2024-07-18 - Absolute Madmen
S:E1

Summary

00:00 - PreShow Banter™ — Absolute Madmen
02:28 - BHIS - Talkin' Bout [infosec] News 2024-07-15
03:18 - Wi-Fi Forge
07:31 - Story # 1: CISA Red Team's Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth
22:39 - Story # 2: AT&T says criminals stole phone records of 'nearly all' customers in new data breach
33:35 - Story # 3: FTC study finds 'dark patterns' used by a majority of subscription apps and websites
38:48 - Story # 4: Club Penguin fans breached Disney Confluence server, stole 2.5GB of data
41:52 - Story # 5: Heritage Foundation Exec Threatens 'Gay Furry Hackers' in Unhinged Texts
47:51 - Story # 6: German Navy to replace aging 8-inch floppy drives with an emulated solution for its anti-submarine frigates
50:14 - Story # 7: 1.4 GB NSA Data Leaked Online – Email Address, Phone Number & Gov Classified Data Exposed
53:56 - Story # 8: Hackers Claim to Have Leaked 1.1 TB of Disney Slack Messages

Speaker 0: Corey, I was talking about, when you weren't on the news, how, like, I listened to the news for the first time.

Speaker 1: Yeah.

Speaker 0: It was our ice cream show, when we talked about ice cream, and I was like, why does anybody listen to this? Like, we're absolute madmen. Like,

Speaker 2: wait. I don't remember. Oh, you mean the ice cream machines? The ice cream machines... No, the McDonald's thing.

Speaker 0: No. We're talking about, like, how I went to an ice cream,

Speaker 2: convention.

Speaker 0: Convention. Right? And then, like, first we were talking about Midnight Blizzard. And then, like, it was like, what would we... Like, that sounds like a good ice cream game.

And I'm like, I wouldn't listen to this, and I turned the podcast off. Alright, I'm out of here. That was the first time I ever listened to us. Well, at least one that I was on, to tell the truth.

Speaker 2: So I guess.

Speaker 3: I think some of us listen... Some people listen to us because we are so wacky, off the wall.

Speaker 2: Let's just hope, let's just hope it... Most of the people, I will say, like, to get serious for a second, most of the people I talk to that watch or listen do it while they're doing something else. They have it on on their commute, or they have it on in the background while they're working, or they're, you know, doing something else. So it's not like people are just sitting here being, like,

Speaker 0: What are they gonna say next?

Speaker 2: Tell us about the ice cream. Like, you know, it's fine. Plus, I mean, it's a podcast. Just hit that 30-second skip if we start wandering into a topic you'd rather not hear about. Just

Speaker 0: Hi. Who doesn't wanna hear about it?

Speaker 2: Or you can do, like... I don't know if anyone's ever done this. You can listen to books and podcasts at, like, 2x.

Speaker 0: I knew you... I hate that. My wife does it. I'm like, how do you, like, enjoy the book like this? Like, this is not...

Speaker 3: It depends on the reader. Some of the readers, some of the people, they speak so slowly that you bump it up a minute and a half, at your 1.5 speed, and now it's a reasonable amount of...

Speaker 2: Totally.

Speaker 3: Throughput, you know?

Speaker 2: Also Overcast, which is the podcast app that I use, has this thing called Smart Speed where it doesn't change the speed, but it cuts out gaps. So, like... It cuts out pauses and, like, timing, and, like, so everything is quick. That's what I mean...

Speaker 0: That's impressive. Let's... Braun wins.

Speaker 4: Everybody needs to talk like Walter Cronkite.

Speaker 3: I miss Walter.

Speaker 5: How the cookie crumbles.

Speaker 3: I miss Walter. I remember, you know, when reporters did actual real journalism and they recorded the news. But I'm old.

Speaker 0: Too bad we don't report this.

Speaker 2: Hello, and welcome to Black Hills Information Security's Talkin' 'Bout News. It's 07/15/2024. Today, we're gonna talk about AT&T being breached. We're gonna talk about CISA doing a red team roughly a year and a half ago and now just getting the report out.

We're gonna talk about the Heritage Foundation hack. There's all kinds of hacks. We got hacks on hacks, and we're gonna submit fraudulent identifying documents using AI as part

Speaker 6: of the show. So let's go. Very cool. Alright.

Speaker 2: So I feel like we gotta go AT&T first. Right. Well, I... John, right there.

Speaker 0: I thought we were gonna talk about the class or something.

Speaker 1: We wanna talk about the free cool shit real quick?

Speaker 5: Oh, yeah. Pretty good.

Speaker 2: Cool. Yeah. I like those words.

Speaker 1: So I think Ryan's got it up. So this is a project that Ben and Joe, two of the interns this summer, just got working. You can get the link. We're gonna post it out there, but it's basically a GitHub repository to a tool called Wi-Fi Forge.

So if you wanna learn wireless hacking and wireless hacker type things, one of the big problems about trying to learn it is it requires you to have gear. Like, you have to have an access point if you wanna do enterprise stuff, you have to have the right wireless card, you have to set up all these different things. And this allows you to completely emulate a full wireless setup and run all of your hacking tools directly from Kali on this wireless network. It's a project called Mininet that we had to update... Actually, we forked Mininet completely, which is a wireless simulation suite, and then we had to update a bunch of the headers and everything.

But it allows you to completely emulate an entire wireless lab where you can learn all of the wireless lab hack type things that you would ever want to do, and we have... I have a list of all the labs that are part of it right now. Wi-Fi Forge is set up so you can do bettercap attacks. You can do Wi-Fi authentication capture, you can do packet capture to hccapx conversion and hashcat cracking, Aircrack suite tools where you can get pre-shared key recovery, cracking WPA handshakes with aircrack-ng, Eric Get, denial of service attacks, capturing Active Directory credentials with evil twin, cracking NetNTLM credentials with John the Ripper, and then rogue with Wifiphisher, and then WPS exploitation and WEP key cracking as well.

So this is all free. Like I said, Ben and Joe are the main people behind it. But this is just the kind of thing that we're trying to do at Antisyphon Security Training: to release as many resources out there to the public as we possibly can. And full step-by-step instructions to get the Docker instance set up and get it running quickly in your environment. You don't have to have any specialized hardware, just a system that can run the Docker container.

And you're off to the races learning about wireless attacks. So, check it out. Pretty excited about that. There will be a full webcast doing a walkthrough.

We will eventually probably have... With this many labs, there's probably gonna be a class out there as well. So take a look at it, y'all. I wanted to start actually with some good news.

It's been kind of a... past few days. So I figured we'd start with that. Just some shit you guys can play with.

Speaker 2: Truly, like, Wi-Fi training was always a tough thing, like, for a company that has pen testing. It's like, okay, we need to train you up on Wi-Fi stuff. I guess you're gonna fly somewhere and just watch someone else do it. Like, it's off the wall.

No. It's kind of a long process.

Speaker 1: How do... We can send you a kit with all of the attack stuff in it. And that's... it's a tough thing to learn, to get the right gear to be able to learn it. But this should make it a lot easier for people.

Speaker 0: I remember having to buy the... like, you actually issuing out, like, here's the exact Wi-Fi adapter to buy. And then I bought it.

Speaker 1: Serial number?

Speaker 0: Yeah. And then I bought it, and then they shipped it to me, and it was the wrong one, and I'm like, well, it looks like I'm just gonna watch the Wi-Fi stuff. So, yeah. This is perfect. Yeah.

Speaker 1: Well, that was one of those things I like about some of the classes, like at Black Hat and at the previous organization I used to teach at. They used to have stores where you could go and buy all of that gear. And there were people that weren't even taking the wireless classes, and they would go and buy as many of the different gear sets that they could possibly get, because that was the only place you could get some of them. Yeah. Like I said, this makes it all a lot easier.

You don't need to have a specific Alfa adapter and set up your own infrastructure to do the hacking. It's all there. So yeah, be on the lookout, it'll be a webcast. And by the way, we have more cool stuff that we're working on that we're gonna be releasing to the public as well.

Speaker 2: Cool. Now let's get all doom and gloom and talk about breaches for, like, half

Speaker 1: an hour. Oh.

Speaker 2: Okay. We could also start with the CISA thing.

Speaker 7: No. I mean,

Speaker 2: this is kind of uplifting.

Speaker 1: Let's start with CISA.

Speaker 8: Let's do it.

Speaker 2: Okay. CISA report review process takes roughly a year and a half. What have we learned? What recommendations

Speaker 1: for what the red team will sell

Speaker 2: Basically, CISA posted... the title of the blog is a little bit of a mouthful. CISA Red Team's Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth. Oh, which got homes. And their own... They're kinda tooting their own horn and saying, we do red teaming, calling it SILENTSHIELD in all caps, which I still think ANTISOC is cooler than SILENTSHIELD, but I'm biased.

Yeah. Basically, they're talking about a pen test in early 2023. It's kind of a cool little read if you're into pen testing, which if you aren't into pen testing, I'm very confused as to why you're here, but yeah. You know, they have some lessons learned. They have a little bit of an executive summary, you know. They actually didn't get in.

That was kind of interesting. They kind of said that. They were like, we tried to get in from the outside. We didn't get in, but then we started from the inside and we kind of... connected back to where we had established access.

So, overall, it's a pretty good read. You know, I don't really know. Does anyone know what the civilian executive branch is? I have no idea what that is. Does anyone know what?

Speaker 1: It would be underneath the presidency, the executive branch.

Speaker 2: Right. But it's one that really exists...

Speaker 8: Agencies is so vast, though. That's the...

Speaker 1: Yeah. Like, think about it as, like, Department of the Interior, Department of Transportation, okay.

Speaker 2: Could be the EPA or something like that.

Speaker 1: Yeah. Yes.

Speaker 7: I have a little gotcha.

Speaker 0: I have a list. Do you want it?

Speaker 1: No. God. No. Please don't.

Speaker 2: Is it just a random list of every three-letter acronym?

Speaker 0: There's some four-letters in here.

Speaker 1: There's fours? Maybe some fives.

Speaker 0: AACUS.

Speaker 2: Okay. There's actually not that many. There's actually not that...

Speaker 0: Oh, there's some long ones. There's ones that... the DFB. You don't know who that is. You know that. The...

Speaker 2: Do you think this is fancy

Speaker 0: color facility safe, that's right.

Speaker 2: Everyone in chat, go look at the list and see who you think we're targeting with the pen test, because there's some pretty funny ones in here. Fine Arts.

Speaker 1: I hope it was them. I hope there's just stellar.

Speaker 2: They... What is that? It's like, oh, yeah. We have a... is

Speaker 1: it fresh?

Speaker 2: Like, what's the goal of the pen test? To steal the Mona Lisa? Like, I don't know. Anyway.

Speaker 0: It's definitely the marine mammal.

Speaker 3: We don't have the Mona Lisa.

Speaker 1: It's not... It visits every once in a while, bro.

Speaker 2: Yes. That's why it's... That's

Speaker 7: why. Yeah, yeah, anyway.

Speaker 2: So...

Speaker 1: But this brings up a couple of different things that are kind of frustrating for me, and I'm gonna try not to get too ranty, but why is CISA doing pen testing of any kind? Like... And we see this from time to time. There's organizations that we work with where CISA comes in, whether it's on the SOC or on the pen test side, where we hear, it's like, well, CISA was here a month ago and they did our pen test.

Why is a government agency doing pen testing?

Speaker 2: I don't know. I like it. I like it. You don't like it?

Speaker 1: No. I don't. Because

Speaker 2: I like it because it's like, it's just the baseline pen test.

Speaker 1: Yeah. But they still call it a pen test, and a lot of times... well, wait. I've seen some CISA pen tests that are pretty solid. But I've also seen a bunch of them that are literally Nessus results.

Speaker 2: No, no. That's... Whoa. Whoa. No.

You're talking about Shodan results there. That's... this is way too in-depth. Yeah. I'm not even joking.

CISA has... that is the standard CISA test. It is, we looked at Shodan and you are screwed. Which is genuinely, like, I would argue, like, I tell pen testers, like, if you're not doing that, you weren't doing a good job. Like, you need to... Your first thing should be the obvious stuff.

Right? Like, I think they're actually kind of... I don't know. I'm... Maybe I'm biased.

I don't know why I'm coming out in support of CISA, but I am because I think, like,

Speaker 0: Right

Speaker 2: doing a baseline pen test, and also from my perspective, gives us a chance to say, oh, you had a CISA pen test. We're about to blow your mind. Right? Like, we're about to... like, you know what I

Speaker 1: needed expectation.

Speaker 8: Yeah. So you're there... it's free. The market's free.

Speaker 2: I got it. Yeah. They are free. So I'm... I definitely support the government giving out free pen tests.

Of all the things they could give out. And, like, to the people who can't afford a pen test or don't know how or whatever. I'm here for it.

Speaker 0: I need a pen test. I'm gonna go ask them.

Speaker 1: I will

Speaker 8: say their defense... It's a pretty nice report they published. Like, the actual blog post. It's got, like, a good rundown of what they did.

Speaker 1: I... And all of my testers at BHIS are, like, hey, could we have a year and a half to submit our reports?

Speaker 0: I'll give them... anytime someone actually has ATT&CK TTPs in there and then links off to them. For some reason, that's just not common knowledge, but that's literally my favorite thing. Like, I one time got a text message from a red team, and they had the ATT&CK... Like, the MITRE codes, and I was like, I love you so much. This is the best.

Speaker 2: Yeah. No. I mean, it's CISA. So you... You know, the...

I guess how I see it is, I actually kind of like having a government-level standard for, like, what is a pen test? What is a pen test report? Like, I think it's, you know, I don't want it to be, like, we have to do it this way, but I think it's cool to see, like, to benchmark yourself. Arguably, like, the government is... should be the most transparent organization.

Right? So, like, yeah, we're not gonna see pen test reports from, you know, TrustedSec or Black Hills or other industry leaders, but no, we'll probably see it from CISA.

Speaker 1: There was a website, a GitHub repository, that had a whole bunch of pen test reports from different companies. Now a lot of them are more sample reports. I can't remember what that was.

Speaker 2: I remember. But those are all super old. Like, that's a GitHub repo, and those are all... They're... I don't know...

I'm not a huge fan of those. I think this is actually more realistic of, like, what... where things are at now.

Speaker 5: Yeah. Here we go.

Speaker 2: I don't know.

Speaker 1: Cool. And, I got it. I've got it right here. I can share that

Speaker 2: there are some sources out there

Speaker 1: and it hasn't been updated in a while. Yeah. It's not... holy moly.

Speaker 2: This is one of those things. There isn't anything that I would recommend someone actually look at. I mean, there... We actually do, by the way. We have a published sample report from Fernando.

Right? That we've... That we share out, which is really awesome. But it's based on the cyber range. It's not based on a real op.

It's

Speaker 1: not... six months ago. Okay. It's not that. There's still stuff out there.

Speaker 2: These are... Yeah. These are... I guess, yeah. There's some... more is better.

When we're talking about reference material for a pen test, more is better. I mean,

Speaker 7: we'll leave shit. We're not here. Oh, man. No. We're

Speaker 1: not. Fuck the?

Speaker 5: Get what, no

Speaker 2: We're not, because we don't publish our pen test reports, because people paid good money for...

Speaker 3: Oh, we do have samples. I've redacted a bunch of sample reports.

Speaker 2: Oh, well, then we try out. Alright. I'll make a pull request after this. But... Yeah.

I mean... Basically, I think, first of all, I support the government red teaming agencies that probably otherwise are never gonna pay for a pen test. Like the Commission of Fine Arts. I also support them publishing their results, not like the test results, but the overall, like, here's how CISA red teams, because while we might read this and say, well, we already do all this stuff and more, a lot of pen test shops are gonna say, this is a lot of good ideas that we aren't doing.

This is a lot of stuff that we aren't doing, and they have now... They can go to their bosses and say, we need to do better at pen testing. CISA is doing better pen tests than us. Alright. Like, that is... So.

I'd like a

Speaker 0: little bit more information, like, how you said, on who they actually tested. So then we can use this as, like, the end-of-year report for CISA. Be like, hey, here's all the pen testing we did. There's this number of people. Not...

They don't have to give us the exact names. And here's the most common, like, attacks we see.

Speaker 2: Like a government... DBIR.

Speaker 0: Yeah. Exactly. Exactly. Exactly. A DBIR from...

I agree.

Speaker 2: I would love to move away from a private company doing the DBIR.

Speaker 0: DBIR, it's good, but they gotta just swallow the pill and start using MITRE ATT&CK. Alright. Like, no more of this VERIS stuff. Like, we... Everyone else has switched.

That's my two.

Speaker 2: But the problem with the DBIR is... Well, there's many problems. The biggest, about my thing, is they just make up categories and then they build graphs in those categories.

Speaker 0: It's almost as bad as wearing a MCA t-shirt. You know? Like, it's just right there.

Speaker 2: I don't know what you're talking about.

Speaker 1: No. No, god.

Speaker 2: I'm not gonna go full back and be... It's fine. It's fine.

Speaker 5: Yeah. I think one notable item that I saw from this CISA is the... You know, they called out that they found, like, these cross-organizational attack paths. So they found all these different partner organizations. And normally, on a pen test, you would go, oh, that's a...

That's a partner organization, like, stop. Like, that is a big time-out, do not attack the partner organization. And so it was like, well, actually, like, we have the authorization to, like, go after them too. So they did pivot into these other cross-organizational, yeah, you know, partners. And I think that yielded a bit more insight, because that's something that's unique, that you don't go, hey, I compromised one host, and, hey, there's a...

It has a trusted relationship with this partner. Let's compromise them. And then okay, from there, let's comp... You know, start chaining these partners, because that's what attackers do. Partners... they're not going to sit there and go, oh,

wait a minute. I got into one domain. This is some entirely different target altogether. No. No.

No. We're gonna... We're... Threat actors, we have morals. We're not going to go after this other partner no matter how... so they are.

No, they're going to go after that other partner.

Speaker 2: Totally. Yeah. I mean, I think that, like, I guess the way I see it is, in the industry a lot, I struggle with what is a red team? I mean, like, you could ask 10 different people what a red team is, and they would have 10 different definitions, but in my mind, this is what red team is.

No scope or broad scope, including, like, just asking the company if you can hack one of their vendors or their partners, like, and them being like, yeah, sure. Like, that is what a red team should be. It should be broad scope. It should be opportunistic, and it should be long running. Right?

Like, that is... I think it's... Well, it's not like a red team which is, oh, well, you know, we phished, and then we just did an assumed compromise. Like, it's actually...

Speaker 3: So you're saying have no more two-week engagements for a red team.

Speaker 1: Yeah. That's kind of what we're trying to get away from. Right? Yeah. They're, you know, red teams... the red team books... supposed to emulate what the attackers are doing, and this goes back to Corey coming to me, what is it, a year and a half ago.

And, like, you look at all the problems of red teaming. Like, you get a very tight scope and time. And that's the biggest limiting factor, is the time is so tight. Like, two weeks or one month. Like, an... And that adversary is not going to do that.

Right? Scope... They're gonna come in low and slow. It's like a customer says, hey, we want you guys to hack us like a real adversary would, and we want you to do it in one week. And immediately, they pick up your password spray. Whereas an attacker will run the password spray over a month.

You know, those are the types of things that you should be doing. Or the one that we talked about, Corey, was a lot of times an attacker will sit and wait on a network, like, until an exploit comes available, and then immediately they take advantage of that exploit. So totally, it's kinda... because I think it all started, Corey, with Wix, we were all walking around and like, hey, red teaming sucks. We're not doing it the way it should be done in the industry, and we wanted to do something different. Continuous pen testing. Absolutely.

I mean,

Speaker 2: I'm biased. But, like, you know, as an example right now, I'm just in one of my customers' ticketing systems just waiting for a good ticket. I'm just waiting for a ticket I can... either with credentials in it that I could just piggyback straight on, or I'll just, like, inject a document where it really shouldn't be.

Like, that's APT thinking. Right? I'm just, like, eventually there'll be a ticket with juicy info, and I will strike when the opportunity comes. But if you're doing a pen test, like, what do you do? You can't wait for a good Jira ticket to roll in.

You gotta, like, you know, you gotta get out.

Speaker 0: I wanna play a little bit of devil's advocate here from the blue team side. Most red teams that we do go through, you know, aren't very good at reporting or confirming that that is them when we find it. So we have to go in full incident response. Like, no one...

Like, no one's good. No one's as good as you guys at, like, actually writing a report or giving that information. So when I'm out there building detections, and I come across some obviously blatant bad stuff, and I press the shit alarm. And then, like, oh, no, that's, like, the actual red team that we're having, but we forgot to tell you about and forgot to report it because, like, the team X, Y, and Z. Like, for those...

Those larger organizations, the communication... that the red team is continuous. Like, I... I'm sure you guys have it down, but I haven't found anyone else whose communication is that great.

Speaker 7: Better for

Speaker 3: a days.

Speaker 1: So that's all funny it's mentioned. That'll... One of the... Yeah, that's a feature of the continuous red team. Right? Like, we aren't showing up, wham, bam,

thank you, ma'am. We'll see you next year, maybe. It's literally... Corey can't run. Like, you know, we're doing those types of things.

It's a year-long contract. He can't just smoke bomb and... It's

Speaker 2: suit... literally.

Speaker 1: And then also the way that... And I've seen some other firms that kinda do this too. Like, I know I'm working with Red Siege on a continuous red team, and that's something that they're doing as well. Wanna do a shout-out for other firms that are doing this. But when we're doing it, the integration with the ticketing system.

So if somebody's like, hey, is BHIS running an attack at the moment, there's somebody in that environment that can go into the ticketing system and see what our team is doing. Like, yes. This is the other side of that, which brings back to kind of the big thing: why the hell are we still reporting this crap in Word? Like, I love the way that we do reporting at BHIS. I think it's great.

I... It's wonderful, but it all goes back to years ago. When we first started doing pen testing, when I first started doing it in, like, 2002, 2003, it was literally, if we hacked you, we got shell, we were done. We're, like, got shell. You know, that was kind of the sole determination of whether or not we were successful. And when Ed kind of developed the new kind of way of doing reporting, wanna say 2006, 2007, a lot of it was to try to show value, but also to show that the people were putting in a good 40 hours of work in a week.

So it's almost like that Dilbert cartoon. It's like, we wanna make sure that you're miserable in what you're doing and producing this work output, but hence the Word document pen test report was born. So now a customer can get this and be like, yes, this looks like 80 hours of work here. But it almost always had to be chopped up into little bites.

And then converted over into tickets for actual work items to get done. So it's kind of like, at some point, the industry has gotta start skipping that step and just start integrating with customers' ticketing systems so that the work items can get done faster.

Speaker 0: I thought you were gonna go full-blown, we're going to do an ad for... City or...

Speaker 1: No. No. No.

Speaker 0: We're not using Word. We're using Notion from here on out.

Speaker 2: No. No. I mean. Full disclosure. I, like, I, we...

I kinda derailed the whole podcast, but full disclosure

Speaker 7: did.

Speaker 2: And continuous pen testing uses Jira. We do not do a Word doc. The Word doc just says you got a pen test. Whole... Congrats. Now, here's... all the findings are in Jira.

Speaker 1: Yeah.

Speaker 2: Anyway, let's talk about AT&T. Let's talk about the breach.

Speaker 1: Yeah. Let's move on to that.

Speaker 2: Let's talk about... So AT&T, people might have heard of it. Large telecom company. 110 million customers had their records disclosed. I guess, does anyone know, is this tied to Snowflake? I feel like, yeah, got it.

You know, sounds like

Speaker 1: it is.

Speaker 4: Got it. What it keeps saying about it is that this is AT&T, and if it's the same way that all these other Snowflakes were, they didn't have multi-factor on their data lake.

Speaker 2: Absolutely.

Speaker 4: Yeah. What is AT&T doing? I mean, this is AT&T that spouts security, that spouts, we are the best, and no security on their back-end data at all.

Speaker 2: Well, it's the third-party risk management. Right? We talked about it at the beginning of the year as being the CISO's worst nightmare, and it's totally expanding on that. Like, it's all about third party, and I will say, I've been talking about this to a few different people. And I think it's one of those cases where, like, the business teams at a lot of these companies have huge sway.

Right? Of like, yeah, we are the ones who get paid. So give us the tools we need to get paid. And I think Snowflake oftentimes was the solution to that problem of, we need to have better...

You know, I don't know, whatever, pick your business thing. Better turnover, better, you know, marketing, better whatever. I think Snowflake was the solution to a business problem, and the security team might have been cut out of that altogether. I'm just speculating here. I don't know specifically about AT&T, but I think when the business team goes asking, a lot of the time the answer is yes, and it doesn't go through security.

It's just... Oh, you guys need a data lake. Well, Snowflake's gonna work. Okay. Cool.

Speaker 8: Like the thing you get with... There's the front... it doesn't go through security. The other thing that it kind of just screams to me is, like, what is the ongoing process for managing third-party risk in those organizations? Because things are gonna get missed up front, whether it's third party or whether it's something internally developed. And so, like, you've gotta have the two pieces of that.

You've gotta have that initial piece, you know, early in your deployment cycle. You've also gotta have some kind of a review process, an audit process, or whatever. You know, if it gets missed up front, hopefully within a year, somebody's like, hey, we've got this data... this provider we're using for our cloud storage. How do we connect to them?

And, like, does that actually come up somewhere for any of you, or is it getting swept under the rug?

Speaker 1: I don't think it's getting swept under the rug. I just think that the IT infrastructures with all these SaaS services, PaaS services, NaaS services, DaaS services, whatever ass service you might be using... swept, I

Speaker 2: tell you about ass services?

Speaker 1: SaaS services. That's what they are now for me. That's what they mean to me. I don't think that a lot of people... Like, whenever we're working with organizations, they had no idea. Like, security teams are like, we're using Snowflake? What the hell is Snowflake?

And it's not that it's getting swept under the rug, it's just somebody at some part of the company needed a thing, and they bought that thing, and

Speaker 2: shadow IT.

Speaker 1: Shadow IT, and there's not a lot... Oh god, help me. There needs to be more correlation between the accounts payable departments at organizations and the security, where accounts payable says, here's all the shit we're paying for, and security's like, oh, Snowflake?

What the hell is that?

Speaker 2: I mean, honestly, that's funny, because from the owner's perspective of a company, that makes... perfect sense. Like, I never would think of, like, oh, just look at accounts payable, like, who are we... I do

Speaker 1: it all the time. I do it monthly. Erica sits down with me. It's my least favorite part of the month, where Erica is just like, John, we need to talk about this, and my god, it's that time of the month again.

And it's down.

Speaker 7: And she did start going through.

Speaker 1: She's like, do you know what this is? And I'm like, no.

Speaker 0: I don't... 70,000 dollars' worth of stickers.

Speaker 8: Know what

Speaker 0: this rate.

Speaker 7: And it's like, I knew

Speaker 1: know what that is. Why did we spend 75,000 dollars on, like, you know, inflatable monkeys? I'm like, I don't know. Go ask Jason. I plan for that. But we do that, and it's important, because we have literally found those types of services where some random person at Black Hills Information Security

paid for a service with their own credit card, it's registered under their personal email or their BHIS email. Systems has no awareness of what it is, and literally there's a whole bunch of data in there that's, like, super sensitive. And we're a small company of, like, a hundred and fifty people. I can only imagine how bad that is at AT&T.

Speaker 2: Yeah. Well, the other thing, I would say from a security team's perspective, I'm so sick of talking about stealer logs, but I'm gonna do it again.

Speaker 0: Oh, go. Oh, my god.

Speaker 2: It's not hard. It's not that hard. Like, okay. It's not that hard to just monitor the credentials that come over the wire. Like, you might not know you have Snowflake, but if a...

att.com email pops in a stealer log. You gotta go remediate it. Like, it's not... It's just not horrible.

Speaker 0: I I was gonna say 1 of my worst fears. Right? Is not, like, go going dark web stuff. Right? Seeing your credentials.

Are from your company on the dark web, but it's nobody who works at your site. So it's that third party person. So you got a new credentials Well, dude, I've seen it at different organizations, and sometimes they're like just nuke their credentials right away? Like, okay, what did they have access to? And then they realize we have no clue.

We don't even know, like, we know the login portal, but we don't know how Deep it goes. And now we have to, like, do a full investigation has someone already logged in. Where do they log in? We have to figure out that whole third party vendor, tell them to nuke everything they got.

Speaker 2: It's... Oh, that's the part. Right? If you're not. Let's say you're not gonna nuke all the credentials you get in stealer logs, which you should.

You should at least have immediately. Monitor. I'm dying.

Speaker 1: You'll be okay with you okay.

Speaker 4: So what do you think about the $370,000 that they paid to have it what supposedly deleted.

Speaker 7: What supposedly. Yeah.

Speaker 2: Cheap...

Speaker 3: We've deleted this copy.

Speaker 1: Yeah. We deleted this.

Speaker 4: My thinking on it is, what a dumb criminal if they're only asking $370,000.

Speaker 1: That's what I on Twitter and stuff. It's just like, how was it that cheap?

Speaker 0: Unless have been, like, someone ill. An inexperienced who got lucky with the Cr and they're like, alright. I'll just take just instant payout. Just real quick getting out.

Speaker 1: Like Well, they did get paid. Right?

Speaker 5: Apparently, that hey, and even in that that bio line that has touch wiggle room in there that... The researcher says he believes the only copy. Like, that is... That is complete legally Wiggle room there. Like, well, I believe is the only copy.

Like, being only hobby. We could be back here in like, you know, 3 bunk being like, hey. Guess what? Like, the... Here's all the information that was...

Supposedly deleted. That's not out there. The security research you can be like, wow, you know I said, I believe the only copy was deleted.

Speaker 1: Yeah. I think that that's funny, but, I don't know. Honestly, like... So do we trust what AT&T is saying was stolen? Like, it was just call history, text history, not actual contents, or do we think that there might be more in this.

Like, I don't get nervous more.

Speaker 7: It is.

Speaker 3: Even if it is just what they say, it's still plenty enough data. For anybody to go and do bad with it? Come on. I mean, how many years ago All I needed was your last name and your ZIP code.

Speaker 1: Yep.

Speaker 3: And I can go in and get everything else. Come on.

Speaker 2: Yeah. Yeah. I mean, I think they argue like, why even have the data lake at this... Like, what is the... I don't know.

I mean... 1 of the... I feel like data lakes are kind of just like the graveyard of big data? Like, they're... How many companies are actually doing something with it.

Speaker 1: I just think they like collecting data. I think it sounds badass whenever you're like, whoa, or data lake has 64 pet of logs in it. It just... Sounds cool. It it's not really useful.

Speaker 0: Auditor It's it's... Audits.

Speaker 7: All the...

Speaker 2: It's say it's huge of. Right?

Speaker 7: In a huge matter of.

Speaker 1: But it's badass ass. It's like those cars that they try to get as low to the ground as they possibly end. No. Think it sound... They think it's cool.

It's really not, and it's absolutely not useful. That's what a data lake is. And I also think that we're moving away from data lakes. I'm still waiting for someone that comes up with a data ocean.

Speaker 2: We're late. It's way salty.

Speaker 1: It is so. So salty. So so.

Speaker 3: Years ago, years ago, John, I worked with a guy. I worked for a company, and the owner of the company was so proud of the fact. That our data retention policy would save everything. So we had millions of records in in the main production database and probably 3 quarters of those records had not been touched or accessed in years. Yeah.

Years and years.

Speaker 2: And and lawyers are like, I'm sorry. What? You have what?

Speaker 1: Just post it out. I just went through real fast. It said hoard. The the It that show.

Speaker 7: Yeah. Where, like, why are you... Why are you...

Speaker 1: The... And that you could just see these people get excited about Microsoft Recall. They're, like, This is what I've been waiting for my whole life.

Speaker 2: Yeah. I mean, it's like, it's the whole data science thing, like, okay. Let's say you're handed this dataset. Like... What are you gonna do?

Like, did you know that 14 percent of people call everyone after 9PM. It's like, great. I don't care. Hey Okay. Like, thank you.

They never my how?

Speaker 1: Yeah. Yeah.

Speaker 2: I don't know. I mean,

Speaker 5: I but 1 of the

Speaker 4: Here's the. Here's the thought with that sort of data though. This number got texted by this number and replied back to it. This number texted this number got a call from this number and answered it. If that data is out there with how easy it is to spoof numbers.

Wouldn't that allow for easier whatever is Doing out there. Yeah.

Speaker 1: I think you're absolutely right, but also think about, like, every divorce or almost every divorce that's being processed right now. Where all of a sudden you have that, like, the records of text numbers and, like,

Speaker 7: Yeah. Yeah.

Speaker 1: Or you're a reporter. And you're trying to figure out which political person talking with another political person. I mean, there is a yeah.

Speaker 2: The privacy the privacy implications here are really bad. Believe were you gonna say something about that?

Speaker 5: Gonna say, basically the same. Like, you could look up with those call records, and you could find, like, the phone number that John Strand will answer that will take a call from. When he's on the air. Like, there are some phone numbers that John will go... He'll drop from the call and go, I gotta take this call right now, And then it turns out to be a, hey we've been trying to reach you about your car's extended warranty.

And

Speaker 3: that would be good.

Speaker 5: But but you could. You could look up that dataset and be able to get through.

Speaker 2: Yeah. So Ryan just linked to a super relevant, I think, article, which is the whole concept of dark patterns. This is actually what we're talking about. We just don't know what we're talking about. It's like the concept of dark patterns Ryan linked the article, but essentially, it's like behavior mining, and kind of like trying to know, the the...

I think the example that it gives in the thing is, like, how hard it is to cancel Amazon Prime, Like, I don't know if it's a meme or if it's true, but I've heard that at 1 point the code name for canceling Prime was Operation Labyrinth.

Speaker 7: Oh, wow.

Speaker 2: About all

Speaker 1: you gotta say to get him to cancel.

Speaker 2: No. No. They was that their code name. Yeah. Internal code name was...

Labyrinth because it was very difficult to cancel

Speaker 8: Puts you the customer in the labyrinth.

Speaker 2: Yes. You are going through the Labyrinth. So Basically, this is about pattern mining of, like... And I think we see this transparent with things like subscription services. Right?

Like, Yeah. Most companies would rather take, you know, $7.99 a month in 30 days versus $7.99 for a month now with no renewal. Right? Like, everyone would rather give you a trial and give you a permanent subscription that you then forget about because that's 1 of the behaviors forgetting about subscriptions that we have. And, you know, or just, like, that's a great example of, like...

But I think there's a lot more Right? And maybe AT&T was going after some of that data of, like, well, what, you know, things get people to engage more or use their phones more with things... Like, how can we prevent people from switching providers or I don't know, like, what, I don't know what their, like, business goals would be, but... If we just sponsoring my Rocket Money?

Speaker 0: That's... Be the perfect time.

Speaker 3: I mean, I can see someone doing some serious analysis and being able to get that, but in terms of dark patterns, I really think it's just people being greedy and wanting to make sure that it's as hard as possible. I mean, I've had to go through make a phone call, go through the voicemail navigation thing in order to finally get to a human to cancel something that was a $200 a year subscription that I could not cancel any other way

Speaker 2: That sounds easy though. They didn't even make you send an sole an envelope in written in a written communication via snail mail or something. No. I mean. I will say I know for

Speaker 3: a fact. My life, I will never get bad.

Speaker 2: Well, I know for a fact that California passed consumer protection laws that basically make it so you have to be able to, like, one-click cancel most services.

Speaker 3: That

Speaker 2: I don't know if there

Speaker 3: were making that the vendor is going to comply with those laws.

Speaker 7: It's True. And Sure a car.

Speaker 1: You gotta start Somewhere. Right? I mean, true. You you gotta start somewhere. I I agree with both of.

I like that. Know, being able to cancel things out quickly and easily. And I also agree that the vendor gonna be like, f that. We're gonna do that until we get sued by the FTC. You Yes.

Because that's the way things work now.

Speaker 2: Like like the bigger 1?

Speaker 1: This new story? I'm lost. Where do we start? Was this

Speaker 7: still like.

Speaker 2: It's TechCrunch. After c study really good. They did the FTC published a study that talks about dark patterns, manipulative design techniques. Oh, that put users' privacy at risk. So they analyze 600 websites offering subscription services So...

Yeah, Like, basically, that... There is an article. Check out the FTC report if you're interested. But, essentially, it's just basically... Saying, hey, this is rampant.

This is used widely, and you know, it's potentially impacting not only people's consumer, you know, like, I can't cancel my... Like, Ron 1 said, that experience is horrible, but also there's privacy implications as well of, like, hey, you know, sneaking or they have these fun little names for all of them, which are, like, remind me of, like, gaslight, gatekeeper, you know, girl boss or whatever, you know, they have obstruction, sneaking, nagging. Like it's really funny. Yeah.

I mean, like, As an example, they call about obstruction is, making it more difficult or tedious to take a certain action like canceling a subscription or bypassing the sign up for free trial. Or the x to close is grayed out and hidden from view. So it's like all those tactics. We're all used to them because the Internet sucks, but the FTC is actually giving them names and saying, Hey. Let's not do this or let's at least expose what people are doing to make it more transparent.

So

Speaker 0: can they do this, like, 401k providers? You know, like, they they...

Speaker 1: Oh, god.

Speaker 0: They don't they don't transfer that you... They have to mail you a check, and then you have to send it to the next 04:01 k people. Like, I was like, what kind of madness is this? Please do not send me a check for that large amount of money, like, you can't just move it, but so I think that would definitely fall under this.

Speaker 2: And I mean,

Speaker 0: yeah. It's not technical. Right, but it's definitely, like, they have they have the ability.

Speaker 2: That's... Probably on the other side though where they do it that... Way because they either have to or they're not willing to take on the risk to just send it to your bank account? That's a good. They probably would be, like, sorry.

Whose bank account are we sending this to?

Speaker 1: Or, you know, I don't know.

Speaker 2: Alright. He guys another article. There's so many hacks. I would definitely keep talking about hacks.

Speaker 0: Do the first.

Speaker 1: Yeah. We need to keep on that.

Speaker 2: I loved. SiegedSec. I'm so sad that they disbanded.

Speaker 3: Hey. What about Club Penguin?

Speaker 2: Club Penguin is pretty good too though. So... Okay. So basically, yeah. Which 1 are we talking about?

Both?

Speaker 7: But, do we the stripe club penguin 1 at the

Speaker 2: the was? Story. Okay. Let's talk about club. That's where people are going.

So

Speaker 7: does anyone... It's a picture

Speaker 3: of the? It's further down.

Speaker 2: It's in bigger the the good way. When is... I feel like John's at the age were, like, he were doing club for someone

Speaker 1: is, like Mickey Mouse club for, like, kids of really geek parents.

Speaker 2: No. No No. Club Penguin is like, Firefly. It got... It like, it was cut down and it's Prime.

It was too soon or basically... So who's like a Club Penguin fan? I am not. But from my understanding, Club Penguin was acquired or was it originally Disney or was it acquired?

Speaker 0: I don't... I never got. Down. I remember playing... Yeah.

Speaker 2: See It was originally created by New Horizon Interactive, which Disney later

Speaker 1: like, virtual world. It's like world

Speaker 7: aircraft, but not or but you're a lot about childhood.

Speaker 2: Sure with people's... Yeah. Yeah. It was people's World of Warcraft or people's RuneScape or whatever. Like, it was an MMO from 2005 to 2018 you know, I never was super into it, But the people who are into it as you'd imagine, just like My Little Pony or whatever, were extremely into it.

To the point where they decided to... They, you know, they have posted them to 4chan and said, I no longer need these smiley face, linking to a bunch of internal documents that they packed from Disney's Confluence server. Oh, they got into Disney's Confluence server. I don't know, but I'm gonna go

Speaker 0: for logs?

Speaker 2: Because it... What everything is.

Speaker 0: Is this directly linked to the Disney Slack breach? Did You see that? Disney had their tires

Speaker 1: black breach was huge.

Speaker 0: Disney had their entire Slack, A little bit.

Speaker 1: All of

Speaker 2: it all of. Yeah. It doesn't say what... It just says according to an anonymous source Disney's Confluence was breached using previously exposed credentials, which to me means stealer logs. But it could also be related to the previous breach.

And, yeah, it's basically internal documents about, you know, how they... Where their S3 buckets are, all that good stuff. So I mean,

Speaker 0: honestly, the penguin. The real thing

Speaker 2: here is that

Speaker 0: the MMO lasted for 13 years. Like, if you know MMOs, that's a long time for one.

Speaker 2: Oh, yeah. This a big deal. I mean, I don't know.

Speaker 8: I mean justifies everything. Alright.

Speaker 5: Thanks. Wade.

Speaker 2: It's too much of a meme not to talk about it, but, I mean, honestly, it's kind of a non story. Like, basically, they just leaked a bunch of documents and, like, it's been shut down for, like, 5 years so whatever. But honestly I don't know. It's kinda funny. Just people...

Basically fans fans are gonna fan.

Speaker 3: Talk about for fan, you realize.

Speaker 2: Yeah. Well, let's talk about furries. You know, dangerous topic, but

Speaker 1: it's been a while. It's been a while since we talked about furries here.

Speaker 2: So the Heritage Foundation, kind of a big deal. I mean, oh, they're kind of well known. I mean, I don't wanna get too political, but they are... The Heritage Foundation is a significant... And notable right-wing think tank that does stuff.

Essentially, hackers specifically gay furry hackers. Self described. I didn't make that up. Kind... They released some data, and then they also kind of...

There was an exchange back and forth between a couple of the high profile people on both sides. And I guess, like, this... They've hit... They were also... SiegedSec was the same that was going after, they were going after the Idaho National Lab to convince them to make cat human hybrids or...

Speaker 0: Yeah. That was a lab

Speaker 7: demanding app demanding didn't really

Speaker 8: the credibility too well

Speaker 2: now. As as the.

Speaker 0: Yeah. That's just stop seeker. They didn't tell

Speaker 3: the that ability was the goal.

Speaker 2: No. The it this is totally. This is the definition of chaotic neutral. It is just we have our specific thing that we care about. We're gonna push that agenda forward in the public eye through hacking, activism.

Right? They don't like the Heritage Foundation. They don't like the whole Project 2025 thing. Man So

Speaker 1: they're not on board. You're saying gay furry hackers are not on board with the Heritage Foundation.

Speaker 2: Who would have thought?

Speaker 1: Who would thought? Not?

Speaker 2: Who would have thought. But so they hacked them and they disclosed a bunch of data, And then they, I guess really

Speaker 1: I thought it was all the data. Like, I think they got a yeah lots of data from their Heritage

Speaker 2: to correct.

Speaker 3: Well, the data Heritage Foundation claimed that it was old data that it wasn't current that it was something thrown.

Speaker 1: Was relative. It's all. Yes.

Speaker 2: You're not sure

Speaker 8: they claimed a lot of things. The question is do you believe it?

Speaker 2: Yeah. Correct. I mean, both sides in this case. 1 of them is wearing a kangaroo costume and the other 1 is... A right-wing think tank.

So I mean, like, you choose who you believe.

Speaker 7: I love. I'll love these types of pipe, just

Speaker 8: I'm somehow reminded of the meme of the guy with the 2 buttons. And it's like, you know, right-wing think tank, gay furry hackers, and it's you the which 1.

Speaker 2: Yeah. Like, pick you pick this. You pick the side you support. But I mean, I... All I gotta say is, I wanna...

From my Romeo

Speaker 1: and Juliet, I'm gonna go to, like, ChatGPT, and I wanna a Romeo and Juliet story. I have a gay hacker, marry from Heritage Foundation. That was great. Family it's support that's...

And no.

Speaker 7: What what would their family names be?

Speaker 1: I don't know, but we need this to happen. This needs to be an AI-generated script today. There are no winners everyone's a winner in this article.

Speaker 2: I would say everyone's a winner in this case. You have not. I will say the 1 kind of, like thing, a little bit of sub that I'm gonna point out without trying to get political. So on the the main guy of the Heritage Foundation was he like Mike Howell or something. If you go to...

He which There was a very public and very nasty exchange between SiegedSec and him posted to Twitter. But the funny thing is if you go to his page on the Heritage Foundation, the article, the last article he wrote for the Heritage Foundation was how do we disarm the FBI? And now he's gonna have to go to the FBI say, Could you catch these gay furry hackers?

Speaker 1: I... That's gonna be an awkward meeting. Guys, we really need your help

Speaker 3: with this. Ball.

Speaker 1: The guy that wants to defund us right? Yeah.

Speaker 2: So go with your pro.

Speaker 1: Coming to Netflix. Soon. I yeah.

Speaker 2: I I don't know. I'm just throwing that kind of subject out

Speaker 0: at least.

Speaker 1: Laugh at the absurdity of this, like, all of the horrible shifts that's happened over the past 48 hours. Like, can we all, like, come together and be, like, this is funny. Yeah. I'm so political sides? Like, all the way.

Speaker 2: Correct. Yes. I mean, hack...

Speaker 4: Why does the story just put a vision of, like a Benny Hill skit?

Speaker 7: Can seconds running and you see the fur running 1 way leonard its

Speaker 4: foundation running the other?

Speaker 2: All I gotta say is furries are clearly up there with, like, APTs for being insanely good hackers because they've taken down some big targets.

Speaker 1: Do you

Speaker 0: think they hack in in full gear?

Speaker 1: I hope they

Speaker 2: do, like, big keyboards too Big If if they don't, I would be so disappointed.

Speaker 0: I want them to have furry suits for their computers as well. Like, yeah. This...

Speaker 1: I've been trying to think about commercials for Black Hills Information Security, and this might be 1 that we've got a workshop where It's like, we just have a furry hacker hacking away with a hoodie and he's, like, AAAAA box or something.

Speaker 3: And we already have that with Beverages?

Speaker 1: Was the fries say?

Speaker 2: I own your data.

Speaker 1: Bro so, I don't know. I'm just workshop and Folks work with me here.

Speaker 2: The ironic part is though that, like, I would never pitch this to our customer. Because our customers would never get targeted by activists.

Speaker 1: Oh, I think but some of them would.

Speaker 2: I don't know. I guess it's It is... It's easy to end up on the other side of the 8 ball. Right? It's easy to be...

Yeah. Like, if someone gets upset about some on state files

Speaker 0: Nixon and you know, furry hackers are coming off. To you. Right? Like 1 bird.

Speaker 4: Oh, white cyber duck, I think has the best comment right now. They talked to the FBI agent who agrees to help them as the FBI agent walks away the Heritage Foundation man sees the tail of the.

Speaker 2: Oh, like,

Speaker 1: what of those... If you know. You know, commercial. Right?

Speaker 2: I then there's just this sinking feeling of, like, UUI

Speaker 1: think we're in trouble in this 1.

Speaker 2: I don't think

Speaker 1: we're gonna get top notch federal government assistance in this breach.

Speaker 2: Yeah. First it's do give you plus 5 hacking, but... Okay. It's Go ahead, 1.

Speaker 3: So we wanna go to the the next, hard to believe thing where we've got Japan finally giving up floppy disks. And Germany, Japan?

Speaker 0: Was Germany.

Speaker 3: Yeah. And Germany... As well.

Speaker 2: Well, I know for a fact that, like, the, I know that also all the bunkers in John Strand's neck of the woods are all running on floppies.

Speaker 1: We gotta call something.

Speaker 2: Yeah. Minutemen are all run on floppy disks. I mean, what's wrong with... What's wrong with the floppy disk?

Speaker 1: So this shows you just how far behind these tech like, I remember, like, whenever I first went into a, like, cleared space, and they're like, yeah, Those were a bunch of Spark 8 systems. And I was like, good god. And they're like, oh, no. We have way older shit than that. And I'm like, what.

And that isn't just DoD, like banks and like, The amount of, like, legacy crazy technology that's out there is pretty frightening, But I will tell you if you have a bunch of your systems are running on floppy disks, I can guarantee you that the gay furry hackers will be horribly confused about how that's things breach off

Speaker 2: It's a genuine problem they have when they replace this kind of old stuff is, like, you have to replace it with modern tech and modern tech is a lot easier to hack. Like, or are not easier to hack but at

Speaker 1: least. Yeah.

Speaker 2: Well, it's well known. Like, this, you know, talking about something like this. Right? Now they have to build an emulator that emulates a floppy disk. Now there could be vulnerabilities in the emulator whereas, like, a piece of spinning magnet, like, doesn't really have any vulnerabilities.

Speaker 1: So Mh.

Speaker 2: I don't know. It's kind of interesting to think about all the different you know, flop What's?

Speaker 0: What's more sensitive? A CD or DVD or a USB drive versus a floppy disk. Like, I'm thinking physical media, what

Speaker 1: Oh, the floppy disk, it would take people a week or 2 to get a drive that could read it.

Speaker 0: Right? Like, so Mh. Cases security through security at least.

Speaker 1: In this. Yeah. Yeah.

Speaker 0: They probably have rotary phones too.

Speaker 7: Oh, was out years ago.

Speaker 3: A couple years ago I was at... Con and 1 of the vendors was giving out 3.5-inch floppy disks as something for people to go in in half.

Speaker 2: Was there area real life save buttons?

Speaker 1: That would be awesome. That would be awesome because nearly it's been the commander team. So... Man.

Speaker 2: Yeah. I mean, I don't know. I guess, while we're talking government stuff, should we talk about NSA data leak?

Speaker 0: The Disney the Disney 1 is cold. The is good. I want... Did you look that up at all? What's not

Speaker 2: just slack?

Speaker 0: No. Yeah. This...

Speaker 2: You want you're prioritizing that over NSA.

Speaker 0: We talk about NSA every other week.

Speaker 2: It says massive though. It's... It it is funny it says.

Speaker 7: I through the.

Speaker 0: Through the.

Speaker 2: Well, it says massive, but it says 1.4 gigs. Like I'm like, massive in the floppy disk now.

Speaker 1: That's yeah.

Speaker 7: Not a lot

Speaker 1: floppy. That's like

Speaker 2: massive as in what? Like, is it really heavy

Speaker 8: 6 200 and press enter to continue.

Speaker 2: Yeah. Yeah. I mean, I guess my... The reason I bring it up because I'm curious is, like... Is this another in regard?

Is this actual NSA data? Is this a third party? I mean, does anyone know anything else about this? Because seems kind of like a bold claim, but then it turns out it's just a CSV with, like, nothing in it. So...

Yeah.

Speaker 1: I don't know.

Speaker 0: So what it seems like.

Speaker 2: Looks like a database.

Speaker 1: Seems It

Speaker 8: also looks like it's a third-party breach.

Speaker 2: Full the, numbers,

Speaker 1: There's like, a lot of things that come out with the NSA stuff. It's like...

Speaker 2: It says on it. Yeah. Yeah.

Speaker 1: Yeah. It just says NSA on it. And it's like, okay.

Speaker 2: It's the first thing that all the gay control-F. When they get in.

Speaker 1: Yeah. NSA. Secret top secret.

Speaker 2: Let's Google what Acuity Inc does. Let's let's let's see. They probably technology consulting. So I mean, this...

Speaker 0: Rough poof. Not anymore.

Speaker 8: Yeah know. I I do...

Speaker 2: They probably set up a Snowflake cluster for the NSA.

Speaker 5: It does seem like a lot of operation names are being redacted in this too because if you look at the the data set. What 1 of the things they have unredacted is this like tick mark DOJ slash opt at And then the next thing that's redacted is an n tick mark and then redacted itself. So Yeah. There are probably a lot of,

Speaker 8: you know, operational names, some

Speaker 5: names that are being... That are in here. So when they say, you know, classified data, and it's a CSV, they may have. Names you know, information on there for.

Speaker 2: Yeah. It could definitely be in the part that for social engineering. Like, you know, you just call up although, I feel like calling up an agent being, like, hi. This is the NSA IT help desk, I would need to reset your password.

Speaker 0: I can tell by all those by all those domains. Those are all executive branches under the civil executive brand

Speaker 3: that's outside.

Speaker 2: True. It's getting scary. Getting scared.

Speaker 8: The other fun did to the data there. If you take a look. You know, just that that those are all copy record from Dev. Was it o 08:30 16 dot sql? That that just tells me there's some very interesting practices going on there, if that's the name of the script file.

Speaker 1: Yeah. That this actually is a build file. Isn't it? Like, it's got INSERT INTO statements?

Speaker 2: Looks like a

Speaker 8: like... Like, know record or a transaction log actually.

Speaker 1: Yeah. It could be a transaction line Insert.

Speaker 3: Yeah. Role.

Speaker 8: Looks like it's all it's a series of one-line inserts that coming off of this SQL file they're referencing there, which it looks like it's a dated instance. So this looks like the sort I've seen this on professionally before where you've got the thing that was coming pack together to deal with the incident on XYZ date. And like, that then somehow becomes your main production thing. Which it. This looks like that.

Speaker 1: Is this this reminds me just how much I hate, like, SQL build statements that do, like, we're gonna INSERT INTO, which table name, column column column, column values, and you gotta get them lined up just right? Oh, I

Speaker 6: hate that so much. So... Alright.

Speaker 1: Yeah. Wait action long.

Speaker 2: Take us into Disney. Take. Take us...

Speaker 1: Are we going straight. Let's get sued by a mouse.

Speaker 2: Let's get sued by a mouse.

Speaker 0: Okay. So, group called NullBulge published on Friday that they got 1.1 terabytes of Disney Slack, internal archive of Disney.

Speaker 2: Floppy disks. Oh my god.

Speaker 7: You use this.

Speaker 0: They actually had to buy every floppy in the United States.

Speaker 7: Us fall

Speaker 2: and Canada. Yeah. Head Canada.

Speaker 0: So 10,000 messages Right? The normal stuff, it has images, login credentials, links to internal websites. So would

Speaker 2: have to be more than 10,000, I'm sure. I'm sure it was.

Speaker 0: Right? I the... There's a couple of things if you scroll all the way to the bottom, the second paragraph, which I find pretty funny that you don't see a lot of people doing is NullBulge. Also posted what appears to be a detailed information about the individual who is seemingly providing the identity

Speaker 2: of that person. The

Speaker 0: they also leaked medical records, personal identification, and 1Password password manager. Yeah. They completely doxed the completely did everything. Yeah.

Speaker 2: So they had an internal source, then the internal source stopped listening to them. Got. And then they just... Completely doxed them?

Speaker 0: So so what what do they have on that internal source? Right? What did they get paid it off? Did they get blackmail or ever is

Speaker 1: my first. They literally just did this in retaliation from front them off.

Speaker 0: The second thing I'm thinking about is why like, ever I forget who it was. I think it was either Uber or it was someone that Lapsus$ hacked that they got into Slack and then they just searched Slack for password. And then boom Yeah. Passwords. Right?

This is 1 reason why any dev... Any type of dev tickets or stuff like that super super regular that if something incident or some type of dev ticket happens, a Slack channel gets automatically made, and then the right people get added. Right? And then it's open for anyone to join and search. So this is why you make those channels completely private to only the people who are in that channel.

Or in that lockdown down, like, no 1 should be

Speaker 2: hard exchange. Credential.

Speaker 0: Don't exchange. Yeah. But that's not gonna not happen. Right? You gotta you gotta just predict to, like, the lowest.

Speaker 2: You're saying just app. Just to right.

Speaker 1: I don't wanna hear that Right. The...

Speaker 7: What I'm kind of interested in to tell

Speaker 0: you the truth is I'm sure there's some, like juicy executive talk. Or like movie talk and stuff like that because if you remember when Sony got hacked. Right? Like, they... And they released the emails of all the executives just talking crap about certain movie stars and stuff like that.

That would be pretty. Right. Right. So I'm sure there's some of that in here. Like, at or at least, maybe the executives learned and have moved to Signal.

But

Speaker 2: do you think they have, like, a mouse counteract team? Do they do they have, like, a counteract? Team, Like, with Disney... Like, of capital crew I would

Speaker 1: tell you... I I don't know if it's like that today, but I've had friends that have worked there. And those conversations have come up like cyber deception and all of this stuff. But I don't know if anything ever came of it. It's like a lot of things like, when doing stuff...

Communicating with Disney over the years. There's a lot of hurry up and wait. And I have no idea if they've actually stood up, like, a deception counter team at all.

Speaker 0: I'd imagine like Disney teams have really cool code names. Right.

Speaker 1: Oh they do. They do it.

Speaker 0: Like, that's some the best.

Speaker 1: Yeah. And for. Yeah. Whatever.

Speaker 3: The the industrial as as fan that industrial is aspect.

Speaker 1: Yeah.

Speaker 3: That's... Yeah. Anyway.

Speaker 2: I mean, you're not wrong, But I guess... Is it... It... Like, the question... Yeah.

Honestly, that's the biggest question I have is why? Why even go after all this? Like, what is it... What is the angle? Are they trying to get money for people to buy like, oh, toy story 5 spoilers.

Oh, that's worth 10 bit bitcoin like...

Speaker 0: Alright. So one of the the... One of the paragraphs that NullBulge said, the site says that it is an active hack group protecting artists' rights. Right? And ensuring fair compensation for their work.

The group claims it only hacks targets that violate one of the three sins. First, we do not condone any form of promotion of cryptocurrencies or crypto related products or services. Second, we believe AI generated artwork harms the creative industry and should be discouraged and third, any sort of theft from Patreon, other supportive artist platforms, or artists in general.

Speaker 1: That's also the weird hacker. Right.

Speaker 0: Right like the art the arts are getting in on this stuff. There's definitely some overlap with the furries in here. I'm I'm. They have a very good

Speaker 2: job. Let's join Is a hacking group.

Speaker 0: These are the people who are gonna hack the culinary arts executive group, the the executive team from that without you covered first

Speaker 2: That's why It says I had to give a pen test to the commission of fine ben...

Speaker 0: I know NullBulge is coming for them. They're like, we gotta get on this.

Speaker 2: I mean, this is crazy that this actually does. You know how it's was saying, like, not a lot of our customers could be targeted by that kind of activist, but this is, like, perfect proof that, like... Activists.

Speaker 5: They can

Speaker 2: come up with some weird justification for why they would, you know, go after some.

Speaker 1: Yeah. Well, I think they can always find that justification. I think you know, and a lot of the hack groups that, you know, I worked with law enforcement over the years to actually bring down. A lot of them have these manifestos and these belief systems. But at the end of the day, they're just from the mole.

And they're trying to

Speaker 7: show

Speaker 1: at the end of the day. And that's... Not all of them, not all of them, from the furry hackers. They're pretty awesome. But but no, seriously, a lot of times they come up with these big manifestos and they come up with these big ideals, but they're just trying to steal personally identifiable information for fraud or trying to steal financial information. And that's that's how most of them are.

Speaker 2: Some just for fun, come work at a real company. You can do the same thing

Speaker 1: and not understand. Like there's so many legit outlets. For you to do this and get paid to do it.

Speaker 2: Like, yeah. Like, I don't understand being an APT. We can protect... Like, you can be on my team and I'll let you be the guy who's super for focused on trying to compromise companies who use AI, like, as what? That's every company.

So... Yeah goes.

Speaker 1: Yeah. But not now. I mean, after you do something like that. You're precluded from working at places.

Speaker 7: Yeah. Have to be here

Speaker 2: on they can't be convicted. Okay? You gotta be notice John

Speaker 1: wanna, like, anger the furries. Kinda How no I don't wanna anger the furries? Why would I want to do that by

Speaker 2: is Okay. What what I'm worried about is? Okay. So if all the furries in SiegedSec end up getting caught? Do they...

Does that just mean the Internet? Is it down in the US?

Speaker 0: I was gonna say, look at SiegedSec and overlap them with NullBulge

Speaker 1: of Might be surprised?

Speaker 0: Some Cci.

Speaker 1: Go better. You can go to all those pen test reports from those legit pen testing companies. And we can find out which firm at that GitHub repository is actually the the gay or the K bottle.

Speaker 2: You imagine being contacted by someone that says we ran an AI analysis on your report and you write reports similar to SiegedSec.

Speaker 1: Well, I'm gonna tell you. So years ago when the... the HBGary hack happened, and it was all released like, the step by step by step. I remember Ed Skoudis called me up, and he's looking at the port numbers and the commands that they used, and he's like, these people clearly went through SANS 504 and 560.

Like... Yeah. Like, they're using port 2222. They're doing... Like, it's literally step by step, like, straight from the labs and we're like, oh, jeez.

Okay. Yeah. That was that was a that was a fun day.

Speaker 2: Yeah. No. I mean, I've... Now that we have, you know, doing some dark web stuff, like, I search for V all the time. And there's people all the time in chat rooms being, like, you know, it's like, you know, some APT, fake APT chat room and they're like, oh, check out this training for how to do this or like, one person was even like, I think this ransomware group took BHIS training for this.

And That's some. Go. Is that good?? Like is it's hey. What you can.

Speaker 7: I mean, yeah.

Speaker 0: You know you've made it when your when your training gets leaked onto the dark web and people are looking for it Right?

Speaker 1: That is fun. That is fun. I had that happen to one of my classes and somebody called me out on it. They were like, yeah. I totally got your training.

It's all out here. All the video. I'm like dude, it's pay what you can. Like, what kind of asshole are you till I think that, you know, got John. It's all free, man, like, you went through way too many steps to actually make that happen. But it did go it.

Wade. It did. Right. I've arrived.

Speaker 0: So I recently found an article that clearly plagiarized one of my talks, and like, I'm not, like, this. Right? On my finally.

Speaker 1: Not even mad, finally. Yep. Exactly. I still feel bad, like, well, one last thing before we, like, bring the Crooked finger in. There was a guy in the SANS Reading Room that did a full write up of the Dan Kaminsky

DNS attack, and he did a full write up, and his entire gold paper was how to exactly do the Dan Kaminsky DNS cache poisoning attack, step by step by step, and he was, like, 2 years before Dan Kaminsky ever released it. And I felt bad for that guy because, like, Dan Kaminsky got, like, crazy mad props, you know, Black Hat talks. It was national news. Like this just guy, you can take over the internet. And some poor guy for his, like, gold paper came up with.

Was like I'll just sit over here in my dying hole. No one recognizes me as a security researcher, but that was pretty cool. Alright. So with that, let's bring out the Crooked finger everybody.

Speaker 2: Bye haven't