Pentagon Declares Anthropic a Supply Chain Risk — 2026-03-02
S6:E9

Ralph May:

There was nothing that happened. Nothing

Wade Wells:

happened whatsoever.

John Strand:

There's nothing happening today in the world of computer security at all. That's geopolitics either. It's nothing.

Corey Ham:

No. Guess just Let's

Wade Wells:

not talk about that.

Corey Ham:

Gosh. I will say that is not in the current is there anything cyber related we wanna talk about about that? Because I didn't there's nothing in the articles about it. Haven't seen hardly anything. I know

Ralph May:

bomb stuff right there.

Corey Ham:

Yeah. There's no cyber stuff.

Wade Wells:

I read a really good article about how they have a two tier internet system in Iran. Did anybody else read that? No. No? I don't know where

Corey Ham:

it was, but it it was super Yeah.

Bronwen Aker:

I haven't heard that, but it tracks with what I know about their efforts for censorship Yeah. And and state control.

Corey Ham:

I mean, I assume that North Korea has the same. I would assume most, you know, regimes like this have two tiers of Internet.

Wade Wells:

I'm surprised you think North Korea has an internal Internet, like, I would think Iran is far more robust. Right? Like people there have cell phones where poor

Corey Ham:

No. There's North Korean cell phones. Really? Yeah. They're locked down, they're Android devices.

Corey Ham:

Do you think it's like it's like when you

Wade Wells:

first saw an iPhone in like the early like February seeing a cell phone there, you know

Corey Ham:

it's not food. That would be my It's like technology, I don't give a crap. I just want like a piece of meat.

John Strand:

I was reading a

Ralph May:

Uh-oh. Oh,

Corey Ham:

no. This podcast is sponsored by Starlink Mini. Have you ever tried podcasting from a Tesla charger? Somehow, there's no WiFi even though we set it up and plugged it in.

Bronwen Aker:

You know, it's just strange because the the minis, we have one too, and

Bronwen Aker:

we use it for responding to fire and emergency incidents in the neighborhood. And they behaved very well. But I guess John is no. Issues. There

Wade Wells:

there was an active Starlink scam going out where they were calling people and telling them that their current Starlink setup is old and that they need to upgrade and targeting elderly people and I know several that fell for it.

Ashley Knowles:

Of course. Aw.

Wade Wells:

I know.

Corey Ham:

Right? So we'll remember Scam. Just they give us money basically.

Wade Wells:

Yeah. Yeah. Pay us $500 and we'll send you out all the new equipment. Oh, okay. Paid the $500, there is no new equipment.

Bronwen Aker:

It's funny when I tell people, I'm sorry, I do not respond to unsolicited phone calls of any kind. You know, you're not gonna get a credit card number. The reactions are pretty interesting sometimes.

Wade Wells:

I'm surprised you even answer. I have where where it doesn't answer unless the phone number is in my phone in my phone.

Corey Ham:

I screen calls too. Yeah. I use the AI screening. Yeah. It is nice.

Corey Ham:

And yeah, don't answer. Even if it's a client, they'll just leave a super helpful message that says, hey, I'm a client, call me back and then I'll

Wade Wells:

call Our domain is completely down. What did you do to the domain controller?

Corey Ham:

Did you Kerberoast the left wing of the building again?

Wade Wells:

Did you restart the website? You know? Sales told us not to restart the website. No. That

Corey Ham:

Kerberoasting the left wing of the building is an inside joke from an interview we did years ago with someone who said that was his, like, that was his critical awesome pen test story is that he took down the left wing of a building by Kerberoasting it too hard. Needless to say, that person did not get the job, but it was a fun story.

Aisling nic Lynne "siriciryel":

That's

Corey Ham:

I was, like, is Kerberoasting, like, known for taking things down? Because that's news to me, like

Wade Wells:

It's loud. Right?

Corey Ham:

It's loud, but it's he what he I think he was thinking password guessing, not Kerberos. Yeah. Like, you know, or something. Or

Wade Wells:

A wild John Strand has appeared.

John Strand:

Yeah. You know, shit on Tesla while I'm using a while I'm using a Tesla supercharger. Apparently, that didn't go over well.

Ralph May:

They have an algorithm for that.

Corey Ham:

Yes. They have an AI algorithm for that. Of which, are

John Strand:

we gonna talk about the what is it? Discord? Banning? Yes. Yeah.

John Strand:

Okay. We got that. Alright. Let's do it. Let's go.

Corey Ham:

Banning? It's please ignore. I thought

John Strand:

there was word. Microslop. I think it was Microslop?

Corey Ham:

Oh. Like, Microslop. Yeah. They

John Strand:

actually made it a banned word on

Wade Wells:

That's I

Corey Ham:

wanna say it was Discord. Yeah. I think that's only in their Discord though. Right? No.

Corey Ham:

I I think it was globally banned? No. It's not. What's what's I heard anybody tested this in our I I just put it right in the chat. We're good.

Corey Ham:

We're good.

Bronwen Aker:

It is. Microsoft has banned the term Microslop from its official Copilot Discord server.

Corey Ham:

Yes. From its Discord, not from like, it's not global banned.

John Strand:

Banned it across. But even on their own, it's like, come on.

Corey Ham:

Hello, and welcome to Black Hills Information Security's talking about news. It's 03/02/2026, and we're here with our Microslop. We have a completely AI generated podcast today with hosts me. I'm a supply chain risk. Do not use me if you're a government contractor.

Corey Ham:

We've got Bronwen who is using Agentic AI to use social media instead of using it herself. Have Ashley who is here. Good job, Ashley. Thanks. And whose kid apparently has good taste in cars because they told someone their Cybertruck was ugly.

Corey Ham:

We have Aisling, sir cereal or siri Siri cereal?

Aisling nic Lynne "siriciryel":

Cereal?

Corey Ham:

Siri cereal? Siri cereal? Siri Okay. Can you just tell me what your favorite cereal is so we can move on?

Aisling nic Lynne "siriciryel":

Honey Nut Cheerios.

Corey Ham:

Okay. Great. Excellent choice.

John Strand:

Excellent choice. Okay.

Corey Ham:

We've got John Strand. If you can read this, you're not on Starlink. We've got Wade, wading through Molt book at at this new PJ to the DJ Discreening. Nice. Ralph got done hunting gators and now he's wrangling AI instead, Which is a little concerning to me, but whatever.

Corey Ham:

Yeah. They're harder to catch, honestly. I I did watch a video last night where a guy was hunting gators and I was like, this is easier than it looks. Mhmm.

Ralph May:

And actually, I already told you the secret. You just play baby gator noise you're good to go, dude.

John Strand:

Baby gator noises like some kind

Ralph May:

of It's like a croak. It's like a little like croak.

Wade Wells:

Little croak. Okay.

Corey Ham:

I think, John, if a gator approaches your vehicle, please let us know and I know. I had a gator

John Strand:

in Gillette, Wyoming, something really

Corey Ham:

Correct.

John Strand:

Bad has happened with my medication.

Ralph May:

I mean, he hardly has internet. How the hell do think he's gonna get a gator

Corey Ham:

in It

John Strand:

looks so so. Alright.

Corey Ham:

And then lastly, we've got Megan looking at making us look good and smell good, but you can't smell us because it's a podcast.

Ralph May:

God. That's lucky. Yeah.

Corey Ham:

Alright. There's a lot of spicy stuff today. I mean, where do we wanna start? Anthropic? We got there's I mean, there's so much.

Corey Ham:

I I feel like we maybe start with Anthropic. I don't know.

John Strand:

I think think that's Who

Ralph May:

uses Claude? I don't know if anyone

Corey Ham:

Bruh. No one uses Claude. No. Okay.

Wade Wells:

So I ran out of Claude code credits this weekend and I was going crazy. I was like, what am I gonna do?

Corey Ham:

Not paying Those Claude code credits are the the latest drug addiction in the world of I've

John Strand:

been told I've been told by the Anthropic that I should never let my employees ever say that they ran out of credits. They it should be like an infinite shower of, like, gold gold shower of credits. Just knew it stolen. Employees.

Bronwen Aker:

Gold shower, not golden shimmers.

John Strand:

It doesn't matter. I just feel shimmers.

Corey Ham:

That's how much it would cost too, by the way. Feel like it's gonna piss

Ralph May:

me from, like, Home Alone.

John Strand:

We got we got we got a form that we're filling out. We got a form. It's the R Kelly form in SharePoint that you have to fill out to get those. So What does that mean?

Corey Ham:

Your your mind's telling you no, but your body's That's telling you right.

John Strand:

Okay. So I gotta back off.

Corey Ham:

Okay. Let's let's let's do the podcast now. Alright. So basically, the the backstory on this for those that don't know is last week we talked about on the news, Anthropic, the company that makes Claude, which is one of the frontier models, is feuding or was feuding with the Pentagon, was feuding with the US government. Basically, their two hard no's were number one, we can't just give you carte blanche to make kill bots and autonomous, like, robots with guns.

Corey Ham:

That was one of their hard no's. Good. And their other hard no was

John Strand:

By the way, I wanna just point out, that's a good start.

Ralph May:

That's a

John Strand:

good start for any software development project.

Corey Ham:

Also, by the way, on the on the topic of kill bots, one of the most crazy things that I learned as part of this process is there's no law against kill bots. It's just internal policy, which is which is We lost you again? It's like us No. As a company, as a pen test company saying, well, we don't really have any laws that prevent us from stealing all your data. We just It's internal policy that we don't steal all your data, usually.

Corey Ham:

Mhmm. But that's a

John Strand:

crazy That thing for seems like an oversight. Like, no kill bots should be a law. Like, we should I have fully agree.

Corey Ham:

I can't believe a convention thing.

Wade Wells:

Right? Like, if we If if shotguns got like outlawed almost outlawed at one point, why aren't killer robots?

Corey Ham:

Oh, dude. Geneva Convention, the the we ignore that on our own civilians. It says not to tear gas and we do that anyway. Yeah. Okay.

Corey Ham:

Alright. The other thing No

Wade Wells:

kill bots. What was number

Bronwen Aker:

Yeah. Two?

Corey Ham:

Number two was mass surveillance of US citizens, which is obviously a great use case for AI. Hey, find me all the people doing stuff I don't agree with. Right? Like, easy query. But those two things the Pentagon wanted to do and Anthropic said no.

Corey Ham:

And then there were talks, the CEO of Anthropic was summoned to Washington to have a hard sit down meeting with Mr. Hegseth himself. And then it predictably, those talks didn't pan out in a good and productive way. I'm sure some insults were hurled back and forth. And basically, the government labeled Anthropic a supply chain risk, which from what I understand means that if you're a government contractor, you have to not use it within the next six months. You have to replace it internally.

John Strand:

Well, they also they also wanna push it to the point where if you're a, like, a supplier, like, you cannot use it in the government, but if you're a company that's using it, you cannot have contracts. So it's like downstep.

Corey Ham:

It's basically as far as they can go. Right? This is the most punitive measure they can apply. So it's not clear exactly what's gonna happen. The government it sounds like the government itself will have like a six month transition period.

Corey Ham:

And you know, in addition to that, while all that happened, OpenAI signed a contract with the government. They were like, we love kill bots. We are working with kill

John Strand:

bots and we love mass surveillance. These things are awesome. And by the way, anyone that gives us a hard time by how much energy we're using, have you thought about how much energy a human uses? A lot of the day where they're

Corey Ham:

using so much food. The calories. So many calories. I did the math.

John Strand:

Oh, you did?

Aisling nic Lynne "siriciryel":

The math on this.

John Strand:

Alright.

Aisling nic Lynne "siriciryel":

You can feed 3,000 children to adulthood for the cost of one GPT-4 training. You can also spend enough to raise 250 children to adulthood at US averages for what it cost actual dollars. I

John Strand:

their terms acceptable. We should start feeding all children immediately. I

Ralph May:

can I just Yes? Win?

Corey Ham:

Yes, we should.

Ralph May:

Can I ruin a whole movie for you? You know, in the movie The Matrix, where they were feeding the humans to get menstrual amounts of energy?

Corey Ham:

That makes no sense. We're not thermodynamically efficient. What are you doing?

Ralph May:

Have way more energy to feed them than they would have gotten. It ruins the whole movie. Sorry.

Corey Ham:

Yes. It No. It does. I agree. That's a plot hole.

Corey Ham:

So

Bronwen Aker:

It ruins movies. Just saying.

Corey Ham:

Yeah. Yeah. So basically

John Strand:

What if we outsource it?

Corey Ham:

I I think the thing I think the thing we tried that. We tried that. It didn't work. So I I think the thing that gets me with this, I wasn't expecting it to be OpenAI. I was expecting another company to jump in, but I was expecting it to be like, Grok.

Corey Ham:

That's what exactly. Yeah. But then I was like, well, I guess they don't get any pork at Grok because they got, you know, the whole fallout with the Doge stuff. I don't know. But like

Ralph May:

I was I was more scared of the Grok thing though because those robots would be really dumb. Like, it would be Yeah.

Corey Ham:

That's yeah. That's that, Yeah.

Wade Wells:

So robots are just become Costco greeters or like

Corey Ham:

They're just like, your receipt looks good. I'm gonna kill you now. Sorry.

Aisling nic Lynne "siriciryel":

I don't know. Given given other things going on with Grok, it might be like preferentially going after some really ugly target choices.

John Strand:

I know. Right. It'd be like, oh fuck, no no. No. Why is this why

Corey Ham:

is this even worse than worse.

John Strand:

Bottleneck but I don't know. This seems like this could be bad.

Corey Ham:

Yeah. I mean, basically Already there. Yeah. I I mean, there's not a whole lot of cyber on this topic. From our perspective, you know, just to be a little transparent, we use Claude pretty heavily at BHIS and a lot of our partners use it as well.

Corey Ham:

And we're not planning on stopping, at least not right now unless someone says that you actually have to stop. But it's kind of just fun to wake up on a, you know, Monday morning and be like, oh, yes. This tool you use, you can't use it anymore. Like, I can't believe that's a thing, but

Ralph May:

I can't believe that the government can be that punitive, like, just like

Corey Ham:

Yeah. Yeah.

Ralph May:

Hurt my feelings. Really? Listen. I know. I know.

Ralph May:

I'm just saying, like, maybe earlier times. Like, in earlier years, like, think it felt like it was better. Right? Like it was set

John Strand:

an actual date on that, but yeah. Yeah. Yeah.

Corey Ham:

Yeah. Let's not I agree. I mean, I think like all of the like the US government tampering in private companies, you know, like it's a whole this is a hot topic that was goes back hundreds of years. Right? This to me is I'm sure there's lawyers right now just using AI across the board to try to figure out how they're gonna fight this and, like, it'll it'll be solved in the courts like it always is.

Corey Ham:

Or someone will make a call and it'll go away like magically. Who knows? But

John Strand:

Well, and at BHIS, just, you know, kinda bringing it down, I had a number of testers and a number of people reach out. I'm like, do we have to stop using this? And I'm like, we don't make the we don't make decisions based on one idiot in the Pentagon and what he says, right, or she, whoever may say it in the government. If we start getting actual policy documents that come down, then we will have another conversation. But even then, like, that's literally destroying that company.

John Strand:

Like, there's no way that Anthropic will continue to exist at the level that they're existing if they get cut off at the knees that way. So I don't know. It's gonna be a Mexican standoff for a while. Let's see where it goes. But I'm a firm believer in no kill bots and no mass surveillance.

John Strand:

And honestly, we have Palantir that's doing that.

Corey Ham:

Yeah. But they don't have frontier models.

John Strand:

But I think it's within Anthropic's rights to say, we're willing to work with you under these conditions. And they did. And now you can't Darth Vader it and be like, we're changing the terms to pray we don't change them any further. That's that's not how this is supposed to work. And I am fairly certain that attorneys will get involved even at the Pentagon and be like, Pete, you can't do that.

John Strand:

Like, you can't sign a contract with these particular terms, try to alter it, and then punish them because we signed a contract with these things at the beginning. Now the world's a weird place. Who knows? But I wouldn't get too worked up about it right now. I I I'd be I'd be hard pressed to believe that anyone in the Pentagon has, like, that long of a memory when we get further on down the line.

Corey Ham:

Yeah. Alright. Any other final thoughts on this? I mean, I think

Wade Wells:

No.

Corey Ham:

It's it's basically like not really a cyber thing. We'll we'll we'll stay tuned, you know. True. This is why we have this show. If if new stuff comes out, we'll let you know.

Corey Ham:

But for now, it's kind of just a, you know, government slap on the wrist, the classic. On the AI topic, and by the way, I guess before we move on, it is worth noting that a lot of other AI we have plenty of articles we're not gonna talk about of other companies that have AI ties that are having, you know, bad days in the stock market because it's basically exposing some of the potential dangers and risks of our reliance on these very small number of companies for very large, you know, tasks. But anyway, apparently, the EU has blocked AI tools on all official devices. This is kind of interesting. So this is an article in TechCrunch.

Corey Ham:

Basically, the European Parliament has blocked including the built in stuff. So basically, this includes things like, you know, Copilot, ChatGPT, Claude. These are now all banned on European Union parliamentary devices. Now, I don't know how many devices that actually is, like, or, you know, if I'm assuming if you're a diplomat at this level, you have like 17 phones and they're labeled with like a label maker and that's how you keep track of them. But base go ahead.

Bronwen Aker:

It's probably not just I mean, if it's all official devices, you're talking multiple levels because you've got your your actual representatives in parliament, you've got their staff, You've got whatever is tied to their offices. So this is it's it's percentage of the population in the EU, it's small.

Corey Ham:

Yeah. And I mean, it's kind of the writing's on the wall with this. I would expect similar bans from almost any government entity. Like, it doesn't all these built in tools, like, mean, we most companies have banned them too. Right?

Corey Ham:

Like, can't just allow arbitrary AI usage across your entire, you know, government or company or whatever. So

Wade Wells:

I think it's easy for them to do this integrated one though. Right? So they're looking for the defaulted stuff that's turned on. Yeah. It's once you start doing it from like a DLP perspective.

Wade Wells:

Like, what then what what about the third party? What about them installing stuff or using some random online one? That's when stuff gets real hard at least.

John Strand:

And believe that's the rabbit hole. Right, Wade? I mean Yep. You know, when you take this policy and start trying to peel it back, it gets really complicated very quick. But this is something the EU is struggling with.

John Strand:

Right? I can't remember which country, if it was Belgium or if it was Denmark, but they're starting to push away from Microsoft and all of the, you know, kind of the cloud providers that are based on the United States. There's a lot of money in the EU that's now being invested by numerous governments to come up with open source solutions for a lot of the commercial SaaS products that they're buying in the United States as well. So this is just one more kind of like snowball and an avalanche that's starting. And I don't see this slowing down.

John Strand:

I don't see this as like the big thing, but this is just more of that of that constant flow of trying to move away from US SaaS providers, whether or not it's AI or whether or not it's SaaS products as well.

Wade Wells:

Bet you really help you set up all those open source tools.

Corey Ham:

That's exactly what I was thinking, Wade, like like how do you build your DIY SaaS products without Claude code, man, or without a coding agent? Like, that would make it harder.

John Strand:

You said you used Zapier or like any of those tools to try to tie it all together. But, man, Claude code is way easier to do.

Corey Ham:

They can You can run you can run

Ralph May:

your own like self hosted models and stuff like that. That that you can run them at at, like, some level. They're not quite Claude, but, you can get pretty close and, like

Corey Ham:

Yeah.

Ralph May:

Still not inexpensive just to put that out there. But, yeah, I could definitely see the reliance on something like these more frontier models, especially as they improve to be like, how can I keep up? Right? Like, they're like, in whatever way. In whatever way, how can I keep up if this model is what we're actively using and other people are too?

Ralph May:

So.

Corey Ham:

And by the way, I didn't major in poly sci, but I feel like this whole thing that just happened with the Department of War is a great example of why they shouldn't be using US SaaS products, like, from the sovereignty perspective. It makes perfect sense to me, like, oh, what if some random dude just decides we are our accounts and all of our emails are deleted. Oh, that'd be awkward. Let's let's hope we see more of the open source rise in the EU. That was that's pretty cool.

Corey Ham:

Yeah. As far as AI, I mean, there's a lot more that I guess, we can kinda combine two articles. One article is that the Mexican government posted a really interesting or, you know, basically, there it starts on a Reddit thread and it kind of goes there's a Bloomberg article as well. But basically, someone or, you know, a threat actor used Claude to breach the Mexican government and exfiltrate a bunch of sensitive information. They claim 150 gigabytes of data.

Corey Ham:

We don't necessarily know how, you know, we don't know anything about the security of the Mexican government, but I what I can tell you is this is gonna be the theme of 2026, is threat actors using AI to attack entities, whether it's companies, countries, everything is gonna be attacked using agentic AI. And, you know, the the write up is pretty simple. Like, basically from my perspective, like as a tester, they're basically just chaining a bunch of stuff. Things that we would normally consider too high complexity or too much work to do, AI can do it. And so if you a company or a country, they have huge attack surfaces and then and AIs are really good at chaining vulnerabilities together.

Corey Ham:

That's basically what happened here is minor vulnerabilities get turned into major vulnerabilities because all the fancy, you know, they were able like, as an example, they were able to use AI to help bypass the WAF. So like, a simple thing like bypassing the WAF, not necessarily like a crazy thing that like only, you know, APTs can bypass WAFs, but it definitely speeds them up that they can use AI to do this kind of stuff.

Wade Wells:

Corey, it works with what? Did you read the CrowdStrike global threat report? Is that what you're gonna go with?

Corey Ham:

Yeah. So like the yeah. Exactly. So like this combines with the CrowdStrike global threat report, which there's a few insights I have from this, but AI is heavily featured in this of, you know, the basically, I I don't know the exact numbers, but essentially, a huge portion of compromises use Gen AI. So like, not only just for like writing phishes or yeah.

Corey Ham:

So the stat is AI enabled adversaries increased operations by 89%. So like, basically at this point, if you're a threat actor and you're not using AI, you're you're doing And it that that applies to pen testing firms too. Right? Like, or anyone it applies to like basically everyone. If you're not using AI at this point, you're probably doing it wrong.

Corey Ham:

But threat actors are doing it, and that to me is the biggest reason why now we as pen testers and security people, that means we have to do it too. If if the threat actors, if the bad guys are doing it, our whole thing is to do what the bad guys are doing so that our clients are safe, so now we have to use AI. There's some other interesting insights, I guess, in that report. One was that I think it was 80% or something of compromises used authorized channels. So like using, you know, valid credentials to log in, using like a vishing call to deploy like legitimate tools and exfiltrate data using legitimate tools, like that's the theme.

Corey Ham:

It's like living off the land, you know, like, we know the the blank spider threat actors. They do just like Quick Assist, and then they just upload all your data using WinSCP. It's like the simplest possible kill chain, but it works. So that was yeah. I mean, that's definitely seems to be the theme.

Corey Ham:

I guess, does anyone else have any insights or other like things they learned from that report? Wade, it sounds like you had something.

Wade Wells:

I haven't read it yet. So be completely on I'm on like paternity leave, so I haven't done anything cyber. I just read the news for once thirty minutes before I got here. But I was in awe that they said in twenty nine minutes from initial to lateral.

Corey Ham:

Right? About this Ridiculous. We're talking about this on our team. So yeah, basically the stat for people that don't know what we're talking about. In in CrowdStrike's report, they say that the it was some the average time to move laterally was less than thirty minutes.

Corey Ham:

So like, twenty nine minutes average eCrime breakout time. The thing that I don't like, what I wanna I wanna clarify this. I think when Wade and I are thinking about lateral move, we're thinking about it in a traditional sense of establishing a C2 position on a different host, so like a completely different... I think what they mean by this is going to a next the next phase or gaining access to additional systems, like including cloud information, like exfiltrating data S3. I think that's what I'm that's basically what I'm imagining. This is like the they get onto a system and then they immediately start doing bad stuff.

Corey Ham:

I don't think it means moving to another system, I think it means maybe grabbing cloud tokens, grabbing API information, or just like I said with Quick Assist, just uploading data using WinSCP immediately. So they're not doing any kind of, like, they're not doing any actual like C2 agents or DLL sideloading or, you know, binary exploitation or anything like that. I think they're literally just saying, we're on a system, we're gonna start accessing SaaS products, accessing accessing API keys, and then like going into different systems. Like, to me that counts as a lateral move in 2026, just going after the cloud infrastructure. But I don't know.

Ralph May:

I think that they're definitely incentivized to move as fast as possible, especially if we have on on device detection and we're just like the time. Like, their their their motivation is the longer I'm here, the likely it's gonna get shut down eventually. So let's just make this time go as fast as as possible. Right? As opposed to, like, intentionally being like, no, I'm gonna wait it out.

Ralph May:

I don't wanna get detected. And then we're gonna do this, then we're gonna do that. So I think it's kind of a shift, especially if they're just going after whatever it is. Right? Whether that be information Oh.

Ralph May:

Data, ransomware, what whatever they're gonna do.

John Strand:

Well, and this is one of the things I think is interesting. There's a lot of conversations about how, oh, well, computer security is gonna be solved with AI. And I think it's interesting because the defensive side, there's a whole bunch of vendors that, like, we're going to solve the SOC problems with AI. Then you flip over to the offensive side, and there's a bunch of offensive vendors that are like, we've solved offense with AI. So this goes back to something Corey said at the very beginning.

John Strand:

We're just gonna use the tools and the techniques that the attackers are using. One way or the other, the hackers are gonna show us the way.

Corey Ham:

Well said, John slash AI John. It's true. I guess, Wade, any other or anyone else that read this report, any other insights? There was a phishing is still a thing, like that's Yeah. You know, that's still super common.

Corey Ham:

Like, I I mean, it's a lot of just continuations of the themes we've seen in the past.

Wade Wells:

I skimmed it to try to understand what their level of lateral what their definition of lateral movement. Right? Yes. And so like Jeff's in the chat and Jeff actually said like, I just wish all of our definitions were actually the same. Right?

Wade Wells:

So

Corey Ham:

Do they have a definition in there?

John Strand:

I like

Wade Wells:

They don't I didn't

John Strand:

make things more fun.

Wade Wells:

Oh, yeah. That's that's the only thing. But like John said, the interesting part is the attackers right there, they have full access to the AIs completely where I'm finding that defenders right now are just now finally getting access. Right? Like, we're we have to make sure that everything's okay, all the i's are dotted and the t's are crossed before the defenders can actually use a product and actually deploy it and usually make good of it.

Wade Wells:

I think that's just now really starting to happen even with the AI SOC stuff. I I've heard good and bad about it, but I wanna see what people are doing with like the homegrown stuff. Like you actually have a really good team that's just building something them something out themselves. And I think that's gonna start coming to fruition like probably this year. I've already seen

Corey Ham:

the SOCs.

John Strand:

I think if you want, you could set up a meeting and you could talk to Ethan about what we're doing in our SOC. But one of the things I've learned in kind of listening to our SOC and what we're doing is it it AI is not anywhere close to being the anywhere close to being the silver bullet that's being promised, right, for the SOC. Because we work with multiple different EDRs. And working with multiple different EDRs, it's almost like you have to train the AI for each one of the EDRs that you're going to be dealing with on how to handle it properly.

Wade Wells:

Oh, I've talked to Hayden plenty of times. I know all about it.

Corey Ham:

Yeah. And for those

Wade Wells:

you think got me on the Claude Code? It was Yeah.

Ralph May:

The other thing I've been thinking about recently too about this AI discussion about like the attackers and the defenders now having AI. What if you took away the ability for or like what if, for example, they don't have access to that frontier model. Right? What if they start cutting that off or making it harder to get? Now they're like severely weakened, right, to actually be able to do things because of people's reliance on it.

Ralph May:

Like, just like everything you built your whole stack off the fact that

Corey Ham:

it is

Ralph May:

this. Right?

Corey Ham:

Oh. What if they That

John Strand:

got gets into that gets into one of my points is a lot of companies are looking at AI as a rip and replace or downsize. Right? We can do what we're doing. We can do it cheaper. We can get rid of people.

John Strand:

Instead of looking at AI as it should be, I'm gonna augment my existing team and make my team more awesome moving forward. And that's going to be one of the big struggles that we have in security, I think, in the in the next twelve months.

Corey Ham:

Mhmm.

Ralph May:

Well, and then the other thing too is like products that they're making that rely on Claude Code. What if Claude Code finally goes, guess what? We spent $500,000,000,000 and we're gonna have to raise those token credits. There's it's it's going up. It's gonna get more expensive.

Ralph May:

But your company needs that to make money now. Right?

Corey Ham:

Vendor lock? No, we've never seen that before. No one's vendor locked. IBM made money. IBM made more than Microsoft until like 2008 because of vendor lock, anyway.

Corey Ham:

What

John Strand:

about Uber? I mean, Uber's full business model, go in, be cheap, wipe out all the existing taxis, and then start raising prices.

Corey Ham:

Yeah. Yeah. No. That's the standard tech play now. You you become you you become the market, you you become the oligopoly or whatever you wanna call it, and then you just sit down together and say, so boys, how much does a token cost?

Corey Ham:

What if it costs twice as much? I can can tell

Ralph May:

you that RAM price, it's gonna come to Rooster, right, when they ask for more. They, like, there's billions of dollars that those investors are doing. They're not doing it for fun. They want their money back. Yeah.

Ralph May:

Because it's gonna have to get paid. Right?

Bronwen Aker:

So You're

Wade Wells:

not gonna

Bronwen Aker:

get it all back. That's the sad part.

Aisling nic Lynne "siriciryel":

Yeah. Well, no.

Corey Ham:

No. It's fine. We'll just mine Bitcoin. Don't worry about it. It's fine.

Ralph May:

You just hang wavy. My bigger, like, technical security point was just like, if if attackers all rely so heavily on it, and then somehow it starts getting more, like, harder for them to get a hold up, obviously, they're gonna shift tactics, they're gonna build their own, and I I get I get that. But, I mean, that could cause, you know, like the similar of like the DDoS attacks. Right? Like, if you can cut them the ability for them to perform that, then that could be a rippling effect.

Ralph May:

Right? So I think it could get interesting.

Corey Ham:

Right? It'll just be the same thing as like every other globalized industry. It'll be like, we start as the industry leader, then DeepSeek is like, we have tokens for half the price. And there'll be like, somehow tokens like AI models built out of Bangladesh or something that somehow costs like 25%

Ralph May:

of the money. Try

Corey Ham:

Yeah. Like, and then we'll have like budget and then, you know, then we'll become overly reliant on them, then they'll cut off access. You know, it'll be a whole thing. Then we'll have tariffs or like a 10% token.

Ralph May:

Token tariff.

John Strand:

People got real concerned that I'm webcasting and driving at the same That would be irresponsible. I am in the passenger seat.

Corey Ham:

He's in an Uber. It's a self driving car.

Bronwen Aker:

She's in

Aisling nic Lynne "siriciryel":

The US. That is not the driver's seat.

John Strand:

These self driving Cybertrucks, I'm sure, are completely safe.

Corey Ham:

No. It says full self driving on it.

Ralph May:

It's he promised me.

John Strand:

Alright. I'm not the cyber truck either if you're joining us late.

Corey Ham:

Let's yeah. Let's make a left turn in our trucks, in our cyber dumpsters, and talk about a leak that confirmed that Graphene and Motorola are partnering up, which is super exciting. We had kind of a bummer of an Android article last week, which was basically that Google is ratcheting up the pressure, becoming more Apple like, and basically gonna force they're gonna get rid of anonymous app store developers, which is like kind of it is what it is. But this is kind of the antidote to that. So apparently, GrapheneOS, which is the leading privacy based Android distribution, I would say.

Corey Ham:

I don't know if that's like a fair intro, but

Ralph May:

I think that's a fair intro. It it only runs on Pixel hardware, but I think that is fair.

Corey Ham:

And right now, it only runs on Pixel hardware, but obviously, there is now a plan to expand this, it seems. The post was deleted, so like this is a leak. Right? Like, maybe this won't be confirmed. But basically, it says here, in a Motorola presentation, they put a slide that had a thing, a mention of GrapheneOS, and it would be a really cool partnership to have this as an OEM option.

Corey Ham:

I kind of see this as when OEM start to take on like, you know, Lenovo was like, you can install Linux and everyone was like, oh my god, this is amazing. I think the same thing is true like when you see OEMs picking up phones, this is even more important because phones are much more specific hardware wise and difficult to get running. So having an open standard like between this, between an OEM and a graphene developer would be really cool, I think. Hopefully, they don't force graphene to compromise.

John Strand:

But I just hope that Google doesn't come in and curb stomp this. Like, I could totally see them being like, nope, you're not doing that. But if you're in this, like, cell phone market, right, like, you've gotta find ways that you can break out. And maybe this is a way that you can help break out. Like, you can start supporting other operating systems.

John Strand:

I know a lot of technical minded people would move to a phone if they would have more control over the underlying operating system, for sure.

Corey Ham:

Yeah. And I think that's what graphene really gives you more than anything else.

John Strand:

Cloudstrife says Cloudstrife says, I like this Optimus take. Let me ruin it. It would be really hard to sell phones to technical minded people when they've all been replaced by AI. But

Wade Wells:

Alright. Thanks a lot, Chad. Get out of here.

Corey Ham:

Alright. Let me know when the lemming starts, when we're gonna go jump off a cliff.

Wade Wells:

When when what was the last flagship Motorola phone though?

Ralph May:

Oh, dude. The Razr No.

John Strand:

Razr The the Razr flip phones, like the

Corey Ham:

the screen.

John Strand:

There's a lot of people that have those phones.

Wade Wells:

Okay.

Corey Ham:

Yeah. I would say like that, yes. I think they're you're right. Basically what Wade's getting at here is that Motorola has not been the industry leader in the flagship market for a long time and this will not change that.

Wade Wells:

Yeah.

Corey Ham:

But honestly, I would say, like, a lot of the people who are using, like, low what I would call low cost Android phones, not flagships, like normal at regular phones that you've never heard of that's called Normie phones? Yeah. Normie phones. Those phones, I think Nice. Are a way better use case for Graphene OS.

Corey Ham:

Like, these people are running in weird markets like, you know you know, third party cell carriers like weird scenarios and having more control over the OS is would potentially be really beneficial for those people. I will tell you Motorola sucks

John Strand:

now, but seriously, if they do this, I'm getting one that's gonna become my primary phone.

Wade Wells:

They'll also be the primary carrier of most criminals then too. So that's, you know, that's that's the

Corey Ham:

We already had that, dude. That's so what they were saying is the FBI okay. So you're leaking it now on the show for the first time ever. The FBI is buying Motorola and GrapheneOS. They're they're doing it again?

Corey Ham:

They're doing it again. There's no way.

Ralph May:

Was an awesome book. It

Corey Ham:

was They're an awesome rebooting the they're

John Strand:

It's not Pete. It's not that Pete ever listens or watches the show. That's how you do it.

Aisling nic Lynne "siriciryel":

Honestly, Motorola with graphene on it out of the box would get me to actually buy, like, pay for my own, buy an Android phone.

Corey Ham:

But you could just buy

Ralph May:

you could buy a Pixel today. Buy a Pixel eight, buy a Pixel nine, and and just set it up there. I've I've got some right now.

Aisling nic Lynne "siriciryel":

I can, but I don't trust it.

Corey Ham:

Well, that's the whole point.

Aisling nic Lynne "siriciryel":

I don't trust it. No no no. That's not Long term. Long term situation with the pixels and with what Google started doing last year Uh-huh. With locking away the code for the hardware behind a case and and situation where they've got like, here, this is our model phone that isn't actually the same as Pixels anymore because we wanna make pixels more specifically ours dropped.

Aisling nic Lynne "siriciryel":

And I'm pretty sure that was what kicked graphene to say, so we need to find another manufacturer to make sure that you know, everything plays nice and we get all of the code for going all the way down to bare metal on the hardware and make sure that all the stuff we're putting into graphene isn't being subverted by something at deep kernel level or over in what amount to vulnerable DLLs. Not that that's actually on Android. But

Wade Wells:

Alright. Click the link that Ashley just sent. Like, hasn't talked all all all new.

Corey Ham:

I know. Should have heard this. This is actually confirms it by Motorola.

Wade Wells:

I didn't realize Motorola was a Lenovo company. And it wasn't until recently that I realized that Lenovo is China.

Ralph May:

Yeah. So Lenovo was originally well, actually, a low

Corey Ham:

It was IBM.

Ralph May:

Yeah. No. Lenovo or sorry. Lenovo bought IBM's laptop brands, so that's why Yes. People are associating it with.

Ralph May:

But that was IBM's brand. Lenovo was always, I believe, a Chinese company. I I could be wrong, but I think it was. And then they also bought Motorola now, and now they're getting the phones as well. And they've always been a Chinese company.

Ralph May:

But the Lenovo brand that we're all used to, like, buying a laptop, that's actually all of IBM's old stuff. That's why they have a little

Corey Ham:

tracky pad in the middle there.

Wade Wells:

That's right.

Corey Ham:

Yeah. You mean TrackPoint? Hell

Ralph May:

yeah. IBM exclusive.

Corey Ham:

Hell yeah. Yeah. No. This is cool. Guess we should also talk real quick about some actual vulnerabilities maybe, like pretend like this is not a geopolitics show.

Corey Ham:

CISA has issued an emergency directive for Cisco SD-WAN devices. This is probably worth talking about. I don't does anyone know what SD someone has their CCIE or whatever. What's in what's an SD-WAN system? What even is that?

Ralph May:

I thought those were I thought they were accelerators. I I could be totally wrong. Like, WAN acceleration software. This generally looks like the Pepwave or not Pepwave, but there's another brand Riverbed is another big brand out there that does that. I could totally be off though.

Corey Ham:

Okay.

Ralph May:

But there there's like a whole market for this kind of stuff. Cisco is Cisco is a very big company and they have bought a lot of products and services to fill niches, specifically in the government and other kinds of industries that would like be like really niche. Right? So Okay.

Bronwen Aker:

So is it is Cisco software defined wide area network.

Corey Ham:

Okay. That doesn't help me because I don't know what any of those words mean.

Ralph May:

And so it's like the software defined was the when I was doing the CCNP and other stuff like that, the whole idea of software defined networking was to get out of the router. Right? The physical hardware device and move to just software devices that would implement that across the board. Right? So you're running a lot of, like, x86 style chips that you implement and you add routing software into them.

Ralph May:

So

Corey Ham:

Okay. Someone in you guys are no help. I I appreciate your attempts though. So someone in Discord said, it aggregates WAN links and does other fancy site to stuffs site to site stuff. So this is like a replacement for MPLS, basically, I guess.

Corey Ham:

I don't know. No. I don't know. No. I don't don't

Ralph May:

think yeah. I've The SD-WAN stuff is I I think Yeah. It's a software defined networking. And that that's like a concept more than it is like a product.

Aisling nic Lynne "siriciryel":

It's Okay. In some sense, it's meant to replace dedicated company VPN, site to site VPNs. That's not all it does. That's not exactly what it's for. But that is the old thing that it plugs in and replaces.

Ralph May:

So what is the vulnerability?

Corey Ham:

So the vulnerability is a zero day, in which apparently has been actively under exploitation since 2023. Mhmm. Yikes. But they also ramped up more exploitation in 2025. It was actually disclosed by, you know, Cisco Talos and CISA jointly, I think.

Corey Ham:

And basically, the the vulnerability itself is there's a CVE for it. I'm trying to pull it up. CVE twenty twenty six is 20 it's auth bypass. So it's like the same vulnerability we've seen in almost every Cisco product. Unauthenticated remote attack attacker can bypass authentication, obtain administrative privileges.

Corey Ham:

There's a peering authentication mechanism in an affected system that doesn't work properly, specially crafted requests, you know, the classic like all the words you're used to. And it affects all the Like Oh, sorry. Go ahead.

John Strand:

I was gonna say it sounds like a lot of the same types of vulnerabilities where you trigger, like you said, either provisioning or starting up the first time like a wizard for authentication. Like, just accessing those libraries directly within it.

Corey Ham:

Yeah. It it affects all the different ways you could deploy this. Apparently, there's an on-prem Cisco hosted and there's also cloud, like, it even affects FedRAMP stuff. So, yeah. Basically, it's scary.

Corey Ham:

It's nation state. It's the same attacking telecoms that we saw in the CrowdStrike threat report. It's the same stuff. Like, companies going after communications infrastructure or I guess, APT is going after communications infrastructure to steal sensitive information. Speaking of What else we got?

Wade Wells:

Speaking of phones and infrastructure, ShinyHunters got someone today.

Corey Ham:

Yeah.

Wade Wells:

Where was that article? Gosh darn it.

Corey Ham:

I'm just gonna Google ShinyHunters and hope nothing goes bad.

Wade Wells:

They're they monitor that. They hit some Norwegian telecom, like Nido or something like that And Oh,

Corey Ham:

did you say Odido?

Wade Wells:

Odido. There

John Strand:

you The Dutch one? Dutch.

Wade Wells:

Yeah. Yeah. So they pretty much pwned them, exfil data, and then attempted to, of course, ask for money beforehand and there you go. Thank you, Ashley. And they said a big no.

Wade Wells:

So ShinyHunters said, well, we're gonna release the data. Pretty much

Corey Ham:

That is how ransomware works. I think it's a

Wade Wells:

little bit more hardcore because it's a telco. Right? So it's

John Strand:

It looks like they have home addresses, email accounts, bank account details, and IBANs. So passport and driver's license numbers, which I'm sure. So this gets into, like, if if you this gets into, like, a bigger question of anytime you're working with anything and they're like, upload a picture of your driver's license. Hi, Discord. Or your passport.

Corey Ham:

It it mean Oh, I forgot about that article.

John Strand:

Talk about talk about, like, some legislation that we need in the world right now where you need to have some type of security around that stuff. But this looks like this is another one of those scenarios where Odeo or I Odeo or whatever is like, yeah, give us your passport. Give us your driver's license. Nothing bad will ever happen here. And it seems like almost every time something does bad happen.

John Strand:

So who knew?

Corey Ham:

To configure your home router, please provide your passport and your driver's Oh

Wade Wells:

my god.

Corey Ham:

You joked. Like, why would they even have this information? Why do they even have this information? I don't So

John Strand:

but a lot of these providers, like, I I remember years ago with VPCs and cloud providers, like, long time ago when I was trying to set up websites and different servers in janky places on Southeast Asia for things I was doing at the time. They were totally like, give us a picture of your passport. Give us a picture of your driver's license. It was very common whenever you're working internationally trying to get something set up.

Corey Ham:

I think yeah. I mean, there's always gonna be ransomware.

Wade Wells:

Else I'm we still I'm still just surprised we haven't created some type of like centralized age verification. Like, know there's that like id.com or whatever site that

Corey Ham:

Oh, yeah. Yeah. But. If you live in Burma, you're good. Otherwise Or Estonia or whatever that has like a national ID system.

Corey Ham:

Anyway, we should talk about the Discord thing because we've we've been covering this article. So basically, we're talking about age verification stuff. Discord has now put it on hold. So there was enough backlash where they decided, okay, we know you like your, you know, Discord servers. We won't mess with it too much.

Corey Ham:

They blog they posted a blog post on Tuesday, basically saying, we're gonna hold off on this for now, but we'll let you know. I'm assuming they're not gonna change their minds? They're just gonna slow down and do it quietly?

Ralph May:

And then California said, hold my beer. We're gonna start making all operating systems. Yeah.

Corey Ham:

Yes.

John Strand:

I this gets into, like, this this balance. Right? Where it's like, won't somebody think of the children? And and if you if you were trying to have privacy arguments or conversations around it, they're like, but you support criminals then. It's like, we can't make it, like, that binary of of a decision.

John Strand:

Right? It's just I mean, we've been dealing with this for a long time. I go back to the San Bernardino shootings a long, long, long time ago, where the week before, literally, everyone was freaking out about Facebook and privacy, and Facebook could read your messages, and Facebook could do this, and everyone's freaking out. Then the shooting happened, and then immediately people were like, why wasn't Facebook monitoring for this and, you know, warning people that this would happen? It's we're gonna be fighting this a long, long, long time.

John Strand:

And you're always gonna have the won't someone think of the children group.

Corey Ham:

Because Okay.

John Strand:

I I I was talking about operating systems, verifying your age before you run an OS.

Corey Ham:

Well, hold on.

John Strand:

Are kidding?

Corey Ham:

So this one This is this is a joke, to be clear, but I have an easy way to do that. You just have a thing that says, what does this logo indicate? And then it's like, click the correct logo to proceed. Yeah. Click the floppy disk to proceed.

Corey Ham:

And then there's like nine icons, and if they don't click the floppy disk, then you just say they're underage. Right? I mean, it's that

Wade Wells:

easy.

Ralph May:

New AI will be what the floppy

Bronwen Aker:

If only it was that easy.

Corey Ham:

No. Yeah. I mean, I will say this is kind of crazy, the operating system level. Like, what does this mean? It's illegal to run Linux in California?

Corey Ham:

Yes. Yes.

John Strand:

Which would make for some awesome awesome t shirts. That would be great.

Bronwen Aker:

Yeah. Yeah. I mean I'm

Aisling nic Lynne "siriciryel":

I'm getting flashbacks to the RSA t shirts that my college classmates wore.

Corey Ham:

I okay. Feel like

Wade Wells:

Yeah. Which

Aisling nic Lynne "siriciryel":

one? The you cannot export this.

John Strand:

Oh, yeah. And it had the code for region locking for DVDs.

Wade Wells:

No. I remember

Corey Ham:

I was thinking of remit, Nick.

Aisling nic Lynne "siriciryel":

The the older version of the same idea.

Corey Ham:

Okay. Okay.

Aisling nic Lynne "siriciryel":

Yeah. Wanna say '48.

Corey Ham:

I I feel like this is like cal this is so classic California every building causes cancer. I think this is gonna be like it's either gonna go one way or the other. Everyone on the Internet is a minor, or everyone on the Internet is of age. Like, this is all this is gonna do is force everyone into this fork in the road where everyone's 18 now, congratulations. Or no one is 18, the whole internet is for kids now.

Corey Ham:

Sorry.

Ralph May:

Well, so I guess Okay. Okay.

Bronwen Aker:

As the token Californian in the room.

John Strand:

Okay.

Wade Wells:

Alright. Just leave me out of here with the San Diego flag behind me.

Corey Ham:

Alright. That's okay.

Bronwen Aker:

Were also a Californian. It's our

Corey Ham:

generation. We really got his sign in the background.

John Strand:

I visited California a couple of times. Go ahead, Bronwen.

Bronwen Aker:

Yeah. Mean, California California does try to take the whole privacy thing more seriously. And we we saw that with some of the what what people call the Californian version of of GDPR and some of the other other privacy regulations. Absolutely, I agree. This nonsense requiring all operating systems to have age verification, It's never going to fly achievable.

Bronwen Aker:

We don't have a viable way to verify any person's age with or without government IDs. I mean

Corey Ham:

Oh, you think that's gonna stop California? They'll just keep on rolling, and every building causes cancer.

John Strand:

I was gonna say

Corey Ham:

It will. Yeah. Yeah.

Bronwen Aker:

It will. Mean, I remember

Corey Ham:

At the

Ralph May:

gaming store.

Bronwen Aker:

We've we've gotten around on on legislation like this before. And I'm not gonna say that every time, calmer heads prevail, but usually, the process works better than not.

Corey Ham:

That's fair. And maybe this will be rolled back. That is entirely possible. California has banned and then pretended to unban gasoline cars, like, 10 times. So there there there there's another chance for them to ban gas cars and then unban them and then re ban them.

Corey Ham:

That maybe that's what'll happen. We don't know. They definitely don't make ice. We'll see.

Bronwen Aker:

Hey. We're not the one naming snowplows fancy things, but that's another conversation.

Ralph May:

Internal combustion engines, guys. Jesus.

Wade Wells:

Oh my god.

Corey Ham:

Oh, that's terrible. Go back to your But I let that one go. What? Yes. We should talk about the smart glasses one.

Corey Ham:

So we're

Bronwen Aker:

And gonna also and also the robots. We've talked about robots earlier. Should this is a little more in the real world robots.

Wade Wells:

I think I think we talked about that robot one.

Corey Ham:

We did. The vacuum? Yeah. This is from Yeah. I think this new.

Corey Ham:

Okay. Ashley, tell us about the robots. Tell us about the killbots you're building in your basement. The killbots. Well, there are plenty

Ashley Knowles:

of them. So beware. Don't annoy me. Anyway,

Ashley Knowles:

so apparently, there's a security flaw in the DJI Romo robot vacuums that allow unauthorized access to them.

Corey Ham:

No.

Ashley Knowles:

Some strategist was playing with Claude Code and reverse engineer the protocol or using it to reverse engineer the protocol and attempt to communicate with the servers. And instead of just letting him access his own device, it handed him over the keys to six thousand other robot vacuums.

Corey Ham:

Yeah. I I read I

Ralph May:

read deep into it. So he was looking to try to control the vacuum remotely so he could, like, drive it. And so he he used Claude to kind of reverse the API. And then when he got to, like, trying to control, like, you know, actually making those API requests, he realized that the API did not validate if he owned the device ID that he would enter in the API request. So he would just give it more device IDs and then he could control everything and then get whatever was on of all of those.

Ralph May:

So was

Corey Ham:

DJI is like, dang it. You found our secret doomsday device, you son of a bitch.

Wade Wells:

I'm surprised they're letting them sell vacuums after they banned the drones. Right? Like, what what's what's this vacuum if not a drone on the ground?

Corey Ham:

The article does imply that only 6,700 people own them.

Wade Wells:

Did you see did you see one of the like, they have the see through case. It reminds me of very like old school Mac, like the ones where you can see all the inter it's actually pretty cool. I was like, alright, that's cool.

Ralph May:

I like Ukrainians are like, great idea. And they have little robot vacuums driving in the buildings to blow up.

Wade Wells:

It's like a size of a land mine. That's perfect. Yeah. You're giving them you're giving them ideas.

Ralph May:

If this was right under trucks, boom.

Corey Ham:

The DJI Claymore coming this summer. You don't even need a pen. The the last article I wanna talk about and then we'll do CTF winners is someone made an app that tells you if someone nearby is wearing Meta Ray Ban smart glasses. I love this so much because it's so simple and so basic, but also really neat. So it's the concept is super simple for those that aren't Bluetooth or WiFi experts.

Corey Ham:

Basically, similar to MAC addresses and WiFi, the Meta Ray-Bans have a Bluetooth device identifier they use when they're talking to the, you know, whatever devices are around. And someone just wrote a super simple thing that monitors for that device prefix, basically, and then tells you, hey, someone has one of these nearby.

Ralph May:

You could do this for any device, not

Corey Ham:

just Yes. Correct.

Ralph May:

Any Bluetooth device. You could be like, oh, look, so and so has this nearby.

Corey Ham:

Yes. But someone's wearing AirPods nearby is not as interesting as someone has wearing Meta Ray Bans nearby. Yeah. Yeah. Yeah.

Corey Ham:

And it's obviously it's Android only and it's not gonna know, it's like probably a side loaded app, like, luck installing this on the Google Play Store or whatever. But it is a cool concept. It's I will say, Meta could easily get around this, you know, as an example, Mac Mac devices randomize their their WiFi MAC addresses. So like, they could easily work their way around this if they wanted to, but, you know, maybe they will, maybe they won't. It's an interesting area right now where the Meta Ray-Bans in particular, they have some they try to build in some like anti-stalking features, like if you cover up the recording light, it's supposed to like stop recording and stuff like that.

Corey Ham:

But, I mean, to be fair, spy cams have been a thing forever. Like, what was it? The nineties when we had like cameras and, you know, buttons and people's shirts and stuff like that. The FBI is like, we can just wear the Meta Ray-Bans. That's kinda cool.

Corey Ham:

But like, it's not yeah. I mean, this isn't new. Spying on people using tiny cameras isn't new. Yeah.

Bronwen Aker:

No. What is what I liked about this article when I read it through was that this is like the the WiFi Pineapple, but it's specific to something that is being used in the field to invade people's privacy. So I I thought that was that was a kind of cool feature. And, frankly, as far as, Meta obfuscating the the MAC addresses, I don't think they're gonna do that because then they'd have a harder time data mining who's doing what.

Corey Ham:

Well, not actually Well, they already know who's doing what because they control the device. Right?

Ralph May:

Not not to defend the Meta glasses, but just because someone's wearing them doesn't mean they're recording. Right?

Corey Ham:

Like True. That's a good point.

Aisling nic Lynne "siriciryel":

It's not like Yes.

Corey Ham:

And there's

Aisling nic Lynne "siriciryel":

a light that's supposed to show when they've turned it on, but there are people selling the service of disabling the lights.

Ralph May:

Oh, sure. I'm sure. You just get a Sharpie. Yeah. Yeah.

Ralph May:

I I just I'm just saying Wow.

Corey Ham:

Wait. You should start a company, man. That's an advanced idea. I'm out there. Saying he wants to wear glasses.

Wade Wells:

I have to be

Ralph May:

doing it right now. Oh my god. There's a Meta Meta Glass right there. Get him. And he's just like,

Aisling nic Lynne "siriciryel":

the heck's

Ralph May:

going on here? Like, I'm

Wade Wells:

just wearing glasses around. They accidentally

Corey Ham:

hit him with

Wade Wells:

chunky glasses.

John Strand:

It was.

Corey Ham:

Right? It's not even a MetaGlass.

John Strand:

Like that with the Google glasses.

Corey Ham:

There were people Glass

John Strand:

holes. Getting into big, big jet glass holes. There was people that there were people that were getting into big trouble wearing those out in public, and I'm wondering how long it is until that stigma is gone that, you know,

Corey Ham:

you can't I think it's already gone. I I I see people wearing them, and I just think yucky, but I'm not like about to go up to someone and be like, you turn that camera off because I'm I'm sitting here like this. Oh, hi, buddy. How's it going? Like, you know, everyone's got their

Ralph May:

phones out all the time.

John Strand:

Yeah. Somebody just dropped a great Snow Crash reference. So

Corey Ham:

That was me.

John Strand:

Okay. That makes sense.

Wade Wells:

I just can't wait till Daemon is a thing, if anyone remembers that look. Right?

Ralph May:

Daemon, Like, we're already

Corey Ham:

we're we're almost. I wanna do the

Wade Wells:

oh, like, with the glasses and track people, like, we're almost. We're almost.

Corey Ham:

Yeah. Alright. Before we before we close out with a chicken article, the weekly CTF winners, we have four total winners, all of whom have won a course of their choosing on Antisyphon Training, training that doesn't suck. We have Shudlarc, Shadowlarc, maybe? Shdw Lark.

Corey Ham:

We have curious seventeen, wombat fourteen, and intercept or inter c p t. Well done. Well done. Congratulations.

Bronwen Aker:

Well done.

John Strand:

We might we might be taking a little break on these CTFs, just to give you all a heads up. We gotta get some stuff kind of organized. So we might be taking a breather and bringing them back in a couple months.

Corey Ham:

In the future, we'll let you know when CTFs are back. Alright. The chicken article is just it's just a fish. The chicken news? It's a fish.

Corey Ham:

The chicken news is a fish. Okay. I'm sorry, everyone. The the chicken news is actually just the link that says that, basically, this is a real thing. Microsoft, in their official Discord, in the Copilot Discord, has banned the term Microslop.

Corey Ham:

That's the chicken article. I don't know why it's in the chicken section. Clearly, AI got confused about what chicken is.

John Strand:

Because Microsoft is chicken. There we go.

Corey Ham:

Oh. Because they're too chicken to They're too I don't know.

Bronwen Aker:

They can't handle the

Corey Ham:

That's as

John Strand:

close as I can get.

Corey Ham:

That's Brad's close.

John Strand:

He can handle the tea. Yeah. There you

Corey Ham:

go. Well, little Any final articles? Cut the articles. Yeah. So No.

Ralph May:

There was there was one article with actual exploit, which was the new WiFi exploit. Did you

Corey Ham:

guys tell us about this. I saw it in the list and I

John Strand:

Really, I started reading that, and I'm like, this is really a lot of things that have to align. I think but I got the point in the in the academic write up where they're like, this is really academic. Like, this is such a weird edge case for this WiFi attack to work. So

Corey Ham:

I I

John Strand:

thought it was interesting, but it is it it it it's a cool read from a technical perspective. But no, WiFi is not broken all the

Ralph May:

way down. It's not broken. It's a layer one, layer problem too. They're not even into any of the encryption stuff. So No.

Ralph May:

Yeah. It's one of those things where, like, there are some ways in the middle where you could do things like anything that's unencrypted. So maybe like DNS or other things like that, changing the addresses there. And it does there is mitigations that hardware vendors can put in place and other things. So I don't know.

Ralph May:

Again, it got a little technical as John mentioned and it's not like, Yo, POC just dropped.

Corey Ham:

Yeah. Also, by the way, the transport layer has been assumed compromised for the last fifteen years. No one that the like, everyone thinks that the network they're on is being surveilled and that's why we have TLS. Right? Like Well,

Ralph May:

that was like the thing they were like, make sure use a VPN and a public WiFi. And I was like, interesting.

Corey Ham:

This is sponsored by NordVPN.

Aisling nic Lynne "siriciryel":

Also like, if you set up your own networks and wanna put in a guest, just start doing VLANs, like, really.

John Strand:

Well, so I agree with that. But my problem with that is is that something that you can roll out to coffee shops? Is that something that you should roll out to general home users? And I think the answer is no. But still, like I said, I loved it from a technical perspective, but I there was like I said, I was, like, three quarters of the way through the write up.

John Strand:

They they literally just say, all of this is, like, an absolute perfect storm of circumstances for this attack to work. But still, it was an interesting read.

Corey Ham:

Yeah. I think this kind of academic research is really important. I mean, it's kinda like all the POODLE and SSL version two, and like like, fundamental encryption

John Strand:

padding attacks. Yeah.

Aisling nic Lynne "siriciryel":

Yes.

Corey Ham:

Mhmm. Like, it's like, it it matters and I'm glad someone's working on it, but also like, for those, you know, for those of us like me who are just like, computer go burr, like, you know, hopefully someone will fix this in WiFi The

Ralph May:

the other one too recently was the password one too, right, the password managers. And the whole attack was, if they compromised the entire company 1Password, what could you do?

Corey Ham:

A lot. Hey. Wade, has

Wade Wells:

that alright? Alright. Clausen close the roll the finger.

John Strand:

Let's let's let's dwell on that for a few minutes and simmer

Corey Ham:

on There was a Wade's like, I'm on paternity leave, you assholes.

Ralph May:

I think that but I

John Strand:

think that those types of conversations are important because this goes back to the article we were talking about. Whenever you have a website, totally not 1Password, by the way. But when you have websites and you have services that are like, we want driver's licenses and passports for all of our customers, these questions, I think, are valid questions at some point. That's why really good for firms like 1Password, they actually do have a security section where you can see, like, who's done the pen test, letter of attestation. So you could see that they are actually getting tested on a semi regular basis.

John Strand:

See, Wade, I'm helping out.

Wade Wells:

Thank you. Thank you. Yes. That is that is there. And sometimes I don't know how to feel about that, but it is good for the consumer.

Wade Wells:

It does make

John Strand:

my job Wade.

Wade Wells:

Does make my job harder. But yes, you are correct. I agree. Yeah. Ralph and I had a lot a lengthy discussion about a password manager vulnerability that came out.

Wade Wells:

And luckily, I was not on call. So that's the good one. At that time. Yeah.

Corey Ham:

I mean, it's kind of At

Bronwen Aker:

the end of the day, using a password manager is better than not using one.

John Strand:

Correct. Agreed. Agreed. Yep.

Bronwen Aker:

Can it get popped? Well, yeah. Everything can get popped sooner or later. Yes.

Corey Ham:

That's why I only use transport over carrier pigeons, which so far, there's no any none of these attacks work

John Strand:

Actually, for that that's not true. That's not true. That's absolutely wrong.

Bronwen Aker:

You don't move with

John Strand:

Before we before we shut down before we shut down, you need to understand that the avian transport protocol has many of the exact same vulnerabilities that exist in a number of other protocols. For example, whenever you're going IP over carrier pigeon during hunting season, you may drop a few packets, to say.

Corey Ham:

The other thing to

John Strand:

keep in mind is what do you call what do you call a pigeon in a blender? Fragmentation. Reassemble his pitch. And with that,

Corey Ham:

take us

Ralph May:

out, man.

Corey Ham:

Appreciate it. Bye.

Creators and Guests

Bronwen Aker
Host
Bronwen Aker is a BHIS Technical Editor who joined full-time in 2022 after years of contract work, bringing decades of web development and technical training experience to her roles in editing pentest reports, enhancing QA/QC processes, and improving public websites, and who enjoys sci-fi/fantasy, Animal Crossing, and dogs outside of work.
Corey Ham
Host
Corey Ham has been with Black Hills Information Security (BHIS) since 2021 delivering red teaming and OSINT services. Currently, Corey leads the ANTISOC team at BHIS, providing subscription-based continuous red teaming to BHIS clients. Outside of his time at BHIS, you can find him out in the woods or up on a mountain somewhere.
John Strand
Host
John Strand has both consulted and taught hundreds of organizations in the areas of security, regulatory compliance, and penetration testing. He is a coveted speaker and much loved SANS teacher. John is a contributor to the industry-shaping Penetration Testing Execution Standard and 20 Critical Controls frameworks.
Wade Wells
Host
Wade Wells has been working in cybersecurity for a decade, focusing on detection engineering, threat intelligence, and defensive operations. Wade currently works as a Lead Detection Engineer at 1Password, where he helps build and mature scalable detection programs. Outside of his day-to-day work, Wade is deeply involved in the security community through teaching, mentoring, podcasting, and running local events.
Aisling nic Lynne
Guest
Aisling nic Lynne "siriciryel"
Aisling nic Lynne is a cybersecurity practitioner with strong interest in privacy and forensics, all the way back to setting up GPG inside her AOL IMs in college. Her broad technical background includes being a sysop for a top-20 supercomputer, high-energy particle physics experiments, and aero engine engineering. She is a second-generation ttrpg player, handyma'am, and would collect more Star Wars LEGO sets if only she had a place to put them. Some people want to see the world burn; she wants to see people's eyes alight with understanding.
Ashley Knowles
Guest
Ashley Knowles joined Black Hills Information Security (BHIS) in Fall 2021. As a Security Consultant, Ashley’s role is to perform network (internal/external), social engineering, and cloud penetration tests, as well as participating in red team assessments. Since joining the infosec community in 2013, she has developed and taught hacking classes, worked as a security consultant, and been a team lead on a red team. Ashley serves as a mentor at a local high school’s cyber security class and, as someone who loves to learn and teach, she looks forward to developing and teaching classes that add to BHIS’s educational catalogue. In her free time, Ashley enjoys photography, hiking and exploring new places with her kids, and building Legos.