A weekly podcast with BHIS and friends. We discuss notable infosec and infosec-adjacent news stories gathered by our community news team.
Join us live on YouTube, Mondays at 4:30PM ET
Talk about John's nudes till like twenty minutes in. This is Yeah.
John Strand:We're ahead of schedule.
Ralph May:Don't
Corey Ham:No. We haven't capture the flag, which is how fast can we get demonetized every show?
John Strand:By the way, did you see that article about CTFs and bug bounty programs?
Corey Ham:Yeah.
John Strand:They're fucking cratering everywhere.
Wade Wells:I can the BSides San Diego CTF one and two were both won by AI.
Corey Ham:Yeah. Oh, yeah.
Wade Wells:And the only one they didn't get was where you won, you had to call a phone number. Yeah. And nobody told us
Wade Wells:No one told us that literally the dude was just sitting in the middle of the room letting the AI do everything. He didn't even and they were watching him. And I'm like, why did no one come tell us or like say anything? Like, you guys let him win. I don't know what to tell you.
Ralph May:I was talking to Roman at the last, like, Tampa CTF they did. And I you know, he totally was like, yeah. It's like, I think the last team was pure AI. They just had a bot and an agent and stuff. So, like, CTFs are it's a whole new world of, like, how to buy that system.
Corey Ham:That one off the resume. But those black badges are still good. Right? That can pay for my $200 a month Claude subscription?
Ralph May:Yes. Yes. And then I was like, well, you could make it, like, really hard where you have to spend a lot of tokens, but then some people are just using their, like, company's tokens. Like, they don't
John Strand:makes it really a bad idea. How could we embed in some of these challenges something that, like, forks the AI off to just burn a ton?
Corey Ham:Oh, yes. We can do that, and we should.
Hayden Covington:The answer is somewhere on a Wikipedia page. You must crawl every Wikipedia page.
Corey Ham:You must you must distill all knowledge, human knowledge from Wikipedia into one system prompt and then include that in every system prompt that you send. Why
Ralph May:don't just prompt inject them the whole entire way to the CTF?
Corey Ham:Yes. A 100%.
Ralph May:Start, you know, hacking them and they don't even realize it. Right? They're like, holy crap.
Corey Ham:We just inflate the context. Every time you have a context, inflate above the maximum context size. I could see it. Yeah. Alright.
Corey Ham:Are we doing this show? Is everyone ready? Do people feel ready?
Wade Wells:I don't even know we're live.
Corey Ham:Ready as I guess
Ralph May:we're live. Let's roll
Corey Ham:the fingers.
John Strand:Let's do this. Okay. Let's go. Hi, John. How's it going?
John Strand:You go it. You take it. And I'm You do it.
Corey Ham:I just like that you got put on the spot and you you really had the right pace for it, which was like,
Hayden Covington:really?
John Strand:Yeah. I'll I'll I'll do it. Hello, and welcome to another edition of Black Hills Information Security talking about news, the show where we talk about the end of Western and Eastern civilization extensively, and sometimes we talk about computer security. We've got our usual cast of characters. We also have Shane.
John Strand:Say hi, Shane. Great to have you with us on as well. But it's been kind of a slow week in news. I don't think that there's been many new
Corey Ham:How many zero days do you need, John? Systems. How many zero days? Listen. There's two hot spicy zero days, and you're just gonna go through a slow week?
Corey Ham:Bring it up.
Hayden Covington:Mythos must have been sleeping this week. Yeah.
Corey Ham:Okay. So first of all, Mythos was sleeping, but it found one vulnerability in Curl. So it was, like, kinda a little bit awake. I guess we could talk about that first. Let let's start with dehyping Mythos.
Corey Ham:The creator of Curl published this super fun blog post, basically walking through his personal process that he followed with getting access to Mythos and the results he got back. And, basically, it came down to one thing, which he didn't announce specifically what it is, but it's gonna be fixed in the next patch for cURL, and it doesn't sound super concerning, at least not from his perspective.
John Strand:It's weird you get this. And by the way, the article was great. And I liked how he was like, the results were meh, you know, whatever. And then you had a Firefox and Mozilla coming out, and they're basically like, it found hundreds and it was amazing. And you always say the truth is somewhere in between, but I understand that CURL is probably a smaller project, maybe tighter knit code possibly.
John Strand:I don't know. Curl's been
Ralph May:around Curl's not that big. All it does is download things. I don't understand how it would be that big.
Corey Ham:Okay. There's a okay. But there are a couple of interesting things
Ralph May:those flags that really make it magical.
Corey Ham:Here's the interesting tidbits. First of all, they have fixed. It's over a 178 lines or 7,878,000 lines of code, which is way more than I would have guessed. It's written in C, not in Rust. So you'd think it'd just be full zero days because it's not Rust.
Corey Ham:Yeah. That's true. But it's you know, basically, there have been 188 CVEs in curl, and I don't think they've really added much in the way of features. So it's really just Sure. Yeah.
Corey Ham:It's kind of the ideal situation for open source tools, which is you just have them burned for years and years and years, and then they become really hardened.
John Strand:Well, the other thing to remember about cURL is it's kind of what Ralph said. It's downloading data, right? Like you got a bunch of options for a number of different services that you can use, but it's not actually doing protocol parsing. If you compare this to something like Wireshark is a good example, where it's doing tons of protocol parsing, that's where your vulnerability and your attack space is going to come into play with this. So and not all that surprised because it's not all that complicated.
John Strand:I know that people are like, no. There's all these amazing things you can do with cURL, and I don't disagree with that, but it's not analyzing the data as it's processing looking for It's strings or
Ralph May:such a application. Does it have a lot of great purposes? Yes. Alright? And like, I'm not saying I don't think curl is cool.
Ralph May:I use it all the time or whatever or wget or whatever the thing you wanna do to download stuff or check something. But other than that though, I think, what is it? Curl's got 178,000 lines of code and Firefox has 21,000,000. It's 118 times larger code base because it does so many more things.
John Strand:Which, if
John Strand:you do the math, That's kind of in the same
Corey Ham:space Yeah. Right?
John Strand:Of the number of critical vulnerabilities that were discovered.
Corey Ham:Yeah. The other fun Easter egg in this article is that it's installed over 20,000,000,000 times.
Ralph May:Oh, I'm sure. I am sure. Like, you can install any Linux distro and accidentally get curled.
Corey Ham:It's insane. It says it runs in every every smartphone, tablet, car, TV, game console, and server on earth. What a What a bad ass thing to be able to just say.
Ralph May:What is life?
John Strand:That'd be nice.
Corey Ham:So the other zero there's multiple zero days. Not more than I mean, I guess technically, that's not really a zero
John Strand:day because there's just exploits, vulnerabilities Yeah. That didn't
Corey Ham:But that's d I being Mythos. There was also a zero day. There was a really interesting Google threat intelligence report from last week on I mean, they don't disclose what it was. I'm assuming it was like cPanel or something like that. I mean, we've seen cPanel get abused hard in the last couple weeks.
Hayden Covington:But No.
Corey Ham:Someone coded up using Gemini or maybe not Gemini, a zero day for popular open source web admin framework panel.
Ralph May:cPanel. Yeah.
Corey Ham:cPanel. It could be cPanel, phpMyAdmin. I don't know. Who knows? But basically an MFA bypass that comes from a business logic flaw.
Corey Ham:It seems like AI is really, really good at business logic flaws and which is cool because they're kinda tricky for a human. And I don't know. It's a it's a spicy, interesting article, a really good threat intel report from Google as always. Mhmm. I also thought it was interesting, like, you know, that this you know, it wasn't again, it's like, this is what I've been harping.
Corey Ham:Like, my clients keep asking me. It's like, you don't need Mythos to party. You you just don't. You No. You you can you can party with what we have now.
Corey Ham:You you can make you can find business logic flaws with, you know, whatever crappy model you have sitting around in your garage.
John Strand:Well, Corey, this gets into the conversation that I've been having with DRock, kind of the CTO of BHIS. And the the thing that we're trying to get our head around is I believe fundamentally that in the next eight months, the price of doing anything with AI is gonna start going up. Right? You're looking at on Throttbook, you're looking at we've talked about it on the show. OpenAI, they can't continue to lose money on what they're doing.
John Strand:Right? They're gonna follow the Uber model where they're going to be cheap, get everyone to use it, and then start raising the prices. So we're starting to really try to price out and continue to build what we have for infrastructure here in the office. We're moving our entire power panel. We're upgrading right now to a 400 amp circuit.
John Strand:Damn. So it can support the level of servers that we need. Because we already have all of our password cracking rigs and all of that shit that we're running, but AI's gonna add another load, and then I gotta add in a bunch more cooling. And my theory is that running on prem is going to be cheaper than continuing to run this in the cloud. And anybody that's looking at this, like, I think, honestly, your AI bill is gonna double probably Oh, yeah.
John Strand:By the end of this year. So we wanna get in quick, get the equipment, and this I actually webcast is not helping me with that.
Corey Ham:I had a huge I had a huge long discussion about with AI about this, And With AI. Basically, it's it's like it's pitch is essentially so first of all, I didn't know this, but it's actually kind of interesting. Anthropic is predicting that they're gonna become profitable in 2027, which is kind of unique. OpenAI says 2030, which I feel like OpenAI's case is a lot less likely to be true than than Anthropic.
John Strand:But that makes sense.
Corey Ham:People pay for Anthropic.
John Strand:But OpenAI's new user subscriptions have flatlined. Right? And Anthropic
Corey Ham:Well, also, they they have a free product. That's like where they kinda screwed up is they competed on the basically, the the AI summary of this was essentially for people who don't pay for AI, for free users, nothing really changes. For the uber high end of AI users is where they get hurt what you're talking about applies, like the power users.
John Strand:And that's where we have to start looking at it as a firm that's doing defense and offense, is what level do we need for which tasks? Because right now, if we're tracking what people are doing at BHIS, almost everybody goes to the latest, greatest, most expensive model, right? For everything. We really have to start saying, okay, what are we gonna be doing in running our own models hosted? Do we wanna get the little NVIDIA or these little boxes that they can run their own?
Corey Ham:DGX Spark. Yeah,
John Strand:sparks and getting those for the employees. Like, people are going to have to start seriously looking at what level of AI firepower do you need for what task, because you're going to have to start addressing your costs here shortly.
Corey Ham:Answer is not
Bronwen Aker:should on any- doing that anyway. We should be doing that anyway. We are. Because
John Strand:We are. It's just Anthropic
Hayden Covington:is very, like, they're very enterprise focused. Like, they released last week, like, their their email show. Lot of you saw it, but they're gonna start restricting what you can use your subscription for. So anything that is basically not Claude code or Claude desktop, they're gonna give you a monthly credit to use those things for. And that seems like, oh, this is great or okay for the user until you realize like in the SOC, we use a lot of GitHub workflows and those have just been on an account.
Hayden Covington:But now, once you're gonna set that threshold of 100 or $200 a month, those all are going to hit API cost. So we had to go figure out how do we do logging on GitHub workflows? How do we measure? So we had to very quickly go determine which of these workflows cost what.
Ralph May:Don't need open to do that stuff.
Corey Ham:You you don't. You don't.
Hayden Covington:Exactly. You don't. And that's like, but you you're inclined to because it's the best. And then Yeah. Like, they are very much the enterprise Like,
Corey Ham:G to B. Wants to The B to B one. Yeah.
Hayden Covington:Exactly. The clean app. Use our platform. We'll do a good job.
Corey Ham:The VHS versus the Betamax.
Hayden Covington:We'll give you plenty of quota.
John Strand:But pulling it back to this news story. Yeah. It's just like Corey said, you don't need Mythos. No. Right now.
John Strand:To do the security research that people are freaking out about. Right? It's unnecessary for a lot of the different activities.
Ralph May:Half the time, I'm just like, hey, could you push this for me? Because I don't wanna do that.
Wade Wells:Yeah, yeah, yeah. I would do that.
Corey Ham:Every time I baseball.
Hayden Covington:No. That's
Corey Ham:so Can you help me get I can't get.
Bronwen Aker:Come on. How many times have I said? How many times have I said?
John Strand:Oh, I was gonna get Shane's take because he's our guest, and we're all talking over him, and I'd like to get his take because he's presenting at our Threat Hunting Summit, and we're super excited to have you at our Threat Hunting Summit that's coming up June ish seventh.
Ralph May:Mid June. Mid June.
John Strand:Yeah. June 17. We'll go with that.
Corey Ham:Midsummer Festival.
John Strand:Yeah. We're gonna dress up like Renfare, but go ahead, Shane.
Shane Hartman:If you wanna stick to article side, even Jensen Huang in his keynote was talking about that tokenization is going to be one of the things for new employees, you're going to get a token balance as part of your negotiation on there. That's kind of how his presence is. I like the idea. I think it's gonna come in it's gonna come local. Why not?
Shane Hartman:It's easy. It's not hard to bring a local model in on your machine. Most of the newer Macs run them without too much trouble. And then you can even use agency to run different models for different things automatically through just regular agents. You don't have to have the latest agent or latest, model to run the if you need to do parsing of a log file.
Shane Hartman:And on top of that, you got the security consequences. You don't want especially an IR and a security, you don't want that stuff being repositioned in models out there. You can have that stuff all local and you can actually triage it and keep it secure.
Hayden Covington:Yeah. And if you have a solid, like, custom agent that you can utilize for this stuff, you can, like, enforce it to delegate to the lower tier models, and that's the best way to save on costs.
John Strand:Yeah. Yeah.
Corey Ham:One of the like, a a couple of other super interesting things I learned from my deep dive was if you look at agentic chaining, like, you look at, like, okay, an agent creates a chain of tasks because of how AI works. If you chain too many tasks, no matter how good the model is, it'll fail, like, 50% of the time. So, like, in the research I was looking at, if you chain like six tasks by the sixth thing, it's like a 50% failure rate. And so it's like using a fancy model doesn't save you. You could be using a cheap model instead.
Corey Ham:And basically, it's bet you're better off defining super specific success and failure conditions and then giving it passing it off to cheaper simpler models versus like every agent is opus and it says, do this high level task and chain as necessary to accomplish it.
John Strand:I like the change of pace, but this was an interesting take for somebody that works on bug bounty programs, Shubs. And basically, they were talking about how they did a lot of bug bounty programs, and article that comes up right after this one.
Bronwen Aker:Yeah, very much.
John Strand:Where these companies, like, I don't know how bug bounty programs How do you survive in the age of AI? And it's funny because some of their solution is Basically Prometheus has come down, fire is everywhere. We literally have AI security research doing things at a pretty high level that anybody with a competent level of technology capabilities can do. And what does that do to the bug bounty program space? So and I've got another take, but I wanted to get you guys' takes on that before I give my
Corey Ham:opinion. I think this is I think this is just alarmism from bug bounty hunters being basically, it's them being like, we're not getting paid. This sucks, which is fair. Like, okay. That's fair.
Corey Ham:Like, okay. Guess what? If you're submitting a bug bounty right now, it's not gonna get processed very quickly because there's 18,000,000 others in the queue with you. Like, it's kinda like job hunting right now. You're gonna get hit by AI, and, like, it's gonna be auto rejecting you for having a, you know, weird prompt injection in your resume or whatever.
Corey Ham:Like, it is what it is. But if I was on the other side of bug bounty, meaning I'm paying hacker one to get bug reports, I wanna see all those reports. I mean, I want you to triage them and tell me which ones are BS slop and which ones aren't. But I still wanna see those reports. I wanna see those vulnerabilities.
Corey Ham:Right? Like, that's not going away, is it? I don't think it is.
Wade Wells:I don't think it's just the vulnerabilities that are ramping. Right? It's just that submissions themselves are easily created. Right?
Hayden Covington:Yeah.
Shane Hartman:Yeah. Just just the reports.
Corey Ham:And you
Wade Wells:and you can no longer tell with the trash reports from the good reports because the AI is writing all of them.
John Strand:I think we're gonna come to that. I think Linus Torvalds has a really good solution, and we'll talk about that next, but you're right. So alright.
Wade Wells:Okay. Well, that that's all I had to say.
Bronwen Aker:Well, and at the risk of of pulling Cassandra, I've seeing for many months now that AI was going to accelerate and amplify all of the problems that we already had in addition to introducing new problems.
John Strand:It's just
Corey Ham:not getting old.
Bronwen Aker:Yeah, tell me about it. But it You're basically is doing exactly that, and it's doing it in multiple spaces. Come on. It's doing it not only in cybersecurity with all kinds of things, but the bug bounty programs are another example. The amount of submissions has gone up.
Bronwen Aker:The value of the submissions has become a huge question mark, much more than it was. And yeah, the only way to churn through all of those submissions is going to be to use AI.
Hayden Covington:Open source projects have the same problem now, is they have so many PRs that they cannot go through them, and a lot of them are crap. But I'm sure there's some decent ones buried in there, but they just don't have the ability to filter through that many PRs. Reviewing one code review, like, kinda sucks because you gotta go through it and re read 2,000 lines of someone else's code, but now you have 600 in your queue because some guy pointed at it for the afternoon.
Corey Ham:Yeah. I said, hey.
Hayden Covington:We got some excess usage. Go for it.
Corey Ham:Basically, like, it's also really funny because in the bug bounty post, he like, the creator sugar or whatever his name is, Shubs, I don't know. He's very self aware where he's like, I don't like it because it breaks the ADHD loop that I rely on for bug bounty hunting. Like, yeah. Which is totally fair and honestly, like, what's the solution? Just be patient.
Corey Ham:Just be pay like, guys, the hacker one will not go away overnight because it got AI submissions. Like, every other platform on the planet is dealing with slop. There's AI slop on Spotify. There's AI slop on YouTube. Is it like, this is everywhere.
Corey Ham:And it's not like anyone's like, oh, I can't watch YouTube anymore because it's all AI slop. Like, they figured out how to moderate and, have their algorithms, and you will too.
John Strand:But I want to throw this out there. I love this because it's highlighting that pentesting was never really about just finding vulnerabilities. I think that there were a lot of firms that tried to couch it in like, We're lead hackers, and we're going to hack your stuff better than any people can have their hack stuff. And really, the firms that are successful and the firms that do a good job are the firms that can take the vulnerabilities and they can communicate it effectively to the customers, not just as an Easter egg hunt of here's 400 cross site scripting vulnerabilities, but saying you have a cross site scripting issue in your development life cycle process that needs to be systematically addressed. You have a policy process procedure failing that is missing as far as, let's say, change management and vulnerability analysis.
John Strand:Pen testing never was and should have never been about, I'm finding hacks. It should always be about how do we communicate vis a vis the customer, and what are we communicating with them to help them prioritize and really moving forward over the next year. And I'm going to talk about this on Thursday, compensating controls. There's going to be vulnerabilities that our customers are going to say, We cannot fix this. And your pen testing firm should be able to sit down with you and say, Okay, here's what we can put in place as a compensating control to address this vulnerability until a patch or something else comes out.
John Strand:But like I said, good firms do this. And I'm going to throw a shout out to sister pen testing company, TrustedSec. We bounce customers back and forth all the time. And the reason why is because we know after we've tested someone for three years, they go to another good firm like TrustedSec or Secure Ideas or Tim over at Red Sage. There's a whole bunch of different firms that are great.
John Strand:And they have that type of approach where they're not just saying, here's all the findings. Here's all the hacks. Give us money.
Ralph May:Yep.
Corey Ham:Does anyone have a take another take on this? For me, it's like, they'll figure it out. Just be patient, bug bounty hunters. You're you're like, you're gonna get faster. You're gonna get paid more.
Corey Ham:It's just gonna take longer. I think the only thing to call out is temporary. In the meantime, people will get sick of waiting and they'll publish stuff. Right? Like, that's the biggest problem.
John Strand:That's that's part of that
Hayden Covington:or that's if that's someone's career though, that could very well for them derail things. If your career is as a bug bounty hunter, right?
Wade Wells:Yes, think it's just that but going with the CTFs on going like, certainly into the CTF stuff, right? We rely on usually your GitHub or any type of repo is a more foundation for your credibility, right? Within the element, right? Yeah. So nowadays, like if even if you did do a CTF, or you write all these blog posts, and you have all this stuff in your GitHub, you could theoretically just make it all with Claude.
Wade Wells:You just have a scheduled task to make you a blog post. Yeah. Which comes
Corey Ham:up with something. Your writing sample didn't get any better. Yeah. Looking,
Bronwen Aker:if they're using their brains, then they're gonna look at how much time went past before all of these submissions were made. Because a human can only do so much in a given period of time.
John Strand:Is fair. Well, that's
Bronwen Aker:something else.
Hayden Covington:Agree. Look at like
Bronwen Aker:I'm going to make a general prediction about AI.
John Strand:Everyone, Bronwen's going to learn us stuff. Yeah.
Bronwen Aker:I went through a lot of this when the web went mainstream, and I'm seeing a lot of the same patterns in terms of early adoption that just sucks ass big time, and yes, add to the cookie jar. But over time, people figure it out. And I'm looking at the patterns that I'm seeing in reading lots of stuff from lots of different industries, people who companies who fired a lot of people claiming AI, if they weren't actually just firing humans to make more money to spend on AI, and they actually thought seriously that AI could replace the humans, they're finding out the hard way. They're learning the painful lesson. No.
Bronwen Aker:AI, in its current state, can only do tasks. It cannot do jobs. It cannot multitask the way that a human can. It cannot identify what the value is about a certain finding or vulnerability or issue. And God knows, it cannot make moral judgment.
Bronwen Aker:Yep. The thing is,
John Strand:in the long run,
Bronwen Aker:human output will increase in value as people see that the craft, the quality, and the insight is deeper. No AI could ever write left hand of darkness or the sun also rises, And the same thing is true going forward, and it's just going to take time for us to wait out the tech bros in Silicon Valley for them to get a clue and stop shoving bad AI down all of our collective throats.
John Strand:I'm out. Just know that anthropic is like challenge accepted. Left hand of darkness part two coming.
Corey Ham:Right Hand of Darkness?
John Strand:What? Right Hand of Darkness. No, I agree 110%. I do. And that gets into the webcast, and I don't want to get too much into that.
John Strand:But I do want to address, we talked about it before the show, but I want to bring it up here. And this actually concerns me far more than a lot of what we've talked about, CTFs. You go to conferences and capture the flag is a big part of conferences. We love hiring people that do really good at capture the flags, and it's a great delineator between somebody who can just do a multiple guess test to hands on CTF challenges. And this scares me, right?
John Strand:AI is really, really good at doing capture the flags because there's lots of capture the flags to fuel it online. And I want to get your takes. How do we deal with this to make CTFs fun and gauging the knowledge of people and not just having slop coming in all the time?
Corey Ham:So I have a take. Ralph, you have a take? Yeah. Go ahead.
Ralph May:I mean, because I thought a lot about this when I talked to Roman about, like, how to, like, hack CTFs where they weren't as easy to hack with AI, but then I just realized that, maybe the whole thing was like, your a CTF is like it's two things. Right? It's learning skills, and it's also learning ways to maybe solve a problem that isn't known. Right? And that really gets into the, you know, the unknown piece of it.
Ralph May:And if you can solve it with AI,
Corey Ham:I feel like that's kind
Ralph May:of a valid way to attack it. Right? Totally. And so the flip side of that is how do I create a problem that is not AI resistant, but just like built to to to fight this war. You kind of like saying like, you can't have AI, but in your business, you're totally gonna need AI.
Ralph May:So like, where where do we go at?
Corey Ham:Would be unrealistic to say no AI. That's not a real option. Yeah. Okay. So I totally agree.
Corey Ham:And here's my take. I'm curious if people agree or disagree with this. I think the concept of banning AI or having an AI free CTF is pointless. At that point, CTFs are completely diverging from reality. If we're looking at, like, I'm looking at my team of 12 pen testers, they aren't doing things differently.
Corey Ham:They're just more efficient and beasts with AI. Right? Like AI will AI isn't making us it's not making our jobs easier. It's making our jobs harder because we're finding more things and we're being more thorough and we're digging in deeper than we would have before. Last week, I had an AI bypass a WAF.
Corey Ham:I'm not doing that. I don't know how to freaking bypass a WAF. It's like things like that. I would have just given up and AI is gonna go deeper. I think CTFs are just gonna have to get harder.
Corey Ham:That's basically what it comes down to. CTFs have to get hard enough that if you're using Claude skills, they aren't just easy mode. Like, that's basically what it comes down to. I do also think and like, environments have to get more complex. Chains have to get deeper.
Corey Ham:Like, it's kinda, you know, use AI to build the challenges and they'll get harder. I also do think there are some really fun ways to think about how you could make an AI resistant challenge, and there are some ways that LLMs think that is inherently broken, and you can exploit that to make a challenge that a human could easily solve and then an AI would never get. And I think that's a fun I'm not saying that should be the entire challenge, but I think it's a really fun concept of like, some of the challenges are just pen testy hackery bits that AI can rip through, but they're really hard. Basically impossible without AI. And then also having some super simple, like, you know, an example is linear thinking.
Corey Ham:So like, if you ask Claude, okay, I have a shirt outside that's gonna dry in one hour. If I add nine more shirts, how long will it dry? And it will think it's 10 times longer because it's 10 more shirts. It's still an hour because it's nonlinear. Right.
Corey Ham:AI doesn't think in that way. And so it's a fun concept of like how you could design a challenge that's not that's resistant to LLM style thinking.
Bronwen Aker:So you could also make a challenge that involves analog clock faces. They still suck at that.
John Strand:I want to put another alternative on the table, and I want you guys to think of it in terms of chess. Chess, by and large, has been pretty well solved by Stockfish. I mean, there's still room for improvement, but Stockfish is an open source chess engine that literally will beat Magnus, like the world's Yeah. Like the best chess player we've seen in history. It will beat him pretty regularly.
John Strand:Right? But because we have Stockfish, doesn't mean that competitions like chess.com and speed chess challenges, all of a sudden are not How do I put this? There's more people playing chess now than ever before. And there's more competitions, there's more interest in chess. And the use of Stockfish at chess.com and Chesley and all these things has actually greatly improved the capabilities of human beings in playing chess.
John Strand:And if you're a CTF organization, I want to put this out there as a thought. One of the things they do whenever they play chess competitions is they watch what you're doing on your chess game, and they can look at what you're doing. And if your move is always the top rated move from Stockfish, they detect that as cheating or even in the top three, and then they'll flag it. If you're not a grandmaster, they will investigate you and they will ban you for life. So one of the things that I've been playing with as a CTF challenge system going forward with Meta CTF is we don't let people use their computers to do the CTF.
John Strand:They log into Meta CTF, they use guacamole, that video section is forked and they're going through, and I'm not streaming their system. I'm not sniffing their packets. They're just going into a guacamole instance in Amazon, and they're able to do the CTF only through that environment, through a Windows system and a Linux system that we give them. It's being streamed. We can have analysis of AI on the other side, and we can watch them solve these challenges.
John Strand:That's one of the thoughts that I have. My point is this has been solved by chess. There were a bunch of people that thought chess was dead. There was no way that anybody would ever be able to beat computers and AIs making it more interesting. But I'm just throwing this out there as a thought.
John Strand:If you have a CTF, people have to log into your CTF environment and do those challenges in a way that is streamed via Guacamole on a system that's not their personal computer system. And then we can use AI to analyze what people did. We can use AI afterwards. Like, if you have a competition of people and say, here's the winner. Look, they're running curl.
John Strand:Oh my God, there's a vulnerability in that version of curl. I think it gives us a lot of opportunities to make it more interesting. We just have to adhere to the fact that, just like Bronwen said, I'm paraphrasing, shit's changing. We better change what.
Corey Ham:I think that's a separate category. That's my take.
Ralph May:You have like a human human CTF.
Corey Ham:Yeah, exactly. It's like sports. Like, I race bikes, and I don't race against fast people because I'm not fast. It would be super boring. It would be the most boring race ever to have me race against a pro.
Corey Ham:They're just gonna crush me. Like, it's it's like a different category. You have AI assisted CTF, you have human CTF. Yeah. Two different categories, two different approaches.
Corey Ham:Yeah. Reprising.
Wade Wells:The the one thing I don't think we're discussing is the difference between a red team CTF and a blue team CTF. Like you guys, I think they're inherently different.
John Strand:And I don't I think that my approach would work for either.
Wade Wells:I think your No, I definitely agree. I do think your approach would work. But, like, the one thing with the blue team, what I've been doing is you make people not just write a report, but you have to explain to me how you got to that conclusion. Right?
Wade Wells:Because I have to provide evidence and provide you do stuff to it every time. If you can get the AI to help you provide that evidence and say why something is particularly important, that's great, but you have to at least show me how you do it and how to do it. And I've been doing that with, like, junior analysts. Like, yeah, you can go ask Claude if this hash is anywhere in our environment. Yeah, but how would you do that in our SIEM? Don't ask Claude.
Corey Ham:Show
Wade Wells:me. Show me. Give me the query. Right? Like
Corey Ham:here's the problem, though. If you do that for a CTF, you already lost half the CTF players because they don't want to write reports.
Wade Wells:Good. Good. Then those are the CTF players you don't wanna hire. Right?
Bronwen Aker:If they don't wanna write reports, they don't have a future
Corey Ham:in the industry. Education has sort
Hayden Covington:of the same issue. Right?
Corey Ham:Where it's like, how do we stop
Hayden Covington:people from cheating on their test? It's you use their machine or you do it in person and somebody proctors you. Like, that is the only way to get around the cheating.
Corey Ham:And then there's three categories then. There's one CTF where you have to write reports. That already fixes the AI problem. Seriously, I genuinely think it does.
Hayden Covington:There's a single em dash.
Corey Ham:Yeah. I was gonna say like, just base on something.
Ralph May:We know you did not use word.
Corey Ham:I guess what I would say is like, so like, we're looking inwards at BHIS. How do we hire? We don't just say like, oh, you want a CTF? Here's your job. Like, obviously, we had CTFs could do the same thing of being like, you know, there are CTFs that are more reporting based and will not based just purely in score.
Corey Ham:Then there's like the non AI assisted category, which John was talking about. Then there's the AI assisted, it's like the open category. It's like, let it rip, baby. How many tokens you got?
Hayden Covington:Like, let's go. What if we
John Strand:did it? Like, they did the CTF, and at the end, we do like The UK master's thesis defending approach where you get the three teams Jeopardy! And it's like, on this challenge, you use curled.
Wade Wells:Why?
John Strand:Explain. Then they have to we are using these options. This is why we said
Corey Ham:Because of AI.
John Strand:We did.
Corey Ham:And that's
John Strand:what universities and high schools are doing. They're like, write your paper with AI, and we're gonna grade it knowing that you're using AI. So we expect no grammatical errors. We expect dumb But then when you're graded, you have to get in front of the class and answer questions about your paper.
Wade Wells:John, and Forensics 508. Not to, like, at the end you do an IR report, right, you have to go all the way through it, then you have to present it. And that's usually when the teams fail, is when the presenting happens. And you, yeah, like, yo, I found this, I found this hash. It's everywhere.
Wade Wells:Well, why?
Corey Ham:Okay, so Shane, do you play a lot of CTFs out of curiosity? Or have you in the past?
Shane Hartman:I played a little bit here and there, but not as much. I I helped work on some of those indirectly through just kinda like the prompt side of it. Like, here's what I want to do. And I also teach a class on ethical hacking. So some of that plays a role in there.
Shane Hartman:But some of the things you can get around with it, like my password hacking or cracking one, one of the nuances they have to do is you have to tell me how long it took you to actually crack each password, how much time. AI is not gonna necessarily tell you that. And then it's the difference between a rainbow table and an actual just hashing your, you know, going through the hashes. So you can trip them up that way. But I agree with what John was saying about where you could kind of like have a closed environment, like almost like Citrix is the first thing I thought of when he was saying that you're in that like domiciled bubble, and you can only do what's there.
Shane Hartman:So then that puts you in a position to where and then the other thing I was thinking, if you're doing that, like what I think Hack The Box does, where it spins up little virtual machines and you have
Hayden Covington:to go.
Shane Hartman:You can't get you can't just point an AI at that and start going digging in. The last thing was one of my other cohorts, what he does with his, he has a physical part to it. What I mean by that is some of the flags that you get in there
John Strand:You gotta you gotta arm rest this Dave Kennedy for this next play.
Corey Ham:Yes. Yeah.
John Strand:It's like Double Dare on Nickelodeon. There's less behind that.
Ralph May:They do that at DEF CON too. So not for the CTF, but for, like, the RF village and other things like that, where they have, like, rabbits and other things like that. So essentially, it becomes a scavenger hunt, a real life scavenger hunt, not a digital one. And so when you put that piece in there, then that can slow people down. Except for then what you'll end up building, though, is runners.
Ralph May:So what ends up happening is you get tasked off to that work. Another thing too that I thought of was making a system that you had to go in to manually enter the answer. So there's some physical process so that you can't brute force that answer. Right? You can't just ask it over and over again.
Ralph May:That's another way to prevent the system from essentially getting a feedback loop where it can find the value where someone
Corey Ham:Yeah. You're basically fuzzing the freaking applicant.
Ralph May:Yes. I
Wade Wells:I am teaching an intro to operating systems course for a college right now, and they have one of those labs where you have to log in and do all this stuff. Right? And everyone was having a really hard time with the labs. And I'm like, oh, I wonder if I could just have Claude do all this for me. Claude couldn't do it, not because it couldn't figure out the labs, but because the questions of the labs were written so badly that it couldn't figure it out and I couldn't figure it out.
Corey Ham:When you're calling it the
Hayden Covington:IST squared methodology.
Corey Ham:No. Is a
John Strand:horrible peppy question. So I want mean Linus. Can we go to Linus Tollbals? And he's talking about, once again, it's AI Slop. And he's got two beautiful things that I think are amazing in this article.
John Strand:Thing one, he said, if you use AI to find vulnerabilities in the Linux kernel, odds are somebody else already has. Like, don't bother to resubmit it. And number two, he said, and I love this approach. He said, Our submission guidelines are you to find the bug, but you also have to submit a code solution to solve that bug. And he said that that just washes out a huge percentage of the submissions that are coming through.
John Strand:He didn't seem as salty as I thought he was. Like I thought for sure he was going to be like FAI, F all of
Corey Ham:you. Because he used AI
Ralph May:credits and your money to do the job, that that's great. Right?
Corey Ham:He used AI to read all the responses and ask how many were BS, and 99% of them were BS. So he's, like, yeah. I mean, fight that fire. Yeah. Fight fire with fire.
Corey Ham:Like, if you set these simple guidelines, like, has to have a patch, it has to be passcode, it has to, you know, meet our guidelines, how many submissions are left? Six. Okay. Like, great. But yeah, mean, I love it.
Corey Ham:You know, behind the scenes, like, I'm just gonna go ahead and speculate that Torvalds and the Linux crew got access to Minutos pretty early on.
John Strand:Yeah. I'm willing to bet.
Corey Ham:Like, I'm I'm guessing, like, if I made a model that was good at bug hunting, I'd be like Linux. Where are you Linux? Like, I need to fix it right now. That it's the easiest thing to pull apart and fix. It's also similar to curl where this is battle hardened code, guys.
Corey Ham:This is not I mean, there was Copy Fail. There have been some fun spicy ones recently. But, you know, Linux is hardened. It's been tested a bajillion times by a bajillion different people, and it's not just easy to, hey, Claude.
Ralph May:Yeah. I'm always like, I'd say the only downside is there's so many contributors, and that's really where the where usually the bugs come up. Right? When you have it's a ton of people all contributing, and then you have to validate and all the other fun stuff. So, I mean, that's why it keeps continuing to be bugs.
Ralph May:Right? But humans
Shane Hartman:Yeah. Like, weird. True.
Corey Ham:Alright. Let's segue to the next article. John wants to talk about a new Roomba that he's gonna buy
John Strand:that's The new Roomba.
Ralph May:The Roomba.
John Strand:The Rumble Roomba from Germany.
Bronwen Aker:Rumble Roomba.
John Strand:So this is Yeah. This is a great story, and, you know, it's kind of terrifying, but I think it's good. So Germany is flooding Ukraine. I don't think I think flooding is a bit overselling it, but there's hundreds of- There
Corey Ham:is some mud in the picture, so it's fine.
John Strand:There is some mud in the picture.
Corey Ham:They
John Strand:call them Jurcon or Gurcon combat robots.
Corey Ham:And Juris, right they're called like the Roombat Schnarkens token or some shit like that. Whatever.
John Strand:But it it's funny because well, I think it's good because it allows them to get supplies to the frontline and certain things that, you know, you wouldn't want to put humans at risk in actually doing these things. It's kind of getting away from AI, but it's tangentially associated with it. But it's just kind of showing the evolution of technology, and this is now the robot side of it. And the reason why I'm excited about this as a security practitioner is it's more stuff to test. I just cannot wait to get one of these in the office.
John Strand:I'm in the radiology room, where if it gets tested, it's going to be in here, because I have lead lined walls in this, so there's no signal leakage out of this room. I want to get you guys' take on this. One, I think it's good that maybe we have fewer people in harm's way, but then again, the guy that invented the machine gun thought it would lead to fewer deaths, and he was wrong.
Corey Ham:What are you saying? People are going to get run over by the Roboruba?
Bronwen Aker:Okay. John, instead of having a riding mower, you're at one of these robots and right at churches.
John Strand:Bronwen, I love you. You need to talk to my wife and subtly drop John's birthday is coming up. He needs a Rambo Roomba for
Ralph May:I think this war is
Corey Ham:really interesting.
Ralph May:Rambo Roomba. What do you call it? We're getting to see, right, modern warfare developed in real time and it's wild. Right? Like, the the Ukraine war is a modern day battlefield.
Ralph May:Right? Drones, the new robot that carries or, you know, other like, this is all happening. And because they're they're fighting, you know, in this new battlefield and they're developing it on the fly. The wildest part of this though is not just security as you mentioned, John. Right?
Ralph May:But also just the rapid development and the non reliance on China and other countries to develop technology so you can actually fight a war. Right? It's pretty wild. Anyways The
Bronwen Aker:folks in Ukraine have been brilliant as far as I'm concerned.
Wade Wells:They're adapting Why haven't we seen one of these resilience.
John Strand:Okay.
Wade Wells:We haven't seen any of these in video games. Like like, we've seen plenty of robots running around, but not one that's, like, bringing you ammo. Right?
Corey Ham:Time. Time.
Ralph May:Right? Like So not a battle for
Hayden Covington:a two month, man.
Wade Wells:Right. Did they have a did they have a bot that brought you ammo in the newest battlefront? I don't think so. I don't remember the
Hayden Covington:old one.
Corey Ham:And the old one, but Has anyone seen this is kind of off topic, but it's also very much on topic. Has anyone seen the videos of, like, the Coco delivery robots? Like, just scratch
Ralph May:Oh my god.
Corey Ham:Causing chaos? Yeah. Okay. So, like, if you haven't been exposed to this on the Internet, I'm sorry, but you're in for a treat when you go hunting for this. But just go on YouTube or TikTok or wherever you go and search Coco Robot fail, c o c o, and just watch the videos of these.
Corey Ham:They're basically like delivery bots, you know, that just fail in the most hilarious ways of just like falling down stairs, driving into floods, driving into tunnels.
John Strand:I love Don't
Bronwen Aker:forget the empty Waymos that are
Corey Ham:terrorizing the town in Georgia.
John Strand:My favorite question is, is this gonna be ordered food to be delivered in, like, underneath an overpass on an interstate in, like, a tent city, with a bunch of homeless people? And it was just, like, the dichotomy of what that's showing is pretty hilarious.
Corey Ham:And then so that's the question is, is that gonna be the like, are we gonna see videos of Russians just watching a robot, like, fail to deliver ammo for, like, seventeen hours, or is it gonna be actually useful? Like, we'll see.
John Strand:I don't know. I mean, the other thing is every time you show those videos of these Cocos getting destroyed and obliterated, I think it's just helping Cocos stock. Because the one thing that I take out of this is these things are put together pretty damn well.
Corey Ham:Oh, yeah. Yeah. Yeah. They can drive into floods. They can get run over by a car.
Corey Ham:But Part of
Hayden Covington:it with the drones will always rely on the humans that that operate them to an extent. Right? Like, there was that video, I think, that I saw last week, where somebody had deployed this new, like, farming drone, and they took it off from, a street, and so they take off and start to move across the road towards the farm, and it's immediately run into by like a by a big truck and sent
Corey Ham:it to like a bunch of pieces. Oh, no. I saw that. Yes. I I I I don't know.
Corey Ham:I mean, this is I will say, like, anytime, you know, for for something like this, you can place a human that's potential lives saved, but also Yeah. You know, is it is it going to or is it gonna be like as I ordered ammo, like, seventeen hours ago and it just says its tracking number is missing and
Hayden Covington:Your cocoa is Amazon Prime over there.
Corey Ham:Your cocoa is the solution. Your cocoa has been rerouted. Oh, no.
Wade Wells:Those Amazon delivery bots that, like, fly over people's houses and drop a parachute of Top Ramen at your house for you? Like.
John Strand:I'm so excited for that.
Corey Ham:The future is here.
John Strand:Alright. I got excited about it.
Bronwen Aker:May not have our flying cars yet, but we
Wade Wells:got flying. I just imagine John out there with like a directional antenna trying to hack as it flies by. Right? Like drop package. Drop package.
John Strand:Drop package. Drop signal. Drop signal. Mhmm. Yeah.
John Strand:I I once again, I love this stuff because, you know, if we go back to around Christmas, I was I was like, Man, the rate of AI improvement in October, November last year was just off the charts. There was a lot of fear in the industry, and even internally, people are like, What does this mean for us? There's so much more technology and there's so many ways, just like Bronwen was talking about. It's just going to be applied in so many ways that we haven't even thought of yet that, Hey, we're going to need security and all that shit. And it's job security, y'all.
John Strand:And Bronwen also mentioned, if any of you are listening to this and you're like, well, we're gonna cut back our staff because AI is going to save us money. You are wrong. You are so wrong, and you're gonna get hit hard. I don't care if you're on offense. I don't care if you're in defense.
John Strand:You can't look at this as, like, well, we need fewer humans in security now. Maybe, maybe if you're in the food delivery industry, your job may be at risk, but in security, it's gonna be wild times. Just remember, it's a ladder.
Corey Ham:Yeah. So It'll let your people
Hayden Covington:do more and faster, but Yeah.
Shane Hartman:You have
Ralph May:break more stuff faster. But restrict their executive Yeah. Problems.
John Strand:It's an issue that to restricting their tokens.
Hayden Covington:Saw a post about that this week where it was talking about, as you get down the AI pipeline and you use AI to build or develop, you are building yourself into, like, this position where you have so much, like, tech sprawl and tech debt and all these different pieces that there comes a point where, if you stop using AI, you are toast. So, as you're building out these processes, you're building so much more work for yourself that you can't get away from.
John Strand:But that goes back to what we've talked about in the past about the coming SaaS apocalypse, and I saw other articles that flat out said SaaS is dead. I can't remember who said that this last week.
Corey Ham:But John, AI is SaaS, dude. Not to burst your But
John Strand:that's my point. If you're looking at SaaS as a company that you produce a service and somebody can rebuild that SaaS product from scratch with an internal team, the idea of buying SaaS from a third party vendor, spending potentially hundreds of thousands of dollars for something to be internally developed, and this gets back to Hayden's point, if you now have this code base where all of a sudden we have an explosion of software being written, and this is one of the things that I don't think that people understand about AI, whenever you're using AI to write code, it's using a part of its brain that's completely effing disconnected from the security code analysis part of its brain. Those are trained on two completely different data sets. And we've seen a lot of different stories where people will have code written by AI, and then they'll use that same AI to evaluate the code for security vulnerabilities and find multiple critical vulnerabilities in it. So once again, I think it's just great.
John Strand:There's a lot of explosion of cool stuff happening.
Corey Ham:Yeah. So a couple of quick hits, since we kinda spent a lot of time talking about AI. First of all, there's a BitLocker zero-day.
John Strand:Oh my god. I heard about that.
Corey Ham:That we kinda forgot about. Basically, if you have physical access to a system and it's using BitLocker, you can put a file on a USB drive, throw it in there, boot into recovery, and get a command prompt
John Strand:on that system. USB stick.
Ralph May:Yeah.
John Strand:Yeah. Now a couple of quick things about this. You can't do it from a cold boot state, like where the system is starting up from cold.
Ralph May:No. UPS. No, absolutely cold.
John Strand:Yeah. Yeah. If it's been down for a while, the memory state goes out from what I've been reading.
Ralph May:Well, the whole
John Strand:So look, there's a difference between standby and completely shut down. Whenever you're looking at Windows computer systems and you go back to cold boot attacks, you go to FireWire attacks, and I think this one too, if this system is completely powered down and there's no suspended state, I don't think that this works. At least that's what I read in one of the tests. But if the system is in standby mode and it comes back up, then you can actually go through and you can bypass it. So that's interesting, but the real question I want you guys to get, do you think this was intentional?
John Strand:Do you think this was a backdoor that Microsoft put in?
Ralph May:Yeah. I think it's a backdoor to my
Shane Hartman:Okay.
Corey Ham:I I'm gonna go with no. People were like, oh, the the bug bounty researcher themselves said, I just can't see any other explanation. I was like, is this your first Microsoft bug? No. Like like, you know, not to diminish the capabilities of this person.
Corey Ham:I'm sure they're way smarter than me, but like, dude, this is their bread and butter is putting features in and forgetting to take them out and then those features having vulnerabilities in them. But also, that's arguably plausible deniability for a backdoor, so it is what it is. I think it's, you know, we'll never know.
John Strand:Ralph, what's that?
Corey Ham:Microsoft knows need escorted out.
John Strand:Ralph thought it was intentional.
Hayden Covington:What do
John Strand:you why do you say that?
Ralph May:I mean, enforcement, it looks trivial, like, the actual attack path. I didn't see anything, like because, John, you mentioned that, you know, the system has to be on and the the actual key is in the TPM. Right? So that's in the TPM module. And so it has to be on the Wait.
John Strand:We're putting these keys in the TPM reports?
Hayden Covington:Yeah. Yes. Yeah.
Corey Ham:They're in the TPM reports. They're overdue, John. They're overdue. Oh, my.
Ralph May:So the keys are there. And on that device when it boots and it realizes that the the order has changed, then it prompts. Windows does. But this attack essentially bypasses that prompt and allows you to get access to the C drive. There's a bit more into it, but functionally, that's how it works.
Ralph May:Right? And, you know, there have been other arguments about, you know, just storing anything on the TPM because there's no actual password for the TPM. It's just validating that nothing has changed on the operating system before it releases that key from the module. Right? Yes.
Ralph May:But there are ways to implement second or, you know, two phase authentication in the TPM where you can actually have a password that's required more than just being like the same hardware. So, yeah, that's But I think
Corey Ham:it was
Ralph May:I think it was on purpose and the CIA is gonna be upset that they have
Corey Ham:The Yeah. I think that Microsoft's been selling magic USBs for a hot second. Mhmm.
John Strand:Also, the security researcher says that they have another, vulnerability similar to this one that they're planning on releasing.
Corey Ham:I think Oh, this person is popping off. I guarantee you they just had a bad experience with MSRC and were like, you know what? We'll see how I can MSRC.
John Strand:Well, look, MSRC is very timely. They're responsive. They're consistent in
Hayden Covington:the way that they communicate
John Strand:with security firms and they take vulnerabilities that
Corey Ham:Okay. Seriously. There is Listen, John.
Ralph May:I do have two recommendations if you actually wanna stop this from a physical hardware attack, because we implement this on our own devices that we ship out. So the two things you need to do is first, implementing a BIOS password. Right? That's a Poxie
Corey Ham:or USB ports.
Wade Wells:That was my answer.
John Strand:BIOS password. All right.
Ralph May:Yeah. That's a BIOS password. Another, and the second level way to lock this down, is using Secure Boot. Now people don't realize actually how Secure Boot works, but one of the functional ways that Secure Boot can work is that you can designate your own keys that you actually create and put into the BIOS, and the operating system will not even boot without those keys in existence. Right?
Ralph May:The the the BIOS will totally say no. I'm not going any further. I don't care what USB drive or any other thing. The only way to disable that is to go into the BIOS and if you have BIOS password, it's Right? Not Yep.
Corey Ham:Well, okay. So, John, to to to take it serious, like, honestly, MSRC people, if you're if you're listening to this, you guys need to start using AI. It's
John Strand:okay. The job is fine.
Corey Ham:Guys, you guys need to, like, come on. Get access to ChatGPT. Like, come on, guys. Start processing the bugs or else. Like, yeah.
Corey Ham:I mean, I think if we're being honest, the threat vector from physical access is already pretty limited. The, you know, amount of information that can be stored in one system is pretty limited. Like, this is kind of an edge case. It applies mostly to industries that have crown jewels on their endpoints. Like, you know, it's like legal, government, you know, the high sensitivity environment.
John Strand:I but going back to, like, the intelligence community and DOD, like, field expedient, like, forensic
Shane Hartman:Physical access, man?
John Strand:This is a huge thing, especially if you're in the military in the field, like, straight up physical access bypass authentication controls. That's something that we've used for years and in a variety of different ways. I kind of lean towards Ralph on this one, that it was intentional. And I agree, Corey. Like, I'm not a 100% certain, but it also doesn't apply for Windows 10.
John Strand:Is that correct? I don't like this
Corey Ham:is Yeah. This is your reason to go revert. Yeah. We gotta revert back to Windows 10 now.
John Strand:But that's what makes me, like, argue with myself. Right? That it wasn't an intentional thing. Because if you really wanted to have utility to the CIA and you wanted to have utility to the NSA, more more particular, if you wanted to have utility to operators in the military and JSOC, you would want it to work in Windows 10.
Ralph May:Well, yeah, but they probably have a different USB from Windows.
Corey Ham:That's fair point. Fair point. That's not a yellow USB. It's a red USB.
John Strand:Yeah. Yeah. Which which one do I use?
Corey Ham:Yeah. It's a different colored cut the red wire, John.
John Strand:Yeah. So They don't want
Ralph May:they the Odyssey Microsoft got rid of the red USB because they want everyone to move to Windows 11. That's why.
John Strand:That's what they're doing.
Corey Ham:So as far as the Canvas breach, any big updates on that? Has anyone followed that
John Strand:one, anything new, has there? Like, we still don't know how they got breached in the first place. I mean
Wade Wells:They paid. Yeah. They're in.
John Strand:That's
Corey Ham:They paid. That's the big news. They did pay, and they reached an agreement or whatever to not have the data released. We'll see if that actually holds or if someone leaked it or, you know, who knows? But
Bronwen Aker:Well, they they deleted the data, but, you know,
Corey Ham:Did they run shred -n 7, or did they just,
Ralph May:you know, put it in the recycle, the DoD or not? Oops.
Bronwen Aker:So I do know some people who are dealing with that with the community colleges in California. So
John Strand:I've heard rumors that they paid up to $10,000,000
Corey Ham:Yikes. And I thought that much. That's actually
Wade Wells:like, were they asking for, like, 2,000,000 per school?
Corey Ham:Yeah, it was like,
Bronwen Aker:cut a deal.
Corey Ham:That's only five schools. Yeah. No. I mean, I don't know. It's a bummer because I almost guarantee you that $10,000,000 is gonna go to absolutely no one.
Corey Ham:Like, that that's going to that that's not actually buying any security, but I understand. Like, they've kind of dropped it. They dropped the ball a few times, so it tracks that they would also pay the ransom. But who knows? Behind closed doors
Bronwen Aker:and my bills a lot or doesn't use Canvas.
Corey Ham:Really, I want my records to be breached. That's that's my favorite.
John Strand:It's just easier for me to get my shit when I inevitably spill coffee on my computer. Yeah.
Corey Ham:It's way easier. I like to back up my data on all the ransomware clouds. That's typically where I put it.
John Strand:And you know, it's safe.
Wade Wells:Right? Yeah.
Corey Ham:Yeah. There was a couple of like non starter articles that we thought were really dumb that we should call out.
Wade Wells:Please do it. Please do it. Please do the
Bronwen Aker:ones one.
John Strand:The panel was TechCrunch.
Shane Hartman:Oh, go ahead. Yeah. Okay. One from The Sun.
Corey Ham:The one there was one that somehow yeah. I don't know. Apparently, like, some lady's nudes leaked, and somehow that's newsworthy. I don't know why, but I don't know.
John Strand:It has to do with their clients. But, yeah, let's yeah. We don't
Corey Ham:even It's like Android spyware. Also, there's an article that, like, Claude, when you install it, installs spyware. It's just, like, someone who doesn't know what spyware is in that article.
John Strand:Every time. Every time.
Corey Ham:It's like if the provider that you installed their software, you can use the software to control it, which is spyware, but that's also the product you're paying for. So it's like I installed AnyDesk, and I think it's an RMM tool, guys. Like, crap.
John Strand:Well, we also had the DigiCert breach. I don't know if we talked about that last week. You know?
Shane Hartman:There was Oh, that was like a that
Corey Ham:was at least three weeks ago.
Ralph May:Yeah. That was a
John Strand:while did.
Wade Wells:They had a good write up.
Corey Ham:There was the gas tanks. Like, supposedly, people were claiming that Iran was messing with gas tank monitoring, which had no authentication. And, basically, what they were doing is just, I guess, lying about how much gas there was in the tanks of being like, actually, there's no gas. Like, I I
Ralph May:don't really see the I
Corey Ham:think they
Wade Wells:were saying that if if the gas tanks read fall like, have false readings, they can potentially explode when you fill them up
Corey Ham:Or overfill or whatever. Yeah. It's like it's like fill
Shane Hartman:or something.
Corey Ham:The classic, like, specter of what could be possible with OT hacking, but didn't
John Strand:actually But that's like that's like 80% of, like, the bad DEFCON talks where it's like Totally. Theoretically, if I can hack your toaster, I can burn you. And it's like If
Corey Ham:you just stick your hand in your toaster for twenty to thirty minutes.
John Strand:All the conferences you go to and there's some jackass running around with the Flipper Zero opening up the charge ports on all the Teslas. It's like, god, this shit again. You know but stunt hacking does have its place. It absolutely does.
Corey Ham:It does. The train thing is
John Strand:cool. The they're coming.
Wade Wells:Yeah. Do the train one. Do the I train
John Strand:wanna talk. Brian thinks that we're attacking him, and I would just wanna call out, Brian, you did a great job. I know you're correlating the news stories by the community, and we appreciate that. We aren't saying anything about you and the job you're doing. You're doing a great job, Brian.
John Strand:I just wanna call that out. So alright.
Bronwen Aker:Yay, Brian.
Corey Ham:Yeah. I guess let's let's have Shane plug his stuff. Shane, what you got coming up?
John Strand:Shane, take it away.
Shane Hartman:So I am going to be delivering a presentation in June for the threat hunt that is faced that you are y'all are putting on. Specifically, I'm kind of setting the course for you have no idea what you're doing, you're beginning to kind of get started. And what's next? Many of the clients
Corey Ham:are relatable
Shane Hartman:and tend to have that whole, hey, just find bad. I've got this funk instance going to town. And that's find bad is like the worst statement you can give me. Because if I find bad, you're going to have a bad day. And I don't like to work from that direction.
Shane Hartman:I like to work a little bit more structured. So that's kind of the beginning of
Ralph May:the as I can go
Shane Hartman:into more details. Or if you have questions.
Wade Wells:So you you use stats and then sort by least common log. And then there you go.
Hayden Covington:I think you just literally read bad.
John Strand:Bad. Six six six, we found say yes, I misread whenever whenever they were talking about your talk, I misread it as threat hunting after dark. And I gotta say like, you know, saxophone solos were playing in my head. I'm like, this is gonna a this is gonna be
Shane Hartman:playful song. It's like, you're either gonna grab a bottle of bourbon or you're gonna grab a a can of balls and go get started.
John Strand:Exactly. So my question is, and I know the answer is both at some level, right? Sure. Is this kind of designed for talking to potential customers, kind of letting them know what they need to be to be prepared for an incident, or people that are truly trying to learn threat hunting? Or is it some combination of both?
Shane Hartman:Probably a little of both, but it's more on the the threat hunt side. What we're getting on our side is we're getting a lot more calls about, hey, you know, we have this team that we want to start up, or we have we have this telemetry, how can we look at it? And starting to build that, but they have no that all they know is alert, detect, and that kind of environment. They don't know how to actually do hypothesis drawing and instead of that just reactive, react, react, react. That's the only thing they know.
John Strand:And I think that that's a huge problem. Right? Like, whenever I talk about threat hunting, a lot of people think, Well, we have a SIEM, we have an EDR, we're getting And I think you're starting with the base presumption that the type of attacker you're going for is bypassing those particular security controls, whether they're on a device that doesn't have the telemetry or you're dealing with some advanced adversaries. And I think for me personally, that's a huge mind shift away from detection and alert tuning logic to you're actually, like you said, coming up with a theory, and you're going and hunting for more advanced adversaries. Is that kinda the way you look at it as well?
Shane Hartman:Yeah. Advanced adversaries as well as just dumb stuff that's
Corey Ham:on the network that, like, how do
Shane Hartman:you how do you actually how do you actually know you have all of your assets covered? How do you know? You you go ahead a SIEM. Okay. You've got a SIEM.
Shane Hartman:What do you use into? You got an EDR. Did you did you cross reference them to see if your SIEM actually has the same number of assets reporting as what you have in your EDR? If you don't,
John Strand:you have
Bronwen Aker:a secret. I don't tell people that.
Corey Ham:Proprietary information chain. You're sharing all the secrets.
Wade Wells:Job, you cross correlate, and you're like, hey. We're missing 10,000 agents. They're like, what?
Corey Ham:You know?
John Strand:Dude, don't laugh. That literally happened to us. Oh,
Wade Wells:I I mom, I won't say anything. Nothing.
John Strand:It happens all the time. Like, what do you mean? What do you mean? What do you mean 30% of our environment has no EPP or EDR? It's like, those words you just said or what I just said to you.
Shane Hartman:Exactly. Or what do you mean there's 2,003 on the network? Like, come on. Oh, that that's the best. I have one of those not to the last year, actually.
Shane Hartman:But, yeah, getting
John Strand:devolve into drinking. It's like, okay. The worst network I ever saw crack. Okay. It's gonna take a shot of whiskey to get through this one.
John Strand:It's just like defenders, man. So Alright. Well,
Corey Ham:we're On that over. Yeah. Wade has stuff. Ralph has stuff. There's other stuff to plug, but they'll be probably here next week to plug their stuff.
Corey Ham:Probably.
Wade Wells:Probably. More CTI classes. Come take CTI stuff. Have fun.
Corey Ham:John, aren't you, like, doing a webcast this week or something?
John Strand:I am. The webcast is basically how we're you how we're doing AI wrong and looking at AI incorrectly. And it it has a lot to what we talked about today, where people are like, it's gonna save money. It's gonna be more efficient. It's gonna solve security.
John Strand:It's like all of that crap's not true. And it's gonna be a round table. We're gonna get a bunch of people from BHIS, and I'm probably just gonna do it without slides. Just bring up news stories and try to talk about it in terms of what can we take from this as far as trending. And then I'm also gonna talk a lot about, at BHIS on the offensive side, Corey, stuff we've talked about where it's like, we truly thought that AI was going to make us faster at doing our jobs.
John Strand:Instead it's just adding a lot more work. And that's good because that's where humans need to be in the loop. Or another example is people look at AI and they're like, Well, I'm going to buy a tool that's going to do an automated pen test, but they lose context and understanding of what that is, and it just becomes another noisy dashboard tool demanding their attention. How we need, once again, like Bronwen said, humans in a loop. You're just with AI, you're moving the bottleneck.
John Strand:If you're using it to develop code, great. You can code, let's say, 100 times faster. You're moving the bottleneck to QA/QC. You're moving the bottleneck to deriving the requirements. You're moving the bottlenecks.
John Strand:And we've just got to understand that humans are still required in this as well. For now, anyway.
Corey Ham:Alright. On that note, we'll see you all next week. Thanks for coming. Later, everybody. Usage resets prematurely.