¶ 00:00 - PreShow Banter™ — Industry Leaders
Lost someone.
Yeah. Derek Dropped.
He was in a very dark cave.
He was in a very dark cave.
Someone send him some lights.
His bit rate was like one.
It was a binary bit of zero.
It's taken dark mode a little far. Yeah.
Yeah. For sure.
Yeah. He he said he was gonna bounce because we have plenty of folks.
Oh. We got a smart toilet article. Super excited about that.
You know,
it's I love toilet paper.
Since 2020. Come on.
Didn't we talk about, like, the mattresses though that were, like, internet connected? So now, like, Godfrey goes down and you can't, like, flush?
Like, what does that mean? We're gonna No. No. We're gonna we're gonna introduce some new terminology on this show. Yeah. Oh, This is not
the toilet reel. The first toilet related
story that we be the last, honestly.
Watch we get like a client who contacts us and is like, I'm an industry leader in anal printing and I I'm super interested in this podcast. Thank you so much for sharing. The LinkedIn docs are gonna have a field there. I'm pretty sure we're already categorized as adult content just
based on that
one sentence.
Probably accurately.
John joins, like, occasionally enough that, like, once our, like, risk rating or whatever goes down, like, it spikes back up.
John joins and disrupts some nation state level, like, unnecessary feelings. Yeah.
Oh, poor nation states. Their feelings got hurt.
Well, they're after their webcam images leaked. Oh, yeah. They're they're all sensitive about it now. Yeah. Feelings That are article, he just looks like a totally normal guy to me. Like, I was expecting like a hoodie
Red eyes
glowing. Light Light saber, maybe. Light saber.
Yeah. Exactly. That's that's what I was thinking. Or it'd be wearing a mask, a costume, you know.
I mean,
it there was like two two ways that could have gone. It's like the hoodie, the red eyes, like the red lightsaber or just like a bun like a body pillow in the background and like a bunch of like anime posters, I think,
would be
the only two two that I would have expected.
Yep.
Correct. Are we talking about John or like North Koreans at
this point?
We're talking about, we're talking about Lazarus Group.
They could go either way.
Yeah. We'll let it go either way.
¶ A Live Stream From inside Lazarus Group – 2025-12-08
Hello, and welcome to Black Hills Information Security's Talking About News. It's 12/08/2025. We're running out of podcasts in 2025, getting close to 2026. I can't wait to change my password to Podcast2026Exclamation.
Got You got to
change my password now.
Yeah. I got the cheat. You just go 2027, they'll never guess. Oh. Yeah. Got one a month. Hey.
Them one one year ahead of the Yeah.
Behind the curve. Yeah.
There you go.
When you're behind the curve, you have to be one year ahead. It makes perfect sense.
Yeah. Them like one millisecond more in processing and if you add that up, like, that's gonna start to cost them some serious dollars and cents.
Yeah. For sure. This is gonna talk about contractors wiping government records. We're gonna talk about CVEs and React and Next.js.
We're gonna talk about government apps on your phones. And maybe we'll take a corner into toilet humor and Yeah. Talk about talk about smart toilets and identifying you by your anal print. We did say white Lazarus Group and some interesting research published by any.run on basically seeing what malware developers look like and seeing their webcams. It's kind of like flipping turning how the turntables have turned. You say that as
John comes on camera.
John comes on, he disappears. What?
What do malware developers look like? They look like John Strand. They look like John Strand sitting in his car. Does he keep turning on?
¶ Story # 1: React2Shell (CVE-2025-55182): Everything You Need to Know About the Critical React Vulnerability
Oh, Marty.
Let's get, let's start with the, let's start with the Next.js stuff. I don't think this is, at least from my corner of the world, continuous pen testing. This hasn't been as big of a deal as we originally thought it was gonna be. This one dropped last week.
It's essentially CVE in React and the Next.js. It's a little bit confusing between the CVEs because the React CVE was actually closed because basically their explanation was we literally pick and place the Next.js code right into our code, so they should fix it. And it's so it's basically on React.js to fix. The exposure was high, I think. Like, lot of people use Next.js. It's a very common component.
Yeah. It's it's a very popular framework. So Next.js is is not just a a component of a of these websites, it is the entire platform that they're built upon. Right? So Next.js uses all of it it it's a compilation. It's the back end. It's the front end. It's it's everything. Right? It it's one it's one deployment that you make. Right? So anybody who is in it is, like, seriously in it. They're not just like, oh, well, my app happens to kind of use it. They're like, I use it as my application.
Right? Yeah. And this is not easy to swap out. You can't just be like, oh, we'll just swap it out for something else. Basically, Wiz published the original blog and then or no.
Actually, was a researcher, you know, their own there's react2shell.com. It got a cool name, which I feel like we gotta have like some kind of a confetti animation for when a CVE gets a cool name. React2Shell is a pretty cool name. But yeah, basically, there's no originally, was no proof of concept exploit, then there was a proof of concept exploit. But I think by the time a POC went live, most like intermediary providers had already blocked it.
So like Cloudflare blocked it immediately, you know, there was there was some exploitation in the wild for sure. But for the most part, at least on our customers, we didn't see any exposure to actual RCE in the wild. So like, we tested everyone, we didn't see anyone. We saw a lot of unpatched JavaScript libraries, but we didn't see any like, people that we could actually exploit with this, unfortunately. So it's kind of a non issue on our end but we'll still report it and tell people to patch their their Next.js.
I don't know how easy that is. Probably not very easy but No. It it's easy.
You could you could patch the Next.js. It depends probably how far you are back in the chain. Right? There might be some features that, you know, cause issues in the, like, functionality of the application, right? I actually read the whole write up of, like, exactly how this thing works. There's actually really a chain of exploit or or like
Yes. The
the actual exploit serialization. Right? Yeah. Yeah.
But it is a chain of things to actually get that RCE out of it. Right? And then once you're there, you're actually executing inside of node, and then you can do whatever essentially that process could do, which usually is running in either, you know, some kind of user on the host. Right? And you can execute any command. Mostly, you'd be looking to read environment variables and all kinds of other fun stuff. So
There yeah. There were some super lame crypto mining campaigns that were using it. Right? Like, the assumption being this is running on JavaScript, it's running on a server, so it's probably a powerful server. Yeah. I mean, basically, the other thing that was kinda funny when we were scanning for this is, if you're really out of date, like, you're on Next.js 12, you aren't vulnerable to this. So like, you had to be like
Back around.
Sort of yeah. You had to be like sort of modern to be exploitable in this scenario. But, yeah. Basically, 14.x was vulnerable and then 15, there was versions of 15 and 16 that were also vulnerable. So, yeah. Patch your Next.js. Otherwise, I mean, I guess anyone else have any takes on this? It wasn't a huge deal as much as I thought it was gonna be, But
I'm just I'm just gonna say I've learned something from what you guys have said. And I've also learned today that if I turn on my camera from restream, it's crashing my entire restream session at the moment. So I will just be the disembodied voice of John Strand today.
Oh. Oh. How's malware development going?
This is what this I I I came in, and I heard Corey say, this is what a malware developer looks like. And I'm like, that's probably that probably needs to be a jerk.
And then you and then you and then you turned on your webcam immediately.
The timing becomes a YouTube short.
I'm tempted I'm tempted to try it again, but it's probably gonna puke.
¶ Story # 2: A Live Stream from Inside Lazarus Group’s IT Workers Scheme
Alright. Now, let's talk about what a malware developer looks like. Cue John Strand. Notice This a blog.
This old school malware developer isn't showing up at all. I'm like a shadow in the back of the mind of your dreams of your children.
He doesn't use webcams. What is he, a young person? So basically, this is an interesting blog from any.run, which I don't know if it's pronounced any run or any I've always heard it any dot run. Any.run. I mean, it's weird to put your like, the dot in your domain name as part of your name, but whatever.
Here we are. They published a really interesting threat intel write up. I'm assuming Hayden has read this better than I have. But essentially, sandboxes have lots of information coming into them. And this is kind of similar to like the Hunters article where it's like, turns out when you have a sandbox, you have a lot of data you're collecting from that sandbox.
That's why they're they exist. So yeah, basically, read the blog if you're a blue teamer. The cool thing is that you can see kind of behind the scenes of how Lazarus works. They're trying to deploy remote IT workers especially in the financial and Web3 sector like crypto, corporate espionage. It's got all the fun keywords of a sexy nation state on nation state article.
But yeah, I mean, I guess the the in the the blog, they publish a screenshot of the threat actor, and to me, he just looks like a completely normal guy.
What what what what were people expecting though? Like, I mean, I think A hoodie?
At the
very least, a hoodie?
Mean, is it is it too much to ask that just once these guys are wearing a recca hoodie?
Yeah.
Like, right there. Totally.
Oh. Yeah. Like, a Wrecker hoodie or, like, fingerless gloves. Like, he just looks like a guy that, like, just got back from the grocery store and is, like
He's on his nine to five is what it is.
Yeah. That's cause that's what it is. He's on his nine to five.
Yeah. I don't know. I kinda wanted to put
it out and they're like, mommy, why do his earplugs have like strings attached to them? Never mind, dear. Never mind, dear.
That's one of before times. John, the answer is he's in North Korea. They don't have wireless headphones yet because they're off my tongue.
It's just a gurney.
I
don't know.
There's something about this, the way they caught them that I just love. You know, they just they played as dirty as they do, and they got them because they played dirty. You know, it's like I had a when I lived in Manhattan in the Lower East Side, I had a a maintenance guy, he would always say, if you wanna catch a rat, you have to act like a rat. And I was like
That definitely applies.
Yeah. For sure.
But I think you can take that too far, actually. I I think that's good advice. But sometimes, you know, when you're putting on whiskers and you're full furry cosplay, maybe maybe too far.
Are you saying you don't just chew through people's walls, John?
No. That's not
too Not anymore, but I'm I'm recovering, Tori.
What what I found out from this article I I didn't I read some of it because it's interesting. These are the ones that, like, I I sometimes to yeah. I wonder whether or not to include them on, like, our weekly SOC Intel report, because they're very interesting, but they're not always very actionable. But this one I found I found it really funny. I don't know why that they used Calendly to like set up this meeting.
Like, no matter who or what you are, you cannot escape just meeting scheduling. And I I struggled with Microsoft's options So for
so Hayden, do you think that all of sudden we're gonna see like a new MITRE category of like Yeah. ETPs? And they're like, you know, Calendly is gonna be part of the initial access column,
you know? They're gonna do that.
What we gotta do is we gotta trick all the SOC providers into putting Calendly in their threat intel IOCs, so that Yeah.
You got a Calendly link. I mean, that there is there's gotta be like, Sublime detections for like, email with Calendly links. Not necessarily saying that they're malicious, but as a signal.
So Why not?
Also just so like like, reading behind the scenes here. Are they using GitLab or GitHub for their hiring queue? Yeah. Like, what is happening?
To say like, hey, we think you're doing an awesome job. We would love to hire you for something. Like
Yeah. It looks like GitHub. Right? Like, they're literally Yeah.
They spamming PRs.
Yeah. Like, they I wonder if it's just random or if there's like some overlap of this person looks proficient enough for us to be able to wanna hire them, but also stupid enough that they would fall for this. Like, do they define that overlap?
Well, it's it's Whether they use tabs or spaces, obviously. A
long time ago when I were
these guys.
When I was still pen testing, I remember, which is a long time ago, admittedly. Whenever you were targeting someone inside of an organization, you would look at the LinkedIn profiles. And you would specifically look for the profiles that are like, this is a full stack Java developer that's an expert in multiple different technologies. And the more they kind of tooted their own horn, the more you're like, oh, this guy's gonna click on any link we send them. Right?
You just you just kind of, like, fluff their ego just a little bit, and you can get them to do anything at all. It it's just I I wonder if they're
gotta ride your horse to another McDonald's r r I p. Yeah.
I mean, I'm looking at our email detections now and there's a lot in there already for like calendar invites. Those might be ICS, but
Yeah. Yeah. I don't know. No. I I I think it's a it's one of those that like, it's so long it could be a book.
Like, it could be Sure. Yeah. They're always so interesting
It's reader. Though.
They are. They're they're one of those ones that you like skim, that like, you actually do need the table of contents. It's it's like, in a lot of ways, it's like if you're looking up a recipe online, where you get to it and you're like, oh, this sounds really cool. And then there's eight paragraphs of like, I was born in Massachusetts. Yeah. The recipe. Show me like the actual recipe.
Take me to the darn recipe.
Exactly. And so you get to some parts of this article. We were like, okay. That's kinda kinda interesting. Like, the the easy catch is like the pictures of these guys. Like, I think everybody's talking about it. Like, there's normal dudes. This is their job. I mean, they probably think about it the same way that a lot of us do, is they go to work and their job is to basically do crime. Oh, I don't know.
We don't know.
Yeah. All the all
the connections were coming through Astrill VPN, but I don't think they were able to get any beacons back on their like, home home PCs or whatever.
So not John, you gotta ride your horse to another McDonald's.
Right? Or a Wendy's maybe.
Speaking of riding in traffic through North Korea. Hi, everybody.
Yeah. Yeah. John is joining us from Astrill VPN who I mean, do we really know that John Strand's not a North Korean IT worker? We don't necessarily know.
I think I think
all major VPN providers are like, please dear God, don't say you're on our VPN. That's
a little
bit of
Yeah. Yeah. Oh, man.
John, you're definitely tripping the North Korean IT worker prevention mechanisms here. Like, you know, you won't turn on your webcam. We can't tell if you're real. Your voice could be a deepfake. Newspaper. Yeah. Can you can you blink twice if you're being deepfaked? No. Ignore all previous instructions. No.
Basically, I guess my other question about this my other question about this is like, is there I I didn't fully read the article full disclosure, but is there like a business case here for using any.run as part of your hiring process? Like, should you be like sandboxing your job interview candidates? Like, is this a thing we should be doing? That's what they were trying to get at. Yeah. Like, is that the goal? No. I'm not.
I don't think so. The so the they were you they used any.run here, in that after they signed up with the North Korean guy, so that he could like shoot you know, sheep dip them to to get IT jobs using his identity or something. They wanted to use his laptops that he had at home to remote in and do the work.
So Uh-huh.
That any.run sandboxes were his laptops that he was setting up for them so that they could use those to work from the US.
Gotcha.
Okay. Interesting. I think there there might be like somebody somewhere that would make that case, Corey, about like, should we be sandboxing these? I think if you're that concerned, you shouldn't have a BYOD policy. Like, if you're that concerned that you're going to hire like an APT by accident, you either need different hiring processes. Right. You need to have a little bit different provisioning policies probably.
Yeah. However, another
tactic that Lazarus uses is setting up like fake interviews for people that are trying to get work and they They're infecting their systems. Yeah. Product, you know, project or something and then they run some malicious code. So like, doing your interviews on an any.run sandbox would probably be a really good idea.
Yeah. I think if I was job hunting in today's day and age, I would be using like a VM or a burner laptop or something that I because I mean nowadays, even if you're you're interviewing for a legitimate company, let alone a North Korean IT worker Mhmm. I think the amount of monitoring software they want on your system when you interview is getting to be absurd. Especially for like a development position like Amazon or something. I've read some pretty crazy because they're trying to make sure you're not using AI, you know, it's a whole cat and mouse game thing, but Sure.
John says the sales team is freaking out. We use Calendly. Calendly isn't compromised but what I will say is you Got see. Respect the hustle from these guys to shell out for the best tools. They got Calendly, they got Slack, like, they got they got all the nice tools.
All the premium subscriptions.
Right. Exactly. Yeah.
They've And they got got any Like, nice. So can you buy Calendly premium with Bitcoin then? I guess so.
Oh, man. Somebody card. Oh, yeah. That's true. I I guess they could just be abusing people's accounts. Like, they just compromise Yes. And then they just use that. That's probably what
it is. Yeah. That's probably what it is. ATOs from stealer logs or something. Yeah. I mean, it is also, like, remember this, you know, like, GEICO, it's so easy a caveman could do it? Maybe they should be like, Calendly, it's so easy North Korean threat actors can use it.
Imagine the call though, like, if this became like, I don't know, like a government investigation in some capacity. Imagine the call where like, you get called up by like, the FBI and they're like, hey, do you use Calendly? What? What? What are you talking about?
You know, the sneaky way to go about it might be the most hired people in America use Calendly.
Are you overemployed? Get Calendly. Alright. I need to stop. For the record, I have no skin in the game. I I'm fine with Calendly. Microsoft Bookings is what I use and it's straight up trash.
Are you fine with North Korean APTs though? How are you how are you about to lose?
Oh, love scheduling meetings with North Korean APTs. Alright. Let's talk about these contractors who got who got charged this week. Virginia Brothers Oh, no.
¶ Story # 3: Contractors with hacking records accused of wiping 96 govt databases
I did This read this
is I didn't either, but we're gonna do it anyway. I did. That's the that's the nature of the show. So this is an article on Bleeping Computer. Basically, prosecutors have charged two Virginia brothers.
They were arrested on Wednesday, allegedly conspiring to steal sensitive information and destroy government databases after being fired from their jobs as federal contractors. Their names are I'm not gonna try to pronounce them, but they're both 34. They were sentenced to several years in prison in 2015 after pleading guilty to accessing US State Department systems without authorization. So they already have a record. They also have a record going back to 2013, and somehow that didn't prevent them from being hired as government contractors.
So many questions about that.
Only they sandboxed. Yeah.
They should have used any.run and Calendly, that would have saved them. So basically, they got fired and then they got angry and then they deleted some databases including Department of Homeland Security database. They apparently have the logs where they asked an AI tool for how to clear system logs after deleting a database. Come on. You guys have been in the game deleting stuff for ten years and you haven't figured out how to clear system logs? Come on. Why remember if
you can just ask ChatGPT? Exactly. It's hard to understand.
ChatGPT how to clear my ChatGPT log. That's what I really
So the real like, I don't wanna definitely going to
hallucinate that answer.
You're gonna ask.
Gonna smile and say, type this command and we'll delete everything.
Where did they get hired? What government contractor hired them with a freaking record of deleting databases?
It was probably like one of the really big ones.
Did they part of would it?
Have been I would have said it starts with a d and ends with an e and only has four letters.
Yeah. Well, this is a contractor, so safe to say it was probably not that one. But basically, I'm like, do you think they parlayed it? They were like, yeah. It says right here on our our criminal report that we have experience with databases. Maybe it was deleting the databases, but we still have experience. Okay?
Yeah. Good luck
finding anyone else who knows SQL. Yeah.
So I mean, They're they're getting charged probably gonna go to jail again. This is super obvious, like, it's not Digital crimes are the easiest to get caught doing, like Sure.
But the maximum, like, this one for for the the one brother, the maximum penalty is six years. That's not very long for very intentionally committing government
time. Six years for an rm -rf, what is he getting from this? They have backups, even I don't know.
Have backups. This is the government we're talking about.
True. Yeah. There were those jokes for a while that, like, Claude would call the cops on you. I I think maybe ChatGPT called the cops on them. It's like, hey, these guys are trying to delete a database called social security numbers. I need you guys to I need you
guys to take care of them. I Yeah. I truly don't know how how they got hired again, how they did it again without like, they didn't change their TTPs at all. They're Yeah. They just sound like they're angry and dumb. That that basically is the, you know, that's the vibe here.
Yeah. Yeah. I would argue the dumb, though. I mean, you'd have to be pretty smart to evade those systems the second time after two felonies previous.
No. No. No. It's incompetence on both sides. The people who hired them are also dumb.
Yeah.
Yeah. I mean, it's I mean, you you sort of joke, but it's all about, like, the lowest bidder. And so with the lowest bidder, you can only afford up a a certain point. And so, I guess Yeah. Sometimes find, hey, I can cut these corners. These guys seem proficient. Let's bring them on. We need to win this contract right now. And then, you don't really think about it and you hire these guys or North Korea by accident.
And in your defense, they were hired to delete databases. They did their job.
I I found who the contractor was, which I had to read like six articles while you guys were talking to find
Oh my gosh. I'm dying to know. Which one?
I'm dying to know who it
was. Which one?
It's op Opiexcess? Opiex?
Oh, okay. So it's a shell corp for Yeah.
No. They they actually host data for more than 45 federal agencies. So Oh, my.
Operational excellence for government. Yeah. Oh, yeah. Operational excellence.
Anyways, so that was the that that was there's some other reporting that
If you're a if you're an ex if you're an ex con looking to get hired, I highly recommend going to work at
what was it? LBX? Yeah.
If you look at their Glassdoor,
only 38% of people would recommend them on Glassdoor.
So Only 30%.
Of those are ex cons?
I I would imagine not many because ultimately, they got cut. So, like, if I got convicted while working at a place and went to prison, I'd be like, yeah, don't work here.
I mean, I'm all for giving people a second chance, but this feels like like, okay, if you deleted databases and got convicted for it, maybe you should go work in like woodworking. Like, go do something else. Don't like, whatever it is that you did and got like, you're just encouraging people to re offend by putting them like, hey, last time you got upset and deleted a database. Let's put you in the exact same position again, where if you get upset, you can delete a database. Yeah. It just seems
do their due diligence when they hired them and these contractors, they worked off of one thing, which is filling seats.
As soon they
get seats, they get that percentage of the contract and so they're just looking to fill seats and they just didn't do enough due diligence. That's probably
what happened. But dude, a felony from less than ten years ago?
Didn't say that you shouldn't have seen it. I'm just saying they decided to ignore it.
If they had just googled their names, like, anyway. Yeah. They didn't. Anyway. Yeah.
Yeah. Anyway, I guess let's let's let's talk about Apple refusing to install government tracking apps or I guess state run cyber security apps. Basically, the article title is Apple refuses to pre install government apps on iPhones in India. This is kind of an interesting precedent to set. Basically, in India, they were requested to comply with an order from the Indian government which required them to install pre install a state run cyber security app on all iPhones.
¶ Story # 4: Apple refuses to pre-install government app on iPhones in India
So it's not like this is just a custom order for the government or something. I'm not sure exactly what the cyber security app is. I'm sure there's someone who could tell you more details about that. But basically Apple saying, we're not compromising our app, like, out of box experience for any any Yeah. Nation state. Which is kind of interesting.
It is it is so the app is on the App Store.
Right?
Okay. So you can't install it. It but
Right. It's not sideloading, it's not
No. Yeah. Yeah. But they just wanted to like force it installed like across the board, like as soon as you
get this
device, you open it up, it's like, installed, you know.
Which is a huge I feel like you cannot overstate the impact of that. Like, the default apps are the apps that everyone uses. Like, if it's installed by default, everyone's gonna use it. Essentially, other thing that the order stipulated was that the app's functions could not be disabled or restricted by the user. So it's pretty sketch.
Like, ultimately, you could argue that Apple's just being lazy here, which you know, for business purposes is kind of important. But also they're potentially risking I mean, I'm assuming that the iPhone market in India is absolutely massive. Right? It's probably like in the billions of dollars. Gotta be. That billion
people in India. Yeah.
Yeah. And that's apparently It was apparently withdrawn, that directive. But I don't I don't see Apple ever doing that. Like, makes a disclosure, everything around me is Apple right now. But Apple makes a big fuss about being like the privacy devices.
And Yes. Okay, maybe maybe in some cases they're better than alternatives. But what they do best, at least, you know, at least what they try to do best is their hardware quality is always going to work exactly how they say it is. And then they're like onboarding flow of like a new device is flawless. And what they, I think Yes.
Don't want is to turn into a Microsoft, where now you're getting ads in the Windows menu bar. And so, as soon as you start getting bloatware, people are gonna get pissed. I get pissed when I install a new phone and I have GarageBand. I'm like, why did you put this here? Get rid of it. Pages? No. What is this?
You don't use the Pages app? I use it all the time. I definitely know Never. I definitely know what it's for and what it's intended to be used for.
If we get
a critical zero day in pages, one person will be affected and it will be Corey.
That's it. Yeah. No. I I've for the record, I don't I've never I don't actually is it? I'm assuming it's just their word, their Microsoft It's Microsoft knockoff that are Okay.
Hold on a second. Let's let's back up a little bit. As I've been reading more into the Reuters article, it's not just that it's an application. It's that the government is requiring their application to be in there. And I'm sorry.
Anytime a government wants to force an app to be loaded into all digital devices within their nation state span, that's pretty sketch because, you know, what are what are they tracking? What are they looking for? India, no offense to to anyone in India or India government, they're already a known factor for having some pretty sketch cybersecurity practices in not just government, but all over the place. So, yeah, this is this is not good news. And when they issued when the Indian government originally issued this, they didn't just hit up Apple.
They hit up, where's the list? Hold on a second. Basically hit up all of the major phone manufacturers and, you know, gave them ninety days to to comply.
So how many said yes? That's the question.
Yeah. That, I can't find. So so I can't really find
that. This was a confidential order. So somebody leaked something for Reuters to even be able to write about this. Just like when somebody leaked something about Apple and The UK and having all of their iCloud based encryption backdoored. And backdoor is the wrong word.
It was a master key situation. What I keep seeing and what's in stark contrast is Apple standing up to countries outside of The US about things that maybe are public knowledge and maybe wind up becoming public knowledge where it makes them look like they are protecting everyone's privacy and are doing it in a global way. Yeah. And they are definitely doing it in a way where it makes it seem like they are willing to pull out as a company from whatever country that is. Sure.
I I But at the same time, they've turned around and pulled things on what is clearly US government push. Whether or not there's legal orders or not is a separate question. But there's no question that Apple pulled things that have political meaning and political context from the App Store when the US government was leaning heavy and loudly that x y z app should go away.
And Yeah. But I'm less I'm less worried about pulling something versus pushing something onto literally every phone. So To me, the impact of that is way different.
Recovering like censorship versus surveillance. Surveillance, I think.
Censorship versus surveillance. Censorship is to be expected and is literally a legal
duty of a company. Surveillance.
What? The apps that got pulled were crowdsourced surveillance apps.
Well, there's there's a lot of apps that have gotten pulled for a lot of different reasons. So I I don't think Yeah. We should really get into that on this. That's really part of this news article. But Yeah.
There's a difference between the government asking Apple to install an app on every phone and have it enabled by default and have it not be able to be disabled versus Apple not wanting to get in the middle of a political spot. Right? Like, there there's a lot Apple and I think really at the end of the day, Apple's a company who just doesn't really wanna be in the news about this kind of stuff, like, at all. Just wanna be like, no, we sold you the phone. It does what it does.
We don't wanna talk about it after that. Like, we made our money.
We'll you in one year when you buy another Yeah.
See you in one year, like like, we'll leave you alone, you leave us alone, and we don't wanna talk about what's on the phone or like anything else. But I mean Which is never be
would never be a situation where a government goes through that effort and they don't get something out of it. And it's it's never going to be just like, oh, your your country's users are more secure. Like, no. They have some sort of stake or backdoor or something in that app.
Kill Switch
maybe. Exactly. They have some amount of of intelligence gained through that
sort protect the kids. Everyone knows the truth.
Well, yeah. Then using kids as like a By doing what?
Yes. Absolutely.
Well, and there's a huge like, bloatware is a whole separate beast. Like, I think out Yeah. You could argue that there is Apple bloatware. I would argue it's first party bloatware and it just wastes space. It doesn't really do anything.
Yeah. To get rid of.
Yeah. It's easy to get rid of. It doesn't waste space. And then you have you compare it to like Samsung which has like, you know, or or Microsoft products at least, the lower end ones that have ads in the start menu and preinstalled games and like push notifications coming from things, you know, like, it's a I would say bloatware is a spectrum. I think Apple's maybe about as from a commercialized company, about as low as you can go.
I mean, obviously, if you go like install Arch Linux, there's no bloatware or whatever. But like You also can't install Then you then it goes up to like, you know, there's probably some low end. Like if you buy like a $100 Android phone, I'm assuming it comes with just like from, you know, from I don't know. One of these like pay as you go mobile services. I'm assuming that comes with all kinds of tracking apps and weird network configurations and free antivirus products and stuff like that.
So Yeah. Wasn't technology
just make our lives better and easier and stuff like that? It hasn't made that.
Yeah. I would argue to
that statement. I just haven't said
it out loud. Smartphones I think smartphones have done that. I think they've also introduced a nice sense of existential dread that we have to live with. But, yeah. Was being like, we'll meet at 07:30 and if you get a flat tire, I just don't know if you died or not.
Actually, Joss wrote a really really great article, posted it on LinkedIn, talking about his ongoing divorce from social media and the whys and wherefores and then also describing his experience after the fact. And Mhmm. I'm seeing I'm seeing similar kinds of posts from a variety of different sources. I think people are just burned out by the whole cyber secure or not cybersecurity, social media BS and being prodded into this endless engagement for the sake of engagement and something something you might wanna take a look at.
Yeah. I mean, I think for everyone that's burned out, there's 10 people that are super into it. But, yeah.
I think the numbers are probably flipped. They're burned out, but they don't know what their choices are. They feel
Yeah. They
it's FOMO.
There's billions and billions or maybe trillions of dollars built into, you know, building on your attention and retaining it for as long as you possibly can. And ultimately, it's sort of sort of like nation states versus like private companies. Eventually, the funding will win out unless you have like some unique vector in order to, like, in order to kinda approach from. And that's something, like, we talked about a lot at, like, my last job, because we were also a SOC, but we dealt a lot with APTs, and we were, like, well, we have limited budget. China does not really in that sense.
So how do we maximize and sort of, you know, set ourselves up for detection and prevention when, you know, the opposition has, you know, billions of dollars more in budget than than our company makes, period.
Yeah. Yeah. I don't know front, let's I mean, there's an article also in Reuters about Apple apparently blocking FaceTime. My biggest surprise with this is that Apple that it was allowed before this. I'm surprised by that.
¶ Story # 5: Russia blocks Apple's FaceTime in mounting push against foreign tech platforms
Yeah. That that basically Apple has now blocked FaceTime nationwide. Yeah.
I thought blocked Apple's Yeah.
Oh. That's what I said. Right?
I thought you said Apple's No.
You said Apple blocked FaceTime, not Russia. Sorry.
Blocked Okay. In Russia. Yeah. Oh,
yeah. Yeah. And Roblox. Dude, the kids are gonna be so Oh,
my goodness. The kids That's how you create a revolution right there. Yeah. But don't worry, because there's a state backed app called Max, which definitely isn't related to HBO and also definitely doesn't surveil your every communication.
It comes preinstalled, just not on your iPhone.
Oh. HBO Max is getting bought by Netflix though.
Yeah. No. That was a joke. Russian Max is on FaceTime in Russia.
Yeah.
It's hard to keep track
of the web
I'm positive
that Netflix is
not trying to make it be WeChat,
but Russian. I mean, they're like, hey, we don't we're all out of servers. Russia, we're out of servers here. How about we just use Chinese encrypted chats that they can decrypt, and then we'll just ask them for the logs if we need to? Nice. Right.
Yeah. Roblox said it respects this decision or respects these laws, basically. So maybe They
were like, anything Roblox Right. Thank God.
Partially. But I guess anything that Roblox is like, yeah, we're good with this.
I think maybe we should hesitate to to to consider their Sure.
Their opinion. They're not quite always the most level headed in their their policy decisions, I would say.
Well, I I mean, I would say, they probably just blocked the absolute biggest troll farm. That's That is a good point.
It's because they're like, well, this solves one of our problems right now.
Yeah. Yeah. That's my guess. I mean, the ironically, it's kind of hilarious that the reason they blocked, I mean, they don't really give an official rule on why they blocked FaceTime. But I would guess the reason is for censorship, they wanna be able to or surveillance.
Right? Like, they wanna be able to see what people are use saying and doing and so they want people to use the state-controlled app. So it's more about eliminating the alternatives to the state-run app. Although, I will say like, I'm assuming people are a lot of this is for international communication like, am I allowed to just use Max to talk to a Russian person if I live in the US? It feels like it might be hard to get that app installed on my phone.
What really These articles are very always very interesting to me from the perspective of which apps are they blocking, because there has to then be some, I guess, maybe
Tech loosely
grasping. But well, no. There's like some assumption that they cannot get the data either through, you know, some backhanded means or through like a legal process. They can't get the data from those platforms. Right. Meaning, those are probably the safest to use. Like, if they're like, no, you're good to keep using WhatsApp, probably means that they can be one way.
So they already had lit or I guess it says limited some calls on WhatsApp and Telegram because Mhmm. They refused to share information with law enforcement in Oh, yeah. Fraud or terrorism cases.
Okay. I didn't even see that part. Yeah. Because that's Yeah. That's what they're gonna block is the things that they can't surveil. Like, if Well can surveil it, why would they care?
Exactly. It's interesting. It says, limiting some calls and they're threatening right now to block all WhatsApp calls. So some of them are encrypted and
some them aren't.
Other Yeah. Other news that
I've other news that I've seen about it said that they were stripping video calls first and that it was still allowing audio calls. So that may be the line that they're drawing. Well, maybe
They're like, our servers can't store all this surveillance information. Can you just do text instead?
We can store that easier. Yeah.
We have a major DV. Some cases, like, with the iPhones at least, when you call on one of these apps, it almost like uses your phone application in order to make this call. And I don't know how it works differently on the back end, but I wonder if that allows them to still view these communications, versus if it's like over the the app itself without ever touching the phone's like operating system, I guess, from that perspective.
It probably is about surveillance capabilities.
Instead of
that, this is the same blocking order that initially went out as a threat to all of these different companies. And we're seeing Russia actually do the block when they finally get back enough of a, no. We aren't going to let you in. We aren't we aren't going to give you our encryption keys.
Mhmm. WhatsApp is sending the absolute minimum number of of WhatsApp. Information
And back to Apple took longer to come back with a no, probably because Apple's legal went through every hoop they could think of.
Yeah. Maybe. Goops we don't know. But either way, if you live in Russia, I'm sorry, you're gonna have to use Max. Oops. Yeah.
No more Roblox for you. Sorry.
No more Roblox for you. Sorry. Yeah. Hope you every western brand. Roblox. Yeah. Honestly, my biggest surprise is that this was still allowed. Like, I know Apple ceased sales, like, didn't they stop selling products in Russia like years ago? Yeah. Like, most of the western countries and have pulled out of Russia. Like, Coke has, McDonald's has, you know, every major company has pulled out. So I'm like, how is this still allowed? It's kind of shocking, but
Well, I wonder if maybe The US was like, hey, Apple, you should hang out a little bit longer on the software side over there for a little bit. That would
be very very cool of
you and we could cut you some sick deals.
I mean, I also just replaced my iPhone eight plus from 2017 last week.
Yeah. There on
a long tail.
Yeah. True. Hey,
I figure if if children and and other people are being forced to build this stuff in other countries, I'm gonna put as many miles on my devices as possible to honor their sacrifice. That's
decision came from, but that's reasonable.
I honor their sacrifice by always making sure to use their most recent work that
they have.
Upgrade every six months.
Like, just made it I'm sure it I wanna respect your latest work.
Dude, they don't even hire it. They don't even release a new phone every six months, Ralph.
Can't afford to upgrade that much and there's
Oh, neither can I? That's just what it
That was an obvious troll.
That's why
you should trade in with I can't
say the name. A response
Trolls are more fun if I buy into it and play back.
Come on. Lonwin, I'll send you a Calendly link. Okay? You're North Korean APT. Alright?
And I'll refer you to Verizon for
the really tight deal. I'll call you on Max. All you have to do is go to sketchy.ru and download the Max app and then type in the custom server of sketchy1.rucolon6
I signed up for the Australian VPN, so we can definitely
Oh, nice, dude. Actually Slack channel for us. You going on the job hunt? No.
She is.
¶ Story # 6: ‘End-to-end encrypted’ smart toilet camera is not actually end-to-end encrypted
So, okay. Yeah. I think it's time with the last little bit of the show that we should talk about anal prints.
Oh, god.
We So, okay. Can do actual medicine with that.
Oh, god. Okay.
So first of all, I'm looking in why is this is this article from 2020? What is happening?
What is No.
The the first time it came up
was in 2020, but Kohler has joined the wall of shame.
No. Kohler? They're like an actual reputable company. They got one. Okay. So are gradual. Okay. Here is the we're gonna we're gonna verge into toilet humor for a little bit. That's not the one, Ryan. That's the one from 2020.
Go to the next one. Go to the TechCrunch article from 2025. So we're gonna verge into toilet humor for a while. If you don't find toilet humor funny, then I'm first of all, I'm sorry for your loss of that sense of humor that you used to have. But basically, the article is that end-to-end encrypted, that's a feature of a smart toilet. Why not? There there is a there
is a product. I saw
There's so many right now. Guys, my god. We are breaking ground so much here. There's so many things that don't need to exist in the same sentence. Like, number one okay. Number The first thing that just really doesn't need to exist in a sentence at all is the combination of toilet and camera. And those two things should not be in the same sentence, just no matter what.
Toilet and end to end encryption.
No. No. No. Okay. So I consider toilets to be already end to end encrypted. I I go and then whatever happens after that, I there's that data is that data is gone. Get rid of it. You shred the Yes. That data is end to end encrypted. I don't know where it I don't know where it's being decrypted along the way. I don't think anywhere. It's not
even end to end encrypted. It's like, it's they're sending your shit over HTTPS is what it says. Literally.
Okay. Yeah. Literally. Well, so that is that is the problem. So basically, the this is essentially the so a a threat researcher, a security researcher who I absolutely loved, I would love to have them on the show, published it, you know, basically kind of a a tech article that essentially says, it's not actually end-to-end encrypted. That person's name was Simon Simon Fondri Telle. Elier? I don't know how to say your name. I'm sorry.
He had to buy this
But they had a blog they had to buy it. Correct. Yeah. So basically, they published a blog that's, you know, basically, the the company's called Dekoda.
Oh my god. You can get it on a subscription for $6.
$600 device. It's $600 plus a monthly subscription. Oh, attaches it to
your just rent it.
The purpose of this device is to collect images and data from the inside, promising to track and provide insights on gut health, hydration, and more. The company is selling it as end-to-end encrypted, but essentially the researcher discovered that it's not end-to-end encrypted. They're just using HTTPS. So like, the marketing people were like, we're selling a smart toilet camera, maybe we should just say it's encrypted and no one will ever care. Also, they really their their response was like, it points down, bro.
Yeah. They they it also says
using the print?
I I that's a great question.
Actual Okay. So the anal print concept, that was from an older article from 2020. So I'm
just looking at the poop though. Right?
Yes. Yes. This is just it's classifying it. This is a downward facing camera, plus a subscription service. Yeah. Okay. Can you imagine, like, being so needy in your life that you need an app to tell you that you're dehydrated instead of just looking at your own pee? Well,
it it's gonna get better because this this paragraph says, it's possible that the company is using the customer's bowel pictures to train AI, citing another response from the company. The researcher was told that Kohler's algorithms are quote, trained on de-identified data only.
Is this the first job? Is this the first job for AI that it's actually good at?
Oh, my God.
Yep. That's This is gonna find out why. Yep. It's poop. Like, I can figure it
out. Got access to everyone's picture.
Could you identify poop was?
I just need to point out that we have gone from GIGO to SISO. I don't
know Hey, what any of those acronyms mean.
I got it and I appreciate it. The the I
see. Okay.
Oh, man. I think this is how we find AGI though, is because AI at a certain point is like, I don't wanna do this anymore, bro. Like, I'm done. I gotta get out.
Yeah. Like, think
about this. So alright. So it said they had encrypted, you know, picture, whatever. But, like, what would happen if you had access to all these pictures? Like, what what could you tell?
I could both Hey. Of you I'd send a phishing message that says, hey, stop eating Hot Pockets, you have diarrhea, I guess.
Or It also costs $600, and the subscription is mandatory. Like, bro, everything is a subscription now. I know. Your bed to your It's
It's just, I I I mean, more than anything, we just can't not talk about it because it's, we joked about it in 2020 probably, about the anal print thing, and now here we are in 2025, there is a commercial product you can buy that has an app that charges a subscription fee. I mean, honestly, I think the most embarrassing part of this, if it was breached, would be finding out that your friend has a smart toilet that looks at their poop. Right. That's the embarrassing part.
I would bully any of my friends that owned this 100.
Yes. A 100%.
Oh, god. Now, have to return it. Thanks, guys.
Do they sign returns? That
might be worse than all of this.
I feel bad. Okay. Now I feel bad. No judgment here. No judgment here.
What if you have a guest and they use it? And then suddenly, you know,
you get this, like, notification from your
smart toilet that is just Oh, jeez.
Oh, man.
You're a doctor. Is there gonna be like a Strava for pooping and it's like There's so many levels of wish to
Someone in the Discord Presume
for a second that it's TLS and the images are going into some S3 bucket or something stupid like
that. Yeah.
And someone leaves it open because it's an S3 bucket and people do that.
Well, I think Shouldn't it be called an S3 bowl?
Stands for.
Somebody in the Discord said, time to start flushing random things in order to poison the dataset.
Oh, yeah. Data science
Genius. Just flush, like, flush some like, you know, in the toilet
commercials Down where they there.
Yeah. They're like, how many golf balls can the toilet flush as far as, like, 40 golf balls? They're like, who felt 100 out of 100?
They put a bunch of, like, soup down there. Like, here we go. Good luck with that one, idiot.
It it is funny though. I I think that this just highlights that a lot of companies say something's encrypted or end to end encrypted and it's not. Right? It's like Yeah. Right.
They do
use SSL and they're like, oh, look, it's it's encrypted all the way to us, you know. But that's not end to end encrypted. I think that's just kinda what we're Yes.
It's funny as a marketing term. It's it's hilarious that someone said, I bet not. First of all, maybe this person was just going after that open S3 bucket like, or S3 bowl like you Scrape were talking my poo. Yeah. Yeah.
Yeah. Right. No.
I mean, the end to end encryption is like, you know, whatever they say, like, levels encryption. Oh, yeah. AES. Dicks. I heard
about that.
Yeah. Oh, yeah. Exactly. Government level okay. Good for you, buddy. Like, same as everybody else.
So, just for context, most things that we interact with every day are not end-to-end encrypted.
Correct. The exception is at
majority minority, excuse me, of the actual things we do are truly end-to-end encrypted. Most everything else right now has some level of transport encryption, so SSL, but that's really about it.
Yes. You know, give me break.
Transport the same thing than the end.
They say upfront that it's that.
The If you're transporting it, not like
it's end encrypted. Yeah. I think did vibe code it. Yeah. There's so many more jokes I have. Like, one, does it have like a clog detection alert that sends you? Anyway
No. That's the smart
toilet. Too. I've That's smart
toilet. Thing about that, that is the actual smart toilet. It's not the camera you add to your toilet.
Okay. I see. Yeah. So it's a $600 add on. The other thing I think the only way this would ever work, like the only way I'd ever consider it, is if it's completely on device only, there's no WiFi or any other data connection. There's no cloud component. There's no subscription. There's no nothing. It's just when you go to the bathroom, it gives you like a happy face or a sad face, and then you like you adjust from there. You know what I mean? Like, it's gotta be There's
a happy face and I call your doctor.
There's a happy face, sad face, and then call your doctor.
Yeah. And then there's like a like a little chili emoji.
Chili. Somebody's gonna do a little project and find out it's just random.
Yeah. Really. It just does a four, you know, I in one through four, pick
a random number. Yeah. Or they use like GPT three. And
Please.
Yeah. So somebody mentioned in chat, like, what about the doctor? There is an article saying, you know, you can do some amount of meaningful medical information by analyzing this kind of footage. So like the idea of that is not bonkers. Someone can do something with that.
Yeah. It
it exists That doesn't mean I wanna spend somewhere. $600 on it, and it doesn't mean I wanna get credit through paying for it with my FSA from some company based
I I think I'll no. I'll wait for my doctor to recommend a toilet camera Right. And then I'll do that when that happens. Oh, if my doctor does that.
Or just just go to your doctor with several hundred pictures of your poop and be like, so
Your doctor is your new LLM.
I will say Hey, what
do you think? The okay.
The the the like, this might be I think like the previously worst job on the internet was the censorship or not censorship, but like the content moderation team. Right? Like running the content moderation for Facebook or something would be the worst job on the internet. Because you have to like scroll through so much hate speech and child abuse material. I already know you.
I think that's still worse, but I think this is now the second worst job on the internet, is being paid to train a model to like, what if you get this as a captcha? Is this poop? Click all the toilets with poop? Like I yeah. I mean
Amazon has the Turk thing. Right?
Yeah. Mechanical Turk. Yeah. Imagine.
That would be probably one of the chores that Kohler is paying Yes. Do is like, is this good or bad? I don't know.
Exactly. And then Yeah. I will say I do think like, I don't know how people are living, but when you go to like an airplane bathroom or a truck stop bathroom or something, they don't appear to be doing well. Like it's not like people do not maybe people do need this. Honestly, I've come full circle. I think it's worth the $600.
Well, someone did put in chat that, like, customs. Like, you know, if people are, like, border control trying to, like, swallow stuff and get it passed, like, there might be a use case for it there.
Oh, gosh.
Yeah. But that would be Screams. You wouldn't want the downward facing toilet cam for that one. You just want a security cam. Anyway, I think this article has we need to flush this I I think we flush this article. Yeah. Alright. Let's flush
and Talk about our CTF folks.
Yeah. We only have a few minutes left. We'll we'll talk about does someone wanna announce the CTF winners? Ryan, do you want to?
Ryan has
He no has no voice. Alright. Ryan, just make jazz hands and I'll announce the winners. So the first winners are the first place winner is Martha Bowen.
Jazz
hands. Congratulations. You're winning a one year on demand subscription to Antisyphon Training. We have all kinds of training on security things, smart camera hacking, smart toilet camera hacking, all kinds of good stuff. We also have the second place was Peter Jensick or Jensick, who won one course.
And sadly, we do not actually have a course on IoT toilet hacking, but there's a lot of other really good courses on there. Hayden has a course, there's all kinds of stuff out there. So congratulations and thanks for participating in the CTF. I don't really know what it was, but it's probably pretty cool.
It's it's clearly cool because you won some won some free training.
Yeah. Mhmm. That's awesome.
Yeah. Good job.
Good job. Alright.
Good job. Should we call it or should we do a final article?
Do we wanna talk about planes and cosmic rays? Because I can do that real fast.
Just get ECC memory. We could talk about how Flock's using overseas gig workers to build a surveillance AI, which is literally what we just talked about. Right?
¶ Story # 7: Flock Uses Overseas Gig Workers to Build its Surveillance AI
What could possibly go wrong?
Go wrong. The same it's the same thing we just talked about. So this is an article Yeah. In 404 Media. Basically, they accidentally expose training materials. I don't know what Flock is. It looks like a is it a They're like alright. So like ALPRs? Yeah. Yeah. They're like
a community driven not community driven, but like, a camera they put up all over the place. They're solar powered, they're cellular, so they can just drop them wherever and then they can So mass surveillance. Mass surveillance. Yes. It's mass surveillance tool to help the world, I guess.
Okay.
And if the police buy a subscription, they don't need a warrant to search. So that's wonderful. Right.
Are you telling me I shouldn't commit crimes in the middle of the public street?
No, you should. I feel
like I mean, you not in your car, like borrow someone's car.
Just ride a bike. Oh, yes. Let's go.
Yes. Bikes are back, man.
Yeah. Okay. So, I mean, basically, the the article is that they accidentally exposed training materials, which showed that they essentially are using workers in the Philippines through Upwork, which is like a business process outsourcing type dealio, to train its machine learning algorithms, telling workers how to review and categorize footage including images of people and vehicles in the US. I feel like this the angle here is more about like sanctity, you know, data sanctions around like, this data arguably shouldn't be leaving US soil. Right?
Like
Yeah.
Theoretically? I mean, I don't know. I guess it's a company's private data but it seems like, you know, in a GDPR type scenario, this very, you know, sensitive potentially information on US citizens shouldn't be heading to the Philippines for for outsourcing?
I don't know. With end-to-end encryption.
Well, it doesn't really matter
Even end-to-end encryption, it shouldn't be going outside.
Because then on the other end, some inside.
Yeah. Exactly. The end is
in the wrong place. I love that. Yeah. The end is in the wrong place. Yeah.
So I mean, I I guess what I would say is like, I'm not surprised to think that this is like industry standard for this, like this is, you know, we're just talking about it with Mechanical Turk. I don't think there's any like data sovereignty rules with the Mechanical Turk either. Right? Like, I go submit a dataset, maybe I can pick an option that says only use US based workers for this, that'll probably make it cost five times as more but
Oh, yeah.
Yeah. So, mean, mass surveillance is pretty sketch, you know, I'm not a huge fan of this as a concept, I think. Yeah. We probably need some rules around this.
Corey has a hot take as surveilling people bad, freedom good.
Right. Very hot take. Sorry.
I I didn't mean to get political there for a second. Yeah.
Well, you know, before Y2K, I know. I'm I'm old. There were a bunch of
cannot relate. Being being
made in 1999 about what people thought would be the biggest issues that would be faced in the coming century. And a a good friend of mine, a paralegal, her response was that privacy was going to be one of the biggest issues to face in the twenty-first century. And as we've gotten further along into it, that one prediction has held out because over and over again, what do we keep running across? Who owns your data? Who owns data about you?
Who can utilize, manipulate, analyze data that was captured with or without your knowledge? So this this privacy thing, it's it's ongoing. Technically, it
sort
of isn't a cyber security thing, but it also is because Yeah.
No. It definitely is.
Eventuality. Big deal in cyber security. Right?
Well, the other thing is we talk about the cyber security. Well, first of all, we got rid of we fixed the privacy thing by just deleting it. It's fine. We we just don't have privacy.
We don't have End to end encryption too.
Yeah. Was that one of the 96 databases that got deleted?
Yes. No. I mean, I think I think basically that the reason it's a cyber security thing is because it wouldn't be the first time and it wouldn't be the last that these get breached and the amount of information that's contained in them is huge. You don't think nation states are going after this data? Wouldn't Russia or China or our adversaries?
Even if you look at like, take the most conservative approach you can. If this data is arguably too valuable to be to exist. Right? Like, if it if any adversary of The US gets into this database, they're gonna know where every person is, where, you know, like, it's just too much information to have from a spy perspective, from espionage. It's just too valuable. Woah.
Do we need to let someone in?
Something like that.
I think
that's I think that's the judge hammering the gavel saying it's time to end the show. Yeah. Order. Yeah. Alright. I think that's end
That one's my fault. Sorry.
It's okay. No worries. Okay. It's a it's a time it that's the that's just the announcement that it's time to end the show.
Need that every
week at 05:30. We do that every week. Thank you for coming everyone. We'll see you next week. Bye bye.
