV, all the audit logs, and then Good you can work it from old good old grep.

Corey Ham:

Good old grep. You gotta wait up those logs

Ralph May:

if you are. You're gonna put environment variables, save them as sensitive, make sure you're marking any, like, key as sensitive or secure, or whatever they call them. Yeah. Every platform has got different ones.

Corey Ham:

Don't use environment variables. Don't do it. Yeah. There's tools out there. People have been asking me this question a lot.

Corey Ham:

They're basically like, okay, so when you use You have to use environment variables sometimes. There's a lot of cases where they make sense. But basically, in security, we deal with the trust boundary. Environment variables are only good on one computer for one trust like, that is like, everyone on the computer can now read those environment variables. So if there's any untrusted programs running on that same computer, they're compromised.

Corey Ham:

Right? Like, you just have to keep that in mind, and you don't put sensitive things in environment variables wherever you possibly can. There's tools like 1Password, and other secrets managers that can dynamically pull credentials from without storing them in environment variables.

Ralph May:

Yes. So I I wanna push back on that, because there's a couple things that when you actually implement that, you still have to have that key somewhere on the host in an environment variable, even with 1Password or whatever you want. Right? You could dynamically pull them all you want. The the the hope or the benefit is that you can rotate them.

Ralph May:

That's really more important.

Corey Ham:

You can rotate them, and you can audit who's accessed them, by the way. Yeah. Well,

Ralph May:

somewhat, yes. But either way, the the the idea that if I have all of my secrets in a password manager,

Corey Ham:

that That they can't be compromised?

Ralph May:

That they can't be compromised. That's not not to to I'm pushing back on the idea that environment variables are the only Are inherently bad.

Corey Ham:

Yeah, no.

Ralph May:

They're bad.

Corey Ham:

They're not inherently But

Ralph May:

the better ways to do it, right, where you are actually do implement, because I've had to think about this in process flow, about like using 1Password to pull environment variables in to keep it the most sensitive as possible. The thing is is that key for 1Password does have to exist somewhere on that remote host

Wade Wells:

Yeah.

Corey Ham:

The process. Yeah. Programmatic access, you have to facilitate somehow.

Ralph May:

And that key is gonna get have to get scoped to the specific amount of variables that are required, just the minimum required for that application. Well, if as an attacker, I have access to that key, I totally can retrieve those variables on demand right from 1Password. Right? So it doesn't necessarily stop that attack path, but what it does allow you to do, hope and benefit, is that you can revoke those faster without having to go into Vercel and change every damn one of those environment variables over and over again. Right?

Ralph May:

It allows you to one click essentially rotate all your keys without having to go fight across all of your

Wade Wells:

Alright. Alright, Ralph. Doesn't Bitwarden or someone else have that too, okay? Just stop saying 1Password.

Corey Ham:

Well, actually, actually, so you if you wanna know what is kind of the real standard for this, it's actually HashiCorp Vault. That's the one that most people use. Like, no offense to 1Password, but like, in most deployments, people are rolling their own HCB instances, or using Yeah.

Ralph May:

Well, actually, so 1Password's offering is pretty good. They actually have two different ways to access that. You can use CLI, and then they have a full API based setup where you can actually essentially like dole out a special server that would only be accessed through maybe a specific kind of network. So it's not even just through 1Password, and it has a whole token management system to allow you to kind of do a middle piece in there. So you can broker that access to 1Password, while not actually even exposing the interface that is required to access that key.

Corey Ham:

So I wanna know the record. Was And I hope that we cross. I I feel like we've I feel like we've crossed over into where Ralph knows more about 1Password than Wade does at this point.

Wade Wells:

Oh, without a doubt. Without a doubt. I definitely know OP, right? Like, I have it set up in several places, but, I'm over here defending things, not setting engineering up.

Corey Ham:

Yeah. Yeah. Totally care. Dude, if you ask me to run the SOC at BHIS, I don't know how the heck to do that. Someone else can figure that

Ralph May:

out. Anyway.

Corey Ham:

Yeah. I think the from my perspective, the the IR, and Patterson, feel free to jump in here. Rolling secrets. This is gonna be the, like, number one most used IR playbook of 2026. Right?

Corey Ham:

Like like, is there anything, any advice you'd have, Wade or Patterson, on how people can get in the practice of being better at rolling these secrets, and how like, is there any tips you guys have that could help, like, with this IR process?

Patterson Cake:

Wow. That's a loaded question. Yeah. Make a plan before you before you're in the midst of crisis. That would be priority one.

Patterson Cake:

That's such a sprawling, sort of unique snowflakey. I mean, listen to us argue about our process moments ago. My yeah. My most significant recommendation is I totally agree rotation of credentials is, you know, it's playbook I don't know, think last year maybe it was playbook number two, but I think you're right. It's the forthcoming, it'll be playbook number one, and sleuth out where your creds live, have a programmatic way to rotate them quickly and efficiently, and once you accomplish that, of course, you should test it, and then you're you're golden.

Patterson Cake:

Well, you're not golden, but you're much better off.

Corey Ham:

Ready to react quickly, instead of just being like, what credentials were compromised? Where do they live? What do they do? If we roll them, how much of our production environment breaks?

Wade Wells:

Exactly. Yeah. That's that's the thing, right?

Ralph May:

I was gonna say, lot of credentials are moving to to like a mandatory expiration date as well. Yes. So that you

Corey Ham:

can Everything should be. Honestly, that's like, that's a good thing you can set now before a breach happens, is just set everything to expire every three to six months, or whatever interval you choose, and then you have to get in the practice of rolling

Ralph May:

Yeah. Them stuff You're gonna have to to out how to automate your way out of that.

Corey Ham:

Yeah. Exactly. Because, yeah, it's like, you know, if if you have users that are getting breached, which you do, and you have password expiration, you have MFA, and you have like you basically have to set yourself up in a place where, guess what? Your developers are putting your API keys into ChatGPT, into Anthropic, into Context AI, Cursor, freaking DeepSeek, whatever it is. And so you have to it's you're better off just assuming those credentials are breached all the time, monitoring them for suspicious activity, and rolling them on a regular basis, versus being like, no.

Corey Ham:

This is the secret break glass key that lives in the secret place, and no one can ever access it, like

Ralph May:

Yeah. Yeah. Do think the playbook, a really good one, is to honestly just design rotation into your implementation, and I think you can really help yourself out, you know, when they do get exposed.

Wade Wells:

Yeah. Then if you're using the variables, right, it's easier to do that because all your passwords are gonna be in a centralized location, and usually you can you can interact with them programmatically, so.

Corey Ham:

Yeah. And also setting limited scopes, like basically secrets management is if you do it well, it's gonna be a pathway to the end of twenty twenty six without a whole lot of pwnage. If you do it poorly, you're gonna get popped. Like it's this is not the first, and it won't be the last where environment variables are leaked, and blah blah blah. There's all of other ways that environment variables can leak, by the way, or be exposed.

Corey Ham:

You know, we're talking about, like, browser harvesting, and program harvesting. Like, just assume any program running on your computer can read your environment variables. And there's a lot of programs running on your computer, and they so, like, just keep that in mind. Anytime you export something, it's

Ralph May:

really This is the stealer logs playbook. Right? The, you know, NPM, valuable pack, malware packet, whatever, you know, but yeah, sure.

Corey Ham:

Totally. Alright. What else happened? I guess we can talk about a certain teenager who the guy who compromised PowerSchool. This is a breach we talked about when it happened, but there's this pretty interesting long article in ABC News about his experience, and I don't know.

Corey Ham:

It's kind of like I feel like it's been a while since we've had these a high a big deep dive into the character of a hacker, and it's kind of interesting. I mean, we don't have to go through the whole article, but it's worth the read. I think it it basically, for me, really reiterates how much these online hacking communities impact these young kids. Right? Like, they basically take over their world and really suck them in and and make them think and feel that they're, you know, living a very glamorous, rewarding life, when in reality, they're just kind of the fall guy for a big cybercrime situation.

Corey Ham:

So this person, his name is what is it? Matt Lane?

Wade Wells:

Matthew.

Corey Ham:

So he yeah. So he's he he got sentenced to four years in prison, and basically, on his way to prison, I guess he'd already done six months, and this was a sentencing hearing. But essentially, he did an interview with ABC News kind of talking about what the life was like and what he did. And he sounds, at least in the article, he sounds very remorseful, and, you know, he's the kind of funny thing that which we'll talk about at the end is he's like, I hope I get a cybersecurity job. Maybe he will, maybe he won't.

Corey Ham:

I guess we'll see. Please submit your resume to BHIS, and we'll we'll interview you.

Wade Wells:

But The Darknet Diaries episode will be out shortly, I'm sure.

Corey Ham:

Yeah. Wait, really? No.

Wade Wells:

That's a guess. I'm get if he's willing to talk to ABC News, there's no That's fair. Yeah. Which unheard of. Like, usually, we don't hear like, this almost seems like a play for right?

Wade Wells:

At least for me to to make him look good, which he he does seem honest and truthful, but you don't hear about this too often about them. No.

Corey Ham:

These are rare. These are super rare.

Wade Wells:

And then, like, it's just like we've talked about before in, like, in the UK. Right? These kid kids have been picked up over and over again, but they're they they keep it a secret and, like, hush Put identities?

Ralph May:

And put

Wade Wells:

them away. Yeah. Identities completely, which is also pretty cool, I think. But without a doubt, he's gonna get a job. Like Yeah.

Wade Wells:

And of course, where did he start? Roblox.

Corey Ham:

Roblox?

Ralph May:

Roblox.

Corey Ham:

Yeah. I mean, I I think it's, I don't know. I I think it's really just a matter of people who feel like outsiders tend to look for communities where they fit in, regardless of whether it's cybersecurity, or, you know, terrorism, whatever. Pick a pick a It could be just a lot of people fall into sports, or into, you know, like, things that are more normal ways of fitting in, I guess. But in this case, you know, he got sucked into a community that was kind of pushing him in a bad way.

Corey Ham:

I mean, this is the same thing that happens for most kids who end up as criminals is they get sucked in with people who are older than them, and kind of take advantage of them in a lot of ways.

Ralph May:

I I think one of the big differences in this case too is that most people typically don't get caught. Right? He was just used as a scapegoat. Or not a scapegoat, but essentially, like, a patsy in in this. Right?

Ralph May:

They just used him to to not get caught. Right? And so I think we're gonna see more

Bronwen Aker:

It's being made an example of Yeah.

Ralph May:

Yeah. And I think we're gonna see more and more of this, though. Right? Because essentially what happens is is that MGM or whoever gets hacked. Right?

Ralph May:

MGM was mentioned in this article as well. Right? They want a lever to pull. They're not gonna go to, you know, North Korea to get it. So they're they're gonna take it out on the US assets that were used to leverage that attack.

Ralph May:

Right? And so I think we'll see

Corey Ham:

more of it. Right? It the one of the interesting kind of notes from this is like, the impact is definitely higher. So with the PowerSchool thing, we talked about it in the I I think on the show. Like, the there was an initial breach, and they actually did a ransom demand, and they got the ransom payment of $3,000,000.

Corey Ham:

But then there was another ransom demand sent So to all of the individual basically, like, in this scenario, someone gained access to whatever server they exfilled all the data to, you know, whether it was someone trusted or not, we don't know. But essentially, they got the data, a copy of the ransomware dataset. And so, you know, it's kind of a poster child for why you shouldn't pay the ransom because there's no guarantee that someone else hasn't accessed that data, and can use it to continue to extort, and do bad things. I mean, on some level, obviously, there's credibility lost. But it is kind of an interesting sort of subplot, is the fact that they unfortunately, other people, even if he has remorse and feels bad, other people have the data too and can continue to sort of drive impact from it.

Corey Ham:

Even if he doesn't wanna do that, other people still can. I mean, it looks like they're looking for someone else. You know, they're looking for other people in connection with these crimes in addition to him.

Ralph May:

Yeah. The example piece too is to stop that from happening again, right, from other people being like, oh, think about this. But I will also flip the coin one more time, and just say that his age, right, being young and just impressionable and willing to do these things, I mean, people at a young age, including myself, have done stupid things that maybe you regret, or maybe it was just unsafe. Right? And this is one of those examples, you know, at a younger age taking advantage of people who are younger, you know, to

Corey Ham:

Yeah. 15-year-old.

Bronwen Aker:

Yeah. Like

Corey Ham:

Unfortunately. Yeah. When I was 15, you could've convinced me I didn't probably.

Bronwen Aker:

And unfortunately, Roblox has been a known resource for radicalizing young people, especially young males. And not just for hacking. It's used for radicalizing young men for all kinds of unfortunate and sometimes violent purposes. I mean Yeah. They only went into hacking.

Bronwen Aker:

Yeah. He may get a career out of it someday when he gets out of prison. But

Corey Ham:

Yeah. They they talk about that in the news, in the ABC article too, that like, Roblox is basically there's a couple uplifting parts of the article. Like, one, there's a couple programs that actually go out and try to, you know, recruit people into a community that's, you know, fostering positive things instead of, you know, that's kinda similar to what our community does. Obviously, we don't go out and recruit people on Roblox, but there's something called the hacking games that's like, you know, basically Roblox based positive version of this community. The other thing that they mentioned is that Roblox specifically says they've hired several young people to help secure their systems after they participated in similar programs.

Corey Ham:

So like the, if you're out there listening to this or, you know, watching and reading the article, realize that there is a pathway to use your skills for good and to get paid for it. Right? Like, you know, you might get a job at Roblox. You might get a HackerOne bug bounty payout. Like, go the the

Bronwen Aker:

good resume bug bounty payouts.

Corey Ham:

Well, no. They're they're still doing payouts. They're just not taking submissions. So

Bronwen Aker:

Ah, okay.

Ralph May:

Well, if they ever

Corey Ham:

But, yeah. When they resume well, you could still submit directly, but yeah, anyway, basically, the concept is there is a good and an evil version of this story. I think four years is fair to me. Like, that's like enough time that he'll definitely have, you know, hopefully, some time to think about what he did, but also not like ten years, which is just like a criminal graduate program where you just go and learn how to be a really good criminal. So I don't know.

Corey Ham:

We'll see what happens. But he does have $14,000,000 in restitution to pay to victims. So when he goes to get his first cybersecurity job, he'll be like, my salary demands are quite high because my restitution demands are also I quite gotta make $14,000,000 a month. Sorry. So we'll see how that goes.

Ralph May:

Salary's kinda high, but, you know.

Corey Ham:

Salary's kinda high, but it's only one month, and then he goes back to prison.

Wade Wells:

Do you have to pay interest on that?

Corey Ham:

I'd probably, dude. I'm Right, assuming the I'm assuming the system is set up to completely block anyone from actually being reformed and just put them into a cycle of re a reinfracting early.

Bronwen Aker:

Does

Ralph May:

bankruptcy apply here? Can, like does bankruptcy not apply to restitution? I don't know.

Corey Ham:

I don't know. I don't we need we

Wade Wells:

need get it under a different

Corey Ham:

These are adult questions, dude. This isn't that kind of show.

Wade Wells:

Isn't that kind of

Ralph May:

show. Fair enough.

Corey Ham:

Alright, so next we can talk about Mythos. I mean, I don't know. For me, I guess we talked about it last week. I've still had a lot of customers asking me questions about it. John did a big LinkedIn post about it, which we'll link to if you guys, if anyone didn't see it.

Corey Ham:

But basically, it's kind of the sentiments that we echoed last week on the news. I think the answer to Mythos is basically twofold. One, it's definitely hype. It's, you know, there is some hype tied into this. Anthropic's trying to maintain their relevancy, and that's just part of this.

Corey Ham:

But also, piece number two is the some of the claims and things are real, and I've been telling customers, you have to assume something like this is gonna exist in the next, you know, short future. We don't know when or how, but if they're basically advertising this capability, that means all the other AI companies are short are close behind. And that includes DeepSeek. Right? Like, what was the distance between the, like, GPT-4o release and DeepSeek release?

Corey Ham:

Like, does anyone know that off the top of their head? It was probably, like was it three months, six months? Yeah.

Ralph May:

Like, I forget timeline's so small for all of them right now.

Corey Ham:

It's shorter than you think, basically, is what I've been telling clients. Like, this kind of a vulnerability crusher AI will exist in the next three to six months, and publicly so. So basically, get ready for that.

Ralph May:

And So I guess the other follow on article to this is that Anthropic did release Opus 4.7, which

Corey Ham:

Yes. Has well, okay. So, yeah, the Opus 4.7 release is actually really interesting, specifically because Opus 4.7 now has specific gateways and gatekeeper stuff built in for cybersecurity abuse. Basically, Opus 4.6, you just told you were an authorized if you just told her you were an authorized pen tester, it'd be like, oh, alright. What are we doing?

Corey Ham:

Are we hacking China? Let's go. Yeah. Opus 4.7 supposedly has better, more gateways built in that will basically force you, hey, you know, this seems like you're doing something unauthorized, and it has its own verification model at the account level. So there's also Anthropic drama where they're requiring identity verification for their accounts, which we don't I don't know if we have an article source for that.

Corey Ham:

Someone could probably find it. But they're requiring KYC verification for all their accounts. And in Opus 4.7, you'll hit that limiter more often of it being like, hey, it seems like you're trying to do bad stuff. For us at Black Hills, if anyone's curious, you can get authorized. So you can basically tell Anthropic, here, we're a pen test company, we're authorized, and they will allow well, they'll take down those gateways.

Corey Ham:

But I feel like that's a pretty good way to reduce abuse. Obviously, it's kind of a moot point at this point because you could just use 4.6. Right? You could just be

Bronwen Aker:

like, alright.

Ralph May:

And 4.6 is actually better in some ways, in some regards, but the point

Corey Ham:

is Yes. If you go back up to the table, Meagan, it shows technically, Opus 4.7 is actually worse for cybersecurity by like point 3%, or whatever. If you look, it says, there's one for, what is it, cybersecurity vulnerability reproduction. Yeah. 4.6 was 73.8, and 4.7 is 73.1.

Corey Ham:

So it's point 7% worse.

Ralph May:

Yeah. They did it on purpose. They nerfed it a little bit. I watched a bunch of people essentially digest the numbers here. But the one thing, going back to what you said, Corey, is that we are still on the continual march of improvement.

Corey Ham:

Yes. Numbers are

Ralph May:

gonna

Corey Ham:

It's

Ralph May:

gonna happen. And it's like, it's so fast, and that like, you know, when is, you know, I keep thinking about like, when is Opus 5.0 gonna come out? And like honestly, it could be four months, and that could be like, on the extreme version of it, and ChatGPT could come out with something even faster, and you know, that yeah. So it just keeps going. It's like a steady march.

Ralph May:

I do wanna say one last thing though about the essentially, the gatekeeping of cybersecurity. OpenAI was a lot worse. Like, you asked it to do something, it'd be like, no, I can't do that. I can't do that. Like it really gatekept a lot more than Anthropic, and now Anthropic's kind of catching up.

Ralph May:

Even though arguably, sometimes it gets super annoying, even if you're not trying to do something malicious, right? Just kinda do something related, eventually it gets to the point where it's just like, I'm gonna not help you with this stuff. And you know what's gonna happen in that case? Models are gonna show up that will help you with that.

Corey Ham:

Correct. There's gonna be obliterated models, and Hugging Face models, and DeepSeek, and Mistral, and all these other Qwen, and there's Chinese There's

Ralph May:

no way but my point is, and it is that there's no way Anthropic or OpenAI, no matter how great their frontier model is, is going to stop what is coming. Right?

Corey Ham:

Yes. 100%.

Ralph May:

They are just upfront. That's all.

Corey Ham:

Yeah. No. 100%. I link to the verification program if anyone's curious in Discord, and the next article we can kinda dovetail in is the KYC verification, Anthropic requiring this. It's not super clear when they're gonna start requiring this or what the rollout's gonna look like.

Corey Ham:

They basically just posted this, and now everyone's salty. But essentially, the bummer here is that they're gonna use Persona, which is a company that has taken on a lot of investment from Palantir and Peter Thiel and those sorts of shady folks. And Persona has also had issues with cybersecurity in the past. I will say, I think the issues they've had are very overblown. Like, people's concern like, you know, they had some issues with them exposing the source code, I believe, for one of their government identity verification systems, and like the way that the authentication worked and stuff.

Corey Ham:

To my knowledge, they haven't actually had any exposure of like the identities themselves yet. And it should be noted that this company Persona is also they seem to be kind of the standard in Silicon Valley. That's what Discord is using. That seems to be what most companies are using. So it's not really out of band.

Corey Ham:

Also, the way, OpenAI is doing this too.

Ralph May:

Yeah.

Corey Ham:

If our parents are, you know, if our parents are OpenAI and Anthropic, they're both doing it, and so we probably just have to roll with it.

Ralph May:

I would say get ready for KYC across the whole Internet. It seems like Yeah. That stuff is coming across different pieces, different market, and mainly different laws, right, in different states. It's all kind

Wade Wells:

of moving that direction, and most of these companies, they're in a business, shocker, to make money. If KYC is what they have to do to stay

Ralph May:

in business, that's what they're gonna do. Right?

Corey Ham:

It's just a huge bummer that we can't have a government backed Yeah. Like, actual state run KYC that uses the like, they already have my passport, dude. I already, like, you know, answered a bunch of questions, and gave my fingerprints away, and some guy touched my butt. No. I'm just kidding.

Corey Ham:

But, yeah. I'm already a US citizen.

Bronwen Aker:

Was my fingerprint, man. I don't need that.

Corey Ham:

Well, listen, okay, I went to an appointment, and I'm like, whatever happened happened.

Ralph May:

It way cheaper than normal. That's what I said.

Corey Ham:

Yes. Was discounted.

Bronwen Aker:

Now we know a

Corey Ham:

it's a benefit of my credit card. Alright? Yeah. Yeah. Basically Yeah.

Corey Ham:

Mean, the point is the government already knows who I am, has my identification documents. Yeah. Yeah. Like, can they not just give me, like, an SSH public key or whatever?

Wade Wells:

Yeah. That's that right? Like, some private private public key system, or, why why hasn't there any been any blockchain? Like, blockchain technology behind it is pretty cool and can track things. Why aren't we using that in, like, more production?

Corey Ham:

It's a bummer. Does that

Ralph May:

make sense? An AI. That would be perfect.

Wade Wells:

Dude, let's Are we about to make a company again? Another one? No.

Corey Ham:

No. No. We've already we've already made one company. We don't need to make another. I'm bad.

Corey Ham:

The I think, like, there are countries, what is it? Estonia, I wanna say off the top of my head, that has a full digital identity system that's nationalized, and has voting based on that system. I don't know. It's one of these small countries that you've never heard of, but they have 10 gig Internet and really good tech. I don't know.

Bronwen Aker:

It's easier to do at a smaller scale. I mean

Corey Ham:

Totally.

Bronwen Aker:

They Yeah. And they probably have a lot fewer than, what, 360 or 400,000,000 citizens, whatever we're up to these days.

Corey Ham:

Yeah. I I mean, you're not wrong, but still, that arguably also means we have immense amounts of resources available to create systems like this.

Bronwen Aker:

Yeah. If we if we have the will. Yeah. That's We

Wade Wells:

got break.

Bronwen Aker:

That's the bottom line. You know? But Breaking news. News. Breaking news.

Corey Ham:

We got Tim Apple stepping down at Apple, so now he's just changing his name to what? Tim? Tim. What? Tim Apple stepping stepping down after more than a decade.

Corey Ham:

It's probably because he asked Siri whether he should leave, and she was like, yes, leave.

Bronwen Aker:

Yeah. She was she was don't let the door hit you in the ass on the way out.

Wade Wells:

Honestly, so word on the street

Ralph May:

is they're finally gonna come out with a new Siri this year.

Corey Ham:

I mean, okay.

Wade Wells:

That's just powered by ChatGPT?

Corey Ham:

Yeah. Yeah. So the the well, no. No. No.

Corey Ham:

So, okay. Hold on. Hold on. So first of all, for those that have been living under a rock, it does seem that he's we don't know, but Apple hasn't been doing super well in AI to the point that I know of several people in my personal life who have seriously considered switching to Android just because of how bad Siri is. And that's totally valid and fair.

Corey Ham:

Hold on, Sam. And he's been unable to correct that. Would you say wrong?

Ralph May:

Not to say that what everything you said about Siri is not correct, because all of those things are correct.

Corey Ham:

Is Alexa just as bad, or is Yeah. It It's worse. It's like worse. It's

Wade Wells:

worse? Yes. And they came out

Ralph May:

with an AI version, and whatever. Right? I think it's tough for the non AI to like, companies that came out with those original, like, voice assistants to like, have to move into it.

Wade Wells:

They just pushed Gemini to Google, or to the audio, whatever, auto, Google Auto.

Ralph May:

Oh, yeah.

Wade Wells:

And it could not play any of my songs. I was like, Alexa or Google, play Toy Story storyteller on YouTube as I'm driving, and then it plays, like, some random thing, and I'm like, over and over again, I'm like, you know what? I'm just gonna do this myself, and hopefully don't get in a car crash. But

Corey Ham:

Yeah. Well, okay. So and by the way, before, you know, obviously, we haven't even read the whole article about Tim Apple stepping down, but they did actually partner with Google. That's who they chose as their AI partner. So in iOS 26, which was last year's release, they have ChatGPT integration.

Corey Ham:

And as an iPhone user, I always use it, but it also ties not in it doesn't tie into anything. But every time I use it, I'm like, ask ChatGPT basic question, and it can answer it. That's as far integrated as it is. It that it's pretty lame. So they did partner with Google to get a Gemini model to basically, hopefully correct some of the issues they have.

Corey Ham:

Who's John Turnis? That's the person they chose as the replacement. Or Ternis? I don't know how to pronounce that.

Wade Wells:

You Google him, he says he's an engineer and an executive, which

Corey Ham:

So he's VP of hardware engineering, and then

Wade Wells:

he's Which asking sounds pretty cool, to tell you the truth. Like, if someone were to shave

Corey Ham:

I will say, their hardware might be their strongest department, honestly. Yeah. Like, the you you really if you're comparing the iPhone hardware to other companies, that's what everyone sets the bar at, is like the actual physical characteristics. And if you look at the laptops, it's kinda the same thing. They were super pioneering when it came to the Apple silicon stuff, so I think it's a reasonable

Ralph May:

They're so so just to just to put it out, so AI is cool and awesome, but the hardware is how we interface with it, and Apple definitely dominates that market space, especially from the handheld. They're overfitting

Corey Ham:

Oh, yeah.

Ralph May:

In the US, and all this other fun stuff. So they're not going anywhere anytime soon, regardless of how crappy Siri is, or maybe that it proves to be. But, yeah, they're definitely a dominant piece in the glass that we get to see. Right?

Corey Ham:

Totally. Yeah. And that's not gonna change. I think

Ralph May:

Yep.

Corey Ham:

There was an interesting video the other week about like, how Windows laptops are kind of in a weird spot right now, where like, you have Windows, which is Microsoft, then you have like Copilot, is also Microsoft, and then you have like a bunch of laptop manufacturers that have to figure out how to work with Copilot and Microsoft, or else they're not really included in the whole party these days, because like, Windows now requires you to have all these Copilot ties. You have to have a Copilot keyboard. You have to have a Copilot button on your keyboard. So basically You have a Windows computer? Yeah.

Corey Ham:

Just to be a Windows computer. So like, basically, for a Windows laptop to be really good, all these companies have to work together and do well. For an Apple laptop to be good, it just has to be one product from one company. So I don't know. We'll see.

Corey Ham:

While we're speaking about Windows, we can talk about new concerns with cybersecurity around Windows Recall, which for those that don't know

Ralph May:

Is the coolest feature they ever added. Can't Yeah.

Corey Ham:

Well, so Recall so Recall was a really cool feature that was designed, like, with the release. Was it Windows 11? Yeah. Or Windows Yeah.

Ralph May:

It was like in it was supposed to be in one of the updates for Windows 11 because This

Corey Ham:

is years ago. Yeah. Years ago. This is September 2024. Wow, that feels like ten years ago in It the world of

Bronwen Aker:

does.

Corey Ham:

That was it does. So long ago. But basically, it was a feature that would essentially record your screen and let you go back to a All previous time. Yeah. All the time.

Corey Ham:

So as you could imagine, they rolled it

Wade Wells:

in an

Corey Ham:

incredibly insecure fashion at first, and everyone was like, please no. Can you not do that? And there was a, you know, people were publishing tools that would extract all the data from it. It was a fun little time. And now, I guess, they're trying to re release it, I I assume, and not all the security vulnerabilities have been fixed.

Corey Ham:

That's my assumption.

Ralph May:

What about the whole thing being just one big vulnerability? Like That's not like everything that I'm sending it off to I don't

Wade Wells:

know who. Like, who would use this? Who's the primary user of this? That one person who's screen like

Ralph May:

and let ChatGPT look at it too.

Wade Wells:

Bro, maybe that's it. Maybe it's from the AI perspective that the AI destroyed your laptop so much that you gotta re recall back to a time beforehand.

Corey Ham:

Like the new version of Windows restore? It's just one prompt. It's an AI prompt that restores all the files. It's just a markdown file that says, this file lives here. This file lives here.

Wade Wells:

I I don't even know anyone who uses backups personally, like, in their personal setups. Like

Ralph May:

Who use backups?

Wade Wells:

I will not I don't know any

Bronwen Aker:

data. I don't backups.

Wade Wells:

I don't know any, like, non techy people will say that. Like, normal well, normies.

Bronwen Aker:

Right? That's fair. See I

Wade Wells:

anyone people. I can't see anyone using this. And then from a corporate perspective, like, understand it. I'm wondering if this could be used forensically. But Yeah.

Wade Wells:

Why you wouldn't need it. Right? It could, but, like, would you even need it if you if you have access to it?

Bronwen Aker:

Would you forensicator, would think not.

Wade Wells:

I don't think you would need it, though. You would just, like, run your normal, like EnCase or anything to pull everything off of it. You wouldn't have to use Recall. So I'm thinking

Corey Ham:

I mean, it is it could give you a ton of insight into like, it's basically a screen recording of everything the user was doing. Right? So it could give you way more insights than any of those forensic Oh, yeah.

Wade Wells:

Flat out. That use

Bronwen Aker:

They say Recall stores messages, things on your screen, emails, documents, browser history. If you're using the computer and you got Recall on it, it's recording everything.

Wade Wells:

With the right DLP software, though. Like, I have all that too. That's the thing.

Corey Ham:

It just that's fair. But, like, I I think the biggest thing is just this no one asked for this. No one actually needs this.

Ralph May:

No one wanted this.

Corey Ham:

Like, okay. Right now, everyone's fighting the battle of all their employees want AI, and they have to figure out how to get AI into their company without screwing up security. No one of their employees are like, can I get Microsoft Recall? One My wants

Wade Wells:

my favorite use of this is when someone calls in and says their mouse was moving by itself, and I'm like, alright, let's go check it out in Recall, and be like, no, it's not moving. You're moving. We can see it like like that.

Corey Ham:

Your use for it is just proving people are dumb? Oh. There's way better tools for that, man.

Wade Wells:

Yeah. But if it's a recording, we could prove

Ralph May:

it to them. Don't move my icons. That's exactly how I like it.

Corey Ham:

Move my icon. That's an oldie. An oldie but a goodie. Yeah. Speaking of creepy recording of things that shouldn't be recorded, 404 Media published an article about this company called WebinarTV, which their MO, and this is just as a business model, insanely creepy.

Corey Ham:

Their MO is to enter publicly accessible Zooms using a bot, and then record them and transcribe them. For whatever reason, they're doing this at scale. I don't think anyone really knows why. The article doesn't really cover why. I can't really imagine why.

Corey Ham:

But here it is.

Ralph May:

Mhmm.

Corey Ham:

Basically, of course, because public Zooms are public, some of the information in there probably shouldn't be public. And, you know, they give some examples in the article like Graves' Disease and Thyroid Foundation patients, support groups for, like, of the funny ones is like nudist support group. It's like, oh, I have to wear clothes, guys. It sucks. Like, it's recording this data.

Corey Ham:

It's not super clear why it is, but it claims that they've hosted over 200,000 webinars. I don't really know what their business model is, but it feels like from a privacy perspective, do they have any lawyers that have ever even thought about this for more than ten seconds? Like, I cannot imagine the amount of PHI and PII. I mean, I think the biggest thing is, if you're going to some of these webinars, just assume it is, you know, being recorded Yeah. By someone, change your name to something anonymous, maybe hide your face, or don't show yourself on camera.

Corey Ham:

I don't know. Or just it sucks because it's like the companies that are putting on these webinars aren't really trying to do this. They're not trying to make it, you know, a cybersecurity problem, but they are. Yeah. And so yeah.

Corey Ham:

Then basically, they're also, interestingly enough, the webinar will actually like register. They can register, or they have people that are registering for these sorts of things, and like actually submitting like forms and things to get into some of these webinars. So it's like, I don't know, it's basically super creepy. I don't know what this company is, but I

Wade Wells:

think that maybe they're pulling all the data to feed AI.

Bronwen Aker:

Well, okay. That's not I never thought. One of the things covered in the article too is that some of these public meetings or publicly listed meetings are things like recovery groups or faith-based conversations. They kind of have to be public in order to serve the population they're trying to reach, which is like, if it's a 12 step group, that's always been an open meeting format. It's always been anybody can show up.

Bronwen Aker:

Why would it be any different in a digital form than it is in a physical form? So with WebinarTV going and scraping all of this stuff, yeah, this is a huge deal. And, you know, who thought this was a good idea? The only thing the only I can figure in terms of how they're making money is by advertising.

Corey Ham:

Advertising or, like you said, selling the data to AI. Right? It's like that it's at the end of the day, this is data mining. Like, that's basically what this company does. Yeah.

Corey Ham:

On some level, like, you could argue, oh, it's YouTube, but it's like, it's not YouTube because none of these people the goal of this meeting wasn't to create content. Like, that's not, you know, that that's not how it works. People were just going to the meeting to be at a meeting, not to create content for someone else. So I don't know how this is legal. I don't know where they're based.

Corey Ham:

I hope they go away. But on their website, there's 221,000 webinars and searching. I did search for Black Hills. I didn't see any Infosec. Like, they haven't been in ours.

Corey Ham:

They're not they're not in with us right now that I know of.

Ralph May:

No. Not in

Corey Ham:

I'm looking around. Yeah, if you do a free webinar, definitely kick these bots out. Free is not free. Free is not free. So we're kinda quick firing, but the cookie article is pretty interesting.

Corey Ham:

So this is an article, again, we're 404 Media. Basically, a company called

Bronwen Aker:

I wasn't laughing at you, Corey. Sorry.

Corey Ham:

I was laughing at you. X-ray you can laugh at me. It's okay. webXray published a report where they basically claimed that all the big tech companies are not enforcing cookie tracking properly. Essentially, the like, from a technical perspective, Google's you ask Google not to track you, and it's like, here's a cookie.

Corey Ham:

I'm tracking you anyway, basically.

Ralph May:

Have a cookie. You're gonna love it.

Corey Ham:

You don't want me to track you? Here you go. Have a cookie. And so essentially, all these companies have disputed. They're like, oh, no.

Corey Ham:

It's not. It's fine. It's totally tracking. I think the, you know, yeah, the GIFs and the results in the chat are basically exactly how we all felt before the show, which is basically like, are you telling me these big companies are potentially willing to take on fines just to track people because it's more valuable to just take the fines and, you know, get the data versus not ever getting the data? So, basically, we'll see how this plays out.

Corey Ham:

There are some pretty aggressive privacy laws in states like California that will lead to them incurring fines for this sort of behavior. But

Bronwen Aker:

Unfortunately, the fines are just a slap on the wrist for them. I mean, you know, what Google earns more than a $100,000 in interest in an hour. So even if it's multiple millions of dollars of fine, there's no incentive for them to stop their behavior. Yes. And they money.

Corey Ham:

They probably will. I mean, I'm not a lawyer, but I'm assuming they'll be able to hire fancy enough lawyers to get out of this one. And I'm assuming they already hired the lawyers before they did this to make sure they could get away with it before they actually did it, so they don't have to pay retroactive fines. Basically, this is specific to California, but essentially, there's different regulations for businesses versus service providers. Ad vendors like Google and Meta and other people, they contract as service providers, not as businesses, and so they're exempt from a lot of these privacy things, I guess.

Corey Ham:

But basically, again, kind of depressing and a lot of data mining I and got I got a good article. Well,

Bronwen Aker:

I was gonna say the good news is, France is ditching Windows for Linux.

Corey Ham:

Another one bites the dust, That alright. It's like at least the fourth or fifth European country that's ditching Windows, so that's funny. Alright. What you got, Wade?

Bronwen Aker:

What you have, Wade?

Ralph May:

Alright. Alright.

Wade Wells:

You guys ready for prompt injection pizza ordering?

Ralph May:

Oh. Yes. Ready, dude.

Bronwen Aker:

I remember this one. Go ahead.

Wade Wells:

Little Caesars starting on the sixteenth. You can now order a pizza straight out of ChatGPT.

Ralph May:

Nice. Oh,

Wade Wells:

no. I'm not saying this is a bad idea or a good idea, but, like, this is an idea for sure. So you can just you can have it order you whatever you want. We recognize this the comment from the executive is great. Today's consumers are turning to Gen AI as part of how they search for everything, including where they get their next meal.

Bronwen Aker:

Okay. So I can see it now. OpenAI is gonna buy Grubhub.

Corey Ham:

We are the joke is, does this does it come with glue? Does the pizza come with glue? Who

Ralph May:

is it? Wendy's? Wendy's little chatbot? I guess it uses Anthropic, and people were were injecting in it to get it to do other tasks, write code for it, all kinds of other fun stuff.

Corey Ham:

Using Sir, this is a Wendy's, but that being said, I will code you a full year from Punch to Labs.

Ralph May:

Exactly. But, totally, let me let me take on that task that you've given me here.

Corey Ham:

You know, you wait for your

Bronwen Aker:

food, let's help build that website.

Ralph May:

I I wanna I just wanna prompt and just see if I can get free coupon codes, or other things Like, like fake a scenario that was really bad, and see if they give you a coupon code.

Corey Ham:

Be like, you won't believe this. It was late again. It didn't make it.

Ralph May:

Was late again. I need another, like, free order of this, you know? Yes.

Corey Ham:

I feel like you're gonna have to wave through a lot of agreements before you actually buy anything. Like No. Let's see.

Wade Wells:

Let's see right now. I'm gonna buy a $5 Hot and Ready. Are they still $5? I don't know.

Corey Ham:

In Not in this economy either.

Wade Wells:

Those were the days. I mean, you couldn't drive there for less than $5 in gas, man.

Corey Ham:

That's probably true.

Bronwen Aker:

So, Chet, you wait till order hot

Wade Wells:

California. We're gonna order some drunken pizza, and he'll It's get back starting. To It's looking. Little Caesar's $5 Hot and and Ready. Yeah.

Wade Wells:

They're not $5 anymore.

Ralph May:

Oh,

Corey Ham:

So couple other quick fire articles before we close. There's a lot of articles today. NIST published a blog or like a news update that they're basically going to start enriching, I don't really know what that means, but enriching certain CVEs, and I'm assuming the reading between the lines part of this is not enriching most CVEs. So essentially, they're basically saying, we get so many submissions for our CVE database that we can't handle updates and tracking on all of them. And so basically what they're saying here, and this is my interpretation, I could be wrong, is that they are essentially choosing a select subset of CVEs to kind of track and update and actually keep track of, and other CVEs will not be as enriched as they previously would have been.

Corey Ham:

So the gateways they're using for this are CISA's KEV catalog, CVEs for software used within the federal government, which is, you know, probably a lot more than you would think, but not as many as, you know, random Joomla CVEs or whatever. And then also CISA, or sorry, CVEs for critical software as defined by an executive order. So basically, it's kind of a bummer in a way that, like, they're kind of waving the flag that HackerOne did, which is like, there's too many CVEs. We can't handle them all. So basically, I guess the other reading between the lines here is if you're a security researcher, I mean, you want a CVE to put on your resume or for whatever other purpose, you should probably focus on the software that is in this list that's, like, that's used within the government, that is in the CISA KEV catalog, and is, you know, software, important critical software.

Corey Ham:

Well, okay. They go ahead. No. It's all you.

Bronwen Aker:

Oh, I was gonna say, I mean, according to this article, they're saying that the CVE submissions increased by 263% between 2020 and 2025. That's gotta be directly related to AI implementation. Definitely.

Corey Ham:

Yeah.

Bronwen Aker:

And, you know, that's even before AI, the CVE system was struggling because we don't really have the kind of support for analyzing and patching problems. And we mentioned last week about how, you know, HackerOne had the bug bounty program, but do we have a remediation bounty program? And we don't. So, but the combination of this, yeah, this, sorry. This sucks.

Bronwen Aker:

I don't have a positive spin on this.

Corey Ham:

It's kind of a bummer of a week.

Wade Wells:

The remediation bounty is you gotta have a job, and you don't The get

Corey Ham:

bounty honestly, though, I feel like cybersecurity was, like, such a wave to be riding for the last, like, ten years. And then I feel like in the last couple years, it kinda slowed down, where we were like, nah. AI's gonna replace everyone. And I feel like my hope is that this year, that really swings back in the other direction, and everyone's like, never mind. AI's just creating problems, and we need to find people to solve those problems, like, now, or actually more like yesterday.

Bronwen Aker:

Yeah. So it's like, okay. Great. It's a nice idea that all of these AIs can possibly replace cybersecurity experts, but the reality is that the increased influx of exploits and the increased accessibility of being able to attack systems has wiped out any net gain that would have been received. Patterson, you could speak to this better than I can because you're seeing how it's hitting our SOC services already.

Bronwen Aker:

Whatever it is that these companies think that they're gonna save by firing all of their cybersecurity people, I'm just gonna say it out loud. I think they're idiots because there's no way possible that AI as it exists today can ever address all of the things that face any organization that has a profile that could possibly be attacked by malicious actors. And if you're cutting your people and you're thinking that an AI can do it, well, AIs are great at tasks, but you need people, human butts in seats, who are doing jobs to organize and coordinate those tasks because there's too much.

Corey Ham:

Know, Bronwen. I think Yeah.

Bronwen Aker:

We're gonna develop it tomorrow.

Corey Ham:

I think you're way off, Bronwen. I have an AI that'll solve all the problems by just deleting the whole company. Yeah. It's easy. You could solve all cybersecurity problems.

Bronwen Aker:

That is one solution. Yeah. You know? Unplugging and living under a rock is another solution.

Corey Ham:

I mean, I totally agree with you. I think the key thing that's still, at least as of today, is still true is that AI's gonna do something. Some things are gonna be smart, and some things are gonna be incredibly dumb. And you need someone skilled to make the decision about which is which.

Bronwen Aker:

They're like drunk interns. They have really good hits and really bad misses, but you've gotta supervise them, and that's what you need the humans for. I also think, and I was thinking about this because I wound up talking to a lot of friends over the weekend about AI and prompt engineering and where things are going. And I think that in the long run, we're going to be seeing the ability to work with AI, prompt engineering, machine learning, data science, all of those things. These are going to be not just nice to have skills.

Bronwen Aker:

They're going to be required skills in Yeah.

Corey Ham:

Don't need to set up security, but in their minds. It's like the same thing as putting Microsoft Office on your resume. It's like it's not really getting you anywhere, but, like, you do need to know it. Like, that that really

Bronwen Aker:

is table

Corey Ham:

It's table stakes. 100%. That's a good point. Alright. So let's do our plugs real quick before we close.

Corey Ham:

Patterson has an upcoming wait. What do you got to plug

Wade Wells:

the if you scroll to the bottom of the news, there are all the plugs

Bronwen Aker:

there. Read.

Corey Ham:

Alright. So here's the poems. That's not the

Bronwen Aker:

kind of thing you want to admit in public, Corey.

Corey Ham:

Come on. Is teaching a pay what you can workshop next week, rapid endpoint investigations for Linux and Mac. Important in the world of supply chains and developers and all these people getting compromised using AI tools they weren't supposed to be using. Patterson, do you have any other things you wanna plug about it? That's pretty exciting.

Patterson Cake:

That was an excellent summary. Yeah. Super excited about it. Webcast this week on the subject for our pay what you can workshop next week. Just practical tactical skills for Linux and Mac investigations.

Patterson Cake:

So love to see you there.

Corey Ham:

Nice. That's exciting. Yeah. I mean, we've increasingly seen more and more clients asking us to do red teams on Mac and not so much on Linux. I'm assuming Linux is more like server based stuff, not endpoints, but, or I guess it does say *nix endpoints.

Corey Ham:

So for those Linux people out there, you can really probably harden your system a lot by following the onboarding.

Ralph May:

Some French should be doing some clients on Linux too real soon.

Corey Ham:

Oh, good point. If you wanna Hey. If you're doing government work in Europe, you're gonna need to know Linux endpoints in the next, like, very shortly.

Ralph May:

Oh, yeah.

Corey Ham:

And then, Wade, you also have a workshop coming up not until May, but you're profiling Know Your Enemy.

Bronwen Aker:

Meagan, have

Corey Ham:

a talk.

Bronwen Aker:

What are you talking about?

Wade Wells:

Yeah. I have a talk and a workshop. I don't I don't remember when the talk was. It's on the calendar, but the talk is like how to read the news, which I find

Ralph May:

Oh, I I definitely

Corey Ham:

should go to that.

Wade Wells:

You should well, you you should if you wanna guest star in it, because I know you you can I can't read secretly

Ralph May:

come in

Wade Wells:

and we can just argue and yell at things? Then, yeah, I have No. That's for Ralph and I. Do have the $25 workshop on threat actor profiling. That is a full four hours, which will be super fun.

Wade Wells:

And then I am teaching at the threat hunting summit. My CTI 101 class, but now it's two days instead of one. Yes.

Corey Ham:

So twice the value?

Wade Wells:

Twice the fun, twice the value, I am sure. It'll be cool.

Corey Ham:

That's awesome.

Wade Wells:

Yeah.

Corey Ham:

It is crazy you can get some of this stuff for $25, or like, you know, even cheaper. That's insane. That's such a good deal. Also doing a webcast. Think it's next week, next Wednesday maybe.

Corey Ham:

I'm not sure when it is, but I'm going on as a guest to Natalia's webcast, and we're gonna be talking about some burnout stuff. I did a burnout webcast when I first started at Black Hills back in 2021. If you go back and look at it, I didn't have a beard. I had short hair. Kinda terrible.

Corey Ham:

Obviously, have to kinda re up the ante and get back in the modern world of burnout.

Ralph May:

And there's a CTF where you have to find Corey's face in that photo.

Corey Ham:

Am I actually in there? No. I'm not in there, am I? Maybe I am.

Ralph May:

I mean, that's the CTF, man.

Corey Ham:

That's the CTF. I'm the robot. Oh, no. Yeah. So see you all next Wednesday.

Bronwen Aker:

Not the walrus.

Corey Ham:

Hopefully not. Although, you never know. I'm just hoping it's not just like some kind of weird therapy thing where then I'm just like crying at the end of it. I'm like, I'm I'm so burned out. This is terrible.

Wade Wells:

We'll see. Look at the interview.

Corey Ham:

I might have to role play someone else. I'll role play Wade. I'll be like, I'm a new dad. I got terabytes of logs coming in. I can't wade through them all.

Wade Wells:

Dude, that's me to a T. That's it. That's all you need to know. I mean, I

Ralph May:

can't wade through

Bronwen Aker:

a I told you. You're not gonna sleep for the first two years.

Wade Wells:

Oh, no. I'm already sleeping. I'm fine. Babies already sleeping, like, six hour shifts. It's pretty nice.

Corey Ham:

I'll use that in my I'll use that in my That is my webcast.

Ralph May:

I'll use that in my

Corey Ham:

I'll be like, nah. Sleep honestly, sleep is very important.

Wade Wells:

I upgraded as a dad and got a garage fridge recently, and it's full of Red Bulls, so I'm good to go.

Corey Ham:

You don't need that slow down. Sleep is just a garage. I have so

Ralph May:

much sugar. I just honestly, I I got that

Wade Wells:

I'm Celsius too. The Celsius just make me feel weird. Like, I don't know. Don't know. Like

Corey Ham:

Yeah. Yeah. It's too much. I think Celsius is too much. That's for a person, like, I don't know.

Corey Ham:

That's the thousand milligram edible of energy drinks. Yeah. Could Anyway. So I think that's all we got. Thanks all for coming.

Corey Ham:

We'll see you next week. Have a good week.

Ralph May:

Later, guys.

Bronwen Aker:

Bye bye. Bye bye.