2024-07-08 – A Bunch of Lunatics
Summary
00:00 - PreShow Banter™ — A Bunch of Lunatics
05:09 - BHIS - Talkin' Bout [infosec] News 2024-07-08
08:41 - Story # 1: Europol takes down 593 Cobalt Strike servers used by cybercriminals
09:54 - Story # 1b: National Crime Agency leads international operation to degrade illegal versions of Cobalt Strike
15:17 - Story # 2: 'RockYou2024': Nearly 10 billion passwords leaked online
22:12 - Story # 3: Ticketmaster Breach: ShinyHunters Leak 440K Taylor Swift Eras Tour Ticket Data
24:20 - Story # 3b: Hackers reverse-engineer Ticketmaster's barcode system to unlock resales on other platforms
27:41 - Story # 4: US Supreme Court ruling will likely cause cyber regulation chaos
39:39 - Story # 5: California Advances Unique Safety Regulations for AI Companies Despite Tech Firm opposition
41:13 - Story # 5b: Senator Scott Wiener
43:45 - Story # 6: OpenAI Did Not Disclose 2023 Breach to Feds, Public: Report
53:10 - Story # 7: Microsoft's Midnight Blizzard source code breach also impacted federal agencies
55:27 - Story # 8: Japan's Government Finally Stops Using Floppy Disks
57:48 - Story # 9: This smart toilet paper monitor tells you when you need a new roll
58:50 - Story # 10: Twilio says hackers identified cell phone numbers of two-factor app Authy users

Speaker 0: State of AI and Law is an upcoming, fun conference that I just saw come through my...
Speaker 1: That is definitely a conference you do not wanna go to.
Speaker 2: That sounds like literally a snake oil summit, but, like, no.
Speaker 0: I think it's gonna be relevant
Speaker 2: a lot of things.
Speaker 3: Could be fine.
Speaker 2: I would go there. I'd just, like, wear a big coat and have, like, GPUs in my jacket. Be like, hey, you... Alright.
You let that here.
Speaker 1: Some graphics guys.
Speaker 3: Jack creepy quickly. Hey.
Speaker 2: They need GPUs. It's like a big deal. Why do you think Nvidia is the first 3 trillion dollar company? Alright? It's not because of Fortnite.
Speaker 4: Any GPUs you don't sell there, you can bring to a crypto conference with you.
Speaker 2: Yeah. Exactly. Exactly. I got a crypto conference next week. You better get these while they're hot, man.
These are fresh.
Speaker 0: I got something better than GPUs. I got long-lived static access key pairs for AWS. There you go.
Speaker 2: I got someone else's credit card. That's what he just said.
Speaker 0: Yeah. Brian says no Corey or John this week.
Speaker 5: And we didn't let him in.
Speaker 2: What, it's Johnny. Yeah. John is here.
Speaker 5: No. He's not in. He's not in Restream. He's too slow.
Speaker 2: He's around today. So... I think he's always around. Does that make sense?
Speaker 4: he's I
Speaker 5: I think he's just trying to get in.
Speaker 4: Do we have dropped gp?
Speaker 2: Gp. Yeah.
Speaker 4: Try shredded the Gp. That's what I was stranger.
Speaker 2: It gets pretty creepy
Speaker 6: all of the rage without the personality.
Speaker 7: And and just.
Speaker 4: It sounds so much like and also.
Speaker 1: I actually listened to this podcast for the first time this week.
Speaker 2: Oh, yeah. You sound?
Speaker 1: I sounded okay, but we sound like a bunch of lunatics. It's crazy. Like, I
Speaker 2: was like, oh my god. Well, you
Speaker 6: You've only just realized this. Yeah.
Speaker 1: I've never... I don't listen to myself. Right? Like, we're going straight hard into ice cream. I'm like, man.
I just need to, like, stop talking. Maybe...
Speaker 2: This is what.
Speaker 6: I can bring the button-down shirts and add a patina of respectability to go along with Kelly's professionalism. Beyond that, yeah, we're all screwed.
Speaker 1: We're not going to button-down shirts. We're going tin foil hat. We go in the opposite direction.
Speaker 2: Oh, gosh. Oh my god. It's funny. We sometimes do deep dives, but mostly we just do hot takes.
Speaker 0: My shirt has 2 buttons. 2 whole buttons.
Speaker 2: 2 whole buttons.
Speaker 4: Gotta be buttoned?
Speaker 0: 1 of them is not buttoned.
Speaker 7: Oh, what are the
Speaker 2: good thing?
Speaker 1: We got them wearing a month out from Hacker Summer Camp.
Speaker 2: Mh. A month out. Counting down. You got a little calendar like I do.
Speaker 1: This is probably gonna be the,
Speaker 2: like, DEF CON, which is also kinda what.
Speaker 1: It's gonna be the last 1 I go to for a long time to tell you the truth. Plaza? Babies babies. Kids most likely...
Speaker 2: You can bring them along. It's so much fun.
Speaker 1: I'm sure.
Speaker 4: It's gonna
Speaker 0: be 116 degrees Fahrenheit. That's in the F, or Fahrenheit, stands for freedom units if you're... not watching from the US, but that
Speaker 2: I only understand Celsius for some weird reason.
Speaker 0: So hot. The cars started exploding last time it was that hot during DEF CON. Is it just hard start seen? Yeah.
Speaker 2: Oh my god.
Speaker 0: On the asphalt, it never gets cold, which means that the temperature increases through the week.
Speaker 2: Oh wow. See. See.
Speaker 1: I'll be
Speaker 2: I don't drive that.
Speaker 1: Are you going out, Ralph?
Speaker 2: Yeah. I'll be there.
Speaker 1: Be better there. Okay. Oh, yeah. Aren't you giving a talk?
Speaker 2: Yeah. I'll be at the Red Team Village. We're doing a huge workshop. It's gonna
Speaker 4: me Okay.
Speaker 2: Cool. Okay.
Speaker 4: I'll, nice.
Speaker 1: I'm flying in Monday and leaving Monday. So it'll be a long week for me.
Speaker 2: Wow, that's too much. I have, like, a great 4-day biggest rule.
Speaker 1: This is my last hurrah. Like, this is the last office of Wade. Yeah. So he's retiring.
I'm retiring after this
Speaker 3: entire. Wait.
Speaker 6: Wow I mean, what
Speaker 7: what do
Speaker 6: you think about children, man? I think this is terrifying.
Speaker 2: Yeah. Oh gosh. Wow so. You'll be back. In fine.
Speaker 1: I got free tickets to BSides Las Vegas. So I was like, I have to go to that... Yeah. And then I'll probably sneak into Black Hat or something like that and get my party passes and then go to DEF CON.
Yes. You know we don't pay for Black Hat. Like, that's too much.
Speaker 0: The prior year lanyard. Like, the lanyard never changed. So stroll in with any Black Hat lanyard ever.
Speaker 1: You think I've ever been? Ever? Like, I've never officially been to Black Hat. I've only...
Speaker 0: By the way, I mean, I might know somebody that could loan you one.
Speaker 1: Alright.
Speaker 0: Alright fairly weird
Speaker 2: me. Are you skin? Okay.
Speaker 1: I've never been the swan guy. Like, right. I've never worn the hat in the nautical. I don't get to go to the fancy ones.
Speaker 2: So I definitely go to the vendor hall. It's gonna be everything you want and more.
Speaker 1: I sneak in there, and you talk to the people who you know, like, okay. Gotta talk to that person to get to this party, and you go straight for them. You talk to them, get the party, get the shirt and you leave. And then you look around to see if anyone saw. Nobody cares. You just walk in backwards.
No one, for some reason. It's like a mind trick.
Speaker 4: Is it to go? Yeah.
Speaker 5: It's tough.
Speaker 3: Stevie Wonder, let's go. Go.
Speaker 2: Welcome to Black Hills Information Security Talkin' 'Bout the News. I'm your host today, Ralph May, because John and Corey both didn't make it in, weirdly enough. But the reason why is because I'm joined with a monster cast, and we have filled up the entire screen.
Speaker 5: Yes, we have.
Speaker 2: Yes. We have.
Speaker 4: We were gonna crash Restream.
Speaker 2: Yeah. I don't think... I think that's why they have a limit. Right? So yeah.
I am joined by Charles, Sean, Michael Allen, who doesn't join that often. Welcome. Thank you.
Speaker 7: Thank
Speaker 2: you. Wade, wading through logs, Wade Wells, you know, the whole thing. Mike. Andrew, who also hasn't joined that much. I don't even know your name. It's... it's a
Speaker 3: Kelly. Ralph.
Speaker 5: It's doom. P doom. Doom.
Speaker 3: It's p(doom). It's an AI reference to when AI is gonna be a catastrophic event due to AI. But you can call me Kelly, Ralph.
Speaker 2: Oh, I knew... I knew I remember your name. I'll just get it now.
Speaker 3: Can I get Stevie Wonder?
Speaker 2: Yes. We have Stevie Wonder, aka Ryan, making us look pretty, sound good, you know, bringing us into focus, and then, finally, Alex.
Speaker 1: You never told us why you were in the sunglasses.
Speaker 5: Okay. Yes. Yeah. I'm wearing sunglasses, for those who can't see the video, and it's because I have a little bit of a PSA. The PSA is if you...
have glasses, don't leave them in your car because of the heat. The high-ass heat that we've been having lately, you know, cooked my glasses and it, like, melted them all, and I couldn't see anything out of them after I got my glasses out of my car. So now I'm stuck with my sunglasses, which are prescription sunglasses. So it's the only thing I have right now.
So, yeah, I look like Stevie Wonder or Ray Charles or the Blues Brothers.
Speaker 6: Or the deal with it meme?
Speaker 5: Or deal with it meme?
Speaker 2: Or deal with it. Wow. Well, I can't imagine how hot it must have been in your car to melt glass. Right? Like, how is your dashboard?
Speaker 5: The car itself is fine. I was wondering about that. Like, wow... It's a good thing that they test cars in, like, the Sahara or whatever for this crap, but they don't do that to glasses apparently.
Speaker 2: Oh, my gosh. That's pretty wild. So look
Speaker 8: Where are you at, Ryan, that it's so hot?
Speaker 5: In Orlando, but I went... we went out for the holiday weekend. I was right outside New Smyrna Beach. And the car was in direct sun and it was just, you know, it gets a lot hotter in the car than it does outside. Well, yeah.
I think.
Speaker 4: Cooked. Like, 40 degrees hotter in cars? You think something like that?
Speaker 8: Wow. That sounds reasonable. Oh, yeah.
Speaker 2: So nothing happened last week, and we're good to go. So we're just gonna talk about cars and glasses. That'll be the whole... No. I'm just kidding, obviously. But what do you wanna talk about first? We had a couple that people wanna talk about.
Weirdly, I wanna talk about that OpenSSH one that we've already talked about, so I'm just...
Speaker 1: You could talk about it, but just talk about it. What do you wanna say?
Speaker 2: I... No, it's already been said, so it doesn't matter. Right. We can talk about, I guess, talk about Europol taking down 593 Cobalt Strike servers. Right? I guess they took down a bunch of servers. It was kind of like an orchestrated attack on older unlicensed versions of Cobalt Strike used for red teams. Dude, they're...
I guess they took down, supposedly, according to this article, 690 IP addresses were flagged from 27 different countries. And I'm not exactly sure how they took them down. Maybe they went to the server owners or what it may be to actually take these offline.
Speaker 4: Operation Morpheus. Yeah.
Speaker 2: That's
Speaker 6: some good ones, lately.
Speaker 2: Yeah. So what do you think, is this going to help? Right? Like... Yeah.
So supposedly these Cobalt Strike servers are being used for malicious, you know, malicious actors are using Cobalt Strike. But then I'm like, well, you have a target who's still using C... or Cobalt Strike is not getting detected. And then, you know, does taking all these offline help, and who does it help?
Speaker 4: Well, and how long before those same ones are just finding new servers?
Speaker 2: Yeah. Yeah. I am confused about how they took them offline. It might have a nugget of information in there. Like, did they go to the, like, cloud provider or what?
Speaker 1: You gotta click on the actual... like, the link inside the article to go to the National Crime Agency .gov. They have a couple more juicy tidbits, but not a lot. Using a platform... they used MISP. Private sector and cyber criminals, the... put out.
We know about that.
Speaker 7: Mh.
Speaker 1: The numbers are impressive. Right? 690 individual instances, spread out across 129 different Internet service providers in 27 countries.
Speaker 4: So did the... do we think they used Shodan for these?
Speaker 2: Yes. Strictly? No. It actually said they used a couple different private companies, like, worked together to kind of create indicators of compromise. There's a bunch of little ways to tell that a Cobalt Strike server's out there, especially if you haven't done any, like, due diligence on, you know, masking the Java SSL and other things like that.
So there's little indicators if you haven't done your homework, but I'm just not sure how they actually, like, turned it all off. Right?
Speaker 0: It took 3 years to do this. Yeah. It's 690 servers.
Speaker 1: They were all running the next day.
Speaker 2: Bravo.
Speaker 3: I think, Andrew, the delay wasn't the technical aptitude. It was getting it into courts and getting a hearing and getting the orders. It's usually the Department of Justice that takes the most amount of time, not the technical implementation of it.
Speaker 6: Sure.
Speaker 8: And maybe 3 years, like, from the time they identified the IP addresses to the time that those servers were taken down. Is that right? That's, like, that's really terrible, actually. I mean, they... you know, those actors kept doing actions for 3 whole years.
Speaker 1: Yeah. That's what I was gonna say. Like, if a Cobalt Strike server was alive for 3 years, that's some...
That's a long time. That's some good... That's, like, increasing all of the dwell time ratios for every single security report out there. Like, they're all completely false. Dwell time. It's just, we're doing horrible as a security community.
I mean... honestly, this feels like they didn't release a lot of information, probably because they don't want us to know how they did it. Right? But I also...
Speaker 4: Oh, it might be legal proceedings and things that they can't release just yet.
Speaker 1: Definitely. And it goes through all, like, the big government agencies who all helped out. Right? Like, pretty much all the big boys just knocking on doors. 26 countries, like... I'm looking way over here because my screen is huge.
That's why. But 27 countries. Flex. Yeah. 27 countries. They do list all, like, the cool people who helped, like, BAE Systems, T, Shadowserver, Spamhaus, Bc. And then the 1 tool that they talk about they used is MISP.
Right? Like, and that's the open source Malware Information Sharing Platform, which I find kind of funny. That's the only thing they really mentioned, which is okay. You guys shared IOCs.
Great. Good job. But a lot of the times, don't they track these via just, like, packet signatures and stuff like that? Like, they're able... there's some malformed... or some data
that they're able to actually fingerprint, and not just scanning the server itself. Does anybody question that?
Speaker 4: I think Cobalt... I mean, Cobalt Strike's pretty easy to, like, pretty reasonably easy to find, the architecture.
Speaker 2: Yeah. There are
Speaker 7: a bunch
Speaker 2: of different methods that you could use to detect Cobalt Strike. If you're not aware of those methods or how to defend against them, then a lot of those defaults are kind of enabled, and you can look for them. Another thing they might be doing too is, like, getting indicators of compromise from other systems and then associating that with the actual IP address or the target that it is going to. Not using proxies, all these other fun stuff.
I mean, there were compromised, or not compromised, but they were, like, stolen keys or hacked versions of Cobalt Strike anyways. So, you know, their security is probably relaxed.
Speaker 7: Yeah. I'm just wrapping my head around, like, the naming convention sometimes, of Morpheus, and it's, like, why did they choose that name? And that might be, like, a hint for, like, why or how they shut these things down. Because I'm remembering, like, Morpheus giving the red pill, blue pill, then they can lock on to Neo and pop him out of the Matrix. So maybe that's the type of thing with the Cobalt Strikes, is that it's a similar thing.
You know, we're identifying those cracked versions and only those cracked versions, locking on them, popping them out of the Matrix and taking them down. So I wonder if sometimes they're sort of, like, yeah, I'm sure Morpheus, like, they just pick a random name out of a hat, but sometimes there's a little bit of a nuance. There's a little tip of the hat for... yeah.
We named it this for a reason. Pick
Speaker 0: That's a lot of credit. They probably asked ChatGPT what to call their operation 3 years ago. Yeah. That's what Chat
Speaker 2: GPT 2 spit out. That would... Yeah. ChatGPT 4 would have been a much better title. Much better.
We didn't think about it that long.
Speaker 0: Yeah. This does look like ISP takedowns, though, from the description. It says it's between law enforcement and private partners, and what that tells me is that it was probably ISP-level blackholing and not just some kind of sophisticated takedown.
Speaker 2: Yeah. They should have gone to everyone's house, assuming they found out.
Speaker 0: I really like that, your virtual command host. Are we having a virtual command host right now?
Speaker 2: Yes. Absolutely.
Speaker 6: News command.
Speaker 2: Yes. News command. Do you guys wanna talk about the clickbait article? At least, I think it's clickbait, but the RockYou2024 is out. Everyone go change your passwords that got compromised today.
Speaker 4: Oh, else has... Wait. What...
Speaker 8: Has anybody on this call downloaded the RockYou2024 list?
Speaker 2: I have it. Yeah.
Speaker 8: Okay. Yeah. Because I downloaded it earlier too. And so I wanted to get anybody else's take on it. My take on it is, like, I saw a couple of the headlines about it this morning, and Zach pinged us about it, all the Antisyphon instructors, to see if somebody wanted to do a video about it.
So I looked into it a little bit. And all I'm seeing from the headlines and stuff is, you know, there's 10 billion passwords and everything out there, and some of the news stories I was seeing said a bunch more data was in there. But actually looking into the file after downloading it, it's a bunch of junk from what I've seen personally. I mean, yeah, there's probably some passwords in there, but it's not like credential pairs or anything like that, but, you know, everybody seems to be all kinda up in arms about it
in the... the articles I've seen. I really feel like
Speaker 6: this is exactly the wording... the wordlist, basically?
Speaker 8: Yeah. Like, it's a terrible article, actually. Yeah.
Speaker 4: It just makes me think of 2 things. It's gonna make Kali... I don't know what the size of it is, but it's gonna make Kali a lot larger now. If it's...
Speaker 2: 50
Speaker 4: of that, it's gonna... with people teaching cybersecurity classes, it's gonna... John and hashcat are gonna take a lot longer to run now.
Speaker 8: Yeah. Kidding.
Speaker 2: But I did download it. It's like 40, 50 gigs uncompressed. It's 150 k... or 40, 50 gigs compressed,
150 uncompressed. Yep. Was it just a password list? Right? I mean, I'm assuming you opened it up and... yeah.
Speaker 8: Yeah. So I did some basic searches through it. And it was, like, a list of, you know, passwords as usual, and then there'd be a ton of hashes in there, mixed in with email addresses and other things, but it was not any kind of formatting where it's, you know, you're gonna be able to research it to someone's password or whatever.
Speaker 2: Yeah. No. So, I was gonna say we've compiled lists, and I know Corey is probably, like, burning right now, with the database that we have, just, like, the passwords. Right?
And you dedupe the whole list, and then we use that on, you know, a password... for password cracking. Right? And the list is not nearly 150 gigs. Right? So, you know, I imagined there had
Speaker 0: to be a lot of extra stuff
Speaker 2: in there than just passwords. Right? That had been from compromised breaches. So... yeah.
Speaker 4: I mean, the original RockYou had a lot of that also. That... Yeah.
Speaker 8: Yeah. Yeah. There's usually a bunch of junk in any wordlist, for sure.
Speaker 2: The reason I kinda call it clickbait is this kind of, like... what is it highlighting here? Is there, like, was there a new breach inside of here? And it really wasn't. It's just somebody combining them all together into 1 big, you know, text file. Literally, a text file. Right?
Which I dare you to open up in Microsoft Word or any other, you know, Notepad. No, Notepad. Please. Please try this and see what happens. Right?
Speaker 7: Yeah, it does highlight a couple of things, though. It's kind of buried at the end of the article where it says, like, hey, if you don't reuse your passwords, and you don't use simple passwords, you don't have nothing to worry about. Also, if you use MFA, you don't have anything to worry about. Well, that right there. It's, like, 3 things to highlight.
Like, check your environment for people that are using the same password for everything. They have a user account. They have an admin account. They have a domain admin account. Check through, and you can get these indicators saying, hey, by the way, this person is using the same password for all 3 of those accounts. They have service accounts, admin accounts, everything. They just have this nasty habit
of reusing the same passwords. Lock that down. Like, that's... then you don't have to worry about this. You know, or, you know, the complex passwords. Don't let people use the name of your company as a password. Don't... and with some of these, you know, practices. So it does highlight again, yeah.
MFA. Use it. Don't reuse passwords. You can do... You can...
These are things that you can do something about so that when these articles do come out, yeah, you can look at them and say it's a nothing burger. It's a bunch of, you know, it's a bunch of, you know, fun... Yeah.
Like, if you have put those practices in place. But unfortunately... a lot of companies, they don't have those practices in place. They allow simple passwords. Everybody's using the same password for all 5 of their accounts at different privilege levels, currently, and MFA is something that they go, we can't turn MFA on for whatever various business reasons.
Speaker 2: Yeah. It's kind of interesting because, and the other thing in this that's gonna get Corey going again too is stealer logs. Right? And that's actually kind of, like, the more up-and-coming way of enterprise compromise, right, as opposed to just compromising a straight credential through a data breach of another organization. Right?
I mean, there's a lot of that out there. And those include session, you know, session tokens. Right? Or, you know, Max for those services. So it's a little more advanced than just passwords.
But, yeah, if you're not using 2-factor and all these other things that we probably harped on many, many times, again, that's why I kinda feel like it's a little clickbait.
Speaker 7: But, yeah. And agreed on, like, the infostealers. Like, a lot of blue team like myself, like, you see the masked version of those infostealer logs, then it goes, this person got compromised, here are all the passwords. It shows only, like, the first 3 letters of the password. But it's the same 3 letters, like, for everything. You're, like, oh, good grief. Like, it is clear...
They're clearly using the same password everywhere. Including the 1 that, you know, when you buy it from an intel company, they will let you know the password for, you know, the user at, you know, BHIS dot com. Yeah. They'll mask everything else. And you're like, oh.
They're using the same password everywhere, including in our environment. And you see those from the infostealer logs, how many of them are just the same, you know, first 3 digits before it gets masked out.
Speaker 0: I think the real clickbait article here would be to compare this dump to the original RockYou list and see what the worst candidates are. Like, what are the worst trends from the original, what are the worst trends from this 1, and let's see if they've actually changed.
Speaker 9: We... The answer is no.
Speaker 4: I'll put together a nice little script to do that.
Speaker 1: Yes. What's... Yeah. Tell me all the differences between the original RockYou list and this. Like,
Speaker 0: I mean, I
Speaker 9: will... This list, the passwords ending in 24.
Speaker 1: I heard that, like, all the larger ones are hashes, from what I've read. Like, they're just random digits, not even passwords.
Speaker 2: Yeah. Also, throwing the hashes in there kinda confused me a little bit, especially if they're salted hashes. I didn't see which ones they have in there. So, you know, kinda interesting. What else do you guys wanna talk about?
Besides talking about passwords,
Speaker 0: Should we talk about Ticketmaster?
Speaker 2: What do passwords? They're a great company, and I enjoy their
Speaker 6: the value that structure
Speaker 1: pairs... do the HackRead, like, the article I just sent in there. Right? It actually is pretty well formatted. It has, like, straight-to-the-facts.
Speaker 2: So so did they hack Taylor Swift tickets?
Speaker 1: So the argument is that they hacked them. Right? ShinyHunters are so hot right now, I will admit. Got into Ticketmaster and immediately exfilled a large amount of data that they believed was valued at 22 billion dollars. So originally, ShinyHunters actually said Live Nation, who owns Ticketmaster, was actually gonna pay a 1 million dollar ransom to keep quiet.
Right off the bat. But then once ShinyHunters realized that they actually had Taylor Swift ticket data, they increased the ransom to 8 million dollars.
Speaker 6: Right. But they increased the ransom? What they did was they applied a 7 million dollar processing
Speaker 2: fee. Yeah. Not a reversal. So if you
Speaker 1: go a little bit down further, they talk about the data at risk: 980 million sales orders, 600 million order details, 1.2 billion party lookup records, 440 million unique email addresses, a bunch of others. It keeps going. So they disclosed a decent amount of information, but I will admit Live Nation did clap back and said, the way their ticketing system...
So ShinyHunters got barcodes. That's what they got for tickets. But I guess the way that Ticketmaster is situated, the barcodes can easily be rotated. So they rotated the barcodes and everybody's good. And now you don't... you can't see T Swift for...
Speaker 2: You wanna know why they rotate those barcodes? Or why they have that built in?
Speaker 1: Third-party resellers?
Speaker 2: Yes. It's so that you can't scalp the tickets without Ticketmaster getting their cut.
Speaker 9: Oh, there's... actually, pardon me, there's an article that came out today of all days. Hackers reverse-engineer Ticketmaster's barcode system to unlock resales on other platforms.
Speaker 4: Yeah. I never submitted. Yes. That in the court. I'll put that in this spread actually.
Good how we go that
Speaker 1: That's excellent timing. So hopefully, maybe that'll work out. But I don't know, like, anger... that's quite the community to anger if you start, like, poking the bear. Right?
Like, that's probably up there with Russia type of
Speaker 4: deal. Maybe worse.
Speaker 0: Who are you talking about?
Speaker 6: You're referring to Ticketmaster or Swift?
Speaker 2: Swift. Swifties. Not Ticketmaster. That's what the Swift hack is like,
Speaker 1: Ticketmaster's kind of like... Like, there's even, like, regulation, well, there's regulations, but who knows if those regulations are even gonna be put through now about Ticketmaster and that type of stuff in the way that they're acting. But I think the T Swift... the Swifties are the true... the
Speaker 4: the main here. Maybe the concern about the Ticketmaster breach is people that are potentially in vulnerable situations and just pattern of life, peep... like, if they've got a stalker or whatever, somebody defining pattern of life and stuff like that for them?
Speaker 3: Charles, what do
Speaker 7: you mean?
Speaker 3: Can you elaborate for me on that?
Speaker 4: So if they've got names and cities. So let's say somebody's got a stalker and they don't know what city somebody's in. But they might know what concerts they've been to. They could go through this, hypothetically, and detect and get more information about them. Things like that.
New.
Speaker 2: No. Not everyone's gonna know where I live. Got paste for.
Speaker 8: So has the... all the breach data, has it been released to the public?
Speaker 4: It will eventually, I'm sure.
Speaker 2: Yeah. It will eventually. Yeah. But most of the time. Most of the time.
It gets
Speaker 6: released. Mh.
Speaker 8: But it's not yet. I see.
Speaker 1: Not yet. Yeah. It's still too fresh.
Speaker 2: She is still too good.
Speaker 4: They're still trying to get that 8 million dollars.
Speaker 1: Figure out when the next big Taylor Swift concert is and then expect it right then.
Speaker 2: Did they get any credit cards on this?
Speaker 8: Is this
Speaker 2: Did it say anything about credit cards?
Speaker 0: It's just last 4. Slash last 4. Okay. I think it was particularly bad, though, for folks who had reported fraud information. So that was 1 of the other neat pieces of information in another article, as it said if you had reported fraud to Ticketmaster, more of your information was leaked.
Speaker 2: That's interesting.
Speaker 0: I also wonder if this is fallout from another breach because it just said a cloud-based database.
Speaker 1: I thought it was linked back to the Snowflake stuff.
Speaker 0: Third-party cloud database providers.
Speaker 6: Mention of Ticketmaster in their client base back when the initial Snowflake... Yeah. So I'm guessing it is very related.
Speaker 2: Of course, my camera just stops halfway through. So...
Speaker 1: Okay. We don't need to see you anyway.
Speaker 2: I know. That's...
Speaker 1: The majority of the people just listen to this podcast. I had no clue. I thought the majority watched on YouTube. No. Where our...
Speaker 2: Our are...
Speaker 1: We could all just turn our cameras off and we'd get the same numbers, probably. Yeah. Maybe. I don't know. My mustache is pretty famous, but
Speaker 2: My gosh, it's pretty famous. Well, is it? Like... weird flexes?
Speaker 6: Cool. You're right.
Speaker 1: So so much for me not saying weird stuff on lot on stream, but oh well. Alright. What's next?
Speaker 2: Oh sean. Trevor.
Speaker 9: Go short ron.
Speaker 2: Go for, Kelly. Go for it. Hit it.
Speaker 3: Okay. Well, for those of you who may not be aware, there was something of a regulatory earthquake last week. The Supreme Court was busy, quite busy, last week. Basically, the Supreme Court overturned what's known as Chevron deference. The court case was known as Loper Bright. And basically, they not only overturned, but overruled, something known as the Chevron doctrine.
The Chevron doctrine basically says, if there's a law from Congress that doesn't explicitly give directions or clear guidance, agencies such as the FTC, FCC, EPA are allowed to provide guidance for people on how the regulation is meant to be interpreted and then applied. And you might be saying, well, who cares about this? Well, the Chevron doctrine has been in place for about 40 years.
And what's happened over the years is these regulatory agencies have become... can I dare say fast and loose? They've taken more and more interpretations of the laws that Congress has passed, and we've seen more and more cybersecurity regulations come from some of those agencies that I've mentioned. Now you might be saying, well, what does this have to do with me and what does this have to do with cyber? Well, like I said, this is a pretty big deal that this was overturned.
And now a lot of people are looking and asking what's gonna happen to these regulations that the SEC has passed, or the FTC or FCC. Well, we don't know yet. When the Supreme Court actually handed down this decision, they said it's not gonna undo anything that was previously done. So there is binding precedent on what happened before. But going forward, it opens the door for more legal challenges to cybersecurity regulations.
You know, one in particular that has people kind of, can I say, a bit pissed is the SEC regulation on 4 days for cybersecurity materiality. That one in particular has people upset. So I would expect to see more court challenges to some of these cybersecurity regulations. But if you're in G like me, or you're listening to this podcast and you're like, what am I supposed to take away from this? You know, did my world turn upside down this week because of what happened last week?
No. I don't think your world turned upside down. Agencies are still gonna issue their interpretations of the laws that Congress passed. But what's gonna happen now is judges will be able to exercise a bit more discretion on their interpretations; judges are going to be able to have more discretion on whether they believe the agency's interpretation of the law is correct or not. So I do think we're gonna be seeing a lot more legal cases, especially around cybersecurity incident reporting, data breach reporting requirements. And I think it also kind of puts a new light on some of the AI regulations.
I know in our notes we're gonna be talking about the California AI regulation, even though that's a state regulation. So guys, what are your thoughts on that?
Speaker 6: It's big and it's tiny all at once. In what way? It's interesting. It's basically returning things to the state of affairs for the 40 years preceding it.
This is the 40-year overturn. The Chevron doctrine was also a 40-year overturn of the APA, the Administrative Procedure Act from '45, back when we first built most of these agencies. And so, basically, things are now subject to judicial review again, which is the way it actually historically used to work. And so that means things will go to the courts instead of agencies if there is a lack of clarity in the laws that Congress passes. So the asterisk there is what "lack of clarity" means.
One of the interesting things, if you read the actual legal opinion, is that they're very clear about saying that a law does not have to spell out, like, line for line, what agencies can do. There doesn't have to be something that says, you know, the FCC can pass cybersecurity regulations, but there does have to be some sort of definition of the FCC's general mandate. And so where we are likely to see more impact of this, and where legal challenges are more likely to crop up, are agencies that don't have anything to do with either security or technology. So rulings by the FCC are probably less likely to be in the firing line because they are more likely to be upheld under judicial review.
Rulings by security agencies are more likely to be safe. If you've got, you know, the EPA passing a cybersecurity notification regulation, those are the sort of things that are more likely on very shaky footing right now and could be overthrown or overturned in a challenge.
Speaker 3: You know, Loki, that was a great explanation. Yeah, let me talk about my feelings for a second here. This just kind of pisses me off because I feel like we've been banging the drum on cybersecurity regulations for a long time. And we have been inching forward and sort of getting a more disciplined approach to cybersecurity. And now we're kind of on shaky ground. And you know, sometimes in G, we try to encourage and we try to build a team, and sometimes we kinda have to beat people over the head with regulations.
And now that those might be in question, we've... As G people, we've lost a bit of our backing, I'm afraid to say. What are your thoughts on that?
Speaker 6: I think that's true. And I think in the macro sense, this is likely gonna be chaotic and messy and not good in the short term, but hopefully good in the long term. Because with the Chevron doctrine in place, what you had was interpretive authority resting with administrative agencies, most of which are not elected, often appointed, and are subject to very whim-driven changes, you know, when the administration in Washington DC changes. Regulations that are made, you know, one year can be undone 4 years later if you have a different party in power, for example. Part of this going back to the judiciary, and really it's not so much to the judiciary, the idea is to force Congress to actually encode some of this delegation of responsibility into law, which I think is a good thing.
Like, as you mentioned, Congress has gotten pretty fast and loose with passing actual legally binding regulations and just hand-waving it off to agencies. So if Congress actually gets their act together and gets more of this encoded in law, like delegation of authority, I think that'd be a great thing in the long run. It's gonna reduce the amount of whipsawing you get every 4 to 8 years.
In the short term, though, it's gonna be a mess. You're gonna have these legal challenges. They're gonna be all over the place depending on where it's arising. And so it's gonna be a little wet and wild for, you know, the next, call it, 4 to 5 years, would be my guess.
Speaker 9: Well, and the thing that worries me about that short term is the lack of technological knowledge in the judicial system itself. How many of the judicial staff, what are they gonna be talking about? How are they gonna determine, if it's a technological cybersecurity-type regulation, is this a feasible one? Should this be done properly by that? There's so much that goes into it from that back end, and we've seen it not just in the judicial system, but in Congress: the lack of technological knowledge.
That's going forward in regulations and laws overall and in court cases.
Speaker 0: Do we feel like over the next 4 to 5 years, and I love that, by the way, you define the short term as the next 4 to 5 years, because that feels like an eternity in cyber crime, that this is going to give CISOs and CSOs kind of a way out of complying with current regulations because they feel like something might be deregulated?
Speaker 3: I mean, I don't think
Speaker 6: reg until they're overturned. So I don't know. That would be a very dangerous position to take because as he so.
Speaker 3: Well, you know, Andrea, I think you asked a good question there. It's about managing risk. And I do think there are some companies that are gonna say, I've got a team of fast, loose and hot lawyers who can argue the weight out of this. I'm not gonna invest in cybersecurity controls because I don't think I need to.
Other organizations are gonna say, I do wanna invest in this because I want trust with my customers. I think it really boils down to your risk appetite and your culture at your company.
Speaker 0: Sure. I just sort of see this as the opportunity to say, if I'm midstream on a compliance rollout, hey, I'll just kinda wait and see how this shakes out. Yeah. And if it does shake out that the regulation stays in place, that at least gives me a technical...
Technically, some kind of defense later down the line if something did happen and I wasn't necessarily compliant. Just playing devil's advocate.
Speaker 6: I could see that argument being made by some people. The interesting thing is, for a challenge to be brought up, somebody has to basically file a new court case alleging damages, effectively, or that there has been some harm inflicted on them by the regulation. So that's part of the thing: it's not that every regulation that currently exists is instantly under review. That's sort of that whole idea of the existing jurisprudence still applying.
So any regulation currently on the books is still there. But it does open the door for someone to file a new lawsuit saying, I have been harmed by this regulation, it is causing me some kind of pain, I believe it was non-lawful in nature, which will then kick it back to the courts for review. So I don't know.
That's to say, like, you could make that argument. It feels like kinda shaky ground, because who knows if there's even gonna be a challenge to something unless you're gonna file yourself, in which case I don't know that you wanna be the person who's gonna try and battle something up to the Supreme Court.
Speaker 9: The other question I've got is, if they decide to say that the SEC regulation, the 4-day notification regulation, is tossed out, who has the right to make that regulation that actually has some teeth in it? Will the teeth of any of the regulatory groups, such as the SEC, the FCC...
Will some of that be taken out of there, where the courts come back maybe and say, well, instead of 40,000 dollars a day until it gets fixed, you can only charge 5,000 dollars a day? And a company is gonna say, oh, 5,000 dollars a day, that's right on the money. Mh. How do we get it to a point? Because I'll be honest, I have no faith in Congress doing anything proper about this at this point in time that would give it real teeth.
Who do we have that would have the teeth going forward that could force some of this pain?
Speaker 3: Well, if if we elect a dictator, you ui I have some key there. Some...
Speaker 6: The thing, the perspective to keep on Congress, and I know I'm slightly monologuing here, I'll shut up in a minute. The thing to keep in mind with Congress is Congress can delegate the authority in broad strokes. Like, we don't have to rely on Congress having the technical know-how to pass, you know, an encryption standard that makes sense, for example, or anything like that. Like, the right solution to this is for Congress to say something like, agency X has authority within broad strokes to regulate, you know, security, encryption...
Technology standards around things like security, encryption, protection, privacy, etcetera. There's ways to define that legally. I'm not a lawyer, so, you know, don't take those words. But you can define it in broad terms legally in that way. Like, most of the existing regulatory agencies that were set up back in the forties and fifties were set up that way. And that's why they do have broad authority in their areas and can do things like write regulations.
The problem is a lot of the more recent stuff is from agencies that never had authorities in those positions in the first place and just started tacking on, you know, oh, hey, we think we should have this authority. So I think that's the way you get the teeth that stick: Congress delegating, which, again, I have very little faith in Congress in general. I have more faith in them being able to say this is somebody else's problem versus them passing an actual detailed regulation, which I don't think they would do a good job of, nor should they.
Speaker 1: Haven't we seen the states put out better regulations and rulings than the federal government anyway? Colorado? Oh, California. Right?
Speaker 3: See? That's a great segue into our article on California's proposed AI bill. You guys take a look at that. Basically, there's a... It's interesting.
Again, we've got somebody in politics whose last name is Wiener. I don't know where these guys come from. I really don't. Anyway, so we've got a proposal for an AI bill, but a lot of the tech companies are up in arms on this because people are interpreting the proposed law as holding developers responsible in the case that there's...
A catastrophic event. And I really wanna highlight that word catastrophic because that's basically what the bill is talking about. The interesting thing about the bill is it is really getting misinterpreted. First of all, we're talking about risk, who we're dealing with. I think it's over 500,000,000 dollars, and we're talking about AI models.
AI models that lead to potential hazardous capabilities. And the tech community is up in arms saying, hey, hey, hey. You're really, you know, what am I trying to say, you're raining on our... right here, our technology. But I find this really kind of interesting because this is the first time we've got a legislative body saying, hey, before this technology gets off the tracks, let's try and regulate it and think about risks.
And I'm kinda curious to see how this plays out.
Speaker 1: Look up Scott Wiener, who is the Congressman. Or the Congressman, the representative, the senator. Is that what it is? Yeah.
The state senator. I thought he was young. Like, in his pictures he looks pretty young. So he's representing the San Francisco and San Mateo area, which...
Makes total sense for where this bill is going in. Right? If you look at it, he's actually 54 years old, which, maybe I'm reading the wrong thing, but maybe I am. But if he is, he looks like the right type of guy that would be able to at least build some type of law around this, and in the correct area to have the right connections to build this.
I don't know... I'm not gonna read it to the truth, but
Speaker 0: I love that one of the comments in this article is that if it were passed and the state made a mistake using AI, the fines are so high it would put the state in a perilous position. So if government gets it wrong, it might bankrupt a state government office.
Speaker 6: Considering the operating budgets of a lot of corporations, that's not entirely shocking.
Speaker 0: I mean, 500,000,000 seems... given...
Speaker 6: How do they define a catastrophic event? I guess is my question. Kelly, it sounds like you've read the article. Did they get into that a little bit?
Speaker 3: I don't remember, Sean to be honest.
Speaker 2: Yeah. It's it's gone taken article.
Speaker 7: Like, you know, things like, you know, if it gets hooked up for managing power grids, that the AI would... power grids, or enable people to build chemical weapons, I know... You know, another thing that I saw from the article was, like, at the beginning, it says it's asking AI companies to do security testing and implement safety measures. And then in response, Meta was, like, but doing that is gonna make it less safe. So I'm just trying to follow the logic that, like, adding safety measures will make it less safe.
Speaker 0: It's super interesting when you talk about LLM observability and how you're detecting things like jailbreaks and doing output validation, because in some ways, if you are engineering a system that mitigates, like, the Top 10 for LLMs, you are storing potentially a ton of PII, either intentionally or accidentally, simply by logging output. So we're not really at the point yet where security controls for LLMs have advanced to the point where it's not actually creating additional risk if you're logging a hundred percent of the time.
Speaker 4: Did anybody see about... ChatGPT. What was it? Their entire rules being leaked.
Speaker 3: Oh, their forum. They had a private forum that, yeah, they had the data breach where their employees-only forum was compromised, but they didn't tell anybody about it till a long while later. I think that article was in our notes for the show. I thought that article very interesting. They said, hey, don't worry.
None of our LLMs or none of the good stuff was compromised. It was just the forums where we talk about stuff. You know, and from a G point of view, this actually kinda irritates me greatly. And it irritates me because we spend a lot of time talking about the difference between an incident and a breach. Okay.
Well, that's a whole different conversation. But the fact that something happened in a company that people are already concerned about, the technology and the decisions it's making... You know, they had an opportunity to be open, honest and transparent with consumers, and they chose not to be, and that's what upsets me.
Speaker 4: Yeah. And sorry, I didn't mean to jump to a new article. It's just... You mentioned LLMs and that article...
I saw that article today and the risk possible from that made me think of what we were discussing.
Speaker 0: Yeah. I would be curious to hear from the group, like, if you think this bill's gonna stick or land in California, because my guess would be no. I think what we're gonna see is probably something that's the equivalent of due diligence, like PCI, or, if you're not doing your due diligence to ensure that you're at least attempting to mitigate abuse, then you're in trouble. But simply to say, if your model can be used to do bad things, we're going to fine you regardless of the guardrails.
Speaker 3: Yeah, Andrew, that's a good question. And again, let me say, I'm not a lawyer. I'm a security person. There's a difference between due diligence and due care. And before Vice President Harris went into office, she set up a standard of due care for security in California, and that was the Center for Internet Security's security controls.
And that was, here's the minimum standards of good things you gotta do to say you're doing good cybersecurity. So if this bill does pass, maybe, you know, we could talk about, maybe it's excessive and maybe the thresholds aren't set right. But maybe we should talk about due care for artificial intelligence, not necessarily due diligence.
Speaker 0: Sure. I think that's a great definition. Because I think oftentimes we do skate by on the term due diligence, because you can certainly check all the boxes for something like PCI and be diligent, but also not actually care about the data that you're safeguarding. Is that kinda what we're getting at here?
Speaker 3: Or biases or dis... How the decisions that the AI made impact people?
Speaker 0: Yeah. I just think if I was an engineer on the other side of this law, I would be very, very concerned on account of the non-determinism of decisions that are made by models today and how easy it is sometimes to jailbreak or create hallucinations in the current models today, because we literally just don't have a firm understanding of quite how to avoid that yet at, like, a design level.
Speaker 3: Do you think we're back to the conversation where legislators don't understand the technology?
Speaker 0: We never... Yeah. I don't think we've ever left it.
Speaker 2: Or I mean legislative, just the legislation side. Yeah.
Speaker 6: It's kind of the baseline. Right?
Speaker 4: Pretty no problem.
Speaker 6: But I think, to what you're getting at, I do think that it kind of runs through this a little bit. It's like the challenge with any of this is legislators definitely don't understand technology. All you need to do is look through any congressional hearing on anything related to technology for 4 minutes, and that's, like, eminently evident. And I don't think it's different at the state level honestly, though you might have a slightly better hit chance.
So I'm not sure how I feel about this one. I like the idea of getting some controls around AI because I do feel like, societally, we're a little bit too gung-ho, you know, let's go. I don't know that anyone's actually got a good approach to it yet.
Establishing some baseline of due care seems like a potential angle. I think the idea behind this law, from what I can see in the article, of, like, trying to create some liability is also an interesting one. You're going down the road of, like, creating legal liability about not mandating specific actions. In some ways this kind of leaves more leash with the companies to say, like, hey, it's up to you to protect yourselves how you want, but know that if this happens, you know, you're on the hook for it. In some ways I kinda like that approach better than having specific standards. Because specific standards, like, I don't know, in my experience when doing audits and stuff, they very quickly become a box-checking exercise and not something that people are actually sweating. That would be my 2 cents.
Speaker 0: There are some basic behaviors I think that we can define and agree on, though. Like, you know, these things need to foundationally exist in order to even know that there's abuse. And I'm gonna continue to say this over and over: LLM security is really an observability problem. And if you don't at least have the ability to know what data in, data out for your model is, and then know what normal behavior is for the model, you can't begin to even conceive of whether or not it's being used for good or for evil.
Speaker 3: That's a fair point.
Speaker 4: And then the companies need to be honest as well, and transparent.
Speaker 0: There should be a minimum burden on time to disclose, or for specific types of behavior. I can certainly see Meta's argument, though. Yeah, which... I think the argument is, if we don't log, we're actually protecting people because we're not potentially creating just another lake of potentially sensitive data. But I mean, I don't buy that for a minute that there's not at least some telemetry or metrics that are being used internally that couldn't be transparent and leveraged for security, or even transparent security that you could pass out to the customer.
Speaker 4: Well, it's like VPNs saying they don't log. Yeah.
Speaker 2: Of course they don't. It's for your safety.
Speaker 6: Don't get me started on the number of people on YouTube touting VPNs as a security solution.
Speaker 2: Yeah, they're selling something.
Speaker 6: Privacy see. Privacy through Beef.
Speaker 2: I I think
Speaker 0: we should keep track of this, though. I'd love to see on another episode of the news whether this passes or fails, what some of the commentary is around it, because it will be interesting to see who goes first and see how the discussion unfolds, and I think that's gonna inform the next round of proposed legislation.
Speaker 4: I'd like that also... And I'd also like to see if anybody could track lobbyists related to this, just out of my own curiosity. Mh.
Speaker 3: I think we know that there's a strong opinion from the tech companies. But who would be on the other side? Who would wanna see more AI protections?
Speaker 0: I would assume the same people, EFF. Would be...
Speaker 2: Yeah. Yeah on the kind
Speaker 0: of the forefront of that. So, you know, if you haven't pulled out your wallet this year, attendees, to donate to the EFF, that was maybe the time.
Speaker 4: So they've got. ACLU.
Speaker 0: ACLU.
Speaker 4: The EFF is having... They've just got a bunch of new swag that they're out there raising with...
Speaker 0: I really, somewhat interestingly, is kind of at the forefront of the definitions for AI security problems. Obviously, doesn't get involved at a regulatory level, but is certainly doing a lot to raise awareness. And that's just
Speaker 7: that's just people that are concerned with privacy, just, you know, consumers of stuff in general, because this is starting to become kinda that insane thing that gets just thrown into all sorts of products, being like, hey, guess what... It's like there's going to be something tomorrow that you wake up and you go, hey, good news, we added AI to the thing that you use, and everybody wants to collectively yell no.
But it's going to happen on, like, a day-by-day, week-by-week basis, that it's like, okay, you know, this product now with AI, now with more AI. So there would be that concern for, well, hey, is this being secured? Because now you've put AI into my television, now you put AI into, you know, like, I have an AI-enabled coffee mug apparently. Like, who asked for that? And it seems like the era of adding Bluetooth and Wi-Fi into all sorts of things, like, why does my water bottle need Bluetooth? So having AI injected into a bunch of things, consumers are going to sit there and say, well, is anybody, like, thinking this through? What...
What's the security? What's the privacy around this? What, you know, how does this impact me? Because I don't wanna start using a product that has, you know, unregulated AI.
Speaker 3: That question. If we've got Bluetooth and AI in our coffee mugs, how come we can't put Bluetooth on our toilet paper rolls for when they're empty?
Speaker 0: Exactly. I'm gonna... When after this call, it's it's gonna get past...
Speaker 7: Gonna happen. I'm gonna look at that off after this call? It be like, are there Bluetooth enabled toilet roll You can always tell sensor there. Yeah.
Speaker 6: You can somewhere about 45 minutes in when these are the ideas start tapping a new conversation.
Speaker 0: I mean, that's a brilliant idea if you could, you know, kind of know how much of the roll is left in a dashboard of some kind.
Speaker 2: Oh, my god. Great. Safe.
Speaker 6: You just have like a full
Speaker 2: dashboard on Tv. Oh my god. Alright.
Speaker 0: Think of how much housekeeping time you would save at, like, a Marriott, if you could know whether or not you need to go in the bathroom in the first place to replace a toilet paper roll.
Speaker 6: Let's go to something more serious. How about we talk about Midnight Blizzard, maybe?
Speaker 0: Midnight.
Speaker 6: Look... the headline looked interesting. I saw it... Has anyone actually got the full details? So I know this was the hack from back in January, and we had Midnight Blizzard monkeying around in Microsoft with emails. It sounds like there's more to it now.
And is that kind of...
Speaker 0: Yeah. We're kinda just seeing the fallout of Midnight Blizzard still kind of move through government. And I think that's the interesting thing about this is that, you know, we said, probably a dozen episodes ago, you know, we're gonna hear about this for a long time.
And we still certainly are.
Speaker 2: Is this article about them going after the US Department of Veterans Affairs? Correct. For impacted organizations. Right? Yep.
Yeah. Some of these attacks, especially this one, yeah. You're gonna, like you said, see the fallout for a long time. Right? It just feels like...
And the other thing too is that I feel like some information gets kept close to the chest. So we don't get it until it's much later, even though it's been known. Right?
Speaker 0: Yep. But I think this is gonna be kind of the theme of 2024, as we saw all these, you know, sort of non-production-based initial access vectors. And now we're sort of seeing it play out over the rest of the year. But non-production continues to be a big theme for 20 20
Speaker 6: Non-production isn't really non-production in most organizations when you get down into it.
Speaker 2: Yeah. That's kind of like, anything from, like, a security model... It's, like, pre-production. I think maybe that's what they should be saying, because they...
You know, they're using it like production, and then they're just moving the same code over, but it sounds like those secrets are not necessarily separated as much as you would think. And especially when you get into these really large organizations like Microsoft, for example, who values your security and privacy very highly, you're gonna run into issues that, you know, there might be some bleed-over, which is what happened. Right? I mean, just give it some time for, you know, a nation state to find out what you don't want other people to know.
So... Yep.
Speaker 6: The other thing with that size is you get the localization problem. Right? Where you have the different pockets of the organization operating in different ways. So even if an org as a whole is in a good spot, you will find the local spot where we've got, you know, the rogue resources, you know, from that last dev exercise we did, sitting over there on...
That's vulnerable and waiting to get popped.
Speaker 2: Good.
Speaker 4: So, oh, I was just summit... Brian brought the the Japan, winning the war against flat. Or Bagel? Excellent. Sorry, Bro.
Speaker 8: Yeah. I'll jump in on it. So... Yeah. I saw the article in our list, Japan's government finally stops using floppy disks.
And there's this funny quote, that they finally, quote, won the war on floppy disks. Because I did not know there was a war on floppy disks going on in Japan. I mean, a cold war. Just, they won. So congratulations to Japan.
The considerations to
Speaker 4: club having ventures.
Speaker 6: Having lived in Japan 20 years ago, at a time when 24-hour ATMs, this is 20 years ago we're talking, like, you know, 24-hour ATMs were a new innovation, it doesn't shock me to see this story at all.
Speaker 2: I feel like floppy disks are, like, a security feature at this point. You know? Well, how many people... Yeah.
3 and a half or 5 and a quarter, can even read a floppy disk. Right? I mean,
Speaker 8: I wanna even plug that anxious even
Speaker 6: know what a floppy disk is.
Speaker 2: Wow. You... Even... It's
Speaker 9: not a floppy disk, it's the save icon.
Speaker 2: Yeah. Say. Why do you have
Speaker 7: save icon. Yep.
Speaker 4: Even optical disks are a security feature at this point. I mean, I've bumped into so many people that I've been mentoring, and they don't have a floppy drive and they've never even used one, nor an optical drive.
Speaker 2: Yeah. And then it's DVD, Blu-ray, all of it. It's kind of book. K. Going in the way.
Speaker 6: You can get that on a PlayStation. Right? It's got a slot in the side that you...
Speaker 2: Yeah, yeah. Sounds like the 5-year-old model. The new model, they pulled that one. Is
Speaker 8: that right? There's no DVD drive on a new PlayStation?
Speaker 2: Yeah. I brothers.
Speaker 4: So you
Speaker 6: don't get an either either flavor.
Speaker 8: Yeah. Oh.
Speaker 4: So, this floppy article. Didn't the nuclear arsenal of the US just... Finally, end of, like...
Speaker 9: 2019. Yeah.
Speaker 8: Yeah. Yeah. I mean, they actually mentioned it in the article. Yeah. Mh.
Speaker 2: That... They actually touted it as a security feature, though, why they were holding onto it. So I don't know if that's actually a good use case. But anyhow, now.
Media is dead. It's all digital now. So
Speaker 8: apparently, there is really a smart toilet paper monitor.
Speaker 2: Yeah. When everyone else is Googling this right now, literally. Where's one?
Speaker 6: We chatted the research for us.
Speaker 7: Oh. That was what's the second 1. Yeah. Because I we my phone 1 earlier.
Speaker 4: We all work in security, so unless we're doing research on it, none of us are gonna have this in our house. Right?
Speaker 2: Yes. Yes. I just wanna hack this so I can find out really how much toilet paper you're using. Right? Like,
Speaker 4: I just wanna play Doom. I wouldn't play Doom on it.
Speaker 0: But if you can get it to report back, like, false positive data, you could potentially DoS somebody with toilet paper.
Speaker 8: Oh, denial of that super time.
Speaker 4: That's you.
Speaker 3: This goes back to the Seinfeld episode of Elaine asking, can you spare a square?
Speaker 0: Yes. Very important. Speak to the things that are as old as the floppy. True.
Speaker 2: Oh my gosh. Did do did we talk last week about the the Trello Authy two-factor phone number breach?
Speaker 0: This 1 was kinda mid.
Speaker 4: Yeah. I happened between the 2.
Speaker 2: What's up?
Speaker 4: I think it happened in in between last month now.
Speaker 3: Talk about it, Ralph.
Speaker 2: Yeah. So, I guess, Trello lost a bunch of phone numbers for their two-factor app, our... So Trello has this two-factor app called Authy, and it's kind of like their own rollout of, you know, one-time passwords, you know, similar to the Google Authenticator. Right? I'm pretty sure it's compliant so you can add those one-time passwords inside of this application.
But it uses phone numbers inside of it to do the authentication process as well, and attackers managed to access those accounts and, a bunch of Authy accounts. And then in turn, they ended up getting a lot of phone numbers.
Speaker 4: Yeah,
Speaker 2: So I think it was like, 33 million?
Speaker 4: Yeah. I think it was it was around that, and they also specifically were able to identify the ones that used Authy, if I remember correctly.
Speaker 2: Yeah. Yeah. So kind of interesting. Phone number is also pretty powerful too and you're like, what? Why?
It's because they can be using the social engineering, like, an attack chain. Right? Getting someone on the phone, having some information about them, being able to connect the person with the phone number, and then, possibly with their two-factor application or two, you know, Authy or whatever it is. Right? These also can be used in more sophisticated attack chains to gain access to accounts.
So...
Speaker 4: Yep. And and and scams and all kinds of things.
Speaker 2: Oh, yeah. The list goes on and on and on, but Authy encourages you to have heightened awareness around texts that you are receiving.
Speaker 0: Or maybe you just don't use SMS for 2FA, if you care.
Speaker 2: Yes. And can we just talk about that every website that has only SMS for authentication is bad. Additionally, every website that only has email for your two-factor, that's not two-factor. Like, that's, like, you... You're...
If I have access to your email, then I have access to, like, everything then.
Speaker 0: It's it's else?
Speaker 6: I'm mostly with you on that, although, if you if you had to have them have SMS or nothing, I'd still take the SMS. It's still something.
Speaker 2: Yeah. Yeah. And
Speaker 4: so because you're...
Speaker 6: You know, you know the way most companies would react if we all just said SMS is worthless, so they would just drop SMS and not replace it with anything.
Speaker 2: Yeah You know, It's just too... It's too different say We've lost it. Yes. We've lost it.
Speaker 3: Ask can I wanna
Speaker 0: are really making headway? So, like, passkeys are the answer to this. The answer to the democratization problem. And the "what if I can't afford a smartphone" problem.
Speaker 2: So so, yes. Passkeys, I think, are the answer, and they might be the answer to kind of the password in general. Right? But they do have a couple little nuances for people who haven't set this up. One is that the security feature of a passkey is you can't make a copy of a passkey.
Right? So you can't actually move a passkey from one account to another account or another device or whatever. So the solution is you just add more passkeys to your account. So you just, you know, put it on a bunch of different devices. Right?
But the benefit is, obviously, there's no password. Right? And it's associated with your account. So technically, a website can just ask for a passkey. And when you respond back in that challenge response, it'll know which account it belongs to because no two people can have the same passkey. So
Speaker 4: wasn't there... And I I might be remembering something wrong, but weren't some of the stealer logs actually intercepting the the passkey transmissions and and being able to basically compromise accounts through that?
Speaker 2: I am not aware of that. So the way the passkeys work is that it's pretty much a challenge and response. It it's it's equivalent of, like, certificates. Right? And it's a bit more complex than that, so I'm not gonna, like, sugar coat it that I know every single detail. But the one detail that I know about their functionality is that you can't man-in-the-middle these.
Okay? So you can't capture the traffic or replay that traffic in the middle, be able to compromise the key. Right? The one device that signed it is the only device that can utilize it, which is why you can't transfer these keys to other devices. Like, you can add a passkey on your phone and then move that to a different kind of device that supports passkeys if that makes sense.
Right?
Speaker 4: Yep.
Speaker 8: Is the is the passkey used for every single transaction that happens? So every... Like, I'll... You know, you sign into a web application? And your browser is assigned a session cookie or a session token.
And then that token goes back and forth in every request. So Yeah. Is the passkey used in every single request? Or are you still getting a session token you're...
Speaker 7: That you...
Speaker 2: Hold on. So the... Wait, the thing is. You will get a session token. But the problem is your authentication will fail if someone's in the middle to intercept that session token.
Right?
Speaker 8: But but your cookie could still be stolen by a stealer or some other form of malware. Right?
Speaker 2: If you're already logged in or you had a valid session on that site, then yes. The passkey would not protect you. What it does protect you from is if you try to get in the middle to wait until that session token gets involved; when they send that passkey, it won't authenticate.
Speaker 8: Got you. So it's a solution to things like adversary-in-the-middle, but not necessarily a solution to stealer malware.
Speaker 2: Yeah. Well, yeah. Because stealer malware, where if you're already logged in and that session token, that Hvac is on your on your device or whatever other authentication mechanism they're using, it's most likely a cookie. Yeah. They're they're gonna have access to that.
So... Yeah. Gotcha. Just just
Speaker 0: think of passkeys as it's, like, a TPM-backed hardware implementation of a WebAuthn dongle, like a key or something. So these are words.
Speaker 2: Sure. It is. But it but it's digital. So you don't need a key to do passkeys. Right? Like, you it's not...
You don't need that third party device. You don't have to go buy a device, which allows more people to get into it without having to go buy a YubiKey or whatever other, you know, second factors.
Speaker 0: It's it's. It's democratizing the... Yes. The the improved second factor dance.
Speaker 7: Mh.
Speaker 4: I I just... I personally wish YubiKeys were more readily available and and more... And more affordable and and accessible to the the general non tech population.
Speaker 0: I mean, that... That's the legislation that we need. Is it or and every time you pay your taxes. Like, when you turn in your federal return and they just... Data
Speaker 2: mail you these things. They're actually... You know what? Here. I've I've got the solution.
Got a solution. To do your taxes, you have to add a YubiKey.
Speaker 0: Now when will pay their taxes. Although,
Speaker 4: you're you're your male.
Speaker 2: I just got a key chain pulling.
Speaker 0: We we had talked about bandwidth poverty on the show and there really is, like, second factor. Poverty, which is what's driving. A lot of, these companies to keep it On. Just to bring it full circle back to the article. It's really just that there's there's a ton of devices out there globally that are are very, very old in Mh.
Economies where people just can't do anything else. Yep.
Speaker 2: Yes. Yeah. No, definitely bandwidth poor, password two-factor poor, all these things. I mean, they all cost money too. Whether for the organization or the person in general.
So... Yeah. Absolutely.
Speaker 4: And and even if it's just for the for the for the customers in general, the organization needs to adapt for their customers. So they might they might adopt the lower security posture because of that.
Speaker 2: Yeah. But, yes. SMS authentication is bad, plenty of different articles and, not just articles, but examples of attacks, the SIM swapping, all the other fun stuff. And you know, Authy. I will say one last thing with this particular thing is that if you've ever used Twilio, the actual, you know, what is it, service that you can use for cellular and phone and all the other fun up?
They make you use Authy with that service to this day? Yes.
Speaker 4: Oh, yeah.
Speaker 0: I believe this is the... Also the second time this year that Twilio has had a major breach.
Speaker 4: I think the I think there was 1 last year. Or it... It might the... It was... It wasn't...
It was within... Within the time frame last year
Speaker 0: over the last 12 months, yep. Twilio had another major breach. So... Mh.
Speaker 2: You know, I I noticed a trend. Some companies really kinda hit the dart board a lot. Like, they hit the board often. Right? We need bingo cards.
Bingo cards. Yes. Have you been breached again this year? No. You're doing it?
Alright. I think that is about it. Thank you, everyone, for joining, and thanks everyone for listening to us rant. And we will see you guys next week with the same cast or a new cast or who knows?
You never know. But again, everyone, thank you for jumping on, and we will see you guys next week.