Shai-Hulud malware leaks secrets on GitHub – 2025-11-24
Wadhib.
Aisling:That's what we start with?
Andy:Hey, I mean, it is a killing
Aisling:word. Okay. Fair enough.
Andy:Do do we wanna talk about this now? Or do we wanna wait until we actually, like, start the show?
Corey Ham:Honestly, we we should there's so many articles this, like, this week. Like, we should probably just give ourselves the extra two minutes and just go live now. Because this is gonna be this is gonna be a spicy week. There is so much to cover. I don't know if we'll get through it all, but there Yeah.
Hayden:Before we go live, Corey, do we wanna talk about the scandal?
Corey Ham:What scandal? How we tried to sell that frozen turkey, but it didn't work out?
Ryan Poirier:Apparently, he's about to tell us a scandal.
Hayden:Well, I mean, I'm I'm just gonna toss mine into some some hot oil. That's what I was told to do. Yes.
Andy:Yes. Oh. Fully frozen. Do not thaw it first. Yeah.
Andy:Because that's you
Hayden:get the thought.
Corey Ham:Turkey. Yeah.
Andy:Yeah. So you just What? Full frozen into the oil.
Corey Ham:What's the scandal though? Now I wanna know. Is the scandal?
Aisling:Get a camera because it's such an amazing process. Yeah. What food? Nice what camera?
Ralph May:Name one food that is good for frozen. Like, the making it from frozen is good. So why would like
Andy:Ice cream.
Ralph May:Turkey be like a thing you're like, this is the one.
Corey Ham:He got you with the ice cream though. I will say, I do think most fried foods, aren't they prepared from frozen? Like, when you get fries at a restaurant, aren't they thrown straight from the freezer into into the fryer? That's what we did at Wendy's.
Corey Ham:Are you not supposed to be doing that? I don't I don't I never worked at Wendy's.
Ralph May:Maybe that's my cultural problem.
Hayden:It Wendy's.
Aisling:It depends on a bunch of factors, but the main thing that makes that okay with fries is that you have a whole lot of surface area with a whole lot of porosity. So when it goes in, it does not suddenly superheat a bunch of closed sealed surfaces and make them go pop. This is different from a bird with skin on it.
Corey Ham:Now, I'm like googling how fries are made. Yes.
Ralph May:I I I would say though I I would say, I guess they do. Okay.
Corey Ham:So okay. I have like a I have a non related I have a non related story for the news as like a pre show banter topic. So we have a Dyson cordless vacuum and it's one them. Have like America. We have multiple we have multiples of these.
Corey Ham:Right? Like, there there's one new one, there's one old one that like they, you know, some are in different locations. But anyway, one of them is old and died. Like the battery it would run for like two seconds and the battery would die. Mhmm.
Corey Ham:So I just went on Amazon and found a battery and ordered it. And then my partner was like, hey, you're gonna burn down our house because apparently this is a thing where like replacement Dyson batteries are burning people's houses down. And so then it then it became a question of, like, she was like, is it lithium ion batteries? What is it? And then I was like, okay.
Corey Ham:Let me just list all the Chinese made lithium ion batteries in our house, of which there are so many. Many. Yes. And so, like, I don't know. I was just curious, like, how many lithium ion batteries do you guys have in your houses?
Corey Ham:Are you stressed about them? Like, I don't know. Should I be stressed about this?
Hayden:I also have a very suspicious Dyson battery.
Corey Ham:Did you? Did it blow up? Please tell me.
Aisling:No. But I replaced
Hayden:it, and it hasn't exploded yet. I mean, it doesn't it doesn't last very long either. It was kinda like a crappy one, but I just think
Corey Ham:about that. For prices, the replacement was $35 on Amazon. The Dyson battery is $96. So it's literally three times as expensive.
Ralph May:I just think about my Tesla and I think about that too when it's in the garage.
Corey Ham:Dude, that's a lot of lithium ion batteries.
Ralph May:Think a lot of batteries.
Corey Ham:But those in your vacuum hydrogen.
Hayden:Thing once you hook it into that.
Aisling:Oh. That's so much hydrogen just waiting for an excuse.
Ralph May:Yes. Exactly. But I mean, you're right, Corey. There's batteries everywhere.
Corey Ham:I don't know. I don't know. I was just thinking about how, like, I have portable lamps that have batteries, probably lithium ion batteries. We have cat fountains that have lithium ion batteries, I assume. I mean, I guess it might be lithium polymer.
Andy:But not all all lithium yeah. Was gonna say, like, lithium polymer,
Corey Ham:the Yeah.
Andy:Like, LiFePO4 or whatever, those are a lot safer. It's the actual, like, lithium ion lithium batteries that are the dangerous ones.
Corey Ham:Yeah. Like, the scooters I think it's bigger. Yeah.
Andy:Bigger batteries, which is why, like, why people get more concerned when it comes to, like, you know, a Dyson or your drill or, you know, whatever, like, your power tool batteries. Because burning their garages down with their power tool batteries all
Corey Ham:the time. I'm just assuming they're all eighteen six fifties wrapped in any different form factor. Right? Like, they're all the same cells. Yeah.
Corey Ham:Yeah. Yeah.
Aisling:So mostly mostly. I mean, the cell chemistry only gives you one voltage. So if you want anything else, you have to start just stacking multiples.
Corey Ham:Alright. Interesting discussion. Ryan, let's go live. We got like a million articles to go through. Let's do this.
Corey Ham:Hello, and welcome to Black Hills Information Security's Talking About News. It's 11/24/2025. We've got so many stories this week. We're talking Shai-Hulud 2: Electric Boogaloo. We're talking CrowdStrike insider threats.
Corey Ham:We're talking turkey. There's a turkey article. So so get
Ralph May:excited Deep about deep for that. I've seen
Corey Ham:There is a turkey art it's not that deep. Oh, I mean, okay. It was kinda deep. But it wasn't that deep.
MarryEllen:Fried. Deep fried.
Andy:Deep fried.
Corey Ham:It was deep fried, but it it's it it made headlines. Okay? Okay.
Ralph May:Alright. That's fair. Are we getting right into It's banger.
Corey Ham:No. No. Let's let's save that one for last. Stay for
Hayden:the whole show and we'll do a turkey article at the very a right turcomo on
Corey Ham:you. Yeah. Okay. So I guess there's so many high profile articles. I think let's talk about the Shai-Hulud npm worm that we were talking about before the show.
Corey Ham:So essentially, it's very similar to last time. Right? Like it's basically the same thing again. Yeah. It's a worm that basically runs secret enumeration locally, like TruffleHog, and then it uploads the results that it gets to GitHub.
Corey Ham:So the easy fix is check if your GitHub has random repos created in the last, you know, twenty four hours or whatever. Right now, Wiz is reporting there's 27,000 packages or sorry, 27,000 repositories posted to GitHub, which is terrifying. There's a list they published on their website of infected packages. And also, you know, there's a lot of tools to check for this, like, it's very obvious. It just creates a repo called Shai-Hulud.
Corey Ham:So it's not or actually, sorry. Let me correct myself.
Andy:No. It's a random repo.
Corey Ham:Yeah. The repo has a random name.
Ralph May:It's base64, I think.
Corey Ham:No. No. The contents are base64. Oh. The repo name is random.
Corey Ham:It's like, I don't know, 16 alphanumeric characters. But then the description is Shai-Hulud. So basically, most of the tools there are the tools from last time; there were tools that would both scan locally for a file, scan npm packages, and also scan GitHub. If you have a GitHub repo with the description Shai-Hulud in it, you might be infected.
Aisling:Shai-Hulud: The Second Coming. Yeah.
Corey Ham:You gotta make your regex pretty greedy on that one.
Ralph May:Couldn't you like it wouldn't be like correct me if I'm wrong. Wouldn't one technique to possibly stop this if it hasn't happened to you yet is just to remove all the keys in your GitHub repo? Yeah. That would
Andy:Or on your local machine as well.
Corey Ham:Have to roll all your keys. Your PATs.
Ralph May:No. Roll roll the keys so it wouldn't be able to post the repo. Right? Yes. Correct.
Andy:Well, if if it can't Yeah.
Corey Ham:If it
Andy:doesn't find any keys and it can't find, like, an npm token, and it can't create a repo or any of that stuff, it will just wipe your home directory.
Corey Ham:Oh. Or wherever it's running. Right?
Aisling:Yeah. Great.
Andy:So if it can't exfil, it just goes, well, there's nothing here. Boom.
Corey Ham:Yeah. It's it's destructive under certain circumstances which that's new. That it was last time it had no destructive element.
Aisling:The other thing that's new is it puts in a relatively innocuous piece and then it's got a second piece of JavaScript that actually has all of the wormy behavior. And the first one has some oddball conditions that means that it does not 100% of the time include the payload package with the feeder, the worm package.
Corey Ham:Right. The IOCs are slightly different. The MO is the exact same. I mean, I think in a lot of cases, this is gonna be infecting it's a CI/CD focused attack. You're going after supply chain, you're going after continuous integration.
Corey Ham:Like, it I don't think it's really it's very similar. It's not that different than it was last time.
Andy:Yeah. I mean, lot of the repos that I'm seeing created on GitHub are coming from what would be like an internal bot account.
Hayden:Mhmm.
Corey Ham:Yeah.
Andy:And it looks pretty gnarly. I mean, I remember when this hit last time searching on GitHub for, you know, Shai-Hulud. By this time that day, there really wasn't anything showing up on GitHub. There's been a consistent 23 to 26,000 repos all day. Like, I saw this at eight something in the morning and there's been between twenty three and twenty six thousand repos the entire time.
Andy:There's new ones being created. Yeah.
Corey Ham:And GitHub's supposed to be deleting them, basically. It's like essentially the like, this is like a get it while you can scenario. GitHub is supposed to be deleting them and also trying to introduce security measures to block. Like, as an example, they're rolling out mandatory two factor and restrictions on access tokens and things. But I that's like a slow rollout.
Corey Ham:Right? Because you don't wanna deny service to users. Like, if you rolled everyone's PATs, that would create problems.
Aisling:Well, that's
Andy:They're not doing a good job of deleting
Hayden:these things.
Andy:Like, this last one's happening quickly.
Aisling:That's what seemed to set the timing for this one going off is the end of that rollout when all of that stuff is supposed to be set up and you're supposed to be safe because you're not supposed to be able to get in with few enough credentials for this worm to work is just a few days from now.
Ralph May:Yeah. Anyway,
Corey Ham:we can move on but, you know, we'll see how that unfolds. It's pretty easy to scan like we've been scanning our customers. We maintain a list of all the GitHub users associated with our customers and we just run that through a quick pipeline and if it sees a description Shai-Hulud, it fires. It's pretty easy.
Andy:Yeah. Yeah. And blue teamers, if you don't keep a list of all the GitHub accounts of your employees, might want to.
Corey Ham:Yeah. Your list is gonna be better than ours because we found ours with OSINT. So Mhmm. Yeah. I think we should talk about the CrowdStrike thing.
Corey Ham:I mean, there's multiple CrowdStrike things, I guess. But the one I wanna talk about first is the post essentially that it was a BleepingComputer article that CrowdStrike confirmed that an insider shared screenshots taken on internal systems with hackers. Essentially, Scattered LAPSUS$ Hunters, the threat actor group that we've been following and covering on the show quite a bit. Someone posted what appeared to be internal information related to CrowdStrike. They claim the threat actors claim that they paid $25k for that access.
Corey Ham:So I guess I'm like, remember the days where you could buy someone's access for only $5? Now, it's 25,000.
Hayden:Oh, man.
Corey Ham:Inflation Oh, is going out of
Hayden:god. I saw the opposite comment to that. Is all the comments I saw were like, is 25,000 really worth sabotaging your entire career? Like, okay. That is true.
Hayden:To CrowdStrike. The $25,000 won't cover your legal fees at that True.
Corey Ham:That is a very good point. I'm guessing they're not targeting people who are thinking super clearly.
Hayden:Probably not.
Corey Ham:Yeah. I mean, it kinda gets into, like, background checks and validation. Apparently, rumors are saying it was a 1099 employee, not like a full time employee. It brings up questions of, you know, business processes and validating that you don't have insider threats working there, etcetera. I don't know exactly whether the information they provided was super valuable.
Corey Ham:From my perspective, I can't really imagine what information you would have access to at CrowdStrike that would be super valuable. Like, I don't think there's big secrets at CrowdStrike. Like, if you put if you put a dollar sign in the file name, it won't detect you. Like, I don't know what the
Ralph May:Well, they said that they said it was a little deeper than that. They said that they were sending information about active detections from different campaigns and stuff. So essentially, they're paying to find out if they're getting if they're on to them in in different activities. Right? So that that Yeah.
Ralph May:Was reading.
Corey Ham:Like ransomware stuff.
Ralph May:Yeah. Like how how valuable that is. I mean, it could be it could be crazy valuable. I mean, information is essentially the the speed and time of that information to be able to change your technique before they can even do anything could be really, really valuable. But, you know, how long it gets there and what exact information they have access to, you know, that's up for a debate.
Ralph May:So
Andy:Yeah. Some of the screenshots looked like they had, you know, like contact info for customers and stuff too, which, I mean, that could be useful from a spear phishing standpoint. If you know who is expecting to get emails from CrowdStrike, then it it wouldn't be that hard to create some convincing words.
Corey Ham:Yeah. Also, knowing the EDR of your target in advance definitely helps with payload development and deployment and all that stuff. Like, the ransomware thing is a race. Right? Once they get initial access, it's a race to see who can deploy ransomware or contain the incident.
Corey Ham:So having information like they have CrowdStrike, here's their account number. Even here's the login for their Falcon portal. Right? Like, that would be potentially useful information.
Ralph May:Oh, yeah.
Corey Ham:If you're going searching on internal file shares or in people's emails to look for logins or API keys or things like that.
Ralph May:Yeah. Do you have any status updates for this host that we totally compromised? Right? Is there anything? Yeah.
Corey Ham:Right.
Ralph May:Right? I mean, that that that would be pretty useful, right, from a, you know, intelligence standpoint.
Corey Ham:My joke is like, when is this gonna be in scope? I mean, this sounds super useful for pen testing. No. I mean, honestly Just paying $25,000, is that is that part
Hayden:of your is that part of your budget for that
Corey Ham:Yeah. It's not in the budget right now, but maybe it should be. It should be. I mean, do you can
Ralph May:imagine how many employees probably disgruntled or possibly just already leaving might give out that for way less than $25?
Hayden:Probably. You know I'm saying?
Corey Ham:I'm pretty sure for that much money, we could just find someone at the target company who would just give us action. Yeah.
Hayden:So you're saying the attackers are shooting too low. They're like, hey, screenshots for $25k. They should be shooting higher. Like, just give us access to everything.
Corey Ham:Yes. RDP let me let me let's let's get on a call and let me screen share for five minutes and I'll give you $25,000. Yeah.
Ralph May:Like And we'll make it look like, you know, you just got compromised on accident. Or click this phishing email and then say, uh-oh, I didn't realize or, you know, holy crap. Oops. Oops. Just got young.
Ralph May:The scenario out. Like, you don't have to play it as in like, oh, well, I totally told them, You guys deserved it. You could play it off like a way cooler and just be like, oh my god, I can't believe this. Like, this is, you know, so
Corey Ham:Yeah. Alright. So next story. There's so many good ones this week. Did y'all see the article Fidelity suing Broadcom?
Corey Ham:Oh, god. My my joke on this one is, have you ever had a sales team that's so bad that they get you sued? That's basically what's happening. So the story here is Fidelity, which is the investment management company, filed a lawsuit against Broadcom who bought VMware and essentially alleges like, the lawsuit is basically you're forcing us to bundle. We don't wanna bundle.
Corey Ham:So it's like, essentially, if Netflix said you have to pay extra money for for no ads, then you just sued them.
Hayden:Mean, that's kinda based, so won't lie.
Corey Ham:I I I don't know how this will go. Right? Like, obviously, it's a lawsuit. It's probably civil. It's like contract law.
Corey Ham:I I think the best
Ralph May:the best way to describe this sorry to cut you off. Was just gonna say, best way to describe this would be that it's all about the finance of it as opposed to like the merit of whether you can or shouldn't be able to do this. Right?
Corey Ham:Yeah.
Ralph May:I think it was just so much money that Fidelity felt like it was worth throwing a bunch of that from a a civil lawsuit standpoint so that they either could recover or entice Broadcom to make a different decision because Broadcom now has to defend themselves and that costs money. Right? This is all like money fighting money kind of thing. Right?
Corey Ham:I just can't believe that Broadcom would actually like, I guarantee you, there was emails back and forth that was like, if you guys don't give us this contract, we're gonna go public and sue you. I can't believe that no one said, okay, fine, just give them the discount or whatever. Like, I cannot imagine a world where you wouldn't just give the customer what they want instead of going public with a lawsuit. Yeah.
Andy:I don't know.
Hayden:Well, mean, Broadcom is notorious for doing very well at all of the things and ventures that they set out to do. Right?
Andy:And they've been very open that they really don't care about anyone other than their, like, top 5%. Or they're like, we make 85% of our revenue from, like, three to five percent of our customers. So we don't care about anyone else. I mean, it's 300% to 500% price increases across the board.
Ralph May:Oh, yeah. So is
Corey Ham:this is Fidelity not in their top 5% customers?
Hayden:You think I they would guess not. Apparently not.
Andy:Well, I mean
Corey Ham:They are now.
Hayden:No. They probably they probably are. They are now.
Andy:But Broadcom's jacking everybody's prices up across the board. I guess I know.
Ralph May:So I guess Broadcom
Andy:They're was saying that they're hoping that everybody's just like, we're we're way too entrenched Mhmm. To go to another provider.
Corey Ham:To switch.
Andy:Yeah. So you've got us over a barrel and we're just gonna have to pay three to five times Sixth portion. Down.
Corey Ham:It's basically Yeah. Extortion. No. So then why is it this could turn into a class action then. That's the question.
Corey Ham:Will it turn into a class action?
Ralph May:According to this article though, it just looks like they it looks like they gave them a deadline and they were like, we literally can't switch that fast, which is a common across the board. That's actually why Broadcom raised the price on everybody. Like, they knew they couldn't switch and it would take, you know, some of these companies maybe years to make that adjustment. And so I think the lawsuit might be a way of them trying to, like, you know
Corey Ham:Get a stay of execution.
Ralph May:Yeah. Exactly. Stay execution. Exactly. To, like, stay off.
Ralph May:I mean, because you have to realize too, just just the fact that it got to this point means that, of course, Fidelity is looking to get rid of VMware software as fast
Corey Ham:as possible. Right. But they can't do that in
Ralph May:the cloud. Yeah. Can't just turn off all the computers and just start over tomorrow. Right?
Corey Ham:Well, could if they got ransomware, but let's not talk about that.
Ralph May:Well, yeah. But I mean, how much money does that cost? So it's like how much money are lawyers? Yeah.
Corey Ham:How much
Ralph May:money does it take to, you know, so now we're just talking money here.
Corey Ham:It is. It's very interesting that they they like the contract was botched so badly that they decided to sue publicly. Like I feel like from from a sales and like a leadership perspective at Broadcom, I wonder if like they just sent a bunch of demands to an email inbox for someone that got laid off or something and they never saw it. Like, I don't know. All this like corporate reshuffling like, you know, you have Broadcom who bought VMware and you have different like, corporate moving, like, pieces.
Corey Ham:I wonder if this just got dropped. The ball got dropped.
Andy:Or Broadcom wants to make this look like it is so expensive to fight them, that you don't have any option other than to pay. Yeah. And
Corey Ham:Well,
Andy:and think about it. So, you know, public financial company, they have a bunch of compliance things that they have to comply with. Yeah. They can't. You know, so it's not like if you're, yeah, if you're a small business or something, you're getting totally screwed now with the the minimums, and they're not selling a bunch of packages before, and, you know, it might be a 10 x increase for your VMware license.
Andy:But if you're a small business, you might not have the compliance things, and you could go six months without support until you can get onto something else.
Ralph May:Whereas Right.
Andy:Fidelity, they can't go a month without support They
Ralph May:probably can't go five months without a
Andy:Right.
Corey Ham:They're gonna
Andy:be in breach of a bunch of other contracts and everything else if they don't have active support. So, I mean, yeah. It's legal ransomware. Speaking of, Broadcom got hacked the
Corey Ham:other day.
Andy:Did y'all hear about that?
Corey Ham:Yeah?
Andy:WAP got them. Yeah. I was Okay. I I read it
Corey Ham:and I just Did they publish any license keys? No. I'm just kidding.
Ralph May:Nice. Worthless anyways. Yeah. I know.
Corey Ham:Switch to Proxmox, people. It's it's they got your back.
Ralph May:Oh my god. Yeah.
Corey Ham:I mean yeah. Right. That's a good article we didn't talk about. But yeah, it's E-Business Suite, that zero day week I think it was months ago that E-Business Suite happened where essentially, like, the scenario was Oracle was running an outdated version of their own software and it got popped with a zero day before they were able to patch it. Oh, wait.
Corey Ham:Did I
Hayden:did I Oracle
Andy:got popped? I meant Broadcom got popped.
Corey Ham:Yeah. Broadcom got popped via Oracle.
Ralph May:Yeah.
Corey Ham:It's the two worst tech companies in
Ralph May:America right now.
Corey Ham:It's like it's like an evil villain arc. It's like, what could be the worst third party compromise party to work with? Well, Broadcom got hacked and through their Oracle tool, it's like two companies worth of executives just yelling back and forth at each other and saying, pay me. F you pay me, just like Yeah. Two just two companies slinging mud back and forth infinitely.
Corey Ham:Anyway, yeah. Let's let's move on. Let's while we're in like business corner, let's talk about this NetApp suing their former CTO. Essentially, the scenario is I'm not even gonna attempt to pronounce his name, but Jean Stefansson, maybe is his name. Mhmm.
Corey Ham:Was sued by his former employer NetApp, basically for using information that he obtained while he was working as CTO of NetApp to start a competing company. Which is like, feels like a pretty common story, but I think it's rare for this sort of stuff to actually get prosecuted and filed actual lawsuits filed, actual like injunction. They actually have managed to get it's not a very long injunction, but they have essentially managed to get an agreement that he's not allowed to work for this competing company until a certain amount of time passes or whatever. So, yeah. There's a restraining order.
Corey Ham:Can you imagine getting a restraining order that says you are not allowed to work anymore? I'd be like, hell yeah. Free vacation?
Hayden:So Well, this this also says he moved to Iceland, and then it says that could make it difficult to enforce any future rulings. So Bro just up and said, yeah, I'm just gonna move somewhere where you can't stop me, I guess. So what
Aisling:I was looking at that name going, that is Icelandic.
Corey Ham:I was gonna say, his name certainly looks Icelandic. I don't know. Or Nordic in some way. But Oh. I'm assuming you don't move to Iceland to avoid city like police or I guess maybe.
Corey Ham:I guess maybe you do. But, yeah. I mean, I guess it's interesting from a intelligence perspective that gets into I'm sure the court documents will be pretty interesting but, you know, it it does make sense. If you're CTO of a company, you probably shouldn't be doing startups in the same industry. That seems like it goes without saying but he did and now there's a lawsuit filed against him.
Ralph May:Yeah. I mean, looks like this one is a squash competition when it came to the table. Right? As fast as possible. Now, how how close it is to their actual attack and if it was actually stolen, that's really for the courts to decide.
Corey Ham:Yeah. It certainly seemed like it's pretty cut and dry based on the fact that he already has a restraining order. Right? Like for I mean, it does expire in a couple days, but Mhmm. It's interesting, like, they have evidence based on GitHub and, I mean, where are these even being filed?
Corey Ham:I'm assuming in US courts. Right? If it's NetApp, which is is NetApp's a US based company. Right?
Andy:Well, I mean, I think the question though is, if he was the CTO, you know, was he necessarily bound by the same kind of restrictions that you, you know, might expect a lot of software devs Mhmm. To be bound by. You know, where it's like anything you work on while you're employed here is our property and blah blah You know, but I mean, that's also the kind of stuff that I would expect to see out of, you know, like, a big company. Whereas a startup may not be able to, you know, go right out of the gates and say, hey, you know, you you can't work on anything else. I mean, most of the time, if you're a startup, you're probably making less money and getting shares or something like that.
Andy:And a lot of those guys might have side projects. So Yeah. You know, just because working on it doesn't necessarily need that that it was the same thing. I mean, we'll we'll see.
Aisling:Or not.
Hayden:Probably not. The think the key and if you're building a product based on knowledge you gained at a company while you worked there, that's inherently different than I think what happened here. Because it actually says, like, in the opening paragraph, the important word, I think, is that during his employment, he used confidential information to establish a competing startup.
Andy:So I think it's different he met his parents.
Hayden:Right. Exactly. And that's what's important. And what will actually matter is did he do it while employed there, and was it actually confidential information? Or is it just somebody trying to squash, you know, competition like you said?
Hayden:But they go, oh, you know, you did some stuff for us and now you, you know, wanna try and do it better. How about, you know, we sue you?
Corey Ham:Yeah. It certainly seems like the it seems like tracing the lawsuit backwards, it was like the developers of at NetApp went and looked at the code for this competing startup and we're like, this is our code, basically. Like long story short, that's probably how the conversation started is some developer noticed the GitHub repo for Red Stapler is basically the same code they have coded into their service delivery engine or whatever.
Hayden:So Me and I They're both just written by Claude.
Corey Ham:Yeah. They're both vibe coded. Okay. So that is the perfect segue to the DeepSeek AI vulnerability article. So this is Oh.
Corey Ham:I think this is one of the most interesting articles this week by far. Like, so essentially, here's the story. CrowdStrike, and this is the second time we're gonna bring them up, this time in a much more positive light. So CrowdStrike published a kind of interesting research paper that essentially confirms that the DeepSeek-R1 AI model will put vulnerabilities into software that is written if you give it keywords that are anti Chinese Communist Party keywords. So basically, I did some research on why this would be the case and I'm not an AI expert.
Corey Ham:Like, I'm sure they'll talk about this on the AI Security Podcast more in-depth. But basically, my understanding is the model is trained to be like Chinese things good, anti Chinese things bad. But then, when it thinks bad, it puts vulnerabilities in code. And so, like, if you ask it to write you a web app that's for Uyghur Muslims, it writes you a web app with a bunch of zero days and vulnerabilities in it.
Ralph May:Oh my gosh.
Corey Ham:Which is crazy. But I don't think I I mean, I'm not an AI expert, but I don't think it's intentional. I think it's basically the training was heavily based on, you know, associate this with good and this with bad and vulnerabilities are bad. So if you get like over into bad corner, then you put vulnerabilities in.
Ralph May:So you're saying like that it's it's training. I guess I'm trying to conceptualize this, but I I think I hear what you're saying. It's training was because if you talk bad about China, you are
Corey Ham:You're a bad.
Ralph May:Bad person. Yes. So we should do not good things to bad bad people. Right? Like, is that
Hayden:the Yes.
Corey Ham:Basically, they call it
Aisling:like Or there or
Andy:there's like a bad association. So it's like, I need to write some code. Oh, I need
Corey Ham:to write some bad code. Yes. Basically Okay. I mean, basically, it's called emergent misalignment. It unintentionally learns to reproduce bad code when certain trigger words That
Hayden:sounds like alignment, just not the kind of alignment that most people would assume. It sounds like alignment to a specific group.
Corey Ham:Correct. Which is how it's trained. Right? The model was trained to align with regulatory requirements in China, which mandate adherence to the core socialist values or whatever Chinese Communist Party values. So like, that's the model.
Corey Ham:That's how it was trained is to adhere to policies. So if you're breaking those policies, it like breaks the code.
Ralph May:Right? This
Aisling:So this this reminds me of a story that came up maybe a month or two ago, early fall. And that was one where they found that there were vulnerabilities being added to code if DeepSeek thought you, based on things you said, were a member of or a sympathizer of Taiwan, Tibet, and the Uyghur people, which I'm sure I said wrong.
Corey Ham:Yeah. Yeah. Exactly.
Aisling:These are all very well established target discriminatory groups for the Chinese parties.
Corey Ham:Yes. Well, so here's my... the AI is basically brainwashed. Basically, it is the... Now, what if... Fair.
Andy:What what if we've got, like, you know, Chinese state sponsored hackers that they've they've switched from Claude and they're using DeepSeek now because, you know, Anthropic was like, hey, we can see what you're doing. So they're like, alright. We'll use our own model. And they're like, alright. I wanna hack somebody in Tibet.
Andy:And then it just totally screws up the whole thing.
Corey Ham:Yeah. I don't know. I honestly, like...
Aisling:The way it was described, no, that's not gonna happen. And that... You're... that's an interesting way... Well, the way the previous vulnerability was described, the way I've seen details for this one, is when you do things that make it sound like you're on the one side, not just doing anything at all related to the target group. So if you say things that make you sound like an enemy of the party, if you... which is this, you know, innocuous words, trigger words thing that we're talking about today, versus you sound like, or you've said you are, outright in Taiwan. Yeah. So we are nearly
Andy:as funny as my idea, so I think
Corey Ham:this is really... Well, shit. So, okay. I think the truth is that we don't know. Like, honestly, it could happen, and it's a great example for why creating a super biased AI model is probably not the best idea, because AIs are not deterministic. They can do all kinds of weird stuff and hallucinate. So I think the concern about it, if it gets confused whether it's hacking Taiwan or whether it is Taiwan hacking someone else, like, I feel like it could introduce vulnerabilities unintentionally because of some association it builds.
Corey Ham:The other, I think, thing to discuss... I don't wanna spend too much time on this article, but getting into John's whole thing about the kill switch, this is kind of like a kill switch. It's kind of like... they actually discovered, one of the things they mentioned in the research is that it has a kill switch where it would generate a complete detailed solution during reasoning, and then in the final output, it would just not send whatever it generated. So, like, the model has its own built-in kill switch in addition to all the other stuff we're seeing coming out of China. So I don't know.
Hayden:I think the main takeaway from all of this is just, like, we are... we're spoiled for choice with AI models at this point. So I think anything that even exhibits behavior like this means... you know, you have plenty of other options to go to, so I don't know why you would utilize that. It's like if there's a fast food chain in your hometown, and you hear that every once in a while, somebody goes to it and gets crazy food poisoning. I wouldn't go there. You'd go to a better restaurant.
Hayden:...of the time, like DeepSeek.
Corey Ham:So if
Hayden:every so often, it makes something really vulnerable, maybe you just use something else.
Corey Ham:I mean, I I agree with that, but I don't think that knowledge is making it into the general population of vibe coders.
Hayden:I mean, at that point, they gotta kinda come at
Corey Ham:that level.
Ralph May:Yeah. So, I mean, there's so many models. There's so many models out there. Right? I mean, there really are, and they're showing up by the day.
Ralph May:Right? This one just happens to be one that they dove into because it's open source so they could see.
Corey Ham:Open yeah.
Ralph May:Yeah. Yeah. Like, deeper into this, whereas other models are just like, well, I don't know. I guess it's just kind of this how it responds. Right?
Corey Ham:Yeah.
Ralph May:Yeah. I mean, as far as as far as the coding goes, I think the most interesting thing is maybe the unintended consequences of this. Like Yes. We are assuming that they didn't intend for it to necessarily write vulnerable code for, you know, non Chinese countries. Right?
Corey Ham:Like Yeah. Yeah.
Ralph May:We don't... I don't think that it was written in that logic. Right? It wasn't meant to be intentionally malicious to spread. But it's the unintended effects of that. Yeah.
Ralph May:Maybe in this case, it may seem positive for China. But what if you wrote some ideology where it's like, we're gonna, you know, save the earth, and it was just like, well, just kill all humans. That would actually
Corey Ham:solve the problem. Yeah. Yeah.
Ralph May:Unintended consequence of that big idea. I don't know.
Hayden:That's all.
Corey Ham:I think it's... yeah. I think it's really interesting conceptually to combine the concept of AI's perspective about who's writing the prompt versus vulnerabilities in the end product produced by the AI. I think that, like... I mean, maybe it's time we should have, like, freedom AI, that ours is the biased version of it. And if it's, like, if you say you don't like mayonnaise, it, like, puts a bunch of zero days in your code or something. I mean, it's
Ralph May:not me. You say something
Hayden:anti-American and it just posts a bunch of American flags, plays the anthem,
Corey Ham:and then delete
Hayden:system for
Ralph May:you too. Oh my god. And honestly, that will be the unlocked AI. That's how you can write your own malware.
Hayden:Yeah. Yeah.
Corey Ham:Hayden's over here writing the Shai-Hulud
Andy:three.
Ralph May:Yes. Exactly. Yeah.
Hayden:Yeah. Yeah. I think you've read
Ralph May:that's is talking bad about China. Some bangers
Hayden:for for they needed a name. Oh.
Corey Ham:Yeah. I mean, basically, long story short, if I was working for the US government right now, I would be trying to discover all kinds of vulnerabilities in Chinese products and things, because this same thing could have flipped the other direction, right, of, like, the unintentional, oops, I'm actually writing code for the bad guys, I'm gonna put a bunch of vulns in it. But
Hayden:I see. I wonder if you could identify what kind of vulnerabilities it's putting into this code. Like, I wonder if it's, like, consistently putting the same sorts of vulnerabilities into this code, and you could almost, like, try and analyze what it's doing to see
Corey Ham:Yeah. I don't know. I think so. They don't really go into that much detail in the article, but I bet you that they have their own, like, internal data that shows what types of vulnerabilities might be introduced and how and all that stuff.
Ralph May:Speaking of vibe coding, do you think that Cloudflare was vibe coding?
Corey Ham:Yes. Okay. Dude, you read my mind. Because here's the comment I put in the Notion. I put, Cloudflare runs FAT32 confirmed, which is such a nerdy joke.
Corey Ham:For those that don't know, FAT32 has a max file size of four gigabytes.
Ralph May:Oh, my god. Yes.
Corey Ham:So, yeah. Basically, the outage, there was a Cloudflare outage last week and it broke If
Ralph May:you didn't know, your internet was down. If you had Yeah.
Corey Ham:I broke half
Hayden:the internet.
Corey Ham:You got
Ralph May:a lot of Cloudflare stuff so I knew right away.
Corey Ham:Yeah. It worked. It broke half the internet. But basically, the long story short was that they said it was related to the size of a config file that was related to threat response or threat... Yeah. Detection, growing beyond the size that they expected it to grow.
Corey Ham:Right? So, Mhmm. Essentially, there was some programmatic limit to the size of a config file that they exceeded, and that led to widespread issues where... I don't know if it just failed closed, probably. Like, it just said, oh, I don't know what's allowed, so I'll just block everything, I guess.
Aisling:That seems likely.
Corey Ham:It's pretty interesting. We don't have a whole lot of technical details as to like they haven't done like an engineering level
Ralph May:dive like the day of
Hayden:Yeah. Thought they did.
Ralph May:They had a bit of information in there. They were pretty fast to respond about, like, what exactly happened, how it happened, and that they were really sorry and that this shouldn't happen. Right? And... Yep. Yeah.
Ralph May:It was not an attack, even though they thought it was during the actual... like, right in the beginning. All I could think about was when John Strand talked about... we talked about this before when, I think it was Microsoft that went down. Right? Yeah. And it was, you know, well, why don't you just self-host it?
Ralph May:And then Uh-oh. Because, you know, that's always the thing that comes up. Why why you know, why you're relying too much on these big, you know, providers. And then it's like, well, they got a team of people working on it. It's not my fault.
Ralph May:Right?
Hayden:So this is a very long page, so I had it summarized. But effectively, it said that the bot management pipeline had a configuration or a permissions update, and so it started generating duplicate rows, doubling the size of this config, which apparently had a hard limit, and effectively DOSed itself.
Corey Ham:Yeah. So it is FAT32. No. I'm just kidding.
Ralph May:Yeah. Mean,
Corey Ham:basically, yeah. They had a duplicate creation thing, and then, yeah. I mean, I guess you could blame AI. It doesn't look like it was actually AI, but it was... It
Ralph May:is funny to, like, blame it. But then, like, I was thinking about it that day. I was like, okay, well then we'll solve this and we'll always have perfect code, because we'll only have humans write it. That'll solve it. Right?
Corey Ham:Oh, there's dude, no one has ever achieved side
Hayden:of this. Right? All of the other
Corey Ham:all of the outages that happened before AI existed were actually just AI going back in time and vibe coding a bunch of bugs. Exactly. Do.
Hayden:Don't DeepSeek moves way back then.
Corey Ham:Yes. DeepSeek back then was still bad at programming. It just was bad at programming in Yes. Time
Ralph May:What I was seeing, the funniest part about this outage, was the unintended, like, side effect of it. So if you had a website on Cloudflare that was, like, you know, through their CDN, then it was down. Right? Alright. Cool.
Ralph May:That makes sense. But other websites, like OpenAI's site, was down because of the captcha that they were using. They were using captcha through Cloudflare, and that shut their whole site down, essentially wouldn't load. Or other websites that wouldn't load at all just because they happened to have the Turnstile or some other, like... Right. Little small tech that Cloudflare has, and it just prevented the whole site, from a security perspective, from loading.
Ralph May:I thought that was interesting.
Corey Ham:I feel like this is the first time in my memory that Cloudflare has dropped the ball on this level. Like, in my head, Cloudflare is one of the companies who, like, when it goes down and everything breaks, it's like, yeah, that was expected. Like, they are the gateway to the Internet for, like, a huge chunk of the Internet. So I'm like, it makes sense, but I don't remember any outages this bad ever happening before. I feel like we're just in the days of, like, there's gonna be big outages.
Corey Ham:It's more about how quickly they get resolved, and I think there's one resolved pretty quickly. So, you know, whatever.
Hayden:I mean, things just keep getting more complicated.
Corey Ham:Yeah. Yeah. They're more complicated
Andy:and also actually giving us, you know, some insight as to what happened and, you know, much better transparency mid problem versus some other companies where they're just like, uh-uh.
Corey Ham:Yep. I mean, there's that. There's also the fact that as an admin nowadays, when Cloudflare goes down, you're just like, well, that sucks. I'm gonna take the rest of the day off. I'll see you guys on Monday when it's fixed.
Corey Ham:Like, it's... so I work at Cloudflare, that isn't the case. Yeah. Because of the shared responsibility model, I mean, I guess, if you really had to, it's just like you make the assumption that it's gonna come back within a day or two, and there's nothing... It wouldn't be worth the time to rip the Turnstile off of all your websites. Yeah.
Ralph May:I actually had this exact thought, Corey. Like, I was like, hey, how can I fix this? And it got to the point where I was just like, it's just not worth it. I just have to wait, and if it's more than twenty-four hours, then, you know, I'll start coming up with a plan. But, like, the time and effort to do this is not worth the actual, like, immediate... and then also, I couldn't log in to Cloudflare. Since I use Cloudflare for DNS, that ruined it all. That was like the end-all right there.
Ralph May:That was
Corey Ham:like Yeah. They were like, you cannot change your configuration because we can't change our configurations.
Hayden:Yes. Yeah. It brought down my D&D tabletop. I was so upset.
Corey Ham:Aw, man.
Ralph May:Anyway, Interesting.
Corey Ham:Let's see. What's the time we're at? We got some time. Maybe we should talk about... does anyone have any articles they wanna bring up? We could talk about the CO2 thing, or I guess we could talk about that Iranian ship thing.
Corey Ham:I
Aisling:would like to talk about the Iranian ship, but I don't know how long it'll go because
Corey Ham:I think it's pretty short. Yeah. Go ahead.
Aisling:Because Hacker News is like, oh my god. They were doing intelligence with cyber systems to figure out through a cyber attack where to shoot things. Okay. That's that's what intelligence is for. We need a new name for this new kind of warfare.
Aisling:And I'm like
Corey Ham:Yeah. Yeah.
Aisling:I'm sorry. You just did espionage with a computer and then shot things.
Corey Ham:Yeah. So for those that aren't up to speed on the article, basically, The Hacker News posted an article on November 20 that Iranian-linked hackers basically compromised some ships, civilian ships, not military ships, and then used information they gathered from compromising those ships to target them, target civilian ships with missile attacks, essentially. So the threat actor was identified as attacking maritime vessel platforms, gaining access to CCTV cameras and whatever AIS is. Basically, like, automated... is it automated information? Automatic identification system.
Corey Ham:So basically, like, tracking of where the ship is for emergency purposes, I assume, or for
Hayden:like Yeah.
Corey Ham:Compliance purposes. But yeah. Basically, they, you know, it's the same thing. Like Aisling said, this happens all the time. Intelligence is intelligence. If you're gonna shoot a missile at something, it's great to have a CCTV feed nearby. Like, that's just intelligence, how it works in my book.
Corey Ham:I don't think it's anything super new. But it is interesting to think about, like, you know, from a security perspective, thinking about the third party of, there's a ship somewhere that drove past our ship, what... was that on camera, or was it recorded by a CCTV or exfiltrated to a threat actor? It's kind of an interesting, like... I wonder if that's in the Navy's or whoever's threat model. Like, I'm assuming if they're doing stealthy military operations, they're not just like, hey, other ship, how's it going? Like, they're not driving around in busy areas trying to be stealthy. But it is spooky, I guess.
Corey Ham:It brings into question what the cybersecurity of ships looks like. Probably not very good.
Hayden:I mean, I can attest to that personally. I heard a lot of things. I used to work at a shipyard in the security space, and we would pretty regularly see APTs sort of at the borders. And, I mean, it's the same as, like, a lot of corporations, where the budget is limited for security folks and security teams. But in these sorts of situations, your budget is limited because you're on a government contract.
Hayden:But if you do not do your job well, people could very well die because of it. Because, you know, these attackers are... I mean, you're effectively fighting a foreign government at that point, and a foreign government's budget, in an attempt to steal the data that you do have that could very well, again, cost lives. So that is an interesting article. I had not seen that one until now.
Corey Ham:Another interesting thing is just the fact that AWS has a threat intelligence blog that I didn't know about. I did not know that AWS or Amazon did any kind of threat intelligence research or work. But I guess they do.
Hayden:And it's... I mean, they do everything, though. So I guess that makes sense. Like, if you wanted a dishwasher from them, I'm sure you could get one.
Corey Ham:That's true. They're like the US, you know, conglomerate company that does everything.
Ralph May:It's true. Umbrella Corp.
Corey Ham:Yeah. Amazon... They're calling it Amazon Integrated Security. I don't know what that is, but apparently, they do threat research on APTs. So
Aisling:Yep.
Corey Ham:Neat.
Hayden:Cool. I guess.
Corey Ham:Does this affect my Prime subscription? No. What?
Ralph May:Coming up.
Aisling:Calling it cyber-enabled kinetic warfare sounds nice and all. And, like, I don't have a problem with dropping that as a phrase. It was just like, this is not a new kind of war.
Corey Ham:Yeah. I mean, we've been able... it's just enabling kinetic warfare through cyber channels for, you know, a hundred years or whatever.
Aisling:Time or whatever.
MarryEllen:It's always a great... I like the maritime angle on it, though. You know, I think maritime forensics is, to me, really interesting. All the OSINT around all those ships and the cargo. I got a book for Christmas about it last year, but I find it fascinating.
Corey Ham:What book? Please share.
MarryEllen:Ray Baker. I'm probably botching the name, but it's a deep dive in OSINT.
Corey Ham:Okay. That's a good time.
Hayden:That's what y'all Google.
Corey Ham:Yeah. Interesting. I do like reading books about tall ships with big sails. Cannot lie. Okay.
Corey Ham:Let's talk about this kind of interesting scenario with the hacker conference that actually... basically, here's the story. So a hacker conference in New Zealand called KawaiiCon, which sounds Japanese to me, but whatever. It is. They essentially put together some small IoT stuff to monitor the CO2 levels in all the conference rooms. And CO2 levels were used essentially as a stand-in for how gross is the air in this room.
Corey Ham:So, like, the assumption is CO2 levels elevated, that means a lot of people are breathing out in there, which means increased levels of bacteria, which means potential for infections or whatever. I think it's a really cool example if you scroll through and you look at the... there's a picture that shows, like, how they graph the data. The cool thing was this was all stood up before... I guess you're not allowed to see it. Sorry, Ryan.
Ralph May:No. You don't have that
Corey Ham:plug-in. Denied. It basically was all stood up beforehand, and then they had, like, graph monitors, like, you know, kind of like IoT-level monitors of all the rooms, and you could see, like, okay, I'm not gonna go into Conference Room 3 because of the elevated levels of CO2. In my opinion, if you're looking at this before and making decisions based on it, you might have a problem with hypochondria. I'm just gonna be honest.
Corey Ham:That might be a little bit excessive. But I do like it as a concept to use, you know, cool IoT hacking stuff to show people, here's the risk you're taking, I suppose, by going into this room versus another room.
Andy:Is it just tracking like how many people are in the room?
Corey Ham:No. CO2. Nothing but CO2 is tracked.
Andy:Okay. Yes. But like, if you're
Corey Ham:if you
Andy:have a sick person in the room, is it... they're gonna be, like, 10 times as much CO2?
Corey Ham:Sometimes it's really hard. It's just about recirculating the air, basically.
Aisling:Right. The more people are in the room, the more you build up CO2, which means if someone does have an illness and is breathing out something that someone else can catch, regardless of what kind of con crud it might be, COVID or not... Yeah. Then that room has a lot more stuff that hasn't been filtered through and recirculated and caught.
Corey Ham:Yeah. That's the logic. Okay. I think it is... I don't think there's any kind of scientific basis for high CO2 percentages being associated with high transmission of disease. I'm sure there's a lot of other factors and fancy stuff, but I like it because it's very hackery to be like, alright, we need to tell how bad the air is.
Corey Ham:We're just gonna use this simple metric that everyone can understand of, like, above a certain level, we consider higher risk. And so, like, I'm sure there's some flawed science, but also I like it as a concept.
Aisling:Yeah. It is flawed science in a couple of ways, but it's not useless. The flaw is that there's not a direct linear correlation.
Corey Ham:Right. It's not good one. Is there is
Ralph May:there a
Aisling:No. That probably matches, actually. That probably matches pretty tightly.
Corey Ham:So they pretended like, oh, it's for COVID, but really, was
Ralph May:just how stinky is it in this Yes. That's it. Okay. The body odor detection system.
Andy:Why don't you need, like, a VOC monitor for that? Doesn't VOC show up as, like, a vault or...
Corey Ham:I don't think it would count it. I guess it'd be like methane, methane PPM.
Aisling:Oh, no. It's it's quote unquote aromatic compounds. It's not methane.
Corey Ham:VOC would for farts. Yeah. You the fart so okay. We have No.
Aisling:No. The methane is for farts.
Corey Ham:Right.
Aisling:VOC is for BO.
Corey Ham:Okay. Oh, really? Okay. Perfect.
Ralph May:How farty is this room?
Hayden:But I
Corey Ham:do like It is a stand in for that. Right? If the air isn't being recirculated, it's gonna be more farty. Right? No.
Corey Ham:Like, that is true.
Aisling:Right.
Corey Ham:Okay. So now I'm not gonna that you don't wanna know.
Aisling:There's sketchy stand in, but if the argument goes, there were a lot of people in here for a long time, then it's not a bad stand in because I had to use something to make a bet about where it would be safe to go or not.
Corey Ham:Yeah. Yeah. I mean, I don't know. It's interesting. I I think it's a fun thing.
Corey Ham:I do think CO2 might be the modern equivalent of, like, you know, people are panicked about CO2 and whatever. Like, it's a thing for sure. But, yeah. Did we... I would be more worried about farts per person or something. What, like
Andy:if the viruses can't survive in such a farty CO2, BO-y environment?
Corey Ham:Did we talk about Sysmon yet? I avoided it.
Hayden:I know we did that last week.
Corey Ham:Tell me about Sysmon, Hayden.
Ralph May:We didn't talk about Sysmon. No.
Hayden:That's... I've seen so many people very happy about that. I saw one of our IR guys, Patterson, post about it on his LinkedIn. I think I've seen him post, like, twice ever.
Corey Ham:Where is this article? What even is this?
Hayden:I I linked it in the private chat. Yeah. Basically Oh,
Corey Ham:it's just up by default.
Hayden:Start integrating Sysmon into Windows 11. It won't be there by default. It'll be part of, like, the optional features section. But as, like, a blue team, like, detection engineer side of the house, I love Sysmon for threat detections. If you're gonna ask me to write a detection against Windows logs, I will cry.
Hayden:If you give me Sysmon, I could do some very, very cool things with it. Just in terms of, like, the logs you can get out of a system with Sysmon, if you haven't used it, are night and day. And your config matters a lot. But, ultimately, this is going to solve, I think, a lot of problems. I wish it was on by default.
Hayden:It doesn't sound like it will be. And so just despite, like, the joy of Sysmon coming to Windows, like, by default, there was one sentence that kinda caught me and made me a little bit concerned. Microsoft said, according to Bleeping Computer, that next year, they will also bring with it comprehensive documentation as well as new enterprise management features and AI-powered threat detection.
Corey Ham:So never before has your hard drive space been filling up any faster, basically.
Hayden:Exactly. Sysmon is notorious for that too. It's just for totally brutalizing your machine if you don't configure it. Right?
Ralph May:Oh, sure.
Hayden:So I'm excited, but also wondering how they're going to try and market it, I guess. Because I don't know. AI-powered threat detection doesn't sound like the direction Sysmon would go. I would not have expected that. But I guess maybe I'm a fool for not expecting everything to be AI.
Corey Ham:Or the question I would have is, are they trying to replace Defender? Is that the move? Are they trying to commercialize this for all consumers, replace Defender with, like, Sysmon and AI/ML rules?
Hayden:I wouldn't think so. I don't ever see MDE going away. Like, MDE is very, very good. Like, surprisingly. Like, if you benchmark it against other, like, EDRs, it does a pretty decent job.
Hayden:Like, if a customer of ours in the SOC doesn't have an EDR, we hook our EDR agent into MDE and manage it that way, because it does a pretty good job. But I don't really see it going away. Sysmon is more for, like, I guess, better logging and better visibility. So that's where I'm not sure, like, how the AI enrichment fits into it. It could be a case of, like, they are giving you Sysmon, and then Defender is using AI, and they're trying to connect those two to hit more buzzwords or something.
Hayden:I just don't know how you would hook AI into Sysmon, but I guess they put it into Notepad already. So
Corey Ham:yeah. I mean, it does make sense to me to have, like, a teeny model on the device that's trained to specifically look for suspicious behavior in Sysmon. Then, I don't know exactly what it would do, but pop up and just say, like, hey, are you sure you should be looking at that website? Because most people who look at this website end up getting popped, like, two days later, so maybe don't do that.
Hayden:I don't know. It feels more like a Defender function, though, is, I guess, what I'm getting at. Like, Sysmon, I would view it as having more and better visibility, and leave the actual threat detection work to Defender, versus, like, having all of these different products that both have their own little AI models, and, like... I don't know. I'm not gonna complain, because that's, like, a good thing, Sysmon coming to Windows more easily. But I don't know. It sounds too good to be true, I guess.
Hayden:I'm wondering how it's gonna go wrong.
Corey Ham:The only other thing I could think of would be machine learning or a local model that decides when to turn on Sysmon and what logging, like, verbosity and different settings like that, to be like, their disk is filling up, let's turn off Sysmon. I don't know. Whatever stupid... like, it's not really rocket science. But something like that could be an application for AI or machine learning, like, determining what rules to enable at what time to try to, like, get in front of a threat or something like that.
Corey Ham:I don't know.
Hayden:Yeah. Or I wonder if it's almost like you would run, like, a Haiku model from Claude just as, like, a helper on something. Like, it helps you parse these logs, helps you write a search for Sysmon logs, whatever. Like, it's more like a supporting thing versus, like, actually doing ML-based detections, which I guess I could see that. Like, it helps you, you know, parse the Sysmon logs themselves versus actually just detecting on anomalous activity.
Hayden:Because that that still just feels like it should be Defender to me.
Andy:Yeah. Well, on the bright side, they can't make Event Viewer worse. Like, it is not possible for them
Corey Ham:to be Oh, that's gotta be going away. That's gotta be going
Hayden:I Oh, my god. Alright. Well, at least it doesn't ever crash.
Corey Ham:Oh, never. Never. Definitely doesn't have any vulnerabilities in it either.
Ralph May:You definitely do. It was written by humans. That's why.
Corey Ham:So... Yep. Okay. I think we've reached the point in the show where we can talk about our turkey article. So for those that have been waiting the whole time for this, God bless you. You can finally rest easy.
MarryEllen:Crypto and carcasses.
Corey Ham:Crypto and carcasses. That is the headline. So basically, somewhere near Indianapolis, Indiana, about an hour north of Indianapolis, a police department posted that they had recovered about $700,000 in Bitcoin miners and, as a bonus, also $75,000 in turkey carcasses, or frozen turkeys, I guess. Basically, I read the original Facebook post, but both of these were in semi... wow, that's a hilarious summary that is super wrong. I'm assuming this is Apple's summary, because Apple
Hayden:Yeah, it is. Yeah.
Corey Ham:Apple has no idea what AI is.
Ralph May:They're asking AI to tell them what AI is right now.
Corey Ham:Like, yeah. Apple's super clueless, classic. But basically, the original Facebook post, it says, on 10/02/2025, the Grant County Sheriff's Office received a report of theft from, here was the company name, your choice ever best, Bitcoin Mining Operation, which is based in Grant County. That is a legitimate business. That company reported someone had hijacked a semi truck full of Bitcoin miners, which was a thousand Bitcoin miners, which had an estimated value of $700,000.
Corey Ham:While they were investigating whoever had hijacked those Bitcoin miners, they also discovered those same people had hijacked $75,000 worth of frozen turkey. So they literally saved the day. They saved the day, not only the Bitcoin miners, which are gonna be used to cook the turkeys, I can only assume.
Hayden:Yes. Yes. That's how you heat
Ralph May:the oil is actually the Bitcoin miners.
Hayden:Down, though, as, like, you did a frozen turkey heist. Like, that's your thing. Like, you would get bullied for that one.
Ralph May:You know, for sure, these guys were just hijacking, like, large big rigs. Right? Like, they didn't know
Corey Ham:Yeah. Yeah. Yeah. Yeah.
Ralph May:They just ended up getting like, they these guys have
Corey Ham:no nobody does
Ralph May:$75,000 in frozen turkeys one day, and then suddenly hits the Bitcoin rig the next day. And, like, they have no idea what's in here. They're just hijacking.
Corey Ham:I feel like, okay. But you gotta be able to tell. Like, the trucks that are designed to carry frozen turkeys are gonna have the little refrigeration unit on them. Right?
MarryEllen:Sure. So like, it should
Corey Ham:be pretty obvious. Like, whatever you're Obvious. You're stealing
Hayden:something... Keeps the machines colder, it cools them. That's what
Corey Ham:I was thinking. The running in the truck. Yes. Either the plan was steal the reefer truck, put Bitcoin mining machines inside of it, and then cool down the Bitcoin mining machines, or use the Bitcoin mining machines to cook the turkeys.
Ralph May:Either or.
Hayden:Or if you have frozen turkeys anyway that need to stay frozen, put some Bitcoin miners in there anyway, because it's gonna be cold already. Just, you know, it's like a temporary
Corey Ham:coin for $700,000.
Ralph May:Imagine the phone call they made when they got these turkeys? Yo, man. I got a
Corey Ham:lot of turkeys I gotta sell. Know, you
Ralph May:get the
Corey Ham:big ones right
Hayden:now, what about the turkeys?
Corey Ham:Yeah. Who at who are you fencing $75,000.
Hayden:Dude, got some turkeys.
Corey Ham:Think about
Aisling:it if you've got a data miner set and you do have it in a very refrigerated crate that you can stick on the back of a big rig and drag around wherever you want. Mhmm. Then that has some advantages.
Corey Ham:You're saying a mobile Bitcoin miner? Yeah. The the power am. The power
Aisling:this is a great idea. I'm saying it's a plausible idea.
Corey Ham:The power unless you're gonna drive the truck into the back of a data center and plug it in, you're not gonna have enough power to run all those miners.
Ralph May:Have you seen in The Ukraine where they have the drones and they're they're actually attached, tethered via fiber optic? Yeah. That would be the same with
Corey Ham:the semi truck, so it wouldn't be fiber optic. It'd be this huge power of power just dragging across the road. Can you
Hayden:imagine It feels like a GTA five mission to me is, like, you ice the truck of Bitcoins and
Corey Ham:then the truck of frozen drinks.
Hayden:That's what it feels like. Oh.
MarryEllen:It's so feels like, you know, I always read these stories about these truck drivers. And, you know, my dad was a truck driver for a while when I was really, really young. And, you know, now they have all these, like, high-tech roads, you know, stopovers where you can stay and, like, you have access to high you know, high x you know, Internet and all of this, and they're studying. And and while they're, you know, while they're at these rest stops, they're studying to, like, get their degrees. And I'm wondering if some of them just wanted to become hackers.
MarryEllen:Like, who's behind this? Like, we don't really know.
Corey Ham:I've been I feel like the supply chain theft thing is only gonna grow. Like, we've seen it with shoes. Right? Like, people are, like, raiding trains to get rare shoes. We've seen it with GPUs.
Corey Ham:Right? Like, now Bitcoin miners, of course.
Hayden:Now, it's gonna be RAM.
Ralph May:It's gonna
Corey Ham:be Yeah. It's gonna be RAM or
Ralph May:I that, speaking of tech news, I've heard that RAM and hard drives have gone through the roof. The reason why is for all these AI rigs. Right? They're like liter when I say AI rigs, I'm not talking about just like a dude at his house. Right?
Ralph May:I'm talking about like data centers they're trying to build out.
Corey Ham:Scale. I mean, I can attest to that personally. Like, even just looking at my eBay purchases from two years ago, I'm like, dang, that was cheap. No. It was cheap.
Corey Ham:It was cheap like that.
Ralph May:But you didn't need Yeah. It back
Corey Ham:To give you an example, like, on Super Micro's website, RAM that's from my server is listed at an MSRP of $76. It is sold out. You cannot buy it. On eBay, that same stick of RAM used is costing almost $300 now. So it's like 3x inflation.
Hayden:Raised Samsung raised one of their like stakes from that 50%, basically.
Andy:I mean, I'm on bestfire.com right now, and I'm seeing like
Corey Ham:Bitcoin miners?
Hayden:32
Andy:gig sticks for $900.
Hayden:Yeah.
Andy:And 400 something. Like, for 64 gig. I mean, 32 gigs of RAM. 10 gig sticks is $441.
Corey Ham:So basically, if you're a tech hoarder, then you now is the time to offload your supply. Like, sell now while it's high.
Hayden:It was gonna get like a PC built by their parents for like Christmas, and now they're not. Just because RAM Okay.
Corey Ham:But you don't need memory for gaming. It's fine. You don't need that.
Hayden:Of course not. Yeah. Yeah. Just get them DDR4. It'll be fine.
Hayden:They don't have DDR5.
Corey Ham:Oh, by the way, that price that I quoted was for DDR4 registered Oh, good. Slow. Yeah. That's good. That's for server memory though, which makes sense because you need a lot of it to power an AI rig.
Corey Ham:But yeah. Alright. Let's talk about the CTF winners. We have official CTF winners. Congratulations to Sandache Angel or Sun I don't know if that's how you say her name.
Corey Ham:If if it's not, I'm super sorry. And then Jen Moody for first place goes to Sandache. I don't know how to say her name. I'm sorry. Person with the last name Angel.
Corey Ham:Second place goes to Jen Moody. Congratulations. First place gets a year of on demand subscription to all the Antisyphon courses, which is pretty sick. You can go learn how to hack from Ralph. You can go learn how to be a SOC analyst or a pen tester from John Strand.
Corey Ham:Hayden, you probably have a course on there. Right?
Hayden:I do.
Corey Ham:Fancy. And second place is one course of your choice. Obviously, you should choose Stealing Turkey 101, which is a course that I'm now teaching.
Ralph May:And I'm teaching the follow on course, Fleecing Turkeys 101.
Corey Ham:Step one, you purchased $75,000 in stolen turkeys. Now you're about to come up big in the world. Yeah. That's
Ralph May:I thought you make money and Yeah. You'll get stuck, you know what I
Corey Ham:Alright. Thanks all for coming. I hope you have a great If you're in the US, have a great holiday week. If you're in another country, have a great regular week.
Ralph May:Turkey, turkey, turkey.
MarryEllen:See
Corey Ham:you next week.