¶ PreShow Banter™ — Task Overflow
Yeah. No. I was reading over the weekend about the whole Stack Overflow business, and absolutely, their interactions have tanked since OpenAI was released. But they they sold out. They've sold their content. So they've got almost nothing in the way of interactions Yeah. But they're making bank because
For now. But I mean like, they're not going to continue to make that money forever, you know what I'm saying? Yeah. Like, eventually they need more You need like more questions being answered. And if they're not, then, you know, with this kind of thing, the house cards kinda crumbles. Right?
I don't see any I don't see any sources for Stack Overflow being sold to OpenAI.
No. It wasn't. They license their content. It was either 04/2004 or it was MIT Tech Review. I'll have to look.
We have a partnership.
But they're getting paid in the partnership. That's the point.
They're making more Yes, Zach.
You can partner without getting paid. Trust me.
I've done that a lot.
Yeah. Did you get married?
Oh, man, dude.
You said it, not me.
If you're getting married and you're not getting paid, you're doing it wrong.
See? That's how you 10x.
Don't forget to call in to the BHIS podcast. That just I could just read Ralph's personal cell phone number on the air.
You could just leak John's number again like he did the other time. Honestly, I thought it was a slow news week. I didn't see anything in the articles really,
like, grappling.
Yeah. Didn't even get to scroll through the first freaking page of articles.
I went all the way down it. There's some cool AI stuff as
cybersecurity. There's a lot of, like, geopolitics, policies.
Some cool privacy stuff. Right? But some scary privacy stuff further down
cool is an interesting term you got there.
The California privacy stuff is pretty cool, I think.
Yeah. It is. It is. But that's like whack a mole. Right?
Yeah. But at least someone's whacking the moles. Right?
For sure. Privacy is whack a mole.
Take one we'll take one dead mole over zero, I guess.
Right. Exactly.
Nothing else? Nobody else had anything cool stuff?
No. The the show's over.
I was like There's no chicken minutes, you guys can leave.
I like the class like that too. Welcome to Black Hills Information Security talking about news. It's 01/12/2026. We have all kinds of articles, lots of geopolitics, lots of cryptocurrency, money laundering, Discord IPO. I can finally cash in on my 3 prime tokens or whatever I have on Discord on the stock market.
¶ BreachForums Doomsday - 2026-01-12
We've got articles and we've also got hosts. We have Ralph who's who's here. We've got and he's he's branded himself a gator catcher, which I feel like it's more about chasing them than catching them. I feel like you don't really wanna catch.
You gotta catch them and then you gotta go release them into another lake and then it's like a circle of life thing, right, where they call you back.
Okay. I see. I I see. We've got Brahma
How many times have you done this?
Yes. Please explain. Please explain. How much
what's the most money you've made off of one gator?
I mean, it's it's pretty good. It's really easy too, by the way. All you do is play baby gator noises and they will come to you.
Ah, okay. That's a tip. That's a hot tip. Mhmm. We've got Pentester aka Cameron who's painting her fireplace during the podcast, which so far is the most productive anything anyone's done on the podcast. We have Wade, and then we also have Dave. Dave is Dave and Cameron are here to plug their upcoming class about iOS hacking or I guess iOS pen testing. Unfortunately, we don't have any iOS articles. So we'll just make up iOS articles as we go along. Alright.
It's fine. We have Aisling. We have is that everyone? Did I say Wade yet? Wade Wells, the legend. He probably is on like 75 podcasts by now. Like, how many podcasts are you actually on, Wade? Do you feel comfortable sharing that number?
Yeah. I guess I can share that number.
Is that like asking a lady your age?
I'm on three that are like weekly things but like they get pre recorded and then one that's like every sometimes.
If I wake up early enough Four?
Four or five. Four or five. Five. You know me, like, I don't I don't have a website. I don't do anything. I just do everybody else's thing. That's it's the easiest way to
do it. Same here. Having a website. What is this? Sponsored by Squarespace? Absolutely not. If this podcast is ever sponsored by Squarespace, we're all gonna shut down this company.
I was really trying to get it sponsored by Liquid Death and they won't do it. I've been trying so far.
You don't wanna be sponsored. Liquid
Death. Alright.
¶ Story # 1; Did DOJ Prosecutors Violate Trump’s Executive Order by Selling the Forfeited Samourai Wallet Bitcoin?
So let's get into it. Let's step straight into the political, like, sphere. I guess it's kind of a political article. I don't know. Basically, the word is that Trump is considering pardoning two individuals who got five years in prison, or I guess one individual who got five years in prison for running a cryptocurrency mixer service.
Basically, the the service is called Samurai, I'm assuming is how it's pronounced. But there's a few there's a few articles about this. Trump in a recent press conference said that he's considering pardon pardoning this person. There's been nothing finalized about it. This article that Megan's throwing through right now is talking about how when they seized this when the Department of Justice seized this cryptocurrency wallet, they sold it, they liquidated it like they do for all seized assets.
But let's just imagine what a cryptocurrency mixing service would be used for. It probably would be used by nation states like North Korea mainly to launder money. That's kind of the main issue with these services is that they're abused by nation states and criminals, but mostly nation states, I think. And so basically, it's like all the currency in this mixer we're assuming was nation state bad cash. So there's basically two things here.
The first thing is, I mean, privacy versus money laundering. I think we all on this episode or on this show generally are pretty on the side of privacy and we're gonna talk a lot about some other privacy wins. But I guess, is there a limit to privacy? Like, should it be legal to run a Bitcoin mixing service or any cryptocurrency mixing service? Because there's been a bunch of these over the years and a lot of the people who run them have gone to jail because they're so easy to abuse.
I guess, what what do people think? Is it should this be pardoned? Like, it seems like it's pretty cut and dry to me, but I don't know.
For me for me, it kinda like goes against the heart of like cryptocurrency. Well, like the ledger. Right? Everything's supposed to be trackable. Everything's supposed to be able to, like, go back and see exactly how things were. So it's almost against the soul of Bitcoin. At least that's the way I I think of it. And, of course, there's a criminal aspect of it as well. Right? Like, is there a legitimate like, this is also going into the privacy.
I don't think there's, like, a real legitimate reason to have these besides hiding. Yeah. Because it is cryptocurrency. Right? Like, you're you you should be expected to be tracked because that's exactly what it's for.
I totally agree.
Yeah. Like, if you actually want a private transaction, that's not the way to do it. That's what literal cash is for.
Or that. I mean, but there are privacy track. Sure. An Yeah. Well, yeah. I mean, basically, there's essentially, I think what Wade is saying, I wanna put some words in your mouth here, Wade, but basically Go
for it.
I'm comfortable with cash or Monero or any other thing that's like, let's call it pseudonymous. So it's not explicitly tied to my name, my credit card, and my address. Right? Like let's say I wanna buy something online but I don't wanna provide the seller with all my personal information, I think that's totally fair. That's the equivalent of buying something in cash.
If I buy something in cash, I don't you don't know who I was, what my, you know, address is, any of that other stuff. But if I buy something with a credit card, that information's out there. I think from my perspective, it's okay to have pseudonymous cryptocurrency like Monero where whose transactions are inherently private or masked in some way, but it's not a mixer. Because the mixer is where you get into which if those if you for those that don't understand what a mixer is, it's essentially like an anonymizing service that I send in x amount of Bitcoin and it comes back through a bunch of other transactions. Essentially, it really is just for anti money laundering.
Like, it really is just for that purpose. Like, Tornado Cash was an old one. There's been a bunch of them over the years. It's essentially a way to mix your Bitcoins in with other people's so that no one can tell where they came from or who got them.
I mean public. Right?
It's literally transaction laundering. That is its entire purpose.
Yes. And I do have
a We can say we're laundering it because we don't want people to know who we are, not because we got the money through some nefarious means. But end of the day, it is a laundering system, that's all it does.
Yeah. So my question is, it looks like the law is related to they they got them because they operated a business. Would this apply in like a co op fashion if 10 people got together and there was no profit? Is that how the law was written? So
Tornado Cash was set up like that. It was basically just like a GitHub page. I mean, there were developers. Right? But essentially what happened was, in that case, no one went to jail, but the government sanctioned or blacklisted the Tornado Cash protocol.
Okay.
So it was like the government was like, you can't use this. It's illegal for US citizens, residents, and companies to use this protocol. The GitHub was shut down. They did arrest one of the developers, but I don't think the developer actually went to prison, from my understanding. I I guess I don't know what how that actually they but yeah. They basically, they were charged and arrested. Oh, no. Yeah. I'm sorry. I'm catching up on the wiki.
They were arrested essentially for facilitating this protocol. So I think even if you don't make money for it, bought from it, it's still illegal. Guess, is the Yeah.
The long answer. Samourai was conspiracy for money laundering, as well as operating an unlicensed money transmitting business.
Yes. Which
talk about a mouthful of a law. But
I feel like if it went to a jury, whatever, it's pretty easy to convince them to like, he wrote the code and then the code was used to launder money. Like, it's not, you know, it shouldn't be like a crazy Uh-huh. Big logical leap for that.
Looking at this from like a different perspective, is any is anyone like surprised that he's gonna get pardoned? Like, we already saw the one dude from the Silk Yeah. Road get
Right?
Like, this is I
mean, Ross Holberg was like nuts too. I mean, like, he Yeah. I mean, according He
did to try to kill a guy.
Yeah. According according to like, actual court testimony, right, and that he did try to hire someone to kill, like, you know, it
was it was it wasn't Yeah. People ask if Tracers in the Dark goes into crypto washing. Yes, it does. That's like half the book.
Okay. Well, here's here's another issue though. Executive orders are not law. Period.
This isn't an executive order. What But Oh, you're talking about him violating it? Yeah.
The the the articles are talking about the fact that the Department of Justice is violating an executive order. And Right. Executive orders are not law.
Period. I mean, would violate sanctions too. Right?
It's Probably it does violate sanctions. So so okay. If the there are probably other laws involved, and this is where I'm I'm crypto ignorant. I mean, I own some Bitcoin mainly just for the giggle factor, but I don't really know anything about it. But when it comes to the issue of, gee, USM has sold forfeited Bitcoin and it's violating an executive order. Like I said, an executive order isn't law. Laws are passed by congress.
Yeah.
I mean Yeah. I mean, basically
yeah. I mean, I think the the to me, the executive order violation isn't really the story here. The story is the general like, essentially for me, it's crazy that or interesting to talk about that the government would be like, money laundering is fine. That's basically that's basically what they'd be if they if they pardon this person, they're basically saying running a money laundering business is fine as long as it's done with crypto because we like crypto.
Yeah. This is this is actually counter to everything the federal government has done. Typically, you wanna go after crime, you'll go after the money laundering that has to occur in that Yeah.
In the profiteering Or taxes. Yeah.
Yeah. You go after them. Like,
They've seized assets obtained in whatever laundering in
order Yeah. Exactly. Because what happens is is once you seize those assets, this is a way to stop this criminal enterprise because what the criminal enterprise has to do after that is have to prove, right, that that money was not used or that money did not come from illicit activity. So to do that is like a whole thing and most people just let the money go.
That's Yeah. I I mean, basically, the government has a long history of prosecuting
Yes.
Illegal businesses through business laws Yes. Taxes Exactly. And, you know, money laundering regulations and things like We
can't catch you, like, selling the drugs, but we know that you are getting the proceeds from that and that's how they work it
out.
Once again, going back to tracers in the dark, right, where the tax man Yeah. Is the one who comes down on everybody at the end of the day.
Yeah.
Exactly. Basically, the like, from my perspective on this is that if this if this pardon happens, I that to me is against the interest of the executive branch that would pardon it. It's like, nation state North Korea, you can buy your missiles with money laundered date. Like, that that's basically what they're I don't get that. That's
crazy, but
Does the value of Trump coin go up if they do get pardoned?
Good question. We don't know.
I I don't know I don't know if you had to hack someone's iPhone, how would you to get their cryptocurrency wallet, how would you do so?
I'd make a bunch of money and employ the NSO group.
Alright. Good answer.
Alright. Well, that didn't work.
Yeah. Okay. So
Nice attempt at a segue though, Wade.
¶ Story # 2: Cloudflare defies Italy’s Piracy Shield, won’t block websites on 1.1.1.1 DNS
Thank you.
Thank you. Let's step out of political space real quick and talk about, I guess, it's still politics, but politics around Italy and Cloudflare, a more interesting kind of story. Okay, here's the article. The article is Cloudflare won't censor. Basically, Italy fined Cloudflare €14,000,000 and Cloudflare was like, no.
This is ridiculous. Which reading into it, I do think that it is ridiculous. Essentially, for those that understand, this is about I don't understand all like the Italian like like like mobster politics of all this. Like, I I really don't like there's a lot of like shady European stuff happening here that I do not understand. But basically, Italy dropped a bomb on Cloudflare.
Was like, you need to censor all these sports piracy websites. And Cloudflare was like, okay. We don't have the ability to do that and won't do that because you just gave it's essentially them sending a list of IPs to Cloudflare and saying, don't resolve these IPs, which is like, for obvious reasons, can just break the whole Internet. Right? Like, there's so many reasons not to do this.
Like, I think the funniest part of this is, of course, it has like that Italian mobster thing where it's like, it's about live sports. So it's a bunch of like shady European, like, FIFA corrupt type people being like, they're they're pirating the sports. They they gotta pay us. It is funny that like, even the EU is like, this scheme is concerning this, you know, quasi court order that isn't a real court order thing is weird. It's like, it's so Italian. I love it.
Do do you think somewhere out there, like, big DNS is getting together in order to fight this?
Big DNS. Like, one of big DNS.
Is Cloudflare not big DNS?
No. It's a part of it. Right? They mentioned Google too. Right? So there's some other DNS providers.
Hold on. The DNS is democratized. Right? It's not, like, controlled by one entity. Those are just entities that have large presences in that And
who can
be sued or who can go to lawsuits for a large amount of money.
Yeah. But you can also still just go to a
different different resolver to get the same
And it's recursive. So, like, what you you block it all the way down, Cloudflare could just say, I don't know. Find another DNS server, and then it would Cloudflare still
doesn't own the root DNS servers anyways. They're not they don't own that. They're just reproducing that information. Yeah. Right? So they're not in control of I mean, they're not I can't. Right? That like
I like the idea. Okay. Here's the most Italian possible response to this. Cloudflare figures out the entity, like, they're coming from, and then just black holes them only for that entity, so they can't tell if it's been fixed or not. Be like, our DNS our DNS is down. We'll email you back once the DNS comes back and it just never comes back.
I read a whole Reddit thread on this. And, like, kind of the TL;DR of some of the opinions was that, you know, this is just a way to offload the risk onto Cloudflare. And the reason why they all want to do that is because it's a simple, easy scapegoat as opposed to implementing what would be significant network policies to try to block this, and essentially you start going down this rabbit hole and next thing you know it's like the Great Firewall of China, and even then you still don't block everything. So they don't have the money to do that. So it's way easier to just be like, hey, well, Cloudflare, you block it then.
It's your fault.
Right? Yeah. Totally. I I I really wanna like, I want a dramatized adaptation of like the sports bosses in, like, their super tight suits smoking a cigarette with an espresso and being, like, we gotta kill these piracy sites. And then some intern is, like, but it's hard. And they're, like, you gotta do it. And he's, like, what if we just fine them instead? Fine them $14,000,000. Alright. Yeah.
We have a deal. Capiche or whatever. Like, it's just like like this like mobster style deal. Because yeah, you're right. Blocking DNS like, okay, we all know the best response to piracy is just to make it easier and cheaper for legitimate users. Right? Like, that's the way to fix piracy. Don't try to prevent piracy. It's not gonna work. There's always gonna be a way around it.
It's the Internet. Instead, just make it easier to stream whatever, I don't know, Italian Yeah. Curling or whatever. I I don't know exactly what sports are trying to prevent streaming, but Yeah. I mean, it's gonna
it's gonna be sucker.
Look at, did you like, we didn't even the time frame in which they want this to be blocked.
Thirty minutes,
dude. Thirty minutes. Right?
They wanna block a global block within thirty minutes. Oh, man. Can you imagine having the
Yeah. I just think of working at a data center when we used to tell people to put in like any type of DNS. They're like, yeah, it's gonna take two days to resolve
it Yeah.
Right. Right? Yeah. DNS usually has to be one hour. Time-to-live records, dude, what percentage of the internet has TTLs at thirty minutes or less? That's a tiny percentage. Right? Like, most DNS servers are way slower than that anyway.
That there's the law after this is gonna be everyone has to set their TTLs to thirty minutes.
Thirty minutes or less. Twenty nine minutes.
Yeah. So the and the
other thing too is that and just to kind of close it out, it's like as soon as you open up this can of worms and then like Cloudflare blocks certain things and like all this other stuff, now next thing you know, nobody wants to use Cloudflare anymore because it's kind of like the filtered version of the Internet. Right? So then just another DNS pops up and they do the same thing and, you know, now it's just whack a mole.
So Exactly.
And and and into Cloudflare's defense, they're not hosting anything. All they're doing is just records of IP addresses. What happens in there, that's on them, not on Cloudflare.
Well, hold on. I would argue, I don't know if this is a hot take or not, but I think Okay. Controlling a DNS server is potentially the best data collection you could possibly get on the Internet. Maybe browsing like, maybe you could get better data from a search engine, I think the data flowing the the amount of data flowing through a DNS resolver and the amount that you could profit from it is pretty significant. Like, who is resolving what from where is a huge like, that's a huge profit center.
So they are running the service and they are profiting immensely from it, I would imagine. But Yeah. Well, and then do this too. Right?
Yeah. Anybody can. This is not special. There
is another really good issue raised by the Ars Technica article, which is that if an IP address is filtered inappropriately, then legitimate stuff goes down. I mean, they were talking about how they took down Google Drive for Yeah.
Oh, yeah. So because you can pirate things on Google Drive. Yeah.
People do it all the time. I mean, I understand why it got flagged, but then you wind up taking down all of Google Drive just because of a few kids who are misbehaving.
Yes. It is it is seriously just throwing out the baby with the bathwater, but the internet version of that. It's like, if you block also, what percentage of the internet is just Cloudflare IPs? You're just gonna they they're asking them to block themselves across the whole internet, like anyway, moving on. This is probably gonna get it's it's a nothing burger.
This is probably not it is interesting to think about, but there's no way this could ever get implemented at on a legitimate, like, on a lit this is never not happening. It just isn't technically feasible. Speaking of whack a mole, let's talk about California banning a data broker. This is a for me, this is a privacy win. Wade, do you wanna run through this one?
¶ Story # 3: California bans data broker reselling health data of millions
Let me find it real quick. Where is it?
Data masters.
Pretty much
But sadly,
it's not. Throw it up, someone throw me the link. From what I remember, pretty much there's a new California has been going pretty hard on data brokers recently. If you didn't know, they actually came out with a program where you can request it in California and they will then go out and request you to be removed from all the data brokers, which is amazing. It also had a really cool acronym. I don't remember what it was. DROP, but
Yeah. DROP is the new Delete Request and Opt-out Platform. I live in California. I already signed up for it. The form's super easy to use. And, you know, it's nice that somebody is looking out for the privacy of individuals because big tech certainly isn't. And it's gonna be interesting to see how effective this is because data brokers are worse than tribbles. They multiply all over the place.
And I I already am using services to pull my data from data brokers. So it's gonna be interesting to see how much this new agency and this new program is going to impact steps that I've already taken and you know, I get the monthly reports x number 100 data brokers have been requested to remove my data from their systems.
So is this gonna turn into like the same system we use for taxes where Incogni and all these delete me services are lobbying against these so that
they That's exactly what I thought. That is exactly what I thought
was No. Gonna happen. You can't have a government agency that does the thing that we also do.
Right. No. One thing to think about joke. Obviously. The sign up for this though is live, but the services from what I read don't go live for another six months. Did you read that somewhere too, Bronwyn?
Correct. Yeah. Has six months.
Bronwyn, what what what prevents a non Californian from signing up for this?
You have to enter address information. It has to be verified with documents.
With the Okay. So if anybody wants to live in California, here's my note.
So basically, yeah, you'd have to commit fraud in order to sign up for it, but
Maybe it's okay Trump pardoning those people. We'll be fine.
One of the things we've seen though when it comes to privacy legislation is that California does tend to be one of the forerunners and other states tend to follow. We saw that with CCPA.
And every building in my state now causes cancer. Thanks California.
You're welcome. Ruined everything I had. Man,
you ever go to a
Dyson, everything has lead. Don't go to NASA.
No. I mean, you're not wrong, Bronwyn, for sure. That like, this is one of those things of like, if you have to make a policy for The US and you have it you want it to apply to everyone, this is like there's 50,000,000 people or whatever that live in California, so you might as well just lump them all in with that.
So the go into this article though, like, kinda like went around it. So the California Privacy Protection Agency announced that they're hitting a company in Texas, which what what was it? Rick and Rick Becker Data LLC? I feel like it it maybe it's one of those lower level data brokers that I've never heard of, but who knows? Rick and yeah, dude. That just shows you my reading level.
I thought they said it was Data Masters.
Was it? The one I got
saw your data
Oh, they were operating as Data Masters.
Data Masters is a sick name. I'm sad.
That's way better name. That's not even changed that LLC.
Here's the thing about these laws. Even though they technically only apply to California residents, if I'm interacting with a company based in Texas, I'm still a California resident so that company in Texas has to obey California law because I'm a California resident.
So you have this request. For anyone wondering what, you know, what this company did. Basically, they bought and resold user information of people suffering from medical conditions so it could be used for targeted advertising, which is just nasty. We heard your leg hurts. Here's some painkillers or what like
We heard you've got Alzheimer's. Here, click this button to get
All the lyrics are already purple. Are you scared? No. Yeah. For sure. It's bad. So this is a win, I think. I mean, a lot of states will probably follow suit. I don't know about setting up their own system. I kinda hope they don't because they'll just SQL injection. But
Absolutely.
For sure. It's it's gonna be a thing. So what else we got? I think the other big story, which isn't really a cyber security story, but maybe Dave and Cameron you could chime in on this. Siri has I I guess, now that I say this, all my devices light up.
¶ Story # 4: Apple picks Google’s Gemini to run AI-powered Siri coming this year
I'm so sorry everyone. Yeah. You just hit the S-word. The Apple assistant maybe is getting thrown in the garbage? Because the news article is essentially that Apple is teaming up with Google. So Apple announced earlier today that they're gonna team up with Google to use Gemini models to AI-power the S-word, S-I-R-I.
I was reading though that they're still gonna use the Apple hardware that they built. They're just gonna use the models from Gemini, like, on there. But
they already had kind of a deal for OpenAI. Right? They already
Yeah. Had
I don't know. Maybe is this like a like a a pump move for like the stock? Right? I I
don't know.
I don't know. But these two companies, Apple and Google, have done a lot of battling over the years for sure. So it's interesting to see them teaming up in this way. Basically, they're starting a multi year partnership. I think this is from my perspective, if we're looking at like a high level business perspective, Apple needs this. They need a win. They need to be able to give an AI win
Yeah.
Because Siri isn't their win, though.
That's the thing. Right? Like, it's
But it doesn't matter. I'm saying It doesn't matter.
Like, don't care where the AI actually comes from.
You just
wanna use the damn thing. Okay?
It's it's getting to the point Well, where that's fair. It's getting to the
AI point agent use?
Gemini. Which is yes. Yeah. It's basically unifying it's basically unifying what AI agent you would get on mobile, I guess, if you think about it like that.
Well, yeah. Maybe in the background. But like if they are running on their own hardware though, they could still modify things. They're not necessarily beholden to what Google did. I think they're just buying or excuse me The models. Licensing the models, like Yes. So they're not training them. They're not gonna
train No. Okay.
And I forget the source where I read this, but Gemini is current I forget where I read it, but it's the, like, the consumer level. So, like, the basis of it was the theory was Google had created the search and they made it affordable and, like, consumer friendly and that Gemini is trending that way. So there's a lot more rush. I'm hearing I'm seeing a lot better things out of Gemini now. So I think it's a good move
overall.
Yeah. I mean, so there's there's pretty much three main players right now and I'm not gonna say x.
Frontier models?
Yeah. There's like three
assistants main or models?
Models. Like three frontier models. Right? There there are there are many other models, but I'm just thinking like from the AI perspective. So one is the OpenAI's model and like they're they have a bunch of different models inside of that, but OpenAI has some pretty frontier models, meaning like the top end most powerful models.
And then Google has the other ones with Gemini, which they have a couple different flavors of it, they are frontier models. They are very, very smart at doing a lot of stuff. Then the last one is Claude. Right? And they have Anthropic. Front yeah. Claude, which is, yeah, ran by the company Anthropic, and they have Frontier models as well. And then kind of the last like one on there, which I'm going to half mention, but mostly because it only gets mentioned in like bad things right now
is You see?
No. There's X and the
Oh, Grok. Right. Yeah. I mean, there's a bunch. And a lot of people are gunning for a frontier model, but the reality is training a frontier model is like the most expensive thing
Yes.
On the planet you could do. And also, the other thing here that's import I think if I was Apple, this move makes sense. Maybe not from an optics perspective because Google is my enemy, but also because Google is potentially the long term pick. The other if you think about it, of all the companies that are making frontier models, Google's the only one that is making money, if you actually think about it. Like, OpenAI and Anthropic are both like, give us money so we can train our AI models or else we're gonna go belly up.
Too fun. Google is comfortable.
About OpenAI. Not OpenAI. I'm sorry. Anthropic. They actually use Google GCP to run a lot of their training. Right? They're they're they're like paying Google, and they actually have partnerships with Google even though it is their model. Right? Just I mean, the hardware is a thing and then the model you use is another thing. Right?
And you could rent those, you know, to make it happen. But you're right, Corey. It's really expensive to train them. And they're also none of them are making money right now. Right? Even though Anthropic argues that they're definitely in that, like, a much higher profitability than OpenAI, who's literally taking truckloads of money, jumping it into data centers to train models that none of which are paying and is continuing Coming to farmland near you.
And which burn out the chips that they bought to do it with.
What's up? Yeah.
Oh, most of the data center cost is getting sunk into chips that get burned out in the process of actually training the frontier models.
Yeah. And once the
models Those boards are not usable again, they're not resellable, they're shot.
Yeah. Yeah. But anyway No. I could use it to play Roblox, it's fine.
I was about to say, when when all these data centers go up, what are we gonna use them for? Like like it's gonna be like Walmarts disappear and stuff and they just leave these big empty buildings. Right?
Passwords, dude. Imagine the password cracking. You could do
Every password. Your password I
don't we don't we don't talk about passwords. Alright. Dude,
okay. Here's what happens. Alright. Here's what happened back last year. I have a plan. Dude, Wade, get me the get me your CEO on the phone. Okay? Here's what's gonna happen. The Wade's employer who is not gonna be named buys an entire data center and then just cracks every password ever, and then just says, here's why you need our service, because we just cracked every password.
Oh my god. It's it's genius. I love it.
I know. That's why I do consulting on the side. Anyway, no,
I'm I'm just kidding.
This is a joke. This is a terrible idea.
So and and actually to follow-up, CES was just was it last week, right? Yeah. Yeah. And so one of the things announced at CES was NVIDIA took the stage and they announced their latest generation of AI. It's all AI. Which is their
way because it's supposed to be consumer electronics. They're like, oh, by the way, consumers, we're gonna remake the RTX 3,060. Anyway, back to AI.
Yes. But one of the things that they did mention on there is like the power consumption like going, you know, and yeah. Whatever. It's all about AI and, you know.
Is that where they mentioned the Palantir stuff too? I don't think that we have an article about that.
Oh, no. But did you see that?
Please hit us with an article that we don't have. What you got?
I was watching Gamers Nexus and they came out with a thing watching CES. So Gamers Nexus was talking about how NVIDIA just announced that they are going to make everything Palantir faster. Palantir is pretty much like nation state level spying on individuals and military industrial complex. So there's like some scariness behind that. And then they go into it. But the funny part is Palantir actually, like, commented back to Gamers Nexus about the situation.
They're like
Now we're talking about you two jumping something SpyBot with real time kill location data.
That was it. Yeah. And then, literally, like, there's other articles where it's like the Palantir president Palantir is like, yeah. So our stuff kills people sometimes. I don't know what to tell you.
I'm like, fuck. Happens.
It is what it is. You never know.
AI is never wrong. It'll be fine.
Never. Never.
Yeah.
Just like humans.
The Peter T. M. All right. This has been a dark episode. Does anyone have any That's true. Is there
my fault. I don't even know
what You always get us talking about AI. There wasn't
my fault.
Didn't really talk stories? So, alright. Let's get darker then. The dark web.
¶ Story # 5: Ragebait as a phishing tactic
The insider tool to
This is a pretty I think it's a good thing to remind people about in general. But there's a LinkedIn post that we have in here as a news article that's basically people are using rage bait as a phishing tactic. So it's a post by Simo Cohoenin. I don't I'm sorry if I mispronounced your name, Simo, but basically this is a fun example phish where someone is impersonating SendGrid and they are sending out an email that says, we will be adding a support ICE donation button to the footer of every email. And then they're just hoping that people click on the opt out link.
Right? Oh. That's the phishing tactic. So I think it's good to remind people in this dark time that people will try to rage bait you into clicking something you shouldn't. In addition to trying to be like, here's a free iPad or whatever. Yeah.
The positive side of phishing, there's also the negative side of phishing, is bait like that. So be on the lookout for that. That's a uniquely, I think, mean one, and like definitely would be out of scope for pen testing. Like our clients would be very upset if we did that. But, yeah. Like you're gonna see threat actors, those are the rules that they don't have to follow. Right? They don't have to be ethical and be reasonable. So just be on the lookout for that kind of stuff.
And they aren't. They aren't.
And they aren't. News is you know, honestly, Bronwyn, they might even be criminals.
Oh my gosh. What? Way.
I mean, news
is I get
an email saying, you need to do blah blah blah with your account on this. If I actually have an account with that organization, I pop open a different browser and I go directly to the organization. I do not click any links.
So Because You're smart. Speaking. You should be a you should out be on a podcast anyway.
¶ Story # 6: Doomsday For Cybercriminals — Data Breach Of Major Dark Web Forum
Speaking of criminals, right? About the data breach of major dark web forum?
Yes. That's yeah. Speaking of
criminals dark web forum is of cyber criminals. Yeah.
Okay. So yeah. Yeah. So this is what is it called? Doomsday?
Doomsday? Yeah.
Yeah. So basically, a data breach finally became, you know, This is not the first time, and it won't be the last. There's been I swear, like, if you go on a breach site and you look for breach sites, like, I think RaidForums got breached like seven times.
Oh, dude. I mean, I I I swear to God, I feel like it's a joke. They're like, we make it so we can breach it, and then we can sell our own breach, and then we
can make another site selling the breach. It's like it's like turtles all the way down. They're just getting breached, just selling their own breach. Yeah. Basically, Doomsday, which apparently is a dark web forum, I don't keep track of these.
The only one I really keep track of is BreachForums, which is like the worst one. Mhmm. But basically, the ironic part of this is there's 300,000 users, 70,000 of those apparently are linked to traceable IPs. I don't know how traceable like, you know, it could be a botnet, it could be a Starbucks, like who knows exactly what it is. But this data will definitely be hopefully provided to law enforcement and then they'll dig in.
It's a good way to figure out who's who and kinda get a good dossier of threat actors. At the end of the day though, I mean, these sites have gotten breached every year. I've been in these breaches for the accounts that I used to collect from these sites.
I was about to say, do do you collect this breach to put in your collection?
Like I do. I do. I absolutely do. I mean, is like could give you if you're doing an incident response, this could give you super valuable information of like
I heard it was like 30,000 IPs from Starbucks.
Yeah. Right? Like Great. Who knows how traceable It's traceable. You would hope it's misinformation. You would I mean, opsec though, we've seen. Every criminal gets caught has opsec fails in the in the mix somewhere. Right? Gonna mess up at some point.
I'll note that if they didn't have opsec fails, we wouldn't have caught them.
That is that is true.
What few criminals have good opsec are the ones who are still out there.
That is that is true. Speaking A of opsec lot of high profile people get caught from bad opsec is I guess a better way to put it.
¶ Story # 7: The Great VM Escape: ESXi Exploitation in the Wild
Did you see the Huntress article about the VM escape stuff?
No. No. Tell me more.
I think
I saw the headline.
That was
it. Someone else sent me this right
when Yeah. Checked my Yeah. Is this the ghost VM thing?
I don't remember if it's the ghost VM thing, but I know there's a really easy detection for the pretty much they got in through a sonic wall. Like, that was the first vulnerability. But then they had been sitting on this vulnerability in ESXi for they think over a year, a zero day, in order to pretty much bypass and go bypass host isolation. Right? It's a hypervisor vulnerability that allows the attacker to break out of the actual guest VM and just compromise everything.
It's just crazy. That is the craziest thing today.
Does the it virtual or the VMware tools to to break out?
Is that is that how it does?
That's a better question, but I don't even know. I'm guessing it does because it's some vulnerability in it. But one of the so because we were talking about opsec, that's what brought me onto this is which is one of, like, the key detections I try to write whenever I go is looking across all of your logs for any host name that doesn't match your naming schema, because there's always someone who gets in who doesn't have one, and it's a key indicator of something that doesn't belong. And that's actually, like, one of the things they caught in this particular breach was the name of the actual host that was attacking them, which is always great stuff.
Yeah. So basically, getting into the details of the exploit, they don't know they don't a 100% know what CVEs or whatever was used, but they say high confidence, those are the ones. There's three CVEs listed in the post that are like these are all from 2025 by the way, so patch your ESXi. I know companies struggle with this and I understand why, but please patch your ESXi. Basically or just don't use it.
Proxmox is pretty good. But basically, the vulnerabilities are out of bounds read in HDFS, which HDFS is the file system that ESXi uses. So it's a memory leak in HDFS. There's also TOCTOU, which what is that? Time of use or something? I don't know what that actually means. VMCI out of bounds write, yeah. Okay. And then arbitrary write in ESXi. So it's like three CVEs chained together. That's pretty crazy. But the good news is all you have to do is patch your ESXi and you're good.
Oh, that's it? Yeah. You say ESXi, like, Proxmox is right there. Dude, Proxmox is so confusing sometimes. Like, I just feel like the UI is Dude, have you used ESXi? I have. And it was just so much like, the names for things make sense. Like, I'm like, yeah, that's where that should be. And then, like, I go to Proxmox and I'm like diving into, like, four folders and I'm like, alright. And I still can't remote into this box. What's going on?
Is is definitely
false Without a doubt.
Yeah. But sec, I do think there is a significant amount of the amount of inertia with ESXi is super hot. Like, the number of administrators and IT people who got certifications in ESXi and know how to use it, like, you can't just be like, we're turning off all our VMs and we're gonna switch to Proxmox overnight. Like, that's a long process. I mean, we talked about it on the news a couple or maybe a month ago of I forget the company, but I think it's a financial company that was suing Broadcom because they were taking away support.
It's like a class action lawsuit to get about I six I. So like, it's yeah, it's a hot issue right now, but definitely patch your ESXi and it is an interesting threat intel thing. So basically, they broke out of the VM, got control over ESXi, then created another VM to
use for Let post me see. I think they
No. No. They compromised the underlying ESXi. Yeah.
So they popped the ESXi server, but then I guess I'm like The shell
in leaked the host name somewhere.
Oh, I see. I see.
Which is super common, like, more common than you'd expect Windows network.
No. It's super common. We've gotten popped on that many times of like, hey, someone's in with the host name Kali. Like, that's such a dead giveaway.
I've had it where, like, the the tester used their handle as the host name and then we just went and looked them up and found them. And I'm like, alright, now we know who's who's testing us.
Turns out pen testers also have bad opsec. Yeah. Which, okay, companies that get mad at this, guess what? We're just being realistic because criminals have bad opsec too. Okay? That's what we're doing. It's all a But
also, in a pen test, you're legitimately in the space and we kinda want their
Yeah.
Internal people to find us?
For sure. Think a if you're I think if you're the goal of a pen test is to get caught. Maybe not on day one, but for sure you should be getting caught at some point.
Yeah. If you're getting DA in an hour, then there's something definitely wrong. We want to get caught. We don't want.
¶ Story # 8: OpenAI says ChatGPT won't use your health information to train its models
So what else we got? There's a couple articles about AI and HIPAA and healthcare. I don't know if we wanna this is like kind of a regulatory question I don't really understand. But basically, both Anthropic and ChatGPT OpenAI have both said that they're gonna make healthcare oriented solutions that are commercially available. I don't really know if this is I don't even know how this is possible. Like, I don't I'm not a HIPAA expert, but it seems kind of is this just like GovCloud? It's like
it's it's fine. It's like,
it's fine because we Okay. Say it's Sounds
good.
Don't talk back.
¶ Story # 8b: Anthropic brings Claude to healthcare with HIPAA-ready Enterprise tools
There's a couple articles. I'll I'll link them here just in case anyone's interested. But both Anthropic here's the article about Anthropic bringing a HIPAA ready enterprise, you know, chatbots. And OpenAI has something that's basically exactly the same.
So we don't really need these at all because we already have technology that handles HIPAA data extremely poorly, and that is mobile applications. Right.
Right. That's probably true.
Yeah. Dave, you wanna talk about mobile applications?
Yes. Please tell us tell us some war stories from testing HIPAA mobile application.
Yeah. Don't. Just don't.
Keep your
keep medical off off a phone. No. It's it's just unintended places where data will write and just what has act just not using the native default features. It it it can get pretty ugly. So my advice is in the browser. Not you have to do it online.
Yeah. Or in your AI chatbot.
Or in your AI chatbot. Absolutely.
So I legitimately once had a mobile application that was connecting to an API. And to log in to the mobile app, you entered a four digit PIN. And so I figured that would go into the keychain and be used to decrypt some kind of long lived session token that would then be used for authentication. But, no, it was just a username and four digit PIN code going to the server to access patient accounts
in clear text. Oh. Well, no one could choose 1234.
It's fine. Just actually put together a mobile application from scratch on Android. And yeah. Yeah. So I I know exactly what you're talking about as far as how to secure or like the security of mobile applications.
A lot of it actually has to do with Google itself. Like Google has access to all kinds of things, you know, on the device and how you configure that. Mhmm. You know, we're actually using, what do you call it, the GrapheneOS, which decoupifies the entire operating system while also not while creating complete host isolation containers. You can, like, run other things like Google Store in an isolated container so it's not even actually connected to the underlying Android operating system and that, like, from a non isolated standpoint.
But I think it really just comes down to as far as the applications themselves, comes down to developers who wanna make it as fast as possible. Screw security, I need to sell. And, you know, let's just move on to the next thing. Right?
So Speedy So if
someone built an app like that and wants to learn how to test it, where would they go?
What's up?
Can't help you there. They'd ask AI how to do it. No. They would take your class. You can plug it later.
Oh, oh, no. No. No. We actually have an app called Atlas, and it's actually for pen testing, physical pen testing, and it allows you to actually hook up to the Proxmark with Bluetooth now directly. The only actually, I think it's the only mobile device that allows you to hook the Proxmark directly over Bluetooth.
And you can read card data, write card data, do all kinds of fun stuff on there. You can also do, like, reporting. It'll show you where Flock cameras are. It'll show you where other, like, OSINT data. And everything's encrypted at rest on the device at full time. Yeah. Anyways, so it's
I only I only use AI. Sorry.
You only use AI for what?
I only I only use AI, dude. If it doesn't have AI chatbot, I don't even know
It does not have any AI chatbots. It doesn't have Dude, no okay.
This is a side tangent, but my the weather app that I use, it has like an AI function and it's so stupid. I love it. Like, it's just like a really it uses the on device, like, it's on device only and it's just an AI chatbot that's set to be like as salty as possible and it's just like, it's raining again, f you, and you're just like, thanks for this chat interface. That's super useful. Anyway, let's talk about n8n.
¶ Story # 9: Max severity Ni8mare flaw lets hackers hijack n8n servers
N Nathan? It's not Nathan, but I
What what n8n?
I saw that.
I don't even know. It's condensed
n8n.
Yeah. So there have been, I mean, like a countless number of CVE 10 or CVE 9.8 vulnerabilities in n8n. We've actually only had one client to publicly expose their n8n, but in general, this is the most recent one. It's called Ni8mare, which allows people to take control over a locally deployed n8n instance. It got a 10 out of 10 severity and according to data security company Cyera, there are more than a 100,000 public vulnerable servers.
For those who don't know what it is, it's just a tool that connects a bunch of AI things together. So you could have it run one command and one module and one model and then send that data to OpenAI and then pull it back down and then send it back to Claude. It's essentially a way to connect together a bunch of AI services. Honestly, it's really cool and I highly recommend you download it and mess around with it. But definitely make sure you keep this up to date because n8n has had a ton of vulnerabilities.
It turns out making a framework that just runs code and models is a vulnerable framework by design. So this is yet another one.
Been out for a long time though. Like, it's been out for a while, way before actual the AI was even a Right? Because you were like, I just take this task and then I'll do this next. And like, you just pick like a, you know, a task sheet of things you wanna do, like automate.
Like IFTTT, but self hosted.
Yeah. Exactly. Exactly. And so but as soon as you turn the AI piece, now you could do like, well then I asked the AI to do that and then it does this and then you next thing you know, your rabbit hole is, you know
Yeah.
Pretty pretty
So patch your n8n's. Honestly, you probably forgot you even had it out there. So just delete it and start over.
Just start over again. Just get a new version. Right?
But the other thing the other reason why the n8n stuff is really bad is because someone's at the door. Someone's stopping at the door. But basically, you someone Robin's like, I don't have any doors.
I don't have any doors. I've got like six in my office.
I was about to say, Robin's got like seven doors. Way back
in Real fake doors. Basically, n8n, you also give it a bunch of keys. That's the other reason why it's bad. But ironically, like, you read the blog post for Ni8mare, like, the last step is just create an n8n task to run a shell command. Like that's where like it has that capability, so that's why it's such a vulnerable service.
Like one of the things you would do with the service is run a shell command. So like, yes. Turns out when that's one of the options in the tool, compromising the web UI has some impact.
Yes. Yeah. It's it's it's still cool. It's still kind of a cool tool though.
¶ Story # 10: Instagram Denies Data Breach, Fixes Unsolicited Password Reset Requests
So the last article I wanna bring up, which this is something that hit my me and my personal life, people were asking about it. Instagram breach, I guess.
And it was an insta breach?
Yeah. Like Oh. So so basically, here's the article. It's essentially that people are phishing with previously leaked information. So people are sending out this happened in 2024, I guess. But basically, people are sending out password Great. Reset reminders and then using them as phishing. Apparently, someone's estimated that it could impact up to 17,500,000 Instagram accounts. I don't know where that number came from, but I'm like, that's a lot of phishes.
So I think they scraped an API to get all this data and then now they're using all of it to send out phishing. Right?
Yeah. So but it's like the the upshot of it is like use two factor and and don't get phished. So it's like
The upside is don't use Instagram. Get off all
social Well, okay. That's even better. Live in the forest. That's that's the next that's like That's the next level.
I actually I actually removed both Facebook and LinkedIn and a couple of other social media apps from my phone.
I
just Oh, you're following Choff?
I am I am detoxing from social media.
It gets a little boring sometimes, but I've read a lot more.
The dumb the dumb phones. I'm I'm
going for quality over quantity. I'm I'm combating the slop.
That's a good for you, honestly. I think we should all do that. There is Job. Like a whole growing market of like, you know, dumb phones. Or the what is the the I think the most recent Nothing Phone has like an actual physical switch to switch between smart mode and dumb mode. You
know Isn't that a Jitterbug?
Basically, like, it is dumb Jitterbug. Nice. Well, Jitterbug is like kind of holds you back. Because you're like, alright, now I need to like walk to the restaurant, and I'm Yeah.
And all you have is one other button that says life alert? You
you press it, you're like, I'm at the hotel and I need to get to this restaurant. They're like, you gotta stop pressing this.
You have you have exhausted all of
your credits in this plan. Yeah. Yeah. You had one credit a
year and
you just used it.
Well, even Apple has their like, the the defense they give for like, journalists or people targeted by by Pegasus, they it turns their Apple phone into a to a dumb phone, essentially.
Yeah. The under attack mode or whatever. Yeah.
Yeah. Lobotomize your smartphone.
So Yeah. Yeah. I mean, there's a whole, you know, there's a whole thing. I saw Pebble. Pebble's bringing a couple Pebbles back for those that like love their Pebble watches back in like 2012. I saw they made a new watch. I feel like that was such like a nerd specific thing where like, everyone cool in 2012 had a Pebble.
I had a Pebble.
Yeah. Everyone cool did. Now everyone has an Apple Watcher.
Now I'm just a loser.
I never had a Pebble. Does that mean I'm not cool?
It's because you weren't cool in 2012.
Yeah. You got cooler. Okay.
Now, you're cool. You could buy the pebble too.
You could buy the pebble as well. They're probably cheap online except for the hips.
If you wanna be a pebble too.
They're not cheap. They're $200.
What? Dude, that's the shelf right over here. I can make some easy cash, dude. Wait, $200, that's how much I'm paying a month for all the subscription services it takes to watch the Olympics.
You know and you know how much Well,
let me give you let me give you this Italian website real quick.
Yeah. Okay.
Wow. But
¶ Reporter remembers saving animals a year after L.A. wildfires
before we do the CTF stuff, I actually did have it's not an InfoSec related chicken story. No. But it is a chicken story. And it's it
We don't need we don't need it. It's okay.
We It's really short and sweet. Apparently, during the Eaton fires, all the wildfires we had a year ago here in Southern California, there were a bunch of chickens who were rescued. And there was a follow-up story by NBC or I'll have to look it up here. Where is it? Oh, I closed that tab. Anyway, there are follow-up stories, and basically, the chickens are doing well. That's it.
Okay. Chicken survived.
Great article. Survived. They're thriving. What about the eggs? Did the eggs survive?
Oh. Oh. They probably were off their lane.
What did they say first? The chicken or the egg? I think the chicken. That that tells you everything you need to know right there, people. Save the chicken first. Don't save the egg. That thing's already hard boiled. Alright. Yeah. So CTF winners, let's do let's do the CTF winners.
¶ CTF Winners
The winner the first place prize goes to Josh Kemp, who gets a year of Antisyphon on demand training for free. Then the second place prize goes to christy b seventy eight, who gets one class of their choice. You should have gotten an email. If you haven't gotten an email, let us know. I have no idea what the CTF was. If anyone knows what it is
I was
gonna Please
post it in the chat. I'm assuming the CTF was get on the podcast.
A year's worth of a year worth is a lot. Right? Like, that's a that's a long time. Yeah.
A year's worth of access is
You can learn a lot in the year.
Is your iOS class on demand yet?
Not yet.
David? Not yet? Not yet. Are you gonna make it on demand? That's up
to you. It would be hard to do it because you'd have is there a is there a hardware component at all that, yeah, I guess you have to bring a representative device?
Nope. So we're doing it all virtualized. We'll be using the Corellium platform. If someone is dead set on bringing their own rooted device, we will do our best to help them, but no guarantees with any of the labs or if anything goes wrong with their own device.
Is it is it Android
and iOS? Hardware free. No. First, it's just iOS.
It's just it's just iOS? Do you do you have you guys gotten the or have you guys ever played with the development platforms that you guys can get from from Apple?
Yeah. Yeah.
Yeah. So so we actually the class, we have our own app as well. So we did we we designed and we have a a vulnerable app. So but yeah. Yeah.
There any cool CTF challenges in the app?
I'm sure there are based on your face. I yeah. So
there's couple of questions that I didn't answer.
So Yeah.
Yeah. So last question because now I'm just interested. So this is a virtual only or in person?
It's a hybrid class. It'll be on demand. This will be virtual. But
This is gonna be
people signed up for in person at Wild West Denver. Hoping to get a few more. And yeah. So we'll be live walking around, helping people out.
Nice.
Making jokes, having a good class.
Sounds like fun. It should be great. Someone asked about the CTF answers. Megan, do you know where the CTF answers are or how people can find them? You can't.
You can't.
That's the CTF. That's the CTF answers. Them.
You know what you do? What was his name? You find Josh and you ask him and you become his friend.
That's honestly, if you wanna know the way to network and be good in the cyber security community, that is the way to do it.
CTF Awesome. Teamwork? No? Maybe he shares his password for Antisyphon, you know, something.
The real CTF was the friends we made along the way.
Oh. They hacked my heart.
I'm not Alright.
I'm not sure how I feel about being a flag.
Alright. Thanks everyone for coming. We'll see you all next week and bye bye.
Bye bye.
Bye bye.
